mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
17279 Commits
17 Branches
Tree: 875f5ea6d8
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '875f5ea6d8'
${ noResults }
gitea/tests/integration/saml_test.go

saml_test.go 4.5KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150 
  1. // Copyright 2023 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package integration

  5. 

  6. import (

  7. 	"crypto/tls"

  8. 	"crypto/x509"

  9. 	"fmt"

  10. 	"io"

  11. 	"net/http"

  12. 	"net/http/cookiejar"

  13. 	"net/url"

  14. 	"os"

  15. 	"regexp"

  16. 	"strings"

  17. 	"testing"

  18. 	"time"

  19. 

  20. 	"code.gitea.io/gitea/models/auth"

  21. 	"code.gitea.io/gitea/models/db"

  22. 	user_model "code.gitea.io/gitea/models/user"

  23. 	"code.gitea.io/gitea/modules/setting"

  24. 	"code.gitea.io/gitea/modules/test"

  25. 	"code.gitea.io/gitea/services/auth/source/saml"

  26. 	"code.gitea.io/gitea/tests"

  27. 

  28. 	"github.com/stretchr/testify/assert"

  29. )

  30. 

  31. func TestSAMLRegistration(t *testing.T) {

  32. 	defer tests.PrepareTestEnv(t)()

  33. 

  34. 	samlURL := "localhost:8080"

  35. 

  36. 	if os.Getenv("CI") == "" || !setting.Database.Type.IsPostgreSQL() {

  37. 		// Make it possible to run tests against a local simplesaml instance

  38. 		samlURL = os.Getenv("TEST_SIMPLESAML_URL")

  39. 		if samlURL == "" {

  40. 			t.Skip("TEST_SIMPLESAML_URL not set and not running in CI")

  41. 			return

  42. 		}

  43. 	}

  44. 

  45. 	privateKey, cert, err := saml.GenerateSAMLSPKeypair()

  46. 	assert.NoError(t, err)

  47. 

  48. 	// verify that the keypair can be parsed

  49. 	keyPair, err := tls.X509KeyPair([]byte(cert), []byte(privateKey))

  50. 	assert.NoError(t, err)

  51. 	keyPair.Leaf, err = x509.ParseCertificate(keyPair.Certificate[0])

  52. 	assert.NoError(t, err)

  53. 

  54. 	assert.NoError(t, auth.CreateSource(db.DefaultContext, &auth.Source{

  55. 		Type:          auth.SAML,

  56. 		Name:          "test-sp",

  57. 		IsActive:      true,

  58. 		IsSyncEnabled: false,

  59. 		Cfg: &saml.Source{

  60. 			IdentityProviderMetadata:                 "",

  61. 			IdentityProviderMetadataURL:              fmt.Sprintf("http://%s/simplesaml/saml2/idp/metadata.php", samlURL),

  62. 			InsecureSkipAssertionSignatureValidation: false,

  63. 			NameIDFormat:                             4,

  64. 			ServiceProviderCertificate:               "", // SimpleSAMLPhp requires that the SP certificate be specified in the server configuration rather than SP metadata

  65. 			ServiceProviderPrivateKey:                "",

  66. 			EmailAssertionKey:                        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",

  67. 			NameAssertionKey:                         "http://schemas.xmlsoap.org/claims/CommonName",

  68. 			UsernameAssertionKey:                     "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",

  69. 			IconURL:                                  "",

  70. 		},

  71. 	}))

  72. 

  73. 	// check the saml metadata url

  74. 	req := NewRequest(t, "GET", "/user/saml/test-sp/metadata")

  75. 	MakeRequest(t, req, http.StatusOK)

  76. 

  77. 	req = NewRequest(t, "GET", "/user/saml/test-sp")

  78. 	resp := MakeRequest(t, req, http.StatusTemporaryRedirect)

  79. 

  80. 	jar, err := cookiejar.New(nil)

  81. 	assert.NoError(t, err)

  82. 

  83. 	client := http.Client{

  84. 		Timeout: 30 * time.Second,

  85. 		Jar:     jar,

  86. 	}

  87. 

  88. 	httpReq, err := http.NewRequest("GET", test.RedirectURL(resp), nil)

  89. 	assert.NoError(t, err)

  90. 

  91. 	var formRedirectURL *url.URL

  92. 	client.CheckRedirect = func(req *http.Request, via []*http.Request) error {

  93. 		// capture the redirected destination to use in POST request

  94. 		formRedirectURL = req.URL

  95. 		return nil

  96. 	}

  97. 

  98. 	res, err := client.Do(httpReq)

  99. 	client.CheckRedirect = nil

  100. 	assert.NoError(t, err)

  101. 	assert.Equal(t, http.StatusOK, res.StatusCode)

  102. 	assert.NotNil(t, formRedirectURL)

  103. 

  104. 	form := url.Values{

  105. 		"username": {"user1"},

  106. 		"password": {"user1pass"},

  107. 	}

  108. 

  109. 	httpReq, err = http.NewRequest("POST", formRedirectURL.String(), strings.NewReader(form.Encode()))

  110. 	assert.NoError(t, err)

  111. 	httpReq.Header.Add("Content-Type", "application/x-www-form-urlencoded")

  112. 

  113. 	res, err = client.Do(httpReq)

  114. 	assert.NoError(t, err)

  115. 	assert.Equal(t, http.StatusOK, res.StatusCode)

  116. 

  117. 	body, err := io.ReadAll(res.Body)

  118. 	assert.NoError(t, err)

  119. 

  120. 	samlResMatcher := regexp.MustCompile(`<input.*?name="SAMLResponse".*?value="([^"]+)".*?>`)

  121. 	matches := samlResMatcher.FindStringSubmatch(string(body))

  122. 	assert.Len(t, matches, 2)

  123. 	assert.NoError(t, res.Body.Close())

  124. 

  125. 	session := emptyTestSession(t)

  126. 

  127. 	req = NewRequestWithValues(t, "POST", "/user/saml/test-sp/acs", map[string]string{

  128. 		"SAMLResponse": matches[1],

  129. 	})

  130. 	resp = session.MakeRequest(t, req, http.StatusSeeOther)

  131. 	assert.Equal(t, test.RedirectURL(resp), "/user/link_account")

  132. 

  133. 	csrf := GetCSRF(t, session, test.RedirectURL(resp))

  134. 

  135. 	// link the account

  136. 	req = NewRequestWithValues(t, "POST", "/user/link_account_signup", map[string]string{

  137. 		"_csrf":     csrf,

  138. 		"user_name": "samluser",

  139. 		"email":     "saml@example.com",

  140. 	})

  141. 

  142. 	resp = session.MakeRequest(t, req, http.StatusSeeOther)

  143. 	assert.Equal(t, test.RedirectURL(resp), "/")

  144. 

  145. 	// verify that the user was created

  146. 	u, err := user_model.GetUserByEmail(db.DefaultContext, "saml@example.com")

  147. 	assert.NoError(t, err)

  148. 	assert.NotNil(t, u)

  149. 	assert.Equal(t, "samluser", u.Name)

  150. }