<?php
namespace Drupal\Tests\jwt\Functional;
use Drupal\file\Entity\File;
use Drupal\file\FileInterface;
use Drupal\jwt\JsonWebToken\JsonWebToken;
use Drupal\Tests\BrowserTestBase;
use Drupal\Core\Url;
use Drupal\Tests\file\Functional\FileFieldCreationTrait;
use Drupal\Tests\TestFileCreationTrait;
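/**
 * Tests that JWT path authentication only grants access within the path claim.
 *
 * Covers the admin configuration form for allowed path prefixes, private file
 * downloads and the file REST resource, with tokens whose 'path' claim does and
 * does not cover the requested path, and a token whose user has been blocked.
 *
 * @group jwt
 */
class JwtPathAuthTest extends BrowserTestBase {

  use FileFieldCreationTrait;
  use TestFileCreationTrait;

  /**
   * Modules to enable.
   *
   * @var array
   */
  protected static $modules = [
    'file',
    'rest',
    'key',
    'jwt',
    'jwt_path_auth',
    'jwt_auth_consumer',
    'jwt_test',
  ];

  /**
   * {@inheritdoc}
   */
  protected $defaultTheme = 'stark';

  /**
   * A user allowed to administer JWT settings and access content.
   *
   * Also the subject of every path-auth token created in this test.
   *
   * @var \Drupal\user\UserInterface
   */
  protected $adminUser;

  /**
   * {@inheritdoc}
   *
   * Creates the admin user and exposes the file entity over REST (GET, json)
   * with both the 'cookie' and 'jwt_path_auth' authentication providers so the
   * REST path can be requested anonymously with a token.
   */
  protected function setUp() {
    parent::setUp();

    $this->adminUser = $this->drupalCreateUser([
      'administer jwt',
      'access content',
    ]);

    $resource_config = [
      'id' => 'entity.file',
      'plugin_id' => 'entity:file',
      'granularity' => 'resource',
      'configuration' => [
        'authentication' => [
          'cookie',
          'jwt_path_auth',
        ],
        'methods' => [
          'GET',
        ],
        'formats' => [
          'json',
        ],
      ],
    ];
    $storage = $this->container
      ->get('entity_type.manager')
      ->getStorage('rest_resource_config');
    $storage->create($resource_config)->save();

    // The 'rest.entity.file.GET' route only exists after a router rebuild.
    $this->container->get('router.builder')->rebuild();
  }

  /**
   * Tests configuration validation and path-scoped token access.
   *
   * Scenarios, in order:
   * - The config form rejects a prefix that does not start with a slash and
   *   trims/normalises line endings on valid input.
   * - The admin user can fetch a private file and its REST representation.
   * - Once logged out, the file download is 403 without a token, 200 with a
   *   token whose path claim is '/', and 403 with a token scoped to '/foo/'.
   * - The REST resource is 403 without a token or with the '/foo/' token, and
   *   200 with a token scoped under '/entity/'.
   * - Blocking the token's user turns the previously successful REST request
   *   into a 403, i.e. the account is re-checked on every request.
   */
  public function testPathAdmin() {
    $this->drupalLogin($this->adminUser);
    $this->drupalGet(Url::fromRoute('jwt_path_auth.config_form'));

    // A prefix without a leading slash must be rejected by validation.
    $edit = [
      'allowed_path_prefixes' => "/system/files/\nzzz",
    ];
    $this->drupalPostForm(NULL, $edit, 'Save configuration');
    $this->assertText('Paths must start with a slash.');

    // Windows line endings and trailing whitespace are normalised away.
    $edit = [
      'allowed_path_prefixes' => "/system/files/\r\n/foo/zzz/ \r\n/entity/file/",
    ];
    $this->drupalPostForm(NULL, $edit, 'Save configuration');
    $expected = [
      '/system/files/',
      '/foo/zzz/',
      '/entity/file/',
    ];
    $this->assertSame($expected, $this->config('jwt_path_auth.config')->get('allowed_path_prefixes'));

    // Create a private file owned by the admin user and confirm the logged-in
    // admin can read it both as a download and over REST.
    $file_system = $this->container->get('file_system');
    $file = $this->createPrivateFile('drupal.txt', $this->adminUser->id(), 0);
    $this->assertFileExists($file_system->realpath($file->getFileUri()));

    $this->drupalGet($file->createFileUrl());
    $this->assertResponse(200);
    $this->assertText($this->getFileContent($file));

    $file_rest_url = $this->fileRestUrl($file, ['_format' => 'json']);
    $this->drupalGet($file_rest_url);
    $this->assertResponse(200);

    // Anonymous access to the private file is denied without a token.
    $this->drupalLogout();
    $this->drupalGet($file->createFileUrl());
    $this->assertResponse(403);

    $base_url = $this->container->get('router.request_context')->getBaseUrl();
    $this->assertSame('private://drupal.txt', $file->getFileUri());

    // A token whose path claim is '/' covers the file download path.
    $token = $this->createPathAuthToken('/');
    $this->drupalGet($file->createFileUrl(), ['query' => ['jwt' => $token]]);
    $this->assertResponse(200);
    $this->assertText($this->getFileContent($file));

    // A token scoped to an unrelated path must not grant the download.
    $token = $this->createPathAuthToken($base_url . '/foo/');
    $this->drupalGet($file->createFileUrl(), ['query' => ['jwt' => $token]]);
    $this->assertResponse(403);

    // The REST resource is denied both without a token and with the token
    // scoped to '/foo/'.
    $file_rest_url = $this->fileRestUrl($file, ['_format' => 'json']);
    $this->drupalGet($file_rest_url);
    $this->assertResponse(403);

    $file_rest_url = $this->fileRestUrl($file, ['_format' => 'json', 'jwt' => $token]);
    $this->drupalGet($file_rest_url);
    $this->assertResponse(403);

    // A token scoped under '/entity/' grants the REST representation.
    $token = $this->createPathAuthToken($base_url . '/entity/');
    $file_rest_url = $this->fileRestUrl($file, ['_format' => 'json', 'jwt' => $token]);
    $this->drupalGet($file_rest_url);
    $this->assertResponse(200);

    $json = $this->getSession()->getPage()->getContent();
    $data = json_decode($json, TRUE);
    $this->assertNotNull($data, 'The REST response is valid JSON.');
    $this->assertEquals($file->uuid(), $data['uuid'][0]['value']);

    // Blocking the account behind a still-valid token must revoke access.
    $this->adminUser->block();
    $this->adminUser->save();
    $this->drupalGet($file_rest_url);
    $this->assertResponse(403);
  }

  /**
   * Builds and encodes a path-auth JWT for the admin user.
   *
   * @param string $path
   *   Value of the 'drupal.path_auth.path' claim: the path the token is
   *   meant to authorise (the assertions in testPathAdmin() exercise which
   *   requests each value covers).
   *
   * @return string
   *   The encoded token, as passed in the 'jwt' query parameter.
   */
  protected function createPathAuthToken($path) {
    $jwt = new JsonWebToken();
    $jwt->setClaim(['drupal', 'path_auth', 'uid'], $this->adminUser->id());
    $jwt->setClaim(['drupal', 'path_auth', 'path'], $path);
    return $this->container->get('jwt.transcoder')->encode($jwt);
  }

  /**
   * Builds the URL of the file entity's REST GET resource.
   *
   * @param \Drupal\file\FileInterface $file
   *   The file entity.
   * @param array $query
   *   Query parameters to append, e.g. '_format' and 'jwt'.
   *
   * @return \Drupal\Core\Url
   *   The route URL for 'rest.entity.file.GET'.
   */
  protected function fileRestUrl(FileInterface $file, array $query = []) {
    return Url::fromRoute('rest.entity.file.GET', [
      'file' => $file->id(),
    ], ['query' => $query]);
  }

  /**
   * Creates a file entity in the private file system with known content.
   *
   * @param string $file_name
   *   The file name; the URI becomes "private://$file_name".
   * @param int $uid
   *   Owner user ID.
   * @param int $status
   *   File status flag; the test passes 0 for a temporary file.
   *
   * @return \Drupal\file\FileInterface
   *   The saved file entity.
   */
  protected function createPrivateFile($file_name, $uid = 1, $status = FILE_STATUS_PERMANENT) {
    $file = File::create([
      'uid' => $uid,
      'filename' => $file_name,
      'uri' => "private://{$file_name}",
      'filemime' => 'text/plain',
      'status' => $status,
    ]);
    // Fail here rather than later with a confusing 404/403 if the private
    // file system is not writable.
    $written = file_put_contents($file->getFileUri(), $this->getFileContent($file));
    $this->assertNotFalse($written, 'The private file content was written.');
    $file->save();
    return $file;
  }

  /**
   * Returns the content written to, and expected from, a test file.
   *
   * @param \Drupal\file\FileInterface $file
   *   The file entity.
   *
   * @return string
   *   A string unique to the file (it embeds the file label and UUID).
   */
  protected function getFileContent(FileInterface $file) {
    return "The content in {$file->label()} {$file->uuid()}";
  }

}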