From 8af88f3f729b7bcfd2a106f858b5445deafe5ed0 Mon Sep 17 00:00:00 2001
From: Taufan Aditya <toopay@taufanaditya.com>
Date: Tue, 15 May 2012 21:52:53 +0700
Subject: Security Code coverage

---
 tests/Bootstrap.php                      |  3 ++
 tests/codeigniter/core/Security_test.php | 79 ++++++++++++++++++++++++++++++++
 tests/mocks/core/security.php            | 27 +++++++++++
 tests/mocks/libraries/table.php          |  2 +-
 4 files changed, 110 insertions(+), 1 deletion(-)
 create mode 100644 tests/codeigniter/core/Security_test.php
 create mode 100644 tests/mocks/core/security.php

diff --git a/tests/Bootstrap.php b/tests/Bootstrap.php
index 9f89d1be8..2bec364ef 100644
--- a/tests/Bootstrap.php
+++ b/tests/Bootstrap.php
@@ -12,6 +12,9 @@ define('BASEPATH',		PROJECT_BASE.'system/');
 define('APPPATH',		PROJECT_BASE.'application/');
 define('VIEWPATH',		PROJECT_BASE.'');
 
+// Set cookie for security test
+$_COOKIE['ci_csrf_cookie'] = md5(uniqid(rand(), TRUE));
+
 // Prep our test environment
 require_once 'vfsStream/vfsStream.php';
 include_once $dir.'/mocks/core/common.php';
diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
new file mode 100644
index 000000000..c3b526965
--- /dev/null
+++ b/tests/codeigniter/core/Security_test.php
@@ -0,0 +1,79 @@
+<?php
+
+class Security_test extends CI_TestCase {
+	
+	public function set_up()
+	{
+		$this->ci_set_config('csrf_protection', TRUE);
+		$this->ci_set_config('csrf_token_name', 'ci_csrf_token');
+		// @see : ./Bootstrap.php Line 16
+		$this->ci_set_config('csrf_cookie_name', 'ci_csrf_cookie');
+		$this->ci_set_config('csrf_expire', 7200);
+		$this->ci_set_config('csrf_regenerate', TRUE);
+		$this->ci_set_config('csrf_exclude_uris', array());
+
+		$this->ci_set_config('cookie_prefix', "");
+		$this->ci_set_config('cookie_domain', "");
+		$this->ci_set_config('cookie_path', "/");
+		$this->ci_set_config('cookie_secure', FALSE);
+		$this->ci_set_config('cookie_httponly',	FALSE);
+
+		$this->security = new Mock_Core_Security();
+	}
+	
+	// --------------------------------------------------------------------
+	
+	public function test_csrf_verify()
+	{
+		$_SERVER['REQUEST_METHOD'] = 'GET';
+
+		$this->assertInstanceOf('CI_Security', $this->security->csrf_verify());
+	}
+
+	// --------------------------------------------------------------------
+	
+	public function test_csrf_verify_invalid()
+	{
+		// Without issuing $_POST[csrf_token_name], this request will triggering CSRF error
+		$_SERVER['REQUEST_METHOD'] = 'POST';
+
+		$this->setExpectedException('RuntimeException', 'CI Error: The action you have requested is not allowed');
+
+		$this->security->csrf_verify();
+	}
+
+	// --------------------------------------------------------------------
+	
+	public function test_csrf_verify_valid()
+	{
+		$_SERVER['REQUEST_METHOD'] = 'POST';
+		$_POST[$this->security->csrf_token_name] = $this->security->csrf_hash;
+
+		$this->assertInstanceOf('CI_Security', $this->security->csrf_verify());
+	}
+
+	// --------------------------------------------------------------------
+	
+	public function test_get_csrf_hash()
+	{
+		$this->assertEquals($this->security->csrf_hash, $this->security->get_csrf_hash());
+	}
+
+	// --------------------------------------------------------------------
+	
+	public function test_get_csrf_token_name()
+	{
+		$this->assertEquals('ci_csrf_token', $this->security->get_csrf_token_name());
+	}
+
+	// --------------------------------------------------------------------
+	
+	public function test_xss_clean()
+	{
+		$harm_string = "Hello, i try to <script>alert('Hack');</script> your site";
+
+		$harmless_string = $this->security->xss_clean($harm_string);
+
+		$this->assertEquals("Hello, i try to [removed]alert&#40;'Hack'&#41;;[removed] your site", $harmless_string);
+	}
+}
\ No newline at end of file
diff --git a/tests/mocks/core/security.php b/tests/mocks/core/security.php
new file mode 100644
index 000000000..de8e44710
--- /dev/null
+++ b/tests/mocks/core/security.php
@@ -0,0 +1,27 @@
+<?php
+
+class Mock_Core_Security extends CI_Security {
+	
+	public function csrf_set_cookie()
+	{
+		return $this;
+	}
+
+	// Overide inaccesible protected properties
+	public function __get($property)
+	{
+		return isset($this->{'_'.$property}) ? $this->{'_'.$property} : NULL;
+	}
+
+	// Overide inaccesible protected method
+	public function __call($method, $params)
+	{
+		if (is_callable(array($this, '_'.$method)))
+		{
+			return call_user_func_array(array($this, '_'.$method), $params);
+		}
+
+		throw new BadMethodCallException('Method '.$method.' was not found');
+	}
+
+}
\ No newline at end of file
diff --git a/tests/mocks/libraries/table.php b/tests/mocks/libraries/table.php
index 1a6ff8d35..97fbb30bd 100644
--- a/tests/mocks/libraries/table.php
+++ b/tests/mocks/libraries/table.php
@@ -2,7 +2,7 @@
 
 class Mock_Libraries_Table extends CI_Table {
 	
-	// Overide inaccesible private or protected method
+	// Overide inaccesible protected method
 	public function __call($method, $params)
 	{
 		if (is_callable(array($this, '_'.$method)))
-- 
cgit v1.2.3-24-g4f1b