git.immae.eu Git - github/shaarli/Shaarli.git/blame - tests/api/ApiMiddlewareTest.php
Compatibility with PHPUnit 9
18e67967 1<?php
2namespace Shaarli\Api;
3
3c66e564 4use Shaarli\Config\ConfigManager;
e26e2060 5use Shaarli\History;
6use Slim\Container;
7use Slim\Http\Environment;
8use Slim\Http\Request;
9use Slim\Http\Response;
10
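/**
 * Class ApiMiddlewareTest
 *
 * Test the REST API Slim Middleware.
 *
 * Note that we can't test a valid use case here, because the middleware
 * needs to call a valid controller/action during its execution.
 *
 * Every test in this class therefore exercises a rejection path and expects
 * HTTP 401. The detailed reason and the stacktrace are only expected when
 * `dev.debug` is enabled; with debug off the body must be the generic
 * "Not authorized" string, so that the response does not reveal why the
 * request was refused.
 *
 * NOTE(review): only the "API disabled" case has a non-debug counterpart in
 * this file. The missing-token, missing-secret, invalid-header and
 * malformed-token cases are asserted in debug mode only, so a regression that
 * leaked the detailed message or stacktrace with debug off would not be caught
 * here for those cases.
 *
 * @package Api
 */
class ApiMiddlewareTest extends \Shaarli\TestCase
{
    /**
     * @var string datastore to test write operations
     */
    protected static $testDatastore = 'sandbox/datastore.php';

    /**
     * @var ConfigManager instance
     */
    protected $conf;

    /**
     * @var \ReferenceLinkDB instance.
     */
    protected $refDB = null;

    /**
     * @var Container instance.
     */
    protected $container;

    /**
     * Before every test, instantiate a new Api with its config, plugins and bookmarks.
     */
    protected function setUp(): void
    {
        $this->conf = new ConfigManager('tests/utils/config/configJson');
        // Fixed fixture value for the token secret; individual tests override it when needed.
        $this->conf->set('api.secret', 'NapoleonWasALizard');

        $this->refDB = new \ReferenceLinkDB();
        $this->refDB->write(self::$testDatastore);

        $history = new History('sandbox/history.php');

        $this->container = new Container();
        $this->container['conf'] = $this->conf;
        $this->container['history'] = $history;
    }

    /**
     * After every test, remove the test datastore.
     */
    protected function tearDown(): void
    {
        // Best-effort cleanup: the file may already be absent, hence the suppressed warning.
        @unlink(self::$testDatastore);
    }

    /**
     * Invoke the middleware with the API disabled:
     * should return a 401 error Unauthorized.
     *
     * Debug mode is off here, so the body must be exactly the generic string:
     * no detailed reason and no stacktrace.
     */
    public function testInvokeMiddlewareApiDisabled(): void
    {
        $this->conf->set('api.enabled', false);

        $response = $this->invokeMiddleware();

        $this->assertSame(401, $response->getStatusCode());
        $body = json_decode((string) $response->getBody());
        // Strict comparison: the decoded body has to be a plain string, not an object with details.
        $this->assertSame('Not authorized', $body);
    }

    /**
     * Invoke the middleware with the API disabled in debug mode:
     * should return a 401 error Unauthorized - with a specific message and a stacktrace.
     */
    public function testInvokeMiddlewareApiDisabledDebug(): void
    {
        $this->conf->set('api.enabled', false);
        $this->conf->set('dev.debug', true);

        $response = $this->invokeMiddleware();

        $this->assertDebugUnauthorized($response, 'Not authorized: API is disabled');
    }

    /**
     * Invoke the middleware without a token (debug):
     * should return a 401 error Unauthorized - with a specific message and a stacktrace.
     */
    public function testInvokeMiddlewareNoTokenProvidedDebug(): void
    {
        $this->conf->set('dev.debug', true);

        $response = $this->invokeMiddleware();

        $this->assertDebugUnauthorized($response, 'Not authorized: JWT token not provided');
    }

    /**
     * Invoke the middleware without a secret set in settings (debug):
     * should return a 401 error Unauthorized - with a specific message and a stacktrace.
     */
    public function testInvokeMiddlewareNoSecretSetDebug(): void
    {
        $this->conf->set('dev.debug', true);
        // An empty secret must be rejected even though a Bearer header is present.
        $this->conf->set('api.secret', '');

        $response = $this->invokeMiddleware(['HTTP_AUTHORIZATION' => 'Bearer jwt']);

        $this->assertDebugUnauthorized(
            $response,
            'Not authorized: Token secret must be set in Shaarli\'s administration'
        );
    }

    /**
     * Invoke the middleware with an invalid JWT token header
     */
    public function testInvalidJwtAuthHeaderDebug(): void
    {
        $this->conf->set('dev.debug', true);

        // The scheme is not "Bearer", so the header itself must be refused.
        $response = $this->invokeMiddleware(['HTTP_AUTHORIZATION' => 'PolarBearer jwt']);

        $this->assertDebugUnauthorized($response, 'Not authorized: Invalid JWT header');
    }

    /**
     * Invoke the middleware with an invalid JWT token (debug):
     * should return a 401 error Unauthorized - with a specific message and a stacktrace.
     *
     * Note: specific JWT errors tests are handled in ApiUtilsTest.
     */
    public function testInvokeMiddlewareInvalidJwtDebug(): void
    {
        $this->conf->set('dev.debug', true);

        $response = $this->invokeMiddleware(['HTTP_AUTHORIZATION' => 'Bearer jwt']);

        $this->assertDebugUnauthorized($response, 'Not authorized: Malformed JWT token');
    }

    /**
     * Build a mocked `GET /echo` request and run it through a fresh ApiMiddleware.
     *
     * The middleware is created after the calling test has adjusted the
     * configuration, and `null` is passed as the third argument exactly as the
     * individual tests did before this helper existed.
     *
     * @param array $extraEnv Additional environment entries, e.g. HTTP_AUTHORIZATION.
     *
     * @return Response Response returned by the middleware.
     */
    private function invokeMiddleware(array $extraEnv = [])
    {
        $mw = new ApiMiddleware($this->container);
        $env = Environment::mock(array_merge(
            [
                'REQUEST_METHOD' => 'GET',
                'REQUEST_URI' => '/echo',
            ],
            $extraEnv
        ));
        $request = Request::createFromEnvironment($env);

        /** @var Response $response */
        $response = $mw($request, new Response(), null);

        return $response;
    }

    /**
     * Assert a debug-mode rejection: 401, the expected detailed message, and a
     * stacktrace that names ApiAuthorizationException.
     *
     * @param Response $response        Response returned by the middleware.
     * @param string   $expectedMessage Exact message expected in the JSON body.
     */
    private function assertDebugUnauthorized($response, $expectedMessage)
    {
        $this->assertSame(401, $response->getStatusCode());
        $body = json_decode((string) $response->getBody());
        $this->assertSame($expectedMessage, $body->message);
        $this->assertContainsPolyfill('ApiAuthorizationException', $body->stacktrace);
    }
}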