コード例 #1
END_TEST

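/*
 * getResponseFromServer() should return the serviceValidate document
 * unchanged for a given ticket.
 *
 * The body comes from set_curl_response() (presumably a stub for the curl
 * transfer -- confirm in the test harness), so this test does not exercise
 * a real back-channel connection or TLS certificate verification.
 */
START_TEST(getResponseFromServer_test) {
  const char *response = "<cas:serviceResponse xmlns:cas="
      "'http://www.yale.edu/tp/cas'>"
      "<cas:authenticationSuccess>"
      "<cas:user>username</cas:user>"
      "</cas:authenticationSuccess>"
      "</cas:serviceResponse>";
  char *rv;
  cas_cfg *c = ap_get_module_config(request->server->module_config,
                                    &auth_cas_module);
  set_curl_response(response);
  rv = getResponseFromServer(request, c, "ST-1234");
#ifndef DARWIN
  // apr_stat behaves oddly while the tests are running (but works
  // just fine on a standalone test program).  It almost looks
  // like it doesn't get called at all, which results in NULL
  // being returned from getResponseFromServer.  In any case, the
  // code in getResponseFromServer needs to be refactored anyway,
  // so improving the test quality and getting it to work on OS X
  // can be saved for that date.

  // The failure text is passed as a literal format with its argument
  // instead of a pre-rendered string: the assertion macro treats its
  // message as a printf format, so a '%' inside the configured path
  // would otherwise be re-interpreted.  This also avoids building the
  // message on every passing run.
  fail_if(rv == NULL,
          "getResponseFromServer() returned NULL\n"
          "  (Does %s (CAS_DEFAULT_CA_PATH in mod_auth_cas.h) exist?)",
          c->CASCertificatePath ? c->CASCertificatePath : "(null)");
  fail_unless(strcmp(rv, response) == 0);
#endif
}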
コード例 #2
END_TEST

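/*
 * After a gateway round trip (gateway cookie plus service ticket on the
 * request), cas_authenticate() must answer with a redirect, set the
 * authenticated user, and emit a Set-Cookie header that expires the
 * MOD_CAS_G gateway cookie.
 */
START_TEST(removeGatewayCookie_test) {
  /* Removal is asserted as the same cookie name with an epoch expiry;
   * the Secure attribute and Path=/ are part of the expected value. */
  const char *expected = "MOD_CAS_G=TRUE;Secure;Path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT";
  const char *ernVal;
  const char *response =
      "<cas:serviceResponse xmlns:cas=\"http://www.yale.edu/tp/cas\">"
      "<cas:authenticationSuccess>"
      "<cas:user>good</cas:user>"
      "</cas:authenticationSuccess>"
      "</cas:serviceResponse>";
  int rv;
  cas_cfg *c = ap_get_module_config(request->server->module_config,
                                    &auth_cas_module);
  /* NOTE(review): this writes to the server-wide module config; whether a
   * fixture restores it between tests is not visible here. */
  c->CASCookiePath = "/tmp/";

  /*
   * setup request as if we've just returned from a gateway trip,
   * with a gateway cookie and a cas ticket
   */
  apr_table_set(request->headers_in, "Cookie", "MOD_CAS_G=TRUE; cookie_name=cookie_value ");
  request->unparsed_uri = "/foo?ticket=ST-1234";
  request->uri = "/foo";
  request->args = apr_pstrdup(request->pool, "ticket=ST-1234");
  /* port 443 makes the request look like HTTPS; presumably why the
   * expected cookie carries Secure -- confirm against the module */
  request->connection->local_addr->port = 443;
  request->ap_auth_type = "cas";
  /* Diagnostic values go through "%s": the assertion message is a printf
   * format, and request data must never be used as one. */
  fail_unless(strcmp(request->args, "ticket=ST-1234") == 0,
              "%s", request->args);
  /* NOTE(review): the ticket here is ST-12345 while args/unparsed_uri use
   * ST-1234; left as found, confirm whether the mismatch is intended. */
  apr_uri_parse(request->pool, "http://foo.example.com/foo?ticket=ST-12345",
                &request->parsed_uri);

  /*
   * setup fake serviceValidate response from cas server
   */
  set_curl_response(response);

  /*
   * authenticate the user
   */
  c->CASCertificatePath = "/";
  rv = cas_authenticate(request);
  fail_unless(rv == HTTP_MOVED_TEMPORARILY, "cas_authenticate failed");
  /* Guard before strcmp(): a missing user should be a test failure,
   * not a NULL dereference. */
  fail_unless(request->user != NULL, "request->user was not set");
  fail_unless(strcmp(request->user, "good") == 0, "%s", request->user);

  /*
   * verify that the Set-Cookie header removes the gateway cookie
   */
  apr_table_compress(request->err_headers_out, APR_OVERLAP_TABLES_MERGE);
  ernVal = apr_table_get(request->err_headers_out, "Set-Cookie");
  /* apr_table_get() returns NULL when the header is absent; strstr() on
   * NULL is undefined, so fail explicitly first. */
  fail_unless(ernVal != NULL, "no Set-Cookie header in err_headers_out");
  fail_unless(strstr(ernVal, expected) != NULL, "%s", ernVal);
}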
コード例 #3
END_TEST

/*
 * Test OpenSAML 2.x responses (CAS >= 3.5.1)
 *
 * Feeds a canned SAML 1.1 SOAP response through isValidCASTicket() with
 * CASValidateSAML enabled and checks the attributes it extracts.
 *
 * NOTE(review): the fixture's Conditions window lies in 2011 and the
 * response carries no XML signature, yet the test expects success.  As far
 * as this test shows, neither is enforced on this path; confirm that trust
 * is meant to rest on the back-channel fetch alone.
 * NOTE(review): the user returned through the out-parameter is never
 * asserted; only the attributes are.
 */
START_TEST(isValidCASTicket_OpenSAML2_test) {
  char *attr;
  apr_byte_t rv;
  char *user = NULL;
  cas_saml_attr *saml_attrs = NULL;
  cas_cfg *cfg = ap_get_module_config(request->server->module_config,
                                      &auth_cas_module);
  const char *saml_response =
      "<?xml version='1.0' encoding='UTF-8'?>"
      "<SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/'>"
      "<SOAP-ENV:Body>"
      "<saml1p:Response xmlns:saml1p='urn:oasis:names:tc:SAML:1.0:protocol'"
      " IssueInstant='2011-01-01T01:01:01.001Z'"
      " MajorVersion='1' MinorVersion='1'"
      " Recipient='https://example.com/example_app'"
      " ResponseID='_0123456789abcdef0123456789abcdef'>"
      "<saml1p:Status><saml1p:StatusCode Value='saml1p:Success'/></saml1p:Status>"
      "<saml1:Assertion xmlns:saml1='urn:oasis:names:tc:SAML:1.0:assertion'"
      " AssertionID='_0123456789abcdef0123456789abcdef'"
      " IssueInstant='2011-01-01T01:01:01.001Z' Issuer='localhost'"
      " MajorVersion='1' MinorVersion='1'>"
      "<saml1:Conditions NotBefore='2011-01-01T12:00:00.000Z' NotOnOrAfter='2011-01-01T12:01:00.000Z'>"
      "<saml1:AudienceRestrictionCondition>"
      "<saml1:Audience>https://example.com/example_app</saml1:Audience>"
      "</saml1:AudienceRestrictionCondition>"
      "</saml1:Conditions>"
      "<saml1:AuthenticationStatement AuthenticationMethod='urn:oasis:names:tc:SAML:1.0:am:password'>"
      "<saml1:Subject><saml1:NameIdentifier>username</saml1:NameIdentifier></saml1:Subject>"
      "</saml1:AuthenticationStatement>"
      "<saml1:AttributeStatement>"
      "<saml1:Subject><saml1:NameIdentifier>username</saml1:NameIdentifier></saml1:Subject>"
      "<saml1:Attribute AttributeName='FirstName'"
      " AttributeNamespace='http://www.ja-sig.org/products/cas/'>"
      "<saml1:AttributeValue>Joe</saml1:AttributeValue>"
      "</saml1:Attribute>"
      "<saml1:Attribute AttributeName='Last Name'"
      " AttributeNamespace='http://www.ja-sig.org/products/cas/'>"
      "<saml1:AttributeValue>Test</saml1:AttributeValue>"
      "</saml1:Attribute>"
      "<saml1:Attribute AttributeName='GroupList'"
      " AttributeNamespace='http://www.ja-sig.org/products/cas/'>"
      "<saml1:AttributeValue>A,B</saml1:AttributeValue>"
      "<saml1:AttributeValue>C</saml1:AttributeValue>"
      "</saml1:Attribute>"
      "</saml1:AttributeStatement>"
      "</saml1:Assertion>"
      "</saml1p:Response>"
      "</SOAP-ENV:Body>"
      "</SOAP-ENV:Envelope>";

  /* Install the canned validation response, then switch the module to
   * SAML validation with "/" as the certificate path. */
  set_curl_response(saml_response);
  cfg->CASValidateSAML = TRUE;
  cfg->CASCertificatePath = "/";

  rv = isValidCASTicket(request, cfg, "ST-1234", &user, &saml_attrs);
  fail_if(rv == FALSE);

  /* Single-valued attribute. */
  attr = get_attr(cfg, saml_attrs, "FirstName");
  fail_if(attr == NULL);
  fail_unless(strcmp(attr, "Joe") == 0);

  /* Attribute name containing a space. */
  attr = get_attr(cfg, saml_attrs, "Last Name");
  fail_if(attr == NULL);
  fail_unless(strcmp(attr, "Test") == 0);

  /* Two AttributeValue elements come back joined by the default delimiter.
   * NOTE(review): a value that itself contains the delimiter cannot be told
   * apart from two values after joining; check consumers that split on it. */
  attr = get_attr(cfg, saml_attrs, "GroupList");
  fail_if(attr == NULL);
  fail_unless(strcmp(attr, "A,B" CAS_DEFAULT_ATTRIBUTE_DELIMITER "C") == 0);

  /* AuthenticationMethod is an XML attribute of AuthenticationStatement in
   * the fixture, not a saml1:Attribute, and is still expected here. */
  attr = get_attr(cfg, saml_attrs, "AuthenticationMethod");
  fail_if(attr == NULL);
  fail_unless(strcmp(attr, "urn:oasis:names:tc:SAML:1.0:am:password") == 0);
}