tests/phpunit/includes/password/UserPasswordPolicyTest.php

   1 <?php
   2 /**
   3  * Testing for password-policy enforcement, based on a user's groups.
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License as published by
   7  * the Free Software Foundation; either version 2 of the License, or
   8  * (at your option) any later version.
   9  *
  10  * This program is distributed in the hope that it will be useful,
  11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  13  * GNU General Public License for more details.
  14  *
  15  * You should have received a copy of the GNU General Public License along
  16  * with this program; if not, write to the Free Software Foundation, Inc.,
  17  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
  18  * http://www.gnu.org/copyleft/gpl.html
  19  *
  20  * @file
  21  */
  22
  23 /**
  24  * @group Database
  25  */
  26 class UserPasswordPolicyTest extends MediaWikiTestCase {
  27
  28         protected $policies = [
  29                 'checkuser' => [
  30                         'MinimalPasswordLength' => 10,
  31                         'MinimumPasswordLengthToLogin' => 6,
  32                         'PasswordCannotMatchUsername' => true,
  33                 ],
  34                 'sysop' => [
  35                         'MinimalPasswordLength' => 8,
  36                         'MinimumPasswordLengthToLogin' => 1,
  37                         'PasswordCannotMatchUsername' => true,
  38                 ],
  39                 'default' => [
  40                         'MinimalPasswordLength' => 4,
  41                         'MinimumPasswordLengthToLogin' => 1,
  42                         'PasswordCannotMatchBlacklist' => true,
  43                         'MaximalPasswordLength' => 4096,
  44                 ],
  45         ];
  46
  47         protected $checks = [
  48                 'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
  49                 'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
  50                 'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
  51                 'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
  52                 'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
  53         ];
  54
  55         private function getUserPasswordPolicy() {
  56                 return new UserPasswordPolicy( $this->policies, $this->checks );
  57         }
  58
  59         /**
  60          * @covers UserPasswordPolicy::getPoliciesForUser
  61          */
  62         public function testGetPoliciesForUser() {
  63
  64                 $upp = $this->getUserPasswordPolicy();
  65
  66                 $user = User::newFromName( 'TestUserPolicy' );
  67                 $user->addToDatabase();
  68                 $user->addGroup( 'sysop' );
  69
  70                 $this->assertArrayEquals(
  71                         [
  72                                 'MinimalPasswordLength' => 8,
  73                                 'MinimumPasswordLengthToLogin' => 1,
  74                                 'PasswordCannotMatchUsername' => 1,
  75                                 'PasswordCannotMatchBlacklist' => true,
  76                                 'MaximalPasswordLength' => 4096,
  77                         ],
  78                         $upp->getPoliciesForUser( $user )
  79                 );
  80         }
  81
  82         /**
  83          * @covers UserPasswordPolicy::getPoliciesForGroups
  84          */
  85         public function testGetPoliciesForGroups() {
  86                 $effective = UserPasswordPolicy::getPoliciesForGroups(
  87                         $this->policies,
  88                         [ 'user', 'checkuser' ],
  89                         $this->policies['default']
  90                 );
  91
  92                 $this->assertArrayEquals(
  93                         [
  94                                 'MinimalPasswordLength' => 10,
  95                                 'MinimumPasswordLengthToLogin' => 6,
  96                                 'PasswordCannotMatchUsername' => true,
  97                                 'PasswordCannotMatchBlacklist' => true,
  98                                 'MaximalPasswordLength' => 4096,
  99                         ],
 100                         $effective
 101                 );
 102         }
 103
 104         /**
 105          * @dataProvider provideCheckUserPassword
 106          * @covers UserPasswordPolicy::checkUserPassword
 107          */
 108         public function testCheckUserPassword( $username, $groups, $password, $valid, $ok, $msg ) {
 109
 110                 $upp = $this->getUserPasswordPolicy();
 111
 112                 $user = User::newFromName( $username );
 113                 $user->addToDatabase();
 114                 foreach ( $groups as $group ) {
 115                         $user->addGroup( $group );
 116                 }
 117
 118                 $status = $upp->checkUserPassword( $user, $password );
 119                 $this->assertSame( $valid, $status->isGood(), $msg . ' - password valid' );
 120                 $this->assertSame( $ok, $status->isOK(), $msg . ' - can login' );
 121         }
 122
 123         public function provideCheckUserPassword() {
 124                 return [
 125                         [
 126                                 'PassPolicyUser',
 127                                 [],
 128                                 '',
 129                                 false,
 130                                 false,
 131                                 'No groups, default policy, password too short to login'
 132                         ],
 133                         [
 134                                 'PassPolicyUser',
 135                                 [ 'user' ],
 136                                 'aaa',
 137                                 false,
 138                                 true,
 139                                 'Default policy, short password'
 140                         ],
 141                         [
 142                                 'PassPolicyUser',
 143                                 [ 'sysop' ],
 144                                 'abcdabcdabcd',
 145                                 true,
 146                                 true,
 147                                 'Sysop with good password'
 148                         ],
 149                         [
 150                                 'PassPolicyUser',
 151                                 [ 'sysop' ],
 152                                 'abcd',
 153                                 false,
 154                                 true,
 155                                 'Sysop with short password'
 156                         ],
 157                         [
 158                                 'PassPolicyUser',
 159                                 [ 'sysop', 'checkuser' ],
 160                                 'abcdabcd',
 161                                 false,
 162                                 true,
 163                                 'Checkuser with short password'
 164                         ],
 165                         [
 166                                 'PassPolicyUser',
 167                                 [ 'sysop', 'checkuser' ],
 168                                 'abcd',
 169                                 false,
 170                                 false,
 171                                 'Checkuser with too short password to login'
 172                         ],
 173                         [
 174                                 'Useruser',
 175                                 [ 'user' ],
 176                                 'Passpass',
 177                                 false,
 178                                 true,
 179                                 'Username & password on blacklist'
 180                         ],
 181                 ];
 182         }
 183
 184         /**
 185          * @dataProvider provideMaxOfPolicies
 186          * @covers UserPasswordPolicy::maxOfPolicies
 187          */
 188         public function testMaxOfPolicies( $p1, $p2, $max, $msg ) {
 189                 $this->assertArrayEquals(
 190                         $max,
 191                         UserPasswordPolicy::maxOfPolicies( $p1, $p2 ),
 192                         $msg
 193                 );
 194         }
 195
 196         public function provideMaxOfPolicies() {
 197                 return [
 198                         [
 199                                 [ 'MinimalPasswordLength' => 8 ], // p1
 200                                 [ 'MinimalPasswordLength' => 2 ], // p2
 201                                 [ 'MinimalPasswordLength' => 8 ], // max
 202                                 'Basic max in p1'
 203                         ],
 204                         [
 205                                 [ 'MinimalPasswordLength' => 2 ], // p1
 206                                 [ 'MinimalPasswordLength' => 8 ], // p2
 207                                 [ 'MinimalPasswordLength' => 8 ], // max
 208                                 'Basic max in p2'
 209                         ],
 210                         [
 211                                 [ 'MinimalPasswordLength' => 8 ], // p1
 212                                 [
 213                                         'MinimalPasswordLength' => 2,
 214                                         'PasswordCannotMatchUsername' => 1,
 215                                 ], // p2
 216                                 [
 217                                         'MinimalPasswordLength' => 8,
 218                                         'PasswordCannotMatchUsername' => 1,
 219                                 ], // max
 220                                 'Missing items in p1'
 221                         ],
 222                         [
 223                                 [
 224                                         'MinimalPasswordLength' => 8,
 225                                         'PasswordCannotMatchUsername' => 1,
 226                                 ], // p1
 227                                 [
 228                                         'MinimalPasswordLength' => 2,
 229                                 ], // p2
 230                                 [
 231                                         'MinimalPasswordLength' => 8,
 232                                         'PasswordCannotMatchUsername' => 1,
 233                                 ], // max
 234                                 'Missing items in p2'
 235                         ],
 236                 ];
 237         }
 238
 239 }