# Portal test script: exercises the login form's spoofId (impersonation) field
# against the impersonation rules configured below, then logs in without
# impersonation and checks the attributes of the session cookie.
use Test::More;
use strict;
use IO::String;

BEGIN {
    require 't/test-lib.pm';
}

# Holds the most recent response; the checks below read headers from
# $res->[1] and the body from $res->[2]->[0].
my $res;

my $client = LLNG::Manager::Test->new( {
        ini => {
            logLevel            => 'error',
            authentication      => 'Demo',
            userDB              => 'Same',
            loginHistoryEnabled => 0,
            brutForceProtection => 0,
            portalMainLogo      => 'common/logos/logo_llng_old.png',
            requireToken        => 0,
            checkUser           => 1,

            # Both rules exclude uid "msmith". Judging by the scenarios
            # below, impersonationRule gates who may impersonate (msmith
            # logging in with a spoofId is expected to get PE93) and
            # impersonationIdRule gates which identity may be assumed
            # (spoofId=msmith is expected to get PE5).
            impersonationRule   => '$uid ne "msmith"',
            impersonationIdRule => '$uid ne "msmith"',
            impersonationPrefix => 'testPrefix_',

            # With these two settings the plain login below expects two
            # cookies (lemonldap and lemonldaphttp) and asserts that the
            # lemonldap one carries the secure flag.
            securedCookie                  => 2,
            https                          => 1,
            checkUserDisplayPersistentInfo => 0,
            checkUserDisplayEmptyValues    => 0,
            impersonationMergeSSOgroups    => 0,
            checkUserHiddenAttributes      => '_loginHistory hGroups',
            macros                         => {
                test_impersonation => '"$testPrefix__user/$_user"',
                _whatToTrace       =>
                  '$_auth eq "SAML" ? "$_user@$_idpConfKey" : $_user',
            },
        }
    }
);

## Try to impersonate with a bad spoofed user
ok( $res = $client->_get( '/', accept => 'text/html' ), 'Get Menu', );
count(1);
my ( $host, $url, $query ) =
  expectForm( $res, '#', undef, 'user', 'password', 'spoofId' );

# Fill the form fields in the query string returned by expectForm.
# The spoofId carries a '*'; the test labels the expected outcome
# "PE40 - Bad formed user", i.e. the value must be refused.
$query =~ s/user=/user=rtyler/;
$query =~ s/password=/password=rtyler/;
$query =~ s/spoofId=/spoofId=dwho*/;
ok(
    $res = $client->_post(
        '/',
        IO::String->new($query),
        length => length($query),
        accept => 'text/html',
    ),
    'Auth query'
);

# NOTE(review): the pattern between the % delimiters is empty as shown here
# (the expected markup was presumably lost). In Perl an empty pattern reuses
# the last successfully matched pattern, so as written this assertion does
# not verify that the PE40 message is displayed. Restore the expected markup
# before relying on this check.
ok( $res->[2]->[0] =~ m%%, ' PE40 found' )
  or explain( $res->[2]->[0], "PE40 - Bad formed user" );
count(2);

# After the refusal the portal must present the login form again
# (no session was opened).
ok( $res = $client->_get( '/', accept => 'text/html' ), 'Get Menu', );
count(1);
expectForm( $res, '#', undef, 'user', 'password', 'spoofId' );

## Try to impersonate with a forbidden identity
ok( $res = $client->_get( '/', accept => 'text/html' ), 'Get Menu', );
count(1);
( $host, $url, $query ) =
  expectForm( $res, '#', undef, 'user', 'password', 'spoofId' );

# rtyler authenticates and asks for the identity of msmith, the uid that
# impersonationIdRule excludes.
$query =~ s/user=/user=rtyler/;
$query =~ s/password=/password=rtyler/;
$query =~ s/spoofId=/spoofId=msmith/;
ok(
    $res = $client->_post(
        '/',
        IO::String->new($query),
        length => length($query),
        accept => 'text/html',
    ),
    'Auth query'
);

# NOTE(review): as shown, the pattern below contains only a line break, so
# it would match almost any multi-line body and does not pin the PE5
# message; the expected markup looks to have been lost - restore it.
ok( $res->[2]->[0] =~ m%
%, ' PE5 found' )
  or explain( $res->[2]->[0], "PE5 - Forbidden identity" );
count(2);

# Login form is expected again after the refusal.
ok( $res = $client->_get( '/', accept => 'text/html' ), 'Get Menu', );
count(1);
expectForm( $res, '#', undef, 'user', 'password', 'spoofId' );

## An unauthorized user try to impersonate
ok( $res = $client->_get( '/', accept => 'text/html' ), 'Get Menu', );
count(1);
( $host, $url, $query ) =
  expectForm( $res, '#', undef, 'user', 'password', 'spoofId' );

# msmith, the uid excluded by impersonationRule, tries to assume rtyler.
$query =~ s/user=/user=msmith/;
$query =~ s/password=/password=msmith/;
$query =~ s/spoofId=/spoofId=rtyler/;
ok(
    $res = $client->_post(
        '/',
        IO::String->new($query),
        length => length($query),
        accept => 'text/html',
    ),
    'Auth query'
);

# NOTE(review): as shown, the pattern below is a single space, which nearly
# any HTML body satisfies, so it does not pin the PE93 message; the expected
# markup looks to have been lost - restore it.
ok( $res->[2]->[0] =~ m% %, ' PE93 found' )
  or explain( $res->[2]->[0], "PE93 - Impersonation service not allowed" );
count(2);

# Login form is expected again after the refusal.
ok( $res = $client->_get( '/', accept => 'text/html' ), 'Get Menu', );
count(1);
expectForm( $res, '#', undef, 'user', 'password', 'spoofId' );

## An unauthorized user to impersonate tries to authenticate
ok( $res = $client->_get( '/', accept => 'text/html' ), 'Get Menu', );
count(1);
( $host, $url, $query ) =
  expectForm( $res, '#', undef, 'user', 'password', 'spoofId' );

# Same user, but spoofId is left untouched this time: being barred from
# impersonation must not prevent an ordinary login.
$query =~ s/user=/user=msmith/;
$query =~ s/password=/password=msmith/;
ok(
    $res = $client->_post(
        '/',
        IO::String->new($query),
        length => length($query),
        accept => 'text/html',
    ),
    'Auth query'
);
count(1);

# Two cookies are expected from this login; $id2 is only referenced again
# by the commented-out lemonldaphttp checks.
my $id  = expectCookie($res);
my $id2 = expectCookie( $res, 'lemonldaphttp' );
expectRedirection( $res, 'http://auth.example.com/' );

# Check lemonldap Cookie
# The session id must be 64 word characters, and the header element at
# index 3 (presumably the value of the first Set-Cookie header - confirm)
# must carry the HttpOnly and secure attributes.
ok( $id =~ /^\w{64}$/, " -> Get cookie : lemonldap=something" )
  or explain( $res->[1], "Set-Cookie: lemonldap=$id" );
ok( ${ $res->[1] }[3] =~ /HttpOnly=1/, " -> Cookie 'lemonldap' is HttpOnly" )
  or explain( $res->[1] );

# NOTE(review): /secure/ is an unanchored, case-sensitive substring match,
# so it would also pass if "secure" appeared elsewhere in that header value
# (a cookie name or domain, say). A stricter pattern would make the check
# more reliable - confirm against the actual header format.
ok( ${ $res->[1] }[3] =~ /secure/, " -> Cookie 'lemonldap' is secure" )
  or explain( $res->[1] );
count(3);

# NOTE(review): the author's marker below precedes the commented-out
# lemonldaphttp cookie checks; while they stay disabled, nothing in this
# script asserts that the lemonldaphttp cookie is HttpOnly and NOT secure.
# ????????
# # Check lemonldaphttp Cookie # ok( $id2 =~ /^\w{64}$/, " -> Get cookie lemonldaphttp=something" ) # or explain( $res->[1], "Set-Cookie: lemonldaphttp=$id2" ); # ok( # ${ $res->[1] }[5] =~ /HttpOnly=1/, # " -> Cookie 'lemonldaphttp' is HttpOnly" # ) or explain( $res->[1] ); # ok( ${ $res->[1] }[5] !~ /secure/, " -> Cookie 'lemonldaphttp' is NOT secure" ) # or explain( $res->[1] ); # count(3); # CheckUser form # ------------------------ ok( $res = $client->_get( '/checkuser', cookie => "lemonldap=$id", accept => 'text/html' ), 'CheckUser form', ); count(1); ( $host, $url, $query ) = expectForm( $res, undef, '/checkuser', 'user', 'url' ); ok( $res->[2]->[0] =~ m%%, 'Found trspan="checkUser"' ) or explain( $res->[2]->[0], 'trspan="checkUser"' ); count(1); ok( $res = $client->_post( '/checkuser', IO::String->new($query), cookie => "lemonldap=$id", length => length($query), accept => 'text/html', ), 'POST checkuser' ); count(1); ok( $res->[2]->[0] =~ m%