<?php

/**
 * @file
 * Definition of Drupal\rest\Tests\AuthTest.
 */

namespace Drupal\rest\Tests;

use Drupal\rest\Tests\RESTTestBase;

/**
 * Tests authenticated operations on test entities.
 */
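class AuthTest extends RESTTestBase {

  /**
   * Modules to enable.
   *
   * basic_auth supplies the only authentication provider the test resource
   * is configured to accept; rest/hal provide the resource and its
   * serialization; entity_test provides the entity type being read.
   *
   * @var array
   */
  public static $modules = array('basic_auth', 'hal', 'rest', 'entity_test');

  /**
   * {@inheritdoc}
   */
  public static function getInfo() {
    return array(
      'name' => 'Resource authentication',
      'description' => 'Tests authentication provider restrictions.',
      'group' => 'REST',
    );
  }

  /**
   * Tests reading from an authenticated resource.
   *
   * The GET method of the entity_test resource is restricted to the
   * 'basic_auth' provider. Three requests are then checked in order:
   * - anonymous: 401, with the "no credentials" message in the body;
   * - session-cookie authenticated, with a user that holds every required
   *   permission: still 401, because cookie authentication is not among the
   *   providers enabled for this resource, so the request is treated as
   *   unauthenticated (this is not a 403 permission failure);
   * - HTTP Basic with the same user's credentials: 200.
   *
   * Between requests the cURL handle is dropped so that no cookie or header
   * from the previous request leaks into the next one.
   *
   * NOTE(review): there is no negative case for wrong Basic credentials;
   * consider adding one so a misconfigured provider cannot pass this test.
   */
  public function testRead() {
    $entity_type = 'entity_test';

    // Enable a test resource through GET method and basic HTTP authentication.
    // Only 'basic_auth' is listed, so every other provider (including the
    // default cookie provider) must be rejected for this resource.
    $this->enableService('entity:' . $entity_type, 'GET', NULL, array('basic_auth'));

    // Create an entity programmatically.
    $entity = $this->entityCreate($entity_type);
    $entity->save();

    // Try to read the resource as an anonymous user, which should not work.
    $this->httpRequest('entity/' . $entity_type . '/' . $entity->id(), 'GET', NULL, $this->defaultMimeType);
    $this->assertResponse('401', 'HTTP response code is 401 when the request is not authenticated and the user is anonymous.');
    $this->assertText('A fatal error occurred: No authentication credentials provided.');

    // Ensure that cURL settings/headers aren't carried over to next request.
    unset($this->curlHandle);

    // Create a user account that has the required permissions to read
    // resources via the REST API, but the request is authenticated
    // with session cookies.
    $permissions = $this->entityPermissions($entity_type, 'view');
    $permissions[] = 'restful get entity:' . $entity_type;
    $account = $this->drupalCreateUser($permissions);
    $this->drupalLogin($account);

    // Try to read the resource with session cookie authentication, which is
    // not enabled and should not work. The user has the permissions, so a
    // 401 here shows the provider restriction, not a permission check, is
    // what rejects the request.
    $this->httpRequest('entity/' . $entity_type . '/' . $entity->id(), 'GET', NULL, $this->defaultMimeType);
    $this->assertResponse('401', 'HTTP response code is 401 when the request uses a session cookie but cookie authentication is not enabled for the resource.');

    // Ensure that cURL settings/headers aren't carried over to next request.
    unset($this->curlHandle);

    // Now read it with the Basic authentication which is enabled and should
    // work.
    $this->basicAuthGet('entity/' . $entity_type . '/' . $entity->id(), $account->getUsername(), $account->pass_raw);
    $this->assertResponse('200', 'HTTP response code is 200 for successfully authorized requests.');
    $this->curlClose();
  }

  /**
   * Performs a HTTP request with Basic authentication.
   *
   * We do not use \Drupal\simpletest\WebTestBase::drupalGet because we need to
   * set curl settings for basic authentication.
   *
   * The credentials are sent as an HTTP Basic Authorization header over the
   * test site's plain HTTP URL; this is acceptable only because the password
   * is a throwaway test-user password. The verbose output deliberately
   * records the path and response body only, never the credentials.
   *
   * @param string $path
   *   The request path.
   * @param string $username
   *   The user name to authenticate with.
   * @param string $password
   *   The password.
   *
   * @return string
   *   Curl output.
   */
  protected function basicAuthGet($path, $username, $password) {
    $out = $this->curlExec(
      array(
        CURLOPT_HTTPGET => TRUE,
        CURLOPT_URL => url($path, array('absolute' => TRUE)),
        // Fetch the body; the assertions below need the response content.
        CURLOPT_NOBODY => FALSE,
        CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
        CURLOPT_USERPWD => $username . ':' . $password,
      )
    );

    $this->verbose('GET request to: ' . $path .
      '<hr />' . $out);

    return $out;
  }

}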