Automating Testing of NTLM Secured Sites
I have a security mechanism that I coded up several years ago. It relies on NTLM Authentication (on a remote IIS server via redirects) and can be implemented in any PHP script on my Unix/Apache box using three lines of code:
<?php
require_once 'the_lib.php';
session_start();
use_scrty('Application Identifier');
?>
It checks the NTLM authorized user against a database of user IDs that are authorized to access applications, and what access levels they have. If the user is not authorized, it will show an error message and exit. This scheme has worked great for me for ages.
Recently I have been doing Test Driven Development (TDD), and my favorite PHP unit testing library—SimpleTest—does not support NTLM Authentication (nor would I want to ask Marcus to implement this mess). Plus, I am not particularly interested in hard coding my NT Domain user name and password into testing scripts.
So what is left to do? Add a back door to bypass security for the test script. In doing this, I would like it to be as secure as possible while breaking security ;). What I have done is allow an additional URL parameter that, if present, is tested to see if it matches an MD5 hash of the current Unix timestamp, salted by the mtime for the directory in which the application lives. When I find a match, I insert enough data into the session to appear to have already passed the authentication. This parameter ought to be random and unguessable by my reckoning (at least by any user who does not have access to the web server's file system, for which you have other bigger problems already). Any holes in this scheme? Are there better alternatives available?
<?php
/**
 * check for test user authentication and require security
 * @return void
 */
function check_auth_user() {
    // if testauth is an md5 hash of the current unix timestamp within the past 2 seconds
    $mtime = filemtime('.');
    // time() replaces the argument-less mktime(), which newer PHP versions reject
    $now = time();
    // strict comparison (===) avoids PHP type juggling on numeric-looking hashes
    // and rejects non-string values such as ?testauth[]=x
    if (array_key_exists('testauth', $_GET)
        && ($_GET['testauth'] === md5($now.$mtime)
            || $_GET['testauth'] === md5(($now-1).$mtime)
            || $_GET['testauth'] === md5(($now-2).$mtime)
        )
    ) {
        // pre-populate the session so use_scrty() sees an authenticated test user;
        // APPL is expected to be defined by the including application
        $_SESSION['scrty_data']['scrty_appl'] = APPL;
        $_SESSION['scrty']['valid_login'] = true;
        $_SESSION['scrty']['appl_acss'] = true;
        $_SESSION['scrty']['info'] = array(
            'NAME_FIRST' => 'Anonymous'
            ,'NAME_LAST' => 'User'
            ,'ACSS_LEVEL' => 'GENERAL'
            ,'LOGIN_IDFTN' => 'TESTUSER'
        );
    }
    use_scrty(APPL);
}
?>
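One hardened variant of the time-window token described above, as an added example that is not part of the original post or of the_lib.php: the token is an HMAC-SHA256 over the application identifier and timestamp, keyed with a random secret instead of the directory mtime, and it is checked in constant time. The function names, the `timestamp.mac` token layout and the key handling are assumptions made for this example.

```php
<?php
// Added example, not the original post's code. Names are hypothetical.
const TEST_AUTH_WINDOW = 2; // seconds of skew accepted, same window as the post

/** Test-suite side: value for the testauth URL parameter. */
function make_test_token(string $key, string $appl, int $now): string
{
    return $now . '.' . hash_hmac('sha256', $appl . '|' . $now, $key);
}

/** Server side: true only for a well-formed, fresh, correctly keyed token. */
function verify_test_token($token, string $key, string $appl, int $now): bool
{
    // Rejects arrays (?testauth[]=x), wrong lengths and stray characters.
    if (!is_string($token)
        || !preg_match('/^(\d{1,12})\.([0-9a-f]{64})$/D', $token, $m)) {
        return false;
    }
    $ts = (int) $m[1];
    if (abs($now - $ts) > TEST_AUTH_WINDOW) {
        return false; // expired or future-dated
    }
    // The application id is part of the MAC, so a token minted for one
    // application is not valid for another.
    $expected = hash_hmac('sha256', $appl . '|' . $ts, $key);
    return hash_equals($expected, $m[2]); // constant-time comparison
}

// Constructed sample run. In use, the key would be 32 random bytes stored
// outside the web root and readable only by the web server and test runner.
$key  = random_bytes(32);
$appl = 'Application Identifier';
$now  = time();
$tok  = make_test_token($key, $appl, $now);

$cases = [
    'fresh token'       => verify_test_token($tok, $key, $appl, $now),
    'same token, 5s on' => verify_test_token($tok, $key, $appl, $now + 5),
    'other application' => verify_test_token($tok, $key, 'Other App', $now),
    'array parameter'   => verify_test_token(['x'], $key, $appl, $now),
    'wrong key'         => verify_test_token($tok, random_bytes(32), $appl, $now),
];
foreach ($cases as $label => $ok) {
    printf("%-18s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

A token stays valid for the whole window, so it can be reused within those seconds; the bypass is best enabled only on hosts where the test suite actually runs.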
Any chance of seeing the_lib.php?
Well…that one is a bit ugly. Maybe I will pull it out of the closet, dust it off, and post a follow-up blog entry on it.
Relevant portions of “the_lib.php” posted here.