tests/api/ApiMiddlewareTest.php

   1 <?php
   2 namespace Shaarli\Api;
   3
   4 use Shaarli\Config\ConfigManager;
   5
   6 use Slim\Container;
   7 use Slim\Http\Environment;
   8 use Slim\Http\Request;
   9 use Slim\Http\Response;
  10
  11 /**
  12  * Class ApiMiddlewareTest
  13  *
  14  * Test the REST API Slim Middleware.
  15  *
  16  * Note that we can't test a valid use case here, because the middleware
  17  * needs to call a valid controller/action during its execution.
  18  *
  19  * @package Api
  20  */
  21 class ApiMiddlewareTest extends \PHPUnit_Framework_TestCase
  22 {
  23     /**
  24      * @var string datastore to test write operations
  25      */
  26     protected static $testDatastore = 'sandbox/datastore.php';
  27
  28     /**
  29      * @var \ConfigManager instance
  30      */
  31     protected $conf;
  32
  33     /**
  34      * @var \ReferenceLinkDB instance.
  35      */
  36     protected $refDB = null;
  37
  38     /**
  39      * @var Container instance.
  40      */
  41     protected $container;
  42
  43     /**
  44      * Before every test, instantiate a new Api with its config, plugins and links.
  45      */
  46     public function setUp()
  47     {
  48         $this->conf = new ConfigManager('tests/utils/config/configJson.json.php');
  49         $this->conf->set('api.secret', 'NapoleonWasALizard');
  50
  51         $this->refDB = new \ReferenceLinkDB();
  52         $this->refDB->write(self::$testDatastore);
  53
  54         $this->container = new Container();
  55         $this->container['conf'] = $this->conf;
  56     }
  57
  58     /**
  59      * After every test, remove the test datastore.
  60      */
  61     public function tearDown()
  62     {
  63         @unlink(self::$testDatastore);
  64     }
  65
  66     /**
  67      * Invoke the middleware with the API disabled:
  68      * should return a 401 error Unauthorized.
  69      */
  70     public function testInvokeMiddlewareApiDisabled()
  71     {
  72         $this->conf->set('api.enabled', false);
  73         $mw = new ApiMiddleware($this->container);
  74         $env = Environment::mock([
  75             'REQUEST_METHOD' => 'GET',
  76             'REQUEST_URI' => '/echo',
  77         ]);
  78         $request = Request::createFromEnvironment($env);
  79         $response = new Response();
  80         /** @var Response $response */
  81         $response = $mw($request, $response, null);
  82
  83         $this->assertEquals(401, $response->getStatusCode());
  84         $body = json_decode((string) $response->getBody());
  85         $this->assertEquals('Not authorized', $body);
  86     }
  87
  88     /**
  89      * Invoke the middleware with the API disabled in debug mode:
  90      * should return a 401 error Unauthorized - with a specific message and a stacktrace.
  91      */
  92     public function testInvokeMiddlewareApiDisabledDebug()
  93     {
  94         $this->conf->set('api.enabled', false);
  95         $this->conf->set('dev.debug', true);
  96         $mw = new ApiMiddleware($this->container);
  97         $env = Environment::mock([
  98             'REQUEST_METHOD' => 'GET',
  99             'REQUEST_URI' => '/echo',
 100         ]);
 101         $request = Request::createFromEnvironment($env);
 102         $response = new Response();
 103         /** @var Response $response */
 104         $response = $mw($request, $response, null);
 105
 106         $this->assertEquals(401, $response->getStatusCode());
 107         $body = json_decode((string) $response->getBody());
 108         $this->assertEquals('Not authorized: API is disabled', $body->message);
 109         $this->assertContains('ApiAuthorizationException', $body->stacktrace);
 110     }
 111
 112     /**
 113      * Invoke the middleware without a token (debug):
 114      * should return a 401 error Unauthorized - with a specific message and a stacktrace.
 115      */
 116     public function testInvokeMiddlewareNoTokenProvidedDebug()
 117     {
 118         $this->conf->set('dev.debug', true);
 119         $mw = new ApiMiddleware($this->container);
 120         $env = Environment::mock([
 121             'REQUEST_METHOD' => 'GET',
 122             'REQUEST_URI' => '/echo',
 123         ]);
 124         $request = Request::createFromEnvironment($env);
 125         $response = new Response();
 126         /** @var Response $response */
 127         $response = $mw($request, $response, null);
 128
 129         $this->assertEquals(401, $response->getStatusCode());
 130         $body = json_decode((string) $response->getBody());
 131         $this->assertEquals('Not authorized: JWT token not provided', $body->message);
 132         $this->assertContains('ApiAuthorizationException', $body->stacktrace);
 133     }
 134
 135     /**
 136      * Invoke the middleware without a secret set in settings (debug):
 137      * should return a 401 error Unauthorized - with a specific message and a stacktrace.
 138      */
 139     public function testInvokeMiddlewareNoSecretSetDebug()
 140     {
 141         $this->conf->set('dev.debug', true);
 142         $this->conf->set('api.secret', '');
 143         $mw = new ApiMiddleware($this->container);
 144         $env = Environment::mock([
 145             'REQUEST_METHOD' => 'GET',
 146             'REQUEST_URI' => '/echo',
 147             'HTTP_AUTHORIZATION'=> 'Bearer jwt',
 148         ]);
 149         $request = Request::createFromEnvironment($env);
 150         $response = new Response();
 151         /** @var Response $response */
 152         $response = $mw($request, $response, null);
 153
 154         $this->assertEquals(401, $response->getStatusCode());
 155         $body = json_decode((string) $response->getBody());
 156         $this->assertEquals('Not authorized: Token secret must be set in Shaarli\'s administration', $body->message);
 157         $this->assertContains('ApiAuthorizationException', $body->stacktrace);
 158     }
 159
 160     /**
 161      * Invoke the middleware with an invalid JWT token header
 162      */
 163     public function testInvalidJwtAuthHeaderDebug()
 164     {
 165         $this->conf->set('dev.debug', true);
 166         $mw = new ApiMiddleware($this->container);
 167         $env = Environment::mock([
 168             'REQUEST_METHOD' => 'GET',
 169             'REQUEST_URI' => '/echo',
 170             'HTTP_AUTHORIZATION'=> 'PolarBearer jwt',
 171         ]);
 172         $request = Request::createFromEnvironment($env);
 173         $response = new Response();
 174         /** @var Response $response */
 175         $response = $mw($request, $response, null);
 176
 177         $this->assertEquals(401, $response->getStatusCode());
 178         $body = json_decode((string) $response->getBody());
 179         $this->assertEquals('Not authorized: Invalid JWT header', $body->message);
 180         $this->assertContains('ApiAuthorizationException', $body->stacktrace);
 181     }
 182
 183     /**
 184      * Invoke the middleware with an invalid JWT token (debug):
 185      * should return a 401 error Unauthorized - with a specific message and a stacktrace.
 186      *
 187      * Note: specific JWT errors tests are handled in ApiUtilsTest.
 188      */
 189     public function testInvokeMiddlewareInvalidJwtDebug()
 190     {
 191         $this->conf->set('dev.debug', true);
 192         $mw = new ApiMiddleware($this->container);
 193         $env = Environment::mock([
 194             'REQUEST_METHOD' => 'GET',
 195             'REQUEST_URI' => '/echo',
 196             'HTTP_AUTHORIZATION'=> 'Bearer jwt',
 197         ]);
 198         $request = Request::createFromEnvironment($env);
 199         $response = new Response();
 200         /** @var Response $response */
 201         $response = $mw($request, $response, null);
 202
 203         $this->assertEquals(401, $response->getStatusCode());
 204         $body = json_decode((string) $response->getBody());
 205         $this->assertEquals('Not authorized: Malformed JWT token', $body->message);
 206         $this->assertContains('ApiAuthorizationException', $body->stacktrace);
 207     }
 208 }