class UserPasswordResetTestCase

class UserPasswordResetTestCase extends DrupalWebTestCase {
    protected $profile = 'standard';
    function setUp() {
        parent::setUp('user_form_test');
    }
    public static function getInfo() {
        return array(
            'name' => 'Reset password',
            'description' => 'Ensure that password reset methods work as expected.',
            'group' => 'User',
        );
    }
    
    /**
     * Retrieves password reset email and extracts the login link.
     */
    public function getResetURL($bypass_form = FALSE) {
        // Assume the most recent email.
        $_emails = $this->drupalGetMails();
        $email = end($_emails);
        $urls = array();
        preg_match('#.+user/reset/.+#', $email['body'], $urls);
        return $urls[0] . ($bypass_form ? '/login' : '');
    }
    
    /**
     * Generates login link.
     */
    public function generateResetURL($account, $bypass_form = FALSE) {
        return user_pass_reset_url($account) . ($bypass_form ? '/login' : '');
    }
    
    /**
     * Turns a password reset URL into a 'confirm' URL.
     */
    public function getConfirmURL($reset_url) {
        // Last part is always the hash; replace with "confirm".
        $parts = explode('/', $reset_url);
        array_pop($parts);
        array_push($parts, 'confirm');
        return implode('/', $parts);
    }
    
    /**
     * Tests password reset functionality.
     */
    function testUserPasswordReset($use_direct_login_link = FALSE) {
        // Create a user.
        $account = $this->drupalCreateUser();
        $this->drupalLogin($account);
        $this->drupalLogout();
        // Attempt to reset password.
        $edit = array(
            'name' => $account->name,
        );
        $this->drupalPost('user/password', $edit, t('E-mail new password'));
        // Ensure the correct message is shown for a valid user name.
        $password_reset_text = variable_get('user_password_reset_text', t('If %identifier is a valid account, an email will be sent with instructions to reset your password.'));
        $this->assertRaw(format_string($password_reset_text, array(
            '%identifier' => $account->name,
        )), 'Password reset instructions mailed message displayed for a valid user.');
        // Ensure that flood control was not triggered.
        $this->assertNoText(t('is temporarily blocked. Try again later'), 'Flood control was not triggered by single password reset.');
        // Ensure the correct message is shown for a non-existent user name.
        $name = $this->randomName();
        $edit = array(
            'name' => $name,
        );
        $this->drupalPost('user/password', $edit, t('E-mail new password'));
        $password_reset_text = variable_get('user_password_reset_text', t('If %identifier is a valid account, an email will be sent with instructions to reset your password.'));
        $this->assertRaw(format_string($password_reset_text, array(
            '%identifier' => $name,
        )), 'Password reset instructions mailed message displayed for a non-existent user.');
        // Create an image field to enable an Ajax request on the user profile page.
        $field = array(
            'field_name' => 'field_avatar',
            'type' => 'image',
            'settings' => array(),
            'cardinality' => 1,
        );
        field_create_field($field);
        $instance = array(
            'field_name' => $field['field_name'],
            'entity_type' => 'user',
            'label' => 'Avatar',
            'bundle' => 'user',
            'required' => FALSE,
            'settings' => array(),
            'widget' => array(
                'type' => 'image_image',
                'settings' => array(),
            ),
        );
        field_create_instance($instance);
        variable_del("user_test_pass_reset_form_submit_{$account->uid}");
        $resetURL = $this->getResetURL($use_direct_login_link);
        $this->drupalGet($resetURL);
        // Check successful login.
        if (!$use_direct_login_link) {
            $this->assertUrl($this->getConfirmURL($resetURL), array(), 'The user is redirected to the reset password confirm form.');
            $this->drupalPost(NULL, NULL, t('Log in'));
            // The form was fully processed before redirecting.
            $form_submit_handled = variable_get("user_test_pass_reset_form_submit_{$account->uid}", FALSE);
            $this->assertTrue($form_submit_handled, 'A custom submit handler executed.');
        }
        $this->assertText('You have just used your one-time login link. It is no longer necessary to use this link to log in. Please change your password.');
        // Make sure the Ajax request from uploading a file does not invalidate the
        // reset token.
        $image = current($this->drupalGetTestFiles('image'));
        $edit = array(
            'files[field_avatar_und_0]' => drupal_realpath($image->uri),
        );
        $this->drupalPostAJAX(NULL, $edit, 'field_avatar_und_0_upload_button');
        // Change the forgotten password.
        $password = user_password();
        $edit = array(
            'pass[pass1]' => $password,
            'pass[pass2]' => $password,
        );
        $this->drupalPost(NULL, $edit, t('Save'));
        $this->assertText(t('The changes have been saved.'), 'Forgotten password changed.');
        // Ensure blocked and deleted accounts can't access the direct login link.
        $this->drupalLogout();
        $reset_url = $this->generateResetURL($account, $use_direct_login_link);
        user_save($account, array(
            'status' => 0,
        ));
        $this->drupalGet($reset_url);
        $this->assertResponse(403);
        user_delete($account->uid);
        $this->drupalGet($reset_url);
        $this->assertResponse(403);
    }
    
    /**
     * Test user-based flood control on password reset.
     */
    function testPasswordResetFloodControlPerUser() {
        // Set a very low limit for testing.
        variable_set('user_pass_reset_user_limit', 2);
        // Create a user.
        $account = $this->drupalCreateUser();
        $this->drupalLogin($account);
        $this->drupalLogout();
        $edit = array(
            'name' => $account->name,
        );
        // Try 2 requests that should not trigger flood control.
        for ($i = 0; $i < 2; $i++) {
            $this->drupalPost('user/password', $edit, t('E-mail new password'));
            // Confirm the password reset.
            $password_reset_text = variable_get('user_password_reset_text', t('If %identifier is a valid account, an email will be sent with instructions to reset your password.'));
            $this->assertRaw(format_string($password_reset_text, array(
                '%identifier' => $account->name,
            )), 'Password reset instructions mailed message displayed.');
            // Ensure that flood control was not triggered.
            $this->assertNoText(t('is temporarily blocked. Try again later'), 'Flood control was not triggered by password reset.');
        }
        // A successful password reset should clear flood events.
        $resetURL = $this->getResetURL();
        $this->drupalGet($resetURL);
        // Check successful login.
        $this->drupalPost(NULL, NULL, t('Log in'));
        $this->drupalLogout();
        // Try 2 requests that should not trigger flood control.
        for ($i = 0; $i < 2; $i++) {
            $this->drupalPost('user/password', $edit, t('E-mail new password'));
            // Confirm the password reset.
            $password_reset_text = variable_get('user_password_reset_text', t('If %identifier is a valid account, an email will be sent with instructions to reset your password.'));
            $this->assertRaw(format_string($password_reset_text, array(
                '%identifier' => $account->name,
            )), 'Password reset instructions mailed message displayed.');
            // Ensure that flood control was not triggered.
            $this->assertNoText(t('is temporarily blocked. Try again later'), 'Flood control was not triggered by password reset.');
        }
        // The next request should trigger flood control
        $this->drupalPost('user/password', $edit, t('E-mail new password'));
        // Confirm the password reset was blocked.
        $this->assertNoText(t('Further instructions have been sent to your e-mail address.'), 'Password reset instructions mailed message not displayed for excessive password resets.');
        // Ensure that flood control was triggered.
        $this->assertText(t('Sorry, there have been more than 2 password reset attempts for this account. It is temporarily blocked.'), 'Flood control was triggered by excessive password resets for one user.');
    }
    
    /**
     * Test IP-based flood control on password reset.
     */
    function testPasswordResetFloodControlPerIp() {
        // Set a very low limit for testing.
        variable_set('user_pass_reset_ip_limit', 2);
        // Try 2 requests that should not trigger flood control.
        for ($i = 0; $i < 2; $i++) {
            $name = $this->randomName();
            $edit = array(
                'name' => $name,
            );
            $this->drupalPost('user/password', $edit, t('E-mail new password'));
            // Confirm the password reset was not blocked.
            $password_reset_text = variable_get('user_password_reset_text', t('If %identifier is a valid account, an email will be sent with instructions to reset your password.'));
            $this->assertRaw(format_string($password_reset_text, array(
                '%identifier' => $name,
            )), 'Password reset instructions mailed message displayed.');
            // Ensure that flood control was not triggered.
            $this->assertNoText(t('is temporarily blocked. Try again later'), 'Flood control was not triggered by password reset.');
        }
        // The next request should trigger flood control
        $name = $this->randomName();
        $edit = array(
            'name' => $name,
        );
        $this->drupalPost('user/password', $edit, t('E-mail new password'));
        // Confirm the password reset was blocked early. Note that @name is used
        // instead of %name as assertText() works with plain text not HTML.
        $this->assertNoText(t('Sorry, @name is not recognized as a user name or an e-mail address.', array(
            '@name' => $name,
        )), 'User name not recognized message not displayed.');
        // Ensure that flood control was triggered.
        $this->assertText(t('Sorry, too many password reset attempts from your IP address. This IP address is temporarily blocked.'), 'Flood control was triggered by excessive password resets from one IP.');
    }
    
    /**
     * Test user password reset while logged in.
     */
    function testUserPasswordResetLoggedIn($use_direct_login_link = FALSE) {
        $another_account = $this->drupalCreateUser();
        $account = $this->drupalCreateUser();
        $this->drupalLogin($account);
        // Make sure the test account has a valid password.
        user_save($account, array(
            'pass' => user_password(),
        ));
        // Try to use the login link while logged in as a different user.
        // Generate one time login link.
        $reset_url = $this->generateResetURL($another_account, $use_direct_login_link);
        $this->drupalGet($reset_url);
        $this->assertRaw(t('Another user (%other_user) is already logged into the site on this computer, but you tried to use a one-time link for user %resetting_user. Please <a href="!logout">logout</a> and try using the link again.', array(
            '%other_user' => $account->name,
            '%resetting_user' => $another_account->name,
            '!logout' => url('user/logout'),
        )));
        // Test the link for a deleted user while logged in.
        user_delete($another_account->uid);
        $this->drupalGet($reset_url);
        $this->assertText('The one-time login link you clicked is invalid.');
        // Generate a one time login link for the logged-in user.
        $fapi_action = $use_direct_login_link ? 'build' : 'submit';
        variable_del("user_test_pass_reset_form_{$fapi_action}_{$account->uid}");
        $reset_url = $this->generateResetURL($account, $use_direct_login_link);
        $this->drupalGet($reset_url);
        if ($use_direct_login_link) {
            // The form is never fully built; user is logged out (session destroyed)
            // and redirected to the same URL, then logged in again and redirected
            // during form build.
            $form_built = variable_get("user_test_pass_reset_form_build_{$account->uid}", FALSE);
            $this->assertTrue(!$form_built, 'The password reset form was never fully built.');
        }
        else {
            $this->assertUrl($this->getConfirmURL($reset_url), array(), 'The user is redirected to the reset password confirm form.');
            $this->assertText('Reset password');
            $this->drupalPost(NULL, NULL, t('Log in'));
            // The form was fully processed before redirecting.
            $form_submit_handled = variable_get("user_test_pass_reset_form_submit_{$account->uid}", FALSE);
            $this->assertTrue($form_submit_handled, 'A custom submit handler executed.');
        }
        $this->assertText('You have just used your one-time login link. It is no longer necessary to use this link to log in. Please change your password.');
        // The user can change the forgotten password on the page they are
        // redirected to.
        $pass = user_password();
        $edit = array(
            'pass[pass1]' => $pass,
            'pass[pass2]' => $pass,
        );
        $this->drupalPost(NULL, $edit, t('Save'));
        $this->assertText('The changes have been saved.');
    }
    
    /**
     * Test direct login link that bypasses the password reset form.
     */
    function testUserDirectLogin() {
        $this->testUserPasswordReset(TRUE);
        $this->testUserPasswordResetLoggedIn(TRUE);
    }
    
    /**
     * Attempts login using an expired password reset link.
     */
    function testUserPasswordResetExpired() {
        // Set password reset timeout variable to 43200 seconds = 12 hours.
        $timeout = 43200;
        variable_set('user_password_reset_timeout', $timeout);
        // Create a user.
        $account = $this->drupalCreateUser();
        $this->drupalLogin($account);
        // Load real user object.
        $account = user_load($account->uid, TRUE);
        $this->drupalLogout();
        // To attempt an expired password reset, create a password reset link as if
        // its request time was 60 seconds older than the allowed limit of timeout.
        $bogus_timestamp = REQUEST_TIME - variable_get('user_password_reset_timeout', 86400) - 60;
        $this->drupalGet("user/reset/{$account->uid}/{$bogus_timestamp}/" . user_pass_rehash($account->pass, $bogus_timestamp, $account->login, $account->uid, $account->mail));
        $this->assertText(t('You have tried to use a one-time login link that has expired. Please request a new one using the form below.'), 'Expired password reset request rejected.');
    }
    
    /**
     * Prefill the text box on incorrect login via link to password reset page.
     */
    function testUserPasswordTextboxFilled() {
        $this->drupalGet('user/login');
        $edit = array(
            'name' => $this->randomName(),
            'pass' => $this->randomName(),
        );
        $this->drupalPost('user', $edit, t('Log in'));
        $this->assertRaw(t('Sorry, unrecognized username or password. <a href="@password">Have you forgotten your password?</a>', array(
            '@password' => url('user/password', array(
                'query' => array(
                    'name' => $edit['name'],
                ),
            )),
        )));
        unset($edit['pass']);
        $this->drupalGet('user/password', array(
            'query' => array(
                'name' => $edit['name'],
            ),
        ));
        $this->assertFieldByName('name', $edit['name'], 'User name found.');
    }
    
    /**
     * Make sure that users cannot forge password reset URLs of other users.
     */
    function testResetImpersonation() {
        // Make sure user 1 has a valid password, so it does not interfere with the
        // test user accounts that are created below.
        $account = user_load(1);
        user_save($account, array(
            'pass' => user_password(),
        ));
        // Create two identical user accounts except for the user name. They must
        // have the same empty password, so we can't use $this->drupalCreateUser().
        $edit = array();
        $edit['name'] = $this->randomName();
        $edit['mail'] = $edit['name'] . '@example.com';
        $edit['status'] = 1;
        $user1 = user_save(drupal_anonymous_user(), $edit);
        $edit['name'] = $this->randomName();
        $user2 = user_save(drupal_anonymous_user(), $edit);
        // The password reset URL must not be valid for the second user when only
        // the user ID is changed in the URL.
        $reset_url = user_pass_reset_url($user1);
        $attack_reset_url = str_replace("user/reset/{$user1->uid}", "user/reset/{$user2->uid}", $reset_url);
        $this->drupalGet($attack_reset_url);
        $this->assertNoText($user2->name, 'The invalid password reset page does not show the user name.');
        $this->assertUrl('user/password', array(), 'The user is redirected to the password reset request page.');
        $this->assertText('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.');
        // When legacy code calls user_pass_rehash() without providing the $uid
        // parameter, neither password reset URL should be valid since it is
        // impossible for the system to determine which user account the token was
        // intended for.
        $timestamp = REQUEST_TIME;
        // Pass an explicit NULL for the $uid parameter of user_pass_rehash()
        // rather than not passing it at all, to avoid triggering PHP warnings in
        // the test.
        $reset_url_token = user_pass_rehash($user1->pass, $timestamp, $user1->login, NULL);
        $reset_url = url("user/reset/{$user1->uid}/{$timestamp}/{$reset_url_token}", array(
            'absolute' => TRUE,
        ));
        $this->drupalGet($reset_url);
        $this->assertNoText($user1->name, 'The invalid password reset page does not show the user name.');
        $this->assertUrl('user/password', array(), 'The user is redirected to the password reset request page.');
        $this->assertText('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.');
        $attack_reset_url = str_replace("user/reset/{$user1->uid}", "user/reset/{$user2->uid}", $reset_url);
        $this->drupalGet($attack_reset_url);
        $this->assertNoText($user2->name, 'The invalid password reset page does not show the user name.');
        $this->assertUrl('user/password', array(), 'The user is redirected to the password reset request page.');
        $this->assertText('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.');
        // To verify that user_pass_rehash() never returns a valid result in the
        // above situation (even if legacy code also called it to attempt to
        // validate the token, rather than just to generate the URL), check that a
        // second call with the same parameters produces a different result.
        $new_reset_url_token = user_pass_rehash($user1->pass, $timestamp, $user1->login, NULL);
        $this->assertNotEqual($reset_url_token, $new_reset_url_token);
        // However, when the duplicate account is removed, the password reset URL
        // should be valid.
        user_delete($user2->uid);
        $reset_url_token = user_pass_rehash($user1->pass, $timestamp, $user1->login, NULL);
        $reset_url = url("user/reset/{$user1->uid}/{$timestamp}/{$reset_url_token}", array(
            'absolute' => TRUE,
        ));
        $this->drupalGet($reset_url);
        $this->assertText($user1->name, 'The valid password reset page shows the user name.');
        $this->assertUrl($this->getConfirmURL($reset_url), array(), 'The user is redirected to the reset password confirm form.');
        $this->assertNoText('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.');
    }
    
    /**
     * Make sure that password reset URLs are invalidated when the user's email
     * address changes.
     */
    function testResetInvalidation() {
        $account = $this->drupalCreateUser();
        $original_reset_url = user_pass_reset_url($account);
        user_save($account, array(
            'mail' => '1' . $account->mail,
        ));
        $this->drupalGet($original_reset_url);
        $this->assertText('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.');
    }

}