Merge branch 'master' of gitlab.ow2.org:lemonldap-ng/lemonldap-ng

7 years ago · 5ae8ce1d67
parent 34cc0c3693 d536e1f9d2
commit 5ae8ce1d67
5 changed files with 206 additions and 10 deletions
--- a/lemonldap-ng-portal/MANIFEST
+++ b/lemonldap-ng-portal/MANIFEST
@ -382,6 +382,7 @@ t/30-SAML-ReAuth.t
 t/30-SAML-SP-rule.t
 t/31-Auth-and-issuer-CAS-declared-app.t
 t/31-Auth-and-issuer-CAS-default.t
+t/31-Auth-and-issuer-CAS-gateway.t
 t/31-Auth-and-issuer-CAS-proxied.t
 t/31-Auth-and-issuer-CAS-with-choice.t
 t/32-Auth-and-issuer-OIDC-authorization_code-OP-logout.t
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Issuer/CAS.pm
@ -9,6 +9,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
  PE_ERROR
  PE_LOGOUT_OK
  PE_OK
+  PE_SENDRESPONSE
 );

 our $VERSION = '2.0.0';
@ -18,7 +19,7 @@ extends 'Lemonldap::NG::Portal::Main::Issuer',

 # INITIALIZATION

-use constant beforeAuth => 'storeEnv';
+use constant beforeAuth => 'storeEnvAndCheckGateway';

 sub init {
    my ($self) = @_;
@ -44,10 +45,19 @@ sub init {

 # RUNNING METHODS

-sub storeEnv {
+sub storeEnvAndCheckGateway {
    my ( $self, $req ) = @_;
    my $service = $self->p->getHiddenFormValue( $req, 'service' )
      || $req->param('service');
+    my $gateway = $self->p->getHiddenFormValue( $req, 'gateway' )
+      || $req->param('gateway');
+
+    if ( $gateway and $gateway eq "true" ) {
+        $self->logger->debug(
+            "Gateway mode requested, redirect without authentication");
+        $req->response( [ 302, [ Location => $service ], [] ] );
+        return PE_SENDRESPONSE;
+    }

    if ( $service and $service =~ m#^(https?://[^/]+)(/.*)?$# ) {
        my ( $host, $uri ) = ( $1, $2 );
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Init.pm
@ -98,14 +98,18 @@ sub init {

    # Purge loaded module list
    $self->loadedModules( {} );
+
+    # Insert `reloadConf` in handler reload stack
    Lemonldap::NG::Handler::Main->onReload( $self, 'reloadConf' );
+
+    # Handler::PSGI::Try initialization
    return 0 unless ( $self->SUPER::init( $self->localConfig ) );
    return 0 if ( $self->error );

    # Handle requests (other path may be declared in enabled plugins)
    $self

-      # "/"
+      # "/" or undeclared paths
      ->addUnauthRoute( '*' => 'login',     ['GET'] )
      ->addUnauthRoute( '*' => 'postLogin', ['POST'] )
      ->addAuthRoute( '*' => 'authenticatedRequest',     ['GET'] )
--- a/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-gateway.t
+++ b/lemonldap-ng-portal/t/31-Auth-and-issuer-CAS-gateway.t
@ -0,0 +1,165 @@
+use Test::More;    # skip_all => 'CAS is in rebuild';
+use strict;
+use IO::String;
+use LWP::UserAgent;
+use inc::LWP::Protocol::PSGI;
+use MIME::Base64;
+
+BEGIN {
+    require 't/test-lib.pm';
+}
+
+my $debug = 'error';
+my ( $issuer, $sp, $res );
+my %handlerOR = ( issuer => [], sp => [] );
+
+# Redefine LWP methods for tests
+LWP::Protocol::PSGI->register(
+    sub {
+        my $req = Plack::Request->new(@_);
+        ok( $req->uri =~ m#http://auth.((?:id|s)p).com([^\?]*)(?:\?(.*))?$#,
+            'SOAP request' );
+        my $host  = $1;
+        my $url   = $2;
+        my $query = $3;
+        my $res;
+        my $client = ( $host eq 'idp' ? $issuer : $sp );
+        if ( $req->method eq 'POST' ) {
+            my $s = $req->content;
+            ok(
+                $res = $client->_post(
+                    $url, IO::String->new($s),
+                    length => length($s),
+                    query  => $query,
+                    type   => 'application/xml',
+                ),
+                "Execute POST request to $url"
+            );
+        }
+        else {
+            ok(
+                $res = $client->_get(
+                    $url,
+                    type  => 'application/xml',
+                    query => $query,
+                ),
+                "Execute request to $url"
+            );
+        }
+        expectOK($res);
+        ok( getHeader( $res, 'Content-Type' ) =~ m#xml#, 'Content is XML' )
+          or explain( $res->[1], 'Content-Type => application/xml' );
+        count(3);
+        return $res;
+    }
+);
+
+ok( $issuer = issuer(), 'Issuer portal' );
+$handlerOR{issuer} = \@Lemonldap::NG::Handler::Main::_onReload;
+count(1);
+switch ('sp');
+&Lemonldap::NG::Handler::Main::cfgNum( 0, 0 );
+
+ok( $sp = sp(), 'SP portal' );
+count(1);
+$handlerOR{sp} = \@Lemonldap::NG::Handler::Main::_onReload;
+
+# Simple SP access
+ok(
+    $res = $sp->_get(
+        '/', accept => 'text/html',
+    ),
+    'Unauth SP request'
+);
+count(1);
+ok( expectCookie( $res, 'llngcasserver' ) eq 'idp', 'Get CAS server cookie' );
+count(1);
+expectRedirection( $res,
+    'http://auth.idp.com/cas/login?service=http%3A%2F%2Fauth.sp.com%2F' );
+
+# Query IdP
+switch ('issuer');
+ok(
+    $res = $issuer->_get(
+        '/cas/login',
+        query  => 'service=http://auth.sp.com/&gateway=true',
+        accept => 'text/html'
+    ),
+    'Query CAS server'
+);
+count(1);
+my ($query) =
+  expectRedirection( $res, qr#^http://auth.sp.com/# );
+
+# Back to SP
+switch ('sp');
+ok(
+    $res = $sp->_get(
+        '/',
+        query  => $query,
+        accept => 'text/html',
+        cookie => 'llngcasserver=idp',
+    ),
+    'Query SP with ticket'
+);
+count(1);
+
+clean_sessions();
+done_testing( count() );
+
+sub switch {
+    my $type = shift;
+    @Lemonldap::NG::Handler::Main::_onReload = @{
+        $handlerOR{$type};
+    };
+}
+
+sub issuer {
+    return LLNG::Manager::Test->new(
+        {
+            ini => {
+                logLevel               => $debug,
+                templatesDir           => 'site/htdocs/static',
+                domain                 => 'idp.com',
+                portal                 => 'http://auth.idp.com',
+                authentication         => 'Demo',
+                userDB                 => 'Same',
+                issuerDBCASActivation  => 1,
+                casAttr                => 'uid',
+                casAttributes          => { cn => 'cn', uid => 'uid', },
+                casAccessControlPolicy => 'none',
+                multiValuesSeparator   => ';',
+            }
+        }
+    );
+}
+
+sub sp {
+    return LLNG::Manager::Test->new(
+        {
+            ini => {
+                logLevel                   => $debug,
+                domain                     => 'sp.com',
+                portal                     => 'http://auth.sp.com',
+                authentication             => 'CAS',
+                userDB                     => 'CAS',
+                restSessionServer          => 1,
+                issuerDBCASActivation      => 0,
+                multiValuesSeparator       => ';',
+                casSrvMetaDataExportedVars => {
+                    idp => {
+                        cn   => 'cn',
+                        mail => 'mail',
+                        uid  => 'uid',
+                    }
+                },
+                casSrvMetaDataOptions => {
+                    idp => {
+                        casSrvMetaDataOptionsUrl => 'http://auth.idp.com/cas',
+                        casSrvMetaDataOptionsGateway => 0,
+                    }
+                },
+            },
+        }
+    );
+}
--- a/rpm/lemonldap-ng.spec
+++ b/rpm/lemonldap-ng.spec
@ -200,6 +200,17 @@ Requires:	perl-FCGI-ProcManager
 %description -n lemonldap-ng-fastcgi-server
 This package deploys files needed to start a FastCGI server.

+#==============================================================================
+# UWSGI Application
+#==============================================================================
+%package -n lemonldap-ng-uwsgi-app
+Summary:        LemonLDAP-NG UWSGI Application
+Requires:	uwsgi-plugin-psgi
+
+%description -n lemonldap-ng-uwsgi-app
+LemonLDAP::NG uWSGI server provides a replacement to LemonLDAP::NG FastCGI
+server, using uWSGI instead of Plack FCGI.
+
 #==============================================================================
 # CPAN modules - Common
 #==============================================================================
@ -297,15 +308,10 @@ chmod +x %{__perl_requires}
 	ETCDEFAULTDIR=/etc/default \
 	DNSDOMAIN=%{lm_dnsdomain} \
 	APACHEVERSION=%{apache_version} \
+	UWSGIYAMLDIR=/etc/uwsgi/apps-available \
+	LLNGAPPDIR=%{lm_sharedir}/llng-server \
 	PROD=yes

-%{__make} %{?_smp_mflags} install_fr_doc_site \
-	DESTDIR=%{buildroot} \
-	PREFIX=%{lm_prefix} \
-	BINDIR=%{lm_sharedir}/bin \
-	DOCUMENTROOT=%{lm_vardir} \
-	DATADIR=%{lm_vardir}
-
 # Remove some unwanted files
 find %{buildroot} -name .packlist -exec rm -f {} \;
 find %{buildroot} -name perllocal.pod -exec rm -f {} \;
@ -323,6 +329,10 @@ sed -i 's:__FASTCGISOCKDIR__:/var/run/llng-fastcgi-server:' %{buildroot}%{_tmpfi
 sed -i 's:__USER__:%{lm_apacheuser}:' %{buildroot}%{_tmpfilesdir}/llng-fastcgi-server.conf
 sed -i 's:__GROUP__:%{lm_apachegroup}:' %{buildroot}%{_tmpfilesdir}/llng-fastcgi-server.conf

+# UWSGI Application
+mkdir -p %{buildroot}/etc/uwsgi/apps-available
+mkdir -p %{buildroot}%{lm_sharedir}/llng-server
+
 # Set apache user in some files (see Makefile)
 # Note: we do not use the APACHEUSER and APACHEGROUP in make install
 # because it launches a 'chown', which is not permitted if RPM is not
@ -500,6 +510,12 @@ fi
 %{_tmpfilesdir}/llng-fastcgi-server.conf
 %defattr(755,%{lm_apacheuser},%{lm_apachegroup},-)
 %dir /var/run/llng-fastcgi-server
+%{lm_sharedir}/examples/llngapp.psgi
+
+%files -n lemonldap-ng-uwsgi-app
+%defattr(-,root,root,-)
+/etc/uwsgi/apps-available/llng-server.yaml
+%{lm_sharedir}/llng-server/llng-server.psgi

 %files -n perl-Lemonldap-NG-Common
 %defattr(-,root,root,-)