|
Chris@0
|
1 <?php
|
|
Chris@0
|
2
|
|
Chris@0
|
3 namespace Drupal\Tests\system\Functional;
|
|
Chris@0
|
4
|
|
Chris@0
|
5 use Drupal\Core\Url;
|
|
Chris@0
|
6 use Drupal\Tests\BrowserTestBase;
|
|
Chris@0
|
7 use GuzzleHttp\Cookie\CookieJar;
|
|
Chris@0
|
8
|
|
Chris@0
|
9 /**
|
|
Chris@0
|
10 * Tests protecting routes by requiring CSRF token in the request header.
|
|
Chris@0
|
11 *
|
|
Chris@0
|
12 * @group system
|
|
Chris@0
|
13 */
|
|
Chris@0
|
14 class CsrfRequestHeaderTest extends BrowserTestBase {
|
|
Chris@0
|
15
|
|
Chris@0
|
16 /**
|
|
Chris@0
|
17 * Modules to enable.
|
|
Chris@0
|
18 *
|
|
Chris@0
|
19 * @var array
|
|
Chris@0
|
20 */
|
|
Chris@0
|
21 public static $modules = ['system', 'csrf_test'];
|
|
Chris@0
|
22
|
|
Chris@0
|
23 /**
|
|
Chris@0
|
24 * Tests access to routes protected by CSRF request header requirements.
|
|
Chris@0
|
25 *
|
|
Chris@0
|
26 * This checks one route that uses _csrf_request_header_token and one that
|
|
Chris@0
|
27 * uses the deprecated _access_rest_csrf.
|
|
Chris@0
|
28 */
|
|
Chris@0
|
29 public function testRouteAccess() {
|
|
Chris@0
|
30 $client = \Drupal::httpClient();
|
|
Chris@0
|
31 $csrf_token_paths = ['deprecated/session/token', 'session/token'];
|
|
Chris@0
|
32 // Test using the both the current path and a test path that returns
|
|
Chris@0
|
33 // a token using the deprecated 'rest' value.
|
|
Chris@0
|
34 // Checking /deprecated/session/token can be removed in 8.3.
|
|
Chris@0
|
35 // @see \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access()
|
|
Chris@0
|
36 foreach ($csrf_token_paths as $csrf_token_path) {
|
|
Chris@0
|
37 // Check both test routes.
|
|
Chris@0
|
38 $route_names = ['csrf_test.protected', 'csrf_test.deprecated.protected'];
|
|
Chris@0
|
39 foreach ($route_names as $route_name) {
|
|
Chris@0
|
40 $user = $this->drupalCreateUser();
|
|
Chris@0
|
41 $this->drupalLogin($user);
|
|
Chris@0
|
42
|
|
Chris@0
|
43 $csrf_token = $this->drupalGet($csrf_token_path);
|
|
Chris@0
|
44 $url = Url::fromRoute($route_name)
|
|
Chris@0
|
45 ->setAbsolute(TRUE)
|
|
Chris@0
|
46 ->toString();
|
|
Chris@0
|
47 $domain = parse_url($url, PHP_URL_HOST);
|
|
Chris@0
|
48
|
|
Chris@0
|
49 $session_id = $this->getSession()->getCookie($this->getSessionName());
|
|
Chris@0
|
50 /** @var \GuzzleHttp\Cookie\CookieJar $cookies */
|
|
Chris@0
|
51 $cookies = CookieJar::fromArray([$this->getSessionName() => $session_id], $domain);
|
|
Chris@0
|
52 $post_options = [
|
|
Chris@0
|
53 'headers' => ['Accept' => 'text/plain'],
|
|
Chris@0
|
54 'http_errors' => FALSE,
|
|
Chris@0
|
55 ];
|
|
Chris@0
|
56
|
|
Chris@0
|
57 // Test that access is allowed for anonymous user with no token in header.
|
|
Chris@0
|
58 $result = $client->post($url, $post_options);
|
|
Chris@0
|
59 $this->assertEquals(200, $result->getStatusCode());
|
|
Chris@0
|
60
|
|
Chris@0
|
61 // Add cookies to POST options so that all other requests are for the
|
|
Chris@0
|
62 // authenticated user.
|
|
Chris@0
|
63 $post_options['cookies'] = $cookies;
|
|
Chris@0
|
64
|
|
Chris@0
|
65 // Test that access is denied with no token in header.
|
|
Chris@0
|
66 $result = $client->post($url, $post_options);
|
|
Chris@0
|
67 $this->assertEquals(403, $result->getStatusCode());
|
|
Chris@0
|
68
|
|
Chris@0
|
69 // Test that access is allowed with correct token in header.
|
|
Chris@0
|
70 $post_options['headers']['X-CSRF-Token'] = $csrf_token;
|
|
Chris@0
|
71 $result = $client->post($url, $post_options);
|
|
Chris@0
|
72 $this->assertEquals(200, $result->getStatusCode());
|
|
Chris@0
|
73
|
|
Chris@0
|
74 // Test that access is denied with incorrect token in header.
|
|
Chris@0
|
75 $post_options['headers']['X-CSRF-Token'] = 'this-is-not-the-token-you-are-looking-for';
|
|
Chris@0
|
76 $result = $client->post($url, $post_options);
|
|
Chris@0
|
77 $this->assertEquals(403, $result->getStatusCode());
|
|
Chris@0
|
78 }
|
|
Chris@0
|
79 }
|
|
Chris@0
|
80
|
|
Chris@0
|
81 }
|
|
Chris@0
|
82
|
|
Chris@0
|
83 }
|
