2 require_once 'tests/utils/FakeConfigManager.php';
4 // Initialize reference data _before_ PHPUnit starts a session
5 require_once 'tests/utils/ReferenceSessionIdHashes.php';
6 ReferenceSessionIdHashes
::genAllHashes();
8 use \Shaarli\Security\SessionManager
;
9 use \PHPUnit\Framework\TestCase
;
13 * Test coverage for SessionManager
15 class SessionManagerTest
extends TestCase
17 /** @var array Session ID hashes */
18 protected static $sidHashes = null;
20 /** @var FakeConfigManager ConfigManager substitute for testing */
21 protected $conf = null;
23 /** @var array $_SESSION array for testing */
24 protected $session = [];
26 /** @var SessionManager Server-side session management abstraction */
27 protected $sessionManager = null;
30 * Assign reference data
32 public static function setUpBeforeClass()
34 self
::$sidHashes = ReferenceSessionIdHashes
::getHashes();
38 * Initialize or reset test resources
40 public function setUp()
42 $this->conf
= new FakeConfigManager([
43 'credentials.login' => 'johndoe',
44 'credentials.salt' => 'salt',
45 'security.session_protection_disabled' => false,
48 $this->sessionManager
= new SessionManager($this->session
, $this->conf
);
52 * Generate a session token
54 public function testGenerateToken()
56 $token = $this->sessionManager
->generateToken();
58 $this->assertEquals(1, $this->session
['tokens'][$token]);
59 $this->assertEquals(40, strlen($token));
63 * Check a session token
65 public function testCheckToken()
67 $token = '4dccc3a45ad9d03e5542b90c37d8db6d10f2b38b';
73 $sessionManager = new SessionManager($session, $this->conf
);
75 // check and destroy the token
76 $this->assertTrue($sessionManager->checkToken($token));
77 $this->assertFalse(isset($session['tokens'][$token]));
79 // ensure the token has been destroyed
80 $this->assertFalse($sessionManager->checkToken($token));
84 * Generate and check a session token
86 public function testGenerateAndCheckToken()
88 $token = $this->sessionManager
->generateToken();
90 // ensure a token has been generated
91 $this->assertEquals(1, $this->session
['tokens'][$token]);
92 $this->assertEquals(40, strlen($token));
94 // check and destroy the token
95 $this->assertTrue($this->sessionManager
->checkToken($token));
96 $this->assertFalse(isset($this->session
['tokens'][$token]));
98 // ensure the token has been destroyed
99 $this->assertFalse($this->sessionManager
->checkToken($token));
103 * Check an invalid session token
105 public function testCheckInvalidToken()
107 $this->assertFalse($this->sessionManager
->checkToken('4dccc3a45ad9d03e5542b90c37d8db6d10f2b38b'));
111 * Test SessionManager::checkId with a valid ID - TEST ALL THE HASHES!
113 * This tests extensively covers all hash algorithms / bit representations
115 public function testIsAnyHashSessionIdValid()
117 foreach (self
::$sidHashes as $algo => $bpcs) {
118 foreach ($bpcs as $bpc => $hash) {
119 $this->assertTrue(SessionManager
::checkId($hash));
125 * Test checkId with a valid ID - SHA-1 hashes
127 public function testIsSha1SessionIdValid()
129 $this->assertTrue(SessionManager
::checkId(sha1('shaarli')));
133 * Test checkId with a valid ID - SHA-256 hashes
135 public function testIsSha256SessionIdValid()
137 $this->assertTrue(SessionManager
::checkId(hash('sha256', 'shaarli')));
141 * Test checkId with a valid ID - SHA-512 hashes
143 public function testIsSha512SessionIdValid()
145 $this->assertTrue(SessionManager
::checkId(hash('sha512', 'shaarli')));
149 * Test checkId with invalid IDs.
151 public function testIsSessionIdInvalid()
153 $this->assertFalse(SessionManager
::checkId(''));
154 $this->assertFalse(SessionManager
::checkId([]));
156 SessionManager
::checkId('c0ZqcWF3VFE2NmJBdm1HMVQ0ZHJ3UmZPbTFsNGhkNHI=')
161 * Store login information after a successful login
163 public function testStoreLoginInfo()
165 $this->sessionManager
->storeLoginInfo('ip_id');
167 $this->assertTrue(isset($this->session
['uid']));
168 $this->assertGreaterThan(time(), $this->session
['expires_on']);
169 $this->assertEquals('ip_id', $this->session
['ip']);
170 $this->assertEquals('johndoe', $this->session
['username']);
174 * Extend a server-side session by SessionManager::$SHORT_TIMEOUT
176 public function testExtendSession()
178 $this->sessionManager
->extendSession();
180 $this->assertGreaterThan(time(), $this->session
['expires_on']);
181 $this->assertLessThanOrEqual(
182 time() + SessionManager
::$SHORT_TIMEOUT,
183 $this->session
['expires_on']
188 * Extend a server-side session by SessionManager::$LONG_TIMEOUT
190 public function testExtendSessionStaySignedIn()
192 $this->sessionManager
->setStaySignedIn(true);
193 $this->sessionManager
->extendSession();
195 $this->assertGreaterThan(time(), $this->session
['expires_on']);
196 $this->assertGreaterThan(
197 time() + SessionManager
::$LONG_TIMEOUT - 10,
198 $this->session
['expires_on']
200 $this->assertLessThanOrEqual(
201 time() + SessionManager
::$LONG_TIMEOUT,
202 $this->session
['expires_on']
207 * Unset session variables after logging out
209 public function testLogout()
214 'expires_on' => time() +
1000,
215 'username' => 'johndoe',
216 'visibility' => 'public',
217 'untaggedonly' => false,
219 $this->sessionManager
->logout();
221 $this->assertFalse(isset($this->session
['uid']));
222 $this->assertFalse(isset($this->session
['ip']));
223 $this->assertFalse(isset($this->session
['expires_on']));
224 $this->assertFalse(isset($this->session
['username']));
225 $this->assertFalse(isset($this->session
['visibility']));
226 $this->assertFalse(isset($this->session
['untaggedonly']));
230 * The session is considered as expired because the UID is missing
232 public function testHasExpiredNoUid()
234 $this->assertTrue($this->sessionManager
->hasSessionExpired());
238 * The session is active and expiration time has been reached
240 public function testHasExpiredTimeElapsed()
242 $this->session
['uid'] = 'some-uid';
243 $this->session
['expires_on'] = time() - 10;
245 $this->assertTrue($this->sessionManager
->hasSessionExpired());
249 * The session is active and expiration time has not been reached
251 public function testHasNotExpired()
253 $this->session
['uid'] = 'some-uid';
254 $this->session
['expires_on'] = time() +
1000;
256 $this->assertFalse($this->sessionManager
->hasSessionExpired());
260 * Session hijacking protection is disabled, we assume the IP has not changed
262 public function testHasClientIpChangedNoSessionProtection()
264 $this->conf
->set('security.session_protection_disabled', true);
266 $this->assertFalse($this->sessionManager
->hasClientIpChanged(''));
270 * The client IP identifier has not changed
272 public function testHasClientIpChangedNope()
274 $this->session
['ip'] = 'ip_id';
275 $this->assertFalse($this->sessionManager
->hasClientIpChanged('ip_id'));
279 * The client IP identifier has changed
281 public function testHasClientIpChanged()
283 $this->session
['ip'] = 'ip_id_one';
284 $this->assertTrue($this->sessionManager
->hasClientIpChanged('ip_id_two'));