ilBcryptPasswordEncoderTest.php

Go to the documentation of this file.

<?php
/* Copyright (c) 1998-2014 ILIAS open source, Extended GPL, see docs/LICENSE */
 
require_once 'Services/Password/classes/encoders/class.ilBcryptPasswordEncoder.php';
require_once 'Services/Password/test/ilPasswordBaseTest.php';
 
use org\bovigo\vfs;
 
class ilBcryptPasswordEncoderTest extends ilPasswordBaseTest
{
    const VALID_COSTS = '08';
 
    const PASSWORD = 'password';
 
    const WRONG_PASSWORD = 'wrong_password';
 
    const CLIENT_SALT = 'homer!12345_/';
 
    const PASSWORD_SALT = 'salt';
 
    protected $test_directory;
    
    protected $test_directory_url;
 
    public function getTestDirectory()
    {
        return $this->test_directory;
    }
 
    public function setTestDirectory($test_directory)
    {
        $this->test_directory = $test_directory;
    }
 
    public function getTestDirectoryUrl()
    {
        return $this->test_directory_url;
    }
 
    public function setTestDirectoryUrl($test_directory_url)
    {
        $this->test_directory_url = $test_directory_url;
    }
 
    protected function setUp()
    {
        vfs\vfsStream::setup();
        $this->setTestDirectory(vfs\vfsStream::newDirectory('tests')->at(vfs\vfsStreamWrapper::getRoot()));
        $this->setTestDirectoryUrl(vfs\vfsStream::url('root/tests'));
 
        parent::setUp();
    }
 
    private function skipIfPhpVersionIsNotSupported()
    {
        if (version_compare(phpversion(), '5.3.7', '<')) {
            $this->markTestSkipped('Requires PHP >= 5.3.7');
        }
    }
 
    public function costsProvider()
    {
        $data = array();
        for ($i = 4; $i <= 31; $i++) {
            $data[] = array($i);
        }
        return $data;
    }
 
    private function getInstanceWithConfiguredDataDirectory()
    {
        $encoder = new ilBcryptPasswordEncoder(array(
            'data_directory' => $this->getTestDirectoryUrl()
        ));
 
        return $encoder;
    }
 
    public function testInstanceCanBeCreated()
    {
        $security_flaw_ignoring_encoder = new ilBcryptPasswordEncoder(array(
            'ignore_security_flaw' => true,
            'data_directory' => $this->getTestDirectoryUrl()
        ));
        $this->assertTrue($security_flaw_ignoring_encoder->isSecurityFlawIgnored());
 
        $security_flaw_respecting_encoder = new ilBcryptPasswordEncoder(array(
            'ignore_security_flaw' => false,
            'data_directory' => $this->getTestDirectoryUrl()
        ));
        $this->assertFalse($security_flaw_respecting_encoder->isSecurityFlawIgnored());
 
        $encoder = new ilBcryptPasswordEncoder(array(
            'cost' => self::VALID_COSTS,
            'data_directory' => $this->getTestDirectoryUrl()
        ));
        $this->assertInstanceOf('ilBcryptPasswordEncoder', $encoder);
        $this->assertEquals(self::VALID_COSTS, $encoder->getCosts());
        $this->assertFalse($encoder->isSecurityFlawIgnored());
        $encoder->setClientSalt(self::CLIENT_SALT);
 
        return $encoder;
    }
 
    public function testCostsCanBeRetrievedWhenCostsAreSet(ilBcryptPasswordEncoder $encoder)
    {
        $encoder->setCosts(4);
        $this->assertEquals(4, $encoder->getCosts());
    }
 
    public function testCostsCannotBeSetAboveRange(ilBcryptPasswordEncoder $encoder)
    {
        $this->assertException(ilPasswordException::class);
        $encoder->setCosts(32);
    }
 
    public function testCostsCannotBeSetBelowRange(ilBcryptPasswordEncoder $encoder)
    {
        $this->assertException(ilPasswordException::class);
        $encoder->setCosts(3);
    }
 
    public function testCostsCanBeSetInRange($costs, ilBcryptPasswordEncoder $encoder)
    {
        $encoder->setCosts($costs);
    }
 
    public function testPasswordShouldBeCorrectlyEncodedAndVerified(ilBcryptPasswordEncoder $encoder)
    {
        $encoder->setCosts(self::VALID_COSTS);
        $encoded_password = $encoder->encodePassword(self::PASSWORD, self::PASSWORD_SALT);
        $this->assertTrue($encoder->isPasswordValid($encoded_password, self::PASSWORD, self::PASSWORD_SALT));
        $this->assertFalse($encoder->isPasswordValid($encoded_password, self::WRONG_PASSWORD, self::PASSWORD_SALT));
        return $encoder;
    }
 
    public function testExceptionIsRaisedIfThePasswordExceedsTheSupportedLengthOnEncoding(ilBcryptPasswordEncoder $encoder)
    {
        $this->assertException(ilPasswordException::class);
        $encoder->setCosts(self::VALID_COSTS);
        $encoder->encodePassword(str_repeat('a', 5000), self::PASSWORD_SALT);
    }
 
    public function testPasswordVerificationShouldFailIfTheRawPasswordExceedsTheSupportedLength(ilBcryptPasswordEncoder $encoder)
    {
        $encoder->setCosts(self::VALID_COSTS);
        $this->assertFalse($encoder->isPasswordValid('encoded', str_repeat('a', 5000), self::PASSWORD_SALT));
    }
 
    public function testEncoderReliesOnSalts(ilBcryptPasswordEncoder $encoder)
    {
        $this->assertTrue($encoder->requiresSalt());
    }
 
    public function testEncoderDoesNotSupportReencoding(ilBcryptPasswordEncoder $encoder)
    {
        $this->assertFalse($encoder->requiresReencoding('hello'));
    }
 
    public function testNameShouldBeBcrypt(ilBcryptPasswordEncoder $encoder)
    {
        $this->assertEquals('bcrypt', $encoder->getName());
    }
 
    public function testExceptionIsRaisedIfSaltIsMissingIsOnEncoding()
    {
        $this->assertException(ilPasswordException::class);
        $encoder = $this->getInstanceWithConfiguredDataDirectory();
        $encoder->setClientSalt(null);
        $encoder->setCosts(self::VALID_COSTS);
        $encoder->encodePassword(self::PASSWORD, self::PASSWORD_SALT);
    }
 
    public function testExceptionIsRaisedIfSaltIsMissingIsOnVerification()
    {
        $this->assertException(ilPasswordException::class);
        $encoder = $this->getInstanceWithConfiguredDataDirectory();
        $encoder->setClientSalt(null);
        $encoder->setCosts(self::VALID_COSTS);
        $encoder->isPasswordValid('12121212', self::PASSWORD, self::PASSWORD_SALT);
    }
 
    public function testInstanceCanBeCreatedAndInitializedWithClientSalt()
    {
        $this->getTestDirectory()->chmod(0777);
        vfs\vfsStream::newFile(ilBcryptPasswordEncoder::SALT_STORAGE_FILENAME)->withContent(self::CLIENT_SALT)->at($this->getTestDirectory());
 
        $encoder = $this->getInstanceWithConfiguredDataDirectory();
        $this->assertEquals(self::CLIENT_SALT, $encoder->getClientSalt());
    }
 
    public function testClientSaltIsGeneratedWhenNoClientSaltExistsYet()
    {
        $this->getTestDirectory()->chmod(0777);
 
        $encoder = $this->getInstanceWithConfiguredDataDirectory();
        $this->assertNotNull($encoder->getClientSalt());
    }
 
    public function testExceptionIsRaisedWhenClientSaltCouldNotBeGeneratedInCaseNoClientSaltExistsYet()
    {
        $this->assertException(ilPasswordException::class);
        $this->getTestDirectory()->chmod(0000);
 
        $encoder = $this->getInstanceWithConfiguredDataDirectory();
    }
 
    public function testBackwardCompatibilityCanBeRetrievedWhenBackwardCompatibilityIsSet()
    {
        $encoder = $this->getInstanceWithConfiguredDataDirectory();
        $encoder->setBackwardCompatibility(true);
        $this->assertTrue($encoder->isBackwardCompatibilityEnabled());
        $encoder->setBackwardCompatibility(false);
        $this->assertFalse($encoder->isBackwardCompatibilityEnabled());
    }
 
    public function testBackwardCompatibility()
    {
        $this->skipIfPhpVersionIsNotSupported();
 
        $encoder = $this->getInstanceWithConfiguredDataDirectory();
        $encoder->setClientSalt(self::CLIENT_SALT);
        $encoder->setBackwardCompatibility(true);
        $encoded_password = $encoder->encodePassword(self::PASSWORD, self::PASSWORD_SALT);
        $this->assertTrue($encoder->isPasswordValid($encoded_password, self::PASSWORD, self::PASSWORD_SALT));
        $this->assertEquals('$2a$', substr($encoded_password, 0, 4));
 
        $another_encoder = $this->getInstanceWithConfiguredDataDirectory();
        $another_encoder->setClientSalt(self::CLIENT_SALT);
        $another_encoder->setBackwardCompatibility(false);
        $another_encoded_password = $another_encoder->encodePassword(self::PASSWORD, self::PASSWORD_SALT);
        $this->assertEquals('$2y$', substr($another_encoded_password, 0, 4));
        $this->assertTrue($another_encoder->isPasswordValid($encoded_password, self::PASSWORD, self::PASSWORD_SALT));
    }
 
    public function testExceptionIsRaisedIfTheRawPasswordContainsA8BitCharacterAndBackwardCompatibilityIsEnabled()
    {
        $this->assertException(ilPasswordException::class);
        $encoder = $this->getInstanceWithConfiguredDataDirectory();
        $encoder->setClientSalt(self::CLIENT_SALT);
        $encoder->setBackwardCompatibility(true);
        $encoder->encodePassword(self::PASSWORD . chr(195), self::PASSWORD_SALT);
    }
 
    public function testExceptionIsNotRaisedIfTheRawPasswordContainsA8BitCharacterAndBackwardCompatibilityIsEnabledWithIgnoredSecurityFlaw()
    {
        $encoder = $this->getInstanceWithConfiguredDataDirectory();
        $encoder->setClientSalt(self::CLIENT_SALT);
        $encoder->setBackwardCompatibility(true);
        $encoder->setIsSecurityFlawIgnored(true);
        $encoder->encodePassword(self::PASSWORD . chr(195), self::PASSWORD_SALT);
    }
}