Password validity by policy per group

Make password policies defined in a configurable policy, which is defined by group. A user's password policy will be the maximum of each group policy that the user belongs to. Bug: T94774 Change-Id: Iad8e49ffcffed38df6293db0ef31a227d3962003
author: csteipp <csteipp@wikimedia.org> 2015-04-22 18:48:48 -0700
committer: csteipp <csteipp@wikimedia.org> 2015-06-10 10:34:17 -0700
commit: 1a20dc936256b10a3744f216f091a70fd441edea (patch)
tree: aa15a749d949f6ad450f6cad5a482610ad99eec6 /tests/phpunit
parent: 77c73301727a29bb8f34559de60a6f5b81c27bd8 (diff)
download: mediawikicore-1a20dc936256b10a3744f216f091a70fd441edea.tar.gz
mediawikicore-1a20dc936256b10a3744f216f091a70fd441edea.zip
3 files changed, 393 insertions, 2 deletions
diff --git a/tests/phpunit/includes/UserTest.php b/tests/phpunit/includes/UserTest.php
index 370b5b2c5bc3..a1f8361a7379 100644
--- a/tests/phpunit/includes/UserTest.php
+++ b/tests/phpunit/includes/UserTest.php
@@ -307,9 +307,30 @@ class UserTest extends MediaWikiTestCase {
 	 */
 	public function testCheckPasswordValidity() {
 		$this->setMwGlobals( array(
-			'wgMinimalPasswordLength' => 6,
-			'wgMaximalPasswordLength' => 30,
+			'wgPasswordPolicy' => array(
+				'policies' => array(
+					'sysop' => array(
+						'MinimalPasswordLength' => 8,
+						'MinimumPasswordLengthToLogin' => 1,
+						'PasswordCannotMatchUsername' => 1,
+					),
+					'default' => array(
+						'MinimalPasswordLength' => 6,
+						'PasswordCannotMatchUsername' => true,
+						'PasswordCannotMatchBlacklist' => true,
+						'MaximalPasswordLength' => 30,
+					),
+				),
+				'checks' => array(
+					'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
+					'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
+					'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
+					'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
+					'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
+				),
+			),
 		) );
+
 		$user = User::newFromName( 'Useruser' );
 		// Sanity
 		$this->assertTrue( $user->isValidPassword( 'Password1234' ) );
diff --git a/tests/phpunit/includes/password/PasswordPolicyChecksTest.php b/tests/phpunit/includes/password/PasswordPolicyChecksTest.php
new file mode 100644
index 000000000000..af34282fb316
--- /dev/null
+++ b/tests/phpunit/includes/password/PasswordPolicyChecksTest.php
@@ -0,0 +1,136 @@
+<?php
+/**
+ * Testing password-policy check functions
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ * http://www.gnu.org/copyleft/gpl.html
+ *
+ * @file
+ */
+
+class PasswordPolicyChecksTest extends MediaWikiTestCase {
+
+	/**
+	 * @covers PasswordPolicyChecks::checkMinimalPasswordLength
+	 */
+	public function testCheckMinimalPasswordLength() {
+		$statusOK = PasswordPolicyChecks::checkMinimalPasswordLength(
+			3, // policy value
+			User::newFromName( 'user' ), // User
+			'password'  // password
+		);
+		$this->assertTrue( $statusOK->isGood(), 'Password is longer than minimal policy' );
+		$statusShort = PasswordPolicyChecks::checkMinimalPasswordLength(
+			10, // policy value
+			User::newFromName( 'user' ), // User
+			'password'  // password
+		);
+		$this->assertFalse(
+			$statusShort->isGood(),
+			'Password is shorter than minimal policy'
+		);
+		$this->assertTrue(
+			$statusShort->isOk(),
+			'Password is shorter than minimal policy, not fatal'
+		);
+	}
+
+	/**
+	 * @covers PasswordPolicyChecks::checkMinimumPasswordLengthToLogin
+	 */
+	public function testCheckMinimumPasswordLengthToLogin() {
+		$statusOK = PasswordPolicyChecks::checkMinimumPasswordLengthToLogin(
+			3, // policy value
+			User::newFromName( 'user' ), // User
+			'password'  // password
+		);
+		$this->assertTrue( $statusOK->isGood(), 'Password is longer than minimal policy' );
+		$statusShort = PasswordPolicyChecks::checkMinimumPasswordLengthToLogin(
+			10, // policy value
+			User::newFromName( 'user' ), // User
+			'password'  // password
+		);
+		$this->assertFalse(
+			$statusShort->isGood(),
+			'Password is shorter than minimum login policy'
+		);
+		$this->assertFalse(
+			$statusShort->isOk(),
+			'Password is shorter than minimum login policy, fatal'
+		);
+	}
+
+	/**
+	 * @covers PasswordPolicyChecks::checkMaximalPasswordLength
+	 */
+	public function testCheckMaximalPasswordLength() {
+		$statusOK = PasswordPolicyChecks::checkMaximalPasswordLength(
+			100, // policy value
+			User::newFromName( 'user' ), // User
+			'password'  // password
+		);
+		$this->assertTrue( $statusOK->isGood(), 'Password is shorter than maximal policy' );
+		$statusLong = PasswordPolicyChecks::checkMaximalPasswordLength(
+			4, // policy value
+			User::newFromName( 'user' ), // User
+			'password'  // password
+		);
+		$this->assertFalse( $statusLong->isGood(),
+			'Password is longer than maximal policy'
+		);
+		$this->assertFalse( $statusLong->isOk(),
+			'Password is longer than maximal policy, fatal'
+		);
+	}
+
+	/**
+	 * @covers PasswordPolicyChecks::checkPasswordCannotMatchUsername
+	 */
+	public function testCheckPasswordCannotMatchUsername() {
+		$statusOK = PasswordPolicyChecks::checkPasswordCannotMatchUsername(
+			1, // policy value
+			User::newFromName( 'user' ), // User
+			'password'  // password
+		);
+		$this->assertTrue( $statusOK->isGood(), 'Password does not match username' );
+		$statusLong = PasswordPolicyChecks::checkPasswordCannotMatchUsername(
+			1, // policy value
+			User::newFromName( 'user' ), // User
+			'user'  // password
+		);
+		$this->assertFalse( $statusLong->isGood(), 'Password matches username' );
+		$this->assertTrue( $statusLong->isOk(), 'Password matches username, not fatal' );
+	}
+
+	/**
+	 * @covers PasswordPolicyChecks::checkPasswordCannotMatchBlacklist
+	 */
+	public function testCheckPasswordCannotMatchBlacklist() {
+		$statusOK = PasswordPolicyChecks::checkPasswordCannotMatchBlacklist(
+			true, // policy value
+			User::newFromName( 'Username' ), // User
+			'AUniquePassword'  // password
+		);
+		$this->assertTrue( $statusOK->isGood(), 'Password is not on blacklist' );
+		$statusLong = PasswordPolicyChecks::checkPasswordCannotMatchBlacklist(
+			true, // policy value
+			User::newFromName( 'Useruser1' ), // User
+			'Passpass1'  // password
+		);
+		$this->assertFalse( $statusLong->isGood(), 'Password matches blacklist' );
+		$this->assertTrue( $statusLong->isOk(), 'Password matches blacklist, not fatal' );
+	}
+
+}
diff --git a/tests/phpunit/includes/password/UserPasswordPolicyTest.php b/tests/phpunit/includes/password/UserPasswordPolicyTest.php
new file mode 100644
index 000000000000..ce4e30abb67d
--- /dev/null
+++ b/tests/phpunit/includes/password/UserPasswordPolicyTest.php
@@ -0,0 +1,234 @@
+<?php
+/**
+ * Testing for password-policy enforcement, based on a user's groups.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ * http://www.gnu.org/copyleft/gpl.html
+ *
+ * @file
+ */
+
+class UserPasswordPolicyTest extends MediaWikiTestCase {
+
+	protected $policies = array(
+		'checkuser' => array(
+			'MinimalPasswordLength' => 10,
+			'MinimumPasswordLengthToLogin' => 6,
+			'PasswordCannotMatchUsername' => true,
+		),
+		'sysop' => array(
+			'MinimalPasswordLength' => 8,
+			'MinimumPasswordLengthToLogin' => 1,
+			'PasswordCannotMatchUsername' => true,
+		),
+		'default' => array(
+			'MinimalPasswordLength' => 4,
+			'MinimumPasswordLengthToLogin' => 1,
+			'PasswordCannotMatchBlacklist' => true,
+			'MaximalPasswordLength' => 4096,
+		),
+	);
+
+	protected $checks = array(
+		'MinimalPasswordLength' => 'PasswordPolicyChecks::checkMinimalPasswordLength',
+		'MinimumPasswordLengthToLogin' => 'PasswordPolicyChecks::checkMinimumPasswordLengthToLogin',
+		'PasswordCannotMatchUsername' => 'PasswordPolicyChecks::checkPasswordCannotMatchUsername',
+		'PasswordCannotMatchBlacklist' => 'PasswordPolicyChecks::checkPasswordCannotMatchBlacklist',
+		'MaximalPasswordLength' => 'PasswordPolicyChecks::checkMaximalPasswordLength',
+	);
+
+	private function getUserPasswordPolicy() {
+		return new UserPasswordPolicy( $this->policies, $this->checks );
+	}
+
+	/**
+	 * @covers UserPasswordPolicy::getPoliciesForUser
+	 */
+	public function testGetPoliciesForUser() {
+
+		$upp = $this->getUserPasswordPolicy();
+
+		$user = User::newFromName( 'TestUserPolicy' );
+		$user->addGroup( 'sysop' );
+
+		$this->assertArrayEquals(
+			array(
+				'MinimalPasswordLength' => 8,
+				'MinimumPasswordLengthToLogin' => 1,
+				'PasswordCannotMatchUsername' => 1,
+				'PasswordCannotMatchBlacklist' => true,
+				'MaximalPasswordLength' => 4096,
+			),
+			$upp->getPoliciesForUser( $user )
+		);
+	}
+
+	/**
+	 * @covers UserPasswordPolicy::getPoliciesForGroups
+	 */
+	public function testGetPoliciesForGroups() {
+		$effective = UserPasswordPolicy::getPoliciesForGroups(
+			$this->policies,
+			array( 'user', 'checkuser' ),
+			$this->policies['default']
+		);
+
+		$this->assertArrayEquals(
+			array(
+				'MinimalPasswordLength' => 10,
+				'MinimumPasswordLengthToLogin' => 6,
+				'PasswordCannotMatchUsername' => true,
+				'PasswordCannotMatchBlacklist' => true,
+				'MaximalPasswordLength' => 4096,
+			),
+			$effective
+		);
+	}
+
+	/**
+	 * @dataProvider provideCheckUserPassword
+	 * @covers UserPasswordPolicy::checkUserPassword
+	 */
+	public function testCheckUserPassword( $username, $groups, $password, $valid, $ok, $msg ) {
+
+		$upp = $this->getUserPasswordPolicy();
+
+		$user = User::newFromName( $username );
+		foreach ( $groups as $group ) {
+			$user->addGroup( $group );
+		}
+
+		$status = $upp->checkUserPassword( $user, $password );
+		$this->assertSame( $valid, $status->isGood(), $msg . ' - password valid' );
+		$this->assertSame( $ok, $status->isOk(), $msg . ' - can login' );
+	}
+
+	public function provideCheckUserPassword() {
+		return array(
+			array(
+				'PassPolicyUser',
+				array(),
+				'',
+				false,
+				false,
+				'No groups, default policy, password too short to login'
+			),
+			array(
+				'PassPolicyUser',
+				array( 'user' ),
+				'aaa',
+				false,
+				true,
+				'Default policy, short password'
+			),
+			array(
+				'PassPolicyUser',
+				array( 'sysop' ),
+				'abcdabcdabcd',
+				true,
+				true,
+				'Sysop with good password'
+			),
+			array(
+				'PassPolicyUser',
+				array( 'sysop' ),
+				'abcd',
+				false,
+				true,
+				'Sysop with short password'
+			),
+			array(
+				'PassPolicyUser',
+				array( 'sysop', 'checkuser' ),
+				'abcdabcd',
+				false,
+				true,
+				'Checkuser with short password'
+			),
+			array(
+				'PassPolicyUser',
+				array( 'sysop', 'checkuser' ),
+				'abcd',
+				false,
+				false,
+				'Checkuser with too short password to login'
+			),
+			array(
+				'Useruser',
+				array( 'user' ),
+				'Passpass',
+				false,
+				true,
+				'Username & password on blacklist'
+			),
+		);
+	}
+
+	/**
+	 * @dataProvider provideMaxOfPolicies
+	 * @covers UserPasswordPolicy::maxOfPolicies
+	 */
+	public function testMaxOfPolicies( $p1, $p2, $max, $msg ) {
+		$this->assertArrayEquals(
+			$max,
+			UserPasswordPolicy::maxOfPolicies( $p1, $p2 ),
+			$msg
+		);
+	}
+
+	public function provideMaxOfPolicies() {
+		return array(
+			array(
+				array( 'MinimalPasswordLength' => 8 ), //p1
+				array( 'MinimalPasswordLength' => 2 ), //p2
+				array( 'MinimalPasswordLength' => 8 ), //max
+				'Basic max in p1'
+			),
+			array(
+				array( 'MinimalPasswordLength' => 2 ), //p1
+				array( 'MinimalPasswordLength' => 8 ), //p2
+				array( 'MinimalPasswordLength' => 8 ), //max
+				'Basic max in p2'
+			),
+			array(
+				array( 'MinimalPasswordLength' => 8 ), //p1
+				array(
+					'MinimalPasswordLength' => 2,
+					'PasswordCannotMatchUsername' => 1,
+				), //p2
+				array(
+					'MinimalPasswordLength' => 8,
+					'PasswordCannotMatchUsername' => 1,
+				), //max
+				'Missing items in p1'
+			),
+			array(
+				array(
+					'MinimalPasswordLength' => 8,
+					'PasswordCannotMatchUsername' => 1,
+				), //p1
+				array(
+					'MinimalPasswordLength' => 2,
+				), //p2
+				array(
+					'MinimalPasswordLength' => 8,
+					'PasswordCannotMatchUsername' => 1,
+				), //max
+				'Missing items in p2'
+			),
+		);
+	}
+
+}
author	csteipp <csteipp@wikimedia.org>	2015-04-22 18:48:48 -0700
committer	csteipp <csteipp@wikimedia.org>	2015-06-10 10:34:17 -0700
commit	1a20dc936256b10a3744f216f091a70fd441edea (patch)
tree	aa15a749d949f6ad450f6cad5a482610ad99eec6 /tests/phpunit
parent	77c73301727a29bb8f34559de60a6f5b81c27bd8 (diff)
download	mediawikicore-1a20dc936256b10a3744f216f091a70fd441edea.tar.gz mediawikicore-1a20dc936256b10a3744f216f091a70fd441edea.zip