authorArthurHoaro <arthur@hoa.ro>2020-10-13 12:07:13 +0200
committerArthurHoaro <arthur@hoa.ro>2020-10-13 12:07:13 +0200
commitd9f6275ebca035fec8331652c677981056793ccc (patch)
tree37a64baf4f0eba6b781040605965383d8aded2cc /tests/security/LoginManagerTest.php
parent38672ba0d1c722e5d6d33a58255ceb55e9410e46 (diff)
parentd63ff87a009313141ae684ec447b902562ff6ee7 (diff)
Merge branch 'v0.11' into stable
Diffstat (limited to 'tests/security/LoginManagerTest.php')
-rw-r--r--tests/security/LoginManagerTest.php115
1 files changed, 20 insertions, 95 deletions
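diff --git a/tests/security/LoginManagerTest.php b/tests/security/LoginManagerTest.php
index f26cd1eb..eef0f22a 100644
--- a/tests/security/LoginManagerTest.php
+++ b/tests/security/LoginManagerTest.php
@@ -2,7 +2,8 @@
 namespace Shaarli\Security;
 
 require_once 'tests/utils/FakeConfigManager.php';
-use \PHPUnit\Framework\TestCase;
+
+use PHPUnit\Framework\TestCase;
 
 /**
  * Test coverage for LoginManager
@@ -74,54 +75,27 @@ class LoginManagerTest extends TestCase
  'credentials.salt' => $this->salt,
  'resource.ban_file' => $this->banFile,
  'resource.log' => $this->logFile,
- 'security.ban_after' => 4,
+ 'security.ban_after' => 2,
  'security.ban_duration' => 3600,
  'security.trusted_proxies' => [$this->trustedProxy],
  ]);
 
  $this->cookie = [];
-
- $this->globals = &$GLOBALS;
- unset($this->globals['IPBANS']);
-
  $this->session = [];
 
  $this->sessionManager = new SessionManager($this->session, $this->configManager);
- $this->loginManager = new LoginManager($this->globals, $this->configManager, $this->sessionManager);
+ $this->loginManager = new LoginManager($this->configManager, $this->sessionManager);
  $this->server['REMOTE_ADDR'] = $this->ipAddr;
  }
 
  /**
- * Wipe test resources
- */
- public function tearDown()
- {
- unset($this->globals['IPBANS']);
- }
-
- /**
- * Instantiate a LoginManager and load ban records
- */
- public function testReadBanFile()
- {
- file_put_contents(
- $this->banFile,
- "<?php\n\$GLOBALS['IPBANS']=array('FAILURES' => array('127.0.0.1' => 99));\n?>"
- );
- new LoginManager($this->globals, $this->configManager, null);
- $this->assertEquals(99, $this->globals['IPBANS']['FAILURES']['127.0.0.1']);
- }
-
- /**
  * Record a failed login attempt
  */
  public function testHandleFailedLogin()
  {
  $this->loginManager->handleFailedLogin($this->server);
- $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
-
  $this->loginManager->handleFailedLogin($this->server);
- $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
+ $this->assertFalse($this->loginManager->canLogin($this->server));
  }
 
  /**
@@ -134,10 +108,8 @@ class LoginManagerTest extends TestCase
  'HTTP_X_FORWARDED_FOR' => $this->ipAddr,
  ];
  $this->loginManager->handleFailedLogin($server);
- $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
-
  $this->loginManager->handleFailedLogin($server);
- $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
+ $this->assertFalse($this->loginManager->canLogin($server));
  }
 
  /**
@@ -149,39 +121,8 @@ class LoginManagerTest extends TestCase
  'REMOTE_ADDR' => $this->trustedProxy,
  ];
  $this->loginManager->handleFailedLogin($server);
- $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr]));
-
  $this->loginManager->handleFailedLogin($server);
- $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr]));
- }
-
- /**
- * Record a failed login attempt and ban the IP after too many failures
- */
- public function testHandleFailedLoginBanIp()
- {
- $this->loginManager->handleFailedLogin($this->server);
- $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
- $this->assertTrue($this->loginManager->canLogin($this->server));
-
- $this->loginManager->handleFailedLogin($this->server);
- $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
- $this->assertTrue($this->loginManager->canLogin($this->server));
-
- $this->loginManager->handleFailedLogin($this->server);
- $this->assertEquals(3, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
- $this->assertTrue($this->loginManager->canLogin($this->server));
-
- $this->loginManager->handleFailedLogin($this->server);
- $this->assertEquals(4, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
- $this->assertFalse($this->loginManager->canLogin($this->server));
-
- // handleFailedLogin is not supposed to be called at this point:
- // - no login form should be displayed once an IP has been banned
- // - yet this could happen when using custom templates / scripts
- $this->loginManager->handleFailedLogin($this->server);
- $this->assertEquals(5, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
- $this->assertFalse($this->loginManager->canLogin($this->server));
+ $this->assertTrue($this->loginManager->canLogin($server));
  }
 
  /**
@@ -201,14 +142,11 @@ class LoginManagerTest extends TestCase
  public function testHandleSuccessfulLoginAfterFailure()
  {
  $this->loginManager->handleFailedLogin($this->server);
- $this->loginManager->handleFailedLogin($this->server);
- $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
  $this->assertTrue($this->loginManager->canLogin($this->server));
 
  $this->loginManager->handleSuccessfulLogin($this->server);
+ $this->loginManager->handleFailedLogin($this->server);
  $this->assertTrue($this->loginManager->canLogin($this->server));
- $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr]));
- $this->assertFalse(isset($this->globals['IPBANS']['BANS'][$this->ipAddr]));
  }
 
  /**
@@ -220,41 +158,28 @@ class LoginManagerTest extends TestCase
  }
 
  /**
- * The IP is banned
- */
- public function testCanLoginIpBanned()
- {
- // ban the IP for an hour
- $this->globals['IPBANS']['FAILURES'][$this->ipAddr] = 10;
- $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() + 3600;
-
- $this->assertFalse($this->loginManager->canLogin($this->server));
- }
-
- /**
- * The IP is banned, and the ban duration is over
+ * Generate a token depending on the user credentials and client IP
  */
- public function testCanLoginIpBanExpired()
+ public function testGenerateStaySignedInToken()
  {
- // ban the IP for an hour
- $this->globals['IPBANS']['FAILURES'][$this->ipAddr] = 10;
- $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() + 3600;
- $this->assertFalse($this->loginManager->canLogin($this->server));
+ $this->loginManager->generateStaySignedInToken($this->clientIpAddress);
 
- // lift the ban
- $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() - 3600;
- $this->assertTrue($this->loginManager->canLogin($this->server));
+ $this->assertEquals(
+ sha1($this->passwordHash . $this->clientIpAddress . $this->salt),
+ $this->loginManager->getStaySignedInToken()
+ );
  }
 
  /**
- * Generate a token depending on the user credentials and client IP
+ * Generate a token depending on the user credentials with session protected disabled
  */
- public function testGenerateStaySignedInToken()
+ public function testGenerateStaySignedInTokenSessionProtectionDisabled()
  {
+ $this->configManager->set('security.session_protection_disabled', true);
  $this->loginManager->generateStaySignedInToken($this->clientIpAddress);
 
  $this->assertEquals(
- sha1($this->passwordHash . $this->clientIpAddress . $this->salt),
+ sha1($this->passwordHash . $this->salt),
  $this->loginManager->getStaySignedInToken()
  );
  }
@@ -267,7 +192,7 @@ class LoginManagerTest extends TestCase
  $configManager = new \FakeConfigManager([
  'resource.ban_file' => $this->banFile,
  ]);
- $loginManager = new LoginManager($this->globals, $configManager, null);
+ $loginManager = new LoginManager($configManager, null);
  $loginManager->checkLoginState([], '');
 
  $this->assertFalse($loginManager->isLoggedIn());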
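Review bot: In testHandleFailedLogin the only assertion now comes after the second failure, so a LoginManager that bans on the very first failed attempt would still pass. Adding `$this->assertTrue($this->loginManager->canLogin($this->server));` between the two `handleFailedLogin()` calls would pin the `'security.ban_after' => 2` threshold, and the X-Forwarded-For test in the `@@ -134,10 +108,8 @@` hunk has the same gap with `$server`. The commit also deletes testCanLoginIpBanned, testCanLoginIpBanExpired and testReadBanFile with no replacement through the public API, so nothing in this file checks that a ban lifts after `security.ban_duration` or is picked up by a fresh LoginManager reading `resource.ban_file`; if that coverage lives in another test class, it is not visible on this page. setUp() begins outside the hunk and tearDown() is removed, so whether the ban file is cleared between tests cannot be confirmed here; with a threshold of 2, leftover state from one test would be enough to flip a later one.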