MvcPropertyMappingConfigurationServiceTest.php

Go to the documentation of this file.

<?php
 
declare(strict_types=1);
 
/*
 * This file is part of the TYPO3 CMS project.
 *
 * It is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License, either version 2
 * of the License, or any later version.
 *
 * For the full copyright and license information, please read the
 * LICENSE.txt file that was distributed with this source code.
 *
 * The TYPO3 project - inspiring people to share!
 */
 
namespace ‪TYPO3\CMS\Extbase\Tests\Unit\Mvc\Controller;
 
use ‪TYPO3\CMS\Core\Error\Http\BadRequestException;
use ‪TYPO3\CMS\Extbase\Mvc\Controller\Argument;
use ‪TYPO3\CMS\Extbase\Mvc\Controller\Arguments;
use ‪TYPO3\CMS\Extbase\Mvc\Controller\MvcPropertyMappingConfiguration;
use ‪TYPO3\CMS\Extbase\Mvc\Controller\MvcPropertyMappingConfigurationService;
use ‪TYPO3\CMS\Extbase\Mvc\Request;
use ‪TYPO3\CMS\Extbase\Property\TypeConverter\PersistentObjectConverter;
use ‪TYPO3\CMS\Extbase\Security\Cryptography\HashService;
use ‪TYPO3\CMS\Extbase\Security\Exception\InvalidArgumentForHashGenerationException;
use TYPO3\TestingFramework\Core\Unit\UnitTestCase;
 
class ‪MvcPropertyMappingConfigurationServiceTest extends UnitTestCase
{
    public function ‪dataProviderForGenerateTrustedPropertiesToken(): array
    {
        return [
            'Simple Case - Empty' => [
                [],
                [],
            ],
            'Simple Case - Single Value' => [
                ['field1'],
                ['field1' => 1],
            ],
            'Simple Case - Two Values' => [
                ['field1', 'field2'],
                [
                    'field1' => 1,
                    'field2' => 1,
                ],
            ],
            'Recursion' => [
                ['field1', 'field[subfield1]', 'field[subfield2]'],
                [
                    'field1' => 1,
                    'field' => [
                        'subfield1' => 1,
                        'subfield2' => 1,
                    ],
                ],
            ],
            'recursion with duplicated field name' => [
                ['field1', 'field[subfield1]', 'field[subfield2]', 'field1'],
                [
                    'field1' => 1,
                    'field' => [
                        'subfield1' => 1,
                        'subfield2' => 1,
                    ],
                ],
            ],
            'Recursion with un-named fields at the end (...[]). There, they should be made explicit by increasing the counter' => [
                ['field1', 'field[subfield1][]', 'field[subfield1][]', 'field[subfield2]'],
                [
                    'field1' => 1,
                    'field' => [
                        'subfield1' => [
                            0 => 1,
                            1 => 1,
                        ],
                        'subfield2' => 1,
                    ],
                ],
            ],
        ];
    }
 
    public function ‪dataProviderForGenerateTrustedPropertiesTokenWithUnallowedValues(): array
    {
        return [
            'Overriding form fields (string overridden by array) - 1' => [
                ['field1', 'field2', 'field2[bla]', 'field2[blubb]'],
                1255072196,
            ],
            'Overriding form fields (string overridden by array) - 2' => [
                ['field1', 'field2[bla]', 'field2[bla][blubb][blubb]'],
                1255072196,
            ],
            'Overriding form fields (array overridden by string) - 1' => [
                ['field1', 'field2[bla]', 'field2[blubb]', 'field2'],
                1255072587,
            ],
            'Overriding form fields (array overridden by string) - 2' => [
                ['field1', 'field2[bla][blubb][blubb]', 'field2[bla]'],
                1255072587,
            ],
            'Empty [] not as last argument' => [
                ['field1', 'field2[][bla]'],
                1255072832,
            ],
 
        ];
    }
 
    public function ‪generateTrustedPropertiesTokenGeneratesTheCorrectHashesInNormalOperation($input, $expected): void
    {
        $requestHashService = $this->getMockBuilder(MvcPropertyMappingConfigurationService::class)
            ->onlyMethods(['serializeAndHashFormFieldArray'])
            ->getMock();
        $requestHashService->expects(self::once())->method('serializeAndHashFormFieldArray')->with($expected);
        $requestHashService->generateTrustedPropertiesToken($input);
    }
 
    public function ‪generateTrustedPropertiesTokenThrowsExceptionInWrongCases(array $input, int $expectExceptionCode): void
    {
        $this->expectException(InvalidArgumentForHashGenerationException::class);
        $this->expectExceptionCode($expectExceptionCode);
        $requestHashService = $this->getMockBuilder(MvcPropertyMappingConfigurationService::class)
            ->onlyMethods(['serializeAndHashFormFieldArray'])
            ->getMock();
        $requestHashService->generateTrustedPropertiesToken($input);
    }
 
    public function ‪serializeAndHashFormFieldArrayWorks(): void
    {
        $formFieldArray = [
            'bla' => [
                'blubb' => 1,
                'hu' => 1,
            ],
        ];
        $mockHash = '12345';
 
        $hashService = $this->getMockBuilder(HashService::class)
            ->onlyMethods(['appendHmac'])
            ->getMock();
        $hashService->expects(self::once())->method('appendHmac')->with(json_encode($formFieldArray))->willReturn(json_encode($formFieldArray) . $mockHash);
 
        $requestHashService = $this->getAccessibleMock(MvcPropertyMappingConfigurationService::class, ['dummy']);
        $requestHashService->injectHashService($hashService);
 
        $expected = json_encode($formFieldArray) . $mockHash;
        $actual = $requestHashService->_call('serializeAndHashFormFieldArray', $formFieldArray);
        self::assertEquals($expected, $actual);
    }
 
    public function ‪initializePropertyMappingConfigurationDoesNothingIfTrustedPropertiesAreNotSet(): void
    {
        $request = $this->getMockBuilder(Request::class)->onlyMethods(['getInternalArgument'])->disableOriginalConstructor()->getMock();
        $request->method('getInternalArgument')->with('__trustedProperties')->willReturn(null);
        $arguments = new ‪Arguments();
 
        $requestHashService = new ‪MvcPropertyMappingConfigurationService();
        $requestHashService->initializePropertyMappingConfigurationFromRequest($request, $arguments);
    }
 
    public function ‪initializePropertyMappingConfigurationThrowsBadRequestExceptionOnInvalidHmac(): void
    {
        $this->expectException(BadRequestException::class);
        $this->expectExceptionCode(1581862822);
 
        $request = $this->getMockBuilder(Request::class)->onlyMethods(['getInternalArgument'])->disableOriginalConstructor()->getMock();
        $request->method('getInternalArgument')->with('__trustedProperties')->willReturn('string with less than 40 characters');
        $arguments = new ‪Arguments();
 
        $hashService = new ‪HashService();
        $requestHashService = new ‪MvcPropertyMappingConfigurationService();
        $requestHashService->injectHashService($hashService);
        $requestHashService->initializePropertyMappingConfigurationFromRequest($request, $arguments);
    }
 
    public function ‪initializePropertyMappingConfigurationWithNonDecodableTrustedPropertiesThrowsException(): void
    {
        ‪$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] = 'bar';
        $hashService = new ‪HashService();
        $request = $this->getMockBuilder(Request::class)->onlyMethods(['getInternalArgument'])->disableOriginalConstructor()->getMock();
        $request->method('getInternalArgument')->with('__trustedProperties')->willReturn('garbage' . $hashService->generateHmac('garbage'));
        $arguments = new ‪Arguments();
 
        $arguments = new ‪Arguments();
        $requestHashService = new ‪MvcPropertyMappingConfigurationService();
        $requestHashService->injectHashService($hashService);
 
        $this->expectException(BadRequestException::class);
        $this->expectExceptionMessage('The HMAC of the form could not be utilized.');
        $this->expectExceptionCode(1691267306);
 
        $requestHashService->initializePropertyMappingConfigurationFromRequest($request, $arguments);
    }
 
    public function ‪initializePropertyMappingConfigurationWithOutdatedTrustedPropertiesThrowsException(): void
    {
        $hashService = new ‪HashService();
        ‪$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] = 'bar';
        $request = $this->getMockBuilder(Request::class)->onlyMethods(['getInternalArgument'])->disableOriginalConstructor()->getMock();
        $request->method('getInternalArgument')->with('__trustedProperties')->willReturn('a:1:{s:3:"foo";s:3:"bar";}' . $hashService->generateHmac('a:1:{s:3:"foo";s:3:"bar";}'));
 
        $arguments = new ‪Arguments();
        $requestHashService = new ‪MvcPropertyMappingConfigurationService();
        $requestHashService->injectHashService($hashService);
 
        $this->expectException(BadRequestException::class);
        $this->expectExceptionMessage('Trusted properties used outdated serialization format instead of json.');
        $this->expectExceptionCode(1699604555);
 
        $requestHashService->initializePropertyMappingConfigurationFromRequest($request, $arguments);
    }
 
    public function ‪initializePropertyMappingConfigurationReturnsEarlyIfNoTrustedPropertiesAreSet(): void
    {
        $trustedProperties = [
            'foo' => 1,
        ];
        $this->‪initializePropertyMappingConfiguration($trustedProperties);
    }
 
    public function ‪initializePropertyMappingConfigurationReturnsEarlyIfArgumentIsUnknown(): void
    {
        $trustedProperties = [
            'nonExistingArgument' => 1,
        ];
        $arguments = $this->‪initializePropertyMappingConfiguration($trustedProperties);
        self::assertFalse($arguments->hasArgument('nonExistingArgument'));
    }
 
    public function ‪initializePropertyMappingConfigurationSetsModificationAllowedIfIdentityPropertyIsSet(): void
    {
        $trustedProperties = [
            'foo' => [
                '__identity' => 1,
                'nested' => [
                    '__identity' => 1,
                ],
            ],
        ];
        $arguments = $this->‪initializePropertyMappingConfiguration($trustedProperties);
        $propertyMappingConfiguration = $arguments->getArgument('foo')->getPropertyMappingConfiguration();
        self::assertTrue($propertyMappingConfiguration->getConfigurationValue(PersistentObjectConverter::class, ‪PersistentObjectConverter::CONFIGURATION_MODIFICATION_ALLOWED), 'ConfigurationValue is not CONFIGURATION_MODIFICATION_ALLOWED at line ' . __LINE__);
        self::assertNull($propertyMappingConfiguration->getConfigurationValue(PersistentObjectConverter::class, ‪PersistentObjectConverter::CONFIGURATION_CREATION_ALLOWED), 'ConfigurationValue is not NULL at line ' . __LINE__);
        self::assertFalse($propertyMappingConfiguration->shouldMap('someProperty'), 'Value is not FALSE at line ' . __LINE__);
 
        self::assertTrue($propertyMappingConfiguration->forProperty('nested')->getConfigurationValue(PersistentObjectConverter::class, ‪PersistentObjectConverter::CONFIGURATION_MODIFICATION_ALLOWED), 'ConfigurationValue is not CONFIGURATION_MODIFICATION_ALLOWED at line ' . __LINE__);
        self::assertNull($propertyMappingConfiguration->forProperty('nested')->getConfigurationValue(PersistentObjectConverter::class, ‪PersistentObjectConverter::CONFIGURATION_CREATION_ALLOWED), 'ConfigurationValue is not NULL at line ' . __LINE__);
        self::assertFalse($propertyMappingConfiguration->forProperty('nested')->shouldMap('someProperty'), 'Value is not FALSE at line ' . __LINE__);
    }
 
    public function ‪initializePropertyMappingConfigurationSetsCreationAllowedIfIdentityPropertyIsNotSet(): void
    {
        $trustedProperties = [
            'foo' => [
                'bar' => [],
            ],
        ];
        $arguments = $this->‪initializePropertyMappingConfiguration($trustedProperties);
        $propertyMappingConfiguration = $arguments->getArgument('foo')->getPropertyMappingConfiguration();
        self::assertNull($propertyMappingConfiguration->getConfigurationValue(PersistentObjectConverter::class, ‪PersistentObjectConverter::CONFIGURATION_MODIFICATION_ALLOWED));
        self::assertTrue($propertyMappingConfiguration->getConfigurationValue(PersistentObjectConverter::class, ‪PersistentObjectConverter::CONFIGURATION_CREATION_ALLOWED));
        self::assertFalse($propertyMappingConfiguration->shouldMap('someProperty'));
 
        self::assertNull($propertyMappingConfiguration->forProperty('bar')->getConfigurationValue(PersistentObjectConverter::class, ‪PersistentObjectConverter::CONFIGURATION_MODIFICATION_ALLOWED));
        self::assertTrue($propertyMappingConfiguration->forProperty('bar')->getConfigurationValue(PersistentObjectConverter::class, ‪PersistentObjectConverter::CONFIGURATION_CREATION_ALLOWED));
        self::assertFalse($propertyMappingConfiguration->forProperty('bar')->shouldMap('someProperty'));
    }
 
    public function ‪initializePropertyMappingConfigurationSetsAllowedFields(): void
    {
        $trustedProperties = [
            'foo' => [
                'bar' => 1,
            ],
        ];
        $arguments = $this->‪initializePropertyMappingConfiguration($trustedProperties);
        $propertyMappingConfiguration = $arguments->getArgument('foo')->getPropertyMappingConfiguration();
        self::assertFalse($propertyMappingConfiguration->shouldMap('someProperty'));
        self::assertTrue($propertyMappingConfiguration->shouldMap('bar'));
    }
 
    public function ‪initializePropertyMappingConfigurationSetsAllowedFieldsRecursively(): void
    {
        $trustedProperties = [
            'foo' => [
                'bar' => [
                    'foo' => 1,
                ],
            ],
        ];
        $arguments = $this->‪initializePropertyMappingConfiguration($trustedProperties);
        $propertyMappingConfiguration = $arguments->getArgument('foo')->getPropertyMappingConfiguration();
        self::assertFalse($propertyMappingConfiguration->shouldMap('someProperty'));
        self::assertTrue($propertyMappingConfiguration->shouldMap('bar'));
        self::assertTrue($propertyMappingConfiguration->forProperty('bar')->shouldMap('foo'));
    }
 
    protected function ‪initializePropertyMappingConfiguration(array $trustedProperties): ‪Arguments
    {
        $request = $this->getMockBuilder(Request::class)->onlyMethods(['getInternalArgument'])->disableOriginalConstructor()->getMock();
        $request->method('getInternalArgument')->with('__trustedProperties')->willReturn('fooTrustedProperties');
 
        $mockHashService = $this->getMockBuilder(HashService::class)
            ->onlyMethods(['validateAndStripHmac'])
            ->getMock();
        $mockHashService->expects(self::once())->method('validateAndStripHmac')->with('fooTrustedProperties')->willReturn(json_encode($trustedProperties));
 
        $requestHashService = $this->getAccessibleMock(MvcPropertyMappingConfigurationService::class, ['dummy']);
        $requestHashService->_set('hashService', $mockHashService);
 
        $mockArgument = $this->getAccessibleMock(Argument::class, ['getName'], [], '', false);
 
        $propertyMappingConfiguration = new ‪MvcPropertyMappingConfiguration();
 
        $mockArgument->_set('propertyMappingConfiguration', $propertyMappingConfiguration);
        $mockArgument->method('getName')->willReturn('foo');
 
        $arguments = $this->getAccessibleMock(Arguments::class, ['dummy']);
        $arguments->addNewArgument('foo');
 
        $requestHashService->initializePropertyMappingConfigurationFromRequest($request, $arguments);
 
        return $arguments;
    }
}