You are here

EntityResourceTestBase.php in Drupal 9

File

core/modules/rest/tests/src/Functional/EntityResource/EntityResourceTestBase.php
View source
<?php

namespace Drupal\Tests\rest\Functional\EntityResource;

use Drupal\Component\Assertion\Inspector;
use Drupal\Component\Utility\NestedArray;
use Drupal\Component\Utility\Random;
use Drupal\Core\Cache\Cache;
use Drupal\Core\Cache\CacheableResponseInterface;
use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Config\Entity\ConfigEntityInterface;
use Drupal\Core\Entity\ContentEntityNullStorage;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Entity\FieldableEntityInterface;
use Drupal\Core\Field\Plugin\Field\FieldType\BooleanItem;
use Drupal\Core\Field\Plugin\Field\FieldType\EntityReferenceItem;
use Drupal\Core\Url;
use Drupal\field\Entity\FieldConfig;
use Drupal\field\Entity\FieldStorageConfig;
use Drupal\path\Plugin\Field\FieldType\PathItem;
use Drupal\rest\ResourceResponseInterface;
use Drupal\Tests\rest\Functional\ResourceTestBase;
use GuzzleHttp\RequestOptions;
use Psr\Http\Message\ResponseInterface;

/**
 * Even though there is the generic EntityResource, it's necessary for every
 * entity type to have its own test, because they each have different fields,
 * validation constraints, et cetera. It's not because the generic case works,
 * that every case works.
 *
 * Furthermore, it's necessary to test every format separately, because there
 * can be entity type-specific normalization or serialization problems.
 *
 * Subclass this for every entity type. Also respect instructions in
 * \Drupal\rest\Tests\ResourceTestBase.
 *
 * For example, for the node test coverage, there is the (abstract)
 * \Drupal\Tests\rest\Functional\EntityResource\Node\NodeResourceTestBase, which
 * is then again subclassed for every authentication provider:
 * - \Drupal\Tests\rest\Functional\EntityResource\Node\NodeJsonAnonTest
 * - \Drupal\Tests\rest\Functional\EntityResource\Node\NodeJsonBasicAuthTest
 * - \Drupal\Tests\rest\Functional\EntityResource\Node\NodeJsonCookieTest
 * But the HAL module also adds a new format ('hal_json'), so that format also
 * needs test coverage (for its own peculiarities in normalization & encoding):
 * - \Drupal\Tests\hal\Functional\EntityResource\Node\NodeHalJsonAnonTest
 * - \Drupal\Tests\hal\Functional\EntityResource\Node\NodeHalJsonBasicAuthTest
 * - \Drupal\Tests\hal\Functional\EntityResource\Node\NodeHalJsonCookieTest
 *
 * In other words: for every entity type there should be:
 * 1. an abstract subclass that includes the entity type-specific authorization
 *    (permissions or perhaps custom access control handling, such as node
 *    grants), plus
 * 2. a concrete subclass extending the abstract entity type-specific subclass
 *    that specifies the exact @code $format @endcode, @code $mimeType @endcode
 *    and @code $auth @endcode for this concrete test. Usually that's all that's
 *    necessary: most concrete subclasses will be very thin.
 *
 * For every of these concrete subclasses, a comprehensive test scenario will
 * run per HTTP method:
 * - ::testGet()
 * - ::testPost()
 * - ::testPatch()
 * - ::testDelete()
 *
 * If there is an entity type-specific edge case scenario to test, then add that
 * to the entity type-specific abstract subclass. Example:
 * \Drupal\Tests\rest\Functional\EntityResource\Comment\CommentResourceTestBase::testPostDxWithoutCriticalBaseFields
 *
 * If there is an entity type-specific format-specific edge case to test, then
 * add that to a concrete subclass. Example:
 * \Drupal\Tests\hal\Functional\EntityResource\Comment\CommentHalJsonTestBase::$patchProtectedFieldNames
 */
abstract class EntityResourceTestBase extends ResourceTestBase {

  /**
   * The tested entity type.
   *
   * @var string
   */
  protected static $entityTypeId = NULL;

  /**
   * The fields that are protected against modification during PATCH requests.
   *
   * Keys are field names, values are expected access denied reasons.
   *
   * @var string[]
   */
  protected static $patchProtectedFieldNames;

  /**
   * The fields that need a different (random) value for each new entity created
   * by a POST request.
   *
   * @var string[]
   */
  protected static $uniqueFieldNames = [];

  /**
   * Optionally specify which field is the 'label' field. Some entities do not
   * specify a 'label' entity key. For example: User.
   *
   * @see ::getInvalidNormalizedEntityToCreate
   *
   * @var string|null
   */
  protected static $labelFieldName = NULL;

  /**
   * The entity ID for the first created entity in testPost().
   *
   * The default value of 2 should work for most content entities.
   *
   * @see ::testPost()
   *
   * @var string|int
   */
  protected static $firstCreatedEntityId = 2;

  /**
   * The entity ID for the second created entity in testPost().
   *
   * The default value of 3 should work for most content entities.
   *
   * @see ::testPost()
   *
   * @var string|int
   */
  protected static $secondCreatedEntityId = 3;

  /**
   * The main entity used for testing.
   *
   * @var \Drupal\Core\Entity\EntityInterface
   */
  protected $entity;

  /**
   * Another entity of the same type used for testing.
   *
   * @var \Drupal\Core\Entity\EntityInterface
   */
  protected $anotherEntity;

  /**
   * The entity storage.
   *
   * @var \Drupal\Core\Entity\EntityStorageInterface
   */
  protected $entityStorage;

  /**
   * Modules to install.
   *
   * @var array
   */
  protected static $modules = [
    'rest_test',
    'text',
  ];

  /**
   * Provides an entity resource.
   *
   * @param bool $single_format
   *   Provisions a single-format entity REST resource. Defaults to FALSE.
   */
  protected function provisionEntityResource($single_format = FALSE) {
    if ($existing = $this->resourceConfigStorage
      ->load(static::$resourceConfigId)) {
      $existing
        ->delete();
    }
    $format = $single_format ? [
      static::$format,
    ] : [
      static::$format,
      'foobar',
    ];

    // It's possible to not have any authentication providers enabled, when
    // testing public (anonymous) usage of a REST resource.
    $auth = isset(static::$auth) ? [
      static::$auth,
    ] : [];
    $this
      ->provisionResource($format, $auth);
  }

  /**
   * {@inheritdoc}
   */
  public function setUp() {
    parent::setUp();

    // Calculate REST Resource config entity ID.
    static::$resourceConfigId = 'entity.' . static::$entityTypeId;
    $this->entityStorage = $this->container
      ->get('entity_type.manager')
      ->getStorage(static::$entityTypeId);

    // Create an entity.
    $this->entity = $this
      ->createEntity();
    if ($this->entity instanceof FieldableEntityInterface) {

      // Add access-protected field.
      FieldStorageConfig::create([
        'entity_type' => static::$entityTypeId,
        'field_name' => 'field_rest_test',
        'type' => 'text',
      ])
        ->setCardinality(1)
        ->save();
      FieldConfig::create([
        'entity_type' => static::$entityTypeId,
        'field_name' => 'field_rest_test',
        'bundle' => $this->entity
          ->bundle(),
      ])
        ->setLabel('Test field')
        ->setTranslatable(FALSE)
        ->save();

      // Add multi-value field.
      FieldStorageConfig::create([
        'entity_type' => static::$entityTypeId,
        'field_name' => 'field_rest_test_multivalue',
        'type' => 'string',
      ])
        ->setCardinality(3)
        ->save();
      FieldConfig::create([
        'entity_type' => static::$entityTypeId,
        'field_name' => 'field_rest_test_multivalue',
        'bundle' => $this->entity
          ->bundle(),
      ])
        ->setLabel('Test field: multi-value')
        ->setTranslatable(FALSE)
        ->save();

      // Reload entity so that it has the new field.
      $reloaded_entity = $this->entityStorage
        ->loadUnchanged($this->entity
        ->id());

      // Some entity types are not stored, hence they cannot be reloaded.
      if ($reloaded_entity !== NULL) {
        $this->entity = $reloaded_entity;

        // Set a default value on the fields.
        $this->entity
          ->set('field_rest_test', [
          'value' => 'All the faith they had had had had no effect on the outcome of their life.',
        ]);
        $this->entity
          ->set('field_rest_test_multivalue', [
          [
            'value' => 'One',
          ],
          [
            'value' => 'Two',
          ],
        ]);
        $this->entity
          ->set('rest_test_validation', [
          'value' => 'allowed value',
        ]);
        $this->entity
          ->save();
      }
    }
  }

  /**
   * Creates the entity to be tested.
   *
   * @return \Drupal\Core\Entity\EntityInterface
   *   The entity to be tested.
   */
  protected abstract function createEntity();

  /**
   * Creates another entity to be tested.
   *
   * @return \Drupal\Core\Entity\EntityInterface
   *   Another entity based on $this->entity.
   */
  protected function createAnotherEntity() {
    $entity = $this->entity
      ->createDuplicate();
    $label_key = $entity
      ->getEntityType()
      ->getKey('label');
    if ($label_key) {
      $entity
        ->set($label_key, $entity
        ->label() . '_dupe');
    }
    $entity
      ->save();
    return $entity;
  }

  /**
   * Returns the expected normalization of the entity.
   *
   * @see ::createEntity()
   *
   * @return array
   */
  protected abstract function getExpectedNormalizedEntity();

  /**
   * Returns the normalized POST entity.
   *
   * @see ::testPost
   *
   * @return array
   */
  protected abstract function getNormalizedPostEntity();

  /**
   * Returns the normalized PATCH entity.
   *
   * By default, reuses ::getNormalizedPostEntity(), which works fine for most
   * entity types. A counterexample: the 'comment' entity type.
   *
   * @see ::testPatch
   *
   * @return array
   */
  protected function getNormalizedPatchEntity() {
    return $this
      ->getNormalizedPostEntity();
  }

  /**
   * Gets the normalized POST entity with random values for its unique fields.
   *
   * @see ::testPost
   * @see ::getNormalizedPostEntity
   *
   * @return array
   *   An array structure as returned by ::getNormalizedPostEntity().
   */
  protected function getModifiedEntityForPostTesting() {
    $normalized_entity = $this
      ->getNormalizedPostEntity();

    // Ensure that all the unique fields of the entity type get a new random
    // value.
    foreach (static::$uniqueFieldNames as $field_name) {
      $field_definition = $this->entity
        ->getFieldDefinition($field_name);
      $field_type_class = $field_definition
        ->getItemDefinition()
        ->getClass();
      $normalized_entity[$field_name] = $field_type_class::generateSampleValue($field_definition);
    }
    return $normalized_entity;
  }

  /**
   * {@inheritdoc}
   */
  protected function getExpectedUnauthorizedAccessMessage($method) {
    $permission = $this->entity
      ->getEntityType()
      ->getAdminPermission();
    if ($permission !== FALSE) {
      return "The '{$permission}' permission is required.";
    }
    $http_method_to_entity_operation = [
      'GET' => 'view',
      'POST' => 'create',
      'PATCH' => 'update',
      'DELETE' => 'delete',
    ];
    $operation = $http_method_to_entity_operation[$method];
    $message = sprintf('You are not authorized to %s this %s entity', $operation, $this->entity
      ->getEntityTypeId());
    if ($this->entity
      ->bundle() !== $this->entity
      ->getEntityTypeId()) {
      $message .= ' of bundle ' . $this->entity
        ->bundle();
    }
    return "{$message}.";
  }

  /**
   * {@inheritdoc}
   */
  protected function getExpectedUnauthorizedAccessCacheability() {
    return (new CacheableMetadata())
      ->setCacheTags(static::$auth ? [
      '4xx-response',
      'http_response',
    ] : [
      '4xx-response',
      'config:user.role.anonymous',
      'http_response',
    ])
      ->setCacheContexts([
      'user.permissions',
    ]);
  }

  /**
   * The cacheability of unauthorized 'view' entity access.
   *
   * @param bool $is_authenticated
   *   Whether the current request is authenticated or not. This matters for
   *   some entity access control handlers, but not for most.
   *
   * @return \Drupal\Core\Cache\CacheableMetadata
   *   The expected cacheability.
   */
  protected function getExpectedUnauthorizedEntityAccessCacheability($is_authenticated) {
    return new CacheableMetadata();
  }

  /**
   * The expected cache tags for the GET/HEAD response of the test entity.
   *
   * @see ::testGet
   *
   * @return string[]
   */
  protected function getExpectedCacheTags() {
    $expected_cache_tags = [
      'config:rest.resource.entity.' . static::$entityTypeId,
    ];
    if (!static::$auth) {
      $expected_cache_tags[] = 'config:user.role.anonymous';
    }
    $expected_cache_tags[] = 'http_response';
    return Cache::mergeTags($expected_cache_tags, $this->entity
      ->getCacheTags());
  }

  /**
   * The expected cache contexts for the GET/HEAD response of the test entity.
   *
   * @see ::testGet
   *
   * @return string[]
   */
  protected function getExpectedCacheContexts() {
    return [
      'url.site',
      'user.permissions',
    ];
  }

  /**
   * Tests a GET request for an entity, plus edge cases to ensure good DX.
   */
  public function testGet() {
    $this
      ->initAuthentication();
    $has_canonical_url = $this->entity
      ->hasLinkTemplate('canonical');

    // The URL and Guzzle request options that will be used in this test. The
    // request options will be modified/expanded throughout this test:
    // - to first test all mistakes a developer might make, and assert that the
    //   error responses provide a good DX
    // - to eventually result in a well-formed request that succeeds.
    $url = $this
      ->getEntityResourceUrl();
    $request_options = [];

    // DX: 404 when resource not provisioned, 403 if canonical route. HTML
    // response because missing ?_format query string.
    $response = $this
      ->request('GET', $url, $request_options);
    $this
      ->assertSame($has_canonical_url ? 403 : 404, $response
      ->getStatusCode());
    $this
      ->assertSame([
      'text/html; charset=UTF-8',
    ], $response
      ->getHeader('Content-Type'));
    $url
      ->setOption('query', [
      '_format' => static::$format,
    ]);

    // DX: 404 when resource not provisioned, 403 if canonical route. Non-HTML
    // response because ?_format query string is present.
    $response = $this
      ->request('GET', $url, $request_options);
    if ($has_canonical_url) {
      $expected_cacheability = $this
        ->getExpectedUnauthorizedAccessCacheability()
        ->addCacheTags([
        'config:user.role.anonymous',
      ]);
      $expected_cacheability
        ->addCacheableDependency($this
        ->getExpectedUnauthorizedEntityAccessCacheability(FALSE));
      $this
        ->assertResourceErrorResponse(403, $this
        ->getExpectedUnauthorizedAccessMessage('GET'), $response, $expected_cacheability
        ->getCacheTags(), $expected_cacheability
        ->getCacheContexts(), 'MISS', FALSE);
    }
    else {
      $this
        ->assertResourceErrorResponse(404, 'No route found for "GET ' . str_replace($this->baseUrl, '', $this
        ->getEntityResourceUrl()
        ->setAbsolute()
        ->toString()) . '"', $response);
    }
    $this
      ->provisionEntityResource();

    // DX: forgetting authentication: authentication provider-specific error
    // response.
    if (static::$auth) {
      $response = $this
        ->request('GET', $url, $request_options);
      $this
        ->assertResponseWhenMissingAuthentication('GET', $response);
    }
    $request_options[RequestOptions::HEADERS]['REST-test-auth'] = '1';

    // DX: 403 when attempting to use unallowed authentication provider.
    $response = $this
      ->request('GET', $url, $request_options);
    $this
      ->assertResourceErrorResponse(403, 'The used authentication method is not allowed on this route.', $response);
    unset($request_options[RequestOptions::HEADERS]['REST-test-auth']);
    $request_options[RequestOptions::HEADERS]['REST-test-auth-global'] = '1';

    // DX: 403 when attempting to use unallowed global authentication provider.
    $response = $this
      ->request('GET', $url, $request_options);
    $this
      ->assertResourceErrorResponse(403, 'The used authentication method is not allowed on this route.', $response);
    unset($request_options[RequestOptions::HEADERS]['REST-test-auth-global']);
    $request_options = NestedArray::mergeDeep($request_options, $this
      ->getAuthenticationRequestOptions('GET'));

    // First: single format. Drupal will automatically pick the only format.
    $this
      ->provisionEntityResource(TRUE);
    $expected_403_cacheability = $this
      ->getExpectedUnauthorizedAccessCacheability()
      ->addCacheableDependency($this
      ->getExpectedUnauthorizedEntityAccessCacheability(static::$auth !== FALSE));

    // DX: 403 because unauthorized single-format route, ?_format is omittable.
    $url
      ->setOption('query', []);
    $response = $this
      ->request('GET', $url, $request_options);
    if ($has_canonical_url) {
      $this
        ->assertSame(403, $response
        ->getStatusCode());
      $this
        ->assertSame([
        'text/html; charset=UTF-8',
      ], $response
        ->getHeader('Content-Type'));
    }
    else {
      $this
        ->assertResourceErrorResponse(403, FALSE, $response, $expected_403_cacheability
        ->getCacheTags(), $expected_403_cacheability
        ->getCacheContexts(), static::$auth ? FALSE : 'MISS', FALSE);
    }
    $this
      ->assertSame(static::$auth ? [] : [
      'MISS',
    ], $response
      ->getHeader('X-Drupal-Cache'));

    // DX: 403 because unauthorized.
    $url
      ->setOption('query', [
      '_format' => static::$format,
    ]);
    $response = $this
      ->request('GET', $url, $request_options);
    $this
      ->assertResourceErrorResponse(403, FALSE, $response, $expected_403_cacheability
      ->getCacheTags(), $expected_403_cacheability
      ->getCacheContexts(), static::$auth ? FALSE : 'MISS', FALSE);

    // Then, what we'll use for the remainder of the test: multiple formats.
    $this
      ->provisionEntityResource();

    // DX: 406 because despite unauthorized, ?_format is not omittable.
    $url
      ->setOption('query', []);
    $response = $this
      ->request('GET', $url, $request_options);
    if ($has_canonical_url) {
      $this
        ->assertSame(403, $response
        ->getStatusCode());
      $this
        ->assertSame([
        'HIT',
      ], $response
        ->getHeader('X-Drupal-Dynamic-Cache'));
    }
    else {
      $this
        ->assertSame(406, $response
        ->getStatusCode());
      $this
        ->assertSame([
        'UNCACHEABLE',
      ], $response
        ->getHeader('X-Drupal-Dynamic-Cache'));
    }
    $this
      ->assertSame([
      'text/html; charset=UTF-8',
    ], $response
      ->getHeader('Content-Type'));
    $this
      ->assertSame(static::$auth ? [] : [
      'MISS',
    ], $response
      ->getHeader('X-Drupal-Cache'));

    // DX: 403 because unauthorized.
    $url
      ->setOption('query', [
      '_format' => static::$format,
    ]);
    $response = $this
      ->request('GET', $url, $request_options);
    $this
      ->assertResourceErrorResponse(403, $this
      ->getExpectedUnauthorizedAccessMessage('GET'), $response, $expected_403_cacheability
      ->getCacheTags(), $expected_403_cacheability
      ->getCacheContexts(), static::$auth ? FALSE : 'MISS', FALSE);
    $this
      ->assertArrayNotHasKey('Link', $response
      ->getHeaders());
    $this
      ->setUpAuthorization('GET');

    // 200 for well-formed HEAD request.
    $response = $this
      ->request('HEAD', $url, $request_options);
    $is_cacheable_by_dynamic_page_cache = empty(array_intersect([
      'user',
      'session',
    ], $this
      ->getExpectedCacheContexts()));
    $this
      ->assertResourceResponse(200, '', $response, $this
      ->getExpectedCacheTags(), $this
      ->getExpectedCacheContexts(), static::$auth ? FALSE : 'MISS', $is_cacheable_by_dynamic_page_cache ? 'MISS' : 'UNCACHEABLE');
    $head_headers = $response
      ->getHeaders();

    // 200 for well-formed GET request. Page Cache hit because of HEAD request.
    // Same for Dynamic Page Cache hit.
    $response = $this
      ->request('GET', $url, $request_options);
    $this
      ->assertResourceResponse(200, FALSE, $response, $this
      ->getExpectedCacheTags(), $this
      ->getExpectedCacheContexts(), static::$auth ? FALSE : 'HIT', $is_cacheable_by_dynamic_page_cache ? static::$auth ? 'HIT' : 'MISS' : 'UNCACHEABLE');

    // Assert that Dynamic Page Cache did not store a ResourceResponse object,
    // which needs serialization after every cache hit. Instead, it should
    // contain a flattened response. Otherwise performance suffers.
    // @see \Drupal\rest\EventSubscriber\ResourceResponseSubscriber::flattenResponse()
    $cache_items = $this->container
      ->get('database')
      ->select('cache_dynamic_page_cache', 'c')
      ->fields('c', [
      'cid',
      'data',
    ])
      ->condition('c.cid', '%[route]=rest.%', 'LIKE')
      ->execute()
      ->fetchAllAssoc('cid');
    if (!$is_cacheable_by_dynamic_page_cache) {
      $this
        ->assertCount(0, $cache_items);
    }
    else {
      $this
        ->assertCount(2, $cache_items);
      $found_cache_redirect = FALSE;
      $found_cached_200_response = FALSE;
      $other_cached_responses_are_4xx = TRUE;
      foreach ($cache_items as $cid => $cache_item) {
        $cached_data = unserialize($cache_item->data);
        if (!isset($cached_data['#cache_redirect'])) {
          $cached_response = $cached_data['#response'];
          if ($cached_response
            ->getStatusCode() === 200) {
            $found_cached_200_response = TRUE;
          }
          elseif (!$cached_response
            ->isClientError()) {
            $other_cached_responses_are_4xx = FALSE;
          }
          $this
            ->assertNotInstanceOf(ResourceResponseInterface::class, $cached_response);
          $this
            ->assertInstanceOf(CacheableResponseInterface::class, $cached_response);
        }
        else {
          $found_cache_redirect = TRUE;
        }
      }
      $this
        ->assertTrue($found_cache_redirect);
      $this
        ->assertTrue($found_cached_200_response);
      $this
        ->assertTrue($other_cached_responses_are_4xx);
    }

    // Sort the serialization data first so we can do an identical comparison
    // for the keys with the array order the same (it needs to match with
    // identical comparison).
    $expected = $this
      ->getExpectedNormalizedEntity();
    static::recursiveKSort($expected);
    $actual = $this->serializer
      ->decode((string) $response
      ->getBody(), static::$format);
    static::recursiveKSort($actual);
    $this
      ->assertEqualsCanonicalizing($expected, $actual);

    // Not only assert the normalization, also assert deserialization of the
    // response results in the expected object.
    // Note: deserialization of the XML format is not supported, so only test
    // this for other formats.
    if (static::$format !== 'xml') {
      $unserialized = $this->serializer
        ->deserialize((string) $response
        ->getBody(), get_class($this->entity), static::$format);
      $this
        ->assertSame($unserialized
        ->uuid(), $this->entity
        ->uuid());
    }

    // Finally, assert that the expected 'Link' headers are present.
    if ($this->entity
      ->getEntityType()
      ->getLinkTemplates()) {
      $this
        ->assertArrayHasKey('Link', $response
        ->getHeaders());
      $link_relation_type_manager = $this->container
        ->get('plugin.manager.link_relation_type');
      $expected_link_relation_headers = array_map(function ($relation_name) use ($link_relation_type_manager) {
        $link_relation_type = $link_relation_type_manager
          ->createInstance($relation_name);
        return $link_relation_type
          ->isRegistered() ? $link_relation_type
          ->getRegisteredName() : $link_relation_type
          ->getExtensionUri();
      }, array_keys($this->entity
        ->getEntityType()
        ->getLinkTemplates()));
      $parse_rel_from_link_header = function ($value) use ($link_relation_type_manager) {
        $matches = [];
        if (preg_match('/rel="([^"]+)"/', $value, $matches) === 1) {
          return $matches[1];
        }
        return FALSE;
      };
      $this
        ->assertSame($expected_link_relation_headers, array_map($parse_rel_from_link_header, $response
        ->getHeader('Link')));
    }
    $get_headers = $response
      ->getHeaders();

    // Verify that the GET and HEAD responses are the same. The only difference
    // is that there's no body. For this reason the 'Transfer-Encoding' and
    // 'Vary' headers are also added to the list of headers to ignore, as they
    // may be added to GET requests, depending on web server configuration. They
    // are usually 'Transfer-Encoding: chunked' and 'Vary: Accept-Encoding'.
    $ignored_headers = [
      'Date',
      'Content-Length',
      'X-Drupal-Cache',
      'X-Drupal-Dynamic-Cache',
      'Transfer-Encoding',
      'Vary',
    ];
    $header_cleaner = function ($headers) use ($ignored_headers) {
      foreach ($headers as $header => $value) {
        if (strpos($header, 'X-Drupal-Assertion-') === 0 || in_array($header, $ignored_headers)) {
          unset($headers[$header]);
        }
      }
      return $headers;
    };
    $get_headers = $header_cleaner($get_headers);
    $head_headers = $header_cleaner($head_headers);
    $this
      ->assertSame($get_headers, $head_headers);
    $this->resourceConfigStorage
      ->load(static::$resourceConfigId)
      ->disable()
      ->save();
    $this
      ->refreshTestStateAfterRestConfigChange();

    // DX: upon disabling a resource, it's immediately no longer available.
    $this
      ->assertResourceNotAvailable($url, $request_options);
    $this->resourceConfigStorage
      ->load(static::$resourceConfigId)
      ->enable()
      ->save();
    $this
      ->refreshTestStateAfterRestConfigChange();

    // DX: upon re-enabling a resource, immediate 200.
    $response = $this
      ->request('GET', $url, $request_options);
    $this
      ->assertResourceResponse(200, FALSE, $response, $this
      ->getExpectedCacheTags(), $this
      ->getExpectedCacheContexts(), static::$auth ? FALSE : 'MISS', $is_cacheable_by_dynamic_page_cache ? 'MISS' : 'UNCACHEABLE');
    $this->resourceConfigStorage
      ->load(static::$resourceConfigId)
      ->delete();
    $this
      ->refreshTestStateAfterRestConfigChange();

    // DX: upon deleting a resource, it's immediately no longer available.
    $this
      ->assertResourceNotAvailable($url, $request_options);
    $this
      ->provisionEntityResource();
    $url
      ->setOption('query', [
      '_format' => 'non_existing_format',
    ]);

    // DX: 406 when requesting unsupported format.
    $response = $this
      ->request('GET', $url, $request_options);
    $this
      ->assert406Response($response);
    $this
      ->assertSame([
      'text/plain; charset=UTF-8',
    ], $response
      ->getHeader('Content-Type'));
    $request_options[RequestOptions::HEADERS]['Accept'] = static::$mimeType;

    // DX: 406 when requesting unsupported format but specifying Accept header:
    // should result in a text/plain response.
    $response = $this
      ->request('GET', $url, $request_options);
    $this
      ->assert406Response($response);
    $this
      ->assertSame([
      'text/plain; charset=UTF-8',
    ], $response
      ->getHeader('Content-Type'));
    $url = Url::fromRoute('rest.entity.' . static::$entityTypeId . '.GET');
    $url
      ->setRouteParameter(static::$entityTypeId, 987654321);
    $url
      ->setOption('query', [
      '_format' => static::$format,
    ]);

    // DX: 404 when GETting non-existing entity.
    $response = $this
      ->request('GET', $url, $request_options);
    $path = str_replace('987654321', '{' . static::$entityTypeId . '}', $url
      ->setAbsolute()
      ->setOptions([
      'base_url' => '',
      'query' => [],
    ])
      ->toString());
    $message = 'The "' . static::$entityTypeId . '" parameter was not converted for the path "' . $path . '" (route name: "rest.entity.' . static::$entityTypeId . '.GET")';
    $this
      ->assertResourceErrorResponse(404, $message, $response);
  }

  /**
   * Transforms a normalization: casts all non-string types to strings.
   *
   * @param array $normalization
   *   A normalization to transform.
   *
   * @return array
   *   The transformed normalization.
   */
  protected static function castToString(array $normalization) {
    foreach ($normalization as $key => $value) {
      if (is_bool($value)) {
        $normalization[$key] = (string) (int) $value;
      }
      elseif (is_int($value) || is_float($value)) {
        $normalization[$key] = (string) $value;
      }
      elseif (is_array($value)) {
        $normalization[$key] = static::castToString($value);
      }
    }
    return $normalization;
  }

  /**
   * Tests a POST request for an entity, plus edge cases to ensure good DX.
   */
  public function testPost() {

    // @todo Remove this in https://www.drupal.org/node/2300677.
    if ($this->entity instanceof ConfigEntityInterface) {
      $this
        ->assertTrue(TRUE, 'POSTing config entities is not yet supported.');
      return;
    }
    $this
      ->initAuthentication();
    $has_canonical_url = $this->entity
      ->hasLinkTemplate('canonical');

    // Try with all of the following request bodies.
    $unparseable_request_body = '!{>}<';
    $parseable_valid_request_body = $this->serializer
      ->encode($this
      ->getNormalizedPostEntity(), static::$format);
    $parseable_invalid_request_body = $this->serializer
      ->encode($this
      ->makeNormalizationInvalid($this
      ->getNormalizedPostEntity(), 'label'), static::$format);
    $parseable_invalid_request_body_2 = $this->serializer
      ->encode($this
      ->getNormalizedPostEntity() + [
      'uuid' => [
        $this
          ->randomMachineName(129),
      ],
    ], static::$format);
    $parseable_invalid_request_body_3 = $this->serializer
      ->encode($this
      ->getNormalizedPostEntity() + [
      'field_rest_test' => [
        [
          'value' => $this
            ->randomString(),
        ],
      ],
    ], static::$format);

    // The URL and Guzzle request options that will be used in this test. The
    // request options will be modified/expanded throughout this test:
    // - to first test all mistakes a developer might make, and assert that the
    //   error responses provide a good DX
    // - to eventually result in a well-formed request that succeeds.
    $url = $this
      ->getEntityResourcePostUrl();
    $request_options = [];

    // DX: 404 when resource not provisioned. HTML response because missing
    // ?_format query string.
    $response = $this
      ->request('POST', $url, $request_options);
    $this
      ->assertSame(404, $response
      ->getStatusCode());
    $this
      ->assertSame([
      'text/html; charset=UTF-8',
    ], $response
      ->getHeader('Content-Type'));
    $url
      ->setOption('query', [
      '_format' => static::$format,
    ]);

    // DX: 404 when resource not provisioned.
    $response = $this
      ->request('POST', $url, $request_options);
    $this
      ->assertResourceErrorResponse(404, 'No route found for "POST ' . str_replace($this->baseUrl, '', $this
      ->getEntityResourcePostUrl()
      ->setAbsolute()
      ->toString()) . '"', $response);
    $this
      ->provisionEntityResource();

    // Simulate the developer again forgetting the ?_format query string.
    $url
      ->setOption('query', []);

    // DX: 415 when no Content-Type request header. HTML response because
    // missing ?_format query string.
    $response = $this
      ->request('POST', $url, $request_options);
    $this
      ->assertSame(415, $response
      ->getStatusCode());
    $this
      ->assertSame([
      'text/html; charset=UTF-8',
    ], $response
      ->getHeader('Content-Type'));
    $this
      ->assertStringContainsString('A client error happened', (string) $response
      ->getBody());
    $url
      ->setOption('query', [
      '_format' => static::$format,
    ]);

    // DX: 415 when no Content-Type request header.
    $response = $this
      ->request('POST', $url, $request_options);
    $this
      ->assertResourceErrorResponse(415, 'No "Content-Type" request header specified', $response);
    $request_options[RequestOptions::HEADERS]['Content-Type'] = static::$mimeType;
    if (static::$auth) {

      // DX: forgetting authentication: authentication provider-specific error
      // response.
      $response = $this
        ->request('POST', $url, $request_options);
      $this
        ->assertResponseWhenMissingAuthentication('POST', $response);
    }
    $request_options = NestedArray::mergeDeep($request_options, $this
      ->getAuthenticationRequestOptions('POST'));

    // DX: 403 when unauthorized.
    $response = $this
      ->request('POST', $url, $request_options);
    $this
      ->assertResourceErrorResponse(403, $this
      ->getExpectedUnauthorizedAccessMessage('POST'), $response);
    $this
      ->setUpAuthorization('POST');

    // DX: 400 when no request body.
    $response = $this
      ->request('POST', $url, $request_options);
    $this
      ->assertResourceErrorResponse(400, 'No entity content received.', $response);
    $request_options[RequestOptions::BODY] = $unparseable_request_body;

    // DX: 400 when unparseable request body.
    $response = $this
      ->request('POST', $url, $request_options);
    $this
      ->assertResourceErrorResponse(400, 'Syntax error', $response);
    $request_options[RequestOptions::BODY] = $parseable_invalid_request_body;

    // DX: 422 when invalid entity: multiple values sent for single-value field.
    $response = $this
      ->request('POST', $url, $request_options);
    if ($label_field = $this->entity
      ->getEntityType()
      ->hasKey('label') ? $this->entity
      ->getEntityType()
      ->getKey('label') : static::$labelFieldName) {
      $label_field_capitalized = $this->entity
        ->getFieldDefinition($label_field)
        ->getLabel();
      $this
        ->assertResourceErrorResponse(422, "Unprocessable Entity: validation failed.\n{$label_field}: {$label_field_capitalized}: this field cannot hold more than 1 values.\n", $response);
    }
    $request_options[RequestOptions::BODY] = $parseable_invalid_request_body_2;

    // DX: 422 when invalid entity: UUID field too long.
    // @todo Fix this in https://www.drupal.org/node/2149851.
    if ($this->entity
      ->getEntityType()
      ->hasKey('uuid')) {
      $response = $this
        ->request('POST', $url, $request_options);
      $this
        ->assertResourceErrorResponse(422, "Unprocessable Entity: validation failed.\nuuid.0.value: UUID: may not be longer than 128 characters.\n", $response);
    }
    $request_options[RequestOptions::BODY] = $parseable_invalid_request_body_3;

    // DX: 403 when entity contains field without 'edit' access.
    $response = $this
      ->request('POST', $url, $request_options);
    $this
      ->assertResourceErrorResponse(403, "Access denied on creating field 'field_rest_test'.", $response);
    $request_options[RequestOptions::BODY] = $parseable_valid_request_body;

    // Before sending a well-formed request, allow the normalization and
    // authentication provider edge cases to also be tested.
    $this
      ->assertNormalizationEdgeCases('POST', $url, $request_options);
    $this
      ->assertAuthenticationEdgeCases('POST', $url, $request_options);
    $request_options[RequestOptions::HEADERS]['Content-Type'] = 'text/xml';

    // DX: 415 when request body in existing but not allowed format.
    $response = $this
      ->request('POST', $url, $request_options);
    $this
      ->assertResourceErrorResponse(415, 'No route found that matches "Content-Type: text/xml"', $response);
    $request_options[RequestOptions::HEADERS]['Content-Type'] = static::$mimeType;

    // 201 for well-formed request.
    $response = $this
      ->request('POST', $url, $request_options);
    $this
      ->assertResourceResponse(201, FALSE, $response);
    if ($has_canonical_url) {
      $location = $this->entityStorage
        ->load(static::$firstCreatedEntityId)
        ->toUrl('canonical')
        ->setAbsolute(TRUE)
        ->toString();
      $this
        ->assertSame([
        $location,
      ], $response
        ->getHeader('Location'));
    }
    else {
      $this
        ->assertSame([], $response
        ->getHeader('Location'));
    }
    $this
      ->assertFalse($response
      ->hasHeader('X-Drupal-Cache'));

    // If the entity is stored, perform extra checks.
    if (get_class($this->entityStorage) !== ContentEntityNullStorage::class) {

      // Assert that the entity was indeed created, and that the response body
      // contains the serialized created entity.
      $created_entity = $this->entityStorage
        ->loadUnchanged(static::$firstCreatedEntityId);
      $created_entity_normalization = $this->serializer
        ->normalize($created_entity, static::$format, [
        'account' => $this->account,
      ]);
      $this
        ->assertSame($created_entity_normalization, $this->serializer
        ->decode((string) $response
        ->getBody(), static::$format));
      $this
        ->assertStoredEntityMatchesSentNormalization($this
        ->getNormalizedPostEntity(), $created_entity);
    }
    if ($this->entity
      ->getEntityType()
      ->getStorageClass() !== ContentEntityNullStorage::class && $this->entity
      ->getEntityType()
      ->hasKey('uuid')) {

      // 500 when creating an entity with a duplicate UUID.
      $normalized_entity = $this
        ->getModifiedEntityForPostTesting();
      $normalized_entity[$created_entity
        ->getEntityType()
        ->getKey('uuid')] = [
        [
          'value' => $created_entity
            ->uuid(),
        ],
      ];
      if ($label_field) {
        $normalized_entity[$label_field] = [
          [
            'value' => $this
              ->randomMachineName(),
          ],
        ];
      }
      $request_options[RequestOptions::BODY] = $this->serializer
        ->encode($normalized_entity, static::$format);
      $response = $this
        ->request('POST', $url, $request_options);
      $this
        ->assertSame(500, $response
        ->getStatusCode());
      $this
        ->assertStringContainsString('Internal Server Error', (string) $response
        ->getBody());

      // 201 when successfully creating an entity with a new UUID.
      $normalized_entity = $this
        ->getModifiedEntityForPostTesting();
      $new_uuid = \Drupal::service('uuid')
        ->generate();
      $normalized_entity[$created_entity
        ->getEntityType()
        ->getKey('uuid')] = [
        [
          'value' => $new_uuid,
        ],
      ];
      if ($label_field) {
        $normalized_entity[$label_field] = [
          [
            'value' => $this
              ->randomMachineName(),
          ],
        ];
      }
      $request_options[RequestOptions::BODY] = $this->serializer
        ->encode($normalized_entity, static::$format);
      $response = $this
        ->request('POST', $url, $request_options);
      $this
        ->assertResourceResponse(201, FALSE, $response);
      $entities = $this->entityStorage
        ->loadByProperties([
        $created_entity
          ->getEntityType()
          ->getKey('uuid') => $new_uuid,
      ]);
      $new_entity = reset($entities);
      $this
        ->assertNotNull($new_entity);
      $new_entity
        ->delete();
    }
  }

  /**
   * Tests a PATCH request for an entity, plus edge cases to ensure good DX.
   */
  public function testPatch() {

    // @todo Remove this in https://www.drupal.org/node/2300677.
    if ($this->entity instanceof ConfigEntityInterface) {
      $this
        ->assertTrue(TRUE, 'PATCHing config entities is not yet supported.');
      return;
    }

    // Patch testing requires that another entity of the same type exists.
    $this->anotherEntity = $this
      ->createAnotherEntity();
    $this
      ->initAuthentication();
    $has_canonical_url = $this->entity
      ->hasLinkTemplate('canonical');

    // Try with all of the following request bodies.
    $unparseable_request_body = '!{>}<';
    $parseable_valid_request_body = $this->serializer
      ->encode($this
      ->getNormalizedPatchEntity(), static::$format);
    $parseable_invalid_request_body = $this->serializer
      ->encode($this
      ->makeNormalizationInvalid($this
      ->getNormalizedPatchEntity(), 'label'), static::$format);
    $parseable_invalid_request_body_2 = $this->serializer
      ->encode($this
      ->getNormalizedPatchEntity() + [
      'field_rest_test' => [
        [
          'value' => $this
            ->randomString(),
        ],
      ],
    ], static::$format);

    // The 'field_rest_test' field does not allow 'view' access, so does not end
    // up in the normalization. Even when we explicitly add it the normalization
    // that we send in the body of a PATCH request, it is considered invalid.
    $parseable_invalid_request_body_3 = $this->serializer
      ->encode($this
      ->getNormalizedPatchEntity() + [
      'field_rest_test' => $this->entity
        ->get('field_rest_test')
        ->getValue(),
    ], static::$format);

    // The URL and Guzzle request options that will be used in this test. The
    // request options will be modified/expanded throughout this test:
    // - to first test all mistakes a developer might make, and assert that the
    //   error responses provide a good DX
    // - to eventually result in a well-formed request that succeeds.
    $url = $this
      ->getEntityResourceUrl();
    $request_options = [];

    // DX: 404 when resource not provisioned, 405 if canonical route. Plain text
    // or HTML response because missing ?_format query string.
    $response = $this
      ->request('PATCH', $url, $request_options);
    if ($has_canonical_url) {
      $this
        ->assertSame(405, $response
        ->getStatusCode());
      $this
        ->assertSame([
        'GET, POST, HEAD',
      ], $response
        ->getHeader('Allow'));
      $this
        ->assertSame([
        'text/html; charset=UTF-8',
      ], $response
        ->getHeader('Content-Type'));
      $this
        ->assertStringContainsString('A client error happened', (string) $response
        ->getBody());
    }
    else {
      $this
        ->assertSame(404, $response
        ->getStatusCode());
      $this
        ->assertSame([
        'text/html; charset=UTF-8',
      ], $response
        ->getHeader('Content-Type'));
    }
    $url
      ->setOption('query', [
      '_format' => static::$format,
    ]);

    // DX: 404 when resource not provisioned, 405 if canonical route.
    $response = $this
      ->request('PATCH', $url, $request_options);
    if ($has_canonical_url) {
      $this
        ->assertResourceErrorResponse(405, 'No route found for "PATCH ' . str_replace($this->baseUrl, '', $this
        ->getEntityResourceUrl()
        ->setAbsolute()
        ->toString()) . '": Method Not Allowed (Allow: GET, POST, HEAD)', $response);
    }
    else {
      $this
        ->assertResourceErrorResponse(404, 'No route found for "PATCH ' . str_replace($this->baseUrl, '', $this
        ->getEntityResourceUrl()
        ->setAbsolute()
        ->toString()) . '"', $response);
    }
    $this
      ->provisionEntityResource();

    // Simulate the developer again forgetting the ?_format query string.
    $url
      ->setOption('query', []);

    // DX: 415 when no Content-Type request header.
    $response = $this
      ->request('PATCH', $url, $request_options);
    $this
      ->assertSame(415, $response
      ->getStatusCode());
    $this
      ->assertSame([
      'text/html; charset=UTF-8',
    ], $response
      ->getHeader('Content-Type'));
    $this
      ->assertStringContainsString('A client error happened', (string) $response
      ->getBody());
    $url
      ->setOption('query', [
      '_format' => static::$format,
    ]);

    // DX: 415 when no Content-Type request header.
    $response = $this
      ->request('PATCH', $url, $request_options);
    $this
      ->assertResourceErrorResponse(415, 'No "Content-Type" request header specified', $response);
    $request_options[RequestOptions::HEADERS]['Content-Type'] = static::$mimeType;
    if (static::$auth) {

      // DX: forgetting authentication: authentication provider-specific error
      // response.
      $response = $this
        ->request('PATCH', $url, $request_options);
      $this
        ->assertResponseWhenMissingAuthentication('PATCH', $response);
    }
    $request_options = NestedArray::mergeDeep($request_options, $this
      ->getAuthenticationRequestOptions('PATCH'));

    // DX: 403 when unauthorized.
    $response = $this
      ->request('PATCH', $url, $request_options);
    $this
      ->assertResourceErrorResponse(403, $this
      ->getExpectedUnauthorizedAccessMessage('PATCH'), $response);
    $this
      ->setUpAuthorization('PATCH');

    // DX: 400 when no request body.
    $response = $this
      ->request('PATCH', $url, $request_options);
    $this
      ->assertResourceErrorResponse(400, 'No entity content received.', $response);
    $request_options[RequestOptions::BODY] = $unparseable_request_body;

    // DX: 400 when unparseable request body.
    $response = $this
      ->request('PATCH', $url, $request_options);
    $this
      ->assertResourceErrorResponse(400, 'Syntax error', $response);
    $request_options[RequestOptions::BODY] = $parseable_invalid_request_body;

    // DX: 422 when invalid entity: multiple values sent for single-value field.
    $response = $this
      ->request('PATCH', $url, $request_options);
    if ($label_field = $this->entity
      ->getEntityType()
      ->hasKey('label') ? $this->entity
      ->getEntityType()
      ->getKey('label') : static::$labelFieldName) {
      $label_field_capitalized = $this->entity
        ->getFieldDefinition($label_field)
        ->getLabel();
      $this
        ->assertResourceErrorResponse(422, "Unprocessable Entity: validation failed.\n{$label_field}: {$label_field_capitalized}: this field cannot hold more than 1 values.\n", $response);
    }
    $request_options[RequestOptions::BODY] = $parseable_invalid_request_body_2;

    // DX: 403 when entity contains field without 'edit' access.
    $response = $this
      ->request('PATCH', $url, $request_options);
    $this
      ->assertResourceErrorResponse(403, "Access denied on updating field 'field_rest_test'.", $response);

    // DX: 403 when entity trying to update an entity's ID field.
    $request_options[RequestOptions::BODY] = $this->serializer
      ->encode($this
      ->makeNormalizationInvalid($this
      ->getNormalizedPatchEntity(), 'id'), static::$format);
    $response = $this
      ->request('PATCH', $url, $request_options);
    $this
      ->assertResourceErrorResponse(403, "Access denied on updating field '{$this->entity->getEntityType()->getKey('id')}'. The entity ID cannot be changed.", $response);
    if ($this->entity
      ->getEntityType()
      ->hasKey('uuid')) {

      // DX: 403 when entity trying to update an entity's UUID field.
      $request_options[RequestOptions::BODY] = $this->serializer
        ->encode($this
        ->makeNormalizationInvalid($this
        ->getNormalizedPatchEntity(), 'uuid'), static::$format);
      $response = $this
        ->request('PATCH', $url, $request_options);
      $this
        ->assertResourceErrorResponse(403, "Access denied on updating field '{$this->entity->getEntityType()->getKey('uuid')}'. The entity UUID cannot be changed.", $response);
    }
    $request_options[RequestOptions::BODY] = $parseable_invalid_request_body_3;

    // DX: 403 when entity contains field without 'edit' nor 'view' access, even
    // when the value for that field matches the current value. This is allowed
    // in principle, but leads to information disclosure.
    $response = $this
      ->request('PATCH', $url, $request_options);
    $this
      ->assertResourceErrorResponse(403, "Access denied on updating field 'field_rest_test'.", $response);

    // DX: 403 when sending PATCH request with updated read-only fields.
    $this
      ->assertPatchProtectedFieldNamesStructure();
    list($modified_entity, $original_values) = static::getModifiedEntityForPatchTesting($this->entity);

    // Send PATCH request by serializing the modified entity, assert the error
    // response, change the modified entity field that caused the error response
    // back to its original value, repeat.
    foreach (static::$patchProtectedFieldNames as $patch_protected_field_name => $reason) {
      $request_options[RequestOptions::BODY] = $this->serializer
        ->serialize($modified_entity, static::$format);
      $response = $this
        ->request('PATCH', $url, $request_options);
      $this
        ->assertResourceErrorResponse(403, "Access denied on updating field '" . $patch_protected_field_name . "'." . ($reason !== NULL ? ' ' . $reason : ''), $response);
      $modified_entity
        ->get($patch_protected_field_name)
        ->setValue($original_values[$patch_protected_field_name]);
    }
    if ($this->entity instanceof FieldableEntityInterface) {

      // Change the rest_test_validation field to prove that then its validation
      // does run.
      $override = [
        'rest_test_validation' => [
          [
            'value' => 'ALWAYS_FAIL',
          ],
        ],
      ];
      $valid_request_body = $override + $this
        ->getNormalizedPatchEntity() + $this->serializer
        ->normalize($modified_entity, static::$format);
      $request_options[RequestOptions::BODY] = $this->serializer
        ->serialize($valid_request_body, static::$format);
      $response = $this
        ->request('PATCH', $url, $request_options);
      $this
        ->assertResourceErrorResponse(422, "Unprocessable Entity: validation failed.\nrest_test_validation: REST test validation failed\n", $response);

      // Set the rest_test_validation field to always fail validation, which
      // allows asserting that not modifying that field does not trigger
      // validation errors.
      $this->entity
        ->set('rest_test_validation', 'ALWAYS_FAIL');
      $this->entity
        ->save();

      // Information disclosure prevented: when a malicious user correctly
      // guesses the current invalid value of a field, ensure a 200 is not sent
      // because this would disclose to the attacker what the current value is.
      // @see rest_test_entity_field_access()
      $response = $this
        ->request('PATCH', $url, $request_options);
      $this
        ->assertResourceErrorResponse(422, "Unprocessable Entity: validation failed.\nrest_test_validation: REST test validation failed\n", $response);

      // All requests after the above one will not include this field (neither
      // its current value nor any other), and therefore all subsequent test
      // assertions should not trigger a validation error.
    }

    // 200 for well-formed PATCH request that sends all fields (even including
    // read-only ones, but with unchanged values).
    $valid_request_body = $this
      ->getNormalizedPatchEntity() + $this->serializer
      ->normalize($this->entity, static::$format);
    $request_options[RequestOptions::BODY] = $this->serializer
      ->serialize($valid_request_body, static::$format);
    $response = $this
      ->request('PATCH', $url, $request_options);
    $this
      ->assertResourceResponse(200, FALSE, $response);
    $request_options[RequestOptions::BODY] = $parseable_valid_request_body;

    // Before sending a well-formed request, allow the normalization and
    // authentication provider edge cases to also be tested.
    $this
      ->assertNormalizationEdgeCases('PATCH', $url, $request_options);
    $this
      ->assertAuthenticationEdgeCases('PATCH', $url, $request_options);
    $request_options[RequestOptions::HEADERS]['Content-Type'] = 'text/xml';

    // DX: 415 when request body in existing but not allowed format.
    $response = $this
      ->request('PATCH', $url, $request_options);
    $this
      ->assertResourceErrorResponse(415, 'No route found that matches "Content-Type: text/xml"', $response);
    $request_options[RequestOptions::HEADERS]['Content-Type'] = static::$mimeType;

    // 200 for well-formed request.
    $response = $this
      ->request('PATCH', $url, $request_options);
    $this
      ->assertResourceResponse(200, FALSE, $response);
    $this
      ->assertFalse($response
      ->hasHeader('X-Drupal-Cache'));

    // Assert that the entity was indeed updated, and that the response body
    // contains the serialized updated entity.
    $updated_entity = $this->entityStorage
      ->loadUnchanged($this->entity
      ->id());
    $updated_entity_normalization = $this->serializer
      ->normalize($updated_entity, static::$format, [
      'account' => $this->account,
    ]);
    $this
      ->assertSame($updated_entity_normalization, $this->serializer
      ->decode((string) $response
      ->getBody(), static::$format));
    $this
      ->assertStoredEntityMatchesSentNormalization($this
      ->getNormalizedPatchEntity(), $updated_entity);

    // Ensure that fields do not get deleted if they're not present in the PATCH
    // request. Test this using the configurable field that we added, but which
    // is not sent in the PATCH request.
    $this
      ->assertSame('All the faith they had had had had no effect on the outcome of their life.', $updated_entity
      ->get('field_rest_test')->value);

    // Multi-value field: remove item 0. Then item 1 becomes item 0.
    $normalization_multi_value_tests = $this
      ->getNormalizedPatchEntity();
    $normalization_multi_value_tests['field_rest_test_multivalue'] = $this->entity
      ->get('field_rest_test_multivalue')
      ->getValue();
    $normalization_remove_item = $normalization_multi_value_tests;
    unset($normalization_remove_item['field_rest_test_multivalue'][0]);
    $request_options[RequestOptions::BODY] = $this->serializer
      ->encode($normalization_remove_item, static::$format);
    $response = $this
      ->request('PATCH', $url, $request_options);
    $this
      ->assertResourceResponse(200, FALSE, $response);
    $this
      ->assertSame([
      0 => [
        'value' => 'Two',
      ],
    ], $this->entityStorage
      ->loadUnchanged($this->entity
      ->id())
      ->get('field_rest_test_multivalue')
      ->getValue());

    // Multi-value field: add one item before the existing one, and one after.
    $normalization_add_items = $normalization_multi_value_tests;
    $normalization_add_items['field_rest_test_multivalue'][2] = [
      'value' => 'Three',
    ];
    $request_options[RequestOptions::BODY] = $this->serializer
      ->encode($normalization_add_items, static::$format);
    $response = $this
      ->request('PATCH', $url, $request_options);
    $this
      ->assertResourceResponse(200, FALSE, $response);
    $this
      ->assertSame([
      0 => [
        'value' => 'One',
      ],
      1 => [
        'value' => 'Two',
      ],
      2 => [
        'value' => 'Three',
      ],
    ], $this->entityStorage
      ->loadUnchanged($this->entity
      ->id())
      ->get('field_rest_test_multivalue')
      ->getValue());
  }

  /**
   * Tests a DELETE request for an entity, plus edge cases to ensure good DX.
   */
  public function testDelete() {

    // @todo Remove this in https://www.drupal.org/node/2300677.
    if ($this->entity instanceof ConfigEntityInterface) {
      $this
        ->assertTrue(TRUE, 'DELETEing config entities is not yet supported.');
      return;
    }
    $this
      ->initAuthentication();
    $has_canonical_url = $this->entity
      ->hasLinkTemplate('canonical');

    // The URL and Guzzle request options that will be used in this test. The
    // request options will be modified/expanded throughout this test:
    // - to first test all mistakes a developer might make, and assert that the
    //   error responses provide a good DX
    // - to eventually result in a well-formed request that succeeds.
    $url = $this
      ->getEntityResourceUrl();
    $request_options = [];

    // DX: 404 when resource not provisioned, but 405 if canonical route. Plain
    // text  or HTML response because missing ?_format query string.
    $response = $this
      ->request('DELETE', $url, $request_options);
    if ($has_canonical_url) {
      $this
        ->assertSame(405, $response
        ->getStatusCode());
      $this
        ->assertSame([
        'GET, POST, HEAD',
      ], $response
        ->getHeader('Allow'));
      $this
        ->assertSame([
        'text/html; charset=UTF-8',
      ], $response
        ->getHeader('Content-Type'));
      $this
        ->assertStringContainsString('A client error happened', (string) $response
        ->getBody());
    }
    else {
      $this
        ->assertSame(404, $response
        ->getStatusCode());
      $this
        ->assertSame([
        'text/html; charset=UTF-8',
      ], $response
        ->getHeader('Content-Type'));
    }
    $url
      ->setOption('query', [
      '_format' => static::$format,
    ]);

    // DX: 404 when resource not provisioned, 405 if canonical route.
    $response = $this
      ->request('DELETE', $url, $request_options);
    if ($has_canonical_url) {
      $this
        ->assertSame([
        'GET, POST, HEAD',
      ], $response
        ->getHeader('Allow'));
      $this
        ->assertResourceErrorResponse(405, 'No route found for "DELETE ' . str_replace($this->baseUrl, '', $this
        ->getEntityResourceUrl()
        ->setAbsolute()
        ->toString()) . '": Method Not Allowed (Allow: GET, POST, HEAD)', $response);
    }
    else {
      $this
        ->assertResourceErrorResponse(404, 'No route found for "DELETE ' . str_replace($this->baseUrl, '', $this
        ->getEntityResourceUrl()
        ->setAbsolute()
        ->toString()) . '"', $response);
    }
    $this
      ->provisionEntityResource();
    if (static::$auth) {

      // DX: forgetting authentication: authentication provider-specific error
      // response.
      $response = $this
        ->request('DELETE', $url, $request_options);
      $this
        ->assertResponseWhenMissingAuthentication('DELETE', $response);
    }
    $request_options = NestedArray::mergeDeep($request_options, $this
      ->getAuthenticationRequestOptions('PATCH'));

    // DX: 403 when unauthorized.
    $response = $this
      ->request('DELETE', $url, $request_options);
    $this
      ->assertResourceErrorResponse(403, $this
      ->getExpectedUnauthorizedAccessMessage('DELETE'), $response);
    $this
      ->setUpAuthorization('DELETE');

    // Before sending a well-formed request, allow the authentication provider's
    // edge cases to also be tested.
    $this
      ->assertAuthenticationEdgeCases('DELETE', $url, $request_options);

    // 204 for well-formed request.
    $response = $this
      ->request('DELETE', $url, $request_options);
    $this
      ->assertResourceResponse(204, '', $response);
  }

  /**
   * {@inheritdoc}
   */
  protected function assertNormalizationEdgeCases($method, Url $url, array $request_options) {

    // \Drupal\serialization\Normalizer\EntityNormalizer::denormalize(): entity
    // types with bundles MUST send their bundle field to be denormalizable.
    $entity_type = $this->entity
      ->getEntityType();
    if ($entity_type
      ->hasKey('bundle')) {
      $bundle_field_name = $this->entity
        ->getEntityType()
        ->getKey('bundle');
      $normalization = $this
        ->getNormalizedPostEntity();

      // The bundle type itself can be validated only if there's a bundle entity
      // type.
      if ($entity_type
        ->getBundleEntityType()) {
        $normalization[$bundle_field_name] = 'bad_bundle_name';
        $request_options[RequestOptions::BODY] = $this->serializer
          ->encode($normalization, static::$format);

        // DX: 422 when incorrect entity type bundle is specified.
        $response = $this
          ->request($method, $url, $request_options);
        $this
          ->assertResourceErrorResponse(422, '"bad_bundle_name" is not a valid bundle type for denormalization.', $response);
      }
      unset($normalization[$bundle_field_name]);
      $request_options[RequestOptions::BODY] = $this->serializer
        ->encode($normalization, static::$format);

      // DX: 422 when no entity type bundle is specified.
      $response = $this
        ->request($method, $url, $request_options);
      $this
        ->assertResourceErrorResponse(422, sprintf('Could not determine entity type bundle: "%s" field is missing.', $bundle_field_name), $response);
    }
  }

  /**
   * Asserts structure of $patchProtectedFieldNames.
   */
  protected function assertPatchProtectedFieldNamesStructure() {
    $is_null_or_string = function ($value) {
      return is_null($value) || is_string($value);
    };
    $this
      ->assertTrue(Inspector::assertAllStrings(array_keys(static::$patchProtectedFieldNames)), 'In Drupal 8.6, the structure of $patchProtectedFieldNames changed. It used to be an array with field names as values. Now those values are the keys, and their values should be either NULL or a string: a string containing the reason for why the field cannot be PATCHed, or NULL otherwise.');
    $this
      ->assertTrue(Inspector::assertAll($is_null_or_string, static::$patchProtectedFieldNames), 'In Drupal 8.6, the structure of $patchProtectedFieldNames changed. It used to be an array with field names as values. Now those values are the keys, and their values should be either NULL or a string: a string containing the reason for why the field cannot be PATCHed, or NULL otherwise.');
  }

  /**
   * Gets an entity resource's GET/PATCH/DELETE URL.
   *
   * @return \Drupal\Core\Url
   *   The URL to GET/PATCH/DELETE.
   */
  protected function getEntityResourceUrl() {
    $has_canonical_url = $this->entity
      ->hasLinkTemplate('canonical');

    // Note that the 'canonical' link relation type must be specified explicitly
    // in the call to ::toUrl(). 'canonical' is the default for
    // \Drupal\Core\Entity\Entity::toUrl(), but ConfigEntityBase overrides this.
    return $has_canonical_url ? $this->entity
      ->toUrl('canonical') : Url::fromUri('base:entity/' . static::$entityTypeId . '/' . $this->entity
      ->id());
  }

  /**
   * Gets an entity resource's POST URL.
   *
   * @return \Drupal\Core\Url
   *   The URL to POST to.
   */
  protected function getEntityResourcePostUrl() {
    $has_create_url = $this->entity
      ->hasLinkTemplate('create');
    return $has_create_url ? Url::fromUri('internal:' . $this->entity
      ->getEntityType()
      ->getLinkTemplate('create')) : Url::fromUri('base:entity/' . static::$entityTypeId);
  }

  /**
   * Clones the given entity and modifies all PATCH-protected fields.
   *
   * @param \Drupal\Core\Entity\EntityInterface $entity
   *   The entity being tested and to modify.
   *
   * @return array
   *   Contains two items:
   *   1. The modified entity object.
   *   2. The original field values, keyed by field name.
   *
   * @internal
   */
  protected static function getModifiedEntityForPatchTesting(EntityInterface $entity) {
    $modified_entity = clone $entity;
    $original_values = [];
    foreach (array_keys(static::$patchProtectedFieldNames) as $field_name) {
      $field = $modified_entity
        ->get($field_name);
      $original_values[$field_name] = $field
        ->getValue();
      switch ($field
        ->getItemDefinition()
        ->getClass()) {
        case EntityReferenceItem::class:

          // EntityReferenceItem::generateSampleValue() picks one of the last 50
          // entities of the supported type & bundle. We don't care if the value
          // is valid, we only care that it's different.
          $field
            ->setValue([
            'target_id' => 99999,
          ]);
          break;
        case BooleanItem::class:

          // BooleanItem::generateSampleValue() picks either 0 or 1. So a 50%
          // chance of not picking a different value.
          $field->value = (int) $field->value === 1 ? '0' : '1';
          break;
        case PathItem::class:

          // PathItem::generateSampleValue() doesn't set a PID, which causes
          // PathItem::postSave() to fail. Keep the PID (and other properties),
          // just modify the alias.
          $field->alias = str_replace(' ', '-', strtolower((new Random())
            ->sentences(3)));
          break;
        default:
          $original_field = clone $field;
          while ($field
            ->equals($original_field)) {
            $field
              ->generateSampleItems();
          }
          break;
      }
    }
    return [
      $modified_entity,
      $original_values,
    ];
  }

  /**
   * Makes the given entity normalization invalid.
   *
   * @param array $normalization
   *   An entity normalization.
   * @param string $entity_key
   *   The entity key whose normalization to make invalid.
   *
   * @return array
   *   The updated entity normalization, now invalid.
   */
  protected function makeNormalizationInvalid(array $normalization, $entity_key) {
    $entity_type = $this->entity
      ->getEntityType();
    switch ($entity_key) {
      case 'label':

        // Add a second label to this entity to make it invalid.
        if ($label_field = $entity_type
          ->hasKey('label') ? $entity_type
          ->getKey('label') : static::$labelFieldName) {
          $normalization[$label_field][1]['value'] = 'Second Title';
        }
        break;
      case 'id':
        $normalization[$entity_type
          ->getKey('id')][0]['value'] = $this->anotherEntity
          ->id();
        break;
      case 'uuid':
        $normalization[$entity_type
          ->getKey('uuid')][0]['value'] = $this->anotherEntity
          ->uuid();
        break;
    }
    return $normalization;
  }

  /**
   * Asserts a 406 response… or in some cases a 403 response, because weirdness.
   *
   * Asserting a 406 response should be easy, but it's not, due to bugs.
   *
   * Drupal returns a 403 response instead of a 406 response when:
   * - there is a canonical route, i.e. one that serves HTML
   * - unless the user is logged in with any non-global authentication provider,
   *   because then they tried to access a route that requires the user to be
   *   authenticated, but they used an authentication provider that is only
   *   accepted for specific routes, and HTML routes never have such specific
   *   authentication providers specified. (By default, only 'cookie' is a
   *   global authentication provider.)
   *
   * @todo Remove this in https://www.drupal.org/node/2805279.
   *
   * @param \Psr\Http\Message\ResponseInterface $response
   *   The response to assert.
   */
  protected function assert406Response(ResponseInterface $response) {
    if ($this->entity
      ->hasLinkTemplate('canonical') && ($this->account && static::$auth !== 'cookie')) {
      $this
        ->assertSame(403, $response
        ->getStatusCode());
    }
    else {

      // This is the desired response.
      $this
        ->assertSame(406, $response
        ->getStatusCode());
      $actual_link_header = $response
        ->getHeader('Link');
      if ($actual_link_header) {
        $this
          ->assertIsArray($actual_link_header);
        $expected_type = explode(';', static::$mimeType)[0];
        $this
          ->assertStringContainsString('?_format=' . static::$format . '>; rel="alternate"; type="' . $expected_type . '"', $actual_link_header[0]);
        $this
          ->assertStringContainsString('?_format=foobar>; rel="alternate"', $actual_link_header[0]);
      }
    }
  }

  /**
   * Asserts that a resource is unavailable: 404, 406 if it has canonical route.
   *
   * @param \Drupal\Core\Url $url
   *   URL to request.
   * @param array $request_options
   *   Request options to apply.
   */
  protected function assertResourceNotAvailable(Url $url, array $request_options) {
    $has_canonical_url = $this->entity
      ->hasLinkTemplate('canonical');
    $response = $this
      ->request('GET', $url, $request_options);
    if (!$has_canonical_url) {
      $this
        ->assertSame(404, $response
        ->getStatusCode());
    }
    else {
      $this
        ->assert406Response($response);
    }
  }

  /**
   * Asserts that the stored entity matches the sent normalization.
   *
   * @param array $sent_normalization
   *   An entity normalization.
   * @param \Drupal\Core\Entity\FieldableEntityInterface $modified_entity
   *   The entity object of the modified (PATCHed or POSTed) entity.
   */
  protected function assertStoredEntityMatchesSentNormalization(array $sent_normalization, FieldableEntityInterface $modified_entity) {
    foreach ($sent_normalization as $field_name => $field_normalization) {

      // Some top-level keys in the normalization may not be fields on the
      // entity (for example '_links' and '_embedded' in the HAL normalization).
      if ($modified_entity
        ->hasField($field_name)) {
        $field_definition = $modified_entity
          ->get($field_name)
          ->getFieldDefinition();
        $property_definitions = $field_definition
          ->getItemDefinition()
          ->getPropertyDefinitions();
        $expected_stored_data = [];

        // Some fields don't have any property definitions, so there's nothing
        // to denormalize.
        if (empty($property_definitions)) {
          $expected_stored_data = $field_normalization;
        }
        else {

          // Denormalize every sent field item property to make it possible to
          // compare against the stored value.
          $denormalization_context = [
            'field_definition' => $field_definition,
          ];
          foreach ($field_normalization as $delta => $expected_field_item_normalization) {
            foreach ($property_definitions as $property_name => $property_definition) {

              // Not every property is required to be sent.
              if (!array_key_exists($property_name, $field_normalization[$delta])) {
                continue;
              }

              // Computed properties are not stored.
              if ($property_definition
                ->isComputed()) {
                continue;
              }
              $property_value = $field_normalization[$delta][$property_name];
              $property_value_class = $property_definitions[$property_name]
                ->getClass();
              $expected_stored_data[$delta][$property_name] = $this->serializer
                ->supportsDenormalization($property_value, $property_value_class, NULL, $denormalization_context) ? $this->serializer
                ->denormalize($property_value, $property_value_class, NULL, $denormalization_context) : $property_value;
            }
          }

          // Fields are stored in the database, when read they are represented
          // as strings in PHP memory.
          $expected_stored_data = static::castToString($expected_stored_data);
        }
        $this
          ->assertEntityArraySubset($expected_stored_data, $modified_entity
          ->get($field_name)
          ->getValue());
      }
    }
  }

  /**
   * Recursively asserts that the expected items are set in the tested entity.
   *
   * A response may include more properties, we only need to ensure that all
   * items in the request exist in the response.
   *
   * @param $expected
   *   An array of expected values, may contain further nested arrays.
   * @param $actual
   *   The object to test.
   */
  protected function assertEntityArraySubset($expected, $actual) {
    foreach ($expected as $key => $value) {
      if (is_array($value)) {
        $this
          ->assertEntityArraySubset($value, $actual[$key]);
      }
      else {
        $this
          ->assertSame($value, $actual[$key]);
      }
    }
  }

}

Classes

Namesort descending Description
EntityResourceTestBase Even though there is the generic EntityResource, it's necessary for every entity type to have its own test, because they each have different fields, validation constraints, et cetera. It's not because the generic case works, that every case…