Rewrite of the authentication and authorization system

tests/units/Core/Http/OAuth2Test.php

@@ -1,8 +1,8 @@
 <?php
 
-require_once __DIR__.'/../Base.php';
+require_once __DIR__.'/../../Base.php';
 
-use Kanboard\Core\OAuth2;
+use Kanboard\Core\Http\OAuth2;
 
 class OAuth2Test extends Base
 {

tests/units/Core/Http/RememberMeCookieTest.php

@@ -0,0 +1,108 @@
+<?php
+
+namespace Kanboard\Core\Http;
+
+require_once __DIR__.'/../../Base.php';
+
+function setcookie($name, $value = "", $expire = 0, $path = "", $domain = "", $secure = false, $httponly = false)
+{
+    return RememberMeCookieTest::$functions->setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);
+}
+
+class RememberMeCookieTest extends \Base
+{
+    public static $functions;
+
+    public function setUp()
+    {
+        parent::setup();
+
+        self::$functions = $this
+            ->getMockBuilder('stdClass')
+            ->setMethods(array(
+                'setcookie',
+            ))
+            ->getMock();
+    }
+
+    public function tearDown()
+    {
+        parent::tearDown();
+        self::$functions = null;
+    }
+
+    public function testEncode()
+    {
+        $cookie = new RememberMeCookie($this->container);
+        $this->assertEquals('a|b', $cookie->encode('a', 'b'));
+    }
+
+    public function testDecode()
+    {
+        $cookie = new RememberMeCookie($this->container);
+        $this->assertEquals(array('token' => 'a', 'sequence' => 'b'), $cookie->decode('a|b'));
+    }
+
+    public function testHasCookie()
+    {
+        $this->container['request'] = new Request($this->container, array(), array(), array(), array(), array());
+
+        $cookie = new RememberMeCookie($this->container);
+        $this->assertFalse($cookie->hasCookie());
+
+        $this->container['request'] = new Request($this->container, array(), array(), array(), array(), array(RememberMeCookie::COOKIE_NAME => 'miam'));
+        $this->assertTrue($cookie->hasCookie());
+    }
+
+    public function testWrite()
+    {
+        self::$functions
+            ->expects($this->once())
+            ->method('setcookie')
+            ->with(
+                RememberMeCookie::COOKIE_NAME,
+                'myToken|mySequence',
+                1234,
+                '',
+                '',
+                false,
+                true
+            )
+            ->will($this->returnValue(true));
+
+        $cookie = new RememberMeCookie($this->container);
+        $this->assertTrue($cookie->write('myToken', 'mySequence', 1234));
+    }
+
+    public function testRead()
+    {
+        $this->container['request'] = new Request($this->container, array(), array(), array(), array(), array());
+
+        $cookie = new RememberMeCookie($this->container);
+        $this->assertFalse($cookie->read());
+
+        $this->container['request'] = new Request($this->container, array(), array(), array(), array(), array(RememberMeCookie::COOKIE_NAME => 'T|S'));
+
+        $this->assertEquals(array('token' => 'T', 'sequence' => 'S'), $cookie->read());
+    }
+
+    public function testRemove()
+    {
+        self::$functions
+            ->expects($this->once())
+            ->method('setcookie')
+            ->with(
+                RememberMeCookie::COOKIE_NAME,
+                '',
+                time() - 3600,
+                '',
+                '',
+                false,
+                true
+            )
+            ->will($this->returnValue(true));
+
+        $cookie = new RememberMeCookie($this->container);
+        $this->assertTrue($cookie->remove());
+    }
+}

tests/units/Core/Http/RequestTest.php

@@ -0,0 +1,175 @@
+<?php
+
+require_once __DIR__.'/../../Base.php';
+
+use Kanboard\Core\Http\Request;
+
+class RequestTest extends Base
+{
+    public function testGetStringParam()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEquals('', $request->getStringParam('myvar'));
+
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEquals('default', $request->getStringParam('myvar', 'default'));
+
+        $request = new Request($this->container, array(), array('myvar' => 'myvalue'), array(), array(), array());
+        $this->assertEquals('myvalue', $request->getStringParam('myvar'));
+    }
+
+    public function testGetIntegerParam()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEquals(0, $request->getIntegerParam('myvar'));
+
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEquals(5, $request->getIntegerParam('myvar', 5));
+
+        $request = new Request($this->container, array(), array('myvar' => 'myvalue'), array(), array(), array());
+        $this->assertEquals(0, $request->getIntegerParam('myvar'));
+
+        $request = new Request($this->container, array(), array('myvar' => '123'), array(), array(), array());
+        $this->assertEquals(123, $request->getIntegerParam('myvar'));
+    }
+
+    public function testGetValues()
+    {
+        $request = new Request($this->container, array(), array(), array('myvar' => 'myvalue'), array(), array());
+        $this->assertEmpty($request->getValue('myvar'));
+
+        $request = new Request($this->container, array(), array(), array('myvar' => 'myvalue', 'csrf_token' => $this->container['token']->getCSRFToken()), array(), array());
+        $this->assertEquals('myvalue', $request->getValue('myvar'));
+
+        $request = new Request($this->container, array(), array(), array('myvar' => 'myvalue', 'csrf_token' => $this->container['token']->getCSRFToken()), array(), array());
+        $this->assertEquals(array('myvar' => 'myvalue'), $request->getValues());
+    }
+
+    public function testGetFileContent()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEmpty($request->getFileContent('myfile'));
+
+        $filename = tempnam(sys_get_temp_dir(), 'UnitTest');
+        file_put_contents($filename, 'something');
+
+        $request = new Request($this->container, array(), array(), array(), array('myfile' => array('tmp_name' => $filename)), array());
+        $this->assertEquals('something', $request->getFileContent('myfile'));
+
+        unlink($filename);
+    }
+
+    public function testGetFilePath()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEmpty($request->getFilePath('myfile'));
+
+        $request = new Request($this->container, array(), array(), array(), array('myfile' => array('tmp_name' => 'somewhere')), array());
+        $this->assertEquals('somewhere', $request->getFilePath('myfile'));
+    }
+
+    public function testIsPost()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertFalse($request->isPost());
+
+        $request = new Request($this->container, array('REQUEST_METHOD' => 'POST'), array(), array(), array(), array());
+        $this->assertTrue($request->isPost());
+    }
+
+    public function testIsAjax()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertFalse($request->isAjax());
+
+        $request = new Request($this->container, array('HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'), array(), array(), array(), array());
+        $this->assertTrue($request->isAjax());
+    }
+
+    public function testIsHTTPS()
+    {
+        $request = new Request($this->container, array(), array(), array(), array());
+        $this->assertFalse($request->isHTTPS());
+
+        $request = new Request($this->container, array('HTTPS' => ''), array(), array(), array(), array());
+        $this->assertFalse($request->isHTTPS());
+
+        $request = new Request($this->container, array('HTTPS' => 'off'), array(), array(), array(), array());
+        $this->assertFalse($request->isHTTPS());
+
+        $request = new Request($this->container, array('HTTPS' => 'on'), array(), array(), array(), array());
+        $this->assertTrue($request->isHTTPS());
+
+        $request = new Request($this->container, array('HTTPS' => '1'), array(), array(), array(), array());
+        $this->assertTrue($request->isHTTPS());
+    }
+
+    public function testGetCookie()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEmpty($request->getCookie('mycookie'));
+
+        $request = new Request($this->container, array(), array(), array(), array(), array('mycookie' => 'miam'));
+        $this->assertEquals('miam', $request->getCookie('mycookie'));
+    }
+
+    public function testGetHeader()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEmpty($request->getHeader('X-Forwarded-For'));
+
+        $request = new Request($this->container, array('HTTP_X_FORWARDED_FOR' => 'test'), array(), array(), array(), array());
+        $this->assertEquals('test', $request->getHeader('X-Forwarded-For'));
+    }
+
+    public function testGetRemoteUser()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEmpty($request->getRemoteUser());
+
+        $request = new Request($this->container, array(REVERSE_PROXY_USER_HEADER => 'test'), array(), array(), array(), array());
+        $this->assertEquals('test', $request->getRemoteUser());
+    }
+
+    public function testGetQueryString()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEmpty($request->getQueryString());
+
+        $request = new Request($this->container, array('QUERY_STRING' => 'k=v'), array(), array(), array(), array());
+        $this->assertEquals('k=v', $request->getQueryString());
+    }
+
+    public function testGetUri()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEmpty($request->getUri());
+
+        $request = new Request($this->container, array('REQUEST_URI' => '/blah'), array(), array(), array(), array());
+        $this->assertEquals('/blah', $request->getUri());
+    }
+
+    public function testGetUserAgent()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEquals('Unknown', $request->getUserAgent());
+
+        $request = new Request($this->container, array('HTTP_USER_AGENT' => 'My browser'), array(), array(), array(), array());
+        $this->assertEquals('My browser', $request->getUserAgent());
+    }
+
+    public function testGetIpAddress()
+    {
+        $request = new Request($this->container, array(), array(), array(), array(), array());
+        $this->assertEquals('Unknown', $request->getIpAddress());
+
+        $request = new Request($this->container, array('HTTP_X_FORWARDED_FOR' => '192.168.0.1,127.0.0.1'), array(), array(), array(), array());
+        $this->assertEquals('192.168.0.1', $request->getIpAddress());
+
+        $request = new Request($this->container, array('REMOTE_ADDR' => '192.168.0.1'), array(), array(), array(), array());
+        $this->assertEquals('192.168.0.1', $request->getIpAddress());
+
+        $request = new Request($this->container, array('REMOTE_ADDR' => ''), array(), array(), array(), array());
+        $this->assertEquals('Unknown', $request->getIpAddress());
+    }
+}

tests/units/Core/Ldap/ClientTest.php

@@ -49,6 +49,13 @@ class ClientTest extends \Base
         self::$functions = null;
     }
 
+    public function testGetLdapServerNotConfigured()
+    {
+        $this->setExpectedException('\LogicException');
+        $ldap = new Client;
+        $ldap->getLdapServer();
+    }
+
     public function testConnectSuccess()
     {
         self::$functions
@@ -61,7 +68,8 @@ class ClientTest extends \Base
             ->will($this->returnValue('my_ldap_resource'));
 
         $ldap = new Client;
-        $this->assertEquals('my_ldap_resource', $ldap->getConnection('my_ldap_server'));
+        $ldap->open('my_ldap_server');
+        $this->assertEquals('my_ldap_resource', $ldap->getConnection());
     }
 
     public function testConnectFailure()
@@ -78,7 +86,8 @@ class ClientTest extends \Base
         $this->setExpectedException('\Kanboard\Core\Ldap\ClientException');
 
         $ldap = new Client;
-        $this->assertNotEquals('my_ldap_resource', $ldap->getConnection('my_ldap_server'));
+        $ldap->open('my_ldap_server');
+        $this->assertNotEquals('my_ldap_resource', $ldap->getConnection());
     }
 
     public function testConnectSuccessWithTLS()
@@ -101,7 +110,8 @@ class ClientTest extends \Base
             ->will($this->returnValue(true));
 
         $ldap = new Client;
-        $this->assertEquals('my_ldap_resource', $ldap->getConnection('my_ldap_server', 389, true));
+        $ldap->open('my_ldap_server', 389, true);
+        $this->assertEquals('my_ldap_resource', $ldap->getConnection());
     }
 
     public function testConnectFailureWithTLS()
@@ -126,7 +136,8 @@ class ClientTest extends \Base
         $this->setExpectedException('\Kanboard\Core\Ldap\ClientException');
 
         $ldap = new Client;
-        $this->assertNotEquals('my_ldap_resource', $ldap->getConnection('my_ldap_server', 389, true));
+        $ldap->open('my_ldap_server', 389, true);
+        $this->assertNotEquals('my_ldap_resource', $ldap->getConnection());
     }
 
     public function testAnonymousAuthenticationSuccess()
@@ -134,13 +145,10 @@ class ClientTest extends \Base
         self::$functions
             ->expects($this->once())
             ->method('ldap_bind')
-            ->with(
-                $this->equalTo('my_ldap_resource')
-            )
             ->will($this->returnValue(true));
 
         $ldap = new Client;
-        $this->assertTrue($ldap->useAnonymousAuthentication('my_ldap_resource'));
+        $this->assertTrue($ldap->useAnonymousAuthentication());
     }
 
     public function testAnonymousAuthenticationFailure()
@@ -148,19 +156,25 @@ class ClientTest extends \Base
         self::$functions
             ->expects($this->once())
             ->method('ldap_bind')
-            ->with(
-                $this->equalTo('my_ldap_resource')
-            )
             ->will($this->returnValue(false));
 
         $this->setExpectedException('\Kanboard\Core\Ldap\ClientException');
 
         $ldap = new Client;
-        $ldap->useAnonymousAuthentication('my_ldap_resource');
+        $ldap->useAnonymousAuthentication();
     }
 
     public function testUserAuthenticationSuccess()
     {
+        self::$functions
+            ->expects($this->once())
+            ->method('ldap_connect')
+            ->with(
+                $this->equalTo('my_ldap_server'),
+                $this->equalTo(389)
+            )
+            ->will($this->returnValue('my_ldap_resource'));
+
         self::$functions
             ->expects($this->once())
             ->method('ldap_bind')
@@ -172,11 +186,21 @@ class ClientTest extends \Base
             ->will($this->returnValue(true));
 
         $ldap = new Client;
-        $this->assertTrue($ldap->authenticate('my_ldap_resource', 'my_ldap_user', 'my_ldap_password'));
+        $ldap->open('my_ldap_server');
+        $this->assertTrue($ldap->authenticate('my_ldap_user', 'my_ldap_password'));
     }
 
     public function testUserAuthenticationFailure()
     {
+        self::$functions
+            ->expects($this->once())
+            ->method('ldap_connect')
+            ->with(
+                $this->equalTo('my_ldap_server'),
+                $this->equalTo(389)
+            )
+            ->will($this->returnValue('my_ldap_resource'));
+
         self::$functions
             ->expects($this->once())
             ->method('ldap_bind')
@@ -190,6 +214,7 @@ class ClientTest extends \Base
         $this->setExpectedException('\Kanboard\Core\Ldap\ClientException');
 
         $ldap = new Client;
-        $ldap->authenticate('my_ldap_resource', 'my_ldap_user', 'my_ldap_password');
+        $ldap->open('my_ldap_server');
+        $ldap->authenticate('my_ldap_user', 'my_ldap_password');
     }
 }

tests/units/Core/Ldap/EntriesTest.php

@@ -0,0 +1,55 @@
+<?php
+
+require_once __DIR__.'/../../Base.php';
+
+use Kanboard\Core\Ldap\Entries;
+
+class EntriesTest extends Base
+{
+    private $entries = array(
+        'count' => 2,
+        0 => array(
+            'cn' => array(
+                'count' => 1,
+                0 => 'Kanboard Other Group',
+            ),
+            0 => 'cn',
+            'count' => 1,
+            'dn' => 'CN=Kanboard Other Group,CN=Users,DC=kanboard,DC=local',
+        ),
+        1 => array(
+            'cn' => array(
+                'count' => 1,
+                0 => 'Kanboard Users',
+            ),
+            0 => 'cn',
+            'count' => 1,
+            'dn' => 'CN=Kanboard Users,CN=Users,DC=kanboard,DC=local',
+        ),
+    );
+
+    public function testGetAll()
+    {
+        $entries = new Entries(array());
+        $this->assertEmpty($entries->getAll());
+
+        $entries = new Entries($this->entries);
+        $result = $entries->getAll();
+        $this->assertCount(2, $result);
+        $this->assertInstanceOf('Kanboard\Core\Ldap\Entry', $result[0]);
+        $this->assertEquals('CN=Kanboard Users,CN=Users,DC=kanboard,DC=local', $result[1]->getDn());
+        $this->assertEquals('Kanboard Users', $result[1]->getFirstValue('cn'));
+    }
+
+    public function testGetFirst()
+    {
+        $entries = new Entries(array());
+        $this->assertEquals('', $entries->getFirstEntry()->getDn());
+
+        $entries = new Entries($this->entries);
+        $result = $entries->getFirstEntry();
+        $this->assertInstanceOf('Kanboard\Core\Ldap\Entry', $result);
+        $this->assertEquals('CN=Kanboard Other Group,CN=Users,DC=kanboard,DC=local', $result->getDn());
+        $this->assertEquals('Kanboard Other Group', $result->getFirstValue('cn'));
+    }
+}

tests/units/Core/Ldap/EntryTest.php

@@ -0,0 +1,71 @@
+<?php
+
+require_once __DIR__.'/../../Base.php';
+
+use Kanboard\Core\Ldap\Entry;
+
+class EntryTest extends Base
+{
+    private $entry = array(
+        'count' => 2,
+        'dn' => 'uid=my_user,ou=People,dc=kanboard,dc=local',
+        'displayname' => array(
+            'count' => 1,
+            0 => 'My LDAP user',
+        ),
+        'broken' => array(
+        ),
+        'mail' => array(
+            'count' => 2,
+            0 => 'user1@localhost',
+            1 => 'user2@localhost',
+        ),
+        'samaccountname' => array(
+            'count' => 1,
+            0 => 'my_ldap_user',
+        ),
+        0 => 'displayname',
+        1 => 'mail',
+        2 => 'samaccountname',
+    );
+
+    public function testGetAll()
+    {
+        $expected = array(
+            'user1@localhost',
+            'user2@localhost',
+        );
+
+        $entry = new Entry($this->entry);
+        $this->assertEquals($expected, $entry->getAll('mail'));
+        $this->assertEmpty($entry->getAll('not found'));
+        $this->assertEmpty($entry->getAll('broken'));
+    }
+
+    public function testGetFirst()
+    {
+        $entry = new Entry($this->entry);
+        $this->assertEquals('user1@localhost', $entry->getFirstValue('mail'));
+        $this->assertEquals('', $entry->getFirstValue('not found'));
+        $this->assertEquals('default', $entry->getFirstValue('not found', 'default'));
+        $this->assertEquals('default', $entry->getFirstValue('broken', 'default'));
+    }
+
+    public function testGetDn()
+    {
+        $entry = new Entry($this->entry);
+        $this->assertEquals('uid=my_user,ou=People,dc=kanboard,dc=local', $entry->getDn());
+
+        $entry = new Entry(array());
+        $this->assertEquals('', $entry->getDn());
+    }
+
+    public function testHasValue()
+    {
+        $entry = new Entry($this->entry);
+        $this->assertTrue($entry->hasValue('mail', 'user2@localhost'));
+        $this->assertFalse($entry->hasValue('mail', 'user3@localhost'));
+        $this->assertTrue($entry->hasValue('displayname', 'My LDAP user'));
+        $this->assertFalse($entry->hasValue('displayname', 'Something else'));
+    }
+}

tests/units/Core/Ldap/LdapGroupTest.php

@@ -0,0 +1,160 @@
+<?php
+
+require_once __DIR__.'/../../Base.php';
+
+use Kanboard\Core\Ldap\Group;
+use Kanboard\Core\Ldap\Entries;
+use Kanboard\Core\Security\Role;
+
+class LdapGroupTest extends Base
+{
+    private $query;
+    private $client;
+    private $group;
+
+    public function setUp()
+    {
+        parent::setUp();
+
+        $this->client = $this
+            ->getMockBuilder('\Kanboard\Core\Ldap\Client')
+            ->setMethods(array(
+                'getConnection',
+            ))
+            ->getMock();
+
+        $this->query = $this
+            ->getMockBuilder('\Kanboard\Core\Ldap\Query')
+            ->setConstructorArgs(array($this->client))
+            ->setMethods(array(
+                'execute',
+                'hasResult',
+                'getEntries',
+            ))
+            ->getMock();
+
+        $this->group = $this
+            ->getMockBuilder('\Kanboard\Core\Ldap\Group')
+            ->setConstructorArgs(array($this->query))
+            ->setMethods(array(
+                'getAttributeName',
+                'getBasDn',
+            ))
+            ->getMock();
+    }
+
+    public function testGetGroups()
+    {
+        $entries = new Entries(array(
+            'count' => 2,
+            0 => array(
+                'cn' => array(
+                    'count' => 1,
+                    0 => 'Kanboard Other Group',
+                ),
+                0 => 'cn',
+                'count' => 1,
+                'dn' => 'CN=Kanboard Other Group,CN=Users,DC=kanboard,DC=local',
+            ),
+            1 => array(
+                'cn' => array(
+                    'count' => 1,
+                    0 => 'Kanboard Users',
+                ),
+                0 => 'cn',
+                'count' => 1,
+                'dn' => 'CN=Kanboard Users,CN=Users,DC=kanboard,DC=local',
+            ),
+        ));
+
+        $this->client
+            ->expects($this->any())
+            ->method('getConnection')
+            ->will($this->returnValue('my_ldap_resource'));
+
+        $this->query
+            ->expects($this->once())
+            ->method('execute')
+            ->with(
+                $this->equalTo('CN=Users,DC=kanboard,DC=local'),
+                $this->equalTo('(&(objectClass=group)(sAMAccountName=Kanboard*))')
+            );
+
+        $this->query
+            ->expects($this->once())
+            ->method('hasResult')
+            ->will($this->returnValue(true));
+
+        $this->query
+            ->expects($this->once())
+            ->method('getEntries')
+            ->will($this->returnValue($entries));
+
+        $this->group
+            ->expects($this->any())
+            ->method('getAttributeName')
+            ->will($this->returnValue('cn'));
+
+        $this->group
+            ->expects($this->any())
+            ->method('getBasDn')
+            ->will($this->returnValue('CN=Users,DC=kanboard,DC=local'));
+
+        $groups = $this->group->find('(&(objectClass=group)(sAMAccountName=Kanboard*))');
+        $this->assertCount(2, $groups);
+        $this->assertInstanceOf('Kanboard\Group\LdapGroupProvider', $groups[0]);
+        $this->assertInstanceOf('Kanboard\Group\LdapGroupProvider', $groups[1]);
+        $this->assertEquals('Kanboard Other Group', $groups[0]->getName());
+        $this->assertEquals('Kanboard Users', $groups[1]->getName());
+        $this->assertEquals('CN=Kanboard Other Group,CN=Users,DC=kanboard,DC=local', $groups[0]->getExternalId());
+        $this->assertEquals('CN=Kanboard Users,CN=Users,DC=kanboard,DC=local', $groups[1]->getExternalId());
+    }
+
+    public function testGetGroupsWithNoResult()
+    {
+        $entries = new Entries(array());
+
+        $this->client
+            ->expects($this->any())
+            ->method('getConnection')
+            ->will($this->returnValue('my_ldap_resource'));
+
+        $this->query
+            ->expects($this->once())
+            ->method('execute')
+            ->with(
+                $this->equalTo('CN=Users,DC=kanboard,DC=local'),
+                $this->equalTo('(&(objectClass=group)(sAMAccountName=Kanboard*))')
+            );
+
+        $this->query
+            ->expects($this->once())
+            ->method('hasResult')
+            ->will($this->returnValue(false));
+
+        $this->query
+            ->expects($this->never())
+            ->method('getEntries');
+
+        $this->group
+            ->expects($this->any())
+            ->method('getAttributeName')
+            ->will($this->returnValue('cn'));
+
+        $this->group
+            ->expects($this->any())
+            ->method('getBasDn')
+            ->will($this->returnValue('CN=Users,DC=kanboard,DC=local'));
+
+        $groups = $this->group->find('(&(objectClass=group)(sAMAccountName=Kanboard*))');
+        $this->assertCount(0, $groups);
+    }
+
+    public function testGetBaseDnNotConfigured()
+    {
+        $this->setExpectedException('\LogicException');
+
+        $group = new Group($this->query);
+        $group->getBasDn();
+    }
+}

tests/units/Core/Ldap/LdapUserTest.php

@@ -0,0 +1,379 @@
+<?php
+
+require_once __DIR__.'/../../Base.php';
+
+use Kanboard\Core\Ldap\User;
+use Kanboard\Core\Ldap\Entries;
+use Kanboard\Core\Security\Role;
+
+class LdapUserTest extends Base
+{
+    private $query;
+    private $client;
+    private $user;
+
+    public function setUp()
+    {
+        parent::setUp();
+
+        $this->client = $this
+            ->getMockBuilder('\Kanboard\Core\Ldap\Client')
+            ->setMethods(array(
+                'getConnection',
+            ))
+            ->getMock();
+
+        $this->query = $this
+            ->getMockBuilder('\Kanboard\Core\Ldap\Query')
+            ->setConstructorArgs(array($this->client))
+            ->setMethods(array(
+                'execute',
+                'hasResult',
+                'getEntries',
+            ))
+            ->getMock();
+
+        $this->user = $this
+            ->getMockBuilder('\Kanboard\Core\Ldap\User')
+            ->setConstructorArgs(array($this->query))
+            ->setMethods(array(
+                'getAttributeUsername',
+                'getAttributeEmail',
+                'getAttributeName',
+                'getAttributeGroup',
+                'getGroupAdminDn',
+                'getGroupManagerDn',
+                'getBasDn',
+            ))
+            ->getMock();
+    }
+
+    public function testGetUser()
+    {
+        $entries = new Entries(array(
+            'count' => 1,
+            0 => array(
+                'count' => 2,
+                'dn' => 'uid=my_ldap_user,ou=People,dc=kanboard,dc=local',
+                'displayname' => array(
+                    'count' => 1,
+                    0 => 'My LDAP user',
+                ),
+                'mail' => array(
+                    'count' => 2,
+                    0 => 'user1@localhost',
+                    1 => 'user2@localhost',
+                ),
+                'samaccountname' => array(
+                    'count' => 1,
+                    0 => 'my_ldap_user',
+                ),
+                0 => 'displayname',
+                1 => 'mail',
+                2 => 'samaccountname',
+            )
+        ));
+
+        $this->client
+            ->expects($this->any())
+            ->method('getConnection')
+            ->will($this->returnValue('my_ldap_resource'));
+
+        $this->query
+            ->expects($this->once())
+            ->method('execute')
+            ->with(
+                $this->equalTo('ou=People,dc=kanboard,dc=local'),
+                $this->equalTo('(uid=my_ldap_user)')
+            );
+
+        $this->query
+            ->expects($this->once())
+            ->method('hasResult')
+            ->will($this->returnValue(true));
+
+        $this->query
+            ->expects($this->once())
+            ->method('getEntries')
+            ->will($this->returnValue($entries));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeUsername')
+            ->will($this->returnValue('samaccountname'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeName')
+            ->will($this->returnValue('displayname'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeEmail')
+            ->will($this->returnValue('mail'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getBasDn')
+            ->will($this->returnValue('ou=People,dc=kanboard,dc=local'));
+
+        $user = $this->user->find('(uid=my_ldap_user)');
+        $this->assertInstanceOf('Kanboard\User\LdapUserProvider', $user);
+        $this->assertEquals('uid=my_ldap_user,ou=People,dc=kanboard,dc=local', $user->getDn());
+        $this->assertEquals('my_ldap_user', $user->getUsername());
+        $this->assertEquals('My LDAP user', $user->getName());
+        $this->assertEquals('user1@localhost', $user->getEmail());
+        $this->assertEquals(Role::APP_USER, $user->getRole());
+        $this->assertEquals(array(), $user->getExternalGroupIds());
+        $this->assertEquals(array('is_ldap_user' => 1), $user->getExtraAttributes());
+    }
+
+    public function testGetUserWithAdminRole()
+    {
+        $entries = new Entries(array(
+            'count' => 1,
+            0 => array(
+                'count' => 2,
+                'dn' => 'uid=my_ldap_user,ou=People,dc=kanboard,dc=local',
+                'displayname' => array(
+                    'count' => 1,
+                    0 => 'My LDAP user',
+                ),
+                'mail' => array(
+                    'count' => 2,
+                    0 => 'user1@localhost',
+                    1 => 'user2@localhost',
+                ),
+                'samaccountname' => array(
+                    'count' => 1,
+                    0 => 'my_ldap_user',
+                ),
+                'memberof' => array(
+                    'count' => 1,
+                    0 => 'CN=Kanboard-Admins,CN=Users,DC=kanboard,DC=local',
+                ),
+                0 => 'displayname',
+                1 => 'mail',
+                2 => 'samaccountname',
+                3 => 'memberof',
+            )
+        ));
+
+        $this->client
+            ->expects($this->any())
+            ->method('getConnection')
+            ->will($this->returnValue('my_ldap_resource'));
+
+        $this->query
+            ->expects($this->once())
+            ->method('execute')
+            ->with(
+                $this->equalTo('ou=People,dc=kanboard,dc=local'),
+                $this->equalTo('(uid=my_ldap_user)')
+            );
+
+        $this->query
+            ->expects($this->once())
+            ->method('hasResult')
+            ->will($this->returnValue(true));
+
+        $this->query
+            ->expects($this->once())
+            ->method('getEntries')
+            ->will($this->returnValue($entries));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeUsername')
+            ->will($this->returnValue('samaccountname'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeName')
+            ->will($this->returnValue('displayname'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeEmail')
+            ->will($this->returnValue('mail'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeGroup')
+            ->will($this->returnValue('memberof'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getGroupAdminDn')
+            ->will($this->returnValue('CN=Kanboard-Admins,CN=Users,DC=kanboard,DC=local'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getBasDn')
+            ->will($this->returnValue('ou=People,dc=kanboard,dc=local'));
+
+        $user = $this->user->find('(uid=my_ldap_user)');
+        $this->assertInstanceOf('Kanboard\User\LdapUserProvider', $user);
+        $this->assertEquals('uid=my_ldap_user,ou=People,dc=kanboard,dc=local', $user->getDn());
+        $this->assertEquals('my_ldap_user', $user->getUsername());
+        $this->assertEquals('My LDAP user', $user->getName());
+        $this->assertEquals('user1@localhost', $user->getEmail());
+        $this->assertEquals(Role::APP_ADMIN, $user->getRole());
+        $this->assertEquals(array('CN=Kanboard-Admins,CN=Users,DC=kanboard,DC=local'), $user->getExternalGroupIds());
+        $this->assertEquals(array('is_ldap_user' => 1), $user->getExtraAttributes());
+    }
+
+    public function testGetUserWithManagerRole()
+    {
+        $entries = new Entries(array(
+            'count' => 1,
+            0 => array(
+                'count' => 2,
+                'dn' => 'uid=my_ldap_user,ou=People,dc=kanboard,dc=local',
+                'displayname' => array(
+                    'count' => 1,
+                    0 => 'My LDAP user',
+                ),
+                'mail' => array(
+                    'count' => 2,
+                    0 => 'user1@localhost',
+                    1 => 'user2@localhost',
+                ),
+                'samaccountname' => array(
+                    'count' => 1,
+                    0 => 'my_ldap_user',
+                ),
+                'memberof' => array(
+                    'count' => 2,
+                    0 => 'CN=Kanboard-Users,CN=Users,DC=kanboard,DC=local',
+                    1 => 'CN=Kanboard-Managers,CN=Users,DC=kanboard,DC=local',
+                ),
+                0 => 'displayname',
+                1 => 'mail',
+                2 => 'samaccountname',
+                3 => 'memberof',
+            )
+        ));
+
+        $this->client
+            ->expects($this->any())
+            ->method('getConnection')
+            ->will($this->returnValue('my_ldap_resource'));
+
+        $this->query
+            ->expects($this->once())
+            ->method('execute')
+            ->with(
+                $this->equalTo('ou=People,dc=kanboard,dc=local'),
+                $this->equalTo('(uid=my_ldap_user)')
+            );
+
+        $this->query
+            ->expects($this->once())
+            ->method('hasResult')
+            ->will($this->returnValue(true));
+
+        $this->query
+            ->expects($this->once())
+            ->method('getEntries')
+            ->will($this->returnValue($entries));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeUsername')
+            ->will($this->returnValue('samaccountname'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeName')
+            ->will($this->returnValue('displayname'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeEmail')
+            ->will($this->returnValue('mail'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeGroup')
+            ->will($this->returnValue('memberof'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getGroupManagerDn')
+            ->will($this->returnValue('CN=Kanboard-Managers,CN=Users,DC=kanboard,DC=local'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getBasDn')
+            ->will($this->returnValue('ou=People,dc=kanboard,dc=local'));
+
+        $user = $this->user->find('(uid=my_ldap_user)');
+        $this->assertInstanceOf('Kanboard\User\LdapUserProvider', $user);
+        $this->assertEquals('uid=my_ldap_user,ou=People,dc=kanboard,dc=local', $user->getDn());
+        $this->assertEquals('my_ldap_user', $user->getUsername());
+        $this->assertEquals('My LDAP user', $user->getName());
+        $this->assertEquals('user1@localhost', $user->getEmail());
+        $this->assertEquals(Role::APP_MANAGER, $user->getRole());
+        $this->assertEquals(array('CN=Kanboard-Users,CN=Users,DC=kanboard,DC=local', 'CN=Kanboard-Managers,CN=Users,DC=kanboard,DC=local'), $user->getExternalGroupIds());
+        $this->assertEquals(array('is_ldap_user' => 1), $user->getExtraAttributes());
+    }
+
+    public function testGetUserNotFound()
+    {
+        $entries = new Entries(array());
+
+        $this->client
+            ->expects($this->any())
+            ->method('getConnection')
+            ->will($this->returnValue('my_ldap_resource'));
+
+        $this->query
+            ->expects($this->once())
+            ->method('execute')
+            ->with(
+                $this->equalTo('ou=People,dc=kanboard,dc=local'),
+                $this->equalTo('(uid=my_ldap_user)')
+            );
+
+        $this->query
+            ->expects($this->once())
+            ->method('hasResult')
+            ->will($this->returnValue(false));
+
+        $this->query
+            ->expects($this->never())
+            ->method('getEntries');
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeUsername')
+            ->will($this->returnValue('samaccountname'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeName')
+            ->will($this->returnValue('displayname'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getAttributeEmail')
+            ->will($this->returnValue('mail'));
+
+        $this->user
+            ->expects($this->any())
+            ->method('getBasDn')
+            ->will($this->returnValue('ou=People,dc=kanboard,dc=local'));
+
+        $user = $this->user->find('(uid=my_ldap_user)');
+        $this->assertEquals(null, $user);
+    }
+
+    public function testGetBaseDnNotConfigured()
+    {
+        $this->setExpectedException('\LogicException');
+
+        $user = new User($this->query);
+        $user->getBasDn();
+    }
+}

tests/units/Core/Ldap/QueryTest.php

@@ -17,6 +17,7 @@ function ldap_get_entries($link_identifier, $result_identifier)
 class QueryTest extends \Base
 {
     public static $functions;
+    private $client;
 
     public function setUp()
     {
@@ -29,6 +30,13 @@ class QueryTest extends \Base
                 'ldap_get_entries',
             ))
             ->getMock();
+
+        $this->client = $this
+            ->getMockBuilder('\Kanboard\Core\Ldap\Client')
+            ->setMethods(array(
+                'getConnection',
+            ))
+            ->getMock();
     }
 
     public function tearDown()
@@ -58,6 +66,11 @@ class QueryTest extends \Base
             )
         );
 
+        $this->client
+            ->expects($this->any())
+            ->method('getConnection')
+            ->will($this->returnValue('my_ldap_resource'));
+
         self::$functions
             ->expects($this->once())
             ->method('ldap_search')
@@ -78,20 +91,25 @@ class QueryTest extends \Base
             )
             ->will($this->returnValue($entries));
 
-        $query = new Query;
-        $query->execute('my_ldap_resource', 'ou=People,dc=kanboard,dc=local', 'uid=my_user', array('displayname'));
+        $query = new Query($this->client);
+        $query->execute('ou=People,dc=kanboard,dc=local', 'uid=my_user', array('displayname'));
         $this->assertTrue($query->hasResult());
 
-        $this->assertEquals('My user', $query->getAttributeValue('displayname'));
-        $this->assertEquals('user1@localhost', $query->getAttributeValue('mail'));
-        $this->assertEquals('', $query->getAttributeValue('not_found'));
+        $this->assertEquals('My user', $query->getEntries()->getFirstEntry()->getFirstValue('displayname'));
+        $this->assertEquals('user1@localhost', $query->getEntries()->getFirstEntry()->getFirstValue('mail'));
+        $this->assertEquals('', $query->getEntries()->getFirstEntry()->getFirstValue('not_found'));
 
-        $this->assertEquals('uid=my_user,ou=People,dc=kanboard,dc=local', $query->getAttribute('dn'));
-        $this->assertEquals(null, $query->getAttribute('missing'));
+        $this->assertEquals('uid=my_user,ou=People,dc=kanboard,dc=local', $query->getEntries()->getFirstEntry()->getDn());
+        $this->assertEquals('', $query->getEntries()->getFirstEntry()->getFirstValue('missing'));
     }
 
     public function testExecuteQueryNotFound()
     {
+        $this->client
+            ->expects($this->any())
+            ->method('getConnection')
+            ->will($this->returnValue('my_ldap_resource'));
+
         self::$functions
             ->expects($this->once())
             ->method('ldap_search')
@@ -112,13 +130,18 @@ class QueryTest extends \Base
             )
             ->will($this->returnValue(array()));
 
-        $query = new Query;
-        $query->execute('my_ldap_resource', 'ou=People,dc=kanboard,dc=local', 'uid=my_user', array('displayname'));
+        $query = new Query($this->client);
+        $query->execute('ou=People,dc=kanboard,dc=local', 'uid=my_user', array('displayname'));
         $this->assertFalse($query->hasResult());
     }
 
     public function testExecuteQueryFailed()
     {
+        $this->client
+            ->expects($this->once())
+            ->method('getConnection')
+            ->will($this->returnValue('my_ldap_resource'));
+
         self::$functions
             ->expects($this->once())
             ->method('ldap_search')
@@ -130,8 +153,8 @@ class QueryTest extends \Base
             )
             ->will($this->returnValue(false));
 
-        $query = new Query;
-        $query->execute('my_ldap_resource', 'ou=People,dc=kanboard,dc=local', 'uid=my_user', array('displayname'));
+        $query = new Query($this->client);
+        $query->execute('ou=People,dc=kanboard,dc=local', 'uid=my_user', array('displayname'));
         $this->assertFalse($query->hasResult());
     }
 }

tests/units/Core/Ldap/UserTest.php

@@ -1,95 +0,0 @@
-<?php
-
-namespace Kanboard\Core\Ldap;
-
-require_once __DIR__.'/../../Base.php';
-
-class UserTest extends \Base
-{
-    public function testGetProfile()
-    {
-        $entries = array(
-            'count' => 1,
-            0 => array(
-                'count' => 2,
-                'dn' => 'uid=my_user,ou=People,dc=kanboard,dc=local',
-                'displayname' => array(
-                    'count' => 1,
-                    0 => 'My LDAP user',
-                ),
-                'mail' => array(
-                    'count' => 2,
-                    0 => 'user1@localhost',
-                    1 => 'user2@localhost',
-                ),
-                'samaccountname' => array(
-                    'count' => 1,
-                    0 => 'my_ldap_user',
-                ),
-                0 => 'displayname',
-                1 => 'mail',
-                2 => 'samaccountname',
-            )
-        );
-
-        $expected = array(
-            'ldap_id' => 'uid=my_user,ou=People,dc=kanboard,dc=local',
-            'username' => 'my_ldap_user',
-            'name' => 'My LDAP user',
-            'email' => 'user1@localhost',
-            'is_admin' => 0,
-            'is_project_admin' => 0,
-            'is_ldap_user' => 1,
-        );
-
-        $query = $this
-            ->getMockBuilder('\Kanboard\Core\Ldap\Query')
-            ->setConstructorArgs(array($entries))
-            ->setMethods(array(
-                'execute',
-                'hasResult',
-            ))
-            ->getMock();
-
-        $query
-            ->expects($this->once())
-            ->method('execute')
-            ->with(
-                $this->equalTo('my_ldap_resource'),
-                $this->equalTo('ou=People,dc=kanboard,dc=local'),
-                $this->equalTo('(uid=my_user)')
-            );
-
-        $query
-            ->expects($this->once())
-            ->method('hasResult')
-            ->will($this->returnValue(true));
-
-        $user = $this
-            ->getMockBuilder('\Kanboard\Core\Ldap\User')
-            ->setConstructorArgs(array($query))
-            ->setMethods(array(
-                'getAttributeUsername',
-                'getAttributeEmail',
-                'getAttributeName',
-            ))
-            ->getMock();
-
-        $user
-            ->expects($this->any())
-            ->method('getAttributeUsername')
-            ->will($this->returnValue('samaccountname'));
-
-        $user
-            ->expects($this->any())
-            ->method('getAttributeName')
-            ->will($this->returnValue('displayname'));
-
-        $user
-            ->expects($this->any())
-            ->method('getAttributeEmail')
-            ->will($this->returnValue('mail'));
-
-        $this->assertEquals($expected, $user->getProfile('my_ldap_resource', 'ou=People,dc=kanboard,dc=local', '(uid=my_user)'));
-    }
-}

tests/units/Core/Security/AccessMapTest.php

@@ -6,17 +6,34 @@ use Kanboard\Core\Security\AccessMap;
 
 class AccessMapTest extends Base
 {
-    public function testGetRoles()
+    public function testRoleHierarchy()
+    {
+        $acl = new AccessMap;
+        $acl->setRoleHierarchy('admin', array('manager', 'user'));
+        $acl->setRoleHierarchy('manager', array('user'));
+
+        $this->assertEquals(array('admin'), $acl->getRoleHierarchy('admin'));
+        $this->assertEquals(array('manager', 'admin'), $acl->getRoleHierarchy('manager'));
+        $this->assertEquals(array('user', 'admin', 'manager'), $acl->getRoleHierarchy('user'));
+    }
+
+    public function testAddRulesAndGetRoles()
     {
         $acl = new AccessMap;
         $acl->setDefaultRole('role3');
-        $acl->add('MyController', 'myAction1', array('role1', 'role2'));
-        $acl->add('MyController', 'myAction2', array('role1'));
-        $acl->add('MyAdminController', '*', array('role2'));
+        $acl->setRoleHierarchy('role2', array('role1'));
 
-        $this->assertEquals(array('role1', 'role2'), $acl->getRoles('mycontroller', 'MyAction1'));
-        $this->assertEquals(array('role1'), $acl->getRoles('mycontroller', 'MyAction2'));
+        $acl->add('MyController', 'myAction1', 'role2');
+        $acl->add('MyController', 'myAction2', 'role1');
+        $acl->add('MyAdminController', '*', 'role2');
+        $acl->add('SomethingElse', array('actionA', 'actionB'), 'role2');
+
+        $this->assertEquals(array('role2'), $acl->getRoles('mycontroller', 'MyAction1'));
+        $this->assertEquals(array('role1', 'role2'), $acl->getRoles('mycontroller', 'MyAction2'));
         $this->assertEquals(array('role2'), $acl->getRoles('Myadmincontroller', 'MyAction'));
         $this->assertEquals(array('role3'), $acl->getRoles('AnotherController', 'ActionNotFound'));
+        $this->assertEquals(array('role2'), $acl->getRoles('somethingelse', 'actiona'));
+        $this->assertEquals(array('role2'), $acl->getRoles('somethingelse', 'actionb'));
+        $this->assertEquals(array('role3'), $acl->getRoles('somethingelse', 'actionc'));
     }
 }

tests/units/Core/Security/AuthenticationManagerTest.php

@@ -0,0 +1,150 @@
+<?php
+
+require_once __DIR__.'/../../Base.php';
+
+use Kanboard\Core\Http\Request;
+use Kanboard\Core\Security\AuthenticationManager;
+use Kanboard\Auth\DatabaseAuth;
+use Kanboard\Auth\TotpAuth;
+use Kanboard\Auth\ReverseProxyAuth;
+
+class AuthenticationManagerTest extends Base
+{
+    public function testRegister()
+    {
+        $authManager = new AuthenticationManager($this->container);
+        $authManager->register(new DatabaseAuth($this->container));
+        $provider = $authManager->getProvider('Database');
+
+        $this->assertInstanceOf('Kanboard\Core\Security\AuthenticationProviderInterface', $provider);
+    }
+
+    public function testGetProviderNotFound()
+    {
+        $authManager = new AuthenticationManager($this->container);
+        $this->setExpectedException('LogicException');
+        $authManager->getProvider('Dababase');
+    }
+
+    public function testGetPostProviderNotFound()
+    {
+        $authManager = new AuthenticationManager($this->container);
+        $this->setExpectedException('LogicException');
+        $authManager->getPostAuthenticationProvider();
+    }
+
+    public function testGetPostProvider()
+    {
+        $authManager = new AuthenticationManager($this->container);
+        $authManager->register(new TotpAuth($this->container));
+        $provider = $authManager->getPostAuthenticationProvider();
+
+        $this->assertInstanceOf('Kanboard\Core\Security\PostAuthenticationProviderInterface', $provider);
+    }
+
+    public function testCheckSessionWhenNobodyIsLogged()
+    {
+        $authManager = new AuthenticationManager($this->container);
+        $authManager->register(new DatabaseAuth($this->container));
+
+        $this->assertFalse($this->container['userSession']->isLogged());
+        $this->assertTrue($authManager->checkCurrentSession());
+    }
+
+    public function testCheckSessionWhenSomeoneIsLogged()
+    {
+        $authManager = new AuthenticationManager($this->container);
+        $authManager->register(new DatabaseAuth($this->container));
+
+        $this->container['sessionStorage']->user = array('id' => 1);
+
+        $this->assertTrue($this->container['userSession']->isLogged());
+        $this->assertTrue($authManager->checkCurrentSession());
+    }
+
+    public function testCheckSessionWhenNotValid()
+    {
+        $authManager = new AuthenticationManager($this->container);
+        $authManager->register(new DatabaseAuth($this->container));
+
+        $this->container['sessionStorage']->user = array('id' => 2);
+
+        $this->assertTrue($this->container['userSession']->isLogged());
+        $this->assertFalse($authManager->checkCurrentSession());
+        $this->assertFalse($this->container['userSession']->isLogged());
+    }
+
+    public function testPreAuthenticationSuccessful()
+    {
+        $this->container['request'] = new Request($this->container, array(REVERSE_PROXY_USER_HEADER => 'admin'));
+        $this->container['dispatcher']->addListener(AuthenticationManager::EVENT_SUCCESS, array($this, 'onSuccess'));
+        $this->container['dispatcher']->addListener(AuthenticationManager::EVENT_FAILURE, array($this, 'onFailure'));
+
+        $authManager = new AuthenticationManager($this->container);
+        $authManager->register(new ReverseProxyAuth($this->container));
+
+        $this->assertTrue($authManager->preAuthentication());
+
+        $called = $this->container['dispatcher']->getCalledListeners();
+        $this->assertArrayHasKey(AuthenticationManager::EVENT_SUCCESS.'.AuthenticationManagerTest::onSuccess', $called);
+        $this->assertArrayNotHasKey(AuthenticationManager::EVENT_FAILURE.'.AuthenticationManagerTest::onFailure', $called);
+    }
+
+    public function testPreAuthenticationFailed()
+    {
+        $this->container['request'] = new Request($this->container, array(REVERSE_PROXY_USER_HEADER => ''));
+        $this->container['dispatcher']->addListener(AuthenticationManager::EVENT_SUCCESS, array($this, 'onSuccess'));
+        $this->container['dispatcher']->addListener(AuthenticationManager::EVENT_FAILURE, array($this, 'onFailure'));
+
+        $authManager = new AuthenticationManager($this->container);
+        $authManager->register(new ReverseProxyAuth($this->container));
+
+        $this->assertFalse($authManager->preAuthentication());
+
+        $called = $this->container['dispatcher']->getCalledListeners();
+        $this->assertArrayNotHasKey(AuthenticationManager::EVENT_SUCCESS.'.AuthenticationManagerTest::onSuccess', $called);
+        $this->assertArrayNotHasKey(AuthenticationManager::EVENT_FAILURE.'.AuthenticationManagerTest::onFailure', $called);
+    }
+
+    public function testPasswordAuthenticationSuccessful()
+    {
+        $this->container['dispatcher']->addListener(AuthenticationManager::EVENT_SUCCESS, array($this, 'onSuccess'));
+        $this->container['dispatcher']->addListener(AuthenticationManager::EVENT_FAILURE, array($this, 'onFailure'));
+
+        $authManager = new AuthenticationManager($this->container);
+        $authManager->register(new DatabaseAuth($this->container));
+
+        $this->assertTrue($authManager->passwordAuthentication('admin', 'admin'));
+
+        $called = $this->container['dispatcher']->getCalledListeners();
+        $this->assertArrayHasKey(AuthenticationManager::EVENT_SUCCESS.'.AuthenticationManagerTest::onSuccess', $called);
+        $this->assertArrayNotHasKey(AuthenticationManager::EVENT_FAILURE.'.AuthenticationManagerTest::onFailure', $called);
+    }
+
+    public function testPasswordAuthenticationFailed()
+    {
+        $this->container['dispatcher']->addListener(AuthenticationManager::EVENT_SUCCESS, array($this, 'onSuccess'));
+        $this->container['dispatcher']->addListener(AuthenticationManager::EVENT_FAILURE, array($this, 'onFailure'));
+
+        $authManager = new AuthenticationManager($this->container);
+        $authManager->register(new DatabaseAuth($this->container));
+
+        $this->assertFalse($authManager->passwordAuthentication('admin', 'wrong password'));
+
+        $called = $this->container['dispatcher']->getCalledListeners();
+        $this->assertArrayNotHasKey(AuthenticationManager::EVENT_SUCCESS.'.AuthenticationManagerTest::onSuccess', $called);
+        $this->assertArrayHasKey(AuthenticationManager::EVENT_FAILURE.'.AuthenticationManagerTest::onFailure', $called);
+    }
+
+    public function onSuccess($event)
+    {
+        $this->assertInstanceOf('Kanboard\Event\AuthSuccessEvent', $event);
+        $this->assertTrue(in_array($event->getAuthType(), array('Database', 'ReverseProxy')));
+    }
+
+    public function onFailure($event)
+    {
+        $this->assertInstanceOf('Kanboard\Event\AuthFailureEvent', $event);
+        $this->assertEquals('admin', $event->getUsername());
+    }
+}

tests/units/Core/Security/AuthorizationTest.php

@@ -12,17 +12,28 @@ class AuthorizationTest extends Base
     {
         $acl = new AccessMap;
         $acl->setDefaultRole(Role::APP_USER);
-        $acl->add('MyController', 'myAction1', array(Role::APP_ADMIN, Role::APP_MANAGER));
-        $acl->add('MyController', 'myAction2', array(Role::APP_ADMIN));
-        $acl->add('MyAdminController', '*', array(Role::APP_MANAGER));
+        $acl->setRoleHierarchy(Role::APP_ADMIN, array(Role::APP_MANAGER, Role::APP_USER));
+        $acl->setRoleHierarchy(Role::APP_MANAGER, array(Role::APP_USER));
+
+        $acl->add('MyController', 'myAction1', Role::APP_MANAGER);
+        $acl->add('MyController', 'myAction2', Role::APP_ADMIN);
+        $acl->add('MyManagerController', '*', Role::APP_MANAGER);
 
         $authorization = new Authorization($acl);
+
         $this->assertTrue($authorization->isAllowed('myController', 'myAction1', Role::APP_ADMIN));
         $this->assertTrue($authorization->isAllowed('myController', 'myAction1', Role::APP_MANAGER));
         $this->assertFalse($authorization->isAllowed('myController', 'myAction1', Role::APP_USER));
-        $this->assertTrue($authorization->isAllowed('anotherController', 'anotherAction', Role::APP_USER));
-        $this->assertTrue($authorization->isAllowed('MyAdminController', 'myAction', Role::APP_MANAGER));
-        $this->assertFalse($authorization->isAllowed('MyAdminController', 'myAction', Role::APP_ADMIN));
-        $this->assertFalse($authorization->isAllowed('MyAdminController', 'myAction', 'something else'));
+        $this->assertFalse($authorization->isAllowed('myController', 'myAction1', 'something else'));
+
+        $this->assertTrue($authorization->isAllowed('MyManagerController', 'myAction', Role::APP_ADMIN));
+        $this->assertTrue($authorization->isAllowed('MyManagerController', 'myAction', Role::APP_MANAGER));
+        $this->assertFalse($authorization->isAllowed('MyManagerController', 'myAction', Role::APP_USER));
+        $this->assertFalse($authorization->isAllowed('MyManagerController', 'myAction', 'something else'));
+
+        $this->assertTrue($authorization->isAllowed('MyUserController', 'myAction', Role::APP_ADMIN));
+        $this->assertTrue($authorization->isAllowed('MyUserController', 'myAction', Role::APP_MANAGER));
+        $this->assertTrue($authorization->isAllowed('MyUserController', 'myAction', Role::APP_USER));
+        $this->assertFalse($authorization->isAllowed('MyUserController', 'myAction', 'something else'));
     }
 }

tests/units/Core/User/GroupSyncTest.php

@@ -0,0 +1,30 @@
+<?php
+
+require_once __DIR__.'/../../Base.php';
+
+use Kanboard\Core\User\GroupSync;
+use Kanboard\Model\Group;
+use Kanboard\Model\GroupMember;
+
+class GroupSyncTest extends Base
+{
+    public function testSynchronize()
+    {
+        $group = new Group($this->container);
+        $groupMember = new GroupMember($this->container);
+        $groupSync = new GroupSync($this->container);
+
+        $this->assertEquals(1, $group->create('My Group 1', 'externalId1'));
+        $this->assertEquals(2, $group->create('My Group 2', 'externalId2'));
+
+        $this->assertTrue($groupMember->addUser(1, 1));
+
+        $this->assertTrue($groupMember->isMember(1, 1));
+        $this->assertFalse($groupMember->isMember(2, 1));
+
+        $groupSync->synchronize(1, array('externalId1', 'externalId2', 'externalId3'));
+
+        $this->assertTrue($groupMember->isMember(1, 1));
+        $this->assertTrue($groupMember->isMember(2, 1));
+    }
+}

tests/units/Core/User/UserProfileTest.php

@@ -0,0 +1,63 @@
+<?php
+
+require_once __DIR__.'/../../Base.php';
+
+use Kanboard\Core\Security\Role;
+use Kanboard\Core\User\UserProfile;
+use Kanboard\User\LdapUserProvider;
+use Kanboard\User\DatabaseUserProvider;
+
+class UserProfileTest extends Base
+{
+    public function testInitializeLocalUser()
+    {
+        $userProfile = new UserProfile($this->container);
+        $user = new DatabaseUserProvider(array('id' => 1));
+
+        $this->assertTrue($userProfile->initialize($user));
+        $this->assertNotEmpty($this->container['sessionStorage']->user);
+        $this->assertEquals('admin', $this->container['sessionStorage']->user['username']);
+    }
+
+    public function testInitializeLocalUserNotFound()
+    {
+        $userProfile = new UserProfile($this->container);
+        $user = new DatabaseUserProvider(array('id' => 2));
+
+        $this->assertFalse($userProfile->initialize($user));
+        $this->assertFalse(isset($this->container['sessionStorage']->user));
+    }
+
+    public function testInitializeRemoteUser()
+    {
+        $userProfile = new UserProfile($this->container);
+        $user = new LdapUserProvider('ldapId', 'bob', 'Bob', '', Role::APP_MANAGER, array());
+
+        $this->assertTrue($userProfile->initialize($user));
+        $this->assertNotEmpty($this->container['sessionStorage']->user);
+        $this->assertEquals(2, $this->container['sessionStorage']->user['id']);
+        $this->assertEquals('bob', $this->container['sessionStorage']->user['username']);
+        $this->assertEquals(Role::APP_MANAGER, $this->container['sessionStorage']->user['role']);
+
+        $user = new LdapUserProvider('ldapId', 'bob', 'Bob', '', Role::APP_MANAGER, array());
+
+        $this->assertTrue($userProfile->initialize($user));
+        $this->assertNotEmpty($this->container['sessionStorage']->user);
+        $this->assertEquals(2, $this->container['sessionStorage']->user['id']);
+        $this->assertEquals('bob', $this->container['sessionStorage']->user['username']);
+    }
+
+    public function testAssignRemoteUser()
+    {
+        $userProfile = new UserProfile($this->container);
+        $user = new LdapUserProvider('ldapId', 'bob', 'Bob', '', Role::APP_MANAGER, array());
+
+        $this->assertTrue($userProfile->assign(1, $user));
+        $this->assertNotEmpty($this->container['sessionStorage']->user);
+        $this->assertEquals(1, $this->container['sessionStorage']->user['id']);
+        $this->assertEquals('admin', $this->container['sessionStorage']->user['username']);
+        $this->assertEquals('Bob', $this->container['sessionStorage']->user['name']);
+        $this->assertEquals('', $this->container['sessionStorage']->user['email']);
+        $this->assertEquals(Role::APP_ADMIN, $this->container['sessionStorage']->user['role']);
+    }
+}

tests/units/Core/User/UserPropertyTest.php

@@ -0,0 +1,60 @@
+<?php
+
+require_once __DIR__.'/../../Base.php';
+
+use Kanboard\Core\Security\Role;
+use Kanboard\Core\User\UserProperty;
+use Kanboard\User\LdapUserProvider;
+
+class UserPropertyTest extends Base
+{
+    public function testGetProperties()
+    {
+        $user = new LdapUserProvider('ldapId', 'bob', 'Bob', '', Role::APP_USER, array());
+
+        $expected = array(
+            'username' => 'bob',
+            'name' => 'Bob',
+            'role' => Role::APP_USER,
+            'is_ldap_user' => 1,
+        );
+
+        $this->assertEquals($expected, UserProperty::getProperties($user));
+
+        $user = new LdapUserProvider('ldapId', 'bob', '', '', '', array());
+
+        $expected = array(
+            'username' => 'bob',
+            'is_ldap_user' => 1,
+        );
+
+        $this->assertEquals($expected, UserProperty::getProperties($user));
+    }
+
+    public function testFilterProperties()
+    {
+        $profile = array(
+            'id' => 123,
+            'username' => 'bob',
+            'name' => null,
+            'email' => '',
+            'other_column' => 'myvalue',
+            'role' => Role::APP_ADMIN,
+        );
+
+        $properties = array(
+            'external_id' => '456',
+            'username' => 'bobby',
+            'name' => 'Bobby',
+            'email' => 'admin@localhost',
+            'role' => '',
+        );
+
+        $expected = array(
+            'name' => 'Bobby',
+            'email' => 'admin@localhost',
+        );
+
+        $this->assertEquals($expected, UserProperty::filterProperties($profile, $properties));
+    }
+}

tests/units/Core/User/UserSessionTest.php

@@ -0,0 +1,144 @@
+<?php
+
+require_once __DIR__.'/../../Base.php';
+
+use Kanboard\Core\User\UserSession;
+use Kanboard\Core\Security\Role;
+
+class UserSessionTest extends Base
+{
+    public function testInitialize()
+    {
+        $us = new UserSession($this->container);
+
+        $user = array(
+            'id' => '123',
+            'username' => 'john',
+            'password' => 'something',
+            'twofactor_secret' => 'something else',
+            'is_admin' => '1',
+            'is_project_admin' => '0',
+            'is_ldap_user' => '0',
+            'twofactor_activated' => '0',
+            'role' => Role::APP_MANAGER,
+        );
+
+        $us->initialize($user);
+
+        $session = $this->container['sessionStorage']->getAll();
+
+        $this->assertNotEmpty($session);
+        $this->assertEquals(123, $session['user']['id']);
+        $this->assertEquals('john', $session['user']['username']);
+        $this->assertEquals(Role::APP_MANAGER, $session['user']['role']);
+        $this->assertFalse($session['user']['is_ldap_user']);
+        $this->assertFalse($session['user']['twofactor_activated']);
+        $this->assertArrayNotHasKey('password', $session['user']);
+        $this->assertArrayNotHasKey('twofactor_secret', $session['user']);
+        $this->assertArrayNotHasKey('is_admin', $session['user']);
+        $this->assertArrayNotHasKey('is_project_admin', $session['user']);
+
+        $this->assertEquals('john', $us->getUsername());
+    }
+
+    public function testGetId()
+    {
+        $us = new UserSession($this->container);
+
+        $this->assertEquals(0, $us->getId());
+
+        $this->container['sessionStorage']->user = array('id' => 2);
+        $this->assertEquals(2, $us->getId());
+
+        $this->container['sessionStorage']->user = array('id' => '2');
+        $this->assertEquals(2, $us->getId());
+    }
+
+    public function testIsLogged()
+    {
+        $us = new UserSession($this->container);
+
+        $this->assertFalse($us->isLogged());
+
+        $this->container['sessionStorage']->user = array();
+        $this->assertFalse($us->isLogged());
+
+        $this->container['sessionStorage']->user = array('id' => 1);
+        $this->assertTrue($us->isLogged());
+    }
+
+    public function testIsAdmin()
+    {
+        $us = new UserSession($this->container);
+
+        $this->assertFalse($us->isAdmin());
+
+        $this->container['sessionStorage']->user = array('role' => Role::APP_ADMIN);
+        $this->assertTrue($us->isAdmin());
+
+        $this->container['sessionStorage']->user = array('role' => Role::APP_USER);
+        $this->assertFalse($us->isAdmin());
+
+        $this->container['sessionStorage']->user = array('role' => '');
+        $this->assertFalse($us->isAdmin());
+    }
+
+    public function testCommentSorting()
+    {
+        $us = new UserSession($this->container);
+        $this->assertEquals('ASC', $us->getCommentSorting());
+
+        $us->setCommentSorting('DESC');
+        $this->assertEquals('DESC', $us->getCommentSorting());
+    }
+
+    public function testBoardCollapseMode()
+    {
+        $us = new UserSession($this->container);
+        $this->assertFalse($us->isBoardCollapsed(2));
+
+        $us->setBoardDisplayMode(3, false);
+        $this->assertFalse($us->isBoardCollapsed(3));
+
+        $us->setBoardDisplayMode(3, true);
+        $this->assertTrue($us->isBoardCollapsed(3));
+    }
+
+    public function testFilters()
+    {
+        $us = new UserSession($this->container);
+        $this->assertEquals('status:open', $us->getFilters(1));
+
+        $us->setFilters(1, 'assignee:me');
+        $this->assertEquals('assignee:me', $us->getFilters(1));
+
+        $this->assertEquals('status:open', $us->getFilters(2));
+
+        $us->setFilters(2, 'assignee:bob');
+        $this->assertEquals('assignee:bob', $us->getFilters(2));
+    }
+
+    public function testPostAuthentication()
+    {
+        $us = new UserSession($this->container);
+        $this->assertFalse($us->isPostAuthenticationValidated());
+
+        $this->container['sessionStorage']->postAuthenticationValidated = false;
+        $this->assertFalse($us->isPostAuthenticationValidated());
+
+        $us->validatePostAuthentication();
+        $this->assertTrue($us->isPostAuthenticationValidated());
+
+        $this->container['sessionStorage']->user = array();
+        $this->assertFalse($us->hasPostAuthentication());
+
+        $this->container['sessionStorage']->user = array('twofactor_activated' => false);
+        $this->assertFalse($us->hasPostAuthentication());
+
+        $this->container['sessionStorage']->user = array('twofactor_activated' => true);
+        $this->assertTrue($us->hasPostAuthentication());
+
+        $us->disablePostAuthentication();
+        $this->assertFalse($us->hasPostAuthentication());
+    }
+}

tests/units/Core/User/UserSyncTest.php

@@ -0,0 +1,55 @@
+<?php
+
+require_once __DIR__.'/../../Base.php';
+
+use Kanboard\Core\Security\Role;
+use Kanboard\Core\User\UserSync;
+use Kanboard\User\LdapUserProvider;
+
+class UserSyncTest extends Base
+{
+    public function testSynchronizeNewUser()
+    {
+        $user = new LdapUserProvider('ldapId', 'bob', 'Bob', '', Role::APP_MANAGER, array());
+        $userSync = new UserSync($this->container);
+
+        $profile = array(
+            'id' => 2,
+            'username' => 'bob',
+            'name' => 'Bob',
+            'email' => '',
+            'role' => Role::APP_MANAGER,
+            'is_ldap_user' => 1,
+        );
+
+        $this->assertArraySubset($profile, $userSync->synchronize($user));
+    }
+
+    public function testSynchronizeExistingUser()
+    {
+        $userSync = new UserSync($this->container);
+        $user = new LdapUserProvider('ldapId', 'admin', 'Admin', 'email@localhost', Role::APP_MANAGER, array());
+
+        $profile = array(
+            'id' => 1,
+            'username' => 'admin',
+            'name' => 'Admin',
+            'email' => 'email@localhost',
+            'role' => Role::APP_MANAGER,
+        );
+
+        $this->assertArraySubset($profile, $userSync->synchronize($user));
+
+        $user = new LdapUserProvider('ldapId', 'admin', '', '', Role::APP_ADMIN, array());
+
+        $profile = array(
+            'id' => 1,
+            'username' => 'admin',
+            'name' => 'Admin',
+            'email' => 'email@localhost',
+            'role' => Role::APP_ADMIN,
+        );
+
+        $this->assertArraySubset($profile, $userSync->synchronize($user));
+    }
+}