当前位置: 文江博客话题详情

如何对包含 CSRF 表单元素的 Zend_Form 进行单元测试?

发布于 2024-07-26 21:20:27 字数 181 浏览 9 评论 0原文

我将 CSRF 隐藏哈希元素与 Zend_Form 一起使用,并尝试对登录进行单元测试,但不知道如何编写单元测试来包含该元素。 查看文档并阅读尽可能多的教程。 我什至把它们都吃了,但没有人提到这一点。

原文

I'm using the CSRF hidden hash element with Zend_Form and trying to Unit Test the login but don't know how to write a Unit Test to include that element. Looked in the docs and read as many tutorials as I could find. I even delicioused them all, but no one mentions this.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

酒几许 2024-08-02 21:20:27

每次渲染表单时都会生成 Csrf 值。 表单的隐藏元素会预先填充该值。 该值也存储在会话中。
提交表单后,验证会检查从表单发布的值是否存储在会话中,如果没有,则验证失败。 至关重要的是,在测试期间必须渲染该表单(这样它就可以生成隐藏值并将其存储到会话中),然后我们可以从渲染的html中提取隐藏值,然后我们可以将隐藏的哈希值添加到我们的要求。
考虑这个例子:

function testAddPageStoreValidData()
{
    // render the page with form 
    $this->dispatch('/form-page');

    // fetch content of the page 
    $html = $this->getResponse()->getBody();

    // parse page content, find the hash value prefilled to the hidden element
    $dom = new Zend_Dom_Query($html);
    $csrf = $dom->query('#csrf')->current()->getAttribute('value');

    // reset tester for one more request
    $this->resetRequest()
         ->resetResponse();

    // now include $csrf value parsed from form, to the next request
    $this->request->setMethod('POST')
                  ->setPost(array('title'=>'MyNewTitle',
                                  'body'=>'Body',
                                  'csrf'=>$csrf));
    $this->dispatch('/form-page');

    // ...
}

Csrf value is generated each time form is rendered. Hidden element of the form gets prefilled with that value. This value also gets stored in session.
After submitting form, validation checks if value posted from the form is stored in session, if not then validation fails. It is essential, that form must be rendered during the test (so it can generate the hidden value and store it to session), then we can extract what is the hidden value out of rendered html, and later we can add hidden hash value into our request.
Consider this example:

function testAddPageStoreValidData()
{
    // render the page with form 
    $this->dispatch('/form-page');

    // fetch content of the page 
    $html = $this->getResponse()->getBody();

    // parse page content, find the hash value prefilled to the hidden element
    $dom = new Zend_Dom_Query($html);
    $csrf = $dom->query('#csrf')->current()->getAttribute('value');

    // reset tester for one more request
    $this->resetRequest()
         ->resetResponse();

    // now include $csrf value parsed from form, to the next request
    $this->request->setMethod('POST')
                  ->setPost(array('title'=>'MyNewTitle',
                                  'body'=>'Body',
                                  'csrf'=>$csrf));
    $this->dispatch('/form-page');

    // ...
}
回复 原文
永言不败 2024-08-02 21:20:27

正确的散列存储在会话中,并且 Hash 表单元素有一个 Zend_Session_Namespace 实例,其中包含散列的命名空间。

要对元素进行单元测试,您可以将元素中的 Zend_Session_Namespace 实例(使用 setSession)替换为您自己创建的包含正确散列的实例(散列存储在键“hash”中)

有关更多示例,您可以查看 Zend Zend_Form_Element_Hash 类的框架单元测试。 我认为他们也必须处理这个问题。

The correct hash is stored in the session, and the Hash form element has a Zend_Session_Namespace instance which contains the namespace for the hash.

To unit test the element, you would replace the Zend_Session_Namespace instance in the element (with setSession) with one you create yourself which contains the correct hash (the hash is stored in key "hash")

For further examples you could probably look at the Zend Framework unit tests for the Zend_Form_Element_Hash class. I would assume they have had to deal with this as well.

回复 原文
2024-08-02 21:20:27

我在 Apache vhost 文件中设置了一个环境变量,它告诉代码它正在哪个服务器上运行:
开发、登台或生产

vhost 文件的行是:

SetEnv SITE_ENV "dev"

然后我只是让我的表单对适当的环境做出反应:

if($_SERVER['SITE_ENV']!='dev')
{
   $form_element->addValidator($csrf_validator);
}

我对很多东西使用相同的技术。 例如,如果是开发人员,我会将所有外发电子邮件重定向给我,等等。

I set an environment variable in my Apache vhost file, which tells the code which server it's running on:
development, staging, or production

The line for the vhost file is:

SetEnv SITE_ENV "dev"

Then I just make my forms react to the appropriate environment:

if($_SERVER['SITE_ENV']!='dev')
{
   $form_element->addValidator($csrf_validator);
}

I use this same technique for lots of stuff. For example, if it IS dev, I redirect all outgoing email to me, etc.

回复 原文
山田美奈子 2024-08-02 21:20:27

我最近回答了一个与此类似的问题。 我也将我的答案放在这里,以防将来对任何人有帮助。

我最近发现了一种使用哈希元素测试表单的好方法。 这将使用模拟对象来消除哈希元素,您不必担心它。 您甚至不必以这种方式执行 session_start 或任何操作。 您也不必“预渲染”表单。

首先创建一个像这样的“存根”类

class My_Form_Element_HashStub extends Zend_Form_Element_Hash
{
    public function __construct(){}
}

然后,将以下内容添加到表单的某处。

class MyForm extends Zend_Form
{

    protected $_hashElement;

    public function setHashElement( Zend_Form_Hash_Element $hash )
    { 
        $this->_hashElement = $hash; 
        return $this; 
    }

    protected function _getHashElement( $name = 'hashElement' )
    { 
        if( !isset( $this->_hashElement )
        {
            if( isset( $name ) )
            {
                $element = new Zend_Form_Element_Hash( $name, 
                                                  array( 'id' => $name ) );
            }
            else
            {
                $element = new Zend_Form_Element_Hash( 'hashElement', 
                                        array( 'id' => 'hashElement' ) );
            }

            $this->setHashElement( $element );
            return $this->_hashElement;
        }
    }

    /**
     * In your init method you can now add the hash element like below
     */
    public function init()
    {
        //other code
        $this->addElement( $this->_getHashElement( 'myotherhashelementname' );
        //other code
    }
}

set 方法实际上只是用于测试目的。 在实际使用过程中您可能根本不会使用它,但现在在 phpunit 中您可以纠正以下内容。

class My_Form_LoginTest extends PHPUnit_Framework_TestCase
{

    /**
     *
     * @var My_Form_Login
     */
    protected $_form;
    /**
     *
     * @var PHPUnit_Framework_MockObject_MockObject
     */
    protected $_hash;

    public function setUp()
    {
        parent::setUp();
        $this->_hash = $this->getMock( 'My_Form_Element_HashStub' );

        $this->_form = new My_Form_Login( array(
                    'action'                    => '/',
                    'hashElement'               => $this->_hash
    }

    public function testTrue()
    {   
        //The hash element will now always validate to true
        $this->_hash
             ->expects( $this->any() )
             ->method( 'isValid' )
             ->will( $this->returnValue( true ) );

        //OR if you need it to validate to false
        $this->_hash
             ->expects( $this->any() )
             ->method( 'isValid' )
             ->will( $this->returnValue( true ) );
    }
}

您必须创建自己的存根。 您不能只调用 phpunit 方法 getMockObject() 因为这将直接扩展哈希元素,而普通哈希元素在其构造函数中会做“邪恶”的事情。

使用这种方法,您甚至不需要连接到数据库来测试您的表单! 我花了一段时间才想到这一点。

如果需要,您可以将 setHashElement() 方法(以及变量和 get 方法)推送到某个 FormAbstract 基类中。

请记住,在 phpunit 中,您必须在表单构建期间传递哈希元素。 如果不这样做,您的 init() 方法将在使用 set 方法设置存根哈希之前被调用,并且您最终将使用常规哈希元素。 您会知道您正在使用常规哈希元素,因为如果您未连接到数据库,您可能会收到一些会话错误。

如果您觉得这有帮助或者您正在使用它,请告诉我。

I answered a more recent question similar to this one. I'm putting my answer here as well in case it helps anybody in the future.

I recently found a great way of testing forms with hash elements. This will use a mock object to stub away the hash element and you won't have to worry about it. You won't even have to do a session_start or anything this way. You won't have to 'prerender' the form either.

First create a 'stub' class like so

class My_Form_Element_HashStub extends Zend_Form_Element_Hash
{
    public function __construct(){}
}

Then, add the following to the form somewhere.

class MyForm extends Zend_Form
{

    protected $_hashElement;

    public function setHashElement( Zend_Form_Hash_Element $hash )
    { 
        $this->_hashElement = $hash; 
        return $this; 
    }

    protected function _getHashElement( $name = 'hashElement' )
    { 
        if( !isset( $this->_hashElement )
        {
            if( isset( $name ) )
            {
                $element = new Zend_Form_Element_Hash( $name, 
                                                  array( 'id' => $name ) );
            }
            else
            {
                $element = new Zend_Form_Element_Hash( 'hashElement', 
                                        array( 'id' => 'hashElement' ) );
            }

            $this->setHashElement( $element );
            return $this->_hashElement;
        }
    }

    /**
     * In your init method you can now add the hash element like below
     */
    public function init()
    {
        //other code
        $this->addElement( $this->_getHashElement( 'myotherhashelementname' );
        //other code
    }
}

The set method is there just for testing purposes really. You probably won't use it at all during real use but now in phpunit you can right the following.

class My_Form_LoginTest extends PHPUnit_Framework_TestCase
{

    /**
     *
     * @var My_Form_Login
     */
    protected $_form;
    /**
     *
     * @var PHPUnit_Framework_MockObject_MockObject
     */
    protected $_hash;

    public function setUp()
    {
        parent::setUp();
        $this->_hash = $this->getMock( 'My_Form_Element_HashStub' );

        $this->_form = new My_Form_Login( array(
                    'action'                    => '/',
                    'hashElement'               => $this->_hash
    }

    public function testTrue()
    {   
        //The hash element will now always validate to true
        $this->_hash
             ->expects( $this->any() )
             ->method( 'isValid' )
             ->will( $this->returnValue( true ) );

        //OR if you need it to validate to false
        $this->_hash
             ->expects( $this->any() )
             ->method( 'isValid' )
             ->will( $this->returnValue( true ) );
    }
}

You HAVE to create your own stub. You can't just call the phpunit method getMockObject() because that will directly extend the hash element and the normal hash element does 'evil' stuff in its constructor.

With this method you don't even need to be connected to a database to test your forms! It took me a while to think of this.

If you want, you can push the setHashElement() method ( along with the variable and the get method ) into some FormAbstract base class.

REMEMBER, in phpunit you HAVE to pass the hash element during form construction. If you don't, your init() method will get called before your stub hash can be set with the set method and you'll end up using the regular hash element. You'll know you're using the regular hash element because you'll probably get some session error if you're NOT connected to a database.

Let me know if you find this helpful or if you use it.

回复 原文
救星 2024-08-02 21:20:27

ZF2 的解决方案是在测试中创建表单,并从 csrf 表单元素中获取值:

        $form = new  \User\Form\SignupForm('create-user');
        $data = [
            'security' => $form->get('security')->getValue(),
            'email' => '[email protected]',
            'password' => '123456',
            'repeat-password' => '123456',
        ];
        $this->dispatch('/signup', 'POST', $data);

Solution for ZF2 is creating your form in test, and getting value from your csrf form element:

        $form = new  \User\Form\SignupForm('create-user');
        $data = [
            'security' => $form->get('security')->getValue(),
            'email' => '[email protected]',
            'password' => '123456',
            'repeat-password' => '123456',
        ];
        $this->dispatch('/signup', 'POST', $data);
回复 原文
~没有更多了~

关于作者

多谢你的绝情让我学会死心

暂无简介

0 文章
0 评论
23 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

留蓝

文章 0 评论 0

18790681156

文章 0 评论 0

zach7772

文章 0 评论 0

Wini

文章 0 评论 0

ayeshaaroy

文章 0 评论 0

初雪

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文