tests/security/LoginManagerTest.php

   1 <?php
   2 namespace Shaarli\Security;
   3
   4 require_once 'tests/utils/FakeConfigManager.php';
   5 use \PHPUnit\Framework\TestCase;
   6
   7 /**
   8  * Test coverage for LoginManager
   9  */
  10 class LoginManagerTest extends TestCase
  11 {
  12     /** @var \FakeConfigManager Configuration Manager instance */
  13     protected $configManager = null;
  14
  15     /** @var LoginManager Login Manager instance */
  16     protected $loginManager = null;
  17
  18     /** @var SessionManager Session Manager instance */
  19     protected $sessionManager = null;
  20
  21     /** @var string Banned IP filename */
  22     protected $banFile = 'sandbox/ipbans.php';
  23
  24     /** @var string Log filename */
  25     protected $logFile = 'sandbox/shaarli.log';
  26
  27     /** @var array Simulates the $_COOKIE array */
  28     protected $cookie = [];
  29
  30     /** @var array Simulates the $GLOBALS array */
  31     protected $globals = [];
  32
  33     /** @var array Simulates the $_SERVER array */
  34     protected $server = [];
  35
  36     /** @var array Simulates the $_SESSION array */
  37     protected $session = [];
  38
  39     /** @var string Advertised client IP address */
  40     protected $clientIpAddress = '10.1.47.179';
  41
  42     /** @var string Local client IP address */
  43     protected $ipAddr = '127.0.0.1';
  44
  45     /** @var string Trusted proxy IP address */
  46     protected $trustedProxy = '10.1.1.100';
  47
  48     /** @var string User login */
  49     protected $login = 'johndoe';
  50
  51     /** @var string User password */
  52     protected $password = 'IC4nHazL0g1n?';
  53
  54     /** @var string Hash of the salted user password */
  55     protected $passwordHash = '';
  56
  57     /** @var string Salt used by hash functions */
  58     protected $salt = '669e24fa9c5a59a613f98e8e38327384504a4af2';
  59
  60     /**
  61      * Prepare or reset test resources
  62      */
  63     public function setUp()
  64     {
  65         if (file_exists($this->banFile)) {
  66             unlink($this->banFile);
  67         }
  68
  69         $this->passwordHash = sha1($this->password . $this->login . $this->salt);
  70
  71         $this->configManager = new \FakeConfigManager([
  72             'credentials.login' => $this->login,
  73             'credentials.hash' => $this->passwordHash,
  74             'credentials.salt' => $this->salt,
  75             'resource.ban_file' => $this->banFile,
  76             'resource.log' => $this->logFile,
  77             'security.ban_after' => 4,
  78             'security.ban_duration' => 3600,
  79             'security.trusted_proxies' => [$this->trustedProxy],
  80         ]);
  81
  82         $this->cookie = [];
  83
  84         $this->globals = &$GLOBALS;
  85         unset($this->globals['IPBANS']);
  86
  87         $this->session = [];
  88
  89         $this->sessionManager = new SessionManager($this->session, $this->configManager);
  90         $this->loginManager = new LoginManager($this->globals, $this->configManager, $this->sessionManager);
  91         $this->server['REMOTE_ADDR'] = $this->ipAddr;
  92     }
  93
  94     /**
  95      * Wipe test resources
  96      */
  97     public function tearDown()
  98     {
  99         unset($this->globals['IPBANS']);
 100     }
 101
 102     /**
 103      * Instantiate a LoginManager and load ban records
 104      */
 105     public function testReadBanFile()
 106     {
 107         file_put_contents(
 108             $this->banFile,
 109             "<?php\n\$GLOBALS['IPBANS']=array('FAILURES' => array('127.0.0.1' => 99));\n?>"
 110         );
 111         new LoginManager($this->globals, $this->configManager, null);
 112         $this->assertEquals(99, $this->globals['IPBANS']['FAILURES']['127.0.0.1']);
 113     }
 114
 115     /**
 116      * Record a failed login attempt
 117      */
 118     public function testHandleFailedLogin()
 119     {
 120         $this->loginManager->handleFailedLogin($this->server);
 121         $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
 122
 123         $this->loginManager->handleFailedLogin($this->server);
 124         $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
 125     }
 126
 127     /**
 128      * Record a failed login attempt - IP behind a trusted proxy
 129      */
 130     public function testHandleFailedLoginBehindTrustedProxy()
 131     {
 132         $server = [
 133             'REMOTE_ADDR' => $this->trustedProxy,
 134             'HTTP_X_FORWARDED_FOR' => $this->ipAddr,
 135         ];
 136         $this->loginManager->handleFailedLogin($server);
 137         $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
 138
 139         $this->loginManager->handleFailedLogin($server);
 140         $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
 141     }
 142
 143     /**
 144      * Record a failed login attempt - IP behind a trusted proxy but not forwarded
 145      */
 146     public function testHandleFailedLoginBehindTrustedProxyNoIp()
 147     {
 148         $server = [
 149             'REMOTE_ADDR' => $this->trustedProxy,
 150         ];
 151         $this->loginManager->handleFailedLogin($server);
 152         $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr]));
 153
 154         $this->loginManager->handleFailedLogin($server);
 155         $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr]));
 156     }
 157
 158     /**
 159      * Record a failed login attempt and ban the IP after too many failures
 160      */
 161     public function testHandleFailedLoginBanIp()
 162     {
 163         $this->loginManager->handleFailedLogin($this->server);
 164         $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
 165         $this->assertTrue($this->loginManager->canLogin($this->server));
 166
 167         $this->loginManager->handleFailedLogin($this->server);
 168         $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
 169         $this->assertTrue($this->loginManager->canLogin($this->server));
 170
 171         $this->loginManager->handleFailedLogin($this->server);
 172         $this->assertEquals(3, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
 173         $this->assertTrue($this->loginManager->canLogin($this->server));
 174
 175         $this->loginManager->handleFailedLogin($this->server);
 176         $this->assertEquals(4, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
 177         $this->assertFalse($this->loginManager->canLogin($this->server));
 178
 179         // handleFailedLogin is not supposed to be called at this point:
 180         // - no login form should be displayed once an IP has been banned
 181         // - yet this could happen when using custom templates / scripts
 182         $this->loginManager->handleFailedLogin($this->server);
 183         $this->assertEquals(5, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
 184         $this->assertFalse($this->loginManager->canLogin($this->server));
 185     }
 186
 187     /**
 188      * Nothing to do
 189      */
 190     public function testHandleSuccessfulLogin()
 191     {
 192         $this->assertTrue($this->loginManager->canLogin($this->server));
 193
 194         $this->loginManager->handleSuccessfulLogin($this->server);
 195         $this->assertTrue($this->loginManager->canLogin($this->server));
 196     }
 197
 198     /**
 199      * Erase failure records after successfully logging in from this IP
 200      */
 201     public function testHandleSuccessfulLoginAfterFailure()
 202     {
 203         $this->loginManager->handleFailedLogin($this->server);
 204         $this->loginManager->handleFailedLogin($this->server);
 205         $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
 206         $this->assertTrue($this->loginManager->canLogin($this->server));
 207
 208         $this->loginManager->handleSuccessfulLogin($this->server);
 209         $this->assertTrue($this->loginManager->canLogin($this->server));
 210         $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr]));
 211         $this->assertFalse(isset($this->globals['IPBANS']['BANS'][$this->ipAddr]));
 212     }
 213
 214     /**
 215      * The IP is not banned
 216      */
 217     public function testCanLoginIpNotBanned()
 218     {
 219         $this->assertTrue($this->loginManager->canLogin($this->server));
 220     }
 221
 222     /**
 223      * The IP is banned
 224      */
 225     public function testCanLoginIpBanned()
 226     {
 227         // ban the IP for an hour
 228         $this->globals['IPBANS']['FAILURES'][$this->ipAddr] = 10;
 229         $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() + 3600;
 230
 231         $this->assertFalse($this->loginManager->canLogin($this->server));
 232     }
 233
 234     /**
 235      * The IP is banned, and the ban duration is over
 236      */
 237     public function testCanLoginIpBanExpired()
 238     {
 239         // ban the IP for an hour
 240         $this->globals['IPBANS']['FAILURES'][$this->ipAddr] = 10;
 241         $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() + 3600;
 242         $this->assertFalse($this->loginManager->canLogin($this->server));
 243
 244         // lift the ban
 245         $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() - 3600;
 246         $this->assertTrue($this->loginManager->canLogin($this->server));
 247     }
 248
 249     /**
 250      * Generate a token depending on the user credentials and client IP
 251      */
 252     public function testGenerateStaySignedInToken()
 253     {
 254         $this->loginManager->generateStaySignedInToken($this->clientIpAddress);
 255
 256         $this->assertEquals(
 257             sha1($this->passwordHash . $this->clientIpAddress . $this->salt),
 258             $this->loginManager->getStaySignedInToken()
 259         );
 260     }
 261
 262     /**
 263      * Check user login - Shaarli has not yet been configured
 264      */
 265     public function testCheckLoginStateNotConfigured()
 266     {
 267         $configManager = new \FakeConfigManager([
 268             'resource.ban_file' => $this->banFile,
 269         ]);
 270         $loginManager = new LoginManager($this->globals, $configManager, null);
 271         $loginManager->checkLoginState([], '');
 272
 273         $this->assertFalse($loginManager->isLoggedIn());
 274     }
 275
 276     /**
 277      * Check user login - the client cookie does not match the server token
 278      */
 279     public function testCheckLoginStateStaySignedInWithInvalidToken()
 280     {
 281         // simulate a previous login
 282         $this->session = [
 283             'ip' => $this->clientIpAddress,
 284             'expires_on' => time() + 100,
 285         ];
 286         $this->loginManager->generateStaySignedInToken($this->clientIpAddress);
 287         $this->cookie[LoginManager::$STAY_SIGNED_IN_COOKIE] = 'nope';
 288
 289         $this->loginManager->checkLoginState($this->cookie, $this->clientIpAddress);
 290
 291         $this->assertTrue($this->loginManager->isLoggedIn());
 292         $this->assertTrue(empty($this->session['username']));
 293     }
 294
 295     /**
 296      * Check user login - the client cookie matches the server token
 297      */
 298     public function testCheckLoginStateStaySignedInWithValidToken()
 299     {
 300         $this->loginManager->generateStaySignedInToken($this->clientIpAddress);
 301         $this->cookie[LoginManager::$STAY_SIGNED_IN_COOKIE] = $this->loginManager->getStaySignedInToken();
 302
 303         $this->loginManager->checkLoginState($this->cookie, $this->clientIpAddress);
 304
 305         $this->assertTrue($this->loginManager->isLoggedIn());
 306         $this->assertEquals($this->login, $this->session['username']);
 307         $this->assertEquals($this->clientIpAddress, $this->session['ip']);
 308     }
 309
 310     /**
 311      * Check user login - the session has expired
 312      */
 313     public function testCheckLoginStateSessionExpired()
 314     {
 315         $this->loginManager->generateStaySignedInToken($this->clientIpAddress);
 316         $this->session['expires_on'] = time() - 100;
 317
 318         $this->loginManager->checkLoginState($this->cookie, $this->clientIpAddress);
 319
 320         $this->assertFalse($this->loginManager->isLoggedIn());
 321     }
 322
 323     /**
 324      * Check user login - the remote client IP has changed
 325      */
 326     public function testCheckLoginStateClientIpChanged()
 327     {
 328         $this->loginManager->generateStaySignedInToken($this->clientIpAddress);
 329
 330         $this->loginManager->checkLoginState($this->cookie, '10.7.157.98');
 331
 332         $this->assertFalse($this->loginManager->isLoggedIn());
 333     }
 334
 335     /**
 336      * Check user credentials - wrong login supplied
 337      */
 338     public function testCheckCredentialsWrongLogin()
 339     {
 340         $this->assertFalse(
 341             $this->loginManager->checkCredentials('', '', 'b4dl0g1n', $this->password)
 342         );
 343     }
 344
 345     /**
 346      * Check user credentials - wrong password supplied
 347      */
 348     public function testCheckCredentialsWrongPassword()
 349     {
 350         $this->assertFalse(
 351             $this->loginManager->checkCredentials('', '', $this->login, 'b4dp455wd')
 352         );
 353     }
 354
 355     /**
 356      * Check user credentials - wrong login and password supplied
 357      */
 358     public function testCheckCredentialsWrongLoginAndPassword()
 359     {
 360         $this->assertFalse(
 361             $this->loginManager->checkCredentials('', '', 'b4dl0g1n', 'b4dp455wd')
 362         );
 363     }
 364
 365     /**
 366      * Check user credentials - correct login and password supplied
 367      */
 368     public function testCheckCredentialsGoodLoginAndPassword()
 369     {
 370         $this->assertTrue(
 371             $this->loginManager->checkCredentials('', '', $this->login, $this->password)
 372         );
 373     }
 374 }