首頁 探索 說明
登入
chiappa
/
irdb
镜像来自 https://git.snix.ch/chiappa/irdb.git
1
0
複刻 0
Files 問題管理 0
目錄樹: 8ff409fff2
分支列表 標籤列表
irdb
/
api
/
tests
/
Integration
/
Admin
/
AuditLogControllerTest.php

AuditLogControllerTest.php 8.1 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196 
  1. <?php
    2. 

  2. 

  3. declare(strict_types=1);
    4. 

  4. 

  5. namespace App\Tests\Integration\Admin;
    6. 

  6. 

  7. use App\Domain\Auth\Role;
    8. 

  8. use App\Domain\Auth\TokenKind;
    9. 

  9. use App\Tests\Integration\Support\AppTestCase;
    10. 

  10. 

  11. /**
    12. 

  12.  * `/api/v1/admin/audit-log` end-to-end. Seeds rows directly so the
    13. 

  13.  * filter coverage doesn't depend on emission timing.
    14. 

  14.  */
    15. 

  15. final class AuditLogControllerTest extends AppTestCase
    16. 

  16. {
    17. 

  17.     public function testListEmpty(): void
    18. 

  18.     {
    19. 

  19.         $token = $this->createToken(TokenKind::Admin, Role::Viewer);
    20. 

  20.         $resp = $this->request('GET', '/api/v1/admin/audit-log', ['Authorization' => 'Bearer ' . $token]);
    21. 

  21.         self::assertSame(200, $resp->getStatusCode());
    22. 

  22.         $body = $this->decode($resp);
    23. 

  23.         self::assertSame([], $body['items']);
    24. 

  24.         self::assertSame(0, $body['total']);
    25. 

  25.     }
    26. 

  26. 

  27.     public function testListWithFilters(): void
    28. 

  28.     {
    29. 

  29.         $now = (new \DateTimeImmutable('now', new \DateTimeZone('UTC')))->format('Y-m-d H:i:s');
    30. 

  30.         $this->seedAudit('user', '7', 'manual_block.created', 'manual_block', '1', '{"ip":"1.1.1.1"}', $now);
    31. 

  31.         $this->seedAudit('admin-token', '3', 'category.created', 'category', '2', '{"slug":"x"}', $now);
    32. 

  32.         $this->seedAudit('user', '7', 'allowlist.created', 'allowlist', '5', '{"ip":"2.2.2.2"}', $now);
    33. 

  33. 

  34.         $token = $this->createToken(TokenKind::Admin, Role::Viewer);
    35. 

  35.         // Filter by actor_kind=user
    36. 

  36.         $resp = $this->request('GET', '/api/v1/admin/audit-log?actor_kind=user', ['Authorization' => 'Bearer ' . $token]);
    37. 

  37.         $body = $this->decode($resp);
    38. 

  38.         self::assertSame(2, $body['total']);
    39. 

  39.         foreach ($body['items'] as $item) {
    40. 

  40.             self::assertSame('user', $item['actor_kind']);
    41. 

  41.         }
    42. 

  42. 

  43.         // Filter by action
    44. 

  44.         $resp = $this->request('GET', '/api/v1/admin/audit-log?action=category.created', ['Authorization' => 'Bearer ' . $token]);
    45. 

  45.         $body = $this->decode($resp);
    46. 

  46.         self::assertSame(1, $body['total']);
    47. 

  47.         self::assertSame('category.created', $body['items'][0]['action']);
    48. 

  48.         self::assertSame(['slug' => 'x'], $body['items'][0]['details']);
    49. 

  49. 

  50.         // Filter by entity_type=manual_block
    51. 

  51.         $resp = $this->request('GET', '/api/v1/admin/audit-log?entity_type=manual_block', ['Authorization' => 'Bearer ' . $token]);
    52. 

  52.         $body = $this->decode($resp);
    53. 

  53.         self::assertSame(1, $body['total']);
    54. 

  54.         self::assertSame('manual_block', $body['items'][0]['entity_type']);
    55. 

  55.     }
    56. 

  56. 

  57.     public function testSubjectFilterUnionsActorAndTarget(): void
    58. 

  58.     {
    59. 

  59.         $now = (new \DateTimeImmutable('now', new \DateTimeZone('UTC')))->format('Y-m-d H:i:s');
    60. 

  60. 

  61.         // (1) admin updated reporter #5 — target=reporter, actor=user
    62. 

  62.         $this->seedAudit('user', '1', 'reporter.updated', 'reporter', '5', '{}', $now);
    63. 

  63.         // (2) reporter #5 emitted a report.received — actor=reporter, target=report
    64. 

  64.         $this->seedAudit('reporter', '5', 'report.received', 'report', '99', '{}', $now);
    65. 

  65.         // (3) different reporter — must NOT appear in subject_kind=reporter,subject_id=5
    66. 

  66.         $this->seedAudit('reporter', '6', 'report.received', 'report', '100', '{}', $now);
    67. 

  67.         // (4) unrelated row — must NOT appear
    68. 

  68.         $this->seedAudit('user', '1', 'manual_block.created', 'manual_block', '7', '{}', $now);
    69. 

  69. 

  70.         $token = $this->createToken(TokenKind::Admin, Role::Viewer);
    71. 

  71.         $resp = $this->request(
    72. 

  72.             'GET',
    73. 

  73.             '/api/v1/admin/audit-log?subject_kind=reporter&subject_id=5',
    74. 

  74.             ['Authorization' => 'Bearer ' . $token],
    75. 

  75.         );
    76. 

  76.         $body = $this->decode($resp);
    77. 

  77.         self::assertSame(2, $body['total']);
    78. 

  78.         $actions = array_map(static fn (array $r): string => $r['action'], $body['items']);
    79. 

  79.         self::assertContains('reporter.updated', $actions);
    80. 

  80.         self::assertContains('report.received', $actions);
    81. 

  81.         self::assertNotContains('manual_block.created', $actions);
    82. 

  82.     }
    83. 

  83. 

  84.     public function testSubjectKindWithoutIdReturns400(): void
    85. 

  85.     {
    86. 

  86.         $token = $this->createToken(TokenKind::Admin, Role::Viewer);
    87. 

  87.         $resp = $this->request(
    88. 

  88.             'GET',
    89. 

  89.             '/api/v1/admin/audit-log?subject_kind=reporter',
    90. 

  90.             ['Authorization' => 'Bearer ' . $token],
    91. 

  91.         );
    92. 

  92.         self::assertSame(400, $resp->getStatusCode());
    93. 

  93.         self::assertArrayHasKey('subject', $this->decode($resp)['details']);
    94. 

  94.     }
    95. 

  95. 

  96.     public function testInvalidActorKindReturns400(): void
    97. 

  97.     {
    98. 

  98.         $token = $this->createToken(TokenKind::Admin, Role::Viewer);
    99. 

  99.         $resp = $this->request('GET', '/api/v1/admin/audit-log?actor_kind=potato', ['Authorization' => 'Bearer ' . $token]);
    100. 

  100.         self::assertSame(400, $resp->getStatusCode());
    101. 

  101.     }
    102. 

  102. 

  103.     public function testRequiresViewer(): void
    104. 

  104.     {
    105. 

  105.         $resp = $this->request('GET', '/api/v1/admin/audit-log');
    106. 

  106.         self::assertSame(401, $resp->getStatusCode());
    107. 

  107.     }
    108. 

  108. 

  109.     public function testOversizedFilterRejected(): void
    110. 

  110.     {
    111. 

  111.         // SEC_REVIEW F31: free-form filter strings are bounded at 128 chars.
    112. 

  112.         $token = $this->createToken(TokenKind::Admin, Role::Viewer);
    113. 

  113.         $long = str_repeat('a', 200);
    114. 

  114.         $resp = $this->request(
    115. 

  115.             'GET',
    116. 

  116.             '/api/v1/admin/audit-log?action=' . $long,
    117. 

  117.             ['Authorization' => 'Bearer ' . $token],
    118. 

  118.         );
    119. 

  119.         self::assertSame(400, $resp->getStatusCode());
    120. 

  120.         self::assertArrayHasKey('action', $this->decode($resp)['details']);
    121. 

  121. 

  122.         $resp = $this->request(
    123. 

  123.             'GET',
    124. 

  124.             '/api/v1/admin/audit-log?entity_type=' . $long,
    125. 

  125.             ['Authorization' => 'Bearer ' . $token],
    126. 

  126.         );
    127. 

  127.         self::assertSame(400, $resp->getStatusCode());
    128. 

  128.         self::assertArrayHasKey('entity_type', $this->decode($resp)['details']);
    129. 

  129. 

  130.         $resp = $this->request(
    131. 

  131.             'GET',
    132. 

  132.             '/api/v1/admin/audit-log?entity_id=' . $long,
    133. 

  133.             ['Authorization' => 'Bearer ' . $token],
    134. 

  134.         );
    135. 

  135.         self::assertSame(400, $resp->getStatusCode());
    136. 

  136.         self::assertArrayHasKey('entity_id', $this->decode($resp)['details']);
    137. 

  137. 

  138.         $resp = $this->request(
    139. 

  139.             'GET',
    140. 

  140.             '/api/v1/admin/audit-log?subject_kind=' . $long . '&subject_id=5',
    141. 

  141.             ['Authorization' => 'Bearer ' . $token],
    142. 

  142.         );
    143. 

  143.         self::assertSame(400, $resp->getStatusCode());
    144. 

  144.         self::assertArrayHasKey('subject', $this->decode($resp)['details']);
    145. 

  145.     }
    146. 

  146. 

  147.     public function testDeepOffsetRejected(): void
    148. 

  148.     {
    149. 

  149.         // SEC_REVIEW F31: pagination is capped at 10 000 offset rows so a
    150. 

  150.         // Viewer can't force `LIMIT 200 OFFSET huge` deep scans.
    151. 

  151.         $token = $this->createToken(TokenKind::Admin, Role::Viewer);
    152. 

  152.         $resp = $this->request(
    153. 

  153.             'GET',
    154. 

  154.             '/api/v1/admin/audit-log?page=999999&page_size=200',
    155. 

  155.             ['Authorization' => 'Bearer ' . $token],
    156. 

  156.         );
    157. 

  157.         self::assertSame(400, $resp->getStatusCode());
    158. 

  158.         self::assertArrayHasKey('page', $this->decode($resp)['details']);
    159. 

  159.     }
    160. 

  160. 

  161.     public function testDeepOffsetAtBoundaryAccepted(): void
    162. 

  162.     {
    163. 

  163.         // Right at offset = MAX_OFFSET (10 000) is fine; one more page over
    164. 

  164.         // is rejected.
    165. 

  165.         $token = $this->createToken(TokenKind::Admin, Role::Viewer);
    166. 

  166.         // page=51, page_size=200 → offset=10000 (boundary, allowed)
    167. 

  167.         $resp = $this->request(
    168. 

  168.             'GET',
    169. 

  169.             '/api/v1/admin/audit-log?page=51&page_size=200',
    170. 

  170.             ['Authorization' => 'Bearer ' . $token],
    171. 

  171.         );
    172. 

  172.         self::assertSame(200, $resp->getStatusCode());
    173. 

  173. 

  174.         // page=52, page_size=200 → offset=10200 (over boundary, rejected)
    175. 

  175.         $resp = $this->request(
    176. 

  176.             'GET',
    177. 

  177.             '/api/v1/admin/audit-log?page=52&page_size=200',
    178. 

  178.             ['Authorization' => 'Bearer ' . $token],
    179. 

  179.         );
    180. 

  180.         self::assertSame(400, $resp->getStatusCode());
    181. 

  181.     }
    182. 

  182. 

  183.     private function seedAudit(string $kind, ?string $actorId, string $action, string $type, string $id, string $details, string $when): void
    184. 

  184.     {
    185. 

  185.         $this->db->insert('audit_log', [
    186. 

  186.             'actor_kind' => $kind,
    187. 

  187.             'actor_id' => $actorId,
    188. 

  188.             'action' => $action,
    189. 

  189.             'target_type' => $type,
    190. 

  190.             'target_id' => $id,
    191. 

  191.             'details_json' => $details,
    192. 

  192.             'ip_address' => null,
    193. 

  193.             'created_at' => $when,
    194. 

  194.         ]);
    195. 

  195.     }
    196. 

  196. }
    197.