Chris@0: user = $this->drupalCreateUser(['administer site configuration']); Chris@0: } Chris@0: Chris@0: /** Chris@0: * Check that a basic authentication session does not leak. Chris@0: * Chris@0: * Regression test for a bug that caused a session initiated by basic Chris@0: * authentication to persist over subsequent unauthorized requests. Chris@0: */ Chris@0: public function testSessionFromBasicAuthenticationDoesNotLeak() { Chris@0: // This route is authorized through basic_auth only, not cookie. Chris@0: $protected_url = Url::fromRoute('session_test.get_session_basic_auth'); Chris@0: Chris@0: // This route is not protected. Chris@0: $unprotected_url = Url::fromRoute('session_test.get_session_no_auth'); Chris@0: Chris@0: // Test that the route is not accessible as an anonymous user. Chris@0: $this->drupalGet($protected_url); Chris@0: $this->assertResponse(401, 'An anonymous user cannot access a route protected with basic authentication.'); Chris@0: Chris@0: // We should be able to access the route with basic authentication. Chris@0: $this->basicAuthGet($protected_url, $this->user->getUsername(), $this->user->pass_raw); Chris@0: $this->assertResponse(200, 'A route protected with basic authentication can be accessed by an authenticated user.'); Chris@0: Chris@0: // Check that the correct user is logged in. Chris@0: $this->assertEqual($this->user->id(), json_decode($this->getRawContent())->user, 'The correct user is authenticated on a route with basic authentication.'); Chris@0: Chris@0: // If we now try to access a page without basic authentication then we Chris@0: // should no longer be logged in. Chris@0: $this->drupalGet($unprotected_url); Chris@0: $this->assertResponse(200, 'An unprotected route can be accessed without basic authentication.'); Chris@0: $this->assertFalse(json_decode($this->getRawContent())->user, 'The user is no longer authenticated after visiting a page without basic authentication.'); Chris@0: Chris@0: // If we access the protected page again without basic authentication we Chris@0: // should get 401 Unauthorized. Chris@0: $this->drupalGet($protected_url); Chris@0: $this->assertResponse(401, 'A subsequent request to the same route without basic authentication is not authorized.'); Chris@0: } Chris@0: Chris@0: /** Chris@0: * Tests if a session can be initiated through basic authentication. Chris@0: */ Chris@0: public function testBasicAuthSession() { Chris@0: // Set a session value on a request through basic auth. Chris@0: $test_value = 'alpaca'; Chris@0: $response = $this->basicAuthGet('session-test/set-session/' . $test_value, $this->user->getUsername(), $this->user->pass_raw); Chris@0: $this->assertSessionData($response, $test_value); Chris@0: $this->assertResponse(200, 'The request to set a session value was successful.'); Chris@0: Chris@0: // Test that on a subsequent request the session value is still present. Chris@0: $response = $this->basicAuthGet('session-test/get-session', $this->user->getUsername(), $this->user->pass_raw); Chris@0: $this->assertSessionData($response, $test_value); Chris@0: $this->assertResponse(200, 'The request to get a session value was successful.'); Chris@0: } Chris@0: Chris@0: /** Chris@0: * Checks the session data returned by the session test routes. Chris@0: * Chris@0: * @param string $response Chris@0: * A response object containing the session values and the user ID. Chris@0: * @param string $expected Chris@0: * The expected session value. Chris@0: */ Chris@0: protected function assertSessionData($response, $expected) { Chris@0: $response = json_decode($response, TRUE); Chris@0: $this->assertEqual(['test_value' => $expected], $response['session'], 'The session data matches the expected value.'); Chris@0: Chris@0: // Check that we are logged in as the correct user. Chris@0: $this->assertEqual($this->user->id(), $response['user'], 'The correct user is logged in.'); Chris@0: } Chris@0: Chris@0: /** Chris@0: * Tests that a session is not started automatically by basic authentication. Chris@0: */ Chris@0: public function testBasicAuthNoSession() { Chris@0: // A route that is authorized through basic_auth only, not cookie. Chris@0: $no_cookie_url = Url::fromRoute('session_test.get_session_basic_auth'); Chris@0: Chris@0: // A route that is authorized with standard cookie authentication. Chris@0: $cookie_url = ''; Chris@0: Chris@0: // If we authenticate with a third party authentication system then no Chris@0: // session cookie should be set, the third party system is responsible for Chris@0: // sustaining the session. Chris@0: $this->basicAuthGet($no_cookie_url, $this->user->getUsername(), $this->user->pass_raw); Chris@0: $this->assertResponse(200, 'The user is successfully authenticated using basic authentication.'); Chris@0: $this->assertFalse($this->drupalGetHeader('set-cookie', TRUE), 'No cookie is set on a route protected with basic authentication.'); Chris@0: Chris@0: // On the other hand, authenticating using Cookie sets a cookie. Chris@0: $edit = ['name' => $this->user->getUsername(), 'pass' => $this->user->pass_raw]; Chris@0: $this->drupalPostForm($cookie_url, $edit, t('Log in')); Chris@0: $this->assertResponse(200, 'The user is successfully authenticated using cookie authentication.'); Chris@0: $this->assertTrue($this->drupalGetHeader('set-cookie', TRUE), 'A cookie is set on a route protected with cookie authentication.'); Chris@0: } Chris@0: Chris@0: }