Knah-Tsaeb/MyShaarli
Knah-Tsaeb/MyShaarli
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
MyShaarli/tests/api/ApiMiddlewareTest.php

208 lines
7 KiB
PHP
Raw Normal View History

REST API structure using Slim framework * REST API routes are handle by Slim. * Every API controller go through ApiMiddleware which handles security. * First service implemented `/info`, for tests purpose.
2016-12-15 10:13:00 +01:00
<?php
namespace Shaarli\Api;
application: introduce the Shaarli\Config namespace Namespaces have been introduced with the REST API, and should be generalized to the whole codebase to manage object scope and benefit from autoloading. See: - https://secure.php.net/manual/en/language.namespaces.php - http://www.php-fig.org/psr/psr-4/ Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2017-03-03 23:06:12 +01:00
use Shaarli\Config\ConfigManager;
REST API structure using Slim framework * REST API routes are handle by Slim. * Every API controller go through ApiMiddleware which handles security. * First service implemented `/info`, for tests purpose.
2016-12-15 10:13:00 +01:00
use Slim\Container;
use Slim\Http\Environment;
use Slim\Http\Request;
use Slim\Http\Response;
/**
* Class ApiMiddlewareTest
*
* Test the REST API Slim Middleware.
*
* Note that we can't test a valid use case here, because the middleware
* needs to call a valid controller/action during its execution.
*
* @package Api
*/
Optimize and cleanup imports Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2019-01-12 23:55:38 +01:00
class ApiMiddlewareTest extends \PHPUnit\Framework\TestCase
REST API structure using Slim framework * REST API routes are handle by Slim. * Every API controller go through ApiMiddleware which handles security. * First service implemented `/info`, for tests purpose.
2016-12-15 10:13:00 +01:00
{
/**
* @var string datastore to test write operations
*/
protected static $testDatastore = 'sandbox/datastore.php';
/**
* @var \ConfigManager instance
*/
protected $conf;
/**
* @var \ReferenceLinkDB instance.
*/
protected $refDB = null;
/**
* @var Container instance.
*/
protected $container;
/**
* Before every test, instantiate a new Api with its config, plugins and links.
*/
public function setUp()
{
application: introduce the Shaarli\Config namespace Namespaces have been introduced with the REST API, and should be generalized to the whole codebase to manage object scope and benefit from autoloading. See: - https://secure.php.net/manual/en/language.namespaces.php - http://www.php-fig.org/psr/psr-4/ Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2017-03-03 23:06:12 +01:00
$this->conf = new ConfigManager('tests/utils/config/configJson.json.php');
REST API structure using Slim framework * REST API routes are handle by Slim. * Every API controller go through ApiMiddleware which handles security. * First service implemented `/info`, for tests purpose.
2016-12-15 10:13:00 +01:00
$this->conf->set('api.secret', 'NapoleonWasALizard');
$this->refDB = new \ReferenceLinkDB();
$this->refDB->write(self::$testDatastore);
$this->container = new Container();
$this->container['conf'] = $this->conf;
}
/**
* After every test, remove the test datastore.
*/
public function tearDown()
{
@unlink(self::$testDatastore);
}
/**
* Invoke the middleware with the API disabled:
* should return a 401 error Unauthorized.
*/
public function testInvokeMiddlewareApiDisabled()
{
$this->conf->set('api.enabled', false);
$mw = new ApiMiddleware($this->container);
$env = Environment::mock([
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => '/echo',
]);
$request = Request::createFromEnvironment($env);
$response = new Response();
/** @var Response $response */
$response = $mw($request, $response, null);
$this->assertEquals(401, $response->getStatusCode());
$body = json_decode((string) $response->getBody());
$this->assertEquals('Not authorized', $body);
}
/**
* Invoke the middleware with the API disabled in debug mode:
* should return a 401 error Unauthorized - with a specific message and a stacktrace.
*/
public function testInvokeMiddlewareApiDisabledDebug()
{
$this->conf->set('api.enabled', false);
$this->conf->set('dev.debug', true);
$mw = new ApiMiddleware($this->container);
$env = Environment::mock([
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => '/echo',
]);
$request = Request::createFromEnvironment($env);
$response = new Response();
/** @var Response $response */
$response = $mw($request, $response, null);
$this->assertEquals(401, $response->getStatusCode());
$body = json_decode((string) $response->getBody());
$this->assertEquals('Not authorized: API is disabled', $body->message);
$this->assertContains('ApiAuthorizationException', $body->stacktrace);
}
/**
* Invoke the middleware without a token (debug):
* should return a 401 error Unauthorized - with a specific message and a stacktrace.
*/
public function testInvokeMiddlewareNoTokenProvidedDebug()
{
$this->conf->set('dev.debug', true);
$mw = new ApiMiddleware($this->container);
$env = Environment::mock([
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => '/echo',
]);
$request = Request::createFromEnvironment($env);
$response = new Response();
/** @var Response $response */
$response = $mw($request, $response, null);
$this->assertEquals(401, $response->getStatusCode());
$body = json_decode((string) $response->getBody());
$this->assertEquals('Not authorized: JWT token not provided', $body->message);
$this->assertContains('ApiAuthorizationException', $body->stacktrace);
}
/**
* Invoke the middleware without a secret set in settings (debug):
* should return a 401 error Unauthorized - with a specific message and a stacktrace.
*/
public function testInvokeMiddlewareNoSecretSetDebug()
{
$this->conf->set('dev.debug', true);
$this->conf->set('api.secret', '');
$mw = new ApiMiddleware($this->container);
$env = Environment::mock([
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => '/echo',
API: expect JWT in the Authorization header Relates to https://github.com/shaarli/Shaarli/pull/731 Added: - require the presence of the 'Authorization' header Changed: - use the HTTP Bearer Token authorization schema See: - https://jwt.io/introduction/#how-do-json-web-tokens-work- - https://tools.ietf.org/html/rfc6750 - http://security.stackexchange.com/q/108662 Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2017-01-07 22:23:47 +01:00
'HTTP_AUTHORIZATION'=> 'Bearer jwt',
REST API structure using Slim framework * REST API routes are handle by Slim. * Every API controller go through ApiMiddleware which handles security. * First service implemented `/info`, for tests purpose.
2016-12-15 10:13:00 +01:00
]);
$request = Request::createFromEnvironment($env);
$response = new Response();
/** @var Response $response */
$response = $mw($request, $response, null);
$this->assertEquals(401, $response->getStatusCode());
$body = json_decode((string) $response->getBody());
$this->assertEquals('Not authorized: Token secret must be set in Shaarli\'s administration', $body->message);
$this->assertContains('ApiAuthorizationException', $body->stacktrace);
}
/**
API: expect JWT in the Authorization header Relates to https://github.com/shaarli/Shaarli/pull/731 Added: - require the presence of the 'Authorization' header Changed: - use the HTTP Bearer Token authorization schema See: - https://jwt.io/introduction/#how-do-json-web-tokens-work- - https://tools.ietf.org/html/rfc6750 - http://security.stackexchange.com/q/108662 Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2017-01-07 22:23:47 +01:00
* Invoke the middleware with an invalid JWT token header
*/
public function testInvalidJwtAuthHeaderDebug()
{
$this->conf->set('dev.debug', true);
$mw = new ApiMiddleware($this->container);
$env = Environment::mock([
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => '/echo',
'HTTP_AUTHORIZATION'=> 'PolarBearer jwt',
]);
$request = Request::createFromEnvironment($env);
$response = new Response();
/** @var Response $response */
$response = $mw($request, $response, null);
$this->assertEquals(401, $response->getStatusCode());
$body = json_decode((string) $response->getBody());
$this->assertEquals('Not authorized: Invalid JWT header', $body->message);
$this->assertContains('ApiAuthorizationException', $body->stacktrace);
}
/**
* Invoke the middleware with an invalid JWT token (debug):
REST API structure using Slim framework * REST API routes are handle by Slim. * Every API controller go through ApiMiddleware which handles security. * First service implemented `/info`, for tests purpose.
2016-12-15 10:13:00 +01:00
* should return a 401 error Unauthorized - with a specific message and a stacktrace.
*
* Note: specific JWT errors tests are handled in ApiUtilsTest.
*/
public function testInvokeMiddlewareInvalidJwtDebug()
{
$this->conf->set('dev.debug', true);
$mw = new ApiMiddleware($this->container);
$env = Environment::mock([
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => '/echo',
API: expect JWT in the Authorization header Relates to https://github.com/shaarli/Shaarli/pull/731 Added: - require the presence of the 'Authorization' header Changed: - use the HTTP Bearer Token authorization schema See: - https://jwt.io/introduction/#how-do-json-web-tokens-work- - https://tools.ietf.org/html/rfc6750 - http://security.stackexchange.com/q/108662 Signed-off-by: VirtualTam <virtualtam@flibidi.net>
2017-01-07 22:23:47 +01:00
'HTTP_AUTHORIZATION'=> 'Bearer jwt',
REST API structure using Slim framework * REST API routes are handle by Slim. * Every API controller go through ApiMiddleware which handles security. * First service implemented `/info`, for tests purpose.
2016-12-15 10:13:00 +01:00
]);
$request = Request::createFromEnvironment($env);
$response = new Response();
/** @var Response $response */
$response = $mw($request, $response, null);
$this->assertEquals(401, $response->getStatusCode());
$body = json_decode((string) $response->getBody());
$this->assertEquals('Not authorized: Malformed JWT token', $body->message);
$this->assertContains('ApiAuthorizationException', $body->stacktrace);
}
}
Reference in a new issue Copy permalink