author | ྅༻ Ǭɀħ ༄༆ཉ <ozh@ozh.org> | 2020-04-12 19:52:35 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-04-12 19:52:35 +0300 |
commit | 7c0a750b1ad49c7ae60f3a37c068ec5dd7dcde3f (patch) | |
tree | 034336dc0a0246e75fe58375295de6018ad3af76 /tests | |
parent | 476ea070a79fe2528087d4fd38d153f5b24f8b72 (diff) |
Accept timestamped signature with arbitrary hash (#2644)
* Allow arbitrary hashed signatures
* Force timestamps to int
* Improve comment
* Test new feature and add more tests
Diffstat (limited to 'tests')
-rw-r--r-- | tests/tests/auth/login_cookie.php | 78 | ||||
-rw-r--r-- | tests/tests/auth/nonces.php | 78 | ||||
-rw-r--r-- | tests/tests/auth/signatures.php | 59 |
3 files changed, 211 insertions, 4 deletions
diff --git a/tests/tests/auth/login_cookie.php b/tests/tests/auth/login_cookie.php
new file mode 100644
index 00000000..e26463ef
--- /dev/null
+++ b/tests/tests/auth/login_cookie.php
@@ -0,0 +1,78 @@
+<?php
+/**
+ * Login tests - via Cookies
+ *
+ * @group auth
+ * @group login
+ * @group cookies
+ * @since 0.1
+ */
+class Auth_Login_Cookie_Tests extends PHPUnit_Framework_TestCase {
+
+ protected $cookie;
+ protected $request;
+
+ protected function setUp() {
+ $this->cookie = $_COOKIE;
+ $this->request = $_REQUEST;
+ }
+
+ protected function tearDown() {
+ $_COOKIE = $this->cookie;
+ $_REQUEST = $this->request;
+ }
+
+ public static function setUpBeforeClass() {
+ yourls_add_filter( 'is_API', 'yourls_return_false' );
+ }
+
+ public static function tearDownAfterClass() {
+ yourls_remove_filter( 'is_API', 'yourls_return_false' );
+ }
+
+ /**
+ * Check for valid cookie name
+ */
+ public function test_cookie_name() {
+ $this->assertTrue( is_string(yourls_cookie_name()) );
+ }
+
+ /**
+ * Check for valid cookie value
+ */
+ public function test_cookie_value() {
+ $this->assertTrue( is_string(yourls_cookie_value(rand_str())) );
+ }
+
+ /**
+ * Check for valid cookie life
+ */
+ public function test_cookie_life() {
+ $this->assertTrue( is_int(yourls_get_cookie_life()) );
+ }
+
+ /**
+ * Test login with valid cookie
+ */
+ public function test_login_valid_cookie() {
+ global $yourls_user_passwords;
+ $random_user = array_rand($yourls_user_passwords);
+ $_COOKIE[yourls_cookie_name()] = yourls_cookie_value( $random_user );
+ unset($_REQUEST);
+
+ $this->assertTrue(yourls_check_auth_cookie());
+ $this->assertTrue(yourls_is_valid_user());
+ }
+
+ /**
+ * Test login with invalid cookie
+ */
+ public function test_login_invalid_cookie() {
+ $_COOKIE[yourls_cookie_name()] = yourls_cookie_value( rand_str() );
+ unset($_REQUEST);
+
+ $this->assertFalse(yourls_check_auth_cookie());
+ $this->assertNotTrue(yourls_is_valid_user());
+ }
+
+}
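Review bot: test_login_invalid_cookie only covers a cookie minted for a user that does not exist (`yourls_cookie_value( rand_str() )`), so a value that is well-formed for a real user but altered is never shown to be rejected; add a case that takes `yourls_cookie_value( $random_user )`, changes one character, and asserts `yourls_check_auth_cookie()` is false, since that is the tampering the cookie check has to resist. Both login tests call `unset($_REQUEST)`, which removes the variable rather than emptying it; `$_REQUEST = array();` still isolates the test from request parameters and keeps later reads from raising notices. The mix of `assertFalse` for `yourls_check_auth_cookie()` and `assertNotTrue` for `yourls_is_valid_user()` in the same test reads as if the latter may return something other than a bool, and a one-line comment saying why would spare the next reader the guess.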
diff --git a/tests/tests/auth/nonces.php b/tests/tests/auth/nonces.php
new file mode 100644
index 00000000..96456d4a
--- /dev/null
+++ b/tests/tests/auth/nonces.php
@@ -0,0 +1,78 @@
+<?php
+/**
+ * Nonce tests
+ *
+ * @group auth
+ * @group nonces
+ * @since 0.1
+ */
+class Auth_Nonce_Tests extends PHPUnit_Framework_TestCase {
+
+ protected function tearDown() {
+ yourls_remove_all_actions('pre_yourls_die');
+ }
+
+ /**
+ * Check for valid nonce life
+ */
+ public function test_nonce_life() {
+ $this->assertTrue( is_int(yourls_get_cookie_life()) );
+ }
+
+ /**
+ * Check for valid tick
+ */
+ public function test_tick() {
+ $this->assertTrue( is_float(yourls_tick()) );
+ }
+
+ /**
+ * Check nonce creation
+ */
+ public function test_create_nonce() {
+ $this->assertTrue( is_string(yourls_create_nonce(rand_str(), rand_str())) );
+ }
+
+ /**
+ * Check nonce field creation
+ */
+ public function test_create_nonce_field() {
+ $field = yourls_nonce_field( rand_str(), rand_str(), rand_str(), false );
+ $this->assertTrue( is_string($field) );
+ }
+
+ /**
+ * Check nonce URL creation
+ */
+ public function test_create_nonce_url() {
+ $url = yourls_nonce_url( rand_str(), rand_str(), rand_str(), rand_str() );
+ $this->assertTrue( is_string($url) );
+ // $this->assertIsString($url);
+ }
+
+ /**
+ * Test valid nonce
+ */
+ public function test_valid_nonce() {
+ $action = rand_str();
+ $user = rand_str();
+
+ // what nonce should be
+ $valid = yourls_create_nonce( $action, $user );
+
+ $this->assertTrue(yourls_verify_nonce($action, $valid, $user));
+ }
+
+ /**
+ * Test invalid nonce
+ * @expectedException Exception
+ */
+ public function test_invalid_nonce() {
+ // intercept yourls_die() before it actually dies
+ yourls_add_action( 'pre_yourls_die', function() { throw new Exception( 'I have died' ); } );
+
+ // This should trigger yourls_die()
+ $this->assertTrue(yourls_verify_nonce(rand_str(), rand_str(), rand_str()));
+ }
+
+}
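Review bot: test_nonce_life asserts on `yourls_get_cookie_life()` although its name and docblock say nonce life, so the nonce lifetime itself is never checked; `$this->assertTrue( is_int(YOURLS_NONCE_LIFE) );` (or whichever accessor the code exposes for it) would match the intent. In test_invalid_nonce the `$this->assertTrue(...)` wrapper is never evaluated when the intercepted yourls_die() throws, and if verification returned true the test would fail for the missing exception rather than for the assertion, so the bare call `yourls_verify_nonce(rand_str(), rand_str(), rand_str());` states what is actually being tested. test_valid_nonce shows a nonce verifies for its own action and user but not that it is bound to them; a nonce created for one user and verified with another (`yourls_verify_nonce($action, $valid, rand_str())`) should take the same die path, and that is the case that matters for authorization.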
diff --git a/tests/tests/auth/signatures.php b/tests/tests/auth/signatures.php index 94dae481..caa8b595 100644 --- a/tests/tests/auth/signatures.php +++ b/tests/tests/auth/signatures.php @@ -9,7 +9,7 @@ class Auth_Sig_Tests extends PHPUnit_Framework_TestCase { protected $backup_request; - + protected function setUp() { $this->backup_request = $_REQUEST; } @@ -17,7 +17,7 @@ class Auth_Sig_Tests extends PHPUnit_Framework_TestCase { protected function tearDown() { $_REQUEST = $this->backup_request; } - + /** * Check that empty signature isn't valid * 
@@ -59,7 +59,58 @@ class Auth_Sig_Tests extends PHPUnit_Framework_TestCase {
 $_REQUEST['timestamp'] = rand_str();
 $this->assertFalse( yourls_check_signature_timestamp() );
 }
-
+
+ /**
+ * Check that valid md5 timestamped sig is valid
+ *
+ * @since 0.1
+ */
+ public function test_signature_timestamp_md5() {
+ $timestamp = time();
+ $_REQUEST['timestamp'] = $timestamp;
+
+ global $yourls_user_passwords;
+ $random_user = array_rand($yourls_user_passwords);
+ $signature = yourls_auth_signature($random_user);
+
+ $md5 = md5( $timestamp . $signature );
+ $_REQUEST['signature'] = $md5;
+ $this->assertTrue( yourls_check_signature_timestamp() );
+
+ $md5 = md5( $signature . $timestamp );
+ $_REQUEST['signature'] = $md5;
+ $this->assertTrue( yourls_check_signature_timestamp() );
+ }
+
+ /**
+ * Check that valid hashed timestamped sig is valid
+ *
+ * @since 0.1
+ */
+ public function test_signature_timestamp_hash() {
+ $timestamp = time();
+ $_REQUEST['timestamp'] = $timestamp;
+
+ global $yourls_user_passwords;
+ $random_user = array_rand($yourls_user_passwords);
+ $signature = yourls_auth_signature($random_user);
+
+ $algos = hash_algos();
+ $random_algo = $algos[array_rand($algos)];
+ $_REQUEST['hash'] = $random_algo;
+
+ $hash = hash($random_algo, $timestamp . $signature );
+ $_REQUEST['signature'] = $hash;
+ $this->assertTrue( yourls_check_signature_timestamp() );
+
+ $hash = hash($random_algo, $signature . $timestamp );
+ $_REQUEST['signature'] = $hash;
+ $this->assertTrue( yourls_check_signature_timestamp() );
+
+ $_REQUEST['hash'] = rand_str();
+ $this->assertFalse( yourls_check_signature_timestamp() );
+ }
+
 /**
 * Provide valid and invalid timestamps as compared to current time and nonce life
 */
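Review bot: test_signature_timestamp_hash asserts acceptance for whichever algorithm `array_rand()` draws from `hash_algos()`, so every run covers a different algorithm and a failure is hard to reproduce; `hash_algos()` also lists non-cryptographic checksums such as crc32b and adler32, and a green assertion there records that a 32-bit digest over timestamp and signature counts as a valid credential. Loop over a fixed list of algorithms (or all of `hash_algos()`) instead of one random pick, and decide explicitly which algorithms the positive assertion is meant to cover and which should be rejected. The only negative case is an unknown algorithm name; a wrong digest under a valid algorithm is never tested, e.g. `$_REQUEST['hash'] = $random_algo;` `$_REQUEST['signature'] = hash($random_algo, rand_str());` `$this->assertFalse( yourls_check_signature_timestamp() );`. Both new tests assign an int to `$_REQUEST['timestamp']`, whereas request parameters arrive as strings, so the int coercion the commit message mentions is not exercised; using `$_REQUEST['timestamp'] = (string) $timestamp;` in one of the cases would cover it.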
@@ -69,7 +120,7 @@ class Auth_Sig_Tests extends PHPUnit_Framework_TestCase {
 $little_in_the_past = $now - ( YOURLS_NONCE_LIFE / 2 );
 $far_in_the_future = $now + ( YOURLS_NONCE_LIFE * 2 );
 $far_in_the_past = $now - ( YOURLS_NONCE_LIFE * 2 );
-
+
 return array(
 array( 0, false ),
 array( $now, true ), |