Mercurial > hg > Members > shoshi > webvirt

comparison cake/tests/cases/libs/controller/components/security.test.php @ 0:261e66bd5a0c

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
hg init
author Shoshi TAMAKI <shoshi@cr.ie.u-ryukyu.ac.jp>
date Sun, 24 Jul 2011 21:08:31 +0900
parents
children
comparison
equal deleted inserted replaced
-1:000000000000 0:261e66bd5a0c
1 <?php
2 /**
3 * SecurityComponentTest file
4 *
5 * PHP versions 4 and 5
6 *
7 * CakePHP(tm) Tests <http://book.cakephp.org/view/1196/Testing>
8 * Copyright 2005-2010, Cake Software Foundation, Inc. (http://cakefoundation.org)
9 *
10 * Licensed under The Open Group Test Suite License
11 * Redistributions of files must retain the above copyright notice.
12 *
13 * @copyright Copyright 2005-2010, Cake Software Foundation, Inc. (http://cakefoundation.org)
14 * @link http://book.cakephp.org/view/1196/Testing CakePHP(tm) Tests
15 * @package cake
16 * @subpackage cake.tests.cases.libs.controller.components
17 * @since CakePHP(tm) v 1.2.0.5435
18 * @license http://www.opensource.org/licenses/opengroup.php The Open Group Test Suite License
19 */
20 App::import('Component', 'Security');
21
22 /**
23 * TestSecurityComponent
24 *
25 * @package cake
26 * @subpackage cake.tests.cases.libs.controller.components
27 */
28 class TestSecurityComponent extends SecurityComponent {
29
30 /**
31 * validatePost method
32 *
33 * @param Controller $controller
34 * @return unknown
35 */
36 function validatePost(&$controller) {
37 return $this->_validatePost($controller);
38 }
39 }
40
41 /**
42 * SecurityTestController
43 *
44 * @package cake
45 * @subpackage cake.tests.cases.libs.controller.components
46 */
47 class SecurityTestController extends Controller {
48
49 /**
50 * name property
51 *
52 * @var string 'SecurityTest'
53 * @access public
54 */
55 var $name = 'SecurityTest';
56
57 /**
58 * components property
59 *
60 * @var array
61 * @access public
62 */
63 var $components = array('Session', 'TestSecurity');
64
65 /**
66 * failed property
67 *
68 * @var bool false
69 * @access public
70 */
71 var $failed = false;
72
73 /**
74 * Used for keeping track of headers in test
75 *
76 * @var array
77 * @access public
78 */
79 var $testHeaders = array();
80
81 /**
82 * fail method
83 *
84 * @access public
85 * @return void
86 */
87 function fail() {
88 $this->failed = true;
89 }
90
91 /**
92 * redirect method
93 *
94 * @param mixed $option
95 * @param mixed $code
96 * @param mixed $exit
97 * @access public
98 * @return void
99 */
100 function redirect($option, $code, $exit) {
101 return $code;
102 }
103
104 /**
105 * Conveinence method for header()
106 *
107 * @param string $status
108 * @return void
109 * @access public
110 */
111 function header($status) {
112 $this->testHeaders[] = $status;
113 }
114 }
115
116 /**
117 * SecurityComponentTest class
118 *
119 * @package cake
120 * @subpackage cake.tests.cases.libs.controller.components
121 */
122 class SecurityComponentTest extends CakeTestCase {
123
124 /**
125 * Controller property
126 *
127 * @var SecurityTestController
128 * @access public
129 */
130 var $Controller;
131
132 /**
133 * oldSalt property
134 *
135 * @var string
136 * @access public
137 */
138 var $oldSalt;
139
140 /**
141 * setUp method
142 *
143 * @access public
144 * @return void
145 */
146 function startTest() {
147 $this->Controller =& new SecurityTestController();
148 $this->Controller->Component->init($this->Controller);
149 $this->Controller->Security =& $this->Controller->TestSecurity;
150 $this->Controller->Security->blackHoleCallback = 'fail';
151 $this->oldSalt = Configure::read('Security.salt');
152 Configure::write('Security.salt', 'foo!');
153 }
154
155 /**
156 * Tear-down method. Resets environment state.
157 *
158 * @access public
159 * @return void
160 */
161 function endTest() {
162 Configure::write('Security.salt', $this->oldSalt);
163 $this->Controller->Session->delete('_Token');
164 unset($this->Controller->Security);
165 unset($this->Controller->Component);
166 unset($this->Controller);
167 }
168
169 /**
170 * test that initalize can set properties.
171 *
172 * @return void
173 */
174 function testInitialize() {
175 $settings = array(
176 'requirePost' => array('edit', 'update'),
177 'requireSecure' => array('update_account'),
178 'requireGet' => array('index'),
179 'validatePost' => false,
180 'loginUsers' => array(
181 'mark' => 'password'
182 ),
183 'requireLogin' => array('login'),
184 );
185 $this->Controller->Security->initialize($this->Controller, $settings);
186 $this->assertEqual($this->Controller->Security->requirePost, $settings['requirePost']);
187 $this->assertEqual($this->Controller->Security->requireSecure, $settings['requireSecure']);
188 $this->assertEqual($this->Controller->Security->requireGet, $settings['requireGet']);
189 $this->assertEqual($this->Controller->Security->validatePost, $settings['validatePost']);
190 $this->assertEqual($this->Controller->Security->loginUsers, $settings['loginUsers']);
191 $this->assertEqual($this->Controller->Security->requireLogin, $settings['requireLogin']);
192 }
193
194 /**
195 * testStartup method
196 *
197 * @access public
198 * @return void
199 */
200 function testStartup() {
201 $this->Controller->Security->startup($this->Controller);
202 $result = $this->Controller->params['_Token']['key'];
203 $this->assertNotNull($result);
204 $this->assertTrue($this->Controller->Session->check('_Token'));
205 }
206
207 /**
208 * testRequirePostFail method
209 *
210 * @access public
211 * @return void
212 */
213 function testRequirePostFail() {
214 $_SERVER['REQUEST_METHOD'] = 'GET';
215 $this->Controller->action = 'posted';
216 $this->Controller->Security->requirePost(array('posted'));
217 $this->Controller->Security->startup($this->Controller);
218 $this->assertTrue($this->Controller->failed);
219 }
220
221 /**
222 * testRequirePostSucceed method
223 *
224 * @access public
225 * @return void
226 */
227 function testRequirePostSucceed() {
228 $_SERVER['REQUEST_METHOD'] = 'POST';
229 $this->Controller->action = 'posted';
230 $this->Controller->Security->requirePost('posted');
231 $this->Controller->Security->startup($this->Controller);
232 $this->assertFalse($this->Controller->failed);
233 }
234
235 /**
236 * testRequireSecureFail method
237 *
238 * @access public
239 * @return void
240 */
241 function testRequireSecureFail() {
242 $_SERVER['HTTPS'] = 'off';
243 $_SERVER['REQUEST_METHOD'] = 'POST';
244 $this->Controller->action = 'posted';
245 $this->Controller->Security->requireSecure(array('posted'));
246 $this->Controller->Security->startup($this->Controller);
247 $this->assertTrue($this->Controller->failed);
248 }
249
250 /**
251 * testRequireSecureSucceed method
252 *
253 * @access public
254 * @return void
255 */
256 function testRequireSecureSucceed() {
257 $_SERVER['REQUEST_METHOD'] = 'Secure';
258 $this->Controller->action = 'posted';
259 $_SERVER['HTTPS'] = 'on';
260 $this->Controller->Security->requireSecure('posted');
261 $this->Controller->Security->startup($this->Controller);
262 $this->assertFalse($this->Controller->failed);
263 }
264
265 /**
266 * testRequireAuthFail method
267 *
268 * @access public
269 * @return void
270 */
271 function testRequireAuthFail() {
272 $_SERVER['REQUEST_METHOD'] = 'AUTH';
273 $this->Controller->action = 'posted';
274 $this->Controller->data = array('username' => 'willy', 'password' => 'somePass');
275 $this->Controller->Security->requireAuth(array('posted'));
276 $this->Controller->Security->startup($this->Controller);
277 $this->assertTrue($this->Controller->failed);
278
279 $this->Controller->Session->write('_Token', serialize(array('allowedControllers' => array())));
280 $this->Controller->data = array('username' => 'willy', 'password' => 'somePass');
281 $this->Controller->action = 'posted';
282 $this->Controller->Security->requireAuth('posted');
283 $this->Controller->Security->startup($this->Controller);
284 $this->assertTrue($this->Controller->failed);
285
286 $this->Controller->Session->write('_Token', serialize(array(
287 'allowedControllers' => array('SecurityTest'), 'allowedActions' => array('posted2')
288 )));
289 $this->Controller->data = array('username' => 'willy', 'password' => 'somePass');
290 $this->Controller->action = 'posted';
291 $this->Controller->Security->requireAuth('posted');
292 $this->Controller->Security->startup($this->Controller);
293 $this->assertTrue($this->Controller->failed);
294 }
295
296 /**
297 * testRequireAuthSucceed method
298 *
299 * @access public
300 * @return void
301 */
302 function testRequireAuthSucceed() {
303 $_SERVER['REQUEST_METHOD'] = 'AUTH';
304 $this->Controller->action = 'posted';
305 $this->Controller->Security->requireAuth('posted');
306 $this->Controller->Security->startup($this->Controller);
307 $this->assertFalse($this->Controller->failed);
308
309 $this->Controller->Security->Session->write('_Token', serialize(array(
310 'allowedControllers' => array('SecurityTest'), 'allowedActions' => array('posted')
311 )));
312 $this->Controller->params['controller'] = 'SecurityTest';
313 $this->Controller->params['action'] = 'posted';
314
315 $this->Controller->data = array(
316 'username' => 'willy', 'password' => 'somePass', '_Token' => ''
317 );
318 $this->Controller->action = 'posted';
319 $this->Controller->Security->requireAuth('posted');
320 $this->Controller->Security->startup($this->Controller);
321 $this->assertFalse($this->Controller->failed);
322 }
323
324 /**
325 * testRequirePostSucceedWrongMethod method
326 *
327 * @access public
328 * @return void
329 */
330 function testRequirePostSucceedWrongMethod() {
331 $_SERVER['REQUEST_METHOD'] = 'GET';
332 $this->Controller->action = 'getted';
333 $this->Controller->Security->requirePost('posted');
334 $this->Controller->Security->startup($this->Controller);
335 $this->assertFalse($this->Controller->failed);
336 }
337
338 /**
339 * testRequireGetFail method
340 *
341 * @access public
342 * @return void
343 */
344 function testRequireGetFail() {
345 $_SERVER['REQUEST_METHOD'] = 'POST';
346 $this->Controller->action = 'getted';
347 $this->Controller->Security->requireGet(array('getted'));
348 $this->Controller->Security->startup($this->Controller);
349 $this->assertTrue($this->Controller->failed);
350 }
351
352 /**
353 * testRequireGetSucceed method
354 *
355 * @access public
356 * @return void
357 */
358 function testRequireGetSucceed() {
359 $_SERVER['REQUEST_METHOD'] = 'GET';
360 $this->Controller->action = 'getted';
361 $this->Controller->Security->requireGet('getted');
362 $this->Controller->Security->startup($this->Controller);
363 $this->assertFalse($this->Controller->failed);
364 }
365
366 /**
367 * testRequireLogin method
368 *
369 * @access public
370 * @return void
371 */
372 function testRequireLogin() {
373 $this->Controller->action = 'posted';
374 $this->Controller->Security->requireLogin(
375 'posted',
376 array('type' => 'basic', 'users' => array('admin' => 'password'))
377 );
378 $_SERVER['PHP_AUTH_USER'] = 'admin';
379 $_SERVER['PHP_AUTH_PW'] = 'password';
380 $this->Controller->Security->startup($this->Controller);
381 $this->assertFalse($this->Controller->failed);
382
383
384 $this->Controller->action = 'posted';
385 $this->Controller->Security->requireLogin(
386 array('posted'),
387 array('type' => 'basic', 'users' => array('admin' => 'password'))
388 );
389 $_SERVER['PHP_AUTH_USER'] = 'admin2';
390 $_SERVER['PHP_AUTH_PW'] = 'password';
391 $this->Controller->Security->startup($this->Controller);
392 $this->assertTrue($this->Controller->failed);
393
394 $this->Controller->action = 'posted';
395 $this->Controller->Security->requireLogin(
396 'posted',
397 array('type' => 'basic', 'users' => array('admin' => 'password'))
398 );
399 $_SERVER['PHP_AUTH_USER'] = 'admin';
400 $_SERVER['PHP_AUTH_PW'] = 'password2';
401 $this->Controller->Security->startup($this->Controller);
402 $this->assertTrue($this->Controller->failed);
403 }
404
405 /**
406 * testDigestAuth method
407 *
408 * @access public
409 * @return void
410 */
411 function testDigestAuth() {
412 $skip = $this->skipIf((version_compare(PHP_VERSION, '5.1') == -1) XOR (!function_exists('apache_request_headers')),
413 "%s Cannot run Digest Auth test for PHP versions < 5.1"
414 );
415
416 if ($skip) {
417 return;
418 }
419
420 $this->Controller->action = 'posted';
421 $_SERVER['PHP_AUTH_DIGEST'] = $digest = <<<DIGEST
422 Digest username="Mufasa",
423 realm="testrealm@host.com",
424 nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
425 uri="/dir/index.html",
426 qop=auth,
427 nc=00000001,
428 cnonce="0a4f113b",
429 response="460d0d3c6867c2f1ab85b1ada1aece48",
430 opaque="5ccc069c403ebaf9f0171e9517f40e41"
431 DIGEST;
432 $this->Controller->Security->requireLogin('posted', array(
433 'type' => 'digest', 'users' => array('Mufasa' => 'password'),
434 'realm' => 'testrealm@host.com'
435 ));
436 $this->Controller->Security->startup($this->Controller);
437 $this->assertFalse($this->Controller->failed);
438 }
439
440 /**
441 * testRequireGetSucceedWrongMethod method
442 *
443 * @access public
444 * @return void
445 */
446 function testRequireGetSucceedWrongMethod() {
447 $_SERVER['REQUEST_METHOD'] = 'POST';
448 $this->Controller->action = 'posted';
449 $this->Controller->Security->requireGet('getted');
450 $this->Controller->Security->startup($this->Controller);
451 $this->assertFalse($this->Controller->failed);
452 }
453
454 /**
455 * testRequirePutFail method
456 *
457 * @access public
458 * @return void
459 */
460 function testRequirePutFail() {
461 $_SERVER['REQUEST_METHOD'] = 'POST';
462 $this->Controller->action = 'putted';
463 $this->Controller->Security->requirePut(array('putted'));
464 $this->Controller->Security->startup($this->Controller);
465 $this->assertTrue($this->Controller->failed);
466 }
467
468 /**
469 * testRequirePutSucceed method
470 *
471 * @access public
472 * @return void
473 */
474 function testRequirePutSucceed() {
475 $_SERVER['REQUEST_METHOD'] = 'PUT';
476 $this->Controller->action = 'putted';
477 $this->Controller->Security->requirePut('putted');
478 $this->Controller->Security->startup($this->Controller);
479 $this->assertFalse($this->Controller->failed);
480 }
481
482 /**
483 * testRequirePutSucceedWrongMethod method
484 *
485 * @access public
486 * @return void
487 */
488 function testRequirePutSucceedWrongMethod() {
489 $_SERVER['REQUEST_METHOD'] = 'POST';
490 $this->Controller->action = 'posted';
491 $this->Controller->Security->requirePut('putted');
492 $this->Controller->Security->startup($this->Controller);
493 $this->assertFalse($this->Controller->failed);
494 }
495
496 /**
497 * testRequireDeleteFail method
498 *
499 * @access public
500 * @return void
501 */
502 function testRequireDeleteFail() {
503 $_SERVER['REQUEST_METHOD'] = 'POST';
504 $this->Controller->action = 'deleted';
505 $this->Controller->Security->requireDelete(array('deleted', 'other_method'));
506 $this->Controller->Security->startup($this->Controller);
507 $this->assertTrue($this->Controller->failed);
508 }
509
510 /**
511 * testRequireDeleteSucceed method
512 *
513 * @access public
514 * @return void
515 */
516 function testRequireDeleteSucceed() {
517 $_SERVER['REQUEST_METHOD'] = 'DELETE';
518 $this->Controller->action = 'deleted';
519 $this->Controller->Security->requireDelete('deleted');
520 $this->Controller->Security->startup($this->Controller);
521 $this->assertFalse($this->Controller->failed);
522 }
523
524 /**
525 * testRequireDeleteSucceedWrongMethod method
526 *
527 * @access public
528 * @return void
529 */
530 function testRequireDeleteSucceedWrongMethod() {
531 $_SERVER['REQUEST_METHOD'] = 'POST';
532 $this->Controller->action = 'posted';
533 $this->Controller->Security->requireDelete('deleted');
534 $this->Controller->Security->startup($this->Controller);
535 $this->assertFalse($this->Controller->failed);
536 }
537
538 /**
539 * testRequireLoginSettings method
540 *
541 * @access public
542 * @return void
543 */
544 function testRequireLoginSettings() {
545 $this->Controller->Security->requireLogin(
546 'add', 'edit',
547 array('type' => 'basic', 'users' => array('admin' => 'password'))
548 );
549 $this->assertEqual($this->Controller->Security->requireLogin, array('add', 'edit'));
550 $this->assertEqual($this->Controller->Security->loginUsers, array('admin' => 'password'));
551 }
552
553 /**
554 * testRequireLoginAllActions method
555 *
556 * @access public
557 * @return void
558 */
559 function testRequireLoginAllActions() {
560 $this->Controller->Security->requireLogin(
561 array('type' => 'basic', 'users' => array('admin' => 'password'))
562 );
563 $this->assertEqual($this->Controller->Security->requireLogin, array('*'));
564 $this->assertEqual($this->Controller->Security->loginUsers, array('admin' => 'password'));
565 }
566
567 /**
568 * Simple hash validation test
569 *
570 * @access public
571 * @return void
572 */
573 function testValidatePost() {
574 $this->Controller->Security->startup($this->Controller);
575 $key = $this->Controller->params['_Token']['key'];
576 $fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877%3AModel.valid';
577
578 $this->Controller->data = array(
579 'Model' => array('username' => 'nate', 'password' => 'foo', 'valid' => '0'),
580 '_Token' => compact('key', 'fields')
581 );
582 $this->assertTrue($this->Controller->Security->validatePost($this->Controller));
583 }
584
585 /**
586 * test that validatePost fails if any of its required fields are missing.
587 *
588 * @return void
589 */
590 function testValidatePostFormHacking() {
591 $this->Controller->Security->startup($this->Controller);
592 $key = $this->Controller->params['_Token']['key'];
593 $fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877%3AModel.valid';
594
595 $this->Controller->data = array(
596 'Model' => array('username' => 'nate', 'password' => 'foo', 'valid' => '0'),
597 '_Token' => compact('key')
598 );
599 $result = $this->Controller->Security->validatePost($this->Controller);
600 $this->assertFalse($result, 'validatePost passed when fields were missing. %s');
601
602 $this->Controller->data = array(
603 'Model' => array('username' => 'nate', 'password' => 'foo', 'valid' => '0'),
604 '_Token' => compact('fields')
605 );
606 $result = $this->Controller->Security->validatePost($this->Controller);
607 $this->assertFalse($result, 'validatePost passed when key was missing. %s');
608 }
609
610 /**
611 * Test that objects can't be passed into the serialized string. This was a vector for RFI and LFI
612 * attacks. Thanks to Felix Wilhelm
613 *
614 * @return void
615 */
616 function testValidatePostObjectDeserialize() {
617 $this->Controller->Security->startup($this->Controller);
618 $key = $this->Controller->params['_Token']['key'];
619 $fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877';
620
621 // a corrupted serialized object, so we can see if it ever gets to deserialize
622 $attack = 'O:3:"App":1:{s:5:"__map";a:1:{s:3:"foo";s:7:"Hacked!";s:1:"fail"}}';
623 $fields .= urlencode(':' . str_rot13($attack));
624
625 $this->Controller->data = array(
626 'Model' => array('username' => 'mark', 'password' => 'foo', 'valid' => '0'),
627 '_Token' => compact('key', 'fields')
628 );
629 $result = $this->Controller->Security->validatePost($this->Controller);
630 $this->assertFalse($result, 'validatePost passed when key was missing. %s');
631 }
632
633 /**
634 * Tests validation of checkbox arrays
635 *
636 * @access public
637 * @return void
638 */
639 function testValidatePostArray() {
640 $this->Controller->Security->startup($this->Controller);
641 $key = $this->Controller->params['_Token']['key'];
642 $fields = 'f7d573650a295b94e0938d32b323fde775e5f32b%3A';
643
644 $this->Controller->data = array(
645 'Model' => array('multi_field' => array('1', '3')),
646 '_Token' => compact('key', 'fields')
647 );
648 $this->assertTrue($this->Controller->Security->validatePost($this->Controller));
649 }
650
651 /**
652 * testValidatePostNoModel method
653 *
654 * @access public
655 * @return void
656 */
657 function testValidatePostNoModel() {
658 $this->Controller->Security->startup($this->Controller);
659 $key = $this->Controller->params['_Token']['key'];
660 $fields = '540ac9c60d323c22bafe997b72c0790f39a8bdef%3A';
661
662 $this->Controller->data = array(
663 'anything' => 'some_data',
664 '_Token' => compact('key', 'fields')
665 );
666
667 $result = $this->Controller->Security->validatePost($this->Controller);
668 $this->assertTrue($result);
669 }
670
671 /**
672 * testValidatePostSimple method
673 *
674 * @access public
675 * @return void
676 */
677 function testValidatePostSimple() {
678 $this->Controller->Security->startup($this->Controller);
679 $key = $this->Controller->params['_Token']['key'];
680 $fields = '69f493434187b867ea14b901fdf58b55d27c935d%3A';
681
682 $this->Controller->data = $data = array(
683 'Model' => array('username' => '', 'password' => ''),
684 '_Token' => compact('key', 'fields')
685 );
686
687 $result = $this->Controller->Security->validatePost($this->Controller);
688 $this->assertTrue($result);
689 }
690
691 /**
692 * Tests hash validation for multiple records, including locked fields
693 *
694 * @access public
695 * @return void
696 */
697 function testValidatePostComplex() {
698 $this->Controller->Security->startup($this->Controller);
699 $key = $this->Controller->params['_Token']['key'];
700 $fields = 'c9118120e680a7201b543f562e5301006ccfcbe2%3AAddresses.0.id%7CAddresses.1.id';
701
702 $this->Controller->data = array(
703 'Addresses' => array(
704 '0' => array(
705 'id' => '123456', 'title' => '', 'first_name' => '', 'last_name' => '',
706 'address' => '', 'city' => '', 'phone' => '', 'primary' => ''
707 ),
708 '1' => array(
709 'id' => '654321', 'title' => '', 'first_name' => '', 'last_name' => '',
710 'address' => '', 'city' => '', 'phone' => '', 'primary' => ''
711 )
712 ),
713 '_Token' => compact('key', 'fields')
714 );
715 $result = $this->Controller->Security->validatePost($this->Controller);
716 $this->assertTrue($result);
717 }
718
719 /**
720 * test ValidatePost with multiple select elements.
721 *
722 * @return void
723 */
724 function testValidatePostMultipleSelect() {
725 $this->Controller->Security->startup($this->Controller);
726 $key = $this->Controller->params['_Token']['key'];
727 $fields = '422cde416475abc171568be690a98cad20e66079%3A';
728
729 $this->Controller->data = array(
730 'Tag' => array('Tag' => array(1, 2)),
731 '_Token' => compact('key', 'fields'),
732 );
733 $result = $this->Controller->Security->validatePost($this->Controller);
734 $this->assertTrue($result);
735
736 $this->Controller->data = array(
737 'Tag' => array('Tag' => array(1, 2, 3)),
738 '_Token' => compact('key', 'fields'),
739 );
740 $result = $this->Controller->Security->validatePost($this->Controller);
741 $this->assertTrue($result);
742
743 $this->Controller->data = array(
744 'Tag' => array('Tag' => array(1, 2, 3, 4)),
745 '_Token' => compact('key', 'fields'),
746 );
747 $result = $this->Controller->Security->validatePost($this->Controller);
748 $this->assertTrue($result);
749
750 $fields = '19464422eafe977ee729c59222af07f983010c5f%3A';
751 $this->Controller->data = array(
752 'User.password' => 'bar', 'User.name' => 'foo', 'User.is_valid' => '1',
753 'Tag' => array('Tag' => array(1)), '_Token' => compact('key', 'fields'),
754 );
755 $result = $this->Controller->Security->validatePost($this->Controller);
756 $this->assertTrue($result);
757 }
758
759 /**
760 * testValidatePostCheckbox method
761 *
762 * First block tests un-checked checkbox
763 * Second block tests checked checkbox
764 *
765 * @access public
766 * @return void
767 */
768 function testValidatePostCheckbox() {
769 $this->Controller->Security->startup($this->Controller);
770 $key = $this->Controller->params['_Token']['key'];
771 $fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877%3AModel.valid';
772
773 $this->Controller->data = array(
774 'Model' => array('username' => '', 'password' => '', 'valid' => '0'),
775 '_Token' => compact('key', 'fields')
776 );
777
778 $result = $this->Controller->Security->validatePost($this->Controller);
779 $this->assertTrue($result);
780
781 $fields = '874439ca69f89b4c4a5f50fb9c36ff56a28f5d42%3A';
782
783 $this->Controller->data = array(
784 'Model' => array('username' => '', 'password' => '', 'valid' => '0'),
785 '_Token' => compact('key', 'fields')
786 );
787
788 $result = $this->Controller->Security->validatePost($this->Controller);
789 $this->assertTrue($result);
790
791
792 $this->Controller->data = array();
793 $this->Controller->Security->startup($this->Controller);
794 $key = $this->Controller->params['_Token']['key'];
795
796 $this->Controller->data = $data = array(
797 'Model' => array('username' => '', 'password' => '', 'valid' => '0'),
798 '_Token' => compact('key', 'fields')
799 );
800
801 $result = $this->Controller->Security->validatePost($this->Controller);
802 $this->assertTrue($result);
803 }
804
805 /**
806 * testValidatePostHidden method
807 *
808 * @access public
809 * @return void
810 */
811 function testValidatePostHidden() {
812 $this->Controller->Security->startup($this->Controller);
813 $key = $this->Controller->params['_Token']['key'];
814 $fields = '51ccd8cb0997c7b3d4523ecde5a109318405ef8c%3AModel.hidden%7CModel.other_hidden';
815 $fields .= '';
816
817 $this->Controller->data = array(
818 'Model' => array(
819 'username' => '', 'password' => '', 'hidden' => '0',
820 'other_hidden' => 'some hidden value'
821 ),
822 '_Token' => compact('key', 'fields')
823 );
824 $result = $this->Controller->Security->validatePost($this->Controller);
825 $this->assertTrue($result);
826 }
827
828 /**
829 * testValidatePostWithDisabledFields method
830 *
831 * @access public
832 * @return void
833 */
834 function testValidatePostWithDisabledFields() {
835 $this->Controller->Security->disabledFields = array('Model.username', 'Model.password');
836 $this->Controller->Security->startup($this->Controller);
837 $key = $this->Controller->params['_Token']['key'];
838 $fields = 'ef1082968c449397bcd849f963636864383278b1%3AModel.hidden';
839
840 $this->Controller->data = array(
841 'Model' => array(
842 'username' => '', 'password' => '', 'hidden' => '0'
843 ),
844 '_Token' => compact('fields', 'key')
845 );
846
847 $result = $this->Controller->Security->validatePost($this->Controller);
848 $this->assertTrue($result);
849 }
850
851 /**
852 * testValidateHiddenMultipleModel method
853 *
854 * @access public
855 * @return void
856 */
857 function testValidateHiddenMultipleModel() {
858 $this->Controller->Security->startup($this->Controller);
859 $key = $this->Controller->params['_Token']['key'];
860 $fields = 'a2d01072dc4660eea9d15007025f35a7a5b58e18%3AModel.valid%7CModel2.valid%7CModel3.valid';
861
862 $this->Controller->data = array(
863 'Model' => array('username' => '', 'password' => '', 'valid' => '0'),
864 'Model2' => array('valid' => '0'),
865 'Model3' => array('valid' => '0'),
866 '_Token' => compact('key', 'fields')
867 );
868 $result = $this->Controller->Security->validatePost($this->Controller);
869 $this->assertTrue($result);
870 }
871
872 /**
873 * testLoginValidation method
874 *
875 * @access public
876 * @return void
877 */
878 function testLoginValidation() {
879
880 }
881
882 /**
883 * testValidateHasManyModel method
884 *
885 * @access public
886 * @return void
887 */
888 function testValidateHasManyModel() {
889 $this->Controller->Security->startup($this->Controller);
890 $key = $this->Controller->params['_Token']['key'];
891 $fields = '51e3b55a6edd82020b3f29c9ae200e14bbeb7ee5%3AModel.0.hidden%7CModel.0.valid';
892 $fields .= '%7CModel.1.hidden%7CModel.1.valid';
893
894 $this->Controller->data = array(
895 'Model' => array(
896 array(
897 'username' => 'username', 'password' => 'password',
898 'hidden' => 'value', 'valid' => '0'
899 ),
900 array(
901 'username' => 'username', 'password' => 'password',
902 'hidden' => 'value', 'valid' => '0'
903 )
904 ),
905 '_Token' => compact('key', 'fields')
906 );
907
908 $result = $this->Controller->Security->validatePost($this->Controller);
909 $this->assertTrue($result);
910 }
911
912 /**
913 * testValidateHasManyRecordsPass method
914 *
915 * @access public
916 * @return void
917 */
918 function testValidateHasManyRecordsPass() {
919 $this->Controller->Security->startup($this->Controller);
920 $key = $this->Controller->params['_Token']['key'];
921 $fields = '7a203edb3d345bbf38fe0dccae960da8842e11d7%3AAddress.0.id%7CAddress.0.primary%7C';
922 $fields .= 'Address.1.id%7CAddress.1.primary';
923
924 $this->Controller->data = array(
925 'Address' => array(
926 0 => array(
927 'id' => '123',
928 'title' => 'home',
929 'first_name' => 'Bilbo',
930 'last_name' => 'Baggins',
931 'address' => '23 Bag end way',
932 'city' => 'the shire',
933 'phone' => 'N/A',
934 'primary' => '1',
935 ),
936 1 => array(
937 'id' => '124',
938 'title' => 'home',
939 'first_name' => 'Frodo',
940 'last_name' => 'Baggins',
941 'address' => '50 Bag end way',
942 'city' => 'the shire',
943 'phone' => 'N/A',
944 'primary' => '1'
945 )
946 ),
947 '_Token' => compact('key', 'fields')
948 );
949
950 $result = $this->Controller->Security->validatePost($this->Controller);
951 $this->assertTrue($result);
952 }
953
954 /**
955 * testValidateHasManyRecords method
956 *
957 * validatePost should fail, hidden fields have been changed.
958 *
959 * @access public
960 * @return void
961 */
962 function testValidateHasManyRecordsFail() {
963 $this->Controller->Security->startup($this->Controller);
964 $key = $this->Controller->params['_Token']['key'];
965 $fields = '7a203edb3d345bbf38fe0dccae960da8842e11d7%3AAddress.0.id%7CAddress.0.primary%7C';
966 $fields .= 'Address.1.id%7CAddress.1.primary';
967
968 $this->Controller->data = array(
969 'Address' => array(
970 0 => array(
971 'id' => '123',
972 'title' => 'home',
973 'first_name' => 'Bilbo',
974 'last_name' => 'Baggins',
975 'address' => '23 Bag end way',
976 'city' => 'the shire',
977 'phone' => 'N/A',
978 'primary' => '5',
979 ),
980 1 => array(
981 'id' => '124',
982 'title' => 'home',
983 'first_name' => 'Frodo',
984 'last_name' => 'Baggins',
985 'address' => '50 Bag end way',
986 'city' => 'the shire',
987 'phone' => 'N/A',
988 'primary' => '1'
989 )
990 ),
991 '_Token' => compact('key', 'fields')
992 );
993
994 $result = $this->Controller->Security->validatePost($this->Controller);
995 $this->assertFalse($result);
996 }
997
998 /**
999 * testLoginRequest method
1000 *
1001 * @access public
1002 * @return void
1003 */
1004 function testLoginRequest() {
1005 $this->Controller->Security->startup($this->Controller);
1006 $realm = 'cakephp.org';
1007 $options = array('realm' => $realm, 'type' => 'basic');
1008 $result = $this->Controller->Security->loginRequest($options);
1009 $expected = 'WWW-Authenticate: Basic realm="'.$realm.'"';
1010 $this->assertEqual($result, $expected);
1011
1012 $this->Controller->Security->startup($this->Controller);
1013 $options = array('realm' => $realm, 'type' => 'digest');
1014 $result = $this->Controller->Security->loginRequest($options);
1015 $this->assertPattern('/realm="'.$realm.'"/', $result);
1016 $this->assertPattern('/qop="auth"/', $result);
1017 }
1018
1019 /**
1020 * testGenerateDigestResponseHash method
1021 *
1022 * @access public
1023 * @return void
1024 */
1025 function testGenerateDigestResponseHash() {
1026 $this->Controller->Security->startup($this->Controller);
1027 $realm = 'cakephp.org';
1028 $loginData = array('realm' => $realm, 'users' => array('Willy Smith' => 'password'));
1029 $this->Controller->Security->requireLogin($loginData);
1030
1031 $data = array(
1032 'username' => 'Willy Smith',
1033 'password' => 'password',
1034 'nonce' => String::uuid(),
1035 'nc' => 1,
1036 'cnonce' => 1,
1037 'realm' => $realm,
1038 'uri' => 'path_to_identifier',
1039 'qop' => 'testme'
1040 );
1041 $_SERVER['REQUEST_METHOD'] = 'POST';
1042
1043 $result = $this->Controller->Security->generateDigestResponseHash($data);
1044 $expected = md5(
1045 md5($data['username'] . ':' . $loginData['realm'] . ':' . $data['password']) . ':' .
1046 $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' .
1047 md5(env('REQUEST_METHOD') . ':' . $data['uri'])
1048 );
1049 $this->assertIdentical($result, $expected);
1050 }
1051
1052 /**
1053 * testLoginCredentials method
1054 *
1055 * @access public
1056 * @return void
1057 */
1058 function testLoginCredentials() {
1059 $this->Controller->Security->startup($this->Controller);
1060 $_SERVER['PHP_AUTH_USER'] = $user = 'Willy Test';
1061 $_SERVER['PHP_AUTH_PW'] = $pw = 'some password for the nice test';
1062
1063 $result = $this->Controller->Security->loginCredentials('basic');
1064 $expected = array('username' => $user, 'password' => $pw);
1065 $this->assertIdentical($result, $expected);
1066
1067 if (version_compare(PHP_VERSION, '5.1') != -1) {
1068 $_SERVER['PHP_AUTH_DIGEST'] = $digest = <<<DIGEST
1069 Digest username="Mufasa",
1070 realm="testrealm@host.com",
1071 nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
1072 uri="/dir/index.html",
1073 qop=auth,
1074 nc=00000001,
1075 cnonce="0a4f113b",
1076 response="6629fae49393a05397450978507c4ef1",
1077 opaque="5ccc069c403ebaf9f0171e9517f40e41"
1078 DIGEST;
1079 $expected = array(
1080 'username' => 'Mufasa',
1081 'realm' => 'testrealm@host.com',
1082 'nonce' => 'dcd98b7102dd2f0e8b11d0f600bfb0c093',
1083 'uri' => '/dir/index.html',
1084 'qop' => 'auth',
1085 'nc' => '00000001',
1086 'cnonce' => '0a4f113b',
1087 'response' => '6629fae49393a05397450978507c4ef1',
1088 'opaque' => '5ccc069c403ebaf9f0171e9517f40e41'
1089 );
1090 $result = $this->Controller->Security->loginCredentials('digest');
1091 $this->assertIdentical($result, $expected);
1092 }
1093 }
1094
1095 /**
1096 * testParseDigestAuthData method
1097 *
1098 * @access public
1099 * @return void
1100 */
1101 function testParseDigestAuthData() {
1102 $this->Controller->Security->startup($this->Controller);
1103 $digest = <<<DIGEST
1104 Digest username="Mufasa",
1105 realm="testrealm@host.com",
1106 nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
1107 uri="/dir/index.html",
1108 qop=auth,
1109 nc=00000001,
1110 cnonce="0a4f113b",
1111 response="6629fae49393a05397450978507c4ef1",
1112 opaque="5ccc069c403ebaf9f0171e9517f40e41"
1113 DIGEST;
1114 $expected = array(
1115 'username' => 'Mufasa',
1116 'realm' => 'testrealm@host.com',
1117 'nonce' => 'dcd98b7102dd2f0e8b11d0f600bfb0c093',
1118 'uri' => '/dir/index.html',
1119 'qop' => 'auth',
1120 'nc' => '00000001',
1121 'cnonce' => '0a4f113b',
1122 'response' => '6629fae49393a05397450978507c4ef1',
1123 'opaque' => '5ccc069c403ebaf9f0171e9517f40e41'
1124 );
1125 $result = $this->Controller->Security->parseDigestAuthData($digest);
1126 $this->assertIdentical($result, $expected);
1127
1128 $result = $this->Controller->Security->parseDigestAuthData('');
1129 $this->assertNull($result);
1130 }
1131
1132 /**
1133 * test parsing digest information with email addresses
1134 *
1135 * @return void
1136 */
1137 function testParseDigestAuthEmailAddress() {
1138 $this->Controller->Security->startup($this->Controller);
1139 $digest = <<<DIGEST
1140 Digest username="mark@example.com",
1141 realm="testrealm@host.com",
1142 nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
1143 uri="/dir/index.html",
1144 qop=auth,
1145 nc=00000001,
1146 cnonce="0a4f113b",
1147 response="6629fae49393a05397450978507c4ef1",
1148 opaque="5ccc069c403ebaf9f0171e9517f40e41"
1149 DIGEST;
1150 $expected = array(
1151 'username' => 'mark@example.com',
1152 'realm' => 'testrealm@host.com',
1153 'nonce' => 'dcd98b7102dd2f0e8b11d0f600bfb0c093',
1154 'uri' => '/dir/index.html',
1155 'qop' => 'auth',
1156 'nc' => '00000001',
1157 'cnonce' => '0a4f113b',
1158 'response' => '6629fae49393a05397450978507c4ef1',
1159 'opaque' => '5ccc069c403ebaf9f0171e9517f40e41'
1160 );
1161 $result = $this->Controller->Security->parseDigestAuthData($digest);
1162 $this->assertIdentical($result, $expected);
1163 }
1164
1165 /**
1166 * testFormDisabledFields method
1167 *
1168 * @access public
1169 * @return void
1170 */
1171 function testFormDisabledFields() {
1172 $this->Controller->Security->startup($this->Controller);
1173 $key = $this->Controller->params['_Token']['key'];
1174 $fields = '11842060341b9d0fc3808b90ba29fdea7054d6ad%3An%3A0%3A%7B%7D';
1175
1176 $this->Controller->data = array(
1177 'MyModel' => array('name' => 'some data'),
1178 '_Token' => compact('key', 'fields')
1179 );
1180 $result = $this->Controller->Security->validatePost($this->Controller);
1181 $this->assertFalse($result);
1182
1183 $this->Controller->Security->startup($this->Controller);
1184 $this->Controller->Security->disabledFields = array('MyModel.name');
1185 $key = $this->Controller->params['_Token']['key'];
1186
1187 $this->Controller->data = array(
1188 'MyModel' => array('name' => 'some data'),
1189 '_Token' => compact('key', 'fields')
1190 );
1191
1192 $result = $this->Controller->Security->validatePost($this->Controller);
1193 $this->assertTrue($result);
1194 }
1195
1196 /**
1197 * testRadio method
1198 *
1199 * @access public
1200 * @return void
1201 */
1202 function testRadio() {
1203 $this->Controller->Security->startup($this->Controller);
1204 $key = $this->Controller->params['_Token']['key'];
1205 $fields = '575ef54ca4fc8cab468d6d898e9acd3a9671c17e%3An%3A0%3A%7B%7D';
1206
1207 $this->Controller->data = array(
1208 '_Token' => compact('key', 'fields')
1209 );
1210 $result = $this->Controller->Security->validatePost($this->Controller);
1211 $this->assertFalse($result);
1212
1213 $this->Controller->data = array(
1214 '_Token' => compact('key', 'fields'),
1215 'Test' => array('test' => '')
1216 );
1217 $result = $this->Controller->Security->validatePost($this->Controller);
1218 $this->assertTrue($result);
1219
1220 $this->Controller->data = array(
1221 '_Token' => compact('key', 'fields'),
1222 'Test' => array('test' => '1')
1223 );
1224 $result = $this->Controller->Security->validatePost($this->Controller);
1225 $this->assertTrue($result);
1226
1227 $this->Controller->data = array(
1228 '_Token' => compact('key', 'fields'),
1229 'Test' => array('test' => '2')
1230 );
1231 $result = $this->Controller->Security->validatePost($this->Controller);
1232 $this->assertTrue($result);
1233 }
1234
1235 /**
1236 * testInvalidAuthHeaders method
1237 *
1238 * @access public
1239 * @return void
1240 */
1241 function testInvalidAuthHeaders() {
1242 $this->Controller->Security->blackHoleCallback = null;
1243 $_SERVER['PHP_AUTH_USER'] = 'admin';
1244 $_SERVER['PHP_AUTH_PW'] = 'password';
1245 $realm = 'cakephp.org';
1246 $loginData = array('type' => 'basic', 'realm' => $realm);
1247 $this->Controller->Security->requireLogin($loginData);
1248 $this->Controller->Security->startup($this->Controller);
1249
1250 $expected = 'WWW-Authenticate: Basic realm="'.$realm.'"';
1251 $this->assertEqual(count($this->Controller->testHeaders), 1);
1252 $this->assertEqual(current($this->Controller->testHeaders), $expected);
1253 }
1254
1255 /**
1256 * test that a requestAction's controller will have the _Token appended to
1257 * the params.
1258 *
1259 * @return void
1260 * @see http://cakephp.lighthouseapp.com/projects/42648/tickets/68
1261 */
1262 function testSettingTokenForRequestAction() {
1263 $this->Controller->Security->startup($this->Controller);
1264 $key = $this->Controller->params['_Token']['key'];
1265
1266 $this->Controller->params['requested'] = 1;
1267 unset($this->Controller->params['_Token']);
1268
1269 $this->Controller->Security->startup($this->Controller);
1270 $this->assertEqual($this->Controller->params['_Token']['key'], $key);
1271 }
1272
1273 /**
1274 * test that blackhole doesn't delete the _Token session key so repeat data submissions
1275 * stay blackholed.
1276 *
1277 * @link http://cakephp.lighthouseapp.com/projects/42648/tickets/214
1278 * @return void
1279 */
1280 function testBlackHoleNotDeletingSessionInformation() {
1281 $this->Controller->Security->startup($this->Controller);
1282
1283 $this->Controller->Security->blackHole($this->Controller, 'auth');
1284 $this->assertTrue($this->Controller->Security->Session->check('_Token'), '_Token was deleted by blackHole %s');
1285 }
1286 }