Home Explore Help
Sign In
chiappa
/
irdb
mirror of https://git.snix.ch/chiappa/irdb.git
1
0
Fork 0
Files Issues 0
Tree: 8d89b8b1a2
Branches Tags
irdb
/
api
/
tests
/
Integration
/
Public
/
ReportControllerTest.php

ReportControllerTest.php 8.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213 
  1. <?php
    2. 

  2. 

  3. declare(strict_types=1);
    4. 

  4. 

  5. namespace App\Tests\Integration\Public;
    6. 

  6. 

  7. use App\Domain\Auth\Role;
    8. 

  8. use App\Domain\Auth\TokenKind;
    9. 

  9. use App\Tests\Integration\Support\AppTestCase;
    10. 

  10. 

  11. final class ReportControllerTest extends AppTestCase
    12. 

  12. {
    13. 

  13.     public function testValidReportInsertedAndScoreUpdated(): void
    14. 

  14.     {
    15. 

  15.         $reporterId = $this->createReporter('web-prod');
    16. 

  16.         $token = $this->createToken(TokenKind::Reporter, reporterId: $reporterId);
    17. 

  17. 

  18.         $resp = $this->request(
    19. 

  19.             'POST',
    20. 

  20.             '/api/v1/report',
    21. 

  21.             ['Authorization' => 'Bearer ' . $token, 'Content-Type' => 'application/json'],
    22. 

  22.             json_encode(['ip' => '203.0.113.42', 'category' => 'brute_force']) ?: null,
    23. 

  23.         );
    24. 

  24.         self::assertSame(202, $resp->getStatusCode());
    25. 

  25.         $body = $this->decode($resp);
    26. 

  26.         self::assertArrayHasKey('report_id', $body);
    27. 

  27.         self::assertSame('203.0.113.42', $body['ip']);
    28. 

  28.         self::assertArrayHasKey('received_at', $body);
    29. 

  29. 

  30.         // ip_scores must have a row > 0.
    31. 

  31.         $score = $this->db->fetchOne(
    32. 

  32.             "SELECT score FROM ip_scores WHERE ip_text = '203.0.113.42'"
    33. 

  33.         );
    34. 

  34.         self::assertNotFalse($score);
    35. 

  35.         self::assertGreaterThan(0.0, (float) $score);
    36. 

  36.     }
    37. 

  37. 

  38.     public function testManyReportsAccumulateMonotonically(): void
    39. 

  39.     {
    40. 

  40.         $reporterId = $this->createReporter('web-many');
    41. 

  41.         $token = $this->createToken(TokenKind::Reporter, reporterId: $reporterId);
    42. 

  42. 

  43.         for ($i = 0; $i < 5; $i++) {
    44. 

  44.             $this->request(
    45. 

  45.                 'POST',
    46. 

  46.                 '/api/v1/report',
    47. 

  47.                 ['Authorization' => 'Bearer ' . $token, 'Content-Type' => 'application/json'],
    48. 

  48.                 json_encode(['ip' => '198.51.100.7', 'category' => 'scanner']) ?: null,
    49. 

  49.             );
    50. 

  50.         }
    51. 

  51. 

  52.         $count = (int) $this->db->fetchOne(
    53. 

  53.             "SELECT COUNT(*) FROM reports WHERE ip_text = '198.51.100.7'"
    54. 

  54.         );
    55. 

  55.         self::assertSame(5, $count);
    56. 

  56. 

  57.         $score = (float) $this->db->fetchOne(
    58. 

  58.             "SELECT score FROM ip_scores WHERE ip_text = '198.51.100.7'"
    59. 

  59.         );
    60. 

  60.         // 5 fresh reports × weight 1.0 × decay~1.0 should be ~5.0.
    61. 

  61.         self::assertEqualsWithDelta(5.0, $score, 0.05);
    62. 

  62.     }
    63. 

  63. 

  64.     public function testWrongKindTokenRejected(): void
    65. 

  65.     {
    66. 

  66.         $token = $this->createToken(TokenKind::Admin, role: Role::Admin);
    67. 

  67. 

  68.         $resp = $this->request(
    69. 

  69.             'POST',
    70. 

  70.             '/api/v1/report',
    71. 

  71.             ['Authorization' => 'Bearer ' . $token, 'Content-Type' => 'application/json'],
    72. 

  72.             json_encode(['ip' => '1.2.3.4', 'category' => 'spam']) ?: null,
    73. 

  73.         );
    74. 

  74.         self::assertSame(401, $resp->getStatusCode());
    75. 

  75.     }
    76. 

  76. 

  77.     public function testInvalidIpReturns400(): void
    78. 

  78.     {
    79. 

  79.         $reporterId = $this->createReporter('web-bad-ip');
    80. 

  80.         $token = $this->createToken(TokenKind::Reporter, reporterId: $reporterId);
    81. 

  81. 

  82.         $resp = $this->request(
    83. 

  83.             'POST',
    84. 

  84.             '/api/v1/report',
    85. 

  85.             ['Authorization' => 'Bearer ' . $token, 'Content-Type' => 'application/json'],
    86. 

  86.             json_encode(['ip' => 'not-an-ip', 'category' => 'spam']) ?: null,
    87. 

  87.         );
    88. 

  88.         self::assertSame(400, $resp->getStatusCode());
    89. 

  89.         $body = $this->decode($resp);
    90. 

  90.         self::assertSame('validation_failed', $body['error']);
    91. 

  91.         self::assertArrayHasKey('ip', $body['details']);
    92. 

  92.     }
    93. 

  93. 

  94.     public function testUnknownCategoryReturns400(): void
    95. 

  95.     {
    96. 

  96.         $reporterId = $this->createReporter('web-bad-cat');
    97. 

  97.         $token = $this->createToken(TokenKind::Reporter, reporterId: $reporterId);
    98. 

  98. 

  99.         $resp = $this->request(
    100. 

  100.             'POST',
    101. 

  101.             '/api/v1/report',
    102. 

  102.             ['Authorization' => 'Bearer ' . $token, 'Content-Type' => 'application/json'],
    103. 

  103.             json_encode(['ip' => '1.2.3.4', 'category' => 'no-such']) ?: null,
    104. 

  104.         );
    105. 

  105.         self::assertSame(400, $resp->getStatusCode());
    106. 

  106.         self::assertArrayHasKey('category', $this->decode($resp)['details']);
    107. 

  107.     }
    108. 

  108. 

  109.     public function testMetadataMustBeObject(): void
    110. 

  110.     {
    111. 

  111.         $reporterId = $this->createReporter('web-bad-meta');
    112. 

  112.         $token = $this->createToken(TokenKind::Reporter, reporterId: $reporterId);
    113. 

  113. 

  114.         $resp = $this->request(
    115. 

  115.             'POST',
    116. 

  116.             '/api/v1/report',
    117. 

  117.             ['Authorization' => 'Bearer ' . $token, 'Content-Type' => 'application/json'],
    118. 

  118.             json_encode(['ip' => '1.2.3.4', 'category' => 'spam', 'metadata' => [1, 2, 3]]) ?: null,
    119. 

  119.         );
    120. 

  120.         self::assertSame(400, $resp->getStatusCode());
    121. 

  121.     }
    122. 

  122. 

  123.     public function testMetadataExceedingLimitRejected(): void
    124. 

  124.     {
    125. 

  125.         $reporterId = $this->createReporter('web-big-meta');
    126. 

  126.         $token = $this->createToken(TokenKind::Reporter, reporterId: $reporterId);
    127. 

  127. 

  128.         $big = ['blob' => str_repeat('A', 5000)];
    129. 

  129.         $resp = $this->request(
    130. 

  130.             'POST',
    131. 

  131.             '/api/v1/report',
    132. 

  132.             ['Authorization' => 'Bearer ' . $token, 'Content-Type' => 'application/json'],
    133. 

  133.             json_encode(['ip' => '1.2.3.4', 'category' => 'spam', 'metadata' => $big]) ?: null,
    134. 

  134.         );
    135. 

  135.         self::assertSame(400, $resp->getStatusCode());
    136. 

  136.     }
    137. 

  137. 

  138.     public function testInactiveReporterTokenRejected(): void
    139. 

  139.     {
    140. 

  140.         $reporterId = $this->createReporter('web-disabled');
    141. 

  141.         $token = $this->createToken(TokenKind::Reporter, reporterId: $reporterId);
    142. 

  142.         $this->db->update('reporters', ['is_active' => 0], ['id' => $reporterId]);
    143. 

  143. 

  144.         $resp = $this->request(
    145. 

  145.             'POST',
    146. 

  146.             '/api/v1/report',
    147. 

  147.             ['Authorization' => 'Bearer ' . $token, 'Content-Type' => 'application/json'],
    148. 

  148.             json_encode(['ip' => '1.2.3.4', 'category' => 'spam']) ?: null,
    149. 

  149.         );
    150. 

  150.         self::assertSame(401, $resp->getStatusCode());
    151. 

  151.     }
    152. 

  152. 

  153.     public function testOversizedRequestBodyIsRejectedWith413(): void
    154. 

  154.     {
    155. 

  155.         // SEC_REVIEW F69: a Reporter token can no longer POST a
    156. 

  156.         // multi-megabyte body that gets `getContents()`-ed into
    157. 

  157.         // memory by Slim's BodyParsingMiddleware. The global
    158. 

  158.         // RequestBodySizeLimitMiddleware (256 KiB cap) returns 413
    159. 

  159.         // BEFORE the body is read.
    160. 

  160.         $reporterId = $this->createReporter('web-oversize');
    161. 

  161.         $token = $this->createToken(TokenKind::Reporter, reporterId: $reporterId);
    162. 

  162. 

  163.         // 512 KiB of plaintext, well past the 256 KiB cap.
    164. 

  164.         $bigBody = json_encode([
    165. 

  165.             'ip' => '203.0.113.42',
    166. 

  166.             'category' => 'spam',
    167. 

  167.             'metadata' => ['blob' => str_repeat('A', 512 * 1024)],
    168. 

  168.         ]) ?: '';
    169. 

  169. 

  170.         $resp = $this->request(
    171. 

  171.             'POST',
    172. 

  172.             '/api/v1/report',
    173. 

  173.             ['Authorization' => 'Bearer ' . $token, 'Content-Type' => 'application/json'],
    174. 

  174.             $bigBody,
    175. 

  175.         );
    176. 

  176. 

  177.         self::assertSame(413, $resp->getStatusCode());
    178. 

  178.         self::assertSame('payload_too_large', $this->decode($resp)['error']);
    179. 

  179.     }
    180. 

  180. 

  181.     public function testDeeplyNestedJsonDoesNotBlowTheStack(): void
    182. 

  182.     {
    183. 

  183.         // SEC_REVIEW F69: bounded `json_decode` depth (32). A
    184. 

  184.         // 100-level nested object would otherwise hit PHP's default
    185. 

  185.         // 512-deep recursion limit and risk a stack issue on top of
    186. 

  186.         // wasting CPU. Past the cap, json_decode throws —
    187. 

  187.         // `ReportController::jsonBody` catches and treats as empty,
    188. 

  188.         // so the request continues and fails the regular `ip
    189. 

  189.         // required` validation.
    190. 

  190.         $reporterId = $this->createReporter('web-deepjson');
    191. 

  191.         $token = $this->createToken(TokenKind::Reporter, reporterId: $reporterId);
    192. 

  192. 

  193.         // Build a 100-deep nested object.
    194. 

  194.         $payload = '{}';
    195. 

  195.         for ($i = 0; $i < 100; $i++) {
    196. 

  196.             $payload = '{"x":' . $payload . '}';
    197. 

  197.         }
    198. 

  198. 

  199.         $resp = $this->request(
    200. 

  200.             'POST',
    201. 

  201.             '/api/v1/report',
    202. 

  202.             ['Authorization' => 'Bearer ' . $token, 'Content-Type' => 'application/json'],
    203. 

  203.             $payload,
    204. 

  204.         );
    205. 

  205. 

  206.         // Slim's BodyParsingMiddleware uses its own json_decode
    207. 

  207.         // (depth 512), so it succeeds — but then the controller's
    208. 

  208.         // validation runs and rejects "ip required" with 400. The
    209. 

  209.         // important guarantee is "no 500, no exception leaked"; the
    210. 

  210.         // exact response code isn't the point.
    211. 

  211.         self::assertContains($resp->getStatusCode(), [400, 413]);
    212. 

  212.     }
    213. 

  213. }
    214.