Merge pull request #56 from timlegge/testapp-multiple-idp-support

Testapp multiple idp support

Author: timlegge

.gitignore

@@ -21,3 +21,4 @@ xt/testapp/sign-certonly-dsa.pem
 xt/testapp/sign-nopw-cert-dsa.pem
 xt/testapp/sign-private-dsa.pem
 Release-*
+xt/testapp/IdPs/*/*

xt/testapp/IdPs/.keep

@@ -33,7 +33,7 @@ Access http://localhost:3000
 
 ### Run lighttpd to proxy https to the Saml2Test application
 
-Many SAML2 Identity Providers will not allow the application (Service Provider) URL to be http and force you to specify https to use SAML2.  lighttpd is used to listen on port 443 and use https protocol so that the Identity Provider can redirect or POST to a https site.  lighttpd then proxies that communication to the Dancer application listening on port 3000.
+Many SAML2 Identity Providers will not allow the application (Service Provider) URL to be http and forces you to specify https to use SAML2.  lighttpd is used to listen on port 443 and use https protocol so that the Identity Provider can redirect or POST to a https site.  lighttpd then proxies that communication to the Dancer application listening on port 3000.
 
    1. cd xt/testapp
    2. sudo lighttpd -D -f lighttpd.conf
@@ -42,11 +42,30 @@ Note that the command requires sudo to allow it to use the default https port of
 
 TODO: maybe change it to use 8443
 
-### Create your metadata.xml file
+### Configure the testapp to connect to the Identity Provider
 
-Download the metadata for you configured application from your Identity Provider and save it to:
+The testapp now supports a simplified automatic configuration for testing against multiple Identity Providers (IdPs).
 
-    xt/testapp/metadata.xml
+   1. Simply create a directory in xt/testapp/IdPs for the name of the IdP (eg. google)
+   2. Download the metadata from your IdP and save it as IdPs/google/metadata.xml
+   3. Download the cacert.pem from the IdP and save it as IdPs/google/cacert.pem
+   4. Optionally create IdPs/google/config.yml for custom settings for the IdP (if the a custom config.yml does not exist it will refresh the settings from the default config.yml.
+
+The index page will automatically list each configured Identity Provider as a link to initiate login against that IdP.
+
+Your directory structure should look like:
+
+IdPs/
+    auth0/
+        cacert.pem
+        metadata.yml
+    azure/
+        cacert.pem
+        config.yml (optional)
+        metadata.yml
+    google/
+        cacert.pem
+        metadata.yml
 
 ### Run lighttpd to deliver metadata.xml
 
@@ -55,7 +74,7 @@ Net::SAML2 requires access to a URL containing the metadata.  The simplest metho
    1. cd xt/testapp
    2. lighttpd -D -f lighttpd-metadata.conf
 
-The metadata has been configured to be available at: http://localhost:8880/metadata.xml.
+The metadata has been configured to be available at: http://localhost:8880/metadata.xml.  The simplified IdP configuration will automatically access the metadata.xml at http://localhost:8880/IdPs/google/metadata.xml (if you followed the instructions above and created the google directory in xt/testapp/IdPs)
 
 Note that the configuration attempts to only deliver a file named metadata.xml from the xt/testapp directory.  There are no guarantees - this is a test application so verify your own security.
 

xt/testapp/README.md

@@ -2,13 +2,11 @@ layout: "main"
 #logger: "console"
 appname: "Saml2Test"
 charset: "UTF-8"
-
-idp: "http://localhost:8880/metadata.xml"
+template: "template_toolkit"
 issuer: "https://netsaml2-testapp.local"
 url: "https://netsaml2-testapp.local"
 cert: "sign-certonly.pem"
 key: "sign-nopw-cert.pem"
-cacert: "saml_cacert.pem"
 slo_url_soap: "/slo-soap"
 slo_url_redirect: "/sls-redirect-response"
 slo_url_post: "/sls-post-response"

xt/testapp/config.yml

@@ -16,14 +16,52 @@ Demo app to show use of Net::SAML2 as an SP.
 use Dancer ':syntax';
 use Net::SAML2;
 use MIME::Base64 qw/ decode_base64 /;
+use File::Slurper qw/ read_dir /;
 
-our $VERSION = '0.1';
+our $VERSION = '0.2';
 
 get '/' => sub {
-    template 'index';
+    if ( ! -x './IdPs' ) {
+        return "<html><pre>You must have a xt/testapp/IdPs directory</pre></html>";
+    }
+    my @dirs = read_dir('./IdPs');
+    my @idps;
+    for my $dir (sort @dirs) {
+        if ( $dir eq '.keep' ) { next ; }
+        my %tempidp;
+        $tempidp{'idp'} = $dir;
+        if ( -f "./IdPs/$dir/cacert.pem" ) {
+            $tempidp{'cacert'} = 'exists';
+        } else {
+            $tempidp{'cacert'} = 'missing';
+        }
+        if ( -f "./IdPs/$dir/metadata.xml" ) {
+            $tempidp{'metadata'} = 'exists';
+        } else {
+            $tempidp{'metadata'} = 'missing';
+        }
+        push @idps, \%tempidp;
+    }
+
+    template 'index', { 'idps' => \@idps };
 };
 
 get '/login' => sub {
+
+    config->{cacert} = 'IdPs/' . params->{idp} . '/cacert.pem';
+    config->{idp} = 'http://localhost:8880/IdPs/' . params->{idp} . '/metadata.xml';
+    if ( -f 'IdPs/' . params->{idp} . '/config.yml' ) {
+        my $config_file = YAML::LoadFile('IdPs/' . params->{idp} . '/config.yml');
+        for my $key (keys %$config_file) {
+            config->{$key} = $config_file->{$key};
+        }
+    } else {
+        my $config_file = YAML::LoadFile('config.yml');
+        for my $key (keys %$config_file) {
+            config->{$key} = $config_file->{$key};
+        }
+
+    }
     my $idp = _idp();
     my $sp = _sp();
     my $authnreq = $sp->authn_request(
@@ -86,7 +124,7 @@ get '/logout-soap' => sub {
         cert	 => 'sign-nopw-cert.pem',
         url	 => $slo_url,
         idp_cert => $idp_cert,
-        cacert   => 'saml_cacert.pem',
+        cacert   => config->{cacert},
     );
 
     my $res = $soap->request($logoutreq);
@@ -97,7 +135,7 @@ get '/logout-soap' => sub {
 
 post '/consumer-post' => sub {
     my $post = Net::SAML2::Binding::POST->new(
-        cacert => 'saml_cacert.pem',
+        cacert => config->{cacert},
     );
     my $ret = $post->handle_response(
         params->{SAMLResponse}
@@ -226,7 +264,7 @@ sub _sp {
 sub _idp {
     my $idp = Net::SAML2::IdP->new_from_url(
         url    => config->{idp},
-        cacert => 'saml_cacert.pem',
+        cacert => config->{cacert},
         sls_force_lcase_url_encoding => config->{sls_force_lcase_url_encoding},
         sls_double_encoded_response => config->{sls_double_encoded_response}
     );

xt/testapp/lib/Saml2Test.pm

@@ -24,7 +24,7 @@ $HTTP["host"] != "localhost" {
 
 $HTTP["host"] == "localhost" {
 
-    $HTTP["url"] !~ "^/metadata.xml" {
+    $HTTP["url"] !~ "metadata.xml" {
         url.access-deny = ("")
     }
     url.access-deny = ("disable")

xt/testapp/lighttpd-metadata.conf

@@ -1,6 +1,7 @@
 server.document-root = var.CWD + "/"
 server.modules = (
    "mod_openssl",
+   "mod_rewrite",
    "mod_proxy"
 )
 
@@ -34,9 +35,12 @@ setenv.add-environment = ("PATH" => env.PATH )
 # request debugging - UNCOMMENT TO ENABLE
 debug.log-request-handling = "enable"
 
-$HTTP["host"] == "netsaml2-testapp.local" {
-    proxy.server  = ( "" => ( (
-            "host" => "127.0.0.1",
-            "port" => 3000
-    ) ) )
-}
+url.rewrite-repeat = (
+  "^/bin/login" => "/consumer-post",
+  "^/bin/logout(.*)" => "/sls-redirect-response$1"
+)
+
+proxy.server  = ( "" => ( (
+    "host" => "127.0.0.1",
+    "port" => 3000
+) ) )

xt/testapp/lighttpd.conf

@@ -8,7 +8,7 @@ use Dancer::Test;
 
 route_exists [GET => '/'], 'a route handler is defined for /';
 response_status_is ['GET' => '/'], 200, 'response status is 200 for /';
-response_content_like [GET => '/'], qr/Log In/s,
+response_content_like [GET => '/'], qr/Login with/s,
     'content looks OK for /';
 
 done_testing;

xt/testapp/t/002_index_route.t

@@ -1,3 +1,22 @@
-<p><a href="/metadata.xml">SP Metadata</a></p>
+    <% if idps.size >= 1 %>
+        <h2>Login with:</h2>
+    <ul>
+        <% FOREACH provider IN idps %>
+            <li><h3><a href ="/login?idp=<% provider.idp %>"><% provider.idp %> </a>
+            <% if provider.metadata == 'missing' %>metadata missing <% end %>
+            <% if provider.cacert == 'missing' %>cacert missing<% end %>
+            </h3>
+        <% END %>
+    </ul>
+    <% else %>
+        <h2>No Identity Providers (IdP) found!</h2>
+        <h3>Configure an Idp</h3>
+        <ol>
+            <li>Simply create a directory in xt/testapp/IdPs for the name of the IdP (eg. <i>google</i>)
+            <li>Download the metadata from your IdP and save it to IdPs/<i>google</i>/metadata.xml
+            <li>Download the cacert.pem from the IdP and save it to IdPs/<i>google</i>/cacert.pem
+        </ol>
+    <% end %>
+
+    <h2>Download SP <a href="/metadata.xml">Metadata</a></h2>
 
-<p><a href="/login">Log In</a></p>

xt/testapp/views/index.tt

@@ -1,4 +1,4 @@
-<h1>User: <% assertion.nameid %></h1>
+<h1>NameID: <% assertion.nameid %></h1>
 
 <p><a href="/logout-redirect?nameid=<% assertion.nameid | html %>&session=<% assertion.session | html %>">Logout (redirect binding)</a></p>
 
@@ -17,25 +17,21 @@
     <td>Issuer</td>
     <td><% assertion.issuer %></td>
   </tr>
-  <tr>
-    <td>DN</td>
-    <td><% assertion.attributes.DN %></td>
-  </tr>
-  <tr>
-    <td>CN</td>
-    <td><% assertion.attributes.CN %></td>
-  </tr>
   <tr>
     <td>EmailAddress</td>
-    <td><% assertion.attributes.EmailAddress %></td>
+    <td><% assertion.attributes.EmailAddress.0 %></td>
   </tr>
   <tr>
     <td>FirstName</td>
-    <td><% assertion.attributes.FirstName %></td>
+    <td><% assertion.attributes.FirstName.0 %><% assertion.attributes.fname.0 %></td>
+  </tr>
+  <tr>
+    <td>LastName</td>
+    <td><% assertion.attributes.LastName.0 %><% assertion.attributes.lname.0 %></td>
   </tr>
   <tr>
     <td>Address</td>
-    <td><% assertion.attributes.Address %></td>
+    <td><% assertion.attributes.Address.0 %></td>
   </tr>
   <tr>
     <td>Phone</td>
@@ -45,5 +41,4 @@
     <td>EmployeeNumber</td>
     <td><% assertion.attributes.EmployeeNumber %></td>
   </tr>
-  <% end %>
 </table>