Home Verkennen Help
Registreren Inloggen
oleg
/
pixelfed
spiegel van https://github.com/pixelfed/pixelfed.git
1
0
Vork 0
Bestanden Issues 0 Wiki
Boom: fce6d60a7d
Aftakkingen Labels
pixelfed
/
tests
/
Unit
/
HttpSignatures
/
VerifierHmacTest.php

VerifierHmacTest.php 3.4 KB
Geschiedenis Ruwe

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116 
  1. <?php
    2. 

  2. 

  3. namespace Tests\Unit\HttpSignatures;
    4. 

  4. 

  5. use GuzzleHttp\Psr7\Request;
    6. 

  6. use App\Util\HttpSignatures\KeyStore;
    7. 

  7. use App\Util\HttpSignatures\Verifier;
    8. 

  8. 

  9. class VerifierHmacTest extends \PHPUnit\Framework\TestCase
    10. 

  10. {
    11. 

  11.     const DATE = 'Fri, 01 Aug 2014 13:44:32 -0700';
    12. 

  12.     const DATE_DIFFERENT = 'Fri, 01 Aug 2014 13:44:33 -0700';
    13. 

  13. 

  14.     /**
    15. 

  15.      * @var Verifier
    16. 

  16.      */
    17. 

  17.     private $verifier;
    18. 

  18. 

  19.     /**
    20. 

  20.      * @var Request
    21. 

  21.      */
    22. 

  22.     private $message;
    23. 

  23. 

  24.     public function setUp()
    25. 

  25.     {
    26. 

  26.         $this->setUpHmacVerifier();
    27. 

  27.         $this->setUpValidHmacMessage();
    28. 

  28.     }
    29. 

  29. 

  30.     private function setUpHmacVerifier()
    31. 

  31.     {
    32. 

  32.         $keyStore = new KeyStore(['secret1' => 'secret']);
    33. 

  33.         $this->verifier = new Verifier($keyStore);
    34. 

  34.     }
    35. 

  35. 

  36.     private function setUpValidHmacMessage()
    37. 

  37.     {
    38. 

  38.         $signatureHeader = sprintf(
    39. 

  39.             'keyId="%s",algorithm="%s",headers="%s",signature="%s"',
    40. 

  40.             'secret1',
    41. 

  41.             'hmac-sha256',
    42. 

  42.             '(request-target) date',
    43. 

  43.             'cS2VvndvReuTLy52Ggi4j6UaDqGm9hMb4z0xJZ6adqU='
    44. 

  44.         );
    45. 

  45. 

  46.         $this->message = new Request('GET', '/path?query=123', [
    47. 

  47.             'Date' => self::DATE,
    48. 

  48.             'Signature' => $signatureHeader,
    49. 

  49.         ]);
    50. 

  50.     }
    51. 

  51. 

  52.     public function testVerifyValidHmacMessage()
    53. 

  53.     {
    54. 

  54.         $this->assertTrue($this->verifier->isValid($this->message));
    55. 

  55.     }
    56. 

  56. 

  57.     public function testVerifyValidHmacMessageAuthorizationHeader()
    58. 

  58.     {
    59. 

  59.         $message = $this->message->withHeader('Authorization', "Signature {$this->message->getHeader('Signature')[0]}");
    60. 

  60.         $message = $message->withoutHeader('Signature');
    61. 

  61. 

  62.         $this->assertTrue($this->verifier->isValid($this->message));
    63. 

  63.     }
    64. 

  64. 

  65.     public function testRejectTamperedHmacRequestMethod()
    66. 

  66.     {
    67. 

  67.         $message = $this->message->withMethod('POST');
    68. 

  68.         $this->assertFalse($this->verifier->isValid($message));
    69. 

  69.     }
    70. 

  70. 

  71.     public function testRejectTamperedHmacDate()
    72. 

  72.     {
    73. 

  73.         $message = $this->message->withHeader('Date', self::DATE_DIFFERENT);
    74. 

  74.         $this->assertFalse($this->verifier->isValid($message));
    75. 

  75.     }
    76. 

  76. 

  77.     public function testRejectTamperedHmacSignature()
    78. 

  78.     {
    79. 

  79.         $message = $this->message->withHeader(
    80. 

  80.             'Signature',
    81. 

  81.             preg_replace('/signature="/', 'signature="x', $this->message->getHeader('Signature')[0])
    82. 

  82.         );
    83. 

  83.         $this->assertFalse($this->verifier->isValid($message));
    84. 

  84.     }
    85. 

  85. 

  86.     public function testRejectHmacMessageWithoutSignatureHeader()
    87. 

  87.     {
    88. 

  88.         $message = $this->message->withoutHeader('Signature');
    89. 

  89.         $this->assertFalse($this->verifier->isValid($message));
    90. 

  90.     }
    91. 

  91. 

  92.     public function testRejectHmacMessageWithGarbageSignatureHeader()
    93. 

  93.     {
    94. 

  94.         $message = $this->message->withHeader('Signature', 'not="a",valid="signature"');
    95. 

  95.         $this->assertFalse($this->verifier->isValid($message));
    96. 

  96.     }
    97. 

  97. 

  98.     public function testRejectHmacMessageWithPartialSignatureHeader()
    99. 

  99.     {
    100. 

  100.         $message = $this->message->withHeader('Signature', 'keyId="aa",algorithm="bb"');
    101. 

  101.         $this->assertFalse($this->verifier->isValid($message));
    102. 

  102.     }
    103. 

  103. 

  104.     public function testRejectsHmacMessageWithUnknownKeyId()
    105. 

  105.     {
    106. 

  106.         $keyStore = new KeyStore(['nope' => 'secret']);
    107. 

  107.         $verifier = new Verifier($keyStore);
    108. 

  108.         $this->assertFalse($verifier->isValid($this->message));
    109. 

  109.     }
    110. 

  110. 

  111.     public function testRejectsHmacMessageMissingSignedHeaders()
    112. 

  112.     {
    113. 

  113.         $message = $this->message->withoutHeader('Date');
    114. 

  114.         $this->assertFalse($this->verifier->isValid($message));
    115. 

  115.     }
    116. 

  116. }
    117.