AcadeNice/corentin_wakdo
7
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
corentin_wakdo/tests/Unit/Auth/PinVerifierTest.php
Imugiii 75dd98668c
Some checks failed
CI / secret-scan (push) Successful in 9s
Details
CI / php-lint (push) Successful in 17s
Details
CI / static-tests (pull_request) Successful in 29s
Details
CI / auto-merge (push) Has been skipped
Details
CI / static-tests (push) Successful in 28s
Details
CI / secret-scan (pull_request) Successful in 7s
Details
CI / php-lint (pull_request) Successful in 16s
Details
CI / auto-merge (pull_request) Failing after 7s
Details
feat(pin): primitif de verification du PIN d'action sensible (RG-T13) 
PinVerifier verifie un PIN soumis contre user.pin_hash (argon2id, default-deny, filtre
is_active = 1) et porte la politique de longueur (chiffres ASCII, bornes min/max STAFF_PIN_*, RG-T18).
Primitif reutilise par chaque operation sensible en P3 (annulation, prix/TVA, suppressions, inventaire,
gestion user/RBAC, effacement PII) ; le flux PIN + audit_log dans la meme transaction est specifie
dans docs/uml/security-sequence.md. Un decoy argon2id sur le chemin sans PIN egalise le timing
(anti-enumeration). Tests unit + integration (auto-skippee), dont la garde du filtre is_active contre
le vrai schema.
2026-06-15 18:57:01 +00:00

112 lines
3.5 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace App\Tests\Unit\Auth;
use PHPUnit\Framework\TestCase;
use App\Auth\PasswordHasher;
use App\Auth\PinVerifier;
use App\Core\Config;
use App\Tests\Support\FakeDatabase;
/**
* Verification du PIN d'action sensible (RG-T13) avec un FakeDatabase et un vrai
* PasswordHasher a cout reduit.
*/
final class PinVerifierTest extends TestCase
{
/** @var list<string> */
private array $touchedKeys = [];
private FakeDatabase $db;
private PasswordHasher $hasher;
protected function setUp(): void
{
$this->setEnv('STAFF_PIN_MIN_LENGTH', '4');
$this->setEnv('STAFF_PIN_MAX_LENGTH', '12');
$this->setEnv('ARGON2_MEMORY_COST', '1024');
$this->setEnv('ARGON2_TIME_COST', '1');
$this->setEnv('ARGON2_THREADS', '1');
$this->db = new FakeDatabase();
$this->hasher = new PasswordHasher(new Config());
}
protected function tearDown(): void
{
foreach ($this->touchedKeys as $key) {
putenv($key);
}
$this->touchedKeys = [];
}
private function setEnv(string $key, string $value): void
{
$this->touchedKeys[] = $key;
putenv($key . '=' . $value);
}
private function verifier(): PinVerifier
{
return new PinVerifier($this->db, new Config(), $this->hasher);
}
public function testVerifyTrueWhenPinMatches(): void
{
$this->db->pinUserRow = ['pin_hash' => $this->hasher->hash('4729')];
self::assertTrue($this->verifier()->verify(7, '4729'));
// Garde RG-T13 : la lecture filtre bien is_active = 1 (retirer le predicat
// ferait echouer ce cas via le routage durci du FakeDatabase).
self::assertStringContainsString('is_active = 1', $this->db->reads[0]['sql']);
}
public function testVerifyFalseWhenPinWrong(): void
{
$this->db->pinUserRow = ['pin_hash' => $this->hasher->hash('4729')];
self::assertFalse($this->verifier()->verify(7, '0000'));
}
public function testVerifyFalseWhenPinHashNull(): void
{
// PIN non defini sur le compte.
$this->db->pinUserRow = ['pin_hash' => null];
self::assertFalse($this->verifier()->verify(7, '4729'));
}
public function testVerifyFalseWhenUserAbsentOrInactive(): void
{
// La requete filtre is_active = 1 : un compte inactif/absent ne renvoie rien.
$this->db->pinUserRow = null;
self::assertFalse($this->verifier()->verify(7, '4729'));
}
public function testVerifyFalseWhenPinEmpty(): void
{
$this->db->pinUserRow = ['pin_hash' => $this->hasher->hash('4729')];
self::assertFalse($this->verifier()->verify(7, ''));
}
public function testMeetsLengthPolicy(): void
{
$verifier = $this->verifier();
// Sous le minimum / au minimum / dans les bornes.
self::assertFalse($verifier->meetsLengthPolicy('123'));
self::assertTrue($verifier->meetsLengthPolicy('1234'));
self::assertTrue($verifier->meetsLengthPolicy('123456'));
// Au max (12) accepte, au-dela refuse (RG-T18 borne haute).
self::assertTrue($verifier->meetsLengthPolicy('123456789012'));
self::assertFalse($verifier->meetsLengthPolicy('1234567890123'));
// Charset : chiffres uniquement ; vide refuse.
self::assertFalse($verifier->meetsLengthPolicy('abcd'));
self::assertFalse($verifier->meetsLengthPolicy('12ab'));
self::assertFalse($verifier->meetsLengthPolicy(''));
}
}
Reference in a new issue View git blame Copy permalink