[github/shaarli/Shaarli.git] / tests / api / ApiMiddlewareTest.php

<?php
namespace Shaarli\Api;

use Shaarli\Config\ConfigManager;

use Slim\Container;
use Slim\Http\Environment;
use Slim\Http\Request;
use Slim\Http\Response;

/**
 * Class ApiMiddlewareTest
 *
 * Test the REST API Slim Middleware.
 *
 * Note that we can't test a valid use case here, because the middleware
 * needs to call a valid controller/action during its execution.
 *
 * @package Api
 */
class ApiMiddlewareTest extends \PHPUnit_Framework_TestCase
{
    /**
     * @var string datastore to test write operations
     */
    protected static $testDatastore = 'sandbox/datastore.php';

    /**
     * @var \ConfigManager instance
     */
    protected $conf;

    /**
     * @var \ReferenceLinkDB instance.
     */
    protected $refDB = null;

    /**
     * @var Container instance.
     */
    protected $container;

    /**
     * Before every test, instantiate a new Api with its config, plugins and links.
     */
    public function setUp()
    {
        $this->conf = new ConfigManager('tests/utils/config/configJson.json.php');
        $this->conf->set('api.secret', 'NapoleonWasALizard');

        $this->refDB = new \ReferenceLinkDB();
        $this->refDB->write(self::$testDatastore);

        $this->container = new Container();
        $this->container['conf'] = $this->conf;
    }

    /**
     * After every test, remove the test datastore.
     */
    public function tearDown()
    {
        @unlink(self::$testDatastore);
    }

    /**
     * Invoke the middleware with the API disabled:
     * should return a 401 error Unauthorized.
     */
    public function testInvokeMiddlewareApiDisabled()
    {
        $this->conf->set('api.enabled', false);
        $mw = new ApiMiddleware($this->container);
        $env = Environment::mock([
            'REQUEST_METHOD' => 'GET',
            'REQUEST_URI' => '/echo',
        ]);
        $request = Request::createFromEnvironment($env);
        $response = new Response();
        /** @var Response $response */
        $response = $mw($request, $response, null);

        $this->assertEquals(401, $response->getStatusCode());
        $body = json_decode((string) $response->getBody());
        $this->assertEquals('Not authorized', $body);
    }

    /**
     * Invoke the middleware with the API disabled in debug mode:
     * should return a 401 error Unauthorized - with a specific message and a stacktrace.
     */
    public function testInvokeMiddlewareApiDisabledDebug()
    {
        $this->conf->set('api.enabled', false);
        $this->conf->set('dev.debug', true);
        $mw = new ApiMiddleware($this->container);
        $env = Environment::mock([
            'REQUEST_METHOD' => 'GET',
            'REQUEST_URI' => '/echo',
        ]);
        $request = Request::createFromEnvironment($env);
        $response = new Response();
        /** @var Response $response */
        $response = $mw($request, $response, null);

        $this->assertEquals(401, $response->getStatusCode());
        $body = json_decode((string) $response->getBody());
        $this->assertEquals('Not authorized: API is disabled', $body->message);
        $this->assertContains('ApiAuthorizationException', $body->stacktrace);
    }

    /**
     * Invoke the middleware without a token (debug):
     * should return a 401 error Unauthorized - with a specific message and a stacktrace.
     */
    public function testInvokeMiddlewareNoTokenProvidedDebug()
    {
        $this->conf->set('dev.debug', true);
        $mw = new ApiMiddleware($this->container);
        $env = Environment::mock([
            'REQUEST_METHOD' => 'GET',
            'REQUEST_URI' => '/echo',
        ]);
        $request = Request::createFromEnvironment($env);
        $response = new Response();
        /** @var Response $response */
        $response = $mw($request, $response, null);

        $this->assertEquals(401, $response->getStatusCode());
        $body = json_decode((string) $response->getBody());
        $this->assertEquals('Not authorized: JWT token not provided', $body->message);
        $this->assertContains('ApiAuthorizationException', $body->stacktrace);
    }

    /**
     * Invoke the middleware without a secret set in settings (debug):
     * should return a 401 error Unauthorized - with a specific message and a stacktrace.
     */
    public function testInvokeMiddlewareNoSecretSetDebug()
    {
        $this->conf->set('dev.debug', true);
        $this->conf->set('api.secret', '');
        $mw = new ApiMiddleware($this->container);
        $env = Environment::mock([
            'REQUEST_METHOD' => 'GET',
            'REQUEST_URI' => '/echo',
            'HTTP_AUTHORIZATION'=> 'Bearer jwt',
        ]);
        $request = Request::createFromEnvironment($env);
        $response = new Response();
        /** @var Response $response */
        $response = $mw($request, $response, null);

        $this->assertEquals(401, $response->getStatusCode());
        $body = json_decode((string) $response->getBody());
        $this->assertEquals('Not authorized: Token secret must be set in Shaarli\'s administration', $body->message);
        $this->assertContains('ApiAuthorizationException', $body->stacktrace);
    }

    /**
     * Invoke the middleware with an invalid JWT token header
     */
    public function testInvalidJwtAuthHeaderDebug()
    {
        $this->conf->set('dev.debug', true);
        $mw = new ApiMiddleware($this->container);
        $env = Environment::mock([
            'REQUEST_METHOD' => 'GET',
            'REQUEST_URI' => '/echo',
            'HTTP_AUTHORIZATION'=> 'PolarBearer jwt',
        ]);
        $request = Request::createFromEnvironment($env);
        $response = new Response();
        /** @var Response $response */
        $response = $mw($request, $response, null);

        $this->assertEquals(401, $response->getStatusCode());
        $body = json_decode((string) $response->getBody());
        $this->assertEquals('Not authorized: Invalid JWT header', $body->message);
        $this->assertContains('ApiAuthorizationException', $body->stacktrace);
    }

    /**
     * Invoke the middleware with an invalid JWT token (debug):
     * should return a 401 error Unauthorized - with a specific message and a stacktrace.
     *
     * Note: specific JWT errors tests are handled in ApiUtilsTest.
     */
    public function testInvokeMiddlewareInvalidJwtDebug()
    {
        $this->conf->set('dev.debug', true);
        $mw = new ApiMiddleware($this->container);
        $env = Environment::mock([
            'REQUEST_METHOD' => 'GET',
            'REQUEST_URI' => '/echo',
            'HTTP_AUTHORIZATION'=> 'Bearer jwt',
        ]);
        $request = Request::createFromEnvironment($env);
        $response = new Response();
        /** @var Response $response */
        $response = $mw($request, $response, null);

        $this->assertEquals(401, $response->getStatusCode());
        $body = json_decode((string) $response->getBody());
        $this->assertEquals('Not authorized: Malformed JWT token', $body->message);
        $this->assertContains('ApiAuthorizationException', $body->stacktrace);
    }
}
Commit	Line	Data
18e67967	1	<?php
18e67967 A	2	namespace Shaarli\Api;
18e67967 A	3
3c66e564 V	4	use Shaarli\Config\ConfigManager;
3c66e564 V	5
18e67967 A	6	use Slim\Container;
	7	use Slim\Http\Environment;
	8	use Slim\Http\Request;
	9	use Slim\Http\Response;
	10
	11	/**
	12	* Class ApiMiddlewareTest
	13	*
	14	* Test the REST API Slim Middleware.
	15	*
	16	* Note that we can't test a valid use case here, because the middleware
	17	* needs to call a valid controller/action during its execution.
	18	*
	19	* @package Api
	20	*/
	21	class ApiMiddlewareTest extends \PHPUnit_Framework_TestCase
	22	{
	23	/**
	24	* @var string datastore to test write operations
	25	*/
	26	protected static $testDatastore = 'sandbox/datastore.php';
	27
	28	/**
	29	* @var \ConfigManager instance
	30	*/
	31	protected $conf;
	32
	33	/**
	34	* @var \ReferenceLinkDB instance.
	35	*/
	36	protected $refDB = null;
	37
	38	/**
	39	* @var Container instance.
	40	*/
	41	protected $container;
	42
	43	/**
	44	* Before every test, instantiate a new Api with its config, plugins and links.
	45	*/
	46	public function setUp()
	47	{
3c66e564	48	$this->conf = new ConfigManager('tests/utils/config/configJson.json.php');
18e67967 A	49	$this->conf->set('api.secret', 'NapoleonWasALizard');
	50
	51	$this->refDB = new \ReferenceLinkDB();
	52	$this->refDB->write(self::$testDatastore);
	53
	54	$this->container = new Container();
	55	$this->container['conf'] = $this->conf;
	56	}
	57
	58	/**
	59	* After every test, remove the test datastore.
	60	*/
	61	public function tearDown()
	62	{
	63	@unlink(self::$testDatastore);
	64	}
	65
	66	/**
	67	* Invoke the middleware with the API disabled:
	68	* should return a 401 error Unauthorized.
	69	*/
	70	public function testInvokeMiddlewareApiDisabled()
	71	{
	72	$this->conf->set('api.enabled', false);
	73	$mw = new ApiMiddleware($this->container);
	74	$env = Environment::mock([
	75	'REQUEST_METHOD' => 'GET',
	76	'REQUEST_URI' => '/echo',
	77	]);
	78	$request = Request::createFromEnvironment($env);
	79	$response = new Response();
	80	/** @var Response $response */
	81	$response = $mw($request, $response, null);
	82
	83	$this->assertEquals(401, $response->getStatusCode());
	84	$body = json_decode((string) $response->getBody());
	85	$this->assertEquals('Not authorized', $body);
	86	}
	87
	88	/**
	89	* Invoke the middleware with the API disabled in debug mode:
	90	* should return a 401 error Unauthorized - with a specific message and a stacktrace.
	91	*/
	92	public function testInvokeMiddlewareApiDisabledDebug()
	93	{
	94	$this->conf->set('api.enabled', false);
	95	$this->conf->set('dev.debug', true);
	96	$mw = new ApiMiddleware($this->container);
	97	$env = Environment::mock([
	98	'REQUEST_METHOD' => 'GET',
	99	'REQUEST_URI' => '/echo',
	100	]);
	101	$request = Request::createFromEnvironment($env);
	102	$response = new Response();
	103	/** @var Response $response */
	104	$response = $mw($request, $response, null);
	105
	106	$this->assertEquals(401, $response->getStatusCode());
	107	$body = json_decode((string) $response->getBody());
	108	$this->assertEquals('Not authorized: API is disabled', $body->message);
	109	$this->assertContains('ApiAuthorizationException', $body->stacktrace);
	110	}
	111
	112	/**
113	* Invoke the middleware without a token (debug):
114	* should return a 401 error Unauthorized - with a specific message and a stacktrace.
115	*/
116	public function testInvokeMiddlewareNoTokenProvidedDebug()
117	{
118	$this->conf->set('dev.debug', true);
119	$mw = new ApiMiddleware($this->container);
120	$env = Environment::mock([
121	'REQUEST_METHOD' => 'GET',
122	'REQUEST_URI' => '/echo',
123	]);
124	$request = Request::createFromEnvironment($env);
125	$response = new Response();
126	/** @var Response $response */
127	$response = $mw($request, $response, null);
128
129	$this->assertEquals(401, $response->getStatusCode());
130	$body = json_decode((string) $response->getBody());
131	$this->assertEquals('Not authorized: JWT token not provided', $body->message);
132	$this->assertContains('ApiAuthorizationException', $body->stacktrace);
133	}
134
135	/**
136	* Invoke the middleware without a secret set in settings (debug):
137	* should return a 401 error Unauthorized - with a specific message and a stacktrace.
138	*/
139	public function testInvokeMiddlewareNoSecretSetDebug()
140	{
141	$this->conf->set('dev.debug', true);
142	$this->conf->set('api.secret', '');
143	$mw = new ApiMiddleware($this->container);
144	$env = Environment::mock([
145	'REQUEST_METHOD' => 'GET',
146	'REQUEST_URI' => '/echo',
63ef5497	147	'HTTP_AUTHORIZATION'=> 'Bearer jwt',
18e67967 A	148	]);
	149	$request = Request::createFromEnvironment($env);
	150	$response = new Response();
	151	/** @var Response $response */
	152	$response = $mw($request, $response, null);
	153
	154	$this->assertEquals(401, $response->getStatusCode());
	155	$body = json_decode((string) $response->getBody());
	156	$this->assertEquals('Not authorized: Token secret must be set in Shaarli\'s administration', $body->message);
	157	$this->assertContains('ApiAuthorizationException', $body->stacktrace);
	158	}
	159
	160	/**
63ef5497 V	161	* Invoke the middleware with an invalid JWT token header
	162	*/
	163	public function testInvalidJwtAuthHeaderDebug()
	164	{
	165	$this->conf->set('dev.debug', true);
	166	$mw = new ApiMiddleware($this->container);
	167	$env = Environment::mock([
	168	'REQUEST_METHOD' => 'GET',
	169	'REQUEST_URI' => '/echo',
	170	'HTTP_AUTHORIZATION'=> 'PolarBearer jwt',
	171	]);
	172	$request = Request::createFromEnvironment($env);
	173	$response = new Response();
	174	/** @var Response $response */
	175	$response = $mw($request, $response, null);
	176
	177	$this->assertEquals(401, $response->getStatusCode());
	178	$body = json_decode((string) $response->getBody());
	179	$this->assertEquals('Not authorized: Invalid JWT header', $body->message);
	180	$this->assertContains('ApiAuthorizationException', $body->stacktrace);
	181	}
	182
	183	/**
	184	* Invoke the middleware with an invalid JWT token (debug):
18e67967 A	185	* should return a 401 error Unauthorized - with a specific message and a stacktrace.
	186	*
	187	* Note: specific JWT errors tests are handled in ApiUtilsTest.
	188	*/
	189	public function testInvokeMiddlewareInvalidJwtDebug()
	190	{
	191	$this->conf->set('dev.debug', true);
	192	$mw = new ApiMiddleware($this->container);
	193	$env = Environment::mock([
	194	'REQUEST_METHOD' => 'GET',
	195	'REQUEST_URI' => '/echo',
63ef5497	196	'HTTP_AUTHORIZATION'=> 'Bearer jwt',
18e67967 A	197	]);
	198	$request = Request::createFromEnvironment($env);
	199	$response = new Response();
	200	/** @var Response $response */
	201	$response = $mw($request, $response, null);
	202
	203	$this->assertEquals(401, $response->getStatusCode());
	204	$body = json_decode((string) $response->getBody());
	205	$this->assertEquals('Not authorized: Malformed JWT token', $body->message);
	206	$this->assertContains('ApiAuthorizationException', $body->stacktrace);
	207	}
	208	}