"view as user" test, rework uses of die() (#212)

* replace die with exception

* use if/then instead of die

* set unique session cache location for each phpunit run

* viewAsUser test

* UnitySite not static

* remove pointless file

* ajax php don't initialize entire stack

* every switchUser has a fresh session by default

* get post always discard output

* Revert "UnitySite not static"

This reverts commit 01e7581.

* add UnitySite::die

* Revert "replace die with exception"

This reverts commit fa5d021.

* add functions errorLog, badRequest

* update ViewAsUserTest

* get test working

* add exceptions

* delete comments

* unused import

* rename post to http_post, get to http_get

* fix die

* add pre commit check for usage of die

* no color in die checker

* dont print to stderr

* ignore phpunit result cache

* don't allow exit() either

* refactor

* show both die and exit

* get -> http_get

* revert conditional

* revert conditional 2

* add message

* remove unused exception class

* exclude UnitySite from die check

* use unauthorized function, don't print anything to use

* allow empty die(), rename unauthorized to forbidden

* don't explode trace

* remove broken magic response code reason

* httpResponseCode private

* more tests

* allow undefined server protocol

* more tests

* clear view before redirect nonexistent user

* remove comment

Author: simonLeary42

.gitignore

@@ -16,3 +16,5 @@ composer.lock
 deployment/*
 !deployment/**/README.md
 !deployment/deploy.sh
+
+.phpunit.result.cache

.pre-commit-config.yaml

@@ -48,3 +48,9 @@ repos:
         language: system
         files: \.php$
         args: [-l]
+      - id: assert-no-die-exit
+        name: Assert no die()/exit()
+        entry: ./test/assert-no-die-exit.bash
+        language: system
+        files: \.php$
+        exclude: resources/lib/UnitySite\.php$

resources/lib/UnitySite.php

@@ -3,17 +3,70 @@
 namespace UnityWebPortal\lib;
 
 use phpseclib3\Crypt\PublicKeyLoader;
+use UnityWebPortal\lib\exceptions\PhpUnitNoDieException;
 
 class UnitySite
 {
+    public static function die($x = null)
+    {
+        if (@$GLOBALS["PHPUNIT_NO_DIE_PLEASE"] == true) {
+            if (is_null($x)) {
+                throw new PhpUnitNoDieException();
+            } else {
+                throw new PhpUnitNoDieException($x);
+            }
+        } else {
+            if (is_null($x)) {
+                die();
+            } else {
+                die($x);
+            }
+        }
+    }
+
     public static function redirect($destination)
     {
         if ($_SERVER["PHP_SELF"] != $destination) {
             header("Location: $destination");
-            die("Redirect failed, click <a href='$destination'>here</a> to continue.");
+            self::die("Redirect failed, click <a href='$destination'>here</a> to continue.");
         }
     }
 
+    private static function headerResponseCode(int $code, string $reason)
+    {
+        $protocol = @$_SERVER["SERVER_PROTOCOL"] ?? "HTTP/1.1";
+        $msg = $protocol . " " . strval($code) . " " . $reason;
+        header($msg, true, $code);
+    }
+
+    public static function errorLog(string $title, string $message)
+    {
+        error_log(
+            "$title: " . json_encode(
+                [
+                    "message" => $message,
+                    "REMOTE_USER" => @$_SERVER["REMOTE_USER"],
+                    "REMOTE_ADDR" => @$_SERVER["REMOTE_ADDR"],
+                    "trace" => (new \Exception())->getTraceAsString()
+                ]
+            )
+        );
+    }
+
+    public static function badRequest($message)
+    {
+        self::headerResponseCode(400, "bad request");
+        self::errorLog("bad request", $message);
+        self::die();
+    }
+
+    public static function forbidden($message)
+    {
+        self::headerResponseCode(403, "forbidden");
+        self::errorLog("forbidden", $message);
+        self::die();
+    }
+
     public static function removeTrailingWhitespace($arr)
     {
         $out = array();

resources/lib/exceptions/PhpUnitNoDieException.php

@@ -0,0 +1,6 @@
+<?php
+namespace UnityWebPortal\lib\exceptions;
+
+class PhpUnitNoDieException extends \Exception
+{
+}

resources/templates/header.php

@@ -2,6 +2,14 @@
 
 use UnityWebPortal\lib\UnitySite;
 
+if ((@$_SESSION["is_admin"] ?? false) == true
+    && $_SERVER["REQUEST_METHOD"] == "POST"
+    && (@$_POST["form_name"] ?? null) == "clearView"
+) {
+    unset($_SESSION["viewUser"]);
+    UnitySite::redirect($CONFIG["site"]["prefix"] . "/admin/user-mgmt.php");
+}
+
 if (isset($SSO)) {
     if (!$_SESSION["user_exists"]) {
         UnitySite::redirect($CONFIG["site"]["prefix"] . "/panel/new_account.php");
@@ -116,23 +124,20 @@
   <main>
 
   <?php
-    if (isset($_SESSION["is_admin"]) && $_SESSION["is_admin"]) {
-        if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_POST["form_name"]) && $_POST["form_name"] == "clearView") {
-            unset($_SESSION["viewUser"]);
-            UnitySite::redirect($CONFIG["site"]["prefix"] . "/admin/user-mgmt.php");
-        }
-
-        if (isset($_SESSION["viewUser"])) {
-            echo "<div id='viewAsBar'>";
-            echo "<span>You are accessing the web portal as the user <strong>" .
-            $_SESSION["viewUser"] . "</strong></span>";
-            echo
-            "<form method='POST' action=''>
-      <input type='hidden' name='form_name' value='clearView'>
-      <input type='hidden' name='uid' value='" . $_SESSION["viewUser"] . "'>
-      <input type='submit' value='Return to My User'>
-      </form>";
-            echo "</div>";
-        }
+    if (isset($_SESSION["is_admin"])
+        && $_SESSION["is_admin"]
+        && isset($_SESSION["viewUser"])
+    ) {
+        $viewUser = $_SESSION["viewUser"];
+        echo "
+          <div id='viewAsBar'>
+            <span>You are accessing the web portal as the user <strong>$viewUser</strong></span>
+            <form method='POST' action=''>
+              <input type='hidden' name='form_name' value='clearView'>
+              <input type='hidden' name='uid' value='$viewUser'>
+              <input type='submit' value='Return to My User'>
+            </form>
+          </div>
+        ";
     }
-    ?>
+    ?>

test/assert-no-die-exit.bash

@@ -0,0 +1,28 @@
+#!/bin/bash
+set -euo pipefail
+if [[ $# -lt 1 ]]; then
+    echo "at least one argument required"
+    exit 1
+fi
+
+rc=0
+
+# --color=never because magit git output log doesn't support it
+die_occurrences="$(
+    grep -H --color=never --line-number -P '\bdie\s*[\(;]' "$@" | grep -v -P 'UnitySite::die'
+)" || true
+if [ -n "$die_occurrences" ]; then
+    echo "die is not allowed! use UnitySite::die() instead."
+    echo "$die_occurrences"
+    rc=1
+fi
+
+# --color=never because magit git output log doesn't support it
+exit_occurrences="$(grep -H --color=never --line-number -P '\bexit\s*[\(;]' "$@")" || true
+if [ -n "$exit_occurrences" ]; then
+    echo "exit is not allowed! use UnitySite::die() instead."
+    echo "$exit_occurrences"
+    rc=1
+fi
+
+exit "$rc"

test/functional/AccountDeletionRequestTest.php

@@ -38,12 +38,12 @@ public function testRequestAccountDeletionUserHasNoGroups()
         $this->assertEmpty($USER->getGroups());
         $this->assertNumberAccountDeletionRequests(0);
         try {
-            post(
+            http_post(
                 __DIR__ . "/../../webroot/panel/account.php",
                 ["form_type" => "account_deletion_request"]
             );
             $this->assertNumberAccountDeletionRequests(1);
-            post(
+            http_post(
                 __DIR__ . "/../../webroot/panel/account.php",
                 ["form_type" => "account_deletion_request"]
             );
@@ -62,7 +62,7 @@ public function testRequestAccountDeletionUserHasGroup()
         $this->assertNotEmpty($USER->getGroups());
         $this->assertNumberAccountDeletionRequests(0);
         try {
-            post(
+            http_post(
                 __DIR__ . "/../../webroot/panel/account.php",
                 ["form_type" => "account_deletion_request"]
             );

test/functional/LoginShellSetTest.php

@@ -44,7 +44,7 @@ public function testSetLoginShell(string $shell): void
         if (!$this->isShellValid($shell)) {
             $this->expectException("Exception");
         }
-        post(
+        http_post(
             __DIR__ . "/../../webroot/panel/account.php",
             ["form_type" => "loginshell", "shellSelect" => $shell]
         );

test/functional/PiBecomeRequestTest.php

@@ -38,12 +38,12 @@ public function testRequestBecomePi()
         $this->assertFalse($USER->isPI());
         $this->assertNumberPiBecomeRequests(0);
         try {
-            post(
+            http_post(
                 __DIR__ . "/../../webroot/panel/account.php",
                 ["form_type" => "pi_request"]
             );
             $this->assertNumberPiBecomeRequests(1);
-            post(
+            http_post(
                 __DIR__ . "/../../webroot/panel/account.php",
                 ["form_type" => "pi_request"]
             );
@@ -61,7 +61,7 @@ public function testRequestBecomePiUserRequestedAccountDeletion()
         $this->assertNumberPiBecomeRequests(0);
         $this->assertTrue($SQL->accDeletionRequestExists($USER->getUID()));
         try {
-            post(
+            http_post(
                 __DIR__ . "/../../webroot/panel/account.php",
                 ["form_type" => "pi_request"]
             );

test/functional/SSHKeyAddTest.php

@@ -9,7 +9,7 @@ class SSHKeyAddTest extends TestCase
 {
     private function addSshKeysPaste(array $keys): void {
         foreach ($keys as $key) {
-            post(
+            http_post(
                 __DIR__ . "/../../webroot/panel/account.php",
                 [
                     "form_type" => "addKey",
@@ -27,7 +27,7 @@ private function addSshKeysImport(array $keys): void {
             fwrite($tmp, $key);
             $_FILES["keyfile"] = ["tmp_name" => $tmp_path];
             try {
-                post(
+                http_post(
                     __DIR__ . "/../../webroot/panel/account.php",
                     ["form_type" => "addKey", "add_type" => "import"]
                 );
@@ -40,7 +40,7 @@ private function addSshKeysImport(array $keys): void {
 
     private function addSshKeysGenerate(array $keys): void {
         foreach ($keys as $key) {
-            post(
+            http_post(
                 __DIR__ . "/../../webroot/panel/account.php",
                 [
                     "form_type" => "addKey",
@@ -57,7 +57,7 @@ private function addSshKeysGithub(array $keys): void {
         $GITHUB = $this->createMock(UnityGithub::class);
         $GITHUB->method("getSshPublicKeys")->willReturn($keys);
         try {
-            post(
+            http_post(
                 __DIR__ . "/../../webroot/panel/account.php",
                 [
                     "form_type" => "addKey",

test/functional/SSHKeyDeleteTest.php

@@ -13,7 +13,7 @@ public static function setUpBeforeClass(): void{
     }
 
     private function deleteKey(string $index): void {
-        post(
+        http_post(
             __DIR__ . "/../../webroot/panel/account.php",
             ["form_type" => "delKey", "delIndex" => $index]
         );

test/functional/ViewAsUserTest.php

@@ -0,0 +1,83 @@
+<?php
+
+use UnityWebPortal\lib\UnitySite;
+use UnityWebPortal\lib\exceptions\PhpUnitNoDieException;
+use PHPUnit\Framework\TestCase;
+
+class ViewAsUserTest extends TestCase
+{
+    public function _testViewAsUser(array $beforeUser, array $afterUser)
+    {
+        global $USER;
+        switchUser(...$afterUser);
+        $afterUid = $USER->getUID();
+        switchUser(...$beforeUser);
+        // $this->assertTrue($USER->isAdmin());
+        $beforeUid = $USER->getUID();
+        // $this->assertNotEquals($afterUid, $beforeUid);
+        try {
+            http_post(
+                __DIR__ . "/../../webroot/admin/user-mgmt.php",
+                [
+                    "form_name" => "viewAsUser",
+                    "uid" => $afterUid,
+                ],
+            );
+        } catch (PhpUnitNoDieException) {}
+        $this->assertArrayHasKey("viewUser", $_SESSION);
+        // redirect means that php process dies and user's browser will initiate a new one
+        // this makes `require_once autoload.php` run again and init.php changes $USER
+        session_write_close();
+        http_get(__DIR__ . "/../../resources/init.php");
+        // now we should be new user
+        $this->assertEquals($afterUid, $USER->getUID());
+        // $this->assertTrue($_SESSION["user_exists"]);
+        try {
+            http_post(
+                __DIR__ . "/../../resources/templates/header.php",
+                ["form_name" => "clearView"],
+            );
+        } catch (PhpUnitNoDieException) {}
+        $this->assertArrayNotHasKey("viewUser", $_SESSION);
+        // redirect means that php process dies and user's browser will initiate a new one
+        // this makes `require_once autoload.php` run again and init.php changes $USER
+        session_write_close();
+        http_get(__DIR__ . "/../../resources/init.php");
+        // now we should be back to original user
+        $this->assertEquals($beforeUid, $USER->getUID());
+    }
+
+    public function testViewAsUser()
+    {
+        $this->_testViewAsUser(getAdminUser(), getNormalUser());
+    }
+
+    public function testViewAsNonExistentUser()
+    {
+        $this->_testViewAsUser(getAdminUser(), getNonExistentUser());
+    }
+
+    public function testViewAsSelf()
+    {
+        $this->_testViewAsUser(getAdminUser(), getAdminUser());
+    }
+
+    public function testNonAdminViewAsAdmin()
+    {
+        global $USER;
+        switchUser(...getAdminUser());
+        $adminUid = $USER->getUID();
+        $this->assertTrue($USER->isAdmin());
+        switchUser(...getNormalUser());
+        try {
+            http_post(
+                __DIR__ . "/../../webroot/admin/user-mgmt.php",
+                [
+                    "form_name" => "viewAsUser",
+                    "uid" => $adminUid,
+                ],
+            );
+        } catch (PhpUnitNoDieException) {}
+        $this->assertArrayNotHasKey("viewUser", $_SESSION);
+    }
+}