tests/phpunit/includes/password/UserPasswordPolicyTest.php

   1 <?php
   2 /**
   3  * Testing for password-policy enforcement, based on a user's groups.
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License as published by
   7  * the Free Software Foundation; either version 2 of the License, or
   8  * (at your option) any later version.
   9  *
  10  * This program is distributed in the hope that it will be useful,
  11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  13  * GNU General Public License for more details.
  14  *
  15  * You should have received a copy of the GNU General Public License along
  16  * with this program; if not, write to the Free Software Foundation, Inc.,
  17  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
  18  * http://www.gnu.org/copyleft/gpl.html
  19  *
  20  * @file
  21  */
  22
  23 class UserPasswordPolicyTest extends MediaWikiTestCase {
  24
  25         protected $policies = [
  26                 'checkuser' => [
  27                         'MinimalPasswordLength' => 10,
  28                         'MinimumPasswordLengthToLogin' => 6,
  29                         'PasswordCannotMatchUsername' => true,
  30                 ],
  31                 'sysop' => [
  32                         'MinimalPasswordLength' => 8,
  33                         'MinimumPasswordLengthToLogin' => 1,
  34                         'PasswordCannotMatchUsername' => true,
  35                 ],
  36                 'default' => [
  37                         'MinimalPasswordLength' => 4,
  38                         'MinimumPasswordLengthToLogin' => 1,
  39                         'PasswordCannotMatchBlacklist' => true,
  40                         'MaximalPasswordLength' => 4096,
  41                 ],
  42         ];
  43
  44         protected $checks = [
  45                 'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
  46                 'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
  47                 'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
  48                 'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
  49                 'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
  50         ];
  51
  52         private function getUserPasswordPolicy() {
  53                 return new UserPasswordPolicy( $this->policies, $this->checks );
  54         }
  55
  56         /**
  57          * @covers UserPasswordPolicy::getPoliciesForUser
  58          */
  59         public function testGetPoliciesForUser() {
  60
  61                 $upp = $this->getUserPasswordPolicy();
  62
  63                 $user = User::newFromName( 'TestUserPolicy' );
  64                 $user->addToDatabase();
  65                 $user->addGroup( 'sysop' );
  66
  67                 $this->assertArrayEquals(
  68                         [
  69                                 'MinimalPasswordLength' => 8,
  70                                 'MinimumPasswordLengthToLogin' => 1,
  71                                 'PasswordCannotMatchUsername' => 1,
  72                                 'PasswordCannotMatchBlacklist' => true,
  73                                 'MaximalPasswordLength' => 4096,
  74                         ],
  75                         $upp->getPoliciesForUser( $user )
  76                 );
  77         }
  78
  79         /**
  80          * @covers UserPasswordPolicy::getPoliciesForGroups
  81          */
  82         public function testGetPoliciesForGroups() {
  83                 $effective = UserPasswordPolicy::getPoliciesForGroups(
  84                         $this->policies,
  85                         [ 'user', 'checkuser' ],
  86                         $this->policies['default']
  87                 );
  88
  89                 $this->assertArrayEquals(
  90                         [
  91                                 'MinimalPasswordLength' => 10,
  92                                 'MinimumPasswordLengthToLogin' => 6,
  93                                 'PasswordCannotMatchUsername' => true,
  94                                 'PasswordCannotMatchBlacklist' => true,
  95                                 'MaximalPasswordLength' => 4096,
  96                         ],
  97                         $effective
  98                 );
  99         }
 100
 101         /**
 102          * @dataProvider provideCheckUserPassword
 103          * @covers UserPasswordPolicy::checkUserPassword
 104          */
 105         public function testCheckUserPassword( $username, $groups, $password, $valid, $ok, $msg ) {
 106
 107                 $upp = $this->getUserPasswordPolicy();
 108
 109                 $user = User::newFromName( $username );
 110                 $user->addToDatabase();
 111                 foreach ( $groups as $group ) {
 112                         $user->addGroup( $group );
 113                 }
 114
 115                 $status = $upp->checkUserPassword( $user, $password );
 116                 $this->assertSame( $valid, $status->isGood(), $msg . ' - password valid' );
 117                 $this->assertSame( $ok, $status->isOK(), $msg . ' - can login' );
 118         }
 119
 120         public function provideCheckUserPassword() {
 121                 return [
 122                         [
 123                                 'PassPolicyUser',
 124                                 [],
 125                                 '',
 126                                 false,
 127                                 false,
 128                                 'No groups, default policy, password too short to login'
 129                         ],
 130                         [
 131                                 'PassPolicyUser',
 132                                 [ 'user' ],
 133                                 'aaa',
 134                                 false,
 135                                 true,
 136                                 'Default policy, short password'
 137                         ],
 138                         [
 139                                 'PassPolicyUser',
 140                                 [ 'sysop' ],
 141                                 'abcdabcdabcd',
 142                                 true,
 143                                 true,
 144                                 'Sysop with good password'
 145                         ],
 146                         [
 147                                 'PassPolicyUser',
 148                                 [ 'sysop' ],
 149                                 'abcd',
 150                                 false,
 151                                 true,
 152                                 'Sysop with short password'
 153                         ],
 154                         [
 155                                 'PassPolicyUser',
 156                                 [ 'sysop', 'checkuser' ],
 157                                 'abcdabcd',
 158                                 false,
 159                                 true,
 160                                 'Checkuser with short password'
 161                         ],
 162                         [
 163                                 'PassPolicyUser',
 164                                 [ 'sysop', 'checkuser' ],
 165                                 'abcd',
 166                                 false,
 167                                 false,
 168                                 'Checkuser with too short password to login'
 169                         ],
 170                         [
 171                                 'Useruser',
 172                                 [ 'user' ],
 173                                 'Passpass',
 174                                 false,
 175                                 true,
 176                                 'Username & password on blacklist'
 177                         ],
 178                 ];
 179         }
 180
 181         /**
 182          * @dataProvider provideMaxOfPolicies
 183          * @covers UserPasswordPolicy::maxOfPolicies
 184          */
 185         public function testMaxOfPolicies( $p1, $p2, $max, $msg ) {
 186                 $this->assertArrayEquals(
 187                         $max,
 188                         UserPasswordPolicy::maxOfPolicies( $p1, $p2 ),
 189                         $msg
 190                 );
 191         }
 192
 193         public function provideMaxOfPolicies() {
 194                 return [
 195                         [
 196                                 [ 'MinimalPasswordLength' => 8 ], // p1
 197                                 [ 'MinimalPasswordLength' => 2 ], // p2
 198                                 [ 'MinimalPasswordLength' => 8 ], // max
 199                                 'Basic max in p1'
 200                         ],
 201                         [
 202                                 [ 'MinimalPasswordLength' => 2 ], // p1
 203                                 [ 'MinimalPasswordLength' => 8 ], // p2
 204                                 [ 'MinimalPasswordLength' => 8 ], // max
 205                                 'Basic max in p2'
 206                         ],
 207                         [
 208                                 [ 'MinimalPasswordLength' => 8 ], // p1
 209                                 [
 210                                         'MinimalPasswordLength' => 2,
 211                                         'PasswordCannotMatchUsername' => 1,
 212                                 ], // p2
 213                                 [
 214                                         'MinimalPasswordLength' => 8,
 215                                         'PasswordCannotMatchUsername' => 1,
 216                                 ], // max
 217                                 'Missing items in p1'
 218                         ],
 219                         [
 220                                 [
 221                                         'MinimalPasswordLength' => 8,
 222                                         'PasswordCannotMatchUsername' => 1,
 223                                 ], // p1
 224                                 [
 225                                         'MinimalPasswordLength' => 2,
 226                                 ], // p2
 227                                 [
 228                                         'MinimalPasswordLength' => 8,
 229                                         'PasswordCannotMatchUsername' => 1,
 230                                 ], // max
 231                                 'Missing items in p2'
 232                         ],
 233                 ];
 234         }
 235
 236 }