Support alternate service and ticket param names

For some reason (unknown to me) the Apereo java CAS client supports
configuring different query param names for 'service' and 'ticket'.
The combinations we have encountered in the wild for these are
TARGET and SAMLart. It is a requirement in Banner to use these
alernative names for "security".

Author: pradtke

tests/config/module_casserver.php

@@ -27,6 +27,9 @@
         '|https://override.example.com/|' => [
             'attrname' => 'uid',
             'attributes_to_transfer' => ['cn'],
+        ],
+        'http://changeTicketParam' => [
+            'ticketName' => 'myTicket',
         ]
     ],
 

tests/www/LoginIntegrationTest.php

@@ -3,6 +3,7 @@
 namespace Simplesamlphp\Casserver;
 
 use DOMDocument;
+use PHPUnit\Framework\TestCase;
 use SimpleSAML\Test\BuiltInServer;
 
 /**
@@ -13,11 +14,14 @@
  *
  * @package Simplesamlphp\Casserver
  */
-class LoginIntegrationTest extends \PHPUnit\Framework\TestCase
+class LoginIntegrationTest extends TestCase
 {
     /** @var string $LINK_URL */
     private static $LINK_URL = '/module.php/casserver/login.php';
 
+    /** @var string $VALIDATE_URL */
+    private static $VALIDATE_URL = '/module.php/casserver/serviceValidate.php';
+
     /**
      * @var string $SAMLVALIDATE_URL
      */
@@ -129,10 +133,13 @@ public function testWrongServiceUrl()
 
 
     /**
-     * test a valid service URL
+     * Test a valid service URL
+     * @dataProvider validServiceUrlProvider
+     * @param string $serviceParam The name of the query parameter to use for the service url
+     * @param string $ticketParam The name of the query parameter that will contain the ticket
      * @return void
      */
-    public function testValidServiceUrl()
+    public function testValidServiceUrl(string $serviceParam, string $ticketParam)
     {
         $service_url = 'http://host1.domain:1234/path1';
 
@@ -141,7 +148,7 @@ public function testValidServiceUrl()
         /** @var array $resp */
         $resp = $this->server->get(
             self::$LINK_URL,
-            ['service' => $service_url],
+            [$serviceParam => $service_url],
             [
                 CURLOPT_COOKIEJAR => $this->cookies_file,
                 CURLOPT_COOKIEFILE => $this->cookies_file
@@ -150,7 +157,71 @@ public function testValidServiceUrl()
         $this->assertEquals(302, $resp['code']);
 
         $this->assertStringStartsWith(
-            $service_url . '?ticket=ST-',
+            $service_url . '?' . $ticketParam . '=ST-',
+            $resp['headers']['Location'],
+            'Ticket should be part of the redirect.'
+        );
+
+        // Config ticket can be validated
+        $matches = [];
+        $this->assertEquals(1, preg_match("@$ticketParam=(.*)@", $resp['headers']['Location'], $matches));
+        $ticket = $matches[1];
+        $resp = $this->server->get(
+            self::$VALIDATE_URL,
+            [
+                $serviceParam => $service_url,
+                'ticket' => $ticket,
+                ],
+            [
+                CURLOPT_COOKIEJAR => $this->cookies_file,
+                CURLOPT_COOKIEFILE => $this->cookies_file
+            ]
+        );
+        $expectedResponse = '<?xml version="1.0"?>
+<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
+<cas:authenticationSuccess>
+<cas:user>testuser@example.com</cas:user>
+<cas:attributes>
+<cas:eduPersonPrincipalName>testuser@example.com</cas:eduPersonPrincipalName>
+<cas:base64Attributes>false</cas:base64Attributes>
+</cas:attributes>
+</cas:authenticationSuccess>
+</cas:serviceResponse>';
+        $this->assertEquals(200, $resp['code']);
+        $this->assertEquals($expectedResponse, $resp['body']);
+    }
+
+    public function validServiceUrlProvider(): array
+    {
+        return [
+            ['service', 'ticket'],
+            ['TARGET', 'SAMLart']
+        ];
+    }
+
+    /**
+     * Test changing the ticket name
+     * @return void
+     */
+    public function testValidTicketNameOverride()
+    {
+        $service_url = 'http://changeTicketParam/abc';
+
+        $this->authenticate();
+
+        /** @var array $resp */
+        $resp = $this->server->get(
+            self::$LINK_URL,
+            ['TARGET' => $service_url],
+            [
+                CURLOPT_COOKIEJAR => $this->cookies_file,
+                CURLOPT_COOKIEFILE => $this->cookies_file
+            ]
+        );
+        $this->assertEquals(302, $resp['code']);
+
+        $this->assertStringStartsWith(
+            $service_url . '?myTicket=ST-',
             $resp['headers']['Location'],
             'Ticket should be part of the redirect.'
         );

www/login.php

@@ -50,14 +50,16 @@
 $casconfig = Configuration::getConfig('module_casserver.php');
 $serviceValidator = new ServiceValidator($casconfig);
 
-if (isset($_GET['service'])) {
-    $serviceCasConfig = $serviceValidator->checkServiceURL(sanitize($_GET['service']));
+$serviceUrl = $_GET['service'] ?? $_GET['TARGET'] ?? null;
+
+if (isset($serviceUrl)) {
+    $serviceCasConfig = $serviceValidator->checkServiceURL(sanitize($serviceUrl));
     if (isset($serviceCasConfig)) {
         // Override the cas configuration to use for this service
         $casconfig = $serviceCasConfig;
     } else {
         $message = 'Service parameter provided to CAS server is not listed as a legal service: [service] = ' .
-            var_export($_GET['service'], true);
+            var_export($serviceUrl, true);
         Logger::debug('casserver:' . $message);
 
         throw new \Exception($message);
@@ -113,6 +115,10 @@
         $query['service'] = $_REQUEST['service'];
     }
 
+    if (isset($_REQUEST['TARGET'])) {
+        $query['TARGET'] = $_REQUEST['TARGET'];
+    }
+
     if (isset($_REQUEST['method'])) {
         $query['method'] = $_REQUEST['method'];
     }
@@ -174,12 +180,15 @@
     }
 }
 
-if (isset($_GET['service'])) {
+if (isset($serviceUrl)) {
+    $defaultTicketName = isset($_GET['service']) ? 'ticket' : 'SAMLart';
+    $ticketName = $casconfig->getValue('ticketName', $defaultTicketName);
+
     $attributeExtractor = new AttributeExtractor();
     $mappedAttributes = $attributeExtractor->extractUserAndAttributes($as->getAttributes(), $casconfig);
 
     $serviceTicket = $ticketFactory->createServiceTicket([
-        'service' => $_GET['service'],
+        'service' => $serviceUrl,
         'forceAuthn' => $forceAuthn,
         'userName' => $mappedAttributes['user'],
         'attributes' => $mappedAttributes['attributes'],
@@ -189,7 +198,7 @@
 
     $ticketStore->addTicket($serviceTicket);
 
-    $parameters['ticket'] = $serviceTicket['id'];
+    $parameters[$ticketName] = $serviceTicket['id'];
 
     $validDebugModes = ['true', 'samlValidate'];
     if (
@@ -205,7 +214,7 @@
         } else {
             $method = 'serviceValidate';
             // Fake some options for validateTicket
-            $_GET['ticket'] = $serviceTicket['id'];
+            $_GET[$ticketName] = $serviceTicket['id'];
             // We want to capture the output from echo used in validateTicket
             ob_start();
             require_once 'utility/validateTicket.php';
@@ -214,9 +223,9 @@
             echo '<pre>' . htmlspecialchars($casResponse) . '</pre>';
         }
     } elseif ($redirect) {
-        HTTP::redirectTrustedURL(HTTP::addURLParameters($_GET['service'], $parameters));
+        HTTP::redirectTrustedURL(HTTP::addURLParameters($serviceUrl, $parameters));
     } else {
-        HTTP::submitPOSTData($_GET['service'], $parameters);
+        HTTP::submitPOSTData($serviceUrl, $parameters);
     }
 } else {
     HTTP::redirectTrustedURL(

www/utility/validateTicket.php

@@ -41,8 +41,9 @@
 /** @var Cas20 $protocol */
 /** @psalm-suppress InvalidStringClass */
 $protocol = new $protocolClass($casconfig);
+$serviceUrl = $_GET['service'] ?? $_GET['TARGET'] ?? null;
 
-if (array_key_exists('service', $_GET) && array_key_exists('ticket', $_GET)) {
+if (isset($serviceUrl) && array_key_exists('ticket', $_GET)) {
     $forceAuthn = isset($_GET['renew']) && $_GET['renew'];
 
     try {
@@ -73,7 +74,7 @@
 
             if (
                 !$ticketFactory->isExpired($serviceTicket) &&
-                sanitize($serviceTicket['service']) == sanitize($_GET['service']) &&
+                sanitize($serviceTicket['service']) == sanitize($serviceUrl) &&
                 (!$forceAuthn || $serviceTicket['forceAuthn'])
             ) {
                 $protocol->setAttributes($attributes);
@@ -91,7 +92,7 @@
                             'userName' => $serviceTicket['userName'],
                             'attributes' => $attributes,
                             'forceAuthn' => false,
-                            'proxies' => array_merge([$_GET['service']], $serviceTicket['proxies']),
+                            'proxies' => array_merge([$serviceUrl], $serviceTicket['proxies']),
                             'sessionId' => $serviceTicket['sessionId']
                         ]);
                         try {
@@ -116,10 +117,10 @@
 
                     echo $protocol->getValidateFailureResponse('INVALID_TICKET', $message);
                 } else {
-                    if (sanitize($serviceTicket['service']) != sanitize($_GET['service'])) {
+                    if (sanitize($serviceTicket['service']) != sanitize($serviceUrl)) {
                         $message = 'Mismatching service parameters: expected ' .
                             var_export($serviceTicket['service'], true) .
-                            ' but was: ' . var_export($_GET['service'], true);
+                            ' but was: ' . var_export($serviceUrl, true);
 
                         \SimpleSAML\Logger::debug('casserver:' . $message);