tests/api/ApiUtilsTest.php

   1 <?php
   2
   3 namespace Shaarli\Api;
   4
   5 use Shaarli\Base64Url;
   6
   7
   8 /**
   9  * Class ApiUtilsTest
  10  */
  11 class ApiUtilsTest extends \PHPUnit_Framework_TestCase
  12 {
  13     /**
  14      * Force the timezone for ISO datetimes.
  15      */
  16     public static function setUpBeforeClass()
  17     {
  18         date_default_timezone_set('UTC');
  19     }
  20
  21     /**
  22      * Generate a valid JWT token.
  23      *
  24      * @param string $secret API secret used to generate the signature.
  25      *
  26      * @return string Generated token.
  27      */
  28     public static function generateValidJwtToken($secret)
  29     {
  30         $header = Base64Url::encode('{
  31             "typ": "JWT",
  32             "alg": "HS512"
  33         }');
  34         $payload = Base64Url::encode('{
  35             "iat": '. time() .'
  36         }');
  37         $signature = Base64Url::encode(hash_hmac('sha512', $header .'.'. $payload , $secret, true));
  38         return $header .'.'. $payload .'.'. $signature;
  39     }
  40
  41     /**
  42      * Generate a JWT token from given header and payload.
  43      *
  44      * @param string $header  Header in JSON format.
  45      * @param string $payload Payload in JSON format.
  46      * @param string $secret  API secret used to hash the signature.
  47      *
  48      * @return string JWT token.
  49      */
  50     public static function generateCustomJwtToken($header, $payload, $secret)
  51     {
  52         $header = Base64Url::encode($header);
  53         $payload = Base64Url::encode($payload);
  54         $signature = Base64Url::encode(hash_hmac('sha512', $header . '.' . $payload, $secret, true));
  55         return $header . '.' . $payload . '.' . $signature;
  56     }
  57
  58     /**
  59      * Test validateJwtToken() with a valid JWT token.
  60      */
  61     public function testValidateJwtTokenValid()
  62     {
  63         $secret = 'WarIsPeace';
  64         ApiUtils::validateJwtToken(self::generateValidJwtToken($secret), $secret);
  65     }
  66
  67     /**
  68      * Test validateJwtToken() with a malformed JWT token.
  69      *
  70      * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
  71      * @expectedExceptionMessage Malformed JWT token
  72      */
  73     public function testValidateJwtTokenMalformed()
  74     {
  75         $token = 'ABC.DEF';
  76         ApiUtils::validateJwtToken($token, 'foo');
  77     }
  78
  79     /**
  80      * Test validateJwtToken() with an empty JWT token.
  81      *
  82      * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
  83      * @expectedExceptionMessage Malformed JWT token
  84      */
  85     public function testValidateJwtTokenMalformedEmpty()
  86     {
  87         $token = false;
  88         ApiUtils::validateJwtToken($token, 'foo');
  89     }
  90
  91     /**
  92      * Test validateJwtToken() with a JWT token without header.
  93      *
  94      * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
  95      * @expectedExceptionMessage Malformed JWT token
  96      */
  97     public function testValidateJwtTokenMalformedEmptyHeader()
  98     {
  99         $token = '.payload.signature';
 100         ApiUtils::validateJwtToken($token, 'foo');
 101     }
 102
 103     /**
 104      * Test validateJwtToken() with a JWT token without payload
 105      *
 106      * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
 107      * @expectedExceptionMessage Malformed JWT token
 108      */
 109     public function testValidateJwtTokenMalformedEmptyPayload()
 110     {
 111         $token = 'header..signature';
 112         ApiUtils::validateJwtToken($token, 'foo');
 113     }
 114
 115     /**
 116      * Test validateJwtToken() with a JWT token with an empty signature.
 117      *
 118      * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
 119      * @expectedExceptionMessage Invalid JWT signature
 120      */
 121     public function testValidateJwtTokenInvalidSignatureEmpty()
 122     {
 123         $token = 'header.payload.';
 124         ApiUtils::validateJwtToken($token, 'foo');
 125     }
 126
 127     /**
 128      * Test validateJwtToken() with a JWT token with an invalid signature.
 129      *
 130      * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
 131      * @expectedExceptionMessage Invalid JWT signature
 132      */
 133     public function testValidateJwtTokenInvalidSignature()
 134     {
 135         $token = 'header.payload.nope';
 136         ApiUtils::validateJwtToken($token, 'foo');
 137     }
 138
 139     /**
 140      * Test validateJwtToken() with a JWT token with a signature generated with the wrong API secret.
 141      *
 142      * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
 143      * @expectedExceptionMessage Invalid JWT signature
 144      */
 145     public function testValidateJwtTokenInvalidSignatureSecret()
 146     {
 147         ApiUtils::validateJwtToken(self::generateValidJwtToken('foo'), 'bar');
 148     }
 149
 150     /**
 151      * Test validateJwtToken() with a JWT token with a an invalid header (not JSON).
 152      *
 153      * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
 154      * @expectedExceptionMessage Invalid JWT header
 155      */
 156     public function testValidateJwtTokenInvalidHeader()
 157     {
 158         $token = $this->generateCustomJwtToken('notJSON', '{"JSON":1}', 'secret');
 159         ApiUtils::validateJwtToken($token, 'secret');
 160     }
 161
 162     /**
 163      * Test validateJwtToken() with a JWT token with a an invalid payload (not JSON).
 164      *
 165      * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
 166      * @expectedExceptionMessage Invalid JWT payload
 167      */
 168     public function testValidateJwtTokenInvalidPayload()
 169     {
 170         $token = $this->generateCustomJwtToken('{"JSON":1}', 'notJSON', 'secret');
 171         ApiUtils::validateJwtToken($token, 'secret');
 172     }
 173
 174     /**
 175      * Test validateJwtToken() with a JWT token without issued time.
 176      *
 177      * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
 178      * @expectedExceptionMessage Invalid JWT issued time
 179      */
 180     public function testValidateJwtTokenInvalidTimeEmpty()
 181     {
 182         $token = $this->generateCustomJwtToken('{"JSON":1}', '{"JSON":1}', 'secret');
 183         ApiUtils::validateJwtToken($token, 'secret');
 184     }
 185
 186     /**
 187      * Test validateJwtToken() with an expired JWT token.
 188      *
 189      * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
 190      * @expectedExceptionMessage Invalid JWT issued time
 191      */
 192     public function testValidateJwtTokenInvalidTimeExpired()
 193     {
 194         $token = $this->generateCustomJwtToken('{"JSON":1}', '{"iat":' . (time() - 600) . '}', 'secret');
 195         ApiUtils::validateJwtToken($token, 'secret');
 196     }
 197
 198     /**
 199      * Test validateJwtToken() with a JWT token issued in the future.
 200      *
 201      * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
 202      * @expectedExceptionMessage Invalid JWT issued time
 203      */
 204     public function testValidateJwtTokenInvalidTimeFuture()
 205     {
 206         $token = $this->generateCustomJwtToken('{"JSON":1}', '{"iat":' . (time() + 60) . '}', 'secret');
 207         ApiUtils::validateJwtToken($token, 'secret');
 208     }
 209 }