
switch mcrypt to openssl_encrypt; tests

develop
Robin Thoni před 8 roky
rodič
revize
46ff16962a

+ 11
- 6
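--- a/src/Auth/Business/JwtHelper.php
+++ b/src/Auth/Business/JwtHelper.php
@@ -15,21 +15,24 @@ class JwtHelper
     const EXPIRATION_KEY =  "expiration_date";
     const SETTING_MCRYPT_KEY = "MCRYPT_KEY";
     const SETTING_JWT_KEY = "JWT_KEY";
+    const CRYPT_METHOD = "AES-256-CBC";
 
     public static function decode($token)
     {
         $app = LuticateApplication::getInstance();
         try
         {
-            $jwt = mcrypt_decrypt(MCRYPT_TRIPLEDES, $app->getSetting(self::SETTING_MCRYPT_KEY), base64_decode($token), "cbc");
-            $data = (array)\JWT::decode($jwt, $app->getSetting(self::SETTING_JWT_KEY), ['HS256']);
+            $key = $app->getSetting(static::SETTING_MCRYPT_KEY);
+            $iv = substr($key, 0, 16);
+            $jwt = openssl_decrypt(base64_decode($token), static::CRYPT_METHOD, $key, 0, $iv);
+            $data = (array)\JWT::decode($jwt, $app->getSetting(static::SETTING_JWT_KEY), ['HS256']);
         }
         catch (\Exception $e)
         {
             return null;
         }
 
-        $expiration_date = array_key_exists(self::EXPIRATION_KEY, $data) ? $data[self::EXPIRATION_KEY] : null;
+        $expiration_date = array_key_exists(static::EXPIRATION_KEY, $data) ? $data[static::EXPIRATION_KEY] : null;
         if (!is_numeric($expiration_date) || $expiration_date < time()) {
             return null;
         }
@@ -42,9 +45,11 @@ class JwtHelper
         $app = LuticateApplication::getInstance();
         $date = new \DateTime("now", new \DateTimeZone("Europe/Paris"));
         $date->modify("+${session_time} day");
-        $data[self::EXPIRATION_KEY] = $date->getTimestamp();
+        $data[static::EXPIRATION_KEY] = $date->getTimestamp();
+        $jwt = \JWT::encode($data, $app->getSetting(static::SETTING_JWT_KEY));
+        $key = $app->getSetting(static::SETTING_MCRYPT_KEY);
+        $iv = substr($key, 0, 16);
 
-        return base64_encode(mcrypt_encrypt(MCRYPT_TRIPLEDES, $app->getSetting(self::SETTING_MCRYPT_KEY),
-            \JWT::encode($data, $app->getSetting(self::SETTING_JWT_KEY)), "cbc"));
+        return base64_encode(openssl_encrypt($jwt, static::CRYPT_METHOD, $key, 0, $iv));
     }
 }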
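Review bot: The IV on the new lines `$iv = substr($key, 0, 16);` (decode in hunk 1, encode in hunk 2) is the first 16 bytes of the encryption key itself, so every token is encrypted under the same key-derived IV; CBC with a fixed IV reveals whether two tokens share a plaintext prefix, and using key bytes as the IV spends key material on a value that is not secret. Generate a fresh IV per token with `random_bytes(openssl_cipher_iv_length(static::CRYPT_METHOD))`, prepend it to the raw ciphertext, and split it back off in decode; `OPENSSL_RAW_DATA` also avoids the double base64 that option `0` currently produces. openssl_decrypt returns false on failure and that false is handed straight to \JWT::decode, which only works because the catch swallows everything, so an explicit check reads better. AES-256-CBC expects a 32-byte key and openssl_encrypt does not enforce that, so the MCRYPT_KEY setting's length is worth verifying (I cannot see it from here). The encode function's start lies outside hunk 2.
```php
            $key = $app->getSetting(static::SETTING_MCRYPT_KEY);
            $ivLength = openssl_cipher_iv_length(static::CRYPT_METHOD);
            $raw = base64_decode($token, true);
            if ($raw === false || strlen($raw) <= $ivLength) {
                return null;
            }
            $iv = substr($raw, 0, $ivLength);
            $jwt = openssl_decrypt(substr($raw, $ivLength), static::CRYPT_METHOD, $key, OPENSSL_RAW_DATA, $iv);
            if ($jwt === false) {
                return null;
            }
            // … unchanged: \JWT::decode, catch block, expiration check …

        // … unchanged: encode up to $jwt = \JWT::encode(...) …
        $key = $app->getSetting(static::SETTING_MCRYPT_KEY);
        $iv = random_bytes(openssl_cipher_iv_length(static::CRYPT_METHOD));
        $cipher = openssl_encrypt($jwt, static::CRYPT_METHOD, $key, OPENSSL_RAW_DATA, $iv);

        return base64_encode($iv . $cipher);
```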

+ 47
- 2
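--- a/src/Auth/Business/LuUsersBusiness.php
+++ b/src/Auth/Business/LuUsersBusiness.php
@@ -9,13 +9,14 @@
 namespace Luticate\Auth\Business;
 
 use Luticate\Auth\DataAccess\LuUserDataAccess;
+use Luticate\Auth\Dbo\LuBuiltInPermissions;
 use Luticate\Auth\Dbo\Users\LuUsersAddDbo;
 use Luticate\Auth\Dbo\Users\LuUsersDbo;
 use Luticate\Auth\Dbo\Users\LuUsersEditDbo;
-use Luticate\Auth\Dbo\Users\LuUsersLiteDbo;
 use Luticate\Auth\Dbo\Users\LuUsersLoginDbo;
 use Luticate\Auth\Dbo\Users\LuUsersLoginResultDbo;
 use Luticate\Utils\Business\LuBusiness;
+use Luticate\Utils\Business\LuLog;
 use Luticate\Utils\Dbo\LuPaginatedDbo;
 use Luticate\Utils\Dbo\LuQueryDbo;
 
@@ -55,7 +56,7 @@ class LuUsersBusiness extends LuBusiness
         }
     }
 
-    public function getSalt($length = 10)
+    public function getSalt($length = 16)
     {
         $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
         $charactersLength = strlen($characters);
@@ -76,6 +77,50 @@ class LuUsersBusiness extends LuBusiness
         ), $session_time);
     }
 
+    public static function getUserFromToken(string $token)
+    {
+        $user = null;
+        if (!empty($token)) {
+            $data = JwtHelper::decode($token);
+            if ($data != null) {
+                /**
+                 * @var $user LuUsersDbo
+                 */
+                $user_id = intval($data[LuUsersBusiness::KEY_USER_ID]);
+                $salt = $data[LuUsersBusiness::KEY_SALT];
+                $user = LuUsersBusiness::getById($user_id);
+                if ($user->getSalt() !== $salt) {
+                    $user = null;
+                }
+            }
+        }
+        if (is_null($user)) {
+            $user = LuUsersBusiness::getById(0);
+        }
+        return $user;
+    }
+
+    public static function checkUserPermissions(LuUsersDbo $user, $permissions)
+    {
+        $perm = LuPermissionsBusiness::getUserEffectivePermissionByName($user->getId(), LuBuiltInPermissions::USER_LOGIN);
+        if (!$perm) {
+            LuBusiness::unauthorized("Account is disabled");
+        }
+
+        foreach ($permissions as $permission) {
+            try {
+                $perm = LuPermissionsBusiness::getUserEffectivePermissionByName($user->getId(), $permission);
+                if (!$perm) {
+                    LuBusiness::unauthorized("Permission denied");
+                }
+            } catch (\Exception $e)
+            {
+                LuLog::log($e);
+                LuBusiness::unauthorized("Permission denied");
+            }
+        }
+    }
+
     public function login(LuUsersLoginDbo $login)
     {
         $user = static::getDataAccess()->getByUsernameOrEmail($login->getUsername());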
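Review bot: In getUserFromToken (third hunk), `$data[LuUsersBusiness::KEY_USER_ID]` and `$data[LuUsersBusiness::KEY_SALT]` are read without checking that the decoded payload carries those keys, and the result of `LuUsersBusiness::getById($user_id)` is dereferenced with `$user->getSalt()` before any null check, so a validly signed token for a user that no longer exists would fail hard (if getById returns null there — I cannot see its contract) instead of falling back to the anonymous user. Guard the payload with `if ($data != null && isset($data[LuUsersBusiness::KEY_USER_ID], $data[LuUsersBusiness::KEY_SALT])) {` and the lookup with `if ($user === null || !hash_equals((string)$user->getSalt(), (string)$salt)) {`; hash_equals also makes the salt comparison constant-time. These reads were moved here verbatim from the middleware, so the gap is pre-existing rather than introduced by this commit. In checkUserPermissions the USER_LOGIN lookup sits outside the try/catch that wraps the per-permission lookups, so an exception from that first call propagates unlogged while the others are logged and turned into unauthorized; aligning the two would make failures consistent.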

+ 0
- 1
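--- a/src/Auth/Dbo/Users/LuUsersDbo.php
+++ b/src/Auth/Dbo/Users/LuUsersDbo.php
@@ -30,7 +30,6 @@ class LuUsersDbo extends LuDbo
 
     /**
      * @var $_salt string
-     * @between 10 10
      */
     protected $_salt;
 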

+ 5
- 43
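--- a/src/Auth/Middleware/LuAuthMiddleware.php
+++ b/src/Auth/Middleware/LuAuthMiddleware.php
@@ -23,55 +23,17 @@ class LuAuthMiddleware implements LuAbstractMiddleware
     
     public function onBefore($_parameters, $_headers, $permissions = [])
     {
-        $user = null;
         $token = $_headers[self::TOKEN_HEADER] ?? null;
-        if ($token != null) {
-            $token = trim($token);
-            if ($token == "") {
-                $token = null;
-            }
-        }
-        if ($token != null) {
-            $data = JwtHelper::decode($token);
-            if ($data != null) {
-                /**
-                 * @var $user LuUsersDbo
-                 */
-                $user_id = intval($data[LuUsersBusiness::KEY_USER_ID]);
-                $salt = $data[LuUsersBusiness::KEY_SALT];
-                $user = LuUsersBusiness::getById($user_id);
-                if ($user->getSalt() !== $salt) {
-                    $user = null;
-                }
-            }
-        }
 
-        if (is_null($user)) {
-            if ($token != null) {
-                LuBusiness::unauthorized("Invalid token");
-            }
-            $user = LuUsersBusiness::getById(0);
+        $user = LuUsersBusiness::getUserFromToken($token);
+
+        if ($user->getId() === 0 && !empty($token)) {
+            LuBusiness::unauthorized("Invalid token");
         }
 
         $_parameters["_user"] = $user;
 
-        $perm = LuPermissionsBusiness::getUserEffectivePermissionByName($user->getId(), LuBuiltInPermissions::USER_LOGIN);
-        if (!$perm) {
-            LuBusiness::unauthorized("Account is disabled");
-        }
-        
-        foreach ($permissions as $permission) {
-            try {
-                $perm = LuPermissionsBusiness::getUserEffectivePermissionByName($user->getId(), $permission);
-                if (!$perm) {
-                    LuBusiness::unauthorized("Permission denied");
-                }
-            } catch (\Exception $e)
-            {
-                LuLog::log($e);
-                LuBusiness::unauthorized("Permission denied");
-            }
-        }
+        LuUsersBusiness::checkUserPermissions($user, $permissions);
 
         return $_parameters;
     }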
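Review bot: When the token header is absent, `$_headers[self::TOKEN_HEADER] ?? null` leaves `$token` null and the new line `$user = LuUsersBusiness::getUserFromToken($token);` passes it to a parameter declared `string $token`; PHP does not coerce null for a non-nullable scalar parameter, so an anonymous request would now end in a TypeError instead of resolving to the anonymous user. The commit also drops the `trim()` the old code applied before its empty check, so a header containing only whitespace is now treated as a token and rejected as invalid. Both are covered by reading the header as `$token = trim((string)($_headers[self::TOKEN_HEADER] ?? ''));` (or by declaring the parameter `?string`). `!empty($token)` on the next line also treats the literal token "0" as absent; `$token !== ''` is the precise check once the value is a trimmed string.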

+ 105
- 4
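--- a/tests/LuUsersTest.php
+++ b/tests/LuUsersTest.php
@@ -1,6 +1,9 @@
 <?php
+use Luticate\Auth\Business\LuUsersBusiness;
 use Luticate\Auth\Controller\LuUsersController;
 use Luticate\Auth\Dbo\Users\LuUsersAddDbo;
+use Luticate\Auth\Dbo\Users\LuUsersLoginDbo;
+use Luticate\Utils\Business\LuBusinessException;
 use Luticate\Utils\Controller\LuticateApplication;
 use Luticate\Utils\DataAccess\LuDataAccess;
 
@@ -28,6 +31,11 @@ class LuUsersTest extends \PHPUnit_Framework_TestCase
         Db::getPdo()->query("DELETE FROM lu_users WHERE username LIKE '_test_%'");
     }
 
+    public static function tearDownAfterClass()
+    {
+        static::setUpBeforeClass();
+    }
+
     public function testUserAdd1()
     {
         $ctrl = static::getCtrl();
@@ -45,11 +53,104 @@ class LuUsersTest extends \PHPUnit_Framework_TestCase
 
         $this->assertNotNull($user);
         $this->assertNotNull($user->getId());
-        $this->assertSame($user->getUsername(), "_test_user1");
-        $this->assertSame($user->getFirstname(), "Test");
-        $this->assertSame($user->getLastname(), "user1");
-        $this->assertSame($user->getEmail(), "test.user1@example.com");
+        $this->assertSame("_test_user1", $user->getUsername());
+        $this->assertSame("Test", $user->getFirstname());
+        $this->assertSame("user1", $user->getLastname());
+        $this->assertSame("test.user1@example.com", $user->getEmail());
+        $this->assertNull($user->getExternalAuth());
+        $this->assertNull($user->getProfileId());
+    }
+
+    public function testUserAdd2()
+    {
+        $ctrl = static::getCtrl();
+
+        $newUser = new LuUsersAddDbo();
+        $newUser->setUsername("_test_user1");
+        $newUser->setPassword("test42");
+        $newUser->setFirstname("Test");
+        $newUser->setLastname("user1");
+        $newUser->setEmail("test.user1@example.com");
+        $newUser->setExternalAuth(null);
+        $newUser->setProfileId(null);
+
+        $this->expectException(LuBusinessException::class);
+        $ctrl->add($newUser);
+    }
+
+    public function testUserAdd3()
+    {
+        $ctrl = static::getCtrl();
+
+        $newUser = new LuUsersAddDbo();
+        $newUser->setUsername("_test_user2");
+        $newUser->setPassword("test42");
+        $newUser->setFirstname("Test");
+        $newUser->setLastname("user1");
+        $newUser->setEmail("test.user1@example.com");
+        $newUser->setExternalAuth(null);
+        $newUser->setProfileId(null);
+
+        $this->expectException(LuBusinessException::class);
+        $ctrl->add($newUser);
+    }
+
+    public function testUserAdd4()
+    {
+        $ctrl = static::getCtrl();
+
+        $newUser = new LuUsersAddDbo();
+        $newUser->setUsername("_test_user2");
+        $newUser->setPassword("test24");
+        $newUser->setFirstname("Test");
+        $newUser->setLastname("user2");
+        $newUser->setEmail("test.user2@example.com");
+        $newUser->setExternalAuth(null);
+        $newUser->setProfileId(null);
+
+        $user = $ctrl->add($newUser);
+
+        $this->assertNotNull($user);
+        $this->assertNotNull($user->getId());
+        $this->assertSame("_test_user2", $user->getUsername());
+        $this->assertSame("Test", $user->getFirstname());
+        $this->assertSame("user2", $user->getLastname());
+        $this->assertSame("test.user2@example.com", $user->getEmail());
         $this->assertNull($user->getExternalAuth());
         $this->assertNull($user->getProfileId());
     }
+
+    public function testUserLogin1()
+    {
+        $ctrl = static::getCtrl();
+
+        $loginDbo = new LuUsersLoginDbo();
+        $loginDbo->setUsername("_test_user1");
+        $loginDbo->setPassword("test42");
+        $loginResult = $ctrl->login($loginDbo);
+
+        $this->assertNotNull($loginResult);
+        $this->assertSame("test.user1@example.com", $loginResult->getEmail());
+
+        $loggedUser = LuUsersBusiness::getUserFromToken($loginResult->getToken());
+
+        $this->assertSame("test.user1@example.com", $loggedUser->getEmail());
+    }
+
+    public function testUserLogin2()
+    {
+        $ctrl = static::getCtrl();
+
+        $loginDbo = new LuUsersLoginDbo();
+        $loginDbo->setUsername("_test_user2");
+        $loginDbo->setPassword("test24");
+        $loginResult = $ctrl->login($loginDbo);
+
+        $this->assertNotNull($loginResult);
+        $this->assertSame("test.user2@example.com", $loginResult->getEmail());
+
+        $loggedUser = LuUsersBusiness::getUserFromToken($loginResult->getToken());
+
+        $this->assertSame("test.user2@example.com", $loggedUser->getEmail());
+    }
 }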
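Review bot: The new login tests in the third hunk only exercise the accept path; nothing asserts that getUserFromToken rejects a modified token, which is the property the JwtHelper rewrite must preserve, so a regression that skipped the signature or salt check would still pass this suite. A negative test that tampers with the issued token and expects the anonymous user (id 0) back closes that gap. testUserAdd2, testUserAdd3 and both login tests also rely on testUserAdd1 and testUserAdd4 having run first; PHPUnit's `@depends` annotation makes that ordering explicit instead of relying on declaration order.
```php
    public function testUserTokenTampered()
    {
        $ctrl = static::getCtrl();

        $loginDbo = new LuUsersLoginDbo();
        $loginDbo->setUsername("_test_user1");
        $loginDbo->setPassword("test42");
        $loginResult = $ctrl->login($loginDbo);

        // flip the tail of the token so neither the cipher nor the JWT signature still matches
        $tampered = substr($loginResult->getToken(), 0, -4) . 'AAAA';
        $loggedUser = LuUsersBusiness::getUserFromToken($tampered);

        $this->assertSame(0, $loggedUser->getId());
    }
```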

+ 139
- 0
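--- a/tests/data_permissions.sql
+++ b/tests/data_permissions.sql
@@ -0,0 +1,139 @@
+--
+-- PostgreSQL database dump
+--
+
+SET statement_timeout = 0;
+SET lock_timeout = 0;
+SET client_encoding = 'UTF8';
+SET standard_conforming_strings = on;
+SET check_function_bodies = false;
+SET client_min_messages = warning;
+
+SET search_path = public, pg_catalog;
+
+--
+-- Data for Name: lu_groups; Type: TABLE DATA; Schema: public; Owner: -
+--
+
+INSERT INTO lu_groups VALUES (5, 'ganonymous1_1');
+INSERT INTO lu_groups VALUES (6, 'ganonymous2_1');
+INSERT INTO lu_groups VALUES (7, 'ganonymous2_2');
+INSERT INTO lu_groups VALUES (8, 'ganonymous3_1');
+INSERT INTO lu_groups VALUES (9, 'ganonymous3_2');
+INSERT INTO lu_groups VALUES (10, 'ganonymous4_1');
+INSERT INTO lu_groups VALUES (11, 'ganonymous4_2');
+INSERT INTO lu_groups VALUES (12, 'ganonymous5_1');
+INSERT INTO lu_groups VALUES (13, 'ganonymous5_2');
+INSERT INTO lu_groups VALUES (14, 'ganonymous6_1');
+INSERT INTO lu_groups VALUES (15, 'ganonymous6_2');
+
+
+--
+-- Name: lu_groups_id_seq; Type: SEQUENCE SET; Schema: public; Owner: -
+--
+
+SELECT pg_catalog.setval('lu_groups_id_seq', 15, true);
+
+
+--
+-- Data for Name: lu_permissions; Type: TABLE DATA; Schema: public; Owner: -
+--
+
+INSERT INTO lu_permissions VALUES (3, 'LU_TEST_SIMPLE_TRUE', true);
+INSERT INTO lu_permissions VALUES (4, 'LU_TEST_SIMPLE_FALSE', false);
+INSERT INTO lu_permissions VALUES (5, 'LU_TEST_GROUP_1_TRUE', true);
+INSERT INTO lu_permissions VALUES (6, 'LU_TEST_GROUP_1_FALSE', true);
+INSERT INTO lu_permissions VALUES (7, 'LU_TEST_GROUP_2_TRUE', false);
+INSERT INTO lu_permissions VALUES (8, 'LU_TEST_GROUP_3_FALSE', true);
+INSERT INTO lu_permissions VALUES (9, 'LU_TEST_GROUP_4_FALSE', true);
+INSERT INTO lu_permissions VALUES (10, 'LU_TEST_USER_5_TRUE', false);
+INSERT INTO lu_permissions VALUES (11, 'LU_TEST_USER_6_FALSE', true);
+
+
+--
+-- Data for Name: lu_permissions_groups; Type: TABLE DATA; Schema: public; Owner: -
+--
+
+INSERT INTO lu_permissions_groups VALUES (5, true, 5);
+INSERT INTO lu_permissions_groups VALUES (6, false, 5);
+INSERT INTO lu_permissions_groups VALUES (7, true, 6);
+INSERT INTO lu_permissions_groups VALUES (7, true, 7);
+INSERT INTO lu_permissions_groups VALUES (8, true, 8);
+INSERT INTO lu_permissions_groups VALUES (8, false, 9);
+INSERT INTO lu_permissions_groups VALUES (9, false, 10);
+INSERT INTO lu_permissions_groups VALUES (9, false, 11);
+INSERT INTO lu_permissions_groups VALUES (10, false, 12);
+INSERT INTO lu_permissions_groups VALUES (10, false, 13);
+INSERT INTO lu_permissions_groups VALUES (11, true, 14);
+INSERT INTO lu_permissions_groups VALUES (11, true, 15);
+INSERT INTO lu_permissions_groups VALUES (7, false, 5);
+
+
+--
+-- Name: lu_permissions_id_seq; Type: SEQUENCE SET; Schema: public; Owner: -
+--
+
+SELECT pg_catalog.setval('lu_permissions_id_seq', 11, true);
+
+
+--
+-- Data for Name: lu_users; Type: TABLE DATA; Schema: public; Owner: -
+--
+
+INSERT INTO lu_users VALUES (1, 'anonymous1', NULL, '', NULL, NULL, 'anonymous1@anonymous.com', NULL, NULL);
+INSERT INTO lu_users VALUES (0, 'anonymous0', NULL, '', NULL, NULL, 'anonymous0@anonymous.com', NULL, NULL);
+INSERT INTO lu_users VALUES (2, 'anonymous2', NULL, '', NULL, NULL, 'anonymous2@anonymous.com', NULL, NULL);
+INSERT INTO lu_users VALUES (3, 'anonymous3', NULL, '', NULL, NULL, 'anonymous3@anonymous.com', NULL, NULL);
+INSERT INTO lu_users VALUES (4, 'anonymous4', NULL, '', NULL, NULL, 'anonymous4@anonymous.com', NULL, NULL);
+INSERT INTO lu_users VALUES (5, 'anonymous5', NULL, '', NULL, NULL, 'anonymous5@anonymous.com', NULL, NULL);
+INSERT INTO lu_users VALUES (6, 'anonymous6', NULL, '', NULL, NULL, 'anonymous6@anonymous.com', NULL, NULL);
+
+
+--
+-- Data for Name: lu_permissions_users; Type: TABLE DATA; Schema: public; Owner: -
+--
+
+INSERT INTO lu_permissions_users VALUES (11, false, 6);
+INSERT INTO lu_permissions_users VALUES (10, true, 5);
+
+
+--
+-- Data for Name: lu_settings; Type: TABLE DATA; Schema: public; Owner: -
+--
+
+
+
+--
+-- Data for Name: lu_settings_users; Type: TABLE DATA; Schema: public; Owner: -
+--
+
+
+
+--
+-- Data for Name: lu_users_groups; Type: TABLE DATA; Schema: public; Owner: -
+--
+
+INSERT INTO lu_users_groups VALUES (1, 5);
+INSERT INTO lu_users_groups VALUES (2, 6);
+INSERT INTO lu_users_groups VALUES (2, 7);
+INSERT INTO lu_users_groups VALUES (3, 8);
+INSERT INTO lu_users_groups VALUES (3, 9);
+INSERT INTO lu_users_groups VALUES (4, 10);
+INSERT INTO lu_users_groups VALUES (4, 11);
+INSERT INTO lu_users_groups VALUES (5, 12);
+INSERT INTO lu_users_groups VALUES (5, 13);
+INSERT INTO lu_users_groups VALUES (6, 14);
+INSERT INTO lu_users_groups VALUES (6, 15);
+
+
+--
+-- Name: lu_users_id_seq; Type: SEQUENCE SET; Schema: public; Owner: -
+--
+
+SELECT pg_catalog.setval('lu_users_id_seq', 13, true);
+
+
+--
+-- PostgreSQL database dump complete
+--
+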
