diff options
Diffstat (limited to 'tests/security/LoginManagerTest.php')
-rw-r--r-- | tests/security/LoginManagerTest.php | 115 |
1 files changed, 20 insertions, 95 deletions
diff --git a/tests/security/LoginManagerTest.php b/tests/security/LoginManagerTest.php index f26cd1eb..eef0f22a 100644 --- a/tests/security/LoginManagerTest.php +++ b/tests/security/LoginManagerTest.php | |||
@@ -2,7 +2,8 @@ | |||
2 | namespace Shaarli\Security; | 2 | namespace Shaarli\Security; |
3 | 3 | ||
4 | require_once 'tests/utils/FakeConfigManager.php'; | 4 | require_once 'tests/utils/FakeConfigManager.php'; |
5 | use \PHPUnit\Framework\TestCase; | 5 | |
6 | use PHPUnit\Framework\TestCase; | ||
6 | 7 | ||
7 | /** | 8 | /** |
8 | * Test coverage for LoginManager | 9 | * Test coverage for LoginManager |
@@ -74,54 +75,27 @@ class LoginManagerTest extends TestCase | |||
74 | 'credentials.salt' => $this->salt, | 75 | 'credentials.salt' => $this->salt, |
75 | 'resource.ban_file' => $this->banFile, | 76 | 'resource.ban_file' => $this->banFile, |
76 | 'resource.log' => $this->logFile, | 77 | 'resource.log' => $this->logFile, |
77 | 'security.ban_after' => 4, | 78 | 'security.ban_after' => 2, |
78 | 'security.ban_duration' => 3600, | 79 | 'security.ban_duration' => 3600, |
79 | 'security.trusted_proxies' => [$this->trustedProxy], | 80 | 'security.trusted_proxies' => [$this->trustedProxy], |
80 | ]); | 81 | ]); |
81 | 82 | ||
82 | $this->cookie = []; | 83 | $this->cookie = []; |
83 | |||
84 | $this->globals = &$GLOBALS; | ||
85 | unset($this->globals['IPBANS']); | ||
86 | |||
87 | $this->session = []; | 84 | $this->session = []; |
88 | 85 | ||
89 | $this->sessionManager = new SessionManager($this->session, $this->configManager); | 86 | $this->sessionManager = new SessionManager($this->session, $this->configManager); |
90 | $this->loginManager = new LoginManager($this->globals, $this->configManager, $this->sessionManager); | 87 | $this->loginManager = new LoginManager($this->configManager, $this->sessionManager); |
91 | $this->server['REMOTE_ADDR'] = $this->ipAddr; | 88 | $this->server['REMOTE_ADDR'] = $this->ipAddr; |
92 | } | 89 | } |
93 | 90 | ||
94 | /** | 91 | /** |
95 | * Wipe test resources | ||
96 | */ | ||
97 | public function tearDown() | ||
98 | { | ||
99 | unset($this->globals['IPBANS']); | ||
100 | } | ||
101 | |||
102 | /** | ||
103 | * Instantiate a LoginManager and load ban records | ||
104 | */ | ||
105 | public function testReadBanFile() | ||
106 | { | ||
107 | file_put_contents( | ||
108 | $this->banFile, | ||
109 | "<?php\n\$GLOBALS['IPBANS']=array('FAILURES' => array('127.0.0.1' => 99));\n?>" | ||
110 | ); | ||
111 | new LoginManager($this->globals, $this->configManager, null); | ||
112 | $this->assertEquals(99, $this->globals['IPBANS']['FAILURES']['127.0.0.1']); | ||
113 | } | ||
114 | |||
115 | /** | ||
116 | * Record a failed login attempt | 92 | * Record a failed login attempt |
117 | */ | 93 | */ |
118 | public function testHandleFailedLogin() | 94 | public function testHandleFailedLogin() |
119 | { | 95 | { |
120 | $this->loginManager->handleFailedLogin($this->server); | 96 | $this->loginManager->handleFailedLogin($this->server); |
121 | $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | ||
122 | |||
123 | $this->loginManager->handleFailedLogin($this->server); | 97 | $this->loginManager->handleFailedLogin($this->server); |
124 | $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | 98 | $this->assertFalse($this->loginManager->canLogin($this->server)); |
125 | } | 99 | } |
126 | 100 | ||
127 | /** | 101 | /** |
@@ -134,10 +108,8 @@ class LoginManagerTest extends TestCase | |||
134 | 'HTTP_X_FORWARDED_FOR' => $this->ipAddr, | 108 | 'HTTP_X_FORWARDED_FOR' => $this->ipAddr, |
135 | ]; | 109 | ]; |
136 | $this->loginManager->handleFailedLogin($server); | 110 | $this->loginManager->handleFailedLogin($server); |
137 | $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | ||
138 | |||
139 | $this->loginManager->handleFailedLogin($server); | 111 | $this->loginManager->handleFailedLogin($server); |
140 | $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | 112 | $this->assertFalse($this->loginManager->canLogin($server)); |
141 | } | 113 | } |
142 | 114 | ||
143 | /** | 115 | /** |
@@ -149,39 +121,8 @@ class LoginManagerTest extends TestCase | |||
149 | 'REMOTE_ADDR' => $this->trustedProxy, | 121 | 'REMOTE_ADDR' => $this->trustedProxy, |
150 | ]; | 122 | ]; |
151 | $this->loginManager->handleFailedLogin($server); | 123 | $this->loginManager->handleFailedLogin($server); |
152 | $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr])); | ||
153 | |||
154 | $this->loginManager->handleFailedLogin($server); | 124 | $this->loginManager->handleFailedLogin($server); |
155 | $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr])); | 125 | $this->assertTrue($this->loginManager->canLogin($server)); |
156 | } | ||
157 | |||
158 | /** | ||
159 | * Record a failed login attempt and ban the IP after too many failures | ||
160 | */ | ||
161 | public function testHandleFailedLoginBanIp() | ||
162 | { | ||
163 | $this->loginManager->handleFailedLogin($this->server); | ||
164 | $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | ||
165 | $this->assertTrue($this->loginManager->canLogin($this->server)); | ||
166 | |||
167 | $this->loginManager->handleFailedLogin($this->server); | ||
168 | $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | ||
169 | $this->assertTrue($this->loginManager->canLogin($this->server)); | ||
170 | |||
171 | $this->loginManager->handleFailedLogin($this->server); | ||
172 | $this->assertEquals(3, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | ||
173 | $this->assertTrue($this->loginManager->canLogin($this->server)); | ||
174 | |||
175 | $this->loginManager->handleFailedLogin($this->server); | ||
176 | $this->assertEquals(4, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | ||
177 | $this->assertFalse($this->loginManager->canLogin($this->server)); | ||
178 | |||
179 | // handleFailedLogin is not supposed to be called at this point: | ||
180 | // - no login form should be displayed once an IP has been banned | ||
181 | // - yet this could happen when using custom templates / scripts | ||
182 | $this->loginManager->handleFailedLogin($this->server); | ||
183 | $this->assertEquals(5, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | ||
184 | $this->assertFalse($this->loginManager->canLogin($this->server)); | ||
185 | } | 126 | } |
186 | 127 | ||
187 | /** | 128 | /** |
@@ -201,14 +142,11 @@ class LoginManagerTest extends TestCase | |||
201 | public function testHandleSuccessfulLoginAfterFailure() | 142 | public function testHandleSuccessfulLoginAfterFailure() |
202 | { | 143 | { |
203 | $this->loginManager->handleFailedLogin($this->server); | 144 | $this->loginManager->handleFailedLogin($this->server); |
204 | $this->loginManager->handleFailedLogin($this->server); | ||
205 | $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); | ||
206 | $this->assertTrue($this->loginManager->canLogin($this->server)); | 145 | $this->assertTrue($this->loginManager->canLogin($this->server)); |
207 | 146 | ||
208 | $this->loginManager->handleSuccessfulLogin($this->server); | 147 | $this->loginManager->handleSuccessfulLogin($this->server); |
148 | $this->loginManager->handleFailedLogin($this->server); | ||
209 | $this->assertTrue($this->loginManager->canLogin($this->server)); | 149 | $this->assertTrue($this->loginManager->canLogin($this->server)); |
210 | $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr])); | ||
211 | $this->assertFalse(isset($this->globals['IPBANS']['BANS'][$this->ipAddr])); | ||
212 | } | 150 | } |
213 | 151 | ||
214 | /** | 152 | /** |
@@ -220,41 +158,28 @@ class LoginManagerTest extends TestCase | |||
220 | } | 158 | } |
221 | 159 | ||
222 | /** | 160 | /** |
223 | * The IP is banned | 161 | * Generate a token depending on the user credentials and client IP |
224 | */ | ||
225 | public function testCanLoginIpBanned() | ||
226 | { | ||
227 | // ban the IP for an hour | ||
228 | $this->globals['IPBANS']['FAILURES'][$this->ipAddr] = 10; | ||
229 | $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() + 3600; | ||
230 | |||
231 | $this->assertFalse($this->loginManager->canLogin($this->server)); | ||
232 | } | ||
233 | |||
234 | /** | ||
235 | * The IP is banned, and the ban duration is over | ||
236 | */ | 162 | */ |
237 | public function testCanLoginIpBanExpired() | 163 | public function testGenerateStaySignedInToken() |
238 | { | 164 | { |
239 | // ban the IP for an hour | 165 | $this->loginManager->generateStaySignedInToken($this->clientIpAddress); |
240 | $this->globals['IPBANS']['FAILURES'][$this->ipAddr] = 10; | ||
241 | $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() + 3600; | ||
242 | $this->assertFalse($this->loginManager->canLogin($this->server)); | ||
243 | 166 | ||
244 | // lift the ban | 167 | $this->assertEquals( |
245 | $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() - 3600; | 168 | sha1($this->passwordHash . $this->clientIpAddress . $this->salt), |
246 | $this->assertTrue($this->loginManager->canLogin($this->server)); | 169 | $this->loginManager->getStaySignedInToken() |
170 | ); | ||
247 | } | 171 | } |
248 | 172 | ||
249 | /** | 173 | /** |
250 | * Generate a token depending on the user credentials and client IP | 174 | * Generate a token depending on the user credentials with session protected disabled |
251 | */ | 175 | */ |
252 | public function testGenerateStaySignedInToken() | 176 | public function testGenerateStaySignedInTokenSessionProtectionDisabled() |
253 | { | 177 | { |
178 | $this->configManager->set('security.session_protection_disabled', true); | ||
254 | $this->loginManager->generateStaySignedInToken($this->clientIpAddress); | 179 | $this->loginManager->generateStaySignedInToken($this->clientIpAddress); |
255 | 180 | ||
256 | $this->assertEquals( | 181 | $this->assertEquals( |
257 | sha1($this->passwordHash . $this->clientIpAddress . $this->salt), | 182 | sha1($this->passwordHash . $this->salt), |
258 | $this->loginManager->getStaySignedInToken() | 183 | $this->loginManager->getStaySignedInToken() |
259 | ); | 184 | ); |
260 | } | 185 | } |
@@ -267,7 +192,7 @@ class LoginManagerTest extends TestCase | |||
267 | $configManager = new \FakeConfigManager([ | 192 | $configManager = new \FakeConfigManager([ |
268 | 'resource.ban_file' => $this->banFile, | 193 | 'resource.ban_file' => $this->banFile, |
269 | ]); | 194 | ]); |
270 | $loginManager = new LoginManager($this->globals, $configManager, null); | 195 | $loginManager = new LoginManager($configManager, null); |
271 | $loginManager->checkLoginState([], ''); | 196 | $loginManager->checkLoginState([], ''); |
272 | 197 | ||
273 | $this->assertFalse($loginManager->isLoggedIn()); | 198 | $this->assertFalse($loginManager->isLoggedIn()); |