3 namespace Shaarli\Security
;
5 use PHPUnit\Framework\TestCase
;
8 * Test coverage for SessionManager
10 class SessionManagerTest
extends TestCase
12 /** @var array Session ID hashes */
13 protected static $sidHashes = null;
15 /** @var \FakeConfigManager ConfigManager substitute for testing */
16 protected $conf = null;
18 /** @var array $_SESSION array for testing */
19 protected $session = [];
21 /** @var SessionManager Server-side session management abstraction */
22 protected $sessionManager = null;
25 * Assign reference data
27 public static function setUpBeforeClass(): void
29 self
::$sidHashes = \ReferenceSessionIdHashes
::getHashes();
33 * Initialize or reset test resources
35 protected function setUp(): void
37 $this->conf
= new \
FakeConfigManager([
38 'credentials.login' => 'johndoe',
39 'credentials.salt' => 'salt',
40 'security.session_protection_disabled' => false,
43 $this->sessionManager
= new SessionManager($this->session
, $this->conf
, 'session_path');
47 * Generate a session token
49 public function testGenerateToken()
51 $token = $this->sessionManager
->generateToken();
53 $this->assertEquals(1, $this->session
['tokens'][$token]);
54 $this->assertEquals(40, strlen($token));
58 * Check a session token
60 public function testCheckToken()
62 $token = '4dccc3a45ad9d03e5542b90c37d8db6d10f2b38b';
68 $sessionManager = new SessionManager($session, $this->conf
, 'session_path');
70 // check and destroy the token
71 $this->assertTrue($sessionManager->checkToken($token));
72 $this->assertFalse(isset($session['tokens'][$token]));
74 // ensure the token has been destroyed
75 $this->assertFalse($sessionManager->checkToken($token));
79 * Generate and check a session token
81 public function testGenerateAndCheckToken()
83 $token = $this->sessionManager
->generateToken();
85 // ensure a token has been generated
86 $this->assertEquals(1, $this->session
['tokens'][$token]);
87 $this->assertEquals(40, strlen($token));
89 // check and destroy the token
90 $this->assertTrue($this->sessionManager
->checkToken($token));
91 $this->assertFalse(isset($this->session
['tokens'][$token]));
93 // ensure the token has been destroyed
94 $this->assertFalse($this->sessionManager
->checkToken($token));
98 * Check an invalid session token
100 public function testCheckInvalidToken()
102 $this->assertFalse($this->sessionManager
->checkToken('4dccc3a45ad9d03e5542b90c37d8db6d10f2b38b'));
106 * Test SessionManager::checkId with a valid ID - TEST ALL THE HASHES!
108 * This tests extensively covers all hash algorithms / bit representations
110 public function testIsAnyHashSessionIdValid()
112 foreach (self
::$sidHashes as $algo => $bpcs) {
113 foreach ($bpcs as $bpc => $hash) {
114 $this->assertTrue(SessionManager
::checkId($hash));
120 * Test checkId with a valid ID - SHA-1 hashes
122 public function testIsSha1SessionIdValid()
124 $this->assertTrue(SessionManager
::checkId(sha1('shaarli')));
128 * Test checkId with a valid ID - SHA-256 hashes
130 public function testIsSha256SessionIdValid()
132 $this->assertTrue(SessionManager
::checkId(hash('sha256', 'shaarli')));
136 * Test checkId with a valid ID - SHA-512 hashes
138 public function testIsSha512SessionIdValid()
140 $this->assertTrue(SessionManager
::checkId(hash('sha512', 'shaarli')));
144 * Test checkId with invalid IDs.
146 public function testIsSessionIdInvalid()
148 $this->assertFalse(SessionManager
::checkId(''));
149 $this->assertFalse(SessionManager
::checkId([]));
151 SessionManager
::checkId('c0ZqcWF3VFE2NmJBdm1HMVQ0ZHJ3UmZPbTFsNGhkNHI=')
156 * Store login information after a successful login
158 public function testStoreLoginInfo()
160 $this->sessionManager
->storeLoginInfo('ip_id');
162 $this->assertGreaterThan(time(), $this->session
['expires_on']);
163 $this->assertEquals('ip_id', $this->session
['ip']);
164 $this->assertEquals('johndoe', $this->session
['username']);
168 * Extend a server-side session by SessionManager::$SHORT_TIMEOUT
170 public function testExtendSession()
172 $this->sessionManager
->extendSession();
174 $this->assertGreaterThan(time(), $this->session
['expires_on']);
175 $this->assertLessThanOrEqual(
176 time() + SessionManager
::$SHORT_TIMEOUT,
177 $this->session
['expires_on']
182 * Extend a server-side session by SessionManager::$LONG_TIMEOUT
184 public function testExtendSessionStaySignedIn()
186 $this->sessionManager
->setStaySignedIn(true);
187 $this->sessionManager
->extendSession();
189 $this->assertGreaterThan(time(), $this->session
['expires_on']);
190 $this->assertGreaterThan(
191 time() + SessionManager
::$LONG_TIMEOUT - 10,
192 $this->session
['expires_on']
194 $this->assertLessThanOrEqual(
195 time() + SessionManager
::$LONG_TIMEOUT,
196 $this->session
['expires_on']
201 * Unset session variables after logging out
203 public function testLogout()
207 'expires_on' => time() +
1000,
208 'username' => 'johndoe',
209 'visibility' => 'public',
210 'untaggedonly' => true,
212 $this->sessionManager
->logout();
214 $this->assertArrayNotHasKey('ip', $this->session
);
215 $this->assertArrayNotHasKey('expires_on', $this->session
);
216 $this->assertArrayNotHasKey('username', $this->session
);
217 $this->assertArrayNotHasKey('visibility', $this->session
);
218 $this->assertArrayHasKey('untaggedonly', $this->session
);
219 $this->assertTrue($this->session
['untaggedonly']);
223 * The session is active and expiration time has been reached
225 public function testHasExpiredTimeElapsed()
227 $this->session
['expires_on'] = time() - 10;
229 $this->assertTrue($this->sessionManager
->hasSessionExpired());
233 * The session is active and expiration time has not been reached
235 public function testHasNotExpired()
237 $this->session
['expires_on'] = time() +
1000;
239 $this->assertFalse($this->sessionManager
->hasSessionExpired());
243 * Session hijacking protection is disabled, we assume the IP has not changed
245 public function testHasClientIpChangedNoSessionProtection()
247 $this->conf
->set('security.session_protection_disabled', true);
249 $this->assertFalse($this->sessionManager
->hasClientIpChanged(''));
253 * The client IP identifier has not changed
255 public function testHasClientIpChangedNope()
257 $this->session
['ip'] = 'ip_id';
258 $this->assertFalse($this->sessionManager
->hasClientIpChanged('ip_id'));
262 * The client IP identifier has changed
264 public function testHasClientIpChanged()
266 $this->session
['ip'] = 'ip_id_one';
267 $this->assertTrue($this->sessionManager
->hasClientIpChanged('ip_id_two'));
271 * Test creating an entry in the session array
273 public function testSetSessionParameterCreate(): void
275 $this->sessionManager
->setSessionParameter('abc', 'def');
277 static::assertSame('def', $this->session
['abc']);
281 * Test updating an entry in the session array
283 public function testSetSessionParameterUpdate(): void
285 $this->session
['abc'] = 'ghi';
287 $this->sessionManager
->setSessionParameter('abc', 'def');
289 static::assertSame('def', $this->session
['abc']);
293 * Test updating an entry in the session array with null value
295 public function testSetSessionParameterUpdateNull(): void
297 $this->session
['abc'] = 'ghi';
299 $this->sessionManager
->setSessionParameter('abc', null);
301 static::assertArrayHasKey('abc', $this->session
);
302 static::assertNull($this->session
['abc']);
306 * Test deleting an existing entry in the session array
308 public function testDeleteSessionParameter(): void
310 $this->session
['abc'] = 'def';
312 $this->sessionManager
->deleteSessionParameter('abc');
314 static::assertArrayNotHasKey('abc', $this->session
);
318 * Test deleting a non existent entry in the session array
320 public function testDeleteSessionParameterNotExisting(): void
322 $this->sessionManager
->deleteSessionParameter('abc');
324 static::assertArrayNotHasKey('abc', $this->session
);