5 use BookStack\Access\Ldap;
6 use BookStack\Access\LdapService;
7 use BookStack\Exceptions\LdapException;
8 use BookStack\Users\Models\Role;
9 use BookStack\Users\Models\User;
10 use Illuminate\Testing\TestResponse;
11 use Mockery\MockInterface;
14 class LdapTest extends TestCase
16 protected MockInterface $mockLdap;
18 protected User $mockUser;
19 protected string $resourceId = 'resource-test';
21 protected function setUp(): void
24 if (!defined('LDAP_OPT_REFERRALS')) {
25 define('LDAP_OPT_REFERRALS', 1);
28 'auth.method' => 'ldap',
29 'auth.defaults.guard' => 'ldap',
30 'services.ldap.base_dn' => 'dc=ldap,dc=local',
31 'services.ldap.email_attribute' => 'mail',
32 'services.ldap.display_name_attribute' => 'cn',
33 'services.ldap.id_attribute' => 'uid',
34 'services.ldap.user_to_groups' => false,
35 'services.ldap.version' => '3',
36 'services.ldap.user_filter' => '(&(uid={user}))',
37 'services.ldap.follow_referrals' => false,
38 'services.ldap.tls_insecure' => false,
39 'services.ldap.tls_ca_cert' => false,
40 'services.ldap.thumbnail_attribute' => null,
42 $this->mockLdap = $this->mock(Ldap::class);
43 $this->mockUser = User::factory()->make();
46 protected function runFailedAuthLogin()
48 $this->commonLdapMocks(1, 1, 1, 1, 1);
49 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(1)
50 ->andReturn(['count' => 0]);
51 $this->post('/login', ['username' => 'timmyjenkins', 'password' => 'cattreedog']);
54 protected function mockEscapes($times = 1)
56 $this->mockLdap->shouldReceive('escape')->times($times)->andReturnUsing(function ($val) {
57 return ldap_escape($val);
61 protected function mockExplodes($times = 1)
63 $this->mockLdap->shouldReceive('explodeDn')->times($times)->andReturnUsing(function ($dn, $withAttrib) {
64 return ldap_explode_dn($dn, $withAttrib);
68 protected function mockUserLogin(?string $email = null): TestResponse
70 return $this->post('/login', [
71 'username' => $this->mockUser->name,
72 'password' => $this->mockUser->password,
73 ] + ($email ? ['email' => $email] : []));
77 * Set LDAP method mocks for things we commonly call without altering.
79 protected function commonLdapMocks(int $connects = 1, int $versions = 1, int $options = 2, int $binds = 4, int $escapes = 2, int $explodes = 0, int $groups = 0)
81 $this->mockLdap->shouldReceive('connect')->times($connects)->andReturn($this->resourceId);
82 $this->mockLdap->shouldReceive('setVersion')->times($versions);
83 $this->mockLdap->shouldReceive('setOption')->times($options);
84 $this->mockLdap->shouldReceive('bind')->times($binds)->andReturn(true);
85 $this->mockEscapes($escapes);
86 $this->mockExplodes($explodes);
87 $this->mockGroupLookups($groups);
90 protected function mockGroupLookups(int $times = 1): void
92 $this->mockLdap->shouldReceive('read')->times($times)->andReturn(['count' => 0]);
93 $this->mockLdap->shouldReceive('getEntries')->times($times)->andReturn(['count' => 0]);
96 public function test_login()
98 $this->commonLdapMocks(1, 1, 2, 4, 2);
99 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(2)
100 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))
101 ->andReturn(['count' => 1, 0 => [
102 'uid' => [$this->mockUser->name],
103 'cn' => [$this->mockUser->name],
104 'dn' => 'dc=test' . config('services.ldap.base_dn'),
107 $resp = $this->mockUserLogin();
108 $resp->assertRedirect('/login');
109 $resp = $this->followRedirects($resp);
110 $resp->assertSee('Please enter an email to use for this account.');
111 $resp->assertSee($this->mockUser->name);
113 $resp = $this->followingRedirects()->mockUserLogin($this->mockUser->email);
114 $this->withHtml($resp)->assertElementExists('#home-default');
115 $resp->assertSee($this->mockUser->name);
116 $this->assertDatabaseHas('users', [
117 'email' => $this->mockUser->email,
118 'email_confirmed' => false,
119 'external_auth_id' => $this->mockUser->name,
123 public function test_email_domain_restriction_active_on_new_ldap_login()
126 'registration-restrict' => 'testing.com',
129 $this->commonLdapMocks(1, 1, 2, 4, 2);
130 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(2)
131 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))
132 ->andReturn(['count' => 1, 0 => [
133 'uid' => [$this->mockUser->name],
134 'cn' => [$this->mockUser->name],
135 'dn' => 'dc=test' . config('services.ldap.base_dn'),
138 $resp = $this->mockUserLogin();
139 $resp->assertRedirect('/login');
140 $this->followRedirects($resp)->assertSee('Please enter an email to use for this account.');
143 $resp = $this->mockUserLogin($email);
144 $resp->assertRedirect('/login');
145 $this->followRedirects($resp)->assertSee('That email domain does not have access to this application');
147 $this->assertDatabaseMissing('users', ['email' => $email]);
150 public function test_login_works_when_no_uid_provided_by_ldap_server()
152 $ldapDn = 'cn=test-user,dc=test' . config('services.ldap.base_dn');
154 $this->commonLdapMocks(1, 1, 1, 2, 1);
155 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(1)
156 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))
157 ->andReturn(['count' => 1, 0 => [
158 'cn' => [$this->mockUser->name],
160 'mail' => [$this->mockUser->email],
163 $resp = $this->mockUserLogin();
164 $resp->assertRedirect('/');
165 $this->followRedirects($resp)->assertSee($this->mockUser->name);
166 $this->assertDatabaseHas('users', ['email' => $this->mockUser->email, 'email_confirmed' => false, 'external_auth_id' => $ldapDn]);
169 public function test_a_custom_uid_attribute_can_be_specified_and_is_used_properly()
171 config()->set(['services.ldap.id_attribute' => 'my_custom_id']);
173 $this->commonLdapMocks(1, 1, 1, 2, 1);
174 $ldapDn = 'cn=test-user,dc=test' . config('services.ldap.base_dn');
175 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(1)
176 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))
177 ->andReturn(['count' => 1, 0 => [
178 'cn' => [$this->mockUser->name],
180 'my_custom_id' => ['cooluser456'],
181 'mail' => [$this->mockUser->email],
184 $resp = $this->mockUserLogin();
185 $resp->assertRedirect('/');
186 $this->followRedirects($resp)->assertSee($this->mockUser->name);
187 $this->assertDatabaseHas('users', ['email' => $this->mockUser->email, 'email_confirmed' => false, 'external_auth_id' => 'cooluser456']);
190 public function test_user_filter_default_placeholder_format()
192 config()->set('services.ldap.user_filter', '(&(uid={user}))');
193 $this->mockUser->name = 'barryldapuser';
194 $expectedFilter = '(&(uid=\62\61\72\72\79\6c\64\61\70\75\73\65\72))';
196 $this->commonLdapMocks(1, 1, 1, 1, 1);
197 $this->mockLdap->shouldReceive('searchAndGetEntries')
199 ->with($this->resourceId, config('services.ldap.base_dn'), $expectedFilter, \Mockery::type('array'))
200 ->andReturn(['count' => 0, 0 => []]);
202 $resp = $this->mockUserLogin();
203 $resp->assertRedirect('/login');
206 public function test_user_filter_old_placeholder_format()
208 config()->set('services.ldap.user_filter', '(&(username=${user}))');
209 $this->mockUser->name = 'barryldapuser';
210 $expectedFilter = '(&(username=\62\61\72\72\79\6c\64\61\70\75\73\65\72))';
212 $this->commonLdapMocks(1, 1, 1, 1, 1);
213 $this->mockLdap->shouldReceive('searchAndGetEntries')
215 ->with($this->resourceId, config('services.ldap.base_dn'), $expectedFilter, \Mockery::type('array'))
216 ->andReturn(['count' => 0, 0 => []]);
218 $resp = $this->mockUserLogin();
219 $resp->assertRedirect('/login');
222 public function test_initial_incorrect_credentials()
224 $this->commonLdapMocks(1, 1, 1, 0, 1);
225 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(1)
226 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))
227 ->andReturn(['count' => 1, 0 => [
228 'uid' => [$this->mockUser->name],
229 'cn' => [$this->mockUser->name],
230 'dn' => 'dc=test' . config('services.ldap.base_dn'),
232 $this->mockLdap->shouldReceive('bind')->times(2)->andReturn(true, false);
234 $resp = $this->mockUserLogin();
235 $resp->assertRedirect('/login');
236 $this->followRedirects($resp)->assertSee('These credentials do not match our records.');
237 $this->assertDatabaseMissing('users', ['external_auth_id' => $this->mockUser->name]);
240 public function test_login_not_found_username()
242 $this->commonLdapMocks(1, 1, 1, 1, 1);
243 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(1)
244 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))
245 ->andReturn(['count' => 0]);
247 $resp = $this->mockUserLogin();
248 $resp->assertRedirect('/login');
249 $this->followRedirects($resp)->assertSee('These credentials do not match our records.');
250 $this->assertDatabaseMissing('users', ['external_auth_id' => $this->mockUser->name]);
253 public function test_create_user_form()
255 $userForm = $this->asAdmin()->get('/settings/users/create');
256 $userForm->assertDontSee('Password');
258 $save = $this->post('/settings/users/create', [
259 'name' => $this->mockUser->name,
260 'email' => $this->mockUser->email,
262 $save->assertSessionHasErrors(['external_auth_id' => 'The external auth id field is required.']);
264 $save = $this->post('/settings/users/create', [
265 'name' => $this->mockUser->name,
266 'email' => $this->mockUser->email,
267 'external_auth_id' => $this->mockUser->name,
269 $save->assertRedirect('/settings/users');
270 $this->assertDatabaseHas('users', ['email' => $this->mockUser->email, 'external_auth_id' => $this->mockUser->name, 'email_confirmed' => true]);
273 public function test_user_edit_form()
275 $editUser = $this->users->viewer();
276 $editPage = $this->asAdmin()->get("/settings/users/{$editUser->id}");
277 $editPage->assertSee('Edit User');
278 $editPage->assertDontSee('Password');
280 $update = $this->put("/settings/users/{$editUser->id}", [
281 'name' => $editUser->name,
282 'email' => $editUser->email,
283 'external_auth_id' => 'test_auth_id',
285 $update->assertRedirect('/settings/users');
286 $this->assertDatabaseHas('users', ['email' => $editUser->email, 'external_auth_id' => 'test_auth_id']);
289 public function test_registration_disabled()
291 $resp = $this->followingRedirects()->get('/register');
292 $this->withHtml($resp)->assertElementContains('#content', 'Log In');
295 public function test_non_admins_cannot_change_auth_id()
297 $testUser = $this->users->viewer();
298 $this->actingAs($testUser)
299 ->get('/settings/users/' . $testUser->id)
300 ->assertDontSee('External Authentication');
303 public function test_login_maps_roles_and_retains_existing_roles()
305 $roleToReceive = Role::factory()->create(['display_name' => 'LdapTester']);
306 $roleToReceive2 = Role::factory()->create(['display_name' => 'LdapTester Second']);
307 $existingRole = Role::factory()->create(['display_name' => 'ldaptester-existing']);
308 $this->mockUser->forceFill(['external_auth_id' => $this->mockUser->name])->save();
309 $this->mockUser->attachRole($existingRole);
312 'services.ldap.user_to_groups' => true,
313 'services.ldap.group_attribute' => 'memberOf',
314 'services.ldap.remove_from_groups' => false,
317 $this->commonLdapMocks(1, 1, 4, 5, 2, 2, 2);
318 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(2)
319 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))
320 ->andReturn(['count' => 1, 0 => [
321 'uid' => [$this->mockUser->name],
322 'cn' => [$this->mockUser->name],
323 'dn' => 'dc=test' . config('services.ldap.base_dn'),
324 'mail' => [$this->mockUser->email],
327 0 => 'cn=ldaptester,ou=groups,dc=example,dc=com',
328 1 => 'cn=ldaptester-second,ou=groups,dc=example,dc=com',
332 $this->mockUserLogin()->assertRedirect('/');
334 $user = User::where('email', $this->mockUser->email)->first();
335 $this->assertDatabaseHas('role_user', [
336 'user_id' => $user->id,
337 'role_id' => $roleToReceive->id,
339 $this->assertDatabaseHas('role_user', [
340 'user_id' => $user->id,
341 'role_id' => $roleToReceive2->id,
343 $this->assertDatabaseHas('role_user', [
344 'user_id' => $user->id,
345 'role_id' => $existingRole->id,
349 public function test_login_maps_roles_and_removes_old_roles_if_set()
351 $roleToReceive = Role::factory()->create(['display_name' => 'LdapTester']);
352 $existingRole = Role::factory()->create(['display_name' => 'ldaptester-existing']);
353 $this->mockUser->forceFill(['external_auth_id' => $this->mockUser->name])->save();
354 $this->mockUser->attachRole($existingRole);
357 'services.ldap.user_to_groups' => true,
358 'services.ldap.group_attribute' => 'memberOf',
359 'services.ldap.remove_from_groups' => true,
362 $this->commonLdapMocks(1, 1, 3, 4, 2, 1, 1);
363 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(2)
364 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))
365 ->andReturn(['count' => 1, 0 => [
366 'uid' => [$this->mockUser->name],
367 'cn' => [$this->mockUser->name],
368 'dn' => 'dc=test' . config('services.ldap.base_dn'),
369 'mail' => [$this->mockUser->email],
372 0 => 'cn=ldaptester,ou=groups,dc=example,dc=com',
376 $this->mockUserLogin()->assertRedirect('/');
378 $user = User::query()->where('email', $this->mockUser->email)->first();
379 $this->assertDatabaseHas('role_user', [
380 'user_id' => $user->id,
381 'role_id' => $roleToReceive->id,
383 $this->assertDatabaseMissing('role_user', [
384 'user_id' => $user->id,
385 'role_id' => $existingRole->id,
389 public function test_dump_user_groups_shows_group_related_details_as_json()
392 'services.ldap.user_to_groups' => true,
393 'services.ldap.group_attribute' => 'memberOf',
394 'services.ldap.remove_from_groups' => true,
395 'services.ldap.dump_user_groups' => true,
398 $userResp = ['count' => 1, 0 => [
399 'uid' => [$this->mockUser->name],
400 'cn' => [$this->mockUser->name],
401 'dn' => 'dc=test,' . config('services.ldap.base_dn'),
402 'mail' => [$this->mockUser->email],
404 $this->commonLdapMocks(1, 1, 4, 5, 2, 2, 0);
405 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(2)
406 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))
407 ->andReturn($userResp, ['count' => 1,
409 'dn' => 'dc=test,' . config('services.ldap.base_dn'),
412 0 => 'cn=ldaptester,ou=groups,dc=example,dc=com',
417 $this->mockLdap->shouldReceive('read')->times(2);
418 $this->mockLdap->shouldReceive('getEntries')->times(2)
422 'dn' => 'cn=ldaptester,ou=groups,dc=example,dc=com',
425 0 => 'cn=monsters,ou=groups,dc=example,dc=com',
430 $resp = $this->mockUserLogin();
432 'details_from_ldap' => [
433 'dn' => 'dc=test,' . config('services.ldap.base_dn'),
435 0 => 'cn=ldaptester,ou=groups,dc=example,dc=com',
439 'parsed_direct_user_groups' => [
440 'cn=ldaptester,ou=groups,dc=example,dc=com',
442 'parsed_recursive_user_groups' => [
443 'cn=ldaptester,ou=groups,dc=example,dc=com',
444 'cn=monsters,ou=groups,dc=example,dc=com',
446 'parsed_resulting_group_names' => [
453 public function test_recursive_group_search_queries_via_full_dn()
456 'services.ldap.user_to_groups' => true,
457 'services.ldap.group_attribute' => 'memberOf',
460 $userResp = ['count' => 1, 0 => [
461 'uid' => [$this->mockUser->name],
462 'cn' => [$this->mockUser->name],
463 'dn' => 'dc=test,' . config('services.ldap.base_dn'),
464 'mail' => [$this->mockUser->email],
466 $groupResp = ['count' => 1,
468 'dn' => 'dc=test,' . config('services.ldap.base_dn'),
471 0 => 'cn=ldaptester,ou=groups,dc=example,dc=com',
476 $this->commonLdapMocks(1, 1, 3, 4, 2, 1);
478 $escapedName = ldap_escape($this->mockUser->name);
479 $this->mockLdap->shouldReceive('searchAndGetEntries')->twice()
480 ->with($this->resourceId, config('services.ldap.base_dn'), "(&(uid={$escapedName}))", \Mockery::type('array'))
481 ->andReturn($userResp, $groupResp);
483 $this->mockLdap->shouldReceive('read')->times(1)
484 ->with($this->resourceId, 'cn=ldaptester,ou=groups,dc=example,dc=com', '(objectClass=*)', ['memberof'])
485 ->andReturn(['count' => 0]);
486 $this->mockLdap->shouldReceive('getEntries')->times(1)
487 ->with($this->resourceId, ['count' => 0])
488 ->andReturn(['count' => 0]);
490 $resp = $this->mockUserLogin();
491 $resp->assertRedirect('/');
494 public function test_external_auth_id_visible_in_roles_page_when_ldap_active()
496 $role = Role::factory()->create(['display_name' => 'ldaptester', 'external_auth_id' => 'ex-auth-a, test-second-param']);
497 $this->asAdmin()->get('/settings/roles/' . $role->id)
498 ->assertSee('ex-auth-a');
501 public function test_login_maps_roles_using_external_auth_ids_if_set()
503 $roleToReceive = Role::factory()->create(['display_name' => 'ldaptester', 'external_auth_id' => 'test-second-param, ex-auth-a']);
504 $roleToNotReceive = Role::factory()->create(['display_name' => 'ex-auth-a', 'external_auth_id' => 'test-second-param']);
507 'services.ldap.user_to_groups' => true,
508 'services.ldap.group_attribute' => 'memberOf',
509 'services.ldap.remove_from_groups' => true,
512 $this->commonLdapMocks(1, 1, 3, 4, 2, 1, 1);
513 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(2)
514 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))
515 ->andReturn(['count' => 1, 0 => [
516 'uid' => [$this->mockUser->name],
517 'cn' => [$this->mockUser->name],
518 'dn' => 'dc=test' . config('services.ldap.base_dn'),
519 'mail' => [$this->mockUser->email],
522 0 => 'cn=ex-auth-a,ou=groups,dc=example,dc=com',
526 $this->mockUserLogin()->assertRedirect('/');
528 $user = User::query()->where('email', $this->mockUser->email)->first();
529 $this->assertDatabaseHas('role_user', [
530 'user_id' => $user->id,
531 'role_id' => $roleToReceive->id,
533 $this->assertDatabaseMissing('role_user', [
534 'user_id' => $user->id,
535 'role_id' => $roleToNotReceive->id,
539 public function test_login_group_mapping_does_not_conflict_with_default_role()
541 $roleToReceive = Role::factory()->create(['display_name' => 'LdapTester']);
542 $roleToReceive2 = Role::factory()->create(['display_name' => 'LdapTester Second']);
543 $this->mockUser->forceFill(['external_auth_id' => $this->mockUser->name])->save();
545 setting()->put('registration-role', $roleToReceive->id);
548 'services.ldap.user_to_groups' => true,
549 'services.ldap.group_attribute' => 'memberOf',
550 'services.ldap.remove_from_groups' => true,
553 $this->commonLdapMocks(1, 1, 4, 5, 2, 2, 2);
554 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(2)
555 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))
556 ->andReturn(['count' => 1, 0 => [
557 'uid' => [$this->mockUser->name],
558 'cn' => [$this->mockUser->name],
559 'dn' => 'dc=test' . config('services.ldap.base_dn'),
560 'mail' => [$this->mockUser->email],
563 0 => 'cn=ldaptester,ou=groups,dc=example,dc=com',
564 1 => 'cn=ldaptester-second,ou=groups,dc=example,dc=com',
568 $this->mockUserLogin()->assertRedirect('/');
570 $user = User::query()->where('email', $this->mockUser->email)->first();
571 $this->assertDatabaseHas('role_user', [
572 'user_id' => $user->id,
573 'role_id' => $roleToReceive->id,
575 $this->assertDatabaseHas('role_user', [
576 'user_id' => $user->id,
577 'role_id' => $roleToReceive2->id,
581 public function test_login_uses_specified_display_name_attribute()
584 'services.ldap.display_name_attribute' => 'displayName',
587 $this->commonLdapMocks(1, 1, 2, 4, 2);
588 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(2)
589 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))
590 ->andReturn(['count' => 1, 0 => [
591 'uid' => [$this->mockUser->name],
592 'cn' => [$this->mockUser->name],
593 'dn' => 'dc=test' . config('services.ldap.base_dn'),
594 'displayname' => 'displayNameAttribute',
597 $this->mockUserLogin()->assertRedirect('/login');
598 $this->get('/login')->assertSee('Please enter an email to use for this account.');
600 $resp = $this->mockUserLogin($this->mockUser->email);
601 $resp->assertRedirect('/');
602 $this->get('/')->assertSee('displayNameAttribute');
603 $this->assertDatabaseHas('users', ['email' => $this->mockUser->email, 'email_confirmed' => false, 'external_auth_id' => $this->mockUser->name, 'name' => 'displayNameAttribute']);
606 public function test_login_uses_multiple_display_properties_if_defined()
609 'services.ldap.display_name_attribute' => 'firstname|middlename|noname|lastname',
612 $this->commonLdapMocks(1, 1, 1, 2, 1);
613 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(1)
614 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))
615 ->andReturn(['count' => 1, 0 => [
616 'uid' => [$this->mockUser->name],
617 'cn' => [$this->mockUser->name],
618 'dn' => 'dc=test' . config('services.ldap.base_dn'),
619 'firstname' => ['Barry'],
620 'middlename' => ['Elliott'],
621 'lastname' => ['Chuckle'],
622 'mail' => [$this->mockUser->email],
625 $this->mockUserLogin();
627 $this->assertDatabaseHas('users', [
628 'email' => $this->mockUser->email,
629 'name' => 'Barry Elliott Chuckle',
633 public function test_login_uses_default_display_name_attribute_if_specified_not_present()
636 'services.ldap.display_name_attribute' => 'displayName',
639 $this->commonLdapMocks(1, 1, 2, 4, 2);
640 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(2)
641 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))
642 ->andReturn(['count' => 1, 0 => [
643 'uid' => [$this->mockUser->name],
644 'cn' => [$this->mockUser->name],
645 'dn' => 'dc=test' . config('services.ldap.base_dn'),
648 $this->mockUserLogin()->assertRedirect('/login');
649 $this->get('/login')->assertSee('Please enter an email to use for this account.');
651 $resp = $this->mockUserLogin($this->mockUser->email);
652 $resp->assertRedirect('/');
653 $this->get('/')->assertSee($this->mockUser->name);
654 $this->assertDatabaseHas('users', [
655 'email' => $this->mockUser->email,
656 'email_confirmed' => false,
657 'external_auth_id' => $this->mockUser->name,
658 'name' => $this->mockUser->name,
662 protected function checkLdapReceivesCorrectDetails($serverString, $expectedHostString): void
664 app('config')->set(['services.ldap.server' => $serverString]);
666 $this->mockLdap->shouldReceive('connect')
668 ->with($expectedHostString)
671 $this->mockUserLogin();
674 public function test_ldap_receives_correct_connect_host_from_config()
676 $expectedResultByInput = [
677 'ldaps://bookstack:8080' => 'ldaps://bookstack:8080',
678 'ldap.bookstack.com:8080' => 'ldap://ldap.bookstack.com:8080',
679 'ldap.bookstack.com' => 'ldap://ldap.bookstack.com',
680 'ldaps://ldap.bookstack.com' => 'ldaps://ldap.bookstack.com',
681 'ldaps://ldap.bookstack.com ldap://a.b.com' => 'ldaps://ldap.bookstack.com ldap://a.b.com',
684 foreach ($expectedResultByInput as $input => $expectedResult) {
685 $this->checkLdapReceivesCorrectDetails($input, $expectedResult);
686 $this->refreshApplication();
691 public function test_forgot_password_routes_inaccessible()
693 $resp = $this->get('/password/email');
694 $this->assertPermissionError($resp);
696 $resp = $this->post('/password/email');
697 $this->assertPermissionError($resp);
699 $resp = $this->get('/password/reset/abc123');
700 $this->assertPermissionError($resp);
702 $resp = $this->post('/password/reset');
703 $this->assertPermissionError($resp);
706 public function test_user_invite_routes_inaccessible()
708 $resp = $this->get('/register/invite/abc123');
709 $this->assertPermissionError($resp);
711 $resp = $this->post('/register/invite/abc123');
712 $this->assertPermissionError($resp);
715 public function test_user_register_routes_inaccessible()
717 $resp = $this->get('/register');
718 $this->assertPermissionError($resp);
720 $resp = $this->post('/register');
721 $this->assertPermissionError($resp);
724 public function test_dump_user_details_option_works()
726 config()->set(['services.ldap.dump_user_details' => true, 'services.ldap.thumbnail_attribute' => 'jpegphoto']);
728 $this->commonLdapMocks(1, 1, 1, 1, 1);
729 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(1)
730 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))
731 ->andReturn(['count' => 1, 0 => [
732 'uid' => [$this->mockUser->name],
733 'cn' => [$this->mockUser->name],
734 // Test dumping binary data for avatar responses
735 'jpegphoto' => base64_decode('/9j/4AAQSkZJRg=='),
736 'dn' => 'dc=test' . config('services.ldap.base_dn'),
739 $resp = $this->post('/login', [
740 'username' => $this->mockUser->name,
741 'password' => $this->mockUser->password,
743 $resp->assertJsonStructure([
744 'details_from_ldap' => [],
745 'details_bookstack_parsed' => [],
749 public function test_start_tls_called_if_option_set()
751 config()->set(['services.ldap.start_tls' => true]);
752 $this->mockLdap->shouldReceive('startTls')->once()->andReturn(true);
753 $this->runFailedAuthLogin();
756 public function test_connection_fails_if_tls_fails()
758 config()->set(['services.ldap.start_tls' => true]);
759 $this->mockLdap->shouldReceive('startTls')->once()->andReturn(false);
760 $this->commonLdapMocks(1, 1, 0, 0, 0);
761 $resp = $this->post('/login', ['username' => 'timmyjenkins', 'password' => 'cattreedog']);
762 $resp->assertStatus(500);
765 public function test_ldap_attributes_can_be_binary_decoded_if_marked()
767 config()->set(['services.ldap.id_attribute' => 'BIN;uid']);
768 $ldapService = app()->make(LdapService::class);
769 $this->commonLdapMocks(1, 1, 1, 1, 1);
770 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(1)
771 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), ['cn', 'dn', 'uid', 'mail', 'cn'])
772 ->andReturn(['count' => 1, 0 => [
773 'uid' => [hex2bin('FFF8F7')],
774 'cn' => [$this->mockUser->name],
775 'dn' => 'dc=test' . config('services.ldap.base_dn'),
778 $details = $ldapService->getUserDetails('test');
779 $this->assertEquals('fff8f7', $details['uid']);
782 public function test_new_ldap_user_login_with_already_used_email_address_shows_error_message_to_user()
784 $this->commonLdapMocks(1, 1, 2, 4, 2);
785 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(2)
786 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))
787 ->andReturn(['count' => 1, 0 => [
788 'uid' => [$this->mockUser->name],
789 'cn' => [$this->mockUser->name],
790 'dn' => 'dc=test' . config('services.ldap.base_dn'),
792 ]], ['count' => 1, 0 => [
795 'dn' => 'dc=bscott' . config('services.ldap.base_dn'),
800 $this->mockUserLogin()->assertRedirect('/');
804 $resp = $this->followingRedirects()->post('/login', ['username' => 'bscott', 'password' => 'pass']);
805 $resp->assertSee('A user with the email
[email protected] already exists but with different credentials');
808 public function test_login_with_email_confirmation_required_maps_groups_but_shows_confirmation_screen()
810 $roleToReceive = Role::factory()->create(['display_name' => 'LdapTester']);
811 $user = User::factory()->make();
812 setting()->put('registration-confirmation', 'true');
815 'services.ldap.user_to_groups' => true,
816 'services.ldap.group_attribute' => 'memberOf',
817 'services.ldap.remove_from_groups' => true,
820 $this->commonLdapMocks(1, 1, 6, 8, 4, 2, 2);
821 $this->mockLdap->shouldReceive('searchAndGetEntries')
823 ->andReturn(['count' => 1, 0 => [
824 'uid' => [$user->name],
825 'cn' => [$user->name],
826 'dn' => 'dc=test' . config('services.ldap.base_dn'),
827 'mail' => [$user->email],
830 0 => 'cn=ldaptester,ou=groups,dc=example,dc=com',
834 $login = $this->followingRedirects()->mockUserLogin();
835 $login->assertSee('Thanks for registering!');
836 $this->assertDatabaseHas('users', [
837 'email' => $user->email,
838 'email_confirmed' => false,
841 $user = User::query()->where('email', '=', $user->email)->first();
842 $this->assertDatabaseHas('role_user', [
843 'user_id' => $user->id,
844 'role_id' => $roleToReceive->id,
847 $this->assertNull(auth()->user());
849 $homePage = $this->get('/');
850 $homePage->assertRedirect('/login');
852 $login = $this->followingRedirects()->mockUserLogin();
853 $login->assertSee('Email Address Not Confirmed');
856 public function test_failed_logins_are_logged_when_message_configured()
858 $log = $this->withTestLogger();
859 config()->set(['logging.failed_login.message' => 'Failed login for %u']);
860 $this->runFailedAuthLogin();
861 $this->assertTrue($log->hasWarningThatContains('Failed login for timmyjenkins'));
864 public function test_thumbnail_attribute_used_as_user_avatar_if_configured()
866 config()->set(['services.ldap.thumbnail_attribute' => 'jpegPhoto']);
868 $this->commonLdapMocks(1, 1, 1, 2, 1);
869 $ldapDn = 'cn=test-user,dc=test' . config('services.ldap.base_dn');
870 $this->mockLdap->shouldReceive('searchAndGetEntries')->times(1)
871 ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array'))
872 ->andReturn(['count' => 1, 0 => [
873 'cn' => [$this->mockUser->name],
875 'jpegphoto' => [base64_decode('/9j/2wBDAAMCAgICAgMCAgIDAwMDBAYEBAQEBAgGBgUGCQgKCgkICQkKDA8MCgsOCwkJDRENDg8Q
876 EBEQCgwSExIQEw8QEBD/yQALCAABAAEBAREA/8wABgAQEAX/2gAIAQEAAD8A0s8g/9k=')],
877 'mail' => [$this->mockUser->email],
880 $this->mockUserLogin()
881 ->assertRedirect('/');
883 $user = User::query()->where('email', '=', $this->mockUser->email)->first();
884 $this->assertNotNull($user->avatar);
885 $this->assertEquals('8c90748342f19b195b9c6b4eff742ded', md5_file(public_path($user->avatar->path)));
888 public function test_tls_ca_cert_option_throws_if_set_to_invalid_location()
890 $path = 'non_found_' . time();
891 config()->set(['services.ldap.tls_ca_cert' => $path]);
893 $this->commonLdapMocks(0, 0, 0, 0, 0);
895 $this->assertThrows(function () {
896 $this->withoutExceptionHandling()->mockUserLogin();
897 }, LdapException::class, "Provided path [{$path}] for LDAP TLS CA certs could not be resolved to an existing location");
900 public function test_tls_ca_cert_option_used_if_set_to_a_folder()
902 $path = $this->files->testFilePath('');
903 config()->set(['services.ldap.tls_ca_cert' => $path]);
905 $this->mockLdap->shouldReceive('setOption')->once()->with(null, LDAP_OPT_X_TLS_CACERTDIR, rtrim($path, '/'))->andReturn(true);
906 $this->runFailedAuthLogin();
909 public function test_tls_ca_cert_option_used_if_set_to_a_file()
911 $path = $this->files->testFilePath('test-file.txt');
912 config()->set(['services.ldap.tls_ca_cert' => $path]);
914 $this->mockLdap->shouldReceive('setOption')->once()->with(null, LDAP_OPT_X_TLS_CACERTFILE, $path)->andReturn(true);
915 $this->runFailedAuthLogin();
projects / bookstack / blob