Merge pull request #27 from cirrusidentity/feature/alt-ticketname-support

pradtke · web-flow · commit e3fba5ec7020 · 2020-01-16T12:42:25.000+13:00
Support alternate service and ticket param names
diff --git a/tests/config/module_casserver.php b/tests/config/module_casserver.php
@@ -27,6 +27,9 @@
         '|https://override.example.com/|' => [
             'attrname' => 'uid',
             'attributes_to_transfer' => ['cn'],
+        ],
+        'http://changeTicketParam' => [
+            'ticketName' => 'myTicket',
         ]
     ],
 
diff --git a/tests/www/LoginIntegrationTest.php b/tests/www/LoginIntegrationTest.php
@@ -3,6 +3,7 @@
 namespace Simplesamlphp\Casserver;
 
 use DOMDocument;
+use PHPUnit\Framework\TestCase;
 use SimpleSAML\Test\BuiltInServer;
 
 /**
@@ -13,11 +14,14 @@
  *
  * @package Simplesamlphp\Casserver
  */
-class LoginIntegrationTest extends \PHPUnit\Framework\TestCase
+class LoginIntegrationTest extends TestCase
 {
     /** @var string $LINK_URL */
     private static $LINK_URL = '/module.php/casserver/login.php';
 
+    /** @var string $VALIDATE_URL */
+    private static $VALIDATE_URL = '/module.php/casserver/serviceValidate.php';
+
     /**
      * @var string $SAMLVALIDATE_URL
      */
@@ -129,10 +133,13 @@ public function testWrongServiceUrl()
 
 
     /**
-     * test a valid service URL
+     * Test a valid service URL
+     * @dataProvider validServiceUrlProvider
+     * @param string $serviceParam The name of the query parameter to use for the service url
+     * @param string $ticketParam The name of the query parameter that will contain the ticket
      * @return void
      */
-    public function testValidServiceUrl()
+    public function testValidServiceUrl(string $serviceParam, string $ticketParam)
     {
         $service_url = 'http://host1.domain:1234/path1';
 
@@ -141,7 +148,7 @@ public function testValidServiceUrl()
         /** @var array $resp */
         $resp = $this->server->get(
             self::$LINK_URL,
-            ['service' => $service_url],
+            [$serviceParam => $service_url],
             [
                 CURLOPT_COOKIEJAR => $this->cookies_file,
                 CURLOPT_COOKIEFILE => $this->cookies_file
@@ -150,7 +157,71 @@ public function testValidServiceUrl()
         $this->assertEquals(302, $resp['code']);
 
         $this->assertStringStartsWith(
-            $service_url . '?ticket=ST-',
+            $service_url . '?' . $ticketParam . '=ST-',
+            $resp['headers']['Location'],
+            'Ticket should be part of the redirect.'
+        );
+
+        // Config ticket can be validated
+        $matches = [];
+        $this->assertEquals(1, preg_match("@$ticketParam=(.*)@", $resp['headers']['Location'], $matches));
+        $ticket = $matches[1];
+        $resp = $this->server->get(
+            self::$VALIDATE_URL,
+            [
+                $serviceParam => $service_url,
+                'ticket' => $ticket,
+                ],
+            [
+                CURLOPT_COOKIEJAR => $this->cookies_file,
+                CURLOPT_COOKIEFILE => $this->cookies_file
+            ]
+        );
+        $expectedResponse = '<?xml version="1.0"?>
+<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
+<cas:authenticationSuccess>
+<cas:user>testuser@example.com</cas:user>
+<cas:attributes>
+<cas:eduPersonPrincipalName>testuser@example.com</cas:eduPersonPrincipalName>
+<cas:base64Attributes>false</cas:base64Attributes>
+</cas:attributes>
+</cas:authenticationSuccess>
+</cas:serviceResponse>';
+        $this->assertEquals(200, $resp['code']);
+        $this->assertEquals($expectedResponse, $resp['body']);
+    }
+
+    public function validServiceUrlProvider(): array
+    {
+        return [
+            ['service', 'ticket'],
+            ['TARGET', 'SAMLart']
+        ];
+    }
+
+    /**
+     * Test changing the ticket name
+     * @return void
+     */
+    public function testValidTicketNameOverride()
+    {
+        $service_url = 'http://changeTicketParam/abc';
+
+        $this->authenticate();
+
+        /** @var array $resp */
+        $resp = $this->server->get(
+            self::$LINK_URL,
+            ['TARGET' => $service_url],
+            [
+                CURLOPT_COOKIEJAR => $this->cookies_file,
+                CURLOPT_COOKIEFILE => $this->cookies_file
+            ]
+        );
+        $this->assertEquals(302, $resp['code']);
+
+        $this->assertStringStartsWith(
+            $service_url . '?myTicket=ST-',
             $resp['headers']['Location'],
             'Ticket should be part of the redirect.'
         );
diff --git a/www/login.php b/www/login.php
@@ -50,14 +50,16 @@
 $casconfig = Configuration::getConfig('module_casserver.php');
 $serviceValidator = new ServiceValidator($casconfig);
 
-if (isset($_GET['service'])) {
-    $serviceCasConfig = $serviceValidator->checkServiceURL(sanitize($_GET['service']));
+$serviceUrl = $_GET['service'] ?? $_GET['TARGET'] ?? null;
+
+if (isset($serviceUrl)) {
+    $serviceCasConfig = $serviceValidator->checkServiceURL(sanitize($serviceUrl));
     if (isset($serviceCasConfig)) {
         // Override the cas configuration to use for this service
         $casconfig = $serviceCasConfig;
     } else {
         $message = 'Service parameter provided to CAS server is not listed as a legal service: [service] = ' .
-            var_export($_GET['service'], true);
+            var_export($serviceUrl, true);
         Logger::debug('casserver:' . $message);
 
         throw new \Exception($message);
@@ -113,6 +115,10 @@
         $query['service'] = $_REQUEST['service'];
     }
 
+    if (isset($_REQUEST['TARGET'])) {
+        $query['TARGET'] = $_REQUEST['TARGET'];
+    }
+
     if (isset($_REQUEST['method'])) {
         $query['method'] = $_REQUEST['method'];
     }
@@ -174,12 +180,15 @@
     }
 }
 
-if (isset($_GET['service'])) {
+if (isset($serviceUrl)) {
+    $defaultTicketName = isset($_GET['service']) ? 'ticket' : 'SAMLart';
+    $ticketName = $casconfig->getValue('ticketName', $defaultTicketName);
+
     $attributeExtractor = new AttributeExtractor();
     $mappedAttributes = $attributeExtractor->extractUserAndAttributes($as->getAttributes(), $casconfig);
 
     $serviceTicket = $ticketFactory->createServiceTicket([
-        'service' => $_GET['service'],
+        'service' => $serviceUrl,
         'forceAuthn' => $forceAuthn,
         'userName' => $mappedAttributes['user'],
         'attributes' => $mappedAttributes['attributes'],
@@ -189,7 +198,7 @@
 
     $ticketStore->addTicket($serviceTicket);
 
-    $parameters['ticket'] = $serviceTicket['id'];
+    $parameters[$ticketName] = $serviceTicket['id'];
 
     $validDebugModes = ['true', 'samlValidate'];
     if (
@@ -205,7 +214,7 @@
         } else {
             $method = 'serviceValidate';
             // Fake some options for validateTicket
-            $_GET['ticket'] = $serviceTicket['id'];
+            $_GET[$ticketName] = $serviceTicket['id'];
             // We want to capture the output from echo used in validateTicket
             ob_start();
             require_once 'utility/validateTicket.php';
@@ -214,9 +223,9 @@
             echo '<pre>' . htmlspecialchars($casResponse) . '</pre>';
         }
     } elseif ($redirect) {
-        HTTP::redirectTrustedURL(HTTP::addURLParameters($_GET['service'], $parameters));
+        HTTP::redirectTrustedURL(HTTP::addURLParameters($serviceUrl, $parameters));
     } else {
-        HTTP::submitPOSTData($_GET['service'], $parameters);
+        HTTP::submitPOSTData($serviceUrl, $parameters);
     }
 } else {
     HTTP::redirectTrustedURL(
diff --git a/www/utility/validateTicket.php b/www/utility/validateTicket.php
@@ -41,8 +41,9 @@
 /** @var Cas20 $protocol */
 /** @psalm-suppress InvalidStringClass */
 $protocol = new $protocolClass($casconfig);
+$serviceUrl = $_GET['service'] ?? $_GET['TARGET'] ?? null;
 
-if (array_key_exists('service', $_GET) && array_key_exists('ticket', $_GET)) {
+if (isset($serviceUrl) && array_key_exists('ticket', $_GET)) {
     $forceAuthn = isset($_GET['renew']) && $_GET['renew'];
 
     try {
@@ -73,7 +74,7 @@
 
             if (
                 !$ticketFactory->isExpired($serviceTicket) &&
-                sanitize($serviceTicket['service']) == sanitize($_GET['service']) &&
+                sanitize($serviceTicket['service']) == sanitize($serviceUrl) &&
                 (!$forceAuthn || $serviceTicket['forceAuthn'])
             ) {
                 $protocol->setAttributes($attributes);
@@ -91,7 +92,7 @@
                             'userName' => $serviceTicket['userName'],
                             'attributes' => $attributes,
                             'forceAuthn' => false,
-                            'proxies' => array_merge([$_GET['service']], $serviceTicket['proxies']),
+                            'proxies' => array_merge([$serviceUrl], $serviceTicket['proxies']),
                             'sessionId' => $serviceTicket['sessionId']
                         ]);
                         try {
@@ -116,10 +117,10 @@
 
                     echo $protocol->getValidateFailureResponse('INVALID_TICKET', $message);
                 } else {
-                    if (sanitize($serviceTicket['service']) != sanitize($_GET['service'])) {
+                    if (sanitize($serviceTicket['service']) != sanitize($serviceUrl)) {
                         $message = 'Mismatching service parameters: expected ' .
                             var_export($serviceTicket['service'], true) .
-                            ' but was: ' . var_export($_GET['service'], true);
+                            ' but was: ' . var_export($serviceUrl, true);
 
                         \SimpleSAML\Logger::debug('casserver:' . $message);
 

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,9 @@`
`27`	`27`	`'\|https://override.example.com/\|' => [`
`28`	`28`	`'attrname' => 'uid',`
`29`	`29`	`'attributes_to_transfer' => ['cn'],`
	`30`	`+ ],`
	`31`	`+ 'http://changeTicketParam' => [`
	`32`	`+ 'ticketName' => 'myTicket',`
`30`	`33`	`]`
`31`	`34`	`],`
`32`	`35`