WIP

core/config.class.inc.php

@@ -1738,6 +1738,14 @@ class Config
 			'source_of_value'     => '',
 			'show_in_conf_sample' => false,
 		],
+		'security.force_login_when_no_execution_policy' => [
+			'type'                => 'bool',
+			'description'         => 'If true, when no execution policy is defined, the user will be forced to log in (instead of being automatically logged in with the default profile)',
+			'default'             => false,
+			'value'               => false,
+			'source_of_value'     => '',
+			'show_in_conf_sample' => true,
+		],
 		'behind_reverse_proxy' => [
 			'type' => 'bool',
 			'description' => 'If true, then proxies custom header (X-Forwarded-*) are taken into account. Use only if the webserver is not publicly accessible (reachable only by the reverse proxy)',

pages/exec.php

@@ -97,4 +97,31 @@ if ($sTargetPage === false) {
 //
 // GO!
 //
+// check module white list
+// check conf param
+// force login if needed
+require_once(APPROOT.'/application/startup.inc.php');
+
+$aModuleDelegatedExecutionPolicy = GetModuleDelegatedExecutionPolicy($sModule);
+if (is_null($aModuleDelegatedExecutionPolicy) || !in_array($sPage, $aModuleDelegatedExecutionPolicy)) {
+	$bForceLoginWhenNoExecutionPolicy = MetaModel::GetConfig()->Get('security.force_login_when_no_execution_policy');
+	// TODO in N°9343 : remove the conf and this 'if' condition to perform login by default when no execution policy is defined
+	if ($bForceLoginWhenNoExecutionPolicy) {
+		LoginWebPage::DoLoginEx();
+	}
+}
+if (is_array($aModuleDelegatedExecutionPolicy) && !in_array($sPage, $aModuleDelegatedExecutionPolicy)) {
+	// if module defined a delegated execution policy but not for the current page, we consider that the page is not allowed to be executed without login
+	LoginWebPage::DoLoginEx();
+}
+
 require_once($sTargetPage);
+
+function GetModuleDelegatedExecutionPolicy(string $sModuleName): ?array
+{
+	$sModuleFile =  APPROOT.'/env-'.utils::GetCurrentEnvironment().'/'.$sModuleName.'/module.'.$sModuleName.'.php';
+
+	$oExtensionMap = new iTopExtensionsMap();
+	$aModuleParam = $oExtensionMap->GetModuleInfo($sModuleFile)[2];
+	return $aModuleParam['execution_policy'] ?? null;
+}

setup/extensionsmap.class.inc.php

@@ -390,7 +390,7 @@ class iTopExtensionsMap
 	 * @param string $sModuleFile
 	 * @return array
 	 */
-	protected function GetModuleInfo($sModuleFile)
+	public function GetModuleInfo($sModuleFile)
 	{
 		static $iDummyClassIndex = 0;
 

tests/php-unit-tests/integration-tests/login-tests/LoginWebPageTest.php

@@ -0,0 +1,158 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Combodo\iTop\Test\UnitTest\Application;
+
+use Combodo\iTop\Test\UnitTest\ItopDataTestCase;
+use Exception;
+use MetaModel;
+
+class LoginWebPageTest extends ItopDataTestCase
+{
+	public const USE_TRANSACTION = false;
+
+	public const PASSWORD = 'a209320P!ù;ralùqpi,pàcqi"nr';
+
+	public function setUp(): void
+	{
+		parent::setUp();
+		$this->BackupConfiguration();
+		$sFolderPath = APPROOT.'env-production/extension-with-execution-policy';
+		if (file_exists($sFolderPath)) {
+			throw new Exception("Folder $sFolderPath already exists, please remove it before running the test");
+		}
+		mkdir($sFolderPath);
+		$this->RecurseCopy(__DIR__.'/extension-with-execution-policy', $sFolderPath);
+
+		$sFolderPath = APPROOT.'env-production/extension-without-execution-policy';
+		if (file_exists($sFolderPath)) {
+			throw new Exception("Folder $sFolderPath already exists, please remove it before running the test");
+		}
+		mkdir($sFolderPath);
+		$this->RecurseCopy(__DIR__.'/extension-without-execution-policy', $sFolderPath);
+	}
+	public function tearDown(): void
+	{
+		parent::tearDown();
+		$sFolderPath = APPROOT.'env-production/extension-with-execution-policy';
+		if (file_exists($sFolderPath)) {
+			$this->RecurseRmdir($sFolderPath);
+		} else {
+			throw new Exception("Folder $sFolderPath does not exist, it should have been created in setUp");
+		}
+		$sFolderPath = APPROOT.'env-production/extension-without-execution-policy';
+		if (file_exists($sFolderPath)) {
+			$this->RecurseRmdir($sFolderPath);
+		} else {
+			throw new Exception("Folder $sFolderPath does not exist, it should have been created in setUp");
+		}
+	}
+
+	protected function GivenConfigFileAllowedLoginTypes($aAllowedLoginTypes): void
+	{
+		@chmod(MetaModel::GetConfig()->GetLoadedFile(), 0770);
+		MetaModel::GetConfig()->SetAllowedLoginTypes($aAllowedLoginTypes);
+		MetaModel::GetConfig()->WriteToFile();
+		@chmod(MetaModel::GetConfig()->GetLoadedFile(), 0444);
+	}
+
+	/**
+	 *
+	 * @throws \Exception
+	 */
+	public function testInExecutionPolicyFile()
+	{
+		// generate random login
+		$sUserLogin = 'user-'.date('YmdHis');
+		$this->CreateUser($sUserLogin, self::$aURP_Profiles['Administrator'], self::PASSWORD);
+		$this->GivenConfigFileAllowedLoginTypes(explode('|', 'form'));
+
+		$sPageContent = $this->CallItopUri(
+			"pages/exec.php?exec_module=extension-with-execution-policy&exec_page=src/Controller/CheckAnything.php",
+			[
+				'auth_user' => $sUserLogin,
+				'auth_pwd' => self::PASSWORD,
+			],
+			[],
+			true
+		);
+
+		$this->assertStringNotContainsString('<title>iTop login</title>', $sPageContent); // in execution policy file (in the module), login should not be proposed, file handle its own policy
+	}
+
+	public function testNotInExecutionPolicyFileWithForceLoginConf()
+	{
+		MetaModel::GetConfig()->Set('security.force_login_when_no_execution_policy', true);
+
+		$sPageContent = $this->CallItopUri(
+			"pages/exec.php?exec_module=extension-with-execution-policy&exec_page=src/Controller/AnotherFile.php",
+		);
+
+		$this->assertStringContainsString('<title>iTop login</title>', $sPageContent); // if itop is configured to force login when no execution policy, then login should be proposed since file is not in execution policy file
+	}
+
+	public function testNotInExecutionPolicyFileWithoutForceLoginConf()
+	{
+		$sPageContent = $this->CallItopUri(
+			"pages/exec.php?exec_module=extension-without-execution-policy&exec_page=src/Controller/AnotherFile.php",
+			[],
+			[],
+			true
+		);
+
+		$this->assertStringNotContainsString('<title>iTop login</title>', $sPageContent); // by default (until N°9343) if no execution policy is defined, login is not forced
+	}
+
+	public function testNotInExecutionPolicyFileWithoutForceLoginConfButWithExecutionPolicy()
+	{
+		$sPageContent = $this->CallItopUri(
+			"pages/exec.php?exec_module=extension-with-execution-policy&exec_page=src/Controller/AnotherFile.php",
+			[],
+			[],
+			true
+		);
+
+		$this->assertStringContainsString('<title>iTop login</title>', $sPageContent); // Since an execution policy is defined and AnotherFile.php isn't in it, login should be proposed
+	}
+
+	/**
+	 * @dataProvider InExecutionPolicyFileWithAdminRequiredProvider
+	 *
+	 * @throws \Exception
+	 */
+	public function testInExecutionPolicyFileWithAdminRequired($iProfileId, $ForbiddenPageShouldBeDisplayed)
+	{
+		// generate random login
+		$sUserLogin = 'user-'.date('YmdHis');
+		$this->CreateUser($sUserLogin, $iProfileId, self::PASSWORD);
+		$this->GivenConfigFileAllowedLoginTypes(explode('|', 'form'));
+
+		$sPageContent = $this->CallItopUri(
+			"pages/exec.php?exec_module=extension-with-execution-policy&exec_page=src/Controller/CheckAnythingButAdminRequired.php",
+			[
+				'auth_user' => $sUserLogin,
+				'auth_pwd' => self::PASSWORD,
+			],
+			[],
+			true
+		);
+		$ForbiddenPageShouldBeDisplayed ?
+			$this->assertStringContainsString('Yo !', $sPageContent) :
+			$this->assertStringNotContainsString('<title>Access restricted to people having administrator privileges</title>', $sPageContent); // in execution policy file (in the module), login should not be proposed, file handle its own policy
+	}
+
+	public function InExecutionPolicyFileWithAdminRequiredProvider()
+	{
+		return [
+			'Administrator profile' => [
+				self::$aURP_Profiles['Administrator'],
+				true,
+			],
+			'ReadOnly profile' => [
+				self::$aURP_Profiles['Service Desk Agent'],
+				false,
+			],
+		];
+	}
+}

tests/php-unit-tests/integration-tests/login-tests/extension-with-execution-policy/module.extension-with-execution-policy.php

@@ -0,0 +1,51 @@
+<?php
+
+SetupWebPage::AddModule(
+	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
+	'extension-with-execution-policy/0.0.1',
+	[
+		// Identification
+		//
+		'label'                => 'Templates foundation',
+		'category'             => 'business',
+
+		// Setup
+		//
+		'dependencies'         => [],
+		'mandatory'            => true,
+		'visible'              => false,
+		'installer'            => 'TemplatesBaseInstaller',
+
+		// Security
+		'execution_policy' => [
+			'src/Controller/CheckAnything.php',
+			'src/Controller/CheckAnythingButAdminRequired.php',
+		],
+
+		// Components
+		//
+		'datamodel'            => [
+			'model.templates-base.php',
+		],
+		'webservice'           => [],
+		'data.struct'          => [// add your 'structure' definition XML files here,
+		],
+		'data.sample'          => [// add your sample data XML files here,
+		],
+
+		// Documentation
+		//
+		'doc.manual_setup'     => '', // hyperlink to manual setup documentation, if any
+		'doc.more_information' => '', // hyperlink to more information, if any
+
+		// Default settings
+		//
+		'settings'             => [
+			// Select where, in the main UI, the extra data should be displayed:
+			//     tab (dedicated tab)
+			//     properties (right after the properties, but before the log if any)
+			//     none (extra data accessed only by programs)
+			'view_extra_data' => 'relations',
+		],
+	]
+);

tests/php-unit-tests/integration-tests/login-tests/extension-with-execution-policy/src/Controller/AnotherFile.php

@@ -0,0 +1,3 @@
+<?php
+
+echo 'Yo !';

tests/php-unit-tests/integration-tests/login-tests/extension-with-execution-policy/src/Controller/CheckAnything.php

@@ -0,0 +1,3 @@
+<?php
+
+echo 'Yo !';

tests/php-unit-tests/integration-tests/login-tests/extension-with-execution-policy/src/Controller/CheckAnythingButAdminRequired.php

@@ -0,0 +1,5 @@
+<?php
+
+LoginWebPage::DoLogin(true);
+
+echo 'Yo !';

tests/php-unit-tests/integration-tests/login-tests/extension-without-execution-policy/module.extension-without-execution-policy.php

@@ -0,0 +1,45 @@
+<?php
+
+SetupWebPage::AddModule(
+	__FILE__, // Path to the current file, all other file names are relative to the directory containing this file
+	'extension-without-execution-policy/0.0.1',
+	[
+		// Identification
+		//
+		'label'                => 'Templates foundation',
+		'category'             => 'business',
+
+		// Setup
+		//
+		'dependencies'         => [],
+		'mandatory'            => true,
+		'visible'              => false,
+		'installer'            => 'TemplatesBaseInstaller',
+
+		// Components
+		//
+		'datamodel'            => [
+			'model.templates-base.php',
+		],
+		'webservice'           => [],
+		'data.struct'          => [// add your 'structure' definition XML files here,
+		],
+		'data.sample'          => [// add your sample data XML files here,
+		],
+
+		// Documentation
+		//
+		'doc.manual_setup'     => '', // hyperlink to manual setup documentation, if any
+		'doc.more_information' => '', // hyperlink to more information, if any
+
+		// Default settings
+		//
+		'settings'             => [
+			// Select where, in the main UI, the extra data should be displayed:
+			//     tab (dedicated tab)
+			//     properties (right after the properties, but before the log if any)
+			//     none (extra data accessed only by programs)
+			'view_extra_data' => 'relations',
+		],
+	]
+);

tests/php-unit-tests/integration-tests/login-tests/extension-without-execution-policy/src/Controller/AnotherFile.php

@@ -0,0 +1,3 @@
+<?php
+
+echo 'Yo !';

tests/php-unit-tests/integration-tests/login-tests/extension-without-execution-policy/src/Controller/CheckAnything.php

@@ -0,0 +1,3 @@
+<?php
+
+echo 'Yo !';