diff options
author | ArthurHoaro <arthur@hoa.ro> | 2019-02-09 16:44:48 +0100 |
---|---|---|
committer | ArthurHoaro <arthur@hoa.ro> | 2019-02-09 16:44:48 +0100 |
commit | b49a04f796b9ad8533c53fee541132a4c2214909 (patch) | |
tree | e7948198422b8edbc3ae080a591963afefba3c35 /tests/security/LoginManagerTest.php | |
parent | 905f8675a728841b03b300d2c7dc909a1c4f7f03 (diff) | |
download | Shaarli-b49a04f796b9ad8533c53fee541132a4c2214909.tar.gz Shaarli-b49a04f796b9ad8533c53fee541132a4c2214909.tar.zst Shaarli-b49a04f796b9ad8533c53fee541132a4c2214909.zip |
Rewrite IP ban management
This adds a dedicated manager class to handle all ban interactions, which is instantiated and handled by LoginManager.
IPs are now stored in the same format as the datastore, through FileUtils.
Fixes #1032 #587
Diffstat (limited to 'tests/security/LoginManagerTest.php')
-rw-r--r-- | tests/security/LoginManagerTest.php | 104 |
1 files changed, 7 insertions, 97 deletions
diff --git a/tests/security/LoginManagerTest.php b/tests/security/LoginManagerTest.php index 7b0262b3..eef0f22a 100644 --- a/tests/security/LoginManagerTest.php +++ b/tests/security/LoginManagerTest.php | |||
@@ -75,54 +75,27 @@ class LoginManagerTest extends TestCase | |||
75 | 'credentials.salt' => $this->salt, | 75 | 'credentials.salt' => $this->salt, |
76 | 'resource.ban_file' => $this->banFile, | 76 | 'resource.ban_file' => $this->banFile, |
77 | 'resource.log' => $this->logFile, | 77 | 'resource.log' => $this->logFile, |
78 | 'security.ban_after' => 4, | 78 | 'security.ban_after' => 2, |
79 | 'security.ban_duration' => 3600, | 79 | 'security.ban_duration' => 3600, |
80 | 'security.trusted_proxies' => [$this->trustedProxy], | 80 | 'security.trusted_proxies' => [$this->trustedProxy], |
81 | ]); | 81 | ]); |
82 | 82 | ||
83 | $this->cookie = []; | 83 | $this->cookie = []; |
84 | |||
85 | $this->globals = &$GLOBALS; | ||
86 | unset($this->globals['IPBANS']); | ||
87 | |||
88 | $this->session = []; | 84 | $this->session = []; |
89 | 85 | ||
90 | $this->sessionManager = new SessionManager($this->session, $this->configManager); | 86 | $this->sessionManager = new SessionManager($this->session, $this->configManager); |
91 | $this->loginManager = new LoginManager($this->globals, $this->configManager, $this->sessionManager); | 87 | $this->loginManager = new LoginManager($this->configManager, $this->sessionManager); |
92 | $this->server['REMOTE_ADDR'] = $this->ipAddr; | 88 | $this->server['REMOTE_ADDR'] = $this->ipAddr; |
93 | } | 89 | } |
94 | 90 | ||
95 | /** | 91 | /** |
96 | * Wipe test resources | ||
97 | */ | ||
98 | public function tearDown() | ||
99 | { | ||
100 | unset($this->globals['IPBANS']); | ||
101 | } | ||
102 | |||
103 | /** | ||
104 | * Instantiate a LoginManager and load ban records | ||
105 | */ | ||
106 | public function testReadBanFile() | ||
107 | { | ||
108 | file_put_contents( | ||
109 | $this->banFile, | ||
110 | "<?php\n\$GLOBALS['IPBANS']=array('FAILURES' => array('127.0.0.1' => 99));\n?>" | ||
111 | ); | ||
112 | new LoginManager($this->globals, $this->configManager, null); | ||
113 | $this->assertEquals(99, $this->globals['IPBANS']['FAILURES']['127.0.0.1']); | ||
114 | } | ||
115 | |||
116 | /** | ||
117 | * Record a failed login attempt | 92 | * Record a failed login attempt |
118 | */ | 93 | */ |
119 | public function testHandleFailedLogin() | 94 | public function testHandleFailedLogin() |
120 | { | 95 | { |
121 | $this->loginManager->handleFailedLogin($this->server); | 96 | $this->loginManager->handleFailedLogin($this->server); |
122 | $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | ||
123 | |||
124 | $this->loginManager->handleFailedLogin($this->server); | 97 | $this->loginManager->handleFailedLogin($this->server); |
125 | $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | 98 | $this->assertFalse($this->loginManager->canLogin($this->server)); |
126 | } | 99 | } |
127 | 100 | ||
128 | /** | 101 | /** |
@@ -135,10 +108,8 @@ class LoginManagerTest extends TestCase | |||
135 | 'HTTP_X_FORWARDED_FOR' => $this->ipAddr, | 108 | 'HTTP_X_FORWARDED_FOR' => $this->ipAddr, |
136 | ]; | 109 | ]; |
137 | $this->loginManager->handleFailedLogin($server); | 110 | $this->loginManager->handleFailedLogin($server); |
138 | $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | ||
139 | |||
140 | $this->loginManager->handleFailedLogin($server); | 111 | $this->loginManager->handleFailedLogin($server); |
141 | $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | 112 | $this->assertFalse($this->loginManager->canLogin($server)); |
142 | } | 113 | } |
143 | 114 | ||
144 | /** | 115 | /** |
@@ -150,39 +121,8 @@ class LoginManagerTest extends TestCase | |||
150 | 'REMOTE_ADDR' => $this->trustedProxy, | 121 | 'REMOTE_ADDR' => $this->trustedProxy, |
151 | ]; | 122 | ]; |
152 | $this->loginManager->handleFailedLogin($server); | 123 | $this->loginManager->handleFailedLogin($server); |
153 | $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr])); | ||
154 | |||
155 | $this->loginManager->handleFailedLogin($server); | 124 | $this->loginManager->handleFailedLogin($server); |
156 | $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr])); | 125 | $this->assertTrue($this->loginManager->canLogin($server)); |
157 | } | ||
158 | |||
159 | /** | ||
160 | * Record a failed login attempt and ban the IP after too many failures | ||
161 | */ | ||
162 | public function testHandleFailedLoginBanIp() | ||
163 | { | ||
164 | $this->loginManager->handleFailedLogin($this->server); | ||
165 | $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | ||
166 | $this->assertTrue($this->loginManager->canLogin($this->server)); | ||
167 | |||
168 | $this->loginManager->handleFailedLogin($this->server); | ||
169 | $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | ||
170 | $this->assertTrue($this->loginManager->canLogin($this->server)); | ||
171 | |||
172 | $this->loginManager->handleFailedLogin($this->server); | ||
173 | $this->assertEquals(3, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | ||
174 | $this->assertTrue($this->loginManager->canLogin($this->server)); | ||
175 | |||
176 | $this->loginManager->handleFailedLogin($this->server); | ||
177 | $this->assertEquals(4, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | ||
178 | $this->assertFalse($this->loginManager->canLogin($this->server)); | ||
179 | |||
180 | // handleFailedLogin is not supposed to be called at this point: | ||
181 | // - no login form should be displayed once an IP has been banned | ||
182 | // - yet this could happen when using custom templates / scripts | ||
183 | $this->loginManager->handleFailedLogin($this->server); | ||
184 | $this->assertEquals(5, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | ||
185 | $this->assertFalse($this->loginManager->canLogin($this->server)); | ||
186 | } | 126 | } |
187 | 127 | ||
188 | /** | 128 | /** |
@@ -202,14 +142,11 @@ class LoginManagerTest extends TestCase | |||
202 | public function testHandleSuccessfulLoginAfterFailure() | 142 | public function testHandleSuccessfulLoginAfterFailure() |
203 | { | 143 | { |
204 | $this->loginManager->handleFailedLogin($this->server); | 144 | $this->loginManager->handleFailedLogin($this->server); |
205 | $this->loginManager->handleFailedLogin($this->server); | ||
206 | $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | ||
207 | $this->assertTrue($this->loginManager->canLogin($this->server)); | 145 | $this->assertTrue($this->loginManager->canLogin($this->server)); |
208 | 146 | ||
209 | $this->loginManager->handleSuccessfulLogin($this->server); | 147 | $this->loginManager->handleSuccessfulLogin($this->server); |
148 | $this->loginManager->handleFailedLogin($this->server); | ||
210 | $this->assertTrue($this->loginManager->canLogin($this->server)); | 149 | $this->assertTrue($this->loginManager->canLogin($this->server)); |
211 | $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr])); | ||
212 | $this->assertFalse(isset($this->globals['IPBANS']['BANS'][$this->ipAddr])); | ||
213 | } | 150 | } |
214 | 151 | ||
215 | /** | 152 | /** |
@@ -221,33 +158,6 @@ class LoginManagerTest extends TestCase | |||
221 | } | 158 | } |
222 | 159 | ||
223 | /** | 160 | /** |
224 | * The IP is banned | ||
225 | */ | ||
226 | public function testCanLoginIpBanned() | ||
227 | { | ||
228 | // ban the IP for an hour | ||
229 | $this->globals['IPBANS']['FAILURES'][$this->ipAddr] = 10; | ||
230 | $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() + 3600; | ||
231 | |||
232 | $this->assertFalse($this->loginManager->canLogin($this->server)); | ||
233 | } | ||
234 | |||
235 | /** | ||
236 | * The IP is banned, and the ban duration is over | ||
237 | */ | ||
238 | public function testCanLoginIpBanExpired() | ||
239 | { | ||
240 | // ban the IP for an hour | ||
241 | $this->globals['IPBANS']['FAILURES'][$this->ipAddr] = 10; | ||
242 | $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() + 3600; | ||
243 | $this->assertFalse($this->loginManager->canLogin($this->server)); | ||
244 | |||
245 | // lift the ban | ||
246 | $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() - 3600; | ||
247 | $this->assertTrue($this->loginManager->canLogin($this->server)); | ||
248 | } | ||
249 | |||
250 | /** | ||
251 | * Generate a token depending on the user credentials and client IP | 161 | * Generate a token depending on the user credentials and client IP |
252 | */ | 162 | */ |
253 | public function testGenerateStaySignedInToken() | 163 | public function testGenerateStaySignedInToken() |
@@ -282,7 +192,7 @@ class LoginManagerTest extends TestCase | |||
282 | $configManager = new \FakeConfigManager([ | 192 | $configManager = new \FakeConfigManager([ |
283 | 'resource.ban_file' => $this->banFile, | 193 | 'resource.ban_file' => $this->banFile, |
284 | ]); | 194 | ]); |
285 | $loginManager = new LoginManager($this->globals, $configManager, null); | 195 | $loginManager = new LoginManager($configManager, null); |
286 | $loginManager->checkLoginState([], ''); | 196 | $loginManager->checkLoginState([], ''); |
287 | 197 | ||
288 | $this->assertFalse($loginManager->isLoggedIn()); | 198 | $this->assertFalse($loginManager->isLoggedIn()); |