Mercurial > hg > isophonics-drupal-site
comparison core/modules/system/tests/src/Functional/CsrfRequestHeaderTest.php @ 0:4c8ae668cc8c
Initial import (non-working)
| author | Chris Cannam |
|---|---|
| date | Wed, 29 Nov 2017 16:09:58 +0000 |
| parents | |
| children | 129ea1e6d783 |
comparison
equal
deleted
inserted
replaced
| -1:000000000000 | 0:4c8ae668cc8c |
|---|---|
| 1 <?php | |
| 2 | |
| 3 namespace Drupal\Tests\system\Functional; | |
| 4 | |
| 5 use Drupal\Core\Url; | |
| 6 use Drupal\Tests\BrowserTestBase; | |
| 7 use GuzzleHttp\Cookie\CookieJar; | |
| 8 | |
| 9 /** | |
| 10 * Tests protecting routes by requiring CSRF token in the request header. | |
| 11 * | |
| 12 * @group system | |
| 13 */ | |
| 14 class CsrfRequestHeaderTest extends BrowserTestBase { | |
| 15 | |
| 16 /** | |
| 17 * Modules to enable. | |
| 18 * | |
| 19 * @var array | |
| 20 */ | |
| 21 public static $modules = ['system', 'csrf_test']; | |
| 22 | |
| 23 /** | |
| 24 * Tests access to routes protected by CSRF request header requirements. | |
| 25 * | |
| 26 * This checks one route that uses _csrf_request_header_token and one that | |
| 27 * uses the deprecated _access_rest_csrf. | |
| 28 */ | |
| 29 public function testRouteAccess() { | |
| 30 $client = \Drupal::httpClient(); | |
| 31 $csrf_token_paths = ['deprecated/session/token', 'session/token']; | |
| 32 // Test using the both the current path and a test path that returns | |
| 33 // a token using the deprecated 'rest' value. | |
| 34 // Checking /deprecated/session/token can be removed in 8.3. | |
| 35 // @see \Drupal\Core\Access\CsrfRequestHeaderAccessCheck::access() | |
| 36 foreach ($csrf_token_paths as $csrf_token_path) { | |
| 37 // Check both test routes. | |
| 38 $route_names = ['csrf_test.protected', 'csrf_test.deprecated.protected']; | |
| 39 foreach ($route_names as $route_name) { | |
| 40 $user = $this->drupalCreateUser(); | |
| 41 $this->drupalLogin($user); | |
| 42 | |
| 43 $csrf_token = $this->drupalGet($csrf_token_path); | |
| 44 $url = Url::fromRoute($route_name) | |
| 45 ->setAbsolute(TRUE) | |
| 46 ->toString(); | |
| 47 $domain = parse_url($url, PHP_URL_HOST); | |
| 48 | |
| 49 $session_id = $this->getSession()->getCookie($this->getSessionName()); | |
| 50 /** @var \GuzzleHttp\Cookie\CookieJar $cookies */ | |
| 51 $cookies = CookieJar::fromArray([$this->getSessionName() => $session_id], $domain); | |
| 52 $post_options = [ | |
| 53 'headers' => ['Accept' => 'text/plain'], | |
| 54 'http_errors' => FALSE, | |
| 55 ]; | |
| 56 | |
| 57 // Test that access is allowed for anonymous user with no token in header. | |
| 58 $result = $client->post($url, $post_options); | |
| 59 $this->assertEquals(200, $result->getStatusCode()); | |
| 60 | |
| 61 // Add cookies to POST options so that all other requests are for the | |
| 62 // authenticated user. | |
| 63 $post_options['cookies'] = $cookies; | |
| 64 | |
| 65 // Test that access is denied with no token in header. | |
| 66 $result = $client->post($url, $post_options); | |
| 67 $this->assertEquals(403, $result->getStatusCode()); | |
| 68 | |
| 69 // Test that access is allowed with correct token in header. | |
| 70 $post_options['headers']['X-CSRF-Token'] = $csrf_token; | |
| 71 $result = $client->post($url, $post_options); | |
| 72 $this->assertEquals(200, $result->getStatusCode()); | |
| 73 | |
| 74 // Test that access is denied with incorrect token in header. | |
| 75 $post_options['headers']['X-CSRF-Token'] = 'this-is-not-the-token-you-are-looking-for'; | |
| 76 $result = $client->post($url, $post_options); | |
| 77 $this->assertEquals(403, $result->getStatusCode()); | |
| 78 } | |
| 79 } | |
| 80 | |
| 81 } | |
| 82 | |
| 83 } |