Improve test coverage for MD_STD_SEC
This commit is contained in:
parent
11faeaa7e7
commit
cbc66c4140
|
@ -25,6 +25,10 @@ final class MD_STD_SEC {
|
||||||
*/
|
*/
|
||||||
public static function getAntiCsrfToken():string {
|
public static function getAntiCsrfToken():string {
|
||||||
|
|
||||||
|
if(session_status() !== PHP_SESSION_ACTIVE) {
|
||||||
|
throw new Exception("Session needs to be started to get csrf token");
|
||||||
|
}
|
||||||
|
|
||||||
if (empty($_SESSION['csrf-token'])) {
|
if (empty($_SESSION['csrf-token'])) {
|
||||||
$_SESSION['csrf-token'] = bin2hex(random_bytes(32));
|
$_SESSION['csrf-token'] = bin2hex(random_bytes(32));
|
||||||
}
|
}
|
||||||
|
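Review bot: The new guard throws the base `Exception`, which callers cannot distinguish from any other failure; a narrower type such as `throw new \RuntimeException("Session needs to be started to get csrf token");` keeps callers' catches precise and still satisfies the test's `expectException(Exception::class)`, since RuntimeException extends Exception. The method's docblock, whose closing `*/` is the first line of the hunk, should also declare the new failure mode with `@throws \RuntimeException if no session is active`. Minor style: `if(session_status()` lacks the space that `if (empty(...))` a few lines below uses.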
@ -105,7 +109,7 @@ final class MD_STD_SEC {
|
||||||
|
|
||||||
// Unstable but working way to get the user's IP. If the IP is falsified,
|
// Unstable but working way to get the user's IP. If the IP is falsified,
|
||||||
// this can't be found out anyway and security is established by _common.
|
// this can't be found out anyway and security is established by _common.
|
||||||
$ip = \filter_var($_SERVER['REMOTE_ADDR'] ?: ($_SERVER['HTTP_X_FORWARDED_FOR'] ?: $_SERVER['HTTP_CLIENT_IP']), \FILTER_VALIDATE_IP) ?: "Failed to find";
|
$ip = \filter_var($_SERVER['REMOTE_ADDR'] ?? ($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['HTTP_CLIENT_IP'] ?? ""), \FILTER_VALIDATE_IP) ?: "Failed to find";
|
||||||
|
|
||||||
// Set name of log file
|
// Set name of log file
|
||||||
$logfile_common = \sys_get_temp_dir() . "/logins_{$tool_name}.json";
|
$logfile_common = \sys_get_temp_dir() . "/logins_{$tool_name}.json";
|
||||||
|
|
|
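Review bot: With `??` the forwarded headers are consulted only when `REMOTE_ADDR` is entirely unset, and a comma-separated `HTTP_X_FORWARDED_FOR` list still fails `FILTER_VALIDATE_IP`, so all such requests land in the single "Failed to find" bucket and share one lockout counter. The existing comment mentions falsification but not this collapse; extending it with `// A proxy list in X-Forwarded-For fails validation and falls into the shared "Failed to find" bucket, so one client's lockout applies to all of them.` documents the trade-off for the next maintainer. The enclosing function (presumably the brute-force limiter, given `$tool_name` and the logins log file) starts and ends outside the hunk.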
@ -7,12 +7,14 @@
|
||||||
declare(strict_types = 1);
|
declare(strict_types = 1);
|
||||||
|
|
||||||
use PHPUnit\Framework\TestCase;
|
use PHPUnit\Framework\TestCase;
|
||||||
|
use PHPUnit\Framework\Attributes\Large;
|
||||||
require __DIR__ . '/../src/MD_STD_SEC.php';
|
use PHPUnit\Framework\Attributes\CoversClass;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Tests for MD_STD_SEC.
|
* Tests for MD_STD_SEC.
|
||||||
*/
|
*/
|
||||||
|
#[large]
|
||||||
|
#[CoversClass(\MD_STD_SEC::class)]
|
||||||
final class MD_STD_SECTest extends TestCase {
|
final class MD_STD_SECTest extends TestCase {
|
||||||
/**
|
/**
|
||||||
* Function for testing if the page can be opened using invalid values for objektnum.
|
* Function for testing if the page can be opened using invalid values for objektnum.
|
||||||
|
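Review bot: `#[large]` on the class does not match the imported name `Large`; class-name resolution is case-insensitive so it still resolves, but it reads as a different attribute and may confuse static analysis, so write `#[Large]`. Dropping `require __DIR__ . '/../src/MD_STD_SEC.php';` means the test now relies on MD_STD_SEC (and MD_STD, used by the new tests below) being loaded by an autoloader or bootstrap; that is presumably the autoloader touched in this commit, but it is worth confirming the PHPUnit bootstrap registers it.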
@ -32,4 +34,71 @@ final class MD_STD_SECTest extends TestCase {
|
||||||
self::assertLessThan(3 * 1000000, $delay_reduced); // Smaller than 10 seconds
|
self::assertLessThan(3 * 1000000, $delay_reduced); // Smaller than 10 seconds
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Ensure getAntiCsrfToken does not work without a
|
||||||
|
* started session.
|
||||||
|
*
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function testGetAntiCsrfTokenFailsWithoutActiveSession():void {
|
||||||
|
|
||||||
|
self::expectException(Exception::class);
|
||||||
|
MD_STD_SEC::getAntiCsrfToken();
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Ensure getAntiCsrfToken works.
|
||||||
|
*
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function testGetAntiCsrfTokenWorks():void {
|
||||||
|
|
||||||
|
session_start();
|
||||||
|
self::assertEmpty($_SESSION);
|
||||||
|
$token = MD_STD_SEC::getAntiCsrfToken();
|
||||||
|
self::assertNotEmpty($_SESSION['csrf-token']);
|
||||||
|
self::assertEquals($token, MD_STD_SEC::getAntiCsrfToken());
|
||||||
|
|
||||||
|
$_POST = [
|
||||||
|
'csrf-token' => $token,
|
||||||
|
];
|
||||||
|
self::assertTrue(MD_STD_SEC::validateAntiCsrfToken());
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Ensure preventBruteForce works.
|
||||||
|
*
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function testPreventBruteForce():void {
|
||||||
|
|
||||||
|
self::assertTrue(MD_STD_SEC::preventBruteForce("MD_STD_TEST_SUCCESS", "test_user", 0));
|
||||||
|
|
||||||
|
$logFile = \sys_get_temp_dir() . "/logins_MD_STD_TEST_SUCCESS.json";
|
||||||
|
self::assertFileExists($logFile);
|
||||||
|
MD_STD::unlink($logFile);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Ensure preventBruteForce returns false on many requests.
|
||||||
|
*
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function testPreventBruteForceReturnsFalseOnManyRequests():void {
|
||||||
|
|
||||||
|
for ($i = 0; $i < 10; $i++) {
|
||||||
|
MD_STD_SEC::preventBruteForce("MD_STD_TEST_FAILURE", "test_user", 3);
|
||||||
|
}
|
||||||
|
|
||||||
|
self::assertFalse(MD_STD_SEC::preventBruteForce("MD_STD_TEST_FAILURE", "test_user", 3));
|
||||||
|
|
||||||
|
$logFile = \sys_get_temp_dir() . "/logins_MD_STD_TEST_FAILURE.json";
|
||||||
|
self::assertFileExists($logFile);
|
||||||
|
MD_STD::unlink($logFile);
|
||||||
|
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
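Review bot: The new tests leave shared state behind: `testGetAntiCsrfTokenWorks` sets `$_POST` and starts a session that persists, and both preventBruteForce tests remove their log file only after the assertions, so a failing assertion leaves `logins_MD_STD_TEST_*.json` in the temp dir where it may skew the next run. A `tearDown` that resets the globals and removes both log files regardless of outcome makes each test independent; a sketch is below. `testGetAntiCsrfTokenFailsWithoutActiveSession` additionally depends on running before any test that calls `session_start()`, which holds under declaration order but not under `--order-by=random`, so it is worth noting in its docblock. `self::assertEquals($token, MD_STD_SEC::getAntiCsrfToken());` compares two strings and would be stricter as `self::assertSame`.
```php
protected function tearDown(): void {

    // Reset request/session globals and temp log files so one test's state cannot leak into the next.
    $_POST = [];
    $_SESSION = [];
    foreach (["MD_STD_TEST_SUCCESS", "MD_STD_TEST_FAILURE"] as $toolName) {
        $logFile = \sys_get_temp_dir() . "/logins_{$toolName}.json";
        if (\file_exists($logFile)) {
            MD_STD::unlink($logFile);
        }
    }
    parent::tearDown();

}
```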
@ -1,5 +1,6 @@
|
||||||
<?PHP
|
<?PHP
|
||||||
declare(strict_types = 1);
|
declare(strict_types = 1);
|
||||||
|
ini_set( 'error_log', '/dev/stdout' );
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Autoloader for musdb.
|
* Autoloader for musdb.
|
||||||
|
|
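Review bot: `ini_set( 'error_log', '/dev/stdout' );` in the autoloader changes logging for every consumer that includes this file, not only the test run, and `/dev/stdout` is not portable; where fd 1 ends up is SAPI-dependent, so under some deployments PHP error text could surface where it should not. If the intent is to see PHP errors in the test output, the PHPUnit configuration is the right place (`<php><ini name="error_log" value="/dev/stdout"/></php>` in phpunit.xml), keeping this file free of runtime side effects. The spacing inside the call parentheses also differs from the rest of the file. The docblock opened at the end of the hunk continues outside it.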