2008-04-26 08:31:52 +02:00
|
|
|
<?php
|
|
|
|
/**
|
|
|
|
* Test the security class, including log-in form, change password form, etc
|
2008-06-15 15:33:53 +02:00
|
|
|
*
|
2012-04-12 08:02:46 +02:00
|
|
|
* @package framework
|
2008-06-15 15:33:53 +02:00
|
|
|
* @subpackage tests
|
2008-04-26 08:31:52 +02:00
|
|
|
*/
|
2008-08-11 07:27:18 +02:00
|
|
|
class SecurityTest extends FunctionalTest {
|
2013-03-21 19:48:54 +01:00
|
|
|
protected static $fixture_file = 'MemberTest.yml';
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2008-08-12 01:04:25 +02:00
|
|
|
protected $autoFollowRedirection = false;
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2008-10-08 04:00:12 +02:00
|
|
|
protected $priorAuthenticators = array();
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2008-10-08 04:00:12 +02:00
|
|
|
protected $priorDefaultAuthenticator = null;
|
2010-10-15 01:53:44 +02:00
|
|
|
|
|
|
|
protected $priorUniqueIdentifierField = null;
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2014-04-09 01:41:25 +02:00
|
|
|
protected $priorRememberUsername = null;
|
2010-10-15 01:53:44 +02:00
|
|
|
|
2012-09-19 12:07:39 +02:00
|
|
|
public function setUp() {
|
2008-10-08 04:00:12 +02:00
|
|
|
// This test assumes that MemberAuthenticator is present and the default
|
|
|
|
$this->priorAuthenticators = Authenticator::get_authenticators();
|
|
|
|
$this->priorDefaultAuthenticator = Authenticator::get_default_authenticator();
|
2011-01-11 10:19:38 +01:00
|
|
|
foreach($this->priorAuthenticators as $authenticator) {
|
|
|
|
Authenticator::unregister($authenticator);
|
|
|
|
}
|
2010-10-15 01:53:44 +02:00
|
|
|
|
2008-10-08 04:00:12 +02:00
|
|
|
Authenticator::register('MemberAuthenticator');
|
|
|
|
Authenticator::set_default_authenticator('MemberAuthenticator');
|
2010-10-15 01:53:44 +02:00
|
|
|
|
|
|
|
// And that the unique identified field is 'Email'
|
2013-03-21 19:48:54 +01:00
|
|
|
$this->priorUniqueIdentifierField = Member::config()->unique_identifier_field;
|
2014-04-09 01:41:25 +02:00
|
|
|
$this->priorRememberUsername = Security::config()->remember_username;
|
2013-03-21 19:48:54 +01:00
|
|
|
Member::config()->unique_identifier_field = 'Email';
|
2010-10-15 01:53:44 +02:00
|
|
|
|
2008-10-08 04:00:12 +02:00
|
|
|
parent::setUp();
|
|
|
|
}
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2012-09-19 12:07:39 +02:00
|
|
|
public function tearDown() {
|
2008-10-08 04:00:12 +02:00
|
|
|
// Restore selected authenticator
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2008-10-08 04:00:12 +02:00
|
|
|
// MemberAuthenticator might not actually be present
|
|
|
|
if(!in_array('MemberAuthenticator', $this->priorAuthenticators)) {
|
|
|
|
Authenticator::unregister('MemberAuthenticator');
|
|
|
|
}
|
2011-01-11 10:19:38 +01:00
|
|
|
foreach($this->priorAuthenticators as $authenticator) {
|
|
|
|
Authenticator::register($authenticator);
|
|
|
|
}
|
2008-10-08 04:00:12 +02:00
|
|
|
Authenticator::set_default_authenticator($this->priorDefaultAuthenticator);
|
2010-10-15 01:53:44 +02:00
|
|
|
|
|
|
|
// Restore unique identifier field
|
2013-03-21 19:48:54 +01:00
|
|
|
Member::config()->unique_identifier_field = $this->priorUniqueIdentifierField;
|
2014-04-09 01:41:25 +02:00
|
|
|
Security::config()->remember_username = $this->priorRememberUsername;
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2008-10-08 04:00:12 +02:00
|
|
|
parent::tearDown();
|
|
|
|
}
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2012-09-19 12:07:39 +02:00
|
|
|
public function testAccessingAuthenticatedPageRedirectsToLoginForm() {
|
2011-03-28 07:23:06 +02:00
|
|
|
$this->autoFollowRedirection = false;
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2011-03-28 07:23:06 +02:00
|
|
|
$response = $this->get('SecurityTest_SecuredController');
|
|
|
|
$this->assertEquals(302, $response->getStatusCode());
|
2011-03-16 04:13:14 +01:00
|
|
|
$this->assertContains(
|
2014-08-15 08:53:05 +02:00
|
|
|
Config::inst()->get('Security', 'login_url'),
|
2011-03-16 04:13:14 +01:00
|
|
|
$response->getHeader('Location')
|
|
|
|
);
|
2011-03-28 07:23:06 +02:00
|
|
|
|
2014-08-15 08:53:05 +02:00
|
|
|
$this->logInWithPermission('ADMIN');
|
2011-03-28 07:23:06 +02:00
|
|
|
$response = $this->get('SecurityTest_SecuredController');
|
|
|
|
$this->assertEquals(200, $response->getStatusCode());
|
|
|
|
$this->assertContains('Success', $response->getBody());
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2011-03-28 07:23:06 +02:00
|
|
|
$this->autoFollowRedirection = true;
|
|
|
|
}
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2015-03-11 15:20:57 +01:00
|
|
|
public function testPermissionFailureSetsCorrectFormMessages() {
|
|
|
|
Config::nest();
|
|
|
|
|
|
|
|
// Controller that doesn't attempt redirections
|
|
|
|
$controller = new SecurityTest_NullController();
|
|
|
|
$controller->response = new SS_HTTPResponse();
|
|
|
|
|
|
|
|
Security::permissionFailure($controller, array('default' => 'Oops, not allowed'));
|
|
|
|
$this->assertEquals('Oops, not allowed', Session::get('Security.Message.message'));
|
|
|
|
|
|
|
|
// Test that config values are used correctly
|
|
|
|
Config::inst()->update('Security', 'default_message_set', 'stringvalue');
|
|
|
|
Security::permissionFailure($controller);
|
|
|
|
$this->assertEquals('stringvalue', Session::get('Security.Message.message'),
|
|
|
|
'Default permission failure message value was not present');
|
|
|
|
|
|
|
|
Config::inst()->remove('Security', 'default_message_set');
|
|
|
|
Config::inst()->update('Security', 'default_message_set', array('default' => 'arrayvalue'));
|
|
|
|
Security::permissionFailure($controller);
|
|
|
|
$this->assertEquals('arrayvalue', Session::get('Security.Message.message'),
|
|
|
|
'Default permission failure message value was not present');
|
|
|
|
|
|
|
|
// Test that non-default messages work.
|
|
|
|
// NOTE: we inspect the response body here as the session message has already
|
|
|
|
// been fetched and output as part of it, so has been removed from the session
|
|
|
|
$this->logInWithPermission('EDITOR');
|
|
|
|
|
|
|
|
Config::inst()->update('Security', 'default_message_set',
|
|
|
|
array('default' => 'default', 'alreadyLoggedIn' => 'You are already logged in!'));
|
|
|
|
Security::permissionFailure($controller);
|
|
|
|
$this->assertContains('You are already logged in!', $controller->response->getBody(),
|
|
|
|
'Custom permission failure message was ignored');
|
|
|
|
|
|
|
|
Security::permissionFailure($controller,
|
|
|
|
array('default' => 'default', 'alreadyLoggedIn' => 'One-off failure message'));
|
|
|
|
$this->assertContains('One-off failure message', $controller->response->getBody(),
|
|
|
|
"Message set passed to Security::permissionFailure() didn't override Config values");
|
|
|
|
|
|
|
|
Config::unnest();
|
|
|
|
}
|
2015-03-31 07:06:00 +02:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Follow all redirects recursively
|
|
|
|
*
|
|
|
|
* @param string $url
|
|
|
|
* @param int $limit Max number of requests
|
|
|
|
* @return SS_HTTPResponse
|
|
|
|
*/
|
|
|
|
protected function getRecursive($url, $limit = 10) {
|
|
|
|
$this->cssParser = null;
|
|
|
|
$response = $this->mainSession->get($url);
|
|
|
|
while(--$limit > 0 && $response instanceof SS_HTTPResponse && $response->getHeader('Location')) {
|
|
|
|
$response = $this->mainSession->followRedirection();
|
|
|
|
}
|
|
|
|
return $response;
|
|
|
|
}
|
2011-03-28 07:23:06 +02:00
|
|
|
|
2015-03-31 07:06:00 +02:00
|
|
|
public function testAutomaticRedirectionOnLogin() {
|
|
|
|
// BackURL with permission error (not authenticated) should not redirect
|
|
|
|
if($member = Member::currentUser()) $member->logOut();
|
|
|
|
$response = $this->getRecursive('SecurityTest_SecuredController');
|
|
|
|
$this->assertContains(Convert::raw2xml("That page is secured."), $response->getBody());
|
|
|
|
$this->assertContains('<input type="submit" name="action_dologin"', $response->getBody());
|
|
|
|
|
|
|
|
// Non-logged in user should not be redirected, but instead shown the login form
|
|
|
|
// No message/context is available as the user has not attempted to view the secured controller
|
|
|
|
$response = $this->getRecursive('Security/login?BackURL=SecurityTest_SecuredController/');
|
|
|
|
$this->assertNotContains(Convert::raw2xml("That page is secured."), $response->getBody());
|
|
|
|
$this->assertNotContains(Convert::raw2xml("You don't have access to this page"), $response->getBody());
|
|
|
|
$this->assertContains('<input type="submit" name="action_dologin"', $response->getBody());
|
|
|
|
|
|
|
|
// BackURL with permission error (wrong permissions) should not redirect
|
|
|
|
$this->logInAs('grouplessmember');
|
|
|
|
$response = $this->getRecursive('SecurityTest_SecuredController');
|
|
|
|
$this->assertContains(Convert::raw2xml("You don't have access to this page"), $response->getBody());
|
|
|
|
$this->assertContains(
|
|
|
|
'<input type="submit" name="action_logout" value="Log in as someone else"',
|
|
|
|
$response->getBody()
|
|
|
|
);
|
|
|
|
|
|
|
|
// Directly accessing this page should attempt to follow the BackURL, but stop when it encounters the error
|
|
|
|
$response = $this->getRecursive('Security/login?BackURL=SecurityTest_SecuredController/');
|
|
|
|
$this->assertContains(Convert::raw2xml("You don't have access to this page"), $response->getBody());
|
|
|
|
$this->assertContains(
|
|
|
|
'<input type="submit" name="action_logout" value="Log in as someone else"',
|
|
|
|
$response->getBody()
|
|
|
|
);
|
|
|
|
|
|
|
|
// Check correctly logged in admin doesn't generate the same errors
|
|
|
|
$this->logInAs('admin');
|
|
|
|
$response = $this->getRecursive('SecurityTest_SecuredController');
|
|
|
|
$this->assertContains(Convert::raw2xml("Success"), $response->getBody());
|
|
|
|
|
|
|
|
// Directly accessing this page should attempt to follow the BackURL and succeed
|
|
|
|
$response = $this->getRecursive('Security/login?BackURL=SecurityTest_SecuredController/');
|
|
|
|
$this->assertContains(Convert::raw2xml("Success"), $response->getBody());
|
|
|
|
}
|
|
|
|
|
2012-09-19 12:07:39 +02:00
|
|
|
public function testLogInAsSomeoneElse() {
|
2009-04-29 02:07:39 +02:00
|
|
|
$member = DataObject::get_one('Member');
|
|
|
|
|
|
|
|
/* Log in with any user that we can find */
|
|
|
|
$this->session()->inst_set('loggedInAs', $member->ID);
|
|
|
|
|
|
|
|
/* View the Security/login page */
|
2011-03-16 04:13:14 +01:00
|
|
|
$response = $this->get(Config::inst()->get('Security', 'login_url'));
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2009-04-29 02:07:39 +02:00
|
|
|
$items = $this->cssParser()->getBySelector('#MemberLoginForm_LoginForm input.action');
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2009-04-29 02:07:39 +02:00
|
|
|
/* We have only 1 input, one to allow the user to log in as someone else */
|
|
|
|
$this->assertEquals(count($items), 1, 'There is 1 input, allowing the user to log in as someone else.');
|
|
|
|
|
|
|
|
$this->autoFollowRedirection = true;
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2009-04-29 02:07:39 +02:00
|
|
|
/* Submit the form, using only the logout action and a hidden field for the authenticator */
|
|
|
|
$response = $this->submitForm(
|
2014-08-15 08:53:05 +02:00
|
|
|
'MemberLoginForm_LoginForm',
|
2009-04-29 02:07:39 +02:00
|
|
|
null,
|
|
|
|
array(
|
|
|
|
'AuthenticationMethod' => 'MemberAuthenticator',
|
|
|
|
'action_dologout' => 1,
|
|
|
|
)
|
|
|
|
);
|
|
|
|
|
|
|
|
/* We get a good response */
|
|
|
|
$this->assertEquals($response->getStatusCode(), 200, 'We have a 200 OK response');
|
|
|
|
$this->assertNotNull($response->getBody(), 'There is body content on the page');
|
|
|
|
|
|
|
|
/* Log the user out */
|
|
|
|
$this->session()->inst_set('loggedInAs', null);
|
|
|
|
}
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2012-09-19 12:07:39 +02:00
|
|
|
public function testMemberIDInSessionDoesntExistInDatabaseHasToLogin() {
|
2009-04-29 02:07:39 +02:00
|
|
|
/* Log in with a Member ID that doesn't exist in the DB */
|
|
|
|
$this->session()->inst_set('loggedInAs', 500);
|
|
|
|
|
|
|
|
$this->autoFollowRedirection = true;
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2009-04-29 02:07:39 +02:00
|
|
|
/* Attempt to get into the admin section */
|
2011-03-16 04:13:14 +01:00
|
|
|
$response = $this->get(Config::inst()->get('Security', 'login_url'));
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2009-04-29 02:07:39 +02:00
|
|
|
$items = $this->cssParser()->getBySelector('#MemberLoginForm_LoginForm input.text');
|
|
|
|
|
|
|
|
/* We have 2 text inputs - one for email, and another for the password */
|
|
|
|
$this->assertEquals(count($items), 2, 'There are 2 inputs - one for email, another for password');
|
|
|
|
|
|
|
|
$this->autoFollowRedirection = false;
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2009-04-29 02:07:39 +02:00
|
|
|
/* Log the user out */
|
|
|
|
$this->session()->inst_set('loggedInAs', null);
|
|
|
|
}
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2014-04-09 01:41:25 +02:00
|
|
|
public function testLoginUsernamePersists() {
|
|
|
|
// Test that username does not persist
|
|
|
|
$this->session()->inst_set('SessionForms.MemberLoginForm.Email', 'myuser@silverstripe.com');
|
|
|
|
Security::config()->remember_username = false;
|
|
|
|
$this->get(Config::inst()->get('Security', 'login_url'));
|
2014-04-22 03:28:44 +02:00
|
|
|
$items = $this
|
|
|
|
->cssParser()
|
|
|
|
->getBySelector('#MemberLoginForm_LoginForm #MemberLoginForm_LoginForm_Email');
|
2014-04-09 01:41:25 +02:00
|
|
|
$this->assertEquals(1, count($items));
|
|
|
|
$this->assertEmpty((string)$items[0]->attributes()->value);
|
|
|
|
$this->assertEquals('off', (string)$items[0]->attributes()->autocomplete);
|
|
|
|
$form = $this->cssParser()->getBySelector('#MemberLoginForm_LoginForm');
|
|
|
|
$this->assertEquals(1, count($form));
|
|
|
|
$this->assertEquals('off', (string)$form[0]->attributes()->autocomplete);
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2014-04-09 01:41:25 +02:00
|
|
|
// Test that username does persist when necessary
|
|
|
|
$this->session()->inst_set('SessionForms.MemberLoginForm.Email', 'myuser@silverstripe.com');
|
|
|
|
Security::config()->remember_username = true;
|
|
|
|
$this->get(Config::inst()->get('Security', 'login_url'));
|
2014-04-22 03:28:44 +02:00
|
|
|
$items = $this
|
|
|
|
->cssParser()
|
|
|
|
->getBySelector('#MemberLoginForm_LoginForm #MemberLoginForm_LoginForm_Email');
|
2014-04-09 01:41:25 +02:00
|
|
|
$this->assertEquals(1, count($items));
|
|
|
|
$this->assertEquals('myuser@silverstripe.com', (string)$items[0]->attributes()->value);
|
|
|
|
$this->assertNotEquals('off', (string)$items[0]->attributes()->autocomplete);
|
|
|
|
$form = $this->cssParser()->getBySelector('#MemberLoginForm_LoginForm');
|
|
|
|
$this->assertEquals(1, count($form));
|
|
|
|
$this->assertNotEquals('off', (string)$form[0]->attributes()->autocomplete);
|
|
|
|
}
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2012-09-19 12:07:39 +02:00
|
|
|
public function testExternalBackUrlRedirectionDisallowed() {
|
2009-02-11 22:08:28 +01:00
|
|
|
// Test internal relative redirect
|
|
|
|
$response = $this->doTestLoginForm('noexpiry@silverstripe.com', '1nitialPassword', 'testpage');
|
|
|
|
$this->assertEquals(302, $response->getStatusCode());
|
|
|
|
$this->assertRegExp('/testpage/', $response->getHeader('Location'),
|
|
|
|
"Internal relative BackURLs work when passed through to login form"
|
|
|
|
);
|
|
|
|
// Log the user out
|
|
|
|
$this->session()->inst_set('loggedInAs', null);
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2009-02-11 22:08:28 +01:00
|
|
|
// Test internal absolute redirect
|
2012-09-26 23:34:00 +02:00
|
|
|
$response = $this->doTestLoginForm('noexpiry@silverstripe.com', '1nitialPassword',
|
|
|
|
Director::absoluteBaseURL() . 'testpage');
|
2009-02-11 22:08:28 +01:00
|
|
|
// for some reason the redirect happens to a relative URL
|
2012-09-26 23:34:00 +02:00
|
|
|
$this->assertRegExp('/^' . preg_quote(Director::absoluteBaseURL(), '/') . 'testpage/',
|
|
|
|
$response->getHeader('Location'),
|
2009-02-11 22:08:28 +01:00
|
|
|
"Internal absolute BackURLs work when passed through to login form"
|
|
|
|
);
|
|
|
|
// Log the user out
|
|
|
|
$this->session()->inst_set('loggedInAs', null);
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2009-02-11 22:08:28 +01:00
|
|
|
// Test external redirect
|
|
|
|
$response = $this->doTestLoginForm('noexpiry@silverstripe.com', '1nitialPassword', 'http://myspoofedhost.com');
|
2012-09-26 23:34:00 +02:00
|
|
|
$this->assertNotRegExp('/^' . preg_quote('http://myspoofedhost.com', '/') . '/',
|
|
|
|
(string)$response->getHeader('Location'),
|
2009-02-11 22:08:28 +01:00
|
|
|
"Redirection to external links in login form BackURL gets prevented as a measure against spoofing attacks"
|
|
|
|
);
|
2010-10-13 05:39:04 +02:00
|
|
|
|
|
|
|
// Test external redirection on ChangePasswordForm
|
|
|
|
$this->get('Security/changepassword?BackURL=http://myspoofedhost.com');
|
|
|
|
$changedResponse = $this->doTestChangepasswordForm('1nitialPassword', 'changedPassword');
|
2012-09-26 23:34:00 +02:00
|
|
|
$this->assertNotRegExp('/^' . preg_quote('http://myspoofedhost.com', '/') . '/',
|
|
|
|
(string)$changedResponse->getHeader('Location'),
|
|
|
|
"Redirection to external links in change password form BackURL gets prevented to stop spoofing attacks"
|
2010-10-13 05:39:04 +02:00
|
|
|
);
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2009-02-11 22:08:28 +01:00
|
|
|
// Log the user out
|
|
|
|
$this->session()->inst_set('loggedInAs', null);
|
|
|
|
}
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2008-04-26 08:31:52 +02:00
|
|
|
/**
|
|
|
|
* Test that the login form redirects to the change password form after logging in with an expired password
|
|
|
|
*/
|
2012-09-19 12:07:39 +02:00
|
|
|
public function testExpiredPassword() {
|
2008-04-26 08:32:52 +02:00
|
|
|
/* BAD PASSWORDS ARE LOCKED OUT */
|
2008-08-12 01:04:25 +02:00
|
|
|
$badResponse = $this->doTestLoginForm('sam@silverstripe.com' , 'badpassword');
|
2008-04-26 08:31:52 +02:00
|
|
|
$this->assertEquals(302, $badResponse->getStatusCode());
|
|
|
|
$this->assertRegExp('/Security\/login/', $badResponse->getHeader('Location'));
|
2008-08-12 01:04:25 +02:00
|
|
|
$this->assertNull($this->session()->inst_get('loggedInAs'));
|
2008-04-26 08:31:52 +02:00
|
|
|
|
2008-04-26 08:32:52 +02:00
|
|
|
/* UNEXPIRED PASSWORD GO THROUGH WITHOUT A HITCH */
|
2008-08-12 01:04:25 +02:00
|
|
|
$goodResponse = $this->doTestLoginForm('sam@silverstripe.com' , '1nitialPassword');
|
2008-04-26 08:31:52 +02:00
|
|
|
$this->assertEquals(302, $goodResponse->getStatusCode());
|
|
|
|
$this->assertEquals(Director::baseURL() . 'test/link', $goodResponse->getHeader('Location'));
|
2008-08-12 01:04:25 +02:00
|
|
|
$this->assertEquals($this->idFromFixture('Member', 'test'), $this->session()->inst_get('loggedInAs'));
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2008-04-26 08:32:52 +02:00
|
|
|
/* EXPIRED PASSWORDS ARE SENT TO THE CHANGE PASSWORD FORM */
|
2008-08-12 01:04:25 +02:00
|
|
|
$expiredResponse = $this->doTestLoginForm('expired@silverstripe.com' , '1nitialPassword');
|
2008-04-26 08:32:05 +02:00
|
|
|
$this->assertEquals(302, $expiredResponse->getStatusCode());
|
|
|
|
$this->assertEquals(Director::baseURL() . 'Security/changepassword', $expiredResponse->getHeader('Location'));
|
2014-08-15 08:53:05 +02:00
|
|
|
$this->assertEquals($this->idFromFixture('Member', 'expiredpassword'),
|
2012-09-26 23:34:00 +02:00
|
|
|
$this->session()->inst_get('loggedInAs'));
|
2010-10-13 05:39:04 +02:00
|
|
|
|
|
|
|
// Make sure it redirects correctly after the password has been changed
|
|
|
|
$this->mainSession->followRedirection();
|
|
|
|
$changedResponse = $this->doTestChangepasswordForm('1nitialPassword', 'changedPassword');
|
|
|
|
$this->assertEquals(302, $changedResponse->getStatusCode());
|
|
|
|
$this->assertEquals(Director::baseURL() . 'test/link', $changedResponse->getHeader('Location'));
|
2008-04-26 08:32:05 +02:00
|
|
|
}
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2012-09-19 12:07:39 +02:00
|
|
|
public function testChangePasswordForLoggedInUsers() {
|
2010-10-13 05:39:04 +02:00
|
|
|
$goodResponse = $this->doTestLoginForm('sam@silverstripe.com' , '1nitialPassword');
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2010-10-13 05:39:04 +02:00
|
|
|
// Change the password
|
|
|
|
$this->get('Security/changepassword?BackURL=test/back');
|
|
|
|
$changedResponse = $this->doTestChangepasswordForm('1nitialPassword', 'changedPassword');
|
|
|
|
$this->assertEquals(302, $changedResponse->getStatusCode());
|
|
|
|
$this->assertEquals(Director::baseURL() . 'test/back', $changedResponse->getHeader('Location'));
|
|
|
|
$this->assertEquals($this->idFromFixture('Member', 'test'), $this->session()->inst_get('loggedInAs'));
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2010-10-13 05:39:04 +02:00
|
|
|
// Check if we can login with the new password
|
|
|
|
$goodResponse = $this->doTestLoginForm('sam@silverstripe.com' , 'changedPassword');
|
|
|
|
$this->assertEquals(302, $goodResponse->getStatusCode());
|
|
|
|
$this->assertEquals(Director::baseURL() . 'test/link', $goodResponse->getHeader('Location'));
|
|
|
|
$this->assertEquals($this->idFromFixture('Member', 'test'), $this->session()->inst_get('loggedInAs'));
|
|
|
|
}
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2012-09-19 12:07:39 +02:00
|
|
|
public function testChangePasswordFromLostPassword() {
|
2010-12-09 22:18:49 +01:00
|
|
|
$admin = $this->objFromFixture('Member', 'test');
|
2014-03-03 05:46:02 +01:00
|
|
|
$admin->FailedLoginCount = 99;
|
|
|
|
$admin->LockedOutUntil = SS_Datetime::now()->Format('Y-m-d H:i:s');
|
|
|
|
$admin->write();
|
2010-12-09 22:18:49 +01:00
|
|
|
|
|
|
|
$this->assertNull($admin->AutoLoginHash, 'Hash is empty before lost password');
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2010-12-09 22:18:49 +01:00
|
|
|
// Request new password by email
|
|
|
|
$response = $this->get('Security/lostpassword');
|
2012-04-20 05:02:43 +02:00
|
|
|
$response = $this->post('Security/LostPasswordForm', array('Email' => 'sam@silverstripe.com'));
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2010-12-09 22:18:49 +01:00
|
|
|
$this->assertEmailSent('sam@silverstripe.com');
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2010-12-09 22:18:49 +01:00
|
|
|
// Load password link from email
|
|
|
|
$admin = DataObject::get_by_id('Member', $admin->ID);
|
|
|
|
$this->assertNotNull($admin->AutoLoginHash, 'Hash has been written after lost password');
|
2012-11-08 04:33:19 +01:00
|
|
|
|
|
|
|
// We don't have access to the token - generate a new token and hash pair.
|
|
|
|
$token = $admin->generateAutologinTokenAndStoreHash();
|
|
|
|
|
|
|
|
// Check.
|
|
|
|
$response = $this->get('Security/changepassword/?m='.$admin->ID.'&t=' . $token);
|
2010-12-09 22:18:49 +01:00
|
|
|
$this->assertEquals(302, $response->getStatusCode());
|
|
|
|
$this->assertEquals(Director::baseUrl() . 'Security/changepassword', $response->getHeader('Location'));
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2010-12-09 22:18:49 +01:00
|
|
|
// Follow redirection to form without hash in GET parameter
|
|
|
|
$response = $this->get('Security/changepassword');
|
|
|
|
$changedResponse = $this->doTestChangepasswordForm('1nitialPassword', 'changedPassword');
|
|
|
|
$this->assertEquals($this->idFromFixture('Member', 'test'), $this->session()->inst_get('loggedInAs'));
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2010-12-09 22:18:49 +01:00
|
|
|
// Check if we can login with the new password
|
|
|
|
$goodResponse = $this->doTestLoginForm('sam@silverstripe.com' , 'changedPassword');
|
|
|
|
$this->assertEquals(302, $goodResponse->getStatusCode());
|
|
|
|
$this->assertEquals($this->idFromFixture('Member', 'test'), $this->session()->inst_get('loggedInAs'));
|
2014-03-03 05:46:02 +01:00
|
|
|
|
|
|
|
$admin = DataObject::get_by_id('Member', $admin->ID, false);
|
|
|
|
$this->assertNull($admin->LockedOutUntil);
|
|
|
|
$this->assertEquals(0, $admin->FailedLoginCount);
|
2010-12-09 22:18:49 +01:00
|
|
|
}
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2012-09-19 12:07:39 +02:00
|
|
|
public function testRepeatedLoginAttemptsLockingPeopleOut() {
|
2010-10-19 00:33:41 +02:00
|
|
|
$local = i18n::get_locale();
|
|
|
|
i18n::set_locale('en_US');
|
|
|
|
|
2013-03-21 19:48:54 +01:00
|
|
|
Member::config()->lock_out_after_incorrect_logins = 5;
|
2013-07-11 01:17:02 +02:00
|
|
|
Member::config()->lock_out_delay_mins = 15;
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2013-07-11 01:17:02 +02:00
|
|
|
// Login with a wrong password for more than the defined threshold
|
|
|
|
for($i = 1; $i <= Member::config()->lock_out_after_incorrect_logins+1; $i++) {
|
2008-08-12 01:04:25 +02:00
|
|
|
$this->doTestLoginForm('sam@silverstripe.com' , 'incorrectpassword');
|
2008-04-26 08:32:05 +02:00
|
|
|
$member = DataObject::get_by_id("Member", $this->idFromFixture('Member', 'test'));
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2013-07-11 01:17:02 +02:00
|
|
|
if($i < Member::config()->lock_out_after_incorrect_logins) {
|
|
|
|
$this->assertNull(
|
|
|
|
$member->LockedOutUntil,
|
|
|
|
'User does not have a lockout time set if under threshold for failed attempts'
|
|
|
|
);
|
2014-01-30 22:38:34 +01:00
|
|
|
$this->assertContains($this->loginErrorMessage(), Convert::raw2xml(_t('Member.ERRORWRONGCRED')));
|
2013-07-11 01:17:02 +02:00
|
|
|
} else {
|
|
|
|
// Fuzzy matching for time to avoid side effects from slow running tests
|
|
|
|
$this->assertGreaterThan(
|
2014-08-15 08:53:05 +02:00
|
|
|
time() + 14*60,
|
2013-07-11 01:17:02 +02:00
|
|
|
strtotime($member->LockedOutUntil),
|
|
|
|
'User has a lockout time set after too many failed attempts'
|
|
|
|
);
|
2008-04-26 08:32:05 +02:00
|
|
|
}
|
|
|
|
|
2013-07-11 01:17:02 +02:00
|
|
|
$msg = _t(
|
|
|
|
'Member.ERRORLOCKEDOUT2',
|
|
|
|
'Your account has been temporarily disabled because of too many failed attempts at ' .
|
|
|
|
'logging in. Please try again in {count} minutes.',
|
|
|
|
null,
|
|
|
|
array('count' => Member::config()->lock_out_delay_mins)
|
2014-08-15 08:53:05 +02:00
|
|
|
);
|
2013-07-11 01:17:02 +02:00
|
|
|
if($i > Member::config()->lock_out_after_incorrect_logins) {
|
|
|
|
$this->assertContains($msg, $this->loginErrorMessage());
|
2008-04-26 08:32:05 +02:00
|
|
|
}
|
|
|
|
}
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2008-08-12 01:04:25 +02:00
|
|
|
$this->doTestLoginForm('sam@silverstripe.com' , '1nitialPassword');
|
2013-07-11 01:17:02 +02:00
|
|
|
$this->assertNull(
|
|
|
|
$this->session()->inst_get('loggedInAs'),
|
|
|
|
'The user can\'t log in after being locked out, even with the right password'
|
|
|
|
);
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2008-04-26 08:32:05 +02:00
|
|
|
// (We fake this by re-setting LockedOutUntil)
|
|
|
|
$member = DataObject::get_by_id("Member", $this->idFromFixture('Member', 'test'));
|
2008-07-21 14:21:53 +02:00
|
|
|
$member->LockedOutUntil = date('Y-m-d H:i:s', time() - 30);
|
2008-04-26 08:32:05 +02:00
|
|
|
$member->write();
|
2008-08-12 01:04:25 +02:00
|
|
|
$this->doTestLoginForm('sam@silverstripe.com' , '1nitialPassword');
|
2013-07-11 01:17:02 +02:00
|
|
|
$this->assertEquals(
|
2014-08-15 08:53:05 +02:00
|
|
|
$this->session()->inst_get('loggedInAs'),
|
2013-07-11 01:17:02 +02:00
|
|
|
$member->ID,
|
|
|
|
'After lockout expires, the user can login again'
|
|
|
|
);
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2008-04-26 08:32:05 +02:00
|
|
|
// Log the user out
|
2008-08-12 01:04:25 +02:00
|
|
|
$this->session()->inst_set('loggedInAs', null);
|
2008-04-26 08:32:05 +02:00
|
|
|
|
2013-07-11 01:17:02 +02:00
|
|
|
// Login again with wrong password, but less attempts than threshold
|
|
|
|
for($i = 1; $i < Member::config()->lock_out_after_incorrect_logins; $i++) {
|
|
|
|
$this->doTestLoginForm('sam@silverstripe.com' , 'incorrectpassword');
|
|
|
|
}
|
2008-08-12 01:04:25 +02:00
|
|
|
$this->assertNull($this->session()->inst_get('loggedInAs'));
|
2014-08-22 07:50:36 +02:00
|
|
|
$this->assertContains(
|
|
|
|
$this->loginErrorMessage(),
|
|
|
|
Convert::raw2xml(_t('Member.ERRORWRONGCRED')),
|
2013-07-11 01:17:02 +02:00
|
|
|
'The user can retry with a wrong password after the lockout expires'
|
|
|
|
);
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2008-08-12 01:04:25 +02:00
|
|
|
$this->doTestLoginForm('sam@silverstripe.com' , '1nitialPassword');
|
2013-07-11 01:17:02 +02:00
|
|
|
$this->assertEquals(
|
2014-08-15 08:53:05 +02:00
|
|
|
$this->session()->inst_get('loggedInAs'),
|
2013-07-11 01:17:02 +02:00
|
|
|
$member->ID,
|
|
|
|
'The user can login successfully after lockout expires, if staying below the threshold'
|
|
|
|
);
|
2010-10-19 00:33:41 +02:00
|
|
|
|
|
|
|
i18n::set_locale($local);
|
2008-04-26 08:32:05 +02:00
|
|
|
}
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2012-09-19 12:07:39 +02:00
|
|
|
public function testAlternatingRepeatedLoginAttempts() {
|
2013-03-21 19:48:54 +01:00
|
|
|
Member::config()->lock_out_after_incorrect_logins = 3;
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2008-04-26 08:32:05 +02:00
|
|
|
// ATTEMPTING LOG-IN TWICE WITH ONE ACCOUNT AND TWICE WITH ANOTHER SHOULDN'T LOCK ANYBODY OUT
|
|
|
|
|
2008-08-12 01:04:25 +02:00
|
|
|
$this->doTestLoginForm('sam@silverstripe.com' , 'incorrectpassword');
|
|
|
|
$this->doTestLoginForm('sam@silverstripe.com' , 'incorrectpassword');
|
2008-04-26 08:32:05 +02:00
|
|
|
|
2008-08-12 01:04:25 +02:00
|
|
|
$this->doTestLoginForm('noexpiry@silverstripe.com' , 'incorrectpassword');
|
|
|
|
$this->doTestLoginForm('noexpiry@silverstripe.com' , 'incorrectpassword');
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2008-04-26 08:32:05 +02:00
|
|
|
$member1 = DataObject::get_by_id("Member", $this->idFromFixture('Member', 'test'));
|
|
|
|
$member2 = DataObject::get_by_id("Member", $this->idFromFixture('Member', 'noexpiry'));
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2008-04-26 08:32:05 +02:00
|
|
|
$this->assertNull($member1->LockedOutUntil);
|
|
|
|
$this->assertNull($member2->LockedOutUntil);
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2012-09-26 23:34:00 +02:00
|
|
|
// BUT, DOING AN ADDITIONAL LOG-IN WITH EITHER OF THEM WILL LOCK OUT, SINCE THAT IS THE 3RD FAILURE IN
|
|
|
|
// THIS SESSION
|
2008-04-26 08:32:05 +02:00
|
|
|
|
2008-08-12 01:04:25 +02:00
|
|
|
$this->doTestLoginForm('sam@silverstripe.com' , 'incorrectpassword');
|
2008-04-26 08:32:05 +02:00
|
|
|
$member1 = DataObject::get_by_id("Member", $this->idFromFixture('Member', 'test'));
|
|
|
|
$this->assertNotNull($member1->LockedOutUntil);
|
|
|
|
|
2008-08-12 01:04:25 +02:00
|
|
|
$this->doTestLoginForm('noexpiry@silverstripe.com' , 'incorrectpassword');
|
2008-04-26 08:32:05 +02:00
|
|
|
$member2 = DataObject::get_by_id("Member", $this->idFromFixture('Member', 'noexpiry'));
|
|
|
|
$this->assertNotNull($member2->LockedOutUntil);
|
|
|
|
}
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2012-09-19 12:07:39 +02:00
|
|
|
public function testUnsuccessfulLoginAttempts() {
|
2013-03-21 19:48:54 +01:00
|
|
|
Security::config()->login_recording = true;
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2008-08-11 02:14:48 +02:00
|
|
|
/* UNSUCCESSFUL ATTEMPTS WITH WRONG PASSWORD FOR EXISTING USER ARE LOGGED */
|
2008-08-12 01:04:25 +02:00
|
|
|
$this->doTestLoginForm('sam@silverstripe.com', 'wrongpassword');
|
2013-06-21 00:32:08 +02:00
|
|
|
$attempt = DataObject::get_one('LoginAttempt', array(
|
|
|
|
'"LoginAttempt"."Email"' => 'sam@silverstripe.com'
|
|
|
|
));
|
2008-08-11 02:14:48 +02:00
|
|
|
$this->assertTrue(is_object($attempt));
|
2013-06-21 00:32:08 +02:00
|
|
|
$member = DataObject::get_one('Member', array(
|
|
|
|
'"Member"."Email"' => 'sam@silverstripe.com'
|
|
|
|
));
|
2008-08-11 02:14:48 +02:00
|
|
|
$this->assertEquals($attempt->Status, 'Failure');
|
|
|
|
$this->assertEquals($attempt->Email, 'sam@silverstripe.com');
|
|
|
|
$this->assertEquals($attempt->Member(), $member);
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2008-08-11 02:14:48 +02:00
|
|
|
/* UNSUCCESSFUL ATTEMPTS WITH NONEXISTING USER ARE LOGGED */
|
2008-08-12 01:04:25 +02:00
|
|
|
$this->doTestLoginForm('wronguser@silverstripe.com', 'wrongpassword');
|
2013-06-21 00:32:08 +02:00
|
|
|
$attempt = DataObject::get_one('LoginAttempt', array(
|
|
|
|
'"LoginAttempt"."Email"' => 'wronguser@silverstripe.com'
|
|
|
|
));
|
2008-08-11 02:14:48 +02:00
|
|
|
$this->assertTrue(is_object($attempt));
|
|
|
|
$this->assertEquals($attempt->Status, 'Failure');
|
|
|
|
$this->assertEquals($attempt->Email, 'wronguser@silverstripe.com');
|
2010-10-13 03:35:19 +02:00
|
|
|
$this->assertNotNull(
|
|
|
|
$this->loginErrorMessage(), 'An invalid email returns a message.'
|
|
|
|
);
|
2008-08-11 02:14:48 +02:00
|
|
|
}
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2012-09-19 12:07:39 +02:00
|
|
|
public function testSuccessfulLoginAttempts() {
|
2013-03-21 19:48:54 +01:00
|
|
|
Security::config()->login_recording = true;
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2008-08-11 02:14:48 +02:00
|
|
|
/* SUCCESSFUL ATTEMPTS ARE LOGGED */
|
2008-08-12 01:04:25 +02:00
|
|
|
$this->doTestLoginForm('sam@silverstripe.com', '1nitialPassword');
|
2013-06-21 00:32:08 +02:00
|
|
|
$attempt = DataObject::get_one('LoginAttempt', array(
|
|
|
|
'"LoginAttempt"."Email"' => 'sam@silverstripe.com'
|
|
|
|
));
|
|
|
|
$member = DataObject::get_one('Member', array(
|
|
|
|
'"Member"."Email"' => 'sam@silverstripe.com'
|
|
|
|
));
|
2008-08-11 02:14:48 +02:00
|
|
|
$this->assertTrue(is_object($attempt));
|
|
|
|
$this->assertEquals($attempt->Status, 'Success');
|
|
|
|
$this->assertEquals($attempt->Email, 'sam@silverstripe.com');
|
|
|
|
$this->assertEquals($attempt->Member(), $member);
|
|
|
|
}
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2012-09-19 12:07:39 +02:00
|
|
|
public function testDatabaseIsReadyWithInsufficientMemberColumns() {
|
2010-12-06 00:12:44 +01:00
|
|
|
$old = Security::$force_database_is_ready;
|
|
|
|
Security::$force_database_is_ready = null;
|
2013-10-20 14:23:23 +02:00
|
|
|
Security::$database_is_ready = false;
|
|
|
|
DataObject::clear_classname_spec_cache();
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2010-04-12 23:17:07 +02:00
|
|
|
// Assumption: The database has been built correctly by the test runner,
|
|
|
|
// and has all columns present in the ORM
|
2013-06-21 00:32:08 +02:00
|
|
|
DB::get_schema()->renameField('Member', 'Email', 'Email_renamed');
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2010-04-12 23:17:07 +02:00
|
|
|
// Email column is now missing, which means we're not ready to do permission checks
|
|
|
|
$this->assertFalse(Security::database_is_ready());
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2010-04-12 23:17:07 +02:00
|
|
|
// Rebuild the database (which re-adds the Email column), and try again
|
|
|
|
$this->resetDBSchema(true);
|
|
|
|
$this->assertTrue(Security::database_is_ready());
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2010-12-06 00:12:44 +01:00
|
|
|
Security::$force_database_is_ready = $old;
|
2010-04-12 23:17:07 +02:00
|
|
|
}
|
2008-04-26 08:32:05 +02:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Execute a log-in form using Director::test().
|
|
|
|
* Helper method for the tests above
|
|
|
|
*/
|
2012-09-19 12:07:39 +02:00
|
|
|
public function doTestLoginForm($email, $password, $backURL = 'test/link') {
|
2013-12-20 22:55:54 +01:00
|
|
|
$this->get(Config::inst()->get('Security', 'logout_url'));
|
2010-10-19 02:47:19 +02:00
|
|
|
$this->session()->inst_set('BackURL', $backURL);
|
2011-03-16 04:13:14 +01:00
|
|
|
$this->get(Config::inst()->get('Security', 'login_url'));
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2008-08-12 01:04:25 +02:00
|
|
|
return $this->submitForm(
|
2014-08-15 08:53:05 +02:00
|
|
|
"MemberLoginForm_LoginForm",
|
2008-08-11 02:14:48 +02:00
|
|
|
null,
|
|
|
|
array(
|
2014-08-15 08:53:05 +02:00
|
|
|
'Email' => $email,
|
|
|
|
'Password' => $password,
|
2008-08-11 02:14:48 +02:00
|
|
|
'AuthenticationMethod' => 'MemberAuthenticator',
|
|
|
|
'action_dologin' => 1,
|
|
|
|
)
|
2010-10-19 02:47:19 +02:00
|
|
|
);
|
2008-08-11 02:14:48 +02:00
|
|
|
}
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2010-10-13 05:39:04 +02:00
|
|
|
/**
|
|
|
|
* Helper method to execute a change password form
|
|
|
|
*/
|
2012-09-19 12:07:39 +02:00
|
|
|
public function doTestChangepasswordForm($oldPassword, $newPassword) {
|
2010-10-13 05:39:04 +02:00
|
|
|
return $this->submitForm(
|
2014-08-15 08:53:05 +02:00
|
|
|
"ChangePasswordForm_ChangePasswordForm",
|
2010-10-13 05:39:04 +02:00
|
|
|
null,
|
|
|
|
array(
|
2014-08-15 08:53:05 +02:00
|
|
|
'OldPassword' => $oldPassword,
|
|
|
|
'NewPassword1' => $newPassword,
|
2010-10-13 05:39:04 +02:00
|
|
|
'NewPassword2' => $newPassword,
|
|
|
|
'action_doChangePassword' => 1,
|
|
|
|
)
|
|
|
|
);
|
|
|
|
}
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2008-04-26 08:32:05 +02:00
|
|
|
/**
|
|
|
|
* Get the error message on the login form
|
|
|
|
*/
|
2012-09-19 12:07:39 +02:00
|
|
|
public function loginErrorMessage() {
|
2008-08-12 01:04:25 +02:00
|
|
|
return $this->session()->inst_get('FormInfo.MemberLoginForm_LoginForm.formError.message');
|
2014-08-15 08:53:05 +02:00
|
|
|
}
|
|
|
|
|
2008-08-11 02:14:48 +02:00
|
|
|
}
|
2011-03-28 07:23:06 +02:00
|
|
|
|
|
|
|
class SecurityTest_SecuredController extends Controller implements TestOnly {
|
2013-06-20 11:40:55 +02:00
|
|
|
|
|
|
|
private static $allowed_actions = array('index');
|
|
|
|
|
2012-09-19 12:07:39 +02:00
|
|
|
public function index() {
|
2011-03-28 07:23:06 +02:00
|
|
|
if(!Permission::check('ADMIN')) return Security::permissionFailure($this);
|
2014-08-15 08:53:05 +02:00
|
|
|
|
2011-03-28 07:23:06 +02:00
|
|
|
return 'Success';
|
|
|
|
}
|
2012-03-24 04:04:52 +01:00
|
|
|
}
|
2015-03-11 15:20:57 +01:00
|
|
|
|
|
|
|
class SecurityTest_NullController extends Controller implements TestOnly {
|
|
|
|
|
|
|
|
public function redirect($url, $code = 302) {
|
|
|
|
// NOOP
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|