3 # This file is part of Koha.
5 # Copyright (C) 2017 Catalyst IT
6 # Copyright 2021 Koha Development team
8 # Koha is free software; you can redistribute it and/or modify it
9 # under the terms of the GNU General Public License as published by
10 # the Free Software Foundation; either version 3 of the License, or
11 # (at your option) any later version.
13 # Koha is distributed in the hope that it will be useful, but
14 # WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 # GNU General Public License for more details.
18 # You should have received a copy of the GNU General Public License
19 # along with Koha; if not, see <http://www.gnu.org/licenses>.
21 #This selenium test is to test authentication, by performing the following: create a category and patron (same as basic_workflow.t). Then the superlibrarian logs out and the created patron must log into the staff intranet and OPAC
23 #Note: If you are testing this on kohadevbox with selenium installed in kohadevbox then you need to set the staffClientBaseURL to localhost:8080 and the OPACBaseURL to localhost:80
26 use Test::More tests => 3;
32 use t::lib::TestBuilder;
37 eval { require Selenium::Remote::Driver; };
38 skip "Selenium::Remote::Driver is needed for selenium tests.", 3 if $@;
40 my $builder = t::lib::TestBuilder->new;
41 my $s = t::lib::Selenium->new;
42 my $driver = $s->driver;
44 subtest 'Staff interface authentication' => sub {
46 my $mainpage = $s->base_url . q|mainpage.pl|;
47 $driver->get($mainpage);
48 like( $driver->get_title, qr(Log in to Koha), 'Hitting the main page should redirect to the login form');
50 my $patron = $builder->build_object({ class => 'Koha::Patrons', value => { flags => 0 }});
51 my $password = Koha::AuthUtils::generate_password($patron->category);
52 t::lib::Mocks::mock_preference( 'RequireStrongPassword', 0 );
53 $patron->set_password({ password => $password });
55 # Patron is authenticated but is not authorized to access staff interface
56 $s->auth( $patron->userid, $password );
57 like( $driver->get_title, qr(Access denied), 'Patron without permission should be redirected to the login form' );
59 # Try logging in as someone else (even a non-existent patron) and you should still be denied access
60 $s->auth('Bond','James Bond');
61 like( $driver->get_title, qr(Invalid username or password), 'Trying to change to a non-existent user should fail login' );
63 $driver->get($mainpage . q|?logout.x=1|);
64 $patron->flags(4)->store; # catalogue permission
65 $s->auth( $patron->userid, $password );
66 like( $driver->get_title, qr(Koha staff interface), 'Patron with flags catalogue should be able to login' );
68 $driver->get($mainpage . q|?logout.x=1|);
69 like( $driver->get_title(), qr(Log in to Koha), 'If logout is requested, login form should be displayed' );
71 $patron->flags(1)->store; # superlibrarian permission
72 $s->auth( $patron->userid, $password );
73 like( $driver->get_title, qr(Koha staff interface), 'Patron with flags superlibrarian should be able to login' );
75 subtest 'not authorized' => sub {
79 $driver->get($mainpage . q|?logout.x=1|);
80 $patron->flags(4)->store; # Patron has only catalogue permission
81 like( $driver->get_title, qr(Log in to Koha), 'Patron should hit the login form after logout' );
83 $s->fill_form({ userid => $patron->userid, password => $password });
84 $s->driver->find_element('//input[@id="submit-button"]')->click;
86 my $cookie = $driver->get_cookie_named('CGISESSID');
87 my $first_sessionID = $cookie->{value};
89 # Patron is logged in and got a CGISESSID cookie, miam
90 like( $driver->get_title, qr(Koha staff interface), 'Patron is logged in' );
91 $cookie = $driver->get_cookie_named('CGISESSID');
92 is( $cookie->{value}, $first_sessionID, 'no new session after login, the session has been upgraded' );
94 # Authorized page can be accessed, cookie does not change
95 $driver->get( $s->base_url . q|catalogue/search.pl| );
96 like( $driver->get_title, qr(Advanced search), 'Patron can access advanced search' );
97 $cookie = $driver->get_cookie_named('CGISESSID');
98 is( $cookie->{value}, $first_sessionID, 'no new session after hit' );
100 # Unauthorized page redirect to the login form
101 $driver->get( $s->base_url . q|circ/circulation.pl| );
102 like( $driver->get_title, qr(Access denied), 'Patron cannot access the circulation module' );
103 # But the patron does not lose the CGISESSID cookie!
104 $cookie = $driver->get_cookie_named('CGISESSID');
105 is( $cookie->{value}, $first_sessionID, 'no new session if unauthorized page is hit' );
107 # Luckily mainpage can still be accessed
108 $s->click( { id => 'mainpage', main_class => 'main container-fluid' } );
109 like( $driver->get_title, qr(Koha staff interface), 'Patron can come back to the mainpage' );
110 $cookie = $driver->get_cookie_named('CGISESSID');
111 is( $cookie->{value}, $first_sessionID, 'no new session if back to the mainpage' );
113 # As well as the search
114 $driver->get( $s->base_url . q|catalogue/search.pl| );
115 like( $driver->get_title, qr(Advanced search), 'Patron can access advanced search' );
116 # But circulation module is prohibided!
117 $driver->get( $s->base_url . q|circ/circulation.pl| );
118 like( $driver->get_title, qr(Access denied), 'Patron cannot access the circulation module' );
119 # Still can reuse the same cookie
120 $cookie = $driver->get_cookie_named('CGISESSID');
121 is( $cookie->{value}, $first_sessionID, 'no new session if unauthorized page is hit' );
123 # This is the "previous page" using the back() JS
124 $s->click( { id => 'previous_page', main_class => 'main container-fluid' } );
125 like( $driver->get_title, qr(Advanced search), 'Patron can come back to the previous page' );
126 $cookie = $driver->get_cookie_named('CGISESSID');
127 is( $cookie->{value}, $first_sessionID, 'no new session if back to the previous page' );
129 # Check with a script that is using check_cookie_auth, session must not be deleted!
130 $driver->get( $s->base_url . q|svc/checkouts| );
131 #FIXME - 500 is the current behaviour, but it's not nice. It could be improved.
132 like( $driver->get_title, qr(Error 500), 'Patron cannot access svc script where circulate permissions are required');
133 $driver->get( $s->base_url . q|catalogue/search.pl| );
134 like( $driver->get_title, qr(Advanced search), 'Patron can reuse the cookie after a script that used check_cookie_auth' );
135 $cookie = $driver->get_cookie_named('CGISESSID');
136 is( $cookie->{value}, $first_sessionID, 'no new session if unauthorized page is hit' );
138 push @data_to_cleanup, $patron, $patron->category, $patron->library;
141 subtest 'OPAC interface authentication' => sub {
144 my $mainpage = $s->opac_base_url . q|opac-main.pl|;
146 $driver->get($mainpage . q|?logout.x=1|); # Disconnect first! We are logged in if staff and opac interfaces are separated by ports
148 $driver->get($mainpage);
149 like( $driver->get_title, qr(Koha online catalog), 'Hitting the main page should not redirect to the login form');
151 my $patron = $builder->build_object({ class => 'Koha::Patrons', value => { flags => 0 }});
152 my $password = Koha::AuthUtils::generate_password($patron->category);
153 t::lib::Mocks::mock_preference( 'RequireStrongPassword', 0 );
154 $patron->set_password({ password => $password });
157 $driver->find_element('//a[@class="nav-link login-link loginModal-trigger"]')->click;
158 $s->fill_form( { muserid => $patron->userid, mpassword => $password } );
159 $driver->find_element('//div[@id="loginModal"]//input[@type="submit"]')->click;
160 like( $driver->get_title, qr(Koha online catalog), 'Patron without permission should be able to login to the OPAC using the modal' );
161 $driver->find_element('//div[@id="userdetails"]');
162 like( $driver->get_title, qr(Your library home), 'Patron without permissions should be able to login to the OPAC using the modal');
164 $driver->find_element('//a[@id="user-menu"]')->click;
165 $driver->find_element('//a[@id="logout"]')->click;
166 $driver->get($mainpage); # This should not be needed but we the next find_element fails randomly
169 $driver->error_handler(
171 my ( $driver, $selenium_error ) = @_;
172 print STDERR "\nSTRACE:";
174 while ( (my @call_details = (caller($i++))) ){
175 print STDERR "\t" . $call_details[1]. ":" . $call_details[2] . " in " . $call_details[3]."\n";
178 print STDERR sprintf("Is logged in patron: %s (%s)?\n", $patron->firstname, $patron->surname );
179 $s->capture( $driver );
180 croak $selenium_error;
184 $driver->find_element('//div[@id="login"]'); # logged out
185 $s->add_error_handler; # Reset to the default error handler
188 # Using the form on the right
189 $s->fill_form( { userid => $patron->userid, password => $password } );
191 $driver->find_element('//div[@id="userdetails"]');
192 like( $driver->get_title, qr(Your library home), 'Patron without permissions should be able to login to the OPAC using the form on the right');
194 $driver->find_element('//a[@id="user-menu"]')->click;
195 $driver->find_element('//a[@id="logout"]')->click;
196 $driver->find_element('//div[@id="login"]'); # logged out
199 $patron->flags(4)->store; # catalogue permission
200 $s->fill_form( { userid => $patron->userid, password => $password } );
202 $driver->find_element('//div[@id="userdetails"]');
203 like( $driver->get_title, qr(Your library home), 'Patron with catalogue permission should be able to login to the OPAC');
205 $driver->find_element('//a[@id="user-menu"]')->click;
206 $driver->find_element('//a[@id="logout"]')->click;
207 $driver->find_element('//div[@id="login"]'); # logged out
209 $patron->flags(1)->store; # superlibrarian permission
210 $s->fill_form( { userid => $patron->userid, password => $password } );
212 $driver->find_element('//div[@id="userdetails"]');
213 like( $driver->get_title, qr(Your library home), 'Patron with superlibrarian permission should be able to login to the OPAC');
215 $driver->find_element('//a[@id="user-menu"]')->click;
216 $driver->find_element('//a[@id="logout"]')->click;
217 $driver->find_element('//div[@id="login"]'); # logged out
219 subtest 'not authorized' => sub {
222 $driver->get($mainpage . q|?logout.x=1|);
223 $driver->get($mainpage);
224 my $cookie = $driver->get_cookie_named('CGISESSID');
225 my $first_sessionID = $cookie->{value};
227 # User is not logged in, navigation does not generate a new cookie
228 $driver->get( $s->opac_base_url . q|opac-search.pl| );
229 like( $driver->get_title, qr(Advanced search) );
230 $cookie = $driver->get_cookie_named('CGISESSID');
231 is( $cookie->{value}, $first_sessionID, );
234 $driver->get($mainpage);
235 $s->fill_form( { userid => $patron->userid, password => $password } );
238 # After logged in, the same cookie is reused
239 like( $driver->get_title, qr(Your library home) );
240 $cookie = $driver->get_cookie_named('CGISESSID');
241 is( $cookie->{value}, $first_sessionID, );
242 $driver->get( $s->opac_base_url . q|opac-search.pl| );
243 like( $driver->get_title, qr(Advanced search) );
244 $cookie = $driver->get_cookie_named('CGISESSID');
245 is( $cookie->{value}, $first_sessionID, );
247 # Logged in user can place holds
248 $driver->get( $s->opac_base_url . q|opac-reserve.pl| ); # We may need to pass a biblionumber here in the future
249 like( $driver->get_title, qr(Placing a hold) );
250 $cookie = $driver->get_cookie_named('CGISESSID');
251 is( $cookie->{value}, $first_sessionID, );
253 $driver->get($mainpage . q|?logout.x=1|);
255 # FIXME This new get should not be needed, but the cookie is not modified right after logout
256 # However it's not the behaviour when testing the UI
257 $driver->get($mainpage);
259 # After logout a new cookie is generated, the previous session has been deleted
260 $cookie = $driver->get_cookie_named('CGISESSID');
261 isnt( $cookie->{value}, $first_sessionID, );
262 $first_sessionID = $cookie->{value};
264 $driver->get( $s->opac_base_url . q|svc/checkout_notes| );
265 #FIXME - 500 is the current behaviour, but it's not nice. It could be improved.
266 like( $driver->get_title, qr(An error has occurred), 'Patron cannot access svc');
267 # No new cookie generated
268 $cookie = $driver->get_cookie_named('CGISESSID');
269 is( $cookie->{value}, $first_sessionID, );
271 $driver->get( $s->opac_base_url . q|opac-reserve.pl| );
272 like( $driver->get_title, qr(Log in to your account) );
274 # Still no new cookie generated
275 $driver->get($mainpage);
276 $cookie = $driver->get_cookie_named('CGISESSID');
277 is( $cookie->{value}, $first_sessionID, );
280 push @data_to_cleanup, $patron, $patron->category, $patron->library;
283 subtest 'Regressions' => sub {
287 my $mainpage = $s->base_url . q|mainpage.pl|;
289 my $patron_1 = $builder->build_object({ class => 'Koha::Patrons', value => { flags => 1 }});
290 my $patron_2 = $builder->build_object({ class => 'Koha::Patrons', value => { flags => 0 }});
291 my $password = 'password';
292 t::lib::Mocks::mock_preference( 'RequireStrongPassword', 0 );
293 $patron_1->set_password({ password => $password });
294 $patron_2->set_password({ password => $password });
296 $driver->get($mainpage . q|?logout.x=1|);
297 $s->auth( $patron_2->userid, $password );
298 like( $driver->get_title, qr(Access denied), 'Patron without permissions should not be able to login' );
300 $s->auth( $patron_1->userid, $password );
301 like( $driver->get_title(), qr(Koha staff interface), 'Patron with permissions should be able to login' );
303 push @data_to_cleanup, $patron_1, $patron_1->category, $patron_1->library;
304 push @data_to_cleanup, $patron_2, $patron_2->category, $patron_2->library;
311 $_->delete for @data_to_cleanup;