[github/shaarli/Shaarli.git] / tests / api / ApiMiddlewareTest.php

<?php
namespace Shaarli\Api;

use Shaarli\Config\ConfigManager;
use Slim\Container;
use Slim\Http\Environment;
use Slim\Http\Request;
use Slim\Http\Response;

/**
 * Class ApiMiddlewareTest
 *
 * Test the REST API Slim Middleware.
 *
 * Note that we can't test a valid use case here, because the middleware
 * needs to call a valid controller/action during its execution.
 *
 * @package Api
 */
class ApiMiddlewareTest extends \PHPUnit\Framework\TestCase
{
    /**
     * @var string datastore to test write operations
     */
    protected static $testDatastore = 'sandbox/datastore.php';

    /**
     * @var \ConfigManager instance
     */
    protected $conf;

    /**
     * @var \ReferenceLinkDB instance.
     */
    protected $refDB = null;

    /**
     * @var Container instance.
     */
    protected $container;

    /**
     * Before every test, instantiate a new Api with its config, plugins and links.
     */
    public function setUp()
    {
        $this->conf = new ConfigManager('tests/utils/config/configJson.json.php');
        $this->conf->set('api.secret', 'NapoleonWasALizard');

        $this->refDB = new \ReferenceLinkDB();
        $this->refDB->write(self::$testDatastore);

        $this->container = new Container();
        $this->container['conf'] = $this->conf;
    }

    /**
     * After every test, remove the test datastore.
     */
    public function tearDown()
    {
        @unlink(self::$testDatastore);
    }

    /**
     * Invoke the middleware with the API disabled:
     * should return a 401 error Unauthorized.
     */
    public function testInvokeMiddlewareApiDisabled()
    {
        $this->conf->set('api.enabled', false);
        $mw = new ApiMiddleware($this->container);
        $env = Environment::mock([
            'REQUEST_METHOD' => 'GET',
            'REQUEST_URI' => '/echo',
        ]);
        $request = Request::createFromEnvironment($env);
        $response = new Response();
        /** @var Response $response */
        $response = $mw($request, $response, null);

        $this->assertEquals(401, $response->getStatusCode());
        $body = json_decode((string) $response->getBody());
        $this->assertEquals('Not authorized', $body);
    }

    /**
     * Invoke the middleware with the API disabled in debug mode:
     * should return a 401 error Unauthorized - with a specific message and a stacktrace.
     */
    public function testInvokeMiddlewareApiDisabledDebug()
    {
        $this->conf->set('api.enabled', false);
        $this->conf->set('dev.debug', true);
        $mw = new ApiMiddleware($this->container);
        $env = Environment::mock([
            'REQUEST_METHOD' => 'GET',
            'REQUEST_URI' => '/echo',
        ]);
        $request = Request::createFromEnvironment($env);
        $response = new Response();
        /** @var Response $response */
        $response = $mw($request, $response, null);

        $this->assertEquals(401, $response->getStatusCode());
        $body = json_decode((string) $response->getBody());
        $this->assertEquals('Not authorized: API is disabled', $body->message);
        $this->assertContains('ApiAuthorizationException', $body->stacktrace);
    }

    /**
     * Invoke the middleware without a token (debug):
     * should return a 401 error Unauthorized - with a specific message and a stacktrace.
     */
    public function testInvokeMiddlewareNoTokenProvidedDebug()
    {
        $this->conf->set('dev.debug', true);
        $mw = new ApiMiddleware($this->container);
        $env = Environment::mock([
            'REQUEST_METHOD' => 'GET',
            'REQUEST_URI' => '/echo',
        ]);
        $request = Request::createFromEnvironment($env);
        $response = new Response();
        /** @var Response $response */
        $response = $mw($request, $response, null);

        $this->assertEquals(401, $response->getStatusCode());
        $body = json_decode((string) $response->getBody());
        $this->assertEquals('Not authorized: JWT token not provided', $body->message);
        $this->assertContains('ApiAuthorizationException', $body->stacktrace);
    }

    /**
     * Invoke the middleware without a secret set in settings (debug):
     * should return a 401 error Unauthorized - with a specific message and a stacktrace.
     */
    public function testInvokeMiddlewareNoSecretSetDebug()
    {
        $this->conf->set('dev.debug', true);
        $this->conf->set('api.secret', '');
        $mw = new ApiMiddleware($this->container);
        $env = Environment::mock([
            'REQUEST_METHOD' => 'GET',
            'REQUEST_URI' => '/echo',
            'HTTP_AUTHORIZATION'=> 'Bearer jwt',
        ]);
        $request = Request::createFromEnvironment($env);
        $response = new Response();
        /** @var Response $response */
        $response = $mw($request, $response, null);

        $this->assertEquals(401, $response->getStatusCode());
        $body = json_decode((string) $response->getBody());
        $this->assertEquals('Not authorized: Token secret must be set in Shaarli\'s administration', $body->message);
        $this->assertContains('ApiAuthorizationException', $body->stacktrace);
    }

    /**
     * Invoke the middleware with an invalid JWT token header
     */
    public function testInvalidJwtAuthHeaderDebug()
    {
        $this->conf->set('dev.debug', true);
        $mw = new ApiMiddleware($this->container);
        $env = Environment::mock([
            'REQUEST_METHOD' => 'GET',
            'REQUEST_URI' => '/echo',
            'HTTP_AUTHORIZATION'=> 'PolarBearer jwt',
        ]);
        $request = Request::createFromEnvironment($env);
        $response = new Response();
        /** @var Response $response */
        $response = $mw($request, $response, null);

        $this->assertEquals(401, $response->getStatusCode());
        $body = json_decode((string) $response->getBody());
        $this->assertEquals('Not authorized: Invalid JWT header', $body->message);
        $this->assertContains('ApiAuthorizationException', $body->stacktrace);
    }

    /**
     * Invoke the middleware with an invalid JWT token (debug):
     * should return a 401 error Unauthorized - with a specific message and a stacktrace.
     *
     * Note: specific JWT errors tests are handled in ApiUtilsTest.
     */
    public function testInvokeMiddlewareInvalidJwtDebug()
    {
        $this->conf->set('dev.debug', true);
        $mw = new ApiMiddleware($this->container);
        $env = Environment::mock([
            'REQUEST_METHOD' => 'GET',
            'REQUEST_URI' => '/echo',
            'HTTP_AUTHORIZATION'=> 'Bearer jwt',
        ]);
        $request = Request::createFromEnvironment($env);
        $response = new Response();
        /** @var Response $response */
        $response = $mw($request, $response, null);

        $this->assertEquals(401, $response->getStatusCode());
        $body = json_decode((string) $response->getBody());
        $this->assertEquals('Not authorized: Malformed JWT token', $body->message);
        $this->assertContains('ApiAuthorizationException', $body->stacktrace);
    }
}
Commit	Line	Data
18e67967	1	<?php
18e67967 A	2	namespace Shaarli\Api;
18e67967 A	3
3c66e564	4	use Shaarli\Config\ConfigManager;
18e67967 A	5	use Slim\Container;
	6	use Slim\Http\Environment;
	7	use Slim\Http\Request;
	8	use Slim\Http\Response;
	9
	10	/**
	11	* Class ApiMiddlewareTest
	12	*
	13	* Test the REST API Slim Middleware.
	14	*
	15	* Note that we can't test a valid use case here, because the middleware
	16	* needs to call a valid controller/action during its execution.
	17	*
	18	* @package Api
	19	*/
dea72c71	20	class ApiMiddlewareTest extends \PHPUnit\Framework\TestCase
18e67967 A	21	{
	22	/**
	23	* @var string datastore to test write operations
	24	*/
	25	protected static $testDatastore = 'sandbox/datastore.php';
	26
	27	/**
	28	* @var \ConfigManager instance
	29	*/
	30	protected $conf;
	31
	32	/**
	33	* @var \ReferenceLinkDB instance.
	34	*/
	35	protected $refDB = null;
	36
	37	/**
	38	* @var Container instance.
	39	*/
	40	protected $container;
	41
	42	/**
	43	* Before every test, instantiate a new Api with its config, plugins and links.
	44	*/
	45	public function setUp()
	46	{
3c66e564	47	$this->conf = new ConfigManager('tests/utils/config/configJson.json.php');
18e67967 A	48	$this->conf->set('api.secret', 'NapoleonWasALizard');
	49
	50	$this->refDB = new \ReferenceLinkDB();
	51	$this->refDB->write(self::$testDatastore);
	52
	53	$this->container = new Container();
	54	$this->container['conf'] = $this->conf;
	55	}
	56
	57	/**
	58	* After every test, remove the test datastore.
	59	*/
	60	public function tearDown()
	61	{
	62	@unlink(self::$testDatastore);
	63	}
	64
	65	/**
	66	* Invoke the middleware with the API disabled:
	67	* should return a 401 error Unauthorized.
	68	*/
	69	public function testInvokeMiddlewareApiDisabled()
	70	{
	71	$this->conf->set('api.enabled', false);
	72	$mw = new ApiMiddleware($this->container);
	73	$env = Environment::mock([
	74	'REQUEST_METHOD' => 'GET',
	75	'REQUEST_URI' => '/echo',
	76	]);
	77	$request = Request::createFromEnvironment($env);
	78	$response = new Response();
	79	/** @var Response $response */
	80	$response = $mw($request, $response, null);
	81
	82	$this->assertEquals(401, $response->getStatusCode());
	83	$body = json_decode((string) $response->getBody());
	84	$this->assertEquals('Not authorized', $body);
	85	}
	86
	87	/**
	88	* Invoke the middleware with the API disabled in debug mode:
	89	* should return a 401 error Unauthorized - with a specific message and a stacktrace.
	90	*/
	91	public function testInvokeMiddlewareApiDisabledDebug()
	92	{
	93	$this->conf->set('api.enabled', false);
	94	$this->conf->set('dev.debug', true);
	95	$mw = new ApiMiddleware($this->container);
	96	$env = Environment::mock([
	97	'REQUEST_METHOD' => 'GET',
	98	'REQUEST_URI' => '/echo',
	99	]);
	100	$request = Request::createFromEnvironment($env);
	101	$response = new Response();
	102	/** @var Response $response */
	103	$response = $mw($request, $response, null);
	104
	105	$this->assertEquals(401, $response->getStatusCode());
	106	$body = json_decode((string) $response->getBody());
	107	$this->assertEquals('Not authorized: API is disabled', $body->message);
	108	$this->assertContains('ApiAuthorizationException', $body->stacktrace);
	109	}
	110
	111	/**
112	* Invoke the middleware without a token (debug):
113	* should return a 401 error Unauthorized - with a specific message and a stacktrace.
114	*/
115	public function testInvokeMiddlewareNoTokenProvidedDebug()
116	{
117	$this->conf->set('dev.debug', true);
118	$mw = new ApiMiddleware($this->container);
119	$env = Environment::mock([
120	'REQUEST_METHOD' => 'GET',
121	'REQUEST_URI' => '/echo',
122	]);
123	$request = Request::createFromEnvironment($env);
124	$response = new Response();
125	/** @var Response $response */
126	$response = $mw($request, $response, null);
127
128	$this->assertEquals(401, $response->getStatusCode());
129	$body = json_decode((string) $response->getBody());
130	$this->assertEquals('Not authorized: JWT token not provided', $body->message);
131	$this->assertContains('ApiAuthorizationException', $body->stacktrace);
132	}
133
134	/**
135	* Invoke the middleware without a secret set in settings (debug):
136	* should return a 401 error Unauthorized - with a specific message and a stacktrace.
137	*/
138	public function testInvokeMiddlewareNoSecretSetDebug()
139	{
140	$this->conf->set('dev.debug', true);
141	$this->conf->set('api.secret', '');
142	$mw = new ApiMiddleware($this->container);
143	$env = Environment::mock([
144	'REQUEST_METHOD' => 'GET',
145	'REQUEST_URI' => '/echo',
63ef5497	146	'HTTP_AUTHORIZATION'=> 'Bearer jwt',
18e67967 A	147	]);
	148	$request = Request::createFromEnvironment($env);
	149	$response = new Response();
	150	/** @var Response $response */
	151	$response = $mw($request, $response, null);
	152
	153	$this->assertEquals(401, $response->getStatusCode());
	154	$body = json_decode((string) $response->getBody());
	155	$this->assertEquals('Not authorized: Token secret must be set in Shaarli\'s administration', $body->message);
	156	$this->assertContains('ApiAuthorizationException', $body->stacktrace);
	157	}
	158
	159	/**
63ef5497 V	160	* Invoke the middleware with an invalid JWT token header
	161	*/
	162	public function testInvalidJwtAuthHeaderDebug()
	163	{
	164	$this->conf->set('dev.debug', true);
	165	$mw = new ApiMiddleware($this->container);
	166	$env = Environment::mock([
	167	'REQUEST_METHOD' => 'GET',
	168	'REQUEST_URI' => '/echo',
	169	'HTTP_AUTHORIZATION'=> 'PolarBearer jwt',
	170	]);
	171	$request = Request::createFromEnvironment($env);
	172	$response = new Response();
	173	/** @var Response $response */
	174	$response = $mw($request, $response, null);
	175
	176	$this->assertEquals(401, $response->getStatusCode());
	177	$body = json_decode((string) $response->getBody());
	178	$this->assertEquals('Not authorized: Invalid JWT header', $body->message);
	179	$this->assertContains('ApiAuthorizationException', $body->stacktrace);
	180	}
	181
	182	/**
	183	* Invoke the middleware with an invalid JWT token (debug):
18e67967 A	184	* should return a 401 error Unauthorized - with a specific message and a stacktrace.
	185	*
	186	* Note: specific JWT errors tests are handled in ApiUtilsTest.
	187	*/
	188	public function testInvokeMiddlewareInvalidJwtDebug()
	189	{
	190	$this->conf->set('dev.debug', true);
	191	$mw = new ApiMiddleware($this->container);
	192	$env = Environment::mock([
	193	'REQUEST_METHOD' => 'GET',
	194	'REQUEST_URI' => '/echo',
63ef5497	195	'HTTP_AUTHORIZATION'=> 'Bearer jwt',
18e67967 A	196	]);
	197	$request = Request::createFromEnvironment($env);
	198	$response = new Response();
	199	/** @var Response $response */
	200	$response = $mw($request, $response, null);
	201
	202	$this->assertEquals(401, $response->getStatusCode());
	203	$body = json_decode((string) $response->getBody());
	204	$this->assertEquals('Not authorized: Malformed JWT token', $body->message);
	205	$this->assertContains('ApiAuthorizationException', $body->stacktrace);
	206	}
	207	}