END_TEST

START_TEST(cas_attr_cmp_test) {
    cas_saml_attr *attrs1, *attrs2;
    cas_attr_builder *builder1 = cas_attr_builder_new(pool, &attrs1);
    cas_attr_builder *builder2 = cas_attr_builder_new(pool, &attrs2);

    /* Newly created, empty attribute lists compare equal. */
    fail_unless(cas_saml_attr_cmp(attrs1, attrs2) == 0);

    /* Adding equal pairs to each lists still compares equal. */
    cas_attr_builder_add(builder1, "foo", "bar");
    cas_attr_builder_add(builder2, "foo", "bar");
    fail_unless(cas_saml_attr_cmp(attrs1, attrs2) == 0);

    /* An explicitly empty (NULL) list compares less than a list that
       we have added a value to. */
    fail_unless(cas_saml_attr_cmp(NULL, attrs2) < 0);

    /* A duplicated list behaves the same as the original list. */
    fail_unless(cas_saml_attr_cmp(cas_saml_attr_pdup(pool, attrs1),
                                  attrs2) == 0);
}
Ejemplo n.º 2
0
END_TEST

#else

START_TEST(cas_attribute_authz_test) {
  int should_fail1, should_fail2, should_fail3 ,should_fail4 ,should_fail5 ,should_fail6, should_succeed1, should_succeed2,
      should_succeed3;
  cas_saml_attr *attrs = NULL;
  cas_attr_builder *builder;
  int i;

  const char *old_method;
  int old_method_number;

  /* Manually create some SAML attributes.  These attributes represent
   * a CAS attribute payload returned by CAS.  This test will apply an
   * authorization policy to these attributes to test its behavior.
   */
  struct test_data {
      const char *const k;
      const char *const v;
  } test_data_list[] = {
      {"key1", "val1"},
      {"key1", "val2"},
      {"key2", "val3"},
      {"should", "succeed"},
      {"regexAttribute", "urn:mace:example.edu:testing?placeholder=there&success=true"},
      {0, 0} /* NULL terminator */
  };

  const char *r[] = {
	  "hopefully:fail should:fail",
	  "hopefully:fail should:succeed",
	  "regexAttribute~.+:testing\?.*success=true.*",
	  "regexAttribute~.+:testing\?.*success=TRUE.*",
	  "regexAttribute~.+:testing\?.*(?i:success=TRUE).*",
	  "",
	  "novalue:",
	  ":noattribute",
	  "fail",
	  NULL
  };
  
  // Build a CAS attribute structure.
  builder = cas_attr_builder_new(pool, &attrs);
  i = 0;
  while (1) {
      struct test_data d = test_data_list[i];
      if (d.v == NULL) break;

      cas_attr_builder_add(builder, d.k, d.v);
      i++;
  }

  cas_set_attributes(request, attrs);
  
  /* Allow these tests to pass - simulate a GET request. */
  old_method = request->method;
  old_method_number = request->method_number;
  request->method = "GET";
  request->method_number = M_GET;

  should_fail1 = cas_check_authorization(request, r[0], (const void*)0);
  should_fail2 = cas_check_authorization(request, r[3], (const void*)0);
  should_fail3 = cas_check_authorization(request, r[5], (const void*)0);
  should_fail4 = cas_check_authorization(request, r[6], (const void*)0);
  should_fail5 = cas_check_authorization(request, r[7], (const void*)0);
  should_fail6 = cas_check_authorization(request, r[8], (const void*)0);

  should_succeed1 = cas_check_authorization(request, r[1], (const void*)0);
  should_succeed2 = cas_check_authorization(request, r[2], (const void*)0);
  should_succeed3 = cas_check_authorization(request, r[4], (const void*)0);

  /* Restore the request object */
  request->method = old_method;
  request->method_number = old_method_number;

  fail_unless((should_fail1 == AUTHZ_DENIED) &&
              (should_fail2 == AUTHZ_DENIED) &&
              (should_fail3 == AUTHZ_DENIED) &&
              (should_fail4 == AUTHZ_DENIED) &&
              (should_fail5 == AUTHZ_DENIED) &&
              (should_fail6 == AUTHZ_DENIED) &&
              (should_succeed1 == AUTHZ_GRANTED) &&
              (should_succeed2 == AUTHZ_GRANTED) &&
              (should_succeed3 == AUTHZ_GRANTED));
}
Ejemplo n.º 3
0
END_TEST

START_TEST(cas_attribute_authz_test) {
  int should_fail1, should_fail2, should_succeed1, should_succeed2,
      should_succeed3, should_succeed4, should_succeed5, should_decline1,
      should_decline2;
  cas_saml_attr *attrs = NULL;
  cas_attr_builder *builder;
  require_line require_line_array[5];
  cas_cfg *c;
  int i;
  require_line *r;

  const char *old_method;
  int old_method_number;

  /* Manually create some SAML attributes.  These attributes represent
   * a CAS attribute payload returned by CAS.  This test will apply an
   * authorization policy to these attributes to test its behavior.
   */
  struct test_data {
      const char *const k;
      const char *const v;
  } test_data_list[] = {
      {"key1", "val1"},
      {"key1", "val2"},
      {"key2", "val3"},
      {"should", "succeed"},
      {"regexAttribute", "urn:mace:example.edu:testing?placeholder=there&success=true"},
      {0, 0} /* NULL terminator */
  };

  // Build a CAS attribute structure.
  builder = cas_attr_builder_new(pool, &attrs);
  i = 0;
  while (1) {
      struct test_data d = test_data_list[i];
      if (d.v == NULL) break;

      cas_attr_builder_add(builder, d.k, d.v);
      i++;
  }

  c = ap_get_module_config(request->server->module_config,
                           &auth_cas_module);

  /* Allow these tests to pass - simulate a GET request. */
  old_method = request->method;
  old_method_number = request->method_number;
  request->method = "GET";
  request->method_number = M_GET;

  /* Create 'Require' config structures representing the
   * configured authorization policy.  Although we create many, we'll
   * apply different combinations of them in the tests which
   * follow. */
  r = &(require_line_array[0]);
  r->method_mask = AP_METHOD_BIT;
  r->requirement = apr_pstrdup(pool, "cas-attribute hopefully:fail");

  r = &(require_line_array[1]);
  r->method_mask = AP_METHOD_BIT;
  r->requirement = apr_pstrdup(pool, "cas-attribute should:succeed");

  r = &(require_line_array[2]);
  r->method_mask = AP_METHOD_BIT;
  r->requirement = apr_pstrdup(pool, "cas-attribute regexAttribute~.+:testing\?.*success=true.*");

  r = &(require_line_array[3]);
  r->method_mask = AP_METHOD_BIT;
  r->requirement = apr_pstrdup(pool, "cas-attribute regexAttribute~.+:testing\?.*success=TRUE.*");

  r = &(require_line_array[4]);
  r->method_mask = AP_METHOD_BIT;
  r->requirement = apr_pstrdup(pool, "cas-attribute regexAttribute~.+:testing\?.*(?i:success=TRUE).*");

  /* When mod_auth_cas is authoritative, an attribute payload which
   * fails to pass the policy check should result in
   * HTTP_UNAUTHORIZED. */
  c->CASAuthoritative = 1;
  should_fail1 = cas_authorize_worker(request, attrs, &(require_line_array[0]), 1, c);
  c->CASAuthoritative = 1;
  should_fail2 = cas_authorize_worker(request, attrs, &(require_line_array[3]), 1, c);

  /* When mod_auth_cas is authoritative, an attribute payload which
   * does pass the policy check should succeed. */
  c->CASAuthoritative = 1;
  should_succeed1 = cas_authorize_worker(request, attrs, &(require_line_array[1]), 1, c);
  c->CASAuthoritative = 1;
  should_succeed2 = cas_authorize_worker(request, attrs, &(require_line_array[2]), 1, c);

  /* When mod_auth_cas is *not* authoritative, an attribute payload
   * which does pass the policy check should succeed. */
  c->CASAuthoritative = 0;
  should_succeed3 = cas_authorize_worker(request, attrs, &(require_line_array[0]), 2, c);
  c->CASAuthoritative = 0;
  should_succeed4 = cas_authorize_worker(request, attrs, &(require_line_array[2]), 1, c);

  /* Case-insensitive flag should allow case-sensitivity to be overridden */
  c->CASAuthoritative = 0;
  should_succeed5 = cas_authorize_worker(request, attrs, &(require_line_array[4]), 1, c);

  /* Regardless of whether mod_auth_cas is authoritative, the empty
   * list of Require directives means mod_auth_cas has no policy to
   * check and should DECLINE. */
  c->CASAuthoritative = 1;
  should_decline1 = cas_authorize_worker(request, attrs, NULL, 0, c);
  c->CASAuthoritative = 0;
  should_decline2 = cas_authorize_worker(request, attrs, NULL, 0, c);

  /* Restore the request object */
  request->method = old_method;
  request->method_number = old_method_number;

  fail_unless((should_fail1 == HTTP_UNAUTHORIZED) &&
              (should_fail2 == HTTP_UNAUTHORIZED) &&
              (should_succeed1 == OK) &&
              (should_succeed2 == OK) &&
              (should_succeed3 == OK) &&
              (should_succeed4 == OK) &&
              (should_succeed5 == OK) &&
              (should_decline1 == DECLINED) &&
              (should_decline2 == DECLINED));
}
Ejemplo n.º 4
0
END_TEST

START_TEST(cas_attribute_authz_test) {
  int should_fail, should_succeed1, should_succeed2,
      should_decline1, should_decline2;
  cas_saml_attr *attrs = NULL;
  cas_attr_builder *builder;
  require_line require_line_array[2];
  cas_cfg *c;
  int i;
  require_line *r;

  /* Manually create some SAML attributes.  These attributes represent
   * a CAS attribute payload returned by CAS.  This test will apply an
   * authorization policy to these attributes to test its behavior.
   */
  struct test_data {
      const char *const k;
      const char *const v;
  } test_data_list[] = {
      {"key1", "val1"},
      {"key1", "val2"},
      {"key2", "val3"},
      {"should", "succeed"},
      {0, 0} /* NULL terminator */
  };

  // Build a CAS attribute structure.
  builder = cas_attr_builder_new(pool, &attrs);
  i = 0;
  while (1) {
      struct test_data d = test_data_list[i];
      if (d.v == NULL) break;

      cas_attr_builder_add(builder, d.k, d.v);
      i++;
  }

  c = ap_get_module_config(request->server->module_config,
                           &auth_cas_module);

  /* Create two 'Require' config structures representing the
   * configured authorization policy.  Although we create two, we'll
   * apply different combinations of them in the tests which
   * follow. */
  r = &(require_line_array[0]);
  r->method_mask = AP_METHOD_BIT;
  r->requirement = apr_pstrdup(pool, "cas-attribute hopefully:fail");

  r = &(require_line_array[1]);
  r->method_mask = AP_METHOD_BIT;
  r->requirement = apr_pstrdup(pool, "cas-attribute should:succeed");

  /* When mod_auth_cas is authoritative, an attribute payload which
   * fails to pass the policy check should result in
   * HTTP_UNAUTHORIZED. */
  c->CASAuthoritative = 1;
  should_fail = cas_authorize_worker(request, attrs, &(require_line_array[0]), 1, c);

  /* When mod_auth_cas is authoritative, an attribute payload which
   * does pass the policy check should succeed. */
  c->CASAuthoritative = 1;
  should_succeed1 = cas_authorize_worker(request, attrs, &(require_line_array[1]), 1, c);

  /* When mod_auth_cas is *not* authoritative, an attribute payload
   * which does pass the policy check should succeed. */
  c->CASAuthoritative = 0;
  should_succeed2 = cas_authorize_worker(request, attrs, &(require_line_array[0]), 2, c);

  /* Regardless of whether mod_auth_cas is authoritative, the empty
   * list of Require directives means mod_auth_cas has no policy to
   * check and should DECLINE. */
  c->CASAuthoritative = 1;
  should_decline1 = cas_authorize_worker(request, attrs, NULL, 0, c);
  c->CASAuthoritative = 0;
  should_decline2 = cas_authorize_worker(request, attrs, NULL, 0, c);

  fail_unless((should_fail == HTTP_UNAUTHORIZED) &&
              (should_succeed1 == OK) &&
              (should_succeed2 == OK) &&
              (should_decline1 == DECLINED) &&
              (should_decline2 == DECLINED));
}