typo3/sysext/saltedpasswords/Tests/Unit/Salt/Md5SaltTest.php

   1 <?php
   2 namespace TYPO3\CMS\Saltedpasswords\Tests\Unit\Salt;
   3
   4 /*
   5  * This file is part of the TYPO3 CMS project.
   6  *
   7  * It is free software; you can redistribute it and/or modify it under
   8  * the terms of the GNU General Public License, either version 2
   9  * of the License, or any later version.
  10  *
  11  * For the full copyright and license information, please read the
  12  * LICENSE.txt file that was distributed with this source code.
  13  *
  14  * The TYPO3 project - inspiring people to share!
  15  */
  16
  17 use TYPO3\CMS\Core\Crypto\Random;
  18 use TYPO3\CMS\Core\Utility\GeneralUtility;
  19
  20 /**
  21  * Testcases for Md5Salt
  22  */
  23 class Md5SaltTest extends \TYPO3\CMS\Core\Tests\UnitTestCase
  24 {
  25     /**
  26      * Keeps instance of object to test.
  27      *
  28      * @var \TYPO3\CMS\Saltedpasswords\Salt\Md5Salt
  29      */
  30     protected $objectInstance = null;
  31
  32     /**
  33      * Sets up the fixtures for this testcase.
  34      *
  35      * @return void
  36      */
  37     protected function setUp()
  38     {
  39         $this->objectInstance = $this->getMockBuilder(\TYPO3\CMS\Saltedpasswords\Salt\Md5Salt::class)
  40             ->setMethods(array('dummy'))
  41             ->getMock();
  42     }
  43
  44     /**
  45      * Prepares a message to be shown when a salted hashing is not supported.
  46      *
  47      * @return string Empty string if salted hashing method is available, otherwise an according warning
  48      */
  49     protected function getWarningWhenMethodUnavailable()
  50     {
  51         $warningMsg = '';
  52         if (!CRYPT_MD5) {
  53             $warningMsg = 'MD5 is not supported on your platform. ' . 'Then, some of the md5 tests will fail.';
  54         }
  55         return $warningMsg;
  56     }
  57
  58     /**
  59      * @test
  60      */
  61     public function hasCorrectBaseClass()
  62     {
  63         $hasCorrectBaseClass = get_class($this->objectInstance) === \TYPO3\CMS\Saltedpasswords\Salt\Md5Salt::class;
  64         // XCLASS ?
  65         if (!$hasCorrectBaseClass && false != get_parent_class($this->objectInstance)) {
  66             $hasCorrectBaseClass = is_subclass_of($this->objectInstance, \TYPO3\CMS\Saltedpasswords\Salt\Md5Salt::class);
  67         }
  68         $this->assertTrue($hasCorrectBaseClass);
  69     }
  70
  71     /**
  72      * @test
  73      */
  74     public function nonZeroSaltLength()
  75     {
  76         $this->assertTrue($this->objectInstance->getSaltLength() > 0);
  77     }
  78
  79     /**
  80      * @test
  81      */
  82     public function emptyPasswordResultsInNullSaltedPassword()
  83     {
  84         $password = '';
  85         $this->assertNull($this->objectInstance->getHashedPassword($password));
  86     }
  87
  88     /**
  89      * @test
  90      */
  91     public function nonEmptyPasswordResultsInNonNullSaltedPassword()
  92     {
  93         $password = 'a';
  94         $this->assertNotNull($this->objectInstance->getHashedPassword($password), $this->getWarningWhenMethodUnavailable());
  95     }
  96
  97     /**
  98      * @test
  99      */
 100     public function createdSaltedHashOfProperStructure()
 101     {
 102         $password = 'password';
 103         $saltedHashPassword = $this->objectInstance->getHashedPassword($password);
 104         $this->assertTrue($this->objectInstance->isValidSaltedPW($saltedHashPassword), $this->getWarningWhenMethodUnavailable());
 105     }
 106
 107     /**
 108      * @test
 109      */
 110     public function createdSaltedHashOfProperStructureForCustomSaltWithoutSetting()
 111     {
 112         $password = 'password';
 113         // custom salt without setting
 114         $randomBytes = GeneralUtility::makeInstance(Random::class)->generateRandomBytes($this->objectInstance->getSaltLength());
 115         $salt = $this->objectInstance->base64Encode($randomBytes, $this->objectInstance->getSaltLength());
 116         $this->assertTrue($this->objectInstance->isValidSalt($salt), $this->getWarningWhenMethodUnavailable());
 117         $saltedHashPassword = $this->objectInstance->getHashedPassword($password, $salt);
 118         $this->assertTrue($this->objectInstance->isValidSaltedPW($saltedHashPassword), $this->getWarningWhenMethodUnavailable());
 119     }
 120
 121     /**
 122      * Tests authentication procedure with alphabet characters.
 123      *
 124      * Checks if a "plain-text password" is every time mapped to the
 125      * same "salted password hash" when using the same salt.
 126      *
 127      * @test
 128      */
 129     public function authenticationWithValidAlphaCharClassPassword()
 130     {
 131         $password = 'aEjOtY';
 132         $saltedHashPassword = $this->objectInstance->getHashedPassword($password);
 133         $this->assertTrue($this->objectInstance->checkPassword($password, $saltedHashPassword), $this->getWarningWhenMethodUnavailable());
 134     }
 135
 136     /**
 137      * Tests authentication procedure with numeric characters.
 138      *
 139      * Checks if a "plain-text password" is every time mapped to the
 140      * same "salted password hash" when using the same salt.
 141      *
 142      * @test
 143      */
 144     public function authenticationWithValidNumericCharClassPassword()
 145     {
 146         $password = '01369';
 147         $saltedHashPassword = $this->objectInstance->getHashedPassword($password);
 148         $this->assertTrue($this->objectInstance->checkPassword($password, $saltedHashPassword), $this->getWarningWhenMethodUnavailable());
 149     }
 150
 151     /**
 152      * Tests authentication procedure with US-ASCII special characters.
 153      *
 154      * Checks if a "plain-text password" is every time mapped to the
 155      * same "salted password hash" when using the same salt.
 156      *
 157      * @test
 158      */
 159     public function authenticationWithValidAsciiSpecialCharClassPassword()
 160     {
 161         $password = ' !"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~';
 162         $saltedHashPassword = $this->objectInstance->getHashedPassword($password);
 163         $this->assertTrue($this->objectInstance->checkPassword($password, $saltedHashPassword), $this->getWarningWhenMethodUnavailable());
 164     }
 165
 166     /**
 167      * Tests authentication procedure with latin1 special characters.
 168      *
 169      * Checks if a "plain-text password" is every time mapped to the
 170      * same "salted password hash" when using the same salt.
 171      *
 172      * @test
 173      */
 174     public function authenticationWithValidLatin1SpecialCharClassPassword()
 175     {
 176         $password = '';
 177         for ($i = 160; $i <= 191; $i++) {
 178             $password .= chr($i);
 179         }
 180         $password .= chr(215) . chr(247);
 181         $saltedHashPassword = $this->objectInstance->getHashedPassword($password);
 182         $this->assertTrue($this->objectInstance->checkPassword($password, $saltedHashPassword), $this->getWarningWhenMethodUnavailable());
 183     }
 184
 185     /**
 186      * Tests authentication procedure with latin1 umlauts.
 187      *
 188      * Checks if a "plain-text password" is every time mapped to the
 189      * same "salted password hash" when using the same salt.
 190      *
 191      * @test
 192      */
 193     public function authenticationWithValidLatin1UmlautCharClassPassword()
 194     {
 195         $password = '';
 196         for ($i = 192; $i <= 214; $i++) {
 197             $password .= chr($i);
 198         }
 199         for ($i = 216; $i <= 246; $i++) {
 200             $password .= chr($i);
 201         }
 202         for ($i = 248; $i <= 255; $i++) {
 203             $password .= chr($i);
 204         }
 205         $saltedHashPassword = $this->objectInstance->getHashedPassword($password);
 206         $this->assertTrue($this->objectInstance->checkPassword($password, $saltedHashPassword), $this->getWarningWhenMethodUnavailable());
 207     }
 208
 209     /**
 210      * @test
 211      */
 212     public function authenticationWithNonValidPassword()
 213     {
 214         $password = 'password';
 215         $password1 = $password . 'INVALID';
 216         $saltedHashPassword = $this->objectInstance->getHashedPassword($password);
 217         $this->assertFalse($this->objectInstance->checkPassword($password1, $saltedHashPassword), $this->getWarningWhenMethodUnavailable());
 218     }
 219
 220     /**
 221      * @test
 222      */
 223     public function passwordVariationsResultInDifferentHashes()
 224     {
 225         $pad = 'a';
 226         $criticalPwLength = 0;
 227         // We're using a constant salt.
 228         $saltedHashPasswordCurrent = $salt = $this->objectInstance->getHashedPassword($pad);
 229         for ($i = 0; $i <= 128; $i += 8) {
 230             $password = str_repeat($pad, max($i, 1));
 231             $saltedHashPasswordPrevious = $saltedHashPasswordCurrent;
 232             $saltedHashPasswordCurrent = $this->objectInstance->getHashedPassword($password, $salt);
 233             if ($i > 0 && $saltedHashPasswordPrevious === $saltedHashPasswordCurrent) {
 234                 $criticalPwLength = $i;
 235                 break;
 236             }
 237         }
 238         $this->assertTrue($criticalPwLength == 0 || $criticalPwLength > 32, $this->getWarningWhenMethodUnavailable() . 'Duplicates of hashed passwords with plaintext password of length ' . $criticalPwLength . '+.');
 239     }
 240
 241     /**
 242      * @test
 243      */
 244     public function noUpdateNecessityForMd5()
 245     {
 246         $password = 'password';
 247         $saltedHashPassword = $this->objectInstance->getHashedPassword($password);
 248         $this->assertFalse($this->objectInstance->isHashUpdateNeeded($saltedHashPassword));
 249     }
 250 }