From d9ba1cdd44a7eec9e7f4d429087c6ba838ad473e Mon Sep 17 00:00:00 2001 From: ArthurHoaro Date: Tue, 17 Jul 2018 14:13:37 +0200 Subject: Do not check the IP address with session protection disabled This allows the user to stay logged in if his IP changes. Fixes #1106 --- tests/security/LoginManagerTest.php | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'tests/security/LoginManagerTest.php') diff --git a/tests/security/LoginManagerTest.php b/tests/security/LoginManagerTest.php index f26cd1eb..b9ab5ec4 100644 --- a/tests/security/LoginManagerTest.php +++ b/tests/security/LoginManagerTest.php @@ -259,6 +259,20 @@ class LoginManagerTest extends TestCase ); } + /** + * Generate a token depending on the user credentials with session protected disabled + */ + public function testGenerateStaySignedInTokenSessionProtectionDisabled() + { + $this->configManager->set('security.session_protection_disabled', true); + $this->loginManager->generateStaySignedInToken($this->clientIpAddress); + + $this->assertEquals( + sha1($this->passwordHash . $this->salt), + $this->loginManager->getStaySignedInToken() + ); + } + /** * Check user login - Shaarli has not yet been configured */ -- cgit v1.2.3 From dea72c711ff740b3b829d238fcf85648465143a0 Mon Sep 17 00:00:00 2001 From: VirtualTam Date: Sat, 12 Jan 2019 23:55:38 +0100 Subject: Optimize and cleanup imports Signed-off-by: VirtualTam --- tests/security/LoginManagerTest.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'tests/security/LoginManagerTest.php') diff --git a/tests/security/LoginManagerTest.php b/tests/security/LoginManagerTest.php index f26cd1eb..de8055ed 100644 --- a/tests/security/LoginManagerTest.php +++ b/tests/security/LoginManagerTest.php @@ -2,7 +2,8 @@ namespace Shaarli\Security; require_once 'tests/utils/FakeConfigManager.php'; -use \PHPUnit\Framework\TestCase; + +use PHPUnit\Framework\TestCase; /** * Test coverage for LoginManager -- cgit v1.2.3 From b49a04f796b9ad8533c53fee541132a4c2214909 Mon Sep 17 00:00:00 2001 From: ArthurHoaro Date: Sat, 9 Feb 2019 16:44:48 +0100 Subject: Rewrite IP ban management This adds a dedicated manager class to handle all ban interactions, which is instantiated and handled by LoginManager. IPs are now stored in the same format as the datastore, through FileUtils. Fixes #1032 #587 --- tests/security/LoginManagerTest.php | 104 +++--------------------------------- 1 file changed, 7 insertions(+), 97 deletions(-) (limited to 'tests/security/LoginManagerTest.php') diff --git a/tests/security/LoginManagerTest.php b/tests/security/LoginManagerTest.php index 7b0262b3..eef0f22a 100644 --- a/tests/security/LoginManagerTest.php +++ b/tests/security/LoginManagerTest.php @@ -75,54 +75,27 @@ class LoginManagerTest extends TestCase 'credentials.salt' => $this->salt, 'resource.ban_file' => $this->banFile, 'resource.log' => $this->logFile, - 'security.ban_after' => 4, + 'security.ban_after' => 2, 'security.ban_duration' => 3600, 'security.trusted_proxies' => [$this->trustedProxy], ]); $this->cookie = []; - - $this->globals = &$GLOBALS; - unset($this->globals['IPBANS']); - $this->session = []; $this->sessionManager = new SessionManager($this->session, $this->configManager); - $this->loginManager = new LoginManager($this->globals, $this->configManager, $this->sessionManager); + $this->loginManager = new LoginManager($this->configManager, $this->sessionManager); $this->server['REMOTE_ADDR'] = $this->ipAddr; } - /** - * Wipe test resources - */ - public function tearDown() - { - unset($this->globals['IPBANS']); - } - - /** - * Instantiate a LoginManager and load ban records - */ - public function testReadBanFile() - { - file_put_contents( - $this->banFile, - " array('127.0.0.1' => 99));\n?>" - ); - new LoginManager($this->globals, $this->configManager, null); - $this->assertEquals(99, $this->globals['IPBANS']['FAILURES']['127.0.0.1']); - } - /** * Record a failed login attempt */ public function testHandleFailedLogin() { $this->loginManager->handleFailedLogin($this->server); - $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); - $this->loginManager->handleFailedLogin($this->server); - $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); + $this->assertFalse($this->loginManager->canLogin($this->server)); } /** @@ -135,10 +108,8 @@ class LoginManagerTest extends TestCase 'HTTP_X_FORWARDED_FOR' => $this->ipAddr, ]; $this->loginManager->handleFailedLogin($server); - $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); - $this->loginManager->handleFailedLogin($server); - $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); + $this->assertFalse($this->loginManager->canLogin($server)); } /** @@ -150,39 +121,8 @@ class LoginManagerTest extends TestCase 'REMOTE_ADDR' => $this->trustedProxy, ]; $this->loginManager->handleFailedLogin($server); - $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr])); - $this->loginManager->handleFailedLogin($server); - $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr])); - } - - /** - * Record a failed login attempt and ban the IP after too many failures - */ - public function testHandleFailedLoginBanIp() - { - $this->loginManager->handleFailedLogin($this->server); - $this->assertEquals(1, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); - $this->assertTrue($this->loginManager->canLogin($this->server)); - - $this->loginManager->handleFailedLogin($this->server); - $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); - $this->assertTrue($this->loginManager->canLogin($this->server)); - - $this->loginManager->handleFailedLogin($this->server); - $this->assertEquals(3, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); - $this->assertTrue($this->loginManager->canLogin($this->server)); - - $this->loginManager->handleFailedLogin($this->server); - $this->assertEquals(4, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); - $this->assertFalse($this->loginManager->canLogin($this->server)); - - // handleFailedLogin is not supposed to be called at this point: - // - no login form should be displayed once an IP has been banned - // - yet this could happen when using custom templates / scripts - $this->loginManager->handleFailedLogin($this->server); - $this->assertEquals(5, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); - $this->assertFalse($this->loginManager->canLogin($this->server)); + $this->assertTrue($this->loginManager->canLogin($server)); } /** @@ -202,14 +142,11 @@ class LoginManagerTest extends TestCase public function testHandleSuccessfulLoginAfterFailure() { $this->loginManager->handleFailedLogin($this->server); - $this->loginManager->handleFailedLogin($this->server); - $this->assertEquals(2, $this->globals['IPBANS']['FAILURES'][$this->ipAddr]); $this->assertTrue($this->loginManager->canLogin($this->server)); $this->loginManager->handleSuccessfulLogin($this->server); + $this->loginManager->handleFailedLogin($this->server); $this->assertTrue($this->loginManager->canLogin($this->server)); - $this->assertFalse(isset($this->globals['IPBANS']['FAILURES'][$this->ipAddr])); - $this->assertFalse(isset($this->globals['IPBANS']['BANS'][$this->ipAddr])); } /** @@ -220,33 +157,6 @@ class LoginManagerTest extends TestCase $this->assertTrue($this->loginManager->canLogin($this->server)); } - /** - * The IP is banned - */ - public function testCanLoginIpBanned() - { - // ban the IP for an hour - $this->globals['IPBANS']['FAILURES'][$this->ipAddr] = 10; - $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() + 3600; - - $this->assertFalse($this->loginManager->canLogin($this->server)); - } - - /** - * The IP is banned, and the ban duration is over - */ - public function testCanLoginIpBanExpired() - { - // ban the IP for an hour - $this->globals['IPBANS']['FAILURES'][$this->ipAddr] = 10; - $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() + 3600; - $this->assertFalse($this->loginManager->canLogin($this->server)); - - // lift the ban - $this->globals['IPBANS']['BANS'][$this->ipAddr] = time() - 3600; - $this->assertTrue($this->loginManager->canLogin($this->server)); - } - /** * Generate a token depending on the user credentials and client IP */ @@ -282,7 +192,7 @@ class LoginManagerTest extends TestCase $configManager = new \FakeConfigManager([ 'resource.ban_file' => $this->banFile, ]); - $loginManager = new LoginManager($this->globals, $configManager, null); + $loginManager = new LoginManager($configManager, null); $loginManager->checkLoginState([], ''); $this->assertFalse($loginManager->isLoggedIn()); -- cgit v1.2.3