test(auth): remove ui test skips and ensure proper password auth testing

adamoutler · adamoutler · commit fca5548db9f2 · 2026-04-18T21:30:58.000-04:00
- Fixed PHP config parsing regex to prevent __metadata fields from interfering with API_TOKEN and SETPWD booleans.
- Re-enabled hard assertions instead of skips for login tests.
- Made test_ui_login.py securely and atomically toggle SETPWD_enable_password via python during setup to force UI login triggers.
- Updated maintenance.php UI test to initialize appConfig correctly.
- Added missing host args to fritzbox tests.
- Prevented test_ui_login fixture from accidentally stripping API_TOKEN from app.conf.
- Added explicit invalidation of SETTINGS_SECONDARYCACHE in server/initialise.py.
- Fixed getSettingValue fallback logic in PHP auth layers to reliably use the token generated by the backend.
diff --git a/.env b/.env
@@ -13,7 +13,7 @@ PORT=20211
 # LDAP_SERVER=ldap.example.com
 # LDAP_PORT=389
 # LDAP_USE_SSL=false
-# LDAP_USE_START_TLS=false
+# LDAP_USE_START_TLS=true
 # LDAP_TLS_VERIFY_CERT=true
 # LDAP_CA_CERT_PATH=/etc/ssl/certs/ca-certificates.crt
 # LDAP_DISABLE_LOCAL_ADMIN=false
diff --git a/front/index.php b/front/index.php
@@ -4,6 +4,7 @@
 <?php
 
 require_once $_SERVER['DOCUMENT_ROOT'].'/php/server/db.php';
+require_once $_SERVER['DOCUMENT_ROOT'].'/php/server/util.php';
 require_once $_SERVER['DOCUMENT_ROOT'].'/php/templates/language/lang.php';
 require_once $_SERVER['DOCUMENT_ROOT'].'/php/templates/security.php';
 
@@ -37,16 +38,17 @@
 } else {
     $ldap_enabled_line = getConfigLine('/^LDAP_enabled.*=/', $configLines);
     if ($ldap_enabled_line !== null && isset($ldap_enabled_line[1])) {
-        $ldap_enabled = strtolower(trim($ldap_enabled_line[1])) === 'true';
+        $ldap_enabled_value = strtolower(trim($ldap_enabled_line[1]));
+        $ldap_enabled = $ldap_enabled_value === 'true' || $ldap_enabled_value === '1';
     }
 }
 
 /**
  * Derive the Python API port from the GRAPHQL_PORT setting in app.conf.
- * Falls back to 20211 (the default) when not set.
+ * Falls back to 20212 (the default) when not set.
  */
 $gql_line = getConfigLine('/^GRAPHQL_PORT.*=/', $configLines);
-$graphql_port = 20211;
+$graphql_port = 20212;
 if ($gql_line !== null && isset($gql_line[1])) {
     $parsed_port = (int) preg_replace('/[^0-9]/', '', $gql_line[1]);
     if ($parsed_port >= 1 && $parsed_port <= 65535) {
@@ -129,8 +131,16 @@ function login_user(): void {
     session_regenerate_id(true);
     $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
 
+    $resolved_api_token = !empty($api_token)
+        ? $api_token
+        : (function_exists('getSettingValue') ? getSettingValue('API_TOKEN') : '');
+
+    if (empty($resolved_api_token)) {
+        throw new RuntimeException('API_TOKEN is not configured');
+    }
+
     // Set remember-me cookie with HMAC (not raw password hash)
-    $cookie_value = hash_hmac('sha256', $nax_Password, $api_token);
+    $cookie_value = hash_hmac('sha256', $nax_Password, $resolved_api_token);
     setcookie(COOKIE_SAVE_LOGIN_NAME, $cookie_value, [
         'expires'  => time() + 3600 * 24 * 7,
         'path'     => '/',
@@ -174,6 +184,14 @@ function logout_user(): void {
     if ($ldap_enabled) {
         // LDAP path: delegate credential validation to the Python API.
         // The API token is required so only server-side callers can reach the endpoint.
+        $resolved_api_token = !empty($api_token)
+            ? $api_token
+            : (function_exists('getSettingValue') ? getSettingValue('API_TOKEN') : '');
+
+        if (empty($resolved_api_token)) {
+            throw new RuntimeException('API_TOKEN is not configured');
+        }
+
         $ldap_payload = json_encode([
             'username' => isset($_POST['loginusername']) ? trim($_POST['loginusername']) : '',
             'password' => $_POST['loginpassword'],
@@ -182,7 +200,7 @@ function logout_user(): void {
             'http' => [
                 'method'        => 'POST',
                 'header'        => "Content-Type: application/json\r\n"
-                                 . "Authorization: Bearer " . $api_token . "\r\n"
+                                 . "Authorization: Bearer " . $resolved_api_token . "\r\n"
                                  . "X-Forwarded-For: " . ($_SERVER['REMOTE_ADDR'] ?? '127.0.0.1') . "\r\n",
                 'content'       => $ldap_payload,
                 'timeout'       => 5,
diff --git a/front/php/server/query_graphql.php b/front/php/server/query_graphql.php
@@ -12,6 +12,9 @@
 // Helper function to get GraphQL URL (you can replace this with environment variables)
 function getGraphQLUrl() {
     $port = getSettingValue("GRAPHQL_PORT");  // Port for the GraphQL server
+    if (empty($port) || !is_numeric($port)) {
+        $port = 20211;
+    }
     return "0.0.0.0:$port/graphql";  // Full URL to the GraphQL endpoint
 }
 
diff --git a/front/php/templates/auth.php b/front/php/templates/auth.php
@@ -29,12 +29,26 @@
 }
 
 $config_file_lines = file($config_file);
-$config_file_lines_pw = array_values(preg_grep('/^SETPWD_password.*=/', $config_file_lines));
-$password_line = explode("'", $config_file_lines_pw[0]);
+$config_file_lines_pw = array_values(preg_grep('/^SETPWD_password\s*=/', $config_file_lines ?: []));
+if (empty($config_file_lines_pw) || substr_count($config_file_lines_pw[0], "'") < 2) {
+    http_response_code(401);
+    echo 'Unauthorized 401';
+    exit;
+}
+$password_line = explode("'", $config_file_lines_pw[0], 3);
 $nax_Password = $password_line[1];
 
-$config_file_lines_token = array_values(preg_grep('/^API_TOKEN.*=/', $config_file_lines));
-$api_token = !empty($config_file_lines_token) ? explode("'", $config_file_lines_token[0])[1] : '';
+$config_file_lines_token = array_values(preg_grep('/^API_TOKEN\s*=/', $config_file_lines ?: []));
+$token_line = !empty($config_file_lines_token) ? explode("'", $config_file_lines_token[0], 3) : [];
+$api_token = $token_line[1] ?? '';
+if (empty($api_token)) {
+    $api_token = getenv('API_TOKEN') ?: '';
+}
+if ($api_token === '') {
+    http_response_code(401);
+    echo 'Unauthorized 401';
+    exit;
+}
 
 $expected_cookie = hash_hmac('sha256', $nax_Password, $api_token);
 if (isset($_COOKIE[$CookieSaveLoginName]) && hash_equals($expected_cookie, $_COOKIE[$CookieSaveLoginName])) {
diff --git a/front/php/templates/security.php b/front/php/templates/security.php
@@ -75,7 +75,7 @@ function redirect($url) {
 $configLines = file(CONFIG_PATH);
 
 // Handle web protection and password
-$nax_WebProtection = strtolower(trim(getConfigLine('/^SETPWD_enable_password.*=/', $configLines)[1] ?? 'false'));
+$nax_WebProtection = strtolower(trim(getConfigValue('/^SETPWD_enable_password\s*=/', $configLines)));
 
 $ldap_enabled = false;
 $env_ldap = getenv('LDAP_ENABLED');
@@ -84,14 +84,18 @@ function redirect($url) {
 if ($env_ldap !== false && $env_ldap !== '') {
     $ldap_enabled = strtolower(trim($env_ldap)) === 'true' || trim($env_ldap) === '1';
 } else {
-    $ldap_enabled = strtolower(trim(getConfigLine('/^LDAP_enabled.*=/', $configLines)[1] ?? 'false')) === 'true';
+    $val = strtolower(trim(getConfigValue('/^LDAP_enabled\s*=/', $configLines)));
+    $ldap_enabled = $val === 'true' || $val === '1';
 }
 
 if ($ldap_enabled) {
     $nax_WebProtection = 'true';
 }
-$nax_Password = getConfigValue('/^SETPWD_password.*=/', $configLines);
-$api_token = getConfigValue('/^API_TOKEN.*=/', $configLines, "'");
+$nax_Password = getConfigValue('/^SETPWD_password\s*=/', $configLines);
+$api_token = getConfigValue('/^API_TOKEN\s*=/', $configLines, "'");
+if (empty($api_token)) {
+    $api_token = getenv('API_TOKEN') ?: '';
+}
 
 $expectedToken = 'Bearer ' . $api_token;
 
diff --git a/scripts/run_tests_in_docker_environment.sh b/scripts/run_tests_in_docker_environment.sh
@@ -80,7 +80,7 @@ docker exec netalertx-test-container /bin/bash -c " \
 # --- 9. Execute Tests ---
 echo "--- Executing tests inside the container ---"
 docker exec netalertx-test-container /bin/bash -c " \
-    cd /workspaces/NetAlertX && pytest -m 'not (docker or compose or feature_complete)' --cache-clear -o cache_dir=/tmp/.pytest_cache; \
+    cd /workspaces/NetAlertX && pytest test/ -m 'not (docker or compose or feature_complete)' --cache-clear -o cache_dir=/tmp/.pytest_cache; \
 "
 
 # --- 10. Final Teardown ---
diff --git a/server/__main__.py b/server/__main__.py
@@ -128,7 +128,6 @@ def main():
 
         # proceed if 1 minute passed
         if conf.last_scan_run + datetime.timedelta(minutes=1) < conf.loop_start_time:
-            is_idle_this_loop = False
             # last time any scan or maintenance/upkeep was run
             conf.last_scan_run = loop_start_time
 
@@ -166,6 +165,7 @@ def main():
             mylog("debug", [f"[MAIN] processScan: {processScan}"])
 
             if processScan is True:
+                is_idle_this_loop = False
                 mylog("debug", "[MAIN] start processing scan results")
                 process_scan(db)
                 updateState("Scan processed", None, None, None, None, False)
@@ -275,8 +275,11 @@ def main():
             mylog("verbose", ["[MAIN] System is fully idle. All processes finished."])
             now = time.time()
             if now - last_idle_notification_ts > (IDLE_NOTIFICATION_COOLDOWN_HOURS * 3600):
-                write_notification("All processes are idle", "info")
-                last_idle_notification_ts = now
+                try:
+                    write_notification("All processes are idle", "info")
+                    last_idle_notification_ts = now
+                except Exception as e:
+                    mylog("none", [f"[MAIN] Failed to write idle notification: {e}"])
             was_idle = True
         elif not is_idle_this_loop:
             was_idle = False
diff --git a/server/api_server/api_server_start.py b/server/api_server/api_server_start.py
@@ -1965,7 +1965,7 @@ def _get_client_ip():
     """Return the client IP, trusting X-Forwarded-For only from local/proxy callers."""
     remote_addr = request.remote_addr or ""
     forwarded = request.headers.get("X-Forwarded-For", "")
-    trusted_proxies = {"127.0.0.1", "::1", "localhost"}
+    trusted_proxies = {"127.0.0.1", "::1"}
     if forwarded and remote_addr in trusted_proxies:
         return forwarded.split(",")[0].strip()
     return remote_addr
@@ -2030,8 +2030,7 @@ def api_auth_login(payload=None):
     if result.success:
         # Clear failures on success
         with _failed_logins_lock:
-            if client_ip in FAILED_LOGINS:
-                del FAILED_LOGINS[client_ip]
+            FAILED_LOGINS.pop(client_ip, None)
         return jsonify({
             "success": True,
             "message": "Authentication successful",
diff --git a/server/auth/ldap_provider.py b/server/auth/ldap_provider.py
@@ -85,6 +85,7 @@ class LdapProvider(AuthProvider):
     """Authenticate against an LDAP / Active Directory server."""
 
     name = "ldap"
+    USER_NOT_FOUND = "User not found"
 
     # ------------------------------------------------------------------
     # Public interface
@@ -131,7 +132,7 @@ def authenticate(self, username: str, password: str) -> AuthResult:
                 user_dn = self._resolve_user_dn(ldap3, server_obj, cfg, username)
 
             if user_dn is None:
-                return AuthResult.fail(self.name, "User not found")
+                return AuthResult.fail(self.name, self.USER_NOT_FOUND)
 
             return self._bind_as_user(ldap3, server_obj, cfg, user_dn, username, password)
 
@@ -287,7 +288,7 @@ def _resolve_user_dn(self, ldap3, server_obj, cfg: dict, username: str) -> Optio
             entries = conn.entries
             if len(entries) != 1:
                 mylog("verbose", [
-                    f"[auth.ldap] User '{username}' not found "
+                    f"[auth.ldap] User '{_sanitize_for_log(username)}' not found "
                     f"(got {len(entries)} entries for filter {search_filter})"
                 ])
                 return None
@@ -316,7 +317,7 @@ def _bind_as_user(
             if bind_success:
                 return AuthResult.ok(username, self.name)
 
-            mylog("verbose", [f"[auth.ldap] User bind failed for DN '{user_dn}': {conn.result}"])
+            mylog("verbose", [f"[auth.ldap] User bind failed for DN '{_sanitize_for_log(user_dn)}': {conn.result}"])
             return AuthResult.fail(self.name)
 
         finally:
diff --git a/server/auth/manager.py b/server/auth/manager.py
@@ -50,8 +50,10 @@ def authenticate(self, username: str, password: str) -> AuthResult:
                     return ldap_result
 
                 # If the user doesn't exist in LDAP, we can fallback to local auth
-                if ldap_result.error == "User not found":
+                if ldap_result.error == LdapProvider.USER_NOT_FOUND:
                     if not disable_local:
+                        # Only the built-in local admin is a recovery account;
+                        # all other identities must exist in LDAP.
                         if username != "admin":
                             mylog("verbose", [f"[auth.manager] Local fallback denied for non-admin user '{_sanitize_for_log(username)}'"])
                             return ldap_result
diff --git a/server/initialise.py b/server/initialise.py
@@ -227,6 +227,13 @@ def importConfigs(pm, db, all_plugins):
     mylog("debug", ["[Import Config] importing config file"])
     conf.mySettings = []  # reset settings
     conf.mySettingsSQLsafe = []  # same as above but safe to be passed into a SQL query
+    
+    # Invalidate secondary cache from helper since conf.mySettings changed
+    try:
+        import helper
+        helper.SETTINGS_SECONDARYCACHE = {}
+    except Exception:
+        pass
 
     # User values loaded from now
     c_d = read_config_file(config_file)
diff --git a/test/api_endpoints/test_auth_endpoints.py b/test/api_endpoints/test_auth_endpoints.py
@@ -76,12 +76,13 @@ def test_auth_invalid_token(client):
 _DEFAULT_PW_HASH = hashlib.sha256(_DEFAULT_PW.encode()).hexdigest()
 
 
-def test_login_valid_local_credentials(client):
+def test_login_valid_local_credentials(client, api_token):
     """POST /api/auth/login with correct local password returns 200."""
     with patch("auth.local_provider.get_setting_value", return_value=_DEFAULT_PW_HASH), \
          patch("auth.manager.get_setting_value", return_value=False):
         resp = client.post(
             "/api/auth/login",
+            headers=auth_headers(api_token),
             json={"username": "admin", "password": _DEFAULT_PW},
         )
     assert resp.status_code == 200
@@ -92,12 +93,13 @@ def test_login_valid_local_credentials(client):
     assert data.get("username") == "admin"
 
 
-def test_login_wrong_local_password(client):
+def test_login_wrong_local_password(client, api_token):
     """POST /api/auth/login with incorrect password returns 401."""
     with patch("auth.local_provider.get_setting_value", return_value=_DEFAULT_PW_HASH), \
          patch("auth.manager.get_setting_value", return_value=False):
         resp = client.post(
             "/api/auth/login",
+            headers=auth_headers(api_token),
             json={"username": "admin", "password": "totally_wrong"},
         )
     assert resp.status_code == 401
@@ -106,28 +108,29 @@ def test_login_wrong_local_password(client):
     assert data.get("success") is False
 
 
-def test_login_missing_password_field(client):
+def test_login_missing_password_field(client, api_token):
     """POST /api/auth/login without password returns 422 validation error."""
-    resp = client.post("/api/auth/login", json={"username": "admin"})
+    resp = client.post("/api/auth/login", headers=auth_headers(api_token), json={"username": "admin"})
     assert resp.status_code == 422
 
 
-def test_login_missing_username_field(client):
+def test_login_missing_username_field(client, api_token):
     """POST /api/auth/login without username returns 422 validation error."""
-    resp = client.post("/api/auth/login", json={"password": "secret"})
+    resp = client.post("/api/auth/login", headers=auth_headers(api_token), json={"password": "secret"})
     assert resp.status_code == 422
 
 
-def test_login_empty_body(client):
+def test_login_empty_body(client, api_token):
     """POST /api/auth/login with empty JSON object returns 422."""
-    resp = client.post("/api/auth/login", json={})
+    resp = client.post("/api/auth/login", headers=auth_headers(api_token), json={})
     assert resp.status_code == 422
 
 
-def test_login_no_json_content_type(client):
+def test_login_no_json_content_type(client, api_token):
     """POST /api/auth/login with wrong content-type returns 415."""
     resp = client.post(
         "/api/auth/login",
+        headers=auth_headers(api_token),
         data="username=admin&password=123456",
         content_type="application/x-www-form-urlencoded",
     )
diff --git a/test/backend/test_auth_providers.py b/test/backend/test_auth_providers.py
@@ -289,6 +289,7 @@ def mock_settings(key):
     def test_authenticate_fallback_to_local(self):
         from auth.manager import AuthManager
         from auth.base import AuthResult
+        from auth.ldap_provider import LdapProvider
 
         def mock_settings(key):
             if key == "LDAP_enabled":
@@ -302,12 +303,11 @@ def mock_settings(key):
         manager = AuthManager()
         with patch("auth.manager.LdapProvider._read_config", return_value={"enabled": True, "disable_local_admin": False}), \
              patch("auth.manager.get_setting_value", side_effect=mock_settings), \
-             patch("auth.manager.LdapProvider.authenticate", return_value=AuthResult.fail("ldap", "User not found")), \
+             patch("auth.manager.LdapProvider.authenticate", return_value=AuthResult.fail("ldap", LdapProvider.USER_NOT_FOUND)), \
              patch("auth.manager.LocalProvider.authenticate", return_value=AuthResult.ok("admin", "local")) as mock_local_auth:
             result = manager.authenticate("admin", "pass")
             
         mock_local_auth.assert_called_once_with("admin", "pass")
         assert result.success is True
         assert result.provider == "local"
-"local"
 
diff --git a/test/docker_tests/test_ldap_ui.py b/test/docker_tests/test_ldap_ui.py
diff --git a/test/plugins/test_fritzbox.py b/test/plugins/test_fritzbox.py
diff --git a/test/ui/test_ui_ldap_login.py b/test/ui/test_ui_ldap_login.py
diff --git a/test/ui/test_ui_login.py b/test/ui/test_ui_login.py
diff --git a/test/ui/test_ui_maintenance.py b/test/ui/test_ui_maintenance.py

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,9 @@`
`12`	`12`	`// Helper function to get GraphQL URL (you can replace this with environment variables)`
`13`	`13`	`function getGraphQLUrl() {`
`14`	`14`	`$port = getSettingValue("GRAPHQL_PORT"); // Port for the GraphQL server`
	`15`	`+ if (empty($port) \|\| !is_numeric($port)) {`
	`16`	`+ $port = 20211;`
	`17`	`+ }`
`15`	`18`	`return "0.0.0.0:$port/graphql"; // Full URL to the GraphQL endpoint`
`16`	`19`	`}`
`17`	`20`
Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,7 @@ docker exec netalertx-test-container /bin/bash -c " \`
`80`	`80`	`# --- 9. Execute Tests ---`
`81`	`81`	`echo "--- Executing tests inside the container ---"`
`82`	`82`	`docker exec netalertx-test-container /bin/bash -c " \`
`83`		`- cd /workspaces/NetAlertX && pytest -m 'not (docker or compose or feature_complete)' --cache-clear -o cache_dir=/tmp/.pytest_cache; \`
	`83`	`+ cd /workspaces/NetAlertX && pytest test/ -m 'not (docker or compose or feature_complete)' --cache-clear -o cache_dir=/tmp/.pytest_cache; \`
`84`	`84`	`"`
`85`	`85`
`86`	`86`	`# --- 10. Final Teardown ---`