2016-12-15 10:13:00 +01:00
|
|
|
<?php
|
2021-04-05 09:39:34 +02:00
|
|
|
|
2016-12-15 10:13:00 +01:00
|
|
|
namespace Shaarli\Api;
|
|
|
|
|
|
2017-03-03 23:06:12 +01:00
|
|
|
use Shaarli\Config\ConfigManager;
|
2020-01-17 21:34:12 +01:00
|
|
|
use Shaarli\History;
|
2021-01-20 15:59:00 +01:00
|
|
|
use Shaarli\Plugin\PluginManager;
|
2021-04-05 11:00:28 +02:00
|
|
|
use Shaarli\Tests\Utils\ReferenceLinkDB;
|
2016-12-15 10:13:00 +01:00
|
|
|
use Slim\Container;
|
|
|
|
|
use Slim\Http\Environment;
|
|
|
|
|
use Slim\Http\Request;
|
|
|
|
|
use Slim\Http\Response;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Class ApiMiddlewareTest
|
|
|
|
|
*
|
|
|
|
|
* Test the REST API Slim Middleware.
|
|
|
|
|
*
|
|
|
|
|
* Note that we can't test a valid use case here, because the middleware
|
|
|
|
|
* needs to call a valid controller/action during its execution.
|
|
|
|
|
*
|
|
|
|
|
* @package Api
|
|
|
|
|
*/
|
2020-09-29 14:41:40 +02:00
|
|
|
class ApiMiddlewareTest extends \Shaarli\TestCase
|
2016-12-15 10:13:00 +01:00
|
|
|
{
|
|
|
|
|
/**
|
|
|
|
|
* @var string datastore to test write operations
|
|
|
|
|
*/
|
|
|
|
|
protected static $testDatastore = 'sandbox/datastore.php';
|
|
|
|
|
|
|
|
|
|
/**
|
2020-09-29 14:41:40 +02:00
|
|
|
* @var ConfigManager instance
|
2016-12-15 10:13:00 +01:00
|
|
|
*/
|
|
|
|
|
protected $conf;
|
|
|
|
|
|
|
|
|
|
/**
|
2021-04-05 11:00:28 +02:00
|
|
|
* @var ReferenceLinkDB instance.
|
2016-12-15 10:13:00 +01:00
|
|
|
*/
|
|
|
|
|
protected $refDB = null;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @var Container instance.
|
|
|
|
|
*/
|
|
|
|
|
protected $container;
|
|
|
|
|
|
|
|
|
|
/**
|
2020-01-17 21:34:12 +01:00
|
|
|
* Before every test, instantiate a new Api with its config, plugins and bookmarks.
|
2016-12-15 10:13:00 +01:00
|
|
|
*/
|
2020-09-26 15:08:39 +02:00
|
|
|
protected function setUp(): void
|
2016-12-15 10:13:00 +01:00
|
|
|
{
|
2020-01-17 21:34:12 +01:00
|
|
|
$this->conf = new ConfigManager('tests/utils/config/configJson');
|
2016-12-15 10:13:00 +01:00
|
|
|
$this->conf->set('api.secret', 'NapoleonWasALizard');
|
|
|
|
|
|
2021-04-05 11:00:28 +02:00
|
|
|
$this->refDB = new ReferenceLinkDB();
|
2016-12-15 10:13:00 +01:00
|
|
|
$this->refDB->write(self::$testDatastore);
|
|
|
|
|
|
2020-01-17 21:34:12 +01:00
|
|
|
$history = new History('sandbox/history.php');
|
|
|
|
|
|
2016-12-15 10:13:00 +01:00
|
|
|
$this->container = new Container();
|
|
|
|
|
$this->container['conf'] = $this->conf;
|
2020-01-17 21:34:12 +01:00
|
|
|
$this->container['history'] = $history;
|
2021-01-20 15:59:00 +01:00
|
|
|
$this->container['pluginManager'] = new PluginManager($this->conf);
|
2016-12-15 10:13:00 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* After every test, remove the test datastore.
|
|
|
|
|
*/
|
2020-09-26 15:08:39 +02:00
|
|
|
protected function tearDown(): void
|
2016-12-15 10:13:00 +01:00
|
|
|
{
|
|
|
|
|
@unlink(self::$testDatastore);
|
|
|
|
|
}
|
|
|
|
|
|
2020-09-30 15:57:57 +02:00
|
|
|
/**
|
|
|
|
|
* Invoke the middleware with a valid token
|
|
|
|
|
*/
|
|
|
|
|
public function testInvokeMiddlewareWithValidToken(): void
|
|
|
|
|
{
|
|
|
|
|
$next = function (Request $request, Response $response): Response {
|
|
|
|
|
return $response;
|
|
|
|
|
};
|
|
|
|
|
$mw = new ApiMiddleware($this->container);
|
|
|
|
|
$env = Environment::mock([
|
|
|
|
|
'REQUEST_METHOD' => 'GET',
|
|
|
|
|
'REQUEST_URI' => '/echo',
|
2021-04-05 09:39:34 +02:00
|
|
|
'HTTP_AUTHORIZATION' => 'Bearer ' . ApiUtilsTest::generateValidJwtToken('NapoleonWasALizard'),
|
2020-09-30 15:57:57 +02:00
|
|
|
]);
|
|
|
|
|
$request = Request::createFromEnvironment($env);
|
|
|
|
|
$response = new Response();
|
|
|
|
|
/** @var Response $response */
|
|
|
|
|
$response = $mw($request, $response, $next);
|
|
|
|
|
|
|
|
|
|
$this->assertEquals(200, $response->getStatusCode());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Invoke the middleware with a valid token
|
|
|
|
|
* Using specific Apache CGI redirected authorization.
|
|
|
|
|
*/
|
|
|
|
|
public function testInvokeMiddlewareWithValidTokenFromRedirectedHeader(): void
|
|
|
|
|
{
|
|
|
|
|
$next = function (Request $request, Response $response): Response {
|
|
|
|
|
return $response;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
$token = 'Bearer ' . ApiUtilsTest::generateValidJwtToken('NapoleonWasALizard');
|
|
|
|
|
$this->container->environment['REDIRECT_HTTP_AUTHORIZATION'] = $token;
|
|
|
|
|
$mw = new ApiMiddleware($this->container);
|
|
|
|
|
$env = Environment::mock([
|
|
|
|
|
'REQUEST_METHOD' => 'GET',
|
|
|
|
|
'REQUEST_URI' => '/echo',
|
|
|
|
|
]);
|
|
|
|
|
$request = Request::createFromEnvironment($env);
|
|
|
|
|
$response = new Response();
|
|
|
|
|
/** @var Response $response */
|
|
|
|
|
$response = $mw($request, $response, $next);
|
|
|
|
|
|
|
|
|
|
$this->assertEquals(200, $response->getStatusCode());
|
|
|
|
|
}
|
|
|
|
|
|
2016-12-15 10:13:00 +01:00
|
|
|
/**
|
|
|
|
|
* Invoke the middleware with the API disabled:
|
|
|
|
|
* should return a 401 error Unauthorized.
|
|
|
|
|
*/
|
|
|
|
|
public function testInvokeMiddlewareApiDisabled()
|
|
|
|
|
{
|
|
|
|
|
$this->conf->set('api.enabled', false);
|
|
|
|
|
$mw = new ApiMiddleware($this->container);
|
|
|
|
|
$env = Environment::mock([
|
|
|
|
|
'REQUEST_METHOD' => 'GET',
|
|
|
|
|
'REQUEST_URI' => '/echo',
|
|
|
|
|
]);
|
|
|
|
|
$request = Request::createFromEnvironment($env);
|
|
|
|
|
$response = new Response();
|
|
|
|
|
/** @var Response $response */
|
|
|
|
|
$response = $mw($request, $response, null);
|
|
|
|
|
|
|
|
|
|
$this->assertEquals(401, $response->getStatusCode());
|
|
|
|
|
$body = json_decode((string) $response->getBody());
|
|
|
|
|
$this->assertEquals('Not authorized', $body);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Invoke the middleware with the API disabled in debug mode:
|
|
|
|
|
* should return a 401 error Unauthorized - with a specific message and a stacktrace.
|
|
|
|
|
*/
|
|
|
|
|
public function testInvokeMiddlewareApiDisabledDebug()
|
|
|
|
|
{
|
|
|
|
|
$this->conf->set('api.enabled', false);
|
|
|
|
|
$this->conf->set('dev.debug', true);
|
|
|
|
|
$mw = new ApiMiddleware($this->container);
|
|
|
|
|
$env = Environment::mock([
|
|
|
|
|
'REQUEST_METHOD' => 'GET',
|
|
|
|
|
'REQUEST_URI' => '/echo',
|
|
|
|
|
]);
|
|
|
|
|
$request = Request::createFromEnvironment($env);
|
|
|
|
|
$response = new Response();
|
|
|
|
|
/** @var Response $response */
|
|
|
|
|
$response = $mw($request, $response, null);
|
|
|
|
|
|
|
|
|
|
$this->assertEquals(401, $response->getStatusCode());
|
|
|
|
|
$body = json_decode((string) $response->getBody());
|
|
|
|
|
$this->assertEquals('Not authorized: API is disabled', $body->message);
|
2020-09-29 14:41:40 +02:00
|
|
|
$this->assertContainsPolyfill('ApiAuthorizationException', $body->stacktrace);
|
2016-12-15 10:13:00 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Invoke the middleware without a token (debug):
|
|
|
|
|
* should return a 401 error Unauthorized - with a specific message and a stacktrace.
|
|
|
|
|
*/
|
|
|
|
|
public function testInvokeMiddlewareNoTokenProvidedDebug()
|
|
|
|
|
{
|
|
|
|
|
$this->conf->set('dev.debug', true);
|
|
|
|
|
$mw = new ApiMiddleware($this->container);
|
|
|
|
|
$env = Environment::mock([
|
|
|
|
|
'REQUEST_METHOD' => 'GET',
|
|
|
|
|
'REQUEST_URI' => '/echo',
|
|
|
|
|
]);
|
|
|
|
|
$request = Request::createFromEnvironment($env);
|
|
|
|
|
$response = new Response();
|
|
|
|
|
/** @var Response $response */
|
|
|
|
|
$response = $mw($request, $response, null);
|
|
|
|
|
|
|
|
|
|
$this->assertEquals(401, $response->getStatusCode());
|
|
|
|
|
$body = json_decode((string) $response->getBody());
|
|
|
|
|
$this->assertEquals('Not authorized: JWT token not provided', $body->message);
|
2020-09-29 14:41:40 +02:00
|
|
|
$this->assertContainsPolyfill('ApiAuthorizationException', $body->stacktrace);
|
2016-12-15 10:13:00 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Invoke the middleware without a secret set in settings (debug):
|
|
|
|
|
* should return a 401 error Unauthorized - with a specific message and a stacktrace.
|
|
|
|
|
*/
|
|
|
|
|
public function testInvokeMiddlewareNoSecretSetDebug()
|
|
|
|
|
{
|
|
|
|
|
$this->conf->set('dev.debug', true);
|
|
|
|
|
$this->conf->set('api.secret', '');
|
|
|
|
|
$mw = new ApiMiddleware($this->container);
|
|
|
|
|
$env = Environment::mock([
|
|
|
|
|
'REQUEST_METHOD' => 'GET',
|
|
|
|
|
'REQUEST_URI' => '/echo',
|
2021-04-05 09:39:34 +02:00
|
|
|
'HTTP_AUTHORIZATION' => 'Bearer jwt',
|
2016-12-15 10:13:00 +01:00
|
|
|
]);
|
|
|
|
|
$request = Request::createFromEnvironment($env);
|
|
|
|
|
$response = new Response();
|
|
|
|
|
/** @var Response $response */
|
|
|
|
|
$response = $mw($request, $response, null);
|
|
|
|
|
|
|
|
|
|
$this->assertEquals(401, $response->getStatusCode());
|
|
|
|
|
$body = json_decode((string) $response->getBody());
|
|
|
|
|
$this->assertEquals('Not authorized: Token secret must be set in Shaarli\'s administration', $body->message);
|
2020-09-29 14:41:40 +02:00
|
|
|
$this->assertContainsPolyfill('ApiAuthorizationException', $body->stacktrace);
|
2016-12-15 10:13:00 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2017-01-07 22:23:47 +01:00
|
|
|
* Invoke the middleware with an invalid JWT token header
|
|
|
|
|
*/
|
|
|
|
|
public function testInvalidJwtAuthHeaderDebug()
|
|
|
|
|
{
|
|
|
|
|
$this->conf->set('dev.debug', true);
|
|
|
|
|
$mw = new ApiMiddleware($this->container);
|
|
|
|
|
$env = Environment::mock([
|
|
|
|
|
'REQUEST_METHOD' => 'GET',
|
|
|
|
|
'REQUEST_URI' => '/echo',
|
2021-04-05 09:39:34 +02:00
|
|
|
'HTTP_AUTHORIZATION' => 'PolarBearer jwt',
|
2017-01-07 22:23:47 +01:00
|
|
|
]);
|
|
|
|
|
$request = Request::createFromEnvironment($env);
|
|
|
|
|
$response = new Response();
|
|
|
|
|
/** @var Response $response */
|
|
|
|
|
$response = $mw($request, $response, null);
|
|
|
|
|
|
|
|
|
|
$this->assertEquals(401, $response->getStatusCode());
|
|
|
|
|
$body = json_decode((string) $response->getBody());
|
|
|
|
|
$this->assertEquals('Not authorized: Invalid JWT header', $body->message);
|
2020-09-29 14:41:40 +02:00
|
|
|
$this->assertContainsPolyfill('ApiAuthorizationException', $body->stacktrace);
|
2017-01-07 22:23:47 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Invoke the middleware with an invalid JWT token (debug):
|
2016-12-15 10:13:00 +01:00
|
|
|
* should return a 401 error Unauthorized - with a specific message and a stacktrace.
|
|
|
|
|
*
|
|
|
|
|
* Note: specific JWT errors tests are handled in ApiUtilsTest.
|
|
|
|
|
*/
|
|
|
|
|
public function testInvokeMiddlewareInvalidJwtDebug()
|
|
|
|
|
{
|
|
|
|
|
$this->conf->set('dev.debug', true);
|
|
|
|
|
$mw = new ApiMiddleware($this->container);
|
|
|
|
|
$env = Environment::mock([
|
|
|
|
|
'REQUEST_METHOD' => 'GET',
|
|
|
|
|
'REQUEST_URI' => '/echo',
|
2021-04-05 09:39:34 +02:00
|
|
|
'HTTP_AUTHORIZATION' => 'Bearer jwt',
|
2016-12-15 10:13:00 +01:00
|
|
|
]);
|
|
|
|
|
$request = Request::createFromEnvironment($env);
|
|
|
|
|
$response = new Response();
|
|
|
|
|
/** @var Response $response */
|
|
|
|
|
$response = $mw($request, $response, null);
|
|
|
|
|
|
|
|
|
|
$this->assertEquals(401, $response->getStatusCode());
|
|
|
|
|
$body = json_decode((string) $response->getBody());
|
|
|
|
|
$this->assertEquals('Not authorized: Malformed JWT token', $body->message);
|
2020-09-29 14:41:40 +02:00
|
|
|
$this->assertContainsPolyfill('ApiAuthorizationException', $body->stacktrace);
|
2016-12-15 10:13:00 +01:00
|
|
|
}
|
|
|
|
|
}
|
