fangli / kibana-authentication-proxy

Hosts the latest kibana3 and elasticsearch behind Google OAuth2, Basic Authentication or CAS Authentication
MIT License

Integrate CAS v2 Auth #15

Closed ABalanuta closed 10 years ago

ABalanuta commented 10 years ago

Hi there,

Can we integrate CAS v2 into the kibana-auth-proxy ?

https://github.com/acemetrix/connect-cas or https://github.com/sfu/node-cas-sfu

fangli commented 10 years ago

Well, thanks, I'll give it a try. Should be done within one week. Keep updated.

ABalanuta commented 10 years ago

Here is a cleaner one I think: https://www.npmjs.org/package/jcas

fangli commented 10 years ago

Aha, I prefer this one! Seems like it supports both v1 and v2, after I read its source code, even though without any docs :( I think this would be done in a few days.

ABalanuta commented 10 years ago

Great

ABalanuta commented 10 years ago

Any news?

fangli commented 10 years ago

Hi there, sorry for the late reply. I got stuck when trying jcas, maybe there are some bugs in this module. See: https://github.com/tiksin/jcas/pull/2 Eventually I fixed it.

Please note I have CAS1.0 tested, but CAS2.0 NOT. Could you help test the 2.0 protocol, with the following steps?

  1. npm install
  2. set cas_protocol_version to 2.0 in config.js

Let me know if you get any problems.

ABalanuta commented 10 years ago

I will give it a try.

fangli commented 10 years ago

Thanks a lot!

ABalanuta commented 10 years ago

Hi, I cannot make it work. After adding the following debug lines after cas.validate(ticket, function(err, status, username) { in the cas-auth.js file

    console.log(err);
    console.log(status);
    console.log(username);

I get the following:

"[Error: Validation failed [Service not allowed to validate tickets.]: Service not allowed to validate tickets. ] false undefined"

fangli commented 10 years ago

Hi, did the "Service not allowed to validate tickets" error happen AFTER jumping back from your SSO login URL? Could you show me the redirect target URL? Just like https://sso.yourdomain.com/cas?service=http://** (please replace your real domain with "*")

ABalanuta commented 10 years ago

Redirect link: https://_myCASDomain_/cas//login?service=https://_myServer_/auth/cas/login?ticket=ST-25417-OI5tQrf0axA1sRvSCJhv-_myCASDomain_

Error Link https://_myServer_/auth/cas/login?ticket=ST-23327-KPqOVNsFyXSFsYamomCQ-_myCASDomain_

fangli commented 10 years ago

OK, maybe I've got the bug. I have pushed the fixed version; please revert your changes, do a fresh "git pull", then try again.

Thanks:)

ABalanuta commented 10 years ago

:(

    Server starting...
    Warning: No basic authentication presented
    Warning: No Google OAuth2 presented
    Info: CAS Authentication applied
    Server listening on 443(SSL)

    events.js:72
            throw er; // Unhandled 'error' event
                  ^
    TypeError: Cannot read property '0' of undefined
        at /opt/kibana-authentication-proxy/lib/jcas.js:167:61
        at Parser. (/opt/kibana-authentication-proxy/node_modules/xml2js/lib/xml2js.js:379:20)
        at Parser.EventEmitter.emit (events.js:95:17)
        at Object.onclosetag (/opt/kibana-authentication-proxy/node_modules/xml2js/lib/xml2js.js:343:26)
        at emit (/opt/kibana-authentication-proxy/node_modules/xml2js/node_modules/sax/lib/sax.js:615:33)
        at emitNode (/opt/kibana-authentication-proxy/node_modules/xml2js/node_modules/sax/lib/sax.js:620:3)
        at closeTag (/opt/kibana-authentication-proxy/node_modules/xml2js/node_modules/sax/lib/sax.js:861:5)
        at Object.write (/opt/kibana-authentication-proxy/node_modules/xml2js/node_modules/sax/lib/sax.js:1293:29)
        at Parser.exports.Parser.Parser.parseString (/opt/kibana-authentication-proxy/node_modules/xml2js/lib/xml2js.js:398:31)
        at Parser.parseString (/opt/kibana-authentication-proxy/node_modules/xml2js/lib/xml2js.js:6:61)

fangli commented 10 years ago

Yes, actually glad to see such an error.

The validation response of CAS2.0 may have some additional attributes for each user compared with CAS1.0, but the 2.0 protocol doesn't define them strictly. When jcas couldn't get the additional attributes, the error happens.

I need to hack jcas again to remove the particular attributes, with only "username" left.

Please wait a little while.

fangli commented 10 years ago

Hi there, should be fixed now. git pull and try again.

ABalanuta commented 10 years ago

    module.js:340
        throw err;
              ^
    Error: Cannot find module 'express'
        at Function.Module._resolveFilename (module.js:338:15)
        at Function.Module._load (module.js:280:25)
        at Module.require (module.js:364:17)
        at require (module.js:380:17)
        at Object. (/opt/proxyKibana/app.js:10:15)
        at Module._compile (module.js:456:26)
        at Object.Module._extensions..js (module.js:474:10)
        at Module.load (module.js:356:32)
        at Function.Module._load (module.js:312:12)
        at Function.Module.runMain (module.js:497:10)

fangli commented 10 years ago

That's weird. (If you deleted the old repo and did a fresh clone,) have you run the following commands?

# git clone https://github.com/fangli/kibana-authentication-proxy
# cd kibana-authentication-proxy/
# git submodule init
# git submodule update
# npm install

ABalanuta commented 10 years ago

ok

fangli commented 10 years ago

Expecting for your feedback:)

ABalanuta commented 10 years ago

Strangely it bypassed the auth process.

ABalanuta commented 10 years ago

Never mind, it worked, damn Chrome cache.

fangli commented 10 years ago

Could you be more specific? What's the config.js, console output and behavior of browser?

ABalanuta commented 10 years ago

Console did not output anything, I will print the username to check the authentication.

fangli commented 10 years ago

Yes, console should print

    Server starting...
    Warning: No basic authentication presented
    Warning: No Google OAuth2 presented
    Info: CAS Authentication applied

at least.

But I still don't get your point by "it bypassed the auth process".

ABalanuta commented 10 years ago

    Server starting...
    Warning: No basic authentication presented
    Warning: No Google OAuth2 presented
    Info: CAS Authentication applied
    Server listening on 443(SSL)

When I print the username at lib/cas-auth.js it does not show up. Why?

fangli commented 10 years ago

If your browser redirects to https://your_CAS_server/*** and then back to https://kibana.domain/... automatically, it DOES work; that's what SSO means.

If you want to input your credentials in the CAS page, you need to use another browser which is not logged in to your CAS2.

fangli commented 10 years ago

If you want to see whether the username has been recognized, please add

    console.log(username);

after

    // Log the user in
    req.session.cas_user_name = username;

and refresh the page, then log in again.

ABalanuta commented 10 years ago

Yes, I know, it works as it is supposed to. :+1: I was printing in the wrong place; I printed the username in the lib/jcas.js file and it worked nicely. My objective is to only let in a list of usernames, just as in the basic auth model.

Thank you very much.

PS: I would appreciate having this option built in; do you think you can add that?

fangli commented 10 years ago

It's not difficult, but I'm just surprised: can't you control the permissions and privileges in the CAS2 server? Why not just remove the permissions in CAS2?

fangli commented 10 years ago

If it's really necessary for you, please add it yourself; here's the way:

In /lib/cas-auth.js:

    cas.validate(ticket, function(err, status, username) {
        //////// Username filter /////////
        // Reject the login when the CAS username is not on the allowlist
        if (config.cas_allowed_users.indexOf(username) === -1) {
            err = "some error: user not in list";
        }
        //////////////////////////////////
        if (err || !status) {

In config.js:

    "cas_allowed_users": ["user1", "user2", ...],

Hope you can understand :)
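The two failure modes discussed in this thread, a CAS 2.0 validation response with or without the optional attributes block, and a username allowlist applied after validation, worked through as an added example. This is not code from kibana-authentication-proxy or jcas: the function names (`parseCas2Response`, `authorizeCasUser`), the regex-based element extraction standing in for the xml2js parsing the real module does, and the sample XML responses are all constructed here for illustration.

```javascript
// Added example, not code from kibana-authentication-proxy or jcas. It parses a
// CAS 2.0 /serviceValidate response defensively (the <cas:attributes> block is
// optional in CAS 2.0, which is what tripped jcas in the thread) and then applies
// the cas_allowed_users allowlist idea. XML samples are constructed; regex
// extraction stands in for the xml2js parsing the real module uses.

// Text of the first <cas:NAME>...</cas:NAME> element, or null when absent.
function casElement(xml, name) {
  const re = new RegExp('<cas:' + name + '(?:\\s[^>]*)?>([\\s\\S]*?)</cas:' + name + '>');
  const m = re.exec(xml);
  return m ? m[1].trim() : null;
}

// Parse a CAS 2.0 serviceValidate body into { ok, user, attributes, code, message }.
function parseCas2Response(xml) {
  const failure = /<cas:authenticationFailure\s+code="([^"]*)"[^>]*>([\s\S]*?)<\/cas:authenticationFailure>/.exec(xml);
  if (failure) {
    return { ok: false, user: null, attributes: {}, code: failure[1], message: failure[2].trim() };
  }
  if (!/<cas:authenticationSuccess[\s>]/.test(xml)) {
    return { ok: false, user: null, attributes: {}, code: 'INVALID_RESPONSE',
             message: 'neither authenticationSuccess nor authenticationFailure present' };
  }
  const user = casElement(xml, 'user');
  if (!user) {
    return { ok: false, user: null, attributes: {}, code: 'INVALID_RESPONSE',
             message: 'authenticationSuccess without <cas:user>' };
  }
  // Attributes are optional: a missing block yields {} instead of a crash.
  const attributes = {};
  const attrBlock = casElement(xml, 'attributes');
  if (attrBlock) {
    const re = /<cas:([A-Za-z0-9_]+)>([\s\S]*?)<\/cas:\1>/g;
    let m;
    while ((m = re.exec(attrBlock)) !== null) {
      attributes[m[1]] = m[2].trim();
    }
  }
  return { ok: true, user: user, attributes: attributes, code: null, message: null };
}

// Decide whether the proxy should log the user in. When allowedUsers is not an
// array the allowlist is treated as not configured and any authenticated CAS
// user is accepted, which keeps the config key optional.
function authorizeCasUser(parsed, allowedUsers) {
  if (!parsed.ok) {
    return { allowed: false, user: null, reason: parsed.code + ': ' + parsed.message };
  }
  if (Array.isArray(allowedUsers) && allowedUsers.indexOf(parsed.user) === -1) {
    return { allowed: false, user: parsed.user, reason: 'user not in cas_allowed_users' };
  }
  return { allowed: true, user: parsed.user, reason: null };
}

// Constructed sample responses (hypothetical users and attributes).
const SAMPLE_WITH_ATTRIBUTES = `<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:attributes>
      <cas:email>alice@example.org</cas:email>
      <cas:memberOf>kibana-users</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>`;

const SAMPLE_WITHOUT_ATTRIBUTES = `<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>bob</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>`;

// The failure text mirrors the message quoted earlier in the thread.
const SAMPLE_FAILURE = `<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_SERVICE">
    Service not allowed to validate tickets.
  </cas:authenticationFailure>
</cas:serviceResponse>`;

const CAS_ALLOWED_USERS = ['alice'];  // stands in for config.cas_allowed_users

// Run all three samples through validation and authorization.
function demo() {
  return [SAMPLE_WITH_ATTRIBUTES, SAMPLE_WITHOUT_ATTRIBUTES, SAMPLE_FAILURE]
    .map(xml => authorizeCasUser(parseCas2Response(xml), CAS_ALLOWED_USERS));
}

console.log(demo());
```

The point of splitting parsing from authorization is that a malformed or failed validation response never reaches the allowlist check with a usable username, so the proxy fails closed on both the "attributes missing" case and the "service not allowed" case rather than crashing the process as the stack trace above shows.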

ABalanuta commented 10 years ago

I just don't have access to the CAS server. And thank you for the solution, I'm not really an expert in JavaScript.

fangli commented 10 years ago

All you need is 3 or 4 more lines of JS, as above. Why not just give it a try?

It's really late in China, I'll be offline till tomorrow.

ABalanuta commented 10 years ago

No problem, I could implement it; I just thought it would be nice to have this feature for the community.

Thank you again. I think we can close this Issue now.

fangli commented 10 years ago

Appreciate your testing :) I'll close this issue. Feel free to comment or reopen it if you have further questions.