REST API structure using Slim framework

* REST API routes are handle by Slim. * Every API controller go through ApiMiddleware which handles security. * First service implemented `/info`, for tests purpose.
author: ArthurHoaro <arthur@hoa.ro> 2016-12-15 10:13:00 +0100
committer: ArthurHoaro <arthur@hoa.ro> 2016-12-15 10:36:00 +0100
commit: 18e6796726d73d7dc90ecdd16c181493941f5487 (patch)
tree: 17159284be5072b505eead31efdc064b6d5a35d0 /tests/api
parent: 423ab02846286f94276d21e38ca1e296646618bf (diff)
download: Shaarli-18e6796726d73d7dc90ecdd16c181493941f5487.tar.gz
Shaarli-18e6796726d73d7dc90ecdd16c181493941f5487.tar.zst
Shaarli-18e6796726d73d7dc90ecdd16c181493941f5487.zip
3 files changed, 503 insertions, 0 deletions
diff --git a/tests/api/ApiMiddlewareTest.php b/tests/api/ApiMiddlewareTest.php
new file mode 100644
index 00000000..4d4dd9b9
--- /dev/null
+++ b/tests/api/ApiMiddlewareTest.php
@@ -0,0 +1,184 @@
+<?php
+namespace Shaarli\Api;
+use Slim\Container;
+use Slim\Http\Environment;
+use Slim\Http\Request;
+use Slim\Http\Response;
+/**
+ * Class ApiMiddlewareTest
+ *
+ * Test the REST API Slim Middleware.
+ *
+ * Note that we can't test a valid use case here, because the middleware
+ * needs to call a valid controller/action during its execution.
+ *
+ * @package Api
+ */
+class ApiMiddlewareTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @var string datastore to test write operations
+     */
+    protected static $testDatastore = 'sandbox/datastore.php';
+    /**
+     * @var \ConfigManager instance
+     */
+    protected $conf;
+    /**
+     * @var \ReferenceLinkDB instance.
+     */
+    protected $refDB = null;
+    /**
+     * @var Container instance.
+     */
+    protected $container;
+    /**
+     * Before every test, instantiate a new Api with its config, plugins and links.
+     */
+    public function setUp()
+    {
+        $this->conf = new \ConfigManager('tests/utils/config/configJson.json.php');
+        $this->conf->set('api.secret', 'NapoleonWasALizard');
+        $this->refDB = new \ReferenceLinkDB();
+        $this->refDB->write(self::$testDatastore);
+        $this->container = new Container();
+        $this->container['conf'] = $this->conf;
+    }
+    /**
+     * After every test, remove the test datastore.
+     */
+    public function tearDown()
+    {
+        @unlink(self::$testDatastore);
+    }
+    /**
+     * Invoke the middleware with the API disabled:
+     * should return a 401 error Unauthorized.
+     */
+    public function testInvokeMiddlewareApiDisabled()
+    {
+        $this->conf->set('api.enabled', false);
+        $mw = new ApiMiddleware($this->container);
+        $env = Environment::mock([
+            'REQUEST_METHOD' => 'GET',
+            'REQUEST_URI' => '/echo',
+        ]);
+        $request = Request::createFromEnvironment($env);
+        $response = new Response();
+        /** @var Response $response */
+        $response = $mw($request, $response, null);
+        $this->assertEquals(401, $response->getStatusCode());
+        $body = json_decode((string) $response->getBody());
+        $this->assertEquals('Not authorized', $body);
+    }
+    /**
+     * Invoke the middleware with the API disabled in debug mode:
+     * should return a 401 error Unauthorized - with a specific message and a stacktrace.
+     */
+    public function testInvokeMiddlewareApiDisabledDebug()
+    {
+        $this->conf->set('api.enabled', false);
+        $this->conf->set('dev.debug', true);
+        $mw = new ApiMiddleware($this->container);
+        $env = Environment::mock([
+            'REQUEST_METHOD' => 'GET',
+            'REQUEST_URI' => '/echo',
+        ]);
+        $request = Request::createFromEnvironment($env);
+        $response = new Response();
+        /** @var Response $response */
+        $response = $mw($request, $response, null);
+        $this->assertEquals(401, $response->getStatusCode());
+        $body = json_decode((string) $response->getBody());
+        $this->assertEquals('Not authorized: API is disabled', $body->message);
+        $this->assertContains('ApiAuthorizationException', $body->stacktrace);
+    }
+    /**
+     * Invoke the middleware without a token (debug):
+     * should return a 401 error Unauthorized - with a specific message and a stacktrace.
+     */
+    public function testInvokeMiddlewareNoTokenProvidedDebug()
+    {
+        $this->conf->set('dev.debug', true);
+        $mw = new ApiMiddleware($this->container);
+        $env = Environment::mock([
+            'REQUEST_METHOD' => 'GET',
+            'REQUEST_URI' => '/echo',
+        ]);
+        $request = Request::createFromEnvironment($env);
+        $response = new Response();
+        /** @var Response $response */
+        $response = $mw($request, $response, null);
+        $this->assertEquals(401, $response->getStatusCode());
+        $body = json_decode((string) $response->getBody());
+        $this->assertEquals('Not authorized: JWT token not provided', $body->message);
+        $this->assertContains('ApiAuthorizationException', $body->stacktrace);
+    }
+    /**
+     * Invoke the middleware without a secret set in settings (debug):
+     * should return a 401 error Unauthorized - with a specific message and a stacktrace.
+     */
+    public function testInvokeMiddlewareNoSecretSetDebug()
+    {
+        $this->conf->set('dev.debug', true);
+        $this->conf->set('api.secret', '');
+        $mw = new ApiMiddleware($this->container);
+        $env = Environment::mock([
+            'REQUEST_METHOD' => 'GET',
+            'REQUEST_URI' => '/echo',
+            'HTTP_JWT'=> 'jwt',
+        ]);
+        $request = Request::createFromEnvironment($env);
+        $response = new Response();
+        /** @var Response $response */
+        $response = $mw($request, $response, null);
+        $this->assertEquals(401, $response->getStatusCode());
+        $body = json_decode((string) $response->getBody());
+        $this->assertEquals('Not authorized: Token secret must be set in Shaarli\'s administration', $body->message);
+        $this->assertContains('ApiAuthorizationException', $body->stacktrace);
+    }
+    /**
+     * Invoke the middleware without an invalid JWT token (debug):
+     * should return a 401 error Unauthorized - with a specific message and a stacktrace.
+     *
+     * Note: specific JWT errors tests are handled in ApiUtilsTest.
+     */
+    public function testInvokeMiddlewareInvalidJwtDebug()
+    {
+        $this->conf->set('dev.debug', true);
+        $mw = new ApiMiddleware($this->container);
+        $env = Environment::mock([
+            'REQUEST_METHOD' => 'GET',
+            'REQUEST_URI' => '/echo',
+            'HTTP_JWT'=> 'bad jwt',
+        ]);
+        $request = Request::createFromEnvironment($env);
+        $response = new Response();
+        /** @var Response $response */
+        $response = $mw($request, $response, null);
+        $this->assertEquals(401, $response->getStatusCode());
+        $body = json_decode((string) $response->getBody());
+        $this->assertEquals('Not authorized: Malformed JWT token', $body->message);
+        $this->assertContains('ApiAuthorizationException', $body->stacktrace);
+    }
+}
diff --git a/tests/api/ApiUtilsTest.php b/tests/api/ApiUtilsTest.php
new file mode 100644
index 00000000..10da1459
--- /dev/null
+++ b/tests/api/ApiUtilsTest.php
@@ -0,0 +1,206 @@
+<?php
+namespace Shaarli\Api;
+/**
+ * Class ApiUtilsTest
+ */
+class ApiUtilsTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * Force the timezone for ISO datetimes.
+     */
+    public static function setUpBeforeClass()
+    {
+        date_default_timezone_set('UTC');
+    }
+    /**
+     * Generate a valid JWT token.
+     *
+     * @param string $secret API secret used to generate the signature.
+     *
+     * @return string Generated token.
+     */
+    public static function generateValidJwtToken($secret)
+    {
+        $header = base64_encode('{
+            "typ": "JWT",
+            "alg": "HS512"
+        }');
+        $payload = base64_encode('{
+            "iat": '. time() .'
+        }');
+        $signature = hash_hmac('sha512', $header .'.'. $payload , $secret);
+        return $header .'.'. $payload .'.'. $signature;
+    }
+    /**
+     * Generate a JWT token from given header and payload.
+     *
+     * @param string $header  Header in JSON format.
+     * @param string $payload Payload in JSON format.
+     * @param string $secret  API secret used to hash the signature.
+     *
+     * @return string JWT token.
+     */
+    public static function generateCustomJwtToken($header, $payload, $secret)
+    {
+        $header = base64_encode($header);
+        $payload = base64_encode($payload);
+        $signature = hash_hmac('sha512', $header . '.' . $payload, $secret);
+        return $header . '.' . $payload . '.' . $signature;
+    }
+    /**
+     * Test validateJwtToken() with a valid JWT token.
+     */
+    public function testValidateJwtTokenValid()
+    {
+        $secret = 'WarIsPeace';
+        ApiUtils::validateJwtToken(self::generateValidJwtToken($secret), $secret);
+    }
+    /**
+     * Test validateJwtToken() with a malformed JWT token.
+     *
+     * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
+     * @expectedExceptionMessage Malformed JWT token
+     */
+    public function testValidateJwtTokenMalformed()
+    {
+        $token = 'ABC.DEF';
+        ApiUtils::validateJwtToken($token, 'foo');
+    }
+    /**
+     * Test validateJwtToken() with an empty JWT token.
+     *
+     * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
+     * @expectedExceptionMessage Malformed JWT token
+     */
+    public function testValidateJwtTokenMalformedEmpty()
+    {
+        $token = false;
+        ApiUtils::validateJwtToken($token, 'foo');
+    }
+    /**
+     * Test validateJwtToken() with a JWT token without header.
+     *
+     * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
+     * @expectedExceptionMessage Malformed JWT token
+     */
+    public function testValidateJwtTokenMalformedEmptyHeader()
+    {
+        $token = '.payload.signature';
+        ApiUtils::validateJwtToken($token, 'foo');
+    }
+    /**
+     * Test validateJwtToken() with a JWT token without payload
+     *
+     * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
+     * @expectedExceptionMessage Malformed JWT token
+     */
+    public function testValidateJwtTokenMalformedEmptyPayload()
+    {
+        $token = 'header..signature';
+        ApiUtils::validateJwtToken($token, 'foo');
+    }
+    /**
+     * Test validateJwtToken() with a JWT token with an empty signature.
+     *
+     * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
+     * @expectedExceptionMessage Invalid JWT signature
+     */
+    public function testValidateJwtTokenInvalidSignatureEmpty()
+    {
+        $token = 'header.payload.';
+        ApiUtils::validateJwtToken($token, 'foo');
+    }
+    /**
+     * Test validateJwtToken() with a JWT token with an invalid signature.
+     *
+     * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
+     * @expectedExceptionMessage Invalid JWT signature
+     */
+    public function testValidateJwtTokenInvalidSignature()
+    {
+        $token = 'header.payload.nope';
+        ApiUtils::validateJwtToken($token, 'foo');
+    }
+    /**
+     * Test validateJwtToken() with a JWT token with a signature generated with the wrong API secret.
+     *
+     * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
+     * @expectedExceptionMessage Invalid JWT signature
+     */
+    public function testValidateJwtTokenInvalidSignatureSecret()
+    {
+        ApiUtils::validateJwtToken(self::generateValidJwtToken('foo'), 'bar');
+    }
+    /**
+     * Test validateJwtToken() with a JWT token with a an invalid header (not JSON).
+     *
+     * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
+     * @expectedExceptionMessage Invalid JWT header
+     */
+    public function testValidateJwtTokenInvalidHeader()
+    {
+        $token = $this->generateCustomJwtToken('notJSON', '{"JSON":1}', 'secret');
+        ApiUtils::validateJwtToken($token, 'secret');
+    }
+    /**
+     * Test validateJwtToken() with a JWT token with a an invalid payload (not JSON).
+     *
+     * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
+     * @expectedExceptionMessage Invalid JWT payload
+     */
+    public function testValidateJwtTokenInvalidPayload()
+    {
+        $token = $this->generateCustomJwtToken('{"JSON":1}', 'notJSON', 'secret');
+        ApiUtils::validateJwtToken($token, 'secret');
+    }
+    /**
+     * Test validateJwtToken() with a JWT token without issued time.
+     *
+     * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
+     * @expectedExceptionMessage Invalid JWT issued time
+     */
+    public function testValidateJwtTokenInvalidTimeEmpty()
+    {
+        $token = $this->generateCustomJwtToken('{"JSON":1}', '{"JSON":1}', 'secret');
+        ApiUtils::validateJwtToken($token, 'secret');
+    }
+    /**
+     * Test validateJwtToken() with an expired JWT token.
+     *
+     * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
+     * @expectedExceptionMessage Invalid JWT issued time
+     */
+    public function testValidateJwtTokenInvalidTimeExpired()
+    {
+        $token = $this->generateCustomJwtToken('{"JSON":1}', '{"iat":' . (time() - 600) . '}', 'secret');
+        ApiUtils::validateJwtToken($token, 'secret');
+    }
+    /**
+     * Test validateJwtToken() with a JWT token issued in the future.
+     *
+     * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
+     * @expectedExceptionMessage Invalid JWT issued time
+     */
+    public function testValidateJwtTokenInvalidTimeFuture()
+    {
+        $token = $this->generateCustomJwtToken('{"JSON":1}', '{"iat":' . (time() + 60) . '}', 'secret');
+        ApiUtils::validateJwtToken($token, 'secret');
+    }
+}
diff --git a/tests/api/controllers/InfoTest.php b/tests/api/controllers/InfoTest.php
new file mode 100644
index 00000000..2916eed8
--- /dev/null
+++ b/tests/api/controllers/InfoTest.php
@@ -0,0 +1,113 @@
+<?php
+namespace Shaarli\Api\Controllers;
+use Slim\Container;
+use Slim\Http\Environment;
+use Slim\Http\Request;
+use Slim\Http\Response;
+/**
+ * Class InfoTest
+ * 
+ * Test REST API controller Info.
+ * 
+ * @package Api\Controllers
+ */
+class InfoTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @var string datastore to test write operations
+     */
+    protected static $testDatastore = 'sandbox/datastore.php';
+    /**
+     * @var \ConfigManager instance
+     */
+    protected $conf;
+    /**
+     * @var \ReferenceLinkDB instance.
+     */
+    protected $refDB = null;
+    /**
+     * @var Container instance.
+     */
+    protected $container;
+    /**
+     * @var Info controller instance.
+     */
+    protected $controller;
+    /**
+     * Before every test, instantiate a new Api with its config, plugins and links.
+     */
+    public function setUp()
+    {
+        $this->conf = new \ConfigManager('tests/utils/config/configJson.json.php');
+        $this->refDB = new \ReferenceLinkDB();
+        $this->refDB->write(self::$testDatastore);
+        $this->container = new Container();
+        $this->container['conf'] = $this->conf;
+        $this->container['db'] = new \LinkDB(self::$testDatastore, true, false);
+        $this->controller = new Info($this->container);
+    }
+    /**
+     * After every test, remove the test datastore.
+     */
+    public function tearDown()
+    {
+        @unlink(self::$testDatastore);
+    }
+    /**
+     * Test /info service.
+     */
+    public function testGetInfo()
+    {
+        $env = Environment::mock([
+            'REQUEST_METHOD' => 'GET',
+        ]);
+        $request = Request::createFromEnvironment($env);
+        $response = $this->controller->getInfo($request, new Response());
+        $this->assertEquals(200, $response->getStatusCode());
+        $data = json_decode((string) $response->getBody(), true);
+        $this->assertEquals(8, $data['global_counter']);
+        $this->assertEquals(2, $data['private_counter']);
+        $this->assertEquals('Shaarli', $data['settings']['title']);
+        $this->assertEquals('?', $data['settings']['header_link']);
+        $this->assertEquals('UTC', $data['settings']['timezone']);
+        $this->assertEquals(\ConfigManager::$DEFAULT_PLUGINS, $data['settings']['enabled_plugins']);
+        $this->assertEquals(false, $data['settings']['default_private_links']);
+        $title = 'My links';
+        $headerLink = 'http://shaarli.tld';
+        $timezone = 'Europe/Paris';
+        $enabledPlugins = array('foo', 'bar');
+        $defaultPrivateLinks = true;
+        $this->conf->set('general.title', $title);
+        $this->conf->set('general.header_link', $headerLink);
+        $this->conf->set('general.timezone', $timezone);
+        $this->conf->set('general.enabled_plugins', $enabledPlugins);
+        $this->conf->set('privacy.default_private_links', $defaultPrivateLinks);
+        $response = $this->controller->getInfo($request, new Response());
+        $this->assertEquals(200, $response->getStatusCode());
+        $data = json_decode((string) $response->getBody(), true);
+        $this->assertEquals(8, $data['global_counter']);
+        $this->assertEquals(2, $data['private_counter']);
+        $this->assertEquals($title, $data['settings']['title']);
+        $this->assertEquals($headerLink, $data['settings']['header_link']);
+        $this->assertEquals($timezone, $data['settings']['timezone']);
+        $this->assertEquals($enabledPlugins, $data['settings']['enabled_plugins']);
+        $this->assertEquals($defaultPrivateLinks, $data['settings']['default_private_links']);
+    }
+}
author	ArthurHoaro <arthur@hoa.ro>	2016-12-15 10:13:00 +0100
committer	ArthurHoaro <arthur@hoa.ro>	2016-12-15 10:36:00 +0100
commit	18e6796726d73d7dc90ecdd16c181493941f5487 (patch)
tree	17159284be5072b505eead31efdc064b6d5a35d0 /tests/api
parent	423ab02846286f94276d21e38ca1e296646618bf (diff)
download	Shaarli-18e6796726d73d7dc90ecdd16c181493941f5487.tar.gz Shaarli-18e6796726d73d7dc90ecdd16c181493941f5487.tar.zst Shaarli-18e6796726d73d7dc90ecdd16c181493941f5487.zip

diff --git a/tests/api/ApiMiddlewareTest.php b/tests/api/ApiMiddlewareTest.php new file mode 100644 index 00000000..4d4dd9b9 --- /dev/null +++ b/tests/api/ApiMiddlewareTest.php
@@ -0,0 +1,184 @@
	1	<?php
	2
	3	namespace Shaarli\Api;
	4
	5	use Slim\Container;
	6	use Slim\Http\Environment;
	7	use Slim\Http\Request;
	8	use Slim\Http\Response;
	9
	10	/**
	11	* Class ApiMiddlewareTest
	12	*
	13	* Test the REST API Slim Middleware.
	14	*
	15	* Note that we can't test a valid use case here, because the middleware
	16	* needs to call a valid controller/action during its execution.
	17	*
	18	* @package Api
	19	*/
	20	class ApiMiddlewareTest extends \PHPUnit_Framework_TestCase
	21	{
	22	/**
	23	* @var string datastore to test write operations
	24	*/
	25	protected static $testDatastore = 'sandbox/datastore.php';
	26
	27	/**
	28	* @var \ConfigManager instance
	29	*/
	30	protected $conf;
	31
	32	/**
	33	* @var \ReferenceLinkDB instance.
	34	*/
	35	protected $refDB = null;
	36
	37	/**
	38	* @var Container instance.
	39	*/
	40	protected $container;
	41
	42	/**
	43	* Before every test, instantiate a new Api with its config, plugins and links.
	44	*/
	45	public function setUp()
	46	{
	47	$this->conf = new \ConfigManager('tests/utils/config/configJson.json.php');
	48	$this->conf->set('api.secret', 'NapoleonWasALizard');
	49
	50	$this->refDB = new \ReferenceLinkDB();
	51	$this->refDB->write(self::$testDatastore);
	52
	53	$this->container = new Container();
	54	$this->container['conf'] = $this->conf;
	55	}
	56
	57	/**
	58	* After every test, remove the test datastore.
	59	*/
	60	public function tearDown()
	61	{
	62	@unlink(self::$testDatastore);
	63	}
	64
	65	/**
	66	* Invoke the middleware with the API disabled:
	67	* should return a 401 error Unauthorized.
	68	*/
	69	public function testInvokeMiddlewareApiDisabled()
	70	{
	71	$this->conf->set('api.enabled', false);
	72	$mw = new ApiMiddleware($this->container);
	73	$env = Environment::mock([
	74	'REQUEST_METHOD' => 'GET',
	75	'REQUEST_URI' => '/echo',
	76	]);
	77	$request = Request::createFromEnvironment($env);
	78	$response = new Response();
	79	/** @var Response $response */
	80	$response = $mw($request, $response, null);
	81
	82	$this->assertEquals(401, $response->getStatusCode());
	83	$body = json_decode((string) $response->getBody());
	84	$this->assertEquals('Not authorized', $body);
	85	}
	86
	87	/**
	88	* Invoke the middleware with the API disabled in debug mode:
	89	* should return a 401 error Unauthorized - with a specific message and a stacktrace.
	90	*/
	91	public function testInvokeMiddlewareApiDisabledDebug()
	92	{
	93	$this->conf->set('api.enabled', false);
	94	$this->conf->set('dev.debug', true);
	95	$mw = new ApiMiddleware($this->container);
	96	$env = Environment::mock([
	97	'REQUEST_METHOD' => 'GET',
	98	'REQUEST_URI' => '/echo',
	99	]);
	100	$request = Request::createFromEnvironment($env);
	101	$response = new Response();
	102	/** @var Response $response */
	103	$response = $mw($request, $response, null);
	104
	105	$this->assertEquals(401, $response->getStatusCode());
	106	$body = json_decode((string) $response->getBody());
	107	$this->assertEquals('Not authorized: API is disabled', $body->message);
	108	$this->assertContains('ApiAuthorizationException', $body->stacktrace);
	109	}
	110
	111	/**
	112	* Invoke the middleware without a token (debug):
	113	* should return a 401 error Unauthorized - with a specific message and a stacktrace.
	114	*/
	115	public function testInvokeMiddlewareNoTokenProvidedDebug()
	116	{
	117	$this->conf->set('dev.debug', true);
	118	$mw = new ApiMiddleware($this->container);
	119	$env = Environment::mock([
	120	'REQUEST_METHOD' => 'GET',
	121	'REQUEST_URI' => '/echo',
	122	]);
	123	$request = Request::createFromEnvironment($env);
	124	$response = new Response();
	125	/** @var Response $response */
	126	$response = $mw($request, $response, null);
	127
	128	$this->assertEquals(401, $response->getStatusCode());
	129	$body = json_decode((string) $response->getBody());
	130	$this->assertEquals('Not authorized: JWT token not provided', $body->message);
	131	$this->assertContains('ApiAuthorizationException', $body->stacktrace);
	132	}
	133
	134	/**
	135	* Invoke the middleware without a secret set in settings (debug):
	136	* should return a 401 error Unauthorized - with a specific message and a stacktrace.
	137	*/
	138	public function testInvokeMiddlewareNoSecretSetDebug()
	139	{
	140	$this->conf->set('dev.debug', true);
	141	$this->conf->set('api.secret', '');
	142	$mw = new ApiMiddleware($this->container);
	143	$env = Environment::mock([
	144	'REQUEST_METHOD' => 'GET',
	145	'REQUEST_URI' => '/echo',
	146	'HTTP_JWT'=> 'jwt',
	147	]);
	148	$request = Request::createFromEnvironment($env);
	149	$response = new Response();
	150	/** @var Response $response */
	151	$response = $mw($request, $response, null);
	152
	153	$this->assertEquals(401, $response->getStatusCode());
	154	$body = json_decode((string) $response->getBody());
	155	$this->assertEquals('Not authorized: Token secret must be set in Shaarli\'s administration', $body->message);
	156	$this->assertContains('ApiAuthorizationException', $body->stacktrace);
	157	}
	158
	159	/**
	160	* Invoke the middleware without an invalid JWT token (debug):
	161	* should return a 401 error Unauthorized - with a specific message and a stacktrace.
	162	*
	163	* Note: specific JWT errors tests are handled in ApiUtilsTest.
	164	*/
	165	public function testInvokeMiddlewareInvalidJwtDebug()
	166	{
	167	$this->conf->set('dev.debug', true);
	168	$mw = new ApiMiddleware($this->container);
	169	$env = Environment::mock([
	170	'REQUEST_METHOD' => 'GET',
	171	'REQUEST_URI' => '/echo',
	172	'HTTP_JWT'=> 'bad jwt',
	173	]);
	174	$request = Request::createFromEnvironment($env);
	175	$response = new Response();
	176	/** @var Response $response */
	177	$response = $mw($request, $response, null);
	178
	179	$this->assertEquals(401, $response->getStatusCode());
	180	$body = json_decode((string) $response->getBody());
	181	$this->assertEquals('Not authorized: Malformed JWT token', $body->message);
	182	$this->assertContains('ApiAuthorizationException', $body->stacktrace);
	183	}
	184	}


diff --git a/tests/api/ApiUtilsTest.php b/tests/api/ApiUtilsTest.php new file mode 100644 index 00000000..10da1459 --- /dev/null +++ b/tests/api/ApiUtilsTest.php
@@ -0,0 +1,206 @@
	1	<?php
	2
	3	namespace Shaarli\Api;
	4
	5	/**
	6	* Class ApiUtilsTest
	7	*/
	8	class ApiUtilsTest extends \PHPUnit_Framework_TestCase
	9	{
	10	/**
	11	* Force the timezone for ISO datetimes.
	12	*/
	13	public static function setUpBeforeClass()
	14	{
	15	date_default_timezone_set('UTC');
	16	}
	17
	18	/**
	19	* Generate a valid JWT token.
	20	*
	21	* @param string $secret API secret used to generate the signature.
	22	*
	23	* @return string Generated token.
	24	*/
	25	public static function generateValidJwtToken($secret)
	26	{
	27	$header = base64_encode('{
	28	"typ": "JWT",
	29	"alg": "HS512"
	30	}');
	31	$payload = base64_encode('{
	32	"iat": '. time() .'
	33	}');
	34	$signature = hash_hmac('sha512', $header .'.'. $payload , $secret);
	35	return $header .'.'. $payload .'.'. $signature;
	36	}
	37
	38	/**
	39	* Generate a JWT token from given header and payload.
	40	*
	41	* @param string $header Header in JSON format.
	42	* @param string $payload Payload in JSON format.
	43	* @param string $secret API secret used to hash the signature.
	44	*
	45	* @return string JWT token.
	46	*/
	47	public static function generateCustomJwtToken($header, $payload, $secret)
	48	{
	49	$header = base64_encode($header);
	50	$payload = base64_encode($payload);
	51	$signature = hash_hmac('sha512', $header . '.' . $payload, $secret);
	52	return $header . '.' . $payload . '.' . $signature;
	53	}
	54
	55	/**
	56	* Test validateJwtToken() with a valid JWT token.
	57	*/
	58	public function testValidateJwtTokenValid()
	59	{
	60	$secret = 'WarIsPeace';
	61	ApiUtils::validateJwtToken(self::generateValidJwtToken($secret), $secret);
	62	}
	63
	64	/**
	65	* Test validateJwtToken() with a malformed JWT token.
	66	*
	67	* @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
	68	* @expectedExceptionMessage Malformed JWT token
	69	*/
	70	public function testValidateJwtTokenMalformed()
	71	{
	72	$token = 'ABC.DEF';
	73	ApiUtils::validateJwtToken($token, 'foo');
	74	}
	75
	76	/**
	77	* Test validateJwtToken() with an empty JWT token.
	78	*
	79	* @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
	80	* @expectedExceptionMessage Malformed JWT token
	81	*/
	82	public function testValidateJwtTokenMalformedEmpty()
	83	{
	84	$token = false;
	85	ApiUtils::validateJwtToken($token, 'foo');
	86	}
	87
	88	/**
	89	* Test validateJwtToken() with a JWT token without header.
	90	*
	91	* @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
	92	* @expectedExceptionMessage Malformed JWT token
	93	*/
	94	public function testValidateJwtTokenMalformedEmptyHeader()
	95	{
	96	$token = '.payload.signature';
	97	ApiUtils::validateJwtToken($token, 'foo');
	98	}
	99
	100	/**
	101	* Test validateJwtToken() with a JWT token without payload
	102	*
	103	* @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
	104	* @expectedExceptionMessage Malformed JWT token
	105	*/
	106	public function testValidateJwtTokenMalformedEmptyPayload()
	107	{
	108	$token = 'header..signature';
	109	ApiUtils::validateJwtToken($token, 'foo');
	110	}
	111
	112	/**
	113	* Test validateJwtToken() with a JWT token with an empty signature.
	114	*
	115	* @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
	116	* @expectedExceptionMessage Invalid JWT signature
	117	*/
	118	public function testValidateJwtTokenInvalidSignatureEmpty()
	119	{
	120	$token = 'header.payload.';
	121	ApiUtils::validateJwtToken($token, 'foo');
	122	}
	123
	124	/**
	125	* Test validateJwtToken() with a JWT token with an invalid signature.
	126	*
	127	* @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
	128	* @expectedExceptionMessage Invalid JWT signature
	129	*/
	130	public function testValidateJwtTokenInvalidSignature()
	131	{
	132	$token = 'header.payload.nope';
	133	ApiUtils::validateJwtToken($token, 'foo');
	134	}
	135
	136	/**
	137	* Test validateJwtToken() with a JWT token with a signature generated with the wrong API secret.
	138	*
	139	* @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
	140	* @expectedExceptionMessage Invalid JWT signature
	141	*/
	142	public function testValidateJwtTokenInvalidSignatureSecret()
	143	{
	144	ApiUtils::validateJwtToken(self::generateValidJwtToken('foo'), 'bar');
	145	}
	146
	147	/**
	148	* Test validateJwtToken() with a JWT token with a an invalid header (not JSON).
	149	*
	150	* @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
	151	* @expectedExceptionMessage Invalid JWT header
	152	*/
	153	public function testValidateJwtTokenInvalidHeader()
	154	{
	155	$token = $this->generateCustomJwtToken('notJSON', '{"JSON":1}', 'secret');
	156	ApiUtils::validateJwtToken($token, 'secret');
	157	}
	158
	159	/**
	160	* Test validateJwtToken() with a JWT token with a an invalid payload (not JSON).
	161	*
	162	* @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
	163	* @expectedExceptionMessage Invalid JWT payload
	164	*/
	165	public function testValidateJwtTokenInvalidPayload()
	166	{
	167	$token = $this->generateCustomJwtToken('{"JSON":1}', 'notJSON', 'secret');
	168	ApiUtils::validateJwtToken($token, 'secret');
	169	}
	170
	171	/**
	172	* Test validateJwtToken() with a JWT token without issued time.
	173	*
	174	* @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
	175	* @expectedExceptionMessage Invalid JWT issued time
	176	*/
	177	public function testValidateJwtTokenInvalidTimeEmpty()
	178	{
	179	$token = $this->generateCustomJwtToken('{"JSON":1}', '{"JSON":1}', 'secret');
	180	ApiUtils::validateJwtToken($token, 'secret');
	181	}
	182
	183	/**
	184	* Test validateJwtToken() with an expired JWT token.
	185	*
	186	* @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
	187	* @expectedExceptionMessage Invalid JWT issued time
	188	*/
	189	public function testValidateJwtTokenInvalidTimeExpired()
	190	{
	191	$token = $this->generateCustomJwtToken('{"JSON":1}', '{"iat":' . (time() - 600) . '}', 'secret');
	192	ApiUtils::validateJwtToken($token, 'secret');
	193	}
	194
	195	/**
	196	* Test validateJwtToken() with a JWT token issued in the future.
	197	*
	198	* @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException
	199	* @expectedExceptionMessage Invalid JWT issued time
	200	*/
	201	public function testValidateJwtTokenInvalidTimeFuture()
	202	{
	203	$token = $this->generateCustomJwtToken('{"JSON":1}', '{"iat":' . (time() + 60) . '}', 'secret');
	204	ApiUtils::validateJwtToken($token, 'secret');
	205	}
	206	}


diff --git a/tests/api/controllers/InfoTest.php b/tests/api/controllers/InfoTest.php new file mode 100644 index 00000000..2916eed8 --- /dev/null +++ b/tests/api/controllers/InfoTest.php
@@ -0,0 +1,113 @@
	1	<?php
	2
	3	namespace Shaarli\Api\Controllers;
	4
	5	use Slim\Container;
	6	use Slim\Http\Environment;
	7	use Slim\Http\Request;
	8	use Slim\Http\Response;
	9
	10	/**
	11	* Class InfoTest
	12	*
	13	* Test REST API controller Info.
	14	*
	15	* @package Api\Controllers
	16	*/
	17	class InfoTest extends \PHPUnit_Framework_TestCase
	18	{
	19	/**
	20	* @var string datastore to test write operations
	21	*/
	22	protected static $testDatastore = 'sandbox/datastore.php';
	23
	24	/**
	25	* @var \ConfigManager instance
	26	*/
	27	protected $conf;
	28
	29	/**
	30	* @var \ReferenceLinkDB instance.
	31	*/
	32	protected $refDB = null;
	33
	34	/**
	35	* @var Container instance.
	36	*/
	37	protected $container;
	38
	39	/**
	40	* @var Info controller instance.
	41	*/
	42	protected $controller;
	43
	44	/**
	45	* Before every test, instantiate a new Api with its config, plugins and links.
	46	*/
	47	public function setUp()
	48	{
	49	$this->conf = new \ConfigManager('tests/utils/config/configJson.json.php');
	50	$this->refDB = new \ReferenceLinkDB();
	51	$this->refDB->write(self::$testDatastore);
	52
	53	$this->container = new Container();
	54	$this->container['conf'] = $this->conf;
	55	$this->container['db'] = new \LinkDB(self::$testDatastore, true, false);
	56
	57	$this->controller = new Info($this->container);
	58	}
	59
	60	/**
	61	* After every test, remove the test datastore.
	62	*/
	63	public function tearDown()
	64	{
	65	@unlink(self::$testDatastore);
	66	}
	67
	68	/**
	69	* Test /info service.
	70	*/
	71	public function testGetInfo()
	72	{
	73	$env = Environment::mock([
	74	'REQUEST_METHOD' => 'GET',
	75	]);
	76	$request = Request::createFromEnvironment($env);
	77
	78	$response = $this->controller->getInfo($request, new Response());
	79	$this->assertEquals(200, $response->getStatusCode());
	80	$data = json_decode((string) $response->getBody(), true);
	81
	82	$this->assertEquals(8, $data['global_counter']);
	83	$this->assertEquals(2, $data['private_counter']);
	84	$this->assertEquals('Shaarli', $data['settings']['title']);
	85	$this->assertEquals('?', $data['settings']['header_link']);
	86	$this->assertEquals('UTC', $data['settings']['timezone']);
	87	$this->assertEquals(\ConfigManager::$DEFAULT_PLUGINS, $data['settings']['enabled_plugins']);
	88	$this->assertEquals(false, $data['settings']['default_private_links']);
	89
	90	$title = 'My links';
	91	$headerLink = 'http://shaarli.tld';
	92	$timezone = 'Europe/Paris';
	93	$enabledPlugins = array('foo', 'bar');
	94	$defaultPrivateLinks = true;
	95	$this->conf->set('general.title', $title);
	96	$this->conf->set('general.header_link', $headerLink);
	97	$this->conf->set('general.timezone', $timezone);
	98	$this->conf->set('general.enabled_plugins', $enabledPlugins);
	99	$this->conf->set('privacy.default_private_links', $defaultPrivateLinks);
	100
	101	$response = $this->controller->getInfo($request, new Response());
	102	$this->assertEquals(200, $response->getStatusCode());
	103	$data = json_decode((string) $response->getBody(), true);
	104
	105	$this->assertEquals(8, $data['global_counter']);
	106	$this->assertEquals(2, $data['private_counter']);
	107	$this->assertEquals($title, $data['settings']['title']);
	108	$this->assertEquals($headerLink, $data['settings']['header_link']);
	109	$this->assertEquals($timezone, $data['settings']['timezone']);
	110	$this->assertEquals($enabledPlugins, $data['settings']['enabled_plugins']);
	111	$this->assertEquals($defaultPrivateLinks, $data['settings']['default_private_links']);
	112	}
	113	}