3 namespace Shaarli\Security
;
5 use Psr\Log\LoggerInterface
;
6 use Shaarli\FakeConfigManager
;
10 * Test coverage for LoginManager
12 class LoginManagerTest
extends TestCase
14 /** @var FakeConfigManager Configuration Manager instance */
15 protected $configManager = null;
17 /** @var LoginManager Login Manager instance */
18 protected $loginManager = null;
20 /** @var SessionManager Session Manager instance */
21 protected $sessionManager = null;
23 /** @var string Banned IP filename */
24 protected $banFile = 'sandbox/ipbans.php';
26 /** @var string Log filename */
27 protected $logFile = 'sandbox/shaarli.log';
29 /** @var array Simulates the $_COOKIE array */
30 protected $cookie = [];
32 /** @var array Simulates the $GLOBALS array */
33 protected $globals = [];
35 /** @var array Simulates the $_SERVER array */
36 protected $server = [];
38 /** @var array Simulates the $_SESSION array */
39 protected $session = [];
41 /** @var string Advertised client IP address */
42 protected $clientIpAddress = '10.1.47.179';
44 /** @var string Local client IP address */
45 protected $ipAddr = '127.0.0.1';
47 /** @var string Trusted proxy IP address */
48 protected $trustedProxy = '10.1.1.100';
50 /** @var string User login */
51 protected $login = 'johndoe';
53 /** @var string User password */
54 protected $password = 'IC4nHazL0g1n?';
56 /** @var string Hash of the salted user password */
57 protected $passwordHash = '';
59 /** @var string Salt used by hash functions */
60 protected $salt = '669e24fa9c5a59a613f98e8e38327384504a4af2';
62 /** @var CookieManager */
63 protected $cookieManager;
65 /** @var BanManager */
66 protected $banManager;
69 * Prepare or reset test resources
71 protected function setUp(): void
73 if (file_exists($this->banFile
)) {
74 unlink($this->banFile
);
77 $this->passwordHash
= sha1($this->password
. $this->login
. $this->salt
);
79 $this->configManager
= new FakeConfigManager([
80 'credentials.login' => $this->login
,
81 'credentials.hash' => $this->passwordHash
,
82 'credentials.salt' => $this->salt
,
83 'resource.ban_file' => $this->banFile
,
84 'resource.log' => $this->logFile
,
85 'security.ban_after' => 2,
86 'security.ban_duration' => 3600,
87 'security.trusted_proxies' => [$this->trustedProxy
],
94 $this->cookieManager
= $this->createMock(CookieManager
::class);
95 $this->cookieManager
->method('getCookieParameter')->willReturnCallback(function (string $key) {
96 return $this->cookie
[$key] ?? null;
98 $this->sessionManager
= new SessionManager($this->session
, $this->configManager
, 'session_path');
99 $this->banManager
= $this->createMock(BanManager
::class);
100 $this->loginManager
= new LoginManager(
101 $this->configManager
,
102 $this->sessionManager
,
103 $this->cookieManager
,
105 $this->createMock(LoggerInterface
::class)
107 $this->server
['REMOTE_ADDR'] = $this->ipAddr
;
111 * Record a failed login attempt
113 public function testHandleFailedLogin(): void
115 $this->banManager
->expects(static::exactly(2))->method('handleFailedAttempt');
116 $this->banManager
->method('isBanned')->willReturn(true);
118 $this->loginManager
->handleFailedLogin($this->server
);
119 $this->loginManager
->handleFailedLogin($this->server
);
121 static::assertFalse($this->loginManager
->canLogin($this->server
));
125 * Record a failed login attempt - IP behind a trusted proxy
127 public function testHandleFailedLoginBehindTrustedProxy()
130 'REMOTE_ADDR' => $this->trustedProxy
,
131 'HTTP_X_FORWARDED_FOR' => $this->ipAddr
,
134 $this->banManager
->expects(static::exactly(2))->method('handleFailedAttempt');
135 $this->banManager
->method('isBanned')->willReturn(true);
137 $this->loginManager
->handleFailedLogin($server);
138 $this->loginManager
->handleFailedLogin($server);
140 $this->assertFalse($this->loginManager
->canLogin($server));
144 * Record a failed login attempt - IP behind a trusted proxy but not forwarded
146 public function testHandleFailedLoginBehindTrustedProxyNoIp()
149 'REMOTE_ADDR' => $this->trustedProxy
,
151 $this->loginManager
->handleFailedLogin($server);
152 $this->loginManager
->handleFailedLogin($server);
153 $this->assertTrue($this->loginManager
->canLogin($server));
159 public function testHandleSuccessfulLogin()
161 $this->assertTrue($this->loginManager
->canLogin($this->server
));
163 $this->loginManager
->handleSuccessfulLogin($this->server
);
164 $this->assertTrue($this->loginManager
->canLogin($this->server
));
168 * Erase failure records after successfully logging in from this IP
170 public function testHandleSuccessfulLoginAfterFailure()
172 $this->loginManager
->handleFailedLogin($this->server
);
173 $this->assertTrue($this->loginManager
->canLogin($this->server
));
175 $this->loginManager
->handleSuccessfulLogin($this->server
);
176 $this->loginManager
->handleFailedLogin($this->server
);
177 $this->assertTrue($this->loginManager
->canLogin($this->server
));
181 * The IP is not banned
183 public function testCanLoginIpNotBanned()
185 $this->assertTrue($this->loginManager
->canLogin($this->server
));
189 * Generate a token depending on the user credentials and client IP
191 public function testGenerateStaySignedInToken()
193 $this->loginManager
->generateStaySignedInToken($this->clientIpAddress
);
196 sha1($this->passwordHash
. $this->clientIpAddress
. $this->salt
),
197 $this->loginManager
->getStaySignedInToken()
202 * Generate a token depending on the user credentials with session protected disabled
204 public function testGenerateStaySignedInTokenSessionProtectionDisabled()
206 $this->configManager
->set('security.session_protection_disabled', true);
207 $this->loginManager
->generateStaySignedInToken($this->clientIpAddress
);
210 sha1($this->passwordHash
. $this->salt
),
211 $this->loginManager
->getStaySignedInToken()
216 * Check user login - Shaarli has not yet been configured
218 public function testCheckLoginStateNotConfigured()
220 $configManager = new FakeConfigManager([
221 'resource.ban_file' => $this->banFile
,
223 $loginManager = new LoginManager(
225 $this->sessionManager
,
226 $this->cookieManager
,
228 $this->createMock(LoggerInterface
::class)
230 $loginManager->checkLoginState('');
232 $this->assertFalse($loginManager->isLoggedIn());
236 * Check user login - the client cookie does not match the server token
238 public function testCheckLoginStateStaySignedInWithInvalidToken()
240 // simulate a previous login
242 'ip' => $this->clientIpAddress
,
243 'expires_on' => time() +
100,
245 $this->loginManager
->generateStaySignedInToken($this->clientIpAddress
);
246 $this->cookie
[CookieManager
::STAY_SIGNED_IN
] = 'nope';
248 $this->loginManager
->checkLoginState($this->clientIpAddress
);
250 $this->assertTrue($this->loginManager
->isLoggedIn());
251 $this->assertTrue(empty($this->session
['username']));
255 * Check user login - the client cookie matches the server token
257 public function testCheckLoginStateStaySignedInWithValidToken()
259 $this->loginManager
->generateStaySignedInToken($this->clientIpAddress
);
260 $this->cookie
[CookieManager
::STAY_SIGNED_IN
] = $this->loginManager
->getStaySignedInToken();
262 $this->loginManager
->checkLoginState($this->clientIpAddress
);
264 $this->assertTrue($this->loginManager
->isLoggedIn());
265 $this->assertEquals($this->login
, $this->session
['username']);
266 $this->assertEquals($this->clientIpAddress
, $this->session
['ip']);
270 * Check user login - the session has expired
272 public function testCheckLoginStateSessionExpired()
274 $this->loginManager
->generateStaySignedInToken($this->clientIpAddress
);
275 $this->session
['expires_on'] = time() - 100;
277 $this->loginManager
->checkLoginState($this->clientIpAddress
);
279 $this->assertFalse($this->loginManager
->isLoggedIn());
283 * Check user login - the remote client IP has changed
285 public function testCheckLoginStateClientIpChanged()
287 $this->loginManager
->generateStaySignedInToken($this->clientIpAddress
);
289 $this->loginManager
->checkLoginState('10.7.157.98');
291 $this->assertFalse($this->loginManager
->isLoggedIn());
295 * Check user credentials - wrong login supplied
297 public function testCheckCredentialsWrongLogin()
300 $this->loginManager
->checkCredentials('', 'b4dl0g1n', $this->password
)
305 * Check user credentials - wrong password supplied
307 public function testCheckCredentialsWrongPassword()
310 $this->loginManager
->checkCredentials('', $this->login
, 'b4dp455wd')
315 * Check user credentials - wrong login and password supplied
317 public function testCheckCredentialsWrongLoginAndPassword()
320 $this->loginManager
->checkCredentials('', 'b4dl0g1n', 'b4dp455wd')
325 * Check user credentials - correct login and password supplied
327 public function testCheckCredentialsGoodLoginAndPassword()
330 $this->loginManager
->checkCredentials('', $this->login
, $this->password
)
335 * Check user credentials through LDAP - server unreachable
337 public function testCheckCredentialsFromUnreachableLdap()
339 $this->configManager
->set('ldap.host', 'dummy');
341 $this->loginManager
->checkCredentials('', $this->login
, $this->password
)
346 * Check user credentials through LDAP - wrong login and password supplied
348 public function testCheckCredentialsFromLdapWrongLoginAndPassword()
350 $this->configManager
->set('ldap.host', 'dummy');
352 $this->loginManager
->checkCredentialsFromLdap($this->login
, $this->password
, function() { return null; }, function() { return false; })
357 * Check user credentials through LDAP - correct login and password supplied
359 public function testCheckCredentialsFromLdapGoodLoginAndPassword()
361 $this->configManager
->set('ldap.host', 'dummy');
363 $this->loginManager
->checkCredentialsFromLdap($this->login
, $this->password
, function() { return null; }, function() { return true; })