Update testin settings

Update PHPUnit to a newer version and Create a new set of feature tests to make sure that the behaviour with possible account takeovers is handled appropriately
heiglandreas · Oct 10, 2024 · c08021a · c08021a
1 parent c380559
commit c08021a
Show file tree

Hide file tree

Showing 10 changed files with 120 additions and 58 deletions.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -5,7 +5,7 @@ services:
       context: dockersetup
       dockerfile: Dockerfile_wordpress
       args:
-        PHP_VERSION: ${PHP_VERSION:-8.4-rc}
+        PHP_VERSION: ${PHP_VERSION:-8.3}
         WORDPRESS_VERSION: ${WORDPRESS_VERSION:-6.6}
     volumes:
       - .:/var/www/html/wp-content/plugins/authldap
@@ -82,7 +82,7 @@ services:
     volumes:
       - ./.ci/50-init.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/50-bootstrap.ldif
     command: "--copy-service --loglevel debug"
-    restart: always
+    restart: unless-stopped
     environment:
       LDAP_LOG_LEVEL: "0"
       LDAP_TLS: "false"

diff --git a/features/bootstrap/FeatureContext.php b/features/bootstrap/FeatureContext.php
@@ -191,6 +191,32 @@ public function aWordpressUserWithNameAndEmailExists($arg1, $arg2, $arg3)
 		));
 	}
 
+	/**
+	 * @Given a WordPress user :arg1 with name :arg2, email :arg3 and password :arg4 exists
+	 */
+	public function aWordpressUserWithNameEmailAndPasswordExists($arg1, $arg2, $arg3, $arg4)
+	{
+		exec(sprintf(
+			'wp --allow-root user get %1$s',
+			$arg1
+		), $result, $code);
+		if ($code === 0) {
+
+			exec(sprintf(
+				'wp --allow-root user delete %1$s --yes',
+				$arg1
+			));
+		}
+
+		exec(sprintf(
+			'wp --allow-root user create %1$s %3$s --display_name=%2$s --user_pass=%4$s --porcelain',
+			$arg1,
+			$arg2,
+			$arg3,
+			$arg4,
+		));
+	}
+
 	/**
 	 * @Given a WordPress role :arg1 exists
 	 */
@@ -221,9 +247,9 @@ public function wordpressUserHasRole($arg1, $arg2)
 	}
 
 	/**
-	 * @When LDAP user :arg1 logs in with password :arg2
+	 * @When user :arg1 logs in with password :arg2
 	 */
-	public function ldapUserLogsInWithPassword($arg1, $arg2)
+	public function userLogsInWithPassword($arg1, $arg2)
 	{
 		//  curl -i 'http://localhost/wp-login.php' -X POST -H 'Cookie: wordpress_test_cookie=test' --data-raw 'log=localadmin&pwd=P%40ssw0rd'
 		$client = new Client();
@@ -251,6 +277,15 @@ public function theLoginSuceeds()
 		Assert::startsWith($this->res->getHeader('Location')[0], 'http://localhost/wp-admin');
 	}
 
+	/**
+	 * @Then the login fails
+	 */
+	public function theLoginFails()
+	{
+		Assert::isInstanceOf($this->res, Response::class);
+		Assert::notEq( $this->res->getStatusCode(), 302);
+	}
+
 	/**
 	 * @Then a new WordPress user :arg1 was created with name :arg2 and email :arg3
 	 */

diff --git a/features/log in as LDAP user without wpaccount take over.feature b/features/log in as LDAP user without wpaccount take over.feature
@@ -0,0 +1,31 @@
+Feature: log in as LDAP user when WP users can not log in
+	Scenario: When existing wordpress users are not allowed to be overwritten
+		an LDAP user that logs in will be created and log in.
+		Given a default configuration
+		And configuration value "DoNotOverwriteNonLdapUsers" is set to "true"
+		And configuration value "DefaultRole" is set to "subscriber"
+		And an LDAP user "ldapuser" with name "LDAP User", password "P@ssw0rd" and email "[email protected]" exists
+		And a WordPress user "ldapuser" does not exist
+		When user "ldapuser" logs in with password "P@ssw0rd"
+		Then the login suceeds
+	Scenario: When existing wordpress users are not allowed to be overwritten
+	a WordPress user will still be able to log in.
+		Given a default configuration
+		And configuration value "DoNotOverwriteNonLdapUsers" is set to "true"
+		And configuration value "DefaultRole" is set to "subscriber"
+		And a WordPress user "wordpressuser" with name "WordPress_User", email "[email protected]" and password "P@ssw0rd" exists
+		And a WordPress role "wordpressrole" exists
+		And WordPress user "wordpressuser" has role "wordpressrole"
+		When user "wordpressuser" logs in with password "P@ssw0rd"
+		Then the login suceeds
+	Scenario: When existing wordpress users are not allowed to be overwritten
+	an LDAP user that logs in that has the same username as an existing WordPress
+	userwill not be created and login fails
+		Given a default configuration
+		And configuration value "DoNotOverwriteNonLdapUsers" is set to "true"
+		And configuration value "DefaultRole" is set to "subscriber"
+		And an LDAP user "ldapuser" with name "LDAP_User", password "P@ssw0rd" and email "[email protected]" exists
+		And a WordPress user "ldapuser" with name "WordPress_User" and email "[email protected]" exists
+		When user "ldapuser" logs in with password "P@ssw0rd"
+		Then the login fails
+
diff --git a/features/log in using no groups at all.feature b/features/log in using no groups at all.feature
@@ -10,7 +10,7 @@ Feature: Log in without group assignment
 		And a WordPress role "wordpressrole" exists
 		And WordPress user "wordpressuser" has role "wordpressrole"
 		And a WordPress user "ldapuser" does not exist
-		When LDAP user "ldapuser" logs in with password "P@ssw0rd"
+		When user "ldapuser" logs in with password "P@ssw0rd"
 		Then the login suceeds
 		And a new WordPress user "ldapuser" was created with name "LDAP User" and email "[email protected]"
 		And the WordPress user "ldapuser" is member of role "subscriber"
@@ -30,7 +30,7 @@ Feature: Log in without group assignment
 		And a WordPress role "wordpressrole" exists
 		And WordPress user "wordpressuser" has role "wordpressrole"
 		And a WordPress user "ldapuser" does not exist
-		When LDAP user "ldapuser" logs in with password "P@ssw0rd"
+		When user "ldapuser" logs in with password "P@ssw0rd"
 		Then the login suceeds
 		And a new WordPress user "ldapuser" was created with name "LDAP User" and email "[email protected]"
 		And the WordPress user "ldapuser" is member of role "administrator"
@@ -52,10 +52,10 @@ Feature: Log in without group assignment
 		And a WordPress role "wordpressrole" exists
 		And WordPress user "wordpressuser" has role "wordpressrole"
 		And a WordPress user "ldapuser" does not exist
-		And LDAP user "ldapuser" logs in with password "P@ssw0rd"
+		And user "ldapuser" logs in with password "P@ssw0rd"
 		And WordPress user "ldapuser" has role "wordpressrole"
 		And the WordPress user "ldapuser" is member of role "wordpressrole"
-		When LDAP user "ldapuser" logs in with password "P@ssw0rd"
+		When user "ldapuser" logs in with password "P@ssw0rd"
 		Then the login suceeds
 		And the WordPress user "ldapuser" is member of role "administrator"
 		And the WordPress user "ldapuser" is member of role "wordpressrole"
@@ -74,10 +74,10 @@ Feature: Log in without group assignment
 		And an LDAP group "ldapgroup1" exists
 		And an LDAP group "ldapgroup2" exists
 		And LDAP user "ldapuser" is member of LDAP group "ldapgroup1"
-		And LDAP user "ldapuser" logs in with password "P@ssw0rd"
+		And user "ldapuser" logs in with password "P@ssw0rd"
 		And LDAP user "ldapuser" is member of LDAP group "ldapgroup2"
 		And LDAP user "ldapuser" is not member of LDAP group "ldapgroup1"
-		When LDAP user "ldapuser" logs in with password "P@ssw0rd"
+		When user "ldapuser" logs in with password "P@ssw0rd"
 		Then the login suceeds
 		And the WordPress user "ldapuser" is member of role "editor"
 		And the WordPress user "ldapuser" is not member of role "administrator"

diff --git a/features/log in with multiple role-assignements in LDAP.feature b/features/log in with multiple role-assignements in LDAP.feature
@@ -13,7 +13,7 @@ Feature: Log in with multiple role-assignements in LDAP
 		And LDAP user "ldapuser" is member of LDAP group "ldapgroup2"
 		And a WordPress user "ldapuser" does not exist
 		And a WordPress filter "authLdap_allow_multiple_roles" with implementation "function():bool { return true;}"
-		When LDAP user "ldapuser" logs in with password "P@ssw0rd"
+		When user "ldapuser" logs in with password "P@ssw0rd"
 		Then the login suceeds
 		And the WordPress user "ldapuser" is member of role "subscriber"
 		And the WordPress user "ldapuser" is member of role "editor"
diff --git a/phpunit.xml.dist b/phpunit.xml.dist
@@ -1,39 +1,37 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-		 bootstrap="tests/bootstrap.php"
-		 testdox="true"
-		 xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/9.5/phpunit.xsd"
->
-	<coverage>
-		<include>
-			<directory suffix=".php">src</directory>
-			<file>authLdap.php</file>
-		</include>
-		<exclude>
-			<directory>src/Wrapper</directory>
-		</exclude>
-		<report>
-			<html outputDirectory="build/coverage" lowUpperBound="35" highLowerBound="70"/>
-		</report>
-	</coverage>
-	<testsuite name="authLdap Test-Suite">
-		<directory>tests</directory>
-	</testsuite>
-	<groups>
-		<exclude>
-			<group>disable</group>
-		</exclude>
-	</groups>
-	<logging>
-		<!--log type="coverage-xml" target="../report/coverage.xml"/-->
-		<!--log type="graphviz" target="../report/logfile.dot"/-->
-		<!--log type="json" target="../report/logfile.json"/-->
-		<!--log type="metrics-xml" target="../report/metrics.xml"/-->
-		<!--log type="plain" target="../report/logfile.txt"/-->
-		<!--log type="pmd-xml" target="../report/pmd.xml" cpdMinLines="5" cpdMinMatches="70"/-->
-		<!--log type="tap" target="../report/logfile.tap"/-->
-		<!--log type="test-xml" target="../report/logfile.xml" logIncompleteSkipped="false"/-->
-		<!--log type="testdox-html" target="../report/testdox.html"/-->
-		<!--log type="testdox-text" target="../report/testdox.txt"/-->
-	</logging>
+<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" bootstrap="tests/bootstrap.php" testdox="true" xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/11.3/phpunit.xsd">
+  <coverage>
+    <report>
+      <html outputDirectory="build/coverage" lowUpperBound="35" highLowerBound="70"/>
+    </report>
+  </coverage>
+  <testsuite name="authLdap Test-Suite">
+    <directory>tests</directory>
+  </testsuite>
+  <groups>
+    <exclude>
+      <group>disable</group>
+    </exclude>
+  </groups>
+  <logging>
+    <!--log type="coverage-xml" target="../report/coverage.xml"/-->
+    <!--log type="graphviz" target="../report/logfile.dot"/-->
+    <!--log type="json" target="../report/logfile.json"/-->
+    <!--log type="metrics-xml" target="../report/metrics.xml"/-->
+    <!--log type="plain" target="../report/logfile.txt"/-->
+    <!--log type="pmd-xml" target="../report/pmd.xml" cpdMinLines="5" cpdMinMatches="70"/-->
+    <!--log type="tap" target="../report/logfile.tap"/-->
+    <!--log type="test-xml" target="../report/logfile.xml" logIncompleteSkipped="false"/-->
+    <!--log type="testdox-html" target="../report/testdox.html"/-->
+    <!--log type="testdox-text" target="../report/testdox.txt"/-->
+  </logging>
+  <source>
+    <include>
+      <directory suffix=".php">src</directory>
+      <file>authLdap.php</file>
+    </include>
+    <exclude>
+      <directory>src/Wrapper</directory>
+    </exclude>
+  </source>
 </phpunit>
diff --git a/tests/LdapTest.php b/tests/LdapTest.php
@@ -64,7 +64,7 @@ public function testExceptionsWhenInstantiatingLdapClass(string $expected)
 		new Ldap(new LdapFactory(), LdapUri::fromString($expected));
 	}
 
-	public function dpInstantiateLdapClass(): Generator
+	public static function dpInstantiateLdapClass(): Generator
 	{
 		yield [
 			'ldap://uid=jondoe,cn=users,cn=example,c=org:[email protected]/cn=example,c=org',
@@ -140,7 +140,7 @@ public function dpInstantiateLdapClass(): Generator
 		];
 	}
 
-	public function dpExceptionsWhenInstantiatingLdapClass(): Generator
+	public static function dpExceptionsWhenInstantiatingLdapClass(): Generator
 	{
 		yield ['ldap://ldap.example.org'];
 		yield ['ldap://foo:bar@/cn=example,c=org'];

diff --git a/tests/LdapUriTest.php b/tests/LdapUriTest.php
@@ -13,7 +13,7 @@
 
 class LdapUriTest extends TestCase
 {
-	public function toStringProvider(): Generator
+	public static function toStringProvider(): Generator
 	{
 		yield ['ldaps://foo:[email protected]/baz', 'ldaps://foo.bar:636', 'foo', 'bar', 'baz'];
 		yield ['env:LDAP_URI', 'ldaps://foo.bar:636', 'foo', 'bar', 'baz', [
@@ -27,7 +27,7 @@ public function toStringProvider(): Generator
         ]];
     }
 
-	public function fromStringProvider(): Generator
+	public static function fromStringProvider(): Generator
 	{
 		yield ['ldaps://foo:[email protected]/baz', false];
 		yield ['env:LDAP_URI', false];
@@ -82,7 +82,7 @@ public function testUriIsAnonymous(string $uri): void
 		Assert::assertTrue($uri->isAnonymous());
 	}
 
-	public function anonymousProvider(): Generator
+	public static function anonymousProvider(): Generator
 	{
 		yield ['ldaps://test.example.com/dc=com'];
 		yield ['ldaps://[email protected]/dc=com'];

diff --git a/tests/Manager/LDAPBaseTest.php b/tests/Manager/LDAPBaseTest.php
@@ -78,7 +78,7 @@ public function testThatBindingWithPasswordWorks($user, $password, $filter, $uri
         $this->assertTrue($ldap->authenticate($user, $password, $filter));
     }
 
-    public function bindingWithPasswordProvider()
+    public static function bindingWithPasswordProvider()
     {
         return [
             [
@@ -140,7 +140,7 @@ public function testThatInitialBindingToMultipleLdapsWorks($uri)
         $this->assertTrue($list->bind());
     }
 
-    public function initialBindingToLdapServerWorksProvider()
+    public static function initialBindingToLdapServerWorksProvider()
     {
         return [
             ['ldap://uid=user%205,dc=test%20space,dc=example,dc=org:user!"' .
@@ -159,7 +159,6 @@ public function testThatPassedDataIsEscaped($unescaped, $escaped): void
 
 		$this->wrapper->expects($this->exactly(2))
 			->method('bind')
-			->withConsecutive(
 				['cn=admin,dc=example,dc=org', 'insecure'],
 				['foo', 'password'],
 			)
@@ -174,7 +173,7 @@ public function testThatPassedDataIsEscaped($unescaped, $escaped): void
         $ldap->authenticate($unescaped, 'password');
     }
 
-    public function provideUnescapedData(): array
+    public static function provideUnescapedData(): array
     {
         return [
             ['\’foobar', '(uid=\5c’foobar)'],

diff --git a/wordpress/info.php b/wordpress/info.php