3 # This file is part of Koha.
5 # Copyright (C) 2017 Catalyst IT
6 # Copyright 2021 Koha Development team
8 # Koha is free software; you can redistribute it and/or modify it
9 # under the terms of the GNU General Public License as published by
10 # the Free Software Foundation; either version 3 of the License, or
11 # (at your option) any later version.
13 # Koha is distributed in the hope that it will be useful, but
14 # WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 # GNU General Public License for more details.
18 # You should have received a copy of the GNU General Public License
19 # along with Koha; if not, see <http://www.gnu.org/licenses>.
21 #This selenium test is to test authentication, by performing the following: create a category and patron (same as basic_workflow.t). Then the superlibrarian logs out and the created patron must log into the staff intranet and OPAC
23 #Note: If you are testing this on kohadevbox with selenium installed in kohadevbox then you need to set the staffClientBaseURL to localhost:8080 and the OPACBaseURL to localhost:80
26 use Test::More tests => 3;
32 use t::lib::TestBuilder;
37 eval { require Selenium::Remote::Driver; };
38 skip "Selenium::Remote::Driver is needed for selenium tests.", 3 if $@;
40 my $builder = t::lib::TestBuilder->new;
41 my $s = t::lib::Selenium->new;
42 my $driver = $s->driver;
44 subtest 'Staff interface authentication' => sub {
46 my $mainpage = $s->base_url . q|mainpage.pl|;
47 $driver->get($mainpage);
48 like( $driver->get_title, qr(Log in to Koha), 'Hitting the main page should redirect to the login form');
50 my $patron = $builder->build_object({ class => 'Koha::Patrons', value => { flags => 0 }});
51 my $password = Koha::AuthUtils::generate_password($patron->category);
52 t::lib::Mocks::mock_preference( 'RequireStrongPassword', 0 );
53 $patron->set_password({ password => $password });
55 # Patron is authenticated but is not authorized to access staff interface
56 $s->auth( $patron->userid, $password );
57 like( $driver->get_title, qr(Access denied), 'Patron without permission should be redirected to the login form' );
59 # Try logging in as someone else (even a non-existent patron) and you should still be denied access
60 $s->auth( 'Bond', 'James Bond' );
62 $driver->get_title, qr(Invalid username or password),
63 'Trying to change to a non-existent user should fail login'
66 $driver->get($mainpage . q|?logout.x=1|);
67 $patron->flags(4)->store; # catalogue permission
68 $s->auth( $patron->userid, $password );
69 like( $driver->get_title, qr(Koha staff interface), 'Patron with flags catalogue should be able to login' );
71 $driver->get($mainpage . q|?logout.x=1|);
72 like( $driver->get_title(), qr(Log in to Koha), 'If logout is requested, login form should be displayed' );
74 $patron->flags(1)->store; # superlibrarian permission
75 $s->auth( $patron->userid, $password );
76 like( $driver->get_title, qr(Koha staff interface), 'Patron with flags superlibrarian should be able to login' );
78 subtest 'not authorized' => sub {
82 $driver->get($mainpage . q|?logout.x=1|);
83 $patron->flags(4)->store; # Patron has only catalogue permission
84 like( $driver->get_title, qr(Log in to Koha), 'Patron should hit the login form after logout' );
86 $s->fill_form({ userid => $patron->userid, password => $password });
87 $s->driver->find_element('//input[@id="submit-button"]')->click;
89 my $cookie = $driver->get_cookie_named('CGISESSID');
90 my $first_sessionID = $cookie->{value};
92 # Patron is logged in and got a CGISESSID cookie, miam
93 like( $driver->get_title, qr(Koha staff interface), 'Patron is logged in' );
94 $cookie = $driver->get_cookie_named('CGISESSID');
95 is( $cookie->{value}, $first_sessionID, 'no new session after login, the session has been upgraded' );
97 # Authorized page can be accessed, cookie does not change
98 $driver->get( $s->base_url . q|catalogue/search.pl| );
99 like( $driver->get_title, qr(Advanced search), 'Patron can access advanced search' );
100 $cookie = $driver->get_cookie_named('CGISESSID');
101 is( $cookie->{value}, $first_sessionID, 'no new session after hit' );
103 # Unauthorized page redirect to the login form
104 $driver->get( $s->base_url . q|circ/circulation.pl| );
105 like( $driver->get_title, qr(Access denied), 'Patron cannot access the circulation module' );
106 # But the patron does not lose the CGISESSID cookie!
107 $cookie = $driver->get_cookie_named('CGISESSID');
108 is( $cookie->{value}, $first_sessionID, 'no new session if unauthorized page is hit' );
110 # Luckily mainpage can still be accessed
111 $s->click( { id => 'mainpage', main_class => 'main container-fluid' } );
112 like( $driver->get_title, qr(Koha staff interface), 'Patron can come back to the mainpage' );
113 $cookie = $driver->get_cookie_named('CGISESSID');
114 is( $cookie->{value}, $first_sessionID, 'no new session if back to the mainpage' );
116 # As well as the search
117 $driver->get( $s->base_url . q|catalogue/search.pl| );
118 like( $driver->get_title, qr(Advanced search), 'Patron can access advanced search' );
119 # But circulation module is prohibided!
120 $driver->get( $s->base_url . q|circ/circulation.pl| );
121 like( $driver->get_title, qr(Access denied), 'Patron cannot access the circulation module' );
122 # Still can reuse the same cookie
123 $cookie = $driver->get_cookie_named('CGISESSID');
124 is( $cookie->{value}, $first_sessionID, 'no new session if unauthorized page is hit' );
126 # This is the "previous page" using the back() JS
127 $s->click( { id => 'previous_page', main_class => 'main container-fluid' } );
128 like( $driver->get_title, qr(Advanced search), 'Patron can come back to the previous page' );
129 $cookie = $driver->get_cookie_named('CGISESSID');
130 is( $cookie->{value}, $first_sessionID, 'no new session if back to the previous page' );
132 # Check with a script that is using check_cookie_auth, session must not be deleted!
133 $driver->get( $s->base_url . q|svc/checkouts| );
134 #FIXME - 500 is the current behaviour, but it's not nice. It could be improved.
135 like( $driver->get_title, qr(Error 500), 'Patron cannot access svc script where circulate permissions are required');
136 $driver->get( $s->base_url . q|catalogue/search.pl| );
137 like( $driver->get_title, qr(Advanced search), 'Patron can reuse the cookie after a script that used check_cookie_auth' );
138 $cookie = $driver->get_cookie_named('CGISESSID');
139 is( $cookie->{value}, $first_sessionID, 'no new session if unauthorized page is hit' );
141 push @data_to_cleanup, $patron, $patron->category, $patron->library;
144 subtest 'OPAC interface authentication' => sub {
147 my $mainpage = $s->opac_base_url . q|opac-main.pl|;
149 $driver->get($mainpage . q|?logout.x=1|); # Disconnect first! We are logged in if staff and opac interfaces are separated by ports
151 $driver->get($mainpage);
152 like( $driver->get_title, qr(Koha online catalog), 'Hitting the main page should not redirect to the login form');
154 my $patron = $builder->build_object({ class => 'Koha::Patrons', value => { flags => 0 }});
155 my $password = Koha::AuthUtils::generate_password($patron->category);
156 t::lib::Mocks::mock_preference( 'RequireStrongPassword', 0 );
157 $patron->set_password({ password => $password });
160 $driver->find_element('//a[@class="nav-link login-link loginModal-trigger"]')->click;
161 $s->fill_form( { muserid => $patron->userid, mpassword => $password } );
162 $driver->find_element('//div[@id="loginModal"]//input[@type="submit"]')->click;
163 like( $driver->get_title, qr(Koha online catalog), 'Patron without permission should be able to login to the OPAC using the modal' );
164 $driver->find_element('//div[@id="userdetails"]');
165 like( $driver->get_title, qr(Your library home), 'Patron without permissions should be able to login to the OPAC using the modal');
167 $driver->find_element('//a[@id="user-menu"]')->click;
168 $driver->find_element('//a[@id="logout"]')->click;
169 $driver->get($mainpage); # This should not be needed but we the next find_element fails randomly
172 $driver->error_handler(
174 my ( $driver, $selenium_error ) = @_;
175 print STDERR "\nSTRACE:";
177 while ( (my @call_details = (caller($i++))) ){
178 print STDERR "\t" . $call_details[1]. ":" . $call_details[2] . " in " . $call_details[3]."\n";
181 print STDERR sprintf("Is logged in patron: %s (%s)?\n", $patron->firstname, $patron->surname );
182 $s->capture( $driver );
183 croak $selenium_error;
187 $driver->find_element('//div[@id="login"]'); # logged out
188 $s->add_error_handler; # Reset to the default error handler
191 # Using the form on the right
192 $s->fill_form( { userid => $patron->userid, password => $password } );
194 $driver->find_element('//div[@id="userdetails"]');
195 like( $driver->get_title, qr(Your library home), 'Patron without permissions should be able to login to the OPAC using the form on the right');
197 $driver->find_element('//a[@id="user-menu"]')->click;
198 $driver->find_element('//a[@id="logout"]')->click;
199 $driver->find_element('//div[@id="login"]'); # logged out
202 $patron->flags(4)->store; # catalogue permission
203 $s->fill_form( { userid => $patron->userid, password => $password } );
205 $driver->find_element('//div[@id="userdetails"]');
206 like( $driver->get_title, qr(Your library home), 'Patron with catalogue permission should be able to login to the OPAC');
208 $driver->find_element('//a[@id="user-menu"]')->click;
209 $driver->find_element('//a[@id="logout"]')->click;
210 $driver->find_element('//div[@id="login"]'); # logged out
212 $patron->flags(1)->store; # superlibrarian permission
213 $s->fill_form( { userid => $patron->userid, password => $password } );
215 $driver->find_element('//div[@id="userdetails"]');
216 like( $driver->get_title, qr(Your library home), 'Patron with superlibrarian permission should be able to login to the OPAC');
218 $driver->find_element('//a[@id="user-menu"]')->click;
219 $driver->find_element('//a[@id="logout"]')->click;
220 $driver->find_element('//div[@id="login"]'); # logged out
222 subtest 'not authorized' => sub {
225 $driver->get($mainpage . q|?logout.x=1|);
226 $driver->get($mainpage);
227 my $cookie = $driver->get_cookie_named('CGISESSID');
228 my $first_sessionID = $cookie->{value};
230 # User is not logged in, navigation does not generate a new cookie
231 $driver->get( $s->opac_base_url . q|opac-search.pl| );
232 like( $driver->get_title, qr(Advanced search) );
233 $cookie = $driver->get_cookie_named('CGISESSID');
234 is( $cookie->{value}, $first_sessionID, );
237 $driver->get($mainpage);
238 $s->fill_form( { userid => $patron->userid, password => $password } );
241 # After logged in, the same cookie is reused
242 like( $driver->get_title, qr(Your library home) );
243 $cookie = $driver->get_cookie_named('CGISESSID');
244 is( $cookie->{value}, $first_sessionID, );
245 $driver->get( $s->opac_base_url . q|opac-search.pl| );
246 like( $driver->get_title, qr(Advanced search) );
247 $cookie = $driver->get_cookie_named('CGISESSID');
248 is( $cookie->{value}, $first_sessionID, );
250 # Logged in user can place holds
251 $driver->get( $s->opac_base_url . q|opac-reserve.pl| ); # We may need to pass a biblionumber here in the future
252 like( $driver->get_title, qr(Placing a hold) );
253 $cookie = $driver->get_cookie_named('CGISESSID');
254 is( $cookie->{value}, $first_sessionID, );
256 $driver->get($mainpage . q|?logout.x=1|);
258 # FIXME This new get should not be needed, but the cookie is not modified right after logout
259 # However it's not the behaviour when testing the UI
260 $driver->get($mainpage);
262 # After logout a new cookie is generated, the previous session has been deleted
263 $cookie = $driver->get_cookie_named('CGISESSID');
264 isnt( $cookie->{value}, $first_sessionID, );
265 $first_sessionID = $cookie->{value};
267 $driver->get( $s->opac_base_url . q|svc/checkout_notes| );
268 #FIXME - 500 is the current behaviour, but it's not nice. It could be improved.
269 like( $driver->get_title, qr(An error has occurred), 'Patron cannot access svc');
270 # No new cookie generated
271 $cookie = $driver->get_cookie_named('CGISESSID');
272 is( $cookie->{value}, $first_sessionID, );
274 $driver->get( $s->opac_base_url . q|opac-reserve.pl| );
275 like( $driver->get_title, qr(Log in to your account) );
277 # Still no new cookie generated
278 $driver->get($mainpage);
279 $cookie = $driver->get_cookie_named('CGISESSID');
280 is( $cookie->{value}, $first_sessionID, );
283 push @data_to_cleanup, $patron, $patron->category, $patron->library;
286 subtest 'Regressions' => sub {
290 my $mainpage = $s->base_url . q|mainpage.pl|;
292 my $patron_1 = $builder->build_object({ class => 'Koha::Patrons', value => { flags => 1 }});
293 my $patron_2 = $builder->build_object({ class => 'Koha::Patrons', value => { flags => 0 }});
294 my $password = 'password';
295 t::lib::Mocks::mock_preference( 'RequireStrongPassword', 0 );
296 $patron_1->set_password({ password => $password });
297 $patron_2->set_password({ password => $password });
299 $driver->get($mainpage . q|?logout.x=1|);
300 $s->auth( $patron_2->userid, $password );
301 like( $driver->get_title, qr(Access denied), 'Patron without permissions should not be able to login' );
303 $s->auth( $patron_1->userid, $password );
304 like( $driver->get_title(), qr(Koha staff interface), 'Patron with permissions should be able to login' );
306 push @data_to_cleanup, $patron_1, $patron_1->category, $patron_1->library;
307 push @data_to_cleanup, $patron_2, $patron_2->category, $patron_2->library;
314 $_->delete for @data_to_cleanup;