clones/librenms
1
0
Fork 0
mirror of https://github.com/librenms/librenms.git synced 2024-09-21 18:38:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
29bd6789cb
librenms/tests/AuthSSOTest.php

479 lines
16 KiB
PHP
Raw Normal View History

Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
<?php
/**
* AuthSSO.php
*
* -Description-
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
Swich links to https (#12511) * Switch librenms links to https * Convert librenms links in comments * Switch gnu.org url to https * switch php urls to https
2021-02-08 23:29:04 +00:00
* along with this program. If not, see <https://www.gnu.org/licenses/>.
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
*
* @link https://librenms.org
Apply fixes from StyleCI (#13224)
2021-09-10 18:09:53 +00:00
*
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
* @copyright 2017 Adam Bishop
* @author Adam Bishop <adam@omega.org.uk>
*/
namespace LibreNMS\Tests;
Testing cleanup (#11677) All tests use transactions One test isn't a db test...
2020-05-24 18:49:01 +00:00
use Illuminate\Foundation\Testing\DatabaseTransactions;
use Illuminate\Support\Str;
Use Laravel authentication (#8702) * Use Laravel for authentication Support legacy auth methods Always create DB entry for users (segregate by auth method) Port api auth to Laravel restrict poller errors to devices the user has access to Run checks on every page load. But set a 5 minute (configurable) timer. Only run some checks if the user is an admin Move toastr down a few pixels so it isn't as annoying. Fix menu not loaded on laravel pages when twofactor is enabled for the system, but disabled for the user. Add two missing menu entries in the laravel menu Rewrite 2FA code Simplify some and verify code before applying Get http-auth working Handle legacy $_SESSION differently. Allows Auth::once(), etc to work. * Fix tests and mysqli extension check * remove duplicate Toastr messages * Fix new items * Rename 266.sql to 267.sql
2018-09-11 12:51:35 +00:00
use LibreNMS\Authentication\LegacyAuth;
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
use LibreNMS\Config;
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
class AuthSSOTest extends DBTestCase
{
Testing cleanup (#11677) All tests use transactions One test isn't a db test...
2020-05-24 18:49:01 +00:00
use DatabaseTransactions;
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
private $original_auth_mech = null;
Fixed snmptraps. (#8898) * Fixed snmptraps. * Fixed space * Added bgp down/up and authentication failure * Fixed typo * Fixed some typos, arrays, astext and format_hostname * Updated documentation * Moved code to a function * Some refactor * Minor fixes * Minor fixes 2 * More minor fixes * Changes requested by Tony * Minor fixes * Moved include to snmptrap.php * Refactor traps to use object oriented code. Should trigger events too/instead, but we'll leave that. Testing todo * Add tests and fix things so they actually work Not checking events yet. * Fixed typo and severity level * Update composer deps, I think the lock file wasn't right. add json and mbstring extension deps while I'm at it. * Fix several issues with phpunit fixtures
2018-08-11 21:37:45 +00:00
private $server;
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
Update PHPUnit to 8.x (#11635) * Shift return type of base TestCase methods From the [PHPUnit 8 release notes][1], the `TestCase` methods below now declare a `void` return type: - `setUpBeforeClass()` - `setUp()` - `assertPreConditions()` - `assertPostConditions()` - `tearDown()` - `tearDownAfterClass()` - `onNotSuccessfulTest()` [1]: https://phpunit.de/announcements/phpunit-8.html * Update PHPUnit to 8.x Part of Laravel 6 upgrade * Bump php versions Co-authored-by: Laravel Shift <shift@laravelshift.com> Co-authored-by: Tony Murray <murraytony@gmail.com>
2020-05-19 14:31:50 +00:00
protected function setUp(): void
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
{
parent::setUp();
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
$this->original_auth_mech = Config::get('auth_mechanism');
Config::set('auth_mechanism', 'sso');
Fixed snmptraps. (#8898) * Fixed snmptraps. * Fixed space * Added bgp down/up and authentication failure * Fixed typo * Fixed some typos, arrays, astext and format_hostname * Updated documentation * Moved code to a function * Some refactor * Minor fixes * Minor fixes 2 * More minor fixes * Changes requested by Tony * Minor fixes * Moved include to snmptrap.php * Refactor traps to use object oriented code. Should trigger events too/instead, but we'll leave that. Testing todo * Add tests and fix things so they actually work Not checking events yet. * Fixed typo and severity level * Update composer deps, I think the lock file wasn't right. add json and mbstring extension deps while I'm at it. * Fix several issues with phpunit fixtures
2018-08-11 21:37:45 +00:00
$this->server = $_SERVER;
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
}
// Set up an SSO config for tests
public function basicConfig()
{
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.mode', 'env');
Config::set('sso.create_users', true);
Config::set('sso.update_users', true);
Config::set('sso.trusted_proxies', ['127.0.0.1', '::1']);
Config::set('sso.user_attr', 'REMOTE_USER');
Config::set('sso.realname_attr', 'displayName');
Config::set('sso.email_attr', 'mail');
Config::set('sso.descr_attr', null);
Config::set('sso.level_attr', null);
Config::set('sso.group_strategy', 'static');
Config::set('sso.group_attr', 'member');
Config::set('sso.group_filter', '/(.*)/i');
Config::set('sso.group_delimiter', ';');
Config::set('sso.group_level_map', null);
Config::set('sso.static_level', -1);
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
}
// Set up $_SERVER in env mode
public function basicEnvironmentEnv()
{
unset($_SERVER);
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.mode', 'env');
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$_SERVER['REMOTE_ADDR'] = '::1';
$_SERVER['REMOTE_USER'] = 'test';
$_SERVER['mail'] = 'test@example.org';
Testing cleanup (#11677) All tests use transactions One test isn't a db test...
2020-05-24 18:49:01 +00:00
$_SERVER['displayName'] = Str::random();
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
}
// Set up $_SERVER in header mode
public function basicEnvironmentHeader()
{
unset($_SERVER);
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.mode', 'header');
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$_SERVER['REMOTE_ADDR'] = '::1';
Testing cleanup (#11677) All tests use transactions One test isn't a db test...
2020-05-24 18:49:01 +00:00
$_SERVER['REMOTE_USER'] = Str::random();
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$_SERVER['HTTP_MAIL'] = 'test@example.org';
$_SERVER['HTTP_DISPLAYNAME'] = 'Test User';
}
Testing cleanup (#11677) All tests use transactions One test isn't a db test...
2020-05-24 18:49:01 +00:00
public function makeUser()
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
{
Testing cleanup (#11677) All tests use transactions One test isn't a db test...
2020-05-24 18:49:01 +00:00
$user = Str::random();
$_SERVER['REMOTE_USER'] = $user;
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
Testing cleanup (#11677) All tests use transactions One test isn't a db test...
2020-05-24 18:49:01 +00:00
return $user;
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
}
// Excercise general auth flow
public function testValidAuthNoCreateUpdate()
{
$this->basicConfig();
Use Laravel authentication (#8702) * Use Laravel for authentication Support legacy auth methods Always create DB entry for users (segregate by auth method) Port api auth to Laravel restrict poller errors to devices the user has access to Run checks on every page load. But set a 5 minute (configurable) timer. Only run some checks if the user is an admin Move toastr down a few pixels so it isn't as annoying. Fix menu not loaded on laravel pages when twofactor is enabled for the system, but disabled for the user. Add two missing menu entries in the laravel menu Rewrite 2FA code Simplify some and verify code before applying Get http-auth working Handle legacy $_SESSION differently. Allows Auth::once(), etc to work. * Fix tests and mysqli extension check * remove duplicate Toastr messages * Fix new items * Rename 266.sql to 267.sql
2018-09-11 12:51:35 +00:00
$a = LegacyAuth::reset();
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.create_users', false);
Config::set('sso.update_users', false);
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
// Create a random username and store it with the defaults
$this->basicEnvironmentEnv();
Testing cleanup (#11677) All tests use transactions One test isn't a db test...
2020-05-24 18:49:01 +00:00
$user = $this->makeUser();
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
$this->assertTrue($a->authenticate(['username' => $user]));
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
// Retrieve it and validate
$dbuser = $a->getUser($a->getUserid($user));
Cleanup (#12695) * Use true/false to return booleans * Misc fixes
2021-04-01 15:35:18 +00:00
$this->assertFalse($dbuser);
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
}
// Excercise general auth flow with creation enabled
public function testValidAuthCreateOnly()
{
$this->basicConfig();
PHPDoc fixes (#12693)
2021-03-31 22:35:19 +00:00
/** @var \LibreNMS\Authentication\SSOAuthorizer */
Use Laravel authentication (#8702) * Use Laravel for authentication Support legacy auth methods Always create DB entry for users (segregate by auth method) Port api auth to Laravel restrict poller errors to devices the user has access to Run checks on every page load. But set a 5 minute (configurable) timer. Only run some checks if the user is an admin Move toastr down a few pixels so it isn't as annoying. Fix menu not loaded on laravel pages when twofactor is enabled for the system, but disabled for the user. Add two missing menu entries in the laravel menu Rewrite 2FA code Simplify some and verify code before applying Get http-auth working Handle legacy $_SESSION differently. Allows Auth::once(), etc to work. * Fix tests and mysqli extension check * remove duplicate Toastr messages * Fix new items * Rename 266.sql to 267.sql
2018-09-11 12:51:35 +00:00
$a = LegacyAuth::reset();
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.create_users', true);
Config::set('sso.update_users', false);
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
// Create a random username and store it with the defaults
$this->basicEnvironmentEnv();
Testing cleanup (#11677) All tests use transactions One test isn't a db test...
2020-05-24 18:49:01 +00:00
$user = $this->makeUser();
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
$this->assertTrue($a->authenticate(['username' => $user]));
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
// Retrieve it and validate
$dbuser = $a->getUser($a->getUserid($user));
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
$this->assertTrue($a->authSSOGetAttr(Config::get('sso.realname_attr')) === $dbuser['realname']);
Use PDO for MySQL queries (#8935) Gut dbFacile mres() now does nothing... could have some vulnerable queries, but most are ok TODO - [x] IRC client broke - [x] Install broke DO NOT DELETE THIS TEXT #### Please note > Please read this information carefully. You can run `./scripts/pre-commit.php` to check your code before submitting. - [x] Have you followed our [code guidelines?](http://docs.librenms.org/Developing/Code-Guidelines/) #### Testers If you would like to test this pull request then please run: `./scripts/github-apply <pr_id>`, i.e `./scripts/github-apply 5926`
2018-08-17 20:29:20 +00:00
$this->assertTrue($dbuser['level'] == -1);
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
$this->assertTrue($a->authSSOGetAttr(Config::get('sso.email_attr')) === $dbuser['email']);
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
// Change a few things and reauth
$_SERVER['mail'] = 'test@example.net';
$_SERVER['displayName'] = 'Testier User';
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.static_level', 10);
$this->assertTrue($a->authenticate(['username' => $user]));
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
// Retrieve it and validate the update was not persisted
$dbuser = $a->getUser($a->getUserid($user));
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
$this->assertFalse($a->authSSOGetAttr(Config::get('sso.realname_attr')) === $dbuser['realname']);
Apply fixes from StyleCI (#12124)
2020-09-21 13:59:34 +00:00
$this->assertFalse($dbuser['level'] === '10');
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
$this->assertFalse($a->authSSOGetAttr(Config::get('sso.email_attr')) === $dbuser['email']);
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
}
// Excercise general auth flow with updates enabled
public function testValidAuthUpdate()
{
$this->basicConfig();
PHPDoc fixes (#12693)
2021-03-31 22:35:19 +00:00
/** @var \LibreNMS\Authentication\SSOAuthorizer */
Use Laravel authentication (#8702) * Use Laravel for authentication Support legacy auth methods Always create DB entry for users (segregate by auth method) Port api auth to Laravel restrict poller errors to devices the user has access to Run checks on every page load. But set a 5 minute (configurable) timer. Only run some checks if the user is an admin Move toastr down a few pixels so it isn't as annoying. Fix menu not loaded on laravel pages when twofactor is enabled for the system, but disabled for the user. Add two missing menu entries in the laravel menu Rewrite 2FA code Simplify some and verify code before applying Get http-auth working Handle legacy $_SESSION differently. Allows Auth::once(), etc to work. * Fix tests and mysqli extension check * remove duplicate Toastr messages * Fix new items * Rename 266.sql to 267.sql
2018-09-11 12:51:35 +00:00
$a = LegacyAuth::reset();
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
// Create a random username and store it with the defaults
$this->basicEnvironmentEnv();
Testing cleanup (#11677) All tests use transactions One test isn't a db test...
2020-05-24 18:49:01 +00:00
$user = $this->makeUser();
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
$this->assertTrue($a->authenticate(['username' => $user]));
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
// Change a few things and reauth
$_SERVER['mail'] = 'test@example.net';
$_SERVER['displayName'] = 'Testier User';
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.static_level', 10);
$this->assertTrue($a->authenticate(['username' => $user]));
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
// Retrieve it and validate the update persisted
$dbuser = $a->getUser($a->getUserid($user));
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
$this->assertTrue($a->authSSOGetAttr(Config::get('sso.realname_attr')) === $dbuser['realname']);
Use PDO for MySQL queries (#8935) Gut dbFacile mres() now does nothing... could have some vulnerable queries, but most are ok TODO - [x] IRC client broke - [x] Install broke DO NOT DELETE THIS TEXT #### Please note > Please read this information carefully. You can run `./scripts/pre-commit.php` to check your code before submitting. - [x] Have you followed our [code guidelines?](http://docs.librenms.org/Developing/Code-Guidelines/) #### Testers If you would like to test this pull request then please run: `./scripts/github-apply <pr_id>`, i.e `./scripts/github-apply 5926`
2018-08-17 20:29:20 +00:00
$this->assertTrue($dbuser['level'] == 10);
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
$this->assertTrue($a->authSSOGetAttr(Config::get('sso.email_attr')) === $dbuser['email']);
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
}
// Check some invalid authentication modes
public function testBadAuth()
{
$this->basicConfig();
PHPDoc fixes (#12693)
2021-03-31 22:35:19 +00:00
/** @var \LibreNMS\Authentication\SSOAuthorizer */
Use Laravel authentication (#8702) * Use Laravel for authentication Support legacy auth methods Always create DB entry for users (segregate by auth method) Port api auth to Laravel restrict poller errors to devices the user has access to Run checks on every page load. But set a 5 minute (configurable) timer. Only run some checks if the user is an admin Move toastr down a few pixels so it isn't as annoying. Fix menu not loaded on laravel pages when twofactor is enabled for the system, but disabled for the user. Add two missing menu entries in the laravel menu Rewrite 2FA code Simplify some and verify code before applying Get http-auth working Handle legacy $_SESSION differently. Allows Auth::once(), etc to work. * Fix tests and mysqli extension check * remove duplicate Toastr messages * Fix new items * Rename 266.sql to 267.sql
2018-09-11 12:51:35 +00:00
$a = LegacyAuth::reset();
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$this->basicEnvironmentEnv();
unset($_SERVER);
Update to Laravel 5.7 (PHP 7.3 support) (#9800) * Move assets to 5.7 location * Add 5.7 SVGs * add cache data dir * update QUEUE_DRIVER -> QUEUE_CONNECTION * Update trusted proxy config * update composer.json * 5.5 command loading * @php and @endphp can't be inline * Laravel 5.6 logging, Nice! * Update blade directives * improved redirects * remove unneeded service providers * Improved debugbar loading * no need to emulate renderable exceptions anymore * merge updated 5.7 files (WIP) * Enable CSRF * database_path() call causes issue in init.php * fix old testcase name * generic phpunit 7 fixes * add missed file_get_contents Keep migrations table content * fix duplicate key * Drop old php versions from travis-ci * remove hhvm * fix code climate message * remove use of deprecated function assertInternalType * Disable CSRF, we'll enable it separately. All forms need to be updated to work. * Update document references
2019-02-12 23:45:04 +00:00
$this->expectException('LibreNMS\Exceptions\AuthenticationException');
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
$a->authenticate([]);
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$this->basicEnvironmentHeader();
unset($_SERVER);
Update to Laravel 5.7 (PHP 7.3 support) (#9800) * Move assets to 5.7 location * Add 5.7 SVGs * add cache data dir * update QUEUE_DRIVER -> QUEUE_CONNECTION * Update trusted proxy config * update composer.json * 5.5 command loading * @php and @endphp can't be inline * Laravel 5.6 logging, Nice! * Update blade directives * improved redirects * remove unneeded service providers * Improved debugbar loading * no need to emulate renderable exceptions anymore * merge updated 5.7 files (WIP) * Enable CSRF * database_path() call causes issue in init.php * fix old testcase name * generic phpunit 7 fixes * add missed file_get_contents Keep migrations table content * fix duplicate key * Drop old php versions from travis-ci * remove hhvm * fix code climate message * remove use of deprecated function assertInternalType * Disable CSRF, we'll enable it separately. All forms need to be updated to work. * Update document references
2019-02-12 23:45:04 +00:00
$this->expectException('LibreNMS\Exceptions\AuthenticationException');
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
$a->authenticate([]);
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
}
// Test some missing attributes
public function testNoAttribute()
{
$this->basicConfig();
PHPDoc fixes (#12693)
2021-03-31 22:35:19 +00:00
/** @var \LibreNMS\Authentication\SSOAuthorizer */
Use Laravel authentication (#8702) * Use Laravel for authentication Support legacy auth methods Always create DB entry for users (segregate by auth method) Port api auth to Laravel restrict poller errors to devices the user has access to Run checks on every page load. But set a 5 minute (configurable) timer. Only run some checks if the user is an admin Move toastr down a few pixels so it isn't as annoying. Fix menu not loaded on laravel pages when twofactor is enabled for the system, but disabled for the user. Add two missing menu entries in the laravel menu Rewrite 2FA code Simplify some and verify code before applying Get http-auth working Handle legacy $_SESSION differently. Allows Auth::once(), etc to work. * Fix tests and mysqli extension check * remove duplicate Toastr messages * Fix new items * Rename 266.sql to 267.sql
2018-09-11 12:51:35 +00:00
$a = LegacyAuth::reset();
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$this->basicEnvironmentEnv();
unset($_SERVER['displayName']);
unset($_SERVER['mail']);
Testing cleanup (#11677) All tests use transactions One test isn't a db test...
2020-05-24 18:49:01 +00:00
$this->assertTrue($a->authenticate(['username' => $this->makeUser()]));
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$this->basicEnvironmentHeader();
unset($_SERVER['HTTP_DISPLAYNAME']);
unset($_SERVER['HTTP_MAIL']);
Testing cleanup (#11677) All tests use transactions One test isn't a db test...
2020-05-24 18:49:01 +00:00
$this->assertTrue($a->authenticate(['username' => $this->makeUser()]));
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
}
// Document the modules current behaviour, so that changes trigger test failures
public function testCapabilityFunctions()
{
Use Laravel authentication (#8702) * Use Laravel for authentication Support legacy auth methods Always create DB entry for users (segregate by auth method) Port api auth to Laravel restrict poller errors to devices the user has access to Run checks on every page load. But set a 5 minute (configurable) timer. Only run some checks if the user is an admin Move toastr down a few pixels so it isn't as annoying. Fix menu not loaded on laravel pages when twofactor is enabled for the system, but disabled for the user. Add two missing menu entries in the laravel menu Rewrite 2FA code Simplify some and verify code before applying Get http-auth working Handle legacy $_SESSION differently. Allows Auth::once(), etc to work. * Fix tests and mysqli extension check * remove duplicate Toastr messages * Fix new items * Rename 266.sql to 267.sql
2018-09-11 12:51:35 +00:00
$a = LegacyAuth::reset();
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
Cleanup (#12695) * Use true/false to return booleans * Misc fixes
2021-04-01 15:35:18 +00:00
$this->assertFalse($a->canUpdatePasswords());
$this->assertTrue($a->canManageUsers());
$this->assertTrue($a->canUpdateUsers());
$this->assertTrue($a->authIsExternal());
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
}
/* Everything from here comprises of targeted tests to excercise single methods */
public function testGetExternalUserName()
{
$this->basicConfig();
PHPDoc fixes (#12693)
2021-03-31 22:35:19 +00:00
/** @var \LibreNMS\Authentication\SSOAuthorizer */
Use Laravel authentication (#8702) * Use Laravel for authentication Support legacy auth methods Always create DB entry for users (segregate by auth method) Port api auth to Laravel restrict poller errors to devices the user has access to Run checks on every page load. But set a 5 minute (configurable) timer. Only run some checks if the user is an admin Move toastr down a few pixels so it isn't as annoying. Fix menu not loaded on laravel pages when twofactor is enabled for the system, but disabled for the user. Add two missing menu entries in the laravel menu Rewrite 2FA code Simplify some and verify code before applying Get http-auth working Handle legacy $_SESSION differently. Allows Auth::once(), etc to work. * Fix tests and mysqli extension check * remove duplicate Toastr messages * Fix new items * Rename 266.sql to 267.sql
2018-09-11 12:51:35 +00:00
$a = LegacyAuth::reset();
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$this->basicEnvironmentEnv();
Update to Laravel 5.7 (PHP 7.3 support) (#9800) * Move assets to 5.7 location * Add 5.7 SVGs * add cache data dir * update QUEUE_DRIVER -> QUEUE_CONNECTION * Update trusted proxy config * update composer.json * 5.5 command loading * @php and @endphp can't be inline * Laravel 5.6 logging, Nice! * Update blade directives * improved redirects * remove unneeded service providers * Improved debugbar loading * no need to emulate renderable exceptions anymore * merge updated 5.7 files (WIP) * Enable CSRF * database_path() call causes issue in init.php * fix old testcase name * generic phpunit 7 fixes * add missed file_get_contents Keep migrations table content * fix duplicate key * Drop old php versions from travis-ci * remove hhvm * fix code climate message * remove use of deprecated function assertInternalType * Disable CSRF, we'll enable it separately. All forms need to be updated to work. * Update document references
2019-02-12 23:45:04 +00:00
$this->assertIsString($a->getExternalUsername());
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
// Missing
unset($_SERVER['REMOTE_USER']);
$this->assertNull($a->getExternalUsername());
$this->basicEnvironmentEnv();
// Missing pointer to attribute
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::forget('sso.user_attr');
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$this->assertNull($a->getExternalUsername());
$this->basicEnvironmentEnv();
// Non-existant attribute
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.user_attr', 'foobar');
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$this->assertNull($a->getExternalUsername());
$this->basicEnvironmentEnv();
// null pointer to attribute
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.user_attr', null);
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$this->assertNull($a->getExternalUsername());
$this->basicEnvironmentEnv();
// null attribute
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.user_attr', 'REMOTE_USER');
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$_SERVER['REMOTE_USER'] = null;
$this->assertNull($a->getExternalUsername());
}
public function testGetAttr()
{
PHPDoc fixes (#12693)
2021-03-31 22:35:19 +00:00
/** @var \LibreNMS\Authentication\SSOAuthorizer */
Use Laravel authentication (#8702) * Use Laravel for authentication Support legacy auth methods Always create DB entry for users (segregate by auth method) Port api auth to Laravel restrict poller errors to devices the user has access to Run checks on every page load. But set a 5 minute (configurable) timer. Only run some checks if the user is an admin Move toastr down a few pixels so it isn't as annoying. Fix menu not loaded on laravel pages when twofactor is enabled for the system, but disabled for the user. Add two missing menu entries in the laravel menu Rewrite 2FA code Simplify some and verify code before applying Get http-auth working Handle legacy $_SESSION differently. Allows Auth::once(), etc to work. * Fix tests and mysqli extension check * remove duplicate Toastr messages * Fix new items * Rename 266.sql to 267.sql
2018-09-11 12:51:35 +00:00
$a = LegacyAuth::reset();
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$_SERVER['HTTP_VALID_ATTR'] = 'string';
$_SERVER['alsoVALID-ATTR'] = 'otherstring';
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.mode', 'env');
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$this->assertNull($a->authSSOGetAttr('foobar'));
$this->assertNull($a->authSSOGetAttr(null));
$this->assertNull($a->authSSOGetAttr(1));
Update to Laravel 5.7 (PHP 7.3 support) (#9800) * Move assets to 5.7 location * Add 5.7 SVGs * add cache data dir * update QUEUE_DRIVER -> QUEUE_CONNECTION * Update trusted proxy config * update composer.json * 5.5 command loading * @php and @endphp can't be inline * Laravel 5.6 logging, Nice! * Update blade directives * improved redirects * remove unneeded service providers * Improved debugbar loading * no need to emulate renderable exceptions anymore * merge updated 5.7 files (WIP) * Enable CSRF * database_path() call causes issue in init.php * fix old testcase name * generic phpunit 7 fixes * add missed file_get_contents Keep migrations table content * fix duplicate key * Drop old php versions from travis-ci * remove hhvm * fix code climate message * remove use of deprecated function assertInternalType * Disable CSRF, we'll enable it separately. All forms need to be updated to work. * Update document references
2019-02-12 23:45:04 +00:00
$this->assertIsString($a->authSSOGetAttr('alsoVALID-ATTR'));
$this->assertIsString($a->authSSOGetAttr('HTTP_VALID_ATTR'));
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.mode', 'header');
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$this->assertNull($a->authSSOGetAttr('foobar'));
$this->assertNull($a->authSSOGetAttr(null));
$this->assertNull($a->authSSOGetAttr(1));
$this->assertNull($a->authSSOGetAttr('alsoVALID-ATTR'));
Update to Laravel 5.7 (PHP 7.3 support) (#9800) * Move assets to 5.7 location * Add 5.7 SVGs * add cache data dir * update QUEUE_DRIVER -> QUEUE_CONNECTION * Update trusted proxy config * update composer.json * 5.5 command loading * @php and @endphp can't be inline * Laravel 5.6 logging, Nice! * Update blade directives * improved redirects * remove unneeded service providers * Improved debugbar loading * no need to emulate renderable exceptions anymore * merge updated 5.7 files (WIP) * Enable CSRF * database_path() call causes issue in init.php * fix old testcase name * generic phpunit 7 fixes * add missed file_get_contents Keep migrations table content * fix duplicate key * Drop old php versions from travis-ci * remove hhvm * fix code climate message * remove use of deprecated function assertInternalType * Disable CSRF, we'll enable it separately. All forms need to be updated to work. * Update document references
2019-02-12 23:45:04 +00:00
$this->assertIsString($a->authSSOGetAttr('VALID-ATTR'));
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
}
public function testTrustedProxies()
{
PHPDoc fixes (#12693)
2021-03-31 22:35:19 +00:00
/** @var \LibreNMS\Authentication\SSOAuthorizer */
Use Laravel authentication (#8702) * Use Laravel for authentication Support legacy auth methods Always create DB entry for users (segregate by auth method) Port api auth to Laravel restrict poller errors to devices the user has access to Run checks on every page load. But set a 5 minute (configurable) timer. Only run some checks if the user is an admin Move toastr down a few pixels so it isn't as annoying. Fix menu not loaded on laravel pages when twofactor is enabled for the system, but disabled for the user. Add two missing menu entries in the laravel menu Rewrite 2FA code Simplify some and verify code before applying Get http-auth working Handle legacy $_SESSION differently. Allows Auth::once(), etc to work. * Fix tests and mysqli extension check * remove duplicate Toastr messages * Fix new items * Rename 266.sql to 267.sql
2018-09-11 12:51:35 +00:00
$a = LegacyAuth::reset();
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.trusted_proxies', ['127.0.0.1', '::1', '2001:630:50::/48', '8.8.8.0/25']);
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
// v4 valid CIDR
$_SERVER['REMOTE_ADDR'] = '8.8.8.8';
$this->assertTrue($a->authSSOProxyTrusted());
// v4 valid single
$_SERVER['REMOTE_ADDR'] = '127.0.0.1';
$this->assertTrue($a->authSSOProxyTrusted());
// v4 invalid CIDR
$_SERVER['REMOTE_ADDR'] = '9.8.8.8';
$this->assertFalse($a->authSSOProxyTrusted());
// v6 valid CIDR
$_SERVER['REMOTE_ADDR'] = '2001:630:50:baad:beef:feed:face:cafe';
$this->assertTrue($a->authSSOProxyTrusted());
// v6 valid single
$_SERVER['REMOTE_ADDR'] = '::1';
$this->assertTrue($a->authSSOProxyTrusted());
// v6 invalid CIDR
$_SERVER['REMOTE_ADDR'] = '2600::';
$this->assertFalse($a->authSSOProxyTrusted());
// Not an IP
$_SERVER['REMOTE_ADDR'] = 16;
$this->assertFalse($a->authSSOProxyTrusted());
//null
$_SERVER['REMOTE_ADDR'] = null;
$this->assertFalse($a->authSSOProxyTrusted());
// Invalid String
$_SERVER['REMOTE_ADDR'] = 'Not an IP address at all, but maybe PHP will end up type juggling somehow';
$this->assertFalse($a->authSSOProxyTrusted());
// Not a list
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.trusted_proxies', '8.8.8.0/25');
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$_SERVER['REMOTE_ADDR'] = '8.8.8.8';
$this->assertFalse($a->authSSOProxyTrusted());
// Unset
unset($_SERVER['REMOTE_ADDR']);
$this->assertFalse($a->authSSOProxyTrusted());
}
public function testLevelCaulculationFromAttr()
{
PHPDoc fixes (#12693)
2021-03-31 22:35:19 +00:00
/** @var \LibreNMS\Authentication\SSOAuthorizer */
Use Laravel authentication (#8702) * Use Laravel for authentication Support legacy auth methods Always create DB entry for users (segregate by auth method) Port api auth to Laravel restrict poller errors to devices the user has access to Run checks on every page load. But set a 5 minute (configurable) timer. Only run some checks if the user is an admin Move toastr down a few pixels so it isn't as annoying. Fix menu not loaded on laravel pages when twofactor is enabled for the system, but disabled for the user. Add two missing menu entries in the laravel menu Rewrite 2FA code Simplify some and verify code before applying Get http-auth working Handle legacy $_SESSION differently. Allows Auth::once(), etc to work. * Fix tests and mysqli extension check * remove duplicate Toastr messages * Fix new items * Rename 266.sql to 267.sql
2018-09-11 12:51:35 +00:00
$a = LegacyAuth::reset();
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.mode', 'env');
Config::set('sso.group_strategy', 'attribute');
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
//Integer
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.level_attr', 'level');
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$_SERVER['level'] = 9;
$this->assertTrue($a->authSSOCalculateLevel() === 9);
//String
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.level_attr', 'level');
Apply fixes from StyleCI (#12124)
2020-09-21 13:59:34 +00:00
$_SERVER['level'] = '9';
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$this->assertTrue($a->authSSOCalculateLevel() === 9);
//Invalid String
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.level_attr', 'level');
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$_SERVER['level'] = 'foobar';
Update to Laravel 5.7 (PHP 7.3 support) (#9800) * Move assets to 5.7 location * Add 5.7 SVGs * add cache data dir * update QUEUE_DRIVER -> QUEUE_CONNECTION * Update trusted proxy config * update composer.json * 5.5 command loading * @php and @endphp can't be inline * Laravel 5.6 logging, Nice! * Update blade directives * improved redirects * remove unneeded service providers * Improved debugbar loading * no need to emulate renderable exceptions anymore * merge updated 5.7 files (WIP) * Enable CSRF * database_path() call causes issue in init.php * fix old testcase name * generic phpunit 7 fixes * add missed file_get_contents Keep migrations table content * fix duplicate key * Drop old php versions from travis-ci * remove hhvm * fix code climate message * remove use of deprecated function assertInternalType * Disable CSRF, we'll enable it separately. All forms need to be updated to work. * Update document references
2019-02-12 23:45:04 +00:00
$this->expectException('LibreNMS\Exceptions\AuthenticationException');
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$a->authSSOCalculateLevel();
//null
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.level_attr', 'level');
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$_SERVER['level'] = null;
Update to Laravel 5.7 (PHP 7.3 support) (#9800) * Move assets to 5.7 location * Add 5.7 SVGs * add cache data dir * update QUEUE_DRIVER -> QUEUE_CONNECTION * Update trusted proxy config * update composer.json * 5.5 command loading * @php and @endphp can't be inline * Laravel 5.6 logging, Nice! * Update blade directives * improved redirects * remove unneeded service providers * Improved debugbar loading * no need to emulate renderable exceptions anymore * merge updated 5.7 files (WIP) * Enable CSRF * database_path() call causes issue in init.php * fix old testcase name * generic phpunit 7 fixes * add missed file_get_contents Keep migrations table content * fix duplicate key * Drop old php versions from travis-ci * remove hhvm * fix code climate message * remove use of deprecated function assertInternalType * Disable CSRF, we'll enable it separately. All forms need to be updated to work. * Update document references
2019-02-12 23:45:04 +00:00
$this->expectException('LibreNMS\Exceptions\AuthenticationException');
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$a->authSSOCalculateLevel();
//Unset pointer
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::forget('sso.level_attr');
Apply fixes from StyleCI (#12124)
2020-09-21 13:59:34 +00:00
$_SERVER['level'] = '9';
Update to Laravel 5.7 (PHP 7.3 support) (#9800) * Move assets to 5.7 location * Add 5.7 SVGs * add cache data dir * update QUEUE_DRIVER -> QUEUE_CONNECTION * Update trusted proxy config * update composer.json * 5.5 command loading * @php and @endphp can't be inline * Laravel 5.6 logging, Nice! * Update blade directives * improved redirects * remove unneeded service providers * Improved debugbar loading * no need to emulate renderable exceptions anymore * merge updated 5.7 files (WIP) * Enable CSRF * database_path() call causes issue in init.php * fix old testcase name * generic phpunit 7 fixes * add missed file_get_contents Keep migrations table content * fix duplicate key * Drop old php versions from travis-ci * remove hhvm * fix code climate message * remove use of deprecated function assertInternalType * Disable CSRF, we'll enable it separately. All forms need to be updated to work. * Update document references
2019-02-12 23:45:04 +00:00
$this->expectException('LibreNMS\Exceptions\AuthenticationException');
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$a->authSSOCalculateLevel();
//Unset attr
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.level_attr', 'level');
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
unset($_SERVER['level']);
Update to Laravel 5.7 (PHP 7.3 support) (#9800) * Move assets to 5.7 location * Add 5.7 SVGs * add cache data dir * update QUEUE_DRIVER -> QUEUE_CONNECTION * Update trusted proxy config * update composer.json * 5.5 command loading * @php and @endphp can't be inline * Laravel 5.6 logging, Nice! * Update blade directives * improved redirects * remove unneeded service providers * Improved debugbar loading * no need to emulate renderable exceptions anymore * merge updated 5.7 files (WIP) * Enable CSRF * database_path() call causes issue in init.php * fix old testcase name * generic phpunit 7 fixes * add missed file_get_contents Keep migrations table content * fix duplicate key * Drop old php versions from travis-ci * remove hhvm * fix code climate message * remove use of deprecated function assertInternalType * Disable CSRF, we'll enable it separately. All forms need to be updated to work. * Update document references
2019-02-12 23:45:04 +00:00
$this->expectException('LibreNMS\Exceptions\AuthenticationException');
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$a->authSSOCalculateLevel();
}
public function testGroupParsing()
{
$this->basicConfig();
PHPDoc fixes (#12693)
2021-03-31 22:35:19 +00:00
/** @var \LibreNMS\Authentication\SSOAuthorizer */
Use Laravel authentication (#8702) * Use Laravel for authentication Support legacy auth methods Always create DB entry for users (segregate by auth method) Port api auth to Laravel restrict poller errors to devices the user has access to Run checks on every page load. But set a 5 minute (configurable) timer. Only run some checks if the user is an admin Move toastr down a few pixels so it isn't as annoying. Fix menu not loaded on laravel pages when twofactor is enabled for the system, but disabled for the user. Add two missing menu entries in the laravel menu Rewrite 2FA code Simplify some and verify code before applying Get http-auth working Handle legacy $_SESSION differently. Allows Auth::once(), etc to work. * Fix tests and mysqli extension check * remove duplicate Toastr messages * Fix new items * Rename 266.sql to 267.sql
2018-09-11 12:51:35 +00:00
$a = LegacyAuth::reset();
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$this->basicEnvironmentEnv();
Improvements to SSO Authorization and logout handling (#13311) * Improvements to SSO Authorization and logout handling Changes: * Adds support for a default access level in the SSO authorization plugin when group mapping is enabled. * Restore functionality of the auth_logout_handler configuration option, allowing the user to be redirected to a configured URL to complete logout from an external IdP. * Documentation and test coverage updates * Set sso.static_level to 0 in AuthSSOTest:testGroupParsing() * Simplify implementation to use default values in Config::get()
2021-10-02 13:02:42 +00:00
Config::set('sso.static_level', 0);
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.group_strategy', 'map');
Config::set('sso.group_delimiter', ';');
Config::set('sso.group_attr', 'member');
Config::set('sso.group_level_map', ['librenms-admins' => 10, 'librenms-readers' => 1, 'librenms-billingcontacts' => 5]);
Apply fixes from StyleCI (#12124)
2020-09-21 13:59:34 +00:00
$_SERVER['member'] = 'librenms-admins;librenms-readers;librenms-billingcontacts;unrelatedgroup;confluence-admins';
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
// Valid options
$this->assertTrue($a->authSSOParseGroups() === 10);
// No match
Apply fixes from StyleCI (#12124)
2020-09-21 13:59:34 +00:00
$_SERVER['member'] = 'confluence-admins';
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$this->assertTrue($a->authSSOParseGroups() === 0);
// Delimiter only
Apply fixes from StyleCI (#12124)
2020-09-21 13:59:34 +00:00
$_SERVER['member'] = ';;;;';
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$this->assertTrue($a->authSSOParseGroups() === 0);
// Empty
Apply fixes from StyleCI (#12124)
2020-09-21 13:59:34 +00:00
$_SERVER['member'] = '';
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$this->assertTrue($a->authSSOParseGroups() === 0);
Improvements to SSO Authorization and logout handling (#13311) * Improvements to SSO Authorization and logout handling Changes: * Adds support for a default access level in the SSO authorization plugin when group mapping is enabled. * Restore functionality of the auth_logout_handler configuration option, allowing the user to be redirected to a configured URL to complete logout from an external IdP. * Documentation and test coverage updates * Set sso.static_level to 0 in AuthSSOTest:testGroupParsing() * Simplify implementation to use default values in Config::get()
2021-10-02 13:02:42 +00:00
// Empty with default access level
Config::set('sso.static_level', 5);
$this->assertTrue($a->authSSOParseGroups() === 5);
Config::forget('sso.static_level');
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
// Null
$_SERVER['member'] = null;
$this->assertTrue($a->authSSOParseGroups() === 0);
// Unset
unset($_SERVER['member']);
$this->assertTrue($a->authSSOParseGroups() === 0);
Apply fixes from StyleCI (#12124)
2020-09-21 13:59:34 +00:00
$_SERVER['member'] = 'librenms-admins;librenms-readers;librenms-billingcontacts;unrelatedgroup;confluence-admins';
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
// Empty
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.group_level_map', []);
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$this->assertTrue($a->authSSOParseGroups() === 0);
// Not associative
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.group_level_map', ['foo', 'bar', 'librenms-admins']);
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$this->assertTrue($a->authSSOParseGroups() === 0);
// Null
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.group_level_map', null);
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$this->assertTrue($a->authSSOParseGroups() === 0);
// Unset
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::forget('sso.group_level_map');
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$this->assertTrue($a->authSSOParseGroups() === 0);
// No delimiter
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::forget('sso.group_delimiter');
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$this->assertTrue($a->authSSOParseGroups() === 0);
// Test group filtering by regex
Apply fixes from StyleCI (#12124)
2020-09-21 13:59:34 +00:00
Config::set('sso.group_filter', '/confluence-(.*)/i');
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.group_delimiter', ';');
Config::set('sso.group_level_map', ['librenms-admins' => 10, 'librenms-readers' => 1, 'librenms-billingcontacts' => 5, 'confluence-admins' => 7]);
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$this->assertTrue($a->authSSOParseGroups() === 7);
// Test group filtering by empty regex
Apply fixes from StyleCI (#12124)
2020-09-21 13:59:34 +00:00
Config::set('sso.group_filter', '');
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$this->assertTrue($a->authSSOParseGroups() === 10);
// Test group filtering by null regex
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('sso.group_filter', null);
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
$this->assertTrue($a->authSSOParseGroups() === 10);
}
Update PHPUnit to 8.x (#11635) * Shift return type of base TestCase methods From the [PHPUnit 8 release notes][1], the `TestCase` methods below now declare a `void` return type: - `setUpBeforeClass()` - `setUp()` - `assertPreConditions()` - `assertPostConditions()` - `tearDown()` - `tearDownAfterClass()` - `onNotSuccessfulTest()` [1]: https://phpunit.de/announcements/phpunit-8.html * Update PHPUnit to 8.x Part of Laravel 6 upgrade * Bump php versions Co-authored-by: Laravel Shift <shift@laravelshift.com> Co-authored-by: Tony Murray <murraytony@gmail.com>
2020-05-19 14:31:50 +00:00
protected function tearDown(): void
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
{
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test
2019-03-05 06:24:14 +00:00
Config::set('auth_mechanism', $this->original_auth_mech);
Config::forget('sso');
Fixed snmptraps. (#8898) * Fixed snmptraps. * Fixed space * Added bgp down/up and authentication failure * Fixed typo * Fixed some typos, arrays, astext and format_hostname * Updated documentation * Moved code to a function * Some refactor * Minor fixes * Minor fixes 2 * More minor fixes * Changes requested by Tony * Minor fixes * Moved include to snmptrap.php * Refactor traps to use object oriented code. Should trigger events too/instead, but we'll leave that. Testing todo * Add tests and fix things so they actually work Not checking events yet. * Fixed typo and severity level * Update composer deps, I think the lock file wasn't right. add json and mbstring extension deps while I'm at it. * Fix several issues with phpunit fixtures
2018-08-11 21:37:45 +00:00
$_SERVER = $this->server;
Resubmit #9608 (#9941) * Reorganize trap tests * Testing db DRIVER to prevent .env from interfering * New code to detect if Laravel is booted. Hopefully more reliable. * WIP external test process * revert module test helper * Use .env in Eloquent::boot() * Fix test database settings loading * fix undefined classes (didn't find the one I needed) * Fix incorrect Config usages And RrdDefinition return type * fix .env loading * use the right DB * slightly more accurate isConnected * Move db_name to DBSetupTest specifically * restore $_SERVER in AuthSSOTest * missed item * WIP * tear down in the correct order. * some testing cleanups * remove check for duplicate event listener, it's not working right * Don't need this change anymore * Implement Log::event to replace legacy function log_event() * fix port tests * fix up tests * remove pointless TrapTestCase class * fix style * Fix db config not being merged... * skip env check for tests * defer database operations until after Laravel is booted. * don't include dbFaciale... * redundant use
2019-03-13 04:59:03 +00:00
parent::tearDown();
Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth
2017-11-29 02:40:17 +00:00
}
}
Reference in New Issue Copy Permalink