PageRenderTime 53ms CodeModel.GetById 16ms RepoModel.GetById 0ms app.codeStats 0ms

/cake/tests/cases/libs/controller/components/security.test.php

http://github.com/Datawalke/Coordino
PHP | 1305 lines | 768 code | 128 blank | 409 comment | 5 complexity | 7f3e7d2f1a4670d83a06f7569ef37e1b MD5 | raw file
  1. <?php
  2. /**
  3. * SecurityComponentTest file
  4. *
  5. * PHP versions 4 and 5
  6. *
  7. * CakePHP(tm) Tests <http://book.cakephp.org/view/1196/Testing>
  8. * Copyright 2005-2012, Cake Software Foundation, Inc. (http://cakefoundation.org)
  9. *
  10. * Licensed under The Open Group Test Suite License
  11. * Redistributions of files must retain the above copyright notice.
  12. *
  13. * @copyright Copyright 2005-2012, Cake Software Foundation, Inc. (http://cakefoundation.org)
  14. * @link http://book.cakephp.org/view/1196/Testing CakePHP(tm) Tests
  15. * @package cake
  16. * @subpackage cake.tests.cases.libs.controller.components
  17. * @since CakePHP(tm) v 1.2.0.5435
  18. * @license http://www.opensource.org/licenses/opengroup.php The Open Group Test Suite License
  19. */
  20. App::import('Component', 'Security');
  21. /**
  22. * TestSecurityComponent
  23. *
  24. * @package cake
  25. * @subpackage cake.tests.cases.libs.controller.components
  26. */
  27. class TestSecurityComponent extends SecurityComponent {
  28. /**
  29. * validatePost method
  30. *
  31. * @param Controller $controller
  32. * @return unknown
  33. */
  34. function validatePost(&$controller) {
  35. return $this->_validatePost($controller);
  36. }
  37. }
  38. /**
  39. * SecurityTestController
  40. *
  41. * @package cake
  42. * @subpackage cake.tests.cases.libs.controller.components
  43. */
  44. class SecurityTestController extends Controller {
  45. /**
  46. * name property
  47. *
  48. * @var string 'SecurityTest'
  49. * @access public
  50. */
  51. var $name = 'SecurityTest';
  52. /**
  53. * components property
  54. *
  55. * @var array
  56. * @access public
  57. */
  58. var $components = array('Session', 'TestSecurity');
  59. /**
  60. * failed property
  61. *
  62. * @var bool false
  63. * @access public
  64. */
  65. var $failed = false;
  66. /**
  67. * Used for keeping track of headers in test
  68. *
  69. * @var array
  70. * @access public
  71. */
  72. var $testHeaders = array();
  73. /**
  74. * fail method
  75. *
  76. * @access public
  77. * @return void
  78. */
  79. function fail() {
  80. $this->failed = true;
  81. }
  82. /**
  83. * redirect method
  84. *
  85. * @param mixed $option
  86. * @param mixed $code
  87. * @param mixed $exit
  88. * @access public
  89. * @return void
  90. */
  91. function redirect($option, $code, $exit) {
  92. return $code;
  93. }
  94. /**
  95. * Conveinence method for header()
  96. *
  97. * @param string $status
  98. * @return void
  99. * @access public
  100. */
  101. function header($status) {
  102. $this->testHeaders[] = $status;
  103. }
  104. }
  105. /**
  106. * SecurityComponentTest class
  107. *
  108. * @package cake
  109. * @subpackage cake.tests.cases.libs.controller.components
  110. */
  111. class SecurityComponentTest extends CakeTestCase {
  112. /**
  113. * Controller property
  114. *
  115. * @var SecurityTestController
  116. * @access public
  117. */
  118. var $Controller;
  119. /**
  120. * oldSalt property
  121. *
  122. * @var string
  123. * @access public
  124. */
  125. var $oldSalt;
  126. /**
  127. * setUp method
  128. *
  129. * @access public
  130. * @return void
  131. */
  132. function startTest() {
  133. $this->Controller =& new SecurityTestController();
  134. $this->Controller->Component->init($this->Controller);
  135. $this->Controller->Security =& $this->Controller->TestSecurity;
  136. $this->Controller->Security->blackHoleCallback = 'fail';
  137. $this->oldSalt = Configure::read('Security.salt');
  138. Configure::write('Security.salt', 'foo!');
  139. }
  140. /**
  141. * Tear-down method. Resets environment state.
  142. *
  143. * @access public
  144. * @return void
  145. */
  146. function endTest() {
  147. Configure::write('Security.salt', $this->oldSalt);
  148. $this->Controller->Session->delete('_Token');
  149. unset($this->Controller->Security);
  150. unset($this->Controller->Component);
  151. unset($this->Controller);
  152. }
  153. /**
  154. * test that initalize can set properties.
  155. *
  156. * @return void
  157. */
  158. function testInitialize() {
  159. $settings = array(
  160. 'requirePost' => array('edit', 'update'),
  161. 'requireSecure' => array('update_account'),
  162. 'requireGet' => array('index'),
  163. 'validatePost' => false,
  164. 'loginUsers' => array(
  165. 'mark' => 'password'
  166. ),
  167. 'requireLogin' => array('login'),
  168. );
  169. $this->Controller->Security->initialize($this->Controller, $settings);
  170. $this->assertEqual($this->Controller->Security->requirePost, $settings['requirePost']);
  171. $this->assertEqual($this->Controller->Security->requireSecure, $settings['requireSecure']);
  172. $this->assertEqual($this->Controller->Security->requireGet, $settings['requireGet']);
  173. $this->assertEqual($this->Controller->Security->validatePost, $settings['validatePost']);
  174. $this->assertEqual($this->Controller->Security->loginUsers, $settings['loginUsers']);
  175. $this->assertEqual($this->Controller->Security->requireLogin, $settings['requireLogin']);
  176. }
  177. /**
  178. * testStartup method
  179. *
  180. * @access public
  181. * @return void
  182. */
  183. function testStartup() {
  184. $this->Controller->Security->startup($this->Controller);
  185. $result = $this->Controller->params['_Token']['key'];
  186. $this->assertNotNull($result);
  187. $this->assertTrue($this->Controller->Session->check('_Token'));
  188. }
  189. /**
  190. * testRequirePostFail method
  191. *
  192. * @access public
  193. * @return void
  194. */
  195. function testRequirePostFail() {
  196. $_SERVER['REQUEST_METHOD'] = 'GET';
  197. $this->Controller->action = 'posted';
  198. $this->Controller->Security->requirePost(array('posted'));
  199. $this->Controller->Security->startup($this->Controller);
  200. $this->assertTrue($this->Controller->failed);
  201. }
  202. /**
  203. * testRequirePostSucceed method
  204. *
  205. * @access public
  206. * @return void
  207. */
  208. function testRequirePostSucceed() {
  209. $_SERVER['REQUEST_METHOD'] = 'POST';
  210. $this->Controller->action = 'posted';
  211. $this->Controller->Security->requirePost('posted');
  212. $this->Controller->Security->startup($this->Controller);
  213. $this->assertFalse($this->Controller->failed);
  214. }
  215. /**
  216. * testRequireSecureFail method
  217. *
  218. * @access public
  219. * @return void
  220. */
  221. function testRequireSecureFail() {
  222. $_SERVER['HTTPS'] = 'off';
  223. $_SERVER['REQUEST_METHOD'] = 'POST';
  224. $this->Controller->action = 'posted';
  225. $this->Controller->Security->requireSecure(array('posted'));
  226. $this->Controller->Security->startup($this->Controller);
  227. $this->assertTrue($this->Controller->failed);
  228. }
  229. /**
  230. * testRequireSecureSucceed method
  231. *
  232. * @access public
  233. * @return void
  234. */
  235. function testRequireSecureSucceed() {
  236. $_SERVER['REQUEST_METHOD'] = 'Secure';
  237. $this->Controller->action = 'posted';
  238. $_SERVER['HTTPS'] = 'on';
  239. $this->Controller->Security->requireSecure('posted');
  240. $this->Controller->Security->startup($this->Controller);
  241. $this->assertFalse($this->Controller->failed);
  242. }
  243. /**
  244. * testRequireAuthFail method
  245. *
  246. * @access public
  247. * @return void
  248. */
  249. function testRequireAuthFail() {
  250. $_SERVER['REQUEST_METHOD'] = 'AUTH';
  251. $this->Controller->action = 'posted';
  252. $this->Controller->data = array('username' => 'willy', 'password' => 'somePass');
  253. $this->Controller->Security->requireAuth(array('posted'));
  254. $this->Controller->Security->startup($this->Controller);
  255. $this->assertTrue($this->Controller->failed);
  256. $this->Controller->Session->write('_Token', serialize(array('allowedControllers' => array())));
  257. $this->Controller->data = array('username' => 'willy', 'password' => 'somePass');
  258. $this->Controller->action = 'posted';
  259. $this->Controller->Security->requireAuth('posted');
  260. $this->Controller->Security->startup($this->Controller);
  261. $this->assertTrue($this->Controller->failed);
  262. $this->Controller->Session->write('_Token', serialize(array(
  263. 'allowedControllers' => array('SecurityTest'), 'allowedActions' => array('posted2')
  264. )));
  265. $this->Controller->data = array('username' => 'willy', 'password' => 'somePass');
  266. $this->Controller->action = 'posted';
  267. $this->Controller->Security->requireAuth('posted');
  268. $this->Controller->Security->startup($this->Controller);
  269. $this->assertTrue($this->Controller->failed);
  270. }
  271. /**
  272. * testRequireAuthSucceed method
  273. *
  274. * @access public
  275. * @return void
  276. */
  277. function testRequireAuthSucceed() {
  278. $_SERVER['REQUEST_METHOD'] = 'AUTH';
  279. $this->Controller->action = 'posted';
  280. $this->Controller->Security->requireAuth('posted');
  281. $this->Controller->Security->startup($this->Controller);
  282. $this->assertFalse($this->Controller->failed);
  283. $this->Controller->Security->Session->write('_Token', serialize(array(
  284. 'allowedControllers' => array('SecurityTest'), 'allowedActions' => array('posted')
  285. )));
  286. $this->Controller->params['controller'] = 'SecurityTest';
  287. $this->Controller->params['action'] = 'posted';
  288. $this->Controller->data = array(
  289. 'username' => 'willy', 'password' => 'somePass', '_Token' => ''
  290. );
  291. $this->Controller->action = 'posted';
  292. $this->Controller->Security->requireAuth('posted');
  293. $this->Controller->Security->startup($this->Controller);
  294. $this->assertFalse($this->Controller->failed);
  295. }
  296. /**
  297. * testRequirePostSucceedWrongMethod method
  298. *
  299. * @access public
  300. * @return void
  301. */
  302. function testRequirePostSucceedWrongMethod() {
  303. $_SERVER['REQUEST_METHOD'] = 'GET';
  304. $this->Controller->action = 'getted';
  305. $this->Controller->Security->requirePost('posted');
  306. $this->Controller->Security->startup($this->Controller);
  307. $this->assertFalse($this->Controller->failed);
  308. }
  309. /**
  310. * testRequireGetFail method
  311. *
  312. * @access public
  313. * @return void
  314. */
  315. function testRequireGetFail() {
  316. $_SERVER['REQUEST_METHOD'] = 'POST';
  317. $this->Controller->action = 'getted';
  318. $this->Controller->Security->requireGet(array('getted'));
  319. $this->Controller->Security->startup($this->Controller);
  320. $this->assertTrue($this->Controller->failed);
  321. }
  322. /**
  323. * testRequireGetSucceed method
  324. *
  325. * @access public
  326. * @return void
  327. */
  328. function testRequireGetSucceed() {
  329. $_SERVER['REQUEST_METHOD'] = 'GET';
  330. $this->Controller->action = 'getted';
  331. $this->Controller->Security->requireGet('getted');
  332. $this->Controller->Security->startup($this->Controller);
  333. $this->assertFalse($this->Controller->failed);
  334. }
  335. /**
  336. * testRequireLogin method
  337. *
  338. * @access public
  339. * @return void
  340. */
  341. function testRequireLogin() {
  342. $this->Controller->action = 'posted';
  343. $this->Controller->Security->requireLogin(
  344. 'posted',
  345. array('type' => 'basic', 'users' => array('admin' => 'password'))
  346. );
  347. $_SERVER['PHP_AUTH_USER'] = 'admin';
  348. $_SERVER['PHP_AUTH_PW'] = 'password';
  349. $this->Controller->Security->startup($this->Controller);
  350. $this->assertFalse($this->Controller->failed);
  351. $this->Controller->action = 'posted';
  352. $this->Controller->Security->requireLogin(
  353. array('posted'),
  354. array('type' => 'basic', 'users' => array('admin' => 'password'))
  355. );
  356. $_SERVER['PHP_AUTH_USER'] = 'admin2';
  357. $_SERVER['PHP_AUTH_PW'] = 'password';
  358. $this->Controller->Security->startup($this->Controller);
  359. $this->assertTrue($this->Controller->failed);
  360. $this->Controller->action = 'posted';
  361. $this->Controller->Security->requireLogin(
  362. 'posted',
  363. array('type' => 'basic', 'users' => array('admin' => 'password'))
  364. );
  365. $_SERVER['PHP_AUTH_USER'] = 'admin';
  366. $_SERVER['PHP_AUTH_PW'] = 'password2';
  367. $this->Controller->Security->startup($this->Controller);
  368. $this->assertTrue($this->Controller->failed);
  369. }
  370. /**
  371. * testDigestAuth method
  372. *
  373. * @access public
  374. * @return void
  375. */
  376. function testDigestAuth() {
  377. $skip = $this->skipIf((version_compare(PHP_VERSION, '5.1') == -1) XOR (!function_exists('apache_request_headers')),
  378. "%s Cannot run Digest Auth test for PHP versions < 5.1"
  379. );
  380. if ($skip) {
  381. return;
  382. }
  383. $this->Controller->action = 'posted';
  384. $_SERVER['PHP_AUTH_DIGEST'] = $digest = <<<DIGEST
  385. Digest username="Mufasa",
  386. realm="testrealm@host.com",
  387. nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
  388. uri="/dir/index.html",
  389. qop=auth,
  390. nc=00000001,
  391. cnonce="0a4f113b",
  392. response="460d0d3c6867c2f1ab85b1ada1aece48",
  393. opaque="5ccc069c403ebaf9f0171e9517f40e41"
  394. DIGEST;
  395. $this->Controller->Security->requireLogin('posted', array(
  396. 'type' => 'digest', 'users' => array('Mufasa' => 'password'),
  397. 'realm' => 'testrealm@host.com'
  398. ));
  399. $this->Controller->Security->startup($this->Controller);
  400. $this->assertFalse($this->Controller->failed);
  401. }
  402. /**
  403. * testRequireGetSucceedWrongMethod method
  404. *
  405. * @access public
  406. * @return void
  407. */
  408. function testRequireGetSucceedWrongMethod() {
  409. $_SERVER['REQUEST_METHOD'] = 'POST';
  410. $this->Controller->action = 'posted';
  411. $this->Controller->Security->requireGet('getted');
  412. $this->Controller->Security->startup($this->Controller);
  413. $this->assertFalse($this->Controller->failed);
  414. }
  415. /**
  416. * testRequirePutFail method
  417. *
  418. * @access public
  419. * @return void
  420. */
  421. function testRequirePutFail() {
  422. $_SERVER['REQUEST_METHOD'] = 'POST';
  423. $this->Controller->action = 'putted';
  424. $this->Controller->Security->requirePut(array('putted'));
  425. $this->Controller->Security->startup($this->Controller);
  426. $this->assertTrue($this->Controller->failed);
  427. }
  428. /**
  429. * testRequirePutSucceed method
  430. *
  431. * @access public
  432. * @return void
  433. */
  434. function testRequirePutSucceed() {
  435. $_SERVER['REQUEST_METHOD'] = 'PUT';
  436. $this->Controller->action = 'putted';
  437. $this->Controller->Security->requirePut('putted');
  438. $this->Controller->Security->startup($this->Controller);
  439. $this->assertFalse($this->Controller->failed);
  440. }
  441. /**
  442. * testRequirePutSucceedWrongMethod method
  443. *
  444. * @access public
  445. * @return void
  446. */
  447. function testRequirePutSucceedWrongMethod() {
  448. $_SERVER['REQUEST_METHOD'] = 'POST';
  449. $this->Controller->action = 'posted';
  450. $this->Controller->Security->requirePut('putted');
  451. $this->Controller->Security->startup($this->Controller);
  452. $this->assertFalse($this->Controller->failed);
  453. }
  454. /**
  455. * testRequireDeleteFail method
  456. *
  457. * @access public
  458. * @return void
  459. */
  460. function testRequireDeleteFail() {
  461. $_SERVER['REQUEST_METHOD'] = 'POST';
  462. $this->Controller->action = 'deleted';
  463. $this->Controller->Security->requireDelete(array('deleted', 'other_method'));
  464. $this->Controller->Security->startup($this->Controller);
  465. $this->assertTrue($this->Controller->failed);
  466. }
  467. /**
  468. * testRequireDeleteSucceed method
  469. *
  470. * @access public
  471. * @return void
  472. */
  473. function testRequireDeleteSucceed() {
  474. $_SERVER['REQUEST_METHOD'] = 'DELETE';
  475. $this->Controller->action = 'deleted';
  476. $this->Controller->Security->requireDelete('deleted');
  477. $this->Controller->Security->startup($this->Controller);
  478. $this->assertFalse($this->Controller->failed);
  479. }
  480. /**
  481. * testRequireDeleteSucceedWrongMethod method
  482. *
  483. * @access public
  484. * @return void
  485. */
  486. function testRequireDeleteSucceedWrongMethod() {
  487. $_SERVER['REQUEST_METHOD'] = 'POST';
  488. $this->Controller->action = 'posted';
  489. $this->Controller->Security->requireDelete('deleted');
  490. $this->Controller->Security->startup($this->Controller);
  491. $this->assertFalse($this->Controller->failed);
  492. }
  493. /**
  494. * testRequireLoginSettings method
  495. *
  496. * @access public
  497. * @return void
  498. */
  499. function testRequireLoginSettings() {
  500. $this->Controller->Security->requireLogin(
  501. 'add', 'edit',
  502. array('type' => 'basic', 'users' => array('admin' => 'password'))
  503. );
  504. $this->assertEqual($this->Controller->Security->requireLogin, array('add', 'edit'));
  505. $this->assertEqual($this->Controller->Security->loginUsers, array('admin' => 'password'));
  506. }
  507. /**
  508. * testRequireLoginAllActions method
  509. *
  510. * @access public
  511. * @return void
  512. */
  513. function testRequireLoginAllActions() {
  514. $this->Controller->Security->requireLogin(
  515. array('type' => 'basic', 'users' => array('admin' => 'password'))
  516. );
  517. $this->assertEqual($this->Controller->Security->requireLogin, array('*'));
  518. $this->assertEqual($this->Controller->Security->loginUsers, array('admin' => 'password'));
  519. }
  520. /**
  521. * Simple hash validation test
  522. *
  523. * @access public
  524. * @return void
  525. */
  526. function testValidatePost() {
  527. $this->Controller->Security->startup($this->Controller);
  528. $key = $this->Controller->params['_Token']['key'];
  529. $fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877%3AModel.valid';
  530. $this->Controller->data = array(
  531. 'Model' => array('username' => 'nate', 'password' => 'foo', 'valid' => '0'),
  532. '_Token' => compact('key', 'fields')
  533. );
  534. $this->assertTrue($this->Controller->Security->validatePost($this->Controller));
  535. }
  536. /**
  537. * Test that validatePost fails if you are missing the session information.
  538. *
  539. * @return void
  540. */
  541. function testValidatePostNoSession() {
  542. $this->Controller->Security->startup($this->Controller);
  543. $this->Controller->Session->delete('_Token');
  544. $key = $this->Controller->params['_Token']['key'];
  545. $fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877%3AModel.valid';
  546. $this->Controller->data = array(
  547. 'Model' => array('username' => 'nate', 'password' => 'foo', 'valid' => '0'),
  548. '_Token' => compact('key', 'fields')
  549. );
  550. $this->assertFalse($this->Controller->Security->validatePost($this->Controller));
  551. }
  552. /**
  553. * test that validatePost fails if any of its required fields are missing.
  554. *
  555. * @return void
  556. */
  557. function testValidatePostFormHacking() {
  558. $this->Controller->Security->startup($this->Controller);
  559. $key = $this->Controller->params['_Token']['key'];
  560. $fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877%3AModel.valid';
  561. $this->Controller->data = array(
  562. 'Model' => array('username' => 'nate', 'password' => 'foo', 'valid' => '0'),
  563. '_Token' => compact('key')
  564. );
  565. $result = $this->Controller->Security->validatePost($this->Controller);
  566. $this->assertFalse($result, 'validatePost passed when fields were missing. %s');
  567. $this->Controller->data = array(
  568. 'Model' => array('username' => 'nate', 'password' => 'foo', 'valid' => '0'),
  569. '_Token' => compact('fields')
  570. );
  571. $result = $this->Controller->Security->validatePost($this->Controller);
  572. $this->assertFalse($result, 'validatePost passed when key was missing. %s');
  573. }
  574. /**
  575. * Test that objects can't be passed into the serialized string. This was a vector for RFI and LFI
  576. * attacks. Thanks to Felix Wilhelm
  577. *
  578. * @return void
  579. */
  580. function testValidatePostObjectDeserialize() {
  581. $this->Controller->Security->startup($this->Controller);
  582. $key = $this->Controller->params['_Token']['key'];
  583. $fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877';
  584. // a corrupted serialized object, so we can see if it ever gets to deserialize
  585. $attack = 'O:3:"App":1:{s:5:"__map";a:1:{s:3:"foo";s:7:"Hacked!";s:1:"fail"}}';
  586. $fields .= urlencode(':' . str_rot13($attack));
  587. $this->Controller->data = array(
  588. 'Model' => array('username' => 'mark', 'password' => 'foo', 'valid' => '0'),
  589. '_Token' => compact('key', 'fields')
  590. );
  591. $result = $this->Controller->Security->validatePost($this->Controller);
  592. $this->assertFalse($result, 'validatePost passed when key was missing. %s');
  593. }
  594. /**
  595. * Tests validation of checkbox arrays
  596. *
  597. * @access public
  598. * @return void
  599. */
  600. function testValidatePostArray() {
  601. $this->Controller->Security->startup($this->Controller);
  602. $key = $this->Controller->params['_Token']['key'];
  603. $fields = 'f7d573650a295b94e0938d32b323fde775e5f32b%3A';
  604. $this->Controller->data = array(
  605. 'Model' => array('multi_field' => array('1', '3')),
  606. '_Token' => compact('key', 'fields')
  607. );
  608. $this->assertTrue($this->Controller->Security->validatePost($this->Controller));
  609. }
  610. /**
  611. * testValidatePostNoModel method
  612. *
  613. * @access public
  614. * @return void
  615. */
  616. function testValidatePostNoModel() {
  617. $this->Controller->Security->startup($this->Controller);
  618. $key = $this->Controller->params['_Token']['key'];
  619. $fields = '540ac9c60d323c22bafe997b72c0790f39a8bdef%3A';
  620. $this->Controller->data = array(
  621. 'anything' => 'some_data',
  622. '_Token' => compact('key', 'fields')
  623. );
  624. $result = $this->Controller->Security->validatePost($this->Controller);
  625. $this->assertTrue($result);
  626. }
  627. /**
  628. * testValidatePostSimple method
  629. *
  630. * @access public
  631. * @return void
  632. */
  633. function testValidatePostSimple() {
  634. $this->Controller->Security->startup($this->Controller);
  635. $key = $this->Controller->params['_Token']['key'];
  636. $fields = '69f493434187b867ea14b901fdf58b55d27c935d%3A';
  637. $this->Controller->data = $data = array(
  638. 'Model' => array('username' => '', 'password' => ''),
  639. '_Token' => compact('key', 'fields')
  640. );
  641. $result = $this->Controller->Security->validatePost($this->Controller);
  642. $this->assertTrue($result);
  643. }
  644. /**
  645. * Tests hash validation for multiple records, including locked fields
  646. *
  647. * @access public
  648. * @return void
  649. */
  650. function testValidatePostComplex() {
  651. $this->Controller->Security->startup($this->Controller);
  652. $key = $this->Controller->params['_Token']['key'];
  653. $fields = 'c9118120e680a7201b543f562e5301006ccfcbe2%3AAddresses.0.id%7CAddresses.1.id';
  654. $this->Controller->data = array(
  655. 'Addresses' => array(
  656. '0' => array(
  657. 'id' => '123456', 'title' => '', 'first_name' => '', 'last_name' => '',
  658. 'address' => '', 'city' => '', 'phone' => '', 'primary' => ''
  659. ),
  660. '1' => array(
  661. 'id' => '654321', 'title' => '', 'first_name' => '', 'last_name' => '',
  662. 'address' => '', 'city' => '', 'phone' => '', 'primary' => ''
  663. )
  664. ),
  665. '_Token' => compact('key', 'fields')
  666. );
  667. $result = $this->Controller->Security->validatePost($this->Controller);
  668. $this->assertTrue($result);
  669. }
  670. /**
  671. * test ValidatePost with multiple select elements.
  672. *
  673. * @return void
  674. */
  675. function testValidatePostMultipleSelect() {
  676. $this->Controller->Security->startup($this->Controller);
  677. $key = $this->Controller->params['_Token']['key'];
  678. $fields = '422cde416475abc171568be690a98cad20e66079%3A';
  679. $this->Controller->data = array(
  680. 'Tag' => array('Tag' => array(1, 2)),
  681. '_Token' => compact('key', 'fields'),
  682. );
  683. $result = $this->Controller->Security->validatePost($this->Controller);
  684. $this->assertTrue($result);
  685. $this->Controller->data = array(
  686. 'Tag' => array('Tag' => array(1, 2, 3)),
  687. '_Token' => compact('key', 'fields'),
  688. );
  689. $result = $this->Controller->Security->validatePost($this->Controller);
  690. $this->assertTrue($result);
  691. $this->Controller->data = array(
  692. 'Tag' => array('Tag' => array(1, 2, 3, 4)),
  693. '_Token' => compact('key', 'fields'),
  694. );
  695. $result = $this->Controller->Security->validatePost($this->Controller);
  696. $this->assertTrue($result);
  697. $fields = '19464422eafe977ee729c59222af07f983010c5f%3A';
  698. $this->Controller->data = array(
  699. 'User.password' => 'bar', 'User.name' => 'foo', 'User.is_valid' => '1',
  700. 'Tag' => array('Tag' => array(1)), '_Token' => compact('key', 'fields'),
  701. );
  702. $result = $this->Controller->Security->validatePost($this->Controller);
  703. $this->assertTrue($result);
  704. }
  705. /**
  706. * testValidatePostCheckbox method
  707. *
  708. * First block tests un-checked checkbox
  709. * Second block tests checked checkbox
  710. *
  711. * @access public
  712. * @return void
  713. */
  714. function testValidatePostCheckbox() {
  715. $this->Controller->Security->startup($this->Controller);
  716. $key = $this->Controller->params['_Token']['key'];
  717. $fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877%3AModel.valid';
  718. $this->Controller->data = array(
  719. 'Model' => array('username' => '', 'password' => '', 'valid' => '0'),
  720. '_Token' => compact('key', 'fields')
  721. );
  722. $result = $this->Controller->Security->validatePost($this->Controller);
  723. $this->assertTrue($result);
  724. $fields = '874439ca69f89b4c4a5f50fb9c36ff56a28f5d42%3A';
  725. $this->Controller->data = array(
  726. 'Model' => array('username' => '', 'password' => '', 'valid' => '0'),
  727. '_Token' => compact('key', 'fields')
  728. );
  729. $result = $this->Controller->Security->validatePost($this->Controller);
  730. $this->assertTrue($result);
  731. $this->Controller->data = array();
  732. $this->Controller->Security->startup($this->Controller);
  733. $key = $this->Controller->params['_Token']['key'];
  734. $this->Controller->data = $data = array(
  735. 'Model' => array('username' => '', 'password' => '', 'valid' => '0'),
  736. '_Token' => compact('key', 'fields')
  737. );
  738. $result = $this->Controller->Security->validatePost($this->Controller);
  739. $this->assertTrue($result);
  740. }
  741. /**
  742. * testValidatePostHidden method
  743. *
  744. * @access public
  745. * @return void
  746. */
  747. function testValidatePostHidden() {
  748. $this->Controller->Security->startup($this->Controller);
  749. $key = $this->Controller->params['_Token']['key'];
  750. $fields = '51ccd8cb0997c7b3d4523ecde5a109318405ef8c%3AModel.hidden%7CModel.other_hidden';
  751. $fields .= '';
  752. $this->Controller->data = array(
  753. 'Model' => array(
  754. 'username' => '', 'password' => '', 'hidden' => '0',
  755. 'other_hidden' => 'some hidden value'
  756. ),
  757. '_Token' => compact('key', 'fields')
  758. );
  759. $result = $this->Controller->Security->validatePost($this->Controller);
  760. $this->assertTrue($result);
  761. }
  762. /**
  763. * testValidatePostWithDisabledFields method
  764. *
  765. * @access public
  766. * @return void
  767. */
  768. function testValidatePostWithDisabledFields() {
  769. $this->Controller->Security->disabledFields = array('Model.username', 'Model.password');
  770. $this->Controller->Security->startup($this->Controller);
  771. $key = $this->Controller->params['_Token']['key'];
  772. $fields = 'ef1082968c449397bcd849f963636864383278b1%3AModel.hidden';
  773. $this->Controller->data = array(
  774. 'Model' => array(
  775. 'username' => '', 'password' => '', 'hidden' => '0'
  776. ),
  777. '_Token' => compact('fields', 'key')
  778. );
  779. $result = $this->Controller->Security->validatePost($this->Controller);
  780. $this->assertTrue($result);
  781. }
  782. /**
  783. * testValidateHiddenMultipleModel method
  784. *
  785. * @access public
  786. * @return void
  787. */
  788. function testValidateHiddenMultipleModel() {
  789. $this->Controller->Security->startup($this->Controller);
  790. $key = $this->Controller->params['_Token']['key'];
  791. $fields = 'a2d01072dc4660eea9d15007025f35a7a5b58e18%3AModel.valid%7CModel2.valid%7CModel3.valid';
  792. $this->Controller->data = array(
  793. 'Model' => array('username' => '', 'password' => '', 'valid' => '0'),
  794. 'Model2' => array('valid' => '0'),
  795. 'Model3' => array('valid' => '0'),
  796. '_Token' => compact('key', 'fields')
  797. );
  798. $result = $this->Controller->Security->validatePost($this->Controller);
  799. $this->assertTrue($result);
  800. }
  801. /**
  802. * testLoginValidation method
  803. *
  804. * @access public
  805. * @return void
  806. */
  807. function testLoginValidation() {
  808. }
  809. /**
  810. * testValidateHasManyModel method
  811. *
  812. * @access public
  813. * @return void
  814. */
  815. function testValidateHasManyModel() {
  816. $this->Controller->Security->startup($this->Controller);
  817. $key = $this->Controller->params['_Token']['key'];
  818. $fields = '51e3b55a6edd82020b3f29c9ae200e14bbeb7ee5%3AModel.0.hidden%7CModel.0.valid';
  819. $fields .= '%7CModel.1.hidden%7CModel.1.valid';
  820. $this->Controller->data = array(
  821. 'Model' => array(
  822. array(
  823. 'username' => 'username', 'password' => 'password',
  824. 'hidden' => 'value', 'valid' => '0'
  825. ),
  826. array(
  827. 'username' => 'username', 'password' => 'password',
  828. 'hidden' => 'value', 'valid' => '0'
  829. )
  830. ),
  831. '_Token' => compact('key', 'fields')
  832. );
  833. $result = $this->Controller->Security->validatePost($this->Controller);
  834. $this->assertTrue($result);
  835. }
  836. /**
  837. * testValidateHasManyRecordsPass method
  838. *
  839. * @access public
  840. * @return void
  841. */
  842. function testValidateHasManyRecordsPass() {
  843. $this->Controller->Security->startup($this->Controller);
  844. $key = $this->Controller->params['_Token']['key'];
  845. $fields = '7a203edb3d345bbf38fe0dccae960da8842e11d7%3AAddress.0.id%7CAddress.0.primary%7C';
  846. $fields .= 'Address.1.id%7CAddress.1.primary';
  847. $this->Controller->data = array(
  848. 'Address' => array(
  849. 0 => array(
  850. 'id' => '123',
  851. 'title' => 'home',
  852. 'first_name' => 'Bilbo',
  853. 'last_name' => 'Baggins',
  854. 'address' => '23 Bag end way',
  855. 'city' => 'the shire',
  856. 'phone' => 'N/A',
  857. 'primary' => '1',
  858. ),
  859. 1 => array(
  860. 'id' => '124',
  861. 'title' => 'home',
  862. 'first_name' => 'Frodo',
  863. 'last_name' => 'Baggins',
  864. 'address' => '50 Bag end way',
  865. 'city' => 'the shire',
  866. 'phone' => 'N/A',
  867. 'primary' => '1'
  868. )
  869. ),
  870. '_Token' => compact('key', 'fields')
  871. );
  872. $result = $this->Controller->Security->validatePost($this->Controller);
  873. $this->assertTrue($result);
  874. }
  875. /**
  876. * testValidateHasManyRecords method
  877. *
  878. * validatePost should fail, hidden fields have been changed.
  879. *
  880. * @access public
  881. * @return void
  882. */
  883. function testValidateHasManyRecordsFail() {
  884. $this->Controller->Security->startup($this->Controller);
  885. $key = $this->Controller->params['_Token']['key'];
  886. $fields = '7a203edb3d345bbf38fe0dccae960da8842e11d7%3AAddress.0.id%7CAddress.0.primary%7C';
  887. $fields .= 'Address.1.id%7CAddress.1.primary';
  888. $this->Controller->data = array(
  889. 'Address' => array(
  890. 0 => array(
  891. 'id' => '123',
  892. 'title' => 'home',
  893. 'first_name' => 'Bilbo',
  894. 'last_name' => 'Baggins',
  895. 'address' => '23 Bag end way',
  896. 'city' => 'the shire',
  897. 'phone' => 'N/A',
  898. 'primary' => '5',
  899. ),
  900. 1 => array(
  901. 'id' => '124',
  902. 'title' => 'home',
  903. 'first_name' => 'Frodo',
  904. 'last_name' => 'Baggins',
  905. 'address' => '50 Bag end way',
  906. 'city' => 'the shire',
  907. 'phone' => 'N/A',
  908. 'primary' => '1'
  909. )
  910. ),
  911. '_Token' => compact('key', 'fields')
  912. );
  913. $result = $this->Controller->Security->validatePost($this->Controller);
  914. $this->assertFalse($result);
  915. }
  916. /**
  917. * testLoginRequest method
  918. *
  919. * @access public
  920. * @return void
  921. */
  922. function testLoginRequest() {
  923. $this->Controller->Security->startup($this->Controller);
  924. $realm = 'cakephp.org';
  925. $options = array('realm' => $realm, 'type' => 'basic');
  926. $result = $this->Controller->Security->loginRequest($options);
  927. $expected = 'WWW-Authenticate: Basic realm="'.$realm.'"';
  928. $this->assertEqual($result, $expected);
  929. $this->Controller->Security->startup($this->Controller);
  930. $options = array('realm' => $realm, 'type' => 'digest');
  931. $result = $this->Controller->Security->loginRequest($options);
  932. $this->assertPattern('/realm="'.$realm.'"/', $result);
  933. $this->assertPattern('/qop="auth"/', $result);
  934. }
  935. /**
  936. * testGenerateDigestResponseHash method
  937. *
  938. * @access public
  939. * @return void
  940. */
  941. function testGenerateDigestResponseHash() {
  942. $this->Controller->Security->startup($this->Controller);
  943. $realm = 'cakephp.org';
  944. $loginData = array('realm' => $realm, 'users' => array('Willy Smith' => 'password'));
  945. $this->Controller->Security->requireLogin($loginData);
  946. $data = array(
  947. 'username' => 'Willy Smith',
  948. 'password' => 'password',
  949. 'nonce' => String::uuid(),
  950. 'nc' => 1,
  951. 'cnonce' => 1,
  952. 'realm' => $realm,
  953. 'uri' => 'path_to_identifier',
  954. 'qop' => 'testme'
  955. );
  956. $_SERVER['REQUEST_METHOD'] = 'POST';
  957. $result = $this->Controller->Security->generateDigestResponseHash($data);
  958. $expected = md5(
  959. md5($data['username'] . ':' . $loginData['realm'] . ':' . $data['password']) . ':' .
  960. $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' .
  961. md5(env('REQUEST_METHOD') . ':' . $data['uri'])
  962. );
  963. $this->assertIdentical($result, $expected);
  964. }
  965. /**
  966. * testLoginCredentials method
  967. *
  968. * @access public
  969. * @return void
  970. */
  971. function testLoginCredentials() {
  972. $this->Controller->Security->startup($this->Controller);
  973. $_SERVER['PHP_AUTH_USER'] = $user = 'Willy Test';
  974. $_SERVER['PHP_AUTH_PW'] = $pw = 'some password for the nice test';
  975. $result = $this->Controller->Security->loginCredentials('basic');
  976. $expected = array('username' => $user, 'password' => $pw);
  977. $this->assertIdentical($result, $expected);
  978. if (version_compare(PHP_VERSION, '5.1') != -1) {
  979. $_SERVER['PHP_AUTH_DIGEST'] = $digest = <<<DIGEST
  980. Digest username="Mufasa",
  981. realm="testrealm@host.com",
  982. nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
  983. uri="/dir/index.html",
  984. qop=auth,
  985. nc=00000001,
  986. cnonce="0a4f113b",
  987. response="6629fae49393a05397450978507c4ef1",
  988. opaque="5ccc069c403ebaf9f0171e9517f40e41"
  989. DIGEST;
  990. $expected = array(
  991. 'username' => 'Mufasa',
  992. 'realm' => 'testrealm@host.com',
  993. 'nonce' => 'dcd98b7102dd2f0e8b11d0f600bfb0c093',
  994. 'uri' => '/dir/index.html',
  995. 'qop' => 'auth',
  996. 'nc' => '00000001',
  997. 'cnonce' => '0a4f113b',
  998. 'response' => '6629fae49393a05397450978507c4ef1',
  999. 'opaque' => '5ccc069c403ebaf9f0171e9517f40e41'
  1000. );
  1001. $result = $this->Controller->Security->loginCredentials('digest');
  1002. $this->assertIdentical($result, $expected);
  1003. }
  1004. }
  1005. /**
  1006. * testParseDigestAuthData method
  1007. *
  1008. * @access public
  1009. * @return void
  1010. */
  1011. function testParseDigestAuthData() {
  1012. $this->Controller->Security->startup($this->Controller);
  1013. $digest = <<<DIGEST
  1014. Digest username="Mufasa",
  1015. realm="testrealm@host.com",
  1016. nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
  1017. uri="/dir/index.html",
  1018. qop=auth,
  1019. nc=00000001,
  1020. cnonce="0a4f113b",
  1021. response="6629fae49393a05397450978507c4ef1",
  1022. opaque="5ccc069c403ebaf9f0171e9517f40e41"
  1023. DIGEST;
  1024. $expected = array(
  1025. 'username' => 'Mufasa',
  1026. 'realm' => 'testrealm@host.com',
  1027. 'nonce' => 'dcd98b7102dd2f0e8b11d0f600bfb0c093',
  1028. 'uri' => '/dir/index.html',
  1029. 'qop' => 'auth',
  1030. 'nc' => '00000001',
  1031. 'cnonce' => '0a4f113b',
  1032. 'response' => '6629fae49393a05397450978507c4ef1',
  1033. 'opaque' => '5ccc069c403ebaf9f0171e9517f40e41'
  1034. );
  1035. $result = $this->Controller->Security->parseDigestAuthData($digest);
  1036. $this->assertIdentical($result, $expected);
  1037. $result = $this->Controller->Security->parseDigestAuthData('');
  1038. $this->assertNull($result);
  1039. }
  1040. /**
  1041. * test parsing digest information with email addresses
  1042. *
  1043. * @return void
  1044. */
  1045. function testParseDigestAuthEmailAddress() {
  1046. $this->Controller->Security->startup($this->Controller);
  1047. $digest = <<<DIGEST
  1048. Digest username="mark@example.com",
  1049. realm="testrealm@host.com",
  1050. nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
  1051. uri="/dir/index.html",
  1052. qop=auth,
  1053. nc=00000001,
  1054. cnonce="0a4f113b",
  1055. response="6629fae49393a05397450978507c4ef1",
  1056. opaque="5ccc069c403ebaf9f0171e9517f40e41"
  1057. DIGEST;
  1058. $expected = array(
  1059. 'username' => 'mark@example.com',
  1060. 'realm' => 'testrealm@host.com',
  1061. 'nonce' => 'dcd98b7102dd2f0e8b11d0f600bfb0c093',
  1062. 'uri' => '/dir/index.html',
  1063. 'qop' => 'auth',
  1064. 'nc' => '00000001',
  1065. 'cnonce' => '0a4f113b',
  1066. 'response' => '6629fae49393a05397450978507c4ef1',
  1067. 'opaque' => '5ccc069c403ebaf9f0171e9517f40e41'
  1068. );
  1069. $result = $this->Controller->Security->parseDigestAuthData($digest);
  1070. $this->assertIdentical($result, $expected);
  1071. }
  1072. /**
  1073. * testFormDisabledFields method
  1074. *
  1075. * @access public
  1076. * @return void
  1077. */
  1078. function testFormDisabledFields() {
  1079. $this->Controller->Security->startup($this->Controller);
  1080. $key = $this->Controller->params['_Token']['key'];
  1081. $fields = '11842060341b9d0fc3808b90ba29fdea7054d6ad%3An%3A0%3A%7B%7D';
  1082. $this->Controller->data = array(
  1083. 'MyModel' => array('name' => 'some data'),
  1084. '_Token' => compact('key', 'fields')
  1085. );
  1086. $result = $this->Controller->Security->validatePost($this->Controller);
  1087. $this->assertFalse($result);
  1088. $this->Controller->Security->startup($this->Controller);
  1089. $this->Controller->Security->disabledFields = array('MyModel.name');
  1090. $key = $this->Controller->params['_Token']['key'];
  1091. $this->Controller->data = array(
  1092. 'MyModel' => array('name' => 'some data'),
  1093. '_Token' => compact('key', 'fields')
  1094. );
  1095. $result = $this->Controller->Security->validatePost($this->Controller);
  1096. $this->assertTrue($result);
  1097. }
  1098. /**
  1099. * testRadio method
  1100. *
  1101. * @access public
  1102. * @return void
  1103. */
  1104. function testRadio() {
  1105. $this->Controller->Security->startup($this->Controller);
  1106. $key = $this->Controller->params['_Token']['key'];
  1107. $fields = '575ef54ca4fc8cab468d6d898e9acd3a9671c17e%3An%3A0%3A%7B%7D';
  1108. $this->Controller->data = array(
  1109. '_Token' => compact('key', 'fields')
  1110. );
  1111. $result = $this->Controller->Security->validatePost($this->Controller);
  1112. $this->assertFalse($result);
  1113. $this->Controller->data = array(
  1114. '_Token' => compact('key', 'fields'),
  1115. 'Test' => array('test' => '')
  1116. );
  1117. $result = $this->Controller->Security->validatePost($this->Controller);
  1118. $this->assertTrue($result);
  1119. $this->Controller->data = array(
  1120. '_Token' => compact('key', 'fields'),
  1121. 'Test' => array('test' => '1')
  1122. );
  1123. $result = $this->Controller->Security->validatePost($this->Controller);
  1124. $this->assertTrue($result);
  1125. $this->Controller->data = array(
  1126. '_Token' => compact('key', 'fields'),
  1127. 'Test' => array('test' => '2')
  1128. );
  1129. $result = $this->Controller->Security->validatePost($this->Controller);
  1130. $this->assertTrue($result);
  1131. }
  1132. /**
  1133. * testInvalidAuthHeaders method
  1134. *
  1135. * @access public
  1136. * @return void
  1137. */
  1138. function testInvalidAuthHeaders() {
  1139. $this->Controller->Security->blackHoleCallback = null;
  1140. $_SERVER['PHP_AUTH_USER'] = 'admin';
  1141. $_SERVER['PHP_AUTH_PW'] = 'password';
  1142. $realm = 'cakephp.org';
  1143. $loginData = array('type' => 'basic', 'realm' => $realm);
  1144. $this->Controller->Security->requireLogin($loginData);
  1145. $this->Controller->Security->startup($this->Controller);
  1146. $expected = 'WWW-Authenticate: Basic realm="'.$realm.'"';
  1147. $this->assertEqual(count($this->Controller->testHeaders), 1);
  1148. $this->assertEqual(current($this->Controller->testHeaders), $expected);
  1149. }
  1150. /**
  1151. * test that a requestAction's controller will have the _Token appended to
  1152. * the params.
  1153. *
  1154. * @return void
  1155. * @see http://cakephp.lighthouseapp.com/projects/42648/tickets/68
  1156. */
  1157. function testSettingTokenForRequestAction() {
  1158. $this->Controller->Security->startup($this->Controller);
  1159. $key = $this->Controller->params['_Token']['key'];
  1160. $this->Controller->params['requested'] = 1;
  1161. unset($this->Controller->params['_Token']);
  1162. $this->Controller->Security->startup($this->Controller);
  1163. $this->assertEqual($this->Controller->params['_Token']['key'], $key);
  1164. }
  1165. /**
  1166. * test that blackhole doesn't delete the _Token session key so repeat data submissions
  1167. * stay blackholed.
  1168. *
  1169. * @link http://cakephp.lighthouseapp.com/projects/42648/tickets/214
  1170. * @return void
  1171. */
  1172. function testBlackHoleNotDeletingSessionInformation() {
  1173. $this->Controller->Security->startup($this->Controller);
  1174. $this->Controller->Security->blackHole($this->Controller, 'auth');
  1175. $this->assertTrue($this->Controller->Security->Session->check('_Token'), '_Token was deleted by blackHole %s');
  1176. }
  1177. }