MixedFlowsTest
extends AbstractFlowsTest
in package
In the MixedFlowsTest, we assume that the basic flows work -- then step out to another level.
What happens when different authentication behaviors get mixed-up/criss-crossed? For example:
- What happens if you send several stateless requests as different users -- without realizing that your HTTP client is actually tracking cookies? Are they truly stateless?
- What happens if you send a mix of stateless and stateful requests for different users?
- What happens if you mix
Authorization:headers for authx withAuthorization:headers for another layer (HTTPD/CMS/proxy)?
Tags
Table of Contents
Properties
- $httpHistory : array<string|int, mixed>
- List of HTTP requests that have been made by this test.
- $quirks : array<string|int, mixed>
- List of CMS-dependent quirks that should be ignored during testing.
- $settingsBackup : array<string|int, mixed>
- Backup copy of the original settings.
Methods
- assertAnonymousContact() : void
- Assert the AJAX request provided empty contact information
- assertDashboardOk() : void
- assertDashboardUnauthorized() : void
- Assert that the $response indicates the user cannot view the dashboard.
- assertMyContact() : void
- Assert the AJAX response provided the expected contact.
- credApikey() : mixed
- credJwt() : mixed
- getCredTypes() : mixed
- getFlowTypes() : mixed
- getLebowskiCID() : mixed
- requestMyContact() : Request
- Make an AJAX request with info about the current contact.
- requestMyContactDashboard() : mixed
- setUp() : void
- setUpBeforeClass() : void
- tearDown() : void
- testIgnoredHeaderAuthorization() : mixed
- Suppose a deployment has two layers of authorization:
- testIgnoredHeaderAuthorization_anon() : mixed
- Similar to testIgnoredHeaderAuthorization(), but the Civi/CMS user is anonymous.
- testMultipleStateless() : void
- This consumer intends to make stateless requests with a handful of different identities, but their browser happens to be cookie-enabled. Ensure that identities do not leak between requests.
- testStatefulStatelessOverlap() : void
- Create a session for $demoCID. Within the session, make a single stateless request as $lebowskiCID.
- testStatelessWebUI() : mixed
- Most of our testing has been focused on AJAX/REST usage. However, the code-paths are a bit different for web UI (HTML pages), so we exercise those as well.
- applyAuth() : RequestInterface
- Apply authentication options to a prepared HTTP request.
- assertBodyRegexp() : mixed
- Assert that the response body matches a regular-expression.
- assertContentType() : $this
- assertFailedDueToProhibition() : void
- assertHasCookies() : mixed
- assertNoCookies() : mixed
- assertNotAuthenticated() : mixed
- Assert that a request was not authenticated.
- assertNotBodyRegexp() : mixed
- Assert that the response body DOES NOT match a regular-expression.
- assertPageNotShown() : void
- Assert that the response did NOT produce a normal page-view.
- assertStatusCode() : $this
- callApi4AjaxError() : mixed
- callApi4AjaxSuccess() : mixed
- createGuzzle() : Client
- Create an HTTP client suitable for simulating AJAX requests.
- findQuirks() : array<string|int, mixed>|array<string|int, string>
- formatFailure() : false|string
- Given that an HTTP request has yielded a failed response, format a blurb to summarize the details of the request+response.
- getDemoCID() : int
- getDemoUID() : int
- resolveResponse() : ResponseInterface
Properties
$httpHistory
List of HTTP requests that have been made by this test.
protected
array<string|int, mixed>
$httpHistory
= []
$quirks
List of CMS-dependent quirks that should be ignored during testing.
protected
array<string|int, mixed>
$quirks
= []
$settingsBackup
Backup copy of the original settings.
protected
array<string|int, mixed>
$settingsBackup
Methods
assertAnonymousContact()
Assert the AJAX request provided empty contact information
public
assertAnonymousContact(ResponseInterface $response[, string $additionalMessage = '' ]) : void
Parameters
- $response : ResponseInterface
- $additionalMessage : string = ''
assertDashboardOk()
public
assertDashboardOk([mixed $response = NULL ]) : void
Parameters
- $response : mixed = NULL
assertDashboardUnauthorized()
Assert that the $response indicates the user cannot view the dashboard.
public
assertDashboardUnauthorized([ResponseInterface $response = NULL ]) : void
Parameters
- $response : ResponseInterface = NULL
assertMyContact()
Assert the AJAX response provided the expected contact.
public
assertMyContact(int $cid, int|null $uid, string $credType, string $flow, ResponseInterface $response) : void
Parameters
- $cid : int
-
The expected contact ID
- $uid : int|null
-
The expected user ID
- $credType : string
- $flow : string
- $response : ResponseInterface
credApikey()
public
credApikey(mixed $cid) : mixed
Parameters
- $cid : mixed
credJwt()
public
credJwt(mixed $cid[, mixed $expired = FALSE ]) : mixed
Parameters
- $cid : mixed
- $expired : mixed = FALSE
getCredTypes()
public
getCredTypes() : mixed
getFlowTypes()
public
getFlowTypes() : mixed
getLebowskiCID()
public
getLebowskiCID() : mixed
requestMyContact()
Make an AJAX request with info about the current contact.
public
requestMyContact() : Request
Return values
RequestrequestMyContactDashboard()
public
requestMyContactDashboard() : mixed
setUp()
public
setUp() : void
setUpBeforeClass()
public
static setUpBeforeClass() : void
tearDown()
public
tearDown() : void
testIgnoredHeaderAuthorization()
Suppose a deployment has two layers of authorization:
public
testIgnoredHeaderAuthorization() : mixed
(1) a generic/site-wide HTTP restriction (perhaps enforced by a reverse proxy) (2) anything/everything else (CMS/login-form/parameter/X-Civi-Auth stuff).
Layer (1) has an Authorization: header that should be ignored by authx.
This test submits both layer (1) and layer (2) credentials and ensures that authx respects the layer (2).
testIgnoredHeaderAuthorization_anon()
Similar to testIgnoredHeaderAuthorization(), but the Civi/CMS user is anonymous.
public
testIgnoredHeaderAuthorization_anon() : mixed
testMultipleStateless()
This consumer intends to make stateless requests with a handful of different identities, but their browser happens to be cookie-enabled. Ensure that identities do not leak between requests.
public
testMultipleStateless() : void
Tags
testStatefulStatelessOverlap()
Create a session for $demoCID. Within the session, make a single stateless request as $lebowskiCID.
public
testStatefulStatelessOverlap() : void
Tags
testStatelessWebUI()
Most of our testing has been focused on AJAX/REST usage. However, the code-paths are a bit different for web UI (HTML pages), so we exercise those as well.
public
testStatelessWebUI() : mixed
applyAuth()
Apply authentication options to a prepared HTTP request.
protected
applyAuth(RequestInterface $request, string $credType, string $flowType, int $cid) : RequestInterface
Parameters
- $request : RequestInterface
-
The original HTTP request (without any authentication options).
- $credType : string
-
Ex: 'pass', 'jwt', 'api_key'
- $flowType : string
-
Ex: 'param', 'header', 'xheader'
- $cid : int
-
Authenticate as a specific contact (contact ID#).
Return values
RequestInterface —The new HTTP request (with authentication options).
assertBodyRegexp()
Assert that the response body matches a regular-expression.
protected
assertBodyRegexp(string $regexp[, ResponseInterface $response = NULL ][, string $message = NULL ]) : mixed
Parameters
- $regexp : string
- $response : ResponseInterface = NULL
- $message : string = NULL
assertContentType()
protected
assertContentType(mixed $expectType[, ResponseInterface|null $response = NULL ]) : $this
Parameters
- $expectType : mixed
- $response : ResponseInterface|null = NULL
-
If NULL, then it uses the last response.
Return values
$thisassertFailedDueToProhibition()
protected
assertFailedDueToProhibition(ResponseInterface $response) : void
Parameters
- $response : ResponseInterface
assertHasCookies()
protected
assertHasCookies([ResponseInterface $response = NULL ]) : mixed
Parameters
- $response : ResponseInterface = NULL
assertNoCookies()
protected
assertNoCookies([ResponseInterface $response = NULL ]) : mixed
Parameters
- $response : ResponseInterface = NULL
assertNotAuthenticated()
Assert that a request was not authenticated.
protected
assertNotAuthenticated(string $mode, ResponseInterface $response) : mixed
Parameters
- $mode : string
-
Expect that the 'prohibited' or 'anon'
- $response : ResponseInterface
assertNotBodyRegexp()
Assert that the response body DOES NOT match a regular-expression.
protected
assertNotBodyRegexp(string $regexp[, ResponseInterface $response = NULL ][, string $message = NULL ]) : mixed
Parameters
- $regexp : string
- $response : ResponseInterface = NULL
- $message : string = NULL
assertPageNotShown()
Assert that the response did NOT produce a normal page-view.
protected
assertPageNotShown([mixed $response = NULL ]) : void
This is basically assertStatusCode(404), except that the local configuration
(CMS/setings/exts/yaddayadda) may change how the error manifests.
Parameters
- $response : mixed = NULL
assertStatusCode()
protected
assertStatusCode(mixed $expectCode[, ResponseInterface|null $response = NULL ]) : $this
Parameters
- $expectCode : mixed
- $response : ResponseInterface|null = NULL
-
If NULL, then it uses the last response.
Return values
$thiscallApi4AjaxError()
protected
callApi4AjaxError(string $entity, string $action[, array<string|int, mixed> $params = [] ]) : mixed
Parameters
- $entity : string
- $action : string
- $params : array<string|int, mixed> = []
callApi4AjaxSuccess()
protected
callApi4AjaxSuccess(string $entity, string $action[, array<string|int, mixed> $params = [] ]) : mixed
Parameters
- $entity : string
- $action : string
- $params : array<string|int, mixed> = []
createGuzzle()
Create an HTTP client suitable for simulating AJAX requests.
protected
createGuzzle([array<string|int, mixed> $options = [] ]) : Client
The client may include some mix of these middlewares:
Parameters
- $options : array<string|int, mixed> = []
Tags
Return values
ClientfindQuirks()
protected
findQuirks() : array<string|int, mixed>|array<string|int, string>
Return values
array<string|int, mixed>|array<string|int, string>formatFailure()
Given that an HTTP request has yielded a failed response, format a blurb to summarize the details of the request+response.
protected
formatFailure(ResponseInterface $response) : false|string
Parameters
- $response : ResponseInterface
Return values
false|stringgetDemoCID()
protected
getDemoCID() : int
Tags
Return values
intgetDemoUID()
protected
getDemoUID() : int
Return values
intresolveResponse()
protected
resolveResponse(ResponseInterface|null $response) : ResponseInterface
Parameters
- $response : ResponseInterface|null