298 lines
11 KiB
PHP
298 lines
11 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Tests\Unit\Admin;
|
|
|
|
use PDOException;
|
|
use PHPUnit\Framework\TestCase;
|
|
use App\Auth\Csrf;
|
|
use App\Auth\PasswordHasher;
|
|
use App\Auth\SessionManager;
|
|
use App\Controllers\RoleController;
|
|
use App\Core\Config;
|
|
use App\Core\Database;
|
|
use App\Core\DatabaseInterface;
|
|
use App\Core\Request;
|
|
use App\Tests\Support\FakeDatabase;
|
|
|
|
final class TestRoleController extends RoleController
|
|
{
|
|
public function __construct(
|
|
Request $request,
|
|
Config $config,
|
|
Database $database,
|
|
private readonly SessionManager $testSession,
|
|
private readonly FakeDatabase $fakeDb,
|
|
) {
|
|
parent::__construct($request, $config, $database);
|
|
}
|
|
|
|
protected function sessionManager(): SessionManager
|
|
{
|
|
return $this->testSession;
|
|
}
|
|
|
|
protected function db(): DatabaseInterface
|
|
{
|
|
return $this->fakeDb;
|
|
}
|
|
}
|
|
|
|
final class RoleControllerTest extends TestCase
|
|
{
|
|
/** @var list<string> */
|
|
private array $touchedKeys = [];
|
|
private SessionManager $session;
|
|
private string $csrf = '';
|
|
|
|
protected function setUp(): void
|
|
{
|
|
$this->setEnv('SESSION_LIFETIME_IDLE', '14400');
|
|
$this->setEnv('SESSION_LIFETIME_ABSOLUTE', '36000');
|
|
$this->setEnv('STAFF_PIN_MIN_LENGTH', '4');
|
|
$this->setEnv('STAFF_PIN_MAX_LENGTH', '12');
|
|
$this->setEnv('ARGON2_MEMORY_COST', '1024');
|
|
$this->setEnv('ARGON2_TIME_COST', '1');
|
|
$this->setEnv('ARGON2_THREADS', '1');
|
|
|
|
$this->session = new SessionManager(new Config(), true);
|
|
$now = time();
|
|
$this->session->set('user_id', 1);
|
|
$this->session->set('role_id', 1);
|
|
$this->session->set('logged_in_at', $now - 100);
|
|
$this->session->set('last_activity', $now - 50);
|
|
$this->csrf = Csrf::token($this->session);
|
|
}
|
|
|
|
protected function tearDown(): void
|
|
{
|
|
foreach ($this->touchedKeys as $key) {
|
|
putenv($key);
|
|
}
|
|
$this->touchedKeys = [];
|
|
}
|
|
|
|
private function setEnv(string $key, string $value): void
|
|
{
|
|
$this->touchedKeys[] = $key;
|
|
putenv($key . '=' . $value);
|
|
}
|
|
|
|
private function permittedDb(): FakeDatabase
|
|
{
|
|
$db = new FakeDatabase();
|
|
$db->guardUserRow = ['is_active' => 1];
|
|
$db->userDisplayRow = ['first_name' => 'Cor', 'last_name' => 'J', 'role_label' => 'Administrateur'];
|
|
$db->canResult = true;
|
|
$db->permissionCodes = ['role.manage'];
|
|
// Catalogue minimal : id 1 = role.manage (le vecteur de lockout).
|
|
$db->permissionsRows = [
|
|
['id' => 1, 'code' => 'role.manage', 'label' => 'Manage RBAC'],
|
|
['id' => 2, 'code' => 'stats.read', 'label' => 'Stats'],
|
|
['id' => 3, 'code' => 'user.read', 'label' => 'Users'],
|
|
];
|
|
|
|
return $db;
|
|
}
|
|
|
|
private function actingPin(FakeDatabase $db): void
|
|
{
|
|
$db->actingUserRow = ['id' => 9, 'role_id' => 4, 'pin_hash' => (new PasswordHasher(new Config()))->hash('4729')];
|
|
}
|
|
|
|
/**
|
|
* @param array<string, string> $overrides
|
|
* @return array<string, string>
|
|
*/
|
|
private function createForm(array $overrides = []): array
|
|
{
|
|
return array_merge([
|
|
'_csrf' => $this->csrf,
|
|
'code' => 'kitchen_kds',
|
|
'label' => 'Kitchen KDS',
|
|
'default_route' => '/kitchen/display',
|
|
'order_source' => '',
|
|
'perm_1' => '1', // role.manage coche
|
|
'source_counter' => '1',
|
|
'pin_email' => 'sam@wakdo.local',
|
|
'pin' => '4729',
|
|
], $overrides);
|
|
}
|
|
|
|
private function get(string $path): Request
|
|
{
|
|
return new Request('GET', $path, [], [], '', '203.0.113.5');
|
|
}
|
|
|
|
/**
|
|
* @param array<string, string> $form
|
|
*/
|
|
private function post(array $form, string $path): Request
|
|
{
|
|
return new Request('POST', $path, [], ['content-type' => 'application/x-www-form-urlencoded'], http_build_query($form), '203.0.113.5');
|
|
}
|
|
|
|
private function controller(Request $request, FakeDatabase $db): TestRoleController
|
|
{
|
|
return new TestRoleController($request, new Config(), new Database(new Config()), $this->session, $db);
|
|
}
|
|
|
|
/**
|
|
* @return array{sql: string, params: array<string|int, mixed>}|null
|
|
*/
|
|
private function findWrite(FakeDatabase $db, string $needle): ?array
|
|
{
|
|
foreach ($db->writes as $write) {
|
|
if (str_contains($write['sql'], $needle)) {
|
|
return $write;
|
|
}
|
|
}
|
|
|
|
return null;
|
|
}
|
|
|
|
public function testIndexRequiresRoleManage(): void
|
|
{
|
|
$db = $this->permittedDb();
|
|
$db->canResult = false;
|
|
|
|
self::assertSame(403, $this->controller($this->get('/admin/roles'), $db)->index()->status());
|
|
}
|
|
|
|
public function testIndexListsRoles(): void
|
|
{
|
|
$db = $this->permittedDb();
|
|
$db->rolesAllRows = [['id' => 2, 'code' => 'manager', 'label' => 'Manager', 'default_route' => '/admin/stats', 'order_source' => null, 'is_active' => 1]];
|
|
|
|
$response = $this->controller($this->get('/admin/roles'), $db)->index();
|
|
self::assertSame(200, $response->status());
|
|
self::assertStringContainsString('manager', $response->body());
|
|
}
|
|
|
|
public function testStoreCreatesCustomRoleWithPinAndAudit(): void
|
|
{
|
|
$db = $this->permittedDb();
|
|
$this->actingPin($db);
|
|
$db->lastInsertId = 10;
|
|
|
|
$response = $this->controller($this->post($this->createForm(), '/admin/roles'), $db)->store();
|
|
|
|
self::assertSame(302, $response->status());
|
|
self::assertSame(['begin', 'commit'], $db->transactionEvents);
|
|
self::assertTrue($db->wrote('INSERT INTO role '));
|
|
self::assertTrue($db->wrote('INSERT INTO role_permission'));
|
|
$audit = $this->findWrite($db, 'INSERT INTO audit_log');
|
|
self::assertNotNull($audit);
|
|
self::assertSame('role.manage', $audit['params']['code'] ?? null);
|
|
self::assertSame(9, $audit['params']['uid'] ?? null); // acteur = PIN
|
|
}
|
|
|
|
public function testStoreRejectsDuplicateCodeWith409(): void
|
|
{
|
|
$db = $this->permittedDb();
|
|
$this->actingPin($db);
|
|
$db->roleCodeTaken = true;
|
|
|
|
$response = $this->controller($this->post($this->createForm(), '/admin/roles'), $db)->store();
|
|
|
|
self::assertSame(409, $response->status());
|
|
self::assertFalse($db->wrote('INSERT INTO role '));
|
|
}
|
|
|
|
public function testStoreRejectsInvalidCode(): void
|
|
{
|
|
$db = $this->permittedDb();
|
|
$response = $this->controller($this->post($this->createForm(['code' => 'Bad Code!']), '/admin/roles'), $db)->store();
|
|
|
|
self::assertSame(422, $response->status());
|
|
self::assertFalse($db->wrote('INSERT INTO role '));
|
|
}
|
|
|
|
public function testStoreRejectsInvalidCsrf(): void
|
|
{
|
|
$db = $this->permittedDb();
|
|
$response = $this->controller($this->post($this->createForm(['_csrf' => 'bad']), '/admin/roles'), $db)->store();
|
|
|
|
self::assertSame(403, $response->status());
|
|
}
|
|
|
|
public function testStoreWithoutValidPinLogsFailed(): void
|
|
{
|
|
$db = $this->permittedDb();
|
|
$db->actingUserRow = null;
|
|
|
|
$response = $this->controller($this->post($this->createForm(['pin' => '0000']), '/admin/roles'), $db)->store();
|
|
|
|
self::assertSame(422, $response->status());
|
|
self::assertFalse($db->wrote('INSERT INTO role '));
|
|
self::assertSame(['pin.failed'], $db->auditActions());
|
|
}
|
|
|
|
public function testUpdateNotFound(): void
|
|
{
|
|
$db = $this->permittedDb();
|
|
$db->roleManageRow = null;
|
|
|
|
self::assertSame(404, $this->controller($this->post($this->createForm(), '/admin/roles/9'), $db)->update(['id' => '9'])->status());
|
|
}
|
|
|
|
public function testUpdateAppliesWithPinAndAuditDiff(): void
|
|
{
|
|
$db = $this->permittedDb();
|
|
$db->roleManageRow = ['id' => 5, 'code' => 'counter', 'label' => 'Counter', 'description' => null, 'default_route' => '/counter/orders', 'order_source' => 'counter', 'is_active' => 1];
|
|
$db->permissionCodes = ['stats.read']; // permissions actuelles (diff RG-6 reutilise ce bouton)
|
|
$this->actingPin($db);
|
|
|
|
// perm_1 (role.manage) coche, is_active coche.
|
|
$form = ['_csrf' => $this->csrf, 'label' => 'Counter', 'default_route' => '/counter/orders', 'order_source' => 'counter', 'perm_1' => '1', 'is_active' => '1', 'pin_email' => 'sam@wakdo.local', 'pin' => '4729'];
|
|
$response = $this->controller($this->post($form, '/admin/roles/5'), $db)->update(['id' => '5']);
|
|
|
|
self::assertSame(302, $response->status());
|
|
self::assertTrue($db->wrote('UPDATE role SET'));
|
|
self::assertTrue($db->wrote('INSERT INTO role_permission'));
|
|
self::assertSame('role.manage', ($this->findWrite($db, 'INSERT INTO audit_log')['params']['code'] ?? null));
|
|
}
|
|
|
|
public function testUpdateBlocksRemovingRoleManageFromAdmin(): void
|
|
{
|
|
$db = $this->permittedDb();
|
|
$db->roleManageRow = ['id' => 1, 'code' => 'admin', 'label' => 'Administrator', 'description' => null, 'default_route' => '/admin/dashboard', 'order_source' => null, 'is_active' => 1];
|
|
|
|
// role.manage (perm_1) NON coche -> retirerait role.manage a l'admin.
|
|
$form = ['_csrf' => $this->csrf, 'label' => 'Administrator', 'perm_2' => '1', 'is_active' => '1', 'pin_email' => 'sam@wakdo.local', 'pin' => '4729'];
|
|
$response = $this->controller($this->post($form, '/admin/roles/1'), $db)->update(['id' => '1']);
|
|
|
|
self::assertSame(422, $response->status());
|
|
self::assertStringContainsString('administrateur', $response->body());
|
|
self::assertFalse($db->wrote('UPDATE role SET'));
|
|
}
|
|
|
|
public function testUpdateBlocksDeactivatingAdminRole(): void
|
|
{
|
|
$db = $this->permittedDb();
|
|
$db->roleManageRow = ['id' => 1, 'code' => 'admin', 'label' => 'Administrator', 'description' => null, 'default_route' => '/admin/dashboard', 'order_source' => null, 'is_active' => 1];
|
|
|
|
// role.manage conserve mais is_active absent -> desactivation de l'admin -> bloque.
|
|
$form = ['_csrf' => $this->csrf, 'label' => 'Administrator', 'perm_1' => '1', 'pin_email' => 'sam@wakdo.local', 'pin' => '4729'];
|
|
$response = $this->controller($this->post($form, '/admin/roles/1'), $db)->update(['id' => '1']);
|
|
|
|
self::assertSame(422, $response->status());
|
|
self::assertFalse($db->wrote('UPDATE role SET'));
|
|
}
|
|
|
|
public function testUpdateLockedActorReturns422WithoutEffect(): void
|
|
{
|
|
$db = $this->permittedDb();
|
|
$db->roleManageRow = ['id' => 5, 'code' => 'counter', 'label' => 'Counter', 'description' => null, 'default_route' => null, 'order_source' => 'counter', 'is_active' => 1];
|
|
$this->actingPin($db);
|
|
$db->pinThrottleLockoutUntil = date('Y-m-d H:i:s', time() + 300);
|
|
|
|
$form = ['_csrf' => $this->csrf, 'label' => 'Counter', 'perm_1' => '1', 'is_active' => '1', 'pin_email' => 'sam@wakdo.local', 'pin' => '4729'];
|
|
$response = $this->controller($this->post($form, '/admin/roles/5'), $db)->update(['id' => '5']);
|
|
|
|
self::assertSame(422, $response->status());
|
|
self::assertSame([], $db->auditActions()); // pas de pin.failed sous verrou
|
|
self::assertFalse($db->wrote('UPDATE role SET'));
|
|
}
|
|
}
|