Merge branch 'test-fix' into 'master'

Fix bug with non-HTTP Shib sessions being valid for HTTP sessions Previously, the `PreauthUserDetailsProvider` was only checking that a valid Shib session existed by looking for the regular or HTTP Shib session header. This check is now strengthened by validating the correct header exists for the correct instance. Also renamed and changed some things in the `Preauth` test--it's now called `HTTPPreauthUserDetailsProviderTest` to reflect the fact that it's only testing the HTTP version of `Preauth`. Along those same lines, the test user now uses the HTTP headers and has been renamed to `testuser_http.json`. Please review: @ahoffmann See merge request !7

Merge branch 'test-fix' into 'master'
661a01b1 · Andy Summers · 537fb525 · f5aa2687 · 661a01b1 · 661a01b1
Commit 661a01b1 authored 8 years ago by Andy Summers
--- a/composer.json
+++ b/composer.json
@@ -4,7 +4,7 @@
  "type": "library",
  "homepage": "https://git.doit.wisc.edu/adi-ia/uw-php-security",
  "license": "Apache-2.0",
-  "version": "1.0.2",
+  "version": "1.0.3",
  "authors": [{
    "name": "UW-Madison DoIT ADI Integrated Applications",
    "email": "adi-ia@lists.wisc.edu",

--- a/src/main/edu/wisc/doit/FederatedPreauthUserDetailsProvider.php
+++ b/src/main/edu/wisc/doit/FederatedPreauthUserDetailsProvider.php
@@ -28,8 +28,8 @@ class FederatedPreauthUserDetailsProvider implements UserDetailsProvider
    public function loadUser()
    {
        // Return null if no Shib session is found
-        if (empty(getenv(FederatedPreauthUserDetailsProvider::SHIB_SESSION_ID)) &&
+        if ($this->httpHeaders && !getenv(FederatedPreauthUserDetailsProvider::SHIB_SESSION_ID_HTTP) ||
-            empty(getenv(FederatedPreauthUserDetailsProvider::SHIB_SESSION_ID_HTTP))) {
+            !$this->httpHeaders && !getenv(FederatedPreauthUserDetailsProvider::SHIB_SESSION_ID)) {
            return null;
        }

--- a/src/test/edu/wisc/doit/FederatedPreauthUserDetailsProviderTest.php
+++ b/src/test/edu/wisc/doit/FederatedPreauthUserDetailsProviderTest.php
@@ -6,7 +6,7 @@ use edu\wisc\doit\FederatedPreauthUserDetailsProvider;
 /**
 * Tests for {@link FederatedPreauthUserDetailsProvider}.
 */
-class FederatedPreauthUserDetailsProviderTest extends \PHPUnit_Framework_TestCase
+class HTTPFederatedPreauthUserDetailsProviderTest extends \PHPUnit_Framework_TestCase
 {
    /** @var array */
@@ -21,18 +21,28 @@ class FederatedPreauthUserDetailsProviderTest extends \PHPUnit_Framework_TestCas
    protected function setUp()
    {
        parent::setUp();
-        $jsonString = file_get_contents(__DIR__ . "/../../../resources/testuser.json");
+        $jsonString = file_get_contents(__DIR__ . "/../../../resources/testuser_http.json");
        if ($jsonString === false) {
            return null;
        }
        $this->attributes = json_decode($jsonString, true);
+        $this->userProvider = new FederatedPreauthUserDetailsProvider(true);
+        putenv($this->mapAttribute(UserDetailsProvider::FED_EPPN) . '=' . $this->attributes[$this->mapAttribute(UserDetailsProvider::FED_EPPN)]);
+        putenv($this->mapAttribute(UserDetailsProvider::FED_SPVI) . '=' . $this->attributes[$this->mapAttribute(UserDetailsProvider::FED_SPVI)]);
+        putenv($this->mapAttribute(UserDetailsProvider::FED_FULLNAME) . '=' . $this->attributes[$this->mapAttribute(UserDetailsProvider::FED_FULLNAME)]);
+        putenv($this->mapAttribute(UserDetailsProvider::FED_FIRST_NAME) . '=' . $this->attributes[$this->mapAttribute(UserDetailsProvider::FED_FIRST_NAME)]);
+        putenv($this->mapAttribute(UserDetailsProvider::FED_LAST_NAME) . '=' . $this->attributes[$this->mapAttribute(UserDetailsProvider::FED_LAST_NAME)]);
+        putenv($this->mapAttribute(UserDetailsProvider::UDDS) . '=' . implode(",", $this->attributes[$this->mapAttribute(UserDetailsProvider::UDDS)]));
+        putenv($this->mapAttribute(UserDetailsProvider::FED_EMAIL) . '=' . $this->attributes[$this->mapAttribute(UserDetailsProvider::FED_EMAIL)]);
+        putenv($this->mapAttribute(UserDetailsProvider::SOURCE) . '=' . $this->attributes[$this->mapAttribute(UserDetailsProvider::SOURCE)]);
+        putenv($this->mapAttribute(UserDetailsProvider::ISIS_EMPLID) . '=' . $this->attributes[$this->mapAttribute(UserDetailsProvider::ISIS_EMPLID)]);
+        putenv(UserDetailsProvider::SHIB_SESSION_ID_HTTP  . '=' . $this->attributes[UserDetailsProvider::SHIB_SESSION_ID_HTTP]);
    }
    public function testLoadUser()
    {
-        $this->setupHttpPreauthEnvironment();
-        $this->userProvider = new FederatedPreauthUserDetailsProvider(true);
        $user = $this->userProvider->loadUser();
        $this->assertNotNull($user);
        $this->assertEquals("bbadger@wisc.edu", $user->getEppn());
@@ -47,56 +57,23 @@ class FederatedPreauthUserDetailsProviderTest extends \PHPUnit_Framework_TestCas
    public function testLoadUserWithNoEPPN()
    {
-        $this->setupHttpPreauthEnvironment();
-        $this->userProvider = new FederatedPreauthUserDetailsProvider(true);
        // Clear Shib session ID to simulate no session
-        putenv(UserDetailsProvider::SHIB_SESSION_ID);
+        putenv(UserDetailsProvider::SHIB_SESSION_ID_HTTP);
        $user = $this->userProvider->loadUser();
        $this->assertNull($user);
    }
    public function testLoadUserWithNoEmail()
    {
-        $this->setupHttpPreauthEnvironment();
-        $this->userProvider = new FederatedPreauthUserDetailsProvider(true);
        // Clear email to simulate no email
        putenv('HTTP_' . strtoupper(UserDetailsProvider::FED_EMAIL));
        $user = $this->userProvider->loadUser();
        $this->assertFalse($user->getEmailAddress());
    }
-    /**
+    private function mapAttribute($attribute)
-     * Setup environment to simulate a Preauth (Shib) environment.
-     */
-    private function setupPreauthEnvironment()
-    {
-        putenv(UserDetailsProvider::FED_EPPN . '=' . $this->attributes[UserDetailsProvider::FED_EPPN]);
-        putenv(UserDetailsProvider::FED_SPVI . '=' . $this->attributes[UserDetailsProvider::FED_SPVI]);
-        putenv(UserDetailsProvider::FED_FULLNAME . '=' . $this->attributes[UserDetailsProvider::FED_FULLNAME]);
-        putenv(UserDetailsProvider::FED_FIRST_NAME . '=' . $this->attributes[UserDetailsProvider::FED_FIRST_NAME]);
-        putenv(UserDetailsProvider::FED_LAST_NAME . '=' . $this->attributes[UserDetailsProvider::FED_LAST_NAME]);
-        putenv(UserDetailsProvider::UDDS . '=' . implode(",", $this->attributes[UserDetailsProvider::UDDS]));
-        putenv(UserDetailsProvider::FED_EMAIL . '=' . $this->attributes[UserDetailsProvider::FED_EMAIL]);
-        putenv(UserDetailsProvider::SOURCE . '=' . $this->attributes[UserDetailsProvider::SOURCE]);
-        putenv(UserDetailsProvider::ISIS_EMPLID . '=' . $this->attributes[UserDetailsProvider::ISIS_EMPLID]);
-        putenv(UserDetailsProvider::SHIB_SESSION_ID  . '=' . $this->attributes[UserDetailsProvider::SHIB_SESSION_ID]);
-    }
-    /**
-     * Setup environment to simulate HTTP Preauth.
-     */
-    private function setupHttpPreauthEnvironment()
    {
-        putenv('HTTP_' . strtoupper(UserDetailsProvider::FED_EPPN) . '=' . $this->attributes[UserDetailsProvider::FED_EPPN]);
+        return 'HTTP_' . strtoupper($attribute);
-        putenv('HTTP_' . strtoupper(UserDetailsProvider::FED_SPVI) . '=' . $this->attributes[UserDetailsProvider::FED_SPVI]);
-        putenv('HTTP_' . strtoupper(UserDetailsProvider::FED_FULLNAME) . '=' . $this->attributes[UserDetailsProvider::FED_FULLNAME]);
-        putenv('HTTP_' . strtoupper(UserDetailsProvider::FED_FIRST_NAME) . '=' . $this->attributes[UserDetailsProvider::FED_FIRST_NAME]);
-        putenv('HTTP_' . strtoupper(UserDetailsProvider::FED_LAST_NAME) . '=' . $this->attributes[UserDetailsProvider::FED_LAST_NAME]);
-        putenv('HTTP_' . strtoupper(UserDetailsProvider::UDDS) . '=' . implode(",", $this->attributes[UserDetailsProvider::UDDS]));
-        putenv('HTTP_' . strtoupper(UserDetailsProvider::FED_EMAIL) . '=' . $this->attributes[UserDetailsProvider::FED_EMAIL]);
-        putenv('HTTP_' . strtoupper(UserDetailsProvider::SOURCE) . '=' . $this->attributes[UserDetailsProvider::SOURCE]);
-        putenv('HTTP_' . strtoupper(UserDetailsProvider::ISIS_EMPLID) . '=' . $this->attributes[UserDetailsProvider::ISIS_EMPLID]);
-        putenv(UserDetailsProvider::SHIB_SESSION_ID  . '=' . $this->attributes[UserDetailsProvider::SHIB_SESSION_ID]);
    }
 }
--- a/src/test/edu/wisc/doit/LocalUserDetailsProviderTest.php
+++ b/src/test/edu/wisc/doit/LocalUserDetailsProviderTest.php
@@ -10,7 +10,7 @@ class LocalUserDetailsProviderTest extends \PHPUnit_Framework_TestCase
    public function testLoadUser()
    {
-        $userDetailsService = new LocalUserDetailsProvider(__DIR__ . "/../../../resources/testuser.json");
+        $userDetailsService = new LocalUserDetailsProvider(__DIR__ . "/../../../resources/localuser.json");
        $user = $userDetailsService->loadUser();
        $this->assertEquals("bbadger@wisc.edu", $user->getEppn());
        $this->assertEquals("UW123A456", $user->getPvi());

--- a/src/test/resources/testuser.json
+++ b/src/test/resources/testuser.json
@@ -11,6 +11,5 @@
  ],
  "eduWisconsinEmailAddress": "bucky.badger@wisc.edu",
  "source": "a_source",
-  "isisEmplid": "123456789",
+  "isisEmplid": "123456789"
-  "Shib-Session-Id": "1234567890"
 }
\ No newline at end of file
--- a/src/test/resources/testuser_http.json
+++ b/src/test/resources/testuser_http.json
+{
+  "HTTP_EPPN": "bbadger@wisc.edu",
+  "HTTP_EDUWISCONSINSPVI": "UW123A456",
+  "HTTP_CN": "BUCKINGHAM BADGER",
+  "HTTP_EDUWISCONSINCOMMONNAME": "BUCKINGHAM BADGER",
+  "HTTP_EDUWISCONSINGIVENNAME": "BUCKINGHAM",
+  "HTTP_EDUWISCONSINSURNAME": "BADGER",
+  "HTTP_UDDS": [
+    "UW123A456",
+    "UW234A567"
+  ],
+  "HTTP_EDUWISCONSINEMAILADDRESS": "bucky.badger@wisc.edu",
+  "HTTP_SOURCE": "a_source",
+  "HTTP_ISISEMPLID": "123456789",
+  "HTTP_SHIB_SESSION_ID": "1234567890"
+}
\ No newline at end of file