Rewrite of the authentication and authorization system
@@ -6,17 +6,34 @@ use Kanboard\Core\Security\AccessMap;
|
||||
|
||||
class AccessMapTest extends Base
|
||||
{
|
||||
public function testGetRoles()
|
||||
public function testRoleHierarchy()
|
||||
{
|
||||
$acl = new AccessMap;
|
||||
$acl->setRoleHierarchy('admin', array('manager', 'user'));
|
||||
$acl->setRoleHierarchy('manager', array('user'));
|
||||
|
||||
$this->assertEquals(array('admin'), $acl->getRoleHierarchy('admin'));
|
||||
$this->assertEquals(array('manager', 'admin'), $acl->getRoleHierarchy('manager'));
|
||||
$this->assertEquals(array('user', 'admin', 'manager'), $acl->getRoleHierarchy('user'));
|
||||
}
|
||||
|
||||
public function testAddRulesAndGetRoles()
|
||||
{
|
||||
$acl = new AccessMap;
|
||||
$acl->setDefaultRole('role3');
|
||||
$acl->add('MyController', 'myAction1', array('role1', 'role2'));
|
||||
$acl->add('MyController', 'myAction2', array('role1'));
|
||||
$acl->add('MyAdminController', '*', array('role2'));
|
||||
$acl->setRoleHierarchy('role2', array('role1'));
|
||||
|
||||
$this->assertEquals(array('role1', 'role2'), $acl->getRoles('mycontroller', 'MyAction1'));
|
||||
$this->assertEquals(array('role1'), $acl->getRoles('mycontroller', 'MyAction2'));
|
||||
$acl->add('MyController', 'myAction1', 'role2');
|
||||
$acl->add('MyController', 'myAction2', 'role1');
|
||||
$acl->add('MyAdminController', '*', 'role2');
|
||||
$acl->add('SomethingElse', array('actionA', 'actionB'), 'role2');
|
||||
|
||||
$this->assertEquals(array('role2'), $acl->getRoles('mycontroller', 'MyAction1'));
|
||||
$this->assertEquals(array('role1', 'role2'), $acl->getRoles('mycontroller', 'MyAction2'));
|
||||
$this->assertEquals(array('role2'), $acl->getRoles('Myadmincontroller', 'MyAction'));
|
||||
$this->assertEquals(array('role3'), $acl->getRoles('AnotherController', 'ActionNotFound'));
|
||||
$this->assertEquals(array('role2'), $acl->getRoles('somethingelse', 'actiona'));
|
||||
$this->assertEquals(array('role2'), $acl->getRoles('somethingelse', 'actionb'));
|
||||
$this->assertEquals(array('role3'), $acl->getRoles('somethingelse', 'actionc'));
|
||||
}
|
||||
}
|
||||
|
||||
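--- /dev/null
+++ b/tests/units/Core/Security/AuthenticationManagerTest.php
@@ -0,0 +1,150 @@
+<?php
+
+require_once __DIR__.'/../../Base.php';
+
+use Kanboard\Core\Http\Request;
+use Kanboard\Core\Security\AuthenticationManager;
+use Kanboard\Auth\DatabaseAuth;
+use Kanboard\Auth\TotpAuth;
+use Kanboard\Auth\ReverseProxyAuth;
+
+class AuthenticationManagerTest extends Base
+{
+public function testRegister()
+{
+$authManager = new AuthenticationManager($this->container);
+$authManager->register(new DatabaseAuth($this->container));
+$provider = $authManager->getProvider('Database');
+
+$this->assertInstanceOf('Kanboard\Core\Security\AuthenticationProviderInterface', $provider);
+}
+
+public function testGetProviderNotFound()
+{
+$authManager = new AuthenticationManager($this->container);
+$this->setExpectedException('LogicException');
+$authManager->getProvider('Dababase');
+}
+
+public function testGetPostProviderNotFound()
+{
+$authManager = new AuthenticationManager($this->container);
+$this->setExpectedException('LogicException');
+$authManager->getPostAuthenticationProvider();
+}
+
+public function testGetPostProvider()
+{
+$authManager = new AuthenticationManager($this->container);
+$authManager->register(new TotpAuth($this->container));
+$provider = $authManager->getPostAuthenticationProvider();
+
+$this->assertInstanceOf('Kanboard\Core\Security\PostAuthenticationProviderInterface', $provider);
+}
+
+public function testCheckSessionWhenNobodyIsLogged()
+{
+$authManager = new AuthenticationManager($this->container);
+$authManager->register(new DatabaseAuth($this->container));
+
+$this->assertFalse($this->container['userSession']->isLogged());
+$this->assertTrue($authManager->checkCurrentSession());
+}
+
+public function testCheckSessionWhenSomeoneIsLogged()
+{
+$authManager = new AuthenticationManager($this->container);
+$authManager->register(new DatabaseAuth($this->container));
+
+$this->container['sessionStorage']->user = array('id' => 1);
+
+$this->assertTrue($this->container['userSession']->isLogged());
+$this->assertTrue($authManager->checkCurrentSession());
+}
+
+public function testCheckSessionWhenNotValid()
+{
+$authManager = new AuthenticationManager($this->container);
+$authManager->register(new DatabaseAuth($this->container));
+
+$this->container['sessionStorage']->user = array('id' => 2);
+
+$this->assertTrue($this->container['userSession']->isLogged());
+$this->assertFalse($authManager->checkCurrentSession());
+$this->assertFalse($this->container['userSession']->isLogged());
+}
+
+public function testPreAuthenticationSuccessful()
+{
+$this->container['request'] = new Request($this->container, array(REVERSE_PROXY_USER_HEADER => 'admin'));
+$this->container['dispatcher']->addListener(AuthenticationManager::EVENT_SUCCESS, array($this, 'onSuccess'));
+$this->container['dispatcher']->addListener(AuthenticationManager::EVENT_FAILURE, array($this, 'onFailure'));
+
+$authManager = new AuthenticationManager($this->container);
+$authManager->register(new ReverseProxyAuth($this->container));
+
+$this->assertTrue($authManager->preAuthentication());
+
+$called = $this->container['dispatcher']->getCalledListeners();
+$this->assertArrayHasKey(AuthenticationManager::EVENT_SUCCESS.'.AuthenticationManagerTest::onSuccess', $called);
+$this->assertArrayNotHasKey(AuthenticationManager::EVENT_FAILURE.'.AuthenticationManagerTest::onFailure', $called);
+}
+
+public function testPreAuthenticationFailed()
+{
+$this->container['request'] = new Request($this->container, array(REVERSE_PROXY_USER_HEADER => ''));
+$this->container['dispatcher']->addListener(AuthenticationManager::EVENT_SUCCESS, array($this, 'onSuccess'));
+$this->container['dispatcher']->addListener(AuthenticationManager::EVENT_FAILURE, array($this, 'onFailure'));
+
+$authManager = new AuthenticationManager($this->container);
+$authManager->register(new ReverseProxyAuth($this->container));
+
+$this->assertFalse($authManager->preAuthentication());
+
+$called = $this->container['dispatcher']->getCalledListeners();
+$this->assertArrayNotHasKey(AuthenticationManager::EVENT_SUCCESS.'.AuthenticationManagerTest::onSuccess', $called);
+$this->assertArrayNotHasKey(AuthenticationManager::EVENT_FAILURE.'.AuthenticationManagerTest::onFailure', $called);
+}
+
+public function testPasswordAuthenticationSuccessful()
+{
+$this->container['dispatcher']->addListener(AuthenticationManager::EVENT_SUCCESS, array($this, 'onSuccess'));
+$this->container['dispatcher']->addListener(AuthenticationManager::EVENT_FAILURE, array($this, 'onFailure'));
+
+$authManager = new AuthenticationManager($this->container);
+$authManager->register(new DatabaseAuth($this->container));
+
+$this->assertTrue($authManager->passwordAuthentication('admin', 'admin'));
+
+$called = $this->container['dispatcher']->getCalledListeners();
+$this->assertArrayHasKey(AuthenticationManager::EVENT_SUCCESS.'.AuthenticationManagerTest::onSuccess', $called);
+$this->assertArrayNotHasKey(AuthenticationManager::EVENT_FAILURE.'.AuthenticationManagerTest::onFailure', $called);
+}
+
+public function testPasswordAuthenticationFailed()
+{
+$this->container['dispatcher']->addListener(AuthenticationManager::EVENT_SUCCESS, array($this, 'onSuccess'));
+$this->container['dispatcher']->addListener(AuthenticationManager::EVENT_FAILURE, array($this, 'onFailure'));
+
+$authManager = new AuthenticationManager($this->container);
+$authManager->register(new DatabaseAuth($this->container));
+
+$this->assertFalse($authManager->passwordAuthentication('admin', 'wrong password'));
+
+$called = $this->container['dispatcher']->getCalledListeners();
+$this->assertArrayNotHasKey(AuthenticationManager::EVENT_SUCCESS.'.AuthenticationManagerTest::onSuccess', $called);
+$this->assertArrayHasKey(AuthenticationManager::EVENT_FAILURE.'.AuthenticationManagerTest::onFailure', $called);
+}
+
+public function onSuccess($event)
+{
+$this->assertInstanceOf('Kanboard\Event\AuthSuccessEvent', $event);
+$this->assertTrue(in_array($event->getAuthType(), array('Database', 'ReverseProxy')));
+}
+
+public function onFailure($event)
+{
+$this->assertInstanceOf('Kanboard\Event\AuthFailureEvent', $event);
+$this->assertEquals('admin', $event->getUsername());
+}
+}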
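Review bot: `onSuccess` checks which provider produced the login event with a loose `in_array($event->getAuthType(), array('Database', 'ReverseProxy'))`; for an assertion that guards authentication provenance, pass the strict flag so the match is by identity rather than PHP's `==` coercion, `$this->assertTrue(in_array($event->getAuthType(), array('Database', 'ReverseProxy'), true));`. The session tests presuppose that the fixture database contains a user with id 1 and none with id 2, which the file never states; a comment on `testCheckSessionWhenNotValid` such as `// user id 2 does not exist in the test database, so the stale session must be dropped` would make the expected `assertFalse` on `isLogged()` self-explanatory. `onFailure` hard-codes `'admin'` as the expected username, which holds for `testPasswordAuthenticationFailed` but would give a misleading failure if the listener were ever reached from `testPreAuthenticationFailed`, where the header is empty; that test currently asserts the listener is not called, so this is a maintenance note rather than a defect.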
@@ -12,17 +12,28 @@ class AuthorizationTest extends Base
|
||||
{
|
||||
$acl = new AccessMap;
|
||||
$acl->setDefaultRole(Role::APP_USER);
|
||||
$acl->add('MyController', 'myAction1', array(Role::APP_ADMIN, Role::APP_MANAGER));
|
||||
$acl->add('MyController', 'myAction2', array(Role::APP_ADMIN));
|
||||
$acl->add('MyAdminController', '*', array(Role::APP_MANAGER));
|
||||
$acl->setRoleHierarchy(Role::APP_ADMIN, array(Role::APP_MANAGER, Role::APP_USER));
|
||||
$acl->setRoleHierarchy(Role::APP_MANAGER, array(Role::APP_USER));
|
||||
|
||||
$acl->add('MyController', 'myAction1', Role::APP_MANAGER);
|
||||
$acl->add('MyController', 'myAction2', Role::APP_ADMIN);
|
||||
$acl->add('MyManagerController', '*', Role::APP_MANAGER);
|
||||
|
||||
$authorization = new Authorization($acl);
|
||||
|
||||
$this->assertTrue($authorization->isAllowed('myController', 'myAction1', Role::APP_ADMIN));
|
||||
$this->assertTrue($authorization->isAllowed('myController', 'myAction1', Role::APP_MANAGER));
|
||||
$this->assertFalse($authorization->isAllowed('myController', 'myAction1', Role::APP_USER));
|
||||
$this->assertTrue($authorization->isAllowed('anotherController', 'anotherAction', Role::APP_USER));
|
||||
$this->assertTrue($authorization->isAllowed('MyAdminController', 'myAction', Role::APP_MANAGER));
|
||||
$this->assertFalse($authorization->isAllowed('MyAdminController', 'myAction', Role::APP_ADMIN));
|
||||
$this->assertFalse($authorization->isAllowed('MyAdminController', 'myAction', 'something else'));
|
||||
$this->assertFalse($authorization->isAllowed('myController', 'myAction1', 'something else'));
|
||||
|
||||
$this->assertTrue($authorization->isAllowed('MyManagerController', 'myAction', Role::APP_ADMIN));
|
||||
$this->assertTrue($authorization->isAllowed('MyManagerController', 'myAction', Role::APP_MANAGER));
|
||||
$this->assertFalse($authorization->isAllowed('MyManagerController', 'myAction', Role::APP_USER));
|
||||
$this->assertFalse($authorization->isAllowed('MyManagerController', 'myAction', 'something else'));
|
||||
|
||||
$this->assertTrue($authorization->isAllowed('MyUserController', 'myAction', Role::APP_ADMIN));
|
||||
$this->assertTrue($authorization->isAllowed('MyUserController', 'myAction', Role::APP_MANAGER));
|
||||
$this->assertTrue($authorization->isAllowed('MyUserController', 'myAction', Role::APP_USER));
|
||||
$this->assertFalse($authorization->isAllowed('MyUserController', 'myAction', 'something else'));
|
||||
}
|
||||
}
|
||||
|
||||
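Review bot: The assertions never combine an unregistered controller with an unknown role: `isAllowed('anotherController', 'anotherAction', Role::APP_USER)` is expected true via the default role, but nothing pins that `'something else'` is still denied on that fall-through path, which is the case most likely to regress in an implementation that substitutes the default role when no rule matches. Add `$this->assertFalse($authorization->isAllowed('anotherController', 'anotherAction', 'something else'));` beside the existing default-role assertion. The `+`/`-` markers were lost in this rendering, so which of the `array(...)`-role and scalar-role `add()` calls form the new side is inferred from the scalar API used elsewhere in the commit rather than visible here. The enclosing test method's signature lies outside the hunk; only its body from the opening brace is shown.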