PageRenderTime 60ms CodeModel.GetById 25ms RepoModel.GetById 1ms app.codeStats 0ms

/trunk/cake/cake/tests/cases/libs/controller/components/security.test.php

http://goldcat.googlecode.com/
PHP | 1163 lines | 675 code | 113 blank | 375 comment | 5 complexity | f52cd270a0a9dde94535669099f696c5 MD5 | raw file
Possible License(s): AGPL-3.0, AGPL-1.0, BSD-3-Clause
  1. <?php
  2. /* SVN FILE: $Id$ */
  3. /**
  4. * SecurityComponentTest file
  5. *
  6. * Long description for file
  7. *
  8. * PHP versions 4 and 5
  9. *
  10. * CakePHP(tm) Tests <https://trac.cakephp.org/wiki/Developement/TestSuite>
  11. * Copyright 2005-2008, Cake Software Foundation, Inc. (http://www.cakefoundation.org)
  12. *
  13. * Licensed under The Open Group Test Suite License
  14. * Redistributions of files must retain the above copyright notice.
  15. *
  16. * @filesource
  17. * @copyright Copyright 2005-2008, Cake Software Foundation, Inc. (http://www.cakefoundation.org)
  18. * @link https://trac.cakephp.org/wiki/Developement/TestSuite CakePHP(tm) Tests
  19. * @package cake
  20. * @subpackage cake.tests.cases.libs.controller.components
  21. * @since CakePHP(tm) v 1.2.0.5435
  22. * @version $Revision$
  23. * @modifiedby $LastChangedBy$
  24. * @lastmodified $Date$
  25. * @license http://www.opensource.org/licenses/opengroup.php The Open Group Test Suite License
  26. */
  27. App::import('Component', 'Security');
  28. /**
  29. * TestSecurityComponent
  30. *
  31. * @package cake
  32. * @subpackage cake.tests.cases.libs.controller.components
  33. */
  34. class TestSecurityComponent extends SecurityComponent {
  35. /**
  36. * validatePost method
  37. *
  38. * @param Controller $controller
  39. * @return unknown
  40. */
  41. function validatePost(&$controller) {
  42. return $this->_validatePost($controller);
  43. }
  44. }
  45. /**
  46. * SecurityTestController
  47. *
  48. * @package cake
  49. * @subpackage cake.tests.cases.libs.controller.components
  50. */
  51. class SecurityTestController extends Controller {
  52. /**
  53. * name property
  54. *
  55. * @var string 'SecurityTest'
  56. * @access public
  57. */
  58. var $name = 'SecurityTest';
  59. /**
  60. * components property
  61. *
  62. * @var array
  63. * @access public
  64. */
  65. var $components = array('TestSecurity');
  66. /**
  67. * failed property
  68. *
  69. * @var bool false
  70. * @access public
  71. */
  72. var $failed = false;
  73. /**
  74. * Used for keeping track of headers in test
  75. *
  76. * @var array
  77. * @access public
  78. */
  79. var $testHeaders = array();
  80. /**
  81. * fail method
  82. *
  83. * @access public
  84. * @return void
  85. */
  86. function fail() {
  87. $this->failed = true;
  88. }
  89. /**
  90. * redirect method
  91. *
  92. * @param mixed $option
  93. * @param mixed $code
  94. * @param mixed $exit
  95. * @access public
  96. * @return void
  97. */
  98. function redirect($option, $code, $exit) {
  99. return $code;
  100. }
  101. /**
  102. * Conveinence method for header()
  103. *
  104. * @param string $status
  105. * @return void
  106. * @access public
  107. */
  108. function header($status) {
  109. $this->testHeaders[] = $status;
  110. }
  111. }
  112. /**
  113. * SecurityComponentTest class
  114. *
  115. * @package cake
  116. * @subpackage cake.tests.cases.libs.controller.components
  117. */
  118. class SecurityComponentTest extends CakeTestCase {
  119. /**
  120. * Controller property
  121. *
  122. * @var SecurityTestController
  123. * @access public
  124. */
  125. var $Controller;
  126. /**
  127. * oldSalt property
  128. *
  129. * @var string
  130. * @access public
  131. */
  132. var $oldSalt;
  133. /**
  134. * setUp method
  135. *
  136. * @access public
  137. * @return void
  138. */
  139. function setUp() {
  140. $this->Controller =& new SecurityTestController();
  141. $this->Controller->Component->init($this->Controller);
  142. $this->Controller->Security =& $this->Controller->TestSecurity;
  143. $this->Controller->Security->blackHoleCallback = 'fail';
  144. $this->oldSalt = Configure::read('Security.salt');
  145. Configure::write('Security.salt', 'foo!');
  146. }
  147. /**
  148. * Tear-down method. Resets environment state.
  149. *
  150. * @access public
  151. * @return void
  152. */
  153. function tearDown() {
  154. Configure::write('Security.salt', $this->oldSalt);
  155. $this->Controller->Session->del('_Token');
  156. unset($this->Controller->Security);
  157. unset($this->Controller->Component);
  158. unset($this->Controller);
  159. }
  160. /**
  161. * testStartup method
  162. *
  163. * @access public
  164. * @return void
  165. */
  166. function testStartup() {
  167. $this->Controller->Security->startup($this->Controller);
  168. $result = $this->Controller->params['_Token']['key'];
  169. $this->assertNotNull($result);
  170. $this->assertTrue($this->Controller->Session->check('_Token'));
  171. }
  172. /**
  173. * testRequirePostFail method
  174. *
  175. * @access public
  176. * @return void
  177. */
  178. function testRequirePostFail() {
  179. $_SERVER['REQUEST_METHOD'] = 'GET';
  180. $this->Controller->action = 'posted';
  181. $this->Controller->Security->requirePost('posted');
  182. $this->Controller->Security->startup($this->Controller);
  183. $this->assertTrue($this->Controller->failed);
  184. }
  185. /**
  186. * testRequirePostSucceed method
  187. *
  188. * @access public
  189. * @return void
  190. */
  191. function testRequirePostSucceed() {
  192. $_SERVER['REQUEST_METHOD'] = 'POST';
  193. $this->Controller->action = 'posted';
  194. $this->Controller->Security->requirePost('posted');
  195. $this->Controller->Security->startup($this->Controller);
  196. $this->assertFalse($this->Controller->failed);
  197. }
  198. /**
  199. * testRequireSecureFail method
  200. *
  201. * @access public
  202. * @return void
  203. */
  204. function testRequireSecureFail() {
  205. $_SERVER['REQUEST_METHOD'] = 'POST';
  206. $this->Controller->action = 'posted';
  207. $this->Controller->Security->requireSecure('posted');
  208. $this->Controller->Security->startup($this->Controller);
  209. $this->assertTrue($this->Controller->failed);
  210. }
  211. /**
  212. * testRequireSecureSucceed method
  213. *
  214. * @access public
  215. * @return void
  216. */
  217. function testRequireSecureSucceed() {
  218. $_SERVER['REQUEST_METHOD'] = 'Secure';
  219. $this->Controller->action = 'posted';
  220. $_SERVER['HTTPS'] = 'on';
  221. $this->Controller->Security->requireSecure('posted');
  222. $this->Controller->Security->startup($this->Controller);
  223. $this->assertFalse($this->Controller->failed);
  224. }
  225. /**
  226. * testRequireAuthFail method
  227. *
  228. * @access public
  229. * @return void
  230. */
  231. function testRequireAuthFail() {
  232. $_SERVER['REQUEST_METHOD'] = 'AUTH';
  233. $this->Controller->action = 'posted';
  234. $this->Controller->data = array('username' => 'willy', 'password' => 'somePass');
  235. $this->Controller->Security->requireAuth('posted');
  236. $this->Controller->Security->startup($this->Controller);
  237. $this->assertTrue($this->Controller->failed);
  238. $this->Controller->Session->write('_Token', array('allowedControllers' => array()));
  239. $this->Controller->data = array('username' => 'willy', 'password' => 'somePass');
  240. $this->Controller->action = 'posted';
  241. $this->Controller->Security->requireAuth('posted');
  242. $this->Controller->Security->startup($this->Controller);
  243. $this->assertTrue($this->Controller->failed);
  244. $this->Controller->Session->write('_Token', array(
  245. 'allowedControllers' => array('SecurityTest'), 'allowedActions' => array('posted2')
  246. ));
  247. $this->Controller->data = array('username' => 'willy', 'password' => 'somePass');
  248. $this->Controller->action = 'posted';
  249. $this->Controller->Security->requireAuth('posted');
  250. $this->Controller->Security->startup($this->Controller);
  251. $this->assertTrue($this->Controller->failed);
  252. }
  253. /**
  254. * testRequireAuthSucceed method
  255. *
  256. * @access public
  257. * @return void
  258. */
  259. function testRequireAuthSucceed() {
  260. $_SERVER['REQUEST_METHOD'] = 'AUTH';
  261. $this->Controller->action = 'posted';
  262. $this->Controller->Security->requireAuth('posted');
  263. $this->Controller->Security->startup($this->Controller);
  264. $this->assertFalse($this->Controller->failed);
  265. $this->Controller->Security->Session->write('_Token', serialize(array(
  266. 'allowedControllers' => array('SecurityTest'), 'allowedActions' => array('posted')
  267. )));
  268. $this->Controller->params['controller'] = 'SecurityTest';
  269. $this->Controller->params['action'] = 'posted';
  270. $this->Controller->data = array(
  271. 'username' => 'willy', 'password' => 'somePass', '_Token' => ''
  272. );
  273. $this->Controller->action = 'posted';
  274. $this->Controller->Security->requireAuth('posted');
  275. $this->Controller->Security->startup($this->Controller);
  276. $this->assertFalse($this->Controller->failed);
  277. }
  278. /**
  279. * testRequirePostSucceedWrongMethod method
  280. *
  281. * @access public
  282. * @return void
  283. */
  284. function testRequirePostSucceedWrongMethod() {
  285. $_SERVER['REQUEST_METHOD'] = 'GET';
  286. $this->Controller->action = 'getted';
  287. $this->Controller->Security->requirePost('posted');
  288. $this->Controller->Security->startup($this->Controller);
  289. $this->assertFalse($this->Controller->failed);
  290. }
  291. /**
  292. * testRequireGetFail method
  293. *
  294. * @access public
  295. * @return void
  296. */
  297. function testRequireGetFail() {
  298. $_SERVER['REQUEST_METHOD'] = 'POST';
  299. $this->Controller->action = 'getted';
  300. $this->Controller->Security->requireGet('getted');
  301. $this->Controller->Security->startup($this->Controller);
  302. $this->assertTrue($this->Controller->failed);
  303. }
  304. /**
  305. * testRequireGetSucceed method
  306. *
  307. * @access public
  308. * @return void
  309. */
  310. function testRequireGetSucceed() {
  311. $_SERVER['REQUEST_METHOD'] = 'GET';
  312. $this->Controller->action = 'getted';
  313. $this->Controller->Security->requireGet('getted');
  314. $this->Controller->Security->startup($this->Controller);
  315. $this->assertFalse($this->Controller->failed);
  316. }
  317. /**
  318. * testRequireLogin method
  319. *
  320. * @access public
  321. * @return void
  322. */
  323. function testRequireLogin() {
  324. $this->Controller->action = 'posted';
  325. $this->Controller->Security->requireLogin(
  326. 'posted',
  327. array('type' => 'basic', 'users' => array('admin' => 'password'))
  328. );
  329. $_SERVER['PHP_AUTH_USER'] = 'admin';
  330. $_SERVER['PHP_AUTH_PW'] = 'password';
  331. $this->Controller->Security->startup($this->Controller);
  332. $this->assertFalse($this->Controller->failed);
  333. $this->Controller->action = 'posted';
  334. $this->Controller->Security->requireLogin(
  335. 'posted',
  336. array('type' => 'basic', 'users' => array('admin' => 'password'))
  337. );
  338. $_SERVER['PHP_AUTH_USER'] = 'admin2';
  339. $_SERVER['PHP_AUTH_PW'] = 'password';
  340. $this->Controller->Security->startup($this->Controller);
  341. $this->assertTrue($this->Controller->failed);
  342. $this->Controller->action = 'posted';
  343. $this->Controller->Security->requireLogin(
  344. 'posted',
  345. array('type' => 'basic', 'users' => array('admin' => 'password'))
  346. );
  347. $_SERVER['PHP_AUTH_USER'] = 'admin';
  348. $_SERVER['PHP_AUTH_PW'] = 'password2';
  349. $this->Controller->Security->startup($this->Controller);
  350. $this->assertTrue($this->Controller->failed);
  351. }
  352. /**
  353. * testDigestAuth method
  354. *
  355. * @access public
  356. * @return void
  357. */
  358. function testDigestAuth() {
  359. $skip = $this->skipIf((version_compare(PHP_VERSION, '5.1') == -1) XOR (!function_exists('apache_request_headers')),
  360. "%s Cannot run Digest Auth test for PHP versions < 5.1"
  361. );
  362. if ($skip) {
  363. return;
  364. }
  365. $this->Controller->action = 'posted';
  366. $_SERVER['PHP_AUTH_DIGEST'] = $digest = <<<DIGEST
  367. Digest username="Mufasa",
  368. realm="testrealm@host.com",
  369. nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
  370. uri="/dir/index.html",
  371. qop=auth,
  372. nc=00000001,
  373. cnonce="0a4f113b",
  374. response="460d0d3c6867c2f1ab85b1ada1aece48",
  375. opaque="5ccc069c403ebaf9f0171e9517f40e41"
  376. DIGEST;
  377. $this->Controller->Security->requireLogin('posted', array(
  378. 'type' => 'digest', 'users' => array('Mufasa' => 'password'),
  379. 'realm' => 'testrealm@host.com'
  380. ));
  381. $this->Controller->Security->startup($this->Controller);
  382. $this->assertFalse($this->Controller->failed);
  383. }
  384. /**
  385. * testRequireGetSucceedWrongMethod method
  386. *
  387. * @access public
  388. * @return void
  389. */
  390. function testRequireGetSucceedWrongMethod() {
  391. $_SERVER['REQUEST_METHOD'] = 'POST';
  392. $this->Controller->action = 'posted';
  393. $this->Controller->Security->requireGet('getted');
  394. $this->Controller->Security->startup($this->Controller);
  395. $this->assertFalse($this->Controller->failed);
  396. }
  397. /**
  398. * testRequirePutFail method
  399. *
  400. * @access public
  401. * @return void
  402. */
  403. function testRequirePutFail() {
  404. $_SERVER['REQUEST_METHOD'] = 'POST';
  405. $this->Controller->action = 'putted';
  406. $this->Controller->Security->requirePut('putted');
  407. $this->Controller->Security->startup($this->Controller);
  408. $this->assertTrue($this->Controller->failed);
  409. }
  410. /**
  411. * testRequirePutSucceed method
  412. *
  413. * @access public
  414. * @return void
  415. */
  416. function testRequirePutSucceed() {
  417. $_SERVER['REQUEST_METHOD'] = 'PUT';
  418. $this->Controller->action = 'putted';
  419. $this->Controller->Security->requirePut('putted');
  420. $this->Controller->Security->startup($this->Controller);
  421. $this->assertFalse($this->Controller->failed);
  422. }
  423. /**
  424. * testRequirePutSucceedWrongMethod method
  425. *
  426. * @access public
  427. * @return void
  428. */
  429. function testRequirePutSucceedWrongMethod() {
  430. $_SERVER['REQUEST_METHOD'] = 'POST';
  431. $this->Controller->action = 'posted';
  432. $this->Controller->Security->requirePut('putted');
  433. $this->Controller->Security->startup($this->Controller);
  434. $this->assertFalse($this->Controller->failed);
  435. }
  436. /**
  437. * testRequireDeleteFail method
  438. *
  439. * @access public
  440. * @return void
  441. */
  442. function testRequireDeleteFail() {
  443. $_SERVER['REQUEST_METHOD'] = 'POST';
  444. $this->Controller->action = 'deleted';
  445. $this->Controller->Security->requireDelete('deleted');
  446. $this->Controller->Security->startup($this->Controller);
  447. $this->assertTrue($this->Controller->failed);
  448. }
  449. /**
  450. * testRequireDeleteSucceed method
  451. *
  452. * @access public
  453. * @return void
  454. */
  455. function testRequireDeleteSucceed() {
  456. $_SERVER['REQUEST_METHOD'] = 'DELETE';
  457. $this->Controller->action = 'deleted';
  458. $this->Controller->Security->requireDelete('deleted');
  459. $this->Controller->Security->startup($this->Controller);
  460. $this->assertFalse($this->Controller->failed);
  461. }
  462. /**
  463. * testRequireDeleteSucceedWrongMethod method
  464. *
  465. * @access public
  466. * @return void
  467. */
  468. function testRequireDeleteSucceedWrongMethod() {
  469. $_SERVER['REQUEST_METHOD'] = 'POST';
  470. $this->Controller->action = 'posted';
  471. $this->Controller->Security->requireDelete('deleted');
  472. $this->Controller->Security->startup($this->Controller);
  473. $this->assertFalse($this->Controller->failed);
  474. }
  475. /**
  476. * testRequireLoginSettings method
  477. *
  478. * @access public
  479. * @return void
  480. */
  481. function testRequireLoginSettings() {
  482. $this->Controller->Security->requireLogin(
  483. 'add', 'edit',
  484. array('type' => 'basic', 'users' => array('admin' => 'password'))
  485. );
  486. $this->assertEqual($this->Controller->Security->requireLogin, array('add', 'edit'));
  487. $this->assertEqual($this->Controller->Security->loginUsers, array('admin' => 'password'));
  488. }
  489. /**
  490. * testRequireLoginAllActions method
  491. *
  492. * @access public
  493. * @return void
  494. */
  495. function testRequireLoginAllActions() {
  496. $this->Controller->Security->requireLogin(
  497. array('type' => 'basic', 'users' => array('admin' => 'password'))
  498. );
  499. $this->assertEqual($this->Controller->Security->requireLogin, array('*'));
  500. $this->assertEqual($this->Controller->Security->loginUsers, array('admin' => 'password'));
  501. }
  502. /**
  503. * Simple hash validation test
  504. *
  505. * @access public
  506. * @return void
  507. */
  508. function testValidatePost() {
  509. $this->Controller->Security->startup($this->Controller);
  510. $key = $this->Controller->params['_Token']['key'];
  511. $fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877%3An%3A1%3A%7Bv%3A0%3B';
  512. $fields .= 'f%3A11%3A%22Zbqry.inyvq%22%3B%7D';
  513. $this->Controller->data = array(
  514. 'Model' => array('username' => 'nate', 'password' => 'foo', 'valid' => '0'),
  515. '_Token' => compact('key', 'fields')
  516. );
  517. $this->assertTrue($this->Controller->Security->validatePost($this->Controller));
  518. }
  519. /**
  520. * Tests validation of checkbox arrays
  521. *
  522. * @access public
  523. * @return void
  524. */
  525. function testValidatePostArray() {
  526. $this->Controller->Security->startup($this->Controller);
  527. $key = $this->Controller->params['_Token']['key'];
  528. $fields = 'f7d573650a295b94e0938d32b323fde775e5f32b%3An%3A0%3A%7B%7D';
  529. $this->Controller->data = array(
  530. 'Model' => array('multi_field' => array('1', '3')),
  531. '_Token' => compact('key', 'fields')
  532. );
  533. $this->assertTrue($this->Controller->Security->validatePost($this->Controller));
  534. }
  535. /**
  536. * testValidatePostNoModel method
  537. *
  538. * @access public
  539. * @return void
  540. */
  541. function testValidatePostNoModel() {
  542. $this->Controller->Security->startup($this->Controller);
  543. $key = $this->Controller->params['_Token']['key'];
  544. $fields = '540ac9c60d323c22bafe997b72c0790f39a8bdef%3An%3A0%3A%7B%7D';
  545. $this->Controller->data = array(
  546. 'anything' => 'some_data',
  547. '_Token' => compact('key', 'fields')
  548. );
  549. $result = $this->Controller->Security->validatePost($this->Controller);
  550. $this->assertTrue($result);
  551. }
  552. /**
  553. * testValidatePostSimple method
  554. *
  555. * @access public
  556. * @return void
  557. */
  558. function testValidatePostSimple() {
  559. $this->Controller->Security->startup($this->Controller);
  560. $key = $this->Controller->params['_Token']['key'];
  561. $fields = '69f493434187b867ea14b901fdf58b55d27c935d%3An%3A0%3A%7B%7D';
  562. $this->Controller->data = $data = array(
  563. 'Model' => array('username' => '', 'password' => ''),
  564. '_Token' => compact('key', 'fields')
  565. );
  566. $result = $this->Controller->Security->validatePost($this->Controller);
  567. $this->assertTrue($result);
  568. }
  569. /**
  570. * Tests hash validation for multiple records, including locked fields
  571. *
  572. * @access public
  573. * @return void
  574. */
  575. function testValidatePostComplex() {
  576. $this->Controller->Security->startup($this->Controller);
  577. $key = $this->Controller->params['_Token']['key'];
  578. $fields = 'c9118120e680a7201b543f562e5301006ccfcbe2%3An%3A2%3A%7Bv%3A0%3Bf%3A14%3A%';
  579. $fields .= '22Nqqerffrf.0.vq%22%3Bv%3A1%3Bf%3A14%3A%22Nqqerffrf.1.vq%22%3B%7D';
  580. $this->Controller->data = array(
  581. 'Addresses' => array(
  582. '0' => array(
  583. 'id' => '123456', 'title' => '', 'first_name' => '', 'last_name' => '',
  584. 'address' => '', 'city' => '', 'phone' => '', 'primary' => ''
  585. ),
  586. '1' => array(
  587. 'id' => '654321', 'title' => '', 'first_name' => '', 'last_name' => '',
  588. 'address' => '', 'city' => '', 'phone' => '', 'primary' => ''
  589. )
  590. ),
  591. '_Token' => compact('key', 'fields')
  592. );
  593. $result = $this->Controller->Security->validatePost($this->Controller);
  594. $this->assertTrue($result);
  595. }
  596. /**
  597. * test ValidatePost with multiple select elements.
  598. *
  599. * @return void
  600. **/
  601. function testValidatePostMultipleSelect() {
  602. $this->Controller->Security->startup($this->Controller);
  603. $key = $this->Controller->params['_Token']['key'];
  604. $fields = '422cde416475abc171568be690a98cad20e66079%3An%3A0%3A%7B%7D';
  605. $this->Controller->data = array(
  606. 'Tag' => array('Tag' => array(1, 2)),
  607. '_Token' => compact('key', 'fields'),
  608. );
  609. $result = $this->Controller->Security->validatePost($this->Controller);
  610. $this->assertTrue($result);
  611. $this->Controller->data = array(
  612. 'Tag' => array('Tag' => array(1, 2, 3)),
  613. '_Token' => compact('key', 'fields'),
  614. );
  615. $result = $this->Controller->Security->validatePost($this->Controller);
  616. $this->assertTrue($result);
  617. $this->Controller->data = array(
  618. 'Tag' => array('Tag' => array(1, 2, 3, 4)),
  619. '_Token' => compact('key', 'fields'),
  620. );
  621. $result = $this->Controller->Security->validatePost($this->Controller);
  622. $this->assertTrue($result);
  623. $fields = '19464422eafe977ee729c59222af07f983010c5f%3An%3A0%3A%7B%7D';
  624. $this->Controller->data = array(
  625. 'User.password' => 'bar', 'User.name' => 'foo', 'User.is_valid' => '1',
  626. 'Tag' => array('Tag' => array(1)), '_Token' => compact('key', 'fields'),
  627. );
  628. $result = $this->Controller->Security->validatePost($this->Controller);
  629. $this->assertTrue($result);
  630. }
  631. /**
  632. * testValidatePostCheckbox method
  633. *
  634. * First block tests un-checked checkbox
  635. * Second block tests checked checkbox
  636. *
  637. * @access public
  638. * @return void
  639. */
  640. function testValidatePostCheckbox() {
  641. $this->Controller->Security->startup($this->Controller);
  642. $key = $this->Controller->params['_Token']['key'];
  643. $fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877%3An%3A1%3A%7Bv%3A0%';
  644. $fields .= '3Bf%3A11%3A%22Zbqry.inyvq%22%3B%7D';
  645. $this->Controller->data = array(
  646. 'Model' => array('username' => '', 'password' => '', 'valid' => '0'),
  647. '_Token' => compact('key', 'fields')
  648. );
  649. $result = $this->Controller->Security->validatePost($this->Controller);
  650. $this->assertTrue($result);
  651. $fields = '874439ca69f89b4c4a5f50fb9c36ff56a28f5d42%3An%3A0%3A%7B%7D';
  652. $this->Controller->data = array(
  653. 'Model' => array('username' => '', 'password' => '', 'valid' => '0'),
  654. '_Token' => compact('key', 'fields')
  655. );
  656. $result = $this->Controller->Security->validatePost($this->Controller);
  657. $this->assertTrue($result);
  658. $this->Controller->data = array();
  659. $this->Controller->Security->startup($this->Controller);
  660. $key = $this->Controller->params['_Token']['key'];
  661. $this->Controller->data = $data = array(
  662. 'Model' => array('username' => '', 'password' => '', 'valid' => '0'),
  663. '_Token' => compact('key', 'fields')
  664. );
  665. $result = $this->Controller->Security->validatePost($this->Controller);
  666. $this->assertTrue($result);
  667. }
  668. /**
  669. * testValidatePostHidden method
  670. *
  671. * @access public
  672. * @return void
  673. */
  674. function testValidatePostHidden() {
  675. $this->Controller->Security->startup($this->Controller);
  676. $key = $this->Controller->params['_Token']['key'];
  677. $fields = '51ccd8cb0997c7b3d4523ecde5a109318405ef8c%3An%3A2%3A%7Bv%3A0%3Bf%3A12%3A';
  678. $fields .= '%22Zbqry.uvqqra%22%3Bv%3A1%3Bf%3A18%3A%22Zbqry.bgure_uvqqra%22%3B%7D';
  679. $this->Controller->data = array(
  680. 'Model' => array(
  681. 'username' => '', 'password' => '', 'hidden' => '0',
  682. 'other_hidden' => 'some hidden value'
  683. ),
  684. '_Token' => compact('key', 'fields')
  685. );
  686. $result = $this->Controller->Security->validatePost($this->Controller);
  687. $this->assertTrue($result);
  688. }
  689. /**
  690. * testValidatePostWithDisabledFields method
  691. *
  692. * @access public
  693. * @return void
  694. */
  695. function testValidatePostWithDisabledFields() {
  696. $this->Controller->Security->disabledFields = array('Model.username', 'Model.password');
  697. $this->Controller->Security->startup($this->Controller);
  698. $key = $this->Controller->params['_Token']['key'];
  699. $fields = 'ef1082968c449397bcd849f963636864383278b1%3An%3A1%3A%7Bv%';
  700. $fields .= '3A0%3Bf%3A12%3A%22Zbqry.uvqqra%22%3B%7D';
  701. $this->Controller->data = array(
  702. 'Model' => array(
  703. 'username' => '', 'password' => '', 'hidden' => '0'
  704. ),
  705. '_Token' => compact('fields', 'key')
  706. );
  707. $result = $this->Controller->Security->validatePost($this->Controller);
  708. $this->assertTrue($result);
  709. }
  710. /**
  711. * testValidateHiddenMultipleModel method
  712. *
  713. * @access public
  714. * @return void
  715. */
  716. function testValidateHiddenMultipleModel() {
  717. $this->Controller->Security->startup($this->Controller);
  718. $key = $this->Controller->params['_Token']['key'];
  719. $fields = 'a2d01072dc4660eea9d15007025f35a7a5b58e18%3An%3A3%3A%7Bv%3A0%3Bf%3A11';
  720. $fields .= '%3A%22Zbqry.inyvq%22%3Bv%3A1%3Bf%3A12%3A%22Zbqry2.inyvq%22%3Bv%3A2%';
  721. $fields .= '3Bf%3A12%3A%22Zbqry3.inyvq%22%3B%7D';
  722. $this->Controller->data = array(
  723. 'Model' => array('username' => '', 'password' => '', 'valid' => '0'),
  724. 'Model2' => array('valid' => '0'),
  725. 'Model3' => array('valid' => '0'),
  726. '_Token' => compact('key', 'fields')
  727. );
  728. $result = $this->Controller->Security->validatePost($this->Controller);
  729. $this->assertTrue($result);
  730. }
  731. /**
  732. * testLoginValidation method
  733. *
  734. * @access public
  735. * @return void
  736. */
  737. function testLoginValidation() {
  738. }
  739. /**
  740. * testValidateHasManyModel method
  741. *
  742. * @access public
  743. * @return void
  744. */
  745. function testValidateHasManyModel() {
  746. $this->Controller->Security->startup($this->Controller);
  747. $key = $this->Controller->params['_Token']['key'];
  748. $fields = '51e3b55a6edd82020b3f29c9ae200e14bbeb7ee5%3An%3A4%3A%7Bv%3A0%3Bf%3A14%3A%2';
  749. $fields .= '2Zbqry.0.uvqqra%22%3Bv%3A1%3Bf%3A13%3A%22Zbqry.0.inyvq%22%3Bv%3A2%3Bf%3';
  750. $fields .= 'A14%3A%22Zbqry.1.uvqqra%22%3Bv%3A3%3Bf%3A13%3A%22Zbqry.1.inyvq%22%3B%7D';
  751. $this->Controller->data = array(
  752. 'Model' => array(
  753. array(
  754. 'username' => 'username', 'password' => 'password',
  755. 'hidden' => 'value', 'valid' => '0'
  756. ),
  757. array(
  758. 'username' => 'username', 'password' => 'password',
  759. 'hidden' => 'value', 'valid' => '0'
  760. )
  761. ),
  762. '_Token' => compact('key', 'fields')
  763. );
  764. $result = $this->Controller->Security->validatePost($this->Controller);
  765. $this->assertTrue($result);
  766. }
  767. /**
  768. * testValidateHasManyRecordsPass method
  769. *
  770. * @access public
  771. * @return void
  772. */
  773. function testValidateHasManyRecordsPass() {
  774. $this->Controller->Security->startup($this->Controller);
  775. $key = $this->Controller->params['_Token']['key'];
  776. $fields = '7a203edb3d345bbf38fe0dccae960da8842e11d7%3An%3A4%3A%7Bv%3A0%3Bf%3A12%3A%2';
  777. $fields .= '2Nqqerff.0.vq%22%3Bv%3A1%3Bf%3A17%3A%22Nqqerff.0.cevznel%22%3Bv%3A2%3Bf%';
  778. $fields .= '3A12%3A%22Nqqerff.1.vq%22%3Bv%3A3%3Bf%3A17%3A%22Nqqerff.1.cevznel%22%3B%7D';
  779. $this->Controller->data = array(
  780. 'Address' => array(
  781. 0 => array(
  782. 'id' => '123',
  783. 'title' => 'home',
  784. 'first_name' => 'Bilbo',
  785. 'last_name' => 'Baggins',
  786. 'address' => '23 Bag end way',
  787. 'city' => 'the shire',
  788. 'phone' => 'N/A',
  789. 'primary' => '1',
  790. ),
  791. 1 => array(
  792. 'id' => '124',
  793. 'title' => 'home',
  794. 'first_name' => 'Frodo',
  795. 'last_name' => 'Baggins',
  796. 'address' => '50 Bag end way',
  797. 'city' => 'the shire',
  798. 'phone' => 'N/A',
  799. 'primary' => '1'
  800. )
  801. ),
  802. '_Token' => compact('key', 'fields')
  803. );
  804. $result = $this->Controller->Security->validatePost($this->Controller);
  805. $this->assertTrue($result);
  806. }
  807. /**
  808. * testValidateHasManyRecords method
  809. *
  810. * validatePost should fail, hidden fields have been changed.
  811. *
  812. * @access public
  813. * @return void
  814. */
  815. function testValidateHasManyRecordsFail() {
  816. $this->Controller->Security->startup($this->Controller);
  817. $key = $this->Controller->params['_Token']['key'];
  818. $fields = '7a203edb3d345bbf38fe0dccae960da8842e11d7%3An%3A4%3A%7Bv%3A0%3Bf%3A12%3A%2';
  819. $fields .= '2Nqqerff.0.vq%22%3Bv%3A1%3Bf%3A17%3A%22Nqqerff.0.cevznel%22%3Bv%3A2%3Bf%';
  820. $fields .= '3A12%3A%22Nqqerff.1.vq%22%3Bv%3A3%3Bf%3A17%3A%22Nqqerff.1.cevznel%22%3B%7D';
  821. $this->Controller->data = array(
  822. 'Address' => array(
  823. 0 => array(
  824. 'id' => '123',
  825. 'title' => 'home',
  826. 'first_name' => 'Bilbo',
  827. 'last_name' => 'Baggins',
  828. 'address' => '23 Bag end way',
  829. 'city' => 'the shire',
  830. 'phone' => 'N/A',
  831. 'primary' => '5',
  832. ),
  833. 1 => array(
  834. 'id' => '124',
  835. 'title' => 'home',
  836. 'first_name' => 'Frodo',
  837. 'last_name' => 'Baggins',
  838. 'address' => '50 Bag end way',
  839. 'city' => 'the shire',
  840. 'phone' => 'N/A',
  841. 'primary' => '1'
  842. )
  843. ),
  844. '_Token' => compact('key', 'fields')
  845. );
  846. $result = $this->Controller->Security->validatePost($this->Controller);
  847. $this->assertFalse($result);
  848. }
  849. /**
  850. * testLoginRequest method
  851. *
  852. * @access public
  853. * @return void
  854. */
  855. function testLoginRequest() {
  856. $this->Controller->Security->startup($this->Controller);
  857. $realm = 'cakephp.org';
  858. $options = array('realm' => $realm, 'type' => 'basic');
  859. $result = $this->Controller->Security->loginRequest($options);
  860. $expected = 'WWW-Authenticate: Basic realm="'.$realm.'"';
  861. $this->assertEqual($result, $expected);
  862. $this->Controller->Security->startup($this->Controller);
  863. $options = array('realm' => $realm, 'type' => 'digest');
  864. $result = $this->Controller->Security->loginRequest($options);
  865. $this->assertPattern('/realm="'.$realm.'"/', $result);
  866. $this->assertPattern('/qop="auth"/', $result);
  867. }
  868. /**
  869. * testGenerateDigestResponseHash method
  870. *
  871. * @access public
  872. * @return void
  873. */
  874. function testGenerateDigestResponseHash() {
  875. $this->Controller->Security->startup($this->Controller);
  876. $realm = 'cakephp.org';
  877. $loginData = array('realm' => $realm, 'users' => array('Willy Smith' => 'password'));
  878. $this->Controller->Security->requireLogin($loginData);
  879. $data = array(
  880. 'username' => 'Willy Smith',
  881. 'password' => 'password',
  882. 'nonce' => String::uuid(),
  883. 'nc' => 1,
  884. 'cnonce' => 1,
  885. 'realm' => $realm,
  886. 'uri' => 'path_to_identifier',
  887. 'qop' => 'testme'
  888. );
  889. $_SERVER['REQUEST_METHOD'] = 'POST';
  890. $result = $this->Controller->Security->generateDigestResponseHash($data);
  891. $expected = md5(
  892. md5($data['username'] . ':' . $loginData['realm'] . ':' . $data['password']) . ':' .
  893. $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' .
  894. md5(env('REQUEST_METHOD') . ':' . $data['uri'])
  895. );
  896. $this->assertIdentical($result, $expected);
  897. }
  898. /**
  899. * testLoginCredentials method
  900. *
  901. * @access public
  902. * @return void
  903. */
  904. function testLoginCredentials() {
  905. $this->Controller->Security->startup($this->Controller);
  906. $_SERVER['PHP_AUTH_USER'] = $user = 'Willy Test';
  907. $_SERVER['PHP_AUTH_PW'] = $pw = 'some password for the nice test';
  908. $result = $this->Controller->Security->loginCredentials('basic');
  909. $expected = array('username' => $user, 'password' => $pw);
  910. $this->assertIdentical($result, $expected);
  911. if (version_compare(PHP_VERSION, '5.1') != -1) {
  912. $_SERVER['PHP_AUTH_DIGEST'] = $digest = <<<DIGEST
  913. Digest username="Mufasa",
  914. realm="testrealm@host.com",
  915. nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
  916. uri="/dir/index.html",
  917. qop=auth,
  918. nc=00000001,
  919. cnonce="0a4f113b",
  920. response="6629fae49393a05397450978507c4ef1",
  921. opaque="5ccc069c403ebaf9f0171e9517f40e41"
  922. DIGEST;
  923. $expected = array(
  924. 'username' => 'Mufasa',
  925. 'nonce' => 'dcd98b7102dd2f0e8b11d0f600bfb0c093',
  926. 'uri' => '/dir/index.html',
  927. 'qop' => 'auth',
  928. 'nc' => '00000001',
  929. 'cnonce' => '0a4f113b',
  930. 'response' => '6629fae49393a05397450978507c4ef1',
  931. 'opaque' => '5ccc069c403ebaf9f0171e9517f40e41'
  932. );
  933. $result = $this->Controller->Security->loginCredentials('digest');
  934. $this->assertIdentical($result, $expected);
  935. }
  936. }
  937. /**
  938. * testParseDigestAuthData method
  939. *
  940. * @access public
  941. * @return void
  942. */
  943. function testParseDigestAuthData() {
  944. $this->Controller->Security->startup($this->Controller);
  945. $digest = <<<DIGEST
  946. Digest username="Mufasa",
  947. realm="testrealm@host.com",
  948. nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
  949. uri="/dir/index.html",
  950. qop=auth,
  951. nc=00000001,
  952. cnonce="0a4f113b",
  953. response="6629fae49393a05397450978507c4ef1",
  954. opaque="5ccc069c403ebaf9f0171e9517f40e41"
  955. DIGEST;
  956. $expected = array(
  957. 'username' => 'Mufasa',
  958. 'nonce' => 'dcd98b7102dd2f0e8b11d0f600bfb0c093',
  959. 'uri' => '/dir/index.html',
  960. 'qop' => 'auth',
  961. 'nc' => '00000001',
  962. 'cnonce' => '0a4f113b',
  963. 'response' => '6629fae49393a05397450978507c4ef1',
  964. 'opaque' => '5ccc069c403ebaf9f0171e9517f40e41'
  965. );
  966. $result = $this->Controller->Security->parseDigestAuthData($digest);
  967. $this->assertIdentical($result, $expected);
  968. $result = $this->Controller->Security->parseDigestAuthData('');
  969. $this->assertNull($result);
  970. }
  971. /**
  972. * testFormDisabledFields method
  973. *
  974. * @access public
  975. * @return void
  976. */
  977. function testFormDisabledFields() {
  978. $this->Controller->Security->startup($this->Controller);
  979. $key = $this->Controller->params['_Token']['key'];
  980. $fields = '11842060341b9d0fc3808b90ba29fdea7054d6ad%3An%3A0%3A%7B%7D';
  981. $this->Controller->data = array(
  982. 'MyModel' => array('name' => 'some data'),
  983. '_Token' => compact('key', 'fields')
  984. );
  985. $result = $this->Controller->Security->validatePost($this->Controller);
  986. $this->assertFalse($result);
  987. $this->Controller->Security->startup($this->Controller);
  988. $this->Controller->Security->disabledFields = array('MyModel.name');
  989. $key = $this->Controller->params['_Token']['key'];
  990. $this->Controller->data = array(
  991. 'MyModel' => array('name' => 'some data'),
  992. '_Token' => compact('key', 'fields')
  993. );
  994. $result = $this->Controller->Security->validatePost($this->Controller);
  995. $this->assertTrue($result);
  996. }
  997. /**
  998. * testRadio method
  999. *
  1000. * @access public
  1001. * @return void
  1002. */
  1003. function testRadio() {
  1004. $this->Controller->Security->startup($this->Controller);
  1005. $key = $this->Controller->params['_Token']['key'];
  1006. $fields = '575ef54ca4fc8cab468d6d898e9acd3a9671c17e%3An%3A0%3A%7B%7D';
  1007. $this->Controller->data = array(
  1008. '_Token' => compact('key', 'fields')
  1009. );
  1010. $result = $this->Controller->Security->validatePost($this->Controller);
  1011. $this->assertFalse($result);
  1012. $this->Controller->data = array(
  1013. '_Token' => compact('key', 'fields'),
  1014. 'Test' => array('test' => '')
  1015. );
  1016. $result = $this->Controller->Security->validatePost($this->Controller);
  1017. $this->assertTrue($result);
  1018. $this->Controller->data = array(
  1019. '_Token' => compact('key', 'fields'),
  1020. 'Test' => array('test' => '1')
  1021. );
  1022. $result = $this->Controller->Security->validatePost($this->Controller);
  1023. $this->assertTrue($result);
  1024. $this->Controller->data = array(
  1025. '_Token' => compact('key', 'fields'),
  1026. 'Test' => array('test' => '2')
  1027. );
  1028. $result = $this->Controller->Security->validatePost($this->Controller);
  1029. $this->assertTrue($result);
  1030. }
  1031. /**
  1032. * testInvalidAuthHeaders method
  1033. *
  1034. * @access public
  1035. * @return void
  1036. */
  1037. function testInvalidAuthHeaders() {
  1038. $this->Controller->Security->blackHoleCallback = null;
  1039. $_SERVER['PHP_AUTH_USER'] = 'admin';
  1040. $_SERVER['PHP_AUTH_PW'] = 'password';
  1041. $realm = 'cakephp.org';
  1042. $loginData = array('type' => 'basic', 'realm' => $realm);
  1043. $this->Controller->Security->requireLogin($loginData);
  1044. $this->Controller->Security->startup($this->Controller);
  1045. $expected = 'WWW-Authenticate: Basic realm="'.$realm.'"';
  1046. $this->assertEqual(count($this->Controller->testHeaders), 1);
  1047. $this->assertEqual(current($this->Controller->testHeaders), $expected);
  1048. }
  1049. }
  1050. ?>