 /**
  * Tests that CSRF check is not triggered for Basic Auth requests.
  *
  * The request is authenticated with HTTP Basic credentials (CURLAUTH_BASIC)
  * rather than a cookie session, and is expected to answer 201 with a
  * Location header that resolves to the entity that was just created.
  */
 public function testBasicAuth()
 {
     $credentials = $this->account->getUsername() . ':' . $this->account->pass_raw;
     // Start from the suite's defaults and override only the auth options.
     $options = array_replace($this->getCurlOptions(), [
         CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
         CURLOPT_USERPWD => $credentials,
     ]);
     $this->curlExec($options);
     $this->assertResponse(201);

     // A 201 alone is not enough: follow the Location header and make sure the
     // entity really exists in the database.
     $location = $this->drupalGetHeader('location');
     $created = $this->loadEntityFromLocationHeader($location);
     $this->assertTrue($created, 'An entity was created in the database');
 }
 /**
  * Test the user list items.
  *
  * With list_size set to 2, checks which accounts the switch-user block lists:
  * users holding the 'switch users' permission first, the web user once a
  * preferred user is blocked, and the anonymous account once include_anon is
  * enabled.
  */
 public function testSwitchUserListItems()
 {
     $anonymousName = \Drupal::config('user.settings')->get('anonymous');
     $this->setBlockConfiguration('list_size', 2);

     // Log in the web user first so that this account is the one filling the
     // list when not enough users with the 'switch users' permission exist,
     // then log in the devel user.
     $this->drupalLogin($this->webUser);
     $this->drupalLogin($this->develUser);

     // Each scenario reloads the front page and expects exactly two entries.
     $expectListed = function (array $names) {
         $this->drupalGet('');
         $this->assertSwitchUserListCount(2);
         foreach ($names as $name) {
             $this->assertSwitchUserListContainsUser($name);
         }
     };

     // Users with the 'switch users' permission are prioritized.
     $expectListed([
         $this->develUser->getUsername(),
         $this->switchUser->getUsername(),
     ]);

     // A blocked user drops out of the list; the web user takes its slot.
     $this->switchUser->set('status', 0)->save();
     $expectListed([
         $this->develUser->getUsername(),
         $this->webUser->getUsername(),
     ]);
     $this->assertSwitchUserListNoContainsUser($this->switchUser->getUsername());

     // With include_anon the anonymous account is prioritized.
     $this->setBlockConfiguration('include_anon', TRUE);
     $expectListed([
         $this->develUser->getUsername(),
         $anonymousName,
     ]);
 }
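 /**
  * Helper function, which creates a node of type person for the given user.
  *
  * The node title is the user's name and field_referenced_user points at the
  * user. The node owner is hard-coded to uid 1 (not to $user). When
  * $isIndividualSponsor is TRUE, field_person_type is set to the hard-coded
  * target id 8.
  *
  * @param \Drupal\user\Entity\User $user
  *   The user the person node is created for.
  * @param bool $isIndividualSponsor
  *   (optional) Whether to mark the person as an individual sponsor.
  *   Defaults to FALSE.
  *
  * @return \Drupal\Core\Entity\EntityInterface
  *   The saved person node, so callers can assert on it.
  */
 public function createUserProfile(User $user, $isIndividualSponsor = FALSE)
 {
     $values = [
         'type' => 'person',
         'title' => $user->getUsername(),
         // Owner is hard-coded to user 1, not to $user.
         'uid' => 1,
         'field_referenced_user' => ['target_id' => $user->id()],
     ];
     if ($isIndividualSponsor) {
         // Hard-coded reference id used for individual sponsors.
         $values['field_person_type'] = ['target_id' => 8];
     }
     // entity_create() is deprecated in Drupal 8; go through the entity type
     // manager storage handler instead.
     $node = \Drupal::entityTypeManager()->getStorage('node')->create($values);
     $node->save();
     return $node;
 }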
 /**
  * Sets new hash password in smf
  *
  * Looks for an SMF members row whose member_name equals the Drupal username
  * and whose passwd already equals sha1() of the Drupal password field. Only
  * when no such row exists is the row for that member_name rewritten with the
  * sha1 value and an empty password_salt; on a successful update the
  * in-memory $smfMember->passwd is refreshed too.
  *
  * NOTE(review): what is stored is an unsalted sha1() of whatever
  * getPassword() returns (on Drupal 8 User entities that is the already
  * hashed pass field, not a plaintext password), and password_salt is
  * cleared. sha1 is not a password-hashing function; confirm this is the
  * scheme SMF actually verifies against before relying on it.
  *
  * @param \Drupal\User\Entity\User $drupalUser
  *   The Drupal account whose password hash is mirrored into SMF.
  * @param \stdClass $smfMember
  *   The SMF members row object; its passwd property is updated on success.
  */
 protected function syncSmfPassword(\Drupal\User\Entity\User $drupalUser, \stdClass $smfMember)
 {
     /** @var \Drupal\Core\Database\Connection $db */
     $db = $this->smfConnection;
     $memberName = $drupalUser->getUsername();
     $smfHash = sha1($drupalUser->getPassword());

     // Already in sync: a row with this member name and exactly this hash.
     $existingId = $db->select('members', 'm')
         ->fields('m', ['id_member'])
         ->condition('m.member_name', $memberName)
         ->condition('m.passwd', $smfHash)
         ->execute()
         ->fetchField();
     if ($existingId) {
         return;
     }

     $affected = $db->update('members')
         ->fields(['passwd' => $smfHash, 'password_salt' => ''])
         ->condition('member_name', $memberName)
         ->execute();
     if ($affected) {
         $smfMember->passwd = $smfHash;
     }
 }
 /**
  * Check that a basic authentication session does not leak.
  *
  * Regression test for a bug that caused a session initiated by basic
  * authentication to persist over subsequent unauthorized requests. Expected
  * sequence: 401 as anonymous, 200 with credentials, 200 on an unprotected
  * route with no user, and 401 again on the protected route.
  */
 public function testSessionFromBasicAuthenticationDoesNotLeak()
 {
     // Guarded by basic_auth only; a cookie session must not grant access.
     $protectedUrl = Url::fromRoute('session_test.get_session_basic_auth');
     // Open to everyone; used to observe whether a session survived.
     $unprotectedUrl = Url::fromRoute('session_test.get_session_no_auth');

     // The session_test routes answer with JSON carrying a "user" member.
     $reportedUser = function () {
         return json_decode($this->getRawContent())->user;
     };

     // Anonymous access is refused.
     $this->drupalGet($protectedUrl);
     $this->assertResponse(401, 'An anonymous user cannot access a route protected with basic authentication.');

     // With credentials the route answers and reports the expected user.
     $this->basicAuthGet($protectedUrl, $this->user->getUsername(), $this->user->pass_raw);
     $this->assertResponse(200, 'A route protected with basic authentication can be accessed by an authenticated user.');
     $this->assertEqual($this->user->id(), $reportedUser(), 'The correct user is authenticated on a route with basic authentication.');

     // The credentials must not have become a persistent session: the next
     // request without them sees no user ...
     $this->drupalGet($unprotectedUrl);
     $this->assertResponse(200, 'An unprotected route can be accessed without basic authentication.');
     $this->assertFalse($reportedUser(), 'The user is no longer authenticated after visiting a page without basic authentication.');

     // ... and the protected route is closed again.
     $this->drupalGet($protectedUrl);
     $this->assertResponse(401, 'A subsequent request to the same route without basic authentication is not authorized.');
 }
 /**
  * Executes the save tests for the given entity type.
  *
  * Creates a test entity, saves it, reloads it by id and reads the id, uuid,
  * langcode, user_id and field_test_text values back, comparing them with the
  * fixtures held on $this.
  *
  * @param string $entity_type
  *   The entity type to run the tests with.
  */
 protected function assertSave($entity_type)
 {
     // Every assertion message is prefixed with the entity type under test.
     $message = function ($text) use ($entity_type) {
         return format_string($text, ['%entity_type' => $entity_type]);
     };

     $entity = $this->createTestEntity($entity_type);
     $entity->save();
     $this->assertTrue((bool) $entity->id(), $message('%entity_type: Entity has received an id.'));

     $loaded = entity_load($entity_type, $entity->id());
     $this->assertTrue((bool) $loaded->id(), $message('%entity_type: Entity loaded.'));

     // Base fields.
     $this->assertEqual(1, $loaded->id->value, $message('%entity_type: ID value can be read.'));
     $this->assertTrue(is_string($loaded->uuid->value), $message('%entity_type: UUID value can be read.'));
     $this->assertEqual('en', $loaded->langcode->value, $message('%entity_type: Language code can be read.'));
     $this->assertEqual(\Drupal::languageManager()->getLanguage('en'), $loaded->langcode->language, $message('%entity_type: Language object can be read.'));

     // Reference to the user fixture, by target id and through the referenced entity.
     $this->assertEqual($this->entity_user->id(), $loaded->user_id->target_id, $message('%entity_type: User id can be read.'));
     $this->assertEqual($this->entity_user->getUsername(), $loaded->user_id->entity->name->value, $message('%entity_type: User name can be read.'));

     // The text field fixture.
     $this->assertEqual($this->entity_field_text, $loaded->field_test_text->value, $message('%entity_type: Text field can be read.'));
 }
 /**
  * Test the user list items.
  *
  * With list_size set to 2, checks which accounts the switch-user block lists:
  * users holding the 'switch users' permission first, the web user once a
  * preferred user is blocked, the anonymous account once include_anon is
  * enabled, and user 1 when no prioritized user or permitted role is left.
  */
 public function testSwitchUserListItems()
 {
     $anonymousName = \Drupal::config('user.settings')->get('anonymous');
     $this->setBlockConfiguration('list_size', 2);

     // Log in the web user first so that this account is the one filling the
     // list when not enough users with the 'switch users' permission exist,
     // then log in the devel user.
     $this->drupalLogin($this->webUser);
     $this->drupalLogin($this->develUser);

     // Each scenario reloads the front page and expects exactly two entries.
     $expectListed = function (array $names) {
         $this->drupalGet('');
         $this->assertSwitchUserListCount(2);
         foreach ($names as $name) {
             $this->assertSwitchUserListContainsUser($name);
         }
     };

     // Users with the 'switch users' permission are prioritized.
     $expectListed([
         $this->develUser->getUsername(),
         $this->switchUser->getUsername(),
     ]);

     // A blocked user drops out of the list; the web user takes its slot.
     $this->switchUser->set('status', 0)->save();
     $expectListed([
         $this->develUser->getUsername(),
         $this->webUser->getUsername(),
     ]);
     $this->assertSwitchUserListNoContainsUser($this->switchUser->getUsername());

     // With include_anon the anonymous account is prioritized.
     $this->setBlockConfiguration('include_anon', TRUE);
     $expectListed([
         $this->develUser->getUsername(),
         $anonymousName,
     ]);

     // Special handling for user 1: the block must keep working when no
     // prioritized user remains ...
     $this->drupalLogout();
     $this->develUser->delete();
     $this->drupalLogin($this->rootUser);
     $expectListed([
         $this->rootUser->getUsername(),
         $anonymousName,
     ]);

     // ... and when no role carries the 'switch users' permission at all.
     $permittedRoles = user_roles(TRUE, 'switch users');
     \Drupal::entityTypeManager()->getStorage('user_role')->delete($permittedRoles);
     $expectListed([
         $this->rootUser->getUsername(),
         $anonymousName,
     ]);
 }
 /**
  * Tests that a session is not started automatically by basic authentication.
  *
  * Compares the Set-Cookie header after two logins: HTTP Basic credentials on
  * a basic_auth-only route (no cookie expected) and the login form on the
  * front page (cookie expected).
  */
 public function testBasicAuthNoSession()
 {
     $username = $this->user->getUsername();
     $password = $this->user->pass_raw;

     // With a third-party authentication provider (basic_auth) the provider
     // sustains the session, so Drupal must not hand out a session cookie.
     $basicAuthOnlyUrl = Url::fromRoute('session_test.get_session_basic_auth');
     $this->basicAuthGet($basicAuthOnlyUrl, $username, $password);
     $this->assertResponse(200, 'The user is successfully authenticated using basic authentication.');
     $this->assertFalse($this->drupalGetHeader('set-cookie', TRUE), 'No cookie is set on a route protected with basic authentication.');

     // Cookie authentication through the login form does set one.
     $formValues = ['name' => $username, 'pass' => $password];
     $this->drupalPostForm('<front>', $formValues, t('Log in'));
     $this->assertResponse(200, 'The user is successfully authenticated using cookie authentication.');
     $this->assertTrue($this->drupalGetHeader('set-cookie', TRUE), 'A cookie is set on a route protected with cookie authentication.');
 }
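 /**
  * Make an unsuccessful login attempt.
  *
  * Posts the account's credentials to user/login, verifies that the form
  * does not echo the submitted password back in the pass field's value
  * attribute, and then checks for the message selected by $flood_trigger.
  *
  * @param \Drupal\user\Entity\User $account
  *   A user object with name and pass_raw attributes for the login attempt.
  * @param mixed $flood_trigger
  *   (optional) Whether or not to expect that the flood control mechanism
  *   will be triggered. Defaults to NULL.
  *   - Set to 'user' to expect a "too many failed logins" error for the
  *     account.
  *   - Set to any other non-NULL value to expect an error for too many failed
  *     logins per IP address.
  *   - Set to NULL to expect a plain failed login.
  */
 public function assertFailedLogin($account, $flood_trigger = NULL)
 {
     $edit = ['name' => $account->getUsername(), 'pass' => $account->pass_raw];
     $this->drupalPostForm('user/login', $edit, t('Log in'));
     // The password must never be rendered back into the form.
     $this->assertNoFieldByXPath("//input[@name='pass' and @value!='']", NULL, 'Password value attribute is blank.');

     if ($flood_trigger === NULL) {
         $this->assertText(t('Unrecognized username or password. Have you forgotten your password?'));
         return;
     }

     // Strict comparison: with == a truthy non-string value such as TRUE (or 0
     // on PHP < 8) compares equal to 'user' and selects the wrong message.
     if ($flood_trigger === 'user') {
         $this->assertRaw(\Drupal::translation()->formatPlural($this->config('user.flood')->get('user_limit'), 'There has been more than one failed login attempt for this account. It is temporarily blocked. Try again later or <a href=":url">request a new password</a>.', 'There have been more than @count failed login attempts for this account. It is temporarily blocked. Try again later or <a href=":url">request a new password</a>.', [':url' => \Drupal::url('user.pass')]));
     } else {
         // No uid, so the limit is IP-based.
         $this->assertRaw(t('Too many failed login attempts from your IP address. This IP address is temporarily blocked. Try again later or <a href=":url">request a new password</a>.', [':url' => \Drupal::url('user.pass')]));
     }
 }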