aboutsummaryrefslogtreecommitdiffstats
path: root/tests/lib/Security
Commit message (Collapse)AuthorAgeFilesLines
* Format control structures, classes, methods and functionChristoph Wurst2020-04-1012-23/+6
| | | | | | | | | | | | | | | To continue this formatting madness, here's a tiny patch that adds unified formatting for control structures like if and loops as well as classes, their methods and anonymous functions. This basically forces the constructs to start on the same line. This is not exactly what PSR2 wants, but I think we can have a few exceptions with "our" style. The starting of braces on the same line is pracrically standard for our code. This also removes and empty lines from method/function bodies at the beginning and end. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Unify function spacing to PSR2 recommendationChristoph Wurst2020-04-094-8/+8
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Use a blank line after the opening tagChristoph Wurst2020-04-093-0/+3
| | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Use exactly one empty line after the namespace declarationChristoph Wurst2020-04-091-1/+0
| | | | | | For PSR2 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Merge pull request #20170 from nextcloud/techdebt/remove-unused-importsChristoph Wurst2020-03-275-11/+0
|\ | | | | Remove unused imports
| * Remove unused importsChristoph Wurst2020-03-255-11/+0
| | | | | | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* | Use the short array syntax, everywhereChristoph Wurst2020-03-263-21/+21
| | | | | | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* | Use the shorter phpunit syntax for mocked return valuesChristoph Wurst2020-03-253-6/+6
|/ | | | Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
* Add Argon2id supportRoeland Jago Douma2020-02-071-18/+56
| | | | | | When available we should use argon2id for hashing. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Allow selecting the hashing algorithmRoeland Jago Douma2020-02-031-2/+63
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Move overwritehost check to isTrustedDomainJulius Härtl2019-12-071-1/+16
| | | | Signed-off-by: Julius Härtl <jus@bitgrid.net>
* Mode to modern phpunitRoeland Jago Douma2019-11-2716-52/+54
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Make phpunit8 compatibleRoeland Jago Douma2019-11-2720-21/+21
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Some php-cs fixesRoeland Jago Douma2019-11-2211-9/+12
| | | | | | | | | | | * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* make TrustedDomainHelper case insensitiveJohannes Koenig2019-10-061-0/+5
| | | | Signed-off-by: Johannes Koenig <mail@jokoenig.de>
* Harden identifyproof openssl codeRoeland Jago Douma2019-09-141-7/+14
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Fix report of phpstan in LimiterRoeland Jago Douma2019-08-191-8/+0
| | | | | | | | * unneeded arguments to constructor * added return types * let automatic DI do its work Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add testsRoeland Jago Douma2019-08-102-0/+137
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Update CSP test cases to handle the new form-actionRoeland Jago Douma2019-07-311-2/+6
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add support for CSP_NONCE server variableSam Bull2019-07-181-2/+21
| | | | | | | Allow passing a nonce from the web server, allowing the possibility to enforce a strict CSP from the web server. Signed-off-by: Sam Bull <git@sambull.org> Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add an event to edit the CSPRoeland Jago Douma2019-07-082-2/+96
| | | | | | | | This introduces and event that can be listend to when we actually use the CSP. This means that apps no longer have to always inject their CSP but only do so when it is required. Yay for being lazy. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Merge pull request #13327 from ↵Morris Jobke2019-03-061-0/+4
|\ | | | | | | | | nextcloud/allow-bracket-notation-for-remove-ipv6-address Allow bracket IPv6 address format inside IPAdress Normalizer
| * Allow bracket IPv6 address format inside IPAdress NormalizerThomas Citharel2019-01-031-0/+4
| | | | | | | | | | | | When run with php's build-in server (for instance on localhost:8080), IP provided through $this->server['REMOTE_ADDR'] is [::1], which is not an acceptable format for \inet_pton. This removes the brackets if there's any. Signed-off-by: Thomas Citharel <tcit@tcit.fr>
* | Fix the thorrtler whitelist bitmaskRoeland Jago Douma2019-02-111-0/+29
| | | | | | | | | | | | Before we actually didn't check each bit of the bitmask. Now we do. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* | Set default frame-ancestors to 'self'Roeland Jago Douma2019-01-081-1/+1
| | | | | | | | | | | | For #13042 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* | CSP: Allow fonts to be provided in dataRoeland Jago Douma2019-01-071-1/+1
|/ | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Disallow unsafe-eval by defaultRoeland Jago Douma2018-10-141-0/+2
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Fix testsRoeland Jago Douma2018-05-141-1/+2
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add ARGON2I support to the hasherRoeland Jago Douma2018-04-041-36/+86
| | | | | | | | | When on php7.2 we can use the new and improved ARGON2I hashing. This adds support for that to the hasher. When verifying an old hash we'll update rehash to move all hashes eventually to the new hash function. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Fix risky tests without assertionsJoas Schilling2018-01-251-0/+1
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* Make OCP\Security stricterRoeland Jago Douma2018-01-161-4/+0
| | | | | | | | | | | * Add typehints * Add return types * Opcode opts from phpstorm * Made strict * Fixed tests: No need to test bogus values anymore strict typing fixes this Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Make OC\Security\RateLimiting strictRoeland Jago Douma2018-01-141-2/+2
| | | | | | | | | * Add return types * Add scalar argument types * Made strict * Cleaned up phpstorm inspections Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Fix testsRoeland Jago Douma2017-12-181-1/+1
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Use ::class in test mocks of encryption appMorris Jobke2017-10-261-1/+2
| | | | Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Use ::class in test mocksMorris Jobke2017-10-243-4/+5
| | | | Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* add prefix to user and system keys to avoid name collisionsBjoern Schiessle2017-08-101-5/+5
| | | | Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
* extend the identity proof manager to allow system wide key pairsBjoern Schiessle2017-08-101-11/+62
| | | | Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
* Add bruteforce capabilitiesRoeland Jago Douma2017-07-131-0/+68
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Write cert bundle to tmp file firstRoeland Jago Douma2017-07-121-2/+15
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Automatic creation of Identity managerJoas Schilling2017-05-101-3/+14
| | | | Signed-off-by: Joas Schilling <coding@schilljs.com>
* Add missing spaceLukas Reschke2017-05-011-1/+1
| | | | Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Mark IP as whitelisted if brute force protection is disabledLukas Reschke2017-05-011-8/+51
| | | | | | | | Currently, when disabling the brute force protection no new brute force attempts are logged. However, the ones logged within the last 24 hours will still be used for throttling. This is quite an unexpected behaviour and caused some support issues. With this change when the brute force protection is disabled also the existing attempts within the last 24 hours will be disregarded. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Remove expired attemptsLukas Reschke2017-04-131-5/+13
| | | | Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Add support for ratelimiting via annotationsLukas Reschke2017-04-134-45/+358
| | | | | | | | | | | | | This allows adding rate limiting via annotations to controllers, as one example: ``` @UserRateThrottle(limit=5, period=100) @AnonRateThrottle(limit=1, period=100) ``` Would mean that logged-in users can access the page 5 times within 100 seconds, and anonymous users 1 time within 100 seconds. If only an AnonRateThrottle is specified that one will also be applied to logged-in users. Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* Respect bruteforce settings in the ThrottlerRoeland Jago Douma2017-04-021-1/+89
| | | | Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Fix unit testsMorris Jobke2017-03-281-1/+1
| | | | Signed-off-by: Morris Jobke <hey@morrisjobke.de>
* Add base-uri to CSP policyLukas Reschke2017-03-161-1/+1
| | | | | | As per https://twitter.com/we1x/status/842032709543333890 a nice security hardening Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
* dont write a certificate bundle if the shipped ca bundle is emptyRobin Appelman2017-01-091-3/+4
| | | | Signed-off-by: Robin Appelman <robin@icewind.nl>
* Add Identityproof testsRoeland Jago Douma2016-11-243-1/+250
| | | | | | | | | * Add tests for Key * Add tests for Manager * Add tests for Signer * Removed URLGenerator from Signer Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
* Add a signer class for signingLukas Reschke2016-11-211-0/+166
| | | | Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
generated by cgit v1.2.3 (git 2.39.1) at 2025-02-12 14:33:07 +0000