1 files changed, 208 insertions, 0 deletions
diff --git a/tests/api/ApiMiddlewareTest.php b/tests/api/ApiMiddlewareTest.php
new file mode 100644
index 00000000..23a56b1c
--- /dev/null
+++ b/tests/api/ApiMiddlewareTest.php
@@ -0,0 +1,208 @@
+<?php
+namespace Shaarli\Api;
+use Shaarli\Config\ConfigManager;
+use Slim\Container;
+use Slim\Http\Environment;
+use Slim\Http\Request;
+use Slim\Http\Response;
+/**
+ * Class ApiMiddlewareTest
+ *
+ * Test the REST API Slim Middleware.
+ *
+ * Note that we can't test a valid use case here, because the middleware
+ * needs to call a valid controller/action during its execution.
+ *
+ * @package Api
+ */
+class ApiMiddlewareTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @var string datastore to test write operations
+     */
+    protected static $testDatastore = 'sandbox/datastore.php';
+    /**
+     * @var \ConfigManager instance
+     */
+    protected $conf;
+    /**
+     * @var \ReferenceLinkDB instance.
+     */
+    protected $refDB = null;
+    /**
+     * @var Container instance.
+     */
+    protected $container;
+    /**
+     * Before every test, instantiate a new Api with its config, plugins and links.
+     */
+    public function setUp()
+    {
+        $this->conf = new ConfigManager('tests/utils/config/configJson.json.php');
+        $this->conf->set('api.secret', 'NapoleonWasALizard');
+        $this->refDB = new \ReferenceLinkDB();
+        $this->refDB->write(self::$testDatastore);
+        $this->container = new Container();
+        $this->container['conf'] = $this->conf;
+    }
+    /**
+     * After every test, remove the test datastore.
+     */
+    public function tearDown()
+    {
+        @unlink(self::$testDatastore);
+    }
+    /**
+     * Invoke the middleware with the API disabled:
+     * should return a 401 error Unauthorized.
+     */
+    public function testInvokeMiddlewareApiDisabled()
+    {
+        $this->conf->set('api.enabled', false);
+        $mw = new ApiMiddleware($this->container);
+        $env = Environment::mock([
+            'REQUEST_METHOD' => 'GET',
+            'REQUEST_URI' => '/echo',
+        ]);
+        $request = Request::createFromEnvironment($env);
+        $response = new Response();
+        /** @var Response $response */
+        $response = $mw($request, $response, null);
+        $this->assertEquals(401, $response->getStatusCode());
+        $body = json_decode((string) $response->getBody());
+        $this->assertEquals('Not authorized', $body);
+    }
+    /**
+     * Invoke the middleware with the API disabled in debug mode:
+     * should return a 401 error Unauthorized - with a specific message and a stacktrace.
+     */
+    public function testInvokeMiddlewareApiDisabledDebug()
+    {
+        $this->conf->set('api.enabled', false);
+        $this->conf->set('dev.debug', true);
+        $mw = new ApiMiddleware($this->container);
+        $env = Environment::mock([
+            'REQUEST_METHOD' => 'GET',
+            'REQUEST_URI' => '/echo',
+        ]);
+        $request = Request::createFromEnvironment($env);
+        $response = new Response();
+        /** @var Response $response */
+        $response = $mw($request, $response, null);
+        $this->assertEquals(401, $response->getStatusCode());
+        $body = json_decode((string) $response->getBody());
+        $this->assertEquals('Not authorized: API is disabled', $body->message);
+        $this->assertContains('ApiAuthorizationException', $body->stacktrace);
+    }
+    /**
+     * Invoke the middleware without a token (debug):
+     * should return a 401 error Unauthorized - with a specific message and a stacktrace.
+     */
+    public function testInvokeMiddlewareNoTokenProvidedDebug()
+    {
+        $this->conf->set('dev.debug', true);
+        $mw = new ApiMiddleware($this->container);
+        $env = Environment::mock([
+            'REQUEST_METHOD' => 'GET',
+            'REQUEST_URI' => '/echo',
+        ]);
+        $request = Request::createFromEnvironment($env);
+        $response = new Response();
+        /** @var Response $response */
+        $response = $mw($request, $response, null);
+        $this->assertEquals(401, $response->getStatusCode());
+        $body = json_decode((string) $response->getBody());
+        $this->assertEquals('Not authorized: JWT token not provided', $body->message);
+        $this->assertContains('ApiAuthorizationException', $body->stacktrace);
+    }
+    /**
+     * Invoke the middleware without a secret set in settings (debug):
+     * should return a 401 error Unauthorized - with a specific message and a stacktrace.
+     */
+    public function testInvokeMiddlewareNoSecretSetDebug()
+    {
+        $this->conf->set('dev.debug', true);
+        $this->conf->set('api.secret', '');
+        $mw = new ApiMiddleware($this->container);
+        $env = Environment::mock([
+            'REQUEST_METHOD' => 'GET',
+            'REQUEST_URI' => '/echo',
+            'HTTP_AUTHORIZATION'=> 'Bearer jwt',
+        ]);
+        $request = Request::createFromEnvironment($env);
+        $response = new Response();
+        /** @var Response $response */
+        $response = $mw($request, $response, null);
+        $this->assertEquals(401, $response->getStatusCode());
+        $body = json_decode((string) $response->getBody());
+        $this->assertEquals('Not authorized: Token secret must be set in Shaarli\'s administration', $body->message);
+        $this->assertContains('ApiAuthorizationException', $body->stacktrace);
+    }
+    /**
+     * Invoke the middleware with an invalid JWT token header
+     */
+    public function testInvalidJwtAuthHeaderDebug()
+    {
+        $this->conf->set('dev.debug', true);
+        $mw = new ApiMiddleware($this->container);
+        $env = Environment::mock([
+            'REQUEST_METHOD' => 'GET',
+            'REQUEST_URI' => '/echo',
+            'HTTP_AUTHORIZATION'=> 'PolarBearer jwt',
+        ]);
+        $request = Request::createFromEnvironment($env);
+        $response = new Response();
+        /** @var Response $response */
+        $response = $mw($request, $response, null);
+        $this->assertEquals(401, $response->getStatusCode());
+        $body = json_decode((string) $response->getBody());
+        $this->assertEquals('Not authorized: Invalid JWT header', $body->message);
+        $this->assertContains('ApiAuthorizationException', $body->stacktrace);
+    }
+    /**
+     * Invoke the middleware with an invalid JWT token (debug):
+     * should return a 401 error Unauthorized - with a specific message and a stacktrace.
+     *
+     * Note: specific JWT errors tests are handled in ApiUtilsTest.
+     */
+    public function testInvokeMiddlewareInvalidJwtDebug()
+    {
+        $this->conf->set('dev.debug', true);
+        $mw = new ApiMiddleware($this->container);
+        $env = Environment::mock([
+            'REQUEST_METHOD' => 'GET',
+            'REQUEST_URI' => '/echo',
+            'HTTP_AUTHORIZATION'=> 'Bearer jwt',
+        ]);
+        $request = Request::createFromEnvironment($env);
+        $response = new Response();
+        /** @var Response $response */
+        $response = $mw($request, $response, null);
+        $this->assertEquals(401, $response->getStatusCode());
+        $body = json_decode((string) $response->getBody());
+        $this->assertEquals('Not authorized: Malformed JWT token', $body->message);
+        $this->assertContains('ApiAuthorizationException', $body->stacktrace);
+    }
+}

diff --git a/tests/api/ApiMiddlewareTest.php b/tests/api/ApiMiddlewareTest.php new file mode 100644 index 00000000..23a56b1c --- /dev/null +++ b/tests/api/ApiMiddlewareTest.php
@@ -0,0 +1,208 @@
	1	<?php
	2	namespace Shaarli\Api;
	3
	4	use Shaarli\Config\ConfigManager;
	5
	6	use Slim\Container;
	7	use Slim\Http\Environment;
	8	use Slim\Http\Request;
	9	use Slim\Http\Response;
	10
	11	/**
	12	* Class ApiMiddlewareTest
	13	*
	14	* Test the REST API Slim Middleware.
	15	*
	16	* Note that we can't test a valid use case here, because the middleware
	17	* needs to call a valid controller/action during its execution.
	18	*
	19	* @package Api
	20	*/
	21	class ApiMiddlewareTest extends \PHPUnit_Framework_TestCase
	22	{
	23	/**
	24	* @var string datastore to test write operations
	25	*/
	26	protected static $testDatastore = 'sandbox/datastore.php';
	27
	28	/**
	29	* @var \ConfigManager instance
	30	*/
	31	protected $conf;
	32
	33	/**
	34	* @var \ReferenceLinkDB instance.
	35	*/
	36	protected $refDB = null;
	37
	38	/**
	39	* @var Container instance.
	40	*/
	41	protected $container;
	42
	43	/**
	44	* Before every test, instantiate a new Api with its config, plugins and links.
	45	*/
	46	public function setUp()
	47	{
	48	$this->conf = new ConfigManager('tests/utils/config/configJson.json.php');
	49	$this->conf->set('api.secret', 'NapoleonWasALizard');
	50
	51	$this->refDB = new \ReferenceLinkDB();
	52	$this->refDB->write(self::$testDatastore);
	53
	54	$this->container = new Container();
	55	$this->container['conf'] = $this->conf;
	56	}
	57
	58	/**
	59	* After every test, remove the test datastore.
	60	*/
	61	public function tearDown()
	62	{
	63	@unlink(self::$testDatastore);
	64	}
	65
	66	/**
	67	* Invoke the middleware with the API disabled:
	68	* should return a 401 error Unauthorized.
	69	*/
	70	public function testInvokeMiddlewareApiDisabled()
	71	{
	72	$this->conf->set('api.enabled', false);
	73	$mw = new ApiMiddleware($this->container);
	74	$env = Environment::mock([
	75	'REQUEST_METHOD' => 'GET',
	76	'REQUEST_URI' => '/echo',
	77	]);
	78	$request = Request::createFromEnvironment($env);
	79	$response = new Response();
	80	/** @var Response $response */
	81	$response = $mw($request, $response, null);
	82
	83	$this->assertEquals(401, $response->getStatusCode());
	84	$body = json_decode((string) $response->getBody());
	85	$this->assertEquals('Not authorized', $body);
	86	}
	87
	88	/**
	89	* Invoke the middleware with the API disabled in debug mode:
	90	* should return a 401 error Unauthorized - with a specific message and a stacktrace.
	91	*/
	92	public function testInvokeMiddlewareApiDisabledDebug()
	93	{
	94	$this->conf->set('api.enabled', false);
	95	$this->conf->set('dev.debug', true);
	96	$mw = new ApiMiddleware($this->container);
	97	$env = Environment::mock([
	98	'REQUEST_METHOD' => 'GET',
	99	'REQUEST_URI' => '/echo',
	100	]);
	101	$request = Request::createFromEnvironment($env);
	102	$response = new Response();
	103	/** @var Response $response */
	104	$response = $mw($request, $response, null);
	105
	106	$this->assertEquals(401, $response->getStatusCode());
	107	$body = json_decode((string) $response->getBody());
	108	$this->assertEquals('Not authorized: API is disabled', $body->message);
	109	$this->assertContains('ApiAuthorizationException', $body->stacktrace);
	110	}
	111
	112	/**
	113	* Invoke the middleware without a token (debug):
	114	* should return a 401 error Unauthorized - with a specific message and a stacktrace.
	115	*/
	116	public function testInvokeMiddlewareNoTokenProvidedDebug()
	117	{
	118	$this->conf->set('dev.debug', true);
	119	$mw = new ApiMiddleware($this->container);
	120	$env = Environment::mock([
	121	'REQUEST_METHOD' => 'GET',
	122	'REQUEST_URI' => '/echo',
	123	]);
	124	$request = Request::createFromEnvironment($env);
	125	$response = new Response();
	126	/** @var Response $response */
	127	$response = $mw($request, $response, null);
	128
	129	$this->assertEquals(401, $response->getStatusCode());
	130	$body = json_decode((string) $response->getBody());
	131	$this->assertEquals('Not authorized: JWT token not provided', $body->message);
	132	$this->assertContains('ApiAuthorizationException', $body->stacktrace);
	133	}
	134
	135	/**
	136	* Invoke the middleware without a secret set in settings (debug):
	137	* should return a 401 error Unauthorized - with a specific message and a stacktrace.
	138	*/
	139	public function testInvokeMiddlewareNoSecretSetDebug()
	140	{
	141	$this->conf->set('dev.debug', true);
	142	$this->conf->set('api.secret', '');
	143	$mw = new ApiMiddleware($this->container);
	144	$env = Environment::mock([
	145	'REQUEST_METHOD' => 'GET',
	146	'REQUEST_URI' => '/echo',
	147	'HTTP_AUTHORIZATION'=> 'Bearer jwt',
	148	]);
	149	$request = Request::createFromEnvironment($env);
	150	$response = new Response();
	151	/** @var Response $response */
	152	$response = $mw($request, $response, null);
	153
	154	$this->assertEquals(401, $response->getStatusCode());
	155	$body = json_decode((string) $response->getBody());
	156	$this->assertEquals('Not authorized: Token secret must be set in Shaarli\'s administration', $body->message);
	157	$this->assertContains('ApiAuthorizationException', $body->stacktrace);
	158	}
	159
	160	/**
	161	* Invoke the middleware with an invalid JWT token header
	162	*/
	163	public function testInvalidJwtAuthHeaderDebug()
	164	{
	165	$this->conf->set('dev.debug', true);
	166	$mw = new ApiMiddleware($this->container);
	167	$env = Environment::mock([
	168	'REQUEST_METHOD' => 'GET',
	169	'REQUEST_URI' => '/echo',
	170	'HTTP_AUTHORIZATION'=> 'PolarBearer jwt',
	171	]);
	172	$request = Request::createFromEnvironment($env);
	173	$response = new Response();
	174	/** @var Response $response */
	175	$response = $mw($request, $response, null);
	176
	177	$this->assertEquals(401, $response->getStatusCode());
	178	$body = json_decode((string) $response->getBody());
	179	$this->assertEquals('Not authorized: Invalid JWT header', $body->message);
	180	$this->assertContains('ApiAuthorizationException', $body->stacktrace);
	181	}
	182
	183	/**
	184	* Invoke the middleware with an invalid JWT token (debug):
	185	* should return a 401 error Unauthorized - with a specific message and a stacktrace.
	186	*
	187	* Note: specific JWT errors tests are handled in ApiUtilsTest.
	188	*/
	189	public function testInvokeMiddlewareInvalidJwtDebug()
	190	{
	191	$this->conf->set('dev.debug', true);
	192	$mw = new ApiMiddleware($this->container);
	193	$env = Environment::mock([
	194	'REQUEST_METHOD' => 'GET',
	195	'REQUEST_URI' => '/echo',
	196	'HTTP_AUTHORIZATION'=> 'Bearer jwt',
	197	]);
	198	$request = Request::createFromEnvironment($env);
	199	$response = new Response();
	200	/** @var Response $response */
	201	$response = $mw($request, $response, null);
	202
	203	$this->assertEquals(401, $response->getStatusCode());
	204	$body = json_decode((string) $response->getBody());
	205	$this->assertEquals('Not authorized: Malformed JWT token', $body->message);
	206	$this->assertContains('ApiAuthorizationException', $body->stacktrace);
	207	}
	208	}