tests/phpunit/includes/password/UserPasswordPolicyTest.php

   1 <?php
   2 /**
   3  * Testing for password-policy enforcement, based on a user's groups.
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License as published by
   7  * the Free Software Foundation; either version 2 of the License, or
   8  * (at your option) any later version.
   9  *
  10  * This program is distributed in the hope that it will be useful,
  11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  13  * GNU General Public License for more details.
  14  *
  15  * You should have received a copy of the GNU General Public License along
  16  * with this program; if not, write to the Free Software Foundation, Inc.,
  17  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
  18  * http://www.gnu.org/copyleft/gpl.html
  19  *
  20  * @file
  21  */
  22
  23 class UserPasswordPolicyTest extends MediaWikiTestCase {
  24
  25         protected $policies = [
  26                 'checkuser' => [
  27                         'MinimalPasswordLength' => 10,
  28                         'MinimumPasswordLengthToLogin' => 6,
  29                         'PasswordCannotMatchUsername' => true,
  30                 ],
  31                 'sysop' => [
  32                         'MinimalPasswordLength' => 8,
  33                         'MinimumPasswordLengthToLogin' => 1,
  34                         'PasswordCannotMatchUsername' => true,
  35                 ],
  36                 'default' => [
  37                         'MinimalPasswordLength' => 4,
  38                         'MinimumPasswordLengthToLogin' => 1,
  39                         'PasswordCannotMatchBlacklist' => true,
  40                         'MaximalPasswordLength' => 4096,
  41                 ],
  42         ];
  43
  44         protected $checks = [
  45                 'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
  46                 'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
  47                 'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
  48                 'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
  49                 'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
  50         ];
  51
  52         private function getUserPasswordPolicy() {
  53                 return new UserPasswordPolicy( $this->policies, $this->checks );
  54         }
  55
  56         /**
  57          * @covers UserPasswordPolicy::getPoliciesForUser
  58          */
  59         public function testGetPoliciesForUser() {
  60
  61                 $upp = $this->getUserPasswordPolicy();
  62
  63                 $user = User::newFromName( 'TestUserPolicy' );
  64                 $user->addGroup( 'sysop' );
  65
  66                 $this->assertArrayEquals(
  67                         [
  68                                 'MinimalPasswordLength' => 8,
  69                                 'MinimumPasswordLengthToLogin' => 1,
  70                                 'PasswordCannotMatchUsername' => 1,
  71                                 'PasswordCannotMatchBlacklist' => true,
  72                                 'MaximalPasswordLength' => 4096,
  73                         ],
  74                         $upp->getPoliciesForUser( $user )
  75                 );
  76         }
  77
  78         /**
  79          * @covers UserPasswordPolicy::getPoliciesForGroups
  80          */
  81         public function testGetPoliciesForGroups() {
  82                 $effective = UserPasswordPolicy::getPoliciesForGroups(
  83                         $this->policies,
  84                         [ 'user', 'checkuser' ],
  85                         $this->policies['default']
  86                 );
  87
  88                 $this->assertArrayEquals(
  89                         [
  90                                 'MinimalPasswordLength' => 10,
  91                                 'MinimumPasswordLengthToLogin' => 6,
  92                                 'PasswordCannotMatchUsername' => true,
  93                                 'PasswordCannotMatchBlacklist' => true,
  94                                 'MaximalPasswordLength' => 4096,
  95                         ],
  96                         $effective
  97                 );
  98         }
  99
 100         /**
 101          * @dataProvider provideCheckUserPassword
 102          * @covers UserPasswordPolicy::checkUserPassword
 103          */
 104         public function testCheckUserPassword( $username, $groups, $password, $valid, $ok, $msg ) {
 105
 106                 $upp = $this->getUserPasswordPolicy();
 107
 108                 $user = User::newFromName( $username );
 109                 foreach ( $groups as $group ) {
 110                         $user->addGroup( $group );
 111                 }
 112
 113                 $status = $upp->checkUserPassword( $user, $password );
 114                 $this->assertSame( $valid, $status->isGood(), $msg . ' - password valid' );
 115                 $this->assertSame( $ok, $status->isOK(), $msg . ' - can login' );
 116         }
 117
 118         public function provideCheckUserPassword() {
 119                 return [
 120                         [
 121                                 'PassPolicyUser',
 122                                 [],
 123                                 '',
 124                                 false,
 125                                 false,
 126                                 'No groups, default policy, password too short to login'
 127                         ],
 128                         [
 129                                 'PassPolicyUser',
 130                                 [ 'user' ],
 131                                 'aaa',
 132                                 false,
 133                                 true,
 134                                 'Default policy, short password'
 135                         ],
 136                         [
 137                                 'PassPolicyUser',
 138                                 [ 'sysop' ],
 139                                 'abcdabcdabcd',
 140                                 true,
 141                                 true,
 142                                 'Sysop with good password'
 143                         ],
 144                         [
 145                                 'PassPolicyUser',
 146                                 [ 'sysop' ],
 147                                 'abcd',
 148                                 false,
 149                                 true,
 150                                 'Sysop with short password'
 151                         ],
 152                         [
 153                                 'PassPolicyUser',
 154                                 [ 'sysop', 'checkuser' ],
 155                                 'abcdabcd',
 156                                 false,
 157                                 true,
 158                                 'Checkuser with short password'
 159                         ],
 160                         [
 161                                 'PassPolicyUser',
 162                                 [ 'sysop', 'checkuser' ],
 163                                 'abcd',
 164                                 false,
 165                                 false,
 166                                 'Checkuser with too short password to login'
 167                         ],
 168                         [
 169                                 'Useruser',
 170                                 [ 'user' ],
 171                                 'Passpass',
 172                                 false,
 173                                 true,
 174                                 'Username & password on blacklist'
 175                         ],
 176                 ];
 177         }
 178
 179         /**
 180          * @dataProvider provideMaxOfPolicies
 181          * @covers UserPasswordPolicy::maxOfPolicies
 182          */
 183         public function testMaxOfPolicies( $p1, $p2, $max, $msg ) {
 184                 $this->assertArrayEquals(
 185                         $max,
 186                         UserPasswordPolicy::maxOfPolicies( $p1, $p2 ),
 187                         $msg
 188                 );
 189         }
 190
 191         public function provideMaxOfPolicies() {
 192                 return [
 193                         [
 194                                 [ 'MinimalPasswordLength' => 8 ], // p1
 195                                 [ 'MinimalPasswordLength' => 2 ], // p2
 196                                 [ 'MinimalPasswordLength' => 8 ], // max
 197                                 'Basic max in p1'
 198                         ],
 199                         [
 200                                 [ 'MinimalPasswordLength' => 2 ], // p1
 201                                 [ 'MinimalPasswordLength' => 8 ], // p2
 202                                 [ 'MinimalPasswordLength' => 8 ], // max
 203                                 'Basic max in p2'
 204                         ],
 205                         [
 206                                 [ 'MinimalPasswordLength' => 8 ], // p1
 207                                 [
 208                                         'MinimalPasswordLength' => 2,
 209                                         'PasswordCannotMatchUsername' => 1,
 210                                 ], // p2
 211                                 [
 212                                         'MinimalPasswordLength' => 8,
 213                                         'PasswordCannotMatchUsername' => 1,
 214                                 ], // max
 215                                 'Missing items in p1'
 216                         ],
 217                         [
 218                                 [
 219                                         'MinimalPasswordLength' => 8,
 220                                         'PasswordCannotMatchUsername' => 1,
 221                                 ], // p1
 222                                 [
 223                                         'MinimalPasswordLength' => 2,
 224                                 ], // p2
 225                                 [
 226                                         'MinimalPasswordLength' => 8,
 227                                         'PasswordCannotMatchUsername' => 1,
 228                                 ], // max
 229                                 'Missing items in p2'
 230                         ],
 231                 ];
 232         }
 233
 234 }