refactor: remove source host allowlist from direct login

This commit is contained in:
Marek Miklewicz
2026-06-30 15:25:54 +02:00
parent b27c5c774a
commit c115b2861d
10 changed files with 11 additions and 83 deletions
+1 -15
View File
@@ -5,7 +5,6 @@ require_once PLUGIN_ROOT . '/exec/lib/Settings.php';
require_once PLUGIN_ROOT . '/exec/lib/DirectAdminContext.php';
require_once PLUGIN_ROOT . '/exec/lib/ClientIp.php';
require_once PLUGIN_ROOT . '/exec/lib/KeyName.php';
require_once PLUGIN_ROOT . '/exec/lib/SourceAuthorizer.php';
test('directadmin context derives server name from first host label', function (): void {
$settings = Settings::fromArray(['MAIL_LOGIN_SOURCE_SERVER_NAME' => '']);
@@ -22,7 +21,7 @@ test('directadmin context derives server name from first host label', function (
assert_same('h4', $ctx->serverName());
});
test('directadmin context prefers trusted configured source server name over host header', function (): void {
test('directadmin context uses configured source server name and trusts local server name host', function (): void {
$settings = Settings::fromArray(['MAIL_LOGIN_SOURCE_SERVER_NAME' => 'h4']);
$ctx = DirectAdminContext::fromServer([
'USERNAME' => 'mxtest',
@@ -100,19 +99,6 @@ test('client ip supports trusted proxy cidr ranges', function (): void {
assert_same('203.0.113.20', $ip);
});
test('source authorizer rejects hosts outside allowlist', function (): void {
$settings = Settings::fromArray(['MAIL_LOGIN_ALLOWED_SOURCE_HOSTS' => 'h4.domena.pl']);
SourceAuthorizer::assertAllowed('h4.domena.pl', $settings);
try {
SourceAuthorizer::assertAllowed('evil.example.net', $settings);
throw new RuntimeException('Expected disallowed source host to fail');
} catch (RuntimeException $e) {
assert_contains('source host', strtolower($e->getMessage()));
}
});
test('key name uses requested format and truncates long values deterministically', function (): void {
assert_same('autologin-h4-mxtest-1782810000', KeyName::build('h4', 'mxtest', 1782810000));