首頁 探索 說明
登入
chiappa
/
irdb
镜像来自 https://git.snix.ch/chiappa/irdb.git
1
0
複刻 0
Files 問題管理 0
目錄樹: 5085bba93b
分支列表 標籤列表
irdb
/
api
/
tests
/
Integration
/
Admin
/
JobsAdminControllerTest.php

JobsAdminControllerTest.php 6.1 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154 
  1. <?php
    2. 

  2. 

  3. declare(strict_types=1);
    4. 

  4. 

  5. namespace App\Tests\Integration\Admin;
    6. 

  6. 

  7. use App\Domain\Auth\Role;
    8. 

  8. use App\Domain\Auth\TokenKind;
    9. 

  9. use App\Tests\Integration\Support\AppTestCase;
    10. 

  10. 

  11. /**
    12. 

  12.  * `/api/v1/admin/jobs/{status,trigger}` — admin-only wrapper that the UI
    13. 

  13.  * uses to invoke jobs without needing the internal token.
    14. 

  14.  */
    15. 

  15. final class JobsAdminControllerTest extends AppTestCase
    16. 

  16. {
    17. 

  17.     public function testStatusRequiresViewer(): void
    18. 

  18.     {
    19. 

  19.         $resp = $this->request('GET', '/api/v1/admin/jobs/status');
    20. 

  20.         self::assertSame(401, $resp->getStatusCode());
    21. 

  21.     }
    22. 

  22. 

  23.     public function testStatusReturnsAllJobs(): void
    24. 

  24.     {
    25. 

  25.         $token = $this->createToken(TokenKind::Admin, Role::Viewer);
    26. 

  26.         $resp = $this->request('GET', '/api/v1/admin/jobs/status', ['Authorization' => 'Bearer ' . $token]);
    27. 

  27.         self::assertSame(200, $resp->getStatusCode());
    28. 

  28.         $body = $this->decode($resp);
    29. 

  29.         self::assertArrayHasKey('jobs', $body);
    30. 

  30.         foreach (['recompute-scores', 'cleanup-audit', 'enrich-pending', 'refresh-geoip', 'tick'] as $name) {
    31. 

  31.             self::assertArrayHasKey($name, $body['jobs']);
    32. 

  32.         }
    33. 

  33.     }
    34. 

  34. 

  35.     public function testTriggerOperatorForbidden(): void
    36. 

  36.     {
    37. 

  37.         $token = $this->createToken(TokenKind::Admin, Role::Operator);
    38. 

  38.         $resp = $this->request(
    39. 

  39.             'POST',
    40. 

  40.             '/api/v1/admin/jobs/trigger/recompute-scores',
    41. 

  41.             ['Authorization' => 'Bearer ' . $token],
    42. 

  42.         );
    43. 

  43.         self::assertSame(403, $resp->getStatusCode());
    44. 

  44.     }
    45. 

  45. 

  46.     public function testTriggerUnknownJobReturns404(): void
    47. 

  47.     {
    48. 

  48.         $token = $this->createToken(TokenKind::Admin, Role::Admin);
    49. 

  49.         $resp = $this->request(
    50. 

  50.             'POST',
    51. 

  51.             '/api/v1/admin/jobs/trigger/does-not-exist',
    52. 

  52.             ['Authorization' => 'Bearer ' . $token],
    53. 

  53.         );
    54. 

  54.         self::assertSame(404, $resp->getStatusCode());
    55. 

  55.     }
    56. 

  56. 

  57.     /**
    58. 

  58.      * @return iterable<string, array{string}>
    59. 

  59.      */
    60. 

  60.     public static function malformedJobNames(): iterable
    61. 

  61.     {
    62. 

  62.         // SEC_REVIEW F44: any name outside `^[a-z0-9_-]+$` must 404
    63. 

  63.         // BEFORE flowing into `registry->has()` or the `job.triggered`
    64. 

  64.         // audit row. The Slim default segment regex `[^/]+` only
    65. 

  65.         // protects against `/`; everything else (uppercase, dots,
    66. 

  66.         // spaces, control chars, brackets) needs the controller gate.
    67. 

  67.         yield 'uppercase' => ['Recompute-Scores'];
    68. 

  68.         yield 'dotted' => ['recompute.scores'];
    69. 

  69.         yield 'space' => ['recompute scores'];
    70. 

  70.         yield 'newline injection' => ["recompute\nfaked"];
    71. 

  71.         yield 'cr injection' => ["recompute\rfaked"];
    72. 

  72.         yield 'bracket' => ['recompute[scores]'];
    73. 

  73.         yield 'percent' => ['recompute%20scores'];
    74. 

  74.         yield 'empty after url decode' => ['..'];
    75. 

  75.     }
    76. 

  76. 

  77.     #[\PHPUnit\Framework\Attributes\DataProvider('malformedJobNames')]
    78. 

  78.     public function testTriggerRejectsMalformedJobName(string $name): void
    79. 

  79.     {
    80. 

  80.         $token = $this->createToken(TokenKind::Admin, Role::Admin);
    81. 

  81.         $resp = $this->request(
    82. 

  82.             'POST',
    83. 

  83.             '/api/v1/admin/jobs/trigger/' . rawurlencode($name),
    84. 

  84.             ['Authorization' => 'Bearer ' . $token],
    85. 

  85.         );
    86. 

  86.         self::assertSame(404, $resp->getStatusCode(), "expected 404 for malformed name '{$name}'");
    87. 

  87.         // Critically: no audit row is emitted for the malformed name.
    88. 

  88.         $audit = $this->db->fetchOne(
    89. 

  89.             "SELECT COUNT(*) FROM audit_log WHERE action = 'job.triggered'"
    90. 

  90.         );
    91. 

  91.         self::assertSame(0, (int) $audit, "no audit row for malformed name '{$name}'");
    92. 

  92.     }
    93. 

  93. 

  94.     public function testTriggerRecomputeRunsAndAuditsAsManual(): void
    95. 

  95.     {
    96. 

  96.         $token = $this->createToken(TokenKind::Admin, Role::Admin);
    97. 

  97.         $resp = $this->request(
    98. 

  98.             'POST',
    99. 

  99.             '/api/v1/admin/jobs/trigger/recompute-scores',
    100. 

  100.             ['Authorization' => 'Bearer ' . $token, 'Content-Type' => 'application/json'],
    101. 

  101.             '{}',
    102. 

  102.         );
    103. 

  103.         self::assertSame(200, $resp->getStatusCode());
    104. 

  104.         $body = $this->decode($resp);
    105. 

  105.         self::assertSame('recompute-scores', $body['job']);
    106. 

  106.         self::assertSame('success', $body['status']);
    107. 

  107. 

  108.         // job_runs.triggered_by = manual
    109. 

  109.         $row = $this->db->fetchAssociative(
    110. 

  110.             "SELECT triggered_by FROM job_runs WHERE job_name = 'recompute-scores' ORDER BY id DESC LIMIT 1"
    111. 

  111.         );
    112. 

  112.         self::assertSame('manual', $row['triggered_by']);
    113. 

  113. 

  114.         // Audit row attributed to the admin token
    115. 

  115.         $audit = $this->db->fetchAssociative(
    116. 

  116.             "SELECT actor_kind, action, target_id, details_json FROM audit_log WHERE action = 'job.triggered' ORDER BY id DESC LIMIT 1"
    117. 

  117.         );
    118. 

  118.         self::assertIsArray($audit);
    119. 

  119.         self::assertSame('admin-token', $audit['actor_kind']);
    120. 

  120.         self::assertSame('recompute-scores', $audit['target_id']);
    121. 

  121.         $details = json_decode((string) $audit['details_json'], true);
    122. 

  122.         self::assertSame('manual', $details['triggered_by']);
    123. 

  123.     }
    124. 

  124. 

  125.     public function testRefreshGeoip412UnderMaxmindWithoutKey(): void
    126. 

  126.     {
    127. 

  127.         // Swap the downloader binding to MaxMind without a key.
    128. 

  128.         if (method_exists($this->container, 'set')) {
    129. 

  129.             /** @var \DI\Container $c */
    130. 

  130.             $c = $this->container;
    131. 

  131.             $c->set(
    132. 

  132.                 \App\Infrastructure\Enrichment\Downloaders\GeoIpDownloader::class,
    133. 

  133.                 new \App\Infrastructure\Enrichment\Downloaders\MaxMindDownloader(new \GuzzleHttp\Client(), licenseKey: ''),
    134. 

  134.             );
    135. 

  135.             $c->set(
    136. 

  136.                 \App\Application\Admin\JobsAdminController::class,
    137. 

  137.                 $c->make(\App\Application\Admin\JobsAdminController::class),
    138. 

  138.             );
    139. 

  139.             $this->app = \App\App\AppFactory::build($this->container);
    140. 

  140.         }
    141. 

  141. 

  142.         $token = $this->createToken(TokenKind::Admin, Role::Admin);
    143. 

  143.         $resp = $this->request(
    144. 

  144.             'POST',
    145. 

  145.             '/api/v1/admin/jobs/trigger/refresh-geoip',
    146. 

  146.             ['Authorization' => 'Bearer ' . $token],
    147. 

  147.         );
    148. 

  148.         self::assertSame(412, $resp->getStatusCode());
    149. 

  149.         $body = $this->decode($resp);
    150. 

  150.         self::assertSame('no_credential', $body['error']);
    151. 

  151.         self::assertSame('maxmind', $body['provider']);
    152. 

  152.         self::assertSame('MAXMIND_LICENSE_KEY', $body['missing']);
    153. 

  153.     }
    154. 

  154. }
    155.