TYPO3_6-2/_request_hash_service_test_8php_source.html

 <?php
 namespace TYPO3\CMS\Extbase\Tests\Unit\Security\Channel;

 class RequestHashServiceTest extends \TYPO3\CMS\Core\Tests\UnitTestCase {

     public function dataProviderForGenerateRequestHash() {
         return array(
             // Simple cases
             array(
                 array(),
                 array()
             ),
             array(
                 array('field1'),
                 array('field1' => 1)
             ),
             array(
                 array('field1', 'field2'),
                 array(
                     'field1' => 1,
                     'field2' => 1
                 )
             ),
             // recursion
             array(
                 array('field1', 'field[subfield1]', 'field[subfield2]'),
                 array(
                     'field1' => 1,
                     'field' => array(
                         'subfield1' => 1,
                         'subfield2' => 1
                     )
                 )
             ),
             // recursion with duplicated field name
             array(
                 array('field1', 'field[subfield1]', 'field[subfield2]', 'field1'),
                 array(
                     'field1' => 1,
                     'field' => array(
                         'subfield1' => 1,
                         'subfield2' => 1
                     )
                 )
             ),
             // Recursion with un-named fields at the end (...[]). There, they should be made explicit by increasing the counter
             array(
                 array('field1', 'field[subfield1][]', 'field[subfield1][]', 'field[subfield2]'),
                 array(
                     'field1' => 1,
                     'field' => array(
                         'subfield1' => array(
                             0 => 1,
                             1 => 1
                         ),
                         'subfield2' => 1
                     )
                 )
             )
         );
     }

     public function dataProviderForGenerateRequestHashWithUnallowedValues() {
         return array(
             // Overriding form fields (string overridden by array)
             array(
                 array('field1', 'field2', 'field2[bla]', 'field2[blubb]')
             ),
             array(
                 array('field1', 'field2[bla]', 'field2[bla][blubb][blubb]')
             ),
             // Overriding form fields (array overridden by string)
             array(
                 array('field1', 'field2[bla]', 'field2[blubb]', 'field2')
             ),
             array(
                 array('field1', 'field2[bla][blubb][blubb]', 'field2[bla]')
             ),
             // Empty [] not as last argument
             array(
                 array('field1', 'field2[][bla]')
             )
         );
     }

     public function generateRequestHashGeneratesTheCorrectHashesInNormalOperation($input, $expected) {
         $requestHashService = $this->getMock('TYPO3\\CMS\\Extbase\\Security\\Channel\\RequestHashService', array('serializeAndHashFormFieldArray'));
         $requestHashService->expects($this->once())->method('serializeAndHashFormFieldArray')->with($expected);
         $requestHashService->generateRequestHash($input);
     }

     public function generateRequestHashThrowsExceptionInWrongCases($input) {
         $requestHashService = $this->getMock('TYPO3\\CMS\\Extbase\\Security\\Channel\\RequestHashService', array('serializeAndHashFormFieldArray'));
         $requestHashService->generateRequestHash($input);
     }

     public function serializeAndHashFormFieldArrayWorks() {
         $formFieldArray = array(
             'bla' => array(
                 'blubb' => 1,
                 'hu' => 1
             )
         );
         $mockHash = '12345';
         $hashService = $this->getAccessibleMock('TYPO3\\CMS\\Extbase\\Security\\Cryptography\\HashService', array('generateHmac'));
         $hashService->expects($this->once())->method('generateHmac')->with(serialize($formFieldArray))->will($this->returnValue($mockHash));
         $requestHashService = $this->getAccessibleMock('TYPO3\\CMS\\Extbase\\Security\\Channel\\RequestHashService', array('dummy'));
         $requestHashService->_set('hashService', $hashService);
         $expected = serialize($formFieldArray) . $mockHash;
         $actual = $requestHashService->_call('serializeAndHashFormFieldArray', $formFieldArray);
         $this->assertEquals($expected, $actual);
     }

     public function verifyRequestHashSetsHmacVerifiedToFalseIfRequestDoesNotHaveAnHmacArgument() {
         $request = $this->getAccessibleMock('TYPO3\\CMS\\Extbase\\Mvc\\Web\\Request', array('getInternalArgument', 'setHmacVerified'));
         $request->expects($this->any())->method('getInternalArgument')->with('__hmac')->will($this->returnValue(FALSE));
         $request->expects($this->once())->method('setHmacVerified')->with(FALSE);
         $requestHashService = new \TYPO3\CMS\Extbase\Security\Channel\RequestHashService();
         $requestHashService->verifyRequest($request);
     }

     public function verifyRequestHashThrowsExceptionIfHmacIsShortherThan40Characters() {
         $request = $this->getAccessibleMock('TYPO3\\CMS\\Extbase\\Mvc\\Web\\Request', array('getInternalArgument', 'setHmacVerified'));
         $request->expects($this->any())->method('getInternalArgument')->with('__hmac')->will($this->returnValue('abc'));
         $requestHashService = new \TYPO3\CMS\Extbase\Security\Channel\RequestHashService();
         $requestHashService->verifyRequest($request);
     }

     public function verifyRequestHashValidatesTheHashAndSetsHmacVerifiedToFalseIfHashCouldNotBeVerified() {
         $request = $this->getAccessibleMock('TYPO3\\CMS\\Extbase\\Mvc\\Web\\Request', array('getInternalArgument', 'setHmacVerified'));
         $request->expects($this->any())->method('getInternalArgument')->with('__hmac')->will($this->returnValue('11111' . '0000000000000000000000000000000000000000'));
         $request->expects($this->once())->method('setHmacVerified')->with(FALSE);
         $hashService = $this->getMock('TYPO3\\CMS\\Extbase\\Security\\Cryptography\\HashService', array('validateHmac'));
         $hashService->expects($this->once())->method('validateHmac')->with('11111', '0000000000000000000000000000000000000000')->will($this->returnValue(FALSE));
         $requestHashService = $this->getAccessibleMock('TYPO3\\CMS\\Extbase\\Security\\Channel\\RequestHashService', array('dummy'));
         $requestHashService->_set('hashService', $hashService);
         $requestHashService->verifyRequest($request);
     }

     public function verifyRequestHashValidatesTheHashAndSetsHmacVerifiedToTrueIfArgumentsAreIncludedInTheAllowedArgumentList() {
         $data = serialize(array('a' => 1));
         $request = $this->getAccessibleMock('TYPO3\\CMS\\Extbase\\Mvc\\Web\\Request', array('getInternalArgument', 'getArguments', 'setHmacVerified'));
         $request->expects($this->any())->method('getInternalArgument')->with('__hmac')->will($this->returnValue($data . '0000000000000000000000000000000000000000'));
         $request->expects($this->once())->method('getArguments')->will($this->returnValue(array(
             '__hmac' => 'ABC',
             '__referrer' => '...',
             'a' => 'bla'
         )));
         $request->expects($this->once())->method('setHmacVerified')->with(TRUE);
         $hashService = $this->getMock('TYPO3\\CMS\\Extbase\\Security\\Cryptography\\HashService', array('validateHmac'));
         $hashService->expects($this->once())->method('validateHmac')->with($data, '0000000000000000000000000000000000000000')->will($this->returnValue(TRUE));
         $requestHashService = $this->getAccessibleMock('TYPO3\\CMS\\Extbase\\Security\\Channel\\RequestHashService', array('checkFieldNameInclusion'));
         $requestHashService->expects($this->once())->method('checkFieldNameInclusion')->with(array('a' => 'bla'), array('a' => 1))->will($this->returnValue(TRUE));
         $requestHashService->_set('hashService', $hashService);
         $requestHashService->verifyRequest($request);
     }

     public function verifyRequestHashValidatesTheHashAndSetsHmacVerifiedToFalseIfNotAllArgumentsAreIncludedInTheAllowedArgumentList() {
         $data = serialize(array('a' => 1));
         $request = $this->getAccessibleMock('TYPO3\\CMS\\Extbase\\Mvc\\Web\\Request', array('getInternalArgument', 'getArguments', 'setHmacVerified'));
         $request->expects($this->any())->method('getInternalArgument')->with('__hmac')->will($this->returnValue($data . '0000000000000000000000000000000000000000'));
         $request->expects($this->once())->method('getArguments')->will($this->returnValue(array(
             '__hmac' => 'ABC',
             '__referrer' => '...',
             'a' => 'bla',
             'b' => 'blubb'
         )));
         $request->expects($this->once())->method('setHmacVerified')->with(FALSE);
         $hashService = $this->getMock('TYPO3\\CMS\\Extbase\\Security\\Cryptography\\HashService', array('validateHmac'));
         $hashService->expects($this->once())->method('validateHmac')->with($data, '0000000000000000000000000000000000000000')->will($this->returnValue(TRUE));
         $requestHashService = $this->getAccessibleMock('TYPO3\\CMS\\Extbase\\Security\\Channel\\RequestHashService', array('checkFieldNameInclusion'));
         $requestHashService->expects($this->once())->method('checkFieldNameInclusion')->with(array('a' => 'bla', 'b' => 'blubb'), array('a' => 1))->will($this->returnValue(FALSE));
         $requestHashService->_set('hashService', $hashService);
         $requestHashService->verifyRequest($request);
     }

     public function dataProviderForCheckFieldNameInclusion() {
         return array(
             // Simple fields with requestfields = responsefields
             array(
                 // Request
                 array(
                     'a' => 'X',
                     'b' => 'X',
                     'c' => 'X'
                 ),
                 // Allowed
                 array(
                     'a' => 1,
                     'b' => 1,
                     'c' => 1
                 ),
                 // Expected result
                 TRUE
             ),
             // Simple fields with requestfields < responsefields
             array(
                 // Request
                 array(
                     'a' => 'X',
                     'c' => 'X'
                 ),
                 // Allowed
                 array(
                     'a' => 1,
                     'b' => 1,
                     'c' => 1
                 ),
                 // Expected result
                 TRUE
             ),
             // Simple fields with requestfields > responsefields
             array(
                 // Request
                 array(
                     'a' => 'X',
                     'b' => 'X',
                     'c' => 'X'
                 ),
                 // Allowed
                 array(
                     'a' => 1,
                     'b' => 1
                 ),
                 // Expected result
                 FALSE
             ),
             // Hierarchical fields with requestfields < responsefields
             array(
                 // Request
                 array(
                     'a' => array(
                         'b' => 'X'
                     ),
                     'c' => 'X'
                 ),
                 // Allowed
                 array(
                     'a' => array(
                         'b' => 1,
                         'abc' => 1
                     ),
                     'c' => 1
                 ),
                 // Expected result
                 TRUE
             ),
             // Hierarchical fields with requestfields > responsefields
             array(
                 // Request
                 array(
                     'a' => array(
                         'b' => 'X',
                         'abc' => 'X'
                     ),
                     'c' => 'X'
                 ),
                 // Allowed
                 array(
                     'a' => array(
                         'b' => 1
                     ),
                     'c' => 1
                 ),
                 // Expected result
                 FALSE
             ),
             // hierarchical fields with requestfields != responsefields (different types) - 1
             array(
                 // Request
                 array(
                     'a' => array(
                         'b' => 'X',
                         'c' => 'X'
                     ),
                     'b' => 'X',
                     'c' => 'X'
                 ),
                 // Allowed
                 array(
                     'a' => 1,
                     'b' => 1,
                     'c' => 1
                 ),
                 // Expected result
                 FALSE
             ),
             // hierarchical fields with requestfields != responsefields (different types) - 2
             array(
                 // Request
                 array(
                     'a' => 'X',
                     'b' => 'X',
                     'c' => 'X'
                 ),
                 // Allowed
                 array(
                     'a' => array(
                         'x' => 1,
                         'y' => 1
                     ),
                     'b' => 1,
                     'c' => 1
                 ),
                 // Expected result
                 FALSE
             ),
             // hierarchical fields with requestfields != responsefields (different types)
             // This case happens if an array of checkboxes is rendered, in case they are fully unchecked.
             array(
                 // Request
                 array(
                     'a' => '',
                     // this is the only allowed value.
                     'b' => 'X',
                     'c' => 'X'
                 ),
                 // Allowed
                 array(
                     'a' => array(
                         'x' => 1,
                         'y' => 1
                     ),
                     'b' => 1,
                     'c' => 1
                 ),
                 // Expected result
                 TRUE
             )
         );
     }

     public function checkFieldNameInclusionWorks($requestArguments, $allowedFields, $expectedResult) {
         $requestHashService = $this->getAccessibleMock('TYPO3\\CMS\\Extbase\\Security\\Channel\\RequestHashService', array('dummy'));
         $this->assertEquals($expectedResult, $requestHashService->_call('checkFieldNameInclusion', $requestArguments, $allowedFields));
     }
 }
TYPO3\CMS\Extbase\Tests\Unit\Security\Channel
Definition: RequestHashServiceTest.php:2

TYPO3\CMS\Extbase\Tests\Unit\Security\Channel\RequestHashServiceTest\verifyRequestHashValidatesTheHashAndSetsHmacVerifiedToTrueIfArgumentsAreIncludedInTheAllowedArgumentList
verifyRequestHashValidatesTheHashAndSetsHmacVerifiedToTrueIfArgumentsAreIncludedInTheAllowedArgumentList()
Definition: RequestHashServiceTest.php:199

TYPO3\CMS\Extbase\Tests\Unit\Security\Channel\RequestHashServiceTest\checkFieldNameInclusionWorks
checkFieldNameInclusionWorks($requestArguments, $allowedFields, $expectedResult)
Definition: RequestHashServiceTest.php:409

TYPO3\CMS\Extbase\Tests\Unit\Security\Channel\RequestHashServiceTest\verifyRequestHashValidatesTheHashAndSetsHmacVerifiedToFalseIfNotAllArgumentsAreIncludedInTheAllowedArgumentList
verifyRequestHashValidatesTheHashAndSetsHmacVerifiedToFalseIfNotAllArgumentsAreIncludedInTheAllowedArgumentList()
Definition: RequestHashServiceTest.php:221

TYPO3\CMS\Extbase\Tests\Unit\Security\Channel\RequestHashServiceTest\dataProviderForCheckFieldNameInclusion
dataProviderForCheckFieldNameInclusion()
Definition: RequestHashServiceTest.php:245

TYPO3\CMS\Extbase\Tests\Unit\Security\Channel\RequestHashServiceTest\verifyRequestHashSetsHmacVerifiedToFalseIfRequestDoesNotHaveAnHmacArgument
verifyRequestHashSetsHmacVerifiedToFalseIfRequestDoesNotHaveAnHmacArgument()
Definition: RequestHashServiceTest.php:160

TYPO3\CMS\Core\Tests\BaseTestCase\getAccessibleMock
getAccessibleMock( $originalClassName, array $methods=array(), array $arguments=array(), $mockClassName='', $callOriginalConstructor=TRUE, $callOriginalClone=TRUE, $callAutoload=TRUE)
Definition: BaseTestCase.php:56

TYPO3\CMS\Extbase\Tests\Unit\Security\Channel\RequestHashServiceTest\serializeAndHashFormFieldArrayWorks
serializeAndHashFormFieldArrayWorks()
Definition: RequestHashServiceTest.php:139

TYPO3\CMS\Extbase\Tests\Unit\Security\Channel\RequestHashServiceTest
Definition: RequestHashServiceTest.php:20

TYPO3\CMS\Extbase\Tests\Unit\Security\Channel\RequestHashServiceTest\dataProviderForGenerateRequestHashWithUnallowedValues
dataProviderForGenerateRequestHashWithUnallowedValues()
Definition: RequestHashServiceTest.php:87

TYPO3\CMS\Extbase\Tests\Unit\Security\Channel\RequestHashServiceTest\generateRequestHashThrowsExceptionInWrongCases
generateRequestHashThrowsExceptionInWrongCases($input)
Definition: RequestHashServiceTest.php:130

TYPO3\CMS\Extbase\Tests\Unit\Security\Channel\RequestHashServiceTest\verifyRequestHashValidatesTheHashAndSetsHmacVerifiedToFalseIfHashCouldNotBeVerified
verifyRequestHashValidatesTheHashAndSetsHmacVerifiedToFalseIfHashCouldNotBeVerified()
Definition: RequestHashServiceTest.php:184

TYPO3\CMS\Extbase\Tests\Unit\Security\Channel\RequestHashServiceTest\verifyRequestHashThrowsExceptionIfHmacIsShortherThan40Characters
verifyRequestHashThrowsExceptionIfHmacIsShortherThan40Characters()
Definition: RequestHashServiceTest.php:173

TYPO3\CMS\Core\Tests\UnitTestCase
Definition: UnitTestCase.php:26

TYPO3\CMS\Extbase\Tests\Unit\Security\Channel\RequestHashServiceTest\dataProviderForGenerateRequestHash
dataProviderForGenerateRequestHash()
Definition: RequestHashServiceTest.php:25

TYPO3\CMS\Extbase\Tests\Unit\Security\Channel\RequestHashServiceTest\generateRequestHashGeneratesTheCorrectHashesInNormalOperation
generateRequestHashGeneratesTheCorrectHashesInNormalOperation($input, $expected)
Definition: RequestHashServiceTest.php:117