END_TEST START_TEST(cas_attribute_authz_test) { int should_fail1, should_fail2, should_succeed1, should_succeed2, should_succeed3, should_succeed4, should_succeed5, should_decline1, should_decline2; cas_saml_attr *attrs = NULL; cas_attr_builder *builder; require_line require_line_array[5]; cas_cfg *c; int i; require_line *r; const char *old_method; int old_method_number; /* Manually create some SAML attributes. These attributes represent * a CAS attribute payload returned by CAS. This test will apply an * authorization policy to these attributes to test its behavior. */ struct test_data { const char *const k; const char *const v; } test_data_list[] = { {"key1", "val1"}, {"key1", "val2"}, {"key2", "val3"}, {"should", "succeed"}, {"regexAttribute", "urn:mace:example.edu:testing?placeholder=there&success=true"}, {0, 0} /* NULL terminator */ }; // Build a CAS attribute structure. builder = cas_attr_builder_new(pool, &attrs); i = 0; while (1) { struct test_data d = test_data_list[i]; if (d.v == NULL) break; cas_attr_builder_add(builder, d.k, d.v); i++; } c = ap_get_module_config(request->server->module_config, &auth_cas_module); /* Allow these tests to pass - simulate a GET request. */ old_method = request->method; old_method_number = request->method_number; request->method = "GET"; request->method_number = M_GET; /* Create 'Require' config structures representing the * configured authorization policy. Although we create many, we'll * apply different combinations of them in the tests which * follow. */ r = &(require_line_array[0]); r->method_mask = AP_METHOD_BIT; r->requirement = apr_pstrdup(pool, "cas-attribute hopefully:fail"); r = &(require_line_array[1]); r->method_mask = AP_METHOD_BIT; r->requirement = apr_pstrdup(pool, "cas-attribute should:succeed"); r = &(require_line_array[2]); r->method_mask = AP_METHOD_BIT; r->requirement = apr_pstrdup(pool, "cas-attribute regexAttribute~.+:testing\?.*success=true.*"); r = &(require_line_array[3]); r->method_mask = AP_METHOD_BIT; r->requirement = apr_pstrdup(pool, "cas-attribute regexAttribute~.+:testing\?.*success=TRUE.*"); r = &(require_line_array[4]); r->method_mask = AP_METHOD_BIT; r->requirement = apr_pstrdup(pool, "cas-attribute regexAttribute~.+:testing\?.*(?i:success=TRUE).*"); /* When mod_auth_cas is authoritative, an attribute payload which * fails to pass the policy check should result in * HTTP_UNAUTHORIZED. */ c->CASAuthoritative = 1; should_fail1 = cas_authorize_worker(request, attrs, &(require_line_array[0]), 1, c); c->CASAuthoritative = 1; should_fail2 = cas_authorize_worker(request, attrs, &(require_line_array[3]), 1, c); /* When mod_auth_cas is authoritative, an attribute payload which * does pass the policy check should succeed. */ c->CASAuthoritative = 1; should_succeed1 = cas_authorize_worker(request, attrs, &(require_line_array[1]), 1, c); c->CASAuthoritative = 1; should_succeed2 = cas_authorize_worker(request, attrs, &(require_line_array[2]), 1, c); /* When mod_auth_cas is *not* authoritative, an attribute payload * which does pass the policy check should succeed. */ c->CASAuthoritative = 0; should_succeed3 = cas_authorize_worker(request, attrs, &(require_line_array[0]), 2, c); c->CASAuthoritative = 0; should_succeed4 = cas_authorize_worker(request, attrs, &(require_line_array[2]), 1, c); /* Case-insensitive flag should allow case-sensitivity to be overridden */ c->CASAuthoritative = 0; should_succeed5 = cas_authorize_worker(request, attrs, &(require_line_array[4]), 1, c); /* Regardless of whether mod_auth_cas is authoritative, the empty * list of Require directives means mod_auth_cas has no policy to * check and should DECLINE. */ c->CASAuthoritative = 1; should_decline1 = cas_authorize_worker(request, attrs, NULL, 0, c); c->CASAuthoritative = 0; should_decline2 = cas_authorize_worker(request, attrs, NULL, 0, c); /* Restore the request object */ request->method = old_method; request->method_number = old_method_number; fail_unless((should_fail1 == HTTP_UNAUTHORIZED) && (should_fail2 == HTTP_UNAUTHORIZED) && (should_succeed1 == OK) && (should_succeed2 == OK) && (should_succeed3 == OK) && (should_succeed4 == OK) && (should_succeed5 == OK) && (should_decline1 == DECLINED) && (should_decline2 == DECLINED)); }
END_TEST START_TEST(cas_attribute_authz_test) { int should_fail, should_succeed1, should_succeed2, should_decline1, should_decline2; cas_saml_attr *attrs = NULL; cas_attr_builder *builder; require_line require_line_array[2]; cas_cfg *c; int i; require_line *r; /* Manually create some SAML attributes. These attributes represent * a CAS attribute payload returned by CAS. This test will apply an * authorization policy to these attributes to test its behavior. */ struct test_data { const char *const k; const char *const v; } test_data_list[] = { {"key1", "val1"}, {"key1", "val2"}, {"key2", "val3"}, {"should", "succeed"}, {0, 0} /* NULL terminator */ }; // Build a CAS attribute structure. builder = cas_attr_builder_new(pool, &attrs); i = 0; while (1) { struct test_data d = test_data_list[i]; if (d.v == NULL) break; cas_attr_builder_add(builder, d.k, d.v); i++; } c = ap_get_module_config(request->server->module_config, &auth_cas_module); /* Create two 'Require' config structures representing the * configured authorization policy. Although we create two, we'll * apply different combinations of them in the tests which * follow. */ r = &(require_line_array[0]); r->method_mask = AP_METHOD_BIT; r->requirement = apr_pstrdup(pool, "cas-attribute hopefully:fail"); r = &(require_line_array[1]); r->method_mask = AP_METHOD_BIT; r->requirement = apr_pstrdup(pool, "cas-attribute should:succeed"); /* When mod_auth_cas is authoritative, an attribute payload which * fails to pass the policy check should result in * HTTP_UNAUTHORIZED. */ c->CASAuthoritative = 1; should_fail = cas_authorize_worker(request, attrs, &(require_line_array[0]), 1, c); /* When mod_auth_cas is authoritative, an attribute payload which * does pass the policy check should succeed. */ c->CASAuthoritative = 1; should_succeed1 = cas_authorize_worker(request, attrs, &(require_line_array[1]), 1, c); /* When mod_auth_cas is *not* authoritative, an attribute payload * which does pass the policy check should succeed. */ c->CASAuthoritative = 0; should_succeed2 = cas_authorize_worker(request, attrs, &(require_line_array[0]), 2, c); /* Regardless of whether mod_auth_cas is authoritative, the empty * list of Require directives means mod_auth_cas has no policy to * check and should DECLINE. */ c->CASAuthoritative = 1; should_decline1 = cas_authorize_worker(request, attrs, NULL, 0, c); c->CASAuthoritative = 0; should_decline2 = cas_authorize_worker(request, attrs, NULL, 0, c); fail_unless((should_fail == HTTP_UNAUTHORIZED) && (should_succeed1 == OK) && (should_succeed2 == OK) && (should_decline1 == DECLINED) && (should_decline2 == DECLINED)); }