24 files changed, 368 insertions, 285 deletions
diff --git a/config/global.ini.php b/config/global.ini.php
index fdba741a40..568c5910a5 100755
--- a/config/global.ini.php
+++ b/config/global.ini.php
@@ -426,22 +426,22 @@ login_password_recovery_replyto_email_name = "No-reply" ; When configured, only users from a configured IP can log into your Matomo. You can define one or multiple ; IPv4, IPv6, and IP ranges. You may also define hostnames. However, resolving hostnames in each request ; may slightly slow down your Matomo. -; This whitelist also affects API requests unless you disabled it via the setting -; "login_whitelist_apply_to_reporting_api_requests" below. Note that neither this setting, nor the -; "login_whitelist_apply_to_reporting_api_requests" restricts authenticated tracking requests (tracking requests +; This allowlist also affects API requests unless you disabled it via the setting +; "login_allowlist_apply_to_reporting_api_requests" below. Note that neither this setting, nor the +; "login_allowlist_apply_to_reporting_api_requests" restricts authenticated tracking requests (tracking requests ; with a "token_auth" URL parameter). ; ; Examples: -; login_whitelist_ip[] = 204.93.240.* -; login_whitelist_ip[] = 204.93.177.0/24 -; login_whitelist_ip[] = 199.27.128.0/21 -; login_whitelist_ip[] = 2001:db8::/48 -; login_whitelist_ip[] = matomo.org - -; By default, if a whitelisted IP address is specified via "login_whitelist_ip[]", the reporting user interface as -; well as HTTP Reporting API requests will only work for these whitelisted IPs. +; login_allowlist_ip[] = 204.93.240.* +; login_allowlist_ip[] = 204.93.177.0/24 +; login_allowlist_ip[] = 199.27.128.0/21 +; login_allowlist_ip[] = 2001:db8::/48 +; login_allowlist_ip[] = matomo.org + +; By default, if an allowlisted IP address is specified via "login_allowlist_ip[]", the reporting user interface as +; well as HTTP Reporting API requests will only work for these allowlisted IPs. ; Set this setting to "0" to allow HTTP Reporting API requests from any IP address. 
-login_whitelist_apply_to_reporting_api_requests = 1 +login_allowlist_apply_to_reporting_api_requests = 1 ; By default when user logs out they are redirected to Matomo "homepage" usually the Login form. ; Uncomment the next line to set a URL to redirect the user to after they log out of Matomo. diff --git a/config/global.php b/config/global.php index bd51022f7f..3d3f9c195f 100644 --- a/config/global.php +++ b/config/global.php @@ -146,13 +146,16 @@ return array( 'Piwik\EventDispatcher' => DI\autowire()->constructorParameter('observers', DI\get('observers.global')), - 'login.whitelist.ips' => function (ContainerInterface $c) { + 'login.allowlist.ips' => function (ContainerInterface $c) { /** @var Piwik\Config\ $config */ $config = $c->get('Piwik\Config'); $general = $config->General; $ips = array(); - if (!empty($general['login_whitelist_ip']) && is_array($general['login_whitelist_ip'])) { + if (!empty($general['login_allowlist_ip']) && is_array($general['login_allowlist_ip'])) { + $ips = $general['login_allowlist_ip']; + } elseif (!empty($general['login_whitelist_ip']) && is_array($general['login_whitelist_ip'])) { + // for BC $ips = $general['login_whitelist_ip']; } diff --git a/core/API/CORSHandler.php b/core/API/CORSHandler.php index 06e0af1f12..fb60b9a78e 100644 --- a/core/API/CORSHandler.php +++ b/core/API/CORSHandler.php @@ -45,7 +45,7 @@ class CORSHandler return; } - // specifically allow if it is one of the whitelisted CORS domains + // specifically allow if it is one of the allowlisted CORS domains if (!empty($_SERVER['HTTP_ORIGIN'])) { $origin = $_SERVER['HTTP_ORIGIN']; if (in_array($origin, $this->domains, true)) { diff --git a/core/API/Request.php b/core/API/Request.php index 7850e91aaf..b64723db70 100644 --- a/core/API/Request.php +++ b/core/API/Request.php 
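Review bot: The `elseif` in the `login.allowlist.ips` factory (config/global.php) means `login_whitelist_ip` is read only while `login_allowlist_ip` is empty, and the hunk documents that with nothing more than `// for BC`. Once the 4.0.0-b3 update has copied the list to the new key, both keys sit in the config and later edits to the legacy one are silently ignored, so an admin who tightens the old list changes nothing. I would spell the rule out in the comment, e.g. `// BC: legacy login_whitelist_ip is only used when login_allowlist_ip is empty; it is ignored once the new key is set`, and consider a deprecation warning when the legacy key is still present. The factory's closing lines are outside the hunk.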
@@ -19,7 +19,7 @@ use Piwik\Exception\PluginDeactivatedException; use Piwik\IP; use Piwik\Piwik; use Piwik\Plugin\Manager as PluginManager; -use Piwik\Plugins\CoreHome\LoginWhitelist; +use Piwik\Plugins\CoreHome\LoginAllowlist; use Piwik\SettingsServer; use Piwik\Url; use Piwik\UrlHelper; @@ -237,11 +237,11 @@ class Request // IP check is needed here as we cannot listen to API.Request.authenticate as it would then not return proper API format response. // We can also not do it by listening to API.Request.dispatch as by then the user is already authenticated and we want to make sure - // to not expose any information in case the IP is not whitelisted. - $whitelist = new LoginWhitelist(); - if ($whitelist->shouldCheckWhitelist() && $whitelist->shouldWhitelistApplyToAPI()) { + // to not expose any information in case the IP is not allowed. + $list = new LoginAllowlist(); + if ($list->shouldCheckAllowlist() && $list->shouldAllowlistApplyToAPI()) { $ip = IP::getIpFromHeader(); - $whitelist->checkIsWhitelisted($ip); + $list->checkIsAllowed($ip); } // read parameters diff --git a/core/DataTable/Filter/ColumnDelete.php b/core/DataTable/Filter/ColumnDelete.php index 336e0faa3f..89aaa6663c 100644 --- a/core/DataTable/Filter/ColumnDelete.php +++ b/core/DataTable/Filter/ColumnDelete.php @@ -13,7 +13,7 @@ use Piwik\DataTable\BaseFilter; /** * Filter that will remove columns from a {@link DataTable} using either a blacklist, - * whitelist or both. + * allowlist or both. * * This filter is used to handle the **hideColumn** and **showColumn** query parameters. * @@ -129,7 +129,7 @@ class ColumnDelete extends BaseFilter } if (!$keep - && $name !== 'label' // label cannot be removed via whitelisting + && $name !== 'label' // label cannot be removed via allowlisting && !isset($this->columnsToKeep[$name]) ) { // we cannot remove row directly to prevent notice "ArrayIterator::next(): Array was modified 
diff --git a/core/Metrics/Formatter.php b/core/Metrics/Formatter.php index e98a93f4aa..25d306e7e5 100644 --- a/core/Metrics/Formatter.php +++ b/core/Metrics/Formatter.php @@ -167,7 +167,7 @@ class Formatter * * @param DataTable $dataTable The table to format metrics for. * @param Report|null $report The report the table belongs to. - * @param string[]|null $metricsToFormat Whitelist of names of metrics to format. + * @param string[]|null $metricsToFormat Allow a list of names of metrics to format. * @param boolean $formatAll If true, will also apply formatting to non-processed metrics like revenue. * This parameter is not currently supported and subject to change. * @api diff --git a/core/Updates/3.0.0-b1.php b/core/Updates/3.0.0-b1.php index 11d24eadbc..2613a95e16 100644 --- a/core/Updates/3.0.0-b1.php +++ b/core/Updates/3.0.0-b1.php @@ -62,7 +62,7 @@ class Updates_3_0_0_b1 extends Updates $updater->executeMigrations(__FILE__, $this->getMigrations($updater)); $this->migratePluginEmailUpdateSetting(); - // added .woff and woff2 whitelisted file for apache webserver + // added .woff and woff2 allowlisted file for apache webserver ServerFilesGenerator::deleteHtAccessFiles(); ServerFilesGenerator::createHtAccessFiles(); diff --git a/core/Updates/4.0.0-b3.php b/core/Updates/4.0.0-b3.php new file mode 100644 index 0000000000..b2fa6fcaf0 --- /dev/null +++ b/core/Updates/4.0.0-b3.php 
@@ -0,0 +1,60 @@ +<?php +/** + * Matomo - free/libre analytics platform + * + * @link https://matomo.org + * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later + * + */ + +namespace Piwik\Updates; + +use Piwik\Config; +use Piwik\Updater; +use Piwik\Updates as PiwikUpdates; +use Piwik\Updater\Migration\Factory as MigrationFactory; + +/** + * Update for version 4.0.0-b3. + */ +class Updates_4_0_0_b3 extends PiwikUpdates +{ + /** + * @var MigrationFactory + */ + private $migration; + + public function __construct(MigrationFactory $factory) + { + $this->migration = $factory; + } + + public function getMigrations(Updater $updater) + { + $migrations = []; + + $config = Config::getInstance(); + $general = $config->General; + if (empty($general['login_whitelist_apply_to_reporting_api_requests'])) { + $migrations[] = $this->migration->config->set('General', 'login_allowlist_apply_to_reporting_api_requests', '0'); + } + + return $migrations; + } + + public function doUpdate(Updater $updater) + { + $updater->executeMigrations(__FILE__, $this->getMigrations($updater)); + + $config = Config::getInstance(); + $general = $config->General; + if (!empty($general['login_whitelist_ip'])) { + // the migration->config->set does not support arrays yet so we do it here. + $general['login_allowlist_ip'] = $general['login_whitelist_ip']; + $config->General = $general; + $config->forceSave(); + } + + } + +} diff --git a/core/Url.php b/core/Url.php index dbbf4dc98d..1ea88e17aa 100644 --- a/core/Url.php +++ b/core/Url.php @@ -219,7 +219,7 @@ class Url } } - // if host is in hardcoded whitelist, assume it's valid + // if host is in hardcoded allowlist, assume it's valid if (in_array($host, self::getAlwaysTrustedHosts())) { return true; } diff --git a/core/Version.php b/core/Version.php index 0a14caf528..7e45dd4d91 100644 --- a/core/Version.php +++ b/core/Version.php 
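Review bot: In `getMigrations()` of core/Updates/4.0.0-b3.php the `empty($general['login_whitelist_apply_to_reporting_api_requests'])` test is also true when the legacy key is simply absent, and this same commit removes that key from config/global.ini.php. If `$config->General` is the shipped defaults merged with the local config (not visible here), every install that relied on the old default of 1 would get `login_allowlist_apply_to_reporting_api_requests = 0` written, which lifts the IP restriction from Reporting API requests on upgrade. The guard should fire only for an explicit opt-out, e.g. `if (isset($general['login_whitelist_apply_to_reporting_api_requests']) && empty($general['login_whitelist_apply_to_reporting_api_requests'])) {`. A migration test covering the absent, `0` and `1` cases would pin this.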
@@ -20,7 +20,7 @@ final class Version * The current Matomo version. * @var string */ - const VERSION = '4.0.0-b2'; + const VERSION = '4.0.0-b3'; const MAJOR_VERSION = 4; public function isStableVersion($version) diff --git a/js/piwik.js b/js/piwik.js index bf18d318ef..2014d9dc7f 100644 --- a/js/piwik.js +++ b/js/piwik.js @@ -35,7 +35,7 @@ /*global Blob */ /*members Piwik, Matomo, encodeURIComponent, decodeURIComponent, getElementsByTagName, shift, unshift, piwikAsyncInit, matomoAsyncInit, matomoPluginAsyncInit , frameElement, self, hasFocus, - createElement, appendChild, characterSet, charset, all, + createElement, appendChild, characterSet, charset, all, piwik_log, AnalyticsTracker, addEventListener, attachEvent, removeEventListener, detachEvent, disableCookies, setCookieConsentGiven, areCookiesEnabled, getRememberedCookieConsent, rememberCookieConsentGiven, forgetCookieConsentGiven, requireCookieConsent, cookie, domain, readyState, documentElement, doScroll, title, text, contentWindow, postMessage, diff --git a/plugins/CoreConsole/Commands/GenerateVisualizationPlugin.php b/plugins/CoreConsole/Commands/GenerateVisualizationPlugin.php index 1040b84287..43b92b4cf9 100644 --- a/plugins/CoreConsole/Commands/GenerateVisualizationPlugin.php +++ b/plugins/CoreConsole/Commands/GenerateVisualizationPlugin.php @@ -49,7 +49,7 @@ class GenerateVisualizationPlugin extends GeneratePlugin 'ExampleVisualizationDescription' => $description ); - $this->copyTemplateToPlugin($exampleFolder, $pluginName, $replace, $whitelistFiles = array()); + $this->copyTemplateToPlugin($exampleFolder, $pluginName, $replace, $allowListFiles = array()); $this->writeSuccessMessage($output, array( sprintf('Visualization plugin %s %s generated.', $pluginName, $version), diff --git a/plugins/CoreHome/CoreHome.php b/plugins/CoreHome/CoreHome.php index 6b6b7bceb0..72d4aec660 100644 --- a/plugins/CoreHome/CoreHome.php +++ b/plugins/CoreHome/CoreHome.php 
@@ -82,10 +82,10 @@ class CoreHome extends \Piwik\Plugin return; } - $whitelist = new LoginWhitelist(); - if ($whitelist->shouldCheckWhitelist()) { + $list = new LoginAllowlist(); + if ($list->shouldCheckAllowlist()) { $ip = IP::getIpFromHeader(); - $whitelist->checkIsWhitelisted($ip); + $list->checkIsAllowed($ip); } } diff --git a/plugins/CoreHome/LoginWhitelist.php b/plugins/CoreHome/LoginAllowlist.php index 8621e5a502..5101e7e3d9 100644 --- a/plugins/CoreHome/LoginWhitelist.php +++ b/plugins/CoreHome/LoginAllowlist.php @@ -20,15 +20,15 @@ use Piwik\SettingsServer; * This class is in CoreHome since some alternative Login plugins disable the Login plugin and we want to ensure the * feature works for all login plugins. */ -class LoginWhitelist +class LoginAllowlist { - public function shouldWhitelistApplyToAPI() + public function shouldAllowlistApplyToAPI() { $general = $this->getGeneralConfig(); - return !empty($general['login_whitelist_apply_to_reporting_api_requests']); + return !empty($general['login_allowlist_apply_to_reporting_api_requests']) || !empty($general['login_whitelist_apply_to_reporting_api_requests']); } - public function shouldCheckWhitelist() + public function shouldCheckAllowlist() { if (Common::isPhpCliMode()) { return false; 
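Review bot: `shouldAllowlistApplyToAPI()` in LoginAllowlist.php ORs the two keys, so `login_allowlist_apply_to_reporting_api_requests = 0` does not switch the API check off while a leftover `login_whitelist_apply_to_reporting_api_requests = 1` is still in the local config. That fails closed, but it contradicts the global.ini.php text (Set this setting to "0" to allow HTTP Reporting API requests from any IP address) and uses a different precedence than the IP list, where the new key wins. A docblock should state the rule, for example `/** True when either the new or the legacy (BC) key is enabled; setting the new key to 0 does not override an enabled legacy key. */`, or the legacy key should be consulted only when the new one is absent. `shouldCheckAllowlist()` continues outside the hunk.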
@@ -39,35 +39,35 @@ class LoginWhitelist return false; } - $ips = $this->getWhitelistedLoginIps(); + $ips = $this->getAllowlistedLoginIps(); return !empty($ips); } - public function checkIsWhitelisted($ipString) + public function checkIsAllowed($ipString) { - if (!$this->isIpWhitelisted($ipString)) { - throw new NoAccessException(Piwik::translate('CoreHome_ExceptionNotWhitelistedIP', $ipString)); + if (!$this->isIpAllowed($ipString)) { + throw new NoAccessException(Piwik::translate('CoreHome_ExceptionNotAllowlistedIP', $ipString)); } } - public function isIpWhitelisted($userIpString) + public function isIpAllowed($userIpString) { $userIp = NetworkIp::fromStringIP($userIpString); - $ipsWhitelisted = $this->getWhitelistedLoginIps(); + $ipsAllowed = $this->getAllowlistedLoginIps(); - if (empty($ipsWhitelisted)) { + if (empty($ipsAllowed)) { return false; } - return $userIp->isInRanges($ipsWhitelisted); + return $userIp->isInRanges($ipsAllowed); } /** * @return array */ - protected function getWhitelistedLoginIps() + protected function getAllowlistedLoginIps() { - $ips = StaticContainer::get('login.whitelist.ips'); + $ips = StaticContainer::get('login.allowlist.ips'); if (!empty($ips) && is_array($ips)) { $ips = array_map(function ($ip) { diff --git a/plugins/CoreHome/lang/en.json b/plugins/CoreHome/lang/en.json index 730834fcf9..fb1ae8c3ec 100644 --- a/plugins/CoreHome/lang/en.json +++ b/plugins/CoreHome/lang/en.json @@ -23,7 +23,7 @@ "EndShortcut": "End", "EnterZenMode": "Enter Zen mode (hide the menus)", "ExitZenMode": "Exit Zen mode (show the menus)", - "ExceptionNotWhitelistedIP": "You cannot use this Matomo as your IP %s is not whitelisted", + "ExceptionNotAllowlistedIP": "You cannot use this Matomo as your IP %s is not allowed.", "ExcludeRowsWithLowPopulation": "All rows are shown %s Exclude low population", "ExternalHelp": "Help (opens in new tab)", "FlattenDataTable": "The report is hierarchical %s Make it flat", 
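Review bot: `getAllowlistedLoginIps()` now reads only `StaticContainer::get('login.allowlist.ips')`, and unlike the INI keys the old container id `login.whitelist.ips` gets no BC path. If a local DI config or a plugin overrides the old id to supply the IP list (not visible here), that override would be silently dropped and only the INI keys would count, which can leave `shouldCheckAllowlist()` with an empty list and no IP restriction. The renamed public methods (`checkIsWhitelisted`, `isIpWhitelisted`) and the class itself also go without deprecated aliases, although the class comment says alternative Login plugins rely on this feature. Consider keeping an alias entry for the old id and adding a changelog note for plugin developers. The body of `getAllowlistedLoginIps()` continues outside the hunk.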
diff --git a/plugins/CoreHome/tests/Integration/LoginAllowlistTest.php b/plugins/CoreHome/tests/Integration/LoginAllowlistTest.php
new file mode 100644
index 0000000000..993a722648
--- /dev/null
+++ b/plugins/CoreHome/tests/Integration/LoginAllowlistTest.php
@@ -0,0 +1,238 @@ +<?php +/** + * Matomo - free/libre analytics platform + * + * @link https://matomo.org + * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later + */ + +namespace Piwik\Plugins\CoreHome\tests\Integration; + +use Piwik\Common; +use Piwik\Config; +use Piwik\NoAccessException; +use Piwik\Plugins\CoreHome\LoginAllowlist; +use Piwik\Tests\Framework\Mock\FakeAccess; +use Piwik\Tests\Framework\TestCase\IntegrationTestCase; + +class CustomLoginAllowlist extends LoginAllowlist { + + public function getAllowlistedLoginIps() + { + return parent::getAllowlistedLoginIps(); + } + + public function isIpAllowed($ip) + { + return parent::isIpAllowed($ip); + } +} + +/** + * @group Plugins + * @group LoginAllowlist + * @group LoginAllowlistTest + */ +class LoginAllowlistTest extends IntegrationTestCase +{ + /** + * @var CustomLoginAllowlist + */ + private $allowlist; + + private $cliMode; + + public function setUp(): void + { + parent::setUp(); + + $this->cliMode = Common::$isCliMode; + Common::$isCliMode = false; + + $this->allowlist = new CustomLoginAllowlist(); + } + + public function tearDown(): void + { + Common::$isCliMode = $this->cliMode; + parent::tearDown(); + } + + public function test_shouldAllowlistApplyToAPI_shouldBeEnabledByDefault() + { + $this->assertTrue($this->allowlist->shouldAllowlistApplyToAPI()); + } + + public function test_shouldAllowlistApplyToAPI_canBeDisabled() + { + $this->setGeneralConfig('login_allowlist_apply_to_reporting_api_requests', '0'); + $this->assertFalse($this->allowlist->shouldAllowlistApplyToAPI()); + } + + public function test_shouldAllowlistApplyToAPI_enabled() + { + $this->setGeneralConfig('login_allowlist_apply_to_reporting_api_requests', '1'); + $this->assertTrue($this->allowlist->shouldAllowlistApplyToAPI()); + } + + public function test_shouldWhitelistApplyToAPI_enabledBC() + { + $this->setGeneralConfig('login_whitelist_apply_to_reporting_api_requests', '1'); + 
$this->assertTrue($this->allowlist->shouldAllowlistApplyToAPI()); + } + + public function test_shouldCheckWhitelist_shouldNotBeCheckedByDefaultAndNotHaveAnyIps() + { + $this->assertFalse($this->allowlist->shouldCheckAllowlist()); + } + + public function test_shouldCheckAllowlist_shouldBeCheckedIfHasAtLeastOneIp() + { + $this->setGeneralConfig('login_allowlist_ip', ['192.168.33.1']); + $this->assertTrue($this->allowlist->shouldCheckAllowlist()); + } + + public function test_shouldCheckAllowlist_shouldNotBeCheckedIfExecutedFromCLI() + { + Common::$isCliMode = true; + $this->setGeneralConfig('login_allowlist_ip', ['192.168.33.1']); + $this->assertFalse($this->allowlist->shouldCheckAllowlist()); + } + + public function test_shouldCheckWhitelist_shouldBeCheckedIfHasAtLeastOneIp_forBC() + { + $this->setGeneralConfig('login_whitelist_ip', ['192.168.33.1']); + $this->assertTrue($this->allowlist->shouldCheckAllowlist()); + } + + public function test_shouldCheckWhitelist_shouldNotBeCheckedIfExecutedFromCLI_forBC() + { + Common::$isCliMode = true; + $this->setGeneralConfig('login_whitelist_ip', ['192.168.33.1']); + $this->assertFalse($this->allowlist->shouldCheckAllowlist()); + } + + public function test_shouldCheckWhitelist_shouldNotBeCheckedIfOnlyEmptyEntries() + { + $this->setGeneralConfig('login_allowlist_ip', ['', ' ']); + $this->assertFalse($this->allowlist->shouldCheckAllowlist()); + } + + public function test_getAllowlistedLoginIps_shouldReturnEmptyArrayByDefault() + { + $this->assertSame($this->allowlist->getAllowlistedLoginIps(), []); + } + + public function test_getAllowlistedLoginIps_shouldReturnIpsAndTrimIfNeeded() + { + $this->setGeneralConfig('login_allowlist_ip', ['192.168.33.1', ' 127.0.0.1 ', '2001:0db8:85a3:0000:0000:8a2e:0370:7334']); + $this->assertSame(['192.168.33.1', '127.0.0.1', '2001:0db8:85a3:0000:0000:8a2e:0370:7334'], $this->allowlist->getAllowlistedLoginIps()); + } + + public function test_getAllowlistedLoginIps_shouldResolveIp() + { + 
$this->setGeneralConfig('login_allowlist_ip', ['192.168.33.1', 'matomo.org', '127.0.0.1']); + $this->assertSame(['192.168.33.1', '185.31.40.177', '127.0.0.1'], $this->allowlist->getAllowlistedLoginIps()); + } + + public function test_getAllowlistedLoginIps_shouldNotBeCheckedIfOnlyEmptyEntries() + { + $this->setGeneralConfig('login_allowlist_ip', ['', '192.168.33.1 ', ' ']); + $this->assertSame(['192.168.33.1'], $this->allowlist->getAllowlistedLoginIps()); + } + + public function test_getAllowlistedLoginIps_shouldNotReturnDuplicates() + { + $this->setGeneralConfig('login_allowlist_ip', [' 192.168.33.1', '192.168.33.1 ', ' 192.168.33.1 ', '192.168.33.1']); + $this->assertSame(['192.168.33.1'], $this->allowlist->getAllowlistedLoginIps()); + } + + /** + * @dataProvider getIpAllowlistedTests + */ + public function test_isIpAllowlisted($expectedIsAllowlisted, $ipString) + { + $ipsAllowlisted = [ + '127.0.0.1', + '192.168.33.1', + '2001:0db8:85a3:0000:0000:8a2e:0370:7334', + '204.93.240.*', + '204.93.177.0/25', + '2001:db9::/48' + ]; + $this->setGeneralConfig('login_allowlist_ip', $ipsAllowlisted); + $this->assertSame($expectedIsAllowlisted, $this->allowlist->isIpAllowed($ipString)); + } + + /** + * @dataProvider getIpAllowlistedTests + */ + public function test_isIpAllowed_WhenNoIpsConfigured_AllIpsAreAllowed($expectedIsWhitelisted, $ipString) + { + $this->assertFalse($this->allowlist->isIpAllowed($ipString)); + } + + /** + * @dataProvider getIpAllowlistedTests + */ + public function test_checkIsAllowed($expectedIsAllowed, $ipString) + { + $ipsAllowed = [ + '127.0.0.1', + '192.168.33.1', + '2001:0db8:85a3:0000:0000:8a2e:0370:7334', + '204.93.240.*', + '204.93.177.0/25', + '2001:db9::/48' + ]; + $this->setGeneralConfig('login_allowlist_ip', $ipsAllowed); + + if ($expectedIsAllowed) { + $this->allowlist->checkIsAllowed($ipString); + $this->assertTrue(true); + } else { + try { + $this->allowlist->checkIsAllowed($ipString); + $this->fail('An expected exception has not been 
thrown'); + } catch (NoAccessException $e) { + $this->assertTrue(true); + } + } + } + + public function getIpAllowlistedTests() + { + return array( + array(true, '127.0.0.1'), + array(true, '192.168.33.1'), + array(true, '2001:0db8:85a3:0000:0000:8a2e:0370:7334'), + array(true, '204.93.240.5'), + array(true, '204.93.177.5'), + array(true, '2001:db9:0000:ffff:ffff:ffff:ffff:ffff'), + + + array(false, '127.0.0.2'), + array(false, '192.168.33.2'), + array(false, '2001:0db8:85a3:0000:0000:8a2e:0370:7333'), + array(false, '204.93.239.5'), + array(false, '204.93.177.255'), + array(false, '2001:db8:0000:ffff:ffff:ffff:ffff:ffff'), + ); + } + + private function setGeneralConfig($name, $value) + { + $config = Config::getInstance(); + $general = $config->General; + $general[$name] = $value; + $config->General = $general; + $config->forceSave(); + } + + public function provideContainerConfig() + { + return array( + 'Piwik\Access' => new FakeAccess() + ); + } +} diff --git a/plugins/CoreHome/tests/Integration/LoginWhitelistTest.php b/plugins/CoreHome/tests/Integration/LoginWhitelistTest.php deleted file mode 100644 index 7753f17080..0000000000 --- a/plugins/CoreHome/tests/Integration/LoginWhitelistTest.php +++ /dev/null 
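Review bot: The BC tests in LoginAllowlistTest set only one key generation at a time; none covers both being present, which is the state an install with a legacy list ends up in after `doUpdate()`. I would add cases such as `login_allowlist_ip` and `login_whitelist_ip` holding different lists (expect the new list), and `login_allowlist_apply_to_reporting_api_requests = '0'` together with the legacy key at `'1'`, so the precedence rules are pinned. Separately, `test_isIpAllowed_WhenNoIpsConfigured_AllIpsAreAllowed` uses `assertFalse`, so its name says the opposite of what is checked; `test_isIpAllowed_WhenNoIpsConfigured_NoIpIsAllowed` would match. `test_getAllowlistedLoginIps_shouldResolveIp` also depends on the live DNS answer for matomo.org, which makes an access-control test sensitive to the resolver it runs against.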
@@ -1,219 +0,0 @@ -<?php -/** - * Matomo - free/libre analytics platform - * - * @link https://matomo.org - * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later - */ - -namespace Piwik\Plugins\CoreHome\tests\Integration; - -use Piwik\Common; -use Piwik\Config; -use Piwik\NoAccessException; -use Piwik\Plugins\CoreHome\LoginWhitelist; -use Piwik\Tests\Framework\Mock\FakeAccess; -use Piwik\Tests\Framework\TestCase\IntegrationTestCase; - -class CustomLoginWhitelist extends LoginWhitelist { - - public function getWhitelistedLoginIps() - { - return parent::getWhitelistedLoginIps(); - } - - public function isIpWhitelisted($ip) - { - return parent::isIpWhitelisted($ip); - } -} - -/** - * @group Plugins - * @group LoginWhitelist - * @group LoginWhitelistTest - */ -class LoginWhitelistTest extends IntegrationTestCase -{ - /** - * @var CustomLoginWhitelist - */ - private $whitelist; - - private $cliMode; - - public function setUp(): void - { - parent::setUp(); - - $this->cliMode = Common::$isCliMode; - Common::$isCliMode = false; - - $this->whitelist = new CustomLoginWhitelist(); - } - - public function tearDown(): void - { - Common::$isCliMode = $this->cliMode; - parent::tearDown(); - } - - public function test_shouldWhitelistApplyToAPI_shouldBeEnabledByDefault() - { - $this->assertTrue($this->whitelist->shouldWhitelistApplyToAPI()); - } - - public function test_shouldWhitelistApplyToAPI_canBeDisabled() - { - $this->setGeneralConfig('login_whitelist_apply_to_reporting_api_requests', '0'); - $this->assertFalse($this->whitelist->shouldWhitelistApplyToAPI()); - } - - public function test_shouldWhitelistApplyToAPI_enabled() - { - $this->setGeneralConfig('login_whitelist_apply_to_reporting_api_requests', '1'); - $this->assertTrue($this->whitelist->shouldWhitelistApplyToAPI()); - } - - public function test_shouldCheckWhitelist_shouldNotBeCheckedByDefaultAndNotHaveAnyIps() - { - $this->assertFalse($this->whitelist->shouldCheckWhitelist()); - } - - public function 
test_shouldCheckWhitelist_shouldBeCheckedIfHasAtLeastOneIp() - { - $this->setGeneralConfig('login_whitelist_ip', ['192.168.33.1']); - $this->assertTrue($this->whitelist->shouldCheckWhitelist()); - } - - public function test_shouldCheckWhitelist_shouldNotBeCheckedIfExecutedFromCLI() - { - Common::$isCliMode = true; - $this->setGeneralConfig('login_whitelist_ip', ['192.168.33.1']); - $this->assertFalse($this->whitelist->shouldCheckWhitelist()); - } - - public function test_shouldCheckWhitelist_shouldNotBeCheckedIfOnlyEmptyEntries() - { - $this->setGeneralConfig('login_whitelist_ip', ['', ' ']); - $this->assertFalse($this->whitelist->shouldCheckWhitelist()); - } - - public function test_getWhitelistedLoginIps_shouldReturnEmptyArrayByDefault() - { - $this->assertSame($this->whitelist->getWhitelistedLoginIps(), []); - } - - public function test_getWhitelistedLoginIps_shouldReturnIpsAndTrimIfNeeded() - { - $this->setGeneralConfig('login_whitelist_ip', ['192.168.33.1', ' 127.0.0.1 ', '2001:0db8:85a3:0000:0000:8a2e:0370:7334']); - $this->assertSame(['192.168.33.1', '127.0.0.1', '2001:0db8:85a3:0000:0000:8a2e:0370:7334'], $this->whitelist->getWhitelistedLoginIps()); - } - - public function test_getWhitelistedLoginIps_shouldResolveIp() - { - $this->setGeneralConfig('login_whitelist_ip', ['192.168.33.1', 'matomo.org', '127.0.0.1']); - $this->assertSame(['192.168.33.1', '185.31.40.177', '127.0.0.1'], $this->whitelist->getWhitelistedLoginIps()); - } - - public function test_getWhitelistedLoginIps_shouldNotBeCheckedIfOnlyEmptyEntries() - { - $this->setGeneralConfig('login_whitelist_ip', ['', '192.168.33.1 ', ' ']); - $this->assertSame(['192.168.33.1'], $this->whitelist->getWhitelistedLoginIps()); - } - - public function test_getWhitelistedLoginIps_shouldNotReturnDuplicates() - { - $this->setGeneralConfig('login_whitelist_ip', [' 192.168.33.1', '192.168.33.1 ', ' 192.168.33.1 ', '192.168.33.1']); - $this->assertSame(['192.168.33.1'], $this->whitelist->getWhitelistedLoginIps()); - 
} - - /** - * @dataProvider getIpWhitelistedTests - */ - public function test_isIpWhitelisted($expectedIsWhitelisted, $ipString) - { - $ipsWhitelisted = [ - '127.0.0.1', - '192.168.33.1', - '2001:0db8:85a3:0000:0000:8a2e:0370:7334', - '204.93.240.*', - '204.93.177.0/25', - '2001:db9::/48' - ]; - $this->setGeneralConfig('login_whitelist_ip', $ipsWhitelisted); - $this->assertSame($expectedIsWhitelisted, $this->whitelist->isIpWhitelisted($ipString)); - } - - /** - * @dataProvider getIpWhitelistedTests - */ - public function test_isIpWhitelisted_WhenNoIpsConfigured_AllIpsAreWhitelisted($expectedIsWhitelisted, $ipString) - { - $this->assertFalse($this->whitelist->isIpWhitelisted($ipString)); - } - - /** - * @dataProvider getIpWhitelistedTests - */ - public function test_checkIsWhitelisted($expectedIsWhitelisted, $ipString) - { - $ipsWhitelisted = [ - '127.0.0.1', - '192.168.33.1', - '2001:0db8:85a3:0000:0000:8a2e:0370:7334', - '204.93.240.*', - '204.93.177.0/25', - '2001:db9::/48' - ]; - $this->setGeneralConfig('login_whitelist_ip', $ipsWhitelisted); - - if ($expectedIsWhitelisted) { - $this->whitelist->checkIsWhitelisted($ipString); - $this->assertTrue(true); - } else { - try { - $this->whitelist->checkIsWhitelisted($ipString); - $this->fail('An expected exception has not been thrown'); - } catch (NoAccessException $e) { - $this->assertTrue(true); - } - } - } - - public function getIpWhitelistedTests() - { - return array( - array(true, '127.0.0.1'), - array(true, '192.168.33.1'), - array(true, '2001:0db8:85a3:0000:0000:8a2e:0370:7334'), - array(true, '204.93.240.5'), - array(true, '204.93.177.5'), - array(true, '2001:db9:0000:ffff:ffff:ffff:ffff:ffff'), - - - array(false, '127.0.0.2'), - array(false, '192.168.33.2'), - array(false, '2001:0db8:85a3:0000:0000:8a2e:0370:7333'), - array(false, '204.93.239.5'), - array(false, '204.93.177.255'), - array(false, '2001:db8:0000:ffff:ffff:ffff:ffff:ffff'), - ); - } - - private function setGeneralConfig($name, $value) - { - 
$config = Config::getInstance(); - $general = $config->General; - $general[$name] = $value; - $config->General = $general; - $config->forceSave(); - } - - public function provideContainerConfig() - { - return array( - 'Piwik\Access' => new FakeAccess() - ); - } -} diff --git a/plugins/Installation/Installation.php b/plugins/Installation/Installation.php index d66f009ad9..d92dd2d3a4 100644 --- a/plugins/Installation/Installation.php +++ b/plugins/Installation/Installation.php @@ -133,10 +133,10 @@ class Installation extends \Piwik\Plugin private function isAllowedAction($action) { $controller = $this->getInstallationController(); - $isActionWhiteListed = in_array($action, array('saveLanguage', 'getInstallationCss', 'getInstallationJs', 'reuseTables')); + $isActionAllowed = in_array($action, array('saveLanguage', 'getInstallationCss', 'getInstallationJs', 'reuseTables')); return in_array($action, array_keys($controller->getInstallationSteps())) - || $isActionWhiteListed; + || $isActionAllowed; } /** diff --git a/plugins/Login/tests/UI/Login_spec.js b/plugins/Login/tests/UI/Login_spec.js index 89fc353559..0825646f8b 100644 --- a/plugins/Login/tests/UI/Login_spec.js +++ b/plugins/Login/tests/UI/Login_spec.js @@ -198,7 +198,7 @@ describe("Login", function () { }); it('should not show login page when ips whitelisted and ip is not matching', async function() { - testEnvironment.overrideConfig('General', 'login_whitelist_ip', ['199.199.199.199']); + testEnvironment.overrideConfig('General', 'login_allowlist_ip', ['199.199.199.199']); testEnvironment.save(); await page.goto(''); await page.waitForNetworkIdle(); 
@@ -212,7 +212,7 @@ describe("Login", function () { delete testEnvironment.queryParamOverride; delete testEnvironment.bruteForceBlockThisIp; delete testEnvironment.bruteForceBlockIps; - testEnvironment.overrideConfig('General', 'login_whitelist_ip', []); + testEnvironment.overrideConfig('General', 'login_allowlist_ip', []); testEnvironment.save(); await page.goto(bruteForceLogUrl); diff --git a/plugins/Login/tests/UI/expected-screenshots/Login_ip_not_whitelisted.png b/plugins/Login/tests/UI/expected-screenshots/Login_ip_not_whitelisted.png index a840320928..1fd4733ba8 100644 --- a/plugins/Login/tests/UI/expected-screenshots/Login_ip_not_whitelisted.png +++ b/plugins/Login/tests/UI/expected-screenshots/Login_ip_not_whitelisted.png @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:bb3990f1d246584578cb0ea6778dd4384e0034b31de6b17465d9a1e7d5c74654 -size 34062 +oid sha256:f668dbd2e6ed9b1ebbd825898c5957638825799668b23330454bef9d5f2b7440 +size 33192 diff --git a/tests/PHPUnit/Integration/CronArchiveTest.php b/tests/PHPUnit/Integration/CronArchiveTest.php index beb920193e..8b2e3a05d5 100644 --- a/tests/PHPUnit/Integration/CronArchiveTest.php +++ b/tests/PHPUnit/Integration/CronArchiveTest.php @@ -419,10 +419,11 @@ Total API requests: 5 done: 5 req, %d ms, no error Time elapsed: %fs LOG; + $version = Version::VERSION; $expected = <<<LOG --------------------------- INIT -Running Matomo 4.0.0-b2 as Super User +Running Matomo $version as Super User --------------------------- NOTES - If you execute this script at least once per hour (or more often) in a crontab, you may disable 'Browser trigger archiving' in Matomo UI > Settings > General Settings. diff --git a/tests/PHPUnit/Integration/ReleaseCheckListTest.php b/tests/PHPUnit/Integration/ReleaseCheckListTest.php index cf0214b2e9..2f7b258b6d 100644 --- a/tests/PHPUnit/Integration/ReleaseCheckListTest.php +++ b/tests/PHPUnit/Integration/ReleaseCheckListTest.php 
@@ -216,14 +216,14 @@ class ReleaseCheckListTest extends \PHPUnit\Framework\TestCase $patternFailIfFound = 'jquery'; // known files that will for sure not contain a "buggy" $patternFailIfFound - $whiteListedFiles = array( + $allowedFiles = array( PIWIK_INCLUDE_PATH . '/plugins/TestRunner/templates/travis.yml.twig', PIWIK_INCLUDE_PATH . '/plugins/CoreUpdater/templates/layout.twig', PIWIK_INCLUDE_PATH . '/plugins/Installation/templates/layout.twig', PIWIK_INCLUDE_PATH . '/plugins/Login/templates/loginLayout.twig', PIWIK_INCLUDE_PATH . '/tests/UI/screenshot-diffs/singlediff.html', - // Note: entries below are paths and any file within these paths will be automatically whitelisted + // Note: entries below are paths and any file within these paths will be automatically allowed PIWIK_INCLUDE_PATH . '/tests/resources/overlay-test-site-real/', PIWIK_INCLUDE_PATH . '/tests/resources/overlay-test-site/', PIWIK_INCLUDE_PATH . '/vendor/lox/xhprof/xhprof_html/docs/', @@ -233,19 +233,19 @@ class ReleaseCheckListTest extends \PHPUnit\Framework\TestCase ); $files = Filesystem::globr(PIWIK_INCLUDE_PATH, '*.' . $extension); - $this->assertFilesDoNotContain($files, $patternFailIfFound, $whiteListedFiles); + $this->assertFilesDoNotContain($files, $patternFailIfFound, $allowedFiles); } /** * @param $files * @param $patternFailIfFound - * @param $whiteListedFiles + * @param $allowedFiles */ - private function assertFilesDoNotContain($files, $patternFailIfFound, $whiteListedFiles) + private function assertFilesDoNotContain($files, $patternFailIfFound, $allowedFiles) { $foundPatterns = array(); foreach ($files as $file) { - if($this->isFileOrPathWhitelisted($whiteListedFiles, $file)) { + if($this->isFileOrPathAllowed($allowedFiles, $file)) { continue; } $content = file_get_contents($file); 
@@ -265,14 +265,14 @@ class ReleaseCheckListTest extends \PHPUnit\Framework\TestCase } /** - * @param $whiteListedFiles + * @param $allowedFiles * @param $file * @return bool */ - private function isFileOrPathWhitelisted($whiteListedFiles, $file) + private function isFileOrPathAllowed($allowedFiles, $file) { - foreach ($whiteListedFiles as $whitelistFile) { - if (strpos($file, $whitelistFile) === 0) { + foreach ($allowedFiles as $allowedFile) { + if (strpos($file, $allowedFile) === 0) { return true; } } diff --git a/tests/PHPUnit/Integration/Settings/Measurable/MeasurablePropertyTest.php b/tests/PHPUnit/Integration/Settings/Measurable/MeasurablePropertyTest.php index 7c72668309..b057162632 100644 --- a/tests/PHPUnit/Integration/Settings/Measurable/MeasurablePropertyTest.php +++ b/tests/PHPUnit/Integration/Settings/Measurable/MeasurablePropertyTest.php @@ -49,7 +49,7 @@ class MeasurablePropertyTest extends IntegrationTestCase $this->assertNotDbConnectionCreated(); } - public function test_constructor_shouldThrowAnExceptionWhenNotWhitelistedNameIsUsed() + public function test_constructor_shouldThrowAnExceptionWhenNotAllowedNameIsUsed() { $this->expectException(\Exception::class); $this->expectExceptionMessage('Name "name" is not allowed to be used'); diff --git a/tests/UI/expected-screenshots/UIIntegrationTest_admin_diagnostics_configfile.png b/tests/UI/expected-screenshots/UIIntegrationTest_admin_diagnostics_configfile.png index ce1c85007a..fe89e281d0 100644 --- a/tests/UI/expected-screenshots/UIIntegrationTest_admin_diagnostics_configfile.png +++ b/tests/UI/expected-screenshots/UIIntegrationTest_admin_diagnostics_configfile.png @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:5da65bc1d8b3188aef4387c78e857839a279d6ddddc3f0f1f3b2dfb3615ef83e -size 4448506 +oid sha256:f1107da0ab9dad0819d7190b7bd11045507bc9232e5be6d7506ce057058351e7 +size 4449780 |