author | diosmosis <diosmosis@users.noreply.github.com> | 2020-10-29 02:37:25 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-10-29 02:37:25 +0300 |
commit | 5c7b0f275a9fac7ef9ac8292db7b6bf1a40d8c6b (patch) | |
tree | de45a54aa679128663e569c929159ab0ebfbf959 /tests | |
parent | 935293db11b7ee98d97596118ae76d9023d8d79e (diff) |
Add new INI config [General] enable_framed_allow_write_admin_token_auth… (#16595)
* Add new INI config [General] enable_framed_allow_write_admin_token_auth to allow framed matomo use case to still function in Matomo 4.
* Link to faq in exception message.
* apply pr feedback and write integration tests (not passing)
* fix test
* fix test
* update screenshot
* fix more ui tests
* update exception message
* update some expected screenshots
* update screenshot
Co-authored-by: Thomas Steur <tsteur@users.noreply.github.com>
Diffstat (limited to 'tests')
5 files changed, 189 insertions, 9 deletions
diff --git a/tests/PHPUnit/Integration/API/RequestTest.php b/tests/PHPUnit/Integration/API/RequestTest.php
index f698ed73ac..7b0755b79c 100644
--- a/tests/PHPUnit/Integration/API/RequestTest.php
+++ b/tests/PHPUnit/Integration/API/RequestTest.php
@@ -8,10 +8,14 @@ namespace Piwik\Tests\Integration\API;
+use Piwik\Access;
 use Piwik\API\Request;
 use Piwik\AuthResult;
-use Piwik\Db;
+use Piwik\Common;
+use Piwik\Config;
+use Piwik\Tests\Framework\Fixture;
 use Piwik\Tests\Framework\TestCase\IntegrationTestCase;
+use ReflectionClass;
 /**
 * @group Core
@@ -25,6 +29,26 @@ class RequestTest extends IntegrationTestCase
 private $userAuthToken = 'token';
+ private $idSitesAccess = [];
+
+ public function setUp(): void
+ {
+ parent::setUp();
+ $this->idSitesAccess = [
+ 'view' => array(1),
+ 'write' => array(),
+ 'admin' => array(),
+ 'superuser' => array(),
+ ];
+ }
+
+ protected static function beforeTableDataCached()
+ {
+ parent::beforeTableDataCached();
+
+ Fixture::createWebsite('2018-02-03 00:00:00');
+ }
+
 public function test_process_shouldNotReloadAccessIfNoTokenAuthIsGiven()
 {
 $this->assertAccessNotReloaded();
@@ -93,6 +117,152 @@ class RequestTest extends IntegrationTestCase
 $this->assertTrue(Request::isApiRequest(array('module' => 'API', 'method' => 'test.method')));
 }
+ public function test_checkTokenAuthIsNotLimited_allowsSuperUserTokenAuth_ifCurrentRequestIsForAPI()
+ {
+ $this->expectNotToPerformAssertions();
+
+ Common::$isCliMode = false;
+ $this->access->setSuperUserAccess(true);
+
+ Request::checkTokenAuthIsNotLimited('API', 'index');
+ }
+
+ public function test_checkTokenAuthIsNotLimited_allowsSuperUserTokenAuth_ifCurrentlyInCliMode()
+ {
+ $this->expectNotToPerformAssertions();
+
+ Common::$isCliMode = true;
+ $this->access->setSuperUserAccess(true);
+
+ Request::checkTokenAuthIsNotLimited('SomePlugin', 'someMethod');
+ }
+
+ public function test_checkTokenAuthIsNotLimited_doesNotAllowSuperUserTokenAuth_ifCurrentlyInUiRequest()
+ {
+ $this->expectException(\Exception::class);
+ $this->expectExceptionMessage('Widgetize_TooHighAccessLevel');
+
+ Common::$isCliMode = false;
+ $this->access->setSuperUserAccess(true);
+
+ Request::checkTokenAuthIsNotLimited('SomePlugin', 'someMethod');
+ }
+
+ public function test_checkTokenAuthIsNotLimited_doesNotAllowSuperUserTokenAuth_ifCurrentlyInUiRequestAndEnableConfigSet()
+ {
+ Config::getInstance()->General['enable_framed_allow_write_admin_token_auth'] = 1;
+
+ $this->expectException(\Exception::class);
+ $this->expectExceptionMessage('Widgetize_TooHighAccessLevel');
+
+ Common::$isCliMode = false;
+ $this->access->setSuperUserAccess(true);
+
+ Request::checkTokenAuthIsNotLimited('SomePlugin', 'someMethod');
+ }
+
+ public function test_checkTokenAuthIsNotLimited_doesNotAllowWriteTokenAuth_ifConfigNotSet()
+ {
+ Config::getInstance()->General['enable_framed_allow_write_admin_token_auth'] = 0;
+
+ $this->expectException(\Exception::class);
+ $this->expectExceptionMessage('Widgetize_ViewAccessRequired');
+
+ $this->idSitesAccess['view'] = [];
+ $this->idSitesAccess['write'] = [1];
+ $this->access->reloadAccess($this->auth);
+ $this->access->setSuperUserAccess(false);
+ $this->assertFalse($this->access->hasSuperUserAccess());
+ $this->assertTrue($this->access->isUserHasSomeWriteAccess());
+
+ Common::$isCliMode = false;
+
+ Request::checkTokenAuthIsNotLimited('SomePlugin', 'someMethod');
+ }
+
+ public function test_checkTokenAuthIsNotLimited_doesNotAllowAdminTokenAuth_ifConfigNotSet()
+ {
+ Config::getInstance()->General['enable_framed_allow_write_admin_token_auth'] = 0;
+
+ $this->expectException(\Exception::class);
+ $this->expectExceptionMessage('Widgetize_ViewAccessRequired');
+
+ $this->idSitesAccess['view'] = [];
+ $this->idSitesAccess['admin'] = [1];
+ $this->access->reloadAccess($this->auth);
+ $this->access->setSuperUserAccess(false);
+ $this->assertFalse($this->access->hasSuperUserAccess());
+ $this->assertTrue($this->access->isUserHasSomeAdminAccess());
+
+ Common::$isCliMode = false;
+
+ Request::checkTokenAuthIsNotLimited('SomePlugin', 'someMethod');
+ }
+
+ public function test_checkTokenAuthIsNotLimited_allowsWriteTokenAuth_ifConfigSet()
+ {
+ Config::getInstance()->General['enable_framed_allow_write_admin_token_auth'] = 1;
+
+ $this->idSitesAccess['view'] = [];
+ $this->idSitesAccess['write'] = [1];
+ $this->access->reloadAccess($this->auth);
+ $this->access->setSuperUserAccess(false);
+ $this->assertFalse($this->access->hasSuperUserAccess());
+ $this->assertTrue($this->access->isUserHasSomeWriteAccess());
+
+ Common::$isCliMode = false;
+
+ Request::checkTokenAuthIsNotLimited('SomePlugin', 'someMethod');
+ }
+
+ public function test_checkTokenAuthIsNotLimited_allowsAdminTokenAuth_ifConfigSet()
+ {
+ Config::getInstance()->General['enable_framed_allow_write_admin_token_auth'] = 1;
+
+ $this->idSitesAccess['view'] = [];
+ $this->idSitesAccess['admin'] = [1];
+ $this->access->reloadAccess($this->auth);
+ $this->access->setSuperUserAccess(false);
+ $this->assertFalse($this->access->hasSuperUserAccess());
+ $this->assertTrue($this->access->isUserHasSomeAdminAccess());
+
+ Common::$isCliMode = false;
+
+ Request::checkTokenAuthIsNotLimited('SomePlugin', 'someMethod');
+ }
+
+ public function test_checkTokenAuthIsNotLimited_allowsViewTokenAuth_ifConfigSet()
+ {
+ Config::getInstance()->General['enable_framed_allow_write_admin_token_auth'] = 1;
+
+ $this->idSitesAccess['view'] = [1];
+ $this->access->reloadAccess($this->auth);
+ $this->access->setSuperUserAccess(false);
+ $this->assertFalse($this->access->hasSuperUserAccess());
+ $this->assertFalse($this->access->isUserHasSomeAdminAccess());
+ $this->assertFalse($this->access->isUserHasSomeWriteAccess());
+
+ Common::$isCliMode = false;
+
+ Request::checkTokenAuthIsNotLimited('SomePlugin', 'someMethod');
+ }
+
+ public function test_checkTokenAuthIsNotLimited_allowsViewTokenAuth_ifConfigNotSet()
+ {
+ Config::getInstance()->General['enable_framed_allow_write_admin_token_auth'] = 0;
+
+ $this->idSitesAccess['view'] = [1];
+ $this->access->reloadAccess($this->auth);
+ $this->access->setSuperUserAccess(false);
+ $this->assertFalse($this->access->hasSuperUserAccess());
+ $this->assertFalse($this->access->isUserHasSomeAdminAccess());
+ $this->assertFalse($this->access->isUserHasSomeWriteAccess());
+
+ Common::$isCliMode = false;
+
+ Request::checkTokenAuthIsNotLimited('SomePlugin', 'someMethod');
+ }
+
 private function assertSameUserAsBeforeIsAuthenticated()
 {
 $this->assertEquals($this->userAuthToken, $this->access->getTokenAuth());
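Review bot: The new tests assign `Config::getInstance()->General['enable_framed_allow_write_admin_token_auth']` and `Common::$isCliMode` in place and nothing in the hunk restores them, so whatever the last test leaves behind is visible to any later test in the same process unless IntegrationTestCase resets the config and that static in tearDown (not visible here); a tearDown that saves and restores both would make the suite order-independent. The INI layer delivers this option as a string while the tests assign the ints `1` and `0`, so if the production check compares strictly the tests would pass here and the option would misbehave with a real config file; one case that assigns `'1'` (or goes through the same normalisation the core applies) would pin that. The boundary the tests do cover looks right: super user access is rejected in a UI request regardless of the flag, and write/admin tokens pass only when the flag is set. The trailing context cuts into assertSameUserAsBeforeIsAuthenticated, whose body continues outside the hunk.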
@@ -134,9 +304,19 @@ class RequestTest extends IntegrationTestCase
 private function createAccessMock($auth)
 {
 $mock = $this->getMockBuilder('Piwik\Access')
- ->setMethods(array('getTokenAuth', 'reloadAccess'))
+ ->onlyMethods(array('loadSitesIfNeeded', 'reloadAccess', 'getTokenAuth'))
 ->enableProxyingToOriginalMethods()
 ->getMock();
+ $mock->method('loadSitesIfNeeded')->willReturnCallback(function () use ($mock) {
+ // setting the property directly since enableProxyingToOriginalMethods() will just proxy to the original
+ // method after this mock method is called. (we can't not call enableProxyingToOriginalMethods() because
+ // some tests require it)
+ $reflection = new ReflectionClass(Access::class);
+ $reflectionProperty = $reflection->getProperty('idsitesByAccess');
+ $reflectionProperty->setAccessible(true);
+
+ $reflectionProperty->setValue($mock, $this->idSitesAccess);
+ });
 $mock->reloadAccess($auth);
 return $mock;
diff --git a/tests/PHPUnit/Integration/FrontControllerTest.php b/tests/PHPUnit/Integration/FrontControllerTest.php
index 2d529786c1..d9074f2cc6 100644
--- a/tests/PHPUnit/Integration/FrontControllerTest.php
+++ b/tests/PHPUnit/Integration/FrontControllerTest.php
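Review bot: The `loadSitesIfNeeded` stub writes `idsitesByAccess` through reflection and, according to the comment, the original method still runs afterwards, so the injected access map survives only if the original treats an already-populated property as loaded; every new access test depends on that invariant, and the comment should state it explicitly, e.g. `// relies on the original loadSitesIfNeeded() leaving a non-empty idsitesByAccess untouched`. The closure also reads `$this->idSitesAccess` at call time rather than capturing it, which is why tests may edit the array and then call reloadAccess — a one-line comment saying so would save the next reader a trip. `setAccessible(true)` is a no-op from PHP 8.1 onward but harmless to keep. createAccessMock's closing brace lies outside the hunk.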
@@ -48,7 +48,7 @@ FORMAT;
 $this->assertEquals('error', $response['result']);
 $expectedFormat = <<<FORMAT
-test message on {includePath}/tests/resources/trigger-fatal-exception.php(23) #0 [internal function]: {closure}('CoreHome', 'index', Array) #1 {includePath}/core/EventDispatcher.php(141): call_user_func_array(Object(Closure), Array) #2 {includePath}/core/Piwik.php(809): Piwik\EventDispatcher->postEvent('Request.dispatc...', Array, false, Array) #3 {includePath}/core/FrontController.php(586): Piwik\Piwik::postEvent('Request.dispatc...', Array) #4 {includePath}/core/FrontController.php(166): Piwik\FrontController->doDispatch('CoreHome', 'index', Array) #5 {includePath}/tests/resources/trigger-fatal-exception.php(31): Piwik\FrontController->dispatch('CoreHome', 'index') #6 {main}
+test message on {includePath}/tests/resources/trigger-fatal-exception.php(23) #0 [internal function]: {closure}('CoreHome', 'index', Array) #1 {includePath}/core/EventDispatcher.php(141): call_user_func_array(Object(Closure), Array) #2 {includePath}/core/Piwik.php(809): Piwik\EventDispatcher->postEvent('Request.dispatc...', Array, false, Array) #3 {includePath}/core/FrontController.php(585): Piwik\Piwik::postEvent('Request.dispatc...', Array) #4 {includePath}/core/FrontController.php(166): Piwik\FrontController->doDispatch('CoreHome', 'index', Array) #5 {includePath}/tests/resources/trigger-fatal-exception.php(31): Piwik\FrontController->dispatch('CoreHome', 'index') #6 {main}
 FORMAT;
 $this->assertStringMatchesFormat($expectedFormat, $response['message']);
 }
diff --git a/tests/UI/expected-screenshots/BarGraph_load_fail_when_token_used.png b/tests/UI/expected-screenshots/BarGraph_load_fail_when_token_used.png
index 5b0a68c035..e4471dcaa2 100644
--- a/tests/UI/expected-screenshots/BarGraph_load_fail_when_token_used.png
+++ b/tests/UI/expected-screenshots/BarGraph_load_fail_when_token_used.png
@@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:2ecd652a528a11799f42fc81a41bc5123e06e23cbc218ede634e0ed776d7d7cc -size 48697 +oid sha256:6a239a77aaa6c89e33e32b90ffe877d041d259104d2579b0c4082a45f8b8bd67 +size 52480 diff --git a/tests/UI/expected-screenshots/UIIntegrationTest_admin_diagnostics_configfile.png b/tests/UI/expected-screenshots/UIIntegrationTest_admin_diagnostics_configfile.png index f63097f640..84b60458c7 100644 --- a/tests/UI/expected-screenshots/UIIntegrationTest_admin_diagnostics_configfile.png +++ b/tests/UI/expected-screenshots/UIIntegrationTest_admin_diagnostics_configfile.png @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:736673adf097edb8310e6a2842d5393ab384584da8dd8a824fea4fbf95fdce1c -size 4459413 +oid sha256:683ff5d0c15c73d0b3375f1e0b2d0b77b514c6557bb9aabb45b69562da4f3c5c +size 4499185 diff --git a/tests/UI/expected-screenshots/UIIntegrationTest_admin_home_admintoken_not_allowed.png b/tests/UI/expected-screenshots/UIIntegrationTest_admin_home_admintoken_not_allowed.png index 5b0a68c035..e4471dcaa2 100644 --- a/tests/UI/expected-screenshots/UIIntegrationTest_admin_home_admintoken_not_allowed.png +++ b/tests/UI/expected-screenshots/UIIntegrationTest_admin_home_admintoken_not_allowed.png @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:2ecd652a528a11799f42fc81a41bc5123e06e23cbc218ede634e0ed776d7d7cc -size 48697 +oid sha256:6a239a77aaa6c89e33e32b90ffe877d041d259104d2579b0c4082a45f8b8bd67 +size 52480 |