Refactor session and cookie timeout control

Signed-off-by: VirtualTam <virtualtam@flibidi.net>
author: VirtualTam <virtualtam@flibidi.net> 2018-04-27 23:17:38 +0200
committer: VirtualTam <virtualtam@flibidi.net> 2018-06-02 16:46:06 +0200
commit: 51f0128cdba52099c40693379e72f094b42a6f80 (patch)
tree: 57f71dc7d38611aaf91e77703acfd7ffbd0ac7c1 /tests/security
parent: fab87c2696b9d6a26310f1bfc024b018ca5184fe (diff)
download: Shaarli-51f0128cdba52099c40693379e72f094b42a6f80.tar.gz
Shaarli-51f0128cdba52099c40693379e72f094b42a6f80.tar.zst
Shaarli-51f0128cdba52099c40693379e72f094b42a6f80.zip
1 files changed, 159 insertions, 22 deletions
diff --git a/tests/security/SessionManagerTest.php b/tests/security/SessionManagerTest.php
index e4e1cfbc..e1c72707 100644
--- a/tests/security/SessionManagerTest.php
+++ b/tests/security/SessionManagerTest.php
@@ -14,11 +14,17 @@ use \PHPUnit\Framework\TestCase;
 */
 class SessionManagerTest extends TestCase
 {
-    // Session ID hashes
+    /** @var array Session ID hashes */
    protected static $sidHashes = null;
-    // Fake ConfigManager
+    /** @var FakeConfigManager ConfigManager substitute for testing */
-    protected static $conf = null;
+    protected $conf = null;
+    /** @var array $_SESSION array for testing */
+    protected $session = [];
+    /** @var SessionManager Server-side session management abstraction */
+    protected $sessionManager = null;
    /**
     * Assign reference data
@@ -26,7 +32,20 @@ class SessionManagerTest extends TestCase
    public static function setUpBeforeClass()
    {
        self::$sidHashes = ReferenceSessionIdHashes::getHashes();
-        self::$conf = new FakeConfigManager();
+    }
+    /**
+     * Initialize or reset test resources
+     */
+    public function setUp()
+    {
+        $this->conf = new FakeConfigManager([
+            'credentials.login' => 'johndoe',
+            'credentials.salt' => 'salt',
+            'security.session_protection_disabled' => false,
+        ]);
+        $this->session = [];
+        $this->sessionManager = new SessionManager($this->session, $this->conf);
    }
    /**
@@ -34,12 +53,9 @@ class SessionManagerTest extends TestCase
     */
    public function testGenerateToken()
    {
-        $session = [];
+        $token = $this->sessionManager->generateToken();
-        $sessionManager = new SessionManager($session, self::$conf);
-        $token = $sessionManager->generateToken();
-        $this->assertEquals(1, $session['tokens'][$token]);
+        $this->assertEquals(1, $this->session['tokens'][$token]);
        $this->assertEquals(40, strlen($token));
    }
@@ -54,7 +70,7 @@ class SessionManagerTest extends TestCase
                $token => 1,
            ],
        ];
-        $sessionManager = new SessionManager($session, self::$conf);
+        $sessionManager = new SessionManager($session, $this->conf);
        // check and destroy the token
        $this->assertTrue($sessionManager->checkToken($token));
@@ -69,21 +85,18 @@ class SessionManagerTest extends TestCase
     */
    public function testGenerateAndCheckToken()
    {
-        $session = [];
+        $token = $this->sessionManager->generateToken();
-        $sessionManager = new SessionManager($session, self::$conf);
-        $token = $sessionManager->generateToken();
        // ensure a token has been generated
-        $this->assertEquals(1, $session['tokens'][$token]);
+        $this->assertEquals(1, $this->session['tokens'][$token]);
        $this->assertEquals(40, strlen($token));
        // check and destroy the token
-        $this->assertTrue($sessionManager->checkToken($token));
+        $this->assertTrue($this->sessionManager->checkToken($token));
-        $this->assertFalse(isset($session['tokens'][$token]));
+        $this->assertFalse(isset($this->session['tokens'][$token]));
        // ensure the token has been destroyed
-        $this->assertFalse($sessionManager->checkToken($token));
+        $this->assertFalse($this->sessionManager->checkToken($token));
    }
    /**
@@ -91,10 +104,7 @@ class SessionManagerTest extends TestCase
     */
    public function testCheckInvalidToken()
    {
-        $session = [];
+        $this->assertFalse($this->sessionManager->checkToken('4dccc3a45ad9d03e5542b90c37d8db6d10f2b38b'));
-        $sessionManager = new SessionManager($session, self::$conf);
-        $this->assertFalse($sessionManager->checkToken('4dccc3a45ad9d03e5542b90c37d8db6d10f2b38b'));
    }
    /**
@@ -146,4 +156,131 @@ class SessionManagerTest extends TestCase
            SessionManager::checkId('c0ZqcWF3VFE2NmJBdm1HMVQ0ZHJ3UmZPbTFsNGhkNHI=')
        );
    }
+    /**
+     * Store login information after a successful login
+     */
+    public function testStoreLoginInfo()
+    {
+        $this->sessionManager->storeLoginInfo('ip_id');
+        $this->assertTrue(isset($this->session['uid']));
+        $this->assertGreaterThan(time(), $this->session['expires_on']);
+        $this->assertEquals('ip_id', $this->session['ip']);
+        $this->assertEquals('johndoe', $this->session['username']);
+    }
+    /**
+     * Extend a server-side session by SessionManager::$SHORT_TIMEOUT
+     */
+    public function testExtendSession()
+    {
+        $this->sessionManager->extendSession();
+        $this->assertGreaterThan(time(), $this->session['expires_on']);
+        $this->assertLessThanOrEqual(
+            time() + SessionManager::$SHORT_TIMEOUT,
+            $this->session['expires_on']
+        );
+    }
+    /**
+     * Extend a server-side session by SessionManager::$LONG_TIMEOUT
+     */
+    public function testExtendSessionStaySignedIn()
+    {
+        $this->sessionManager->setStaySignedIn(true);
+        $this->sessionManager->extendSession();
+        $this->assertGreaterThan(time(), $this->session['expires_on']);
+        $this->assertGreaterThan(
+            time() + SessionManager::$LONG_TIMEOUT - 10,
+            $this->session['expires_on']
+        );
+        $this->assertLessThanOrEqual(
+            time() + SessionManager::$LONG_TIMEOUT,
+            $this->session['expires_on']
+        );
+    }
+    /**
+     * Unset session variables after logging out
+     */
+    public function testLogout()
+    {
+        $this->session = [
+            'uid' => 'some-uid',
+            'ip' => 'ip_id',
+            'expires_on' => time() + 1000,
+            'username' => 'johndoe',
+            'visibility' => 'public',
+            'untaggedonly' => false,
+        ];
+        $this->sessionManager->logout();
+        $this->assertFalse(isset($this->session['uid']));
+        $this->assertFalse(isset($this->session['ip']));
+        $this->assertFalse(isset($this->session['expires_on']));
+        $this->assertFalse(isset($this->session['username']));
+        $this->assertFalse(isset($this->session['visibility']));
+        $this->assertFalse(isset($this->session['untaggedonly']));
+    }
+    /**
+     * The session is considered as expired because the UID is missing
+     */
+    public function testHasExpiredNoUid()
+    {
+        $this->assertTrue($this->sessionManager->hasSessionExpired());
+    }
+    /**
+     * The session is active and expiration time has been reached
+     */
+    public function testHasExpiredTimeElapsed()
+    {
+        $this->session['uid'] = 'some-uid';
+        $this->session['expires_on'] = time() - 10;
+        $this->assertTrue($this->sessionManager->hasSessionExpired());
+    }
+    /**
+     * The session is active and expiration time has not been reached
+     */
+    public function testHasNotExpired()
+    {
+        $this->session['uid'] = 'some-uid';
+        $this->session['expires_on'] = time() + 1000;
+        $this->assertFalse($this->sessionManager->hasSessionExpired());
+    }
+    /**
+     * Session hijacking protection is disabled, we assume the IP has not changed
+     */
+    public function testHasClientIpChangedNoSessionProtection()
+    {
+        $this->conf->set('security.session_protection_disabled', true);
+        $this->assertFalse($this->sessionManager->hasClientIpChanged(''));
+    }
+    /**
+     * The client IP identifier has not changed
+     */
+    public function testHasClientIpChangedNope()
+    {
+        $this->session['ip'] = 'ip_id';
+        $this->assertFalse($this->sessionManager->hasClientIpChanged('ip_id'));
+    }
+    /**
+     * The client IP identifier has changed
+     */
+    public function testHasClientIpChanged()
+    {
+        $this->session['ip'] = 'ip_id_one';
+        $this->assertTrue($this->sessionManager->hasClientIpChanged('ip_id_two'));
+    }
 }
author	VirtualTam <virtualtam@flibidi.net>	2018-04-27 23:17:38 +0200
committer	VirtualTam <virtualtam@flibidi.net>	2018-06-02 16:46:06 +0200
commit	51f0128cdba52099c40693379e72f094b42a6f80 (patch)
tree	57f71dc7d38611aaf91e77703acfd7ffbd0ac7c1 /tests/security
parent	fab87c2696b9d6a26310f1bfc024b018ca5184fe (diff)
download	Shaarli-51f0128cdba52099c40693379e72f094b42a6f80.tar.gz Shaarli-51f0128cdba52099c40693379e72f094b42a6f80.tar.zst Shaarli-51f0128cdba52099c40693379e72f094b42a6f80.zip

diff --git a/tests/security/SessionManagerTest.php b/tests/security/SessionManagerTest.php index e4e1cfbc..e1c72707 100644 --- a/tests/security/SessionManagerTest.php +++ b/tests/security/SessionManagerTest.php
@@ -14,11 +14,17 @@ use \PHPUnit\Framework\TestCase;
14	*/	14	*/
15	class SessionManagerTest extends TestCase	15	class SessionManagerTest extends TestCase
16	{	16	{
17	// Session ID hashes	17	/** @var array Session ID hashes */
18	protected static $sidHashes = null;	18	protected static $sidHashes = null;
19		19
20	// Fake ConfigManager	20	/** @var FakeConfigManager ConfigManager substitute for testing */
21	protected static $conf = null;	21	protected $conf = null;
		22
		23	/** @var array $_SESSION array for testing */
		24	protected $session = [];
		25
		26	/** @var SessionManager Server-side session management abstraction */
		27	protected $sessionManager = null;
22		28
23	/**	29	/**
24	* Assign reference data	30	* Assign reference data
@@ -26,7 +32,20 @@ class SessionManagerTest extends TestCase
26	public static function setUpBeforeClass()	32	public static function setUpBeforeClass()
27	{	33	{
28	self::$sidHashes = ReferenceSessionIdHashes::getHashes();	34	self::$sidHashes = ReferenceSessionIdHashes::getHashes();
29	self::$conf = new FakeConfigManager();	35	}
		36
		37	/**
		38	* Initialize or reset test resources
		39	*/
		40	public function setUp()
		41	{
		42	$this->conf = new FakeConfigManager([
		43	'credentials.login' => 'johndoe',
		44	'credentials.salt' => 'salt',
		45	'security.session_protection_disabled' => false,
		46	]);
		47	$this->session = [];
		48	$this->sessionManager = new SessionManager($this->session, $this->conf);
30	}	49	}
31		50
32	/**	51	/**
@@ -34,12 +53,9 @@ class SessionManagerTest extends TestCase
34	*/	53	*/
35	public function testGenerateToken()	54	public function testGenerateToken()
36	{	55	{
37	$session = [];	56	$token = $this->sessionManager->generateToken();
38	$sessionManager = new SessionManager($session, self::$conf);
39
40	$token = $sessionManager->generateToken();
41		57
42	$this->assertEquals(1, $session['tokens'][$token]);	58	$this->assertEquals(1, $this->session['tokens'][$token]);
43	$this->assertEquals(40, strlen($token));	59	$this->assertEquals(40, strlen($token));
44	}	60	}
45		61
@@ -54,7 +70,7 @@ class SessionManagerTest extends TestCase
54	$token => 1,	70	$token => 1,
55	],	71	],
56	];	72	];
57	$sessionManager = new SessionManager($session, self::$conf);	73	$sessionManager = new SessionManager($session, $this->conf);
58		74
59	// check and destroy the token	75	// check and destroy the token
60	$this->assertTrue($sessionManager->checkToken($token));	76	$this->assertTrue($sessionManager->checkToken($token));
@@ -69,21 +85,18 @@ class SessionManagerTest extends TestCase
69	*/	85	*/
70	public function testGenerateAndCheckToken()	86	public function testGenerateAndCheckToken()
71	{	87	{
72	$session = [];	88	$token = $this->sessionManager->generateToken();
73	$sessionManager = new SessionManager($session, self::$conf);
74
75	$token = $sessionManager->generateToken();
76		89
77	// ensure a token has been generated	90	// ensure a token has been generated
78	$this->assertEquals(1, $session['tokens'][$token]);	91	$this->assertEquals(1, $this->session['tokens'][$token]);
79	$this->assertEquals(40, strlen($token));	92	$this->assertEquals(40, strlen($token));
80		93
81	// check and destroy the token	94	// check and destroy the token
82	$this->assertTrue($sessionManager->checkToken($token));	95	$this->assertTrue($this->sessionManager->checkToken($token));
83	$this->assertFalse(isset($session['tokens'][$token]));	96	$this->assertFalse(isset($this->session['tokens'][$token]));
84		97
85	// ensure the token has been destroyed	98	// ensure the token has been destroyed
86	$this->assertFalse($sessionManager->checkToken($token));	99	$this->assertFalse($this->sessionManager->checkToken($token));
87	}	100	}
88		101
89	/**	102	/**
@@ -91,10 +104,7 @@ class SessionManagerTest extends TestCase
91	*/	104	*/
92	public function testCheckInvalidToken()	105	public function testCheckInvalidToken()
93	{	106	{
94	$session = [];	107	$this->assertFalse($this->sessionManager->checkToken('4dccc3a45ad9d03e5542b90c37d8db6d10f2b38b'));
95	$sessionManager = new SessionManager($session, self::$conf);
96
97	$this->assertFalse($sessionManager->checkToken('4dccc3a45ad9d03e5542b90c37d8db6d10f2b38b'));
98	}	108	}
99		109
100	/**	110	/**
@@ -146,4 +156,131 @@ class SessionManagerTest extends TestCase
146	SessionManager::checkId('c0ZqcWF3VFE2NmJBdm1HMVQ0ZHJ3UmZPbTFsNGhkNHI=')	156	SessionManager::checkId('c0ZqcWF3VFE2NmJBdm1HMVQ0ZHJ3UmZPbTFsNGhkNHI=')
147	);	157	);
148	}	158	}
		159
		160	/**
		161	* Store login information after a successful login
		162	*/
		163	public function testStoreLoginInfo()
		164	{
		165	$this->sessionManager->storeLoginInfo('ip_id');
		166
		167	$this->assertTrue(isset($this->session['uid']));
		168	$this->assertGreaterThan(time(), $this->session['expires_on']);
		169	$this->assertEquals('ip_id', $this->session['ip']);
		170	$this->assertEquals('johndoe', $this->session['username']);
		171	}
		172
		173	/**
		174	* Extend a server-side session by SessionManager::$SHORT_TIMEOUT
		175	*/
		176	public function testExtendSession()
		177	{
		178	$this->sessionManager->extendSession();
		179
		180	$this->assertGreaterThan(time(), $this->session['expires_on']);
		181	$this->assertLessThanOrEqual(
		182	time() + SessionManager::$SHORT_TIMEOUT,
		183	$this->session['expires_on']
		184	);
		185	}
		186
		187	/**
		188	* Extend a server-side session by SessionManager::$LONG_TIMEOUT
		189	*/
		190	public function testExtendSessionStaySignedIn()
		191	{
		192	$this->sessionManager->setStaySignedIn(true);
		193	$this->sessionManager->extendSession();
		194
		195	$this->assertGreaterThan(time(), $this->session['expires_on']);
		196	$this->assertGreaterThan(
		197	time() + SessionManager::$LONG_TIMEOUT - 10,
		198	$this->session['expires_on']
		199	);
		200	$this->assertLessThanOrEqual(
		201	time() + SessionManager::$LONG_TIMEOUT,
		202	$this->session['expires_on']
		203	);
		204	}
		205
		206	/**
		207	* Unset session variables after logging out
		208	*/
		209	public function testLogout()
		210	{
		211	$this->session = [
		212	'uid' => 'some-uid',
		213	'ip' => 'ip_id',
		214	'expires_on' => time() + 1000,
		215	'username' => 'johndoe',
		216	'visibility' => 'public',
		217	'untaggedonly' => false,
		218	];
		219	$this->sessionManager->logout();
		220
		221	$this->assertFalse(isset($this->session['uid']));
		222	$this->assertFalse(isset($this->session['ip']));
		223	$this->assertFalse(isset($this->session['expires_on']));
		224	$this->assertFalse(isset($this->session['username']));
		225	$this->assertFalse(isset($this->session['visibility']));
		226	$this->assertFalse(isset($this->session['untaggedonly']));
		227	}
		228
		229	/**
		230	* The session is considered as expired because the UID is missing
		231	*/
		232	public function testHasExpiredNoUid()
		233	{
		234	$this->assertTrue($this->sessionManager->hasSessionExpired());
		235	}
		236
		237	/**
		238	* The session is active and expiration time has been reached
		239	*/
		240	public function testHasExpiredTimeElapsed()
		241	{
		242	$this->session['uid'] = 'some-uid';
		243	$this->session['expires_on'] = time() - 10;
		244
		245	$this->assertTrue($this->sessionManager->hasSessionExpired());
		246	}
		247
		248	/**
		249	* The session is active and expiration time has not been reached
		250	*/
		251	public function testHasNotExpired()
		252	{
		253	$this->session['uid'] = 'some-uid';
		254	$this->session['expires_on'] = time() + 1000;
		255
		256	$this->assertFalse($this->sessionManager->hasSessionExpired());
		257	}
		258
		259	/**
		260	* Session hijacking protection is disabled, we assume the IP has not changed
		261	*/
		262	public function testHasClientIpChangedNoSessionProtection()
		263	{
		264	$this->conf->set('security.session_protection_disabled', true);
		265
		266	$this->assertFalse($this->sessionManager->hasClientIpChanged(''));
		267	}
		268
		269	/**
		270	* The client IP identifier has not changed
		271	*/
		272	public function testHasClientIpChangedNope()
		273	{
		274	$this->session['ip'] = 'ip_id';
		275	$this->assertFalse($this->sessionManager->hasClientIpChanged('ip_id'));
		276	}
		277
		278	/**
		279	* The client IP identifier has changed
		280	*/
		281	public function testHasClientIpChanged()
		282	{
		283	$this->session['ip'] = 'ip_id_one';
		284	$this->assertTrue($this->sessionManager->hasClientIpChanged('ip_id_two'));
		285	}
149	}	286	}