Writing initial test for password breach validation

The goal is to keep an interface clean and simple. Validation against HIBP will either say the password is good for usage or it will tell you it was found in the breached database. If the latter is the case, we don't need to display the amount of found passwords. At this point I'm making use of [dragonbe/hibp](https://packagist.org/packages/dragonbe/hibp) as all the logic for accessing the API and handling exceptions was already implemented in it. The application itself needs to be modified to implement PSR-7 and PSR-18. NOTE: These tests are "integration tests" as I haven't provided a communication mock yet, because I first wanted to pitch the idea.
DragonBe · Apr 6, 2019 · ddc6fa9 · ddc6fa9
1 parent c176c4e
commit ddc6fa9
Showing 1 changed file with 106 additions and 0 deletions.
diff --git a/test/UndisclosedPasswordTest.php b/test/UndisclosedPasswordTest.php
@@ -0,0 +1,106 @@
+<?php
+
+
+namespace ZendTest\Validator;
+
+
+use Dragonbe\Hibp\HibpFactory;
+use PHPUnit\Framework\TestCase;
+use Zend\Validator\UndisclosedPassword;
+
+class UndisclosedPasswordTest extends TestCase
+{
+    /**
+     * @var UndisclosedPassword
+     */
+    private $validator;
+
+    /**
+     * @inheritDoc
+     */
+    public function setUp()
+    {
+        $hibp = HibpFactory::create();
+        $this->validator = new UndisclosedPassword($hibp);
+    }
+
+    /**
+     * @inheritDoc
+     */
+    protected function tearDown()
+    {
+        $this->validator = null;
+    }
+
+    /**
+     * Data provider returning good, strong and unseen
+     * passwords to be used in the validator.
+     *
+     * @return array
+     */
+    public function goodPasswordProvider(): array
+    {
+        return [
+            ['ABi$B47es.Pfg3n9PjPi'],
+            ['potence tipple would frisk shoofly'],
+        ];
+    }
+
+    /**
+     * Data provider for most common used passwords
+     *
+     * @return array
+     * @see https://en.wikipedia.org/wiki/List_of_the_most_common_passwords
+     */
+    public function seenPasswordProvider(): array
+    {
+        return [
+            ['123456'],
+            ['password'],
+            ['123456789'],
+            ['12345678'],
+            ['12345'],
+        ];
+    }
+
+    /**
+     * Test that a given password was not found in the HIBP
+     * API service.
+     *
+     * @param string $password
+     *
+     * @covers \Zend\Validator\UndisclosedPassword::isValid
+     * @dataProvider goodPasswordProvider
+     */
+    public function testStrongUnseenPasswordsPassValidation(string $password)
+    {
+        $this->assertTrue($this->validator->isValid($password));
+    }
+
+    /**
+     * Test that a given password was already seen in the HIBP
+     * AP service.
+     *
+     * @param string $password
+     * @covers \Zend\Validator\UndisclosedPassword::isValid
+     * @dataProvider seenPasswordProvider
+     */
+    public function testBreachedPasswordsDoNotPassValidation(string $password)
+    {
+        $this->assertFalse($this->validator->isValid($password));
+    }
+
+    /**
+     * Testing we are setting error messages when a password was found
+     * in the breach database.
+     *
+     * @param string $password
+     * @depends testBreachedPasswordsDoNotPassValidation
+     * @dataProvider seenPasswordProvider
+     */
+    public function testBreachedPasswordReturnErrorMessages(string $password)
+    {
+        $this->validator->isValid($password);
+        $this->assertCount(1, $this->validator->getMessages());
+    }
+}