3 namespace Shaarli\Security
;
5 use Shaarli\FakeConfigManager
;
9 * Test coverage for SessionManager
11 class SessionManagerTest
extends TestCase
13 /** @var array Session ID hashes */
14 protected static $sidHashes = null;
16 /** @var FakeConfigManager ConfigManager substitute for testing */
17 protected $conf = null;
19 /** @var array $_SESSION array for testing */
20 protected $session = [];
22 /** @var SessionManager Server-side session management abstraction */
23 protected $sessionManager = null;
26 * Assign reference data
28 public static function setUpBeforeClass(): void
30 self
::$sidHashes = \ReferenceSessionIdHashes
::getHashes();
34 * Initialize or reset test resources
36 protected function setUp(): void
38 $this->conf
= new FakeConfigManager([
39 'credentials.login' => 'johndoe',
40 'credentials.salt' => 'salt',
41 'security.session_protection_disabled' => false,
44 $this->sessionManager
= new SessionManager($this->session
, $this->conf
, 'session_path');
48 * Generate a session token
50 public function testGenerateToken()
52 $token = $this->sessionManager
->generateToken();
54 $this->assertEquals(1, $this->session
['tokens'][$token]);
55 $this->assertEquals(40, strlen($token));
59 * Check a session token
61 public function testCheckToken()
63 $token = '4dccc3a45ad9d03e5542b90c37d8db6d10f2b38b';
69 $sessionManager = new SessionManager($session, $this->conf
, 'session_path');
71 // check and destroy the token
72 $this->assertTrue($sessionManager->checkToken($token));
73 $this->assertFalse(isset($session['tokens'][$token]));
75 // ensure the token has been destroyed
76 $this->assertFalse($sessionManager->checkToken($token));
80 * Generate and check a session token
82 public function testGenerateAndCheckToken()
84 $token = $this->sessionManager
->generateToken();
86 // ensure a token has been generated
87 $this->assertEquals(1, $this->session
['tokens'][$token]);
88 $this->assertEquals(40, strlen($token));
90 // check and destroy the token
91 $this->assertTrue($this->sessionManager
->checkToken($token));
92 $this->assertFalse(isset($this->session
['tokens'][$token]));
94 // ensure the token has been destroyed
95 $this->assertFalse($this->sessionManager
->checkToken($token));
99 * Check an invalid session token
101 public function testCheckInvalidToken()
103 $this->assertFalse($this->sessionManager
->checkToken('4dccc3a45ad9d03e5542b90c37d8db6d10f2b38b'));
107 * Test SessionManager::checkId with a valid ID - TEST ALL THE HASHES!
109 * This tests extensively covers all hash algorithms / bit representations
111 public function testIsAnyHashSessionIdValid()
113 foreach (self
::$sidHashes as $algo => $bpcs) {
114 foreach ($bpcs as $bpc => $hash) {
115 $this->assertTrue(SessionManager
::checkId($hash));
121 * Test checkId with a valid ID - SHA-1 hashes
123 public function testIsSha1SessionIdValid()
125 $this->assertTrue(SessionManager
::checkId(sha1('shaarli')));
129 * Test checkId with a valid ID - SHA-256 hashes
131 public function testIsSha256SessionIdValid()
133 $this->assertTrue(SessionManager
::checkId(hash('sha256', 'shaarli')));
137 * Test checkId with a valid ID - SHA-512 hashes
139 public function testIsSha512SessionIdValid()
141 $this->assertTrue(SessionManager
::checkId(hash('sha512', 'shaarli')));
145 * Test checkId with invalid IDs.
147 public function testIsSessionIdInvalid()
149 $this->assertFalse(SessionManager
::checkId(''));
150 $this->assertFalse(SessionManager
::checkId([]));
152 SessionManager
::checkId('c0ZqcWF3VFE2NmJBdm1HMVQ0ZHJ3UmZPbTFsNGhkNHI=')
157 * Store login information after a successful login
159 public function testStoreLoginInfo()
161 $this->sessionManager
->storeLoginInfo('ip_id');
163 $this->assertGreaterThan(time(), $this->session
['expires_on']);
164 $this->assertEquals('ip_id', $this->session
['ip']);
165 $this->assertEquals('johndoe', $this->session
['username']);
169 * Extend a server-side session by SessionManager::$SHORT_TIMEOUT
171 public function testExtendSession()
173 $this->sessionManager
->extendSession();
175 $this->assertGreaterThan(time(), $this->session
['expires_on']);
176 $this->assertLessThanOrEqual(
177 time() + SessionManager
::$SHORT_TIMEOUT,
178 $this->session
['expires_on']
183 * Extend a server-side session by SessionManager::$LONG_TIMEOUT
185 public function testExtendSessionStaySignedIn()
187 $this->sessionManager
->setStaySignedIn(true);
188 $this->sessionManager
->extendSession();
190 $this->assertGreaterThan(time(), $this->session
['expires_on']);
191 $this->assertGreaterThan(
192 time() + SessionManager
::$LONG_TIMEOUT - 10,
193 $this->session
['expires_on']
195 $this->assertLessThanOrEqual(
196 time() + SessionManager
::$LONG_TIMEOUT,
197 $this->session
['expires_on']
202 * Unset session variables after logging out
204 public function testLogout()
208 'expires_on' => time() +
1000,
209 'username' => 'johndoe',
210 'visibility' => 'public',
211 'untaggedonly' => true,
213 $this->sessionManager
->logout();
215 $this->assertArrayNotHasKey('ip', $this->session
);
216 $this->assertArrayNotHasKey('expires_on', $this->session
);
217 $this->assertArrayNotHasKey('username', $this->session
);
218 $this->assertArrayNotHasKey('visibility', $this->session
);
219 $this->assertArrayHasKey('untaggedonly', $this->session
);
220 $this->assertTrue($this->session
['untaggedonly']);
224 * The session is active and expiration time has been reached
226 public function testHasExpiredTimeElapsed()
228 $this->session
['expires_on'] = time() - 10;
230 $this->assertTrue($this->sessionManager
->hasSessionExpired());
234 * The session is active and expiration time has not been reached
236 public function testHasNotExpired()
238 $this->session
['expires_on'] = time() +
1000;
240 $this->assertFalse($this->sessionManager
->hasSessionExpired());
244 * Session hijacking protection is disabled, we assume the IP has not changed
246 public function testHasClientIpChangedNoSessionProtection()
248 $this->conf
->set('security.session_protection_disabled', true);
250 $this->assertFalse($this->sessionManager
->hasClientIpChanged(''));
254 * The client IP identifier has not changed
256 public function testHasClientIpChangedNope()
258 $this->session
['ip'] = 'ip_id';
259 $this->assertFalse($this->sessionManager
->hasClientIpChanged('ip_id'));
263 * The client IP identifier has changed
265 public function testHasClientIpChanged()
267 $this->session
['ip'] = 'ip_id_one';
268 $this->assertTrue($this->sessionManager
->hasClientIpChanged('ip_id_two'));
272 * Test creating an entry in the session array
274 public function testSetSessionParameterCreate(): void
276 $this->sessionManager
->setSessionParameter('abc', 'def');
278 static::assertSame('def', $this->session
['abc']);
282 * Test updating an entry in the session array
284 public function testSetSessionParameterUpdate(): void
286 $this->session
['abc'] = 'ghi';
288 $this->sessionManager
->setSessionParameter('abc', 'def');
290 static::assertSame('def', $this->session
['abc']);
294 * Test updating an entry in the session array with null value
296 public function testSetSessionParameterUpdateNull(): void
298 $this->session
['abc'] = 'ghi';
300 $this->sessionManager
->setSessionParameter('abc', null);
302 static::assertArrayHasKey('abc', $this->session
);
303 static::assertNull($this->session
['abc']);
307 * Test deleting an existing entry in the session array
309 public function testDeleteSessionParameter(): void
311 $this->session
['abc'] = 'def';
313 $this->sessionManager
->deleteSessionParameter('abc');
315 static::assertArrayNotHasKey('abc', $this->session
);
319 * Test deleting a non existent entry in the session array
321 public function testDeleteSessionParameterNotExisting(): void
323 $this->sessionManager
->deleteSessionParameter('abc');
325 static::assertArrayNotHasKey('abc', $this->session
);