Update the dependencies

Add a everyone_is_admin config parameter for tests purpose Fix DIGEST with liblinphone (split "email" in username + realm) and other adjustments
2026-01-17 10:08:05 +00:00 · 2021-01-05 15:35:51 +01:00 · 2021-01-05 15:35:51 +01:00 · d0e7d10014
commit d0e7d10014
parent ae3f235b46
13 changed files with 243 additions and 216 deletions
--- a/flexiapi/.env.example
+++ b/flexiapi/.env.example
@ -5,6 +5,7 @@ APP_DEBUG=false
 APP_URL=http://localhost
 APP_SIP_DOMAIN=sip.example.com
 APP_FLEXISIP_PROXY_PID=/var/run/flexisip-proxy.pid
+APP_EVERYONE_IS_ADMIN=false

 # SIP server parameters
 ACCOUNT_PROXY_REGISTRAR_ADDRESS=sip.example.com # Proxy registrar address, can be different than the SIP domain
--- a/flexiapi/app/Http/Middleware/AuthenticateAdmin.php
+++ b/flexiapi/app/Http/Middleware/AuthenticateAdmin.php
@ -19,7 +19,7 @@ class AuthenticateAdmin
            return redirect()->route('account.login');
        }

-        if (!$request->user()->isAdmin()) {
+        if (!$request->user()->isAdmin() && !config('app.everyone_is_admin')) {
            return abort(403, 'Unauthorized area');
        }

--- a/flexiapi/app/Http/Middleware/AuthenticateDigestOrKey.php
+++ b/flexiapi/app/Http/Middleware/AuthenticateDigestOrKey.php
@ -92,14 +92,14 @@ class AuthenticateDigestOrKey
                'opaque'    => 'required|in:'.$this->getOpaque(),
                'uri'       => 'in:/'.$request->path(),
                'qop'       => 'required|in:auth',
-                'realm'     => 'required',
+                'realm'     => 'required|in:'.$domain,
                'nc'        => 'required',
                'cnonce'    => 'required',
                'algorithm' => [
                    'required',
                    Rule::in(array_keys(self::ALGORITHMS)),
                ],
-                'username'  => 'required|email',
+                'username'  => 'required|in:'.$username,
            ])->validate();

            // Headers
@ -195,14 +195,14 @@ class AuthenticateDigestOrKey
                foreach (array_keys(self::ALGORITHMS) as $algorithm) {
                    array_push(
                        $headers,
-                        $this->generateAuthHeader($algorithm, $nonce)
+                        $this->generateAuthHeader($account->domain, $algorithm, $nonce)
                    );
                }
                break;
            } else if (\in_array($password->algorithm, array_keys(self::ALGORITHMS))) {
                array_push(
                    $headers,
-                    $this->generateAuthHeader($password->algorithm, $nonce)
+                    $this->generateAuthHeader($account->domain, $password->algorithm, $nonce)
                );
            }
        }
@ -210,15 +210,15 @@ class AuthenticateDigestOrKey
        return $headers;
    }

-    private function generateAuthHeader(string $algorithm, string $nonce): string
+    private function generateAuthHeader(string $realm, string $algorithm, string $nonce): string
    {
-        return 'Digest realm=test,qop=auth,algorithm='.$algorithm.',nonce="'.$nonce.'",opaque="'.$this->getOpaque().'"';
+        return 'Digest realm="'.$realm.'",qop="auth",algorithm='.$algorithm.',nonce="'.$nonce.'",opaque="'.$this->getOpaque().'"';
    }

    private function extractFromHeader(string $string): string
    {
        list($from) = explode(';', \substr($string, 4));
-        return $from;
+        return \rawurldecode($from);
    }

    private function getOpaque(): string
--- a/flexiapi/bootstrap/cache/.gitignore
+++ b/flexiapi/bootstrap/cache/.gitignore
--- a/flexiapi/composer.lock
+++ b/flexiapi/composer.lock
--- a/flexiapi/config/app.php
+++ b/flexiapi/config/app.php
@ -24,6 +24,13 @@ return [
    'proxy_registrar_address' => env('ACCOUNT_PROXY_REGISTRAR_ADDRESS', 'sip.domain.com'),
    'transport_protocol_text' => env('ACCOUNT_TRANSPORT_PROTOCOL_TEXT', 'TLS (recommended), TCP or UDP'),

+    /**
+     * Allow any accounts to request the API as an administrator
+     * This parameter is only the for debug purpose or running the tests
+     * DO NOT ENABLE IT IN PRODUCTION
+     */
+    'everyone_is_admin' => env('APP_EVERYONE_IS_ADMIN', false),
+
    /*
    |--------------------------------------------------------------------------
    | Application Environment
--- a/flexiapi/resources/views/mails/changing_email.blade.php
+++ b/flexiapi/resources/views/mails/changing_email.blade.php
@ -5,7 +5,7 @@
    <body>
        <p>Hello,</p>
        <p>
-            You requested to change your email address from {{ $account->email }} to {{ $account->emailChanged->email }} on {{ config('app.name') }}.
+            You requested to change your email address from {{ $account->email }} to {{ $account->emailChanged->new_email }} on {{ config('app.name') }}.
        </p>
        <p>
            To confirm this change please click on the following link:
--- a/flexiapi/resources/views/mails/changing_email_text.blade.php
+++ b/flexiapi/resources/views/mails/changing_email_text.blade.php
@ -1,6 +1,6 @@
 Hello,

-You requested to change your email address from {{ $account->email }} to {{ $account->emailChanged->email }} on {{ config('app.name') }}.
+You requested to change your email address from {{ $account->email }} to {{ $account->emailChanged->new_email }} on {{ config('app.name') }}.

 To confirm this change please click on the following link: {{ route('account.email.request_update', $account->emailChanged->hash) }}.

--- a/flexiapi/routes/api.php
+++ b/flexiapi/routes/api.php
@ -25,8 +25,9 @@ Route::middleware('auth:api')->get('/user', function (Request $request) {
    return $request->user();
 });

-Route::group(['middleware' => ['auth.digest_or_key']], function () {
 Route::get('ping', 'Api\PingController@ping');
+
+Route::group(['middleware' => ['auth.digest_or_key']], function () {
    Route::get('devices', 'Api\DeviceController@index');
    Route::delete('devices/{uuid}', 'Api\DeviceController@destroy');

--- a/flexiapi/tests/Feature/AccountApiTest.php
+++ b/flexiapi/tests/Feature/AccountApiTest.php
@ -51,6 +51,15 @@ class AccountApiTest extends TestCase
                          ->json($this->method, $this->route);

        $response1->assertStatus(403);
+
+        config()->set('app.everyone_is_admin', true);
+
+        $password = Password::factory()->create();
+        $response0 = $this->generateFirstResponse($password);
+        $response1 = $this->generateSecondResponse($password, $response0)
+                          ->json($this->method, $this->route);
+
+        $response1->assertStatus(422);
    }

    public function testAdminOk()
--- a/flexiapi/tests/Feature/AuthenticateDigestAndKeyTest.php
+++ b/flexiapi/tests/Feature/AuthenticateDigestAndKeyTest.php
@ -29,7 +29,7 @@ class AuthenticateDigestAndKeyTest extends TestCase
 {
    use RefreshDatabase;

-    protected $route = '/api/ping';
+    protected $route = '/api/accounts/me';
    protected $method = 'GET';

    public function testMandatoryFrom()
--- a/flexiapi/tests/TestCase.php
+++ b/flexiapi/tests/TestCase.php
@ -77,7 +77,7 @@ abstract class TestCase extends BaseTestCase

        $digest = \sprintf(
            'username="%s",realm="%s",nonce="%s",nc=%s,cnonce="%s",uri="%s",qop=%s,response="%s",opaque="%s",algorithm=%s',
-            $password->account->identifier,
+            \strstr($password->account->identifier, '@', true),
            $extractedChallenge['realm'],
            $extractedChallenge['nonce'],
            $nc,
--- a/flexisip-account-manager.spec
+++ b/flexisip-account-manager.spec
@ -8,7 +8,7 @@
 #%define _datadir           %{_datarootdir}
 #%define _docdir            %{_datadir}/doc

-%define build_number 38
+%define build_number 39
 %define var_dir /var/opt/belledonne-communications
 %define opt_dir /opt/belledonne-communications/share/flexisip-account-manager
 %define env_file "$RPM_BUILD_ROOT/etc/flexisip-account-manager/flexiapi.env"