Initial tests for authorize:authorize

435c438e · Patrick Radtke · ad1184b2 · 435c438e · 435c438e
Commit 435c438e authored 6 years ago by Patrick Radtke
--- a/modules/authorize/docs/authorize.md
+++ b/modules/authorize/docs/authorize.md
@@ -50,14 +50,17 @@ Note: If regex is enabled, you must use the preg_match format, i.e. you have to
   (as far as I know), you have to close the browser.
 ### Examples ###
-To use this filter configure it in `config/config.php`:
+To use this filter configure it in `config/config.php`.
+For unstructured attributes use `^` and `$` to anchor your regex as necessary:
 ```php
 'authproc.sp' => [
    60 => [
        'class' => 'authorize:Authorize',
        'uid'   =>  [
-            '/.*@example.com/',
+            '/^.*@example.com$/',
-            '/(user1|user2|user3)@example.edu/',
+            // Use anchors to prevent matching 'wronguser1@exampled.edu.attacker.com'
+            '/^(user1|user2|user3)@example.edu$/',
        ],
        'schacUserStatus' => '@urn:mace:terena.org:userStatus:' .
        'example.org:service:active.*@',
@@ -72,10 +75,10 @@ An alternate way of using this filter is to deny certain users. Or even use mult
 'authproc.sp' => [
    60 => array[
        'class' => 'authorize:Authorize',
-        'deny'  => TRUE,
+        'deny'  => true,
        'uid'   =>  [
-            '/.*@students.example.edu/',
+            '/.*@students.example.edu$/',
-            '/(stu1|stu2|stu3)@example.edu/',
+            '/^(stu1|stu2|stu3)@example.edu$/',
        ]
    ]
 ]
@@ -89,7 +92,7 @@ Additionally, some helpful instructions are shown.
 'authproc.sp' => [
    60 => [
        'class' => 'authorize:Authorize',
-        'regex' => FALSE,
+        'regex' => false,
        'group' => [
            'CN=SimpleSAML Students,CN=Users,DC=example,DC=edu',
            'CN=All Teachers,OU=Staff,DC=example,DC=edu',

--- a/tests/modules/authorize/lib/Auth/Process/AuthorizeTest.php
+++ b/tests/modules/authorize/lib/Auth/Process/AuthorizeTest.php
+<?php
+/**
+ * Test for the authorize:Authorize authproc filter.
+ */
+namespace SimpleSAML\Test\Module\consent\Auth\Process;
+use PHPUnit\Framework\TestCase;
+use SimpleSAML\Module\authorize\Auth\Process\Authorize;
+use SimpleSAML\Utils\Attributes;
+class AuthorizeTest extends TestCase
+{
+    /**
+     * Helper function to run the filter with a given configuration.
+     *
+     * @param array $config The filter configuration.
+     * @param array $request The request state.
+     * @return array  The state array after processing.
+     */
+    private function processFilter(array $config, array $request)
+    {
+        $filter = new TestableAuthorize($config, null);
+        $filter->process($request);
+        return $request;
+    }
+    /**
+     * Test that having a matching attribute grants access
+     * @dataProvider allowScenarioProvider
+     * @param array $userAttributes The attributes to test
+     * @param bool $isAuthorized Should the user be authorized
+     */
+    public function testAllowScenarios($userAttributes, $isAuthorized)
+    {
+        $userAttributes = Attributes::normalizeAttributesArray($userAttributes);
+        $config = [
+            'uid' => [
+                '/^.*@example.com$/',
+                '/^(user1|user2|user3)@example.edu$/',
+            ],
+            'schacUserStatus' => '@urn:mace:terena.org:userStatus:example.org:service:active.*@',
+        ];
+        $resultState = $this->processFilter($config, ['Attributes' => $userAttributes]);
+        $resultAuthorized = isset($resultState['NOT_AUTHORIZED']) ? false : true;
+        $this->assertEquals($isAuthorized, $resultAuthorized);
+    }
+    public function allowScenarioProvider()
+    {
+        return [
+            // Should be allowed
+            [['uid' => 'anything@example.com'], true],
+            [['uid' => 'user2@example.edu'], true],
+            [['schacUserStatus' => 'urn:mace:terena.org:userStatus:example.org:service:active.my.service'], true],
+            [
+                [
+                    'uid' => ['wrongValue', 'user2@example.edu', 'wrongValue2'],
+                    'schacUserStatus' => 'incorrectstatus'
+                ],
+                true
+            ],
+            //Should be denied
+            [['wrongAttributes' => ['abc']], false],
+            [
+                [
+                    'uid' => [
+                        'anything@example.com.wrong',
+                        'wronguser@example.edu',
+                        'user2@example.edu.wrong',
+                        'prefixuser2@example.edu'
+                    ]
+                ],
+                false
+            ],
+        ];
+    }
+    /**
+     * Test that having a matching attribute prevents access
+     * @dataProvider invertScenarioProvider
+     * @param array $userAttributes The attributes to test
+     * @param bool $isAuthorized Should the user be authorized
+     */
+    public function testInvertAllowScenarios($userAttributes, $isAuthorized)
+    {
+        $userAttributes = Attributes::normalizeAttributesArray($userAttributes);
+        $config = [
+            'deny' => true,
+            'uid' => [
+                '/.*@students.example.edu$/',
+                '/^(stu1|stu2|stu3)@example.edu$/',
+            ],
+            'schacUserStatus' => '@urn:mace:terena.org:userStatus:example.org:service:blocked.*@',
+        ];
+        $resultState = $this->processFilter($config, ['Attributes' => $userAttributes]);
+        $resultAuthorized = isset($resultState['NOT_AUTHORIZED']) ? false : true;
+        $this->assertEquals($isAuthorized, $resultAuthorized);
+    }
+    public function invertScenarioProvider()
+    {
+        return [
+            // Should be allowed
+            [['noMatch' => 'abc'], true],
+            [['uid' => 'anything@example.edu'], true],
+            //Should be denied
+            [['uid' => 'anything@students.example.edu'], false],
+            [['uid' => 'stu3@example.edu'], false],
+            [['schacUserStatus' => 'urn:mace:terena.org:userStatus:example.org:service:blocked'], false],
+            // Matching any of the attributes results in denial
+            [
+                [
+                    'uid' => ['noMatch', 'abc@students.example.edu', 'noMatch2'],
+                    'schacUserStatus' => 'noMatch'
+                ],
+                false
+            ],
+        ];
+    }
+    /**
+     * Test that having a matching attribute prevents access
+     * @dataProvider noregexScenarioProvider
+     * @param array $userAttributes The attributes to test
+     * @param bool $isAuthorized Should the user be authorized
+     */
+    public function testDisableRegex($userAttributes, $isAuthorized)
+    {
+        $userAttributes = Attributes::normalizeAttributesArray($userAttributes);
+        $config = [
+            'regex' => false,
+            'group' => [
+                'CN=SimpleSAML Students,CN=Users,DC=example,DC=edu',
+                'CN=All Teachers,OU=Staff,DC=example,DC=edu',
+            ],
+        ];
+        $resultState = $this->processFilter($config, ['Attributes' => $userAttributes]);
+        $resultAuthorized = isset($resultState['NOT_AUTHORIZED']) ? false : true;
+        $this->assertEquals($isAuthorized, $resultAuthorized);
+    }
+    public function noregexScenarioProvider()
+    {
+        return [
+            // Should be allowed
+            [['group' => 'CN=SimpleSAML Students,CN=Users,DC=example,DC=edu'], true],
+            //Should be denied
+            [['wrongAttribute' => 'CN=SimpleSAML Students,CN=Users,DC=example,DC=edu'], false],
+            [['group' => 'CN=wrongCN=SimpleSAML Students,CN=Users,DC=example,DC=edu'], false],
+        ];
+    }
+}
+// phpcs:ignore
+class TestableAuthorize extends Authorize
+{
+    /**
+     * Override the redirect behavior since its difficult to test
+     * @param array $request the state
+     */
+    protected function unauthorized(&$request)
+    {
+        $request['NOT_AUTHORIZED'] = true;
+    }
+}