Restrict authentication provider for REST resources

Tagging. I think this is a necessary addition. Will review later.

+++ b/core/modules/rest/lib/Drupal/rest/EventSubscriber/RouteSubscriber.php
@@ -72,6 +72,10 @@ public function dynamicRoutes(RouteBuildEvent $event) {
+          // Check authentication.
+          if (is_array($enabled_methods[$method]['supported_auth']) && !empty($enabled_methods[$method]['supported_auth'])) {
+            $route->setOption('_auth', $enabled_methods[$method]['supported_auth']);
+          }

Insufficient comment, should be "Check if there are authentication provider restrictions in the configuration and apply them to the route."

+++ b/core/modules/rest/lib/Drupal/rest/Tests/AuthTest.php
@@ -0,0 +1,96 @@
+    // @todo once EntityNG is implemented for other entity types expand this at
+    // least to nodes and users.

In this case I think it is enough to test one entity type.

+++ b/core/modules/rest/lib/Drupal/rest/Tests/AuthTest.php
@@ -0,0 +1,96 @@
+      //$this->enableService('entity:' . $entity_type, 'GET');

This line should be removed?

+++ b/core/modules/rest/lib/Drupal/rest/Tests/AuthTest.php
@@ -0,0 +1,96 @@
+      // Attempt to read it over the REST API.
+      $response = $this->httpRequest('entity/' . $entity_type . '/' . $entity->id(), 'GET', NULL, $this->defaultMimeType);
+      $this->assertResponse('403', 'HTTP response code is 403 when the request is not authenticated.');
+      // Now read it authenticating the request.
+      $response = $this->basicAuthGet('entity/' . $entity_type . '/' . $entity->id(), $account->getUsername(), $account->pass_raw);
+      $this->assertResponse('200', 'HTTP response code is 200 for successfuly authenticated requests.');

Unclear comments. The first should be "Try to read the resource with session cookie authentication, which is not enabled and should not work."

The second one: "Now read it with the Basic authentication which is enabled and should work."

And we should have a test case here with a not authenticated request (anonymous user), which should also return 403.

+++ b/core/modules/rest/lib/Drupal/rest/Tests/AuthTest.php
@@ -0,0 +1,96 @@
+   * Does HTTP basic auth request.

Should be "Performs a HTTP request with Basic authentication.

+++ b/core/modules/rest/lib/Drupal/rest/Tests/AuthTest.php
@@ -0,0 +1,102 @@
+  public static function getInfo() {
+    return array(
+      'name' => 'Resource authentication',
+      'description' => 'Tests access to authenticated resources.',
+      'group' => 'REST',
+    );
+  }

description should be "Tests authentication provider restrictions."

+++ b/core/modules/rest/lib/Drupal/rest/Tests/AuthTest.php
@@ -0,0 +1,102 @@
+    // Define the entity types we want to test.
+    $entity_types = array('entity_test');
+    foreach ($entity_types as $entity_type) {

So the foreach loop is not necessary anymore.

+++ b/core/modules/rest/lib/Drupal/rest/Tests/AuthTest.php
@@ -0,0 +1,102 @@
+      // Create a user account that has the required permissions to read
+      // resources via the REST API, but the request is not authenticated.
+      $permissions = $this->entityPermissions($entity_type, 'view');
+      $permissions[] = 'restful get entity:' . $entity_type;
+      $account = $this->drupalCreateUser($permissions);
+      $this->drupalLogin($account);

Wrong comment: the request is authenticated, but with session cookies.

+++ b/core/modules/rest/lib/Drupal/rest/Tests/AuthTest.php
@@ -0,0 +1,102 @@
+/**
+ * Tests authenticated operations on test entities, nodes and users.
+ */

No tests on users and nodes present.

+++ b/core/modules/rest/lib/Drupal/rest/Tests/AuthTest.php
@@ -0,0 +1,102 @@
+  public static function getInfo() {

@{inheritdoc} missing.

+++ b/core/modules/rest/lib/Drupal/rest/Tests/AuthTest.php
@@ -0,0 +1,102 @@
+    // Try to read the resource with session cookie authentication, which is
+    // not enabled and should not work.
+    $response = $this->httpRequest('entity/' . $entity_type . '/' . $entity->id(), 'GET', NULL, $this->defaultMimeType);
+    $this->assertResponse('403', 'HTTP response code is 403 when the request is not authenticated.');
+
+    // Now read it with the Basic authentication which is enabled and should
+    // work.
+    $response = $this->basicAuthGet('entity/' . $entity_type . '/' . $entity->id(), $account->getUsername(), $account->pass_raw);
+    $this->assertResponse('200', 'HTTP response code is 200 for successfuly authenticated requests.');

I think we should call $this->drupalLogout() after the session cookie test, because the basicAuthGet request sends cookies and Basic auth credentials currently.

And we are missing an example in rest.settings.yml, same as we have there for supported formats.

1. @@ -14,3 +14,13 @@ resources:
   +#
   +# To enable only specific authentication methods for an operation, list them
   +# at supported_auth.
   +# For example, the following config only allows Basic HTTP authenticated
   +# requests for the POST method on the node entity.
   

   We should probably document here what happens if none are set. (ie, I believe all are acceptable?)

2. @@ -0,0 +1,106 @@
   +    $this->assertText(t('A fatal error occurred: No authentication credentials provided.'));
   

   No t() in test classes. WebTests can use String::format() if they need placeholders, but in this case we don't even need that.

3. @@ -0,0 +1,106 @@
   +    $this->assertResponse('403', 'HTTP response code is 403 when the request is not authenticated.');
   

   This error happens when the request is not AUTHORIZED, but has been authenticated. (That is, we know who you are, we just don't like you.)

4. @@ -0,0 +1,106 @@
   +    $this->assertResponse('200', 'HTTP response code is 200 for successfuly authenticated requests.');
   

   As above, this should be "authorized".

Needs work per #15.

The ->curlClose() is not really necessary, but it does not hurt either. I think the comment in the YAML file is good enough, it is the same as for supported formats, so it should make sense as it is now.

Committed to 8.x. Let's add a change notification. Keep up the great work.

Nice work... also, please update the docs at https://drupal.org/documentation/modules/rest

Committed 4ca797a and 2cfbc18 and pushed to 8.x because a little extra got in with this change.

"Currently, POSTing is only supported with media type application/hal+json. Enable HAL module to support this media type." https://drupal.org/documentation/modules/rest

juampy says:

I have verified that when a route does not define authentication methods, only cookie authentication is available.

klausi says:

I think the comment in the YAML file is good enough, it is the same as for supported formats, so it should make sense as it is now.

I do not understand how these two statements correspond. Available formats are all enabled by default. Available auth is not.

If we only have two keys in the config file, and they share a patten as 'supported_formats' and 'supported_auth' do, they should at least work in a consistent way. I'm fine with making it so that you have to define your supported formats. In fact, I think that could make it clearer to devs what is going on.

Follow-up: #2065193: supported_formats and supported_auth should work in the same way