TYPO3 CMS  TYPO3_6-2
RequestHashServiceTest.php
Go to the documentation of this file.
1 <?php
2 namespace TYPO3\CMS\Extbase\Tests\Unit\Security\Channel;
3 
20 class RequestHashServiceTest extends \TYPO3\CMS\Core\Tests\UnitTestCase {
21 
25  public function dataProviderForGenerateRequestHash() {
26  return array(
27  // Simple cases
28  array(
29  array(),
30  array()
31  ),
32  array(
33  array('field1'),
34  array('field1' => 1)
35  ),
36  array(
37  array('field1', 'field2'),
38  array(
39  'field1' => 1,
40  'field2' => 1
41  )
42  ),
43  // recursion
44  array(
45  array('field1', 'field[subfield1]', 'field[subfield2]'),
46  array(
47  'field1' => 1,
48  'field' => array(
49  'subfield1' => 1,
50  'subfield2' => 1
51  )
52  )
53  ),
54  // recursion with duplicated field name
55  array(
56  array('field1', 'field[subfield1]', 'field[subfield2]', 'field1'),
57  array(
58  'field1' => 1,
59  'field' => array(
60  'subfield1' => 1,
61  'subfield2' => 1
62  )
63  )
64  ),
65  // Recursion with un-named fields at the end (...[]). There, they should be made explicit by increasing the counter
66  array(
67  array('field1', 'field[subfield1][]', 'field[subfield1][]', 'field[subfield2]'),
68  array(
69  'field1' => 1,
70  'field' => array(
71  'subfield1' => array(
72  0 => 1,
73  1 => 1
74  ),
75  'subfield2' => 1
76  )
77  )
78  )
79  );
80  }
81 
87  public function dataProviderForGenerateRequestHashWithUnallowedValues() {
88  return array(
89  // Overriding form fields (string overridden by array)
90  array(
91  array('field1', 'field2', 'field2[bla]', 'field2[blubb]')
92  ),
93  array(
94  array('field1', 'field2[bla]', 'field2[bla][blubb][blubb]')
95  ),
96  // Overriding form fields (array overridden by string)
97  array(
98  array('field1', 'field2[bla]', 'field2[blubb]', 'field2')
99  ),
100  array(
101  array('field1', 'field2[bla][blubb][blubb]', 'field2[bla]')
102  ),
103  // Empty [] not as last argument
104  array(
105  array('field1', 'field2[][bla]')
106  )
107  );
108  }
109 
117  public function generateRequestHashGeneratesTheCorrectHashesInNormalOperation($input, $expected) {
118  $requestHashService = $this->getMock('TYPO3\\CMS\\Extbase\\Security\\Channel\\RequestHashService', array('serializeAndHashFormFieldArray'));
119  $requestHashService->expects($this->once())->method('serializeAndHashFormFieldArray')->with($expected);
120  $requestHashService->generateRequestHash($input);
121  }
122 
130  public function generateRequestHashThrowsExceptionInWrongCases($input) {
131  $requestHashService = $this->getMock('TYPO3\\CMS\\Extbase\\Security\\Channel\\RequestHashService', array('serializeAndHashFormFieldArray'));
132  $requestHashService->generateRequestHash($input);
133  }
134 
139  public function serializeAndHashFormFieldArrayWorks() {
140  $formFieldArray = array(
141  'bla' => array(
142  'blubb' => 1,
143  'hu' => 1
144  )
145  );
146  $mockHash = '12345';
147  $hashService = $this->getAccessibleMock('TYPO3\\CMS\\Extbase\\Security\\Cryptography\\HashService', array('generateHmac'));
148  $hashService->expects($this->once())->method('generateHmac')->with(serialize($formFieldArray))->will($this->returnValue($mockHash));
149  $requestHashService = $this->getAccessibleMock('TYPO3\\CMS\\Extbase\\Security\\Channel\\RequestHashService', array('dummy'));
150  $requestHashService->_set('hashService', $hashService);
151  $expected = serialize($formFieldArray) . $mockHash;
152  $actual = $requestHashService->_call('serializeAndHashFormFieldArray', $formFieldArray);
153  $this->assertEquals($expected, $actual);
154  }
155 
160  public function verifyRequestHashSetsHmacVerifiedToFalseIfRequestDoesNotHaveAnHmacArgument() {
161  $request = $this->getAccessibleMock('TYPO3\\CMS\\Extbase\\Mvc\\Web\\Request', array('getInternalArgument', 'setHmacVerified'));
162  $request->expects($this->any())->method('getInternalArgument')->with('__hmac')->will($this->returnValue(FALSE));
163  $request->expects($this->once())->method('setHmacVerified')->with(FALSE);
164  $requestHashService = new \TYPO3\CMS\Extbase\Security\Channel\RequestHashService();
165  $requestHashService->verifyRequest($request);
166  }
167 
173  public function verifyRequestHashThrowsExceptionIfHmacIsShortherThan40Characters() {
174  $request = $this->getAccessibleMock('TYPO3\\CMS\\Extbase\\Mvc\\Web\\Request', array('getInternalArgument', 'setHmacVerified'));
175  $request->expects($this->any())->method('getInternalArgument')->with('__hmac')->will($this->returnValue('abc'));
176  $requestHashService = new \TYPO3\CMS\Extbase\Security\Channel\RequestHashService();
177  $requestHashService->verifyRequest($request);
178  }
179 
184  public function verifyRequestHashValidatesTheHashAndSetsHmacVerifiedToFalseIfHashCouldNotBeVerified() {
185  $request = $this->getAccessibleMock('TYPO3\\CMS\\Extbase\\Mvc\\Web\\Request', array('getInternalArgument', 'setHmacVerified'));
186  $request->expects($this->any())->method('getInternalArgument')->with('__hmac')->will($this->returnValue('11111' . '0000000000000000000000000000000000000000'));
187  $request->expects($this->once())->method('setHmacVerified')->with(FALSE);
188  $hashService = $this->getMock('TYPO3\\CMS\\Extbase\\Security\\Cryptography\\HashService', array('validateHmac'));
189  $hashService->expects($this->once())->method('validateHmac')->with('11111', '0000000000000000000000000000000000000000')->will($this->returnValue(FALSE));
190  $requestHashService = $this->getAccessibleMock('TYPO3\\CMS\\Extbase\\Security\\Channel\\RequestHashService', array('dummy'));
191  $requestHashService->_set('hashService', $hashService);
192  $requestHashService->verifyRequest($request);
193  }
194 
199  public function verifyRequestHashValidatesTheHashAndSetsHmacVerifiedToTrueIfArgumentsAreIncludedInTheAllowedArgumentList() {
200  $data = serialize(array('a' => 1));
201  $request = $this->getAccessibleMock('TYPO3\\CMS\\Extbase\\Mvc\\Web\\Request', array('getInternalArgument', 'getArguments', 'setHmacVerified'));
202  $request->expects($this->any())->method('getInternalArgument')->with('__hmac')->will($this->returnValue($data . '0000000000000000000000000000000000000000'));
203  $request->expects($this->once())->method('getArguments')->will($this->returnValue(array(
204  '__hmac' => 'ABC',
205  '__referrer' => '...',
206  'a' => 'bla'
207  )));
208  $request->expects($this->once())->method('setHmacVerified')->with(TRUE);
209  $hashService = $this->getMock('TYPO3\\CMS\\Extbase\\Security\\Cryptography\\HashService', array('validateHmac'));
210  $hashService->expects($this->once())->method('validateHmac')->with($data, '0000000000000000000000000000000000000000')->will($this->returnValue(TRUE));
211  $requestHashService = $this->getAccessibleMock('TYPO3\\CMS\\Extbase\\Security\\Channel\\RequestHashService', array('checkFieldNameInclusion'));
212  $requestHashService->expects($this->once())->method('checkFieldNameInclusion')->with(array('a' => 'bla'), array('a' => 1))->will($this->returnValue(TRUE));
213  $requestHashService->_set('hashService', $hashService);
214  $requestHashService->verifyRequest($request);
215  }
216 
221  public function verifyRequestHashValidatesTheHashAndSetsHmacVerifiedToFalseIfNotAllArgumentsAreIncludedInTheAllowedArgumentList() {
222  $data = serialize(array('a' => 1));
223  $request = $this->getAccessibleMock('TYPO3\\CMS\\Extbase\\Mvc\\Web\\Request', array('getInternalArgument', 'getArguments', 'setHmacVerified'));
224  $request->expects($this->any())->method('getInternalArgument')->with('__hmac')->will($this->returnValue($data . '0000000000000000000000000000000000000000'));
225  $request->expects($this->once())->method('getArguments')->will($this->returnValue(array(
226  '__hmac' => 'ABC',
227  '__referrer' => '...',
228  'a' => 'bla',
229  'b' => 'blubb'
230  )));
231  $request->expects($this->once())->method('setHmacVerified')->with(FALSE);
232  $hashService = $this->getMock('TYPO3\\CMS\\Extbase\\Security\\Cryptography\\HashService', array('validateHmac'));
233  $hashService->expects($this->once())->method('validateHmac')->with($data, '0000000000000000000000000000000000000000')->will($this->returnValue(TRUE));
234  $requestHashService = $this->getAccessibleMock('TYPO3\\CMS\\Extbase\\Security\\Channel\\RequestHashService', array('checkFieldNameInclusion'));
235  $requestHashService->expects($this->once())->method('checkFieldNameInclusion')->with(array('a' => 'bla', 'b' => 'blubb'), array('a' => 1))->will($this->returnValue(FALSE));
236  $requestHashService->_set('hashService', $hashService);
237  $requestHashService->verifyRequest($request);
238  }
239 
245  public function dataProviderForCheckFieldNameInclusion() {
246  return array(
247  // Simple fields with requestfields = responsefields
248  array(
249  // Request
250  array(
251  'a' => 'X',
252  'b' => 'X',
253  'c' => 'X'
254  ),
255  // Allowed
256  array(
257  'a' => 1,
258  'b' => 1,
259  'c' => 1
260  ),
261  // Expected result
262  TRUE
263  ),
264  // Simple fields with requestfields < responsefields
265  array(
266  // Request
267  array(
268  'a' => 'X',
269  'c' => 'X'
270  ),
271  // Allowed
272  array(
273  'a' => 1,
274  'b' => 1,
275  'c' => 1
276  ),
277  // Expected result
278  TRUE
279  ),
280  // Simple fields with requestfields > responsefields
281  array(
282  // Request
283  array(
284  'a' => 'X',
285  'b' => 'X',
286  'c' => 'X'
287  ),
288  // Allowed
289  array(
290  'a' => 1,
291  'b' => 1
292  ),
293  // Expected result
294  FALSE
295  ),
296  // Hierarchical fields with requestfields < responsefields
297  array(
298  // Request
299  array(
300  'a' => array(
301  'b' => 'X'
302  ),
303  'c' => 'X'
304  ),
305  // Allowed
306  array(
307  'a' => array(
308  'b' => 1,
309  'abc' => 1
310  ),
311  'c' => 1
312  ),
313  // Expected result
314  TRUE
315  ),
316  // Hierarchical fields with requestfields > responsefields
317  array(
318  // Request
319  array(
320  'a' => array(
321  'b' => 'X',
322  'abc' => 'X'
323  ),
324  'c' => 'X'
325  ),
326  // Allowed
327  array(
328  'a' => array(
329  'b' => 1
330  ),
331  'c' => 1
332  ),
333  // Expected result
334  FALSE
335  ),
336  // hierarchical fields with requestfields != responsefields (different types) - 1
337  array(
338  // Request
339  array(
340  'a' => array(
341  'b' => 'X',
342  'c' => 'X'
343  ),
344  'b' => 'X',
345  'c' => 'X'
346  ),
347  // Allowed
348  array(
349  'a' => 1,
350  'b' => 1,
351  'c' => 1
352  ),
353  // Expected result
354  FALSE
355  ),
356  // hierarchical fields with requestfields != responsefields (different types) - 2
357  array(
358  // Request
359  array(
360  'a' => 'X',
361  'b' => 'X',
362  'c' => 'X'
363  ),
364  // Allowed
365  array(
366  'a' => array(
367  'x' => 1,
368  'y' => 1
369  ),
370  'b' => 1,
371  'c' => 1
372  ),
373  // Expected result
374  FALSE
375  ),
376  // hierarchical fields with requestfields != responsefields (different types)
377  // This case happens if an array of checkboxes is rendered, in case they are fully unchecked.
378  array(
379  // Request
380  array(
381  'a' => '',
382  // this is the only allowed value.
383  'b' => 'X',
384  'c' => 'X'
385  ),
386  // Allowed
387  array(
388  'a' => array(
389  'x' => 1,
390  'y' => 1
391  ),
392  'b' => 1,
393  'c' => 1
394  ),
395  // Expected result
396  TRUE
397  )
398  );
399  }
400 
409  public function checkFieldNameInclusionWorks($requestArguments, $allowedFields, $expectedResult) {
410  $requestHashService = $this->getAccessibleMock('TYPO3\\CMS\\Extbase\\Security\\Channel\\RequestHashService', array('dummy'));
411  $this->assertEquals($expectedResult, $requestHashService->_call('checkFieldNameInclusion', $requestArguments, $allowedFields));
412  }
413 }
TYPO3\CMS\Extbase\Tests\Unit\Security\Channel\RequestHashServiceTest\checkFieldNameInclusionWorks
checkFieldNameInclusionWorks($requestArguments, $allowedFields, $expectedResult)
Definition: RequestHashServiceTest.php:409
TYPO3\CMS\Core\Tests\BaseTestCase\getAccessibleMock
getAccessibleMock( $originalClassName, array $methods=array(), array $arguments=array(), $mockClassName='', $callOriginalConstructor=TRUE, $callOriginalClone=TRUE, $callAutoload=TRUE)
Definition: BaseTestCase.php:56