Merge pull request from GHSA-wmwf-49vv-p3mr
* Fix AuthenticationHandler return inner exception message

* Add functional test case for AuthenticationHandlerTest

* Sync security bundle and sulu skeleton security config

* Remove no longer used LoginControllerTest via form_login

* Add test for success and fail login
alexander-schranz committed Aug 3, 2023
1 parent 7c58c06 commit 5f6c98b
Showing 5 changed files with 95 additions and 38 deletions.
5 changes: 2 additions & 3 deletions config/packages/security.yaml
Expand Up @@ -20,14 +20,13 @@ security:
- { path: ^/admin/reset, roles: PUBLIC_ACCESS }
- { path: ^/admin/security/reset, roles: PUBLIC_ACCESS }
- { path: ^/admin/login$, roles: PUBLIC_ACCESS }
- { path: ^/admin/2fa, roles: PUBLIC_ACCESS }
- { path: ^/admin/_wdt, roles: PUBLIC_ACCESS }
- { path: ^/admin/_profiler, roles: PUBLIC_ACCESS }
- { path: ^/admin/translations, roles: PUBLIC_ACCESS }
- { path: ^/admin$, roles: PUBLIC_ACCESS }
- { path: ^/admin/$, roles: PUBLIC_ACCESS }
- { path: ^/admin/p/, roles: PUBLIC_ACCESS }
- { path: ^/admin/logout, role: PUBLIC_ACCESS }
- { path: ^/admin/_profiler, role: PUBLIC_ACCESS }
- { path: ^/admin/2fa, role: PUBLIC_ACCESS }
- { path: ^/admin, roles: ROLE_USER }

firewalls:
Expand Up @@ -104,7 +104,7 @@ public function onAuthenticationFailure(Request $request, AuthenticationExceptio
{
if ($request->isXmlHttpRequest()) {
// if AJAX login
$array = ['message' => $exception->getMessage()];
$array = ['message' => $exception->getMessageKey()];
$response = new JsonResponse($array, 401);
} else {
// if form login
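Review bot: The added `getMessageKey()` line carries no comment saying why `getMessage()` must not come back, so a later "improvement" could silently reintroduce the old behaviour; suggest `// getMessageKey() is the user-safe message; getMessage() may carry internal details that differ between existing and unknown users, so it must never reach the client.` Note that for a CustomUserMessageAuthenticationException the key is whatever the throwing code supplied, so the "same response for any username" property depends on every authenticator and user checker in the firewall, not on this handler alone; the new functional test pins only the unknown-user and wrong-password cases. Symfony message keys are meant to pass through the translator's security domain, and the handler returns the raw key untranslated, which is acceptable but worth stating in that comment. onAuthenticationFailure begins and ends outside the hunk, so the form-login branch is not visible here.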
15 changes: 10 additions & 5 deletions src/Sulu/Bundle/SecurityBundle/Tests/Application/config/config.yml
Expand Up @@ -8,22 +8,27 @@ security:
access_control:
- { path: ^/admin/reset, roles: PUBLIC_ACCESS }
- { path: ^/admin/security/reset, roles: PUBLIC_ACCESS }
- { path: ^/admin/login, roles: PUBLIC_ACCESS }
- { path: ^/admin/2fa, role: PUBLIC_ACCESS }
- { path: ^/admin/login$, roles: PUBLIC_ACCESS }
- { path: ^/admin/2fa, roles: PUBLIC_ACCESS }
- { path: ^/admin/_wdt, roles: PUBLIC_ACCESS }
- { path: ^/admin/_profiler, roles: PUBLIC_ACCESS }
- { path: ^/admin/translations, roles: PUBLIC_ACCESS }
- { path: ^/admin$, roles: PUBLIC_ACCESS }
- { path: ^/admin/$, roles: PUBLIC_ACCESS }
- { path: ^/admin/p/, roles: PUBLIC_ACCESS }
- { path: ^/admin, roles: ROLE_USER }

firewalls:
test:
pattern: ^/
lazy: true
entry_point: sulu_security.authentication_entry_point
form_login:
json_login:
check_path: sulu_admin.login_check
success_handler: sulu_security.authentication_handler
failure_handler: sulu_security.authentication_handler
logout:
path: /admin/logout
target: /admin/
path: sulu_admin.logout
two_factor:
prepare_on_login: true
prepare_on_access_denied: true
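Review bot: With `form_login` replaced by `json_login` in the test firewall, and LoginControllerTest removed per the description, the non-XHR branch of AuthenticationHandler::onAuthenticationFailure appears to have no functional test left in this bundle; if the skeleton firewall still offers form login, that branch can now diverge from the JSON one without a test noticing. A second test firewall (or a dedicated config) exercising form login with the same handler would keep both branches under the same "identical failure response" assertion. This is inferred from the visible config only; the firewall block continues past the hunk.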

This file was deleted.

@@ -0,0 +1,82 @@
<?php

/*
* This file is part of Sulu.
*
* (c) Sulu GmbH
*
* This source file is subject to the MIT license that is bundled
* with this source code in the file LICENSE.
*/

namespace Sulu\Bundle\SecurityBundle\Tests\Functional\Security;

use Sulu\Bundle\TestBundle\Testing\SuluTestCase;

class AuthenticationHandlerTest extends SuluTestCase
{
public function testLoginFail(): void
{
$client = $this->createClient([], [
'CONTENT_TYPE' => 'application/json',
'HTTP_ACCEPT' => 'application/json',
'HTTP_X-Requested-With' => 'XMLHttpRequest',
]);

$client->request('POST', '/admin/login', [], [], [], '{"username": "not-existing-user", "password": "wrong"}');

$response = $client->getResponse();
$this->assertHttpStatusCode(401, $response);
$notExistUserContent = $response->getContent();

$this->assertSame('{"message":"Invalid credentials."}', $notExistUserContent);
}

public function testLoginSuccess(): void
{
$client = $this->createClient([], [
'CONTENT_TYPE' => 'application/json',
'HTTP_ACCEPT' => 'application/json',
'HTTP_X-Requested-With' => 'XMLHttpRequest',
]);

$testUser = $this->getTestUser();

$client->request('POST', '/admin/login', [], [], [], '{"username": "' . $testUser->getUsername() . '", "password": "test"}');

$response = $client->getResponse();
$this->assertHttpStatusCode(200, $response);
$notExistUserContent = $response->getContent();

$this->assertSame(
'{"url":"\/admin\/","username":"test","completed":true,"twoFactorMethods":["trusted_devices"]}',
$notExistUserContent
);
}

public function testLoginFailExistUserHasSameMessageAsNotExist(): void
{
$client = $this->createClient([], [
'CONTENT_TYPE' => 'application/json',
'HTTP_ACCEPT' => 'application/json',
'HTTP_X-Requested-With' => 'XMLHttpRequest',
]);

$testUser = $this->getTestUser();

$client->request('POST', '/admin/login', [], [], [], '{"username": "not-existing-user", "password": "wrong"}');

$response = $client->getResponse();
$this->assertHttpStatusCode(401, $response);
$notExistUserContent = $response->getContent();

$client->request('POST', '/admin/login', [], [], [], '{"username": "' . $testUser->getUsername() . '", "password": "wrong"}');

$response = $client->getResponse();
$this->assertHttpStatusCode(401, $response);
$existUserContent = $response->getContent();

$this->assertSame($notExistUserContent, $existUserContent);
$this->assertSame('{"message":"Invalid credentials."}', $notExistUserContent);
}
}
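Review bot: In testLoginSuccess the response body is stored in `$notExistUserContent`, a name copied from the failure test that no longer describes the value; rename it, e.g. `$successContent = $response->getContent();` and use it in the assertSame. The expected success body hard-codes `"username":"test"` while the request uses `$testUser->getUsername()`, so the two can drift apart; build the expectation from the same value, e.g. `'{"url":"\/admin\/","username":"' . $testUser->getUsername() . '","completed":true,"twoFactorMethods":["trusted_devices"]}'`. The class also lacks a docblock stating its purpose; suggest `/** Functional tests for AuthenticationHandler: failure responses must be identical for existing and unknown usernames, and must carry only the message key. */` so the third test is recognisable as a regression test rather than a duplicate of testLoginFail.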
