Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support agentOptions configuration for requests to CAS server #50

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Support agentOptions configuration for requests to CAS server #50

wants to merge 5 commits into from

Conversation

mikesir87
Copy link

Motivation

Since CAS is such an important auth protocol, we want to make sure we trust the other end when making validations/working with proxy ticketing. In order to do that, we'd like to be able to specify agentOptions on requests being made to the CAS server. Two use cases...

  • In local dev and test environments, we frequently use self-signed certs. So, we'd like to be able to specify the CA cert to trust (rather than be dumb and use NODE_TLS_REJECT_UNAUTHORIZED).
  • In production, we'd like to be able to support cert pinning, adding additional validation that the other end is what we'd expect.

Implementation

To implement, I added support for agentOptions to the configure() method, which defaults simply to {} and is passed along to all calls to request.

I also updated the test suite with new certs/keys that 1) don't include the port number in the CN and 2) are signed by a rootCA and updated the CAS servers to use them (it was speaking plain HTTP before). I included the csr and root CA key in case you want to reuse it or whatever. Totally up to you if you want to nuke those.

If you remove the setting of the agentOptions in all cas.configure calls in the test suite, you'll see that they fail. I'm more than happy to add/consider other tests that should fit into this, if you can think of any others.

mikesir87 added 5 commits July 30, 2018 22:47
@mikesir87
Updated express version to resolve test failures
b3bf314 
With previous version, tests would fail when comparing query
string values, as (for some reason), req.query would also contain
{__proto__: ""}, which would then then encoded into the URL.
@mikesir87
Created new key/cert that doesn't contain port in CN
3d2fba7 
This allows the same cert to be used for both cas and app server
in the tests. But, it causes problems when the port is included,
but doesn't match what the server is using.

Create rootCA that can sign the request, allowing future work
to specify the CA to trust when communicating with the CAS server
for validations
@mikesir87
Added ability to set agentOptions on requests to CAS server
b832a71 
All tests were updated to make the CAS server run using HTTPS and
the cas configuration was updated to use the CA cert to verify
it all works.
@mikesir87
Comment out setTimeout, as not found in node version
b8fbc06 
(Might it be time to consider updating the node_js version used
in the travis builds??)
@mikesir87
Bumped travis to use Node 8, current LTS
6a091f0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@mikesir87