2017-11-29 02:40:17 +00:00
|
|
|
<?php
|
|
|
|
|
/**
|
|
|
|
|
* AuthSSO.php
|
|
|
|
|
*
|
|
|
|
|
* -Description-
|
|
|
|
|
*
|
|
|
|
|
* This program is free software: you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
* (at your option) any later version.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
2021-02-08 23:29:04 +00:00
|
|
|
* along with this program. If not, see <https://www.gnu.org/licenses/>.
|
2017-11-29 02:40:17 +00:00
|
|
|
*
|
|
|
|
|
* @link https://librenms.org
|
2021-09-10 18:09:53 +00:00
|
|
|
*
|
2017-11-29 02:40:17 +00:00
|
|
|
* @copyright 2017 Adam Bishop
|
|
|
|
|
* @author Adam Bishop <adam@omega.org.uk>
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
namespace LibreNMS\Tests;
|
|
|
|
|
|
2023-08-28 05:13:40 +00:00
|
|
|
use App\Models\User;
|
2020-05-24 18:49:01 +00:00
|
|
|
use Illuminate\Foundation\Testing\DatabaseTransactions;
|
|
|
|
|
use Illuminate\Support\Str;
|
2018-09-11 12:51:35 +00:00
|
|
|
use LibreNMS\Authentication\LegacyAuth;
|
2019-03-05 06:24:14 +00:00
|
|
|
use LibreNMS\Config;
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
class AuthSSOTest extends DBTestCase
|
|
|
|
|
{
|
2020-05-24 18:49:01 +00:00
|
|
|
use DatabaseTransactions;
|
|
|
|
|
|
2017-11-29 02:40:17 +00:00
|
|
|
private $original_auth_mech = null;
|
2018-08-11 21:37:45 +00:00
|
|
|
private $server;
|
2017-11-29 02:40:17 +00:00
|
|
|
|
2020-05-19 14:31:50 +00:00
|
|
|
protected function setUp(): void
|
2017-11-29 02:40:17 +00:00
|
|
|
{
|
|
|
|
|
parent::setUp();
|
|
|
|
|
|
2019-03-05 06:24:14 +00:00
|
|
|
$this->original_auth_mech = Config::get('auth_mechanism');
|
|
|
|
|
Config::set('auth_mechanism', 'sso');
|
2018-08-11 21:37:45 +00:00
|
|
|
|
|
|
|
|
$this->server = $_SERVER;
|
2017-11-29 02:40:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Set up an SSO config for tests
|
|
|
|
|
public function basicConfig()
|
|
|
|
|
{
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.mode', 'env');
|
|
|
|
|
Config::set('sso.create_users', true);
|
|
|
|
|
Config::set('sso.update_users', true);
|
|
|
|
|
Config::set('sso.trusted_proxies', ['127.0.0.1', '::1']);
|
|
|
|
|
Config::set('sso.user_attr', 'REMOTE_USER');
|
|
|
|
|
Config::set('sso.realname_attr', 'displayName');
|
|
|
|
|
Config::set('sso.email_attr', 'mail');
|
|
|
|
|
Config::set('sso.descr_attr', null);
|
|
|
|
|
Config::set('sso.level_attr', null);
|
|
|
|
|
Config::set('sso.group_strategy', 'static');
|
|
|
|
|
Config::set('sso.group_attr', 'member');
|
|
|
|
|
Config::set('sso.group_filter', '/(.*)/i');
|
|
|
|
|
Config::set('sso.group_delimiter', ';');
|
|
|
|
|
Config::set('sso.group_level_map', null);
|
|
|
|
|
Config::set('sso.static_level', -1);
|
2017-11-29 02:40:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Set up $_SERVER in env mode
|
|
|
|
|
public function basicEnvironmentEnv()
|
|
|
|
|
{
|
|
|
|
|
unset($_SERVER);
|
|
|
|
|
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.mode', 'env');
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
$_SERVER['REMOTE_ADDR'] = '::1';
|
|
|
|
|
$_SERVER['REMOTE_USER'] = 'test';
|
|
|
|
|
|
|
|
|
|
$_SERVER['mail'] = 'test@example.org';
|
2020-05-24 18:49:01 +00:00
|
|
|
$_SERVER['displayName'] = Str::random();
|
2017-11-29 02:40:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Set up $_SERVER in header mode
|
|
|
|
|
public function basicEnvironmentHeader()
|
|
|
|
|
{
|
|
|
|
|
unset($_SERVER);
|
|
|
|
|
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.mode', 'header');
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
$_SERVER['REMOTE_ADDR'] = '::1';
|
2020-05-24 18:49:01 +00:00
|
|
|
$_SERVER['REMOTE_USER'] = Str::random();
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
$_SERVER['HTTP_MAIL'] = 'test@example.org';
|
|
|
|
|
$_SERVER['HTTP_DISPLAYNAME'] = 'Test User';
|
|
|
|
|
}
|
|
|
|
|
|
2020-05-24 18:49:01 +00:00
|
|
|
public function makeUser()
|
2017-11-29 02:40:17 +00:00
|
|
|
{
|
2020-05-24 18:49:01 +00:00
|
|
|
$user = Str::random();
|
|
|
|
|
$_SERVER['REMOTE_USER'] = $user;
|
2017-11-29 02:40:17 +00:00
|
|
|
|
2020-05-24 18:49:01 +00:00
|
|
|
return $user;
|
2017-11-29 02:40:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Excercise general auth flow
|
2023-05-24 20:21:54 +00:00
|
|
|
public function testValidAuthNoCreateUpdate(): void
|
2017-11-29 02:40:17 +00:00
|
|
|
{
|
|
|
|
|
$this->basicConfig();
|
2018-09-11 12:51:35 +00:00
|
|
|
$a = LegacyAuth::reset();
|
2017-11-29 02:40:17 +00:00
|
|
|
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.create_users', false);
|
|
|
|
|
Config::set('sso.update_users', false);
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
// Create a random username and store it with the defaults
|
|
|
|
|
$this->basicEnvironmentEnv();
|
2020-05-24 18:49:01 +00:00
|
|
|
$user = $this->makeUser();
|
2019-03-05 06:24:14 +00:00
|
|
|
$this->assertTrue($a->authenticate(['username' => $user]));
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
// Retrieve it and validate
|
2023-08-28 05:13:40 +00:00
|
|
|
$this->assertFalse(User::thisAuth()->where('username', $user)->exists());
|
2017-11-29 02:40:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Excercise general auth flow with creation enabled
|
2023-05-24 20:21:54 +00:00
|
|
|
public function testValidAuthCreateOnly(): void
|
2017-11-29 02:40:17 +00:00
|
|
|
{
|
|
|
|
|
$this->basicConfig();
|
2021-03-31 22:35:19 +00:00
|
|
|
/** @var \LibreNMS\Authentication\SSOAuthorizer */
|
2018-09-11 12:51:35 +00:00
|
|
|
$a = LegacyAuth::reset();
|
2017-11-29 02:40:17 +00:00
|
|
|
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.create_users', true);
|
|
|
|
|
Config::set('sso.update_users', false);
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
// Create a random username and store it with the defaults
|
|
|
|
|
$this->basicEnvironmentEnv();
|
2020-05-24 18:49:01 +00:00
|
|
|
$user = $this->makeUser();
|
2019-03-05 06:24:14 +00:00
|
|
|
$this->assertTrue($a->authenticate(['username' => $user]));
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
// Retrieve it and validate
|
2023-08-28 05:13:40 +00:00
|
|
|
$dbuser = User::thisAuth()->where('username', $user)->firstOrNew();
|
|
|
|
|
$this->assertSame($dbuser->realname, $a->authSSOGetAttr(Config::get('sso.realname_attr')));
|
|
|
|
|
$this->assertEmpty($dbuser->getRoles());
|
|
|
|
|
$this->assertSame($dbuser->email, $a->authSSOGetAttr(Config::get('sso.email_attr')));
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
// Change a few things and reauth
|
|
|
|
|
$_SERVER['mail'] = 'test@example.net';
|
|
|
|
|
$_SERVER['displayName'] = 'Testier User';
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.static_level', 10);
|
|
|
|
|
$this->assertTrue($a->authenticate(['username' => $user]));
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
// Retrieve it and validate the update was not persisted
|
2023-08-28 05:13:40 +00:00
|
|
|
$dbuser = User::thisAuth()->where('username', $user)->firstOrNew();
|
|
|
|
|
$this->assertFalse($a->authSSOGetAttr(Config::get('sso.realname_attr')) === $dbuser->realname);
|
|
|
|
|
$this->assertFalse($dbuser->roles()->where('name', 'admin')->exists());
|
|
|
|
|
$this->assertFalse($a->authSSOGetAttr(Config::get('sso.email_attr')) === $dbuser->email);
|
2017-11-29 02:40:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Excercise general auth flow with updates enabled
|
2023-05-24 20:21:54 +00:00
|
|
|
public function testValidAuthUpdate(): void
|
2017-11-29 02:40:17 +00:00
|
|
|
{
|
|
|
|
|
$this->basicConfig();
|
2021-03-31 22:35:19 +00:00
|
|
|
/** @var \LibreNMS\Authentication\SSOAuthorizer */
|
2018-09-11 12:51:35 +00:00
|
|
|
$a = LegacyAuth::reset();
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
// Create a random username and store it with the defaults
|
|
|
|
|
$this->basicEnvironmentEnv();
|
2020-05-24 18:49:01 +00:00
|
|
|
$user = $this->makeUser();
|
2023-08-28 05:13:40 +00:00
|
|
|
$this->assertTrue(auth()->attempt(['username' => $user]));
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
// Change a few things and reauth
|
|
|
|
|
$_SERVER['mail'] = 'test@example.net';
|
|
|
|
|
$_SERVER['displayName'] = 'Testier User';
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.static_level', 10);
|
2023-08-28 05:13:40 +00:00
|
|
|
$this->assertTrue(auth()->attempt(['username' => $user]));
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
// Retrieve it and validate the update persisted
|
2023-08-28 05:13:40 +00:00
|
|
|
$dbuser = User::thisAuth()->where('username', $user)->firstOrNew();
|
|
|
|
|
$this->assertSame($dbuser->realname, $a->authSSOGetAttr(Config::get('sso.realname_attr')));
|
|
|
|
|
$this->assertTrue($dbuser->roles()->where('name', 'admin')->exists());
|
|
|
|
|
$this->assertSame($dbuser->email, $a->authSSOGetAttr(Config::get('sso.email_attr')));
|
2017-11-29 02:40:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check some invalid authentication modes
|
2023-05-24 20:21:54 +00:00
|
|
|
public function testBadAuth(): void
|
2017-11-29 02:40:17 +00:00
|
|
|
{
|
|
|
|
|
$this->basicConfig();
|
2021-03-31 22:35:19 +00:00
|
|
|
/** @var \LibreNMS\Authentication\SSOAuthorizer */
|
2018-09-11 12:51:35 +00:00
|
|
|
$a = LegacyAuth::reset();
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
$this->basicEnvironmentEnv();
|
|
|
|
|
unset($_SERVER);
|
|
|
|
|
|
2019-02-12 23:45:04 +00:00
|
|
|
$this->expectException('LibreNMS\Exceptions\AuthenticationException');
|
2019-03-05 06:24:14 +00:00
|
|
|
$a->authenticate([]);
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
$this->basicEnvironmentHeader();
|
|
|
|
|
unset($_SERVER);
|
|
|
|
|
|
2019-02-12 23:45:04 +00:00
|
|
|
$this->expectException('LibreNMS\Exceptions\AuthenticationException');
|
2019-03-05 06:24:14 +00:00
|
|
|
$a->authenticate([]);
|
2017-11-29 02:40:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Test some missing attributes
|
2023-05-24 20:21:54 +00:00
|
|
|
public function testNoAttribute(): void
|
2017-11-29 02:40:17 +00:00
|
|
|
{
|
|
|
|
|
$this->basicConfig();
|
2021-03-31 22:35:19 +00:00
|
|
|
/** @var \LibreNMS\Authentication\SSOAuthorizer */
|
2018-09-11 12:51:35 +00:00
|
|
|
$a = LegacyAuth::reset();
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
$this->basicEnvironmentEnv();
|
|
|
|
|
unset($_SERVER['displayName']);
|
|
|
|
|
unset($_SERVER['mail']);
|
|
|
|
|
|
2023-08-28 05:13:40 +00:00
|
|
|
$this->assertTrue(auth()->attempt(['username' => $this->makeUser()]));
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
$this->basicEnvironmentHeader();
|
|
|
|
|
unset($_SERVER['HTTP_DISPLAYNAME']);
|
|
|
|
|
unset($_SERVER['HTTP_MAIL']);
|
|
|
|
|
|
2023-08-28 05:13:40 +00:00
|
|
|
$this->assertTrue(auth()->attempt(['username' => $this->makeUser()]));
|
2017-11-29 02:40:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Document the modules current behaviour, so that changes trigger test failures
|
2023-05-24 20:21:54 +00:00
|
|
|
public function testCapabilityFunctions(): void
|
2017-11-29 02:40:17 +00:00
|
|
|
{
|
2018-09-11 12:51:35 +00:00
|
|
|
$a = LegacyAuth::reset();
|
2017-11-29 02:40:17 +00:00
|
|
|
|
2021-04-01 15:35:18 +00:00
|
|
|
$this->assertFalse($a->canUpdatePasswords());
|
|
|
|
|
$this->assertTrue($a->canManageUsers());
|
|
|
|
|
$this->assertTrue($a->canUpdateUsers());
|
|
|
|
|
$this->assertTrue($a->authIsExternal());
|
2017-11-29 02:40:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Everything from here comprises of targeted tests to excercise single methods */
|
|
|
|
|
|
2023-05-24 20:21:54 +00:00
|
|
|
public function testGetExternalUserName(): void
|
2017-11-29 02:40:17 +00:00
|
|
|
{
|
|
|
|
|
$this->basicConfig();
|
2021-03-31 22:35:19 +00:00
|
|
|
/** @var \LibreNMS\Authentication\SSOAuthorizer */
|
2018-09-11 12:51:35 +00:00
|
|
|
$a = LegacyAuth::reset();
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
$this->basicEnvironmentEnv();
|
2019-02-12 23:45:04 +00:00
|
|
|
$this->assertIsString($a->getExternalUsername());
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
// Missing
|
|
|
|
|
unset($_SERVER['REMOTE_USER']);
|
|
|
|
|
$this->assertNull($a->getExternalUsername());
|
|
|
|
|
$this->basicEnvironmentEnv();
|
|
|
|
|
|
|
|
|
|
// Missing pointer to attribute
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::forget('sso.user_attr');
|
2017-11-29 02:40:17 +00:00
|
|
|
$this->assertNull($a->getExternalUsername());
|
|
|
|
|
$this->basicEnvironmentEnv();
|
|
|
|
|
|
|
|
|
|
// Non-existant attribute
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.user_attr', 'foobar');
|
2017-11-29 02:40:17 +00:00
|
|
|
$this->assertNull($a->getExternalUsername());
|
|
|
|
|
$this->basicEnvironmentEnv();
|
|
|
|
|
|
|
|
|
|
// null pointer to attribute
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.user_attr', null);
|
2017-11-29 02:40:17 +00:00
|
|
|
$this->assertNull($a->getExternalUsername());
|
|
|
|
|
$this->basicEnvironmentEnv();
|
|
|
|
|
|
|
|
|
|
// null attribute
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.user_attr', 'REMOTE_USER');
|
2017-11-29 02:40:17 +00:00
|
|
|
$_SERVER['REMOTE_USER'] = null;
|
|
|
|
|
$this->assertNull($a->getExternalUsername());
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-24 20:21:54 +00:00
|
|
|
public function testGetAttr(): void
|
2017-11-29 02:40:17 +00:00
|
|
|
{
|
2021-03-31 22:35:19 +00:00
|
|
|
/** @var \LibreNMS\Authentication\SSOAuthorizer */
|
2018-09-11 12:51:35 +00:00
|
|
|
$a = LegacyAuth::reset();
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
$_SERVER['HTTP_VALID_ATTR'] = 'string';
|
|
|
|
|
$_SERVER['alsoVALID-ATTR'] = 'otherstring';
|
|
|
|
|
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.mode', 'env');
|
2017-11-29 02:40:17 +00:00
|
|
|
$this->assertNull($a->authSSOGetAttr('foobar'));
|
|
|
|
|
$this->assertNull($a->authSSOGetAttr(null));
|
|
|
|
|
$this->assertNull($a->authSSOGetAttr(1));
|
2019-02-12 23:45:04 +00:00
|
|
|
$this->assertIsString($a->authSSOGetAttr('alsoVALID-ATTR'));
|
|
|
|
|
$this->assertIsString($a->authSSOGetAttr('HTTP_VALID_ATTR'));
|
2017-11-29 02:40:17 +00:00
|
|
|
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.mode', 'header');
|
2017-11-29 02:40:17 +00:00
|
|
|
$this->assertNull($a->authSSOGetAttr('foobar'));
|
|
|
|
|
$this->assertNull($a->authSSOGetAttr(null));
|
|
|
|
|
$this->assertNull($a->authSSOGetAttr(1));
|
|
|
|
|
$this->assertNull($a->authSSOGetAttr('alsoVALID-ATTR'));
|
2019-02-12 23:45:04 +00:00
|
|
|
$this->assertIsString($a->authSSOGetAttr('VALID-ATTR'));
|
2017-11-29 02:40:17 +00:00
|
|
|
}
|
|
|
|
|
|
2023-05-24 20:21:54 +00:00
|
|
|
public function testTrustedProxies(): void
|
2017-11-29 02:40:17 +00:00
|
|
|
{
|
2021-03-31 22:35:19 +00:00
|
|
|
/** @var \LibreNMS\Authentication\SSOAuthorizer */
|
2018-09-11 12:51:35 +00:00
|
|
|
$a = LegacyAuth::reset();
|
2017-11-29 02:40:17 +00:00
|
|
|
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.trusted_proxies', ['127.0.0.1', '::1', '2001:630:50::/48', '8.8.8.0/25']);
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
// v4 valid CIDR
|
|
|
|
|
$_SERVER['REMOTE_ADDR'] = '8.8.8.8';
|
|
|
|
|
$this->assertTrue($a->authSSOProxyTrusted());
|
|
|
|
|
|
|
|
|
|
// v4 valid single
|
|
|
|
|
$_SERVER['REMOTE_ADDR'] = '127.0.0.1';
|
|
|
|
|
$this->assertTrue($a->authSSOProxyTrusted());
|
|
|
|
|
|
|
|
|
|
// v4 invalid CIDR
|
|
|
|
|
$_SERVER['REMOTE_ADDR'] = '9.8.8.8';
|
|
|
|
|
$this->assertFalse($a->authSSOProxyTrusted());
|
|
|
|
|
|
|
|
|
|
// v6 valid CIDR
|
|
|
|
|
$_SERVER['REMOTE_ADDR'] = '2001:630:50:baad:beef:feed:face:cafe';
|
|
|
|
|
$this->assertTrue($a->authSSOProxyTrusted());
|
|
|
|
|
|
|
|
|
|
// v6 valid single
|
|
|
|
|
$_SERVER['REMOTE_ADDR'] = '::1';
|
|
|
|
|
$this->assertTrue($a->authSSOProxyTrusted());
|
|
|
|
|
|
|
|
|
|
// v6 invalid CIDR
|
|
|
|
|
$_SERVER['REMOTE_ADDR'] = '2600::';
|
|
|
|
|
$this->assertFalse($a->authSSOProxyTrusted());
|
|
|
|
|
|
|
|
|
|
// Not an IP
|
|
|
|
|
$_SERVER['REMOTE_ADDR'] = 16;
|
|
|
|
|
$this->assertFalse($a->authSSOProxyTrusted());
|
|
|
|
|
|
|
|
|
|
//null
|
|
|
|
|
$_SERVER['REMOTE_ADDR'] = null;
|
|
|
|
|
$this->assertFalse($a->authSSOProxyTrusted());
|
|
|
|
|
|
|
|
|
|
// Invalid String
|
|
|
|
|
$_SERVER['REMOTE_ADDR'] = 'Not an IP address at all, but maybe PHP will end up type juggling somehow';
|
|
|
|
|
$this->assertFalse($a->authSSOProxyTrusted());
|
|
|
|
|
|
|
|
|
|
// Not a list
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.trusted_proxies', '8.8.8.0/25');
|
2017-11-29 02:40:17 +00:00
|
|
|
$_SERVER['REMOTE_ADDR'] = '8.8.8.8';
|
|
|
|
|
$this->assertFalse($a->authSSOProxyTrusted());
|
|
|
|
|
|
|
|
|
|
// Unset
|
|
|
|
|
unset($_SERVER['REMOTE_ADDR']);
|
|
|
|
|
$this->assertFalse($a->authSSOProxyTrusted());
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-24 20:21:54 +00:00
|
|
|
public function testLevelCaulculationFromAttr(): void
|
2017-11-29 02:40:17 +00:00
|
|
|
{
|
2023-08-28 05:13:40 +00:00
|
|
|
/** @var \LibreNMS\Authentication\SSOAuthorizer $a */
|
2018-09-11 12:51:35 +00:00
|
|
|
$a = LegacyAuth::reset();
|
2017-11-29 02:40:17 +00:00
|
|
|
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.mode', 'env');
|
|
|
|
|
Config::set('sso.group_strategy', 'attribute');
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
//Integer
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.level_attr', 'level');
|
2023-08-28 05:13:40 +00:00
|
|
|
$_SERVER['level'] = 5;
|
|
|
|
|
$this->assertSame(['global-read'], $a->getRoles(''));
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
//String
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.level_attr', 'level');
|
2023-08-28 05:13:40 +00:00
|
|
|
$_SERVER['level'] = '5';
|
|
|
|
|
$this->assertSame(['global-read'], $a->getRoles(''));
|
|
|
|
|
|
|
|
|
|
// invalid level
|
|
|
|
|
Config::set('sso.level_attr', 'level');
|
|
|
|
|
$_SERVER['level'] = 9;
|
|
|
|
|
$this->assertSame([], $a->getRoles(''));
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
//Invalid String
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.level_attr', 'level');
|
2017-11-29 02:40:17 +00:00
|
|
|
$_SERVER['level'] = 'foobar';
|
2019-02-12 23:45:04 +00:00
|
|
|
$this->expectException('LibreNMS\Exceptions\AuthenticationException');
|
2023-08-28 05:13:40 +00:00
|
|
|
$a->getRoles('');
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
//null
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.level_attr', 'level');
|
2017-11-29 02:40:17 +00:00
|
|
|
$_SERVER['level'] = null;
|
2019-02-12 23:45:04 +00:00
|
|
|
$this->expectException('LibreNMS\Exceptions\AuthenticationException');
|
2023-08-28 05:13:40 +00:00
|
|
|
$a->getRoles('');
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
//Unset pointer
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::forget('sso.level_attr');
|
2017-11-29 02:40:17 +00:00
|
|
|
$_SERVER['level'] = '9';
|
2019-02-12 23:45:04 +00:00
|
|
|
$this->expectException('LibreNMS\Exceptions\AuthenticationException');
|
2023-08-28 05:13:40 +00:00
|
|
|
$a->getRoles('');
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
//Unset attr
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.level_attr', 'level');
|
2017-11-29 02:40:17 +00:00
|
|
|
unset($_SERVER['level']);
|
2019-02-12 23:45:04 +00:00
|
|
|
$this->expectException('LibreNMS\Exceptions\AuthenticationException');
|
2023-08-28 05:13:40 +00:00
|
|
|
$a->getRoles('');
|
2017-11-29 02:40:17 +00:00
|
|
|
}
|
|
|
|
|
|
2023-05-24 20:21:54 +00:00
|
|
|
public function testGroupParsing(): void
|
2017-11-29 02:40:17 +00:00
|
|
|
{
|
|
|
|
|
$this->basicConfig();
|
2021-03-31 22:35:19 +00:00
|
|
|
/** @var \LibreNMS\Authentication\SSOAuthorizer */
|
2018-09-11 12:51:35 +00:00
|
|
|
$a = LegacyAuth::reset();
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
$this->basicEnvironmentEnv();
|
|
|
|
|
|
2021-10-02 13:02:42 +00:00
|
|
|
Config::set('sso.static_level', 0);
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.group_strategy', 'map');
|
|
|
|
|
Config::set('sso.group_delimiter', ';');
|
|
|
|
|
Config::set('sso.group_attr', 'member');
|
|
|
|
|
Config::set('sso.group_level_map', ['librenms-admins' => 10, 'librenms-readers' => 1, 'librenms-billingcontacts' => 5]);
|
2017-11-29 02:40:17 +00:00
|
|
|
$_SERVER['member'] = 'librenms-admins;librenms-readers;librenms-billingcontacts;unrelatedgroup;confluence-admins';
|
|
|
|
|
|
|
|
|
|
// Valid options
|
2023-04-15 14:02:41 +00:00
|
|
|
$this->assertSame(10, $a->authSSOParseGroups());
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
// No match
|
|
|
|
|
$_SERVER['member'] = 'confluence-admins';
|
2023-04-15 14:02:41 +00:00
|
|
|
$this->assertSame(0, $a->authSSOParseGroups());
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
// Delimiter only
|
|
|
|
|
$_SERVER['member'] = ';;;;';
|
2023-04-15 14:02:41 +00:00
|
|
|
$this->assertSame(0, $a->authSSOParseGroups());
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
// Empty
|
|
|
|
|
$_SERVER['member'] = '';
|
2023-04-15 14:02:41 +00:00
|
|
|
$this->assertSame(0, $a->authSSOParseGroups());
|
2017-11-29 02:40:17 +00:00
|
|
|
|
2021-10-02 13:02:42 +00:00
|
|
|
// Empty with default access level
|
|
|
|
|
Config::set('sso.static_level', 5);
|
2023-04-15 14:02:41 +00:00
|
|
|
$this->assertSame(5, $a->authSSOParseGroups());
|
2021-10-02 13:02:42 +00:00
|
|
|
Config::forget('sso.static_level');
|
|
|
|
|
|
2017-11-29 02:40:17 +00:00
|
|
|
// Null
|
|
|
|
|
$_SERVER['member'] = null;
|
2023-04-15 14:02:41 +00:00
|
|
|
$this->assertSame(0, $a->authSSOParseGroups());
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
// Unset
|
|
|
|
|
unset($_SERVER['member']);
|
2023-04-15 14:02:41 +00:00
|
|
|
$this->assertSame(0, $a->authSSOParseGroups());
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
$_SERVER['member'] = 'librenms-admins;librenms-readers;librenms-billingcontacts;unrelatedgroup;confluence-admins';
|
|
|
|
|
|
|
|
|
|
// Empty
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.group_level_map', []);
|
2023-04-15 14:02:41 +00:00
|
|
|
$this->assertSame(0, $a->authSSOParseGroups());
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
// Not associative
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.group_level_map', ['foo', 'bar', 'librenms-admins']);
|
2023-04-15 14:02:41 +00:00
|
|
|
$this->assertSame(0, $a->authSSOParseGroups());
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
// Null
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.group_level_map', null);
|
2023-04-15 14:02:41 +00:00
|
|
|
$this->assertSame(0, $a->authSSOParseGroups());
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
// Unset
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::forget('sso.group_level_map');
|
2023-04-15 14:02:41 +00:00
|
|
|
$this->assertSame(0, $a->authSSOParseGroups());
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
// No delimiter
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::forget('sso.group_delimiter');
|
2023-04-15 14:02:41 +00:00
|
|
|
$this->assertSame(0, $a->authSSOParseGroups());
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
// Test group filtering by regex
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.group_filter', '/confluence-(.*)/i');
|
|
|
|
|
Config::set('sso.group_delimiter', ';');
|
|
|
|
|
Config::set('sso.group_level_map', ['librenms-admins' => 10, 'librenms-readers' => 1, 'librenms-billingcontacts' => 5, 'confluence-admins' => 7]);
|
2023-04-15 14:02:41 +00:00
|
|
|
$this->assertSame(7, $a->authSSOParseGroups());
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
// Test group filtering by empty regex
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.group_filter', '');
|
2023-04-15 14:02:41 +00:00
|
|
|
$this->assertSame(10, $a->authSSOParseGroups());
|
2017-11-29 02:40:17 +00:00
|
|
|
|
|
|
|
|
// Test group filtering by null regex
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('sso.group_filter', null);
|
2023-04-15 14:02:41 +00:00
|
|
|
$this->assertSame(10, $a->authSSOParseGroups());
|
2017-11-29 02:40:17 +00:00
|
|
|
}
|
|
|
|
|
|
2020-05-19 14:31:50 +00:00
|
|
|
protected function tearDown(): void
|
2017-11-29 02:40:17 +00:00
|
|
|
{
|
2019-03-05 06:24:14 +00:00
|
|
|
Config::set('auth_mechanism', $this->original_auth_mech);
|
|
|
|
|
Config::forget('sso');
|
2018-08-11 21:37:45 +00:00
|
|
|
$_SERVER = $this->server;
|
2019-03-13 04:59:03 +00:00
|
|
|
parent::tearDown();
|
2017-11-29 02:40:17 +00:00
|
|
|
}
|
|
|
|
|
}
|
