tests/security/LoginManagerTest.php

   1 <?php
   2 namespace Shaarli\Security;
   3
   4 require_once 'tests/utils/FakeConfigManager.php';
   5
   6 use PHPUnit\Framework\TestCase;
   7
   8 /**
   9  * Test coverage for LoginManager
  10  */
  11 class LoginManagerTest extends TestCase
  12 {
  13     /** @var \FakeConfigManager Configuration Manager instance */
  14     protected $configManager = null;
  15
  16     /** @var LoginManager Login Manager instance */
  17     protected $loginManager = null;
  18
  19     /** @var SessionManager Session Manager instance */
  20     protected $sessionManager = null;
  21
  22     /** @var string Banned IP filename */
  23     protected $banFile = 'sandbox/ipbans.php';
  24
  25     /** @var string Log filename */
  26     protected $logFile = 'sandbox/shaarli.log';
  27
  28     /** @var array Simulates the $_COOKIE array */
  29     protected $cookie = [];
  30
  31     /** @var array Simulates the $GLOBALS array */
  32     protected $globals = [];
  33
  34     /** @var array Simulates the $_SERVER array */
  35     protected $server = [];
  36
  37     /** @var array Simulates the $_SESSION array */
  38     protected $session = [];
  39
  40     /** @var string Advertised client IP address */
  41     protected $clientIpAddress = '10.1.47.179';
  42
  43     /** @var string Local client IP address */
  44     protected $ipAddr = '127.0.0.1';
  45
  46     /** @var string Trusted proxy IP address */
  47     protected $trustedProxy = '10.1.1.100';
  48
  49     /** @var string User login */
  50     protected $login = 'johndoe';
  51
  52     /** @var string User password */
  53     protected $password = 'IC4nHazL0g1n?';
  54
  55     /** @var string Hash of the salted user password */
  56     protected $passwordHash = '';
  57
  58     /** @var string Salt used by hash functions */
  59     protected $salt = '669e24fa9c5a59a613f98e8e38327384504a4af2';
  60
  61     /**
  62      * Prepare or reset test resources
  63      */
  64     public function setUp()
  65     {
  66         if (file_exists($this->banFile)) {
  67             unlink($this->banFile);
  68         }
  69
  70         $this->passwordHash = sha1($this->password . $this->login . $this->salt);
  71
  72         $this->configManager = new \FakeConfigManager([
  73             'credentials.login' => $this->login,
  74             'credentials.hash' => $this->passwordHash,
  75             'credentials.salt' => $this->salt,
  76             'resource.ban_file' => $this->banFile,
  77             'resource.log' => $this->logFile,
  78             'security.ban_after' => 4,
  79             'security.ban_duration' => 3600,
  80             'security.trusted_proxies' => [$this->trustedProxy],
  81         ]);
  82
  83         $this->cookie = [];
  84
  85         $this->globals = &$GLOBALS;
  86         unset($this->globals['IPBANS']);
  87
  88         $this->session = [];
  89
  90         $this->sessionManager = new SessionManager($this->session, $this->configManager);
  91         $this->loginManager = new LoginManager($this->globals, $this->configManager, $this->sessionManager);
  92         $this->server['REMOTE_ADDR'] = $this->ipAddr;
  93     }
  94
  95     /**
  96      * Wipe test resources
  97      */
  98     public function tearDown()
  99     {
 100         unset($this->globals['IPBANS']);
 101     }
 102
 103     /**
 104      * Instantiate a LoginManager and load ban records
 105      */
 106     public function testReadBanFile()
 107     {
 108         file_put_contents(
 109             $this->banFile,
 110             "<?php\n\$GLOBALS['IPBANS']=array('FAILURES' => array('127.0.0.1' => 99));\n?>"
 111         );
 112         new LoginManager($this->globals, $this->configManager, null);
 113         $this->assertEquals(99, $this->globals['IPBANS']['FAILURES']['127.0.0.1']);
 114     }
 115
 116     /**
 117      * Record a failed login attempt
 118      */
 119     public function testHandleFailedLogin()
 120     {
 121         $this->loginManager->handleFailedLogin($this->server);
 122         $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
 123
 124         $this->loginManager->handleFailedLogin($this->server);
 125         $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
 126     }
 127
 128     /**
 129      * Record a failed login attempt - IP behind a trusted proxy
 130      */
 131     public function testHandleFailedLoginBehindTrustedProxy()
 132     {
 133         $server = [
 134             'REMOTE_ADDR' => $this->trustedProxy,
 135             'HTTP_X_FORWARDED_FOR' => $this->ipAddr,
 136         ];
 137         $this->loginManager->handleFailedLogin($server);
 138         $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
 139
 140         $this->loginManager->handleFailedLogin($server);
 141         $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
 142     }
 143
 144     /**
 145      * Record a failed login attempt - IP behind a trusted proxy but not forwarded
 146      */
 147     public function testHandleFailedLoginBehindTrustedProxyNoIp()
 148     {
 149         $server = [
 150             'REMOTE_ADDR' => $this->trustedProxy,
 151         ];
 152         $this->loginManager->handleFailedLogin($server);
 153         $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr]));
 154
 155         $this->loginManager->handleFailedLogin($server);
 156         $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr]));
 157     }
 158
 159     /**
 160      * Record a failed login attempt and ban the IP after too many failures
 161      */
 162     public function testHandleFailedLoginBanIp()
 163     {
 164         $this->loginManager->handleFailedLogin($this->server);
 165         $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
 166         $this->assertTrue($this->loginManager->canLogin($this->server));
 167
 168         $this->loginManager->handleFailedLogin($this->server);
 169         $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
 170         $this->assertTrue($this->loginManager->canLogin($this->server));
 171
 172         $this->loginManager->handleFailedLogin($this->server);
 173         $this->assertEquals(3, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
 174         $this->assertTrue($this->loginManager->canLogin($this->server));
 175
 176         $this->loginManager->handleFailedLogin($this->server);
 177         $this->assertEquals(4, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
 178         $this->assertFalse($this->loginManager->canLogin($this->server));
 179
 180         // handleFailedLogin is not supposed to be called at this point:
 181         // - no login form should be displayed once an IP has been banned
 182         // - yet this could happen when using custom templates / scripts
 183         $this->loginManager->handleFailedLogin($this->server);
 184         $this->assertEquals(5, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
 185         $this->assertFalse($this->loginManager->canLogin($this->server));
 186     }
 187
 188     /**
 189      * Nothing to do
 190      */
 191     public function testHandleSuccessfulLogin()
 192     {
 193         $this->assertTrue($this->loginManager->canLogin($this->server));
 194
 195         $this->loginManager->handleSuccessfulLogin($this->server);
 196         $this->assertTrue($this->loginManager->canLogin($this->server));
 197     }
 198
 199     /**
 200      * Erase failure records after successfully logging in from this IP
 201      */
 202     public function testHandleSuccessfulLoginAfterFailure()
 203     {
 204         $this->loginManager->handleFailedLogin($this->server);
 205         $this->loginManager->handleFailedLogin($this->server);
 206         $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
 207         $this->assertTrue($this->loginManager->canLogin($this->server));
 208
 209         $this->loginManager->handleSuccessfulLogin($this->server);
 210         $this->assertTrue($this->loginManager->canLogin($this->server));
 211         $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr]));
 212         $this->assertFalse(isset($this->globals['IPBANS']['BANS'][$this->ipAddr]));
 213     }
 214
 215     /**
 216      * The IP is not banned
 217      */
 218     public function testCanLoginIpNotBanned()
 219     {
 220         $this->assertTrue($this->loginManager->canLogin($this->server));
 221     }
 222
 223     /**
 224      * The IP is banned
 225      */
 226     public function testCanLoginIpBanned()
 227     {
 228         // ban the IP for an hour
 229         $this->globals['IPBANS']['FAILURES'][$this->ipAddr] = 10;
 230         $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() + 3600;
 231
 232         $this->assertFalse($this->loginManager->canLogin($this->server));
 233     }
 234
 235     /**
 236      * The IP is banned, and the ban duration is over
 237      */
 238     public function testCanLoginIpBanExpired()
 239     {
 240         // ban the IP for an hour
 241         $this->globals['IPBANS']['FAILURES'][$this->ipAddr] = 10;
 242         $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() + 3600;
 243         $this->assertFalse($this->loginManager->canLogin($this->server));
 244
 245         // lift the ban
 246         $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() - 3600;
 247         $this->assertTrue($this->loginManager->canLogin($this->server));
 248     }
 249
 250     /**
 251      * Generate a token depending on the user credentials and client IP
 252      */
 253     public function testGenerateStaySignedInToken()
 254     {
 255         $this->loginManager->generateStaySignedInToken($this->clientIpAddress);
 256
 257         $this->assertEquals(
 258             sha1($this->passwordHash . $this->clientIpAddress . $this->salt),
 259             $this->loginManager->getStaySignedInToken()
 260         );
 261     }
 262
 263     /**
 264      * Generate a token depending on the user credentials with session protected disabled
 265      */
 266     public function testGenerateStaySignedInTokenSessionProtectionDisabled()
 267     {
 268         $this->configManager->set('security.session_protection_disabled', true);
 269         $this->loginManager->generateStaySignedInToken($this->clientIpAddress);
 270
 271         $this->assertEquals(
 272             sha1($this->passwordHash . $this->salt),
 273             $this->loginManager->getStaySignedInToken()
 274         );
 275     }
 276
 277     /**
 278      * Check user login - Shaarli has not yet been configured
 279      */
 280     public function testCheckLoginStateNotConfigured()
 281     {
 282         $configManager = new \FakeConfigManager([
 283             'resource.ban_file' => $this->banFile,
 284         ]);
 285         $loginManager = new LoginManager($this->globals, $configManager, null);
 286         $loginManager->checkLoginState([], '');
 287
 288         $this->assertFalse($loginManager->isLoggedIn());
 289     }
 290
 291     /**
 292      * Check user login - the client cookie does not match the server token
 293      */
 294     public function testCheckLoginStateStaySignedInWithInvalidToken()
 295     {
 296         // simulate a previous login
 297         $this->session = [
 298             'ip' => $this->clientIpAddress,
 299             'expires_on' => time() + 100,
 300         ];
 301         $this->loginManager->generateStaySignedInToken($this->clientIpAddress);
 302         $this->cookie[LoginManager::$STAY_SIGNED_IN_COOKIE] = 'nope';
 303
 304         $this->loginManager->checkLoginState($this->cookie, $this->clientIpAddress);
 305
 306         $this->assertTrue($this->loginManager->isLoggedIn());
 307         $this->assertTrue(empty($this->session['username']));
 308     }
 309
 310     /**
 311      * Check user login - the client cookie matches the server token
 312      */
 313     public function testCheckLoginStateStaySignedInWithValidToken()
 314     {
 315         $this->loginManager->generateStaySignedInToken($this->clientIpAddress);
 316         $this->cookie[LoginManager::$STAY_SIGNED_IN_COOKIE] = $this->loginManager->getStaySignedInToken();
 317
 318         $this->loginManager->checkLoginState($this->cookie, $this->clientIpAddress);
 319
 320         $this->assertTrue($this->loginManager->isLoggedIn());
 321         $this->assertEquals($this->login, $this->session['username']);
 322         $this->assertEquals($this->clientIpAddress, $this->session['ip']);
 323     }
 324
 325     /**
 326      * Check user login - the session has expired
 327      */
 328     public function testCheckLoginStateSessionExpired()
 329     {
 330         $this->loginManager->generateStaySignedInToken($this->clientIpAddress);
 331         $this->session['expires_on'] = time() - 100;
 332
 333         $this->loginManager->checkLoginState($this->cookie, $this->clientIpAddress);
 334
 335         $this->assertFalse($this->loginManager->isLoggedIn());
 336     }
 337
 338     /**
 339      * Check user login - the remote client IP has changed
 340      */
 341     public function testCheckLoginStateClientIpChanged()
 342     {
 343         $this->loginManager->generateStaySignedInToken($this->clientIpAddress);
 344
 345         $this->loginManager->checkLoginState($this->cookie, '10.7.157.98');
 346
 347         $this->assertFalse($this->loginManager->isLoggedIn());
 348     }
 349
 350     /**
 351      * Check user credentials - wrong login supplied
 352      */
 353     public function testCheckCredentialsWrongLogin()
 354     {
 355         $this->assertFalse(
 356             $this->loginManager->checkCredentials('', '', 'b4dl0g1n', $this->password)
 357         );
 358     }
 359
 360     /**
 361      * Check user credentials - wrong password supplied
 362      */
 363     public function testCheckCredentialsWrongPassword()
 364     {
 365         $this->assertFalse(
 366             $this->loginManager->checkCredentials('', '', $this->login, 'b4dp455wd')
 367         );
 368     }
 369
 370     /**
 371      * Check user credentials - wrong login and password supplied
 372      */
 373     public function testCheckCredentialsWrongLoginAndPassword()
 374     {
 375         $this->assertFalse(
 376             $this->loginManager->checkCredentials('', '', 'b4dl0g1n', 'b4dp455wd')
 377         );
 378     }
 379
 380     /**
 381      * Check user credentials - correct login and password supplied
 382      */
 383     public function testCheckCredentialsGoodLoginAndPassword()
 384     {
 385         $this->assertTrue(
 386             $this->loginManager->checkCredentials('', '', $this->login, $this->password)
 387         );
 388     }
 389 }