<?PHP
/**
* Tests for MD_STD_SEC.
*
* @author Joshua Ramon Enslin <joshua@museum-digital.de>
*/
declare(strict_types = 1);
use PHPUnit\Framework\TestCase;
use PHPUnit\Framework\Attributes\Large;
use PHPUnit\Framework\Attributes\CoversClass;
/**
* Tests for MD_STD_SEC.
*/
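#[Large]
#[CoversClass(\MD_STD_SEC::class)]
final class MD_STD_SECTest extends TestCase {

    /**
     * The anti-brute-force delay must be positive and must respect an
     * explicitly passed upper bound.
     *
     * Only the call with an explicit maximum (3) is checked against an upper
     * limit; the bound for the default maximum is currently not asserted
     * (see the TODO in the body).
     *
     * @return void
     */
    public function testComputeAntiBruteForceDelayDoesNotGoOverMax():void {

        $delay = MD_STD_SEC::computeAntiBruteForceDelay(100, 100, 100);
        self::assertGreaterThan(0, $delay);
        // TODO: no upper bound is asserted for the default maximum. A previous
        // `assertLessThan(10 * 1000000, $delay)` check was disabled; re-enable
        // it once the default maximum of computeAntiBruteForceDelay is pinned.

        // The multiplier suggests the delay is expressed in microseconds;
        // confirm against MD_STD_SEC::computeAntiBruteForceDelay.
        $delayReduced = MD_STD_SEC::computeAntiBruteForceDelay(100, 100, 100, 3);
        self::assertGreaterThan(0, $delayReduced);
        self::assertLessThan(3 * 1000000, $delayReduced); // Smaller than 3 seconds

    }

    /**
     * Ensure getAntiCsrfToken refuses to hand out a token when no session
     * has been started.
     *
     * NOTE(review): this relies on running before testGetAntiCsrfTokenWorks,
     * which calls session_start(); PHPUnit executes methods in declaration
     * order, so keep this test above it.
     *
     * @return void
     */
    public function testGetAntiCsrfTokenFailsWithoutActiveSession():void {

        self::expectException(Exception::class);
        MD_STD_SEC::getAntiCsrfToken();

    }

    /**
     * Ensure getAntiCsrfToken stores a token in the session, hands out the
     * same token on repeated calls, and that validateAntiCsrfToken accepts
     * that token when it is submitted via $_POST.
     *
     * @return void
     */
    public function testGetAntiCsrfTokenWorks():void {

        session_start();
        self::assertEmpty($_SESSION);

        $token = MD_STD_SEC::getAntiCsrfToken();
        self::assertNotEmpty($_SESSION['csrf-token']);
        // A second call within the same session must not rotate the token.
        self::assertSame($token, MD_STD_SEC::getAntiCsrfToken());

        try {
            $_POST = [
                'csrf-token' => $token,
            ];
            self::assertTrue(MD_STD_SEC::validateAntiCsrfToken());
        } finally {
            // Do not leak the fake request payload into later tests.
            $_POST = [];
        }

    }

    /**
     * Ensure preventBruteForce lets a request through and writes its login
     * log to the temp directory.
     *
     * The log file is removed in a finally block so that a failed assertion
     * cannot leave stale state behind for the next run.
     *
     * @return void
     */
    public function testPreventBruteForce():void {

        $logFile = \sys_get_temp_dir() . "/logins_MD_STD_TEST_SUCCESS.json";

        try {
            self::assertTrue(MD_STD_SEC::preventBruteForce("MD_STD_TEST_SUCCESS", "test_user", 0));
            self::assertFileExists($logFile);
        } finally {
            if (\file_exists($logFile)) {
                MD_STD::unlink($logFile);
            }
        }

    }

    /**
     * Ensure preventBruteForce returns false once the number of attempts
     * for a user exceeds the allowed maximum.
     *
     * The log file is removed in a finally block so that a failed assertion
     * cannot leave stale state behind for the next run.
     *
     * @return void
     */
    public function testPreventBruteForceReturnsFalseOnManyRequests():void {

        $logFile = \sys_get_temp_dir() . "/logins_MD_STD_TEST_FAILURE.json";

        try {
            // Exhaust the allowed attempts (max 3) well beyond the limit.
            for ($attempt = 0; $attempt < 10; $attempt++) {
                MD_STD_SEC::preventBruteForce("MD_STD_TEST_FAILURE", "test_user", 3);
            }

            self::assertFalse(MD_STD_SEC::preventBruteForce("MD_STD_TEST_FAILURE", "test_user", 3));
            self::assertFileExists($logFile);
        } finally {
            if (\file_exists($logFile)) {
                MD_STD::unlink($logFile);
            }
        }

    }

}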