RISCI_ATOM
/
nextcloud-server
mirror of https://github.com/nextcloud/server.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295
							<?php

declare(strict_types=1);

/**
 * SPDX-FileCopyrightText: 2021 Nextcloud GmbH and Nextcloud contributors
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */

namespace Test\Security\VerificationToken;

use OC\Security\VerificationToken\VerificationToken;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\BackgroundJob\IJobList;
use OCP\IConfig;
use OCP\IUser;
use OCP\Security\ICrypto;
use OCP\Security\ISecureRandom;
use OCP\Security\VerificationToken\InvalidTokenException;
use PHPUnit\Framework\MockObject\MockObject;
use Test\TestCase;

class VerificationTokenTest extends TestCase {
	/** @var VerificationToken */
	protected $token;
	/** @var IConfig|MockObject */
	protected $config;
	/** @var ISecureRandom|MockObject */
	protected $secureRandom;
	/** @var ICrypto|MockObject */
	protected $crypto;
	/** @var ITimeFactory|MockObject */
	protected $timeFactory;
	/** @var IJobList|MockObject */
	protected $jobList;

	protected function setUp(): void {
		parent::setUp();

		$this->config = $this->createMock(IConfig::class);
		$this->crypto = $this->createMock(ICrypto::class);
		$this->timeFactory = $this->createMock(ITimeFactory::class);
		$this->secureRandom = $this->createMock(ISecureRandom::class);
		$this->jobList = $this->createMock(IJobList::class);

		$this->token = new VerificationToken(
			$this->config,
			$this->crypto,
			$this->timeFactory,
			$this->secureRandom,
			$this->jobList
		);
	}

	public function testTokenUserUnknown(): void {
		$this->expectException(InvalidTokenException::class);
		$this->expectExceptionCode(InvalidTokenException::USER_UNKNOWN);
		$this->token->check('encryptedToken', null, 'fingerprintToken', 'foobar');
	}

	public function testTokenUserUnknown2(): void {
		$user = $this->createMock(IUser::class);
		$user->expects($this->atLeastOnce())
			->method('isEnabled')
			->willReturn(false);

		$this->expectException(InvalidTokenException::class);
		$this->expectExceptionCode(InvalidTokenException::USER_UNKNOWN);
		$this->token->check('encryptedToken', $user, 'fingerprintToken', 'foobar');
	}

	public function testTokenNotFound(): void {
		$user = $this->createMock(IUser::class);
		$user->expects($this->atLeastOnce())
			->method('isEnabled')
			->willReturn(true);
		$user->expects($this->atLeastOnce())
			->method('getUID')
			->willReturn('alice');

		// implicit: IConfig::getUserValue returns null by default

		$this->expectException(InvalidTokenException::class);
		$this->expectExceptionCode(InvalidTokenException::TOKEN_NOT_FOUND);
		$this->token->check('encryptedToken', $user, 'fingerprintToken', 'foobar');
	}

	public function testTokenDecryptionError(): void {
		$user = $this->createMock(IUser::class);
		$user->expects($this->atLeastOnce())
			->method('isEnabled')
			->willReturn(true);
		$user->expects($this->atLeastOnce())
			->method('getUID')
			->willReturn('alice');

		$this->config->expects($this->atLeastOnce())
			->method('getUserValue')
			->with('alice', 'core', 'fingerprintToken', null)
			->willReturn('encryptedToken');
		$this->config->expects($this->any())
			->method('getSystemValueString')
			->with('secret')
			->willReturn('357111317');

		$this->crypto->method('decrypt')
			->with('encryptedToken', 'foobar' . '357111317')
			->willThrowException(new \Exception('decryption failed'));

		$this->expectException(InvalidTokenException::class);
		$this->expectExceptionCode(InvalidTokenException::TOKEN_DECRYPTION_ERROR);
		$this->token->check('encryptedToken', $user, 'fingerprintToken', 'foobar');
	}

	public function testTokenInvalidFormat(): void {
		$user = $this->createMock(IUser::class);
		$user->expects($this->atLeastOnce())
			->method('isEnabled')
			->willReturn(true);
		$user->expects($this->atLeastOnce())
			->method('getUID')
			->willReturn('alice');

		$this->config->expects($this->atLeastOnce())
			->method('getUserValue')
			->with('alice', 'core', 'fingerprintToken', null)
			->willReturn('encryptedToken');
		$this->config->expects($this->any())
			->method('getSystemValueString')
			->with('secret')
			->willReturn('357111317');

		$this->crypto->method('decrypt')
			->with('encryptedToken', 'foobar' . '357111317')
			->willReturn('decrypted^nonsense');

		$this->expectException(InvalidTokenException::class);
		$this->expectExceptionCode(InvalidTokenException::TOKEN_INVALID_FORMAT);
		$this->token->check('encryptedToken', $user, 'fingerprintToken', 'foobar');
	}

	public function testTokenExpired(): void {
		$user = $this->createMock(IUser::class);
		$user->expects($this->atLeastOnce())
			->method('isEnabled')
			->willReturn(true);
		$user->expects($this->atLeastOnce())
			->method('getUID')
			->willReturn('alice');
		$user->expects($this->any())
			->method('getLastLogin')
			->willReturn(604803);

		$this->config->expects($this->atLeastOnce())
			->method('getUserValue')
			->with('alice', 'core', 'fingerprintToken', null)
			->willReturn('encryptedToken');
		$this->config->expects($this->any())
			->method('getSystemValueString')
			->with('secret')
			->willReturn('357111317');

		$this->crypto->method('decrypt')
			->with('encryptedToken', 'foobar' . '357111317')
			->willReturn('604800:mY70K3n');

		$this->timeFactory->expects($this->any())
			->method('getTime')
			->willReturn(604800 * 3);

		$this->expectException(InvalidTokenException::class);
		$this->expectExceptionCode(InvalidTokenException::TOKEN_EXPIRED);
		$this->token->check('encryptedToken', $user, 'fingerprintToken', 'foobar');
	}

	public function testTokenExpiredByLogin(): void {
		$user = $this->createMock(IUser::class);
		$user->expects($this->atLeastOnce())
			->method('isEnabled')
			->willReturn(true);
		$user->expects($this->atLeastOnce())
			->method('getUID')
			->willReturn('alice');
		$user->expects($this->any())
			->method('getLastLogin')
			->willReturn(604803);

		$this->config->expects($this->atLeastOnce())
			->method('getUserValue')
			->with('alice', 'core', 'fingerprintToken', null)
			->willReturn('encryptedToken');
		$this->config->expects($this->any())
			->method('getSystemValueString')
			->with('secret')
			->willReturn('357111317');

		$this->crypto->method('decrypt')
			->with('encryptedToken', 'foobar' . '357111317')
			->willReturn('604800:mY70K3n');

		$this->timeFactory->expects($this->any())
			->method('getTime')
			->willReturn(604801);

		$this->expectException(InvalidTokenException::class);
		$this->expectExceptionCode(InvalidTokenException::TOKEN_EXPIRED);
		$this->token->check('encryptedToken', $user, 'fingerprintToken', 'foobar', true);
	}

	public function testTokenMismatch(): void {
		$user = $this->createMock(IUser::class);
		$user->expects($this->atLeastOnce())
			->method('isEnabled')
			->willReturn(true);
		$user->expects($this->atLeastOnce())
			->method('getUID')
			->willReturn('alice');
		$user->expects($this->any())
			->method('getLastLogin')
			->willReturn(604703);

		$this->config->expects($this->atLeastOnce())
			->method('getUserValue')
			->with('alice', 'core', 'fingerprintToken', null)
			->willReturn('encryptedToken');
		$this->config->expects($this->any())
			->method('getSystemValueString')
			->with('secret')
			->willReturn('357111317');

		$this->crypto->method('decrypt')
			->with('encryptedToken', 'foobar' . '357111317')
			->willReturn('604802:mY70K3n');

		$this->timeFactory->expects($this->any())
			->method('getTime')
			->willReturn(604801);

		$this->expectException(InvalidTokenException::class);
		$this->expectExceptionCode(InvalidTokenException::TOKEN_MISMATCH);
		$this->token->check('encryptedToken', $user, 'fingerprintToken', 'foobar');
	}

	public function testTokenSuccess(): void {
		$user = $this->createMock(IUser::class);
		$user->expects($this->atLeastOnce())
			->method('isEnabled')
			->willReturn(true);
		$user->expects($this->atLeastOnce())
			->method('getUID')
			->willReturn('alice');
		$user->expects($this->any())
			->method('getLastLogin')
			->willReturn(604703);

		$this->config->expects($this->atLeastOnce())
			->method('getUserValue')
			->with('alice', 'core', 'fingerprintToken', null)
			->willReturn('encryptedToken');
		$this->config->expects($this->any())
			->method('getSystemValueString')
			->with('secret')
			->willReturn('357111317');

		$this->crypto->method('decrypt')
			->with('encryptedToken', 'foobar' . '357111317')
			->willReturn('604802:barfoo');

		$this->timeFactory->expects($this->any())
			->method('getTime')
			->willReturn(604801);

		$this->token->check('barfoo', $user, 'fingerprintToken', 'foobar');
	}

	public function testCreate(): void {
		$user = $this->createMock(IUser::class);
		$user->expects($this->any())
			->method('getUID')
			->willReturn('alice');

		$this->secureRandom->expects($this->atLeastOnce())
			->method('generate')
			->willReturn('barfoo');
		$this->crypto->expects($this->atLeastOnce())
			->method('encrypt')
			->willReturn('encryptedToken');
		$this->config->expects($this->atLeastOnce())
			->method('setUserValue')
			->with('alice', 'core', 'fingerprintToken', 'encryptedToken');

		$vToken = $this->token->create($user, 'fingerprintToken', 'foobar');
		$this->assertSame('barfoo', $vToken);
	}
}