2 files changed, 400 insertions, 97 deletions
diff --git a/tests/security/BanManagerTest.php b/tests/security/BanManagerTest.php
new file mode 100644
index 00000000..bba7c8ad
--- /dev/null
+++ b/tests/security/BanManagerTest.php
@@ -0,0 +1,393 @@
+<?php
+namespace Shaarli\Security;
+use PHPUnit\Framework\TestCase;
+use Shaarli\FileUtils;
+/**
+ * Test coverage for BanManager
+ */
+class BanManagerTest extends TestCase
+{
+    /** @var BanManager Ban Manager instance */
+    protected $banManager;
+    /** @var string Banned IP filename */
+    protected $banFile = 'sandbox/ipbans.php';
+    /** @var string Log filename */
+    protected $logFile = 'sandbox/shaarli.log';
+    /** @var string Local client IP address */
+    protected $ipAddr = '127.0.0.1';
+    /** @var string Trusted proxy IP address */
+    protected $trustedProxy = '10.1.1.100';
+    /** @var array Simulates the $_SERVER array */
+    protected $server = [];
+    /**
+     * Prepare or reset test resources
+     */
+    public function setUp()
+    {
+        if (file_exists($this->banFile)) {
+            unlink($this->banFile);
+        }
+        $this->banManager = $this->getNewBanManagerInstance();
+        $this->server['REMOTE_ADDR'] = $this->ipAddr;
+    }
+    /**
+     * Test constructor with initial file.
+     */
+    public function testInstantiateFromFile()
+    {
+        $time = time() + 10;
+        FileUtils::writeFlatDB(
+            $this->banFile,
+            [
+                'failures' => [
+                    $this->ipAddr => 2,
+                    $ip = '1.2.3.4' => 1,
+                ],
+                'bans' => [
+                    $ip2 = '8.8.8.8' => $time,
+                    $ip3 = '1.1.1.1' => $time + 1,
+                ],
+            ]
+        );
+        $this->banManager = $this->getNewBanManagerInstance();
+        $this->assertCount(2, $this->banManager->getFailures());
+        $this->assertEquals(2, $this->banManager->getFailures()[$this->ipAddr]);
+        $this->assertEquals(1, $this->banManager->getFailures()[$ip]);
+        $this->assertCount(2, $this->banManager->getBans());
+        $this->assertEquals($time, $this->banManager->getBans()[$ip2]);
+        $this->assertEquals($time + 1, $this->banManager->getBans()[$ip3]);
+    }
+    /**
+     * Test constructor with initial file with invalid values
+     */
+    public function testInstantiateFromCrappyFile()
+    {
+        FileUtils::writeFlatDB($this->banFile, 'plop');
+        $this->banManager = $this->getNewBanManagerInstance();
+        $this->assertEquals([], $this->banManager->getFailures());
+        $this->assertEquals([], $this->banManager->getBans());
+    }
+    /**
+     * Test failed attempt with a direct IP.
+     */
+    public function testHandleFailedAttempt()
+    {
+        $this->assertCount(0, $this->banManager->getFailures());
+        $this->banManager->handleFailedAttempt($this->server);
+        $this->assertCount(1, $this->banManager->getFailures());
+        $this->assertEquals(1, $this->banManager->getFailures()[$this->ipAddr]);
+        $this->banManager->handleFailedAttempt($this->server);
+        $this->assertCount(1, $this->banManager->getFailures());
+        $this->assertEquals(2, $this->banManager->getFailures()[$this->ipAddr]);
+    }
+    /**
+     * Test failed attempt behind a trusted proxy IP (with proper IP forwarding).
+     */
+    public function testHandleFailedAttemptBehingProxy()
+    {
+        $server = [
+            'REMOTE_ADDR' => $this->trustedProxy,
+            'HTTP_X_FORWARDED_FOR' => $this->ipAddr,
+        ];
+        $this->assertCount(0, $this->banManager->getFailures());
+        $this->banManager->handleFailedAttempt($server);
+        $this->assertCount(1, $this->banManager->getFailures());
+        $this->assertEquals(1, $this->banManager->getFailures()[$this->ipAddr]);
+        $this->banManager->handleFailedAttempt($server);
+        $this->assertCount(1, $this->banManager->getFailures());
+        $this->assertEquals(2, $this->banManager->getFailures()[$this->ipAddr]);
+    }
+    /**
+     * Test failed attempt behind a trusted proxy IP but without IP forwarding.
+     */
+    public function testHandleFailedAttemptBehindNotConfiguredProxy()
+    {
+        $server = [
+            'REMOTE_ADDR' => $this->trustedProxy,
+        ];
+        $this->assertCount(0, $this->banManager->getFailures());
+        $this->banManager->handleFailedAttempt($server);
+        $this->assertCount(0, $this->banManager->getFailures());
+        $this->banManager->handleFailedAttempt($server);
+        $this->assertCount(0, $this->banManager->getFailures());
+    }
+    /**
+     * Test failed attempts with multiple direct IP.
+     */
+    public function testHandleFailedAttemptMultipleIp()
+    {
+        $this->assertCount(0, $this->banManager->getFailures());
+        $this->banManager->handleFailedAttempt($this->server);
+        $this->server['REMOTE_ADDR'] = '1.2.3.4';
+        $this->banManager->handleFailedAttempt($this->server);
+        $this->banManager->handleFailedAttempt($this->server);
+        $this->assertCount(2, $this->banManager->getFailures());
+        $this->assertEquals(1, $this->banManager->getFailures()[$this->ipAddr]);
+        $this->assertEquals(2, $this->banManager->getFailures()[$this->server['REMOTE_ADDR']]);
+    }
+    /**
+     * Test clear failure for provided IP without any additional data.
+     */
+    public function testClearFailuresEmpty()
+    {
+        $this->assertCount(0, $this->banManager->getFailures());
+        $this->banManager->clearFailures($this->server);
+        $this->assertCount(0, $this->banManager->getFailures());
+    }
+    /**
+     * Test clear failure for provided IP with failed attempts.
+     */
+    public function testClearFailuresFromFile()
+    {
+        FileUtils::writeFlatDB(
+            $this->banFile,
+            [
+                'failures' => [
+                    $this->ipAddr => 2,
+                    $ip = '1.2.3.4' => 1,
+                ]
+            ]
+        );
+        $this->banManager = $this->getNewBanManagerInstance();
+        $this->assertCount(2, $this->banManager->getFailures());
+        $this->banManager->clearFailures($this->server);
+        $this->assertCount(1, $this->banManager->getFailures());
+        $this->assertEquals(1, $this->banManager->getFailures()[$ip]);
+    }
+    /**
+     * Test clear failure for provided IP with failed attempts, behind a reverse proxy.
+     */
+    public function testClearFailuresFromFileBehindProxy()
+    {
+        $server = [
+            'REMOTE_ADDR' => $this->trustedProxy,
+            'HTTP_X_FORWARDED_FOR' => $this->ipAddr,
+        ];
+        FileUtils::writeFlatDB(
+            $this->banFile,
+            [
+                'failures' => [
+                    $this->ipAddr => 2,
+                    $ip = '1.2.3.4' => 1,
+                ]
+            ]
+        );
+        $this->banManager = $this->getNewBanManagerInstance();
+        $this->assertCount(2, $this->banManager->getFailures());
+        $this->banManager->clearFailures($server);
+        $this->assertCount(1, $this->banManager->getFailures());
+        $this->assertEquals(1, $this->banManager->getFailures()[$ip]);
+    }
+    /**
+     * Test clear failure for provided IP with failed attempts,
+     * behind a reverse proxy without forwarding.
+     */
+    public function testClearFailuresFromFileBehindNotConfiguredProxy()
+    {
+        $server = [
+            'REMOTE_ADDR' => $this->trustedProxy,
+        ];
+        FileUtils::writeFlatDB(
+            $this->banFile,
+            [
+                'failures' => [
+                    $this->ipAddr => 2,
+                    $ip = '1.2.3.4' => 1,
+                ]
+            ]
+        );
+        $this->banManager = $this->getNewBanManagerInstance();
+        $this->assertCount(2, $this->banManager->getFailures());
+        $this->banManager->clearFailures($server);
+        $this->assertCount(2, $this->banManager->getFailures());
+    }
+    /**
+     * Test isBanned without any data
+     */
+    public function testIsBannedEmpty()
+    {
+        $this->assertFalse($this->banManager->isBanned($this->server));
+    }
+    /**
+     * Test isBanned with banned IP from file data
+     */
+    public function testBannedFromFile()
+    {
+        FileUtils::writeFlatDB(
+            $this->banFile,
+            [
+                'bans' => [
+                    $this->ipAddr => time() + 10,
+                ]
+            ]
+        );
+        $this->banManager = $this->getNewBanManagerInstance();
+        $this->assertCount(1, $this->banManager->getBans());
+        $this->assertTrue($this->banManager->isBanned($this->server));
+    }
+    /**
+     * Test isBanned with banned IP from file data behind a reverse proxy
+     */
+    public function testBannedFromFileBehindProxy()
+    {
+        $server = [
+            'REMOTE_ADDR' => $this->trustedProxy,
+            'HTTP_X_FORWARDED_FOR' => $this->ipAddr,
+        ];
+        FileUtils::writeFlatDB(
+            $this->banFile,
+            [
+                'bans' => [
+                    $this->ipAddr => time() + 10,
+                ]
+            ]
+        );
+        $this->banManager = $this->getNewBanManagerInstance();
+        $this->assertCount(1, $this->banManager->getBans());
+        $this->assertTrue($this->banManager->isBanned($server));
+    }
+    /**
+     * Test isBanned with banned IP from file data behind a reverse proxy,
+     * without IP forwarding
+     */
+    public function testBannedFromFileBehindNotConfiguredProxy()
+    {
+        $server = [
+            'REMOTE_ADDR' => $this->trustedProxy,
+        ];
+        FileUtils::writeFlatDB(
+            $this->banFile,
+            [
+                'bans' => [
+                    $this->ipAddr => time() + 10,
+                ]
+            ]
+        );
+        $this->banManager = $this->getNewBanManagerInstance();
+        $this->assertCount(1, $this->banManager->getBans());
+        $this->assertFalse($this->banManager->isBanned($server));
+    }
+    /**
+     * Test isBanned with an expired ban
+     */
+    public function testLiftBan()
+    {
+        FileUtils::writeFlatDB(
+            $this->banFile,
+            [
+                'bans' => [
+                    $this->ipAddr => time() - 10,
+                ]
+            ]
+        );
+        $this->banManager = $this->getNewBanManagerInstance();
+        $this->assertCount(1, $this->banManager->getBans());
+        $this->assertFalse($this->banManager->isBanned($this->server));
+    }
+    /**
+     * Test isBanned with an expired ban behind a reverse proxy
+     */
+    public function testLiftBanBehindProxy()
+    {
+        $server = [
+            'REMOTE_ADDR' => $this->trustedProxy,
+            'HTTP_X_FORWARDED_FOR' => $this->ipAddr,
+        ];
+        FileUtils::writeFlatDB(
+            $this->banFile,
+            [
+                'bans' => [
+                    $this->ipAddr => time() - 10,
+                ]
+            ]
+        );
+        $this->banManager = $this->getNewBanManagerInstance();
+        $this->assertCount(1, $this->banManager->getBans());
+        $this->assertFalse($this->banManager->isBanned($server));
+    }
+    /**
+     * Test isBanned with an expired ban behind a reverse proxy
+     */
+    public function testLiftBanBehindNotConfiguredProxy()
+    {
+        $server = [
+            'REMOTE_ADDR' => $this->trustedProxy,
+        ];
+        FileUtils::writeFlatDB(
+            $this->banFile,
+            [
+                'bans' => [
+                    $this->ipAddr => time() - 10,
+                ]
+            ]
+        );
+        $this->banManager = $this->getNewBanManagerInstance();
+        $this->assertCount(1, $this->banManager->getBans());
+        $this->assertFalse($this->banManager->isBanned($server));
+    }
+    /**
+     * Build a new instance of BanManager, which will reread the ban file.
+     *
+     * @return BanManager instance
+     */
+    protected function getNewBanManagerInstance()
+    {
+        return new BanManager(
+            [$this->trustedProxy],
+            3,
+            1800,
+            $this->banFile,
+            $this->logFile
+        );
+    }
+}
diff --git a/tests/security/LoginManagerTest.php b/tests/security/LoginManagerTest.php
index 7b0262b3..eef0f22a 100644
--- a/tests/security/LoginManagerTest.php
+++ b/tests/security/LoginManagerTest.php
@@ -75,54 +75,27 @@ class LoginManagerTest extends TestCase
            'credentials.salt' => $this->salt,
            'resource.ban_file' => $this->banFile,
            'resource.log' => $this->logFile,
-            'security.ban_after' => 4,
+            'security.ban_after' => 2,
            'security.ban_duration' => 3600,
            'security.trusted_proxies' => [$this->trustedProxy],
        ]);
        $this->cookie = [];
-        $this->globals = &$GLOBALS;
-        unset($this->globals['IPBANS']);
        $this->session = [];
        $this->sessionManager = new SessionManager($this->session, $this->configManager);
-        $this->loginManager = new LoginManager($this->globals, $this->configManager, $this->sessionManager);
+        $this->loginManager = new LoginManager($this->configManager, $this->sessionManager);
        $this->server['REMOTE_ADDR'] = $this->ipAddr;
    }
    /**
-     * Wipe test resources
-     */
-    public function tearDown()
-    {
-        unset($this->globals['IPBANS']);
-    }
-    /**
-     * Instantiate a LoginManager and load ban records
-     */
-    public function testReadBanFile()
-    {
-        file_put_contents(
-            $this->banFile,
-            "<?php\n\$GLOBALS['IPBANS']=array('FAILURES' => array('127.0.0.1' => 99));\n?>"
-        );
-        new LoginManager($this->globals, $this->configManager, null);
-        $this->assertEquals(99, $this->globals['IPBANS']['FAILURES']['127.0.0.1']);
-    }
-    /**
     * Record a failed login attempt
     */
    public function testHandleFailedLogin()
    {
        $this->loginManager->handleFailedLogin($this->server);
-        $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
        $this->loginManager->handleFailedLogin($this->server);
-        $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
+        $this->assertFalse($this->loginManager->canLogin($this->server));
    }
    /**
@@ -135,10 +108,8 @@ class LoginManagerTest extends TestCase
            'HTTP_X_FORWARDED_FOR' => $this->ipAddr,
        ];
        $this->loginManager->handleFailedLogin($server);
-        $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
        $this->loginManager->handleFailedLogin($server);
-        $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
+        $this->assertFalse($this->loginManager->canLogin($server));
    }
    /**
@@ -150,39 +121,8 @@ class LoginManagerTest extends TestCase
            'REMOTE_ADDR' => $this->trustedProxy,
        ];
        $this->loginManager->handleFailedLogin($server);
-        $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr]));
        $this->loginManager->handleFailedLogin($server);
-        $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr]));
+        $this->assertTrue($this->loginManager->canLogin($server));
-    }
-    /**
-     * Record a failed login attempt and ban the IP after too many failures
-     */
-    public function testHandleFailedLoginBanIp()
-    {
-        $this->loginManager->handleFailedLogin($this->server);
-        $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
-        $this->assertTrue($this->loginManager->canLogin($this->server));
-        $this->loginManager->handleFailedLogin($this->server);
-        $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
-        $this->assertTrue($this->loginManager->canLogin($this->server));
-        $this->loginManager->handleFailedLogin($this->server);
-        $this->assertEquals(3, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
-        $this->assertTrue($this->loginManager->canLogin($this->server));
-        $this->loginManager->handleFailedLogin($this->server);
-        $this->assertEquals(4, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
-        $this->assertFalse($this->loginManager->canLogin($this->server));
-        // handleFailedLogin is not supposed to be called at this point:
-        // - no login form should be displayed once an IP has been banned
-        // - yet this could happen when using custom templates / scripts
-        $this->loginManager->handleFailedLogin($this->server);
-        $this->assertEquals(5, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
-        $this->assertFalse($this->loginManager->canLogin($this->server));
    }
    /**
@@ -202,14 +142,11 @@ class LoginManagerTest extends TestCase
    public function testHandleSuccessfulLoginAfterFailure()
    {
        $this->loginManager->handleFailedLogin($this->server);
-        $this->loginManager->handleFailedLogin($this->server);
-        $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
        $this->assertTrue($this->loginManager->canLogin($this->server));
        $this->loginManager->handleSuccessfulLogin($this->server);
+        $this->loginManager->handleFailedLogin($this->server);
        $this->assertTrue($this->loginManager->canLogin($this->server));
-        $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr]));
-        $this->assertFalse(isset($this->globals['IPBANS']['BANS'][$this->ipAddr]));
    }
    /**
@@ -221,33 +158,6 @@ class LoginManagerTest extends TestCase
    }
    /**
-     * The IP is banned
-     */
-    public function testCanLoginIpBanned()
-    {
-        // ban the IP for an hour
-        $this->globals['IPBANS']['FAILURES'][$this->ipAddr] = 10;
-        $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() + 3600;
-        $this->assertFalse($this->loginManager->canLogin($this->server));
-    }
-    /**
-     * The IP is banned, and the ban duration is over
-     */
-    public function testCanLoginIpBanExpired()
-    {
-        // ban the IP for an hour
-        $this->globals['IPBANS']['FAILURES'][$this->ipAddr] = 10;
-        $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() + 3600;
-        $this->assertFalse($this->loginManager->canLogin($this->server));
-        // lift the ban
-        $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() - 3600;
-        $this->assertTrue($this->loginManager->canLogin($this->server));
-    }
-    /**
     * Generate a token depending on the user credentials and client IP
     */
    public function testGenerateStaySignedInToken()
@@ -282,7 +192,7 @@ class LoginManagerTest extends TestCase
        $configManager = new \FakeConfigManager([
            'resource.ban_file' => $this->banFile,
        ]);
-        $loginManager = new LoginManager($this->globals, $configManager, null);
+        $loginManager = new LoginManager($configManager, null);
        $loginManager->checkLoginState([], '');
        $this->assertFalse($loginManager->isLoggedIn());

diff --git a/tests/security/BanManagerTest.php b/tests/security/BanManagerTest.php new file mode 100644 index 00000000..bba7c8ad --- /dev/null +++ b/tests/security/BanManagerTest.php
@@ -0,0 +1,393 @@
		1	<?php
		2
		3
		4	namespace Shaarli\Security;
		5
		6	use PHPUnit\Framework\TestCase;
		7	use Shaarli\FileUtils;
		8
		9	/**
		10	* Test coverage for BanManager
		11	*/
		12	class BanManagerTest extends TestCase
		13	{
		14	/** @var BanManager Ban Manager instance */
		15	protected $banManager;
		16
		17	/** @var string Banned IP filename */
		18	protected $banFile = 'sandbox/ipbans.php';
		19
		20	/** @var string Log filename */
		21	protected $logFile = 'sandbox/shaarli.log';
		22
		23	/** @var string Local client IP address */
		24	protected $ipAddr = '127.0.0.1';
		25
		26	/** @var string Trusted proxy IP address */
		27	protected $trustedProxy = '10.1.1.100';
		28
		29	/** @var array Simulates the $_SERVER array */
		30	protected $server = [];
		31
		32	/**
		33	* Prepare or reset test resources
		34	*/
		35	public function setUp()
		36	{
		37	if (file_exists($this->banFile)) {
		38	unlink($this->banFile);
		39	}
		40
		41	$this->banManager = $this->getNewBanManagerInstance();
		42	$this->server['REMOTE_ADDR'] = $this->ipAddr;
		43	}
		44
		45	/**
		46	* Test constructor with initial file.
		47	*/
		48	public function testInstantiateFromFile()
		49	{
		50	$time = time() + 10;
		51	FileUtils::writeFlatDB(
		52	$this->banFile,
		53	[
		54	'failures' => [
		55	$this->ipAddr => 2,
		56	$ip = '1.2.3.4' => 1,
		57	],
		58	'bans' => [
		59	$ip2 = '8.8.8.8' => $time,
		60	$ip3 = '1.1.1.1' => $time + 1,
		61	],
		62	]
		63	);
		64	$this->banManager = $this->getNewBanManagerInstance();
		65
		66	$this->assertCount(2, $this->banManager->getFailures());
		67	$this->assertEquals(2, $this->banManager->getFailures()[$this->ipAddr]);
		68	$this->assertEquals(1, $this->banManager->getFailures()[$ip]);
		69	$this->assertCount(2, $this->banManager->getBans());
		70	$this->assertEquals($time, $this->banManager->getBans()[$ip2]);
		71	$this->assertEquals($time + 1, $this->banManager->getBans()[$ip3]);
		72	}
		73
		74	/**
		75	* Test constructor with initial file with invalid values
		76	*/
		77	public function testInstantiateFromCrappyFile()
		78	{
		79	FileUtils::writeFlatDB($this->banFile, 'plop');
		80	$this->banManager = $this->getNewBanManagerInstance();
		81
		82	$this->assertEquals([], $this->banManager->getFailures());
		83	$this->assertEquals([], $this->banManager->getBans());
		84	}
		85
		86	/**
		87	* Test failed attempt with a direct IP.
		88	*/
		89	public function testHandleFailedAttempt()
		90	{
		91	$this->assertCount(0, $this->banManager->getFailures());
		92
		93	$this->banManager->handleFailedAttempt($this->server);
		94	$this->assertCount(1, $this->banManager->getFailures());
		95	$this->assertEquals(1, $this->banManager->getFailures()[$this->ipAddr]);
		96
		97	$this->banManager->handleFailedAttempt($this->server);
		98	$this->assertCount(1, $this->banManager->getFailures());
		99	$this->assertEquals(2, $this->banManager->getFailures()[$this->ipAddr]);
		100	}
		101
		102	/**
		103	* Test failed attempt behind a trusted proxy IP (with proper IP forwarding).
		104	*/
		105	public function testHandleFailedAttemptBehingProxy()
		106	{
		107	$server = [
		108	'REMOTE_ADDR' => $this->trustedProxy,
		109	'HTTP_X_FORWARDED_FOR' => $this->ipAddr,
		110	];
		111	$this->assertCount(0, $this->banManager->getFailures());
		112
		113	$this->banManager->handleFailedAttempt($server);
		114	$this->assertCount(1, $this->banManager->getFailures());
		115	$this->assertEquals(1, $this->banManager->getFailures()[$this->ipAddr]);
		116
		117	$this->banManager->handleFailedAttempt($server);
		118	$this->assertCount(1, $this->banManager->getFailures());
		119	$this->assertEquals(2, $this->banManager->getFailures()[$this->ipAddr]);
		120	}
		121
		122	/**
		123	* Test failed attempt behind a trusted proxy IP but without IP forwarding.
		124	*/
		125	public function testHandleFailedAttemptBehindNotConfiguredProxy()
		126	{
		127	$server = [
		128	'REMOTE_ADDR' => $this->trustedProxy,
		129	];
		130	$this->assertCount(0, $this->banManager->getFailures());
		131
		132	$this->banManager->handleFailedAttempt($server);
		133	$this->assertCount(0, $this->banManager->getFailures());
		134
		135	$this->banManager->handleFailedAttempt($server);
		136	$this->assertCount(0, $this->banManager->getFailures());
		137	}
		138
		139	/**
		140	* Test failed attempts with multiple direct IP.
		141	*/
		142	public function testHandleFailedAttemptMultipleIp()
		143	{
		144	$this->assertCount(0, $this->banManager->getFailures());
		145	$this->banManager->handleFailedAttempt($this->server);
		146	$this->server['REMOTE_ADDR'] = '1.2.3.4';
		147	$this->banManager->handleFailedAttempt($this->server);
		148	$this->banManager->handleFailedAttempt($this->server);
		149	$this->assertCount(2, $this->banManager->getFailures());
		150	$this->assertEquals(1, $this->banManager->getFailures()[$this->ipAddr]);
		151	$this->assertEquals(2, $this->banManager->getFailures()[$this->server['REMOTE_ADDR']]);
		152	}
		153
		154	/**
		155	* Test clear failure for provided IP without any additional data.
		156	*/
		157	public function testClearFailuresEmpty()
		158	{
		159	$this->assertCount(0, $this->banManager->getFailures());
		160	$this->banManager->clearFailures($this->server);
		161	$this->assertCount(0, $this->banManager->getFailures());
		162	}
		163
		164	/**
		165	* Test clear failure for provided IP with failed attempts.
		166	*/
		167	public function testClearFailuresFromFile()
		168	{
		169	FileUtils::writeFlatDB(
		170	$this->banFile,
		171	[
		172	'failures' => [
		173	$this->ipAddr => 2,
		174	$ip = '1.2.3.4' => 1,
		175	]
		176	]
		177	);
		178	$this->banManager = $this->getNewBanManagerInstance();
		179
		180	$this->assertCount(2, $this->banManager->getFailures());
		181	$this->banManager->clearFailures($this->server);
		182	$this->assertCount(1, $this->banManager->getFailures());
		183	$this->assertEquals(1, $this->banManager->getFailures()[$ip]);
		184	}
		185
		186	/**
		187	* Test clear failure for provided IP with failed attempts, behind a reverse proxy.
		188	*/
		189	public function testClearFailuresFromFileBehindProxy()
		190	{
		191	$server = [
		192	'REMOTE_ADDR' => $this->trustedProxy,
		193	'HTTP_X_FORWARDED_FOR' => $this->ipAddr,
		194	];
		195
		196	FileUtils::writeFlatDB(
		197	$this->banFile,
		198	[
		199	'failures' => [
		200	$this->ipAddr => 2,
		201	$ip = '1.2.3.4' => 1,
		202	]
		203	]
		204	);
		205	$this->banManager = $this->getNewBanManagerInstance();
		206
		207	$this->assertCount(2, $this->banManager->getFailures());
		208	$this->banManager->clearFailures($server);
		209	$this->assertCount(1, $this->banManager->getFailures());
		210	$this->assertEquals(1, $this->banManager->getFailures()[$ip]);
		211	}
		212
		213	/**
		214	* Test clear failure for provided IP with failed attempts,
		215	* behind a reverse proxy without forwarding.
		216	*/
		217	public function testClearFailuresFromFileBehindNotConfiguredProxy()
		218	{
		219	$server = [
		220	'REMOTE_ADDR' => $this->trustedProxy,
		221	];
		222
		223	FileUtils::writeFlatDB(
		224	$this->banFile,
		225	[
		226	'failures' => [
		227	$this->ipAddr => 2,
		228	$ip = '1.2.3.4' => 1,
		229	]
		230	]
		231	);
		232	$this->banManager = $this->getNewBanManagerInstance();
		233
		234	$this->assertCount(2, $this->banManager->getFailures());
		235	$this->banManager->clearFailures($server);
		236	$this->assertCount(2, $this->banManager->getFailures());
		237	}
		238
		239	/**
		240	* Test isBanned without any data
		241	*/
		242	public function testIsBannedEmpty()
		243	{
		244	$this->assertFalse($this->banManager->isBanned($this->server));
		245	}
		246
		247	/**
		248	* Test isBanned with banned IP from file data
		249	*/
		250	public function testBannedFromFile()
		251	{
		252	FileUtils::writeFlatDB(
		253	$this->banFile,
		254	[
		255	'bans' => [
		256	$this->ipAddr => time() + 10,
		257	]
		258	]
		259	);
		260	$this->banManager = $this->getNewBanManagerInstance();
		261
		262	$this->assertCount(1, $this->banManager->getBans());
		263	$this->assertTrue($this->banManager->isBanned($this->server));
		264	}
		265
		266	/**
		267	* Test isBanned with banned IP from file data behind a reverse proxy
		268	*/
		269	public function testBannedFromFileBehindProxy()
		270	{
		271	$server = [
		272	'REMOTE_ADDR' => $this->trustedProxy,
		273	'HTTP_X_FORWARDED_FOR' => $this->ipAddr,
		274	];
		275	FileUtils::writeFlatDB(
		276	$this->banFile,
		277	[
		278	'bans' => [
		279	$this->ipAddr => time() + 10,
		280	]
		281	]
		282	);
		283	$this->banManager = $this->getNewBanManagerInstance();
		284
		285	$this->assertCount(1, $this->banManager->getBans());
		286	$this->assertTrue($this->banManager->isBanned($server));
		287	}
		288
		289	/**
		290	* Test isBanned with banned IP from file data behind a reverse proxy,
		291	* without IP forwarding
		292	*/
		293	public function testBannedFromFileBehindNotConfiguredProxy()
		294	{
		295	$server = [
		296	'REMOTE_ADDR' => $this->trustedProxy,
		297	];
		298	FileUtils::writeFlatDB(
		299	$this->banFile,
		300	[
		301	'bans' => [
		302	$this->ipAddr => time() + 10,
		303	]
		304	]
		305	);
		306	$this->banManager = $this->getNewBanManagerInstance();
		307
		308	$this->assertCount(1, $this->banManager->getBans());
		309	$this->assertFalse($this->banManager->isBanned($server));
		310	}
		311
		312	/**
		313	* Test isBanned with an expired ban
		314	*/
		315	public function testLiftBan()
		316	{
		317	FileUtils::writeFlatDB(
		318	$this->banFile,
		319	[
		320	'bans' => [
		321	$this->ipAddr => time() - 10,
		322	]
		323	]
		324	);
		325	$this->banManager = $this->getNewBanManagerInstance();
		326
		327	$this->assertCount(1, $this->banManager->getBans());
		328	$this->assertFalse($this->banManager->isBanned($this->server));
		329	}
		330
		331	/**
		332	* Test isBanned with an expired ban behind a reverse proxy
		333	*/
		334	public function testLiftBanBehindProxy()
		335	{
		336	$server = [
		337	'REMOTE_ADDR' => $this->trustedProxy,
		338	'HTTP_X_FORWARDED_FOR' => $this->ipAddr,
		339	];
		340
		341	FileUtils::writeFlatDB(
		342	$this->banFile,
		343	[
		344	'bans' => [
		345	$this->ipAddr => time() - 10,
		346	]
		347	]
		348	);
		349	$this->banManager = $this->getNewBanManagerInstance();
		350
		351	$this->assertCount(1, $this->banManager->getBans());
		352	$this->assertFalse($this->banManager->isBanned($server));
		353	}
		354
		355	/**
		356	* Test isBanned with an expired ban behind a reverse proxy
		357	*/
		358	public function testLiftBanBehindNotConfiguredProxy()
		359	{
		360	$server = [
		361	'REMOTE_ADDR' => $this->trustedProxy,
		362	];
		363
		364	FileUtils::writeFlatDB(
		365	$this->banFile,
		366	[
		367	'bans' => [
		368	$this->ipAddr => time() - 10,
		369	]
		370	]
		371	);
		372	$this->banManager = $this->getNewBanManagerInstance();
		373
		374	$this->assertCount(1, $this->banManager->getBans());
		375	$this->assertFalse($this->banManager->isBanned($server));
		376	}
		377
		378	/**
		379	* Build a new instance of BanManager, which will reread the ban file.
		380	*
		381	* @return BanManager instance
		382	*/
		383	protected function getNewBanManagerInstance()
		384	{
		385	return new BanManager(
		386	[$this->trustedProxy],
		387	3,
		388	1800,
		389	$this->banFile,
		390	$this->logFile
		391	);
		392	}
		393	}


diff --git a/tests/security/LoginManagerTest.php b/tests/security/LoginManagerTest.php index 7b0262b3..eef0f22a 100644 --- a/tests/security/LoginManagerTest.php +++ b/tests/security/LoginManagerTest.php
@@ -75,54 +75,27 @@ class LoginManagerTest extends TestCase
75	'credentials.salt' => $this->salt,	75	'credentials.salt' => $this->salt,
76	'resource.ban_file' => $this->banFile,	76	'resource.ban_file' => $this->banFile,
77	'resource.log' => $this->logFile,	77	'resource.log' => $this->logFile,
78	'security.ban_after' => 4,	78	'security.ban_after' => 2,
79	'security.ban_duration' => 3600,	79	'security.ban_duration' => 3600,
80	'security.trusted_proxies' => [$this->trustedProxy],	80	'security.trusted_proxies' => [$this->trustedProxy],
81	]);	81	]);
82		82
83	$this->cookie = [];	83	$this->cookie = [];
84
85	$this->globals = &$GLOBALS;
86	unset($this->globals['IPBANS']);
87
88	$this->session = [];	84	$this->session = [];
89		85
90	$this->sessionManager = new SessionManager($this->session, $this->configManager);	86	$this->sessionManager = new SessionManager($this->session, $this->configManager);
91	$this->loginManager = new LoginManager($this->globals, $this->configManager, $this->sessionManager);	87	$this->loginManager = new LoginManager($this->configManager, $this->sessionManager);
92	$this->server['REMOTE_ADDR'] = $this->ipAddr;	88	$this->server['REMOTE_ADDR'] = $this->ipAddr;
93	}	89	}
94		90
95	/**	91	/**
96	* Wipe test resources
97	*/
98	public function tearDown()
99	{
100	unset($this->globals['IPBANS']);
101	}
102
103	/**
104	* Instantiate a LoginManager and load ban records
105	*/
106	public function testReadBanFile()
107	{
108	file_put_contents(
109	$this->banFile,
110	"<?php\n\$GLOBALS['IPBANS']=array('FAILURES' => array('127.0.0.1' => 99));\n?>"
111	);
112	new LoginManager($this->globals, $this->configManager, null);
113	$this->assertEquals(99, $this->globals['IPBANS']['FAILURES']['127.0.0.1']);
114	}
115
116	/**
117	* Record a failed login attempt	92	* Record a failed login attempt
118	*/	93	*/
119	public function testHandleFailedLogin()	94	public function testHandleFailedLogin()
120	{	95	{
121	$this->loginManager->handleFailedLogin($this->server);	96	$this->loginManager->handleFailedLogin($this->server);
122	$this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
123
124	$this->loginManager->handleFailedLogin($this->server);	97	$this->loginManager->handleFailedLogin($this->server);
125	$this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);	98	$this->assertFalse($this->loginManager->canLogin($this->server));
126	}	99	}
127		100
128	/**	101	/**
@@ -135,10 +108,8 @@ class LoginManagerTest extends TestCase
135	'HTTP_X_FORWARDED_FOR' => $this->ipAddr,	108	'HTTP_X_FORWARDED_FOR' => $this->ipAddr,
136	];	109	];
137	$this->loginManager->handleFailedLogin($server);	110	$this->loginManager->handleFailedLogin($server);
138	$this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
139
140	$this->loginManager->handleFailedLogin($server);	111	$this->loginManager->handleFailedLogin($server);
141	$this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);	112	$this->assertFalse($this->loginManager->canLogin($server));
142	}	113	}
143		114
144	/**	115	/**
@@ -150,39 +121,8 @@ class LoginManagerTest extends TestCase
150	'REMOTE_ADDR' => $this->trustedProxy,	121	'REMOTE_ADDR' => $this->trustedProxy,
151	];	122	];
152	$this->loginManager->handleFailedLogin($server);	123	$this->loginManager->handleFailedLogin($server);
153	$this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr]));
154
155	$this->loginManager->handleFailedLogin($server);	124	$this->loginManager->handleFailedLogin($server);
156	$this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr]));	125	$this->assertTrue($this->loginManager->canLogin($server));
157	}
158
159	/**
160	* Record a failed login attempt and ban the IP after too many failures
161	*/
162	public function testHandleFailedLoginBanIp()
163	{
164	$this->loginManager->handleFailedLogin($this->server);
165	$this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
166	$this->assertTrue($this->loginManager->canLogin($this->server));
167
168	$this->loginManager->handleFailedLogin($this->server);
169	$this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
170	$this->assertTrue($this->loginManager->canLogin($this->server));
171
172	$this->loginManager->handleFailedLogin($this->server);
173	$this->assertEquals(3, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
174	$this->assertTrue($this->loginManager->canLogin($this->server));
175
176	$this->loginManager->handleFailedLogin($this->server);
177	$this->assertEquals(4, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
178	$this->assertFalse($this->loginManager->canLogin($this->server));
179
180	// handleFailedLogin is not supposed to be called at this point:
181	// - no login form should be displayed once an IP has been banned
182	// - yet this could happen when using custom templates / scripts
183	$this->loginManager->handleFailedLogin($this->server);
184	$this->assertEquals(5, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
185	$this->assertFalse($this->loginManager->canLogin($this->server));
186	}	126	}
187		127
188	/**	128	/**
@@ -202,14 +142,11 @@ class LoginManagerTest extends TestCase
202	public function testHandleSuccessfulLoginAfterFailure()	142	public function testHandleSuccessfulLoginAfterFailure()
203	{	143	{
204	$this->loginManager->handleFailedLogin($this->server);	144	$this->loginManager->handleFailedLogin($this->server);
205	$this->loginManager->handleFailedLogin($this->server);
206	$this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]);
207	$this->assertTrue($this->loginManager->canLogin($this->server));	145	$this->assertTrue($this->loginManager->canLogin($this->server));
208		146
209	$this->loginManager->handleSuccessfulLogin($this->server);	147	$this->loginManager->handleSuccessfulLogin($this->server);
		148	$this->loginManager->handleFailedLogin($this->server);
210	$this->assertTrue($this->loginManager->canLogin($this->server));	149	$this->assertTrue($this->loginManager->canLogin($this->server));
211	$this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr]));
212	$this->assertFalse(isset($this->globals['IPBANS']['BANS'][$this->ipAddr]));
213	}	150	}
214		151
215	/**	152	/**
@@ -221,33 +158,6 @@ class LoginManagerTest extends TestCase
221	}	158	}
222		159
223	/**	160	/**
224	* The IP is banned
225	*/
226	public function testCanLoginIpBanned()
227	{
228	// ban the IP for an hour
229	$this->globals['IPBANS']['FAILURES'][$this->ipAddr] = 10;
230	$this->globals['IPBANS']['BANS'][$this->ipAddr] = time() + 3600;
231
232	$this->assertFalse($this->loginManager->canLogin($this->server));
233	}
234
235	/**
236	* The IP is banned, and the ban duration is over
237	*/
238	public function testCanLoginIpBanExpired()
239	{
240	// ban the IP for an hour
241	$this->globals['IPBANS']['FAILURES'][$this->ipAddr] = 10;
242	$this->globals['IPBANS']['BANS'][$this->ipAddr] = time() + 3600;
243	$this->assertFalse($this->loginManager->canLogin($this->server));
244
245	// lift the ban
246	$this->globals['IPBANS']['BANS'][$this->ipAddr] = time() - 3600;
247	$this->assertTrue($this->loginManager->canLogin($this->server));
248	}
249
250	/**
251	* Generate a token depending on the user credentials and client IP	161	* Generate a token depending on the user credentials and client IP
252	*/	162	*/
253	public function testGenerateStaySignedInToken()	163	public function testGenerateStaySignedInToken()
@@ -282,7 +192,7 @@ class LoginManagerTest extends TestCase
282	$configManager = new \FakeConfigManager([	192	$configManager = new \FakeConfigManager([
283	'resource.ban_file' => $this->banFile,	193	'resource.ban_file' => $this->banFile,
284	]);	194	]);
285	$loginManager = new LoginManager($this->globals, $configManager, null);	195	$loginManager = new LoginManager($configManager, null);
286	$loginManager->checkLoginState([], '');	196	$loginManager->checkLoginState([], '');
287		197
288	$this->assertFalse($loginManager->isLoggedIn());	198	$this->assertFalse($loginManager->isLoggedIn());