diff options
| author | ArthurHoaro <arthur@hoa.ro> | 2020-10-13 12:07:13 +0200 |
|---|---|---|
| committer | ArthurHoaro <arthur@hoa.ro> | 2020-10-13 12:07:13 +0200 |
| commit | d9f6275ebca035fec8331652c677981056793ccc (patch) | |
| tree | 37a64baf4f0eba6b781040605965383d8aded2cc /tests/security/LoginManagerTest.php | |
| parent | 38672ba0d1c722e5d6d33a58255ceb55e9410e46 (diff) | |
| parent | d63ff87a009313141ae684ec447b902562ff6ee7 (diff) | |
| download | Shaarli-d9f6275ebca035fec8331652c677981056793ccc.tar.gz Shaarli-d9f6275ebca035fec8331652c677981056793ccc.tar.zst Shaarli-d9f6275ebca035fec8331652c677981056793ccc.zip | |
Merge branch 'v0.11' into stablestable
Diffstat (limited to 'tests/security/LoginManagerTest.php')
| -rw-r--r-- | tests/security/LoginManagerTest.php | 115 |
1 files changed, 20 insertions, 95 deletions
diff --git a/tests/security/LoginManagerTest.php b/tests/security/LoginManagerTest.php index f26cd1eb..eef0f22a 100644 --- a/tests/security/LoginManagerTest.php +++ b/tests/security/LoginManagerTest.php | |||
| @@ -2,7 +2,8 @@ | |||
| 2 | namespace Shaarli\Security; | 2 | namespace Shaarli\Security; |
| 3 | 3 | ||
| 4 | require_once 'tests/utils/FakeConfigManager.php'; | 4 | require_once 'tests/utils/FakeConfigManager.php'; |
| 5 | use \PHPUnit\Framework\TestCase; | 5 | |
| 6 | use PHPUnit\Framework\TestCase; | ||
| 6 | 7 | ||
| 7 | /** | 8 | /** |
| 8 | * Test coverage for LoginManager | 9 | * Test coverage for LoginManager |
| @@ -74,54 +75,27 @@ class LoginManagerTest extends TestCase | |||
| 74 | 'credentials.salt' => $this->salt, | 75 | 'credentials.salt' => $this->salt, |
| 75 | 'resource.ban_file' => $this->banFile, | 76 | 'resource.ban_file' => $this->banFile, |
| 76 | 'resource.log' => $this->logFile, | 77 | 'resource.log' => $this->logFile, |
| 77 | 'security.ban_after' => 4, | 78 | 'security.ban_after' => 2, |
| 78 | 'security.ban_duration' => 3600, | 79 | 'security.ban_duration' => 3600, |
| 79 | 'security.trusted_proxies' => [$this->trustedProxy], | 80 | 'security.trusted_proxies' => [$this->trustedProxy], |
| 80 | ]); | 81 | ]); |
| 81 | 82 | ||
| 82 | $this->cookie = []; | 83 | $this->cookie = []; |
| 83 | |||
| 84 | $this->globals = &$GLOBALS; | ||
| 85 | unset($this->globals['IPBANS']); | ||
| 86 | |||
| 87 | $this->session = []; | 84 | $this->session = []; |
| 88 | 85 | ||
| 89 | $this->sessionManager = new SessionManager($this->session, $this->configManager); | 86 | $this->sessionManager = new SessionManager($this->session, $this->configManager); |
| 90 | $this->loginManager = new LoginManager($this->globals, $this->configManager, $this->sessionManager); | 87 | $this->loginManager = new LoginManager($this->configManager, $this->sessionManager); |
| 91 | $this->server['REMOTE_ADDR'] = $this->ipAddr; | 88 | $this->server['REMOTE_ADDR'] = $this->ipAddr; |
| 92 | } | 89 | } |
| 93 | 90 | ||
| 94 | /** | 91 | /** |
| 95 | * Wipe test resources | ||
| 96 | */ | ||
| 97 | public function tearDown() | ||
| 98 | { | ||
| 99 | unset($this->globals['IPBANS']); | ||
| 100 | } | ||
| 101 | |||
| 102 | /** | ||
| 103 | * Instantiate a LoginManager and load ban records | ||
| 104 | */ | ||
| 105 | public function testReadBanFile() | ||
| 106 | { | ||
| 107 | file_put_contents( | ||
| 108 | $this->banFile, | ||
| 109 | "<?php\n\$GLOBALS['IPBANS']=array('FAILURES' => array('127.0.0.1' => 99));\n?>" | ||
| 110 | ); | ||
| 111 | new LoginManager($this->globals, $this->configManager, null); | ||
| 112 | $this->assertEquals(99, $this->globals['IPBANS']['FAILURES']['127.0.0.1']); | ||
| 113 | } | ||
| 114 | |||
| 115 | /** | ||
| 116 | * Record a failed login attempt | 92 | * Record a failed login attempt |
| 117 | */ | 93 | */ |
| 118 | public function testHandleFailedLogin() | 94 | public function testHandleFailedLogin() |
| 119 | { | 95 | { |
| 120 | $this->loginManager->handleFailedLogin($this->server); | 96 | $this->loginManager->handleFailedLogin($this->server); |
| 121 | $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | ||
| 122 | |||
| 123 | $this->loginManager->handleFailedLogin($this->server); | 97 | $this->loginManager->handleFailedLogin($this->server); |
| 124 | $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | 98 | $this->assertFalse($this->loginManager->canLogin($this->server)); |
| 125 | } | 99 | } |
| 126 | 100 | ||
| 127 | /** | 101 | /** |
| @@ -134,10 +108,8 @@ class LoginManagerTest extends TestCase | |||
| 134 | 'HTTP_X_FORWARDED_FOR' => $this->ipAddr, | 108 | 'HTTP_X_FORWARDED_FOR' => $this->ipAddr, |
| 135 | ]; | 109 | ]; |
| 136 | $this->loginManager->handleFailedLogin($server); | 110 | $this->loginManager->handleFailedLogin($server); |
| 137 | $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | ||
| 138 | |||
| 139 | $this->loginManager->handleFailedLogin($server); | 111 | $this->loginManager->handleFailedLogin($server); |
| 140 | $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | 112 | $this->assertFalse($this->loginManager->canLogin($server)); |
| 141 | } | 113 | } |
| 142 | 114 | ||
| 143 | /** | 115 | /** |
| @@ -149,39 +121,8 @@ class LoginManagerTest extends TestCase | |||
| 149 | 'REMOTE_ADDR' => $this->trustedProxy, | 121 | 'REMOTE_ADDR' => $this->trustedProxy, |
| 150 | ]; | 122 | ]; |
| 151 | $this->loginManager->handleFailedLogin($server); | 123 | $this->loginManager->handleFailedLogin($server); |
| 152 | $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr])); | ||
| 153 | |||
| 154 | $this->loginManager->handleFailedLogin($server); | 124 | $this->loginManager->handleFailedLogin($server); |
| 155 | $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr])); | 125 | $this->assertTrue($this->loginManager->canLogin($server)); |
| 156 | } | ||
| 157 | |||
| 158 | /** | ||
| 159 | * Record a failed login attempt and ban the IP after too many failures | ||
| 160 | */ | ||
| 161 | public function testHandleFailedLoginBanIp() | ||
| 162 | { | ||
| 163 | $this->loginManager->handleFailedLogin($this->server); | ||
| 164 | $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | ||
| 165 | $this->assertTrue($this->loginManager->canLogin($this->server)); | ||
| 166 | |||
| 167 | $this->loginManager->handleFailedLogin($this->server); | ||
| 168 | $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | ||
| 169 | $this->assertTrue($this->loginManager->canLogin($this->server)); | ||
| 170 | |||
| 171 | $this->loginManager->handleFailedLogin($this->server); | ||
| 172 | $this->assertEquals(3, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | ||
| 173 | $this->assertTrue($this->loginManager->canLogin($this->server)); | ||
| 174 | |||
| 175 | $this->loginManager->handleFailedLogin($this->server); | ||
| 176 | $this->assertEquals(4, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | ||
| 177 | $this->assertFalse($this->loginManager->canLogin($this->server)); | ||
| 178 | |||
| 179 | // handleFailedLogin is not supposed to be called at this point: | ||
| 180 | // - no login form should be displayed once an IP has been banned | ||
| 181 | // - yet this could happen when using custom templates / scripts | ||
| 182 | $this->loginManager->handleFailedLogin($this->server); | ||
| 183 | $this->assertEquals(5, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | ||
| 184 | $this->assertFalse($this->loginManager->canLogin($this->server)); | ||
| 185 | } | 126 | } |
| 186 | 127 | ||
| 187 | /** | 128 | /** |
| @@ -201,14 +142,11 @@ class LoginManagerTest extends TestCase | |||
| 201 | public function testHandleSuccessfulLoginAfterFailure() | 142 | public function testHandleSuccessfulLoginAfterFailure() |
| 202 | { | 143 | { |
| 203 | $this->loginManager->handleFailedLogin($this->server); | 144 | $this->loginManager->handleFailedLogin($this->server); |
| 204 | $this->loginManager->handleFailedLogin($this->server); | ||
| 205 | $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | ||
| 206 | $this->assertTrue($this->loginManager->canLogin($this->server)); | 145 | $this->assertTrue($this->loginManager->canLogin($this->server)); |
| 207 | 146 | ||
| 208 | $this->loginManager->handleSuccessfulLogin($this->server); | 147 | $this->loginManager->handleSuccessfulLogin($this->server); |
| 148 | $this->loginManager->handleFailedLogin($this->server); | ||
| 209 | $this->assertTrue($this->loginManager->canLogin($this->server)); | 149 | $this->assertTrue($this->loginManager->canLogin($this->server)); |
| 210 | $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr])); | ||
| 211 | $this->assertFalse(isset($this->globals['IPBANS']['BANS'][$this->ipAddr])); | ||
| 212 | } | 150 | } |
| 213 | 151 | ||
| 214 | /** | 152 | /** |
| @@ -220,41 +158,28 @@ class LoginManagerTest extends TestCase | |||
| 220 | } | 158 | } |
| 221 | 159 | ||
| 222 | /** | 160 | /** |
| 223 | * The IP is banned | 161 | * Generate a token depending on the user credentials and client IP |
| 224 | */ | ||
| 225 | public function testCanLoginIpBanned() | ||
| 226 | { | ||
| 227 | // ban the IP for an hour | ||
| 228 | $this->globals['IPBANS']['FAILURES'][$this->ipAddr] = 10; | ||
| 229 | $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() + 3600; | ||
| 230 | |||
| 231 | $this->assertFalse($this->loginManager->canLogin($this->server)); | ||
| 232 | } | ||
| 233 | |||
| 234 | /** | ||
| 235 | * The IP is banned, and the ban duration is over | ||
| 236 | */ | 162 | */ |
| 237 | public function testCanLoginIpBanExpired() | 163 | public function testGenerateStaySignedInToken() |
| 238 | { | 164 | { |
| 239 | // ban the IP for an hour | 165 | $this->loginManager->generateStaySignedInToken($this->clientIpAddress); |
| 240 | $this->globals['IPBANS']['FAILURES'][$this->ipAddr] = 10; | ||
| 241 | $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() + 3600; | ||
| 242 | $this->assertFalse($this->loginManager->canLogin($this->server)); | ||
| 243 | 166 | ||
| 244 | // lift the ban | 167 | $this->assertEquals( |
| 245 | $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() - 3600; | 168 | sha1($this->passwordHash . $this->clientIpAddress . $this->salt), |
| 246 | $this->assertTrue($this->loginManager->canLogin($this->server)); | 169 | $this->loginManager->getStaySignedInToken() |
| 170 | ); | ||
| 247 | } | 171 | } |
| 248 | 172 | ||
| 249 | /** | 173 | /** |
| 250 | * Generate a token depending on the user credentials and client IP | 174 | * Generate a token depending on the user credentials with session protected disabled |
| 251 | */ | 175 | */ |
| 252 | public function testGenerateStaySignedInToken() | 176 | public function testGenerateStaySignedInTokenSessionProtectionDisabled() |
| 253 | { | 177 | { |
| 178 | $this->configManager->set('security.session_protection_disabled', true); | ||
| 254 | $this->loginManager->generateStaySignedInToken($this->clientIpAddress); | 179 | $this->loginManager->generateStaySignedInToken($this->clientIpAddress); |
| 255 | 180 | ||
| 256 | $this->assertEquals( | 181 | $this->assertEquals( |
| 257 | sha1($this->passwordHash . $this->clientIpAddress . $this->salt), | 182 | sha1($this->passwordHash . $this->salt), |
| 258 | $this->loginManager->getStaySignedInToken() | 183 | $this->loginManager->getStaySignedInToken() |
| 259 | ); | 184 | ); |
| 260 | } | 185 | } |
| @@ -267,7 +192,7 @@ class LoginManagerTest extends TestCase | |||
| 267 | $configManager = new \FakeConfigManager([ | 192 | $configManager = new \FakeConfigManager([ |
| 268 | 'resource.ban_file' => $this->banFile, | 193 | 'resource.ban_file' => $this->banFile, |
| 269 | ]); | 194 | ]); |
| 270 | $loginManager = new LoginManager($this->globals, $configManager, null); | 195 | $loginManager = new LoginManager($configManager, null); |
| 271 | $loginManager->checkLoginState([], ''); | 196 | $loginManager->checkLoginState([], ''); |
| 272 | 197 | ||
| 273 | $this->assertFalse($loginManager->isLoggedIn()); | 198 | $this->assertFalse($loginManager->isLoggedIn()); |