1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
|
<?php
/**
* @file
* Provides unit tests for password.inc.
*/
/**
* Unit tests for password hashing API.
*/
class PasswordHashingTest extends DrupalWebTestCase {
protected $profile = 'testing';
public static function getInfo() {
return array(
'name' => 'Password hashing',
'description' => 'Password hashing unit tests.',
'group' => 'System',
);
}
function setUp() {
require_once DRUPAL_ROOT . '/' . variable_get('password_inc', 'includes/password.inc');
parent::setUp();
}
/**
* Test password hashing.
*/
function testPasswordHashing() {
// Set a log2 iteration count that is deliberately out of bounds to test
// that it is corrected to be within bounds.
variable_set('password_count_log2', 1);
// Set up a fake $account with a password 'baz', hashed with md5.
$password = 'baz';
$account = (object) array('name' => 'foo', 'pass' => md5($password));
// The md5 password should be flagged as needing an update.
$this->assertTrue(user_needs_new_hash($account), 'User with md5 password needs a new hash.');
// Re-hash the password.
$old_hash = $account->pass;
$account->pass = user_hash_password($password);
$this->assertIdentical(_password_get_count_log2($account->pass), DRUPAL_MIN_HASH_COUNT, 'Re-hashed password has the minimum number of log2 iterations.');
$this->assertTrue($account->pass != $old_hash, 'Password hash changed.');
$this->assertTrue(user_check_password($password, $account), 'Password check succeeds.');
// Since the log2 setting hasn't changed and the user has a valid password,
// user_needs_new_hash() should return FALSE.
$this->assertFalse(user_needs_new_hash($account), 'User does not need a new hash.');
// Increment the log2 iteration to MIN + 1.
variable_set('password_count_log2', DRUPAL_MIN_HASH_COUNT + 1);
$this->assertTrue(user_needs_new_hash($account), 'User needs a new hash after incrementing the log2 count.');
// Re-hash the password.
$old_hash = $account->pass;
$account->pass = user_hash_password($password);
$this->assertIdentical(_password_get_count_log2($account->pass), DRUPAL_MIN_HASH_COUNT + 1, 'Re-hashed password has the correct number of log2 iterations.');
$this->assertTrue($account->pass != $old_hash, 'Password hash changed again.');
// Now the hash should be OK.
$this->assertFalse(user_needs_new_hash($account), 'Re-hashed password does not need a new hash.');
$this->assertTrue(user_check_password($password, $account), 'Password check succeeds with re-hashed password.');
}
/**
* Verifies that passwords longer than 512 bytes are not hashed.
*/
public function testLongPassword() {
$password = str_repeat('x', 512);
$result = user_hash_password($password);
$this->assertFalse(empty($result), '512 byte long password is allowed.');
$password = str_repeat('x', 513);
$result = user_hash_password($password);
$this->assertFalse($result, '513 byte long password is not allowed.');
// Check a string of 3-byte UTF-8 characters.
$password = str_repeat('€', 170);
$result = user_hash_password($password);
$this->assertFalse(empty($result), '510 byte long password is allowed.');
$password .= 'xx';
$this->assertFalse(empty($result), '512 byte long password is allowed.');
$password = str_repeat('€', 171);
$result = user_hash_password($password);
$this->assertFalse($result, '513 byte long password is not allowed.');
}
}
|
