Kezdőlap Felfedezés Súgó
Bejelentkezés
chiappa
/
irdb
tükrözi: https://git.snix.ch/chiappa/irdb.git
1
0
Másolás 0
Fájlok Problémák 0
Fa: 7622fd201b
Branch-ok Tag-ek
irdb
/
api
/
tests
/
Integration
/
Public
/
BlocklistControllerTest.php

BlocklistControllerTest.php 9.1 KB
Előzmények Nyers

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225 
  1. <?php
    2. 

  2. 

  3. declare(strict_types=1);
    4. 

  4. 

  5. namespace App\Tests\Integration\Public;
    6. 

  6. 

  7. use App\Domain\Auth\Role;
    8. 

  8. use App\Domain\Auth\TokenKind;
    9. 

  9. use App\Domain\Ip\Cidr;
    10. 

  10. use App\Domain\Ip\IpAddress;
    11. 

  11. use App\Tests\Integration\Support\AppTestCase;
    12. 

  12. use Doctrine\DBAL\ParameterType;
    13. 

  13. 

  14. /**
    15. 

  15.  * Covers SPEC §M07.3: distribution endpoint.
    16. 

  16.  *  - kind=consumer required (admin token forbidden)
    17. 

  17.  *  - text/plain default; ?format=json
    18. 

  18.  *  - allowlist excludes; manual blocks emit
    19. 

  19.  *  - ETag round-trip → 304
    20. 

  20.  *  - response headers populated
    21. 

  21.  */
    22. 

  22. final class BlocklistControllerTest extends AppTestCase
    23. 

  23. {
    24. 

  24.     public function testAdminTokenIsRejected(): void
    25. 

  25.     {
    26. 

  26.         $token = $this->createToken(TokenKind::Admin, role: Role::Admin);
    27. 

  27.         $response = $this->request('GET', '/api/v1/blocklist', [
    28. 

  28.             'Authorization' => 'Bearer ' . $token,
    29. 

  29.         ]);
    30. 

  30.         self::assertSame(401, $response->getStatusCode());
    31. 

  31.     }
    32. 

  32. 

  33.     public function testConsumerTokenReturnsEmptyTextByDefault(): void
    34. 

  34.     {
    35. 

  35.         $token = $this->setupConsumerToken('moderate');
    36. 

  36. 

  37.         $response = $this->request('GET', '/api/v1/blocklist', [
    38. 

  38.             'Authorization' => 'Bearer ' . $token,
    39. 

  39.         ]);
    40. 

  40.         self::assertSame(200, $response->getStatusCode());
    41. 

  41.         self::assertSame('text/plain', $response->getHeaderLine('Content-Type'));
    42. 

  42.         self::assertSame('', (string) $response->getBody());
    43. 

  43.         self::assertSame('0', $response->getHeaderLine('X-Blocklist-Entries'));
    44. 

  44.         self::assertSame('moderate', $response->getHeaderLine('X-Blocklist-Policy'));
    45. 

  45.         self::assertNotSame('', $response->getHeaderLine('ETag'));
    46. 

  46.         self::assertNotSame('', $response->getHeaderLine('X-Blocklist-Generated-At'));
    47. 

  47.     }
    48. 

  48. 

  49.     public function testManualBlockAppearsInTextBlocklist(): void
    50. 

  50.     {
    51. 

  51.         $token = $this->setupConsumerToken('moderate');
    52. 

  52.         $this->insertManualSubnet('198.51.100.0/24');
    53. 

  53. 

  54.         $response = $this->request('GET', '/api/v1/blocklist', [
    55. 

  55.             'Authorization' => 'Bearer ' . $token,
    56. 

  56.         ]);
    57. 

  57.         self::assertSame(200, $response->getStatusCode());
    58. 

  58.         self::assertStringContainsString('198.51.100.0/24', (string) $response->getBody());
    59. 

  59.         self::assertSame('1', $response->getHeaderLine('X-Blocklist-Entries'));
    60. 

  60.     }
    61. 

  61. 

  62.     public function testJsonFormatReturnsStructuredEntries(): void
    63. 

  63.     {
    64. 

  64.         $token = $this->setupConsumerToken('moderate');
    65. 

  65.         $this->insertManualIp('203.0.113.7');
    66. 

  66. 

  67.         $response = $this->request('GET', '/api/v1/blocklist?format=json', [
    68. 

  68.             'Authorization' => 'Bearer ' . $token,
    69. 

  69.         ]);
    70. 

  70.         self::assertSame(200, $response->getStatusCode());
    71. 

  71.         self::assertSame('application/json', $response->getHeaderLine('Content-Type'));
    72. 

  72.         $body = json_decode((string) $response->getBody(), true);
    73. 

  73.         self::assertIsArray($body);
    74. 

  74.         self::assertCount(1, $body);
    75. 

  75.         self::assertSame('203.0.113.7', $body[0]['ip_or_cidr']);
    76. 

  76.         self::assertSame('manual', $body[0]['reason']);
    77. 

  77.         self::assertNull($body[0]['score']);
    78. 

  78.     }
    79. 

  79. 

  80.     public function testEtagRoundTripReturns304(): void
    81. 

  81.     {
    82. 

  82.         $token = $this->setupConsumerToken('moderate');
    83. 

  83.         $this->insertManualSubnet('198.51.100.0/24');
    84. 

  84. 

  85.         $first = $this->request('GET', '/api/v1/blocklist', [
    86. 

  86.             'Authorization' => 'Bearer ' . $token,
    87. 

  87.         ]);
    88. 

  88.         $etag = $first->getHeaderLine('ETag');
    89. 

  89.         self::assertNotSame('', $etag);
    90. 

  90. 

  91.         $second = $this->request('GET', '/api/v1/blocklist', [
    92. 

  92.             'Authorization' => 'Bearer ' . $token,
    93. 

  93.             'If-None-Match' => $etag,
    94. 

  94.         ]);
    95. 

  95.         self::assertSame(304, $second->getStatusCode());
    96. 

  96.         self::assertSame('', (string) $second->getBody());
    97. 

  97.     }
    98. 

  98. 

  99.     public function testEtagDiffersBetweenTextAndJson(): void
    100. 

  100.     {
    101. 

  101.         $token = $this->setupConsumerToken('moderate');
    102. 

  102.         $this->insertManualSubnet('198.51.100.0/24');
    103. 

  103. 

  104.         $text = $this->request('GET', '/api/v1/blocklist', [
    105. 

  105.             'Authorization' => 'Bearer ' . $token,
    106. 

  106.         ]);
    107. 

  107.         $json = $this->request('GET', '/api/v1/blocklist?format=json', [
    108. 

  108.             'Authorization' => 'Bearer ' . $token,
    109. 

  109.         ]);
    110. 

  110.         self::assertNotSame($text->getHeaderLine('ETag'), $json->getHeaderLine('ETag'));
    111. 

  111.     }
    112. 

  112. 

  113.     public function testAllowlistedManualSubnetIsExcluded(): void
    114. 

  114.     {
    115. 

  115.         $token = $this->setupConsumerToken('moderate');
    116. 

  116.         $this->insertManualSubnet('198.51.100.0/24');
    117. 

  117.         // Allowlist a subnet that fully contains the manual block.
    118. 

  118.         $this->insertAllowSubnet('198.51.100.0/16');
    119. 

  119. 

  120.         $response = $this->request('GET', '/api/v1/blocklist', [
    121. 

  121.             'Authorization' => 'Bearer ' . $token,
    122. 

  122.         ]);
    123. 

  123.         self::assertSame(200, $response->getStatusCode());
    124. 

  124.         self::assertStringNotContainsString('198.51.100.0/24', (string) $response->getBody());
    125. 

  125.     }
    126. 

  126. 

  127.     /**
    128. 

  128.      * Three policies with distinct thresholds yield distinct entry counts
    129. 

  129.      * over the same scored data — SPEC §M07 acceptance.
    130. 

  130.      */
    131. 

  131.     public function testThreePoliciesProduceDifferentBlocklists(): void
    132. 

  132.     {
    133. 

  133.         $strict = $this->setupConsumerToken('strict', 'consumer-strict');
    134. 

  134.         $moderate = $this->setupConsumerToken('moderate', 'consumer-moderate');
    135. 

  135.         $paranoid = $this->setupConsumerToken('paranoid', 'consumer-paranoid');
    136. 

  136. 

  137.         $bruteForceId = (int) $this->db->fetchOne('SELECT id FROM categories WHERE slug = :s', ['s' => 'brute_force']);
    138. 

  138.         // Score chosen to fall between paranoid (0.3) and moderate (1.0).
    139. 

  139.         $this->insertScore('203.0.113.10', $bruteForceId, 0.5);
    140. 

  140.         // Score that paranoid + moderate catch but strict (2.5) misses.
    141. 

  141.         $this->insertScore('203.0.113.20', $bruteForceId, 1.5);
    142. 

  142.         // Score that all three policies catch.
    143. 

  143.         $this->insertScore('203.0.113.30', $bruteForceId, 3.0);
    144. 

  144. 

  145.         $strictResp = $this->request('GET', '/api/v1/blocklist', [
    146. 

  146.             'Authorization' => 'Bearer ' . $strict,
    147. 

  147.         ]);
    148. 

  148.         $moderateResp = $this->request('GET', '/api/v1/blocklist', [
    149. 

  149.             'Authorization' => 'Bearer ' . $moderate,
    150. 

  150.         ]);
    151. 

  151.         $paranoidResp = $this->request('GET', '/api/v1/blocklist', [
    152. 

  152.             'Authorization' => 'Bearer ' . $paranoid,
    153. 

  153.         ]);
    154. 

  154. 

  155.         self::assertSame('1', $strictResp->getHeaderLine('X-Blocklist-Entries'));
    156. 

  156.         self::assertSame('2', $moderateResp->getHeaderLine('X-Blocklist-Entries'));
    157. 

  157.         self::assertSame('3', $paranoidResp->getHeaderLine('X-Blocklist-Entries'));
    158. 

  158.     }
    159. 

  159. 

  160.     private function setupConsumerToken(string $policyName, string $consumerName = 'fw-test'): string
    161. 

  161.     {
    162. 

  162.         $policyId = (int) $this->db->fetchOne('SELECT id FROM policies WHERE name = :n', ['n' => $policyName]);
    163. 

  163.         $this->db->insert('consumers', [
    164. 

  164.             'name' => $consumerName,
    165. 

  165.             'policy_id' => $policyId,
    166. 

  166.             'is_active' => 1,
    167. 

  167.         ]);
    168. 

  168.         $consumerId = (int) $this->db->lastInsertId();
    169. 

  169. 

  170.         return $this->createToken(TokenKind::Consumer, consumerId: $consumerId);
    171. 

  171.     }
    172. 

  172. 

  173.     private function insertManualIp(string $ip): void
    174. 

  174.     {
    175. 

  175.         $bin = IpAddress::fromString($ip)->binary();
    176. 

  176.         $stmt = $this->db->prepare(
    177. 

  177.             'INSERT INTO manual_blocks (kind, ip_bin, reason) VALUES (:kind, :ip_bin, :reason)'
    178. 

  178.         );
    179. 

  179.         $stmt->bindValue('kind', 'ip');
    180. 

  180.         $stmt->bindValue('ip_bin', $bin, ParameterType::LARGE_OBJECT);
    181. 

  181.         $stmt->bindValue('reason', 'test');
    182. 

  182.         $stmt->executeStatement();
    183. 

  183.     }
    184. 

  184. 

  185.     private function insertManualSubnet(string $cidr): void
    186. 

  186.     {
    187. 

  187.         $c = Cidr::fromString($cidr);
    188. 

  188.         $stmt = $this->db->prepare(
    189. 

  189.             'INSERT INTO manual_blocks (kind, network_bin, prefix_length, reason) VALUES (:kind, :net, :pl, :reason)'
    190. 

  190.         );
    191. 

  191.         $stmt->bindValue('kind', 'subnet');
    192. 

  192.         $stmt->bindValue('net', $c->network(), ParameterType::LARGE_OBJECT);
    193. 

  193.         $stmt->bindValue('pl', $c->prefixLength(), ParameterType::INTEGER);
    194. 

  194.         $stmt->bindValue('reason', 'test');
    195. 

  195.         $stmt->executeStatement();
    196. 

  196.     }
    197. 

  197. 

  198.     private function insertAllowSubnet(string $cidr): void
    199. 

  199.     {
    200. 

  200.         $c = Cidr::fromString($cidr);
    201. 

  201.         $stmt = $this->db->prepare(
    202. 

  202.             'INSERT INTO allowlist (kind, network_bin, prefix_length, reason) VALUES (:kind, :net, :pl, :reason)'
    203. 

  203.         );
    204. 

  204.         $stmt->bindValue('kind', 'subnet');
    205. 

  205.         $stmt->bindValue('net', $c->network(), ParameterType::LARGE_OBJECT);
    206. 

  206.         $stmt->bindValue('pl', $c->prefixLength(), ParameterType::INTEGER);
    207. 

  207.         $stmt->bindValue('reason', 'test');
    208. 

  208.         $stmt->executeStatement();
    209. 

  209.     }
    210. 

  210. 

  211.     private function insertScore(string $ip, int $categoryId, float $score): void
    212. 

  212.     {
    213. 

  213.         $ipObj = IpAddress::fromString($ip);
    214. 

  214.         $stmt = $this->db->prepare(
    215. 

  215.             'INSERT INTO ip_scores (ip_bin, ip_text, category_id, score, report_count_30d, last_report_at, recomputed_at) '
    216. 

  216.             . 'VALUES (:b, :t, :c, :s, 1, :now, :now)'
    217. 

  217.         );
    218. 

  218.         $stmt->bindValue('b', $ipObj->binary(), ParameterType::LARGE_OBJECT);
    219. 

  219.         $stmt->bindValue('t', $ipObj->text());
    220. 

  220.         $stmt->bindValue('c', $categoryId, ParameterType::INTEGER);
    221. 

  221.         $stmt->bindValue('s', number_format($score, 4, '.', ''));
    222. 

  222.         $stmt->bindValue('now', (new \DateTimeImmutable('now'))->format('Y-m-d H:i:s'));
    223. 

  223.         $stmt->executeStatement();
    224. 

  224.     }
    225. 

  225. }
    226.