Inicio Explorar Ayuda
Iniciar sesión
chiappa
/
irdb
espejo de https://git.snix.ch/chiappa/irdb.git
1
0
Fork 0
Archivos Incidencias 0
Árbol: df1a298c82
Ramas Etiquetas
irdb
/
api
/
tests
/
Integration
/
Public
/
DocsControllerTest.php

DocsControllerTest.php 3.4 KB
Histórico Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091 
  1. <?php
    2. 

  2. 

  3. declare(strict_types=1);
    4. 

  4. 

  5. namespace App\Tests\Integration\Public;
    6. 

  6. 

  7. use App\Tests\Integration\Support\AppTestCase;
    8. 

  8. 

  9. /**
    10. 

  10.  * SEC_REVIEW F58 — `/api/docs` loads the RapiDoc viewer from jsDelivr.
    11. 

  11.  * The `<script>` tag must carry an SRI `integrity` hash and
    12. 

  12.  * `crossorigin="anonymous"` so the browser refuses to execute the JS
    13. 

  13.  * if a CDN compromise or in-flight content modification serves
    14. 

  14.  * different bytes.
    15. 

  15.  *
    16. 

  16.  * Also covers SEC_REVIEW F68 — the docs routes are gated behind
    17. 

  17.  * `API_DOCS_PUBLIC` (default off). Tests that reach the routes
    18. 

  18.  * enable the flag and rebuild the app; the dedicated F68 cases
    19. 

  19.  * leave it off and assert 404.
    20. 

  20.  */
    21. 

  21. final class DocsControllerTest extends AppTestCase
    22. 

  22. {
    23. 

  23.     public function testDocsPageEmbedsRapiDocWithSriIntegrity(): void
    24. 

  24.     {
    25. 

  25.         $this->enableDocs();
    26. 

  26. 

  27.         $resp = $this->request('GET', '/api/docs');
    28. 

  28.         self::assertSame(200, $resp->getStatusCode());
    29. 

  29.         self::assertStringContainsString('text/html', $resp->getHeaderLine('Content-Type'));
    30. 

  30. 

  31.         $html = (string) $resp->getBody();
    32. 

  32.         // Script tag points at the locked RapiDoc version.
    33. 

  33.         self::assertStringContainsString(
    34. 

  34.             'https://cdn.jsdelivr.net/npm/rapidoc@9.3.4/dist/rapidoc-min.js',
    35. 

  35.             $html,
    36. 

  36.         );
    37. 

  37.         // Integrity hash present and well-formed (sha384- + base64).
    38. 

  38.         self::assertMatchesRegularExpression(
    39. 

  39.             '/integrity="sha384-[A-Za-z0-9+\/=]{64}"/',
    40. 

  40.             $html,
    41. 

  41.             'expected sha384 SRI on the rapidoc <script> tag',
    42. 

  42.         );
    43. 

  43.         // crossorigin=anonymous required alongside SRI for cross-origin scripts.
    44. 

  44.         self::assertStringContainsString('crossorigin="anonymous"', $html);
    45. 

  45.     }
    46. 

  46. 

  47.     public function testOpenapiSpecIsServed(): void
    48. 

  48.     {
    49. 

  49.         // Sanity check that we didn't break the spec endpoint while
    50. 

  50.         // editing the controller.
    51. 

  51.         $this->enableDocs();
    52. 

  52.         $resp = $this->request('GET', '/api/v1/openapi.yaml');
    53. 

  53.         // The spec file isn't shipped in tests; either 200 with content
    54. 

  54.         // or 500 with `spec_unavailable`. Both are acceptable here —
    55. 

  55.         // we just want to prove the route still wires through the
    56. 

  56.         // edited controller.
    57. 

  57.         self::assertContains($resp->getStatusCode(), [200, 500]);
    58. 

  58.     }
    59. 

  59. 

  60.     public function testDocsPageIs404ByDefault(): void
    61. 

  61.     {
    62. 

  62.         // SEC_REVIEW F68: `/api/docs` is gated behind
    63. 

  63.         // `API_DOCS_PUBLIC`. AppTestCase builds the container with
    64. 

  64.         // the env var unset, so the default (false) applies and the
    65. 

  65.         // route is never registered → Slim returns 404.
    66. 

  66.         $resp = $this->request('GET', '/api/docs');
    67. 

  67.         self::assertSame(404, $resp->getStatusCode());
    68. 

  68.     }
    69. 

  69. 

  70.     public function testOpenapiSpecIs404ByDefault(): void
    71. 

  71.     {
    72. 

  72.         $resp = $this->request('GET', '/api/v1/openapi.yaml');
    73. 

  73.         self::assertSame(404, $resp->getStatusCode());
    74. 

  74.     }
    75. 

  75. 

  76.     /**
    77. 

  77.      * Re-bind `settings.api_docs_public` to `true` and rebuild the app
    78. 

  78.      * so the docs routes are registered. Same pattern
    79. 

  79.      * `JobsAdminControllerTest::testRefreshGeoip412UnderMaxmindWithoutKey`
    80. 

  80.      * uses to swap a binding mid-test.
    81. 

  81.      */
    82. 

  82.     private function enableDocs(): void
    83. 

  83.     {
    84. 

  84.         if (method_exists($this->container, 'set')) {
    85. 

  85.             /** @var \DI\Container $c */
    86. 

  86.             $c = $this->container;
    87. 

  87.             $c->set('settings.api_docs_public', true);
    88. 

  88.             $this->app = \App\App\AppFactory::build($this->container);
    89. 

  89.         }
    90. 

  90.     }
    91. 

  91. }
    92.