From aec94b681c69eb429fcfa5050602608d8cfcdb86 Mon Sep 17 00:00:00 2001
From: Jacek Kowalski <Jacek@jacekk.info>
Date: Mon, 16 Mar 2020 23:20:08 +0000
Subject: [PATCH] Create the CA as self-signed certs no longer work

---
 docker.sh                            |   22 +++++++++++
 install.sh                           |   25 +++++++-----
 install_root.sh                      |    9 ++++
 build.gradle                         |    2 
 src/test/groovy/StandardTests.groovy |   26 ++++++++----
 script.sh                            |    2 +
 6 files changed, 65 insertions(+), 21 deletions(-)

diff --git a/build.gradle b/build.gradle
index f43ce99..7fbace1 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,7 +1,7 @@
 apply plugin: 'groovy'
 
 dependencies {
-	compile 'org.codehaus.groovy:groovy-all:2.4.4'
+	compile 'org.codehaus.groovy:groovy-all:2.5.10'
 	compile 'junit:junit:4.12'
 	compile 'org.seleniumhq.selenium:selenium-htmlunit-driver:2.47.1'
 }
diff --git a/docker.sh b/docker.sh
new file mode 100755
index 0000000..ad3fcc9
--- /dev/null
+++ b/docker.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+DIR_NAME=`dirname $0`
+PARENT_NAME=`realpath "${DIR_NAME}/.."`
+
+docker pull debian
+docker run -i -t -d \
+	-v "${PARENT_NAME}:/data:ro" \
+	--name uphpcas-tests \
+	debian
+
+set -e
+
+docker exec -i -t uphpcas-tests /data/tests/install_root.sh
+docker exec -i -t uphpcas-tests apt-get -y install php php-xml
+docker exec -i -t uphpcas-tests chown www-data:www-data /var/www
+docker exec -i -t --user www-data --workdir /var/www uphpcas-tests cp -Rfv /data .
+docker exec -i -t --user www-data --workdir /var/www/data uphpcas-tests ./tests/install.sh
+docker exec -i -t --user www-data --workdir /var/www/data uphpcas-tests ./tests/script.sh
+
+docker stop uphpcas-tests
+docker rm -v uphpcas-tests
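Review bot: `set -e` is enabled only on line 45, after `docker pull` and `docker run`, and the cleanup on lines 54–55 is reached only if every `docker exec` succeeds, so a failing step aborts the script and leaves the `uphpcas-tests` container running with the host directory mounted. Moving `set -e` to the top and registering the cleanup as an exit handler covers both cases: `trap 'docker stop uphpcas-tests; docker rm -v uphpcas-tests' EXIT` placed right after the `docker run`, with the two trailing lines dropped. The unquoted `` `dirname $0` `` on line 36 also breaks on paths with spaces; `DIR_NAME=$(dirname "$0")` is the safe form.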
diff --git a/install.sh b/install.sh
index 8d3179a..2db81b0 100755
--- a/install.sh
+++ b/install.sh
@@ -1,16 +1,19 @@
 #!/bin/bash
 
-sudo add-apt-repository -y ppa:cwchien/gradle
-sudo apt-get update
-sudo apt-get -y install gradle-ppa openjdk-7-jdk openssl stunnel
+set -e
 
-sudo update-java-alternatives -s java-1.7.0-openjdk-amd64
-sudo rm /usr/lib/jvm/default-java
+function genAndSign() {
+	local cn=$1
+	local file=$2
+	openssl genrsa -out "/tmp/${file}.key" 2048
+	openssl req -new -key "/tmp/${file}.key" -out "/tmp/${file}.csr" -subj "/CN=${cn}/"
+	openssl x509 -req -in "/tmp/${file}.csr" -out "/tmp/${file}.crt" \
+		-CA /tmp/ca.crt -CAkey /tmp/ca.key -CAcreateserial
+	cat "/tmp/${file}.crt" "/tmp/${file}.key" > "/tmp/${file}.pem"
+}
 
-openssl genrsa -out /tmp/correct.key 1024
-openssl req -new -key /tmp/correct.key -out /tmp/correct.crt -subj '/CN=127.0.0.1/' -x509
-cat /tmp/correct.crt /tmp/correct.key > /tmp/correct.pem
+openssl genrsa -out /tmp/ca.key 2048
+openssl req -new -key /tmp/ca.key -out /tmp/ca.crt -subj '/CN=Test CA/' -x509
 
-openssl genrsa -out /tmp/wrongcn.key 1024
-openssl req -new -key /tmp/wrongcn.key -out /tmp/wrongcn.crt -subj '/CN=127.0.0.2/' -x509
-cat /tmp/wrongcn.crt /tmp/wrongcn.key > /tmp/wrongcn.pem 
+genAndSign "127.0.0.1" "correct"
+genAndSign "127.0.0.2" "wrongcn"
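Review bot: The leaf certificates produced by `genAndSign` carry only a CN (line 74) and no subjectAltName, so a verifier that applies RFC 6125 strictly and ignores the CN for IP addresses may reject `127.0.0.1` even with `/tmp/ca.crt` trusted; whether the PHP and Java clients used here do so is not visible from this patch, so it is worth confirming. If it matters, an `-extfile` passed to the `openssl x509 -req` step with `subjectAltName=IP:${cn}` fixes it. Separately, line 77 creates `/tmp/${file}.pem`, which contains the private key, under the caller's default umask in a shared `/tmp`; a `umask 077` after `set -e` keeps the key and the CA key on line 83 readable only by the owner.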
diff --git a/install_root.sh b/install_root.sh
new file mode 100755
index 0000000..bd7d21f
--- /dev/null
+++ b/install_root.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+apt-get -y update
+apt-get -y install \
+	--no-install-recommends \
+	--no-install-suggests \
+	gradle openssl stunnel
diff --git a/script.sh b/script.sh
index 53f1667..3eda212 100755
--- a/script.sh
+++ b/script.sh
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+set -e
+
 cd `dirname $0`
 
 stunnel4 etc/stunnel.conf
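Review bot: With `set -e` now in effect, a failed `cd` on line 115 correctly aborts instead of starting stunnel from the wrong directory, but the unquoted backtick form still word-splits a path containing spaces; `cd "$(dirname "$0")"` is the robust spelling. The remainder of the script is outside this hunk.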
diff --git a/src/test/groovy/StandardTests.groovy b/src/test/groovy/StandardTests.groovy
index 74828c6..a470fc0 100644
--- a/src/test/groovy/StandardTests.groovy
+++ b/src/test/groovy/StandardTests.groovy
@@ -16,7 +16,7 @@
 	@Parameters(name = "{0}")
 	public static Iterable<Object[]> data() {
 		return [
-			// cas, cafile, method, login page expected text, main page expected text
+			// name, cas, cafile, method, login page expected text, main page expected text
 			
 			// HTTP should succeed
 			[ "HTTP",  "http://127.0.0.1:8081/cas.php", null, null, "Authenticated as user123", "Authenticated as user123" ] as Object[],
@@ -24,14 +24,18 @@
 			[ "HTTP POST", "http://127.0.0.1:8081/cas.php", null, "POST", "Authenticated as user123", "Authenticated as user123" ] as Object[],
 			
 			// HTTPS should succeed
-			[ "HTTPS", "https://127.0.0.1:8444/cas.php", "/tmp/correct.crt", null, "Authenticated as user123", "Authenticated as user123" ] as Object[],
-			[ "HTTPS GET", "https://127.0.0.1:8444/cas.php", "/tmp/correct.crt", "GET", "Authenticated as user123", "Authenticated as user123" ] as Object[],
-			[ "HTTPS POST", "https://127.0.0.1:8444/cas.php", "/tmp/correct.crt", "POST", "Authenticated as user123", "Authenticated as user123" ] as Object[],
-			
-			// system CAfile does not contain this self-signed certificate - should fail
+			[ "HTTPS", "https://127.0.0.1:8444/cas.php", "/tmp/ca.crt", null, "Authenticated as user123", "Authenticated as user123" ] as Object[],
+			[ "HTTPS GET", "https://127.0.0.1:8444/cas.php", "/tmp/ca.crt", "GET", "Authenticated as user123", "Authenticated as user123" ] as Object[],
+			[ "HTTPS POST", "https://127.0.0.1:8444/cas.php", "/tmp/ca.crt", "POST", "Authenticated as user123", "Authenticated as user123" ] as Object[],
+
+			// system CAfile does not contain CA certificate - should fail
 			[ "HTTPS SysCA", "https://127.0.0.1:8444/cas.php", null, null, "CAS server is unavailable", "Not authenticated." ] as Object[],
 			[ "HTTPS SysCA GET", "https://127.0.0.1:8444/cas.php", null, "GET", "CAS server is unavailable", "Not authenticated." ] as Object[],
 			[ "HTTPS SysCA POST", "https://127.0.0.1:8444/cas.php", null, "POST", "CAS server is unavailable", "Not authenticated." ] as Object[],
+			// correct.crt is a leaf certificate - should fail
+			[ "HTTPS LeafCA", "https://127.0.0.1:8444/cas.php", "/tmp/correct.crt", null, "CAS server is unavailable", "Not authenticated." ] as Object[],
+			[ "HTTPS LeafCA GET", "https://127.0.0.1:8444/cas.php", "/tmp/correct.crt", "GET", "CAS server is unavailable", "Not authenticated." ] as Object[],
+			[ "HTTPS LeafCA POST", "https://127.0.0.1:8444/cas.php", "/tmp/correct.crt", "POST", "CAS server is unavailable", "Not authenticated." ] as Object[],
 			// wrongcn.crt does not contain correct.crt - should fail
 			[ "HTTPS WrongCA", "https://127.0.0.1:8444/cas.php", "/tmp/wrongcn.crt", null, "CAS server is unavailable", "Not authenticated." ] as Object[],
 			[ "HTTPS WrongCA GET", "https://127.0.0.1:8444/cas.php", "/tmp/wrongcn.crt", "GET", "CAS server is unavailable", "Not authenticated." ] as Object[],
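Review bot: The context comment on line 152, `// wrongcn.crt does not contain correct.crt - should fail`, is now stale: since this commit both files are leaf certificates issued by `/tmp/ca.crt`, so the `HTTPS WrongCA` rows fail for the same reason as the new `HTTPS LeafCA` rows on lines 148–151, and the comment should read `// wrongcn.crt is a leaf certificate, not the issuing CA - should fail`. More generally, every negative row here and in the third hunk of this file asserts only the generic `"CAS server is unavailable"` text, which cannot distinguish an untrusted-issuer rejection from a CN mismatch; if the client exposes the underlying error, asserting on it would make the `CA+WrongCN` rows in the third hunk prove what their name claims. The `data()` method begins before this hunk.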
@@ -45,10 +49,14 @@
 			[ "HTTPS2 WrongCA", "https://127.0.0.1:8445/cas.php", "/tmp/correct.crt", null, "CAS server is unavailable", "Not authenticated." ] as Object[],
 			[ "HTTPS2 WrongCA GET", "https://127.0.0.1:8445/cas.php", "/tmp/correct.crt", "GET", "CAS server is unavailable", "Not authenticated." ] as Object[],
 			[ "HTTPS2 WrongCA POST", "https://127.0.0.1:8445/cas.php", "/tmp/correct.crt", "POST", "CAS server is unavailable", "Not authenticated." ] as Object[],
+			// wrongcn.crt is a leaf certificate - should fail
+			[ "HTTPS2 WrongCN", "https://127.0.0.1:8445/cas.php", "/tmp/wrongcn.crt", null, "CAS server is unavailable", "Not authenticated." ] as Object[],
+			[ "HTTPS2 WrongCN GET", "https://127.0.0.1:8445/cas.php", "/tmp/wrongcn.crt", "GET", "CAS server is unavailable", "Not authenticated." ] as Object[],
+			[ "HTTPS2 WrongCN POST", "https://127.0.0.1:8445/cas.php", "/tmp/wrongcn.crt", "POST", "CAS server is unavailable", "Not authenticated." ] as Object[],
 			// wrongcn.crt is issued to 127.0.0.2, not 127.0.0.1 - should fail
-			[ "HTTPS2 CN", "https://127.0.0.1:8445/cas.php", "/tmp/wrongcn.crt", null, "CAS server is unavailable", "Not authenticated." ] as Object[],
-			[ "HTTPS2 CN GET", "https://127.0.0.1:8445/cas.php", "/tmp/wrongcn.crt", "GET", "CAS server is unavailable", "Not authenticated." ] as Object[],
-			[ "HTTPS2 CN POST", "https://127.0.0.1:8445/cas.php", "/tmp/wrongcn.crt", "POST", "CAS server is unavailable", "Not authenticated." ] as Object[],
+			[ "HTTPS2 CA+WrongCN", "https://127.0.0.1:8445/cas.php", "/tmp/ca.crt", null, "CAS server is unavailable", "Not authenticated." ] as Object[],
+			[ "HTTPS2 CA+WrongCN GET", "https://127.0.0.1:8445/cas.php", "/tmp/ca.crt", "GET", "CAS server is unavailable", "Not authenticated." ] as Object[],
+			[ "HTTPS2 CA+WrongCN POST", "https://127.0.0.1:8445/cas.php", "/tmp/ca.crt", "POST", "CAS server is unavailable", "Not authenticated." ] as Object[],
 		]
 	}
 	
