From d4d57fd631e1d37f9e36d51df5ab4baf71a64749 Mon Sep 17 00:00:00 2001
From: Daniel Seifert
Date: Tue, 8 Nov 2022 10:19:43 +0100
Subject: [PATCH] add webauthn redirect test

---
 .../Admin/d3_LoginController_Webauthn.php | 4 +-
 src/tests/integration/integrationTestCase.php | 2 +-
 .../integration/passwordAdminAuthTest.php | 25 ++-
 .../integration/webauthnAdminAuthTest.php | 145 ++++++++++++++++++
 4 files changed, 160 insertions(+), 16 deletions(-)
 create mode 100644 src/tests/integration/webauthnAdminAuthTest.php

diff --git a/src/Modules/Application/Controller/Admin/d3_LoginController_Webauthn.php b/src/Modules/Application/Controller/Admin/d3_LoginController_Webauthn.php
index ce1f831..def0ba8 100755
--- a/src/Modules/Application/Controller/Admin/d3_LoginController_Webauthn.php
+++ b/src/Modules/Application/Controller/Admin/d3_LoginController_Webauthn.php
@@ -46,7 +46,7 @@ class d3_LoginController_Webauthn extends d3_LoginController_Webauthn_parent
     {
         $lgn_user = Registry::getRequest()->getRequestParameter('user') ?:
             Registry::getSession()->getVariable(WebauthnConf::WEBAUTHN_SESSION_LOGINUSER);
-        $password = Registry::getRequest()->getRequestParameter('pwd', true);
+        $password = Registry::getRequest()->getRequestParameter('pwd');
 
         /** @var d3_User_Webauthn $user */
         $user = $this->d3GetUserObject();
@@ -54,7 +54,7 @@ class d3_LoginController_Webauthn extends d3_LoginController_Webauthn_parent
         if ($lgn_user &&
             $userId &&
             false === Registry::getSession()->hasVariable(WebauthnConf::WEBAUTHN_SESSION_AUTH) &&
-            !strlen(trim($password))
+            (!$password || !strlen(trim($password)))
         ) {
             $webauthn = $this->d3GetWebauthnObject();
 
diff --git a/src/tests/integration/integrationTestCase.php b/src/tests/integration/integrationTestCase.php
index a2a84ac..a8ea38e 100644
--- a/src/tests/integration/integrationTestCase.php
+++ b/src/tests/integration/integrationTestCase.php
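Review bot: On the new condition line `!$password` is a truthiness test, so a submitted password of `"0"` is treated as absent and the request is routed into the WebAuthn branch instead of the password login; prefer `($password === null || trim((string) $password) === '')`, which also keeps `trim(null)` (deprecated since PHP 8.1) out of reach. A routing decision between two login mechanisms should not depend on PHP's falsy strings, and what the branch does with `$webauthn` lies after the hunk, so I cannot see whether an unintended entry has effects beyond the redirect. In the first hunk the dropped second argument to `getRequestParameter('pwd', true)` looks like the reason a missing `pwd` now arrives as `null` (the provider row changed in this commit relies on that); if that argument was a default value, a one-line comment such as `// no default: a missing pwd must stay null so the guard below can detect it` would stop someone from re-adding it. The enclosing method starts before the first hunk and ends after the second.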
@@ -132,7 +132,7 @@ abstract class integrationTestCase extends d3ModCfgUnitTestCase
     {
         try {
             /** @var BaseModel $oObject */
-            $oObject = d3GetModCfgDIC()->get($sClass);
+            $oObject = oxNew($sClass);
             if (method_exists($oObject, 'setRights')) {
                 $oObject->setRights(null);
             }
diff --git a/src/tests/integration/passwordAdminAuthTest.php b/src/tests/integration/passwordAdminAuthTest.php
index b5916de..003faa0 100644
--- a/src/tests/integration/passwordAdminAuthTest.php
+++ b/src/tests/integration/passwordAdminAuthTest.php
@@ -16,17 +16,16 @@ namespace D3\Webauthn\tests\integration;
 
 use OxidEsales\Eshop\Application\Controller\Admin\LoginController;
-use OxidEsales\Eshop\Application\Model\User;
 use OxidEsales\Eshop\Core\DatabaseProvider;
 use OxidEsales\Eshop\Core\Registry;
 
 class passwordAdminAuthTest extends integrationTestCase
 {
     protected $userList = [
-        '1' => 'userId1',
-        '2' => 'userId2',
-        '3' => 'userId3',
-        '4' => 'userId4',
+        1 => 'userId1',
+        2 => 'userId2',
+        3 => 'userId3',
+        4 => 'userId4',
     ];
 
     public function createTestData()
@@ -34,7 +33,7 @@ class passwordAdminAuthTest extends integrationTestCase
         $admin = DatabaseProvider::getDb()->getOne('SELECT oxid FROM oxuser WHERE oxrights = "malladmin"');
         Registry::getSession()->setVariable('auth', $admin);
         $this->createUser(
-            $this->userList['1'],
+            $this->userList[1],
             [
                 'oxactive' => 1,
                 'oxrights' => 'user',
@@ -47,7 +46,7 @@ class passwordAdminAuthTest extends integrationTestCase
         );
 
         $this->createUser(
-            $this->userList['2'],
+            $this->userList[2],
             [
                 'oxactive' => 1,
                 'oxrights' => 'malladmin',
@@ -60,7 +59,7 @@ class passwordAdminAuthTest extends integrationTestCase
         );
 
         $this->createUser(
-            $this->userList['3'],
+            $this->userList[3],
             [
                 'oxactive' => 1,
                 'oxrights' => 'malladmin',
@@ -73,7 +72,7 @@ class passwordAdminAuthTest extends integrationTestCase
         );
 
         $this->createUser(
-            $this->userList['4'],
+            $this->userList[4],
             [
                 'oxactive' => 0,
                 'oxrights' => 'malladmin',
@@ -96,9 +95,9 @@ class passwordAdminAuthTest extends integrationTestCase
 
     /**
      * @test
-     * @dataProvider passwordLoginDataProvider
+     * @dataProvider loginDataProvider
      */
-    public function testCantLoginBecauseOfNotExistingAccount($username, $password, $expected)
+    public function testCheckLoginReturn($username, $password, $expected)
     {
         $_POST['user'] = $username;
         $_POST['pwd'] = $password;
@@ -115,11 +114,11 @@ class passwordAdminAuthTest extends integrationTestCase
     /**
      * @return array[]
      */
-    public function passwordLoginDataProvider(): array
+    public function loginDataProvider(): array
     {
         return [
             'not existing account' => ['unknown@user.localhost', '123456', null],
-            'missing password' => ['admin@user.localhost', 'null', null],
+            'missing password' => ['admin@user.localhost', null, null],
             'inactive account' => ['inactive@user.localhost', '123456', null],
             'no backend account' => ['noadmin@user.localhost', '123456', null],
             'wrong shop account' => ['wrongshop@user.localhost', '123456', 'admin_start'],
diff --git a/src/tests/integration/webauthnAdminAuthTest.php b/src/tests/integration/webauthnAdminAuthTest.php
new file mode 100644
index 0000000..f5f2136
--- /dev/null
+++ b/src/tests/integration/webauthnAdminAuthTest.php
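Review bot: `$_POST['pwd'] = $password;` combined with the provider's new `null` value leaves the `pwd` key present with a null value, which is not the request shape a login form produces when the field is omitted; whether `Registry::getRequest()->getRequestParameter('pwd')` treats the two alike depends on the Request implementation (isset versus array_key_exists) and is not visible here. Model the absent field explicitly so the 'missing password' row tests what its name says: `if ($password === null) { unset($_POST['pwd']); } else { $_POST['pwd'] = $password; }`. Since this row is the one the webauthn subclass flips to expect a redirect, the distinction decides whether that redirect test is meaningful. `testCheckLoginReturn` continues past the end of the first hunk and `loginDataProvider` past the end of the second.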
@@ -0,0 +1,145 @@
+
+ * @link http://www.oxidmodule.com
+ */
+
+namespace D3\Webauthn\tests\integration;
+
+use D3\Webauthn\Application\Model\Credential\PublicKeyCredential;
+
+class webauthnAdminAuthTest extends passwordAdminAuthTest
+{
+    protected $userList = [
+        1 => 'userId1',
+        2 => 'userId2',
+        3 => 'userId3',
+        4 => 'userId4',
+        5 => 'userId5',
+    ];
+
+    protected $credentialList = [
+        1 => 'credId1',
+        2 => 'credId2',
+        3 => 'credId3',
+        4 => 'credId4',
+        5 => 'credId5'
+    ];
+
+    public function createTestData()
+    {
+        parent::createTestData();
+
+        $this->createUser(
+            $this->userList[5],
+            [
+                'oxactive' => 1,
+                'oxrights' => 'malladmin',
+                'oxshopid' => 1,
+                'oxusername' => 'wawrongshopid@user.localhost',
+                'oxpassword' => '$2y$10$QErMJNHQCoN03tfCUQDRfOvbwvqfzwWw1iI/7bC49fKQrPKoDdnaK', // 123456
+                'oxstreet' => __CLASS__
+            ],
+            true
+        );
+
+        $this->createObject(
+            PublicKeyCredential::class,
+            $this->credentialList[1],
+            [
+                'oxuserid' => $this->userList[1],
+                'oxshopid' => 1,
+                'name' => __CLASS__,
+                'credentialid' => 'ITSNkDRdN1bfRrb9MDCNOfBNay7YqT3ZxWxxqIQWVvwN0tFOG7SN2JiCfcUfPMBhE9bTLU1Gbb/8+5eHyFR2d5DCrxAAAA==',
+                'credential'=> 'TzozNDoiV2ViYXV0aG5cUHVibGljS2V5Q3JlZGVudGlhbFNvdXJjZSI6MTA6e3M6MjQ6IgAqAHB1YmxpY0tleUNyZWRlbnRpYWxJZCI7czo3MDoiITSNkDRdN1bfRrb9MDCNOfBNay7YqT3ZxWxxqIQWVvwN0tFOG7SN2JiCfcUfPMBhE9bTLU1Gbb/8+5eHyFR2d5DCrxAAACI7czo3OiIAKgB0eXBlIjtzOjEwOiJwdWJsaWMta2V5IjtzOjEzOiIAKgB0cmFuc3BvcnRzIjthOjA6e31zOjE4OiIAKgBhdHRlc3RhdGlvblR5cGUiO3M6NDoibm9uZSI7czoxMjoiACoAdHJ1c3RQYXRoIjtPOjMzOiJXZWJhdXRoblxUcnVzdFBhdGhcRW1wdHlUcnVzdFBhdGgiOjA6e31zOjk6IgAqAGFhZ3VpZCI7TzozNToiUmFtc2V5XFV1aWRcTGF6eVxMYXp5VXVpZEZyb21TdHJpbmciOjE6e3M6Njoic3RyaW5nIjtzOjM2OiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiO31zOjIyOiIAKgBjcmVkZW50aWFsUHVibGljS2V5IjtzOjc3OiKlAQIDJiABIVggHucXfQh0acwpsffVRM02F7P57mVm6hPX/l8Pjbh0jOwiWCBRT5MMqa909tcXHqG/EKfjXXDd9UEisk+ZF7QSTfwv0CI7czoxMzoiACoAdXNlckhhbmRsZSI7czoxNDoib3hkZWZhdWx0YWRtaW4iO3M6MTA6IgAqAGNvdW50ZXIiO2k6NDI3MTtzOjEwOiIAKgBvdGhlclVJIjtOO30='
+            ]
+        );
+
+        $this->createObject(
+            PublicKeyCredential::class,
+            $this->credentialList[2],
+            [
+                'oxuserid' => $this->userList[2],
+                'oxshopid' => 1,
+                'name' => __CLASS__,
+                'credentialid' => 'ITSNkDRdN1bfRrb9MDCNOfBNay7YqT3ZxWxxqIQWVvwN0tFOG7SN2JiCfcUfPMBhE9bTLU1Gbb/8+5eHyFR2d5DCrxAAAA==',
+                'credential'=> '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'
+            ]
+        );
+
+        $this->createObject(
+            PublicKeyCredential::class,
+            $this->credentialList[3],
+            [
+                'oxuserid' => $this->userList[3],
+                'oxshopid' => 1,
+                'name' => __CLASS__,
+                'credentialid' => 'ITSNkDRdN1bfRrb9MDCNOfBNay7YqT3ZxWxxqIQWVvwN0tFOG7SN2JiCfcUfPMBhE9bTLU1Gbb/8+5eHyFR2d5DCrxAAAA==',
+                'credential'=> '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'
+            ]
+        );
+
+        $this->createObject(
+            PublicKeyCredential::class,
+            $this->credentialList[4],
+            [
+                'oxuserid' => $this->userList[4],
+                'oxshopid' => 1,
+                'name' => __CLASS__,
+                'credentialid' => 'ITSNkDRdN1bfRrb9MDCNOfBNay7YqT3ZxWxxqIQWVvwN0tFOG7SN2JiCfcUfPMBhE9bTLU1Gbb/8+5eHyFR2d5DCrxAAAA==',
+                'credential'=> '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'
+            ]
+        );
+
+        $this->createObject(
+            PublicKeyCredential::class,
+            $this->credentialList[5],
+            [
+                'oxuserid' => $this->userList[5],
+                'oxshopid' => 2,
+                'name' => __CLASS__,
+                'credentialid' => 'ITSNkDRdN1bfRrb9MDCNOfBNay7YqT3ZxWxxqIQWVvwN0tFOG7SN2JiCfcUfPMBhE9bTLU1Gbb/8+5eHyFR2d5DCrxAAAA==',
+                'credential'=> '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'
+            ]
+        );
+    }
+
+    public function cleanTestData()
+    {
+        parent::cleanTestData();
+
+        $this->deleteUser($this->userList[5]);
+
+        $this->deleteObject(PublicKeyCredential::class, $this->credentialList[1]);
+        $this->deleteObject(PublicKeyCredential::class, $this->credentialList[2]);
+        $this->deleteObject(PublicKeyCredential::class, $this->credentialList[3]);
+        $this->deleteObject(PublicKeyCredential::class, $this->credentialList[4]);
+        $this->deleteObject(PublicKeyCredential::class, $this->credentialList[5]);
+    }
+
+    /**
+     * @return array[]
+     */
+    public function loginDataProvider(): array
+    {
+        return [
+            'not existing account' => ['unknown@user.localhost', '123456', null],
+            'missing password' => ['admin@user.localhost', null, 'd3webauthnadminlogin'],
+            'inactive account' => ['inactive@user.localhost', '123456', null],
+            'no backend account' => ['noadmin@user.localhost', '123456', null],
+            'wrong shop account' => ['wrongshop@user.localhost', '123456', 'admin_start'],
+            'account ok' => ['admin@user.localhost', '123456', 'admin_start'],
+            'cred. wrong shopid' => ['wawrongshopid@user.localhost', null, null],
+            'credpass. wrong shopid'=> ['wawrongshopid@user.localhost', '123456', 'admin_start'],
+        ];
+    }
+}
\ No newline at end of file
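Review bot: `loginDataProvider` never exercises `credId1` and `credId4`, which `createTestData` attaches to the non-admin user (`'oxrights' => 'user'` for `userId1` in the parent fixture) and the inactive user (`'oxactive' => 0` for `userId4`), so the redirect path is only asserted for accounts that are already allowed into the backend; a negative row for each is what the file needs to show that a registered authenticator does not turn a disallowed account into a `d3webauthnadminlogin` redirect. Assuming `noadmin@user.localhost` and `inactive@user.localhost` map to `userId1` and `userId4` as the parent provider's row names suggest, add `'no backend account, no pwd' => ['noadmin@user.localhost', null, null],` and `'inactive account, no pwd' => ['inactive@user.localhost', null, null],`. The `credential` value is a base64-encoded PHP serialization of a `Webauthn\PublicKeyCredentialSource` whose embedded userHandle decodes to `oxdefaultadmin` rather than any of the fixture users, and rows 2–5 appear to reuse the same blob and the same `credentialid`; a comment above the first `createObject` stating that the blob is opaque to these tests and only the row's `oxuserid`/`oxshopid` are meant to matter would keep a later reader from treating it as a valid user binding. `testCheckLoginReturn`, which this provider feeds, lives in the parent class outside this file.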