
Tweaked LDAP TLS Implementation

- Moved the ldap function out to our separate service for easier
  testing.
- Added testing for the option.
- Moved tls_insecure part back up above connection start as found more
  reliable there.

Done a lot of real-connection testing during this review.
Used Wireshark to ensure the TLS connection does take place.
Found LDAP_TLS_INSECURE=false can behave unreliably; restarting php-fpm
helped.
Tested both trusted and untrusted certificates.
This commit is contained in:
Dan Brown
2021-02-07 20:00:04 +00:00
parent f177b02cae
commit af032f8993
4 changed files with 51 additions and 23 deletions


@ -4,6 +4,7 @@ use BookStack\Auth\Access\LdapService;
use BookStack\Auth\Role;
use BookStack\Auth\Access\Ldap;
use BookStack\Auth\User;
use BookStack\Exceptions\LdapException;
use Mockery\MockInterface;
use Tests\BrowserKitTest;
@ -40,6 +41,14 @@ class LdapTest extends BrowserKitTest
$this->mockUser = factory(User::class)->make();
}
protected function runFailedAuthLogin()
{
$this->commonLdapMocks(1, 1, 1, 1, 1);
$this->mockLdap->shouldReceive('searchAndGetEntries')->times(1)
->andReturn(['count' => 0]);
$this->post('/login', ['username' => 'timmyjenkins', 'password' => 'cattreedog']);
}
protected function mockEscapes($times = 1)
{
$this->mockLdap->shouldReceive('escape')->times($times)->andReturnUsing(function($val) {
@ -550,6 +559,22 @@ class LdapTest extends BrowserKitTest
]);
}
public function test_start_tls_called_if_option_set()
{
config()->set(['services.ldap.start_tls' => true]);
$this->mockLdap->shouldReceive('startTls')->once()->andReturn(true);
$this->runFailedAuthLogin();
}
public function test_connection_fails_if_tls_fails()
{
config()->set(['services.ldap.start_tls' => true]);
$this->mockLdap->shouldReceive('startTls')->once()->andReturn(false);
$this->commonLdapMocks(1, 1, 0, 0, 0);
$this->post('/login', ['username' => 'timmyjenkins', 'password' => 'cattreedog']);
$this->assertResponseStatus(500);
}
public function test_ldap_attributes_can_be_binary_decoded_if_marked()
{
config()->set(['services.ldap.id_attribute' => 'BIN;uid']);
@ -640,12 +665,7 @@ class LdapTest extends BrowserKitTest
{
$log = $this->withTestLogger();
config()->set(['logging.failed_login.message' => 'Failed login for %u']);
$this->commonLdapMocks(1, 1, 1, 1, 1);
$this->mockLdap->shouldReceive('searchAndGetEntries')->times(1)
->andReturn(['count' => 0]);
$this->post('/login', ['username' => 'timmyjenkins', 'password' => 'cattreedog']);
$this->runFailedAuthLogin();
$this->assertTrue($log->hasWarningThatContains('Failed login for timmyjenkins'));
}
}
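Review bot: test_connection_fails_if_tls_fails (third hunk) asserts only a 500 status, so any unrelated server error raised during login would satisfy it, and a regression that proceeded to bind without TLS and failed later for another reason would still pass. Pin the failure to the TLS path by asserting the raised exception is the `LdapException` imported in the first hunk (that import is not used in any visible hunk) or by checking the logged failure message, if the BrowserKitTest base surfaces exceptions to the test. The `commonLdapMocks(1, 1, 0, 0, 0)` call appears to expect that no further LDAP calls happen after startTls returns false; if those zero counts mean bind and search are never attempted, that is the security-relevant expectation and deserves a one-line comment such as `// no bind/search may be attempted once start_tls fails`. The test methods are complete within the hunks, but the LdapTest class and commonLdapMocks begin outside this section.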