switch mcrypt to openssl_encrypt; tests

src/Auth/Business/JwtHelper.php

@@ -15,21 +15,24 @@ class JwtHelper
     const EXPIRATION_KEY =  "expiration_date";
     const SETTING_MCRYPT_KEY = "MCRYPT_KEY";
     const SETTING_JWT_KEY = "JWT_KEY";
+    const CRYPT_METHOD = "AES-256-CBC";
 
     public static function decode($token)
     {
         $app = LuticateApplication::getInstance();
         try
         {
-            $jwt = mcrypt_decrypt(MCRYPT_TRIPLEDES, $app->getSetting(self::SETTING_MCRYPT_KEY), base64_decode($token), "cbc");
-            $data = (array)\JWT::decode($jwt, $app->getSetting(self::SETTING_JWT_KEY), ['HS256']);
+            $key = $app->getSetting(static::SETTING_MCRYPT_KEY);
+            $iv = substr($key, 0, 16);
+            $jwt = openssl_decrypt(base64_decode($token), static::CRYPT_METHOD, $key, 0, $iv);
+            $data = (array)\JWT::decode($jwt, $app->getSetting(static::SETTING_JWT_KEY), ['HS256']);
         }
         catch (\Exception $e)
         {
             return null;
         }
 
-        $expiration_date = array_key_exists(self::EXPIRATION_KEY, $data) ? $data[self::EXPIRATION_KEY] : null;
+        $expiration_date = array_key_exists(static::EXPIRATION_KEY, $data) ? $data[static::EXPIRATION_KEY] : null;
         if (!is_numeric($expiration_date) || $expiration_date < time()) {
             return null;
         }
@@ -42,9 +45,11 @@ class JwtHelper
         $app = LuticateApplication::getInstance();
         $date = new \DateTime("now", new \DateTimeZone("Europe/Paris"));
         $date->modify("+${session_time} day");
-        $data[self::EXPIRATION_KEY] = $date->getTimestamp();
+        $data[static::EXPIRATION_KEY] = $date->getTimestamp();
+        $jwt = \JWT::encode($data, $app->getSetting(static::SETTING_JWT_KEY));
+        $key = $app->getSetting(static::SETTING_MCRYPT_KEY);
+        $iv = substr($key, 0, 16);
 
-        return base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, $app->getSetting(self::SETTING_MCRYPT_KEY),
-            \JWT::encode($data, $app->getSetting(self::SETTING_JWT_KEY)), "cbc"));
+        return base64_encode(openssl_encrypt($jwt, static::CRYPT_METHOD, $key, 0, $iv));
     }
 }

src/Auth/Business/LuUsersBusiness.php

@@ -9,13 +9,14 @@
 namespace Luticate\Auth\Business;
 
 use Luticate\Auth\DataAccess\LuUserDataAccess;
+use Luticate\Auth\Dbo\LuBuiltInPermissions;
 use Luticate\Auth\Dbo\Users\LuUsersAddDbo;
 use Luticate\Auth\Dbo\Users\LuUsersDbo;
 use Luticate\Auth\Dbo\Users\LuUsersEditDbo;
-use Luticate\Auth\Dbo\Users\LuUsersLiteDbo;
 use Luticate\Auth\Dbo\Users\LuUsersLoginDbo;
 use Luticate\Auth\Dbo\Users\LuUsersLoginResultDbo;
 use Luticate\Utils\Business\LuBusiness;
+use Luticate\Utils\Business\LuLog;
 use Luticate\Utils\Dbo\LuPaginatedDbo;
 use Luticate\Utils\Dbo\LuQueryDbo;
 
@@ -55,7 +56,7 @@ class LuUsersBusiness extends LuBusiness
         }
     }
 
-    public function getSalt($length = 10)
+    public function getSalt($length = 16)
     {
         $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
         $charactersLength = strlen($characters);
@@ -76,6 +77,50 @@ class LuUsersBusiness extends LuBusiness
         ), $session_time);
     }
 
+    public static function getUserFromToken(string $token)
+    {
+        $user = null;
+        if (!empty($token)) {
+            $data = JwtHelper::decode($token);
+            if ($data != null) {
+                /**
+                 * @var $user LuUsersDbo
+                 */
+                $user_id = intval($data[LuUsersBusiness::KEY_USER_ID]);
+                $salt = $data[LuUsersBusiness::KEY_SALT];
+                $user = LuUsersBusiness::getById($user_id);
+                if ($user->getSalt() !== $salt) {
+                    $user = null;
+                }
+            }
+        }
+        if (is_null($user)) {
+            $user = LuUsersBusiness::getById(0);
+        }
+        return $user;
+    }
+
+    public static function checkUserPermissions(LuUsersDbo $user, $permissions)
+    {
+        $perm = LuPermissionsBusiness::getUserEffectivePermissionByName($user->getId(), LuBuiltInPermissions::USER_LOGIN);
+        if (!$perm) {
+            LuBusiness::unauthorized("Account is disabled");
+        }
+
+        foreach ($permissions as $permission) {
+            try {
+                $perm = LuPermissionsBusiness::getUserEffectivePermissionByName($user->getId(), $permission);
+                if (!$perm) {
+                    LuBusiness::unauthorized("Permission denied");
+                }
+            } catch (\Exception $e)
+            {
+                LuLog::log($e);
+                LuBusiness::unauthorized("Permission denied");
+            }
+        }
+    }
+
     public function login(LuUsersLoginDbo $login)
     {
         $user = static::getDataAccess()->getByUsernameOrEmail($login->getUsername());

src/Auth/Dbo/Users/LuUsersDbo.php

@@ -30,7 +30,6 @@ class LuUsersDbo extends LuDbo
 
     /**
      * @var $_salt string
-     * @between 10 10
      */
     protected $_salt;
 

src/Auth/Middleware/LuAuthMiddleware.php

@@ -23,55 +23,17 @@ class LuAuthMiddleware implements LuAbstractMiddleware
     
     public function onBefore($_parameters, $_headers, $permissions = [])
     {
-        $user = null;
         $token = $_headers[self::TOKEN_HEADER] ?? null;
-        if ($token != null) {
-            $token = trim($token);
-            if ($token == "") {
-                $token = null;
-            }
-        }
-        if ($token != null) {
-            $data = JwtHelper::decode($token);
-            if ($data != null) {
-                /**
-                 * @var $user LuUsersDbo
-                 */
-                $user_id = intval($data[LuUsersBusiness::KEY_USER_ID]);
-                $salt = $data[LuUsersBusiness::KEY_SALT];
-                $user = LuUsersBusiness::getById($user_id);
-                if ($user->getSalt() !== $salt) {
-                    $user = null;
-                }
-            }
-        }
 
-        if (is_null($user)) {
-            if ($token != null) {
-                LuBusiness::unauthorized("Invalid token");
-            }
-            $user = LuUsersBusiness::getById(0);
+        $user = LuUsersBusiness::getUserFromToken($token);
+
+        if ($user->getId() === 0 && !empty($token)) {
+            LuBusiness::unauthorized("Invalid token");
         }
 
         $_parameters["_user"] = $user;
 
-        $perm = LuPermissionsBusiness::getUserEffectivePermissionByName($user->getId(), LuBuiltInPermissions::USER_LOGIN);
-        if (!$perm) {
-            LuBusiness::unauthorized("Account is disabled");
-        }
-        
-        foreach ($permissions as $permission) {
-            try {
-                $perm = LuPermissionsBusiness::getUserEffectivePermissionByName($user->getId(), $permission);
-                if (!$perm) {
-                    LuBusiness::unauthorized("Permission denied");
-                }
-            } catch (\Exception $e)
-            {
-                LuLog::log($e);
-                LuBusiness::unauthorized("Permission denied");
-            }
-        }
+        LuUsersBusiness::checkUserPermissions($user, $permissions);
 
         return $_parameters;
     }

tests/LuUsersTest.php

@@ -1,6 +1,9 @@
 <?php
+use Luticate\Auth\Business\LuUsersBusiness;
 use Luticate\Auth\Controller\LuUsersController;
 use Luticate\Auth\Dbo\Users\LuUsersAddDbo;
+use Luticate\Auth\Dbo\Users\LuUsersLoginDbo;
+use Luticate\Utils\Business\LuBusinessException;
 use Luticate\Utils\Controller\LuticateApplication;
 use Luticate\Utils\DataAccess\LuDataAccess;
 
@@ -28,6 +31,11 @@ class LuUsersTest extends \PHPUnit_Framework_TestCase
         Db::getPdo()->query("DELETE FROM lu_users WHERE username LIKE '_test_%'");
     }
 
+    public static function tearDownAfterClass()
+    {
+        static::setUpBeforeClass();
+    }
+
     public function testUserAdd1()
     {
         $ctrl = static::getCtrl();
@@ -45,11 +53,104 @@ class LuUsersTest extends \PHPUnit_Framework_TestCase
 
         $this->assertNotNull($user);
         $this->assertNotNull($user->getId());
-        $this->assertSame($user->getUsername(), "_test_user1");
-        $this->assertSame($user->getFirstname(), "Test");
-        $this->assertSame($user->getLastname(), "user1");
-        $this->assertSame($user->getEmail(), "test.user1@example.com");
+        $this->assertSame("_test_user1", $user->getUsername());
+        $this->assertSame("Test", $user->getFirstname());
+        $this->assertSame("user1", $user->getLastname());
+        $this->assertSame("test.user1@example.com", $user->getEmail());
+        $this->assertNull($user->getExternalAuth());
+        $this->assertNull($user->getProfileId());
+    }
+
+    public function testUserAdd2()
+    {
+        $ctrl = static::getCtrl();
+
+        $newUser = new LuUsersAddDbo();
+        $newUser->setUsername("_test_user1");
+        $newUser->setPassword("test42");
+        $newUser->setFirstname("Test");
+        $newUser->setLastname("user1");
+        $newUser->setEmail("test.user1@example.com");
+        $newUser->setExternalAuth(null);
+        $newUser->setProfileId(null);
+
+        $this->expectException(LuBusinessException::class);
+        $ctrl->add($newUser);
+    }
+
+    public function testUserAdd3()
+    {
+        $ctrl = static::getCtrl();
+
+        $newUser = new LuUsersAddDbo();
+        $newUser->setUsername("_test_user2");
+        $newUser->setPassword("test42");
+        $newUser->setFirstname("Test");
+        $newUser->setLastname("user1");
+        $newUser->setEmail("test.user1@example.com");
+        $newUser->setExternalAuth(null);
+        $newUser->setProfileId(null);
+
+        $this->expectException(LuBusinessException::class);
+        $ctrl->add($newUser);
+    }
+
+    public function testUserAdd4()
+    {
+        $ctrl = static::getCtrl();
+
+        $newUser = new LuUsersAddDbo();
+        $newUser->setUsername("_test_user2");
+        $newUser->setPassword("test24");
+        $newUser->setFirstname("Test");
+        $newUser->setLastname("user2");
+        $newUser->setEmail("test.user2@example.com");
+        $newUser->setExternalAuth(null);
+        $newUser->setProfileId(null);
+
+        $user = $ctrl->add($newUser);
+
+        $this->assertNotNull($user);
+        $this->assertNotNull($user->getId());
+        $this->assertSame("_test_user2", $user->getUsername());
+        $this->assertSame("Test", $user->getFirstname());
+        $this->assertSame("user2", $user->getLastname());
+        $this->assertSame("test.user2@example.com", $user->getEmail());
         $this->assertNull($user->getExternalAuth());
         $this->assertNull($user->getProfileId());
     }
+
+    public function testUserLogin1()
+    {
+        $ctrl = static::getCtrl();
+
+        $loginDbo = new LuUsersLoginDbo();
+        $loginDbo->setUsername("_test_user1");
+        $loginDbo->setPassword("test42");
+        $loginResult = $ctrl->login($loginDbo);
+
+        $this->assertNotNull($loginResult);
+        $this->assertSame("test.user1@example.com", $loginResult->getEmail());
+
+        $loggedUser = LuUsersBusiness::getUserFromToken($loginResult->getToken());
+
+        $this->assertSame("test.user1@example.com", $loggedUser->getEmail());
+    }
+
+    public function testUserLogin2()
+    {
+        $ctrl = static::getCtrl();
+
+        $loginDbo = new LuUsersLoginDbo();
+        $loginDbo->setUsername("_test_user2");
+        $loginDbo->setPassword("test24");
+        $loginResult = $ctrl->login($loginDbo);
+
+        $this->assertNotNull($loginResult);
+        $this->assertSame("test.user2@example.com", $loginResult->getEmail());
+
+        $loggedUser = LuUsersBusiness::getUserFromToken($loginResult->getToken());
+
+        $this->assertSame("test.user2@example.com", $loggedUser->getEmail());
+    }
 }

tests/data_permissions.sql

@@ -0,0 +1,139 @@
+--
+-- PostgreSQL database dump
+--
+
+SET statement_timeout = 0;
+SET lock_timeout = 0;
+SET client_encoding = 'UTF8';
+SET standard_conforming_strings = on;
+SET check_function_bodies = false;
+SET client_min_messages = warning;
+
+SET search_path = public, pg_catalog;
+
+--
+-- Data for Name: lu_groups; Type: TABLE DATA; Schema: public; Owner: -
+--
+
+INSERT INTO lu_groups VALUES (5, 'ganonymous1_1');
+INSERT INTO lu_groups VALUES (6, 'ganonymous2_1');
+INSERT INTO lu_groups VALUES (7, 'ganonymous2_2');
+INSERT INTO lu_groups VALUES (8, 'ganonymous3_1');
+INSERT INTO lu_groups VALUES (9, 'ganonymous3_2');
+INSERT INTO lu_groups VALUES (10, 'ganonymous4_1');
+INSERT INTO lu_groups VALUES (11, 'ganonymous4_2');
+INSERT INTO lu_groups VALUES (12, 'ganonymous5_1');
+INSERT INTO lu_groups VALUES (13, 'ganonymous5_2');
+INSERT INTO lu_groups VALUES (14, 'ganonymous6_1');
+INSERT INTO lu_groups VALUES (15, 'ganonymous6_2');
+
+
+--
+-- Name: lu_groups_id_seq; Type: SEQUENCE SET; Schema: public; Owner: -
+--
+
+SELECT pg_catalog.setval('lu_groups_id_seq', 15, true);
+
+
+--
+-- Data for Name: lu_permissions; Type: TABLE DATA; Schema: public; Owner: -
+--
+
+INSERT INTO lu_permissions VALUES (3, 'LU_TEST_SIMPLE_TRUE', true);
+INSERT INTO lu_permissions VALUES (4, 'LU_TEST_SIMPLE_FALSE', false);
+INSERT INTO lu_permissions VALUES (5, 'LU_TEST_GROUP_1_TRUE', true);
+INSERT INTO lu_permissions VALUES (6, 'LU_TEST_GROUP_1_FALSE', true);
+INSERT INTO lu_permissions VALUES (7, 'LU_TEST_GROUP_2_TRUE', false);
+INSERT INTO lu_permissions VALUES (8, 'LU_TEST_GROUP_3_FALSE', true);
+INSERT INTO lu_permissions VALUES (9, 'LU_TEST_GROUP_4_FALSE', true);
+INSERT INTO lu_permissions VALUES (10, 'LU_TEST_USER_5_TRUE', false);
+INSERT INTO lu_permissions VALUES (11, 'LU_TEST_USER_6_FALSE', true);
+
+
+--
+-- Data for Name: lu_permissions_groups; Type: TABLE DATA; Schema: public; Owner: -
+--
+
+INSERT INTO lu_permissions_groups VALUES (5, true, 5);
+INSERT INTO lu_permissions_groups VALUES (6, false, 5);
+INSERT INTO lu_permissions_groups VALUES (7, true, 6);
+INSERT INTO lu_permissions_groups VALUES (7, true, 7);
+INSERT INTO lu_permissions_groups VALUES (8, true, 8);
+INSERT INTO lu_permissions_groups VALUES (8, false, 9);
+INSERT INTO lu_permissions_groups VALUES (9, false, 10);
+INSERT INTO lu_permissions_groups VALUES (9, false, 11);
+INSERT INTO lu_permissions_groups VALUES (10, false, 12);
+INSERT INTO lu_permissions_groups VALUES (10, false, 13);
+INSERT INTO lu_permissions_groups VALUES (11, true, 14);
+INSERT INTO lu_permissions_groups VALUES (11, true, 15);
+INSERT INTO lu_permissions_groups VALUES (7, false, 5);
+
+
+--
+-- Name: lu_permissions_id_seq; Type: SEQUENCE SET; Schema: public; Owner: -
+--
+
+SELECT pg_catalog.setval('lu_permissions_id_seq', 11, true);
+
+
+--
+-- Data for Name: lu_users; Type: TABLE DATA; Schema: public; Owner: -
+--
+
+INSERT INTO lu_users VALUES (1, 'anonymous1', NULL, '', NULL, NULL, 'anonymous1@anonymous.com', NULL, NULL);
+INSERT INTO lu_users VALUES (0, 'anonymous0', NULL, '', NULL, NULL, 'anonymous0@anonymous.com', NULL, NULL);
+INSERT INTO lu_users VALUES (2, 'anonymous2', NULL, '', NULL, NULL, 'anonymous2@anonymous.com', NULL, NULL);
+INSERT INTO lu_users VALUES (3, 'anonymous3', NULL, '', NULL, NULL, 'anonymous3@anonymous.com', NULL, NULL);
+INSERT INTO lu_users VALUES (4, 'anonymous4', NULL, '', NULL, NULL, 'anonymous4@anonymous.com', NULL, NULL);
+INSERT INTO lu_users VALUES (5, 'anonymous5', NULL, '', NULL, NULL, 'anonymous5@anonymous.com', NULL, NULL);
+INSERT INTO lu_users VALUES (6, 'anonymous6', NULL, '', NULL, NULL, 'anonymous6@anonymous.com', NULL, NULL);
+
+
+--
+-- Data for Name: lu_permissions_users; Type: TABLE DATA; Schema: public; Owner: -
+--
+
+INSERT INTO lu_permissions_users VALUES (11, false, 6);
+INSERT INTO lu_permissions_users VALUES (10, true, 5);
+
+
+--
+-- Data for Name: lu_settings; Type: TABLE DATA; Schema: public; Owner: -
+--
+
+
+
+--
+-- Data for Name: lu_settings_users; Type: TABLE DATA; Schema: public; Owner: -
+--
+
+
+
+--
+-- Data for Name: lu_users_groups; Type: TABLE DATA; Schema: public; Owner: -
+--
+
+INSERT INTO lu_users_groups VALUES (1, 5);
+INSERT INTO lu_users_groups VALUES (2, 6);
+INSERT INTO lu_users_groups VALUES (2, 7);
+INSERT INTO lu_users_groups VALUES (3, 8);
+INSERT INTO lu_users_groups VALUES (3, 9);
+INSERT INTO lu_users_groups VALUES (4, 10);
+INSERT INTO lu_users_groups VALUES (4, 11);
+INSERT INTO lu_users_groups VALUES (5, 12);
+INSERT INTO lu_users_groups VALUES (5, 13);
+INSERT INTO lu_users_groups VALUES (6, 14);
+INSERT INTO lu_users_groups VALUES (6, 15);
+
+
+--
+-- Name: lu_users_id_seq; Type: SEQUENCE SET; Schema: public; Owner: -
+--
+
+SELECT pg_catalog.setval('lu_users_id_seq', 13, true);
+
+
+--
+-- PostgreSQL database dump complete
+--
+