Mercurial > hg > isophonics-drupal-site

view core/modules/system/src/Tests/Session/SessionHttpsTest.php @ 17:129ea1e6d783

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Update, including to Drupal core 8.6.10
author Chris Cannam
date Thu, 28 Feb 2019 13:21:36 +0000
parents 4c8ae668cc8c
children
line wrap: on
line source
<?php

namespace Drupal\system\Tests\Session;

use Drupal\simpletest\WebTestBase;
use Symfony\Component\HttpFoundation\Request;
use Drupal\Component\Utility\Crypt;
use Drupal\Core\Session\AccountInterface;

/**
 * Ensure that when running under HTTPS two session cookies are generated.
 *
 * @group Session
 */
class SessionHttpsTest extends WebTestBase {

  /**
   * The name of the session cookie when using HTTP.
   *
   * @var string
   */
  protected $insecureSessionName;

  /**
   * The name of the session cookie when using HTTPS.
   *
   * @var string
   */
  protected $secureSessionName;

  /**
   * Modules to enable.
   *
   * @var array
   */
  public static $modules = ['session_test'];

  protected function setUp() {
    parent::setUp();

    $request = Request::createFromGlobals();
    if ($request->isSecure()) {
      $this->secureSessionName = $this->getSessionName();
      $this->insecureSessionName = substr($this->getSessionName(), 1);
    }
    else {
      $this->secureSessionName = 'S' . $this->getSessionName();
      $this->insecureSessionName = $this->getSessionName();
    }
  }

  public function testHttpsSession() {
    $user = $this->drupalCreateUser(['access administration pages']);

    // Test HTTPS session handling by altering the form action to submit the
    // login form through https.php, which creates a mock HTTPS request.
    $this->loginHttps($user);

    // Test a second concurrent session.
    $this->curlClose();
    $this->curlCookies = [];
    $this->loginHttps($user);

    // Check secure cookie on secure page.
    $this->assertTrue($this->cookies[$this->secureSessionName]['secure'], 'The secure cookie has the secure attribute');
    // Check insecure cookie is not set.
    $this->assertFalse(isset($this->cookies[$this->insecureSessionName]));
    $ssid = $this->cookies[$this->secureSessionName]['value'];
    $this->assertSessionIds($ssid, 'Session has a non-empty SID and a correct secure SID.');

    // Verify that user is logged in on secure URL.
    $this->drupalGet($this->httpsUrl('admin/config'));
    $this->assertText(t('Configuration'));
    $this->assertResponse(200);

    // Verify that user is not logged in on non-secure URL.
    $this->drupalGet($this->httpUrl('admin/config'));
    $this->assertNoText(t('Configuration'));
    $this->assertResponse(403);

    // Verify that empty SID cannot be used on the non-secure site.
    $this->curlClose();
    $this->curlCookies = [$this->insecureSessionName . '='];
    $this->drupalGet($this->httpUrl('admin/config'));
    $this->assertResponse(403);

    // Test HTTP session handling by altering the form action to submit the
    // login form through http.php, which creates a mock HTTP request on HTTPS
    // test environments.
    $this->curlClose();
    $this->curlCookies = [];
    $this->loginHttp($user);
    $this->drupalGet($this->httpUrl('admin/config'));
    $this->assertResponse(200);
    $sid = $this->cookies[$this->insecureSessionName]['value'];
    $this->assertSessionIds($sid, '', 'Session has the correct SID and an empty secure SID.');

    // Verify that empty secure SID cannot be used on the secure site.
    $this->curlClose();
    $this->curlCookies = [$this->secureSessionName . '='];
    $this->drupalGet($this->httpsUrl('admin/config'));
    $this->assertResponse(403);

    // Clear browser cookie jar.
    $this->cookies = [];
  }

  /**
   * Log in a user via HTTP.
   *
   * Note that the parents $session_id and $loggedInUser is not updated.
   */
  protected function loginHttp(AccountInterface $account) {
    $this->drupalGet('user/login');

    // Alter the form action to submit the login form through http.php, which
    // creates a mock HTTP request on HTTPS test environments.
    $form = $this->xpath('//form[@id="user-login-form"]');
    $form[0]['action'] = $this->httpUrl('user/login');
    $edit = ['name' => $account->getUsername(), 'pass' => $account->pass_raw];

    // When posting directly to the HTTP or HTTPS mock front controller, the
    // location header on the returned response is an absolute URL. That URL
    // needs to be converted into a request to the respective mock front
    // controller in order to retrieve the target page. Because the URL in the
    // location header needs to be modified, it is necessary to disable the
    // automatic redirects normally performed by parent::curlExec().
    $maximum_redirects = $this->maximumRedirects;
    $this->maximumRedirects = 0;
    $this->drupalPostForm(NULL, $edit, t('Log in'));
    $this->maximumRedirects = $maximum_redirects;

    // Follow the location header.
    $path = $this->getPathFromLocationHeader(FALSE);
    $this->drupalGet($this->httpUrl($path));
    $this->assertResponse(200);
  }

  /**
   * Log in a user via HTTPS.
   *
   * Note that the parents $session_id and $loggedInUser is not updated.
   */
  protected function loginHttps(AccountInterface $account) {
    $this->drupalGet('user/login');

    // Alter the form action to submit the login form through https.php, which
    // creates a mock HTTPS request on HTTP test environments.
    $form = $this->xpath('//form[@id="user-login-form"]');
    $form[0]['action'] = $this->httpsUrl('user/login');
    $edit = ['name' => $account->getUsername(), 'pass' => $account->pass_raw];

    // When posting directly to the HTTP or HTTPS mock front controller, the
    // location header on the returned response is an absolute URL. That URL
    // needs to be converted into a request to the respective mock front
    // controller in order to retrieve the target page. Because the URL in the
    // location header needs to be modified, it is necessary to disable the
    // automatic redirects normally performed by parent::curlExec().
    $maximum_redirects = $this->maximumRedirects;
    $this->maximumRedirects = 0;
    $this->drupalPostForm(NULL, $edit, t('Log in'));
    $this->maximumRedirects = $maximum_redirects;

    // When logging in via the HTTPS mock, the child site will issue a session
    // cookie with the secure attribute set. While this cookie will be stored in
    // the curl handle, it will not be used on subsequent requests via the HTTPS
    // mock, unless when operating in a true HTTPS environment. Therefore it is
    // necessary to manually collect the session cookie and add it to the
    // curlCookies property such that it will be used on subsequent requests via
    // the HTTPS mock.
    $this->curlCookies = [$this->secureSessionName . '=' . $this->cookies[$this->secureSessionName]['value']];

    // Follow the location header.
    $path = $this->getPathFromLocationHeader(TRUE);
    $this->drupalGet($this->httpsUrl($path));
    $this->assertResponse(200);
  }

  /**
   * Extract internal path from the location header on the response.
   */
  protected function getPathFromLocationHeader($https = FALSE, $response_code = 303) {
    // Generate the base_url.
    $base_url = $this->container->get('url_generator')->generateFromRoute('<front>', [], ['absolute' => TRUE]);
    if ($https) {
      $base_url = str_replace('http://', 'https://', $base_url);
    }
    else {
      $base_url = str_replace('https://', 'http://', $base_url);
    }

    // The mock front controllers (http.php and https.php) add the script name
    // to $_SERVER['REQUEST_URI'] and friends. Therefore it is necessary to
    // strip that also.
    $base_url .= 'index.php/';

    // Extract relative path from location header.
    $this->assertResponse($response_code);
    $location = $this->drupalGetHeader('location');

    $this->assertIdentical(strpos($location, $base_url), 0, 'Location header contains expected base URL');
    return substr($location, strlen($base_url));
  }

  /**
   * Test that there exists a session with two specific session IDs.
   *
   * @param $sid
   *   The insecure session ID to search for.
   * @param $assertion_text
   *   The text to display when we perform the assertion.
   *
   * @return
   *   The result of assertTrue() that there's a session in the system that
   *   has the given insecure and secure session IDs.
   */
  protected function assertSessionIds($sid, $assertion_text) {
    $args = [
      ':sid' => Crypt::hashBase64($sid),
    ];
    return $this->assertTrue(db_query('SELECT timestamp FROM {sessions} WHERE sid = :sid', $args)->fetchField(), $assertion_text);
  }

  /**
   * Builds a URL for submitting a mock HTTPS request to HTTP test environments.
   *
   * @param $url
   *   A Drupal path such as 'user/login'.
   *
   * @return
   *   URL prepared for the https.php mock front controller.
   */
  protected function httpsUrl($url) {
    return 'core/modules/system/tests/https.php/' . $url;
  }

  /**
   * Builds a URL for submitting a mock HTTP request to HTTPS test environments.
   *
   * @param $url
   *   A Drupal path such as 'user/login'.
   *
   * @return
   *   URL prepared for the http.php mock front controller.
   */
  protected function httpUrl($url) {
    return 'core/modules/system/tests/http.php/' . $url;
  }

}