Merge pull request #116 from creative-commoners/pulls/4/authenticator…

…-update

SS4 security changes and unit test fixes

.gitattributes

@@ -4,3 +4,4 @@
 /.gitignore export-ignore
 /.travis.yml export-ignore
 /.scrutinizer.yml export-ignore
+/codecov.yml export-ignore

.travis.yml

@@ -1,28 +1,34 @@
-# See https://github.com/silverstripe/silverstripe-travis-support for setup details
-
 language: php
 
-dist: precise
-
-sudo: false
-
-php:
-  - 5.6
-  - 7.0
-  - 7.1
-
 env:
-  - DB=MYSQL CORE_RELEASE=4
+  global:
+    - COMPOSER_ROOT_VERSION="4.0.x-dev"
+
+matrix:
+  include:
+    - php: 5.6
+      env: DB=MYSQL PHPCS_TEST=1 PHPUNIT_TEST=1
+    - php: 7.0
+      env: DB=PGSQL PHPUNIT_TEST=1
+    - php: 7.1
+      env: DB=MYSQL PHPUNIT_COVERAGE_TEST=1
 
 before_install:
   - echo "extension=ldap.so" >> ~/.phpenv/versions/$(phpenv version-name)/etc/php.ini
 
 before_script:
-  - composer self-update || true
   - phpenv rehash
-  - git clone git://github.com/silverstripe/silverstripe-travis-support.git ~/travis-support
-  - php ~/travis-support/travis_setup.php --source `pwd` --target ~/builds/ss
-  - cd ~/builds/ss
+  - phpenv config-rm xdebug.ini
+
+  - composer install --prefer-dist
+  - composer require --prefer-dist --no-update silverstripe/recipe-cms:1.0.x-dev
+  - if [[ $DB == PGSQL ]]; then composer require --prefer-dist --no-update silverstripe/postgresql:2.0.x-dev; fi
+  - composer update
 
 script:
-  - vendor/bin/phpunit activedirectory/tests/
+  - if [[ $PHPUNIT_TEST ]]; then vendor/bin/phpunit tests/; fi
+  - if [[ $PHPUNIT_COVERAGE_TEST ]]; then phpdbg -qrr vendor/bin/phpunit --coverage-clover=coverage.xml; fi
+  - if [[ $PHPCS_TEST ]]; then vendor/bin/phpcs --standard=framework/phpcs.xml.dist src/ tests/ ; fi
+
+after_success:
+  - if [[ $PHPUNIT_COVERAGE_TEST ]]; then bash <(curl -s https://codecov.io/bash) -f coverage.xml; fi

.upgrade.yml

@@ -1,11 +1,10 @@
 mappings:
   LDAPAuthenticator: SilverStripe\ActiveDirectory\Authenticators\LDAPAuthenticator
-  LDAPLoginForm: SilverStripe\ActiveDirectory\Authenticators\LDAPLoginForm
+  LDAPLoginForm: SilverStripe\ActiveDirectory\Forms\LDAPLoginForm
   SAMLAuthenticator: SilverStripe\ActiveDirectory\Authenticators\SAMLAuthenticator
   SAMLLoginForm: SilverStripe\ActiveDirectory\Authenticators\SAMLLoginForm
   SAMLSecurityExtension: SilverStripe\ActiveDirectory\Authenticators\SAMLSecurityExtension
   LDAPDebugController: SilverStripe\ActiveDirectory\Control\LDAPDebugController
-  LDAPSecurityController: SilverStripe\ActiveDirectory\Control\LDAPSecurityController
   SAMLController: SilverStripe\ActiveDirectory\Control\SAMLController
   LDAPGroupExtension: SilverStripe\ActiveDirectory\Extensions\LDAPGroupExtension
   LDAPMemberExtension: SilverStripe\ActiveDirectory\Extensions\LDAPMemberExtension

_config.php

@@ -1,2 +1 @@
 <?php
-

_config/ldap.yml

@@ -3,7 +3,6 @@ Name: ldapconfig
 ---
 SilverStripe\Control\Director:
   rules:
-    'LDAPSecurity': SilverStripe\ActiveDirectory\Control\LDAPSecurityController
     'LDAPDebug': SilverStripe\ActiveDirectory\Control\LDAPDebugController
 
 SilverStripe\Security\Group:

codecov.yml

@@ -0,0 +1 @@
+comment: false

composer.json

@@ -16,16 +16,17 @@
     ],
     "require": {
         "php": ">=5.6",
-        "silverstripe/framework": "^4",
-        "silverstripe/cms": "^4",
-        "silverstripe/queuedjobs": "^4.0@dev",
+        "silverstripe/framework": "^4@dev",
+        "silverstripe/cms": "^4@dev",
+        "symbiote/silverstripe-queuedjobs": "^4@dev",
         "zendframework/zend-ldap": "^2.5.1",
         "zendframework/zend-authentication": "^2.5.1",
         "zendframework/zend-session": "^2.5.1",
         "onelogin/php-saml": "^2.10.7"
     },
     "require-dev": {
-        "phpunit/phpunit": "~5.7"
+        "phpunit/phpunit": "^5.7",
+        "squizlabs/php_codesniffer": "^3.0"
     },
     "extra": {
         "branch-alias": {
@@ -34,7 +35,8 @@
     },
     "autoload": {
         "psr-4": {
-            "SilverStripe\\ActiveDirectory\\": "src/"
+            "SilverStripe\\ActiveDirectory\\": "src/",
+            "SilverStripe\\ActiveDirectory\\Tests\\": "tests/"
         }
     },
     "minimum-stability": "dev",

docs/en/developer.md

@@ -135,33 +135,32 @@ ADFS should now be configured to extract the SP certificate from SilverStripe's
 
 ## Configure SilverStripe Authenticators
 
-To be able to use the SAML or the LDAP authenticator you will need to set them up in the `mysite/_config.php`.
+To be able to use the SAML or the LDAP authenticator you will need to set them up in the `mysite/_config/active-directory.yml`.
 
 You can choose which authenticators you would like to display on the login form.
 
-    // Show the SAML Login button on login form
-    \SilverStripe\Security\Authenticator::register_authenticator(
-        'SilverStripe\\ActiveDirectory\\Authenticators\\SAMLAuthenticator'
-    );
-    // Show the LDAP Login form
-    \SilverStripe\Security\Authenticator::register_authenticator(
-        'SilverStripe\\ActiveDirectory\\Authenticators\\LDAPAuthenticator'
-    );
-
-You can unregister the default authenticator by adding this line:
-
-    \SilverStripe\Security\Authenticator::unregister('SilverStripe\\Security\\MemberAuthenticator');
+### Show the SAML Login button on login form
+```yaml
+SilverStripe\Core\Injector\Injector:
+    SilverStripe\Security\Security:
+      properties:
+          Authenticators:
+            default: %$SilverStripe\ActiveDirectory\Authenticators\SAMLAuthenticator
+```
+### Show the LDAP Login button on login form
+```yaml
+SilverStripe\Core\Injector\Injector:
+    SilverStripe\Security\Security:
+      properties:
+          Authenticators:
+            default: %$SilverStripe\ActiveDirectory\Authenticators\LDAPAuthenticator
+```
 
 To prevent locking yourself out, before you remove the "MemberAuthenticator" make sure you map at least one LDAP group to the SilverStripe `Administrator` Security Group. Consult [CMS usage docs](usage.md) for how to do it.
 
 ### Bypass auto login
 
 If you register the SAMLAuthenticator as the default authenticator, it will automatically send users to the ADFS login server when they are required to login.
-
-    \SilverStripe\Security\Authenticator::set_default_authenticator(
-        'SilverStripe\\ActiveDirectory\\Authenticators\\SAMLAuthenticator'
-    );
-
 Should you need to access the login form with all the configured Authenticators, go to:
 
     /Security/login?showloginform=1
@@ -472,7 +471,7 @@ The fallback authenticator will be used in the following conditions:
 
 If the LDAP bind user that is configured under 'Connect with LDAP' section has permission to write attributes to the AD, it's possible to allow users to update their password via the internet site.
 
-Word of caution, you will potentially open a security hole by exposing an AD user that can write passwords. Normally you would only bind to LDAP via a read-only user. Windows AD stores passwords in a hashed format that is very hard to brute-force. A user with write access can take over an accounts, create objects, delete and have access to all systems that authenticate with AD.
+Word of caution, you will potentially open a security hole by exposing an AD user that can write passwords. Normally you would only bind to LDAP via a read-only user. Windows AD stores passwords in a hashed format that is very hard to brute-force. A user with write access can take over an account, create objects, delete and have access to all systems that authenticate with AD.
 
 If you still need this feature, we recommend that you use a combination of encryption, scheduled password rotation and limit permission for the bind user to minimum required permissions.
 

phpunit.xml.dist

@@ -0,0 +1,16 @@
+<phpunit bootstrap="framework/tests/bootstrap.php" colors="true">
+
+    <testsuite name="Default">
+        <directory>tests</directory>
+    </testsuite>
+
+    <filter>
+        <whitelist addUncoveredFilesFromWhitelist="true">
+            <directory suffix=".php">src/.</directory>
+            <exclude>
+                <directory suffix=".php">tests/</directory>
+            </exclude>
+        </whitelist>
+    </filter>
+
+</phpunit>