From cbc66c41401a785e512dbf19aa64af13f8bfa685 Mon Sep 17 00:00:00 2001
From: Joshua Ramon Enslin
Date: Thu, 11 Jul 2024 15:32:50 +0200
Subject: [PATCH] Improve test coverage for MD_STD_SEC

---
 src/MD_STD_SEC.php | 6 +++-
 tests/MD_STD_SECTest.php | 73 ++++++++++++++++++++++++++++++++++++++--
 tests/bootstrap.php | 1 +
 3 files changed, 77 insertions(+), 3 deletions(-)

diff --git a/src/MD_STD_SEC.php b/src/MD_STD_SEC.php
index 64e47b9..e080ca5 100644
--- a/src/MD_STD_SEC.php
+++ b/src/MD_STD_SEC.php
@@ -25,6 +25,10 @@ final class MD_STD_SEC {
      */
     public static function getAntiCsrfToken():string {
+        if(session_status() !== PHP_SESSION_ACTIVE) {
+            throw new Exception("Session needs to be started to get csrf token");
+        }
+
         if (empty($_SESSION['csrf-token'])) {
             $_SESSION['csrf-token'] = bin2hex(random_bytes(32));
         }
@@ -105,7 +109,7 @@ final class MD_STD_SEC {
         // Unstable but working way to get the user's IP. If the IP is falsified,
         // this can't be found out anyway and security is established by _common.
-        $ip = \filter_var($_SERVER['REMOTE_ADDR'] ?: ($_SERVER['HTTP_X_FORWARDED_FOR'] ?: $_SERVER['HTTP_CLIENT_IP']), \FILTER_VALIDATE_IP) ?: "Failed to find";
+        $ip = \filter_var($_SERVER['REMOTE_ADDR'] ?? ($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['HTTP_CLIENT_IP'] ?? ""), \FILTER_VALIDATE_IP) ?: "Failed to find";
         // Set name of log file
         $logfile_common = \sys_get_temp_dir() . "/logins_{$tool_name}.json";
diff --git a/tests/MD_STD_SECTest.php b/tests/MD_STD_SECTest.php
index 3d8c822..8594b2f 100644
--- a/tests/MD_STD_SECTest.php
+++ b/tests/MD_STD_SECTest.php
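Review bot: The new guard throws the base `Exception`, so a caller cannot catch the missing-session case without also catching everything else that can escape from this path; an unstarted session is a caller-side precondition, and `throw new \LogicException("Session needs to be started to get csrf token");` names that while still satisfying the test's `expectException(Exception::class)`. The added line also reads `if(session_status()` where the next line uses `if (empty(`; keep the file's `if (` spacing. The docblock that closes just above the hunk should gain `@throws \LogicException if no session is active` so the precondition is visible at the call site. getAntiCsrfToken's return statement lies below the hunk.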
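Review bot: Switching `?:` to `??` changes which source wins: `$_SERVER['REMOTE_ADDR']` is now used whenever the key exists, and web SAPIs normally set it on every request, so the `HTTP_X_FORWARDED_FOR`/`HTTP_CLIENT_IP` fallback is in practice reached only when no server populated it (for example the CLI test runs). That is the safer ordering, because those two headers are caller-supplied and presumably feed the brute-force bookkeeping, which should not rest on them unless the application sits behind a proxy it trusts; the comment above the line should record this, e.g. `// REMOTE_ADDR wins when present; the header fallback only covers CLI/test runs and is not trusted in production.` If the fallback is kept, note that X-Forwarded-For may carry a comma-separated chain, which `FILTER_VALIDATE_IP` rejects, so such a request ends up with the shared `"Failed to find"` value. preventBruteForce starts and ends outside the hunk, so how `$ip` is used further down is not visible here.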
@@ -7,12 +7,14 @@
 declare(strict_types = 1);
 use PHPUnit\Framework\TestCase;
-
-require __DIR__ . '/../src/MD_STD_SEC.php';
+use PHPUnit\Framework\Attributes\Large;
+use PHPUnit\Framework\Attributes\CoversClass;
 /**
  * Tests for MD_STD_SEC.
  */
+#[large]
+#[CoversClass(\MD_STD_SEC::class)]
 final class MD_STD_SECTest extends TestCase {
     /**
      * Function for testing if the page can be opened using invalid values for objektnum.
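Review bot: `#[large]` is written in lowercase while the import it relies on is `PHPUnit\Framework\Attributes\Large`; it resolves only because attribute names are class names and therefore case-insensitive, so spell it `#[Large]` to match the import and the neighbouring `#[CoversClass(...)]`. The two new `use` lines are also out of alphabetical order (`CoversClass` before `Large` would follow the usual PSR-12 grouping). The `require` of `src/MD_STD_SEC.php` removed here presumably moves to `tests/bootstrap.php`, whose hunk is cut off at the end of this page.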
@@ -32,4 +34,71 @@ final class MD_STD_SECTest extends TestCase {
         self::assertLessThan(3 * 1000000, $delay_reduced); // Smaller than 10 seconds
     }
+
+    /**
+     * Ensure getAntiCsrfToken does not work without a
+     * started session.
+     *
+     * @return void
+     */
+    public function testGetAntiCsrfTokenFailsWithoutActiveSession():void {
+
+        self::expectException(Exception::class);
+        MD_STD_SEC::getAntiCsrfToken();
+
+    }
+
+    /**
+     * Ensure getAntiCsrfToken works.
+     *
+     * @return void
+     */
+    public function testGetAntiCsrfTokenWorks():void {
+
+        session_start();
+        self::assertEmpty($_SESSION);
+        $token = MD_STD_SEC::getAntiCsrfToken();
+        self::assertNotEmpty($_SESSION['csrf-token']);
+        self::assertEquals($token, MD_STD_SEC::getAntiCsrfToken());
+
+        $_POST = [
+            'csrf-token' => $token,
+        ];
+        self::assertTrue(MD_STD_SEC::validateAntiCsrfToken());
+
+    }
+
+    /**
+     * Ensure preventBruteForce works.
+     *
+     * @return void
+     */
+    public function testPreventBruteForce():void {
+
+        self::assertTrue(MD_STD_SEC::preventBruteForce("MD_STD_TEST_SUCCESS", "test_user", 0));
+
+        $logFile = \sys_get_temp_dir() . "/logins_MD_STD_TEST_SUCCESS.json";
+        self::assertFileExists($logFile);
+        MD_STD::unlink($logFile);
+
+    }
+
+    /**
+     * Ensure preventBruteForce returns false on many requests.
+     *
+     * @return void
+     */
+    public function testPreventBruteForceReturnsFalseOnManyRequests():void {
+
+        for ($i = 0; $i < 10; $i++) {
+            MD_STD_SEC::preventBruteForce("MD_STD_TEST_FAILURE", "test_user", 3);
+        }
+
+        self::assertFalse(MD_STD_SEC::preventBruteForce("MD_STD_TEST_FAILURE", "test_user", 3));
+
+        $logFile = \sys_get_temp_dir() . "/logins_MD_STD_TEST_FAILURE.json";
+        self::assertFileExists($logFile);
+        MD_STD::unlink($logFile);
+
+    }
 }
diff --git a/tests/bootstrap.php b/tests/bootstrap.php
index 0915775..b440b9b 100644
--- a/tests/bootstrap.php
+++ b/tests/bootstrap.php
@@ -1,5 +1,6 @@
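Review bot: testGetAntiCsrfTokenWorks leaves the started session, `$_SESSION` and `$_POST` in place, and the two preventBruteForce tests delete their temp log only when every assertion before `MD_STD::unlink($logFile)` passes, so one failure leaks state into the following tests and into the next run (`testGetAntiCsrfTokenFailsWithoutActiveSession` also passes only because it is declared, and therefore run, before the session is started). A `tearDown` that resets both superglobals, destroys any active session and removes both `logins_MD_STD_TEST_*.json` files makes each test independent of order and of earlier failures; add it below if the class (whose earlier members are outside the hunk) does not already define one. The CSRF coverage also has no rejection case, so a validator that accepted any value would still pass: after the positive assertion add something like `$_POST = ['csrf-token' => 'not-the-token']; self::assertFalse(MD_STD_SEC::validateAntiCsrfToken());` (adjust if validateAntiCsrfToken signals rejection by throwing rather than returning false, which is not visible here).
```php
    // … unchanged: existing tests …

    /**
     * Reset the state shared through superglobals, the session and the
     * temp log files so each test is independent of order and of
     * failures in earlier tests.
     */
    protected function tearDown():void {

        $_POST = [];
        $_SESSION = [];
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_destroy();
        }
        foreach (['MD_STD_TEST_SUCCESS', 'MD_STD_TEST_FAILURE'] as $toolName) {
            $logFile = \sys_get_temp_dir() . "/logins_{$toolName}.json";
            if (\file_exists($logFile)) {
                MD_STD::unlink($logFile);
            }
        }
        parent::tearDown();

    }
```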