diff options
21 files changed, 1010 insertions, 206 deletions
diff --git a/phpBB/includes/captcha/captcha_factory.php b/phpBB/includes/captcha/captcha_factory.php index 1ed8e119b5..af79f059fe 100644 --- a/phpBB/includes/captcha/captcha_factory.php +++ b/phpBB/includes/captcha/captcha_factory.php @@ -50,7 +50,8 @@ class phpbb_captcha_factory { include($phpbb_root_path . "includes/captcha/plugins/{$name}_plugin." . $phpEx); } - call_user_func(array($name, 'garbage_collect'), 0); + $captcha = new $name; + $captcha->garbage_collect(''); } /** diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php index e0585b1523..dc33786666 100644 --- a/phpBB/phpbb/session.php +++ b/phpBB/phpbb/session.php @@ -1022,7 +1022,8 @@ class phpbb_session { include($phpbb_root_path . "includes/captcha/captcha_factory." . $phpEx); } - phpbb_captcha_factory::garbage_collect($config['captcha_plugin']); + $captcha_factory = new phpbb_captcha_factory(); + $captcha_factory->garbage_collect($config['captcha_plugin']); $sql = 'DELETE FROM ' . LOGIN_ATTEMPT_TABLE . ' WHERE attempt_time < ' . (time() - (int) $config['ip_login_limit_time']); diff --git a/tests/mock/auth_provider.php b/tests/mock/auth_provider.php new file mode 100644 index 0000000000..e0a2abd2d5 --- /dev/null +++ b/tests/mock/auth_provider.php @@ -0,0 +1,53 @@ +<?php +/** + * + * @package testing + * @copyright (c) 2013 phpBB Group + * @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 + * + */ + +/** + * Mock auth provider class with basic functions to help test sessions. + */ +class phpbb_mock_auth_provider implements phpbb_auth_provider_interface +{ + function init() + { + return null; + } + + function login($username, $password) + { + return array( + 'status' => "", + 'error_msg' => "", + 'user_row' => "", + ); + } + + function autologin() + { + return array(); + } + + function acp() + { + return array(); + } + + function logout($data, $new_session) + { + return null; + } + + function validate_session($user) + { + return null; + } + + public function get_acp_template($new_config) + { + return null; + } +} diff --git a/tests/mock/session_testable.php b/tests/mock/session_testable.php index 56ff8c8b32..283f9af192 100644 --- a/tests/mock/session_testable.php +++ b/tests/mock/session_testable.php @@ -58,5 +58,9 @@ class phpbb_mock_session_testable extends phpbb_session } } } + + public function setup() + { + } } diff --git a/tests/session/check_ban_test.php b/tests/session/check_ban_test.php new file mode 100644 index 0000000000..6ff688ee3d --- /dev/null +++ b/tests/session/check_ban_test.php @@ -0,0 +1,63 @@ +<?php +/** + * + * @package testing + * @copyright (c) 2013 phpBB Group + * @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 + * + */ + +require_once dirname(__FILE__) . '/../test_framework/phpbb_session_test_case.php'; + +class phpbb_session_check_ban_test extends phpbb_session_test_case +{ + protected $user_id = 4; + protected $key_id = 4; + + public function getDataSet() + { + return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/sessions_banlist.xml'); + } + + static function check_banned_data() + { + return array( + array('All false values, should not be banned', + false, false, false, false, /* ?: */ false), + array('Matching values in the database, should be banned', + 4, '127.0.0.1', 'bar@example.org', true, /* ?: */ true), + array('IP Banned, should be banned', + false, '127.1.1.1', false, false, /* ?: */ true), + ); + } + + /** @dataProvider check_banned_data */ + public function test_check_is_banned($test_msg, $user_id, $user_ips, $user_email, $return, $should_be_banned) + { + $session = $this->session_factory->get_session($this->db); + // Change the global cache object for this test because + // the mock cache object does not hit the database as is + // needed for this test. + global $cache, $config, $phpbb_root_path, $php_ext; + $cache = new phpbb_cache_service( + new phpbb_cache_driver_file(), + $config, + $this->db, + $phpbb_root_path, + $php_ext + ); + + try + { + $is_banned = + $session->check_ban($user_id, $user_ips, $user_email, $return); + } catch (PHPUnit_Framework_Error_Notice $e) + { + // User error was triggered, user must have been banned + $is_banned = true; + } + $this->assertEquals($should_be_banned, $is_banned, $test_msg); + + $cache = new phpbb_mock_cache(); + } +} diff --git a/tests/session/check_isvalid_test.php b/tests/session/check_isvalid_test.php new file mode 100644 index 0000000000..6c21359c7d --- /dev/null +++ b/tests/session/check_isvalid_test.php @@ -0,0 +1,71 @@ +<?php +/** +* +* @package testing +* @copyright (c) 2013 phpBB Group +* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 +* +*/ + +require_once dirname(__FILE__) . '/../test_framework/phpbb_session_test_case.php'; + + +class phpbb_session_check_isvalid_test extends phpbb_session_test_case +{ + public function getDataSet() + { + return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/sessions_full.xml'); + } + + protected function access_with($session_id, $user_id, $user_agent, $ip) + { + $this->session_factory->merge_test_data($session_id, $user_id, $user_agent, $ip); + + $session = $this->session_factory->get_session($this->db); + $session->page = array('page' => 'page', 'forum' => 0); + + $session->session_begin(); + $this->session_factory->check($this); + return $session; + } + + protected function check_session_equals($expected_sessions, $message) + { + $sql = 'SELECT session_id, session_user_id + FROM phpbb_sessions + ORDER BY session_user_id'; + + $this->assertSqlResultEquals($expected_sessions, $sql, $message); + } + + public function test_session_valid_session_exists() + { + $session = $this->access_with('bar_session000000000000000000000', '4', 'user agent', '127.0.0.1'); + $session->check_cookies($this, array()); + + $this->check_session_equals(array( + array('session_id' => 'anon_session00000000000000000000', 'session_user_id' => 1), + array('session_id' => 'bar_session000000000000000000000', 'session_user_id' => 4), + ), + 'If a request comes with a valid session id with matching user agent and IP, no new session should be created.' + ); + } + + public function test_session_invalid_make_new_annon_session() + { + $session = $this->access_with('anon_session00000000000000000000', '4', 'user agent', '127.0.0.1'); + $session->check_cookies($this, array( + 'u' => array('1', null), + 'k' => array(null, null), + 'sid' => array($session->session_id, null), + )); + + $this->check_session_equals(array( + array('session_id' => $session->session_id, 'session_user_id' => 1), // use generated SID + array('session_id' => 'bar_session000000000000000000000', 'session_user_id' => 4), + ), + 'If a request comes with a valid session id and IP but different user id and user agent, + a new anonymous session is created and the session matching the supplied session id is deleted.' + ); + } +} diff --git a/tests/session/continue_test.php b/tests/session/continue_test.php deleted file mode 100644 index e5a7f7a4a1..0000000000 --- a/tests/session/continue_test.php +++ /dev/null @@ -1,133 +0,0 @@ -<?php -/** -* -* @package testing -* @copyright (c) 2011 phpBB Group -* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 -* -*/ - -require_once dirname(__FILE__) . '/testable_factory.php'; - -class phpbb_session_continue_test extends phpbb_database_test_case -{ - public function getDataSet() - { - return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/sessions_full.xml'); - } - - static public function session_begin_attempts() - { - // The session_id field is defined as CHAR(32) in the database schema. - // Thus the data we put in session_id fields has to have a length of 32 characters on stricter DBMSes. - // Thus we fill those strings up with zeroes until they have a string length of 32. - - return array( - array( - 'bar_session000000000000000000000', '4', 'user agent', '127.0.0.1', - array( - array('session_id' => 'anon_session00000000000000000000', 'session_user_id' => 1), - array('session_id' => 'bar_session000000000000000000000', 'session_user_id' => 4), - ), - array(), - 'If a request comes with a valid session id with matching user agent and IP, no new session should be created.', - ), - array( - 'anon_session00000000000000000000', '4', 'user agent', '127.0.0.1', - array( - array('session_id' => '__new_session_id__', 'session_user_id' => 1), // use generated SID - array('session_id' => 'bar_session000000000000000000000', 'session_user_id' => 4), - ), - array( - 'u' => array('1', null), - 'k' => array(null, null), - 'sid' => array('__new_session_id__', null), - ), - 'If a request comes with a valid session id and IP but different user id and user agent, a new anonymous session is created and the session matching the supplied session id is deleted.', - ), - ); - } - - /** - * @dataProvider session_begin_attempts - */ - public function test_session_begin_valid_session($session_id, $user_id, $user_agent, $ip, $expected_sessions, $expected_cookies, $message) - { - global $phpbb_container, $phpbb_root_path, $phpEx; - - $db = $this->new_dbal(); - $config = new phpbb_config(array()); - $request = $this->getMock('phpbb_request'); - $user = $this->getMock('phpbb_user'); - - $auth_provider = new phpbb_auth_provider_db($db, $config, $request, $user, $phpbb_root_path, $phpEx); - $phpbb_container = $this->getMock('Symfony\Component\DependencyInjection\ContainerInterface'); - $phpbb_container->expects($this->any()) - ->method('get') - ->with('auth.provider.db') - ->will($this->returnValue($auth_provider)); - - $session_factory = new phpbb_session_testable_factory; - $session_factory->set_cookies(array( - '_sid' => $session_id, - '_u' => $user_id, - )); - $session_factory->merge_config_data(array( - 'session_length' => time(), // need to do this to allow sessions started at time 0 - )); - $session_factory->merge_server_data(array( - 'HTTP_USER_AGENT' => $user_agent, - 'REMOTE_ADDR' => $ip, - )); - - $session = $session_factory->get_session($db); - $session->page = array('page' => 'page', 'forum' => 0); - - $session->session_begin(); - - $sql = 'SELECT session_id, session_user_id - FROM phpbb_sessions - ORDER BY session_user_id'; - - $expected_sessions = $this->replace_session($expected_sessions, $session->session_id); - $expected_cookies = $this->replace_session($expected_cookies, $session->session_id); - - $this->assertSqlResultEquals( - $expected_sessions, - $sql, - $message - ); - - $session->check_cookies($this, $expected_cookies); - - $session_factory->check($this); - } - - /** - * Replaces recursively the value __new_session_id__ with the given session - * id. - * - * @param array $array An array of data - * @param string $session_id The new session id to use instead of the - * placeholder. - * @return array The input array with all occurances of __new_session_id__ - * replaced. - */ - public function replace_session($array, $session_id) - { - foreach ($array as $key => &$value) - { - if ($value === '__new_session_id__') - { - $value = $session_id; - } - - if (is_array($value)) - { - $value = $this->replace_session($value, $session_id); - } - } - - return $array; - } -} diff --git a/tests/session/create_test.php b/tests/session/create_test.php new file mode 100644 index 0000000000..a8248ae62c --- /dev/null +++ b/tests/session/create_test.php @@ -0,0 +1,43 @@ +<?php +/** + * + * @package testing + * @copyright (c) 2013 phpBB Group + * @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 + * + */ + +require_once dirname(__FILE__) . '/../test_framework/phpbb_session_test_case.php'; + +class phpbb_session_create_test extends phpbb_session_test_case +{ + public function getDataSet() + { + return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/sessions_full.xml'); + } + + static function bot($bot_agent, $user_id, $bot_ip) + { + return array(array( + 'bot_agent' => $bot_agent, + 'user_id' => $user_id, + 'bot_ip' => $bot_ip, + )); + } + + function test_bot_session() + { + $output = $this->session_facade->session_create( + false, + false, + false, + false, + array(), + 'user agent', + '127.0.0.1', + self::bot('user agent', 13, '127.0.0.1'), + '' + ); + $this->assertEquals($output->data['is_bot'], true, 'should be a bot'); + } +} diff --git a/tests/session/creation_test.php b/tests/session/creation_test.php deleted file mode 100644 index fde76d6b06..0000000000 --- a/tests/session/creation_test.php +++ /dev/null @@ -1,69 +0,0 @@ -<?php -/** -* -* @package testing -* @copyright (c) 2011 phpBB Group -* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 -* -*/ - -require_once dirname(__FILE__) . '/testable_factory.php'; - -class phpbb_session_creation_test extends phpbb_database_test_case -{ - public function getDataSet() - { - return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/sessions_empty.xml'); - } - - // also see security/extract_current_page.php - - public function test_login_session_create() - { - global $phpbb_container, $phpbb_root_path, $phpEx; - - $db = $this->new_dbal(); - $config = new phpbb_config(array()); - $request = $this->getMock('phpbb_request'); - $user = $this->getMock('phpbb_user'); - - $auth_provider = new phpbb_auth_provider_db($db, $config, $request, $user, $phpbb_root_path, $phpEx); - $phpbb_container = $this->getMock('Symfony\Component\DependencyInjection\ContainerInterface'); - $phpbb_container->expects($this->any()) - ->method('get') - ->with('auth.provider.db') - ->will($this->returnValue($auth_provider)); - - $session_factory = new phpbb_session_testable_factory; - - $session = $session_factory->get_session($db); - $session->page = array('page' => 'page', 'forum' => 0); - - $session->session_create(3); - - $sql = 'SELECT session_user_id - FROM phpbb_sessions'; - - $this->assertSqlResultEquals( - array(array('session_user_id' => 3)), - $sql, - 'Check if exactly one session for user id 3 was created' - ); - - $one_year_in_seconds = 365 * 24 * 60 * 60; - $cookie_expire = $session->time_now + $one_year_in_seconds; - - $session->check_cookies($this, array( - 'u' => array(null, $cookie_expire), - 'k' => array(null, $cookie_expire), - 'sid' => array($session->session_id, $cookie_expire), - )); - - global $SID, $_SID; - $this->assertEquals($session->session_id, $_SID); - $this->assertEquals('?sid=' . $session->session_id, $SID); - - $session_factory->check($this); - } -} - diff --git a/tests/session/extract_hostname_test.php b/tests/session/extract_hostname_test.php new file mode 100644 index 0000000000..5ff43cbb60 --- /dev/null +++ b/tests/session/extract_hostname_test.php @@ -0,0 +1,51 @@ +<?php +/** + * + * @package testing + * @copyright (c) 2013 phpBB Group + * @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 + * + */ + +require_once dirname(__FILE__) . '/../test_framework/phpbb_session_test_case.php'; + +class phpbb_session_extract_hostname_test extends phpbb_session_test_case +{ + public function getDataSet() + { + return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/sessions_empty.xml'); + } + + static public function extract_current_hostname_data() + { + return array ( + // [Input] $host, $server_name_config, $cookie_domain_config, [Expected] $output + // If host is ip use that + // ipv4 + array('127.0.0.1', 'skipped.org', 'skipped.org', '127.0.0.1'), + // ipv6 + array('::1', 'skipped.org', 'skipped.org', ':'), + array('2002::3235:51f9', 'skipped.org', 'skipped.org', '2002::3235'), + // If no host but server name matches cookie_domain use that + array('', 'example.org', 'example.org', 'example.org'), + // If there is a host uri use that + array('example.org', false, false, 'example.org'), + // 'best approach' guessing + array('', 'example.org', false, 'example.org'), + array('', false, '127.0.0.1', '127.0.0.1'), + array('', false, false, php_uname('n')), + ); + } + + /** @dataProvider extract_current_hostname_data */ + function test_extract_current_hostname($host, $server_name_config, $cookie_domain_config, $expected) + { + $output = $this->session_facade->extract_current_hostname( + $host, + $server_name_config, + $cookie_domain_config + ); + + $this->assertEquals($expected, $output); + } +} diff --git a/tests/session/extract_page_test.php b/tests/session/extract_page_test.php new file mode 100644 index 0000000000..4dbbbc9c59 --- /dev/null +++ b/tests/session/extract_page_test.php @@ -0,0 +1,115 @@ +<?php +/** + * + * @package testing + * @copyright (c) 2013 phpBB Group + * @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 + * + */ + +require_once dirname(__FILE__) . '/../test_framework/phpbb_session_test_case.php'; + +class phpbb_session_extract_page_test extends phpbb_session_test_case +{ + public function getDataSet() + { + return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/sessions_empty.xml'); + } + + static public function extract_current_page_data() + { + return array( + array( + './', + '/phpBB/index.php', + '', + '/phpBB/', + array( + 'page_name' => 'index.php', + 'page_dir' => '', + 'query_string' => '', + 'script_path' => '/phpBB/', + 'root_script_path' => '/phpBB/', + 'page' => 'index.php', + 'forum' => 0, + ), + ), + array( + './', + '/phpBB/ucp.php', + 'mode=login', + '/phpBB/ucp.php?mode=login', + array( + 'page_name' => 'ucp.php', + 'page_dir' => '', + 'query_string' => 'mode=login', + 'script_path' => '/phpBB/', + 'root_script_path' => '/phpBB/', + 'page' => 'ucp.php?mode=login', + 'forum' => 0, + ), + ), + array( + './', + '/phpBB/ucp.php', + 'mode=register', + '/phpBB/ucp.php?mode=register', + array( + 'page_name' => 'ucp.php', + 'page_dir' => '', + 'query_string' => 'mode=register', + 'script_path' => '/phpBB/', + 'root_script_path' => '/phpBB/', + 'page' => 'ucp.php?mode=register', + 'forum' => 0, + ), + ), + array( + './', + '/phpBB/ucp.php', + 'mode=register', + '/phpBB/ucp.php?mode=register', + array( + 'page_name' => 'ucp.php', + 'page_dir' => '', + 'query_string' => 'mode=register', + 'script_path' => '/phpBB/', + 'root_script_path' => '/phpBB/', + 'page' => 'ucp.php?mode=register', + 'forum' => 0, + ), + ), + array( + './../', + '/phpBB/adm/index.php', + 'sid=e7215d958cdd41a6fc13509bebe53e42', + '/phpBB/adm/index.php?sid=e7215d958cdd41a6fc13509bebe53e42', + array( + 'page_name' => 'index.php', + //'page_dir' => 'adm', + // ^-- Ignored because .. returns different directory in live vs testing + 'query_string' => '', + 'script_path' => '/phpBB/adm/', + 'root_script_path' => '/phpBB/', + //'page' => 'adm/index.php', + 'forum' => 0, + ), + ), + ); + } + + /** @dataProvider extract_current_page_data */ + function test_extract_current_page($root_path, $php_self, $query_string, $request_uri, $expected) + { + $output = $this->session_facade->extract_current_page( + $root_path, + $php_self, + $query_string, + $request_uri + ); + + // This compares the result of the output. + // Any keys that are not in the expected array are overwritten by the output (aka not checked). + $this->assert_array_content_equals(array_merge($output, $expected), $output); + } +} diff --git a/tests/session/fixtures/sessions_banlist.xml b/tests/session/fixtures/sessions_banlist.xml new file mode 100644 index 0000000000..9422fc0665 --- /dev/null +++ b/tests/session/fixtures/sessions_banlist.xml @@ -0,0 +1,66 @@ +<?xml version="1.0" encoding="UTF-8" ?> +<dataset> + <table name="phpbb_users"> + <column>user_id</column> + <column>username_clean</column> + <column>user_permissions</column> + <column>user_sig</column> + <column>user_occ</column> + <column>user_interests</column> + <row> + <value>1</value> + <value>anonymous</value> + <value></value> + <value></value> + <value></value> + <value></value> + </row> + </table> + <table name="phpbb_sessions"> + <column>session_id</column> + <column>session_user_id</column> + <column>session_ip</column> + <column>session_browser</column> + <column>session_admin</column> + <row> + <value>bar_session000000000000000000000</value> + <value>4</value> + <value>127.0.0.1</value> + <value>user agent</value> + <value>1</value> + </row> + </table> + <table name="phpbb_banlist"> + <column>ban_id</column> + <column>ban_userid</column> + <column>ban_ip</column> + <column>ban_email</column> + <column>ban_start</column> + <column>ban_end</column> + <column>ban_exclude</column> + <column>ban_reason</column> + <column>ban_give_reason</column> + <row> + <value>2</value> + <value>4</value> + <value>127.0.0.1</value> + <value>bar@example.org</value> + <value>1111</value> + <value>0</value> + <value>0</value> + <value>HAHAHA</value> + <value>1</value> + </row> + <row> + <value>3</value> + <value>0</value> + <value>127.1.1.1</value> + <value></value> + <value>1111</value> + <value>0</value> + <value>0</value> + <value>HAHAHA</value> + <value>1</value> + </row> + </table> +</dataset> diff --git a/tests/session/fixtures/sessions_garbage.xml b/tests/session/fixtures/sessions_garbage.xml new file mode 100644 index 0000000000..23c44a975b --- /dev/null +++ b/tests/session/fixtures/sessions_garbage.xml @@ -0,0 +1,58 @@ +<?xml version="1.0" encoding="UTF-8" ?> +<dataset> + <table name="phpbb_users"> + <column>user_id</column> + <column>username_clean</column> + <column>user_permissions</column> + <column>user_sig</column> + <column>user_occ</column> + <column>user_interests</column> + <row> + <value>4</value> + <value>bar</value> + <value></value> + <value></value> + <value></value> + <value></value> + </row> + </table> + <table name="phpbb_sessions"> + <column>session_id</column> + <column>session_user_id</column> + <column>session_ip</column> + <column>session_browser</column> + <column>session_admin</column> + <row> + <value>anon_session00000000000000000000</value> + <value>1</value> + <value>127.0.0.1</value> + <value>anonymous user agent</value> + <value>0</value> + </row> + <row> + <value>bar_session000000000000000000000</value> + <value>4</value> + <value>127.0.0.1</value> + <value>user agent</value> + <value>1</value> + </row> + </table> + <table name="phpbb_login_attempts"> + <column>attempt_ip</column> + <column>attempt_browser</column> + <column>attempt_forwarded_for</column> + <column>attempt_time</column> + <column>user_id</column> + <column>username</column> + <column>username_clean</column> + <row> + <value>127.0.0.1</value> + <value>browser</value> + <value></value> + <value>0001</value> + <value>4</value> + <value>bar</value> + <value>bar</value> + </row> + </table> +</dataset> diff --git a/tests/session/fixtures/sessions_key.xml b/tests/session/fixtures/sessions_key.xml new file mode 100644 index 0000000000..246d284557 --- /dev/null +++ b/tests/session/fixtures/sessions_key.xml @@ -0,0 +1,44 @@ +<?xml version="1.0" encoding="UTF-8" ?> +<dataset> + <table name="phpbb_sessions_keys"> + <column>key_id</column> + <column>user_id</column> + <column>last_ip</column> + <column>last_login</column> + <row> + <value>a87ff679a2f3e71d9181a67b7542122c</value> + <value>4</value> + <value>127.0.0.1</value> + <value>0</value> + </row> + </table> + <table name="phpbb_sessions"> + <column>session_id</column> + <column>session_user_id</column> + <column>session_ip</column> + <column>session_browser</column> + <row> + <value>bar_session000000000000000000000</value> + <value>4</value> + <value>127.0.0.1</value> + <value>user agent</value> + <value>1</value> + </row> + </table> + <table name="phpbb_users"> + <column>user_id</column> + <column>username_clean</column> + <column>user_permissions</column> + <column>user_sig</column> + <column>user_occ</column> + <column>user_interests</column> + <row> + <value>4</value> + <value>bar</value> + <value></value> + <value></value> + <value></value> + <value></value> + </row> + </table> +</dataset> diff --git a/tests/session/garbage_collection_test.php b/tests/session/garbage_collection_test.php new file mode 100644 index 0000000000..1b607dfb4f --- /dev/null +++ b/tests/session/garbage_collection_test.php @@ -0,0 +1,63 @@ +<?php +/** + * + * @package testing + * @copyright (c) 2013 phpBB Group + * @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 + * + */ + +require_once dirname(__FILE__) . '/../test_framework/phpbb_session_test_case.php'; + +class phpbb_session_garbage_collection_test extends phpbb_session_test_case +{ + public $session; + + public function getDataSet() + { + return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/sessions_garbage.xml'); + } + + public function setUp() + { + parent::setUp(); + $this->session = $this->session_factory->get_session($this->db); + } + + protected function assert_sessions_equal($expected, $msg) + { + $sql = 'SELECT session_id, session_user_id + FROM phpbb_sessions + ORDER BY session_user_id'; + + $this->assertSqlResultEquals($expected, $sql, $msg); + } + + public function test_cleanup_all() + { + $this->assert_sessions_equal( + array( + array + ( + 'session_id' => 'anon_session00000000000000000000', + 'session_user_id' => 1, + ), + array + ( + 'session_id' => 'bar_session000000000000000000000', + 'session_user_id' => 4, + )), + 'Before test, should have some sessions.' + ); + // Set session length so it clears all + global $config; + $config['session_length'] = 0; + // There is an error unless the captcha plugin is set + $config['captcha_plugin'] = 'phpbb_captcha_nogd'; + $this->session->session_gc(); + $this->assert_sessions_equal( + array(), + 'After setting session time to 0, should remove all.' + ); + } +} diff --git a/tests/session/session_key_test.php b/tests/session/session_key_test.php new file mode 100644 index 0000000000..6406742168 --- /dev/null +++ b/tests/session/session_key_test.php @@ -0,0 +1,51 @@ +<?php +/** + * + * @package testing + * @copyright (c) 2013 phpBB Group + * @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 + * + */ + +require_once dirname(__FILE__) . '/../test_framework/phpbb_session_test_case.php'; + +class phpbb_session_login_keys_test extends phpbb_session_test_case +{ + protected $user_id = 4; + protected $key_id = 4; + + public function getDataSet() + { + return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/sessions_key.xml'); + } + + public function test_set_key_manually() + { + // With AutoLogin setup + $this->session_factory->merge_config_data(array('allow_autologin' => true)); + $session = $this->session_factory->get_session($this->db); + // Using a user_id and key that is already in the database + $session->cookie_data['u'] = $this->user_id; + $session->cookie_data['k'] = $this->key_id; + // Try to access session + $session->session_create($this->user_id, false, $this->user_id); + + $this->assertEquals($this->user_id, $session->data['user_id'], "session should automatically login"); + } + + public function test_reset_keys() + { + // With AutoLogin setup + $this->session_factory->merge_config_data(array('allow_autologin' => true)); + $session = $this->session_factory->get_session($this->db); + // Reset of the keys for this user + $session->reset_login_keys($this->user_id); + // Using a user_id and key that was in the database (before reset) + $session->cookie_data['u'] = $this->user_id; + $session->cookie_data['k'] = $this->key_id; + // Try to access session + $session->session_create($this->user_id, false, $this->user_id); + + $this->assertNotEquals($this->user_id, $session->data['user_id'], "session should be cleared"); + } +} diff --git a/tests/session/testable_facade.php b/tests/session/testable_facade.php new file mode 100644 index 0000000000..1343b34a79 --- /dev/null +++ b/tests/session/testable_facade.php @@ -0,0 +1,142 @@ +<?php +/** + * + * @package testing + * @copyright (c) 2013 phpBB Group + * @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 + * + */ + +require_once dirname(__FILE__) . '/testable_factory.php'; +require_once dirname(__FILE__) . '/../../phpBB/includes/session.php'; + +/** + * This class exists to expose session.php's functions in a more testable way. + * + * Since many functions in session.php have global variables inside the function, + * this exposes those functions through a testable facade that uses + * testable_factory's mock global variables to modify global variables used in + * the functions. + * + * This is using the facade pattern to provide a testable "front" to the + * functions in sessions.php. + * + */ +class phpbb_session_testable_facade +{ + protected $db; + protected $session_factory; + + function __construct($db, $session_factory) + { + $this->db = $db; + $this->session_factory = $session_factory; + } + + function extract_current_page ( + $root_path, + $php_self, + $query_string, + $request_uri + ) + { + $this->session_factory->get_session($this->db); + global $request; + $request->overwrite('PHP_SELF', $php_self, phpbb_request_interface::SERVER); + $request->overwrite('QUERY_STRING', $query_string, phpbb_request_interface::SERVER); + $request->overwrite('REQUEST_URI', $request_uri, phpbb_request_interface::SERVER); + return phpbb_session::extract_current_page($root_path); + } + + function extract_current_hostname ( + $host, + $server_name_config, + $cookie_domain_config + ) + { + $session = $this->session_factory->get_session($this->db); + global $config, $request; + $config['server_name'] = $server_name_config; + $config['cookie_domain'] = $cookie_domain_config; + $request->overwrite('SERVER_NAME', $host, phpbb_request_interface::SERVER); + $request->overwrite('Host', $host, phpbb_request_interface::SERVER); + // Note: There is a php_uname function used as a fallthrough + // that this function doesn't override + return $session->extract_current_hostname(); + } + + /** + * + * This function has a lot of dependencies, so instead of naming them all, + * just ask for overrides + * + * @param update_session_page Boolean of whether to set page of the session + * @param config_overrides An array of overrides for the global config object + * @param request_overrides An array of overrides for the global request object + * @return boolean False if the user is identified, otherwise true. + */ + function session_begin ( + $update_session_page = true, + $config_overrides = array(), + $request_overrides = array(), + $cookies_overrides = array() + ) + { + $this->session_factory->merge_config_data($config_overrides); + $this->session_factory->merge_server_data($request_overrides); + $this->session_factory->set_cookies($cookies_overrides); + $session = $this->session_factory->get_session($this->db); + $session->session_begin($update_session_page); + return $session; + } + + function session_create ( + $user_id = false, + $set_admin = false, + $persist_login = false, + $viewonline = true, + array $config_overrides = array(), + $user_agent = 'user agent', + $ip_address = '127.0.0.1', + array $bot_overrides = array(), + $uri_sid = "" + ) + { + $this->session_factory->merge_config_data($config_overrides); + // Bots + $this->session_factory->merge_cache_data(array('_bots' => $bot_overrides)); + global $request; + $session = $this->session_factory->get_session($this->db); + $session->browser = $user_agent; + $session->ip = $ip_address; + // Uri sid + if ($uri_sid) + { + $_GET['sid'] = $uri_sid; + } + $session->session_create($user_id, $set_admin, $persist_login, $viewonline); + return $session; + } + + function validate_referer( + $check_script_path, + $referer, + $host, + $force_server_vars, + $server_port, + $server_name, + $root_script_path + ) + { + $session = $this->session_factory->get_session($this->db); + global $config, $request; + $session->referer = $referer; + $session->page['root_script_path'] = $root_script_path; + $session->host = $host; + $config['force_server_vars'] = $force_server_vars; + $config['server_name'] = $server_name; + $request->overwrite('SERVER_PORT', $server_port, phpbb_request_interface::SERVER); + return $session->validate_referer($check_script_path); + } +} + diff --git a/tests/session/testable_factory.php b/tests/session/testable_factory.php index 1e2b194ece..8733ce15ef 100644 --- a/tests/session/testable_factory.php +++ b/tests/session/testable_factory.php @@ -2,11 +2,14 @@ /** * * @package testing -* @copyright (c) 2011 phpBB Group +* @copyright (c) 2013 phpBB Group * @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 * */ +require_once dirname(__FILE__) . '/../mock/container_builder.php'; +require_once dirname(__FILE__) . '/../mock/auth_provider.php'; + /** * This class exists to setup an instance of phpbb's session class for testing. * @@ -16,6 +19,7 @@ */ class phpbb_session_testable_factory { + protected $container; protected $config_data; protected $cache_data; protected $cookies; @@ -65,7 +69,7 @@ class phpbb_session_testable_factory public function get_session(phpbb_db_driver $dbal) { // set up all the global variables used by session - global $SID, $_SID, $db, $config, $cache, $request; + global $SID, $_SID, $db, $config, $cache, $request, $phpbb_container; $request = $this->request = new phpbb_mock_request( array(), @@ -83,6 +87,12 @@ class phpbb_session_testable_factory $cache = $this->cache = new phpbb_mock_cache($this->get_cache_data()); $SID = $_SID = null; + $phpbb_container = $this->container = new phpbb_mock_container_builder(); + $phpbb_container->set( + 'auth.provider.db', + new phpbb_mock_auth_provider() + ); + $session = new phpbb_mock_session_testable; return $session; } @@ -165,6 +175,32 @@ class phpbb_session_testable_factory } /** + * Set cookies, merge config and server data in one step. + * + * New values overwrite old ones. + * + * @param $session_id + * @param $user_id + * @param $user_agent + * @param $ip + * @param int $time + */ + public function merge_test_data($session_id, $user_id, $user_agent, $ip, $time = 0) + { + $this->set_cookies(array( + '_sid' => $session_id, + '_u' => $user_id, + )); + $this->merge_config_data(array( + 'session_length' => time() + $time, // need to do this to allow sessions started at time 0 + )); + $this->merge_server_data(array( + 'HTTP_USER_AGENT' => $user_agent, + 'REMOTE_ADDR' => $ip, + )); + } + + /** * Retrieve all server variables to be passed to the session. * * @return array Server variables diff --git a/tests/session/unset_admin_test.php b/tests/session/unset_admin_test.php new file mode 100644 index 0000000000..bbb5eb1439 --- /dev/null +++ b/tests/session/unset_admin_test.php @@ -0,0 +1,48 @@ +<?php +/** + * + * @package testing + * @copyright (c) 2013 phpBB Group + * @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 + * + */ + +require_once dirname(__FILE__) . '/../test_framework/phpbb_session_test_case.php'; + +class phpbb_session_unset_admin_test extends phpbb_session_test_case +{ + public function getDataSet() + { + return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/sessions_full.xml'); + } + + function get_test_session() + { + return $this->session_facade->session_begin( + true, + // Config + array( + 'session_length' => time(), // need to do this to allow sessions started at time 0 + ), + // Server + array( + 'HTTP_USER_AGENT' => "user agent", + 'REMOTE_ADDR' => "127.0.0.1", + ), + // Cookies + array( + '_sid' => 'bar_session000000000000000000000', + '_u' => 4, + ) + ); + } + + public function test_unset_admin() + { + $session = $this->get_test_session(); + $this->assertEquals(1, $session->data['session_admin'], 'should be an admin before test starts'); + $session->unset_admin(); + $session = $this->get_test_session(); + $this->assertEquals(0, $session->data['session_admin'], 'should be not be an admin after unset_admin'); + } +} diff --git a/tests/session/validate_referrer_test.php b/tests/session/validate_referrer_test.php new file mode 100644 index 0000000000..b517b668ac --- /dev/null +++ b/tests/session/validate_referrer_test.php @@ -0,0 +1,69 @@ +<?php +/** + * + * @package testing + * @copyright (c) 2013 phpBB Group + * @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 + * + */ + +require_once dirname(__FILE__) . '/../test_framework/phpbb_session_test_case.php'; + +class phpbb_session_validate_referrer_test extends phpbb_session_test_case +{ + public function getDataSet() + { + return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/sessions_empty.xml'); + } + + static function referrer_inputs() { + $ex = "example.org"; + $alt = "example.com"; + return array( + // checkpath referrer host forcevars port servername rootpath pass? + // 0 Referrer or host wasn't collected, therefore should validate + array(false, '', $ex, false, 80, $ex, '', true), + array(false, $ex, '', false, 80, $ex, '', true), + // 2 Referrer doesn't match host or server_name + array(false, $alt, $ex, false, 80, $ex, '', false), + // 3 Everything should check out + array(false, $ex, $ex, false, 80, $ex, '', true), + // 4 Check Script Path + array(true, $ex, $ex, false, 80, $ex, '', true), + array(true, "$ex/foo", $ex, false, 80, $ex, "/foo", true), + array(true, "$ex/bar", $ex, false, 80, $ex, "/foo", false), + // 7 Port (This is not checked unless path is checked) + array(true, "$ex:80/foo", "$ex:80", false, 80, "$ex:80", "/foo", true), + array(true, "$ex:80/bar", "$ex:80", false, 80, "$ex:80", "/foo", false), + array(true, "$ex:79/foo", "$ex:81", false, 81, "$ex:81", "/foo", false), + ); + } + + /** @dataProvider referrer_inputs */ + function test_referrer_inputs ( + $check_script_path, + $referrer, + $host, + $force_server_vars, + $server_port, + $server_name, + $root_script_path, + $pass_or_fail + ) + { + // Referrer needs http:// because it's going to get stripped in function. + $referrer = $referrer ? 'http://' . $referrer : ''; + $this->assertEquals( + $pass_or_fail, + $this->session_facade->validate_referer( + $check_script_path, + $referrer, + $host, + $force_server_vars, + $server_port, + $server_name, + $root_script_path + ), + "referrer should" . ($pass_or_fail ? '' : "n't") . " be validated"); + } +} diff --git a/tests/test_framework/phpbb_session_test_case.php b/tests/test_framework/phpbb_session_test_case.php new file mode 100644 index 0000000000..6ff7d8e2ef --- /dev/null +++ b/tests/test_framework/phpbb_session_test_case.php @@ -0,0 +1,27 @@ +<?php +/** + * + * @package testing + * @copyright (c) 2013 phpBB Group + * @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 + * + */ + +require_once dirname(__FILE__) . '/../session/testable_factory.php'; +require_once dirname(__FILE__) . '/../session/testable_facade.php'; + +abstract class phpbb_session_test_case extends phpbb_database_test_case +{ + protected $session_factory; + protected $session_facade; + protected $db; + + function setUp() + { + parent::setUp(); + $this->session_factory = new phpbb_session_testable_factory; + $this->db = $this->new_dbal(); + $this->session_facade = + new phpbb_session_testable_facade($this->db, $this->session_factory); + } +} |