Improve test coverage for MD_STD_SEC

2024-07-11 15:32:50 +02:00 · 2024-07-11 15:32:50 +02:00 · cbc66c4140
commit cbc66c4140
parent 11faeaa7e7
3 changed files with 77 additions and 3 deletions
--- a/src/MD_STD_SEC.php
+++ b/src/MD_STD_SEC.php
@ -25,6 +25,10 @@ final class MD_STD_SEC {
     */
    public static function getAntiCsrfToken():string {
        if(session_status() !== PHP_SESSION_ACTIVE) {
            throw new Exception("Session needs to be started to get csrf token");
        }
        if (empty($_SESSION['csrf-token'])) {
            $_SESSION['csrf-token'] = bin2hex(random_bytes(32));
        }
@ -105,7 +109,7 @@ final class MD_STD_SEC {
        // Unstable but working way to get the user's IP. If the IP is falsified,
        // this can't be found out anyway and security is established by _common.
-        $ip = \filter_var($_SERVER['REMOTE_ADDR'] ?: ($_SERVER['HTTP_X_FORWARDED_FOR'] ?: $_SERVER['HTTP_CLIENT_IP']), \FILTER_VALIDATE_IP) ?: "Failed to find";
+        $ip = \filter_var($_SERVER['REMOTE_ADDR'] ?? ($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['HTTP_CLIENT_IP'] ?? ""), \FILTER_VALIDATE_IP) ?: "Failed to find";
        // Set name of log file
        $logfile_common = \sys_get_temp_dir() . "/logins_{$tool_name}.json";
--- a/tests/MD_STD_SECTest.php
+++ b/tests/MD_STD_SECTest.php
@ -7,12 +7,14 @@
 declare(strict_types = 1);
 use PHPUnit\Framework\TestCase;
-
+use PHPUnit\Framework\Attributes\Large;
-require __DIR__ . '/../src/MD_STD_SEC.php';
+use PHPUnit\Framework\Attributes\CoversClass;
 /**
 * Tests for MD_STD_SEC.
 */
 #[large]
 #[CoversClass(\MD_STD_SEC::class)]
 final class MD_STD_SECTest extends TestCase {
    /**
     * Function for testing if the page can be opened using invalid values for objektnum.
@ -32,4 +34,71 @@ final class MD_STD_SECTest extends TestCase {
        self::assertLessThan(3 * 1000000, $delay_reduced); // Smaller than 10 seconds
    }
    /**
     * Ensure getAntiCsrfToken does not work without a
     * started session.
     *
     * @return void
     */
    public function testGetAntiCsrfTokenFailsWithoutActiveSession():void {
        self::expectException(Exception::class);
        MD_STD_SEC::getAntiCsrfToken();
    }
    /**
     * Ensure getAntiCsrfToken works.
     *
     * @return void
     */
    public function testGetAntiCsrfTokenWorks():void {
        session_start();
        self::assertEmpty($_SESSION);
        $token = MD_STD_SEC::getAntiCsrfToken();
        self::assertNotEmpty($_SESSION['csrf-token']);
        self::assertEquals($token, MD_STD_SEC::getAntiCsrfToken());
        $_POST = [
            'csrf-token' => $token,
        ];
        self::assertTrue(MD_STD_SEC::validateAntiCsrfToken());
    }
    /**
     * Ensure preventBruteForce works.
     *
     * @return void
     */
    public function testPreventBruteForce():void {
        self::assertTrue(MD_STD_SEC::preventBruteForce("MD_STD_TEST_SUCCESS", "test_user", 0));
        $logFile = \sys_get_temp_dir() . "/logins_MD_STD_TEST_SUCCESS.json";
        self::assertFileExists($logFile);
        MD_STD::unlink($logFile);
    }
    /**
     * Ensure preventBruteForce returns false on many requests.
     *
     * @return void
     */
    public function testPreventBruteForceReturnsFalseOnManyRequests():void {
        for ($i = 0; $i < 10; $i++) {
            MD_STD_SEC::preventBruteForce("MD_STD_TEST_FAILURE", "test_user", 3);
        }
        self::assertFalse(MD_STD_SEC::preventBruteForce("MD_STD_TEST_FAILURE", "test_user", 3));
        $logFile = \sys_get_temp_dir() . "/logins_MD_STD_TEST_FAILURE.json";
        self::assertFileExists($logFile);
        MD_STD::unlink($logFile);
    }
 }
--- a/tests/bootstrap.php
+++ b/tests/bootstrap.php
@ -1,5 +1,6 @@
 <?PHP
 declare(strict_types = 1);
 ini_set( 'error_log', '/dev/stdout' );
 /**
 * Autoloader for musdb.