nextcloud/tests/lib/Security/SecureRandomTest.php

<?php

declare(strict_types=1);

/**
 * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors
 * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */

namespace Test\Security;

use OC\Security\SecureRandom;

class SecureRandomTest extends \Test\TestCase {
	public static function stringGenerationProvider(): array {
		return [
			[1, 1],
			[16, 16],
			[31, 31],
			[64, 64],
			[128, 128],
			[1024, 1024],
		];
	}

	public static function charCombinations(): array {
		return [
			['CHAR_LOWER', '[a-z]'],
			['CHAR_UPPER', '[A-Z]'],
			['CHAR_DIGITS', '[0-9]'],
		];
	}

	/** @var SecureRandom */
	protected $rng;

	protected function setUp(): void {
		parent::setUp();
		$this->rng = new SecureRandom();
	}

	#[\PHPUnit\Framework\Attributes\DataProvider('stringGenerationProvider')]
	public function testGetLowStrengthGeneratorLength($length, $expectedLength): void {
		$generator = $this->rng;

		$this->assertEquals($expectedLength, strlen($generator->generate($length)));
	}

	#[\PHPUnit\Framework\Attributes\DataProvider('stringGenerationProvider')]
	public function testMediumLowStrengthGeneratorLength($length, $expectedLength): void {
		$generator = $this->rng;

		$this->assertEquals($expectedLength, strlen($generator->generate($length)));
	}

	#[\PHPUnit\Framework\Attributes\DataProvider('stringGenerationProvider')]
	public function testUninitializedGenerate($length, $expectedLength): void {
		$this->assertEquals($expectedLength, strlen($this->rng->generate($length)));
	}

	#[\PHPUnit\Framework\Attributes\DataProvider('charCombinations')]
	public function testScheme($charName, $chars): void {
		$generator = $this->rng;
		$scheme = constant('OCP\Security\ISecureRandom::' . $charName);
		$randomString = $generator->generate(100, $scheme);
		$matchesRegex = preg_match('/^' . $chars . '+$/', $randomString);
		$this->assertSame(1, $matchesRegex);
	}

	public static function invalidLengths(): array {
		return [
			[0],
			[-1],
		];
	}

	#[\PHPUnit\Framework\Attributes\DataProvider('invalidLengths')]
	public function testInvalidLengths($length): void {
		$this->expectException(\LengthException::class);
		$generator = $this->rng;
		$generator->generate($length);
	}

	public static function invalidCharProviders(): array {
		return [
			'invalid_too_short' => ['abc'],
			'invalid_duplicates' => ['aabcd'],
			'invalid_non_ascii' => ["abcd\xf0"],
		];
	}

	/**
	 * @dataProvider invalidCharProviders
	 */
	public function testInvalidCharacterSets(string $invalidCharset): void {
		$this->expectException(\InvalidArgumentException::class);
		$this->rng->generate(10, $invalidCharset);
	}

	public function testDefaultCharsetBase64Characters(): void {
		$randomString = $this->rng->generate(100);
		$this->assertMatchesRegularExpression('/^[A-Za-z0-9\+\/]+$/', $randomString);
	}

	public function testAllOutputsAreUnique(): void {
		// While collisions are technically possible, extremely unlikely for these sizes
		$first = $this->rng->generate(1000);
		$second = $this->rng->generate(1000);
		$this->assertNotEquals($first, $second, "Random output should not be repeated.");
	}

	public function testMinimumValidCharset(): void {
		$charset = 'abcd';
		$randomString = $this->rng->generate(500, $charset);
		$this->assertMatchesRegularExpression('/^[abcd]+$/', $randomString);
		$this->assertEquals(500, strlen($randomString));
	}

	public function testLargeCustomCharset(): void {
		$charset = '';
		for ($i = 32; $i <= 126; $i++) { // all printable ASCII
			$charset .= chr($i);
		}
		$randomString = $this->rng->generate(200, $charset);
		foreach (str_split($randomString) as $char) {
			$this->assertStringContainsString($char, $charset);
		}
	}

	public function testUserProvidedValidCharset(): void {
		$charset = '@#$!';
		$randomString = $this->rng->generate(64, $charset);
		$this->assertMatchesRegularExpression('/^[@#$!]+$/', $randomString);
	}
}
Add some security utilities This adds some security utilities to core including: - A library for basic crypto operations (e.g. to encrypt passwords) - A better library for cryptographic actions which allows you to specify the charset - A library for secure string comparisions Remove .htaccess Remove .htaccess Fix typo Add public API Use timing constant comparision Remove CBC constant Adjust code Remove confusing $this 2014-08-26 13:02:40 -04:00			`<?php`
Make Security module strict Signed-off-by: J0WI <J0WI@users.noreply.github.com> 2021-04-19 09:50:30 -04:00
			`declare(strict_types=1);`

Add some security utilities This adds some security utilities to core including: - A library for basic crypto operations (e.g. to encrypt passwords) - A better library for cryptographic actions which allows you to specify the charset - A library for secure string comparisions Remove .htaccess Remove .htaccess Fix typo Add public API Use timing constant comparision Remove CBC constant Adjust code Remove confusing $this 2014-08-26 13:02:40 -04:00			`/**`
chore: Add SPDX header Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de> 2024-05-10 09:09:14 -04:00			`* SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors`
			`* SPDX-FileCopyrightText: 2016 ownCloud, Inc.`
			`* SPDX-License-Identifier: AGPL-3.0-or-later`
Add some security utilities This adds some security utilities to core including: - A library for basic crypto operations (e.g. to encrypt passwords) - A better library for cryptographic actions which allows you to specify the charset - A library for secure string comparisions Remove .htaccess Remove .htaccess Fix typo Add public API Use timing constant comparision Remove CBC constant Adjust code Remove confusing $this 2014-08-26 13:02:40 -04:00			`*/`

Fix namespaces in security/ 2016-05-19 03:02:58 -04:00			`namespace Test\Security;`

Some php-cs fixes * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-11-22 14:52:10 -05:00			`use OC\Security\SecureRandom;`
Refactor tests a little bit 2014-09-03 07:51:44 -04:00
Make remaining files extend the test base 2014-11-10 17:30:38 -05:00			`class SecureRandomTest extends \Test\TestCase {`
test: Fix tests/lib/Security/ Signed-off-by: Joas Schilling <coding@schilljs.com> 2025-05-13 02:49:30 -04:00			`public static function stringGenerationProvider(): array {`
Use the short array syntax, everywhere Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-03-26 04:30:18 -04:00			`return [`
			`[1, 1],`
chore: Expand SecureRandomTest unit test scenarios New test coverage for: - charset validation failures (duplicates, too short, non-ASCII). - default charset (CHAR_BASE64_RFC4648). - randomness/unique output. - minimum-sized valid charsets and large printable ASCII charset. - a caller-provided, valid (non-predefined) custom charset. And adjusts the length ranges tests: - Added some smaller / more frequently used ranges. - Added an "oddball" range to possibly catch weird stuff. - Dropped excessive 64K test which does not need to run within our CI during standard PR runs (if deemed desirable maybe add it to an occasional stress tester, but I don't think it's necessary for now) Signed-off-by: Josh <josh.t.richards@gmail.com> 2025-11-05 12:10:14 -05:00			`[16, 16],`
			`[31, 31],`
			`[64, 64],`
Use the short array syntax, everywhere Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-03-26 04:30:18 -04:00			`[128, 128],`
			`[1024, 1024],`
			`];`
Add some security utilities This adds some security utilities to core including: - A library for basic crypto operations (e.g. to encrypt passwords) - A better library for cryptographic actions which allows you to specify the charset - A library for secure string comparisions Remove .htaccess Remove .htaccess Fix typo Add public API Use timing constant comparision Remove CBC constant Adjust code Remove confusing $this 2014-08-26 13:02:40 -04:00			`}`

test: Fix tests/lib/Security/ Signed-off-by: Joas Schilling <coding@schilljs.com> 2025-05-13 02:49:30 -04:00			`public static function charCombinations(): array {`
Use the short array syntax, everywhere Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-03-26 04:30:18 -04:00			`return [`
			`['CHAR_LOWER', '[a-z]'],`
			`['CHAR_UPPER', '[A-Z]'],`
			`['CHAR_DIGITS', '[0-9]'],`
			`];`
Add test for the second argument 2014-09-03 08:13:12 -04:00			`}`

Refactor tests a little bit 2014-09-03 07:51:44 -04:00			`/** @var SecureRandom */`
			`protected $rng;`

Make phpunit8 compatible Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-11-21 10:40:38 -05:00			`protected function setUp(): void {`
Make remaining files extend the test base 2014-11-10 17:30:38 -05:00			`parent::setUp();`
chore: run rector on tests Signed-off-by: Robin Appelman <robin@icewind.nl> 2025-06-12 12:31:58 -04:00			`$this->rng = new SecureRandom();`
Refactor tests a little bit 2014-09-03 07:51:44 -04:00			`}`

chore: run rector Signed-off-by: Robin Appelman <robin@icewind.nl> 2025-06-30 10:56:59 -04:00			`#[\PHPUnit\Framework\Attributes\DataProvider('stringGenerationProvider')]`
refactor: Add void return type to PHPUnit test methods Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2024-09-15 16:32:31 -04:00			`public function testGetLowStrengthGeneratorLength($length, $expectedLength): void {`
getLowStrengthGenerator does not do anything anymore 2016-01-11 13:59:15 -05:00			`$generator = $this->rng;`
Add some security utilities This adds some security utilities to core including: - A library for basic crypto operations (e.g. to encrypt passwords) - A better library for cryptographic actions which allows you to specify the charset - A library for secure string comparisions Remove .htaccess Remove .htaccess Fix typo Add public API Use timing constant comparision Remove CBC constant Adjust code Remove confusing $this 2014-08-26 13:02:40 -04:00
			`$this->assertEquals($expectedLength, strlen($generator->generate($length)));`
			`}`

chore: run rector Signed-off-by: Robin Appelman <robin@icewind.nl> 2025-06-30 10:56:59 -04:00			`#[\PHPUnit\Framework\Attributes\DataProvider('stringGenerationProvider')]`
refactor: Add void return type to PHPUnit test methods Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2024-09-15 16:32:31 -04:00			`public function testMediumLowStrengthGeneratorLength($length, $expectedLength): void {`
getMediumStrengthGenerator is deprecated and does not do anything anymore 2016-01-11 14:05:30 -05:00			`$generator = $this->rng;`
Add some security utilities This adds some security utilities to core including: - A library for basic crypto operations (e.g. to encrypt passwords) - A better library for cryptographic actions which allows you to specify the charset - A library for secure string comparisions Remove .htaccess Remove .htaccess Fix typo Add public API Use timing constant comparision Remove CBC constant Adjust code Remove confusing $this 2014-08-26 13:02:40 -04:00
			`$this->assertEquals($expectedLength, strlen($generator->generate($length)));`
			`}`

chore: run rector Signed-off-by: Robin Appelman <robin@icewind.nl> 2025-06-30 10:56:59 -04:00			`#[\PHPUnit\Framework\Attributes\DataProvider('stringGenerationProvider')]`
refactor: Add void return type to PHPUnit test methods Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2024-09-15 16:32:31 -04:00			`public function testUninitializedGenerate($length, $expectedLength): void {`
Use PHP polyfills 2015-12-11 00:17:47 -05:00			`$this->assertEquals($expectedLength, strlen($this->rng->generate($length)));`
Add some security utilities This adds some security utilities to core including: - A library for basic crypto operations (e.g. to encrypt passwords) - A better library for cryptographic actions which allows you to specify the charset - A library for secure string comparisions Remove .htaccess Remove .htaccess Fix typo Add public API Use timing constant comparision Remove CBC constant Adjust code Remove confusing $this 2014-08-26 13:02:40 -04:00			`}`
Add test for the second argument 2014-09-03 08:13:12 -04:00
chore: run rector Signed-off-by: Robin Appelman <robin@icewind.nl> 2025-06-30 10:56:59 -04:00			`#[\PHPUnit\Framework\Attributes\DataProvider('charCombinations')]`
refactor: Add void return type to PHPUnit test methods Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2024-09-15 16:32:31 -04:00			`public function testScheme($charName, $chars): void {`
getMediumStrengthGenerator is deprecated and does not do anything anymore 2016-01-11 14:05:30 -05:00			`$generator = $this->rng;`
Add test for the second argument 2014-09-03 08:13:12 -04:00			`$scheme = constant('OCP\Security\ISecureRandom::' . $charName);`
			`$randomString = $generator->generate(100, $scheme);`
chore(deps): Update nextcloud/coding-standard to v1.3.1 Signed-off-by: provokateurin <kate@provokateurin.de> 2024-09-19 05:10:31 -04:00			`$matchesRegex = preg_match('/^' . $chars . '+$/', $randomString);`
Add test for the second argument 2014-09-03 08:13:12 -04:00			`$this->assertSame(1, $matchesRegex);`
			`}`
Validate requested length is random string generator Signed-off-by: Vincent Petry <vincent@nextcloud.com> 2022-05-12 07:58:18 -04:00
test: Fix tests/lib/Security/ Signed-off-by: Joas Schilling <coding@schilljs.com> 2025-05-13 02:49:30 -04:00			`public static function invalidLengths(): array {`
Validate requested length is random string generator Signed-off-by: Vincent Petry <vincent@nextcloud.com> 2022-05-12 07:58:18 -04:00			`return [`
			`[0],`
			`[-1],`
			`];`
			`}`

chore: run rector Signed-off-by: Robin Appelman <robin@icewind.nl> 2025-06-30 10:56:59 -04:00			`#[\PHPUnit\Framework\Attributes\DataProvider('invalidLengths')]`
refactor: Add void return type to PHPUnit test methods Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at> 2024-09-15 16:32:31 -04:00			`public function testInvalidLengths($length): void {`
Validate requested length is random string generator Signed-off-by: Vincent Petry <vincent@nextcloud.com> 2022-05-12 07:58:18 -04:00			`$this->expectException(\LengthException::class);`
			`$generator = $this->rng;`
			`$generator->generate($length);`
			`}`
chore: Expand SecureRandomTest unit test scenarios New test coverage for: - charset validation failures (duplicates, too short, non-ASCII). - default charset (CHAR_BASE64_RFC4648). - randomness/unique output. - minimum-sized valid charsets and large printable ASCII charset. - a caller-provided, valid (non-predefined) custom charset. And adjusts the length ranges tests: - Added some smaller / more frequently used ranges. - Added an "oddball" range to possibly catch weird stuff. - Dropped excessive 64K test which does not need to run within our CI during standard PR runs (if deemed desirable maybe add it to an occasional stress tester, but I don't think it's necessary for now) Signed-off-by: Josh <josh.t.richards@gmail.com> 2025-11-05 12:10:14 -05:00
			`public static function invalidCharProviders(): array {`
			`return [`
			`'invalid_too_short' => ['abc'],`
			`'invalid_duplicates' => ['aabcd'],`
			`'invalid_non_ascii' => ["abcd\xf0"],`
			`];`
			`}`

			`/**`
			`* @dataProvider invalidCharProviders`
			`*/`
			`public function testInvalidCharacterSets(string $invalidCharset): void {`
			`$this->expectException(\InvalidArgumentException::class);`
			`$this->rng->generate(10, $invalidCharset);`
			`}`

			`public function testDefaultCharsetBase64Characters(): void {`
			`$randomString = $this->rng->generate(100);`
			`$this->assertMatchesRegularExpression('/^[A-Za-z0-9\+\/]+$/', $randomString);`
			`}`

			`public function testAllOutputsAreUnique(): void {`
			`// While collisions are technically possible, extremely unlikely for these sizes`
			`$first = $this->rng->generate(1000);`
			`$second = $this->rng->generate(1000);`
			`$this->assertNotEquals($first, $second, "Random output should not be repeated.");`
			`}`

			`public function testMinimumValidCharset(): void {`
			`$charset = 'abcd';`
			`$randomString = $this->rng->generate(500, $charset);`
			`$this->assertMatchesRegularExpression('/^[abcd]+$/', $randomString);`
			`$this->assertEquals(500, strlen($randomString));`
			`}`

			`public function testLargeCustomCharset(): void {`
			`$charset = '';`
			`for ($i = 32; $i <= 126; $i++) { // all printable ASCII`
			`$charset .= chr($i);`
			`}`
			`$randomString = $this->rng->generate(200, $charset);`
			`foreach (str_split($randomString) as $char) {`
			`$this->assertStringContainsString($char, $charset);`
			`}`
			`}`

			`public function testUserProvidedValidCharset(): void {`
			`$charset = '@#$!';`
			`$randomString = $this->rng->generate(64, $charset);`
			`$this->assertMatchesRegularExpression('/^[@#$!]+$/', $randomString);`
			`}`
Add some security utilities This adds some security utilities to core including: - A library for basic crypto operations (e.g. to encrypt passwords) - A better library for cryptographic actions which allows you to specify the charset - A library for secure string comparisions Remove .htaccess Remove .htaccess Fix typo Add public API Use timing constant comparision Remove CBC constant Adjust code Remove confusing $this 2014-08-26 13:02:40 -04:00			`}`