From 755fd78fa0ee0f2a67417a119382c63e02c1091e Mon Sep 17 00:00:00 2001
From: Alexandre Rocha Wendling <alexandrerw@celepar.pr.gov.br>
Date: Tue, 16 Jul 2024 14:15:23 +0000
Subject: [PATCH] Proxy ticket service and proxy ticket validation Proxy endpoints improvements suggested by Jacek Kowalski Add ticket type to storage key Rename isreuse to isReusable Remove "parsing" of "codeUUID" that is String, not UUID Improve error reporting in CAS ticket validation
---
integrationTest/suite.sh | 83 ++++++++++++++++++++++++++++++++---------
1 files changed, 65 insertions(+), 18 deletions(-)
diff --git a/integrationTest/suite.sh b/integrationTest/suite.sh
index 6958b45..3f6f56a 100755
--- a/integrationTest/suite.sh
+++ b/integrationTest/suite.sh
@@ -1,41 +1,88 @@
#!/bin/bash
set -e
+keycloak_cas_url='http://localhost:8080/realms/master/protocol/cas'
action_pattern='action="([^"]+)"'
-ticket_pattern='Location: .*\?ticket=(ST-[-A-Za-z0-9_.=]+)'
+CURL="curl --fail --silent --verbose"
get_ticket() {
- login_response=$(curl --fail --silent -c /tmp/cookies http://localhost:8080/auth/realms/master/protocol/cas/login?service=http://localhost)
- if [[ !($login_response =~ $action_pattern) ]] ; then
+ local cookie_options="-b /tmp/cookies"
+ local ticket_pattern='Location: .*\?ticket=(ST-[-A-Za-z0-9_.=]+)'
+ local client_url_param=service
+
+ if [ "$1" == "save_cookies" ]; then
+ cookie_options="${cookie_options} -c /tmp/cookies"
+ elif [ "$1" == "SAML" ]; then
+ ticket_pattern='Location: .*\?SAMLart=(ST-[-A-Za-z0-9_.=]+)'
+ client_url_param=TARGET
+ fi
+
+ local login_response=$($CURL -c /tmp/cookies "${keycloak_cas_url}/login?${client_url_param}=http://localhost")
+ if [[ ! ($login_response =~ $action_pattern) ]] ; then
echo "Could not parse login form in response"
- echo $login_response
+ echo "${login_response}"
exit 1
fi
- login_url=${BASH_REMATCH[1]//&/&}
- redirect_response=$(curl --fail --silent -D - -b /tmp/cookies --data 'username=admin&password=admin' "$login_url")
- if [[ !($redirect_response =~ $ticket_pattern) ]] ; then
+ local login_url=${BASH_REMATCH[1]//&/&}
+ local redirect_response=$($CURL -D - $cookie_options --data 'username=admin&password=admin' "$login_url")
+ if [[ ! ($redirect_response =~ $ticket_pattern) ]] ; then
echo "No service ticket found in response"
- echo $redirect_response
+ echo "${redirect_response}"
exit 1
fi
- ticket=${BASH_REMATCH[1]}
- echo $ticket
+ echo "${BASH_REMATCH[1]}"
}
-get_ticket
-curl --fail --silent "http://localhost:8080/auth/realms/master/protocol/cas/validate?service=http://localhost&ticket=$ticket"
+# CAS 1.0
+echo "Testing CAS 1.0..."
+ticket=$(get_ticket)
+$CURL "${keycloak_cas_url}/validate?service=http://localhost&ticket=$ticket"
echo
-get_ticket
-curl --fail --silent "http://localhost:8080/auth/realms/master/protocol/cas/serviceValidate?service=http://localhost&format=XML&ticket=$ticket"
+# CAS 2.0
+echo "Testing CAS 2.0 - XML..."
+ticket=$(get_ticket)
+$CURL "${keycloak_cas_url}/serviceValidate?service=http://localhost&format=XML&ticket=$ticket"
echo
-get_ticket
-curl --fail --silent "http://localhost:8080/auth/realms/master/protocol/cas/serviceValidate?service=http://localhost&format=JSON&ticket=$ticket"
+echo "Testing CAS 2.0 - JSON..."
+ticket=$(get_ticket)
+$CURL "${keycloak_cas_url}/serviceValidate?service=http://localhost&format=JSON&ticket=$ticket"
echo
-get_ticket
-curl --fail --silent "http://localhost:8080/auth/realms/master/protocol/cas/p3/serviceValidate?service=http://localhost&format=JSON&ticket=$ticket"
+# CAS 3.0
+echo "Testing CAS 3.0..."
+ticket=$(get_ticket save_cookies)
+$CURL "${keycloak_cas_url}/p3/serviceValidate?service=http://localhost&format=JSON&ticket=$ticket"
echo
+
+# SAML 1.1
+echo "Testing SAML 1.1..."
+ticket=$(get_ticket SAML)
+timestamp=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+saml_template=$(dirname "$0")/samlValidateTemplate.xml
+sed -e "s/CAS_TICKET/$ticket/g" -e "s/TIMESTAMP/$timestamp/g" "$saml_template" \
+ | $CURL -X POST -H "Content-Type: text/xml" \
+ -H "SOAPAction: http://www.oasis-open.org/committees/security" \
+ --data-binary @- "${keycloak_cas_url}/samlValidate?TARGET=http://localhost"
+echo
+
+# CAS - gateway option
+echo "Testing CAS - gateway option, stage 1..."
+get_ticket save_cookies
+login_response=$($CURL -D - -b /tmp/cookies "${keycloak_cas_url}/login?service=http://localhost&gateway=true")
+if echo "${login_response}" | grep '^Location: http://localhost\?ticket='; then
+ echo "Gateway option did not redirect back to service with ticket"
+ echo "${login_response}"
+ exit 1
+fi
+
+echo "Testing CAS - gateway option, stage 2..."
+login_response=$($CURL -D - "${keycloak_cas_url}/login?service=http://localhost&gateway=true")
+if echo "${login_response}" | grep '^Location: http://localhost$'; then
+ echo "Gateway option did not redirect back to service without ticket"
+ echo "${login_response}"
+ exit 1
+fi
--
Gitblit v1.9.1