Api bump last login (#640)

Author: simonLeary42

.gitignore

@@ -22,6 +22,9 @@ deployment/**/*
 !deployment/overrides/course-creator/
 !deployment/overrides/course-creator/config/
 !deployment/overrides/course-creator/config/config.ini
+!deployment/overrides/account-portal-docker-web:8000/
+!deployment/overrides/account-portal-docker-web:8000/config/
+!deployment/overrides/account-portal-docker-web:8000/config/config.ini
 !deployment/overrides/account-portal-docker-web-green:8000/
 !deployment/overrides/account-portal-docker-web-green:8000/config/
 !deployment/overrides/account-portal-docker-web-green:8000/config/config.ini

CHANGELOG.md

@@ -34,6 +34,7 @@ For details on the changes in each release, see [the Releases page](https://gith
 - a new location `/lan` needs to be configured in your webserver
   - authorization: only IP addresses in your local area network should be allowed
   - authentication: none
+  - `CGIPassAuth On`
 - a new LDAP posixGroup needs to be created for "immortal" users, who are exempt from automatic account expiration
   - the `[ldap]user_flag_groups[immortal]` open must also be defined
 - the `[site]account_policy_url` option has been renamed to `[site]pi_qualification_docs_url`
@@ -42,6 +43,7 @@ For details on the changes in each release, see [the Releases page](https://gith
   ```sql
   drop trigger update_last_login;
   ```
+- `[api]keys` can now be specified in the config file
 
 ### 1.5 -> 1.6
 

README.md

@@ -67,6 +67,8 @@ See the Docker Compose environment (`tools/docker-dev/`) for an (unsafe for prod
    - `httpd` Authorization
      - Restricted access to `webroot/admin/`
      - Global access (with valid authentication) to `webroot/`
+     - IP-based access (no authentication) to `lan/`
+      - any IP address in your local area network should be authorized
      - No access anywhere else
 1. Authorization for your other services based on user flag groups
    - in order to access your services, a user should be in the `qualified` group and should not be in the `locked`, `idlelocked`, or `disabled` groups

defaults/config.ini.default

@@ -130,3 +130,6 @@ disable_warning_days[] = 360
 disable_warning_days[] = 380
 disable_warning_days[] = 399
 disable_day = 400
+
+[api]
+; keys[] = "INSERT_KEY_HERE_AND_UNCOMMENT"

deployment/overrides/account-portal-docker-web:8000/config/config.ini

@@ -0,0 +1,2 @@
+[api]
+keys[] = "dev_environment_api_key"

deployment/overrides/phpunit/config/config.ini

@@ -15,3 +15,6 @@ idlelock_day = 4
 disable_warning_days[] = 6
 disable_warning_days[] = 7
 disable_day = 8
+
+[api]
+keys[] = "phpunit_api_key"

resources/lib/UnityHTTPD.php

@@ -81,7 +81,10 @@ public static function gracefulDie(
             $user_message_body .= " $suffix";
         }
         self::errorLog($log_title, $log_message, data: $data, error: $error, errorid: $errorid);
-        if (($_SERVER["REQUEST_METHOD"] ?? "") == "POST") {
+        if (
+            ($_SERVER["REQUEST_METHOD"] ?? "") == "POST" &&
+            !str_starts_with($_SERVER["REQUEST_URI"], "/lan/api/")
+        ) {
             self::messageError($user_message_title, $user_message_body);
             self::redirect();
         } else {
@@ -420,4 +423,20 @@ public static function getCSRFTokenHiddenFormInput(): string
         $token = htmlspecialchars(CSRFToken::generate());
         return "<input type='hidden' name='csrf_token' value='$token'>";
     }
+
+    public static function validateAPIKey(): void
+    {
+        $authorization = $_SERVER["HTTP_AUTHORIZATION"] ?? "";
+        if (!str_starts_with($authorization, "Bearer ")) {
+            // this can happen when you don't enable apache CGIPassAuth
+            self::badRequest("HTTP_AUTHORIZATION is not Bearer", "invalid HTTP_AUTHORIZATION");
+        }
+        $key = trim(substr($authorization, strlen("Bearer ")));
+        if ($key === "") {
+            self::forbidden("empty API key", "forbidden");
+        }
+        if (!in_array($key, CONFIG["api"]["keys"])) {
+            self::forbidden("API key not found in config", "forbidden");
+        }
+    }
 }

test/functional/BumpLastLoginApiTest.php

@@ -0,0 +1,28 @@
+<?php
+
+class BumpLastLoginApiTest extends UnityWebPortalTestCase
+{
+    public function testBumpLastLoginApi()
+    {
+        global $USER, $SQL;
+        $this->switchUser("Blank");
+        $last_login_before = $SQL->getUserLastLogin($USER->uid);
+        try {
+            $this_year = date("Y");
+            // set last login to one day after epoch
+            callPrivateMethod($SQL, "setUserLastLogin", $USER->uid, 1 * 24 * 60 * 60);
+            $old_timestamp_year = date("Y", $SQL->getUserLastLogin($USER->uid));
+            $this->assertNotEquals($this_year, $old_timestamp_year);
+            $this->http_post(
+                __DIR__ . "/../../webroot/lan/api/bump-last-login.php",
+                [],
+                query_params: ["uid" => $USER->uid],
+                bearer_token: "phpunit_api_key",
+            );
+            $new_timestamp_year = date("Y", $SQL->getUserLastLogin($USER->uid));
+            $this->assertEquals($this_year, $new_timestamp_year);
+        } finally {
+            callPrivateMethod($SQL, "setUserLastLogin", $USER->uid, $last_login_before);
+        }
+    }
+}

test/phpunit-bootstrap.php

@@ -559,9 +559,10 @@ function assertNoWarningErrorMessages()
     function http_post(
         string $phpfile,
         array $post_data,
-        array $query_parameters = [],
+        array $query_params = [],
         bool $do_generate_csrf_token = true,
         bool $do_validate_messages = true,
+        ?string $bearer_token = null,
     ): string {
         global $LDAP,
             $SQL,
@@ -580,11 +581,14 @@ function http_post(
         $_SERVER["REQUEST_METHOD"] = "POST";
         $_SERVER["PHP_SELF"] = _preg_replace("/.*webroot\//", "/", $phpfile);
         $_SERVER["REQUEST_URI"] = _preg_replace("/.*webroot\//", "/", $phpfile); // Slightly imprecise because it doesn't include get parameters
+        if ($bearer_token !== null) {
+            $_SERVER["HTTP_AUTHORIZATION"] = "Bearer $bearer_token";
+        }
         if (!array_key_exists("csrf_token", $post_data) && $do_generate_csrf_token) {
             $post_data["csrf_token"] = CSRFToken::generate();
         }
         $_POST = $post_data;
-        $_GET = $query_parameters;
+        $_GET = $query_params;
         ob_start();
         try {
             $post_did_redirect_or_die = false;
@@ -609,8 +613,9 @@ function http_post(
 
     function http_get(
         string $phpfile,
-        array $get_data = [],
+        array $query_params = [],
         bool $ignore_die = false,
+        ?string $bearer_token = null,
         $do_validate_messages = true,
     ): string {
         global $LDAP,
@@ -630,7 +635,10 @@ function http_get(
         $_SERVER["REQUEST_METHOD"] = "GET";
         $_SERVER["PHP_SELF"] = _preg_replace("/.*webroot\//", "/", $phpfile);
         $_SERVER["REQUEST_URI"] = _preg_replace("/.*webroot\//", "/", $phpfile); // Slightly imprecise because it doesn't include get parameters
-        $_GET = $get_data;
+        if ($bearer_token !== null) {
+            $_SERVER["HTTP_AUTHORIZATION"] = "Bearer $bearer_token";
+        }
+        $_GET = $query_params;
         ob_start();
         try {
             include $phpfile;

tools/docker-dev/web/unity-apache.conf

@@ -1,4 +1,6 @@
 <VirtualHost _default_:80>
+    ServerName account-portal-docker-web
+    UseCanonicalName On
     DocumentRoot /var/www/unity-web-portal/webroot
     <LocationMatch '^/(panel|admin)'>
         AuthType Basic
@@ -13,5 +15,6 @@
         # in production you should require an address in your LAN, example "Require ip 10.0.0.0/8"
         AuthType basic
         Require all granted
+        CGIPassAuth On
     </Location>
 </VirtualHost>