From 2f2e440eaa8bbd4583afabeba7a682cd225c3b09 Mon Sep 17 00:00:00 2001 From: Andreas Heigl Date: Wed, 6 Mar 2024 04:11:41 +0100 Subject: [PATCH 1/7] Add test to verify issue #250 When users change their groups in LDAP that is not followed up in WordPress. THis newly added test verifies that. Next up is fixing this problem --- .github/workflows/behat.yml | 2 +- features/bootstrap/FeatureContext.php | 21 +++++++++++++++++- .../log in using no groups at all.feature | 22 +++++++++++++++++++ 3 files changed, 43 insertions(+), 2 deletions(-) diff --git a/.github/workflows/behat.yml b/.github/workflows/behat.yml index eef5a87..f670992 100644 --- a/.github/workflows/behat.yml +++ b/.github/workflows/behat.yml @@ -48,7 +48,7 @@ jobs: - name: install tools run: | mkdir -p tools - curl -o tools/behat https://github.com/Behat/Behat/releases/download/v3.13.0/behat.phar + curl -Lo tools/behat https://github.com/Behat/Behat/releases/download/v3.13.0/behat.phar chmod 755 tools/behat - name: run behat run: docker compose exec wp bash -c "cd wp-content/plugins/authldap && ./tools/behat" diff --git a/features/bootstrap/FeatureContext.php b/features/bootstrap/FeatureContext.php index 1e495b2..a2d109c 100644 --- a/features/bootstrap/FeatureContext.php +++ b/features/bootstrap/FeatureContext.php 
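Review bot: The `curl -Lo tools/behat …behat.phar` line still executes a downloaded phar with no integrity check, so the job trusts whatever the release URL returns; adding `-L` only makes the redirect work. Pin the expected digest next to the URL and verify it before the `chmod`, e.g. insert `echo "<EXPECTED_SHA256_PLACEHOLDER>  tools/behat" | sha256sum -c -` between the `curl` and `chmod 755 tools/behat` lines, and pass `--fail` to curl so an HTTP error body is not saved as the phar. The `run:` block is shown in full; the surrounding job definition is outside the hunk.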
@@ -284,6 +284,25 @@ public function theWordpressUserIsNotMemberOfRole($arg1, $arg2) return trim($item); }, explode(',', $user['roles'])); Assert::false(in_array($arg2, $roles)); - } + + /** + * @Given LDAP user :arg1 is not member of LDAP group :arg2 + */ + public function ldapUserIsNotMemberOfLdapGroup($arg1, $arg2) + { + exec(sprintf( + 'ldapmodify -x -H %1$s -D "%2$s" -w %3$s 2>&1 < Date: Fri, 17 May 2024 14:58:51 +0200 Subject: [PATCH 2/7] Fix group-assignment in certain conditions When the LDAP-group assignements change between logins and the admin has set the LDAP-roles to overwrite the wordpress-roles, then the LDAP-Roles now actually overwrite the WordPress roles. --- authLdap.php | 10 +++++----- features/log in using no groups at all.feature | 3 +-- wordpress/info.php | 1 + 3 files changed, 7 insertions(+), 7 deletions(-) create mode 100644 wordpress/info.php diff --git a/authLdap.php b/authLdap.php index d8d3044..178fc4f 100644 --- a/authLdap.php +++ b/authLdap.php @@ -255,8 +255,8 @@ function authLdap_login($user, $username, $password, $already_md5 = false) $authLDAPUidAttr = authLdap_get_option('UidAttr'); $authLDAPWebAttr = authLdap_get_option('WebAttr'); $authLDAPDefaultRole = authLdap_get_option('DefaultRole'); - $authLDAPGroupEnable = authLdap_get_option('GroupEnable'); - $authLDAPGroupOverUser = authLdap_get_option('GroupOverUser'); + $authLDAPGroupEnable = filter_var(authLdap_get_option('GroupEnable'), FILTER_VALIDATE_BOOLEAN); + $authLDAPGroupOverUser = filter_var(authLdap_get_option('GroupOverUser'), FILTER_VALIDATE_BOOLEAN); $authLDAPUseUserAccount = authLdap_get_option('UserRead'); if (!$username) { 
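Review bot: `filter_var(..., FILTER_VALIDATE_BOOLEAN)` on the two `+` lines returns `false` for any value it does not recognise, so a malformed or unexpected stored `GroupEnable` option silently disables LDAP group mapping instead of surfacing a misconfiguration. If that fallback is intended, record it: `// unrecognised option values are treated as false (group mapping disabled)`; otherwise add `FILTER_NULL_ON_FAILURE` and handle `null` explicitly. The `UserRead` option on the following context line is still read raw, so the three flags are no longer normalised the same way. authLdap_login's body continues outside the hunk.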
@@ -373,7 +373,7 @@ function authLdap_login($user, $username, $password, $already_md5 = false) // we only need this if either LDAP groups are disabled or // if the WordPress role of the user overrides LDAP groups - if (!$authLDAPGroupEnable || $authLDAPGroupOverUser) { + if ($authLDAPGroupEnable === false || $authLDAPGroupOverUser === false) { $userRoles = authLdap_user_role($uid); if ($userRoles !== []) { $roles = array_merge($roles, $userRoles); @@ -383,8 +383,8 @@ function authLdap_login($user, $username, $password, $already_md5 = false) } // do LDAP group mapping if needed - // (if LDAP groups override worpress user role, $role is still empty) - if (empty($roles) && $authLDAPGroupEnable) { + // (if LDAP groups override wordpress user role, $role is still empty) + if ((empty($roles) || $authLDAPGroupOverUser === true) && $authLDAPGroupEnable === true) { $mappedRoles = authLdap_groupmap($realuid, $dn); if ($mappedRoles !== []) { $roles = $mappedRoles; diff --git a/features/log in using no groups at all.feature b/features/log in using no groups at all.feature index b469f13..1d2e0da 100644 --- a/features/log in using no groups at all.feature +++ b/features/log in using no groups at all.feature @@ -69,7 +69,7 @@ Feature: Log in without group assignment And configuration value "Groups" is set to "administrator=ldapgroup1" and "editor=ldapgroup2" And configuration value "GroupAttr" is set to "cn" And configuration value "GroupFilter" is set to "uniquemember=%dn%" - And configuration value "GroupOverUser" is set to "false" + And configuration value "GroupOverUser" is set to "true" And an LDAP user "ldapuser" with name "LDAP User", password "P@ssw0rd" and email "ldapuser@example.com" exists And an LDAP group "ldapgroup1" exists And an LDAP group "ldapgroup2" exists 
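Review bot: The rewritten comment `// (if LDAP groups override wordpress user role, $role is still empty)` on the `+` line of the `@@ -383` hunk no longer matches the condition below it, which now deliberately enters the branch with a non-empty `$roles` whenever `$authLDAPGroupOverUser === true` and then replaces them via `$roles = $mappedRoles`; it should read `// when LDAP groups override the WordPress role, roles collected so far are replaced by the group mapping`. Worth a second look: if `authLdap_groupmap()` returns `[]` (user removed from every mapped group), the replacement does not happen and whatever `$roles` already holds is kept, which looks like the very case issue #250 describes; a feature scenario with GroupOverUser enabled and no remaining LDAP groups would pin the intended result. The handling of that empty case continues outside the hunk.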
@@ -80,6 +80,5 @@ Feature: Log in without group assignment When LDAP user "ldapuser" logs in with password "P@ssw0rd" Then the login suceeds And the WordPress user "ldapuser" is member of role "editor" - And the WordPress user "ldapuser" is member of role "wordpressrole" And the WordPress user "ldapuser" is not member of role "administrator" And the WordPress user "ldapuser" is not member of role "subscriber" diff --git a/wordpress/info.php b/wordpress/info.php new file mode 100644 index 0000000..b3d9bbc --- /dev/null +++ b/wordpress/info.php @@ -0,0 +1 @@ + Date: Fri, 17 May 2024 15:05:59 +0200 Subject: [PATCH 3/7] Add WordPress 6.5 --- .github/workflows/behat.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/behat.yml b/.github/workflows/behat.yml index f670992..0a8628f 100644 --- a/.github/workflows/behat.yml +++ b/.github/workflows/behat.yml @@ -11,8 +11,8 @@ jobs: strategy: fail-fast: false matrix: - php-version: [ '8.0', '8.1', '8.2', '8.3' ] - wordpress-version: ['6.2', '6.3', '6.4'] + php-version: ['8.0', '8.1', '8.2', '8.3'] + wordpress-version: ['6.2', '6.3', '6.4', '6.5''] exclude: - php-version: 8.3 wordpress-version: 6.2 @@ -26,6 +26,8 @@ jobs: wordpress-version: 6.2 - php-version: 8.0 wordpress-version: 6.2 + - php-version: 8.0 + wordpress-version: 6.5 name: Test on PHP ${{ matrix.php-version }}/WordPress ${{ matrix.wordpress-version }} steps: From e318768480ead48dd6474281a72b95f309d08f92 Mon Sep 17 00:00:00 2001 From: Andreas Heigl Date: Fri, 17 May 2024 15:22:15 +0200 Subject: [PATCH 4/7] Update docker command --- .github/workflows/behat.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/behat.yml b/.github/workflows/behat.yml index 0a8628f..428520b 100644 --- a/.github/workflows/behat.yml +++ b/.github/workflows/behat.yml 
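Review bot: `wordpress/info.php` is a new one-line PHP file added to the served WordPress tree, not mentioned in the commit message and not referenced by the changed feature or workflow files; its single `+` line is garbled in this rendering and could not be reviewed. A diagnostic script left under the web root exposes environment details to anyone who can reach the container, so if it was added for local debugging it should be dropped from the commit or kept outside the document root, and if the test stack needs it the commit message should say what it serves.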
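Review bot: The `+ wordpress-version: ['6.2', '6.3', '6.4', '6.5'']` line carries a stray trailing quote, which makes the matrix invalid YAML and fails the workflow before any job starts; it should read `wordpress-version: ['6.2', '6.3', '6.4', '6.5']`. PATCH 5/7 in this series corrects the same line, so that fix belongs squashed into this commit rather than shipped as a follow-up.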
@@ -32,6 +32,10 @@ jobs: name: Test on PHP ${{ matrix.php-version }}/WordPress ${{ matrix.wordpress-version }} steps: - uses: actions/checkout@v1 + - name: Docker Compose Pull + run: docker compose pull + - uses: jpribyl/action-docker-layer-caching@v0.1.1 + continue-on-error: true - name: Build the docker-compose stack run: docker compose build --build-arg PHP_VERSION=${{ matrix.php-version }} --build-arg WORDPRESS_VERSION=${{ matrix.wordpress-version }} wp - name: run the stack From 30ffed4c476430bc5a7b8c7b5189cae3946c4d8f Mon Sep 17 00:00:00 2001 From: Andreas Heigl Date: Sat, 18 May 2024 11:39:29 +0200 Subject: [PATCH 5/7] Improve the health-check So that it will work better on github actions --- .github/workflows/behat.yml | 2 +- docker-compose.yml | 16 ++++++++++------ 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/.github/workflows/behat.yml b/.github/workflows/behat.yml index 428520b..f98aa52 100644 --- a/.github/workflows/behat.yml +++ b/.github/workflows/behat.yml @@ -12,7 +12,7 @@ jobs: fail-fast: false matrix: php-version: ['8.0', '8.1', '8.2', '8.3'] - wordpress-version: ['6.2', '6.3', '6.4', '6.5''] + wordpress-version: ['6.2', '6.3', '6.4', '6.5'] exclude: - php-version: 8.3 wordpress-version: 6.2 diff --git a/docker-compose.yml b/docker-compose.yml index 94bb617..903036f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -21,10 +21,12 @@ services: WORDPRESS_DB_PASSWORD: "wppasswd" WORDPRESS_DEBUG: 0 depends_on: - db: - condition: service_healthy - openldap: - condition: service_healthy + # db: + # condition: service_healthy + # openldap: + # condition: service_healthy + - db + - openldap links: - db @@ -61,7 +63,8 @@ services: healthcheck: test: [ "CMD", "mysqladmin" ,"ping", "-h", "localhost" ] timeout: 1s - retries: 5 + retries: 10 + interval: 2s openldap: image: osixia/openldap:latest 
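Review bot: `- uses: jpribyl/action-docker-layer-caching@v0.1.1` on the `+` lines pulls a third-party action by a mutable tag, so whoever controls that tag controls code running with the job's token and Docker socket; pin it to a full commit SHA and keep the tag as a comment, e.g. `- uses: jpribyl/action-docker-layer-caching@<COMMIT_SHA_PLACEHOLDER> # v0.1.1`. `continue-on-error: true` is fine for a cache step, but without a `name:` a failing or absent cache leaves no readable trace in the job log; give the step a name. The same step is added to `.github/workflows/tests.yml` in PATCH 6/7 and needs the same pinning.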
@@ -81,7 +84,8 @@ services: healthcheck: test: ["CMD", "/usr/bin/ldapsearch", "-H", "ldap://localhost/", "-x", "-s", "base", "-LLL", "+"] timeout: 1s - retries: 5 + retries: 10 + interval: 2s volumes: db_data: From 1b36b91d538887f0ba49b76b7b108a5dc79b82f4 Mon Sep 17 00:00:00 2001 From: Andreas Heigl Date: Sat, 18 May 2024 12:20:00 +0200 Subject: [PATCH 6/7] Only start required containers for test --- .github/workflows/tests.yml | 8 ++++++-- docker-compose.yml | 10 ++++------ 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index bf1f27e..ce6d75e 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -11,12 +11,16 @@ jobs: strategy: matrix: # operating-system: [ubuntu-latest, windows-latest, macos-latest] - php-versions: [ '7.4', '8.0', '8.1', '8.2', '8.3' ] + php-versions: [ '7.4', '8.0', '8.1', '8.2', '8.3', '8.4' ] name: Test on ${{ matrix.php-versions }} steps: - uses: actions/checkout@v1 + - name: Docker Compose Pull + run: docker compose pull + - uses: jpribyl/action-docker-layer-caching@v0.1.1 + continue-on-error: true - name: Build the docker-compose stack - run: docker-compose -f docker-compose.yml up -d + run: docker-compose -f docker-compose.yml up -d db openldap - name: Check running containers run: docker ps -a - name: Check logs diff --git a/docker-compose.yml b/docker-compose.yml index 903036f..198c467 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -21,12 +21,10 @@ services: WORDPRESS_DB_PASSWORD: "wppasswd" WORDPRESS_DEBUG: 0 depends_on: - # db: - # condition: service_healthy - # openldap: - # condition: service_healthy - - db - - openldap + db: + condition: service_healthy + openldap: + condition: service_healthy links: - db From 0ba593221a30b49e87e62fb099f50f4efb278727 Mon Sep 17 00:00:00 2001 
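Review bot: The added `run: docker compose pull` step in the tests.yml hunk uses the Compose v2 CLI plugin, while the `run: docker-compose -f docker-compose.yml up -d db openldap` line it sits next to still calls the standalone v1 binary; on a runner image that ships only one of the two, one of these steps fails, so the hunk should settle on `docker compose` for both lines. The matrix also gains `'8.4'` here while the behat workflow's matrix stops at `'8.3'`; if that is deliberate, a short comment on the `php-versions:` line would save the next reader from aligning them.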
From: Andreas Heigl Date: Sat, 18 May 2024 12:27:10 +0200 Subject: [PATCH 7/7] Fix MySQL8.4 command Since MySQL8.4 the default_authentication_plugin doesn't work any more and needs to be replaced with mysql_native_password as described in https://stackoverflow.com/questions/78445419/unknown-variable-default-authentication-plugin-mysql-native-password --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 198c467..a8b860f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -48,7 +48,7 @@ services: ports: - 3306:3306 # change ip if required command: [ - '--default_authentication_plugin=mysql_native_password', + '--mysql_native_password=ON', '--character-set-server=utf8mb4', '--collation-server=utf8mb4_unicode_ci' ]
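Review bot: The `+ '--mysql_native_password=ON'` line turns on the deprecated native-password plugin, a weaker authentication method than the server's default, and nothing in the file records why; a comment above the `command:` list such as `# MySQL 8.4 removed default_authentication_plugin; the legacy plugin is enabled so the existing WordPress DB user can still authenticate` would stop the next reader from re-introducing the removed variable. The flag is specific to 8.4-era servers and the `image:` line for the `db` service is not in the hunk, so if that image is not pinned to a matching version the server may reject the unknown variable at startup; worth confirming against the service definition above. The `command:` list is shown in full, but the service definition starts outside the hunk.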