AS1024
/
Kanboard-Prod
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add unit tests for LDAP and ReverseProxy auth

This commit is contained in:
Frederic Guillot 2015-09-06 14:28:06 -04:00
parent 3c0b56bc02
commit b0994ba68e
6 changed files with 455 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
Makefile
View File

@ -77,4 +77,15 @@ archive:
@ cd ${dst} && if [ -L kanboard-latest.zip ]; then unlink kanboard-latest.zip; ln -s kanboard-${version}.zip kanboard-latest.zip; fi
@ rm -rf ${BUILD_DIR}/kanboard
test-sqlite:
@ phpunit -c tests/units.sqlite.xml
test-mysql:
@ phpunit -c tests/units.mysql.xml
test-postgres:
@ phpunit -c tests/units.postgres.xml
unittest: test-sqlite test-mysql test-postgres
.PHONY: all

76
app/Auth/Ldap.php
View File

@ -109,9 +109,11 @@ class Ldap extends Base
* LDAP connection
*
* @access public
* @param string $ldap_hostname
* @param integer $ldap_port
* @return resource|boolean
*/
public function connect()
public function connect($ldap_hostname = LDAP_SERVER, $ldap_port = LDAP_PORT)
{
if (! function_exists('ldap_connect')) {
$this->logger->error('The PHP LDAP extension is required');
@ -123,12 +125,13 @@ class Ldap extends Base
putenv('LDAPTLS_REQCERT=never');
}
$ldap = ldap_connect(LDAP_SERVER, LDAP_PORT);
$ldap = ldap_connect($ldap_hostname, $ldap_port);
if ($ldap === false) {
$this->logger->error('Unable to connect to the LDAP server: "'.LDAP_SERVER.'"');
return false;
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 1);
@ -143,7 +146,7 @@ class Ldap extends Base
}
/**
* LDAP bind
* LDAP authentication
*
* @access public
* @param resource $ldap
@ -179,33 +182,34 @@ class Ldap extends Base
/**
* LDAP user lookup
*
* @access private
* @param resource $ldap LDAP connection
* @param string $username Username
* @param string $password Password
* @access public
* @param resource $ldap
* @param string $username
* @param string $password
* @param string $base_dn
* @param string $user_pattern
* @param array $attributes
* @return boolean|array
*/
private function search($ldap, $username, $password)
public function search($ldap, $username, $password, $base_dn = LDAP_ACCOUNT_BASE, $user_pattern = LDAP_USER_PATTERN, array $attributes = array(LDAP_ACCOUNT_FULLNAME, LDAP_ACCOUNT_EMAIL))
{
$sr = @ldap_search($ldap, LDAP_ACCOUNT_BASE, sprintf(LDAP_USER_PATTERN, $username), array(LDAP_ACCOUNT_FULLNAME, LDAP_ACCOUNT_EMAIL));
$sr = ldap_search($ldap, $base_dn, sprintf($user_pattern, $username), $attributes);
if ($sr === false) {
return false;
}
$info = ldap_get_entries($ldap, $sr);
$entries = ldap_get_entries($ldap, $sr);
// User not found
if (count($info) === 0 || $info['count'] == 0) {
if ($entries === false || count($entries) === 0 || $entries['count'] == 0) {
return false;
}
// We got our user
if (@ldap_bind($ldap, $info[0]['dn'], $password)) {
if (@ldap_bind($ldap, $entries[0]['dn'], $password)) {
return array(
'username' => $username,
'name' => $this->getFromInfo($info, LDAP_ACCOUNT_FULLNAME),
'email' => $this->getFromInfo($info, LDAP_ACCOUNT_EMAIL),
'name' => $this->getEntry($entries, LDAP_ACCOUNT_FULLNAME),
'email' => $this->getEntry($entries, LDAP_ACCOUNT_EMAIL),
);
}
@ -215,24 +219,26 @@ class Ldap extends Base
/**
* Retrieve info on LDAP user
*
* @param string $username Username
* @param string $email Email address
* @access public
* @param string $username Username
* @param string $email Email address
* @return boolean|array
*/
public function lookup($username = null, $email = null)
{
$query = $this->getQuery($username, $email);
if ($query === false) {
if ($query === '') {
return false;
}
// Connect and attempt anonymous bind
$ldap = $this->connect();
if (! is_resource($ldap) || ! $this->bind($ldap, null, null)) {
if ($ldap === false || ! $this->bind($ldap, null, null, 'anonymous')) {
return false;
}
// Try to find user
$sr = @ldap_search($ldap, LDAP_ACCOUNT_BASE, $query, array(LDAP_ACCOUNT_FULLNAME, LDAP_ACCOUNT_EMAIL, LDAP_ACCOUNT_ID));
$sr = ldap_search($ldap, LDAP_ACCOUNT_BASE, $query, array(LDAP_ACCOUNT_FULLNAME, LDAP_ACCOUNT_EMAIL, LDAP_ACCOUNT_ID));
if ($sr === false) {
return false;
}
@ -250,17 +256,19 @@ class Ldap extends Base
}
return array(
'username' => $this->getFromInfo($info, LDAP_ACCOUNT_ID, $username),
'name' => $this->getFromInfo($info, LDAP_ACCOUNT_FULLNAME),
'email' => $this->getFromInfo($info, LDAP_ACCOUNT_EMAIL, $email),
'username' => $this->getEntry($info, LDAP_ACCOUNT_ID, $username),
'name' => $this->getEntry($info, LDAP_ACCOUNT_FULLNAME),
'email' => $this->getEntry($info, LDAP_ACCOUNT_EMAIL, $email),
);
}
/**
* Get the LDAP query to find a user
*
* @param string $username Username
* @param string $email Email address
* @access private
* @param string $username Username
* @param string $email Email address
* @return string
*/
private function getQuery($username, $email)
{
@ -273,21 +281,21 @@ class Ldap extends Base
else if ($email) {
return '('.LDAP_ACCOUNT_EMAIL.'='.$email.')';
}
else {
return false;
}
return '';
}
/**
* Return a value from the LDAP info
*
* @param array $info LDAP info
* @param string $key Key
* @param string $default Default value if key not set in entry
* @access private
* @param array $entries LDAP entries
* @param string $key Key
* @param string $default Default value if key not set in entry
* @return string
*/
private function getFromInfo($info, $key, $default = '')
private function getEntry(array $entries, $key, $default = '')
{
return isset($info[0][$key][0]) ? $info[0][$key][0] : $default;
return isset($entries[0][$key][0]) ? $entries[0][$key][0] : $default;
}
}

1
app/Auth/ReverseProxy.php
View File

@ -28,7 +28,6 @@ class ReverseProxy extends Base
public function authenticate()
{
if (isset($_SERVER[REVERSE_PROXY_USER_HEADER])) {
$login = $_SERVER[REVERSE_PROXY_USER_HEADER];
$user = $this->user->getByUsername($login);

377
tests/units/Auth/LdapTest.php
View File

@ -13,25 +13,40 @@ function ldap_set_option()
{
}
function ldap_bind($ldap, $ldap_username, $ldap_password)
function ldap_bind($link_identifier, $bind_rdn, $bind_password)
{
return LdapTest::$functions->ldap_bind($ldap, $ldap_username, $ldap_password);
return LdapTest::$functions->ldap_bind($link_identifier, $bind_rdn, $bind_password);
}
function ldap_search($link_identifier, $base_dn, $filter, array $attributes)
{
return LdapTest::$functions->ldap_search($link_identifier, $base_dn, $filter, $attributes);
}
function ldap_get_entries($link_identifier, $result_identifier)
{
return LdapTest::$functions->ldap_get_entries($link_identifier, $result_identifier);
}
class LdapTest extends \Base
{
public static $functions;
private $ldap;
public function setUp()
{
parent::setup();
$this->ldap = $ldap = new Ldap($this->container);
self::$functions = $this
->getMockBuilder('stdClass')
->setMethods(array(
'ldap_connect',
'ldap_set_option',
'ldap_bind',
'ldap_search',
'ldap_get_entries',
))
->getMock();
}
@ -53,8 +68,7 @@ class LdapTest extends \Base
)
->will($this->returnValue('my_ldap_resource'));
$ldap = new Ldap($this->container);
$this->assertNotFalse($ldap->connect());
$this->assertNotFalse($this->ldap->connect('my_ldap_server'));
}
public function testConnectFailure()
@ -68,8 +82,7 @@ class LdapTest extends \Base
)
->will($this->returnValue(false));
$ldap = new Ldap($this->container);
$this->assertFalse($ldap->connect());
$this->assertFalse($this->ldap->connect('my_ldap_server'));
}
public function testBindAnonymous()
@ -84,8 +97,7 @@ class LdapTest extends \Base
)
->will($this->returnValue(true));
$ldap = new Ldap($this->container);
$this->assertTrue($ldap->bind('my_ldap_connection', 'my_user', 'my_password', 'anonymous'));
$this->assertTrue($this->ldap->bind('my_ldap_connection', 'my_user', 'my_password', 'anonymous'));
}
public function testBindUser()
@ -100,8 +112,7 @@ class LdapTest extends \Base
)
->will($this->returnValue(true));
$ldap = new Ldap($this->container);
$this->assertTrue($ldap->bind('my_ldap_connection', 'my_user', 'my_password', 'user', 'uid=%s', 'something'));
$this->assertTrue($this->ldap->bind('my_ldap_connection', 'my_user', 'my_password', 'user', 'uid=%s', 'something'));
}
public function testBindProxy()
@ -116,7 +127,349 @@ class LdapTest extends \Base
)
->will($this->returnValue(true));
$ldap = new Ldap($this->container);
$this->assertTrue($ldap->bind('my_ldap_connection', 'my_user', 'my_password', 'proxy', 'someone', 'something'));
$this->assertTrue($this->ldap->bind('my_ldap_connection', 'my_user', 'my_password', 'proxy', 'someone', 'something'));
}
public function testSearchSuccess()
{
$entries = array(
'count' => 1,
0 => array(
'count' => 2,
'dn' => 'uid=my_user,ou=People,dc=kanboard,dc=local',
'displayname' => array(
'count' => 1,
0 => 'My user',
),
'mail' => array(
'count' => 2,
0 => 'user1@localhost',
1 => 'user2@localhost',
),
0 => 'displayname',
1 => 'mail',
)
);
$expected = array(
'username' => 'my_user',
'name' => 'My user',
'email' => 'user1@localhost',
);
self::$functions
->expects($this->at(0))
->method('ldap_search')
->with(
$this->equalTo('my_ldap_connection'),
$this->equalTo('ou=People,dc=kanboard,dc=local'),
$this->equalTo('uid=my_user'),
$this->equalTo(array(LDAP_ACCOUNT_FULLNAME, LDAP_ACCOUNT_EMAIL))
)
->will($this->returnValue('my_result_identifier'));
self::$functions
->expects($this->at(1))
->method('ldap_get_entries')
->with(
$this->equalTo('my_ldap_connection'),
$this->equalTo('my_result_identifier')
)
->will($this->returnValue($entries));
self::$functions
->expects($this->at(2))
->method('ldap_bind')
->with(
$this->equalTo('my_ldap_connection'),
$this->equalTo('uid=my_user,ou=People,dc=kanboard,dc=local'),
$this->equalTo('my_password')
)
->will($this->returnValue(true));
$this->assertEquals($expected, $this->ldap->search('my_ldap_connection', 'my_user', 'my_password', 'ou=People,dc=kanboard,dc=local', 'uid=%s'));
}
public function testSearchWithBadPassword()
{
$entries = array(
'count' => 1,
0 => array(
'count' => 2,
'dn' => 'uid=my_user,ou=People,dc=kanboard,dc=local',
'displayname' => array(
'count' => 1,
0 => 'My user',
),
'mail' => array(
'count' => 2,
0 => 'user1@localhost',
1 => 'user2@localhost',
),
0 => 'displayname',
1 => 'mail',
)
);
self::$functions
->expects($this->at(0))
->method('ldap_search')
->with(
$this->equalTo('my_ldap_connection'),
$this->equalTo('ou=People,dc=kanboard,dc=local'),
$this->equalTo('uid=my_user'),
$this->equalTo(array(LDAP_ACCOUNT_FULLNAME, LDAP_ACCOUNT_EMAIL))
)
->will($this->returnValue('my_result_identifier'));
self::$functions
->expects($this->at(1))
->method('ldap_get_entries')
->with(
$this->equalTo('my_ldap_connection'),
$this->equalTo('my_result_identifier')
)
->will($this->returnValue($entries));
self::$functions
->expects($this->at(2))
->method('ldap_bind')
->with(
$this->equalTo('my_ldap_connection'),
$this->equalTo('uid=my_user,ou=People,dc=kanboard,dc=local'),
$this->equalTo('my_password')
)
->will($this->returnValue(false));
$this->assertFalse($this->ldap->search('my_ldap_connection', 'my_user', 'my_password', 'ou=People,dc=kanboard,dc=local', 'uid=%s'));
}
public function testSearchWithUserNotFound()
{
self::$functions
->expects($this->at(0))
->method('ldap_search')
->with(
$this->equalTo('my_ldap_connection'),
$this->equalTo('ou=People,dc=kanboard,dc=local'),
$this->equalTo('uid=my_user'),
$this->equalTo(array(LDAP_ACCOUNT_FULLNAME, LDAP_ACCOUNT_EMAIL))
)
->will($this->returnValue('my_result_identifier'));
self::$functions
->expects($this->at(1))
->method('ldap_get_entries')
->with(
$this->equalTo('my_ldap_connection'),
$this->equalTo('my_result_identifier')
)
->will($this->returnValue(array()));
$this->assertFalse($this->ldap->search('my_ldap_connection', 'my_user', 'my_password', 'ou=People,dc=kanboard,dc=local', 'uid=%s'));
}
public function testSuccessfulAuthentication()
{
$this->container['userSession'] = $this
->getMockBuilder('\Model\UserSession')
->setConstructorArgs(array($this->container))
->setMethods(array('refresh'))
->getMock();
$this->container['user'] = $this
->getMockBuilder('\Model\User')
->setConstructorArgs(array($this->container))
->setMethods(array('getByUsername'))
->getMock();
$ldap = $this
->getMockBuilder('\Auth\Ldap')
->setConstructorArgs(array($this->container))
->setMethods(array('findUser'))
->getMock();
$ldap
->expects($this->once())
->method('findUser')
->with(
$this->equalTo('user'),
$this->equalTo('password')
)
->will($this->returnValue(array('username' => 'user', 'name' => 'My user', 'email' => 'user@here')));
$this->container['user']
->expects($this->once())
->method('getByUsername')
->with(
$this->equalTo('user')
)
->will($this->returnValue(array('id' => 2, 'username' => 'user', 'is_ldap_user' => 1)));
$this->container['userSession']
->expects($this->once())
->method('refresh');
$this->assertTrue($ldap->authenticate('user', 'password'));
}
public function testAuthenticationWithExistingLocalUser()
{
$this->container['userSession'] = $this
->getMockBuilder('\Model\UserSession')
->setConstructorArgs(array($this->container))
->setMethods(array('refresh'))
->getMock();
$this->container['user'] = $this
->getMockBuilder('\Model\User')
->setConstructorArgs(array($this->container))
->setMethods(array('getByUsername'))
->getMock();
$ldap = $this
->getMockBuilder('\Auth\Ldap')
->setConstructorArgs(array($this->container))
->setMethods(array('findUser'))
->getMock();
$ldap
->expects($this->once())
->method('findUser')
->with(
$this->equalTo('user'),
$this->equalTo('password')
)
->will($this->returnValue(array('username' => 'user', 'name' => 'My user', 'email' => 'user@here')));
$this->container['user']
->expects($this->once())
->method('getByUsername')
->with(
$this->equalTo('user')
)
->will($this->returnValue(array('id' => 2, 'username' => 'user', 'is_ldap_user' => 0)));
$this->container['userSession']
->expects($this->never())
->method('refresh');
$this->assertFalse($ldap->authenticate('user', 'password'));
}
public function testAuthenticationWithAutomaticAccountCreation()
{
$this->container['userSession'] = $this
->getMockBuilder('\Model\UserSession')
->setConstructorArgs(array($this->container))
->setMethods(array('refresh'))
->getMock();
$this->container['user'] = $this
->getMockBuilder('\Model\User')
->setConstructorArgs(array($this->container))
->setMethods(array('getByUsername'))
->getMock();
$ldap = $this
->getMockBuilder('\Auth\Ldap')
->setConstructorArgs(array($this->container))
->setMethods(array('findUser', 'createUser'))
->getMock();
$ldap
->expects($this->at(0))
->method('findUser')
->with(
$this->equalTo('user'),
$this->equalTo('password')
)
->will($this->returnValue(array('username' => 'user', 'name' => 'My user', 'email' => 'user@here')));
$ldap
->expects($this->at(1))
->method('createUser')
->with(
$this->equalTo('user'),
$this->equalTo('My user'),
$this->equalTo('user@here')
)
->will($this->returnValue(true));
$this->container['user']
->expects($this->at(0))
->method('getByUsername')
->with(
$this->equalTo('user')
)
->will($this->returnValue(null));
$this->container['user']
->expects($this->at(1))
->method('getByUsername')
->with(
$this->equalTo('user')
)
->will($this->returnValue(array('id' => 2, 'username' => 'user', 'is_ldap_user' => 1)));
$this->container['userSession']
->expects($this->once())
->method('refresh');
$this->assertTrue($ldap->authenticate('user', 'password'));
}
public function testAuthenticationWithAutomaticAccountCreationFailed()
{
$this->container['userSession'] = $this
->getMockBuilder('\Model\UserSession')
->setConstructorArgs(array($this->container))
->setMethods(array('refresh'))
->getMock();
$this->container['user'] = $this
->getMockBuilder('\Model\User')
->setConstructorArgs(array($this->container))
->setMethods(array('getByUsername'))
->getMock();
$ldap = $this
->getMockBuilder('\Auth\Ldap')
->setConstructorArgs(array($this->container))
->setMethods(array('findUser', 'createUser'))
->getMock();
$ldap
->expects($this->at(0))
->method('findUser')
->with(
$this->equalTo('user'),
$this->equalTo('password')
)
->will($this->returnValue(array('username' => 'user', 'name' => 'My user', 'email' => 'user@here')));
$ldap
->expects($this->at(1))
->method('createUser')
->with(
$this->equalTo('user'),
$this->equalTo('My user'),
$this->equalTo('user@here')
)
->will($this->returnValue(false));
$this->container['user']
->expects($this->once())
->method('getByUsername')
->with(
$this->equalTo('user')
)
->will($this->returnValue(null));
$this->container['userSession']
->expects($this->never())
->method('refresh');
$this->assertFalse($ldap->authenticate('user', 'password'));
}
}

37
tests/units/Auth/ReverseProxyTest.php Normal file
View File

@ -0,0 +1,37 @@
<?php
require_once __DIR__.'/../Base.php';
use Auth\ReverseProxy;
use Model\User;
class ReverseProxyTest extends Base
{
public function setUp()
{
parent::setup();
$_SERVER = array();
}
public function testFailedAuthentication()
{
$auth = new ReverseProxy($this->container);
$this->assertFalse($auth->authenticate());
}
public function testSuccessfulAuthentication()
{
$_SERVER[REVERSE_PROXY_USER_HEADER] = 'my_user';
$a = new ReverseProxy($this->container);
$u = new User($this->container);
$this->assertTrue($a->authenticate());
$user = $u->getByUsername('my_user');
$this->assertNotEmpty($user);
$this->assertEquals(0, $user['is_admin']);
$this->assertEquals(1, $user['is_ldap_user']);
$this->assertEquals(1, $user['disable_login_form']);
}
}

3
tests/units/Base.php
View File

@ -1,9 +1,6 @@
<?php
require __DIR__.'/../../vendor/autoload.php';
define('LDAP_SERVER', 'my_ldap_server');
require __DIR__.'/../../app/constants.php';
use Symfony\Component\EventDispatcher\EventDispatcher;