Analyses, Implementation and Test
6.2 ADFS User Mapping Development
6.3.2 Program Testing
This testing plan covers the program’s behavior during a normal execution.
Access control set in a TWiki topic:
The first tests with the new module concern the restriction settings. The settings ALLOWTOPICVIEW, ALLOWTOPICCHANGE, DENYTOPICVIEW and DENYTOPICCHANGE, each in combination with an E-group, must be tested in a TWiki topic. For this scenario a TWiki topic with the name "RestrictedArea" was created and the settings were placed in it as standard TWiki preference settings. For each test run only one of the four settings was activated. The next tests set a single restriction that contains both a user in a TWiki group and a user in an E-group. This test shows whether the new module can be used in combination with the standard restriction by TWiki groups (e.g. Set ALLOWTOPICVIEW = TWikiAdminGroup, <CERN E-group>). If that test is successful, a further test with DENY set for one E-group and ALLOW set for another E-group has to be done.
The important point is to find out which setting is stronger, i.e. which setting is evaluated first. The question "What happens if the user is in both groups?" answers this as well. Finally, the first tests with the different settings must be repeated with E-group names written in uppercase, lowercase, mixed case, fragmentarily spelled, misspelled and as an e-mail address. The spelling variants matter for security: an E-group name in a DENY list that does not match fails open (nobody is denied), whereas the same mistake in an ALLOW list fails closed (nobody is allowed).
All these tests were done in a TWiki topic. The next test plan is specific to TWiki web restrictions.
Access control set in TWiki WebPreferences:
Since the web restrictions go through the same permission routines, all tests done in the RestrictedArea topic can be executed with web settings as well.
Therefore a test web with the name MainWeb is created. In its preferences the restriction settings are initially set to whitespace, which means everybody is allowed and no one is restricted. For the following tests the whitespace is replaced by a user, a TWiki group or an E-group.
In addition to the tests in a topic, the same restriction must be set once in the web and once in the topic, to verify that the WebPreferences are overridden by the topic settings as they should be (see Figure 6.7).
Miscellaneous testing in Topic and Web:
For this part of the test plan, combined settings in web and topic are tested. The first is ALLOWWEBVIEW for the E-group it-dep-des together with DENYWEBVIEW for TWikiGuest and DENYTOPICVIEW for the TWiki user AlexanderBernegger. This shows what happens when AlexanderBernegger is not a guest but is denied on the topic and allowed on the web. Furthermore, a test with DENY and ALLOW in one topic for the same E-group shall reveal the evaluation order: which of the two is stronger? The same must be done in the WebPreferences.
Two-session testing: logged in and as TWikiGuest
The test with two different sessions is used to find out whether the ADFSUserMapping module works in both cases. As in the previous test parts, the standard restriction settings have to be tested here both as a logged-in user and as a guest.
E-groups in TWiki groups
The E-groups-in-TWiki-groups tests shall show whether an E-group nested inside a TWiki group can also be used for restricting access.
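The test plan above can be run against a model of the decision it exercises. The following Python model is an added illustration and not the thesis's ADFSUserMapping.pm: the evaluation order (members of TWikiAdminGroup pass; then DENYTOPIC, ALLOWTOPIC, DENYWEB, ALLOWWEB, first applicable rule decides; an empty DENYTOPIC setting admits everyone) is TWiki 4.x's documented access-control behaviour, while the comma-separated format of HTTP_ADFS_GROUP, the case-insensitive matching of E-group names and the sample users, E-groups and TWiki group topics are assumptions made for the example. It also covers the E-groups-in-TWiki-groups case by expanding nested TWiki groups recursively, which is the role _expandUserList plays in the module.

```python
import re

# Constructed sample environment as set by the web server after the ADFS
# login. Assumption: HTTP_ADFS_GROUP holds a comma-separated e-group list
# (the appendix listing reads this variable; its format is not on the page).
SAMPLE_ENV = {"HTTP_ADFS_GROUP": "it-dep-des, cms-twiki-editors"}

# Constructed TWiki group topics of the Main web: group name -> GROUP setting.
SAMPLE_GROUPS = {
    "TWikiAdminGroup": "Main.PeteJones",
    "DesignGroup": "Main.AlexanderBernegger, it-dep-des",  # e-group nested in a TWiki group
    "LoopGroup": "Main.LoopGroup, Main.DesignGroup",        # self-reference: expansion must stop
}


def egroups_from_env(env):
    """E-groups of the current session (a TWikiGuest session has none)."""
    raw = env.get("HTTP_ADFS_GROUP", "")
    return [g.strip().lower() for g in raw.split(",") if g.strip()]


def parse_userlist(value):
    """'Main.UserA, UserB, Main.UserC # comment' -> ['UserA', 'UserB', 'UserC'].
    HTML tags and a trailing comment are dropped, as the appendix listing does."""
    value = re.sub(r"<[^>]*>", "", value).split("#", 1)[0]
    names = [p for p in re.split(r"[,\s]+", value) if p]
    return [n[5:] if n.startswith("Main.") else n for n in names]


def expand_user_list(value, groups, seen=None):
    """Flatten a user list into a set of lower-cased principals, expanding
    TWiki groups recursively (the job of _expandUserList). Assumption:
    e-group names match case-insensitively; nothing else is normalised."""
    seen = set() if seen is None else seen
    principals = set()
    for name in parse_userlist(value):
        if name in groups:
            if name not in seen:          # guard against group cycles
                seen.add(name)
                principals |= expand_user_list(groups[name], groups, seen)
        else:
            principals.add(name.lower())  # a WikiName or an e-group
    return principals


def is_in_list(user, egroups, value, groups):
    """True if the user or one of the user's e-groups appears in the list."""
    principals = expand_user_list(value, groups)
    return user.lower() in principals or any(g in principals for g in egroups)


def check_access(mode, user, egroups, topic_prefs, web_prefs, groups=SAMPLE_GROUPS):
    """TWiki 4.x order: admins pass; DENYTOPIC, ALLOWTOPIC, DENYWEB, ALLOWWEB,
    first applicable rule decides. An empty DENYTOPIC admits everyone and
    skips the web rules; an empty ALLOW counts as not set."""
    if is_in_list(user, egroups, "Main.TWikiAdminGroup", groups):
        return True
    deny = topic_prefs.get("DENYTOPIC" + mode)
    if deny is not None:
        if not deny.strip():
            return True
        if is_in_list(user, egroups, deny, groups):
            return False
    allow = topic_prefs.get("ALLOWTOPIC" + mode)
    if allow and allow.strip():
        return is_in_list(user, egroups, allow, groups)
    deny = web_prefs.get("DENYWEB" + mode)
    if deny and deny.strip() and is_in_list(user, egroups, deny, groups):
        return False
    allow = web_prefs.get("ALLOWWEB" + mode)
    if allow and allow.strip():
        return is_in_list(user, egroups, allow, groups)
    return True


def run_test_plan():
    """The scenarios of the test plan, as label -> access granted."""
    me = ("AlexanderBernegger", egroups_from_env(SAMPLE_ENV))
    peer = ("PeerUser", ["it-dep-des"])          # in the e-group only
    other = ("OtherUser", ["it-dep-ms"])
    guest = ("TWikiGuest", [])
    web_misc = {"ALLOWWEBVIEW": "it-dep-des", "DENYWEBVIEW": "Main.TWikiGuest"}
    topic_misc = {"DENYTOPICVIEW": "Main.AlexanderBernegger"}
    return {
        "allow e-group, member": check_access("VIEW", *me, {"ALLOWTOPICVIEW": "it-dep-des"}, {}),
        "allow e-group, outsider": check_access("VIEW", *other, {"ALLOWTOPICVIEW": "it-dep-des"}, {}),
        "deny e-group, member": check_access("VIEW", *me, {"DENYTOPICVIEW": "it-dep-des"}, {}),
        "deny misspelled: fails open": check_access("VIEW", *me, {"DENYTOPICVIEW": "it-dep-dse"}, {}),
        "allow fragment: fails closed": check_access("VIEW", *me, {"ALLOWTOPICVIEW": "it-dep"}, {}),
        "allow mixed case": check_access("VIEW", *me, {"ALLOWTOPICVIEW": "IT-Dep-DES"}, {}),
        "allow e-mail form": check_access("VIEW", *me, {"ALLOWTOPICVIEW": "it-dep-des@cern.ch"}, {}),
        "TWiki group + e-group": check_access("VIEW", *me, {"ALLOWTOPICVIEW": "Main.TWikiAdminGroup, it-dep-des"}, {}),
        "in both lists: DENY wins": check_access("VIEW", *me, {"DENYTOPICVIEW": "it-dep-des", "ALLOWTOPICVIEW": "cms-twiki-editors"}, {}),
        "topic overrides web": check_access("VIEW", *me, {"ALLOWTOPICVIEW": "it-dep-des"}, {"ALLOWWEBVIEW": "it-dep-ms"}),
        "empty DENYTOPIC admits everyone": check_access("VIEW", *other, {"DENYTOPICVIEW": ""}, {"ALLOWWEBVIEW": "it-dep-des"}),
        "misc: web allow, topic deny": check_access("VIEW", *me, topic_misc, web_misc),
        "misc: guest session": check_access("VIEW", *guest, topic_misc, web_misc),
        "misc: other e-group member": check_access("VIEW", *peer, topic_misc, web_misc),
        "e-group nested in TWiki group": check_access("VIEW", *peer, {"ALLOWTOPICVIEW": "Main.DesignGroup"}, {}),
        "group cycle terminates": check_access("VIEW", *peer, {"ALLOWTOPICVIEW": "Main.LoopGroup"}, {}),
    }


if __name__ == "__main__":
    for label, granted in run_test_plan().items():
        print(f"{'ALLOWED' if granted else 'DENIED ':8} {label}")
```

Two of the scenarios deserve attention when writing restrictions: a misspelled E-group in a DENY list matches nobody and therefore fails open, while the same typo in an ALLOW list fails closed; and an empty DENYTOPICVIEW on a topic admits everyone even when the web itself is restricted with ALLOWWEBVIEW. Whether the real module matches E-group names case-insensitively or accepts the e-mail form is exactly what the test plan is meant to establish; the model only makes its own choice explicit.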
6.4 Results
The development of ADFSUserMapping module has been an iterative process.
After the first round of the Software Development Life Cycle stages, testing of the developed prototype showed that the DENY restriction method did not work in combination with ADFS groups. This was detected while running the program-specific tests explained in 6.3. In the test "Test ADFS groups with Restriction Settings" the DENY mode erroneously allowed the restricted ADFS group; a DENY rule that does not match fails open. Due to the urgent need for this module, a first version was installed on the production server, to be operated in ALLOW mode only. ALLOW mode is the more important one for restricting access, because allowing only one specific group implies an automatic refusal for all others. This was a first solution for the LHC project group CMS in November 2009.
As shown in section 6.2.3.2 of this thesis, the DENY view problem was solved by introducing a new subroutine (redirectView) to the ADFSUserMapping module. This subroutine switches the request into the authenticated mode required for the check, and DENY was from then on able to work with ADFS groups. Furthermore, the nested restriction by TWiki groups that contain ADFS E-groups was also not possible, due to the way TWiki handles users in TWiki groups. To make use of the nested information, the function _expandUserList had to be implemented to retrieve these values.
The most difficult part was to find the functions concerned for each problem. Since TWiki has about 630 files in its library (checked on TWiki-4.3.2, Georgetown) and each file contains numerous built-in subroutines and functions, many analysis periods were necessary between the development and testing phases.
In the end, the module worked as planned in section 6.2.1 and was ready for installation on the production server.
Please find all testing results in Appendix E.
Conclusion
This diploma thesis gives an outline of how TWiki can be combined with a Single Sign-On solution. The goal was to add security to the TWiki installation by regulating access through CERN SSO accounts.
The approach, to incorporate e-group verification into the existing TWiki access control system, was successfully realised by installing the developed ADFSUserMapping module on the production TWiki. After the e-groups-in-TWikiGroups and the DENY view problems were solved, all standard restriction settings worked with ADFS e-groups as they should. The defined goals of this thesis have been achieved, and the module can be installed and used on any TWiki installation.
In terms of open source, the ADFSUserMapping module is made available in the TWiki Extensions Repository on TWiki.org and can be used by everyone for further development.
7.1 Outlook
According to the TWikiAtCern roadmap (see Figure 6.1), the ADFSUserMapping module for e-group alignment is part of a larger project. The roadmap contains ideas to remove the need for the TWiki user lists and to use the specific information from CERN SSO accounts instead. This will simplify user handling, because the current unique identifier is a user's e-mail address, which has to be kept up to date. Every time a user changes the e-mail address only in the SSO environment, a TWiki administrator must change the TWiki address manually too (see Use Case no. 8 in Figure 6.6).
This step has to be discussed first, since users who do not have a CERN account (so-called light-weight users) would then no longer be able to use the TWiki collaboration. A hybrid solution, using CERN accounts as the unique identifier and TWiki user lists for non-CERN personnel, is a conceivable answer to this problem.
2FA . . . Two Factor Authentication
KDC . . . Key Distribution Center
LHC . . . Large Hadron Collider
OTP . . . One Time Password
PES . . . Platforms and Engineering Tools
PRP . . . Passive Requestor Profile
RA . . . Registration Authority
RCS . . . Revision Control System
SAML . . . Security Assertion Markup Language
SDLC . . . Software Development Life Cycle
shibd . . . Shibboleth Daemon
SP . . . Service Provider
SSO . . . Single Sign-On
TGS . . . Ticket Granting Server
TWiki . . . Take-Five Wiki
WS . . . Web Services
WYSIWYG . . . What-You-See-Is-What-You-Get
ADFSUserMapping.pm (excerpt; only the following lines of the listing are preserved)

    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    # i.e.: "Main.UserA, UserB, Main.UserC # something else"
    $userlist =~ s/(<[^>]*>)//go;   # Remove HTML tags
    return 0 unless defined $cUID;
    next unless $ENV{HTTP_ADFS_GROUP};
    $names2 = $TWiki::Users::TWikiUserMapping::names2;