[TASK] Make felogin/Test/Unit notice free
[Packages/TYPO3.CMS.git] / typo3 / sysext / felogin / Tests / Unit / Controller / FrontendLoginControllerTest.php
1 <?php
2 declare(strict_types = 1);
3 namespace TYPO3\CMS\Felogin\Tests\Unit\Controller;
4
5 /*
6 * This file is part of the TYPO3 CMS project.
7 *
8 * It is free software; you can redistribute it and/or modify it under
9 * the terms of the GNU General Public License, either version 2
10 * of the License, or any later version.
11 *
12 * For the full copyright and license information, please read the
13 * LICENSE.txt file that was distributed with this source code.
14 *
15 * The TYPO3 project - inspiring people to share!
16 */
17
18 use Prophecy\Argument;
19 use Prophecy\Prophecy\ObjectProphecy;
20 use Psr\Log\NullLogger;
21 use TYPO3\CMS\Core\Authentication\LoginType;
22 use TYPO3\CMS\Core\Database\Connection;
23 use TYPO3\CMS\Core\Database\ConnectionPool;
24 use TYPO3\CMS\Core\Database\Query\Expression\ExpressionBuilder;
25 use TYPO3\CMS\Core\Database\Query\QueryBuilder;
26 use TYPO3\CMS\Core\Tests\Unit\Database\Mocks\MockPlatform;
27 use TYPO3\CMS\Core\Utility\GeneralUtility;
28 use TYPO3\CMS\Frontend\Controller\TypoScriptFrontendController;
29 use TYPO3\TestingFramework\Core\Unit\UnitTestCase;
30
31 /**
32 * Test case
33 */
34 class FrontendLoginControllerTest extends UnitTestCase
35 {
36 /**
37 * @var \TYPO3\CMS\Felogin\Controller\FrontendLoginController|\TYPO3\TestingFramework\Core\AccessibleObjectInterface
38 */
39 protected $accessibleFixture;
40
41 /**
42 * @var string
43 */
44 protected $testHostName;
45
46 /**
47 * @var string
48 */
49 protected $testSitePath;
50
51 /**
52 * @var string
53 */
54 protected $testTableName;
55
56 /**
57 * Set up
58 */
59 protected function setUp()
60 {
61 $GLOBALS['TSFE'] = new \stdClass();
62 $this->testTableName = 'sys_domain';
63 $this->testHostName = 'hostname.tld';
64 $this->testSitePath = '/';
65 $this->accessibleFixture = $this->getAccessibleMock(\TYPO3\CMS\Felogin\Controller\FrontendLoginController::class, ['dummy']);
66 $this->accessibleFixture->cObj = $this->createMock(\TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer::class);
67 $this->accessibleFixture->_set('frontendController', $this->createMock(\TYPO3\CMS\Frontend\Controller\TypoScriptFrontendController::class));
68 $this->accessibleFixture->setLogger(new NullLogger());
69 $this->setUpFakeSitePathAndHost();
70 }
71
72 /**
73 * Tear down
74 */
75 protected function tearDown()
76 {
77 // setUpDatabaseMock() prepares some instances via addInstance(), but not all
78 // tests use that instance. purgeInstances() removes left overs
79 GeneralUtility::purgeInstances();
80 parent::tearDown();
81 }
82
83 /**
84 * Set up a fake site path and host
85 */
86 protected function setUpFakeSitePathAndHost()
87 {
88 GeneralUtility::flushInternalRuntimeCaches();
89 $_SERVER['ORIG_PATH_INFO'] = $_SERVER['PATH_INFO'] = $_SERVER['ORIG_SCRIPT_NAME'] = $_SERVER['SCRIPT_NAME'] = $this->testSitePath . TYPO3_mainDir;
90 $_SERVER['HTTP_HOST'] = $this->testHostName;
91 }
92
93 /**
94 * Mock database
95 */
96 protected function setUpDatabaseMock()
97 {
98 /** @var Connection|ObjectProphecy $connection */
99 $connection = $this->prophesize(Connection::class);
100 $connection->getDatabasePlatform()->willReturn(new MockPlatform());
101 $connection->getExpressionBuilder()->willReturn(new ExpressionBuilder($connection->reveal()));
102 $connection->quoteIdentifier(Argument::cetera())->willReturnArgument(0);
103
104 // TODO: This should rather be a functional test if we need a query builder
105 // or we should clean up the code itself to not need to mock internal behavior here
106 $queryBuilder = new QueryBuilder(
107 $connection->reveal(),
108 null,
109 new \Doctrine\DBAL\Query\QueryBuilder($connection->reveal())
110 );
111
112 /** @var \Doctrine\DBAL\Driver\Statement|ObjectProphecy $resultSet */
113 $resultSet = $this->prophesize(\Doctrine\DBAL\Driver\Statement::class);
114 $resultSet->fetchAll()->willReturn([
115 ['domainName' => 'domainhostname.tld'],
116 ['domainName' => 'otherhostname.tld/path'],
117 ['domainName' => 'sub.domainhostname.tld/path/']
118 ]);
119
120 /** @var ConnectionPool|ObjectProphecy $connectionPool */
121 $connectionPool = $this->prophesize(ConnectionPool::class);
122 $connectionPool->getQueryBuilderForTable('sys_domain')->willReturn($queryBuilder);
123 GeneralUtility::addInstance(ConnectionPool::class, $connectionPool->reveal());
124
125 $connection->executeQuery('SELECT domainName FROM sys_domain', Argument::cetera())
126 ->willReturn($resultSet->reveal());
127 }
128
129 /**
130 * @test
131 */
132 public function typo3SitePathEqualsStubSitePath()
133 {
134 $this->assertEquals(\TYPO3\CMS\Core\Utility\GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'), $this->testSitePath);
135 }
136
137 /**
138 * @test
139 */
140 public function typo3SiteUrlEqualsStubSiteUrl()
141 {
142 $this->assertEquals(\TYPO3\CMS\Core\Utility\GeneralUtility::getIndpEnv('TYPO3_SITE_URL'), ('http://' . $this->testHostName) . $this->testSitePath);
143 }
144
145 /**
146 * @test
147 */
148 public function typo3SitePathEqualsStubSitePathAfterChangingInTest()
149 {
150 $this->testHostName = 'somenewhostname.com';
151 $this->testSitePath = '/somenewpath/';
152 $this->setUpFakeSitePathAndHost();
153 $this->assertEquals(\TYPO3\CMS\Core\Utility\GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'), $this->testSitePath);
154 }
155
156 /**
157 * @test
158 */
159 public function typo3SiteUrlEqualsStubSiteUrlAfterChangingInTest()
160 {
161 $this->testHostName = 'somenewhostname.com';
162 $this->testSitePath = '/somenewpath/';
163 $this->setUpFakeSitePathAndHost();
164 $this->assertEquals(\TYPO3\CMS\Core\Utility\GeneralUtility::getIndpEnv('TYPO3_SITE_URL'), ('http://' . $this->testHostName) . $this->testSitePath);
165 }
166
167 /**
168 * Data provider for validateRedirectUrlClearsUrl
169 *
170 * @return array
171 */
172 public function validateRedirectUrlClearsUrlDataProvider()
173 {
174 return [
175 'absolute URL, hostname not in sys_domain, trailing slash' => ['http://badhost.tld/'],
176 'absolute URL, hostname not in sys_domain, no trailing slash' => ['http://badhost.tld'],
177 'absolute URL, subdomain in sys_domain, but main domain not, trailing slash' => ['http://domainhostname.tld.badhost.tld/'],
178 'absolute URL, subdomain in sys_domain, but main domain not, no trailing slash' => ['http://domainhostname.tld.badhost.tld'],
179 'non http absolute URL 1' => ['its://domainhostname.tld/itunes/'],
180 'non http absolute URL 2' => ['ftp://domainhostname.tld/download/'],
181 'XSS attempt 1' => ['javascript:alert(123)'],
182 'XSS attempt 2' => ['" onmouseover="alert(123)"'],
183 'invalid URL, HTML break out attempt' => ['" >blabuubb'],
184 'invalid URL, UNC path' => ['\\\\foo\\bar\\'],
185 'invalid URL, backslashes in path' => ['http://domainhostname.tld\\bla\\blupp'],
186 'invalid URL, linefeed in path' => ['http://domainhostname.tld/bla/blupp' . LF],
187 'invalid URL, only one slash after scheme' => ['http:/domainhostname.tld/bla/blupp'],
188 'invalid URL, illegal chars' => ['http://(<>domainhostname).tld/bla/blupp'],
189 ];
190 }
191
192 /**
193 * @test
194 * @dataProvider validateRedirectUrlClearsUrlDataProvider
195 * @param string $url Invalid Url
196 */
197 public function validateRedirectUrlClearsUrl($url)
198 {
199 $this->setUpDatabaseMock();
200 $this->assertEquals('', $this->accessibleFixture->_call('validateRedirectUrl', $url));
201 }
202
203 /**
204 * Data provider for validateRedirectUrlKeepsCleanUrl
205 *
206 * @return array
207 */
208 public function validateRedirectUrlKeepsCleanUrlDataProvider()
209 {
210 return [
211 'sane absolute URL' => ['http://domainhostname.tld/'],
212 'sane absolute URL with script' => ['http://domainhostname.tld/index.php?id=1'],
213 'sane absolute URL with realurl' => ['http://domainhostname.tld/foo/bar/foo.html'],
214 'sane absolute URL with homedir' => ['http://domainhostname.tld/~user/'],
215 'sane absolute URL with some strange chars encoded' => ['http://domainhostname.tld/~user/a%cc%88o%cc%88%c3%9fa%cc%82/foo.html'],
216 'sane absolute URL (domain record with path)' => ['http://otherhostname.tld/path/'],
217 'sane absolute URL with script (domain record with path)' => ['http://otherhostname.tld/path/index.php?id=1'],
218 'sane absolute URL with realurl (domain record with path)' => ['http://otherhostname.tld/path/foo/bar/foo.html'],
219 'sane absolute URL (domain record with path and slash)' => ['http://sub.domainhostname.tld/path/'],
220 'sane absolute URL with script (domain record with path slash)' => ['http://sub.domainhostname.tld/path/index.php?id=1'],
221 'sane absolute URL with realurl (domain record with path slash)' => ['http://sub.domainhostname.tld/path/foo/bar/foo.html'],
222 'relative URL, no leading slash 1' => ['index.php?id=1'],
223 'relative URL, no leading slash 2' => ['foo/bar/index.php?id=2'],
224 'relative URL, leading slash, no realurl' => ['/index.php?id=1'],
225 'relative URL, leading slash, realurl' => ['/de/service/imprint.html'],
226 ];
227 }
228
229 /**
230 * @test
231 * @dataProvider validateRedirectUrlKeepsCleanUrlDataProvider
232 * @param string $url Clean URL to test
233 */
234 public function validateRedirectUrlKeepsCleanUrl($url)
235 {
236 $this->setUpDatabaseMock();
237 $this->assertEquals($url, $this->accessibleFixture->_call('validateRedirectUrl', $url));
238 }
239
240 /**
241 * Data provider for validateRedirectUrlClearsInvalidUrlInSubdirectory
242 *
243 * @return array
244 */
245 public function validateRedirectUrlClearsInvalidUrlInSubdirectoryDataProvider()
246 {
247 return [
248 'absolute URL, missing subdirectory' => ['http://hostname.tld/'],
249 'absolute URL, wrong subdirectory' => ['http://hostname.tld/hacker/index.php'],
250 'absolute URL, correct subdirectory, no trailing slash' => ['http://hostname.tld/subdir'],
251 'absolute URL, correct subdirectory of sys_domain record, no trailing slash' => ['http://otherhostname.tld/path'],
252 'absolute URL, correct subdirectory of sys_domain record, no trailing slash, subdomain' => ['http://sub.domainhostname.tld/path'],
253 'relative URL, leading slash, no path' => ['/index.php?id=1'],
254 'relative URL, leading slash, wrong path' => ['/de/sub/site.html'],
255 'relative URL, leading slash, slash only' => ['/'],
256 ];
257 }
258
259 /**
260 * @test
261 * @dataProvider validateRedirectUrlClearsInvalidUrlInSubdirectoryDataProvider
262 * @param string $url Invalid Url
263 */
264 public function validateRedirectUrlClearsInvalidUrlInSubdirectory($url)
265 {
266 $this->testSitePath = '/subdir/';
267 $this->setUpFakeSitePathAndHost();
268 $this->setUpDatabaseMock();
269 $this->assertEquals('', $this->accessibleFixture->_call('validateRedirectUrl', $url));
270 }
271
272 /**
273 * Data provider for validateRedirectUrlKeepsCleanUrlInSubdirectory
274 *
275 * @return array
276 */
277 public function validateRedirectUrlKeepsCleanUrlInSubdirectoryDataProvider()
278 {
279 return [
280 'absolute URL, correct subdirectory' => ['http://hostname.tld/subdir/'],
281 'absolute URL, correct subdirectory, realurl' => ['http://hostname.tld/subdir/de/imprint.html'],
282 'absolute URL, correct subdirectory, no realurl' => ['http://hostname.tld/subdir/index.php?id=10'],
283 'absolute URL, correct subdirectory of sys_domain record' => ['http://otherhostname.tld/path/'],
284 'absolute URL, correct subdirectory of sys_domain record, subdomain' => ['http://sub.domainhostname.tld/path/'],
285 'relative URL, no leading slash, realurl' => ['de/service/imprint.html'],
286 'relative URL, no leading slash, no realurl' => ['index.php?id=1'],
287 'relative nested URL, no leading slash, no realurl' => ['foo/bar/index.php?id=2']
288 ];
289 }
290
291 /**
292 * @test
293 * @dataProvider validateRedirectUrlKeepsCleanUrlInSubdirectoryDataProvider
294 * @param string $url Invalid Url
295 */
296 public function validateRedirectUrlKeepsCleanUrlInSubdirectory($url)
297 {
298 $this->testSitePath = '/subdir/';
299 $this->setUpFakeSitePathAndHost();
300 $this->setUpDatabaseMock();
301 $this->assertEquals($url, $this->accessibleFixture->_call('validateRedirectUrl', $url));
302 }
303
304 /*************************
305 * Test concerning getPreverveGetVars
306 *************************/
307
308 /**
309 * @return array
310 */
311 public function getPreserveGetVarsReturnsCorrectResultDataProvider()
312 {
313 return [
314 'special get var id is not preserved' => [
315 [
316 'id' => 42,
317 ],
318 '',
319 '',
320 ],
321 'simple additional parameter is not preserved if not specified in preservedGETvars' => [
322 [
323 'id' => 42,
324 'special' => 23,
325 ],
326 '',
327 '',
328 ],
329 'all params except ignored ones are preserved if preservedGETvars is set to "all"' => [
330 [
331 'id' => 42,
332 'special1' => 23,
333 'special2' => [
334 'foo' => 'bar',
335 ],
336 'tx_felogin_pi1' => [
337 'forgot' => 1,
338 ],
339 ],
340 'all',
341 '&special1=23&special2[foo]=bar',
342 ],
343 'preserve single parameter' => [
344 [
345 'L' => 42,
346 ],
347 'L',
348 '&L=42'
349 ],
350 'preserve whole parameter array' => [
351 [
352 'L' => 3,
353 'tx_someext' => [
354 'foo' => 'simple',
355 'bar' => [
356 'baz' => 'simple',
357 ],
358 ],
359 ],
360 'L,tx_someext',
361 '&L=3&tx_someext[foo]=simple&tx_someext[bar][baz]=simple',
362 ],
363 'preserve part of sub array' => [
364 [
365 'L' => 3,
366 'tx_someext' => [
367 'foo' => 'simple',
368 'bar' => [
369 'baz' => 'simple',
370 ],
371 ],
372 ],
373 'L,tx_someext[bar]',
374 '&L=3&tx_someext[bar][baz]=simple',
375 ],
376 'preserve keys on different levels' => [
377 [
378 'L' => 3,
379 'no-preserve' => 'whatever',
380 'tx_ext2' => [
381 'foo' => 'simple',
382 ],
383 'tx_ext3' => [
384 'bar' => [
385 'baz' => 'simple',
386 ],
387 'go-away' => '',
388 ],
389 ],
390 'L,tx_ext2,tx_ext3[bar]',
391 '&L=3&tx_ext2[foo]=simple&tx_ext3[bar][baz]=simple',
392 ],
393 'preserved value that does not exist in get' => [
394 [],
395 'L,foo[bar]',
396 ''
397 ],
398 'url params are encoded' => [
399 ['tx_ext1' => 'param with spaces and \\ %<>& /'],
400 'L,tx_ext1',
401 '&tx_ext1=param%20with%20spaces%20and%20%5C%20%25%3C%3E%26%20%2F'
402 ],
403 ];
404 }
405
406 /**
407 * @test
408 * @dataProvider getPreserveGetVarsReturnsCorrectResultDataProvider
409 * @param array $getArray
410 * @param string $preserveVars
411 * @param string $expected
412 */
413 public function getPreserveGetVarsReturnsCorrectResult(array $getArray, $preserveVars, $expected)
414 {
415 $_GET = $getArray;
416 $this->accessibleFixture->conf['preserveGETvars'] = $preserveVars;
417 $this->assertSame($expected, $this->accessibleFixture->_call('getPreserveGetVars'));
418 }
419
420 /**************************************************
421 * Tests concerning isInLocalDomain
422 **************************************************/
423
424 /**
425 * Dataprovider for isInCurrentDomainIgnoresScheme
426 *
427 * @return array
428 */
429 public function isInCurrentDomainIgnoresSchemeDataProvider()
430 {
431 return [
432 'url https, current host http' => [
433 'example.com', // HTTP_HOST
434 '0', // HTTPS
435 'https://example.com/foo.html' // URL
436 ],
437 'url http, current host https' => [
438 'example.com',
439 '1',
440 'http://example.com/foo.html'
441 ],
442 'url https, current host https' => [
443 'example.com',
444 '1',
445 'https://example.com/foo.html'
446 ],
447 'url http, current host http' => [
448 'example.com',
449 '0',
450 'http://example.com/foo.html'
451 ]
452 ];
453 }
454
455 /**
456 * @test
457 * @dataProvider isInCurrentDomainIgnoresSchemeDataProvider
458 * @param string $host $_SERVER['HTTP_HOST']
459 * @param string $https $_SERVER['HTTPS']
460 * @param string $url The url to test
461 */
462 public function isInCurrentDomainIgnoresScheme($host, $https, $url)
463 {
464 $_SERVER['HTTP_HOST'] = $host;
465 $_SERVER['HTTPS'] = $https;
466 $this->assertTrue($this->accessibleFixture->_call('isInCurrentDomain', $url));
467 }
468
469 /**
470 * @return array
471 */
472 public function isInCurrentDomainReturnsFalseIfDomainsAreDifferentDataProvider()
473 {
474 return [
475 'simple difference' => [
476 'example.com', // HTTP_HOST
477 'http://typo3.org/foo.html' // URL
478 ],
479 'subdomain different' => [
480 'example.com',
481 'http://foo.example.com/bar.html'
482 ]
483 ];
484 }
485
486 /**
487 * @test
488 * @dataProvider isInCurrentDomainReturnsFalseIfDomainsAreDifferentDataProvider
489 * @param string $host $_SERVER['HTTP_HOST']
490 * @param string $url The url to test
491 */
492 public function isInCurrentDomainReturnsFalseIfDomainsAreDifferent($host, $url)
493 {
494 $_SERVER['HTTP_HOST'] = $host;
495 $this->assertFalse($this->accessibleFixture->_call('isInCurrentDomain', $url));
496 }
497
498 /**
499 * @test
500 */
501 public function processRedirectReferrerDomainsMatchesDomains()
502 {
503 $conf = [
504 'redirectMode' => 'refererDomains',
505 'domains' => 'example.com'
506 ];
507
508 $this->accessibleFixture->_set('conf', $conf);
509 $this->accessibleFixture->_set('logintype', LoginType::LOGIN);
510 $this->accessibleFixture->_set('referer', 'http://www.example.com/snafu');
511 /** @var TypoScriptFrontendController $tsfe */
512 $tsfe = $this->accessibleFixture->_get('frontendController');
513 $this->accessibleFixture->_set('userIsLoggedIn', true);
514 $this->assertSame(['http://www.example.com/snafu'], $this->accessibleFixture->_call('processRedirect'));
515 }
516 }