diff options
author | ArthurHoaro <arthur@hoa.ro> | 2016-12-15 10:13:00 +0100 |
---|---|---|
committer | ArthurHoaro <arthur@hoa.ro> | 2016-12-15 10:36:00 +0100 |
commit | 18e6796726d73d7dc90ecdd16c181493941f5487 (patch) | |
tree | 17159284be5072b505eead31efdc064b6d5a35d0 /tests | |
parent | 423ab02846286f94276d21e38ca1e296646618bf (diff) | |
download | Shaarli-18e6796726d73d7dc90ecdd16c181493941f5487.tar.gz Shaarli-18e6796726d73d7dc90ecdd16c181493941f5487.tar.zst Shaarli-18e6796726d73d7dc90ecdd16c181493941f5487.zip |
REST API structure using Slim framework
* REST API routes are handle by Slim.
* Every API controller go through ApiMiddleware which handles security.
* First service implemented `/info`, for tests purpose.
Diffstat (limited to 'tests')
-rw-r--r-- | tests/api/ApiMiddlewareTest.php | 184 | ||||
-rw-r--r-- | tests/api/ApiUtilsTest.php | 206 | ||||
-rw-r--r-- | tests/api/controllers/InfoTest.php | 113 |
3 files changed, 503 insertions, 0 deletions
diff --git a/tests/api/ApiMiddlewareTest.php b/tests/api/ApiMiddlewareTest.php new file mode 100644 index 00000000..4d4dd9b9 --- /dev/null +++ b/tests/api/ApiMiddlewareTest.php | |||
@@ -0,0 +1,184 @@ | |||
1 | <?php | ||
2 | |||
3 | namespace Shaarli\Api; | ||
4 | |||
5 | use Slim\Container; | ||
6 | use Slim\Http\Environment; | ||
7 | use Slim\Http\Request; | ||
8 | use Slim\Http\Response; | ||
9 | |||
10 | /** | ||
11 | * Class ApiMiddlewareTest | ||
12 | * | ||
13 | * Test the REST API Slim Middleware. | ||
14 | * | ||
15 | * Note that we can't test a valid use case here, because the middleware | ||
16 | * needs to call a valid controller/action during its execution. | ||
17 | * | ||
18 | * @package Api | ||
19 | */ | ||
20 | class ApiMiddlewareTest extends \PHPUnit_Framework_TestCase | ||
21 | { | ||
22 | /** | ||
23 | * @var string datastore to test write operations | ||
24 | */ | ||
25 | protected static $testDatastore = 'sandbox/datastore.php'; | ||
26 | |||
27 | /** | ||
28 | * @var \ConfigManager instance | ||
29 | */ | ||
30 | protected $conf; | ||
31 | |||
32 | /** | ||
33 | * @var \ReferenceLinkDB instance. | ||
34 | */ | ||
35 | protected $refDB = null; | ||
36 | |||
37 | /** | ||
38 | * @var Container instance. | ||
39 | */ | ||
40 | protected $container; | ||
41 | |||
42 | /** | ||
43 | * Before every test, instantiate a new Api with its config, plugins and links. | ||
44 | */ | ||
45 | public function setUp() | ||
46 | { | ||
47 | $this->conf = new \ConfigManager('tests/utils/config/configJson.json.php'); | ||
48 | $this->conf->set('api.secret', 'NapoleonWasALizard'); | ||
49 | |||
50 | $this->refDB = new \ReferenceLinkDB(); | ||
51 | $this->refDB->write(self::$testDatastore); | ||
52 | |||
53 | $this->container = new Container(); | ||
54 | $this->container['conf'] = $this->conf; | ||
55 | } | ||
56 | |||
57 | /** | ||
58 | * After every test, remove the test datastore. | ||
59 | */ | ||
60 | public function tearDown() | ||
61 | { | ||
62 | @unlink(self::$testDatastore); | ||
63 | } | ||
64 | |||
65 | /** | ||
66 | * Invoke the middleware with the API disabled: | ||
67 | * should return a 401 error Unauthorized. | ||
68 | */ | ||
69 | public function testInvokeMiddlewareApiDisabled() | ||
70 | { | ||
71 | $this->conf->set('api.enabled', false); | ||
72 | $mw = new ApiMiddleware($this->container); | ||
73 | $env = Environment::mock([ | ||
74 | 'REQUEST_METHOD' => 'GET', | ||
75 | 'REQUEST_URI' => '/echo', | ||
76 | ]); | ||
77 | $request = Request::createFromEnvironment($env); | ||
78 | $response = new Response(); | ||
79 | /** @var Response $response */ | ||
80 | $response = $mw($request, $response, null); | ||
81 | |||
82 | $this->assertEquals(401, $response->getStatusCode()); | ||
83 | $body = json_decode((string) $response->getBody()); | ||
84 | $this->assertEquals('Not authorized', $body); | ||
85 | } | ||
86 | |||
87 | /** | ||
88 | * Invoke the middleware with the API disabled in debug mode: | ||
89 | * should return a 401 error Unauthorized - with a specific message and a stacktrace. | ||
90 | */ | ||
91 | public function testInvokeMiddlewareApiDisabledDebug() | ||
92 | { | ||
93 | $this->conf->set('api.enabled', false); | ||
94 | $this->conf->set('dev.debug', true); | ||
95 | $mw = new ApiMiddleware($this->container); | ||
96 | $env = Environment::mock([ | ||
97 | 'REQUEST_METHOD' => 'GET', | ||
98 | 'REQUEST_URI' => '/echo', | ||
99 | ]); | ||
100 | $request = Request::createFromEnvironment($env); | ||
101 | $response = new Response(); | ||
102 | /** @var Response $response */ | ||
103 | $response = $mw($request, $response, null); | ||
104 | |||
105 | $this->assertEquals(401, $response->getStatusCode()); | ||
106 | $body = json_decode((string) $response->getBody()); | ||
107 | $this->assertEquals('Not authorized: API is disabled', $body->message); | ||
108 | $this->assertContains('ApiAuthorizationException', $body->stacktrace); | ||
109 | } | ||
110 | |||
111 | /** | ||
112 | * Invoke the middleware without a token (debug): | ||
113 | * should return a 401 error Unauthorized - with a specific message and a stacktrace. | ||
114 | */ | ||
115 | public function testInvokeMiddlewareNoTokenProvidedDebug() | ||
116 | { | ||
117 | $this->conf->set('dev.debug', true); | ||
118 | $mw = new ApiMiddleware($this->container); | ||
119 | $env = Environment::mock([ | ||
120 | 'REQUEST_METHOD' => 'GET', | ||
121 | 'REQUEST_URI' => '/echo', | ||
122 | ]); | ||
123 | $request = Request::createFromEnvironment($env); | ||
124 | $response = new Response(); | ||
125 | /** @var Response $response */ | ||
126 | $response = $mw($request, $response, null); | ||
127 | |||
128 | $this->assertEquals(401, $response->getStatusCode()); | ||
129 | $body = json_decode((string) $response->getBody()); | ||
130 | $this->assertEquals('Not authorized: JWT token not provided', $body->message); | ||
131 | $this->assertContains('ApiAuthorizationException', $body->stacktrace); | ||
132 | } | ||
133 | |||
134 | /** | ||
135 | * Invoke the middleware without a secret set in settings (debug): | ||
136 | * should return a 401 error Unauthorized - with a specific message and a stacktrace. | ||
137 | */ | ||
138 | public function testInvokeMiddlewareNoSecretSetDebug() | ||
139 | { | ||
140 | $this->conf->set('dev.debug', true); | ||
141 | $this->conf->set('api.secret', ''); | ||
142 | $mw = new ApiMiddleware($this->container); | ||
143 | $env = Environment::mock([ | ||
144 | 'REQUEST_METHOD' => 'GET', | ||
145 | 'REQUEST_URI' => '/echo', | ||
146 | 'HTTP_JWT'=> 'jwt', | ||
147 | ]); | ||
148 | $request = Request::createFromEnvironment($env); | ||
149 | $response = new Response(); | ||
150 | /** @var Response $response */ | ||
151 | $response = $mw($request, $response, null); | ||
152 | |||
153 | $this->assertEquals(401, $response->getStatusCode()); | ||
154 | $body = json_decode((string) $response->getBody()); | ||
155 | $this->assertEquals('Not authorized: Token secret must be set in Shaarli\'s administration', $body->message); | ||
156 | $this->assertContains('ApiAuthorizationException', $body->stacktrace); | ||
157 | } | ||
158 | |||
159 | /** | ||
160 | * Invoke the middleware without an invalid JWT token (debug): | ||
161 | * should return a 401 error Unauthorized - with a specific message and a stacktrace. | ||
162 | * | ||
163 | * Note: specific JWT errors tests are handled in ApiUtilsTest. | ||
164 | */ | ||
165 | public function testInvokeMiddlewareInvalidJwtDebug() | ||
166 | { | ||
167 | $this->conf->set('dev.debug', true); | ||
168 | $mw = new ApiMiddleware($this->container); | ||
169 | $env = Environment::mock([ | ||
170 | 'REQUEST_METHOD' => 'GET', | ||
171 | 'REQUEST_URI' => '/echo', | ||
172 | 'HTTP_JWT'=> 'bad jwt', | ||
173 | ]); | ||
174 | $request = Request::createFromEnvironment($env); | ||
175 | $response = new Response(); | ||
176 | /** @var Response $response */ | ||
177 | $response = $mw($request, $response, null); | ||
178 | |||
179 | $this->assertEquals(401, $response->getStatusCode()); | ||
180 | $body = json_decode((string) $response->getBody()); | ||
181 | $this->assertEquals('Not authorized: Malformed JWT token', $body->message); | ||
182 | $this->assertContains('ApiAuthorizationException', $body->stacktrace); | ||
183 | } | ||
184 | } | ||
diff --git a/tests/api/ApiUtilsTest.php b/tests/api/ApiUtilsTest.php new file mode 100644 index 00000000..10da1459 --- /dev/null +++ b/tests/api/ApiUtilsTest.php | |||
@@ -0,0 +1,206 @@ | |||
1 | <?php | ||
2 | |||
3 | namespace Shaarli\Api; | ||
4 | |||
5 | /** | ||
6 | * Class ApiUtilsTest | ||
7 | */ | ||
8 | class ApiUtilsTest extends \PHPUnit_Framework_TestCase | ||
9 | { | ||
10 | /** | ||
11 | * Force the timezone for ISO datetimes. | ||
12 | */ | ||
13 | public static function setUpBeforeClass() | ||
14 | { | ||
15 | date_default_timezone_set('UTC'); | ||
16 | } | ||
17 | |||
18 | /** | ||
19 | * Generate a valid JWT token. | ||
20 | * | ||
21 | * @param string $secret API secret used to generate the signature. | ||
22 | * | ||
23 | * @return string Generated token. | ||
24 | */ | ||
25 | public static function generateValidJwtToken($secret) | ||
26 | { | ||
27 | $header = base64_encode('{ | ||
28 | "typ": "JWT", | ||
29 | "alg": "HS512" | ||
30 | }'); | ||
31 | $payload = base64_encode('{ | ||
32 | "iat": '. time() .' | ||
33 | }'); | ||
34 | $signature = hash_hmac('sha512', $header .'.'. $payload , $secret); | ||
35 | return $header .'.'. $payload .'.'. $signature; | ||
36 | } | ||
37 | |||
38 | /** | ||
39 | * Generate a JWT token from given header and payload. | ||
40 | * | ||
41 | * @param string $header Header in JSON format. | ||
42 | * @param string $payload Payload in JSON format. | ||
43 | * @param string $secret API secret used to hash the signature. | ||
44 | * | ||
45 | * @return string JWT token. | ||
46 | */ | ||
47 | public static function generateCustomJwtToken($header, $payload, $secret) | ||
48 | { | ||
49 | $header = base64_encode($header); | ||
50 | $payload = base64_encode($payload); | ||
51 | $signature = hash_hmac('sha512', $header . '.' . $payload, $secret); | ||
52 | return $header . '.' . $payload . '.' . $signature; | ||
53 | } | ||
54 | |||
55 | /** | ||
56 | * Test validateJwtToken() with a valid JWT token. | ||
57 | */ | ||
58 | public function testValidateJwtTokenValid() | ||
59 | { | ||
60 | $secret = 'WarIsPeace'; | ||
61 | ApiUtils::validateJwtToken(self::generateValidJwtToken($secret), $secret); | ||
62 | } | ||
63 | |||
64 | /** | ||
65 | * Test validateJwtToken() with a malformed JWT token. | ||
66 | * | ||
67 | * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException | ||
68 | * @expectedExceptionMessage Malformed JWT token | ||
69 | */ | ||
70 | public function testValidateJwtTokenMalformed() | ||
71 | { | ||
72 | $token = 'ABC.DEF'; | ||
73 | ApiUtils::validateJwtToken($token, 'foo'); | ||
74 | } | ||
75 | |||
76 | /** | ||
77 | * Test validateJwtToken() with an empty JWT token. | ||
78 | * | ||
79 | * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException | ||
80 | * @expectedExceptionMessage Malformed JWT token | ||
81 | */ | ||
82 | public function testValidateJwtTokenMalformedEmpty() | ||
83 | { | ||
84 | $token = false; | ||
85 | ApiUtils::validateJwtToken($token, 'foo'); | ||
86 | } | ||
87 | |||
88 | /** | ||
89 | * Test validateJwtToken() with a JWT token without header. | ||
90 | * | ||
91 | * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException | ||
92 | * @expectedExceptionMessage Malformed JWT token | ||
93 | */ | ||
94 | public function testValidateJwtTokenMalformedEmptyHeader() | ||
95 | { | ||
96 | $token = '.payload.signature'; | ||
97 | ApiUtils::validateJwtToken($token, 'foo'); | ||
98 | } | ||
99 | |||
100 | /** | ||
101 | * Test validateJwtToken() with a JWT token without payload | ||
102 | * | ||
103 | * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException | ||
104 | * @expectedExceptionMessage Malformed JWT token | ||
105 | */ | ||
106 | public function testValidateJwtTokenMalformedEmptyPayload() | ||
107 | { | ||
108 | $token = 'header..signature'; | ||
109 | ApiUtils::validateJwtToken($token, 'foo'); | ||
110 | } | ||
111 | |||
112 | /** | ||
113 | * Test validateJwtToken() with a JWT token with an empty signature. | ||
114 | * | ||
115 | * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException | ||
116 | * @expectedExceptionMessage Invalid JWT signature | ||
117 | */ | ||
118 | public function testValidateJwtTokenInvalidSignatureEmpty() | ||
119 | { | ||
120 | $token = 'header.payload.'; | ||
121 | ApiUtils::validateJwtToken($token, 'foo'); | ||
122 | } | ||
123 | |||
124 | /** | ||
125 | * Test validateJwtToken() with a JWT token with an invalid signature. | ||
126 | * | ||
127 | * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException | ||
128 | * @expectedExceptionMessage Invalid JWT signature | ||
129 | */ | ||
130 | public function testValidateJwtTokenInvalidSignature() | ||
131 | { | ||
132 | $token = 'header.payload.nope'; | ||
133 | ApiUtils::validateJwtToken($token, 'foo'); | ||
134 | } | ||
135 | |||
136 | /** | ||
137 | * Test validateJwtToken() with a JWT token with a signature generated with the wrong API secret. | ||
138 | * | ||
139 | * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException | ||
140 | * @expectedExceptionMessage Invalid JWT signature | ||
141 | */ | ||
142 | public function testValidateJwtTokenInvalidSignatureSecret() | ||
143 | { | ||
144 | ApiUtils::validateJwtToken(self::generateValidJwtToken('foo'), 'bar'); | ||
145 | } | ||
146 | |||
147 | /** | ||
148 | * Test validateJwtToken() with a JWT token with a an invalid header (not JSON). | ||
149 | * | ||
150 | * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException | ||
151 | * @expectedExceptionMessage Invalid JWT header | ||
152 | */ | ||
153 | public function testValidateJwtTokenInvalidHeader() | ||
154 | { | ||
155 | $token = $this->generateCustomJwtToken('notJSON', '{"JSON":1}', 'secret'); | ||
156 | ApiUtils::validateJwtToken($token, 'secret'); | ||
157 | } | ||
158 | |||
159 | /** | ||
160 | * Test validateJwtToken() with a JWT token with a an invalid payload (not JSON). | ||
161 | * | ||
162 | * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException | ||
163 | * @expectedExceptionMessage Invalid JWT payload | ||
164 | */ | ||
165 | public function testValidateJwtTokenInvalidPayload() | ||
166 | { | ||
167 | $token = $this->generateCustomJwtToken('{"JSON":1}', 'notJSON', 'secret'); | ||
168 | ApiUtils::validateJwtToken($token, 'secret'); | ||
169 | } | ||
170 | |||
171 | /** | ||
172 | * Test validateJwtToken() with a JWT token without issued time. | ||
173 | * | ||
174 | * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException | ||
175 | * @expectedExceptionMessage Invalid JWT issued time | ||
176 | */ | ||
177 | public function testValidateJwtTokenInvalidTimeEmpty() | ||
178 | { | ||
179 | $token = $this->generateCustomJwtToken('{"JSON":1}', '{"JSON":1}', 'secret'); | ||
180 | ApiUtils::validateJwtToken($token, 'secret'); | ||
181 | } | ||
182 | |||
183 | /** | ||
184 | * Test validateJwtToken() with an expired JWT token. | ||
185 | * | ||
186 | * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException | ||
187 | * @expectedExceptionMessage Invalid JWT issued time | ||
188 | */ | ||
189 | public function testValidateJwtTokenInvalidTimeExpired() | ||
190 | { | ||
191 | $token = $this->generateCustomJwtToken('{"JSON":1}', '{"iat":' . (time() - 600) . '}', 'secret'); | ||
192 | ApiUtils::validateJwtToken($token, 'secret'); | ||
193 | } | ||
194 | |||
195 | /** | ||
196 | * Test validateJwtToken() with a JWT token issued in the future. | ||
197 | * | ||
198 | * @expectedException \Shaarli\Api\Exceptions\ApiAuthorizationException | ||
199 | * @expectedExceptionMessage Invalid JWT issued time | ||
200 | */ | ||
201 | public function testValidateJwtTokenInvalidTimeFuture() | ||
202 | { | ||
203 | $token = $this->generateCustomJwtToken('{"JSON":1}', '{"iat":' . (time() + 60) . '}', 'secret'); | ||
204 | ApiUtils::validateJwtToken($token, 'secret'); | ||
205 | } | ||
206 | } | ||
diff --git a/tests/api/controllers/InfoTest.php b/tests/api/controllers/InfoTest.php new file mode 100644 index 00000000..2916eed8 --- /dev/null +++ b/tests/api/controllers/InfoTest.php | |||
@@ -0,0 +1,113 @@ | |||
1 | <?php | ||
2 | |||
3 | namespace Shaarli\Api\Controllers; | ||
4 | |||
5 | use Slim\Container; | ||
6 | use Slim\Http\Environment; | ||
7 | use Slim\Http\Request; | ||
8 | use Slim\Http\Response; | ||
9 | |||
10 | /** | ||
11 | * Class InfoTest | ||
12 | * | ||
13 | * Test REST API controller Info. | ||
14 | * | ||
15 | * @package Api\Controllers | ||
16 | */ | ||
17 | class InfoTest extends \PHPUnit_Framework_TestCase | ||
18 | { | ||
19 | /** | ||
20 | * @var string datastore to test write operations | ||
21 | */ | ||
22 | protected static $testDatastore = 'sandbox/datastore.php'; | ||
23 | |||
24 | /** | ||
25 | * @var \ConfigManager instance | ||
26 | */ | ||
27 | protected $conf; | ||
28 | |||
29 | /** | ||
30 | * @var \ReferenceLinkDB instance. | ||
31 | */ | ||
32 | protected $refDB = null; | ||
33 | |||
34 | /** | ||
35 | * @var Container instance. | ||
36 | */ | ||
37 | protected $container; | ||
38 | |||
39 | /** | ||
40 | * @var Info controller instance. | ||
41 | */ | ||
42 | protected $controller; | ||
43 | |||
44 | /** | ||
45 | * Before every test, instantiate a new Api with its config, plugins and links. | ||
46 | */ | ||
47 | public function setUp() | ||
48 | { | ||
49 | $this->conf = new \ConfigManager('tests/utils/config/configJson.json.php'); | ||
50 | $this->refDB = new \ReferenceLinkDB(); | ||
51 | $this->refDB->write(self::$testDatastore); | ||
52 | |||
53 | $this->container = new Container(); | ||
54 | $this->container['conf'] = $this->conf; | ||
55 | $this->container['db'] = new \LinkDB(self::$testDatastore, true, false); | ||
56 | |||
57 | $this->controller = new Info($this->container); | ||
58 | } | ||
59 | |||
60 | /** | ||
61 | * After every test, remove the test datastore. | ||
62 | */ | ||
63 | public function tearDown() | ||
64 | { | ||
65 | @unlink(self::$testDatastore); | ||
66 | } | ||
67 | |||
68 | /** | ||
69 | * Test /info service. | ||
70 | */ | ||
71 | public function testGetInfo() | ||
72 | { | ||
73 | $env = Environment::mock([ | ||
74 | 'REQUEST_METHOD' => 'GET', | ||
75 | ]); | ||
76 | $request = Request::createFromEnvironment($env); | ||
77 | |||
78 | $response = $this->controller->getInfo($request, new Response()); | ||
79 | $this->assertEquals(200, $response->getStatusCode()); | ||
80 | $data = json_decode((string) $response->getBody(), true); | ||
81 | |||
82 | $this->assertEquals(8, $data['global_counter']); | ||
83 | $this->assertEquals(2, $data['private_counter']); | ||
84 | $this->assertEquals('Shaarli', $data['settings']['title']); | ||
85 | $this->assertEquals('?', $data['settings']['header_link']); | ||
86 | $this->assertEquals('UTC', $data['settings']['timezone']); | ||
87 | $this->assertEquals(\ConfigManager::$DEFAULT_PLUGINS, $data['settings']['enabled_plugins']); | ||
88 | $this->assertEquals(false, $data['settings']['default_private_links']); | ||
89 | |||
90 | $title = 'My links'; | ||
91 | $headerLink = 'http://shaarli.tld'; | ||
92 | $timezone = 'Europe/Paris'; | ||
93 | $enabledPlugins = array('foo', 'bar'); | ||
94 | $defaultPrivateLinks = true; | ||
95 | $this->conf->set('general.title', $title); | ||
96 | $this->conf->set('general.header_link', $headerLink); | ||
97 | $this->conf->set('general.timezone', $timezone); | ||
98 | $this->conf->set('general.enabled_plugins', $enabledPlugins); | ||
99 | $this->conf->set('privacy.default_private_links', $defaultPrivateLinks); | ||
100 | |||
101 | $response = $this->controller->getInfo($request, new Response()); | ||
102 | $this->assertEquals(200, $response->getStatusCode()); | ||
103 | $data = json_decode((string) $response->getBody(), true); | ||
104 | |||
105 | $this->assertEquals(8, $data['global_counter']); | ||
106 | $this->assertEquals(2, $data['private_counter']); | ||
107 | $this->assertEquals($title, $data['settings']['title']); | ||
108 | $this->assertEquals($headerLink, $data['settings']['header_link']); | ||
109 | $this->assertEquals($timezone, $data['settings']['timezone']); | ||
110 | $this->assertEquals($enabledPlugins, $data['settings']['enabled_plugins']); | ||
111 | $this->assertEquals($defaultPrivateLinks, $data['settings']['default_private_links']); | ||
112 | } | ||
113 | } | ||