t/db_dependent/api/v1/patrons_password.t

   1 #!/usr/bin/perl
   2
   3 # This file is part of Koha.
   4 #
   5 # Koha is free software; you can redistribute it and/or modify it
   6 # under the terms of the GNU General Public License as published by
   7 # the Free Software Foundation; either version 3 of the License, or
   8 # (at your option) any later version.
   9 #
  10 # Koha is distributed in the hope that it will be useful, but
  11 # WITHOUT ANY WARRANTY; without even the implied warranty of
  12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  13 # GNU General Public License for more details.
  14 #
  15 # You should have received a copy of the GNU General Public License
  16 # along with Koha; if not, see <http://www.gnu.org/licenses>.
  17
  18 use Modern::Perl;
  19
  20 use Test::More tests => 2;
  21
  22 use Test::Mojo;
  23 use Test::Warn;
  24
  25 use t::lib::TestBuilder;
  26 use t::lib::Mocks;
  27
  28 use Koha::Patrons;
  29
  30 my $schema  = Koha::Database->new->schema;
  31 my $builder = t::lib::TestBuilder->new;
  32
  33 # FIXME: sessionStorage defaults to mysql, but it seems to break transaction handling
  34 # this affects the other REST api tests
  35 t::lib::Mocks::mock_preference( 'SessionStorage', 'tmp' );
  36
  37 my $remote_address = '127.0.0.1';
  38 my $t              = Test::Mojo->new('Koha::REST::V1');
  39
  40 subtest 'set() (authorized user tests)' => sub {
  41
  42     plan tests => 21;
  43
  44     $schema->storage->txn_begin;
  45
  46     my ( $patron, $session ) = create_user_and_session({ authorized => 1 });
  47
  48     t::lib::Mocks::mock_preference( 'minPasswordLength',     3 );
  49     t::lib::Mocks::mock_preference( 'RequireStrongPassword', 0 );
  50
  51     my $new_password = 'abc';
  52
  53     my $tx
  54         = $t->ua->build_tx( POST => "/api/v1/patrons/"
  55             . $patron->id
  56             . "/password" => json => { password => $new_password, password_2 => $new_password } );
  57
  58     $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
  59     $tx->req->env( { REMOTE_ADDR => '127.0.0.1' } );
  60     $t->request_ok($tx)->status_is(200)->json_is( '' );
  61
  62     $tx
  63         = $t->ua->build_tx( POST => "/api/v1/patrons/"
  64             . $patron->id
  65             . "/password" => json => { password => $new_password, password_2 => 'cde' } );
  66
  67     $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
  68     $tx->req->env( { REMOTE_ADDR => '127.0.0.1' } );
  69     $t->request_ok($tx)->status_is(400)->json_is({ error => 'Passwords don\'t match' });
  70
  71     t::lib::Mocks::mock_preference( 'minPasswordLength', 5 );
  72     $tx
  73         = $t->ua->build_tx( POST => "/api/v1/patrons/"
  74             . $patron->id
  75             . "/password" => json => { password => $new_password, password_2 => $new_password } );
  76
  77     $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
  78     $tx->req->env( { REMOTE_ADDR => '127.0.0.1' } );
  79     $t->request_ok($tx)->status_is(400)->json_is({ error => 'Password length (3) is shorter than required (5)' });
  80
  81     $new_password = 'abc   ';
  82     $tx
  83         = $t->ua->build_tx( POST => "/api/v1/patrons/"
  84             . $patron->id
  85             . "/password" => json => { password => $new_password, password_2 => $new_password } );
  86
  87     $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
  88     $tx->req->env( { REMOTE_ADDR => '127.0.0.1' } );
  89     $t->request_ok($tx)->status_is(400)->json_is({ error => '[Password contains leading/trailing whitespace character(s)]' });
  90
  91     $new_password = 'abcdefg';
  92     $tx
  93         = $t->ua->build_tx( POST => "/api/v1/patrons/"
  94             . $patron->id
  95             . "/password" => json => { password => $new_password, password_2 => $new_password } );
  96
  97     $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
  98     $tx->req->env( { REMOTE_ADDR => '127.0.0.1' } );
  99     $t->request_ok($tx)->status_is(200)->json_is('');
 100
 101     t::lib::Mocks::mock_preference( 'RequireStrongPassword', 1);
 102     $tx
 103         = $t->ua->build_tx( POST => "/api/v1/patrons/"
 104             . $patron->id
 105             . "/password" => json => { password => $new_password, password_2 => $new_password } );
 106
 107     $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
 108     $tx->req->env( { REMOTE_ADDR => '127.0.0.1' } );
 109     $t->request_ok($tx)->status_is(400)->json_is({ error => '[Password is too weak]' });
 110
 111     $new_password = 'ABcde123%&';
 112     $tx
 113         = $t->ua->build_tx( POST => "/api/v1/patrons/"
 114             . $patron->id
 115             . "/password" => json => { password => $new_password, password_2 => $new_password } );
 116
 117     $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
 118     $tx->req->env( { REMOTE_ADDR => '127.0.0.1' } );
 119     $t->request_ok($tx)->status_is(200)->json_is('');
 120
 121     $schema->storage->txn_rollback;
 122 };
 123
 124 subtest 'set_public() (unprivileged user tests)' => sub {
 125
 126     plan tests => 15;
 127
 128     $schema->storage->txn_begin;
 129
 130     my ( $patron, $session ) = create_user_and_session({ authorized => 0 });
 131     my $other_patron = $builder->build_object({ class => 'Koha::Patrons' });
 132
 133     # Enable the public API
 134     t::lib::Mocks::mock_preference( 'RESTPublicAPI', 1 );
 135
 136     t::lib::Mocks::mock_preference( 'OpacPasswordChange',    0 );
 137     t::lib::Mocks::mock_preference( 'minPasswordLength',     3 );
 138     t::lib::Mocks::mock_preference( 'RequireStrongPassword', 0 );
 139
 140     my $new_password = 'abc';
 141
 142     my $tx = $t->ua->build_tx(
 143               POST => "/api/v1/public/patrons/"
 144             . $patron->id
 145             . "/password" => json => {
 146             password          => $new_password,
 147             password_repeated => $new_password,
 148             old_password      => 'blah'
 149             }
 150     );
 151
 152     $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
 153     $tx->req->env( { REMOTE_ADDR => '127.0.0.1' } );
 154     $t->request_ok($tx)
 155       ->status_is(403)
 156       ->json_is({
 157           error => 'Configuration prevents password changes by unprivileged users'
 158         });
 159
 160     t::lib::Mocks::mock_preference( 'OpacPasswordChange', 1 );
 161
 162     my $password = 'holapassword';
 163     $patron->set_password({ password => $password });
 164     $tx = $t->ua->build_tx(
 165               POST => "/api/v1/public/patrons/"
 166             . $other_patron->id
 167             . "/password" => json => {
 168             password          => $new_password,
 169             password_repeated => $new_password,
 170             old_password      => $password
 171             }
 172     );
 173
 174     $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
 175     $tx->req->env( { REMOTE_ADDR => '127.0.0.1' } );
 176     $t->request_ok($tx)
 177       ->status_is(403)
 178       ->json_is('/error', "Authorization failure. Missing required permission(s).");
 179
 180     $tx = $t->ua->build_tx(
 181               POST => "/api/v1/public/patrons/"
 182             . $patron->id
 183             . "/password" => json => {
 184             password          => $new_password,
 185             password_repeated => 'wrong_password',
 186             old_password      => $password
 187             }
 188     );
 189
 190     $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
 191     $tx->req->env( { REMOTE_ADDR => '127.0.0.1' } );
 192     $t->request_ok($tx)
 193       ->status_is(400)
 194       ->json_is({
 195           error => "Passwords don't match"
 196         });
 197
 198     $tx = $t->ua->build_tx(
 199               POST => "/api/v1/public/patrons/"
 200             . $patron->id
 201             . "/password" => json => {
 202             password          => $new_password,
 203             password_repeated => $new_password,
 204             old_password      => 'badpassword'
 205             }
 206     );
 207
 208     $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
 209     $tx->req->env( { REMOTE_ADDR => '127.0.0.1' } );
 210     $t->request_ok($tx)
 211       ->status_is(400)
 212       ->json_is({
 213           error => "Invalid password"
 214         });
 215
 216     $tx = $t->ua->build_tx(
 217               POST => "/api/v1/public/patrons/"
 218             . $patron->id
 219             . "/password" => json => {
 220             password          => $new_password,
 221             password_repeated => $new_password,
 222             old_password      => $password
 223             }
 224     );
 225
 226     $tx->req->cookies( { name => 'CGISESSID', value => $session->id } );
 227     $tx->req->env( { REMOTE_ADDR => '127.0.0.1' } );
 228     $t->request_ok($tx)
 229       ->status_is(200)
 230       ->json_is('');
 231
 232     $schema->storage->txn_rollback;
 233 };
 234
 235 sub create_user_and_session {
 236
 237     my ( $args ) = @_;
 238     my $flags = ( $args->{authorized} ) ? 16 : 0;
 239
 240     my $user = $builder->build_object(
 241         {
 242             class => 'Koha::Patrons',
 243             value => { flags => $flags }
 244         }
 245     );
 246
 247     # Create a session for the authorized user
 248     my $session = C4::Auth::get_session('');
 249     $session->param( 'number',   $user->borrowernumber );
 250     $session->param( 'id',       $user->userid );
 251     $session->param( 'ip',       '127.0.0.1' );
 252     $session->param( 'lasttime', time() );
 253     $session->flush;
 254
 255     return ( $user, $session );
 256 }