Commit a4fac14a authored by xjm's avatar xjm

Issue #2468873 by pfrenssen, Dom., dawehner, znerol, xjm: Test that the...

Issue #2468873 by pfrenssen, Dom., dawehner, znerol, xjm: Test that the authentication provider doesn't leak authentication credentials from the previous request
parent 4bc5aa83
<?php
/**
* @file
* Contains \Drupal\basic_auth\Tests\BasicAuthTestTrait.
*/
namespace Drupal\basic_auth\Tests;
/**
* Provides common functionality for Basic Authentication test classes.
*/
trait BasicAuthTestTrait {
/**
* Retrieves a Drupal path or an absolute path using basic authentication.
*
* @param \Drupal\Core\Url|string $path
* Drupal path or URL to load into the internal browser.
* @param string $username
* The username to use for basic authentication.
* @param string $password
* The password to use for basic authentication.
* @param array $options
* (optional) Options to be forwarded to the url generator.
*
* @return string
* The retrieved HTML string, also available as $this->getRawContent().
*/
protected function basicAuthGet($path, $username, $password, array $options = []) {
// Set up Curl to use basic authentication with the test user's credentials.
$headers = ['Authorization: Basic ' . base64_encode("$username:$password")];
return $this->drupalGet($path, $options, $headers);
}
}
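Review bot: `basicAuthGet()` builds the credential as `base64_encode("$username:$password")` on the line above `drupalGet()`, but the docblock does not record that the user-id part must not contain a colon (RFC 7617), so a test user with ':' in the name would yield a credential the server splits at the wrong point and fail for a non-obvious reason. Adding `(Must not contain a colon, per RFC 7617.)` to the `@param string $username` entry makes the constraint visible. It is also worth confirming that `drupalGet()` replaces rather than appends `CURLOPT_HTTPHEADER` on the shared curl handle, since the session test depends on later plain `drupalGet()` calls carrying no Authorization header; if it does not, the trait should document that callers must reset headers afterwards.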
<?php
/**
* @file
* Contains \Drupal\system\Tests\Session\SessionAuthenticationTest.
*/
namespace Drupal\system\Tests\Session;
use Drupal\Core\Url;
use Drupal\basic_auth\Tests\BasicAuthTestTrait;
use Drupal\simpletest\WebTestBase;
/**
* Tests if sessions are correctly handled when a user authenticates.
*
* @group Session
*/
class SessionAuthenticationTest extends WebTestBase {
use BasicAuthTestTrait;
/**
* A test user.
*
* @var \Drupal\user\Entity\User
*/
protected $user;
/**
* {@inheritdoc}
*/
public static $modules = ['basic_auth', 'session_test'];
/**
* {@inheritdoc}
*/
protected function setUp() {
parent::setUp();
// Create a test administrator user.
$this->user = $this->drupalCreateUser(['administer site configuration']);
}
/**
* Check that a basic authentication session does not leak.
*
* Regression test for a bug that caused a session initiated by basic
* authentication to persist over subsequent unauthorized requests.
*/
public function testSessionFromBasicAuthenticationDoesNotLeak() {
// This route is authorized through basic_auth only, not cookie.
$protected_url = Url::fromRoute('session_test.get_session_basic_auth');
// This route is not protected.
$unprotected_url = Url::fromRoute('session_test.get_session_no_auth');
// Test that the route is not accessible as an anonymous user.
$this->drupalGet($protected_url);
$this->assertResponse(401, 'An anonymous user cannot access a route protected with basic authentication.');
// We should be able to access the route with basic authentication.
$this->basicAuthGet($protected_url, $this->user->getUsername(), $this->user->pass_raw);
$this->assertResponse(200, 'A route protected with basic authentication can be accessed by an authenticated user.');
// Check that the correct user is logged in.
$this->assertEqual($this->user->id(), json_decode($this->getRawContent())->user, 'The correct user is authenticated on a route with basic authentication.');
// If we now try to access a page without basic authentication then we
// should no longer be logged in.
$this->drupalGet($unprotected_url);
$this->assertResponse(200, 'An unprotected route can be accessed without basic authentication.');
$this->assertFalse(json_decode($this->getRawContent())->user, 'The user is no longer authenticated after visiting a page without basic authentication.');
// If we access the protected page again without basic authentication we
// should get 401 Unauthorized.
$this->drupalGet($protected_url);
$this->assertResponse(401, 'A subsequent request to the same route without basic authentication is not authorized.');
}
}
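Review bot: `$this->assertFalse(json_decode($this->getRawContent())->user, ...)` in the unprotected-route step passes for 0, '', null and false alike, so it does not pin that the anonymous uid came back; `$this->assertEqual(0, json_decode($this->getRawContent())->user, ...)` states what the regression test actually relies on. The body is decoded twice (after the basic-auth request and after the unprotected one) without checking that `json_decode()` succeeded — a non-JSON response such as an HTML error page yields null and a property-access notice instead of a clear assertion failure, so decoding into a local and asserting it is an object first would improve diagnostics. If the underlying bug was a session cookie being issued on the basic_auth response, asserting that the `basicAuthGet()` response carries no Set-Cookie header (via `$this->drupalGetHeader('Set-Cookie')`, if I read WebTestBase correctly) would test the mechanism directly rather than only its downstream effect.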
......@@ -89,3 +89,21 @@ session_test.trace_handler:
_controller: '\Drupal\session_test\Controller\SessionTestController::traceHandler'
requirements:
_access: 'TRUE'
session_test.get_session_basic_auth:
path: '/session-test/get-session'
defaults:
_title: 'Get session information using basic authentication'
_controller: '\Drupal\session_test\Controller\SessionTestController::getSession'
options:
_auth: ['basic_auth']
requirements:
_permission: 'administer site configuration'
session_test.get_session_no_auth:
path: '/session-test/get-session-no-auth'
defaults:
_title: 'Get session information'
_controller: '\Drupal\session_test\Controller\SessionTestController::getSession'
requirements:
_access: 'TRUE'
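Review bot: `session_test.get_session_no_auth` grants `_access: 'TRUE'` to a controller that returns every value stored in the session plus the current uid, and nothing in the routing file records that this exposure is intentional for a test-only module. A comment above the route, `# Test-only: deliberately unprotected; returns the full session contents to any client.`, stops a later reader from treating it as a template. The `_auth: ['basic_auth']` option on `session_test.get_session_basic_auth` deserves a similar one-line note that it excludes cookie authentication, since that is the property the new SessionAuthenticationTest depends on and it is currently explained only in the test.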
......@@ -162,4 +162,17 @@ public function traceHandler() {
return new JsonResponse($trace);
}
/**
* Returns the values stored in the active session and the user ID.
*
* @param \Symfony\Component\HttpFoundation\Request $request
* The request object.
*
* @return \Symfony\Component\HttpFoundation\JsonResponse
* A response object containing the session values and the user ID.
*/
public function getSession(Request $request) {
return new JsonResponse(['session' => $request->getSession()->all(), 'user' => $this->currentUser()->id()]);
}
}
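Review bot: `getSession()` calls `$request->getSession()->all()` without a `$request->hasSession()` check; whether Drupal's middleware guarantees a session object on every request is not visible here, and if it does not, `getSession()` returns null and the call dies with a fatal error instead of a JSON response. A guard such as `$session = $request->hasSession() ? $request->getSession()->all() : [];` is cheap insurance and keeps the test route's output well-formed. The docblock could also say that `user` holds `$this->currentUser()->id()`, i.e. the anonymous uid when no user is authenticated, since the new test asserts on exactly that case. The enclosing class continues outside the hunk.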