add api to bump last login date

Author: simonLeary42

.gitignore

@@ -22,6 +22,9 @@ deployment/**/*
 !deployment/overrides/course-creator/
 !deployment/overrides/course-creator/config/
 !deployment/overrides/course-creator/config/config.ini
+!deployment/overrides/account-portal-docker-web/
+!deployment/overrides/account-portal-docker-web/config/
+!deployment/overrides/account-portal-docker-web/config/config.ini
 !deployment/overrides/account-portal-docker-web-green:8000/
 !deployment/overrides/account-portal-docker-web-green:8000/config/
 !deployment/overrides/account-portal-docker-web-green:8000/config/config.ini

CHANGELOG.md

@@ -34,6 +34,7 @@ For details on the changes in each release, see [the Releases page](https://gith
 - a new location `/lan` needs to be configured in your webserver
   - authorization: only IP addresses in your local area network should be allowed
   - authentication: none
+  - `CGIPassAuth On`
 - a new LDAP posixGroup needs to be created for "immortal" users, who are exempt from automatic account expiration
   - the `[ldap]user_flag_groups[immortal]` open must also be defined
 - the `[site]account_policy_url` option has been renamed to `[site]pi_qualification_docs_url`
@@ -42,6 +43,9 @@ For details on the changes in each release, see [the Releases page](https://gith
   ```sql
   drop trigger update_last_login;
   ```
+- `[api]keys` can now be specified in the config file
+- `ServerName` must be specified in apache site if not already
+- `UseCanonicalName` must be set to `On` in apache site
 
 ### 1.5 -> 1.6
 
@@ -74,7 +78,7 @@ Now, LDAP entries are created immediately for every user, so this is no longer n
 - Create LDAP entries for all existing requests
   ```php
   use UnityWebPortal\lib\UnityUser;
-  $_SERVER["HTTP_HOST"] = "worker"; // see deployment/overrides/worker/
+  $_SERVER["SERVER_NAME"] = "worker"; // see deployment/overrides/worker/
   $_SERVER["REMOTE_ADDR"] = "127.0.0.1";
   require_once __DIR__ . "/../resources/autoload.php";
   foreach ($SQL->getAllRequests() as $request) {

README.md

@@ -67,6 +67,8 @@ See the Docker Compose environment (`tools/docker-dev/`) for an (unsafe for prod
    - `httpd` Authorization
      - Restricted access to `webroot/admin/`
      - Global access (with valid authentication) to `webroot/`
+     - IP-based access (no authentication) to `lan/`
+      - any IP address in your local area network should be authorized
      - No access anywhere else
 1. Authorization for your other services based on user flag groups
    - in order to access your services, a user should be in the `qualified` group and should not be in the `locked`, `idlelocked`, or `disabled` groups

defaults/config.ini.default

@@ -130,3 +130,6 @@ disable_warning_days[] = 360
 disable_warning_days[] = 380
 disable_warning_days[] = 399
 disable_day = 400
+
+[api]
+; keys[] = "INSERT_KEY_HERE_AND_UNCOMMENT"

deployment/overrides/account-portal-docker-web/config/config.ini

@@ -0,0 +1,2 @@
+[api]
+keys[] = "dev_environment_api_key"

deployment/overrides/phpunit/config/config.ini

@@ -15,3 +15,6 @@ idlelock_day = 4
 disable_warning_days[] = 6
 disable_warning_days[] = 7
 disable_day = 8
+
+[api]
+keys[] = "phpunit_api_key"

resources/lib/UnityConfig.php

@@ -11,10 +11,10 @@ public static function getConfig(string $def_config_loc, string $deploy_loc): ar
     {
         $CONFIG = _parse_ini_file($def_config_loc . "/config.ini.default", true, INI_SCANNER_TYPED);
         $CONFIG = self::pullConfig($CONFIG, $deploy_loc);
-        if (array_key_exists("HTTP_HOST", $_SERVER)) {
-            $cur_url = $_SERVER["HTTP_HOST"];
-            self::assertHttpHostValid($cur_url);
-            $url_override_path = $deploy_loc . "/overrides/" . $cur_url;
+        if (array_key_exists("SERVER_NAME", $_SERVER)) {
+            $server_name = $_SERVER["SERVER_NAME"];
+            self::validateServerName($server_name);
+            $url_override_path = $deploy_loc . "/overrides/" . $server_name;
             if (is_dir($url_override_path)) {
                 $CONFIG = self::pullConfig($CONFIG, $url_override_path);
             }
@@ -126,10 +126,10 @@ public static function validateConfig(array $CONFIG): void
         }
     }
 
-    private static function assertHttpHostValid(string $host): void
+    private static function validateServerName(string $server_name): void
     {
-        if (!_preg_match("/^[a-zA-Z0-9._:-]+$/", $host)) {
-            throw new \Exception("HTTP_HOST '$host' contains invalid characters!");
+        if (!_preg_match("/^[a-zA-Z0-9._:-]+$/", $server_name)) {
+            throw new \Exception("SERVER_NAME '$server_name' contains invalid characters!");
         }
     }
 }

resources/lib/UnityHTTPD.php

@@ -81,7 +81,10 @@ public static function gracefulDie(
             $user_message_body .= " $suffix";
         }
         self::errorLog($log_title, $log_message, data: $data, error: $error, errorid: $errorid);
-        if (($_SERVER["REQUEST_METHOD"] ?? "") == "POST") {
+        if (
+            ($_SERVER["REQUEST_METHOD"] ?? "") == "POST" &&
+            !str_starts_with($_SERVER["REQUEST_URI"], "/lan/api/")
+        ) {
             self::messageError($user_message_title, $user_message_body);
             self::redirect();
         } else {
@@ -420,4 +423,19 @@ public static function getCSRFTokenHiddenFormInput(): string
         $token = htmlspecialchars(CSRFToken::generate());
         return "<input type='hidden' name='csrf_token' value='$token'>";
     }
+
+    public static function validateAPIKey(): void
+    {
+        $authorization = $_SERVER["HTTP_AUTHORIZATION"] ?? "";
+        if (!str_starts_with($authorization, "Bearer ")) {
+            self::badRequest("HTTP_AUTHORIZATION is not Bearer", "invalid HTTP_AUTHORIZATION");
+        }
+        $key = trim(substr($authorization, strlen("Bearer ")));
+        if ($key === "") {
+            self::forbidden("empty API key", "forbidden");
+        }
+        if (!in_array($key, CONFIG["api"]["keys"])) {
+            self::forbidden("API key not found in config", "forbidden");
+        }
+    }
 }

test/functional/BumpLastLoginApiTest.php

@@ -0,0 +1,28 @@
+<?php
+
+class BumpLastLoginApiTest extends UnityWebPortalTestCase
+{
+    public function testBumpLastLoginApi()
+    {
+        global $USER, $SQL;
+        $this->switchUser("Blank");
+        $last_login_before = $SQL->getUserLastLogin($USER->uid);
+        try {
+            $this_year = date("Y");
+            // set last login to one day after epoch
+            callPrivateMethod($SQL, "setUserLastLogin", $USER->uid, 1 * 24 * 60 * 60);
+            $old_timestamp_year = date("Y", $SQL->getUserLastLogin($USER->uid));
+            $this->assertNotEquals($this_year, $old_timestamp_year);
+            $this->http_post(
+                __DIR__ . "/../../webroot/lan/api/bump-last-login.php",
+                [],
+                query_params: ["uid" => $USER->uid],
+                bearer_token: "phpunit_api_key",
+            );
+            $new_timestamp_year = date("Y", $SQL->getUserLastLogin($USER->uid));
+            $this->assertEquals($this_year, $new_timestamp_year);
+        } finally {
+            callPrivateMethod($SQL, "setUserLastLogin", $USER->uid, $last_login_before);
+        }
+    }
+}

test/phpunit-bootstrap.php

@@ -39,7 +39,7 @@
 use PHPUnit\Framework\TestCase;
 use TRegx\PhpUnit\DataProviders\DataProvider as TRegxDataProvider;
 
-$_SERVER["HTTP_HOST"] = "phpunit"; // used for config override
+$_SERVER["SERVER_NAME"] = "phpunit"; // used for config override
 require_once __DIR__ . "/../resources/config.php";
 
 global $HTTP_HEADER_TEST_INPUTS;
@@ -82,7 +82,7 @@ function executeWorker(
 ): array {
     global $LDAP;
     $command = sprintf(
-        "HTTP_HOST=phpunit %s %s %s 2>&1",
+        "SERVER_NAME=phpunit %s %s %s 2>&1",
         escapeshellarg(PHP_BINARY),
         escapeshellarg(__DIR__ . "/../workers/" . $basename),
         $args,
@@ -513,7 +513,7 @@ function switchUser(
         // session_start will be called on the first post()
         $_SERVER["REMOTE_USER"] = $eppn;
         $_SERVER["REMOTE_ADDR"] = "127.0.0.1";
-        $_SERVER["HTTP_HOST"] = "phpunit"; // used for config override
+        $_SERVER["SERVER_NAME"] = "phpunit"; // used for config override
         $_SERVER["eppn"] = $eppn;
         $_SERVER["givenName"] = $given_name;
         $_SERVER["sn"] = $sn;
@@ -559,9 +559,10 @@ function assertNoWarningErrorMessages()
     function http_post(
         string $phpfile,
         array $post_data,
-        array $query_parameters = [],
+        array $query_params = [],
         bool $do_generate_csrf_token = true,
         bool $do_validate_messages = true,
+        ?string $bearer_token = null,
     ): string {
         global $LDAP,
             $SQL,
@@ -580,11 +581,14 @@ function http_post(
         $_SERVER["REQUEST_METHOD"] = "POST";
         $_SERVER["PHP_SELF"] = _preg_replace("/.*webroot\//", "/", $phpfile);
         $_SERVER["REQUEST_URI"] = _preg_replace("/.*webroot\//", "/", $phpfile); // Slightly imprecise because it doesn't include get parameters
+        if ($bearer_token !== null) {
+            $_SERVER["HTTP_AUTHORIZATION"] = "Bearer $bearer_token";
+        }
         if (!array_key_exists("csrf_token", $post_data) && $do_generate_csrf_token) {
             $post_data["csrf_token"] = CSRFToken::generate();
         }
         $_POST = $post_data;
-        $_GET = $query_parameters;
+        $_GET = $query_params;
         ob_start();
         try {
             $post_did_redirect_or_die = false;
@@ -609,8 +613,9 @@ function http_post(
 
     function http_get(
         string $phpfile,
-        array $get_data = [],
+        array $query_params = [],
         bool $ignore_die = false,
+        ?string $bearer_token = null,
         $do_validate_messages = true,
     ): string {
         global $LDAP,
@@ -630,7 +635,10 @@ function http_get(
         $_SERVER["REQUEST_METHOD"] = "GET";
         $_SERVER["PHP_SELF"] = _preg_replace("/.*webroot\//", "/", $phpfile);
         $_SERVER["REQUEST_URI"] = _preg_replace("/.*webroot\//", "/", $phpfile); // Slightly imprecise because it doesn't include get parameters
-        $_GET = $get_data;
+        if ($bearer_token !== null) {
+            $_SERVER["HTTP_AUTHORIZATION"] = "Bearer $bearer_token";
+        }
+        $_GET = $query_params;
         ob_start();
         try {
             include $phpfile;