// Copyright 2023 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package integration

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/cookiejar"
	"net/url"
	"os"
	"regexp"
	"strings"
	"testing"
	"time"

	"code.gitea.io/gitea/models/auth"
	"code.gitea.io/gitea/models/db"
	user_model "code.gitea.io/gitea/models/user"
	"code.gitea.io/gitea/modules/setting"
	"code.gitea.io/gitea/modules/test"
	"code.gitea.io/gitea/services/auth/source/saml"
	"code.gitea.io/gitea/tests"

	"github.com/stretchr/testify/assert"
)

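// TestSAMLRegistration walks an SP-initiated SAML login against a SimpleSAMLphp
// identity provider and checks that a first-time SAML login can be turned into a
// newly created, linked Gitea account.
//
// A reachable IdP is required: in CI on PostgreSQL the test talks to
// localhost:8080, otherwise it reads TEST_SIMPLESAML_URL and skips when unset.
// The auth source leaves InsecureSkipAssertionSignatureValidation false, so the
// ACS step is not run with signature validation switched off.
func TestSAMLRegistration(t *testing.T) {
	defer tests.PrepareTestEnv(t)()

	samlURL := "localhost:8080"

	if os.Getenv("CI") == "" || !setting.Database.Type.IsPostgreSQL() {
		// Make it possible to run tests against a local simplesaml instance
		samlURL = os.Getenv("TEST_SIMPLESAML_URL")
		if samlURL == "" {
			t.Skip("TEST_SIMPLESAML_URL not set and not running in CI")
		}
	}

	privateKey, cert, err := saml.GenerateSAMLSPKeypair()
	if !assert.NoError(t, err) {
		t.FailNow()
	}

	// verify that the generated keypair is a parseable PEM certificate/key pair;
	// stop here on failure, keyPair.Certificate would be empty below
	keyPair, err := tls.X509KeyPair([]byte(cert), []byte(privateKey))
	if !assert.NoError(t, err) {
		t.FailNow()
	}
	keyPair.Leaf, err = x509.ParseCertificate(keyPair.Certificate[0])
	assert.NoError(t, err)

	assert.NoError(t, auth.CreateSource(db.DefaultContext, &auth.Source{
		Type:          auth.SAML,
		Name:          "test-sp",
		IsActive:      true,
		IsSyncEnabled: false,
		Cfg: &saml.Source{
			IdentityProviderMetadata: "",
			// plain http is only acceptable because the IdP is a local test instance
			IdentityProviderMetadataURL:              fmt.Sprintf("http://%s/simplesaml/saml2/idp/metadata.php", samlURL),
			InsecureSkipAssertionSignatureValidation: false,
			NameIDFormat:                             4,
			ServiceProviderCertificate:               "", // SimpleSAMLPhp requires that the SP certificate be specified in the server configuration rather than SP metadata
			ServiceProviderPrivateKey:                "",
			EmailAssertionKey:                        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
			NameAssertionKey:                         "http://schemas.xmlsoap.org/claims/CommonName",
			UsernameAssertionKey:                     "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
			IconURL:                                  "",
		},
	}))

	// the SP metadata endpoint must be served
	req := NewRequest(t, "GET", "/user/saml/test-sp/metadata")
	MakeRequest(t, req, http.StatusOK)

	// starting the login redirects the browser to the IdP
	req = NewRequest(t, "GET", "/user/saml/test-sp")
	resp := MakeRequest(t, req, http.StatusTemporaryRedirect)

	samlResponse := loginAtSimpleSAML(t, test.RedirectURL(resp))

	// a fresh, unauthenticated session posts the IdP's response to the ACS;
	// the unknown subject must land on the link-account page
	session := emptyTestSession(t)

	req = NewRequestWithValues(t, "POST", "/user/saml/test-sp/acs", map[string]string{
		"SAMLResponse": samlResponse,
	})
	resp = session.MakeRequest(t, req, http.StatusSeeOther)
	assert.Equal(t, "/user/link_account", test.RedirectURL(resp))

	csrf := GetCSRF(t, session, test.RedirectURL(resp))

	// link the account
	req = NewRequestWithValues(t, "POST", "/user/link_account_signup", map[string]string{
		"_csrf":     csrf,
		"user_name": "samluser",
		"email":     "saml@example.com",
	})

	resp = session.MakeRequest(t, req, http.StatusSeeOther)
	assert.Equal(t, "/", test.RedirectURL(resp))

	// verify that the user was created
	u, err := user_model.GetUserByEmail(db.DefaultContext, "saml@example.com")
	if !assert.NoError(t, err) {
		t.FailNow()
	}
	assert.NotNil(t, u)
	assert.Equal(t, "samluser", u.Name)
}

// loginAtSimpleSAML follows the SP-initiated redirect starting at startURL to the
// SimpleSAMLphp login page, submits the test user's credentials and returns the
// SAMLResponse value from the auto-submit form the IdP renders afterwards.
// Every step that later code depends on fails the test immediately instead of
// continuing with nil results.
func loginAtSimpleSAML(t *testing.T, startURL string) string {
	t.Helper()

	jar, err := cookiejar.New(nil)
	if !assert.NoError(t, err) {
		t.FailNow()
	}

	// capture the final redirect destination: the IdP login form the
	// credentials have to be POSTed to
	var formRedirectURL *url.URL
	client := http.Client{
		Timeout: 30 * time.Second,
		Jar:     jar,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			formRedirectURL = req.URL
			return nil
		},
	}

	httpReq, err := http.NewRequest("GET", startURL, nil)
	if !assert.NoError(t, err) {
		t.FailNow()
	}

	res, err := client.Do(httpReq)
	client.CheckRedirect = nil
	if !assert.NoError(t, err) {
		t.FailNow()
	}
	// the login page itself is not inspected; drain and close it so the
	// connection can be reused and the body is not leaked
	_, _ = io.Copy(io.Discard, res.Body)
	assert.NoError(t, res.Body.Close())
	assert.Equal(t, http.StatusOK, res.StatusCode)
	if !assert.NotNil(t, formRedirectURL) {
		t.FailNow()
	}

	form := url.Values{
		"username": {"user1"},
		"password": {"user1pass"},
	}

	httpReq, err = http.NewRequest("POST", formRedirectURL.String(), strings.NewReader(form.Encode()))
	if !assert.NoError(t, err) {
		t.FailNow()
	}
	httpReq.Header.Add("Content-Type", "application/x-www-form-urlencoded")

	res, err = client.Do(httpReq)
	if !assert.NoError(t, err) {
		t.FailNow()
	}
	assert.Equal(t, http.StatusOK, res.StatusCode)

	body, err := io.ReadAll(res.Body)
	assert.NoError(t, res.Body.Close())
	if !assert.NoError(t, err) {
		t.FailNow()
	}

	// the IdP answers with a self-submitting form carrying the SAMLResponse;
	// without a match, indexing matches[1] would panic rather than fail cleanly
	samlResMatcher := regexp.MustCompile(`<input.*?name="SAMLResponse".*?value="([^"]+)".*?>`)
	matches := samlResMatcher.FindStringSubmatch(string(body))
	if !assert.Len(t, matches, 2) {
		t.FailNow()
	}
	return matches[1]
}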