BookStack Code Mirror - bookstack/blob - tests/Auth/LdapTest.php

1 <?php

2

3 namespace Tests\Auth;

4

5 use BookStack\Auth\Access\Ldap;

6 use BookStack\Auth\Access\LdapService;

7 use BookStack\Auth\Role;

8 use BookStack\Auth\User;

9 use Mockery\MockInterface;

10 use Tests\TestCase;

11 use Tests\TestResponse;

12

13 class LdapTest extends TestCase

14 {

15 /**

16 * @var MockInterface

17 */

18 protected $mockLdap;

19

20 protected $mockUser;

21 protected $resourceId = 'resource-test';

22

23 protected function setUp(): void

24 {

25 parent::setUp();

26 if (!defined('LDAP_OPT_REFERRALS')) {

27 define('LDAP_OPT_REFERRALS', 1);

28 }

29 config()->set([

30 'auth.method' => 'ldap',

31 'auth.defaults.guard' => 'ldap',

32 'services.ldap.base_dn' => 'dc=ldap,dc=local',

33 'services.ldap.email_attribute' => 'mail',

34 'services.ldap.display_name_attribute' => 'cn',

35 'services.ldap.id_attribute' => 'uid',

36 'services.ldap.user_to_groups' => false,

37 'services.ldap.version' => '3',

38 'services.ldap.user_filter' => '(&(uid=${user}))',

39 'services.ldap.follow_referrals' => false,

40 'services.ldap.tls_insecure' => false,

41 'services.ldap.thumbnail_attribute' => null,

42 ]);

43 $this->mockLdap = \Mockery::mock(Ldap::class);

44 $this->app[Ldap::class] = $this->mockLdap;

45 $this->mockUser = User::factory()->make();

46 }

47

48 protected function runFailedAuthLogin()

49 {

50 $this->commonLdapMocks(1, 1, 1, 1, 1);

51 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(1)

52 ->andReturn(['count' => 0]);

53 $this->post('/login', ['username' => 'timmyjenkins', 'password' => 'cattreedog']);

54 }

55

56 protected function mockEscapes($times = 1)

57 {

58 $this->mockLdap->shouldReceive('escape')->times($times)->andReturnUsing(function ($val) {

59 return ldap_escape($val);

60 });

61 }

62

63 protected function mockExplodes($times = 1)

64 {

65 $this->mockLdap->shouldReceive('explodeDn')->times($times)->andReturnUsing(function ($dn, $withAttrib) {

66 return ldap_explode_dn($dn, $withAttrib);

67 });

68 }

69

70 protected function mockUserLogin(?string $email = null): TestResponse

71 {

72 return $this->post('/login', [

73 'username' => $this->mockUser->name,

74 'password' => $this->mockUser->password,

75 ] + ($email ? ['email' => $email] : []));

76 }

77

78 /**

79 * Set LDAP method mocks for things we commonly call without altering.

80 */

81 protected function commonLdapMocks(int $connects = 1, int $versions = 1, int $options = 2, int $binds = 4, int $escapes = 2, int $explodes = 0)

82 {

83 $this->mockLdap->shouldReceive('connect')->times($connects)->andReturn($this->resourceId);

84 $this->mockLdap->shouldReceive('setVersion')->times($versions);

85 $this->mockLdap->shouldReceive('setOption')->times($options);

86 $this->mockLdap->shouldReceive('bind')->times($binds)->andReturn(true);

87 $this->mockEscapes($escapes);

88 $this->mockExplodes($explodes);

89 }

90

91 public function test_login()

92 {

93 $this->commonLdapMocks(1, 1, 2, 4, 2);

94 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(2)

95 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))

96 ->andReturn(['count' => 1, 0 => [

97 'uid' => [$this->mockUser->name],

98 'cn' => [$this->mockUser->name],

99 'dn' => ['dc=test' . config('services.ldap.base_dn')],

100 ]]);

101

102 $resp = $this->mockUserLogin();

103 $resp->assertRedirect('/login');

104 $resp = $this->followRedirects($resp);

105 $resp->assertSee('Please enter an email to use for this account.');

106 $resp->assertSee($this->mockUser->name);

107

108 $resp = $this->followingRedirects()->mockUserLogin($this->mockUser->email);

109 $resp->assertElementExists('#home-default');

110 $resp->assertSee($this->mockUser->name);

111 $this->assertDatabaseHas('users', [

112 'email' => $this->mockUser->email,

113 'email_confirmed' => false,

114 'external_auth_id' => $this->mockUser->name,

115 ]);

116 }

117

118 public function test_email_domain_restriction_active_on_new_ldap_login()

119 {

120 $this->setSettings([

121 'registration-restrict' => 'testing.com',

122 ]);

123

124 $this->commonLdapMocks(1, 1, 2, 4, 2);

125 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(2)

126 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))

127 ->andReturn(['count' => 1, 0 => [

128 'uid' => [$this->mockUser->name],

129 'cn' => [$this->mockUser->name],

130 'dn' => ['dc=test' . config('services.ldap.base_dn')],

131 ]]);

132

133 $resp = $this->mockUserLogin();

134 $resp->assertRedirect('/login');

135 $this->followRedirects($resp)->assertSee('Please enter an email to use for this account.');

136

137 $email = 'tester@invaliddomain.com';

138 $resp = $this->mockUserLogin($email);

139 $resp->assertRedirect('/login');

140 $this->followRedirects($resp)->assertSee('That email domain does not have access to this application');

141

142 $this->assertDatabaseMissing('users', ['email' => $email]);

143 }

144

145 public function test_login_works_when_no_uid_provided_by_ldap_server()

146 {

147 $ldapDn = 'cn=test-user,dc=test' . config('services.ldap.base_dn');

148

149 $this->commonLdapMocks(1, 1, 1, 2, 1);

150 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(1)

151 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))

152 ->andReturn(['count' => 1, 0 => [

153 'cn' => [$this->mockUser->name],

154 'dn' => $ldapDn,

155 'mail' => [$this->mockUser->email],

156 ]]);

157

158 $resp = $this->mockUserLogin();

159 $resp->assertRedirect('/');

160 $this->followRedirects($resp)->assertSee($this->mockUser->name);

161 $this->assertDatabaseHas('users', ['email' => $this->mockUser->email, 'email_confirmed' => false, 'external_auth_id' => $ldapDn]);

162 }

163

164 public function test_a_custom_uid_attribute_can_be_specified_and_is_used_properly()

165 {

166 config()->set(['services.ldap.id_attribute' => 'my_custom_id']);

167

168 $this->commonLdapMocks(1, 1, 1, 2, 1);

169 $ldapDn = 'cn=test-user,dc=test' . config('services.ldap.base_dn');

170 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(1)

171 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))

172 ->andReturn(['count' => 1, 0 => [

173 'cn' => [$this->mockUser->name],

174 'dn' => $ldapDn,

175 'my_custom_id' => ['cooluser456'],

176 'mail' => [$this->mockUser->email],

177 ]]);

178

179 $resp = $this->mockUserLogin();

180 $resp->assertRedirect('/');

181 $this->followRedirects($resp)->assertSee($this->mockUser->name);

182 $this->assertDatabaseHas('users', ['email' => $this->mockUser->email, 'email_confirmed' => false, 'external_auth_id' => 'cooluser456']);

183 }

184

185 public function test_initial_incorrect_credentials()

186 {

187 $this->commonLdapMocks(1, 1, 1, 0, 1);

188 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(1)

189 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))

190 ->andReturn(['count' => 1, 0 => [

191 'uid' => [$this->mockUser->name],

192 'cn' => [$this->mockUser->name],

193 'dn' => ['dc=test' . config('services.ldap.base_dn')],

194 ]]);

195 $this->mockLdap->shouldReceive('bind')->times(2)->andReturn(true, false);

196

197 $resp = $this->mockUserLogin();

198 $resp->assertRedirect('/login');

199 $this->followRedirects($resp)->assertSee('These credentials do not match our records.');

200 $this->assertDatabaseMissing('users', ['external_auth_id' => $this->mockUser->name]);

201 }

202

203 public function test_login_not_found_username()

204 {

205 $this->commonLdapMocks(1, 1, 1, 1, 1);

206 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(1)

207 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))

208 ->andReturn(['count' => 0]);

209

210 $resp = $this->mockUserLogin();

211 $resp->assertRedirect('/login');

212 $this->followRedirects($resp)->assertSee('These credentials do not match our records.');

213 $this->assertDatabaseMissing('users', ['external_auth_id' => $this->mockUser->name]);

214 }

215

216 public function test_create_user_form()

217 {

218 $userForm = $this->asAdmin()->get('/settings/users/create');

219 $userForm->assertDontSee('Password');

220

221 $save = $this->post('/settings/users/create', [

222 'name' => $this->mockUser->name,

223 'email' => $this->mockUser->email,

224 ]);

225 $save->assertSessionHasErrors(['external_auth_id' => 'The external auth id field is required.']);

226

227 $save = $this->post('/settings/users/create', [

228 'name' => $this->mockUser->name,

229 'email' => $this->mockUser->email,

230 'external_auth_id' => $this->mockUser->name,

231 ]);

232 $save->assertRedirect('/settings/users');

233 $this->assertDatabaseHas('users', ['email' => $this->mockUser->email, 'external_auth_id' => $this->mockUser->name, 'email_confirmed' => true]);

234 }

235

236 public function test_user_edit_form()

237 {

238 $editUser = $this->getNormalUser();

239 $editPage = $this->asAdmin()->get("/settings/users/{$editUser->id}");

240 $editPage->assertSee('Edit User');

241 $editPage->assertDontSee('Password');

242

243 $update = $this->put("/settings/users/{$editUser->id}", [

244 'name' => $editUser->name,

245 'email' => $editUser->email,

246 'external_auth_id' => 'test_auth_id',

247 ]);

248 $update->assertRedirect('/settings/users');

249 $this->assertDatabaseHas('users', ['email' => $editUser->email, 'external_auth_id' => 'test_auth_id']);

250 }

251

252 public function test_registration_disabled()

253 {

254 $this->followingRedirects()->get('/register')->assertElementContains('#content', 'Log In');

255 }

256

257 public function test_non_admins_cannot_change_auth_id()

258 {

259 $testUser = $this->getNormalUser();

260 $this->actingAs($testUser)

261 ->get('/settings/users/' . $testUser->id)

262 ->assertDontSee('External Authentication');

263 }

264

265 public function test_login_maps_roles_and_retains_existing_roles()

266 {

267 $roleToReceive = Role::factory()->create(['display_name' => 'LdapTester']);

268 $roleToReceive2 = Role::factory()->create(['display_name' => 'LdapTester Second']);

269 $existingRole = Role::factory()->create(['display_name' => 'ldaptester-existing']);

270 $this->mockUser->forceFill(['external_auth_id' => $this->mockUser->name])->save();

271 $this->mockUser->attachRole($existingRole);

272

273 app('config')->set([

274 'services.ldap.user_to_groups' => true,

275 'services.ldap.group_attribute' => 'memberOf',

276 'services.ldap.remove_from_groups' => false,

277 ]);

278

279 $this->commonLdapMocks(1, 1, 4, 5, 4, 6);

280 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(4)

281 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))

282 ->andReturn(['count' => 1, 0 => [

283 'uid' => [$this->mockUser->name],

284 'cn' => [$this->mockUser->name],

285 'dn' => ['dc=test' . config('services.ldap.base_dn')],

286 'mail' => [$this->mockUser->email],

287 'memberof' => [

288 'count' => 2,

289 0 => 'cn=ldaptester,ou=groups,dc=example,dc=com',

290 1 => 'cn=ldaptester-second,ou=groups,dc=example,dc=com',

291 ],

292 ]]);

293

294 $this->mockUserLogin()->assertRedirect('/');

295

296 $user = User::where('email', $this->mockUser->email)->first();

297 $this->assertDatabaseHas('role_user', [

298 'user_id' => $user->id,

299 'role_id' => $roleToReceive->id,

300 ]);

301 $this->assertDatabaseHas('role_user', [

302 'user_id' => $user->id,

303 'role_id' => $roleToReceive2->id,

304 ]);

305 $this->assertDatabaseHas('role_user', [

306 'user_id' => $user->id,

307 'role_id' => $existingRole->id,

308 ]);

309 }

310

311 public function test_login_maps_roles_and_removes_old_roles_if_set()

312 {

313 $roleToReceive = Role::factory()->create(['display_name' => 'LdapTester']);

314 $existingRole = Role::factory()->create(['display_name' => 'ldaptester-existing']);

315 $this->mockUser->forceFill(['external_auth_id' => $this->mockUser->name])->save();

316 $this->mockUser->attachRole($existingRole);

317

318 app('config')->set([

319 'services.ldap.user_to_groups' => true,

320 'services.ldap.group_attribute' => 'memberOf',

321 'services.ldap.remove_from_groups' => true,

322 ]);

323

324 $this->commonLdapMocks(1, 1, 3, 4, 3, 2);

325 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(3)

326 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))

327 ->andReturn(['count' => 1, 0 => [

328 'uid' => [$this->mockUser->name],

329 'cn' => [$this->mockUser->name],

330 'dn' => ['dc=test' . config('services.ldap.base_dn')],

331 'mail' => [$this->mockUser->email],

332 'memberof' => [

333 'count' => 1,

334 0 => 'cn=ldaptester,ou=groups,dc=example,dc=com',

335 ],

336 ]]);

337

338 $this->mockUserLogin()->assertRedirect('/');

339

340 $user = User::query()->where('email', $this->mockUser->email)->first();

341 $this->assertDatabaseHas('role_user', [

342 'user_id' => $user->id,

343 'role_id' => $roleToReceive->id,

344 ]);

345 $this->assertDatabaseMissing('role_user', [

346 'user_id' => $user->id,

347 'role_id' => $existingRole->id,

348 ]);

349 }

350

351 public function test_dump_user_groups_shows_group_related_details_as_json()

352 {

353 app('config')->set([

354 'services.ldap.user_to_groups' => true,

355 'services.ldap.group_attribute' => 'memberOf',

356 'services.ldap.remove_from_groups' => true,

357 'services.ldap.dump_user_groups' => true,

358 ]);

359

360 $userResp = ['count' => 1, 0 => [

361 'uid' => [$this->mockUser->name],

362 'cn' => [$this->mockUser->name],

363 'dn' => 'dc=test,' . config('services.ldap.base_dn'),

364 'mail' => [$this->mockUser->email],

365 ]];

366 $this->commonLdapMocks(1, 1, 4, 5, 4, 2);

367 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(4)

368 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))

369 ->andReturn($userResp, ['count' => 1,

370 0 => [

371 'dn' => 'dc=test,' . config('services.ldap.base_dn'),

372 'memberof' => [

373 'count' => 1,

374 0 => 'cn=ldaptester,ou=groups,dc=example,dc=com',

375 ],

376 ],

377 ], [

378 'count' => 1,

379 0 => [

380 'dn' => 'cn=ldaptester,ou=groups,dc=example,dc=com',

381 'memberof' => [

382 'count' => 1,

383 0 => 'cn=monsters,ou=groups,dc=example,dc=com',

384 ],

385 ],

386 ], ['count' => 0]);

387

388 $resp = $this->mockUserLogin();

389 $resp->assertJson([

390 'details_from_ldap' => [

391 'dn' => 'dc=test,' . config('services.ldap.base_dn'),

392 'memberof' => [

393 0 => 'cn=ldaptester,ou=groups,dc=example,dc=com',

394 'count' => 1,

395 ],

396 ],

397 'parsed_direct_user_groups' => [

398 'ldaptester',

399 ],

400 'parsed_recursive_user_groups' => [

401 'ldaptester',

402 'monsters',

403 ],

404 ]);

405 }

406

407 public function test_external_auth_id_visible_in_roles_page_when_ldap_active()

408 {

409 $role = Role::factory()->create(['display_name' => 'ldaptester', 'external_auth_id' => 'ex-auth-a, test-second-param']);

410 $this->asAdmin()->get('/settings/roles/' . $role->id)

411 ->assertSee('ex-auth-a');

412 }

413

414 public function test_login_maps_roles_using_external_auth_ids_if_set()

415 {

416 $roleToReceive = Role::factory()->create(['display_name' => 'ldaptester', 'external_auth_id' => 'test-second-param, ex-auth-a']);

417 $roleToNotReceive = Role::factory()->create(['display_name' => 'ex-auth-a', 'external_auth_id' => 'test-second-param']);

418

419 app('config')->set([

420 'services.ldap.user_to_groups' => true,

421 'services.ldap.group_attribute' => 'memberOf',

422 'services.ldap.remove_from_groups' => true,

423 ]);

424

425 $this->commonLdapMocks(1, 1, 3, 4, 3, 2);

426 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(3)

427 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))

428 ->andReturn(['count' => 1, 0 => [

429 'uid' => [$this->mockUser->name],

430 'cn' => [$this->mockUser->name],

431 'dn' => ['dc=test' . config('services.ldap.base_dn')],

432 'mail' => [$this->mockUser->email],

433 'memberof' => [

434 'count' => 1,

435 0 => 'cn=ex-auth-a,ou=groups,dc=example,dc=com',

436 ],

437 ]]);

438

439 $this->mockUserLogin()->assertRedirect('/');

440

441 $user = User::query()->where('email', $this->mockUser->email)->first();

442 $this->assertDatabaseHas('role_user', [

443 'user_id' => $user->id,

444 'role_id' => $roleToReceive->id,

445 ]);

446 $this->assertDatabaseMissing('role_user', [

447 'user_id' => $user->id,

448 'role_id' => $roleToNotReceive->id,

449 ]);

450 }

451

452 public function test_login_group_mapping_does_not_conflict_with_default_role()

453 {

454 $roleToReceive = Role::factory()->create(['display_name' => 'LdapTester']);

455 $roleToReceive2 = Role::factory()->create(['display_name' => 'LdapTester Second']);

456 $this->mockUser->forceFill(['external_auth_id' => $this->mockUser->name])->save();

457

458 setting()->put('registration-role', $roleToReceive->id);

459

460 app('config')->set([

461 'services.ldap.user_to_groups' => true,

462 'services.ldap.group_attribute' => 'memberOf',

463 'services.ldap.remove_from_groups' => true,

464 ]);

465

466 $this->commonLdapMocks(1, 1, 4, 5, 4, 6);

467 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(4)

468 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))

469 ->andReturn(['count' => 1, 0 => [

470 'uid' => [$this->mockUser->name],

471 'cn' => [$this->mockUser->name],

472 'dn' => ['dc=test' . config('services.ldap.base_dn')],

473 'mail' => [$this->mockUser->email],

474 'memberof' => [

475 'count' => 2,

476 0 => 'cn=ldaptester,ou=groups,dc=example,dc=com',

477 1 => 'cn=ldaptester-second,ou=groups,dc=example,dc=com',

478 ],

479 ]]);

480

481 $this->mockUserLogin()->assertRedirect('/');

482

483 $user = User::query()->where('email', $this->mockUser->email)->first();

484 $this->assertDatabaseHas('role_user', [

485 'user_id' => $user->id,

486 'role_id' => $roleToReceive->id,

487 ]);

488 $this->assertDatabaseHas('role_user', [

489 'user_id' => $user->id,

490 'role_id' => $roleToReceive2->id,

491 ]);

492 }

493

494 public function test_login_uses_specified_display_name_attribute()

495 {

496 app('config')->set([

497 'services.ldap.display_name_attribute' => 'displayName',

498 ]);

499

500 $this->commonLdapMocks(1, 1, 2, 4, 2);

501 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(2)

502 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))

503 ->andReturn(['count' => 1, 0 => [

504 'uid' => [$this->mockUser->name],

505 'cn' => [$this->mockUser->name],

506 'dn' => ['dc=test' . config('services.ldap.base_dn')],

507 'displayname' => 'displayNameAttribute',

508 ]]);

509

510 $this->mockUserLogin()->assertRedirect('/login');

511 $this->get('/login')->assertSee('Please enter an email to use for this account.');

512

513 $resp = $this->mockUserLogin($this->mockUser->email);

514 $resp->assertRedirect('/');

515 $this->get('/')->assertSee('displayNameAttribute');

516 $this->assertDatabaseHas('users', ['email' => $this->mockUser->email, 'email_confirmed' => false, 'external_auth_id' => $this->mockUser->name, 'name' => 'displayNameAttribute']);

517 }

518

519 public function test_login_uses_default_display_name_attribute_if_specified_not_present()

520 {

521 app('config')->set([

522 'services.ldap.display_name_attribute' => 'displayName',

523 ]);

524

525 $this->commonLdapMocks(1, 1, 2, 4, 2);

526 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(2)

527 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))

528 ->andReturn(['count' => 1, 0 => [

529 'uid' => [$this->mockUser->name],

530 'cn' => [$this->mockUser->name],

531 'dn' => ['dc=test' . config('services.ldap.base_dn')],

532 ]]);

533

534 $this->mockUserLogin()->assertRedirect('/login');

535 $this->get('/login')->assertSee('Please enter an email to use for this account.');

536

537 $resp = $this->mockUserLogin($this->mockUser->email);

538 $resp->assertRedirect('/');

539 $this->get('/')->assertSee($this->mockUser->name);

540 $this->assertDatabaseHas('users', [

541 'email' => $this->mockUser->email,

542 'email_confirmed' => false,

543 'external_auth_id' => $this->mockUser->name,

544 'name' => $this->mockUser->name,

545 ]);

546 }

547

548 protected function checkLdapReceivesCorrectDetails($serverString, $expectedHost, $expectedPort)

549 {

550 app('config')->set([

551 'services.ldap.server' => $serverString,

552 ]);

553

554 // Standard mocks

555 $this->commonLdapMocks(0, 1, 1, 2, 1);

556 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(1)->andReturn(['count' => 1, 0 => [

557 'uid' => [$this->mockUser->name],

558 'cn' => [$this->mockUser->name],

559 'dn' => ['dc=test' . config('services.ldap.base_dn')],

560 ]]);

561

562 $this->mockLdap->shouldReceive('connect')->once()

563 ->with($expectedHost, $expectedPort)->andReturn($this->resourceId);

564 $this->mockUserLogin();

565 }

566

567 public function test_ldap_port_provided_on_host_if_host_is_full_uri()

568 {

569 $hostName = 'ldaps://bookstack:8080';

570 $this->checkLdapReceivesCorrectDetails($hostName, $hostName, 389);

571 }

572

573 public function test_ldap_port_parsed_from_server_if_host_is_not_full_uri()

574 {

575 $this->checkLdapReceivesCorrectDetails('ldap.bookstack.com:8080', 'ldap.bookstack.com', 8080);

576 }

577

578 public function test_default_ldap_port_used_if_not_in_server_string_and_not_uri()

579 {

580 $this->checkLdapReceivesCorrectDetails('ldap.bookstack.com', 'ldap.bookstack.com', 389);

581 }

582

583 public function test_forgot_password_routes_inaccessible()

584 {

585 $resp = $this->get('/password/email');

586 $this->assertPermissionError($resp);

587

588 $resp = $this->post('/password/email');

589 $this->assertPermissionError($resp);

590

591 $resp = $this->get('/password/reset/abc123');

592 $this->assertPermissionError($resp);

593

594 $resp = $this->post('/password/reset');

595 $this->assertPermissionError($resp);

596 }

597

598 public function test_user_invite_routes_inaccessible()

599 {

600 $resp = $this->get('/register/invite/abc123');

601 $this->assertPermissionError($resp);

602

603 $resp = $this->post('/register/invite/abc123');

604 $this->assertPermissionError($resp);

605 }

606

607 public function test_user_register_routes_inaccessible()

608 {

609 $resp = $this->get('/register');

610 $this->assertPermissionError($resp);

611

612 $resp = $this->post('/register');

613 $this->assertPermissionError($resp);

614 }

615

616 public function test_dump_user_details_option_works()

617 {

618 config()->set(['services.ldap.dump_user_details' => true, 'services.ldap.thumbnail_attribute' => 'jpegphoto']);

619

620 $this->commonLdapMocks(1, 1, 1, 1, 1);

621 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(1)

622 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))

623 ->andReturn(['count' => 1, 0 => [

624 'uid' => [$this->mockUser->name],

625 'cn' => [$this->mockUser->name],

626 // Test dumping binary data for avatar responses

627 'jpegphoto' => base64_decode('/9j/4AAQSkZJRg=='),

628 'dn' => ['dc=test' . config('services.ldap.base_dn')],

629 ]]);

630

631 $resp = $this->post('/login', [

632 'username' => $this->mockUser->name,

633 'password' => $this->mockUser->password,

634 ]);

635 $resp->assertJsonStructure([

636 'details_from_ldap' => [],

637 'details_bookstack_parsed' => [],

638 ]);

639 }

640

641 public function test_start_tls_called_if_option_set()

642 {

643 config()->set(['services.ldap.start_tls' => true]);

644 $this->mockLdap->shouldReceive('startTls')->once()->andReturn(true);

645 $this->runFailedAuthLogin();

646 }

647

648 public function test_connection_fails_if_tls_fails()

649 {

650 config()->set(['services.ldap.start_tls' => true]);

651 $this->mockLdap->shouldReceive('startTls')->once()->andReturn(false);

652 $this->commonLdapMocks(1, 1, 0, 0, 0);

653 $resp = $this->post('/login', ['username' => 'timmyjenkins', 'password' => 'cattreedog']);

654 $resp->assertStatus(500);

655 }

656

657 public function test_ldap_attributes_can_be_binary_decoded_if_marked()

658 {

659 config()->set(['services.ldap.id_attribute' => 'BIN;uid']);

660 $ldapService = app()->make(LdapService::class);

661 $this->commonLdapMocks(1, 1, 1, 1, 1);

662 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(1)

663 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), ['cn', 'dn', 'uid', 'mail', 'cn'])

664 ->andReturn(['count' => 1, 0 => [

665 'uid' => [hex2bin('FFF8F7')],

666 'cn' => [$this->mockUser->name],

667 'dn' => ['dc=test' . config('services.ldap.base_dn')],

668 ]]);

669

670 $details = $ldapService->getUserDetails('test');

671 $this->assertEquals('fff8f7', $details['uid']);

672 }

673

674 public function test_new_ldap_user_login_with_already_used_email_address_shows_error_message_to_user()

675 {

676 $this->commonLdapMocks(1, 1, 2, 4, 2);

677 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(2)

678 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))

679 ->andReturn(['count' => 1, 0 => [

680 'uid' => [$this->mockUser->name],

681 'cn' => [$this->mockUser->name],

682 'dn' => ['dc=test' . config('services.ldap.base_dn')],

683 'mail' => 'tester@example.com',

684 ]], ['count' => 1, 0 => [

685 'uid' => ['Barry'],

686 'cn' => ['Scott'],

687 'dn' => ['dc=bscott' . config('services.ldap.base_dn')],

688 'mail' => 'tester@example.com',

689 ]]);

690

691 // First user login

692 $this->mockUserLogin()->assertRedirect('/');

693

694 // Second user login

695 auth()->logout();

696 $resp = $this->followingRedirects()->post('/login', ['username' => 'bscott', 'password' => 'pass']);

697 $resp->assertSee('A user with the email tester@example.com already exists but with different credentials');

698 }

699

700 public function test_login_with_email_confirmation_required_maps_groups_but_shows_confirmation_screen()

701 {

702 $roleToReceive = Role::factory()->create(['display_name' => 'LdapTester']);

703 $user = User::factory()->make();

704 setting()->put('registration-confirmation', 'true');

705

706 app('config')->set([

707 'services.ldap.user_to_groups' => true,

708 'services.ldap.group_attribute' => 'memberOf',

709 'services.ldap.remove_from_groups' => true,

710 ]);

711

712 $this->commonLdapMocks(1, 1, 6, 8, 6, 4);

713 $this->mockLdap->shouldReceive('searchAndGetEntries')

714 ->times(6)

715 ->andReturn(['count' => 1, 0 => [

716 'uid' => [$user->name],

717 'cn' => [$user->name],

718 'dn' => ['dc=test' . config('services.ldap.base_dn')],

719 'mail' => [$user->email],

720 'memberof' => [

721 'count' => 1,

722 0 => 'cn=ldaptester,ou=groups,dc=example,dc=com',

723 ],

724 ]]);

725

726 $login = $this->followingRedirects()->mockUserLogin();

727 $login->assertSee('Thanks for registering!');

728 $this->assertDatabaseHas('users', [

729 'email' => $user->email,

730 'email_confirmed' => false,

731 ]);

732

733 $user = User::query()->where('email', '=', $user->email)->first();

734 $this->assertDatabaseHas('role_user', [

735 'user_id' => $user->id,

736 'role_id' => $roleToReceive->id,

737 ]);

738

739 $this->assertNull(auth()->user());

740

741 $homePage = $this->get('/');

742 $homePage->assertRedirect('/login');

743

744 $login = $this->followingRedirects()->mockUserLogin();

745 $login->assertSee('Email Address Not Confirmed');

746 }

747

748 public function test_failed_logins_are_logged_when_message_configured()

749 {

750 $log = $this->withTestLogger();

751 config()->set(['logging.failed_login.message' => 'Failed login for %u']);

752 $this->runFailedAuthLogin();

753 $this->assertTrue($log->hasWarningThatContains('Failed login for timmyjenkins'));

754 }

755

756 public function test_thumbnail_attribute_used_as_user_avatar_if_configured()

757 {

758 config()->set(['services.ldap.thumbnail_attribute' => 'jpegPhoto']);

759

760 $this->commonLdapMocks(1, 1, 1, 2, 1);

761 $ldapDn = 'cn=test-user,dc=test' . config('services.ldap.base_dn');

762 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(1)

763 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))

764 ->andReturn(['count' => 1, 0 => [

765 'cn' => [$this->mockUser->name],

766 'dn' => $ldapDn,

767 'jpegphoto' => [base64_decode('/9j/2wBDAAMCAgICAgMCAgIDAwMDBAYEBAQEBAgGBgUGCQgKCgkICQkKDA8MCgsOCwkJDRENDg8Q

768 EBEQCgwSExIQEw8QEBD/yQALCAABAAEBAREA/8wABgAQEAX/2gAIAQEAAD8A0s8g/9k=')],

769 'mail' => [$this->mockUser->email],

770 ]]);

771

772 $this->mockUserLogin()

773 ->assertRedirect('/');

774

775 $user = User::query()->where('email', '=', $this->mockUser->email)->first();

776 $this->assertNotNull($user->avatar);

777 $this->assertEquals('8c90748342f19b195b9c6b4eff742ded', md5_file(public_path($user->avatar->path)));

778 }

779 }