silverstripe-framework/tests/php/Security/BasicAuthTest.php

<?php

namespace SilverStripe\Security\Tests;

use SilverStripe\Security\Member;
use SilverStripe\Security\Security;
use SilverStripe\Dev\FunctionalTest;
use SilverStripe\Control\Director;
use SilverStripe\Security\Tests\BasicAuthTest\ControllerSecuredWithoutPermission;
use SilverStripe\Security\Tests\BasicAuthTest\ControllerSecuredWithPermission;

/**
 * @skipUpgrade
 */
class BasicAuthTest extends FunctionalTest
{

    static $original_unique_identifier_field;

    protected static $fixture_file = 'BasicAuthTest.yml';

    protected $extraControllers = [
        ControllerSecuredWithPermission::class,
        ControllerSecuredWithoutPermission::class,
    ];

    public function setUp()
    {
        parent::setUp();

        // Fixtures assume Email is the field used to identify the log in identity
        Member::config()->unique_identifier_field = 'Email';
        Security::$force_database_is_ready = true; // Prevents Member test subclasses breaking ready test
        Member::config()->lock_out_after_incorrect_logins = 10;
    }

    public function testBasicAuthEnabledWithoutLogin()
    {
        $origUser = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
        $origPw = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;

        unset($_SERVER['PHP_AUTH_USER']);
        unset($_SERVER['PHP_AUTH_PW']);

        $response = Director::test('BasicAuthTest_ControllerSecuredWithPermission');
        $this->assertEquals(401, $response->getStatusCode());

        $_SERVER['PHP_AUTH_USER'] = $origUser;
        $_SERVER['PHP_AUTH_PW'] = $origPw;
    }

    public function testBasicAuthDoesntCallActionOrFurtherInitOnAuthFailure()
    {
        $origUser = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
        $origPw = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;

        unset($_SERVER['PHP_AUTH_USER']);
        unset($_SERVER['PHP_AUTH_PW']);
        $response = Director::test('BasicAuthTest_ControllerSecuredWithPermission');
        $this->assertFalse(BasicAuthTest\ControllerSecuredWithPermission::$index_called);
        $this->assertFalse(BasicAuthTest\ControllerSecuredWithPermission::$post_init_called);

        $_SERVER['PHP_AUTH_USER'] = 'user-in-mygroup@test.com';
        $_SERVER['PHP_AUTH_PW'] = 'test';
        $response = Director::test('BasicAuthTest_ControllerSecuredWithPermission');
        $this->assertTrue(BasicAuthTest\ControllerSecuredWithPermission::$index_called);
        $this->assertTrue(BasicAuthTest\ControllerSecuredWithPermission::$post_init_called);

        $_SERVER['PHP_AUTH_USER'] = $origUser;
        $_SERVER['PHP_AUTH_PW'] = $origPw;
    }

    public function testBasicAuthEnabledWithPermission()
    {
        $origUser = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
        $origPw = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;

        $_SERVER['PHP_AUTH_USER'] = 'user-in-mygroup@test.com';
        $_SERVER['PHP_AUTH_PW'] = 'wrongpassword';
        $response = Director::test('BasicAuthTest_ControllerSecuredWithPermission');
        $this->assertEquals(401, $response->getStatusCode(), 'Invalid users dont have access');

        $_SERVER['PHP_AUTH_USER'] = 'user-without-groups@test.com';
        $_SERVER['PHP_AUTH_PW'] = 'test';
        $response = Director::test('BasicAuthTest_ControllerSecuredWithPermission');
        $this->assertEquals(401, $response->getStatusCode(), 'Valid user without required permission has no access');

        $_SERVER['PHP_AUTH_USER'] = 'user-in-mygroup@test.com';
        $_SERVER['PHP_AUTH_PW'] = 'test';
        $response = Director::test('BasicAuthTest_ControllerSecuredWithPermission');
        $this->assertEquals(200, $response->getStatusCode(), 'Valid user with required permission has access');

        $_SERVER['PHP_AUTH_USER'] = $origUser;
        $_SERVER['PHP_AUTH_PW'] = $origPw;
    }

    public function testBasicAuthEnabledWithoutPermission()
    {
        $origUser = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
        $origPw = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;

        $_SERVER['PHP_AUTH_USER'] = 'user-without-groups@test.com';
        $_SERVER['PHP_AUTH_PW'] = 'wrongpassword';
        $response = Director::test('BasicAuthTest_ControllerSecuredWithoutPermission');
        $this->assertEquals(401, $response->getStatusCode(), 'Invalid users dont have access');

        $_SERVER['PHP_AUTH_USER'] = 'user-without-groups@test.com';
        $_SERVER['PHP_AUTH_PW'] = 'test';
        $response = Director::test('BasicAuthTest_ControllerSecuredWithoutPermission');
        $this->assertEquals(200, $response->getStatusCode(), 'All valid users have access');

        $_SERVER['PHP_AUTH_USER'] = 'user-in-mygroup@test.com';
        $_SERVER['PHP_AUTH_PW'] = 'test';
        $response = Director::test('BasicAuthTest_ControllerSecuredWithoutPermission');
        $this->assertEquals(200, $response->getStatusCode(), 'All valid users have access');

        $_SERVER['PHP_AUTH_USER'] = $origUser;
        $_SERVER['PHP_AUTH_PW'] = $origPw;
    }

    public function testBasicAuthFailureIncreasesFailedLoginCount()
    {
        // Prior to login
        $check = Member::get()->filter('Email', 'failedlogin@test.com')->first();
        $this->assertEquals(0, $check->FailedLoginCount);

        // First failed attempt
        $_SERVER['PHP_AUTH_USER'] = 'failedlogin@test.com';
        $_SERVER['PHP_AUTH_PW'] = 'test';
        $response = Director::test('BasicAuthTest_ControllerSecuredWithoutPermission');
        $check = Member::get()->filter('Email', 'failedlogin@test.com')->first();
        $this->assertEquals(1, $check->FailedLoginCount);

        // Second failed attempt
        $_SERVER['PHP_AUTH_PW'] = 'testwrong';
        $response = Director::test('BasicAuthTest_ControllerSecuredWithoutPermission');
        $check = Member::get()->filter('Email', 'failedlogin@test.com')->first();
        $this->assertEquals(2, $check->FailedLoginCount);

        // successful basic auth should reset failed login count
        $_SERVER['PHP_AUTH_PW'] = 'Password';
        $response = Director::test('BasicAuthTest_ControllerSecuredWithoutPermission');
        $check = Member::get()->filter('Email', 'failedlogin@test.com')->first();
        $this->assertEquals(0, $check->FailedLoginCount);
    }
}
ENHANCEMENT Allowing custom messages and permission codes in BasicAuth::protect_entire_site() ENHANCEMENT Making $permissionCode argument optional for BasicAuth::requireLogin(). If not set the logic only checks for a valid account (but no group memberships) ENHANCEMENT Using SS_HTTPResponse_Exception instead of header()/die() in BasicAuth::requireLogin() to make it more testable (from r107867) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@112701 467b73ca-7a2a-4603-9d3b-597d59a354a9 2010-10-19 00:29:35 +02:00			`<?php`
API Apply Framework\Security namespace 2016-06-23 01:37:22 +02:00
API Namespace framework tests 2016-10-14 03:30:05 +02:00			`namespace SilverStripe\Security\Tests;`

API Apply Framework\Security namespace 2016-06-23 01:37:22 +02:00			`use SilverStripe\Security\Member;`
			`use SilverStripe\Security\Security;`
API Namespace all classes Namespace all templates Move difflib and BBCodeParser2 to thirdparty Remove deprecated API marked for removal in 4.0 2016-08-19 00:51:35 +02:00			`use SilverStripe\Dev\FunctionalTest;`
			`use SilverStripe\Control\Director;`
API Namespace framework tests 2016-10-14 03:30:05 +02:00			`use SilverStripe\Security\Tests\BasicAuthTest\ControllerSecuredWithoutPermission;`
			`use SilverStripe\Security\Tests\BasicAuthTest\ControllerSecuredWithPermission;`
API Namespace all classes Namespace all templates Move difflib and BBCodeParser2 to thirdparty Remove deprecated API marked for removal in 4.0 2016-08-19 00:51:35 +02:00
ENHANCEMENT Allowing custom messages and permission codes in BasicAuth::protect_entire_site() ENHANCEMENT Making $permissionCode argument optional for BasicAuth::requireLogin(). If not set the logic only checks for a valid account (but no group memberships) ENHANCEMENT Using SS_HTTPResponse_Exception instead of header()/die() in BasicAuth::requireLogin() to make it more testable (from r107867) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@112701 467b73ca-7a2a-4603-9d3b-597d59a354a9 2010-10-19 00:29:35 +02:00			`/**`
API Namespace all classes Namespace all templates Move difflib and BBCodeParser2 to thirdparty Remove deprecated API marked for removal in 4.0 2016-08-19 00:51:35 +02:00			`* @skipUpgrade`
ENHANCEMENT Allowing custom messages and permission codes in BasicAuth::protect_entire_site() ENHANCEMENT Making $permissionCode argument optional for BasicAuth::requireLogin(). If not set the logic only checks for a valid account (but no group memberships) ENHANCEMENT Using SS_HTTPResponse_Exception instead of header()/die() in BasicAuth::requireLogin() to make it more testable (from r107867) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@112701 467b73ca-7a2a-4603-9d3b-597d59a354a9 2010-10-19 00:29:35 +02:00			`*/`
Apply PSR2 / Namespace to remaining admin / tests 2016-12-16 05:34:21 +01:00			`class BasicAuthTest extends FunctionalTest`
			`{`

			`static $original_unique_identifier_field;`

			`protected static $fixture_file = 'BasicAuthTest.yml';`

			`protected $extraControllers = [`
			`ControllerSecuredWithPermission::class,`
			`ControllerSecuredWithoutPermission::class,`
			`];`

			`public function setUp()`
			`{`
			`parent::setUp();`

			`// Fixtures assume Email is the field used to identify the log in identity`
			`Member::config()->unique_identifier_field = 'Email';`
			`Security::$force_database_is_ready = true; // Prevents Member test subclasses breaking ready test`
			`Member::config()->lock_out_after_incorrect_logins = 10;`
			`}`

			`public function testBasicAuthEnabledWithoutLogin()`
			`{`
			`$origUser = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;`
			`$origPw = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;`

			`unset($_SERVER['PHP_AUTH_USER']);`
			`unset($_SERVER['PHP_AUTH_PW']);`

			`$response = Director::test('BasicAuthTest_ControllerSecuredWithPermission');`
			`$this->assertEquals(401, $response->getStatusCode());`

			`$_SERVER['PHP_AUTH_USER'] = $origUser;`
			`$_SERVER['PHP_AUTH_PW'] = $origPw;`
			`}`

			`public function testBasicAuthDoesntCallActionOrFurtherInitOnAuthFailure()`
			`{`
			`$origUser = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;`
			`$origPw = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;`

			`unset($_SERVER['PHP_AUTH_USER']);`
			`unset($_SERVER['PHP_AUTH_PW']);`
			`$response = Director::test('BasicAuthTest_ControllerSecuredWithPermission');`
			`$this->assertFalse(BasicAuthTest\ControllerSecuredWithPermission::$index_called);`
			`$this->assertFalse(BasicAuthTest\ControllerSecuredWithPermission::$post_init_called);`

			`$_SERVER['PHP_AUTH_USER'] = 'user-in-mygroup@test.com';`
			`$_SERVER['PHP_AUTH_PW'] = 'test';`
			`$response = Director::test('BasicAuthTest_ControllerSecuredWithPermission');`
			`$this->assertTrue(BasicAuthTest\ControllerSecuredWithPermission::$index_called);`
			`$this->assertTrue(BasicAuthTest\ControllerSecuredWithPermission::$post_init_called);`

			`$_SERVER['PHP_AUTH_USER'] = $origUser;`
			`$_SERVER['PHP_AUTH_PW'] = $origPw;`
			`}`

			`public function testBasicAuthEnabledWithPermission()`
			`{`
			`$origUser = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;`
			`$origPw = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;`

			`$_SERVER['PHP_AUTH_USER'] = 'user-in-mygroup@test.com';`
			`$_SERVER['PHP_AUTH_PW'] = 'wrongpassword';`
			`$response = Director::test('BasicAuthTest_ControllerSecuredWithPermission');`
			`$this->assertEquals(401, $response->getStatusCode(), 'Invalid users dont have access');`

			`$_SERVER['PHP_AUTH_USER'] = 'user-without-groups@test.com';`
			`$_SERVER['PHP_AUTH_PW'] = 'test';`
			`$response = Director::test('BasicAuthTest_ControllerSecuredWithPermission');`
			`$this->assertEquals(401, $response->getStatusCode(), 'Valid user without required permission has no access');`

			`$_SERVER['PHP_AUTH_USER'] = 'user-in-mygroup@test.com';`
			`$_SERVER['PHP_AUTH_PW'] = 'test';`
			`$response = Director::test('BasicAuthTest_ControllerSecuredWithPermission');`
			`$this->assertEquals(200, $response->getStatusCode(), 'Valid user with required permission has access');`

			`$_SERVER['PHP_AUTH_USER'] = $origUser;`
			`$_SERVER['PHP_AUTH_PW'] = $origPw;`
			`}`

			`public function testBasicAuthEnabledWithoutPermission()`
			`{`
			`$origUser = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;`
			`$origPw = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;`

			`$_SERVER['PHP_AUTH_USER'] = 'user-without-groups@test.com';`
			`$_SERVER['PHP_AUTH_PW'] = 'wrongpassword';`
			`$response = Director::test('BasicAuthTest_ControllerSecuredWithoutPermission');`
			`$this->assertEquals(401, $response->getStatusCode(), 'Invalid users dont have access');`

			`$_SERVER['PHP_AUTH_USER'] = 'user-without-groups@test.com';`
			`$_SERVER['PHP_AUTH_PW'] = 'test';`
			`$response = Director::test('BasicAuthTest_ControllerSecuredWithoutPermission');`
			`$this->assertEquals(200, $response->getStatusCode(), 'All valid users have access');`

			`$_SERVER['PHP_AUTH_USER'] = 'user-in-mygroup@test.com';`
			`$_SERVER['PHP_AUTH_PW'] = 'test';`
			`$response = Director::test('BasicAuthTest_ControllerSecuredWithoutPermission');`
			`$this->assertEquals(200, $response->getStatusCode(), 'All valid users have access');`

			`$_SERVER['PHP_AUTH_USER'] = $origUser;`
			`$_SERVER['PHP_AUTH_PW'] = $origPw;`
			`}`

			`public function testBasicAuthFailureIncreasesFailedLoginCount()`
			`{`
			`// Prior to login`
			`$check = Member::get()->filter('Email', 'failedlogin@test.com')->first();`
			`$this->assertEquals(0, $check->FailedLoginCount);`

			`// First failed attempt`
			`$_SERVER['PHP_AUTH_USER'] = 'failedlogin@test.com';`
			`$_SERVER['PHP_AUTH_PW'] = 'test';`
			`$response = Director::test('BasicAuthTest_ControllerSecuredWithoutPermission');`
			`$check = Member::get()->filter('Email', 'failedlogin@test.com')->first();`
			`$this->assertEquals(1, $check->FailedLoginCount);`

			`// Second failed attempt`
			`$_SERVER['PHP_AUTH_PW'] = 'testwrong';`
			`$response = Director::test('BasicAuthTest_ControllerSecuredWithoutPermission');`
			`$check = Member::get()->filter('Email', 'failedlogin@test.com')->first();`
			`$this->assertEquals(2, $check->FailedLoginCount);`

			`// successful basic auth should reset failed login count`
			`$_SERVER['PHP_AUTH_PW'] = 'Password';`
			`$response = Director::test('BasicAuthTest_ControllerSecuredWithoutPermission');`
			`$check = Member::get()->filter('Email', 'failedlogin@test.com')->first();`
			`$this->assertEquals(0, $check->FailedLoginCount);`
			`}`
ENHANCEMENT Allowing custom messages and permission codes in BasicAuth::protect_entire_site() ENHANCEMENT Making $permissionCode argument optional for BasicAuth::requireLogin(). If not set the logic only checks for a valid account (but no group memberships) ENHANCEMENT Using SS_HTTPResponse_Exception instead of header()/die() in BasicAuth::requireLogin() to make it more testable (from r107867) git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@112701 467b73ca-7a2a-4603-9d3b-597d59a354a9 2010-10-19 00:29:35 +02:00			`}`