ilBcryptPasswordEncoderTest.php

Go to the documentation of this file.

<?php
/* Copyright (c) 1998-2014 ILIAS open source, Extended GPL, see docs/LICENSE */

require_once 'Services/Password/classes/encoders/class.ilBcryptPasswordEncoder.php';
require_once 'Services/Password/test/ilPasswordBaseTest.php';

use org\bovigo\vfs;

class ilBcryptPasswordEncoderTest extends ilPasswordBaseTest
{
        const VALID_COSTS = '08';

        const PASSWORD = 'password';

        const WRONG_PASSWORD = 'wrong_password';

        const CLIENT_SALT = 'homer!12345_/';

        const PASSWORD_SALT = 'salt';

        protected $test_directory;

        public function getTestDirectory()
        {
                return $this->test_directory;
        }

        public function setTestDirectory($test_directory)
        {
                $this->test_directory = $test_directory;
        }

        protected function setUp()
        {
                vfs\vfsStream::setup();
                $this->setTestDirectory(vfs\vfsStream::newDirectory('tests')->at(vfs\vfsStreamWrapper::getRoot()));

                if(!defined('CLIENT_DATA_DIR'))
                {
                        define('CLIENT_DATA_DIR', vfs\vfsStream::url('root/tests'));
                }

                parent::setUp();
        }

        private function skipIfPhpVersionIsNotSupported()
        {
                if(version_compare(phpversion(), '5.3.7', '<'))
                {
                        $this->markTestSkipped('Requires PHP >= 5.3.7');
                }
        }

        public function costsProvider()
        {
                $data = array();
                for($i = 4; $i <= 31; $i++)
                {
                        $data[] = array($i);
                }
                return $data;
        }

        public function testInstanceCanBeCreated()
        {
                $security_flaw_ignoring_encoder = new ilBcryptPasswordEncoder(array(
                        'ignore_security_flaw' => true
                ));
                $this->assertTrue($security_flaw_ignoring_encoder->isSecurityFlawIgnored());

                $security_flaw_respecting_encoder = new ilBcryptPasswordEncoder(array(
                        'ignore_security_flaw' => false
                ));
                $this->assertFalse($security_flaw_respecting_encoder->isSecurityFlawIgnored());

                $encoder = new ilBcryptPasswordEncoder(array(
                        'cost' => self::VALID_COSTS
                ));
                $this->assertInstanceOf('ilBcryptPasswordEncoder', $encoder);
                $this->assertEquals(self::VALID_COSTS, $encoder->getCosts());
                $this->assertFalse($encoder->isSecurityFlawIgnored());
                $encoder->setClientSalt(self::CLIENT_SALT);
                return $encoder;
        }

        public function testCostsCanBeRetrievedWhenCostsAreSet(ilBcryptPasswordEncoder $encoder)
        {
                $encoder->setCosts(4);
                $this->assertEquals(4, $encoder->getCosts());
        }

        public function testCostsCannotBeSetAboveRange(ilBcryptPasswordEncoder $encoder)
        {
                $this->assertException(ilPasswordException::class);
                $encoder->setCosts(32);
        }

        public function testCostsCannotBeSetBelowRange(ilBcryptPasswordEncoder $encoder)
        {
                $this->assertException(ilPasswordException::class);
                $encoder->setCosts(3);
        }

        public function testCostsCanBeSetInRange($costs, ilBcryptPasswordEncoder $encoder)
        {
                $encoder->setCosts($costs);
        }

        public function testPasswordShouldBeCorrectlyEncodedAndVerified(ilBcryptPasswordEncoder $encoder)
        {
                $encoder->setCosts(self::VALID_COSTS);
                $encoded_password = $encoder->encodePassword(self::PASSWORD, self::PASSWORD_SALT);
                $this->assertTrue($encoder->isPasswordValid($encoded_password, self::PASSWORD, self::PASSWORD_SALT));
                $this->assertFalse($encoder->isPasswordValid($encoded_password, self::WRONG_PASSWORD, self::PASSWORD_SALT));
                return $encoder;
        }

        public function testExceptionIsRaisedIfThePasswordExceedsTheSupportedLengthOnEncoding(ilBcryptPasswordEncoder $encoder)
        {
                $this->assertException(ilPasswordException::class);
                $encoder->setCosts(self::VALID_COSTS);
                $encoder->encodePassword(str_repeat('a', 5000), self::PASSWORD_SALT);
        }

        public function testPasswordVerificationShouldFailIfTheRawPasswordExceedsTheSupportedLength(ilBcryptPasswordEncoder $encoder)
        {
                $encoder->setCosts(self::VALID_COSTS);
                $this->assertFalse($encoder->isPasswordValid('encoded', str_repeat('a', 5000), self::PASSWORD_SALT));
        }

        public function testEncoderReliesOnSalts(ilBcryptPasswordEncoder $encoder)
        {
                $this->assertTrue($encoder->requiresSalt());
        }

        public function testEncoderDoesNotSupportReencoding(ilBcryptPasswordEncoder $encoder)
        {
                $this->assertFalse($encoder->requiresReencoding('hello'));
        }

        public function testNameShouldBeBcrypt(ilBcryptPasswordEncoder $encoder)
        {
                $this->assertEquals('bcrypt', $encoder->getName());
        }

        public function testExceptionIsRaisedIfSaltIsMissingIsOnEncoding()
        {
                $this->assertException(ilPasswordException::class);
                $encoder = new ilBcryptPasswordEncoder();
                $encoder->setClientSalt(null);
                $encoder->setCosts(self::VALID_COSTS);
                $encoder->encodePassword(self::PASSWORD, self::PASSWORD_SALT);
        }

        public function testExceptionIsRaisedIfSaltIsMissingIsOnVerification()
        {
                $this->assertException(ilPasswordException::class);
                $encoder = new ilBcryptPasswordEncoder();
                $encoder->setClientSalt(null);
                $encoder->setCosts(self::VALID_COSTS);
                $encoder->isPasswordValid('12121212', self::PASSWORD, self::PASSWORD_SALT);
        }

        public function testInstanceCanBeCreatedAndInitializedWithClientSalt()
        {
                $this->getTestDirectory()->chmod(0777);
                vfs\vfsStream::newFile(ilBcryptPasswordEncoder::SALT_STORAGE_FILENAME)->withContent(self::CLIENT_SALT)->at($this->getTestDirectory());

                $encoder = new ilBcryptPasswordEncoder();
                $this->assertEquals(self::CLIENT_SALT, $encoder->getClientSalt());
        }

        public function testClientSaltIsGeneratedWhenNoClientSaltExistsYet()
        {
                $this->getTestDirectory()->chmod(0777);

                $encoder = new ilBcryptPasswordEncoder();
                $this->assertNotNull($encoder->getClientSalt());
        }

        public function testExceptionIsRaisedWhenClientSaltCouldNotBeGeneratedInCaseNoClientSaltExistsYet()
        {
                $this->assertException(ilPasswordException::class);
                $this->getTestDirectory()->chmod(0000);

                $encoder = new ilBcryptPasswordEncoder();
        }

        public function testBackwardCompatibilityCanBeRetrievedWhenBackwardCompatibilityIsSet()
        {
                $encoder = new ilBcryptPasswordEncoder();
                $encoder->setBackwardCompatibility(true);
                $this->assertTrue($encoder->isBackwardCompatibilityEnabled());
                $encoder->setBackwardCompatibility(false);
                $this->assertFalse($encoder->isBackwardCompatibilityEnabled());
        }

        public function testBackwardCompatibility()
        {
                $this->skipIfPhpVersionIsNotSupported();

                $encoder = new ilBcryptPasswordEncoder();
                $encoder->setClientSalt(self::CLIENT_SALT);
                $encoder->setBackwardCompatibility(true);
                $encoded_password = $encoder->encodePassword(self::PASSWORD, self::PASSWORD_SALT);
                $this->assertTrue($encoder->isPasswordValid($encoded_password, self::PASSWORD, self::PASSWORD_SALT));
                $this->assertEquals('$2a$', substr($encoded_password, 0, 4));

                $another_encoder = new ilBcryptPasswordEncoder();
                $another_encoder->setClientSalt(self::CLIENT_SALT);
                $another_encoder->setBackwardCompatibility(false);
                $another_encoded_password = $another_encoder->encodePassword(self::PASSWORD, self::PASSWORD_SALT);
                $this->assertEquals('$2y$', substr($another_encoded_password, 0, 4));
                $this->assertTrue($another_encoder->isPasswordValid($encoded_password, self::PASSWORD, self::PASSWORD_SALT));
        }

        public function testExceptionIsRaisedIfTheRawPasswordContainsA8BitCharacterAndBackwardCompatibilityIsEnabled()
        {
                $this->assertException(ilPasswordException::class);
                $encoder = new ilBcryptPasswordEncoder();
                $encoder->setClientSalt(self::CLIENT_SALT);
                $encoder->setBackwardCompatibility(true);
                $encoder->encodePassword(self::PASSWORD . chr(195), self::PASSWORD_SALT);
        }

        public function testExceptionIsNotRaisedIfTheRawPasswordContainsA8BitCharacterAndBackwardCompatibilityIsEnabledWithIgnoredSecurityFlaw()
        {
                $encoder = new ilBcryptPasswordEncoder();
                $encoder->setClientSalt(self::CLIENT_SALT);
                $encoder->setBackwardCompatibility(true);
                $encoder->setIsSecurityFlawIgnored(true);
                $encoder->encodePassword(self::PASSWORD . chr(195), self::PASSWORD_SALT);
        }
}