104 lines
4.5 KiB
PHP
104 lines
4.5 KiB
PHP
<?php
|
|
declare(strict_types=1);
|
|
|
|
test('mx helper conditionally passes user ip binding to da login-url', function (): void {
|
|
$bin = TEST_TMP . '/fake-da';
|
|
$log = TEST_TMP . '/fake-da.log';
|
|
$audit = TEST_TMP . '/audit.log';
|
|
$state = TEST_TMP . '/state';
|
|
|
|
test_write($bin, "#!/bin/sh\nprintf '%s\\n' \"$@\" >> " . escapeshellarg($log) . "\necho 'URL: https://mx1.domena.pl:2222/api/login/url?key=SECRET'\n");
|
|
chmod($bin, 0755);
|
|
|
|
$script = PLUGIN_ROOT . '/mx-helper/mail-login-authorized-command.sh';
|
|
$cmd = sprintf(
|
|
'MAIL_LOGIN_DA_BIN=%s MAIL_LOGIN_AUDIT_LOG=%s MAIL_LOGIN_STATE_DIR=%s MAIL_LOGIN_ALLOWED_SOURCE_HOSTS=%s %s %s',
|
|
escapeshellarg($bin),
|
|
escapeshellarg($audit),
|
|
escapeshellarg($state),
|
|
escapeshellarg('h4.domena.pl'),
|
|
escapeshellarg($script),
|
|
'mail-login-create-url mxtest h4.domena.pl h4 30 1 198.51.100.10 / 1782810000'
|
|
);
|
|
exec($cmd, $out, $code);
|
|
assert_same(0, $code, implode("\n", $out));
|
|
assert_contains('--ip=198.51.100.10', file_get_contents($log) ?: '');
|
|
assert_contains('autologin-h4-mxtest-', file_get_contents($audit) ?: '');
|
|
|
|
file_put_contents($log, '');
|
|
$cmdNoIp = sprintf(
|
|
'MAIL_LOGIN_DA_BIN=%s MAIL_LOGIN_AUDIT_LOG=%s MAIL_LOGIN_STATE_DIR=%s MAIL_LOGIN_ALLOWED_SOURCE_HOSTS=%s %s %s',
|
|
escapeshellarg($bin),
|
|
escapeshellarg($audit),
|
|
escapeshellarg($state),
|
|
escapeshellarg('h4.domena.pl'),
|
|
escapeshellarg($script),
|
|
'mail-login-create-url mxtest h4.domena.pl h4 30 0 198.51.100.10 / 1782810001'
|
|
);
|
|
exec($cmdNoIp, $outNoIp, $codeNoIp);
|
|
assert_same(0, $codeNoIp, implode("\n", $outNoIp));
|
|
assert_not_contains('--ip=', file_get_contents($log) ?: '');
|
|
assert_contains('ip_bound_disabled', file_get_contents($audit) ?: '');
|
|
});
|
|
|
|
test('mx helper accepts forced command arguments from ssh original command', function (): void {
|
|
$bin = TEST_TMP . '/fake-da-original';
|
|
$log = TEST_TMP . '/fake-da-original.log';
|
|
$audit = TEST_TMP . '/audit-original.log';
|
|
$state = TEST_TMP . '/state-original';
|
|
|
|
test_write($bin, "#!/bin/sh\nprintf '%s\\n' \"$@\" >> " . escapeshellarg($log) . "\necho 'URL: https://mx1.domena.pl:2222/api/login/url?key=SECRET'\n");
|
|
chmod($bin, 0755);
|
|
|
|
$script = PLUGIN_ROOT . '/mx-helper/mail-login-authorized-command.sh';
|
|
$cmd = sprintf(
|
|
'MAIL_LOGIN_DA_BIN=%s MAIL_LOGIN_AUDIT_LOG=%s MAIL_LOGIN_STATE_DIR=%s MAIL_LOGIN_ALLOWED_SOURCE_HOSTS=%s SSH_ORIGINAL_COMMAND=%s %s',
|
|
escapeshellarg($bin),
|
|
escapeshellarg($audit),
|
|
escapeshellarg($state),
|
|
escapeshellarg('h4.domena.pl'),
|
|
escapeshellarg('mail-login-create-url mxtest h4.domena.pl evil 30 1 198.51.100.10 / 1782810002'),
|
|
escapeshellarg($script)
|
|
);
|
|
exec($cmd, $out, $code);
|
|
|
|
assert_same(0, $code, implode("\n", $out));
|
|
assert_contains('--user=mxtest', file_get_contents($log) ?: '');
|
|
assert_contains('autologin-h4-mxtest-', file_get_contents($audit) ?: '');
|
|
assert_not_contains('autologin-evil-mxtest-', file_get_contents($audit) ?: '');
|
|
});
|
|
|
|
test('mx helper rejects disallowed source hosts and invalid client ips', function (): void {
|
|
$bin = TEST_TMP . '/fake-da-reject';
|
|
$audit = TEST_TMP . '/audit-reject.log';
|
|
$state = TEST_TMP . '/state-reject';
|
|
test_write($bin, "#!/bin/sh\necho 'URL: https://mx1.domena.pl:2222/api/login/url?key=SECRET'\n");
|
|
chmod($bin, 0755);
|
|
$script = PLUGIN_ROOT . '/mx-helper/mail-login-authorized-command.sh';
|
|
|
|
$badHost = sprintf(
|
|
'MAIL_LOGIN_DA_BIN=%s MAIL_LOGIN_AUDIT_LOG=%s MAIL_LOGIN_STATE_DIR=%s MAIL_LOGIN_ALLOWED_SOURCE_HOSTS=%s %s %s 2>/dev/null',
|
|
escapeshellarg($bin),
|
|
escapeshellarg($audit),
|
|
escapeshellarg($state),
|
|
escapeshellarg('h4.domena.pl'),
|
|
escapeshellarg($script),
|
|
'mail-login-create-url mxtest evil.domena.pl evil 30 1 198.51.100.10 / 1782810003'
|
|
);
|
|
exec($badHost, $outHost, $codeHost);
|
|
assert_same(1, $codeHost);
|
|
|
|
$badIp = sprintf(
|
|
'MAIL_LOGIN_DA_BIN=%s MAIL_LOGIN_AUDIT_LOG=%s MAIL_LOGIN_STATE_DIR=%s MAIL_LOGIN_ALLOWED_SOURCE_HOSTS=%s %s %s 2>/dev/null',
|
|
escapeshellarg($bin),
|
|
escapeshellarg($audit),
|
|
escapeshellarg($state),
|
|
escapeshellarg('h4.domena.pl'),
|
|
escapeshellarg($script),
|
|
'mail-login-create-url mxtest h4.domena.pl h4 30 1 999.999.999.999 / 1782810004'
|
|
);
|
|
exec($badIp, $outIp, $codeIp);
|
|
assert_same(1, $codeIp);
|
|
assert_not_contains("\nBROKEN", file_get_contents($audit) ?: '');
|
|
});
|