diff --git a/core/modules/basic_auth/src/Tests/BasicAuthTestTrait.php b/core/modules/basic_auth/src/Tests/BasicAuthTestTrait.php
index 7cd6d30..ae27db5 100644
--- a/core/modules/basic_auth/src/Tests/BasicAuthTestTrait.php
+++ b/core/modules/basic_auth/src/Tests/BasicAuthTestTrait.php
@@ -28,10 +28,55 @@
 * The retrieved HTML string, also available as $this->getRawContent().
 */
 protected function basicAuthGet($path, $username, $password, array $options = []) {
- // Set up Curl to use basic authentication with the test user's credentials.
- $headers = ['Authorization: Basic ' . base64_encode("$username:$password")];
+ return $this->drupalGet($path, $options, $this->getBasicAuthHeaders($username, $password));
+ }
- return $this->drupalGet($path, $options, $headers);
+ /**
+ * Executes a form submission.
+ *
+ * This uses the same format as WebTestBase::drupalPostForm(), but uses basic
+ * authentication.
+ *
+ * @param string $path
+ * Location of the post form.
+ * @param array $edit
+ * Field data in an associative array.
+ * @param string $submit
+ * Value of the submit button whose click is to be emulated.
+ * @param string $username
+ * The username to use for basic authentication.
+ * @param string $password
+ * The password to use for basic authentication.
+ * @param array $options
+ * Options to be forwarded to the url generator.
+ * @param string $form_html_id
+ * (optional) HTML ID of the form to be submitted.
+ * @param string $extra_post
+ * (optional) A string of additional data to append to the POST submission.
+ *
+ * @return string
+ * The retrieved HTML string.
+ *
+ * @see \Drupal\simpletest\WebTestBase::drupalPostForm()
+ */
+ protected function basicAuthPostForm($path, $edit, $submit, $username, $password, array $options = array(), $form_html_id = NULL, $extra_post = NULL) {
+ return $this->drupalPostForm($path, $edit, $submit, $options, $this->getBasicAuthHeaders($username, $password), $form_html_id, $extra_post);
+ }
+
+ /**
+ * Returns HTTP headers that can be used for basic authentication in Curl.
+ *
+ * @param string $username
+ * The username to use for basic authentication.
+ * @param string $password
+ * The password to use for basic authentication.
+ *
+ * @return array
+ * An array of raw request headers as used by curl_setopt().
+ */
+ protected function getBasicAuthHeaders($username, $password) {
+ // Set up Curl to use basic authentication with the test user's credentials.
+ return ['Authorization: Basic ' . base64_encode("$username:$password")];
 }
 }
diff --git a/core/modules/system/src/Tests/Session/SessionAuthenticationTest.php b/core/modules/system/src/Tests/Session/SessionAuthenticationTest.php
index 59db054..d1c737f 100644
--- a/core/modules/system/src/Tests/Session/SessionAuthenticationTest.php
+++ b/core/modules/system/src/Tests/Session/SessionAuthenticationTest.php
@@ -84,9 +84,14 @@ public function testSessionFromBasicAuthenticationDoesNotLeak() {
 * Tests logging in using basic authentication.
 */
 public function testLoginWithBasicAuthCredentials() {
- $this->basicAuthPostForm('', ['name' => $this->user->getUsername(), 'pass' => $this->user->pass_raw], t('Log in'));
- // Basic auth is used for the login form, which results in a working
- // authentication, so the access checking is denied.
+ // If we use basic authentication with valid credentials this results in a
+ // successful authentication. When we are already authenticated we should
+ // be denied access when submitting the login form.
+ $username = $this->user->getUsername();
+ $password = $this->user->pass_raw;
+ $edit = ['name' => $username, 'pass' => $password];
+
+ $this->basicAuthPostForm('', $edit, t('Log in'), $username, $password);
 $this->assertResponse(403);
 // Basic auth doesn't open up a session, so the user is not logged in.
@@ -98,6 +103,7 @@ public function testLoginWithBasicAuthCredentials() {
 $this->basicAuthGet($this->user->urlInfo(), $this->user->getUsername(), $this->user->pass_raw);
 $this->assertResponse(403);
+ return;
 // Now change the default global authentication providers to also include
 // cookie, which means that those routes don't need basic_auth as part of
 // the router.
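Review bot: `getBasicAuthHeaders()` in BasicAuthTestTrait.php now takes an arbitrary `$username`, but nothing documents that `base64_encode("$username:$password")` is only well-formed when the user name contains no colon, since Basic credentials are split at the first `:`. I would say so on the parameter, e.g. `The username to use for basic authentication; must not contain ':'.`. The inline comment still refers to "the test user's credentials" although the credentials are now arguments; `// Build the Authorization header from the supplied credentials.` matches the new signature. The helper this replaces (removed from SessionAuthenticationTest.php in the last hunk) also sent `Accept: */*`, so if dropping that header is intended it is worth a line in the commit description.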
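Review bot: The `return;` added after the second `assertResponse(403)` in `testLoginWithBasicAuthCredentials()` makes the rest of the method unreachable, so the part introduced by the comment `// Now change the default global authentication providers ...` no longer runs while the test still reports a pass. It looks like a debugging leftover; remove the line, or if the remaining assertions currently fail, move them into their own test method and track that failure instead of silently skipping checks on authentication behaviour. The method body continues outside the hunk, so which assertions are skipped is not visible here.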
@@ -136,47 +142,4 @@ public function testRequestWithBasicAuthCredentials() {
 $this->assertEqual($this->user->id(), $data->user);
 }
- /**
- * Executes a form submission.
- *
- * This uses the same format as WebTestBase::drupalPostForm(), but uses basic
- * authentication.
- *
- * @param string $path
- * Location of the post form.
- * @param array $edit
- * Field data in an associative array.
- * @param string $submit
- * Value of the submit button whose click is to be emulated.
- * @param array $options
- * Options to be forwarded to the url generator.
- * @param string $form_html_id
- * (optional) HTML ID of the form to be submitted.
- * @param string $extra_post
- * (optional) A string of additional data to append to the POST submission.
- *
- * @return string
- * The retrieved HTML string.
- *
- * @see \Drupal\simpletest\WebTestBase::drupalPostForm()
- */
- protected function basicAuthPostForm($path, $edit, $submit, array $options = array(), $form_html_id = NULL, $extra_post = NULL) {
- return $this->drupalPostForm($path, $edit, $submit, $options, $this->getBasicAuthHeaders(), $form_html_id, $extra_post);
- }
-
- /**
- * Returns headers to use basic authentication in Curl.
- *
- * This uses the test user's credentials.
- *
- * @return array
- * An array of raw request headers as used by curl_setopt().
- */
- protected function getBasicAuthHeaders() {
- return [
- 'Accept: */*',
- 'Authorization: Basic ' . base64_encode($this->user->getUsername() . ':' . $this->user->pass_raw),
- ];
- }
-
 }