View source
<?php
namespace Drupal\Tests\jsonapi\Functional;
use Drupal\Component\Render\PlainTextOutput;
use Drupal\Component\Serialization\Json;
use Drupal\Component\Utility\NestedArray;
use Drupal\Core\Field\FieldStorageDefinitionInterface;
use Drupal\Core\Url;
use Drupal\entity_test\Entity\EntityTest;
use Drupal\field\Entity\FieldConfig;
use Drupal\field\Entity\FieldStorageConfig;
use Drupal\file\Entity\File;
use Drupal\user\Entity\User;
use GuzzleHttp\RequestOptions;
use Psr\Http\Message\ResponseInterface;
class FileUploadTest extends ResourceTestBase {
public static $modules = [
'entity_test',
'file',
];
protected static $entityTypeId = 'entity_test';
protected static $resourceTypeName = 'entity_test--entity_test';
protected static $postUri = '/jsonapi/entity_test/entity_test/field_rest_file_test';
protected $testFileData = 'Hares sit on chairs, and mules sit on stools.';
protected $fieldStorage;
protected $field;
protected $entity;
protected $file;
protected $user;
protected $fileStorage;
public function setUp() {
parent::setUp();
$this->fileStorage = $this->container
->get('entity_type.manager')
->getStorage('file');
$this->fieldStorage = FieldStorageConfig::create([
'entity_type' => 'entity_test',
'field_name' => 'field_rest_file_test',
'type' => 'file',
'settings' => [
'uri_scheme' => 'public',
],
])
->setCardinality(FieldStorageDefinitionInterface::CARDINALITY_UNLIMITED);
$this->fieldStorage
->save();
$this->field = FieldConfig::create([
'entity_type' => 'entity_test',
'field_name' => 'field_rest_file_test',
'bundle' => 'entity_test',
'settings' => [
'file_directory' => 'foobar',
'file_extensions' => 'txt',
'max_filesize' => '',
],
])
->setLabel('Test file field')
->setTranslatable(FALSE);
$this->field
->save();
$this->entity = $this->entityStorage
->loadUnchanged($this->entity
->id());
$this
->rebuildAll();
}
public function testGetIndividual() {
}
public function testPostIndividual() {
}
public function testPatchIndividual() {
}
public function testDeleteIndividual() {
}
public function testCollection() {
}
public function testRelationships() {
}
protected function createEntity() {
$entity_test = EntityTest::create([
'name' => 'Llama',
'type' => 'entity_test',
]);
$entity_test
->setOwnerId($this->account
->id());
$entity_test
->save();
return $entity_test;
}
public function testPostFileUpload() {
$uri = Url::fromUri('base:' . static::$postUri);
$response = $this
->fileRequest($uri, $this->testFileData);
$this
->assertResourceErrorResponse(405, sprintf("JSON:API is configured to accept only read operations. Site administrators can configure this at %s.", Url::fromUri('base:/admin/config/services/jsonapi')
->setAbsolute()
->toString(TRUE)
->getGeneratedUrl()), $uri, $response);
$this
->assertSame([
'GET',
], $response
->getHeader('Allow'));
$this
->config('jsonapi.settings')
->set('read_only', FALSE)
->save(TRUE);
$response = $this
->fileRequest($uri, $this->testFileData);
$this
->assertResourceErrorResponse(403, $this
->getExpectedUnauthorizedAccessMessage('POST'), $uri, $response);
$this
->setUpAuthorization('POST');
$invalid_uri = Url::fromUri('base:' . static::$postUri . '_invalid');
$response = $this
->fileRequest($invalid_uri, $this->testFileData);
$this
->assertResourceErrorResponse(404, 'Field "field_rest_file_test_invalid" does not exist.', $invalid_uri, $response);
$response = $this
->fileRequest($uri, $this->testFileData);
$this
->assertSame(201, $response
->getStatusCode());
$expected = $this
->getExpectedDocument();
$this
->assertResponseData($expected, $response);
$this
->assertSame($this->testFileData, file_get_contents('public://foobar/example.txt'));
$response = $this
->fileRequest($uri, $this->testFileData, [
'Content-Disposition' => 'filename="example.txt"',
]);
$this
->assertSame(201, $response
->getStatusCode());
$expected = $this
->getExpectedDocument(2, 'example_0.txt');
$this
->assertResponseData($expected, $response);
$this
->assertSame($this->testFileData, file_get_contents('public://foobar/example_0.txt'));
$this
->assertTrue($this->fileStorage
->loadUnchanged(1)
->isTemporary());
$entity_test_post_url = Url::fromRoute('jsonapi.entity_test--entity_test.collection.post');
$request_options = [];
$request_options[RequestOptions::HEADERS]['Content-Type'] = 'application/vnd.api+json';
$request_options = NestedArray::mergeDeep($request_options, $this
->getAuthenticationRequestOptions());
$request_options[RequestOptions::BODY] = Json::encode($this
->getPostDocument());
$response = $this
->request('POST', $entity_test_post_url, $request_options);
$this
->assertResourceResponse(201, FALSE, $response);
$this
->assertTrue($this->fileStorage
->loadUnchanged(1)
->isPermanent());
$this
->assertSame([
[
'target_id' => '1',
'display' => NULL,
'description' => "The most fascinating file ever!",
],
], EntityTest::load(2)
->get('field_rest_file_test')
->getValue());
}
public function testPostFileUploadAndUseInSingleRequest() {
mkdir('public://foobar');
file_put_contents('public://foobar/existing.txt', $this->testFileData);
$existing_file = File::create([
'uri' => 'public://foobar/existing.txt',
]);
$existing_file
->setOwnerId($this->account
->id());
$existing_file
->setPermanent();
$existing_file
->save();
$this->entity
->set('field_rest_file_test', [
'target_id' => $existing_file
->id(),
])
->save();
$uri = Url::fromUri('base:' . '/jsonapi/entity_test/entity_test/' . $this->entity
->uuid() . '/field_rest_file_test');
$response = $this
->fileRequest($uri, $this->testFileData);
$this
->assertResourceErrorResponse(405, sprintf("JSON:API is configured to accept only read operations. Site administrators can configure this at %s.", Url::fromUri('base:/admin/config/services/jsonapi')
->setAbsolute()
->toString(TRUE)
->getGeneratedUrl()), $uri, $response);
$this
->assertSame([
'GET',
], $response
->getHeader('Allow'));
$this
->config('jsonapi.settings')
->set('read_only', FALSE)
->save(TRUE);
$response = $this
->fileRequest($uri, $this->testFileData);
$this
->assertResourceErrorResponse(403, $this
->getExpectedUnauthorizedAccessMessage('PATCH'), $uri, $response);
$this
->setUpAuthorization('PATCH');
$invalid_uri = Url::fromUri($uri
->getUri() . '_invalid');
$response = $this
->fileRequest($invalid_uri, $this->testFileData);
$this
->assertResourceErrorResponse(404, 'Field "field_rest_file_test_invalid" does not exist.', $invalid_uri, $response);
$response = $this
->fileRequest($uri, $this->testFileData);
$this
->assertResourceErrorResponse(403, $this
->getExpectedUnauthorizedAccessMessage('GET'), $uri, $response, FALSE, [
'4xx-response',
'http_response',
], [
'url.site',
'user.permissions',
]);
$this
->setUpAuthorization('GET');
$response = $this
->fileRequest($uri, $this->testFileData);
$this
->assertSame(200, $response
->getStatusCode());
$expected = [
'jsonapi' => [
'meta' => [
'links' => [
'self' => [
'href' => 'http://jsonapi.org/format/1.0/',
],
],
],
'version' => '1.0',
],
'links' => [
'self' => [
'href' => Url::fromUri('base:/jsonapi/entity_test/entity_test/' . $this->entity
->uuid() . '/field_rest_file_test')
->setAbsolute(TRUE)
->toString(),
],
],
'data' => [
0 => $this
->getExpectedDocument(1, 'existing.txt', TRUE, TRUE)['data'],
1 => $this
->getExpectedDocument(2, 'example.txt', TRUE, TRUE)['data'],
2 => $this
->getExpectedDocument(3, 'example_0.txt', FALSE, TRUE)['data'],
],
];
$this
->assertResponseData($expected, $response);
$request_options = [];
$request_options[RequestOptions::HEADERS]['Content-Type'] = 'application/vnd.api+json';
$request_options = NestedArray::mergeDeep($request_options, $this
->getAuthenticationRequestOptions());
$response = $this
->request('GET', $uri, $request_options);
$this
->assertSame(200, $response
->getStatusCode());
$this
->assertResponseData($expected, $response);
$this
->assertSame($this->testFileData, file_get_contents('public://foobar/example.txt'));
$this
->assertSame($this->testFileData, file_get_contents('public://foobar/example_0.txt'));
}
protected function getPostDocument() {
return [
'data' => [
'type' => 'entity_test--entity_test',
'attributes' => [
'name' => 'Dramallama',
],
'relationships' => [
'field_rest_file_test' => [
'data' => [
'id' => File::load(1)
->uuid(),
'meta' => [
'description' => 'The most fascinating file ever!',
],
'type' => 'file--file',
],
],
],
],
];
}
public function testPostFileUploadInvalidHeaders() {
$this
->setUpAuthorization('POST');
$this
->config('jsonapi.settings')
->set('read_only', FALSE)
->save(TRUE);
$uri = Url::fromUri('base:' . static::$postUri);
$response = $this
->fileRequest($uri, $this->testFileData, [
'Content-Type' => 'application/vnd.api+json',
]);
$this
->assertSame(415, $response
->getStatusCode());
$response = $this
->fileRequest($uri, $this->testFileData, [
'Content-Disposition' => FALSE,
]);
$this
->assertResourceErrorResponse(400, '"Content-Disposition" header is required. A file name in the format "filename=FILENAME" must be provided.', $uri, $response);
$response = $this
->fileRequest($uri, $this->testFileData, [
'Content-Disposition' => 'file; filename=""',
]);
$this
->assertResourceErrorResponse(400, 'No filename found in "Content-Disposition" header. A file name in the format "filename=FILENAME" must be provided.', $uri, $response);
$response = $this
->fileRequest($uri, $this->testFileData, [
'Content-Disposition' => 'filename=""',
]);
$this
->assertResourceErrorResponse(400, 'No filename found in "Content-Disposition" header. A file name in the format "filename=FILENAME" must be provided.', $uri, $response);
$response = $this
->fileRequest($uri, $this->testFileData, [
'Content-Disposition' => 'not_a_filename="example.txt"',
]);
$this
->assertResourceErrorResponse(400, 'No filename found in "Content-Disposition" header. A file name in the format "filename=FILENAME" must be provided.', $uri, $response);
$response = $this
->fileRequest($uri, $this->testFileData, [
'Content-Disposition' => 'filename*="UTF-8 \' \' example.txt"',
]);
$this
->assertResourceErrorResponse(400, 'The extended "filename*" format is currently not supported in the "Content-Disposition" header.', $uri, $response);
}
public function testPostFileUploadDuplicateFile() {
$this
->setUpAuthorization('POST');
$this
->config('jsonapi.settings')
->set('read_only', FALSE)
->save(TRUE);
$uri = Url::fromUri('base:' . static::$postUri);
$response = $this
->fileRequest($uri, $this->testFileData);
$this
->assertSame(201, $response
->getStatusCode());
$response = $this
->fileRequest($uri, $this->testFileData);
$this
->assertSame(201, $response
->getStatusCode());
$expected = $this
->getExpectedDocument(2, 'example_0.txt');
$this
->assertResponseData($expected, $response);
$this
->assertSame($this->testFileData, file_get_contents('public://foobar/example_0.txt'));
}
public function testFileUploadStrippedFilePath() {
$this
->setUpAuthorization('POST');
$this
->config('jsonapi.settings')
->set('read_only', FALSE)
->save(TRUE);
$uri = Url::fromUri('base:' . static::$postUri);
$response = $this
->fileRequest($uri, $this->testFileData, [
'Content-Disposition' => 'file; filename="directory/example.txt"',
]);
$this
->assertSame(201, $response
->getStatusCode());
$expected = $this
->getExpectedDocument();
$this
->assertResponseData($expected, $response);
$this
->assertSame($this->testFileData, file_get_contents('public://foobar/example.txt'));
$response = $this
->fileRequest($uri, $this->testFileData, [
'Content-Disposition' => 'file; filename="../../example_2.txt"',
]);
$this
->assertSame(201, $response
->getStatusCode());
$expected = $this
->getExpectedDocument(2, 'example_2.txt', TRUE);
$this
->assertResponseData($expected, $response);
$this
->assertSame($this->testFileData, file_get_contents('public://foobar/example_2.txt'));
$this
->assertFalse(file_exists('../../example_2.txt'));
$this->field
->setSetting('file_extensions', '')
->save();
$this
->rebuildAll();
$response = $this
->fileRequest($uri, $this->testFileData, [
'Content-Disposition' => 'file; filename="/etc/passwd"',
]);
$this
->assertSame(201, $response
->getStatusCode());
$expected = $this
->getExpectedDocument(3, 'passwd', TRUE);
$expected['data']['attributes']['filemime'] = 'application/octet-stream';
$this
->assertResponseData($expected, $response);
$this
->assertSame($this->testFileData, file_get_contents('public://foobar/passwd'));
}
public function testFileUploadUnicodeFilename() {
$this
->setUpAuthorization('POST');
$this
->config('jsonapi.settings')
->set('read_only', FALSE)
->save(TRUE);
$uri = Url::fromUri('base:' . static::$postUri);
$response = $this
->fileRequest($uri, $this->testFileData, [
'Content-Disposition' => 'file; filename="Èxample-✓.txt"',
]);
$this
->assertSame(201, $response
->getStatusCode());
$expected = $this
->getExpectedDocument(1, 'Èxample-✓.txt', TRUE);
$this
->assertResponseData($expected, $response);
$this
->assertSame($this->testFileData, file_get_contents('public://foobar/Èxample-✓.txt'));
}
public function testFileUploadZeroByteFile() {
$this
->setUpAuthorization('POST');
$this
->config('jsonapi.settings')
->set('read_only', FALSE)
->save(TRUE);
$uri = Url::fromUri('base:' . static::$postUri);
$response = $this
->fileRequest($uri, NULL);
$this
->assertSame(201, $response
->getStatusCode());
$expected = $this
->getExpectedDocument();
$expected['data']['attributes']['filesize'] = 0;
$this
->assertResponseData($expected, $response);
$this
->assertSame('', file_get_contents('public://foobar/example.txt'));
}
public function testFileUploadInvalidFileType() {
$this
->setUpAuthorization('POST');
$this
->config('jsonapi.settings')
->set('read_only', FALSE)
->save(TRUE);
$uri = Url::fromUri('base:' . static::$postUri);
$response = $this
->fileRequest($uri, '{"test":123}', [
'Content-Disposition' => 'filename="example.json"',
]);
$this
->assertResourceErrorResponse(422, PlainTextOutput::renderFromHtml("Unprocessable Entity: file validation failed.\nOnly files with the following extensions are allowed: <em class=\"placeholder\">txt</em>."), $uri, $response);
$this
->assertEmpty(File::load(1));
$this
->assertFalse(file_exists('public://foobar/example.txt'));
}
public function testFileUploadLargerFileSize() {
$this->field
->setSetting('max_filesize', 50)
->save();
$this
->rebuildAll();
$this
->setUpAuthorization('POST');
$this
->config('jsonapi.settings')
->set('read_only', FALSE)
->save(TRUE);
$uri = Url::fromUri('base:' . static::$postUri);
$response = $this
->fileRequest($uri, $this
->randomString(100));
$this
->assertResourceErrorResponse(422, PlainTextOutput::renderFromHtml("Unprocessable Entity: file validation failed.\nThe file is <em class=\"placeholder\">100 bytes</em> exceeding the maximum file size of <em class=\"placeholder\">50 bytes</em>."), $uri, $response);
$this
->assertEmpty(File::load(1));
$this
->assertFalse(file_exists('public://foobar/example.txt'));
}
public function testFileUploadMaliciousExtension() {
$this->field
->setSetting('file_extensions', '')
->save();
$this
->rebuildAll();
$this
->setUpAuthorization('POST');
$this
->config('jsonapi.settings')
->set('read_only', FALSE)
->save(TRUE);
$uri = Url::fromUri('base:' . static::$postUri);
$php_string = '<?php print "Drupal"; ?>';
$response = $this
->fileRequest($uri, $php_string, [
'Content-Disposition' => 'filename="example.php"',
]);
$expected = $this
->getExpectedDocument(1, 'example.php.txt', TRUE);
$expected['data']['attributes']['filesize'] = strlen($php_string);
$this
->assertResponseData($expected, $response);
$this
->assertTrue(file_exists('public://foobar/example.php.txt'));
$this->field
->setSetting('file_extensions', 'php')
->save();
$this
->rebuildAll();
$response = $this
->fileRequest($uri, $php_string, [
'Content-Disposition' => 'filename="example_2.php"',
]);
$expected = $this
->getExpectedDocument(2, 'example_2.php.txt', TRUE);
$expected['data']['attributes']['filesize'] = strlen($php_string);
$this
->assertResponseData($expected, $response);
$this
->assertTrue(file_exists('public://foobar/example_2.php.txt'));
$this
->assertFalse(file_exists('public://foobar/example_2.php'));
$this->field
->setSetting('file_extensions', 'doc')
->save();
$this
->rebuildAll();
$response = $this
->fileRequest($uri, $php_string, [
'Content-Disposition' => 'filename="example_3.php.doc"',
]);
$expected = $this
->getExpectedDocument(3, 'example_3.php_.doc', TRUE);
$expected['data']['attributes']['filesize'] = strlen($php_string);
$expected['data']['attributes']['filemime'] = 'application/msword';
$this
->assertResponseData($expected, $response);
$this
->assertTrue(file_exists('public://foobar/example_3.php_.doc'));
$this
->assertFalse(file_exists('public://foobar/example_3.php.doc'));
\Drupal::configFactory()
->getEditable('system.file')
->set('allow_insecure_uploads', TRUE)
->save();
$this->field
->setSetting('file_extensions', '')
->save();
$this
->rebuildAll();
$response = $this
->fileRequest($uri, $php_string, [
'Content-Disposition' => 'filename="example_4.php"',
]);
$expected = $this
->getExpectedDocument(4, 'example_4.php', TRUE);
$expected['data']['attributes']['filesize'] = strlen($php_string);
$expected['data']['attributes']['filemime'] = 'application/x-httpd-php';
$this
->assertResponseData($expected, $response);
$this
->assertTrue(file_exists('public://foobar/example_4.php'));
}
public function testFileUploadNoExtensionSetting() {
$this
->setUpAuthorization('POST');
$this
->config('jsonapi.settings')
->set('read_only', FALSE)
->save(TRUE);
$uri = Url::fromUri('base:' . static::$postUri);
$this->field
->setSetting('file_extensions', '')
->save();
$this
->rebuildAll();
$response = $this
->fileRequest($uri, $this->testFileData, [
'Content-Disposition' => 'filename="example.txt"',
]);
$expected = $this
->getExpectedDocument(1, 'example.txt', TRUE);
$this
->assertResponseData($expected, $response);
$this
->assertTrue(file_exists('public://foobar/example.txt'));
}
protected function getExpectedUnauthorizedAccessMessage($method) {
switch ($method) {
case 'GET':
return "The current user is not allowed to view this relationship. The 'view test entity' permission is required.";
case 'POST':
return "The current user is not permitted to upload a file for this field. The following permissions are required: 'administer entity_test content' OR 'administer entity_test_with_bundle content' OR 'create entity_test entity_test_with_bundle entities'.";
case 'PATCH':
return "The current user is not permitted to upload a file for this field. The 'administer entity_test content' permission is required.";
}
}
protected function getExpectedDocument($fid = 1, $expected_filename = 'example.txt', $expected_as_filename = FALSE, $expected_status = FALSE) {
$author = User::load($this->account
->id());
$file = File::load($fid);
$self_url = Url::fromUri('base:/jsonapi/file/file/' . $file
->uuid())
->setAbsolute()
->toString(TRUE)
->getGeneratedUrl();
return [
'jsonapi' => [
'meta' => [
'links' => [
'self' => [
'href' => 'http://jsonapi.org/format/1.0/',
],
],
],
'version' => '1.0',
],
'links' => [
'self' => [
'href' => $self_url,
],
],
'data' => [
'id' => $file
->uuid(),
'type' => 'file--file',
'links' => [
'self' => [
'href' => $self_url,
],
],
'attributes' => [
'created' => (new \DateTime())
->setTimestamp($file
->getCreatedTime())
->setTimezone(new \DateTimeZone('UTC'))
->format(\DateTime::RFC3339),
'changed' => (new \DateTime())
->setTimestamp($file
->getChangedTime())
->setTimezone(new \DateTimeZone('UTC'))
->format(\DateTime::RFC3339),
'filemime' => 'text/plain',
'filename' => $expected_as_filename ? $expected_filename : 'example.txt',
'filesize' => strlen($this->testFileData),
'langcode' => 'en',
'status' => $expected_status,
'uri' => [
'value' => 'public://foobar/' . $expected_filename,
'url' => base_path() . $this->siteDirectory . '/files/foobar/' . rawurlencode($expected_filename),
],
'drupal_internal__fid' => (int) $file
->id(),
],
'relationships' => [
'uid' => [
'data' => [
'id' => $author
->uuid(),
'type' => 'user--user',
],
'links' => [
'related' => [
'href' => $self_url . '/uid',
],
'self' => [
'href' => $self_url . '/relationships/uid',
],
],
],
],
],
];
}
protected function fileRequest(Url $url, $file_contents, array $headers = []) {
$request_options = [];
$headers = $headers + [
'Content-Type' => 'application/octet-stream',
'Content-Disposition' => 'file; filename="example.txt"',
'Accept' => 'application/vnd.api+json',
];
$request_options[RequestOptions::HEADERS] = array_filter($headers, function ($value) {
return $value !== FALSE;
});
$request_options[RequestOptions::BODY] = $file_contents;
$request_options = NestedArray::mergeDeep($request_options, $this
->getAuthenticationRequestOptions());
return $this
->request('POST', $url, $request_options);
}
protected function setUpAuthorization($method) {
switch ($method) {
case 'GET':
$this
->grantPermissionsToTestedRole([
'view test entity',
]);
break;
case 'POST':
$this
->grantPermissionsToTestedRole([
'create entity_test entity_test_with_bundle entities',
'access content',
]);
break;
case 'PATCH':
$this
->grantPermissionsToTestedRole([
'administer entity_test content',
'access content',
]);
break;
}
}
protected function assertResponseData(array $expected, ResponseInterface $response) {
static::recursiveKSort($expected);
$actual = Json::decode((string) $response
->getBody());
static::recursiveKSort($actual);
$this
->assertSame($expected, $actual);
}
protected function getExpectedUnauthorizedAccessCacheability() {
}
}