annotate core/modules/system/tests/src/Functional/CsrfRequestHeaderTest.php @ 19:fa3358dc1485 tip

Add ndrum files
author Chris Cannam
date Wed, 28 Aug 2019 13:14:47 +0100
parents 129ea1e6d783
children
rev   line source
Chris@0 1 <?php
Chris@0 2
Chris@0 3 namespace Drupal\Tests\system\Functional;
Chris@0 4
Chris@0 5 use Drupal\Core\Url;
Chris@0 6 use Drupal\Tests\BrowserTestBase;
Chris@0 7
Chris@0 8 /**
Chris@0 9 * Tests protecting routes by requiring CSRF token in the request header.
Chris@0 10 *
Chris@0 11 * @group system
Chris@0 12 */
Chris@0 13 class CsrfRequestHeaderTest extends BrowserTestBase {
Chris@0 14
Chris@0 15 /**
Chris@0 16 * Modules to enable.
Chris@0 17 *
Chris@0 18 * @var array
Chris@0 19 */
Chris@0 20 public static $modules = ['system', 'csrf_test'];
Chris@0 21
Chris@0 22 /**
Chris@0 23 * Tests access to routes protected by CSRF request header requirements.
Chris@0 24 *
Chris@0 25 * This checks one route that uses _csrf_request_header_token and one that
Chris@0 26 * uses the deprecated _access_rest_csrf.
Chris@0 27 */
Chris@0 28 public function testRouteAccess() {
Chris@17 29 $client = $this->getHttpClient();
Chris@0 30 $csrf_token_paths = ['deprecated/session/token', 'session/token'];
Chris@0 31 // Test using the both the current path and a test path that returns
Chris@0 32 // a token using the deprecated 'rest' value.
Chris@0 33 // Checking /deprecated/session/token can be removed in 8.3.
Chris@0 34 // @see \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access()
Chris@0 35 foreach ($csrf_token_paths as $csrf_token_path) {
Chris@0 36 // Check both test routes.
Chris@0 37 $route_names = ['csrf_test.protected', 'csrf_test.deprecated.protected'];
Chris@0 38 foreach ($route_names as $route_name) {
Chris@0 39 $user = $this->drupalCreateUser();
Chris@0 40 $this->drupalLogin($user);
Chris@0 41
Chris@0 42 $csrf_token = $this->drupalGet($csrf_token_path);
Chris@0 43 $url = Url::fromRoute($route_name)
Chris@0 44 ->setAbsolute(TRUE)
Chris@0 45 ->toString();
Chris@0 46 $post_options = [
Chris@0 47 'headers' => ['Accept' => 'text/plain'],
Chris@0 48 'http_errors' => FALSE,
Chris@0 49 ];
Chris@0 50
Chris@0 51 // Test that access is allowed for anonymous user with no token in header.
Chris@0 52 $result = $client->post($url, $post_options);
Chris@0 53 $this->assertEquals(200, $result->getStatusCode());
Chris@0 54
Chris@0 55 // Add cookies to POST options so that all other requests are for the
Chris@0 56 // authenticated user.
Chris@17 57 $post_options['cookies'] = $this->getSessionCookies();
Chris@0 58
Chris@0 59 // Test that access is denied with no token in header.
Chris@0 60 $result = $client->post($url, $post_options);
Chris@0 61 $this->assertEquals(403, $result->getStatusCode());
Chris@0 62
Chris@0 63 // Test that access is allowed with correct token in header.
Chris@0 64 $post_options['headers']['X-CSRF-Token'] = $csrf_token;
Chris@0 65 $result = $client->post($url, $post_options);
Chris@0 66 $this->assertEquals(200, $result->getStatusCode());
Chris@0 67
Chris@0 68 // Test that access is denied with incorrect token in header.
Chris@0 69 $post_options['headers']['X-CSRF-Token'] = 'this-is-not-the-token-you-are-looking-for';
Chris@0 70 $result = $client->post($url, $post_options);
Chris@0 71 $this->assertEquals(403, $result->getStatusCode());
Chris@0 72 }
Chris@0 73 }
Chris@0 74
Chris@0 75 }
Chris@0 76
Chris@0 77 }