author | Thomas Steur <tsteur@users.noreply.github.com> | 2020-10-01 23:12:31 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-10-01 23:12:31 +0300 |
commit | 82186597b37e255a5b13f6b9c7e53d323b2c501b (patch) | |
tree | 5f30ed30c5cd63d6451280e7a6b8081245be6316 /plugins/CoreHome | |
parent | 13cda22af49f616d1e5967364a041215f864d0c5 (diff) |
Rename login_whitelist_ip config to login_allowlist_ip (#16413)
Diffstat (limited to 'plugins/CoreHome')
-rw-r--r-- | plugins/CoreHome/CoreHome.php | 6 | ||||
-rw-r--r-- | plugins/CoreHome/LoginAllowlist.php (renamed from plugins/CoreHome/LoginWhitelist.php) | 28 | ||||
-rw-r--r-- | plugins/CoreHome/lang/en.json | 2 | ||||
-rw-r--r-- | plugins/CoreHome/tests/Integration/LoginAllowlistTest.php | 238 | ||||
-rw-r--r-- | plugins/CoreHome/tests/Integration/LoginWhitelistTest.php | 219 |
5 files changed, 256 insertions, 237 deletions
diff --git a/plugins/CoreHome/CoreHome.php b/plugins/CoreHome/CoreHome.php index 6b6b7bceb0..72d4aec660 100644 --- a/plugins/CoreHome/CoreHome.php +++ b/plugins/CoreHome/CoreHome.php @@ -82,10 +82,10 @@ class CoreHome extends \Piwik\Plugin return; } - $whitelist = new LoginWhitelist(); - if ($whitelist->shouldCheckWhitelist()) { + $list = new LoginAllowlist(); + if ($list->shouldCheckAllowlist()) { $ip = IP::getIpFromHeader(); - $whitelist->checkIsWhitelisted($ip); + $list->checkIsAllowed($ip); } } diff --git a/plugins/CoreHome/LoginWhitelist.php b/plugins/CoreHome/LoginAllowlist.php index 8621e5a502..5101e7e3d9 100644 --- a/plugins/CoreHome/LoginWhitelist.php +++ b/plugins/CoreHome/LoginAllowlist.php @@ -20,15 +20,15 @@ use Piwik\SettingsServer; * This class is in CoreHome since some alternative Login plugins disable the Login plugin and we want to ensure the * feature works for all login plugins. */ -class LoginWhitelist +class LoginAllowlist { - public function shouldWhitelistApplyToAPI() + public function shouldAllowlistApplyToAPI() { $general = $this->getGeneralConfig(); - return !empty($general['login_whitelist_apply_to_reporting_api_requests']); + return !empty($general['login_allowlist_apply_to_reporting_api_requests']) || !empty($general['login_whitelist_apply_to_reporting_api_requests']); } - public function shouldCheckWhitelist() + public function shouldCheckAllowlist() { if (Common::isPhpCliMode()) { return false; 
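Review bot: In `shouldAllowlistApplyToAPI()` the new and the legacy key are combined with `||`, so an explicit `0` in one key cannot switch the API check off while the other key is still truthy, and nothing in the hunk says which key takes precedence. That direction fails closed (the IP restriction stays on), but an operator who sets `login_allowlist_apply_to_reporting_api_requests = 0` while a stale `login_whitelist_apply_to_reporting_api_requests = 1` remains in the config will see the setting ignored; the reverse case depends on the new key's default, which is not visible here. I would add a comment above the return such as `// BC: either key enables the check; the deprecated login_whitelist_* key can no longer disable it on its own`, and cover the both-keys-set case in LoginAllowlistTest. The class body continues outside the hunk.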
@@ -39,35 +39,35 @@ class LoginWhitelist return false; } - $ips = $this->getWhitelistedLoginIps(); + $ips = $this->getAllowlistedLoginIps(); return !empty($ips); } - public function checkIsWhitelisted($ipString) + public function checkIsAllowed($ipString) { - if (!$this->isIpWhitelisted($ipString)) { - throw new NoAccessException(Piwik::translate('CoreHome_ExceptionNotWhitelistedIP', $ipString)); + if (!$this->isIpAllowed($ipString)) { + throw new NoAccessException(Piwik::translate('CoreHome_ExceptionNotAllowlistedIP', $ipString)); } } - public function isIpWhitelisted($userIpString) + public function isIpAllowed($userIpString) { $userIp = NetworkIp::fromStringIP($userIpString); - $ipsWhitelisted = $this->getWhitelistedLoginIps(); + $ipsAllowed = $this->getAllowlistedLoginIps(); - if (empty($ipsWhitelisted)) { + if (empty($ipsAllowed)) { return false; } - return $userIp->isInRanges($ipsWhitelisted); + return $userIp->isInRanges($ipsAllowed); } /** * @return array */ - protected function getWhitelistedLoginIps() + protected function getAllowlistedLoginIps() { - $ips = StaticContainer::get('login.whitelist.ips'); + $ips = StaticContainer::get('login.allowlist.ips'); if (!empty($ips) && is_array($ips)) { $ips = array_map(function ($ip) { diff --git a/plugins/CoreHome/lang/en.json b/plugins/CoreHome/lang/en.json index 730834fcf9..fb1ae8c3ec 100644 --- a/plugins/CoreHome/lang/en.json +++ b/plugins/CoreHome/lang/en.json @@ -23,7 +23,7 @@ "EndShortcut": "End", "EnterZenMode": "Enter Zen mode (hide the menus)", "ExitZenMode": "Exit Zen mode (show the menus)", - "ExceptionNotWhitelistedIP": "You cannot use this Matomo as your IP %s is not whitelisted", + "ExceptionNotAllowlistedIP": "You cannot use this Matomo as your IP %s is not allowed.", "ExcludeRowsWithLowPopulation": "All rows are shown %s Exclude low population", "ExternalHelp": "Help (opens in new tab)", "FlattenDataTable": "The report is hierarchical %s Make it flat", 
diff --git a/plugins/CoreHome/tests/Integration/LoginAllowlistTest.php b/plugins/CoreHome/tests/Integration/LoginAllowlistTest.php
new file mode 100644
index 0000000000..993a722648
--- /dev/null
+++ b/plugins/CoreHome/tests/Integration/LoginAllowlistTest.php
@@ -0,0 +1,238 @@
+<?php
+/**
+ * Matomo - free/libre analytics platform
+ *
+ * @link https://matomo.org
+ * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
+ */
+
+namespace Piwik\Plugins\CoreHome\tests\Integration;
+
+use Piwik\Common;
+use Piwik\Config;
+use Piwik\NoAccessException;
+use Piwik\Plugins\CoreHome\LoginAllowlist;
+use Piwik\Tests\Framework\Mock\FakeAccess;
+use Piwik\Tests\Framework\TestCase\IntegrationTestCase;
+
+class CustomLoginAllowlist extends LoginAllowlist {
+
+ public function getAllowlistedLoginIps()
+ {
+ return parent::getAllowlistedLoginIps();
+ }
+
+ public function isIpAllowed($ip)
+ {
+ return parent::isIpAllowed($ip);
+ }
+}
+
+/**
+ * @group Plugins
+ * @group LoginAllowlist
+ * @group LoginAllowlistTest
+ */
+class LoginAllowlistTest extends IntegrationTestCase
+{
+ /**
+ * @var CustomLoginAllowlist
+ */
+ private $allowlist;
+
+ private $cliMode;
+
+ public function setUp(): void
+ {
+ parent::setUp();
+
+ $this->cliMode = Common::$isCliMode;
+ Common::$isCliMode = false;
+
+ $this->allowlist = new CustomLoginAllowlist();
+ }
+
+ public function tearDown(): void
+ {
+ Common::$isCliMode = $this->cliMode;
+ parent::tearDown();
+ }
+
+ public function test_shouldAllowlistApplyToAPI_shouldBeEnabledByDefault()
+ {
+ $this->assertTrue($this->allowlist->shouldAllowlistApplyToAPI());
+ }
+
+ public function test_shouldAllowlistApplyToAPI_canBeDisabled()
+ {
+ $this->setGeneralConfig('login_allowlist_apply_to_reporting_api_requests', '0');
+ $this->assertFalse($this->allowlist->shouldAllowlistApplyToAPI());
+ }
+
+ public function test_shouldAllowlistApplyToAPI_enabled()
+ {
+ $this->setGeneralConfig('login_allowlist_apply_to_reporting_api_requests', '1');
+ $this->assertTrue($this->allowlist->shouldAllowlistApplyToAPI());
+ }
+
+ public function test_shouldWhitelistApplyToAPI_enabledBC()
+ {
+ $this->setGeneralConfig('login_whitelist_apply_to_reporting_api_requests', '1');
+ $this->assertTrue($this->allowlist->shouldAllowlistApplyToAPI());
+ }
+
+ public function test_shouldCheckWhitelist_shouldNotBeCheckedByDefaultAndNotHaveAnyIps()
+ {
+ $this->assertFalse($this->allowlist->shouldCheckAllowlist());
+ }
+
+ public function test_shouldCheckAllowlist_shouldBeCheckedIfHasAtLeastOneIp()
+ {
+ $this->setGeneralConfig('login_allowlist_ip', ['192.168.33.1']);
+ $this->assertTrue($this->allowlist->shouldCheckAllowlist());
+ }
+
+ public function test_shouldCheckAllowlist_shouldNotBeCheckedIfExecutedFromCLI()
+ {
+ Common::$isCliMode = true;
+ $this->setGeneralConfig('login_allowlist_ip', ['192.168.33.1']);
+ $this->assertFalse($this->allowlist->shouldCheckAllowlist());
+ }
+
+ public function test_shouldCheckWhitelist_shouldBeCheckedIfHasAtLeastOneIp_forBC()
+ {
+ $this->setGeneralConfig('login_whitelist_ip', ['192.168.33.1']);
+ $this->assertTrue($this->allowlist->shouldCheckAllowlist());
+ }
+
+ public function test_shouldCheckWhitelist_shouldNotBeCheckedIfExecutedFromCLI_forBC()
+ {
+ Common::$isCliMode = true;
+ $this->setGeneralConfig('login_whitelist_ip', ['192.168.33.1']);
+ $this->assertFalse($this->allowlist->shouldCheckAllowlist());
+ }
+
+ public function test_shouldCheckWhitelist_shouldNotBeCheckedIfOnlyEmptyEntries()
+ {
+ $this->setGeneralConfig('login_allowlist_ip', ['', ' ']);
+ $this->assertFalse($this->allowlist->shouldCheckAllowlist());
+ }
+
+ public function test_getAllowlistedLoginIps_shouldReturnEmptyArrayByDefault()
+ {
+ $this->assertSame($this->allowlist->getAllowlistedLoginIps(), []);
+ }
+
+ public function test_getAllowlistedLoginIps_shouldReturnIpsAndTrimIfNeeded()
+ {
+ $this->setGeneralConfig('login_allowlist_ip', ['192.168.33.1', ' 127.0.0.1 ', '2001:0db8:85a3:0000:0000:8a2e:0370:7334']);
+ $this->assertSame(['192.168.33.1', '127.0.0.1', '2001:0db8:85a3:0000:0000:8a2e:0370:7334'], $this->allowlist->getAllowlistedLoginIps());
+ }
+
+ public function test_getAllowlistedLoginIps_shouldResolveIp()
+ {
+ $this->setGeneralConfig('login_allowlist_ip', ['192.168.33.1', 'matomo.org', '127.0.0.1']);
+ $this->assertSame(['192.168.33.1', '185.31.40.177', '127.0.0.1'], $this->allowlist->getAllowlistedLoginIps());
+ }
+
+ public function test_getAllowlistedLoginIps_shouldNotBeCheckedIfOnlyEmptyEntries()
+ {
+ $this->setGeneralConfig('login_allowlist_ip', ['', '192.168.33.1 ', ' ']);
+ $this->assertSame(['192.168.33.1'], $this->allowlist->getAllowlistedLoginIps());
+ }
+
+ public function test_getAllowlistedLoginIps_shouldNotReturnDuplicates()
+ {
+ $this->setGeneralConfig('login_allowlist_ip', [' 192.168.33.1', '192.168.33.1 ', ' 192.168.33.1 ', '192.168.33.1']);
+ $this->assertSame(['192.168.33.1'], $this->allowlist->getAllowlistedLoginIps());
+ }
+
+ /**
+ * @dataProvider getIpAllowlistedTests
+ */
+ public function test_isIpAllowlisted($expectedIsAllowlisted, $ipString)
+ {
+ $ipsAllowlisted = [
+ '127.0.0.1',
+ '192.168.33.1',
+ '2001:0db8:85a3:0000:0000:8a2e:0370:7334',
+ '204.93.240.*',
+ '204.93.177.0/25',
+ '2001:db9::/48'
+ ];
+ $this->setGeneralConfig('login_allowlist_ip', $ipsAllowlisted);
+ $this->assertSame($expectedIsAllowlisted, $this->allowlist->isIpAllowed($ipString));
+ }
+
+ /**
+ * @dataProvider getIpAllowlistedTests
+ */
+ public function test_isIpAllowed_WhenNoIpsConfigured_AllIpsAreAllowed($expectedIsWhitelisted, $ipString)
+ {
+ $this->assertFalse($this->allowlist->isIpAllowed($ipString));
+ }
+
+ /**
+ * @dataProvider getIpAllowlistedTests
+ */
+ public function test_checkIsAllowed($expectedIsAllowed, $ipString)
+ {
+ $ipsAllowed = [
+ '127.0.0.1',
+ '192.168.33.1',
+ '2001:0db8:85a3:0000:0000:8a2e:0370:7334',
+ '204.93.240.*',
+ '204.93.177.0/25',
+ '2001:db9::/48'
+ ];
+ $this->setGeneralConfig('login_allowlist_ip', $ipsAllowed);
+
+ if ($expectedIsAllowed) {
+ $this->allowlist->checkIsAllowed($ipString);
+ $this->assertTrue(true);
+ } else {
+ try {
+ $this->allowlist->checkIsAllowed($ipString);
+ $this->fail('An expected exception has not been thrown');
+ } catch (NoAccessException $e) {
+ $this->assertTrue(true);
+ }
+ }
+ }
+
+ public function getIpAllowlistedTests()
+ {
+ return array(
+ array(true, '127.0.0.1'),
+ array(true, '192.168.33.1'),
+ array(true, '2001:0db8:85a3:0000:0000:8a2e:0370:7334'),
+ array(true, '204.93.240.5'),
+ array(true, '204.93.177.5'),
+ array(true, '2001:db9:0000:ffff:ffff:ffff:ffff:ffff'),
+
+
+ array(false, '127.0.0.2'),
+ array(false, '192.168.33.2'),
+ array(false, '2001:0db8:85a3:0000:0000:8a2e:0370:7333'),
+ array(false, '204.93.239.5'),
+ array(false, '204.93.177.255'),
+ array(false, '2001:db8:0000:ffff:ffff:ffff:ffff:ffff'),
+ );
+ }
+
+ private function setGeneralConfig($name, $value)
+ {
+ $config = Config::getInstance();
+ $general = $config->General;
+ $general[$name] = $value;
+ $config->General = $general;
+ $config->forceSave();
+ }
+
+ public function provideContainerConfig()
+ {
+ return array(
+ 'Piwik\Access' => new FakeAccess()
+ );
+ }
+}
diff --git a/plugins/CoreHome/tests/Integration/LoginWhitelistTest.php b/plugins/CoreHome/tests/Integration/LoginWhitelistTest.php
deleted file mode 100644
index 7753f17080..0000000000
--- a/plugins/CoreHome/tests/Integration/LoginWhitelistTest.php
+++ /dev/null
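Review bot: `test_isIpAllowed_WhenNoIpsConfigured_AllIpsAreAllowed` asserts the opposite of what its name says: with no IPs configured it expects `isIpAllowed()` to return false for every address the provider supplies. Because this test pins the empty-list behaviour of an access-control check, the name should state it, for example `test_isIpAllowed_WhenNoIpsConfigured_NoIpIsAllowed`, and the leftover `$expectedIsWhitelisted` parameter there can become `$expectedIsAllowed`. Separately, `test_getAllowlistedLoginIps_shouldResolveIp` expects `matomo.org` to resolve to one fixed address, so it presumably depends on live DNS and will fail when that record changes or no resolver is reachable.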
@@ -1,219 +0,0 @@ -<?php -/** - * Matomo - free/libre analytics platform - * - * @link https://matomo.org - * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later - */ - -namespace Piwik\Plugins\CoreHome\tests\Integration; - -use Piwik\Common; -use Piwik\Config; -use Piwik\NoAccessException; -use Piwik\Plugins\CoreHome\LoginWhitelist; -use Piwik\Tests\Framework\Mock\FakeAccess; -use Piwik\Tests\Framework\TestCase\IntegrationTestCase; - -class CustomLoginWhitelist extends LoginWhitelist { - - public function getWhitelistedLoginIps() - { - return parent::getWhitelistedLoginIps(); - } - - public function isIpWhitelisted($ip) - { - return parent::isIpWhitelisted($ip); - } -} - -/** - * @group Plugins - * @group LoginWhitelist - * @group LoginWhitelistTest - */ -class LoginWhitelistTest extends IntegrationTestCase -{ - /** - * @var CustomLoginWhitelist - */ - private $whitelist; - - private $cliMode; - - public function setUp(): void - { - parent::setUp(); - - $this->cliMode = Common::$isCliMode; - Common::$isCliMode = false; - - $this->whitelist = new CustomLoginWhitelist(); - } - - public function tearDown(): void - { - Common::$isCliMode = $this->cliMode; - parent::tearDown(); - } - - public function test_shouldWhitelistApplyToAPI_shouldBeEnabledByDefault() - { - $this->assertTrue($this->whitelist->shouldWhitelistApplyToAPI()); - } - - public function test_shouldWhitelistApplyToAPI_canBeDisabled() - { - $this->setGeneralConfig('login_whitelist_apply_to_reporting_api_requests', '0'); - $this->assertFalse($this->whitelist->shouldWhitelistApplyToAPI()); - } - - public function test_shouldWhitelistApplyToAPI_enabled() - { - $this->setGeneralConfig('login_whitelist_apply_to_reporting_api_requests', '1'); - $this->assertTrue($this->whitelist->shouldWhitelistApplyToAPI()); - } - - public function test_shouldCheckWhitelist_shouldNotBeCheckedByDefaultAndNotHaveAnyIps() - { - $this->assertFalse($this->whitelist->shouldCheckWhitelist()); - } - - public function 
test_shouldCheckWhitelist_shouldBeCheckedIfHasAtLeastOneIp() - { - $this->setGeneralConfig('login_whitelist_ip', ['192.168.33.1']); - $this->assertTrue($this->whitelist->shouldCheckWhitelist()); - } - - public function test_shouldCheckWhitelist_shouldNotBeCheckedIfExecutedFromCLI() - { - Common::$isCliMode = true; - $this->setGeneralConfig('login_whitelist_ip', ['192.168.33.1']); - $this->assertFalse($this->whitelist->shouldCheckWhitelist()); - } - - public function test_shouldCheckWhitelist_shouldNotBeCheckedIfOnlyEmptyEntries() - { - $this->setGeneralConfig('login_whitelist_ip', ['', ' ']); - $this->assertFalse($this->whitelist->shouldCheckWhitelist()); - } - - public function test_getWhitelistedLoginIps_shouldReturnEmptyArrayByDefault() - { - $this->assertSame($this->whitelist->getWhitelistedLoginIps(), []); - } - - public function test_getWhitelistedLoginIps_shouldReturnIpsAndTrimIfNeeded() - { - $this->setGeneralConfig('login_whitelist_ip', ['192.168.33.1', ' 127.0.0.1 ', '2001:0db8:85a3:0000:0000:8a2e:0370:7334']); - $this->assertSame(['192.168.33.1', '127.0.0.1', '2001:0db8:85a3:0000:0000:8a2e:0370:7334'], $this->whitelist->getWhitelistedLoginIps()); - } - - public function test_getWhitelistedLoginIps_shouldResolveIp() - { - $this->setGeneralConfig('login_whitelist_ip', ['192.168.33.1', 'matomo.org', '127.0.0.1']); - $this->assertSame(['192.168.33.1', '185.31.40.177', '127.0.0.1'], $this->whitelist->getWhitelistedLoginIps()); - } - - public function test_getWhitelistedLoginIps_shouldNotBeCheckedIfOnlyEmptyEntries() - { - $this->setGeneralConfig('login_whitelist_ip', ['', '192.168.33.1 ', ' ']); - $this->assertSame(['192.168.33.1'], $this->whitelist->getWhitelistedLoginIps()); - } - - public function test_getWhitelistedLoginIps_shouldNotReturnDuplicates() - { - $this->setGeneralConfig('login_whitelist_ip', [' 192.168.33.1', '192.168.33.1 ', ' 192.168.33.1 ', '192.168.33.1']); - $this->assertSame(['192.168.33.1'], $this->whitelist->getWhitelistedLoginIps()); - 
} - - /** - * @dataProvider getIpWhitelistedTests - */ - public function test_isIpWhitelisted($expectedIsWhitelisted, $ipString) - { - $ipsWhitelisted = [ - '127.0.0.1', - '192.168.33.1', - '2001:0db8:85a3:0000:0000:8a2e:0370:7334', - '204.93.240.*', - '204.93.177.0/25', - '2001:db9::/48' - ]; - $this->setGeneralConfig('login_whitelist_ip', $ipsWhitelisted); - $this->assertSame($expectedIsWhitelisted, $this->whitelist->isIpWhitelisted($ipString)); - } - - /** - * @dataProvider getIpWhitelistedTests - */ - public function test_isIpWhitelisted_WhenNoIpsConfigured_AllIpsAreWhitelisted($expectedIsWhitelisted, $ipString) - { - $this->assertFalse($this->whitelist->isIpWhitelisted($ipString)); - } - - /** - * @dataProvider getIpWhitelistedTests - */ - public function test_checkIsWhitelisted($expectedIsWhitelisted, $ipString) - { - $ipsWhitelisted = [ - '127.0.0.1', - '192.168.33.1', - '2001:0db8:85a3:0000:0000:8a2e:0370:7334', - '204.93.240.*', - '204.93.177.0/25', - '2001:db9::/48' - ]; - $this->setGeneralConfig('login_whitelist_ip', $ipsWhitelisted); - - if ($expectedIsWhitelisted) { - $this->whitelist->checkIsWhitelisted($ipString); - $this->assertTrue(true); - } else { - try { - $this->whitelist->checkIsWhitelisted($ipString); - $this->fail('An expected exception has not been thrown'); - } catch (NoAccessException $e) { - $this->assertTrue(true); - } - } - } - - public function getIpWhitelistedTests() - { - return array( - array(true, '127.0.0.1'), - array(true, '192.168.33.1'), - array(true, '2001:0db8:85a3:0000:0000:8a2e:0370:7334'), - array(true, '204.93.240.5'), - array(true, '204.93.177.5'), - array(true, '2001:db9:0000:ffff:ffff:ffff:ffff:ffff'), - - - array(false, '127.0.0.2'), - array(false, '192.168.33.2'), - array(false, '2001:0db8:85a3:0000:0000:8a2e:0370:7333'), - array(false, '204.93.239.5'), - array(false, '204.93.177.255'), - array(false, '2001:db8:0000:ffff:ffff:ffff:ffff:ffff'), - ); - } - - private function setGeneralConfig($name, $value) - { - 
$config = Config::getInstance(); - $general = $config->General; - $general[$name] = $value; - $config->General = $general; - $config->forceSave(); - } - - public function provideContainerConfig() - { - return array( - 'Piwik\Access' => new FakeAccess() - ); - } -} |