Merge branch 'main' into testing6

Author: simonLeary42

.pre-commit-config.yaml

@@ -48,3 +48,9 @@ repos:
         language: system
         files: \.php$
         args: [-l]
+      - id: assert-no-die-exit
+        name: Assert no die()/exit()
+        entry: ./test/assert-no-die-exit.bash
+        language: system
+        files: \.php$
+        exclude: resources/lib/UnitySite\.php$

defaults/config.ini.default

@@ -22,7 +22,7 @@ user_ou = "ou=users,dc=unityhpc,dc=test"  ; User organizational unit
 group_ou = "ou=groups,dc=unityhpc,dc=test"  ; Group organizational unit
 pigroup_ou = "ou=pi_groups,dc=unityhpc,dc=test"  ; PI Group organizational unit
 orggroup_ou = "ou=org_groups,dc=unityhpc,dc=test"  ; ORG group organizational unit
-admin_group = "cn=sudo,dc=unityhpc,dc=test"  ; admin dn (members of this group are admins on the web portal)
+admin_group = "cn=web_admins,dc=unityhpc,dc=test"  ; admin dn (members of this group are admins on the web portal)
 def_user_shell = "/bin/bash"  ; Default shell for new users
 
 [sql]

resources/lib/UnityLDAP.php

@@ -11,10 +11,6 @@
 class UnityLDAP extends ldapConn
 {
   // User Specific Constants
-    private const ID_MAP = array(1000, 9999);
-    private const PI_ID_MAP = array(10000, 19999);
-    private const ORG_ID_MAP = array(20000, 29999);
-
     private const RDN = "cn";  // The defauls RDN for LDAP entries is set to "common name"
 
     public const POSIX_ACCOUNT_CLASS = array(
@@ -315,21 +311,25 @@ public function getAllOrgGroups($UnitySQL, $UnityMailer, $UnityRedis, $UnityWebh
 
     public function getUserEntry($uid)
     {
+        $uid = ldap_escape($uid, LDAP_ESCAPE_DN);
         return $this->getEntry(unityLDAP::RDN . "=$uid," . $this->STR_USEROU);
     }
 
     public function getGroupEntry($gid)
     {
+        $uid = ldap_escape($gid, LDAP_ESCAPE_DN);
         return $this->getEntry(unityLDAP::RDN . "=$gid," . $this->STR_GROUPOU);
     }
 
     public function getPIGroupEntry($gid)
     {
+        $uid = ldap_escape($gid, LDAP_ESCAPE_DN);
         return $this->getEntry(unityLDAP::RDN . "=$gid," . $this->STR_PIGROUPOU);
     }
 
     public function getOrgGroupEntry($gid)
     {
+        $uid = ldap_escape($gid, LDAP_ESCAPE_DN);
         return $this->getEntry(unityLDAP::RDN . "=$gid," . $this->STR_ORGGROUPOU);
     }
 }

resources/lib/UnitySQL.php

@@ -8,9 +8,7 @@ class UnitySQL
 {
     private const TABLE_REQS = "requests";
     private const TABLE_NOTICES = "notices";
-    private const TABLE_SSOLOG = "sso_log";
     private const TABLE_PAGES = "pages";
-    private const TABLE_EVENTS = "events";
     private const TABLE_AUDIT_LOG = "audit_log";
     private const TABLE_ACCOUNT_DELETION_REQUESTS = "account_deletion_requests";
     private const TABLE_SITEVARS = "sitevars";
@@ -21,7 +19,8 @@ class UnitySQL
     private const TABLE_GROUP_JOIN_REQUESTS = "groupJoinRequests";
 
 
-    private const REQUEST_ADMIN = "admin";
+    // FIXME this string should be changed to something more intuitive, requires production sql change
+    private const REQUEST_BECOME_PI = "admin";
 
     private $conn;
 
@@ -39,7 +38,7 @@ public function getConn()
     //
     // requests table methods
     //
-    public function addRequest($requestor, $dest = self::REQUEST_ADMIN)
+    public function addRequest($requestor, $dest = self::REQUEST_BECOME_PI)
     {
         if ($this->requestExists($requestor, $dest)) {
             return;
@@ -54,7 +53,7 @@ public function addRequest($requestor, $dest = self::REQUEST_ADMIN)
         $stmt->execute();
     }
 
-    public function removeRequest($requestor, $dest = self::REQUEST_ADMIN)
+    public function removeRequest($requestor, $dest = self::REQUEST_BECOME_PI)
     {
         if (!$this->requestExists($requestor, $dest)) {
             return;
@@ -69,7 +68,7 @@ public function removeRequest($requestor, $dest = self::REQUEST_ADMIN)
         $stmt->execute();
     }
 
-    public function removeRequests($dest = self::REQUEST_ADMIN)
+    public function removeRequests($dest = self::REQUEST_BECOME_PI)
     {
         $stmt = $this->conn->prepare(
             "DELETE FROM " . self::TABLE_REQS . " WHERE request_for=:request_for"
@@ -79,7 +78,7 @@ public function removeRequests($dest = self::REQUEST_ADMIN)
         $stmt->execute();
     }
 
-    public function requestExists($requestor, $dest = self::REQUEST_ADMIN)
+    public function requestExists($requestor, $dest = self::REQUEST_BECOME_PI)
     {
         $stmt = $this->conn->prepare(
             "SELECT * FROM " . self::TABLE_REQS . " WHERE uid=:uid and request_for=:request_for"
@@ -92,7 +91,7 @@ public function requestExists($requestor, $dest = self::REQUEST_ADMIN)
         return count($stmt->fetchAll()) > 0;
     }
 
-    public function getRequests($dest = self::REQUEST_ADMIN)
+    public function getRequests($dest = self::REQUEST_BECOME_PI)
     {
         $stmt = $this->conn->prepare(
             "SELECT * FROM " . self::TABLE_REQS . " WHERE request_for=:request_for"
@@ -234,18 +233,6 @@ public function editPage($id, $content, $operator)
         );
     }
 
-    public function addEvent($operator, $action, $entity)
-    {
-        $stmt = $this->conn->prepare(
-            "INSERT INTO " . self::TABLE_EVENTS . " (operator, action, entity) VALUE (:operator, :action, :entity)"
-        );
-        $stmt->bindParam(":operator", $operator);
-        $stmt->bindParam(":action", $action);
-        $stmt->bindParam(":entity", $entity);
-
-        $stmt->execute();
-    }
-
     // audit log table methods
     public function addLog($operator, $operator_ip, $action_type, $recipient)
     {

resources/lib/UnitySite.php

@@ -3,17 +3,70 @@
 namespace UnityWebPortal\lib;
 
 use phpseclib3\Crypt\PublicKeyLoader;
+use UnityWebPortal\lib\exceptions\PhpUnitNoDieException;
 
 class UnitySite
 {
+    public static function die($x = null)
+    {
+        if (@$GLOBALS["PHPUNIT_NO_DIE_PLEASE"] == true) {
+            if (is_null($x)) {
+                throw new PhpUnitNoDieException();
+            } else {
+                throw new PhpUnitNoDieException($x);
+            }
+        } else {
+            if (is_null($x)) {
+                die();
+            } else {
+                die($x);
+            }
+        }
+    }
+
     public static function redirect($destination)
     {
         if ($_SERVER["PHP_SELF"] != $destination) {
             header("Location: $destination");
-            die("Redirect failed, click <a href='$destination'>here</a> to continue.");
+            self::die("Redirect failed, click <a href='$destination'>here</a> to continue.");
         }
     }
 
+    private static function headerResponseCode(int $code, string $reason)
+    {
+        $protocol = @$_SERVER["SERVER_PROTOCOL"] ?? "HTTP/1.1";
+        $msg = $protocol . " " . strval($code) . " " . $reason;
+        header($msg, true, $code);
+    }
+
+    public static function errorLog(string $title, string $message)
+    {
+        error_log(
+            "$title: " . json_encode(
+                [
+                    "message" => $message,
+                    "REMOTE_USER" => @$_SERVER["REMOTE_USER"],
+                    "REMOTE_ADDR" => @$_SERVER["REMOTE_ADDR"],
+                    "trace" => (new \Exception())->getTraceAsString()
+                ]
+            )
+        );
+    }
+
+    public static function badRequest($message)
+    {
+        self::headerResponseCode(400, "bad request");
+        self::errorLog("bad request", $message);
+        self::die();
+    }
+
+    public static function forbidden($message)
+    {
+        self::headerResponseCode(403, "forbidden");
+        self::errorLog("forbidden", $message);
+        self::die();
+    }
+
     public static function removeTrailingWhitespace($arr)
     {
         $out = array();

resources/lib/UnityUser.php

@@ -538,7 +538,7 @@ public function getHomeDir($ignorecache = false)
     }
 
     /**
-     * Checks if the current account is an admin (in the sudo group)
+     * Checks if the current account is an admin
      *
      * @return boolean true if admin, false if not
      */

resources/lib/exceptions/PhpUnitNoDieException.php

@@ -0,0 +1,6 @@
+<?php
+namespace UnityWebPortal\lib\exceptions;
+
+class PhpUnitNoDieException extends \Exception
+{
+}

resources/templates/header.php

@@ -2,6 +2,14 @@
 
 use UnityWebPortal\lib\UnitySite;
 
+if ((@$_SESSION["is_admin"] ?? false) == true
+    && $_SERVER["REQUEST_METHOD"] == "POST"
+    && (@$_POST["form_name"] ?? null) == "clearView"
+) {
+    unset($_SESSION["viewUser"]);
+    UnitySite::redirect($CONFIG["site"]["prefix"] . "/admin/user-mgmt.php");
+}
+
 if (isset($SSO)) {
     if (!$_SESSION["user_exists"]) {
         UnitySite::redirect($CONFIG["site"]["prefix"] . "/panel/new_account.php");
@@ -116,23 +124,20 @@
   <main>
 
   <?php
-    if (isset($_SESSION["is_admin"]) && $_SESSION["is_admin"]) {
-        if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST["form_name"]) && $_POST["form_name"] == "clearView") {
-            unset($_SESSION["viewUser"]);
-            UnitySite::redirect($CONFIG["site"]["prefix"] . "/admin/user-mgmt.php");
-        }
-
-        if (isset($_SESSION["viewUser"])) {
-            echo "<div id='viewAsBar'>";
-            echo "<span>You are accessing the web portal as the user <strong>" .
-            $_SESSION["viewUser"] . "</strong></span>";
-            echo
-            "<form method='POST' action=''>
-      <input type='hidden' name='form_name' value='clearView'>
-      <input type='hidden' name='uid' value='" . $_SESSION["viewUser"] . "'>
-      <input type='submit' value='Return to My User'>
-      </form>";
-            echo "</div>";
-        }
+    if (isset($_SESSION["is_admin"])
+        && $_SESSION["is_admin"]
+        && isset($_SESSION["viewUser"])
+    ) {
+        $viewUser = $_SESSION["viewUser"];
+        echo "
+          <div id='viewAsBar'>
+            <span>You are accessing the web portal as the user <strong>$viewUser</strong></span>
+            <form method='POST' action=''>
+              <input type='hidden' name='form_name' value='clearView'>
+              <input type='hidden' name='uid' value='$viewUser'>
+              <input type='submit' value='Return to My User'>
+            </form>
+          </div>
+        ";
     }
-    ?>
+    ?>

test/assert-no-die-exit.bash

@@ -0,0 +1,28 @@
+#!/bin/bash
+set -euo pipefail
+if [[ $# -lt 1 ]]; then
+    echo "at least one argument required"
+    exit 1
+fi
+
+rc=0
+
+# --color=never because magit git output log doesn't support it
+die_occurrences="$(
+    grep -H --color=never --line-number -P '\bdie\s*[\(;]' "$@" | grep -v -P 'UnitySite::die'
+)" || true
+if [ -n "$die_occurrences" ]; then
+    echo "die is not allowed! use UnitySite::die() instead."
+    echo "$die_occurrences"
+    rc=1
+fi
+
+# --color=never because magit git output log doesn't support it
+exit_occurrences="$(grep -H --color=never --line-number -P '\bexit\s*[\(;]' "$@")" || true
+if [ -n "$exit_occurrences" ]; then
+    echo "exit is not allowed! use UnitySite::die() instead."
+    echo "$exit_occurrences"
+    rc=1
+fi
+
+exit "$rc"

test/functional/AccountDeletionRequestTest.php

@@ -38,12 +38,12 @@ public function testRequestAccountDeletionUserHasNoGroups()
         $this->assertEmpty($USER->getGroups());
         $this->assertNumberAccountDeletionRequests(0);
         try {
-            post(
+            http_post(
                 __DIR__ . "/../../webroot/panel/account.php",
                 ["form_type" => "account_deletion_request"]
             );
             $this->assertNumberAccountDeletionRequests(1);
-            post(
+            http_post(
                 __DIR__ . "/../../webroot/panel/account.php",
                 ["form_type" => "account_deletion_request"]
             );
@@ -62,7 +62,7 @@ public function testRequestAccountDeletionUserHasGroup()
         $this->assertNotEmpty($USER->getGroups());
         $this->assertNumberAccountDeletionRequests(0);
         try {
-            post(
+            http_post(
                 __DIR__ . "/../../webroot/panel/account.php",
                 ["form_type" => "account_deletion_request"]
             );

test/functional/LoginShellSetTest.php

@@ -42,7 +42,7 @@ public function testSetLoginShell(string $shell): void
         if (!$this->isShellValid($shell)) {
             $this->expectException("Exception");
         }
-        post(
+        http_post(
             __DIR__ . "/../../webroot/panel/account.php",
             ["form_type" => "loginshell", "shellSelect" => $shell]
         );

test/functional/PiBecomeRequestTest.php

@@ -38,12 +38,12 @@ public function testRequestBecomePi()
         $this->assertFalse($USER->isPI());
         $this->assertNumberPiBecomeRequests(0);
         try {
-            post(
+            http_post(
                 __DIR__ . "/../../webroot/panel/account.php",
                 ["form_type" => "pi_request"]
             );
             $this->assertNumberPiBecomeRequests(1);
-            post(
+            http_post(
                 __DIR__ . "/../../webroot/panel/account.php",
                 ["form_type" => "pi_request"]
             );
@@ -61,7 +61,7 @@ public function testRequestBecomePiUserRequestedAccountDeletion()
         $this->assertNumberPiBecomeRequests(0);
         $this->assertTrue($SQL->accDeletionRequestExists($USER->getUID()));
         try {
-            post(
+            http_post(
                 __DIR__ . "/../../webroot/panel/account.php",
                 ["form_type" => "pi_request"]
             );