function SecurityAdvisoryTest::testPsa

Same name and namespace in other branches
  1. 9 core/modules/system/tests/src/Functional/SecurityAdvisories/SecurityAdvisoryTest.php \Drupal\Tests\system\Functional\SecurityAdvisories\SecurityAdvisoryTest::testPsa()
  2. 11.x core/modules/system/tests/src/Functional/SecurityAdvisories/SecurityAdvisoryTest.php \Drupal\Tests\system\Functional\SecurityAdvisories\SecurityAdvisoryTest::testPsa()

Tests that a security advisory is displayed.

File

core/modules/system/tests/src/Functional/SecurityAdvisories/SecurityAdvisoryTest.php, line 118

Class

SecurityAdvisoryTest
Tests of security advisories functionality.

Namespace

Drupal\Tests\system\Functional\SecurityAdvisories

Code

/**
 * Tests that a security advisory is displayed.
 *
 * Walks through the advisory display states in sequence: fetching disabled,
 * fetching enabled with a mixed (PSA and non-PSA) feed, a user lacking the
 * required permission, a failing endpoint with and without a stored response,
 * a feed with invalid JSON, a PSA-only feed, and a non-PSA-only feed. Later
 * steps rely on the 'advisories_response' entry stored or deleted by earlier
 * steps, so the order of the assertions matters.
 */
public function testPsa() : void {
  $assert = $this->assertSession();
  // Set up the test PSA endpoint with a feed that mixes PSA and non-PSA
  // advisories.
  AdvisoryTestClientMiddleware::setTestEndpoint($this->workingEndpointMixed);
  $mixed_advisory_links = [
    'Critical Release - SA-2019-02-19',
    'Critical Release - PSA-Really Old',
    // The info for the test modules 'generic_module1_test' and
    // 'generic_module2_test' is altered for this test to match the items in
    // the test JSON feeds.
    // @see advisory_feed_test_system_info_alter()
'Generic Module1 Project - Moderately critical - Access bypass - SA-CONTRIB-2019-02-02',
    'Generic Module2 project - Moderately critical - Access bypass - SA-CONTRIB-2019-02-02',
  ];
  // Confirm that links are not displayed if advisories are disabled.
  $this->config('system.advisories')
    ->set('enabled', FALSE)
    ->save();
  $this->assertAdvisoriesNotDisplayed($mixed_advisory_links);
  $this->config('system.advisories')
    ->set('enabled', TRUE)
    ->save();
  // A new request for the JSON feed will not be made on admin pages besides
  // the status report.
  $this->assertAdvisoriesNotDisplayed($mixed_advisory_links, [
    'system.admin',
  ]);
  // If both PSA and non-PSA advisories are displayed they should be displayed
  // as errors.
  $this->assertStatusReportLinks($mixed_advisory_links, REQUIREMENT_ERROR);
  // The advisories will be displayed on admin pages if the response was
  // stored from the status report request.
  $this->assertAdminPageLinks($mixed_advisory_links, REQUIREMENT_ERROR);
  // Confirm that a user without the correct permission will not see the
  // advisories on admin pages. The link text names the affected project and
  // the type of vulnerability, so this guards against disclosing that to
  // users who can reach admin pages but are not meant to see advisories.
  // NOTE(review): the permission that grants visibility is held by
  // $this->user, which is created outside this method.
  $this->drupalLogin($this->drupalCreateUser([
    'access administration pages',
    // We have nothing under admin, so we need access to a child route to
    // access the parent.
'administer modules',
  ]));
  $this->assertAdvisoriesNotDisplayed($mixed_advisory_links, [
    'system.admin',
  ]);
  // Log back in with user with permission to see the advisories.
  $this->drupalLogin($this->user);
  // Test cache: point the middleware at a non-working endpoint. The links
  // must still be displayed, presumably from the response stored during the
  // earlier status report request.
  AdvisoryTestClientMiddleware::setTestEndpoint($this->nonWorkingEndpoint);
  $this->assertAdminPageLinks($mixed_advisory_links, REQUIREMENT_ERROR);
  $this->assertStatusReportLinks($mixed_advisory_links, REQUIREMENT_ERROR);
  // Test transmission errors from the JSON endpoint: delete the stored
  // response so that the advisories can no longer come from it while the
  // endpoint is still the non-working one.
  $this->tempStore
    ->delete('advisories_response');
  $this->assertAdvisoriesNotDisplayed($mixed_advisory_links);
  // Test that the site status report displays an error.
  $this->drupalGet(Url::fromRoute('system.status'));
  $assert->pageTextContains('Failed to fetch security advisory data:');
  // Test a PSA endpoint that returns invalid JSON.
  // NOTE(review): the meaning of the second argument (TRUE) is defined in
  // AdvisoryTestClientMiddleware and is not visible here.
  AdvisoryTestClientMiddleware::setTestEndpoint($this->invalidJsonEndpoint, TRUE);
  // Assert that there are no logged error messages before attempting to fetch
  // the invalid endpoint.
  $this->assertServiceAdvisoryLoggedErrors([]);
  // On admin pages no message should be displayed if the feed is malformed.
  $this->assertAdvisoriesNotDisplayed($mixed_advisory_links);
  // Assert that there was an error logged for the invalid endpoint.
  $this->assertServiceAdvisoryLoggedErrors([
    'The security advisory JSON feed from Drupal.org could not be decoded.',
  ]);
  // On the status report there should be no announcements section. A feed
  // that cannot be decoded is reported through the log only, not through the
  // fetch-failure message checked below.
  $this->drupalGet(Url::fromRoute('system.status'));
  $assert->pageTextNotContains('Failed to fetch security advisory data:');
  // Assert the error was logged again.
  $this->assertServiceAdvisoryLoggedErrors([
    'The security advisory JSON feed from Drupal.org could not be decoded.',
  ]);
  // Switch to a feed that contains only PSA advisories.
  AdvisoryTestClientMiddleware::setTestEndpoint($this->workingEndpointPsaOnly, TRUE);
  $psa_advisory_links = [
    'Critical Release - PSA-Really Old',
    'Generic Module2 project - Moderately critical - Access bypass - SA-CONTRIB-2019-02-02',
  ];
  // Admin page will not display the new links because a new feed request is
  // not attempted.
  $this->assertAdvisoriesNotDisplayed($psa_advisory_links, [
    'system.admin',
  ]);
  // If only PSA advisories are displayed they should be displayed as
  // warnings.
  $this->assertStatusReportLinks($psa_advisory_links, REQUIREMENT_WARNING);
  $this->assertAdminPageLinks($psa_advisory_links, REQUIREMENT_WARNING);
  // Switch to a feed that contains only non-PSA advisories.
  AdvisoryTestClientMiddleware::setTestEndpoint($this->workingEndpointNonPsaOnly, TRUE);
  $non_psa_advisory_links = [
    'Critical Release - SA-2019-02-19',
    'Generic Module1 Project - Moderately critical - Access bypass - SA-CONTRIB-2019-02-02',
  ];
  // If only non-PSA advisories are displayed they should be displayed as
  // errors.
  $this->assertStatusReportLinks($non_psa_advisory_links, REQUIREMENT_ERROR);
  $this->assertAdminPageLinks($non_psa_advisory_links, REQUIREMENT_ERROR);
  // Confirm that advisory fetching can be disabled after being enabled.
  $this->config('system.advisories')
    ->set('enabled', FALSE)
    ->save();
  $this->assertAdvisoriesNotDisplayed($non_psa_advisory_links);
  // Assert no other errors were logged.
  $this->assertServiceAdvisoryLoggedErrors([]);
}
