Update core 8.3.0

web/core/modules/basic_auth/basic_auth.module

@@ -15,7 +15,7 @@ function basic_auth_help($route_name, RouteMatchInterface $route_match) {
     case 'help.page.basic_auth':
       $output = '';
       $output .= '<h3>' . t('About') . '</h3>';
-      $output .= '<p>' . t('The HTTP Basic Authentication module supplies an <a href="http://en.wikipedia.org/wiki/Basic_access_authentication">HTTP Basic authentication</a> provider for web service requests. This authentication provider authenticates requests using the HTTP Basic Authentication username and password, as an alternative to using Drupal\'s standard cookie-based authentication system. It is only useful if your site provides web services configured to use this type of authentication (for instance, the <a href=":rest_help">RESTful Web Services module</a>). For more information, see the <a href=":hba_do">online documentation for the HTTP Basic Authentication module</a>.', array(':hba_do' => 'https://www.drupal.org/documentation/modules/basic_auth', ':rest_help' => (\Drupal::moduleHandler()->moduleExists('rest')) ? \Drupal::url('help.page', array('name' => 'rest')) : '#')) . '</p>';
+      $output .= '<p>' . t('The HTTP Basic Authentication module supplies an <a href="http://en.wikipedia.org/wiki/Basic_access_authentication">HTTP Basic authentication</a> provider for web service requests. This authentication provider authenticates requests using the HTTP Basic Authentication username and password, as an alternative to using Drupal\'s standard cookie-based authentication system. It is only useful if your site provides web services configured to use this type of authentication (for instance, the <a href=":rest_help">RESTful Web Services module</a>). For more information, see the <a href=":hba_do">online documentation for the HTTP Basic Authentication module</a>.', [':hba_do' => 'https://www.drupal.org/documentation/modules/basic_auth', ':rest_help' => (\Drupal::moduleHandler()->moduleExists('rest')) ? \Drupal::url('help.page', ['name' => 'rest']) : '#']) . '</p>';
       return $output;
   }
 }

web/core/modules/basic_auth/src/Authentication/Provider/BasicAuth.php

@@ -88,7 +88,7 @@ class BasicAuth implements AuthenticationProviderInterface, AuthenticationProvid
     // in to many different user accounts.  We have a reasonably high limit
     // since there may be only one apparent IP for all users at an institution.
     if ($this->flood->isAllowed('basic_auth.failed_login_ip', $flood_config->get('ip_limit'), $flood_config->get('ip_window'))) {
-      $accounts = $this->entityManager->getStorage('user')->loadByProperties(array('name' => $username, 'status' => 1));
+      $accounts = $this->entityManager->getStorage('user')->loadByProperties(['name' => $username, 'status' => 1]);
       $account = reset($accounts);
       if ($account) {
         if ($flood_config->get('uid_only')) {
@@ -127,9 +127,9 @@ class BasicAuth implements AuthenticationProviderInterface, AuthenticationProvid
    */
   public function challengeException(Request $request, \Exception $previous) {
     $site_name = $this->configFactory->get('system.site')->get('name');
-    $challenge = SafeMarkup::format('Basic realm="@realm"', array(
+    $challenge = SafeMarkup::format('Basic realm="@realm"', [
       '@realm' => !empty($site_name) ? $site_name : 'Access restricted',
-    ));
+    ]);
     return new UnauthorizedHttpException((string) $challenge, 'No authentication credentials provided.', $previous);
   }
 

web/core/modules/basic_auth/src/Tests/BasicAuthTestTrait.php

@@ -2,8 +2,15 @@
 
 namespace Drupal\basic_auth\Tests;
 
+@trigger_error(__FILE__ . ' is deprecated in Drupal 8.3.0 and will be removed before Drupal 9.0.0. Use \Drupal\Tests\basic_auth\Traits\BasicAuthTestTrait instead. See https://www.drupal.org/node/2862800.', E_USER_DEPRECATED);
+
 /**
  * Provides common functionality for Basic Authentication test classes.
+ *
+ * @deprecated in Drupal 8.3.0 and will be removed before Drupal 9.0.0.
+ *   Use \Drupal\Tests\basic_auth\Traits\BasicAuthTestTrait instead.
+ *
+ * @see https://www.drupal.org/node/2862800
  */
 trait BasicAuthTestTrait {
 
@@ -51,7 +58,7 @@ trait BasicAuthTestTrait {
    *
    * @see \Drupal\simpletest\WebTestBase::drupalPostForm()
    */
-  protected function basicAuthPostForm($path, $edit, $submit, $username, $password, array $options = array(), $form_html_id = NULL, $extra_post = NULL) {
+  protected function basicAuthPostForm($path, $edit, $submit, $username, $password, array $options = [], $form_html_id = NULL, $extra_post = NULL) {
     return $this->drupalPostForm($path, $edit, $submit, $options, $this->getBasicAuthHeaders($username, $password), $form_html_id, $extra_post);
   }
 

web/core/modules/basic_auth/tests/src/Functional/BasicAuthTest.php

@@ -1,19 +1,19 @@
 <?php
 
-namespace Drupal\basic_auth\Tests\Authentication;
+namespace Drupal\Tests\basic_auth\Functional;
 
 use Drupal\Component\Utility\SafeMarkup;
 use Drupal\Core\Url;
-use Drupal\basic_auth\Tests\BasicAuthTestTrait;
+use Drupal\Tests\basic_auth\Traits\BasicAuthTestTrait;
 use Drupal\language\Entity\ConfigurableLanguage;
-use Drupal\simpletest\WebTestBase;
+use Drupal\Tests\BrowserTestBase;
 
 /**
  * Tests for BasicAuth authentication provider.
  *
  * @group basic_auth
  */
-class BasicAuthTest extends WebTestBase {
+class BasicAuthTest extends BrowserTestBase {
 
   use BasicAuthTestTrait;
 
@@ -22,7 +22,7 @@ class BasicAuthTest extends WebTestBase {
    *
    * @var array
    */
-  public static $modules = array('basic_auth', 'router_test', 'locale', 'basic_auth_test');
+  public static $modules = ['basic_auth', 'router_test', 'locale', 'basic_auth_test'];
 
   /**
    * Test http basic authentication.
@@ -39,14 +39,14 @@ class BasicAuthTest extends WebTestBase {
     $this->basicAuthGet($url, $account->getUsername(), $account->pass_raw);
     $this->assertText($account->getUsername(), 'Account name is displayed.');
     $this->assertResponse('200', 'HTTP response is OK');
-    $this->curlClose();
+    $this->mink->resetSessions();
     $this->assertFalse($this->drupalGetHeader('X-Drupal-Cache'));
     $this->assertIdentical(strpos($this->drupalGetHeader('Cache-Control'), 'public'), FALSE, 'Cache-Control is not set to public');
 
     $this->basicAuthGet($url, $account->getUsername(), $this->randomMachineName());
     $this->assertNoText($account->getUsername(), 'Bad basic auth credentials do not authenticate the user.');
     $this->assertResponse('403', 'Access is not granted.');
-    $this->curlClose();
+    $this->mink->resetSessions();
 
     $this->drupalGet($url);
     $this->assertEqual($this->drupalGetHeader('WWW-Authenticate'), SafeMarkup::format('Basic realm="@realm"', ['@realm' => \Drupal::config('system.site')->get('name')]));
@@ -55,12 +55,12 @@ class BasicAuthTest extends WebTestBase {
     $this->drupalGet('admin');
     $this->assertResponse('403', 'No authentication prompt for routes not explicitly defining authentication providers.');
 
-    $account = $this->drupalCreateUser(array('access administration pages'));
+    $account = $this->drupalCreateUser(['access administration pages']);
 
     $this->basicAuthGet(Url::fromRoute('system.admin'), $account->getUsername(), $account->pass_raw);
     $this->assertNoLink('Log out', 'User is not logged in');
     $this->assertResponse('403', 'No basic authentication for routes not explicitly defining authentication providers.');
-    $this->curlClose();
+    $this->mink->resetSessions();
 
     // Ensure that pages already in the page cache aren't returned from page
     // cache if basic auth credentials are provided.
@@ -75,14 +75,14 @@ class BasicAuthTest extends WebTestBase {
   /**
    * Test the global login flood control.
    */
-  function testGlobalLoginFloodControl() {
+  public function testGlobalLoginFloodControl() {
     $this->config('user.flood')
       ->set('ip_limit', 2)
       // Set a high per-user limit out so that it is not relevant in the test.
       ->set('user_limit', 4000)
       ->save();
 
-    $user = $this->drupalCreateUser(array());
+    $user = $this->drupalCreateUser([]);
     $incorrect_user = clone $user;
     $incorrect_user->pass_raw .= 'incorrect';
     $url = Url::fromRoute('router_test.11');
@@ -100,17 +100,17 @@ class BasicAuthTest extends WebTestBase {
   /**
    * Test the per-user login flood control.
    */
-  function testPerUserLoginFloodControl() {
+  public function testPerUserLoginFloodControl() {
     $this->config('user.flood')
       // Set a high global limit out so that it is not relevant in the test.
       ->set('ip_limit', 4000)
       ->set('user_limit', 2)
       ->save();
 
-    $user = $this->drupalCreateUser(array());
+    $user = $this->drupalCreateUser([]);
     $incorrect_user = clone $user;
     $incorrect_user->pass_raw .= 'incorrect';
-    $user2 = $this->drupalCreateUser(array());
+    $user2 = $this->drupalCreateUser([]);
     $url = Url::fromRoute('router_test.11');
 
     // Try a failed login.
@@ -138,7 +138,7 @@ class BasicAuthTest extends WebTestBase {
   /**
    * Tests compatibility with locale/UI translation.
    */
-  function testLocale() {
+  public function testLocale() {
     ConfigurableLanguage::createFromLangcode('de')->save();
     $this->config('system.site')->set('default_langcode', 'de')->save();
 
@@ -148,13 +148,12 @@ class BasicAuthTest extends WebTestBase {
     $this->basicAuthGet($url, $account->getUsername(), $account->pass_raw);
     $this->assertText($account->getUsername(), 'Account name is displayed.');
     $this->assertResponse('200', 'HTTP response is OK');
-    $this->curlClose();
   }
 
   /**
    * Tests if a comprehensive message is displayed when the route is denied.
    */
-  function testUnauthorizedErrorMessage() {
+  public function testUnauthorizedErrorMessage() {
     $account = $this->drupalCreateUser();
     $url = Url::fromRoute('router_test.11');
 
@@ -173,6 +172,12 @@ class BasicAuthTest extends WebTestBase {
     $this->basicAuthGet($url, $account->getUsername(), $this->randomMachineName());
     $this->assertResponse('403', 'The user is blocked when wrong credentials are passed.');
     $this->assertText('Access denied', "A user friendly access denied message is displayed");
+
+    // Case when correct credentials but hasn't access to the route.
+    $url = Url::fromRoute('router_test.15');
+    $this->basicAuthGet($url, $account->getUsername(), $account->pass_raw);
+    $this->assertResponse('403', 'The used authentication method is not allowed on this route.');
+    $this->assertText('Access denied', "A user friendly access denied message is displayed");
   }
 
   /**
@@ -191,6 +196,8 @@ class BasicAuthTest extends WebTestBase {
     $this->basicAuthGet('/basic_auth_test/state/modify', $account->getUsername(), $account->pass_raw);
     $this->assertResponse(200);
     $this->assertRaw('Done');
+
+    $this->mink->resetSessions();
     $this->drupalGet('/basic_auth_test/state/read');
     $this->assertResponse(200);
     $this->assertRaw('yep');

web/core/modules/basic_auth/tests/src/Traits/BasicAuthTestTrait.php

@@ -0,0 +1,74 @@
+<?php
+
+namespace Drupal\Tests\basic_auth\Traits;
+
+/**
+ * Provides common functionality for Basic Authentication test classes.
+ */
+trait BasicAuthTestTrait {
+
+  /**
+   * Retrieves a Drupal path or an absolute path using basic authentication.
+   *
+   * @param \Drupal\Core\Url|string $path
+   *   Drupal path or URL to load into the internal browser.
+   * @param string $username
+   *   The username to use for basic authentication.
+   * @param string $password
+   *   The password to use for basic authentication.
+   * @param array $options
+   *   (optional) Options to be forwarded to the url generator.
+   *
+   * @return string
+   *   The retrieved HTML string, also available as $this->getRawContent().
+   */
+  protected function basicAuthGet($path, $username, $password, array $options = []) {
+    return $this->drupalGet($path, $options, $this->getBasicAuthHeaders($username, $password));
+  }
+
+  /**
+   * Executes a form submission using basic authentication.
+   *
+   * @param string $path
+   *   Location of the post form.
+   * @param array $edit
+   *   Field data in an associative array.
+   * @param string $submit
+   *   Value of the submit button whose click is to be emulated.
+   * @param string $username
+   *   The username to use for basic authentication.
+   * @param string $password
+   *   The password to use for basic authentication.
+   * @param array $options
+   *   Options to be forwarded to the url generator.
+   * @param string $form_html_id
+   *   (optional) HTML ID of the form to be submitted.
+   * @param string $extra_post
+   *   (optional) A string of additional data to append to the POST submission.
+   *
+   * @return string
+   *   The retrieved HTML string.
+   *
+   * @see \Drupal\simpletest\WebTestBase::drupalPostForm()
+   */
+  protected function basicAuthPostForm($path, $edit, $submit, $username, $password, array $options = [], $form_html_id = NULL, $extra_post = NULL) {
+    return $this->drupalPostForm($path, $edit, $submit, $options, $this->getBasicAuthHeaders($username, $password), $form_html_id, $extra_post);
+  }
+
+  /**
+   * Returns HTTP headers that can be used for basic authentication in Curl.
+   *
+   * @param string $username
+   *   The username to use for basic authentication.
+   * @param string $password
+   *   The password to use for basic authentication.
+   *
+   * @return array
+   *   An array of raw request headers as used by curl_setopt().
+   */
+  protected function getBasicAuthHeaders($username, $password) {
+    // Set up Curl to use basic authentication with the test user's credentials.
+    return ['Authorization' => 'Basic ' . base64_encode("$username:$password")];
+  }
+
+}