00db83d1bf
In this commit, there are couple of fixes based on the report: 1. Removed legacy polyfill from provider.php 2. Fixed phpunit warning detected by CodeChecker 3. Removed unused files 4. Fixed the PHPunit failures by removing "securityquestions" from the data_provider due to it has not been included as one of the factors 5. Added PHPunit test to the factors that can be unittested 6. Removed !important rule from tool_mfa/styles.css 7. Added (int) type to sleep method within sleep_timer method due to a php deprecation in too_mfa/classes/manager.php 8. Changed last param form bool to string in not_enough_factors() when initiating a new single_button object in tool_mfa/renderer.php 9. Add explanation text to login page 10. Fixed "Access to an undefined property .." from PHPStan 12. Fixed all the "Variable $.. might not be defined" from PHPStan 13. Fixed the issue from https://github.com/catalyst/moodle-tool_mfa/issues/379
266 lines
11 KiB
PHP
266 lines
11 KiB
PHP
<?php
|
|
// This file is part of Moodle - http://moodle.org/
|
|
//
|
|
// Moodle is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// Moodle is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU General Public License
|
|
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
namespace tool_mfa;
|
|
|
|
/**
|
|
* Tests for MFA secret manager class.
|
|
*
|
|
* @package tool_mfa
|
|
* @author Peter Burnett <peterburnett@catalyst-au.net>
|
|
* @copyright Catalyst IT
|
|
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
|
|
*/
|
|
class secret_manager_test extends \advanced_testcase {
|
|
|
|
/**
|
|
* Tests create factor's secret
|
|
*
|
|
* @covers ::create_secret
|
|
*/
|
|
public function test_create_secret() {
|
|
global $DB;
|
|
|
|
$this->resetAfterTest(true);
|
|
$this->setUser($this->getDataGenerator()->create_user());
|
|
|
|
// Test adding secret to DB.
|
|
$secman = new \tool_mfa\local\secret_manager('mock');
|
|
|
|
// Mutate the sessionid using reflection.
|
|
$reflectedsessionid = new \ReflectionProperty($secman, 'sessionid');
|
|
$reflectedsessionid->setAccessible(true);
|
|
$reflectedsessionid->setValue($secman, 'fakesession');
|
|
|
|
$sec1 = $secman->create_secret(1800, false);
|
|
$count1 = $DB->count_records('tool_mfa_secrets', ['factor' => 'mock']);
|
|
$record1 = $DB->get_record('tool_mfa_secrets', []);
|
|
$this->assertEquals(1, $count1);
|
|
$this->assertNotEquals('', $sec1);
|
|
$this->assertTrue(empty($record1->sessionid));
|
|
$sec2 = $secman->create_secret(1800, false);
|
|
$count2 = $DB->count_records('tool_mfa_secrets', ['factor' => 'mock']);
|
|
$this->assertEquals(1, $count2);
|
|
$this->assertEquals('', $sec2);
|
|
$DB->delete_records('tool_mfa_secrets', []);
|
|
|
|
// Now adding secret to session.
|
|
$sec1 = $secman->create_secret(1800, true);
|
|
$count1 = $DB->count_records('tool_mfa_secrets', ['factor' => 'mock']);
|
|
$record1 = $DB->get_record('tool_mfa_secrets', []);
|
|
$this->assertEquals(1, $count1);
|
|
$this->assertNotEquals('', $sec1);
|
|
$this->assertEquals('fakesession', $record1->sessionid);
|
|
$sec2 = $secman->create_secret(1800, true);
|
|
$this->assertEquals('', $sec2);
|
|
$DB->delete_records('tool_mfa_secrets', []);
|
|
|
|
// Now test adding a forced code.
|
|
$sec1 = $secman->create_secret(1800, false);
|
|
$count1 = $DB->count_records('tool_mfa_secrets', ['factor' => 'mock']);
|
|
$this->assertEquals(1, $count1);
|
|
$this->assertNotEquals('', $sec1);
|
|
$sec2 = $secman->create_secret(1800, false, 'code');
|
|
$count2 = $DB->count_records('tool_mfa_secrets', ['factor' => 'mock']);
|
|
$this->assertEquals(2, $count2);
|
|
$this->assertEquals('code', $sec2);
|
|
$DB->delete_records('tool_mfa_secrets', []);
|
|
}
|
|
|
|
/**
|
|
* Tests add factor's secret to database
|
|
*
|
|
* @covers ::get_record
|
|
* @covers ::delete_records
|
|
*/
|
|
public function test_add_secret_to_db() {
|
|
global $DB, $USER;
|
|
|
|
$this->resetAfterTest(true);
|
|
$secman = new \tool_mfa\local\secret_manager('mock');
|
|
$this->setUser($this->getDataGenerator()->create_user());
|
|
$sid = 'fakeid';
|
|
|
|
// Let's make stuff public using reflection.
|
|
$reflectedscanner = new \ReflectionClass($secman);
|
|
$reflectedmethod = $reflectedscanner->getMethod('add_secret_to_db');
|
|
$reflectedmethod->setAccessible(true);
|
|
|
|
// Now add a secret and confirm it creates the correct record.
|
|
$reflectedmethod->invoke($secman, 'code', 1800);
|
|
$record = $DB->get_record('tool_mfa_secrets', []);
|
|
$this->assertEquals('code', $record->secret);
|
|
$this->assertEquals($USER->id, $record->userid);
|
|
$this->assertEquals('mock', $record->factor);
|
|
$this->assertGreaterThanOrEqual(time(), (int) $record->expiry);
|
|
$this->assertEquals(0, $record->revoked);
|
|
$DB->delete_records('tool_mfa_secrets', []);
|
|
|
|
// Now add a sessionid and confirm it is added correctly.
|
|
$reflectedmethod->invoke($secman, 'code', 1800, $sid);
|
|
$record = $DB->get_record('tool_mfa_secrets', []);
|
|
$this->assertEquals('code', $record->secret);
|
|
$this->assertGreaterThanOrEqual(time(), (int) $record->expiry);
|
|
$this->assertEquals(0, $record->revoked);
|
|
$this->assertEquals($sid, $record->sessionid);
|
|
}
|
|
|
|
/**
|
|
* Tests validating factor's secret
|
|
*
|
|
* @covers ::validate_secret
|
|
* @covers ::create_secret
|
|
*/
|
|
public function test_validate_secret() {
|
|
global $DB;
|
|
|
|
// Test adding a code and getting it returned, then validated.
|
|
$this->resetAfterTest(true);
|
|
$this->setUser($this->getDataGenerator()->create_user());
|
|
$secman = new \tool_mfa\local\secret_manager('mock');
|
|
|
|
$secret = $secman->create_secret(1800, false);
|
|
$this->assertEquals(\tool_mfa\local\secret_manager::VALID, $secman->validate_secret($secret));
|
|
$DB->delete_records('tool_mfa_secrets', []);
|
|
|
|
// Test a manual forced code.
|
|
$secret = $secman->create_secret(1800, false, 'code');
|
|
$this->assertEquals(\tool_mfa\local\secret_manager::VALID, $secman->validate_secret($secret));
|
|
$this->assertEquals('code', $secret);
|
|
$DB->delete_records('tool_mfa_secrets', []);
|
|
|
|
// Test bad codes.
|
|
$secret = $secman->create_secret(1800, false);
|
|
$this->assertEquals(\tool_mfa\local\secret_manager::NONVALID, $secman->validate_secret('nonvalid'));
|
|
$DB->delete_records('tool_mfa_secrets', []);
|
|
|
|
// Test validate when no secrets present.
|
|
$this->assertEquals(\tool_mfa\local\secret_manager::NONVALID, $secman->validate_secret('nonvalid'));
|
|
|
|
// Test revoked secrets.
|
|
$secret = $secman->create_secret(1800, false);
|
|
$DB->set_field('tool_mfa_secrets', 'revoked', 1, []);
|
|
$this->assertEquals(\tool_mfa\local\secret_manager::REVOKED, $secman->validate_secret($secret));
|
|
$DB->delete_records('tool_mfa_secrets', []);
|
|
|
|
// Test expired secrets.
|
|
$secret = $secman->create_secret(-1, false);
|
|
$this->assertEquals(\tool_mfa\local\secret_manager::NONVALID, $secman->validate_secret($secret));
|
|
$DB->delete_records('tool_mfa_secrets', []);
|
|
|
|
// Session locked code from the same session id.
|
|
// Mutate the sessionid using reflection.
|
|
$reflectedsessionid = new \ReflectionProperty($secman, 'sessionid');
|
|
$reflectedsessionid->setAccessible(true);
|
|
$reflectedsessionid->setValue($secman, 'fakesession');
|
|
|
|
$secret = $secman->create_secret(1800, true);
|
|
$this->assertEquals(\tool_mfa\local\secret_manager::VALID, $secman->validate_secret($secret));
|
|
$DB->delete_records('tool_mfa_secrets', []);
|
|
|
|
// Now test a session locked code from a different sessionid.
|
|
$secret = $secman->create_secret(1800, true);
|
|
$reflectedsessionid->setValue($secman, 'diffsession');
|
|
$this->assertEquals(\tool_mfa\local\secret_manager::NONVALID, $secman->validate_secret($secret));
|
|
$DB->delete_records('tool_mfa_secrets', []);
|
|
}
|
|
|
|
/**
|
|
* Tests revoking factor's secret
|
|
*
|
|
* @covers ::validate_secret
|
|
* @covers ::create_secret
|
|
* @covers ::revoke_secret
|
|
*/
|
|
public function test_revoke_secret() {
|
|
global $DB, $SESSION;
|
|
|
|
$this->resetAfterTest(true);
|
|
$secman = new \tool_mfa\local\secret_manager('mock');
|
|
$this->setUser($this->getDataGenerator()->create_user());
|
|
|
|
// Session secrets.
|
|
$secret = $secman->create_secret(1800, true);
|
|
$secman->revoke_secret($secret);
|
|
$this->assertEquals(\tool_mfa\local\secret_manager::REVOKED, $secman->validate_secret($secret));
|
|
unset($SESSION->tool_mfa_secrets_mock);
|
|
|
|
// DB secrets.
|
|
$secret = $secman->create_secret(1800, false);
|
|
$secman->revoke_secret($secret);
|
|
$this->assertEquals(\tool_mfa\local\secret_manager::REVOKED, $secman->validate_secret($secret));
|
|
$DB->delete_records('tool_mfa_secrets', []);
|
|
|
|
// Revoke a non-valid secret.
|
|
$secret = $secman->create_secret(1800, false);
|
|
$secman->revoke_secret('nonvalid');
|
|
$this->assertEquals(\tool_mfa\local\secret_manager::NONVALID, $secman->validate_secret('nonvalid'));
|
|
}
|
|
|
|
/**
|
|
* Tests checking if factor has an active secret
|
|
*
|
|
* @covers ::create_secret
|
|
* @covers ::revoke_secret
|
|
*/
|
|
public function test_has_active_secret() {
|
|
global $DB;
|
|
|
|
$this->resetAfterTest(true);
|
|
$secman = new \tool_mfa\local\secret_manager('mock');
|
|
$this->setUser($this->getDataGenerator()->create_user());
|
|
|
|
// Let's make stuff public using reflection.
|
|
$reflectedscanner = new \ReflectionClass($secman);
|
|
|
|
$reflectedmethod = $reflectedscanner->getMethod('has_active_secret');
|
|
$reflectedmethod->setAccessible(true);
|
|
|
|
// DB secrets.
|
|
$this->assertFalse($reflectedmethod->invoke($secman));
|
|
$secman->create_secret(1800, false);
|
|
$this->assertTrue($reflectedmethod->invoke($secman));
|
|
$DB->delete_records('tool_mfa_secrets', []);
|
|
$secman->create_secret(-1, false);
|
|
$this->assertFalse($reflectedmethod->invoke($secman));
|
|
$DB->delete_records('tool_mfa_secrets', []);
|
|
$secret = $secman->create_secret(1800, false);
|
|
$secman->revoke_secret($secret);
|
|
$this->assertFalse($reflectedmethod->invoke($secman));
|
|
|
|
// Now check a secret with session involvement.
|
|
// Mutate the sessionid using reflection.
|
|
$reflectedsessionid = new \ReflectionProperty($secman, 'sessionid');
|
|
$reflectedsessionid->setAccessible(true);
|
|
$reflectedsessionid->setValue($secman, 'fakesession');
|
|
|
|
$this->assertFalse($reflectedmethod->invoke($secman, true));
|
|
$secman->create_secret(1800, true);
|
|
$this->assertTrue($reflectedmethod->invoke($secman, true));
|
|
$DB->delete_records('tool_mfa_secrets', []);
|
|
$secman->create_secret(-1, true);
|
|
$this->assertFalse($reflectedmethod->invoke($secman, true));
|
|
$DB->delete_records('tool_mfa_secrets', []);
|
|
$secret = $secman->create_secret(1800, true);
|
|
$secman->revoke_secret($secret);
|
|
$this->assertFalse($reflectedmethod->invoke($secman, true));
|
|
$DB->delete_records('tool_mfa_secrets', []);
|
|
$secret = $secman->create_secret(1800, true);
|
|
$reflectedsessionid->setValue($secman, 'diffsession');
|
|
$this->assertFalse($reflectedmethod->invoke($secman, true));
|
|
}
|
|
}
|