CAS Functional Tests

This page is an attempt to enumerate a set of functional tests for CAS 2.0 that will test every aspect of login and validation.

User Acceptance Tests

Let's call these our "User Acceptance Tests" since they require a user to manually step through them to accept a release of CAS, and use the term "functional tests" as shorthand for our automated functional tests. Ideally, all of these would become automated functional tests in our test suite. -Andrew Petro

Login Tests

Note: it is assumed at each Step 1 that you are starting with a clean session (no TGT cookie in your browser).

Incorrect credentials

1. visit /login
2. submit incorrect credentials
3. see "bad username/password" error

Correct credentials, no service, SSO test

1. visit /login
2. submit correct credentials
3. see "you have been logged in"
4. visit /login
5. see "you have been logged in"

Correct credentials, with service, logout test

1. visit /login?service=foo
2. submit correct credentials
3. you should be redirected to foo with a valid service ticket
4. visit /logout
5. Verify that CAS overwrote the TGT cookie
6. visit /login?service=foo
7. see form asking for credentials

Gateway

1. visit /login?service=foo
2. Submit correct credentials
3. You should be redirected to foo with a valid service ticket
4. visit /login?service=bar&gateway=true
5. You should be redirected to bar with a valid service ticket

Correct credentials, warn, warn & gateway

1. visit /login?service=foo
2. submit correct credentials and check "warn"
3. you should be redirected to foo
4. visit /login?service=bar
5. you should receive a warning with a link to click to go to bar with a valid service ticket
6. visit /login?service=bar&gateway=true
7. you should receive a warning with a link to click to go to bar with a valid service ticket

No credentials, gateway

1. visit /login?service=foo&gateway=true
2. you should be redirected to foo with no ticket parameter on the URL

Logging in as someone else

1. visit /login?service=foo
2. submit correct credentials for user A
3. you should be redirected to foo
4. visit /login?service=bar&renew=true
5. You should be prompted for username and password.
6. submit correct credentials for user B
7. You should receive a new TGT and a service ticket for user B. The TGT cookie for user A should be destroyed.

Validation Tests

For each of the tests below, first run the login Steps 1-3, then begin the test itself at its Step 4.

Login steps for all validation tests

1. visit /login?service=foo
2. enter correct credentials
3. you should be redirected to foo with a valid service ticket

CAS 1.0 validation

4. present the service ticket to /validate?service=foo&ticket=[ticket from Step 3]
5. you should get back:

yes\n
netid\n

6. reload /validate?service=foo&ticket=[ticket from Step 3]
7. you should get back:

no\n
\n

CAS 1.0 validation failure (bad ticket, wrong service)

4. visit /validate?service=foo&ticket=foo
5. you should get back:

no\n
\n

6. visit /validate?service=bar&ticket=[ticket from Step 3]
7. you should get back:

no\n
\n

CAS 2.0 validation

4. visit /serviceValidate?service=foo&ticket=[ticket from Step 3]
5. you should get back:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>netid</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>

6. reload /serviceValidate?service=foo&ticket=[ticket from Step 3]
7. you should get back:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket '[ticket from Step 3]' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>

CAS 2.0 unsuccessful validation (bad ticket, wrong service)

4. visit /serviceValidate?service=foo&ticket=foo
5. you should get back:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket 'foo' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>

6. visit /serviceValidate?service=bar&ticket=[ticket from Step 3]
7. you should get back:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_SERVICE'>
    ticket '[ticket from Step 3]' does not match supplied service
  </cas:authenticationFailure>
</cas:serviceResponse>

CAS 2.0 validation, acquire proxy-granting ticket, proxy authentication

Note: for this test, you will need a proxy callback listener set up that can provide you with access to the PGT. This callback listener needs to have an https certificate that is trusted by the CAS server. TODO: explain how or provide a link.

4. visit /serviceValidate?service=foo&ticket=[ticket from Step 3]&pgtUrl=[URL of callback]
5. you should get back:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>netid</cas:user>
    <cas:proxyGrantingTicket>[valid PGTIOU]</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>

6. using your callback, correlate PGTIOU with PGT
7. visit /proxy?targetService=bar&pgt=[PGT]
8. you should get back:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:proxySuccess>
    <cas:proxyTicket>[valid proxy ticket]</cas:proxyTicket>
  </cas:proxySuccess>
</cas:serviceResponse>

9. visit /proxyValidate?service=bar&ticket=[proxy ticket from Step 8]
10. you should get back:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>netid</cas:user>
    <cas:proxies>
      <cas:proxy>[pgtUrl from Step 4]</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>

11. reload /proxyValidate?service=bar&ticket=[proxy ticket from Step 8]
12. you should get back:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket '[proxy ticket from Step 8]' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>

CAS 2.0 unsuccessful validation at /serviceValidate

/serviceValidate MUST NOT validate proxy tickets, per the CAS 2.0 specification.

Assuming you kept the PGT from the previous section, you can begin at Step 7 above. Otherwise start at Step 1 above. After running Step 8, jump to Step 9 below.

9. visit /serviceValidate?service=bar&ticket=[proxy ticket from Step 8]
10. you should get back:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket '[proxy ticket from Step 8]' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>

CAS 2.0 unsuccessful validation at /validate

/validate MUST NOT validate proxy tickets, per the CAS 2.0 specification.

Assuming you kept the PGT from the section, "CAS 2.0 validation, acquire proxy-granting ticket, proxy authentication," you can begin at Step 7 above. Otherwise start at Step 1 of that section. After running Step 8, jump to Step 9 below.

9. visit /validate?service=bar&ticket=[proxy ticket from Step 8]
10. you should get back:

no\n
\n

multi-level proxy

Assuming you kept the PGT from the section, "CAS 2.0 validation, acquire proxy-granting ticket, proxy authentication," you can begin at Step 7 above. Otherwise start at Step 1 of that section. After running Step 8, jump to Step 9 below.

This test will require two separate proxy callback listeners.

9. visit /proxyValidate?service=bar&ticket=[proxy ticket from Step 8]&pgtUrl=[URL of 2nd callback]
10. you should get back:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>netid</cas:user>
    <cas:proxyGrantingTicket>[PGTIOU]</cas:proxyGrantingTicket>
    <cas:proxies>
      <cas:proxy>[pgtUrl from Step 4]</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>

11. using your callback, correlate PGTIOU with PGT
12. visit /proxy?pgt=[PGT from Step 11]&targetService=baz
13. you should get back:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:proxySuccess>
    <cas:proxyTicket>[valid proxy ticket]</cas:proxyTicket>
  </cas:proxySuccess>
</cas:serviceResponse>

14. visit /proxyValidate?ticket=[proxy ticket from Step 13]&service=baz
15. you should get back:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>netid</cas:user>
    <cas:proxies>
      <cas:proxy>[pgtUrl from Step 10]</cas:proxy>
      <cas:proxy>[pgtUrl from Step 4]</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>

proxy-granting ticket invalidation by logout

9. After verifying that Steps 1-8 above succeed, visit /logout
10. visit /proxy?targetService=bar&pgt=[PGT]
11. you should get back:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:proxyFailure code='BAD_PGT'>
    unrecognized pgt: '[PGT from Step 6]'
  </cas:proxyFailure>
</cas:serviceResponse>
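The validation and proxy tests above all pin down the same server-side rules: a ticket validates once and is bound to the service it was issued for, /validate and /serviceValidate refuse proxy tickets, the proxy chain grows most-recent-first across proxy levels, and logout kills every PGT. The in-memory model below reproduces those outcomes so they can be checked without a running server; it is an added example, not code from the CAS project, and its class, method names, ticket ids and sample URLs are constructed for illustration.

```python
"""Toy model of the validation rules the tests above check. Added example,
not code from the CAS project; ticket ids and service URLs are constructed."""
import secrets

# CAS 1.0 /validate and CAS 2.0 /serviceValidate must refuse proxy tickets (PT).
ALLOWED = {"validate": {"ST"}, "serviceValidate": {"ST"}, "proxyValidate": {"ST", "PT"}}


class TicketRegistry:
    def __init__(self):
        # one-time tickets: id -> (kind, user, service, proxy chain most-recent-first)
        self.tickets = {}
        self.pgts = {}  # PGT -> (user, proxy chain); cleared by logout

    def issue(self, kind, user, service, proxies=()):
        """Mint an "ST" (service ticket) or "PT" (proxy ticket) bound to `service`."""
        tid = f"{kind}-{secrets.token_urlsafe(16)}"
        self.tickets[tid] = (kind, user, service, list(proxies))
        return tid

    def validate(self, endpoint, service, ticket):
        """Consume `ticket`; return ("success", user, proxies) or ("failure", code)."""
        t = self.tickets.pop(ticket, None)  # pop: the reload in Step 6/7 must fail
        if t is None or t[0] not in ALLOWED[endpoint]:
            return ("failure", "INVALID_TICKET")   # unknown, reused, or PT at /serviceValidate
        _, user, bound_service, proxies = t
        if bound_service != service:
            return ("failure", "INVALID_SERVICE")  # ticket for foo presented as bar
        return ("success", user, proxies)

    def grant_pgt(self, user, pgt_url, proxies=()):
        """pgtUrl callback succeeded: mint a PGT carrying the proxy chain so far."""
        pgt = f"PGT-{secrets.token_urlsafe(16)}"
        self.pgts[pgt] = (user, [pgt_url, *proxies])
        return pgt

    def proxy(self, pgt, target_service):
        """/proxy: issue a PT bound to targetService, or BAD_PGT once logged out."""
        if pgt not in self.pgts:
            return ("failure", "BAD_PGT")
        user, chain = self.pgts[pgt]
        return ("success", self.issue("PT", user, target_service, chain))

    def logout(self):
        self.pgts.clear()  # destroying the TGT invalidates every PGT under it


def render_v1(result):
    """CAS 1.0 /validate body: "yes\\nnetid\\n" on success, "no\\n\\n" otherwise."""
    return f"yes\n{result[1]}\n" if result[0] == "success" else "no\n\n"
```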