X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=tests%2Fsecurity%2FLoginManagerTest.php;h=d302983de2b013e8ec91e79e9c04eb62f59b75fb;hb=a5a9cf23acd1248585173aa32757d9720b5f2d62;hp=b9ab5ec45929025d0de81040c8c9521f2785b4b0;hpb=d9ba1cdd44a7eec9e7f4d429087c6ba838ad473e;p=github%2Fshaarli%2FShaarli.git diff --git a/tests/security/LoginManagerTest.php b/tests/security/LoginManagerTest.php index b9ab5ec4..d302983d 100644 --- a/tests/security/LoginManagerTest.php +++ b/tests/security/LoginManagerTest.php @@ -1,8 +1,8 @@ banFile)) { unlink($this->banFile); @@ -74,54 +77,32 @@ class LoginManagerTest extends TestCase 'credentials.salt' => $this->salt, 'resource.ban_file' => $this->banFile, 'resource.log' => $this->logFile, - 'security.ban_after' => 4, + 'security.ban_after' => 2, 'security.ban_duration' => 3600, 'security.trusted_proxies' => [$this->trustedProxy], + 'ldap.host' => '', ]); $this->cookie = []; - - $this->globals = &$GLOBALS; - unset($this->globals['IPBANS']); - $this->session = []; - $this->sessionManager = new SessionManager($this->session, $this->configManager); - $this->loginManager = new LoginManager($this->globals, $this->configManager, $this->sessionManager); + $this->cookieManager = $this->createMock(CookieManager::class); + $this->cookieManager->method('getCookieParameter')->willReturnCallback(function (string $key) { + return $this->cookie[$key] ?? null; + }); + $this->sessionManager = new SessionManager($this->session, $this->configManager, 'session_path'); + $this->loginManager = new LoginManager($this->configManager, $this->sessionManager, $this->cookieManager); $this->server['REMOTE_ADDR'] = $this->ipAddr; } - /** - * Wipe test resources - */ - public function tearDown() - { - unset($this->globals['IPBANS']); - } - - /** - * Instantiate a LoginManager and load ban records - */ - public function testReadBanFile() - { - file_put_contents( - $this->banFile, - " array('127.0.0.1' => 99));\n?>" - ); - new LoginManager($this->globals, $this->configManager, null); - $this->assertEquals(99, $this->globals['IPBANS']['FAILURES']['127.0.0.1']); - } - /** * Record a failed login attempt */ public function testHandleFailedLogin() { $this->loginManager->handleFailedLogin($this->server); - $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); - $this->loginManager->handleFailedLogin($this->server); - $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); + $this->assertFalse($this->loginManager->canLogin($this->server)); } /** @@ -134,10 +115,8 @@ class LoginManagerTest extends TestCase 'HTTP_X_FORWARDED_FOR' => $this->ipAddr, ]; $this->loginManager->handleFailedLogin($server); - $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); - $this->loginManager->handleFailedLogin($server); - $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); + $this->assertFalse($this->loginManager->canLogin($server)); } /** @@ -149,39 +128,8 @@ class LoginManagerTest extends TestCase 'REMOTE_ADDR' => $this->trustedProxy, ]; $this->loginManager->handleFailedLogin($server); - $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr])); - $this->loginManager->handleFailedLogin($server); - $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr])); - } - - /** - * Record a failed login attempt and ban the IP after too many failures - */ - public function testHandleFailedLoginBanIp() - { - $this->loginManager->handleFailedLogin($this->server); - $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); - $this->assertTrue($this->loginManager->canLogin($this->server)); - - $this->loginManager->handleFailedLogin($this->server); - $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); - $this->assertTrue($this->loginManager->canLogin($this->server)); - - $this->loginManager->handleFailedLogin($this->server); - $this->assertEquals(3, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); - $this->assertTrue($this->loginManager->canLogin($this->server)); - - $this->loginManager->handleFailedLogin($this->server); - $this->assertEquals(4, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); - $this->assertFalse($this->loginManager->canLogin($this->server)); - - // handleFailedLogin is not supposed to be called at this point: - // - no login form should be displayed once an IP has been banned - // - yet this could happen when using custom templates / scripts - $this->loginManager->handleFailedLogin($this->server); - $this->assertEquals(5, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); - $this->assertFalse($this->loginManager->canLogin($this->server)); + $this->assertTrue($this->loginManager->canLogin($server)); } /** @@ -201,14 +149,11 @@ class LoginManagerTest extends TestCase public function testHandleSuccessfulLoginAfterFailure() { $this->loginManager->handleFailedLogin($this->server); - $this->loginManager->handleFailedLogin($this->server); - $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); $this->assertTrue($this->loginManager->canLogin($this->server)); $this->loginManager->handleSuccessfulLogin($this->server); + $this->loginManager->handleFailedLogin($this->server); $this->assertTrue($this->loginManager->canLogin($this->server)); - $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr])); - $this->assertFalse(isset($this->globals['IPBANS']['BANS'][$this->ipAddr])); } /** @@ -219,33 +164,6 @@ class LoginManagerTest extends TestCase $this->assertTrue($this->loginManager->canLogin($this->server)); } - /** - * The IP is banned - */ - public function testCanLoginIpBanned() - { - // ban the IP for an hour - $this->globals['IPBANS']['FAILURES'][$this->ipAddr] = 10; - $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() + 3600; - - $this->assertFalse($this->loginManager->canLogin($this->server)); - } - - /** - * The IP is banned, and the ban duration is over - */ - public function testCanLoginIpBanExpired() - { - // ban the IP for an hour - $this->globals['IPBANS']['FAILURES'][$this->ipAddr] = 10; - $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() + 3600; - $this->assertFalse($this->loginManager->canLogin($this->server)); - - // lift the ban - $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() - 3600; - $this->assertTrue($this->loginManager->canLogin($this->server)); - } - /** * Generate a token depending on the user credentials and client IP */ @@ -281,8 +199,8 @@ class LoginManagerTest extends TestCase $configManager = new \FakeConfigManager([ 'resource.ban_file' => $this->banFile, ]); - $loginManager = new LoginManager($this->globals, $configManager, null); - $loginManager->checkLoginState([], ''); + $loginManager = new LoginManager($configManager, null, $this->cookieManager); + $loginManager->checkLoginState(''); $this->assertFalse($loginManager->isLoggedIn()); } @@ -298,9 +216,9 @@ class LoginManagerTest extends TestCase 'expires_on' => time() + 100, ]; $this->loginManager->generateStaySignedInToken($this->clientIpAddress); - $this->cookie[LoginManager::$STAY_SIGNED_IN_COOKIE] = 'nope'; + $this->cookie[CookieManager::STAY_SIGNED_IN] = 'nope'; - $this->loginManager->checkLoginState($this->cookie, $this->clientIpAddress); + $this->loginManager->checkLoginState($this->clientIpAddress); $this->assertTrue($this->loginManager->isLoggedIn()); $this->assertTrue(empty($this->session['username'])); @@ -312,9 +230,9 @@ class LoginManagerTest extends TestCase public function testCheckLoginStateStaySignedInWithValidToken() { $this->loginManager->generateStaySignedInToken($this->clientIpAddress); - $this->cookie[LoginManager::$STAY_SIGNED_IN_COOKIE] = $this->loginManager->getStaySignedInToken(); + $this->cookie[CookieManager::STAY_SIGNED_IN] = $this->loginManager->getStaySignedInToken(); - $this->loginManager->checkLoginState($this->cookie, $this->clientIpAddress); + $this->loginManager->checkLoginState($this->clientIpAddress); $this->assertTrue($this->loginManager->isLoggedIn()); $this->assertEquals($this->login, $this->session['username']); @@ -329,7 +247,7 @@ class LoginManagerTest extends TestCase $this->loginManager->generateStaySignedInToken($this->clientIpAddress); $this->session['expires_on'] = time() - 100; - $this->loginManager->checkLoginState($this->cookie, $this->clientIpAddress); + $this->loginManager->checkLoginState($this->clientIpAddress); $this->assertFalse($this->loginManager->isLoggedIn()); } @@ -341,7 +259,7 @@ class LoginManagerTest extends TestCase { $this->loginManager->generateStaySignedInToken($this->clientIpAddress); - $this->loginManager->checkLoginState($this->cookie, '10.7.157.98'); + $this->loginManager->checkLoginState('10.7.157.98'); $this->assertFalse($this->loginManager->isLoggedIn()); } @@ -385,4 +303,37 @@ class LoginManagerTest extends TestCase $this->loginManager->checkCredentials('', '', $this->login, $this->password) ); } + + /** + * Check user credentials through LDAP - server unreachable + */ + public function testCheckCredentialsFromUnreachableLdap() + { + $this->configManager->set('ldap.host', 'dummy'); + $this->assertFalse( + $this->loginManager->checkCredentials('', '', $this->login, $this->password) + ); + } + + /** + * Check user credentials through LDAP - wrong login and password supplied + */ + public function testCheckCredentialsFromLdapWrongLoginAndPassword() + { + $this->configManager->set('ldap.host', 'dummy'); + $this->assertFalse( + $this->loginManager->checkCredentialsFromLdap($this->login, $this->password, function() { return null; }, function() { return false; }) + ); + } + + /** + * Check user credentials through LDAP - correct login and password supplied + */ + public function testCheckCredentialsFromLdapGoodLoginAndPassword() + { + $this->configManager->set('ldap.host', 'dummy'); + $this->assertTrue( + $this->loginManager->checkCredentialsFromLdap($this->login, $this->password, function() { return null; }, function() { return true; }) + ); + } }