API: Add test case for ApiCSPReportTest
[lhc/web/wiklou.git] / tests / phpunit / includes / api / ApiCSPReportTest.php
1 <?php
2
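/**
 * Integration tests for the log output of ApiCSPReport::execute().
 *
 * Each test pushes a CSP violation report through a mocked POST request and
 * asserts on the warnings captured from the 'csp-report-only' log channel.
 * The report body is chosen by the test; on a live site it comes from the
 * client, so what ends up in the log line is worth pinning down.
 *
 * @group API
 * @group medium
 * @covers ApiCSPReport
 */
class ApiCSPReportTest extends MediaWikiIntegrationTestCase {

	public function setUp() {
		parent::setUp();
		// Start every test from an empty false-positive list so the outcome does
		// not depend on the configured defaults. setMwGlobals() is keyed by
		// global variable name, so the 'wg' prefix is required (as in
		// testFalsePositiveOriginMatch); without it the reset would write to an
		// unrelated global and leave the real setting untouched.
		$this->setMwGlobals( [
			'wgCSPFalsePositiveUrls' => [],
		] );
	}

	/**
	 * A report-only violation from the 'internal' source is logged as exactly
	 * one warning.
	 *
	 * The expected message shows the blocked URI reduced to its origin (path
	 * and query string dropped), while the document URI keeps its path and is
	 * followed by the reported line number.
	 */
	public function testInternalReportonly() {
		$params = [
			'reportonly' => '1',
			'source' => 'internal',
		];
		$cspReport = [
			'document-uri' => 'https://doc.test/path',
			'referrer' => 'https://referrer.test/path',
			// NOTE(review): 'connet-src' looks like a typo for 'connect-src'. It
			// is left as-is because the assertions below do not depend on it.
			'violated-directive' => 'connet-src',
			'disposition' => 'report',
			'blocked-uri' => 'https://blocked.test/path?query',
			'line-number' => 4,
			'column-number' => 2,
			'source-file' => 'https://source.test/path?query',
		];

		$log = $this->doExecute( $params, $cspReport );

		$this->assertEquals(
			[
				[
					'[report-only] Received CSP report: ' .
						'<https://blocked.test> blocked from being loaded on <https://doc.test/path>:4',
					[
						'method' => 'ApiCSPReport::execute',
						// FIXME (original author): the expected user_id is the
						// boolean true rather than a user id. Presumably this
						// mirrors what the API currently logs; confirm against
						// ApiCSPReport before relying on it.
						'user_id' => true,
						'user-agent' => 'Test/0.0',
						'source' => 'internal'
					]
				],
			],
			$log,
			'logged messages'
		);
	}

	/**
	 * A report whose blocked URI falls under a configured false-positive URL
	 * must not produce a warning.
	 *
	 * doExecute() records only warning() calls, so the empty result proves that
	 * no warning was emitted; it does not show whether the report was logged at
	 * another level.
	 */
	public function testFalsePositiveOriginMatch() {
		$params = [
			'reportonly' => '1',
			'source' => 'internal',
		];
		$cspReport = [
			'document-uri' => 'https://doc.test/path',
			'referrer' => 'https://referrer.test/path',
			// NOTE(review): same 'connet-src' spelling as in
			// testInternalReportonly; not relevant to this assertion.
			'violated-directive' => 'connet-src',
			'disposition' => 'report',
			'blocked-uri' => 'https://blocked.test/path/file?query',
			'line-number' => 4,
			'column-number' => 2,
			'source-file' => 'https://source.test/path/file?query',
		];

		// The configured entry is a leading part of 'blocked-uri' above; the
		// 'source-file' value is on a different host and does not match it.
		$this->setMwGlobals( [
			'wgCSPFalsePositiveUrls' => [
				'https://blocked.test/path/' => true,
			],
		] );
		$log = $this->doExecute( $params, $cspReport );

		$this->assertSame(
			[],
			$log,
			'logged messages'
		);
	}

	/**
	 * Run ApiCSPReport::execute() against a faked POST and collect its warnings.
	 *
	 * @param array $params Request parameters, read back through getParameter()
	 * @param array $cspReport Report fields, sent as the 'csp-report' member of
	 *  the JSON request body
	 * @return array[] One [ message, context ] pair per warning() call on the
	 *  'csp-report-only' channel, with 'csp-report' removed from the context
	 */
	private function doExecute( array $params, array $cspReport ) {
		$log = [];
		$logger = $this->createMock( Psr\Log\AbstractLogger::class );
		// Only warning() is recorded; calls at other levels hit the mock's
		// default stubs and are dropped.
		$logger->method( 'warning' )->willReturnCallback(
			function ( $msg, $ctx ) use ( &$log ) {
				// Drop the echoed report so assertions compare only the
				// remaining context fields.
				unset( $ctx['csp-report'] );
				$log[] = [ $msg, $ctx ];
			}
		);
		$this->setLogger( 'csp-report-only', $logger );

		// The API reads the report from the raw request body, so getRawInput()
		// is the one FauxRequest method that has to be replaced.
		$postBody = json_encode( [ 'csp-report' => $cspReport ] );
		$req = $this->getMockBuilder( FauxRequest::class )
			->setMethods( [ 'getRawInput' ] )
			->setConstructorArgs( [ $params, /* $wasPosted */ true ] )
			->getMock();
		$req->method( 'getRawInput' )->willReturn( $postBody );
		$req->setHeaders( [
			'Content-Type' => 'application/csp-report',
			'User-Agent' => 'Test/0.0'
		] );

		// The module is built without its constructor, and getParameter() is
		// answered straight from the raw request values, so the module's normal
		// parameter handling is not exercised by these tests.
		$api = $this->getMockBuilder( ApiCSPReport::class )
			->disableOriginalConstructor()
			->setMethods( [ 'getParameter', 'getRequest', 'getResult' ] )
			->getMock();
		$api->method( 'getParameter' )->willReturnCallback(
			function ( $key ) use ( $req ) {
				return $req->getRawVal( $key );
			}
		);
		$api->method( 'getRequest' )->willReturn( $req );
		$api->method( 'getResult' )->willReturn( new ApiResult( false ) );

		$api->execute();
		return $log;
	}
}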