Эхлэл Бүгдийг харах Тусламж
Нэвтрэх
chiappa
/
irdb
-ын хуулбар https://git.snix.ch/chiappa/irdb.git
1
0
Салаа 0
Файлууд Асуудлууд 0
Мод: fc6f107feb
Салаанууд Тагууд
irdb
/
api
/
tests
/
Integration
/
Public
/
BlocklistControllerTest.php

BlocklistControllerTest.php 15 KB
Түүх Анхны өгөгдөл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350 
  1. <?php
    2. 

  2. 

  3. declare(strict_types=1);
    4. 

  4. 

  5. namespace App\Tests\Integration\Public;
    6. 

  6. 

  7. use App\Domain\Auth\Role;
    8. 

  8. use App\Domain\Auth\TokenKind;
    9. 

  9. use App\Domain\Ip\Cidr;
    10. 

  10. use App\Domain\Ip\IpAddress;
    11. 

  11. use App\Tests\Integration\Support\AppTestCase;
    12. 

  12. use Doctrine\DBAL\ParameterType;
    13. 

  13. 

  14. /**
    15. 

  15.  * Covers SPEC §M07.3: distribution endpoint.
    16. 

  16.  *  - kind=consumer required (admin token forbidden)
    17. 

  17.  *  - text/plain default; ?format=json
    18. 

  18.  *  - allowlist excludes; manual blocks emit
    19. 

  19.  *  - ETag round-trip → 304
    20. 

  20.  *  - response headers populated
    21. 

  21.  */
    22. 

  22. final class BlocklistControllerTest extends AppTestCase
    23. 

  23. {
    24. 

  24.     public function testAdminTokenIsRejected(): void
    25. 

  25.     {
    26. 

  26.         $token = $this->createToken(TokenKind::Admin, role: Role::Admin);
    27. 

  27.         $response = $this->request('GET', '/api/v1/blocklist', [
    28. 

  28.             'Authorization' => 'Bearer ' . $token,
    29. 

  29.         ]);
    30. 

  30.         self::assertSame(401, $response->getStatusCode());
    31. 

  31.     }
    32. 

  32. 

  33.     public function testConsumerTokenReturnsEmptyTextByDefault(): void
    34. 

  34.     {
    35. 

  35.         $token = $this->setupConsumerToken('moderate');
    36. 

  36. 

  37.         $response = $this->request('GET', '/api/v1/blocklist', [
    38. 

  38.             'Authorization' => 'Bearer ' . $token,
    39. 

  39.         ]);
    40. 

  40.         self::assertSame(200, $response->getStatusCode());
    41. 

  41.         self::assertSame('text/plain', $response->getHeaderLine('Content-Type'));
    42. 

  42.         self::assertSame('', (string) $response->getBody());
    43. 

  43.         self::assertSame('0', $response->getHeaderLine('X-Blocklist-Entries'));
    44. 

  44.         self::assertSame('moderate', $response->getHeaderLine('X-Blocklist-Policy'));
    45. 

  45.         self::assertNotSame('', $response->getHeaderLine('ETag'));
    46. 

  46.         self::assertNotSame('', $response->getHeaderLine('X-Blocklist-Generated-At'));
    47. 

  47.     }
    48. 

  48. 

  49.     public function testManualBlockAppearsInTextBlocklist(): void
    50. 

  50.     {
    51. 

  51.         $token = $this->setupConsumerToken('moderate');
    52. 

  52.         $this->insertManualSubnet('198.51.100.0/24');
    53. 

  53. 

  54.         $response = $this->request('GET', '/api/v1/blocklist', [
    55. 

  55.             'Authorization' => 'Bearer ' . $token,
    56. 

  56.         ]);
    57. 

  57.         self::assertSame(200, $response->getStatusCode());
    58. 

  58.         self::assertStringContainsString('198.51.100.0/24', (string) $response->getBody());
    59. 

  59.         self::assertSame('1', $response->getHeaderLine('X-Blocklist-Entries'));
    60. 

  60.     }
    61. 

  61. 

  62.     public function testJsonFormatReturnsStructuredEntries(): void
    63. 

  63.     {
    64. 

  64.         $token = $this->setupConsumerToken('moderate');
    65. 

  65.         $this->insertManualIp('203.0.113.7');
    66. 

  66. 

  67.         $response = $this->request('GET', '/api/v1/blocklist?format=json', [
    68. 

  68.             'Authorization' => 'Bearer ' . $token,
    69. 

  69.         ]);
    70. 

  70.         self::assertSame(200, $response->getStatusCode());
    71. 

  71.         self::assertSame('application/json', $response->getHeaderLine('Content-Type'));
    72. 

  72.         $body = json_decode((string) $response->getBody(), true);
    73. 

  73.         self::assertIsArray($body);
    74. 

  74.         self::assertCount(1, $body);
    75. 

  75.         self::assertSame('203.0.113.7', $body[0]['ip_or_cidr']);
    76. 

  76.         self::assertSame('manual', $body[0]['reason']);
    77. 

  77.         self::assertNull($body[0]['score']);
    78. 

  78.     }
    79. 

  79. 

  80.     public function testEtagRoundTripReturns304(): void
    81. 

  81.     {
    82. 

  82.         $token = $this->setupConsumerToken('moderate');
    83. 

  83.         $this->insertManualSubnet('198.51.100.0/24');
    84. 

  84. 

  85.         $first = $this->request('GET', '/api/v1/blocklist', [
    86. 

  86.             'Authorization' => 'Bearer ' . $token,
    87. 

  87.         ]);
    88. 

  88.         $etag = $first->getHeaderLine('ETag');
    89. 

  89.         self::assertNotSame('', $etag);
    90. 

  90. 

  91.         $second = $this->request('GET', '/api/v1/blocklist', [
    92. 

  92.             'Authorization' => 'Bearer ' . $token,
    93. 

  93.             'If-None-Match' => $etag,
    94. 

  94.         ]);
    95. 

  95.         self::assertSame(304, $second->getStatusCode());
    96. 

  96.         self::assertSame('', (string) $second->getBody());
    97. 

  97.     }
    98. 

  98. 

  99.     public function testEtagDiffersBetweenTextAndJson(): void
    100. 

  100.     {
    101. 

  101.         $token = $this->setupConsumerToken('moderate');
    102. 

  102.         $this->insertManualSubnet('198.51.100.0/24');
    103. 

  103. 

  104.         $text = $this->request('GET', '/api/v1/blocklist', [
    105. 

  105.             'Authorization' => 'Bearer ' . $token,
    106. 

  106.         ]);
    107. 

  107.         $json = $this->request('GET', '/api/v1/blocklist?format=json', [
    108. 

  108.             'Authorization' => 'Bearer ' . $token,
    109. 

  109.         ]);
    110. 

  110.         self::assertNotSame($text->getHeaderLine('ETag'), $json->getHeaderLine('ETag'));
    111. 

  111.     }
    112. 

  112. 

  113.     public function testAllowlistedManualSubnetIsExcluded(): void
    114. 

  114.     {
    115. 

  115.         $token = $this->setupConsumerToken('moderate');
    116. 

  116.         $this->insertManualSubnet('198.51.100.0/24');
    117. 

  117.         // Allowlist a subnet that fully contains the manual block.
    118. 

  118.         $this->insertAllowSubnet('198.51.100.0/16');
    119. 

  119. 

  120.         $response = $this->request('GET', '/api/v1/blocklist', [
    121. 

  121.             'Authorization' => 'Bearer ' . $token,
    122. 

  122.         ]);
    123. 

  123.         self::assertSame(200, $response->getStatusCode());
    124. 

  124.         self::assertStringNotContainsString('198.51.100.0/24', (string) $response->getBody());
    125. 

  125.     }
    126. 

  126. 

  127.     /**
    128. 

  128.      * Three policies with distinct thresholds yield distinct entry counts
    129. 

  129.      * over the same scored data — SPEC §M07 acceptance.
    130. 

  130.      */
    131. 

  131.     public function testThreePoliciesProduceDifferentBlocklists(): void
    132. 

  132.     {
    133. 

  133.         $strict = $this->setupConsumerToken('strict', 'consumer-strict');
    134. 

  134.         $moderate = $this->setupConsumerToken('moderate', 'consumer-moderate');
    135. 

  135.         $paranoid = $this->setupConsumerToken('paranoid', 'consumer-paranoid');
    136. 

  136. 

  137.         $bruteForceId = (int) $this->db->fetchOne('SELECT id FROM categories WHERE slug = :s', ['s' => 'brute_force']);
    138. 

  138.         // Score chosen to fall between paranoid (0.3) and moderate (1.0).
    139. 

  139.         $this->insertScore('203.0.113.10', $bruteForceId, 0.5);
    140. 

  140.         // Score that paranoid + moderate catch but strict (2.5) misses.
    141. 

  141.         $this->insertScore('203.0.113.20', $bruteForceId, 1.5);
    142. 

  142.         // Score that all three policies catch.
    143. 

  143.         $this->insertScore('203.0.113.30', $bruteForceId, 3.0);
    144. 

  144. 

  145.         $strictResp = $this->request('GET', '/api/v1/blocklist', [
    146. 

  146.             'Authorization' => 'Bearer ' . $strict,
    147. 

  147.         ]);
    148. 

  148.         $moderateResp = $this->request('GET', '/api/v1/blocklist', [
    149. 

  149.             'Authorization' => 'Bearer ' . $moderate,
    150. 

  150.         ]);
    151. 

  151.         $paranoidResp = $this->request('GET', '/api/v1/blocklist', [
    152. 

  152.             'Authorization' => 'Bearer ' . $paranoid,
    153. 

  153.         ]);
    154. 

  154. 

  155.         self::assertSame('1', $strictResp->getHeaderLine('X-Blocklist-Entries'));
    156. 

  156.         self::assertSame('2', $moderateResp->getHeaderLine('X-Blocklist-Entries'));
    157. 

  157.         self::assertSame('3', $paranoidResp->getHeaderLine('X-Blocklist-Entries'));
    158. 

  158.     }
    159. 

  159. 

  160.     private function setupConsumerToken(string $policyName, string $consumerName = 'fw-test'): string
    161. 

  161.     {
    162. 

  162.         $policyId = (int) $this->db->fetchOne('SELECT id FROM policies WHERE name = :n', ['n' => $policyName]);
    163. 

  163.         $this->db->insert('consumers', [
    164. 

  164.             'name' => $consumerName,
    165. 

  165.             'policy_id' => $policyId,
    166. 

  166.             'is_active' => 1,
    167. 

  167.         ]);
    168. 

  168.         $consumerId = (int) $this->db->lastInsertId();
    169. 

  169. 

  170.         return $this->createToken(TokenKind::Consumer, consumerId: $consumerId);
    171. 

  171.     }
    172. 

  172. 

  173.     private function insertManualIp(string $ip): void
    174. 

  174.     {
    175. 

  175.         $bin = IpAddress::fromString($ip)->binary();
    176. 

  176.         $stmt = $this->db->prepare(
    177. 

  177.             'INSERT INTO manual_blocks (kind, ip_bin, reason) VALUES (:kind, :ip_bin, :reason)'
    178. 

  178.         );
    179. 

  179.         $stmt->bindValue('kind', 'ip');
    180. 

  180.         $stmt->bindValue('ip_bin', $bin, ParameterType::LARGE_OBJECT);
    181. 

  181.         $stmt->bindValue('reason', 'test');
    182. 

  182.         $stmt->executeStatement();
    183. 

  183.     }
    184. 

  184. 

  185.     private function insertManualSubnet(string $cidr): void
    186. 

  186.     {
    187. 

  187.         $c = Cidr::fromString($cidr);
    188. 

  188.         $stmt = $this->db->prepare(
    189. 

  189.             'INSERT INTO manual_blocks (kind, network_bin, prefix_length, reason) VALUES (:kind, :net, :pl, :reason)'
    190. 

  190.         );
    191. 

  191.         $stmt->bindValue('kind', 'subnet');
    192. 

  192.         $stmt->bindValue('net', $c->network(), ParameterType::LARGE_OBJECT);
    193. 

  193.         $stmt->bindValue('pl', $c->prefixLength(), ParameterType::INTEGER);
    194. 

  194.         $stmt->bindValue('reason', 'test');
    195. 

  195.         $stmt->executeStatement();
    196. 

  196.     }
    197. 

  197. 

  198.     private function insertAllowSubnet(string $cidr): void
    199. 

  199.     {
    200. 

  200.         $c = Cidr::fromString($cidr);
    201. 

  201.         $stmt = $this->db->prepare(
    202. 

  202.             'INSERT INTO allowlist (kind, network_bin, prefix_length, reason) VALUES (:kind, :net, :pl, :reason)'
    203. 

  203.         );
    204. 

  204.         $stmt->bindValue('kind', 'subnet');
    205. 

  205.         $stmt->bindValue('net', $c->network(), ParameterType::LARGE_OBJECT);
    206. 

  206.         $stmt->bindValue('pl', $c->prefixLength(), ParameterType::INTEGER);
    207. 

  207.         $stmt->bindValue('reason', 'test');
    208. 

  208.         $stmt->executeStatement();
    209. 

  209.     }
    210. 

  210. 

  211.     private function insertScore(string $ip, int $categoryId, float $score): void
    212. 

  212.     {
    213. 

  213.         $ipObj = IpAddress::fromString($ip);
    214. 

  214.         $stmt = $this->db->prepare(
    215. 

  215.             'INSERT INTO ip_scores (ip_bin, ip_text, category_id, score, report_count_30d, last_report_at, recomputed_at) '
    216. 

  216.             . 'VALUES (:b, :t, :c, :s, 1, :now, :now)'
    217. 

  217.         );
    218. 

  218.         $stmt->bindValue('b', $ipObj->binary(), ParameterType::LARGE_OBJECT);
    219. 

  219.         $stmt->bindValue('t', $ipObj->text());
    220. 

  220.         $stmt->bindValue('c', $categoryId, ParameterType::INTEGER);
    221. 

  221.         $stmt->bindValue('s', number_format($score, 4, '.', ''));
    222. 

  222.         $stmt->bindValue('now', (new \DateTimeImmutable('now'))->format('Y-m-d H:i:s'));
    223. 

  223.         $stmt->executeStatement();
    224. 

  224.     }
    225. 

  225. 

  226.     public function testBlocklistRenderIsCachedAcrossRequests(): void
    227. 

  227.     {
    228. 

  228.         // SEC_REVIEW F70: the rendered body and its sha256 ETag are
    229. 

  229.         // cached per (policy_id, format) per cache window. Two
    230. 

  230.         // sequential requests within the same window should produce
    231. 

  231.         // byte-identical bodies and ETags. (Cache hit → no rebuild,
    232. 

  232.         // no rehash; the test asserts the steady-state contract.)
    233. 

  233.         $token = $this->setupConsumerToken('moderate');
    234. 

  234. 

  235.         $r1 = $this->request('GET', '/api/v1/blocklist?format=json', [
    236. 

  236.             'Authorization' => 'Bearer ' . $token,
    237. 

  237.         ]);
    238. 

  238.         $r2 = $this->request('GET', '/api/v1/blocklist?format=json', [
    239. 

  239.             'Authorization' => 'Bearer ' . $token,
    240. 

  240.         ]);
    241. 

  241. 

  242.         self::assertSame(200, $r1->getStatusCode());
    243. 

  243.         self::assertSame(200, $r2->getStatusCode());
    244. 

  244.         self::assertSame((string) $r1->getBody(), (string) $r2->getBody());
    245. 

  245.         self::assertSame($r1->getHeaderLine('ETag'), $r2->getHeaderLine('ETag'));
    246. 

  246.     }
    247. 

  247. 

  248.     public function testCacheIsLruBoundedAtSixteenEntries(): void
    249. 

  249.     {
    250. 

  250.         // SEC_REVIEW F71: BlocklistCache is per-process and grew
    251. 

  251.         // monotonically with no LRU. With unbounded admin policy
    252. 

  252.         // creation, memory usage was effectively unbounded over the
    253. 

  253.         // worker's lifetime. Cache now caps at MAX_ENTRIES (16) and
    254. 

  254.         // evicts the least-recently-used entry when full.
    255. 

  255.         //
    256. 

  256.         // The default test fixture sets `blocklist_cache_ttl_seconds=0`
    257. 

  257.         // (no caching) for deterministic per-test builds. Rebuild
    258. 

  258.         // the cache with a real TTL so we exercise the LRU path.
    259. 

  259.         if (method_exists($this->container, 'set')) {
    260. 

  260.             /** @var \DI\Container $c */
    261. 

  261.             $c = $this->container;
    262. 

  262.             $c->set(
    263. 

  263.                 \App\Infrastructure\Reputation\BlocklistCache::class,
    264. 

  264.                 new \App\Infrastructure\Reputation\BlocklistCache(
    265. 

  265.                     builder: $c->get(\App\Domain\Reputation\BlocklistBuilder::class),
    266. 

  266.                     clock: $c->get(\App\Domain\Time\Clock::class),
    267. 

  267.                     ttlSeconds: 30,
    268. 

  268.                 ),
    269. 

  269.             );
    270. 

  270.             // BlocklistController is autowired and singleton-scoped, so
    271. 

  271.             // it captured the OLD cache reference at first resolution.
    272. 

  272.             // Rebuild it so it picks up the new cache binding.
    273. 

  273.             $c->set(
    274. 

  274.                 \App\Application\Public\BlocklistController::class,
    275. 

  275.                 $c->make(\App\Application\Public\BlocklistController::class),
    276. 

  276.             );
    277. 

  277.             $this->app = \App\App\AppFactory::build($this->container);
    278. 

  278.         }
    279. 

  279.         /** @var \App\Infrastructure\Reputation\BlocklistCache $cache */
    280. 

  280.         $cache = $this->container->get(\App\Infrastructure\Reputation\BlocklistCache::class);
    281. 

  281. 

  282.         // Create 18 policies and a consumer-token per policy. Hit
    283. 

  283.         // /blocklist for each so each policy ends up in the cache.
    284. 

  284.         // The LRU should evict the first 2 by the time we reach the
    285. 

  285.         // last (cache cap is 16).
    286. 

  286.         $policyIds = [];
    287. 

  287.         for ($i = 1; $i <= 18; $i++) {
    288. 

  288.             $this->db->insert('policies', [
    289. 

  289.                 'name' => 'lru-policy-' . $i,
    290. 

  290.                 'description' => null,
    291. 

  291.                 'include_manual_blocks' => 1,
    292. 

  292.             ]);
    293. 

  293.             $policyId = (int) $this->db->lastInsertId();
    294. 

  294.             $policyIds[] = $policyId;
    295. 

  295.             $this->db->insert('consumers', [
    296. 

  296.                 'name' => 'lru-consumer-' . $i,
    297. 

  297.                 'policy_id' => $policyId,
    298. 

  298.                 'is_active' => 1,
    299. 

  299.             ]);
    300. 

  300.             $consumerId = (int) $this->db->lastInsertId();
    301. 

  301.             $token = $this->createToken(TokenKind::Consumer, consumerId: $consumerId);
    302. 

  302. 

  303.             $resp = $this->request('GET', '/api/v1/blocklist', [
    304. 

  304.                 'Authorization' => 'Bearer ' . $token,
    305. 

  305.             ]);
    306. 

  306.             self::assertSame(200, $resp->getStatusCode(), "consumer {$i} should succeed");
    307. 

  307.         }
    308. 

  308. 

  309.         // Cache must never exceed the MAX_ENTRIES bound.
    310. 

  310.         self::assertLessThanOrEqual(
    311. 

  311.             \App\Infrastructure\Reputation\BlocklistCache::MAX_ENTRIES,
    312. 

  312.             $cache->entryCount(),
    313. 

  313.             'cache must not grow past MAX_ENTRIES policies',
    314. 

  314.         );
    315. 

  315.         // The two oldest policies (first two created) must have been
    316. 

  316.         // evicted; the most recently used must still be present.
    317. 

  317.         $remaining = $cache->cachedPolicyIds();
    318. 

  318.         self::assertNotContains($policyIds[0], $remaining, 'oldest policy must have been evicted');
    319. 

  319.         self::assertNotContains($policyIds[1], $remaining, 'second-oldest policy must have been evicted');
    320. 

  320.         self::assertContains(end($policyIds), $remaining, 'most recent policy must still be cached');
    321. 

  321.     }
    322. 

  322. 

  323.     public function testTextAndJsonRendersBothCachedIndependently(): void
    324. 

  324.     {
    325. 

  325.         // SEC_REVIEW F70: switching format must not invalidate the
    326. 

  326.         // other format's cached render. Each format has its own
    327. 

  327.         // entry in the cache.
    328. 

  328.         $token = $this->setupConsumerToken('moderate');
    329. 

  329. 

  330.         $textA = $this->request('GET', '/api/v1/blocklist', [
    331. 

  331.             'Authorization' => 'Bearer ' . $token,
    332. 

  332.         ]);
    333. 

  333.         $jsonA = $this->request('GET', '/api/v1/blocklist?format=json', [
    334. 

  334.             'Authorization' => 'Bearer ' . $token,
    335. 

  335.         ]);
    336. 

  336.         $textB = $this->request('GET', '/api/v1/blocklist', [
    337. 

  337.             'Authorization' => 'Bearer ' . $token,
    338. 

  338.         ]);
    339. 

  339.         $jsonB = $this->request('GET', '/api/v1/blocklist?format=json', [
    340. 

  340.             'Authorization' => 'Bearer ' . $token,
    341. 

  341.         ]);
    342. 

  342. 

  343.         self::assertSame((string) $textA->getBody(), (string) $textB->getBody());
    344. 

  344.         self::assertSame($textA->getHeaderLine('ETag'), $textB->getHeaderLine('ETag'));
    345. 

  345.         self::assertSame((string) $jsonA->getBody(), (string) $jsonB->getBody());
    346. 

  346.         self::assertSame($jsonA->getHeaderLine('ETag'), $jsonB->getHeaderLine('ETag'));
    347. 

  347.         // Text and JSON ETags must DIFFER (different bodies).
    348. 

  348.         self::assertNotSame($textA->getHeaderLine('ETag'), $jsonA->getHeaderLine('ETag'));
    349. 

  349.     }
    350. 

  350. }
    351.