refactor: remove source host allowlist from direct login
This commit is contained in:
+1
-15
@@ -5,7 +5,6 @@ require_once PLUGIN_ROOT . '/exec/lib/Settings.php';
|
||||
require_once PLUGIN_ROOT . '/exec/lib/DirectAdminContext.php';
|
||||
require_once PLUGIN_ROOT . '/exec/lib/ClientIp.php';
|
||||
require_once PLUGIN_ROOT . '/exec/lib/KeyName.php';
|
||||
require_once PLUGIN_ROOT . '/exec/lib/SourceAuthorizer.php';
|
||||
|
||||
test('directadmin context derives server name from first host label', function (): void {
|
||||
$settings = Settings::fromArray(['MAIL_LOGIN_SOURCE_SERVER_NAME' => '']);
|
||||
@@ -22,7 +21,7 @@ test('directadmin context derives server name from first host label', function (
|
||||
assert_same('h4', $ctx->serverName());
|
||||
});
|
||||
|
||||
test('directadmin context prefers trusted configured source server name over host header', function (): void {
|
||||
test('directadmin context uses configured source server name and trusts local server name host', function (): void {
|
||||
$settings = Settings::fromArray(['MAIL_LOGIN_SOURCE_SERVER_NAME' => 'h4']);
|
||||
$ctx = DirectAdminContext::fromServer([
|
||||
'USERNAME' => 'mxtest',
|
||||
@@ -100,19 +99,6 @@ test('client ip supports trusted proxy cidr ranges', function (): void {
|
||||
assert_same('203.0.113.20', $ip);
|
||||
});
|
||||
|
||||
test('source authorizer rejects hosts outside allowlist', function (): void {
|
||||
$settings = Settings::fromArray(['MAIL_LOGIN_ALLOWED_SOURCE_HOSTS' => 'h4.domena.pl']);
|
||||
|
||||
SourceAuthorizer::assertAllowed('h4.domena.pl', $settings);
|
||||
|
||||
try {
|
||||
SourceAuthorizer::assertAllowed('evil.example.net', $settings);
|
||||
throw new RuntimeException('Expected disallowed source host to fail');
|
||||
} catch (RuntimeException $e) {
|
||||
assert_contains('source host', strtolower($e->getMessage()));
|
||||
}
|
||||
});
|
||||
|
||||
test('key name uses requested format and truncates long values deterministically', function (): void {
|
||||
assert_same('autologin-h4-mxtest-1782810000', KeyName::build('h4', 'mxtest', 1782810000));
|
||||
|
||||
|
||||
@@ -8,7 +8,7 @@ test('plugin metadata and packaging docs match project rules', function (): void
|
||||
assert_contains('name=mail-login', $conf);
|
||||
assert_contains('id=mail-login', $conf);
|
||||
assert_contains('type=user', $conf);
|
||||
assert_contains('version=1.0.4', $conf);
|
||||
assert_contains('version=1.0.5', $conf);
|
||||
assert_contains('user_run_as=root', $conf);
|
||||
assert_contains('/Users/marek/GPT/ChatGPT/da_plugins/mail-login/src', $packing);
|
||||
assert_contains('/Users/marek/GPT/ChatGPT/da_plugins/mail-login/archives/X.Y.Z/mail-login.tar.gz', $packing);
|
||||
|
||||
@@ -49,12 +49,12 @@ test('settings reject unsupported mx login mode values', function (): void {
|
||||
}
|
||||
});
|
||||
|
||||
test('settings parse allowed source hosts as normalized hostnames', function (): void {
|
||||
$settings = Settings::fromArray([
|
||||
'MAIL_LOGIN_ALLOWED_SOURCE_HOSTS' => 'https://h4.domena.pl:2222, serwer2.example.net:2222',
|
||||
]);
|
||||
test('source plugin settings do not expose local source host allowlist', function (): void {
|
||||
$defaults = Settings::defaults();
|
||||
$config = file_get_contents(PLUGIN_ROOT . '/plugin-settings.conf') ?: '';
|
||||
|
||||
assert_same(['h4.domena.pl', 'serwer2.example.net'], $settings->allowedSourceHosts());
|
||||
assert_false(array_key_exists('MAIL_LOGIN_ALLOWED_SOURCE_HOSTS', $defaults));
|
||||
assert_not_contains('MAIL_LOGIN_ALLOWED_SOURCE_HOSTS', $config);
|
||||
});
|
||||
|
||||
test('settings reject disabled plugin and unsupported methods through access guard', function (): void {
|
||||
|
||||
Reference in New Issue
Block a user