Check if service account has role admin (#49)

* Update PrivacyIDEA.php * Update PrivacyIDEA.php * Create ErrorMissingAuthorizationHeaderTest.php * Update Utils.php * Update composer.json

Check if service account has role admin (#49)
ebc52bb3 · lukasmatusiewicz · GitHub · 5ff092b4 · ebc52bb3 · ebc52bb3
Unverified Commit ebc52bb3 authored 1 year ago by lukasmatusiewicz Committed by GitHub 1 year ago
--- a/composer.json
+++ b/composer.json
@@ -21,7 +21,7 @@
    }
  ],
  "require": {
-    "php": ">=7.1",
+    "php": ">=7.3",
    "curl/curl": "*",
    "ext-json": "*",
    "ext-curl": "*"

--- a/src/PrivacyIDEA.php
+++ b/src/PrivacyIDEA.php
@@ -69,7 +69,7 @@ class PrivacyIDEA
     * @return PIResponse|null null if response was empty or malformed, or parameter missing
     * @throws PIBadRequestException
     */
-    public function validateCheck($username, $pass, $transactionID = null, $headers=null)
+    public function validateCheck($username, $pass, $transactionID = null, $headers = null)
    {
        assert('string' === gettype($username));
        assert('string' === gettype($pass));
@@ -401,13 +401,49 @@ class PrivacyIDEA

        if (!empty($response['result']['value']))
        {
-            return @$response['result']['value']['token'] ?: "";
+            // Ensure an admin account
+            if (!empty($response['result']['value']['token']))
+            {
+                if ($this->findRecursive($response, 'role') != 'admin')
+                {
+                    $this->debugLog("Auth token was of a user without admin role.");
+                    return "";
+                }
+                return $response['result']['value']['token'];
+            }
        }
-
-        $this->debugLog("/auth response did not contain a auth token.");
+        $this->debugLog("/auth response did not contain the auth token.");
        return "";
    }

+    /**
+     * Find a key in array recursively.
+     *
+     * @param array $haystack The array which will be searched.
+     * @param string $needle Search string.
+     * @return mixed Result of key search.
+     */
+    public function findRecursive($haystack, $needle)
+    {
+        assert(is_array($haystack));
+        assert(is_string($needle));
+
+        $iterator = new RecursiveArrayIterator($haystack);
+        $recursive = new RecursiveIteratorIterator(
+            $iterator,
+            RecursiveIteratorIterator::SELF_FIRST
+        );
+
+        foreach ($recursive as $key => $value)
+        {
+            if ($key === $needle)
+            {
+                return $value;
+            }
+        }
+        return false;
+    }
+
    /**
     * Send a request to an endpoint with the specified parameters and headers.
     *
@@ -440,7 +476,7 @@ class PrivacyIDEA
                }
            }
        }
-        
+
        $this->debugLog("Sending " . http_build_query($params, '', ', ') . " to " . $endpoint);

        $completeUrl = $this->serverURL . $endpoint;

--- a/test/ErrorMissingAuthorizationHeaderTest.php
+++ b/test/ErrorMissingAuthorizationHeaderTest.php
+<?php
+
+//require_once(__DIR__ . '/../src/Client-Autoloader.php');
+require_once(__DIR__ . '/../vendor/autoload.php');
+require_once('utils/Utils.php');
+
+use InterNations\Component\HttpMock\PHPUnit\HttpMockTrait;
+use PHPUnit\Framework\TestCase;
+use utils\Utils;
+
+class ErrorMissingAuthorizationHeaderTest extends TestCase implements PILog
+{
+    private $pi;
+
+    use HttpMockTrait;
+
+    public static function setUpBeforeClass(): void
+    {
+        static::setUpHttpMockBeforeClass('8082', 'localhost');
+    }
+
+    public static function tearDownAfterClass(): void
+    {
+        static::tearDownHttpMockAfterClass();
+    }
+
+    public function setUp(): void
+    {
+        $this->setUpHttpMock();
+        $this->pi = new PrivacyIDEA('testUserAgent', "localhost:8082");
+        $this->pi->logger = $this;
+        $this->pi->realm = "testRealm";
+    }
+
+    public function tearDown(): void
+    {
+        $this->tearDownHttpMock();
+    }
+
+    /**
+     * @throws PIBadRequestException
+     */
+    public function testErrorMissingAuthorizationHeader()
+    {
+        $this->http->mock
+            ->when()
+            ->methodIs('POST')
+            ->pathIs('/validate/triggerchallenge')
+            ->then()
+            ->body(Utils::errorMissingAuthorizationHeaderResponseBody())
+            ->end();
+        $this->http->setUp();
+
+        $this->http->mock
+            ->when()
+            ->methodIs('POST')
+            ->pathIs('/auth')
+            ->then()
+            ->body(Utils::postAuthNoRoleAdminResponseBody())
+            ->end();
+        $this->http->setUp();
+
+        $this->pi->serviceAccountName = "testServiceAccount";
+        $this->pi->serviceAccountPass = "testServicePass";
+        $this->pi->serviceAccountRealm = "testServiceRealm";
+
+        $response = $this->pi->triggerchallenge("testUser");
+
+        $this->assertEquals("4033", $response->errorCode);
+        $this->assertEquals("Authentication failure. Missing Authorization header.", $response->errorMessage);
+        $this->assertFalse($response->status);
+        $this->assertEquals("", $response->otpMessage());
+    }
+
+    public function piDebug($message)
+    {
+        echo $message . "\n";
+    }
+
+    public function piError($message)
+    {
+        echo "error: " . $message . "\n";
+    }
+}
\ No newline at end of file
--- a/test/utils/Utils.php
+++ b/test/utils/Utils.php
@@ -109,6 +109,31 @@ class Utils
            "    \"signature\": \"rsa_sha256_pss:\"\n" . "}";
    }

+    /**
+     * @return string
+     */
+    public static function postAuthNoRoleAdminResponseBody()
+    {
+        return "{\n" . "    \"id\": 1,\n" . "    \"jsonrpc\": \"2.0\",\n" .
+            "    \"result\": {\n" . "        \"status\": true,\n" .
+            "        \"value\": {\n" . "            \"log_level\": 20,\n" .
+            "            \"menus\": [\n" . "                \"components\",\n" .
+            "                \"machines\"\n" . "            ],\n" .
+            "            \"realm\": \"\",\n" . "            \"rights\": [\n" .
+            "                \"policydelete\",\n" .
+            "                \"resync\"\n" . "            ],\n" .
+            "            \"role\": \"user\",\n" . "            \"token\": \"" .
+            self::authToken() . "\",\n" . "            \"username\": \"admin\",\n" .
+            "            \"logout_time\": 120,\n" .
+            "            \"default_tokentype\": \"hotp\",\n" .
+            "            \"user_details\": false,\n" .
+            "            \"subscription_status\": 0\n" . "        }\n" .
+            "    },\n" . "    \"time\": 1589446794.8502703,\n" .
+            "    \"version\": \"privacyIDEA 3.2.1\",\n" .
+            "    \"versionnumber\": \"3.2.1\",\n" .
+            "    \"signature\": \"rsa_sha256_pss:\"\n" . "}";
+    }
+
    /**
     * @return string
     */
@@ -234,6 +259,17 @@ class Utils
            "\"signature\":\"rsa_sha256_pss:1c64db29cad0dc127d6...5ec143ee52a7804ea1dc8e23ab2fc90ac0ac147c0\"}";
    }

+    /**
+     * @return string
+     */
+    public static function errorMissingAuthorizationHeaderResponseBody()
+    {
+        return "{" . "\"detail\":null," . "\"id\":1," . "\"jsonrpc\":\"2.0\"," . "\"result\":{" . "\"error\":{" .
+            "\"code\":4033," . "\"message\":\"Authentication failure. Missing Authorization header.\"}," .
+            "\"status\":false}," . "\"time\":1649752303.65651," . "\"version\":\"privacyIDEA 3.6.3\"," .
+            "\"signature\":\"rsa_sha256_pss:1c64db29cad0dc127d6...5ec143ee52a7804ea1dc8e23ab2fc90ac0ac147c0\"}";
+    }
+
    /**
     * @return string
     */