hesco has asked for the wisdom of the Perl Monks concerning the following question:
I'm writing a test script to exercise the access control mechanisms on a web application I'm writing. It keeps erroring out after the first iteration and I've been chasing this around for too long to think I'm going to see anything new here.
I'm using CGI::Application::Plugin::Authentication and CGI::Application::Plugin::Authorization to handle those details. I've responded to Cees Hek's clarifying questions at http://perlmonks.org/?node_id=535305.
I'm using WWW::Mechanize to work the site and test access for different users.
I fear some interaction between the two which I don't understand. I'm new to this testing stuff and still trying to figure this out.
My test cases include the following users:
notauser
appuser
admuser
notauser should be denied access to any part of the script, except the login form.
appuser should be denied access to any administrative function of the application, but have access to all other functions.
admuser should have access to every method of the application.
My test scripts seem to work fine for the notauser and the admuser test cases. But the code for testing the appuser bombs out when access to the administrative functions is being tested, at the point where it is supposed to log in and test the second runmode. When I tried to have it log out first, I still had fatal runtime errors which kill the script on the second iteration through the loop. It was unable to find the logout form or button, regardless of how many times I used $agent->back().
My test output looks like this:
```
1..350
#
# * * *
# Testuser: user2: dpruser1:e6zwd7CP
# * * *
# User is NOT an administrative user.
# dpruser1 logging in at https://192.168.0.101/auth-test/dprnew2.cgi.
# Status: 200 Success: 1
# URL: https://192.168.0.101/auth-test/dprnew2.cgi?rm=admin_AccessAdmin
ok 1 - DENIED: https://192.168.0.101/auth-test/dprnew2.cgi?rm=admin_AccessAdmin
ok 2 - DENIED: https://192.168.0.101/auth-test/dprnew2.cgi?rm=admin_AccessAdmin
There is no form named "loginform" at t/access_control.t line 53
No such field 'authen_username' at /usr/local/share/perl/5.8.7/WWW/Mechanize.pm line1052
# Looks like you planned 350 tests but only ran 2.
# Looks like your test died just after 2.
```

The relevant subroutine which generates these test results is reprinted below. Pay particular attention to the else clause of the condition testing whether the username ($u) matches the regular expression /adm/.
```perl
sub rm_adm_tests{
  my($u,$pw,$real,$baseurl) = @_;
  my($rm,$rmurl,$string);
  my @runmodes_adm = (
    'admin_AccessAdmin',
    'admin_CreateNewUser',
    'admin_EditUser',
    'admin_DeleteUser',
    'admin_CreateNewGroup',
    'admin_DeleteGroup',
  );
  if($u =~ /adm/){
    diag("User is an administrative user.");
  } else {
    diag("User is NOT an administrative user.");
  }
  diag("$u logging in at $baseurl.");
  RM: foreach $rm (@runmodes_adm){
    $test = login_mech($baseurl,$u,$pw);
    $rmurl = $baseurl."?rm=".$rm;
    if($real){
      next RM unless $test eq $u;
      $agent->follow_link (text_regex => qr/Administer User Access/i);
      if($u =~ /adm/){
        $test = stringify_test($agent->content,"User Administration Menu");
        if ($test = qr/User Administration Menu/){
          $agent->get($rmurl);
          $test = stringify_test($agent->content,"$rm");
          is($test, "$rm", "ACCESS: ".$agent->uri());
        }
        $agent->back;
        $agent->submit_form(form_name => 'logout', button => '.submit');
        $agent->reload();
      } else {
        diag("Status: ".$agent->status()."\tSuccess: ".
             $agent->success()."\nURL: ".$agent->uri());
        $string = stringify_test($agent->content,"User Administration Menu");
        unlike ($string, qr/User Administration Menu/, "DENIED: ".$agent->uri);
        $agent->get ($rmurl);
        $string = stringify_test($agent->content,$rm);
        unlike($string, qr/$rm/, "DENIED: ".$agent->uri());
        $agent->back;
      }
    } else {
      isnt ($test, $u, "$u denied access at Login.");
    }
  }
}
```
Re: Tests of Authz fail on 2d iteration.
by spiritway (Vicar) on Mar 10, 2006 at 06:28 UTC