168a47f2b8
Extrait l'helper authenticatedClient(), $alwaysBootKernel et getEm() dans une classe de base commune aux tests fonctionnels API Platform du module Core. Supprime la duplication entre PermissionApiTest et RoleApiTest (flaggee en code review de la Task 2). Prepare le terrain pour le nouveau UserRbacApiTest introduit avec la Task 4.
352 lines
13 KiB
PHP
352 lines
13 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Tests\Module\Core\Api;
|
|
|
|
use App\Module\Core\Domain\Entity\Permission;
|
|
use App\Module\Core\Domain\Entity\Role;
|
|
use App\Module\Core\Domain\Security\SystemRoles;
|
|
|
|
/**
|
|
* Tests fonctionnels de l'exposition API Platform de l'entite Role (CRUD nominal).
|
|
*
|
|
* Strategie :
|
|
* - Les roles systeme `admin` et `user` sont deja charges par les fixtures
|
|
* (cf. AppFixtures::ensureSystemRole). On ne les touche JAMAIS.
|
|
* - Les roles et permissions crees pour les tests ont le prefixe `test.` et
|
|
* sont purges en setUp + tearDown par DQL prefixe.
|
|
* - Les cas 403 sur role systeme et 400 sur modification de `code` sont
|
|
* reportes a la Task 3 (RoleProcessor) et ne sont PAS testes ici.
|
|
*
|
|
* @internal
|
|
*/
|
|
final class RoleApiTest extends AbstractApiTestCase
|
|
{
|
|
// Prefixe pour les roles de test : `test_` (underscore) parce que les
|
|
// codes de role doivent matcher `/^[a-z][a-z0-9_]*$/` (pas de point
|
|
// autorise, contrairement aux permissions).
|
|
private const TEST_ROLE_PREFIX = 'test_';
|
|
|
|
// Prefixe pour les permissions de test : `test.` (point) parce que les
|
|
// codes de permission doivent contenir au moins un `.` (convention
|
|
// module.resource.action validee dans le constructeur Permission).
|
|
private const TEST_PERMISSION_PREFIX = 'test.';
|
|
|
|
protected function setUp(): void
|
|
{
|
|
parent::setUp();
|
|
|
|
self::bootKernel();
|
|
$em = $this->getEm();
|
|
|
|
// Nettoyage defensif au cas ou un run precedent aurait laisse des restes.
|
|
$this->cleanupTestData();
|
|
|
|
// Permissions de test reutilisables (notamment pour le PATCH).
|
|
$p1 = new Permission('test.core.roles.view', 'View roles (test)', 'core');
|
|
$p2 = new Permission('test.core.roles.manage', 'Manage roles (test)', 'core');
|
|
$em->persist($p1);
|
|
$em->persist($p2);
|
|
|
|
// Role custom existant : utilise pour les GET / PATCH / DELETE.
|
|
$editor = new Role('test_editor', 'Editeur (test)', false, 'Role de test editeur');
|
|
$em->persist($editor);
|
|
|
|
// Deuxieme role custom : pour enrichir les collections.
|
|
$viewer = new Role('test_viewer', 'Visualisateur (test)', false);
|
|
$em->persist($viewer);
|
|
|
|
$em->flush();
|
|
$em->clear();
|
|
}
|
|
|
|
protected function tearDown(): void
|
|
{
|
|
$this->cleanupTestData();
|
|
parent::tearDown();
|
|
}
|
|
|
|
public function testPostCreatesCustomRoleAsAdmin(): void
|
|
{
|
|
$client = $this->authenticatedClient('admin', 'admin');
|
|
$response = $client->request('POST', '/api/roles', [
|
|
'headers' => ['Content-Type' => 'application/ld+json'],
|
|
'json' => [
|
|
'code' => 'test_new_editor',
|
|
'label' => 'Nouvel editeur',
|
|
'description' => 'Role de test',
|
|
],
|
|
]);
|
|
|
|
self::assertResponseStatusCodeSame(201);
|
|
$data = $response->toArray();
|
|
self::assertSame('test_new_editor', $data['code']);
|
|
self::assertSame('Nouvel editeur', $data['label']);
|
|
self::assertFalse($data['isSystem']);
|
|
|
|
// Verification cote base : le role existe et isSystem = false.
|
|
$persisted = $this->getEm()->getRepository(Role::class)->findOneBy(['code' => 'test_new_editor']);
|
|
self::assertNotNull($persisted);
|
|
self::assertFalse($persisted->isSystem());
|
|
}
|
|
|
|
public function testPostWithDuplicateCodeReturns422(): void
|
|
{
|
|
$client = $this->authenticatedClient('admin', 'admin');
|
|
$client->request('POST', '/api/roles', [
|
|
'headers' => ['Content-Type' => 'application/ld+json'],
|
|
'json' => [
|
|
// `admin` est un role systeme charge par les fixtures.
|
|
'code' => SystemRoles::ADMIN_CODE,
|
|
'label' => 'Tentative de doublon',
|
|
],
|
|
]);
|
|
|
|
self::assertResponseStatusCodeSame(422);
|
|
}
|
|
|
|
public function testPostWithInvalidCodeReturns422(): void
|
|
{
|
|
$client = $this->authenticatedClient('admin', 'admin');
|
|
$client->request('POST', '/api/roles', [
|
|
'headers' => ['Content-Type' => 'application/ld+json'],
|
|
'json' => [
|
|
// Majuscules interdites par la regex snake_case.
|
|
'code' => 'BadCode',
|
|
'label' => 'Code invalide',
|
|
],
|
|
]);
|
|
|
|
self::assertResponseStatusCodeSame(422);
|
|
}
|
|
|
|
public function testPostWithIsSystemTrueIgnoresItAndPersistsFalse(): void
|
|
{
|
|
$client = $this->authenticatedClient('admin', 'admin');
|
|
$response = $client->request('POST', '/api/roles', [
|
|
'headers' => ['Content-Type' => 'application/ld+json'],
|
|
'json' => [
|
|
'code' => 'test_sneaky',
|
|
'label' => 'Tentative systeme',
|
|
'isSystem' => true,
|
|
],
|
|
]);
|
|
|
|
self::assertResponseStatusCodeSame(201);
|
|
$data = $response->toArray();
|
|
self::assertFalse($data['isSystem']);
|
|
|
|
$persisted = $this->getEm()->getRepository(Role::class)->findOneBy(['code' => 'test_sneaky']);
|
|
self::assertNotNull($persisted);
|
|
self::assertFalse($persisted->isSystem());
|
|
}
|
|
|
|
public function testGetCollectionAsAdminReturnsRoles(): void
|
|
{
|
|
$client = $this->authenticatedClient('admin', 'admin');
|
|
$response = $client->request('GET', '/api/roles');
|
|
|
|
self::assertResponseIsSuccessful();
|
|
$data = $response->toArray();
|
|
self::assertArrayHasKey('member', $data);
|
|
// Au moins admin systeme + user systeme + test_editor + test_viewer.
|
|
self::assertGreaterThanOrEqual(4, $data['totalItems']);
|
|
$codes = array_column($data['member'], 'code');
|
|
self::assertContains('test_editor', $codes);
|
|
}
|
|
|
|
public function testGetCollectionFilterByIsSystemTrue(): void
|
|
{
|
|
$client = $this->authenticatedClient('admin', 'admin');
|
|
$response = $client->request('GET', '/api/roles', [
|
|
'query' => ['isSystem' => 'true'],
|
|
]);
|
|
|
|
self::assertResponseIsSuccessful();
|
|
$data = $response->toArray();
|
|
foreach ($data['member'] as $item) {
|
|
self::assertTrue($item['isSystem']);
|
|
}
|
|
$codes = array_column($data['member'], 'code');
|
|
self::assertNotContains('test_editor', $codes);
|
|
self::assertNotContains('test_viewer', $codes);
|
|
}
|
|
|
|
public function testGetItemReturnsAllReadFields(): void
|
|
{
|
|
$role = $this->getEm()->getRepository(Role::class)->findOneBy(['code' => 'test_editor']);
|
|
self::assertNotNull($role);
|
|
|
|
$client = $this->authenticatedClient('admin', 'admin');
|
|
$response = $client->request('GET', '/api/roles/'.$role->getId());
|
|
|
|
self::assertResponseIsSuccessful();
|
|
$data = $response->toArray();
|
|
self::assertSame('test_editor', $data['code']);
|
|
self::assertSame('Editeur (test)', $data['label']);
|
|
self::assertSame('Role de test editeur', $data['description']);
|
|
self::assertFalse($data['isSystem']);
|
|
self::assertArrayHasKey('permissions', $data);
|
|
self::assertIsArray($data['permissions']);
|
|
}
|
|
|
|
public function testPatchCustomRoleUpdatesLabelAndAddsPermission(): void
|
|
{
|
|
$em = $this->getEm();
|
|
$role = $em->getRepository(Role::class)->findOneBy(['code' => 'test_editor']);
|
|
self::assertNotNull($role);
|
|
$permission = $em->getRepository(Permission::class)->findOneBy(['code' => 'test.core.roles.view']);
|
|
self::assertNotNull($permission);
|
|
|
|
$client = $this->authenticatedClient('admin', 'admin');
|
|
$response = $client->request('PATCH', '/api/roles/'.$role->getId(), [
|
|
'headers' => ['Content-Type' => 'application/merge-patch+json'],
|
|
'json' => [
|
|
'label' => 'Editeur modifie',
|
|
'permissions' => ['/api/permissions/'.$permission->getId()],
|
|
],
|
|
]);
|
|
|
|
self::assertResponseIsSuccessful();
|
|
$data = $response->toArray();
|
|
self::assertSame('Editeur modifie', $data['label']);
|
|
self::assertCount(1, $data['permissions']);
|
|
|
|
// Verification cote base.
|
|
$em->clear();
|
|
|
|
/** @var Role $reloaded */
|
|
$reloaded = $em->getRepository(Role::class)->findOneBy(['code' => 'test_editor']);
|
|
self::assertSame('Editeur modifie', $reloaded->getLabel());
|
|
self::assertCount(1, $reloaded->getPermissions());
|
|
}
|
|
|
|
public function testDeleteCustomRoleReturns204(): void
|
|
{
|
|
$role = $this->getEm()->getRepository(Role::class)->findOneBy(['code' => 'test_viewer']);
|
|
self::assertNotNull($role);
|
|
$id = $role->getId();
|
|
|
|
$client = $this->authenticatedClient('admin', 'admin');
|
|
$client->request('DELETE', '/api/roles/'.$id);
|
|
|
|
self::assertResponseStatusCodeSame(204);
|
|
|
|
$em = $this->getEm();
|
|
$em->clear();
|
|
self::assertNull($em->getRepository(Role::class)->find($id));
|
|
}
|
|
|
|
public function testDeleteSystemRoleReturns403(): void
|
|
{
|
|
$role = $this->getEm()->getRepository(Role::class)->findOneBy(['code' => SystemRoles::ADMIN_CODE]);
|
|
self::assertNotNull($role);
|
|
|
|
$client = $this->authenticatedClient('admin', 'admin');
|
|
$client->request('DELETE', '/api/roles/'.$role->getId());
|
|
|
|
self::assertResponseStatusCodeSame(403);
|
|
|
|
// Le role systeme doit toujours exister.
|
|
$em = $this->getEm();
|
|
$em->clear();
|
|
self::assertNotNull($em->getRepository(Role::class)->findOneBy(['code' => SystemRoles::ADMIN_CODE]));
|
|
}
|
|
|
|
public function testPatchSystemRoleLabelReturns200(): void
|
|
{
|
|
$em = $this->getEm();
|
|
$role = $em->getRepository(Role::class)->findOneBy(['code' => SystemRoles::ADMIN_CODE]);
|
|
self::assertNotNull($role);
|
|
$originalLabel = $role->getLabel();
|
|
$roleId = $role->getId();
|
|
|
|
$client = $this->authenticatedClient('admin', 'admin');
|
|
|
|
try {
|
|
$response = $client->request('PATCH', '/api/roles/'.$roleId, [
|
|
'headers' => ['Content-Type' => 'application/merge-patch+json'],
|
|
'json' => ['label' => 'Administrateur (modifie test)'],
|
|
]);
|
|
|
|
self::assertResponseIsSuccessful();
|
|
$data = $response->toArray();
|
|
self::assertSame('Administrateur (modifie test)', $data['label']);
|
|
self::assertSame(SystemRoles::ADMIN_CODE, $data['code']);
|
|
self::assertTrue($data['isSystem']);
|
|
} finally {
|
|
// Restauration defensive du label original pour ne pas polluer
|
|
// les tests suivants (les fixtures systeme sont partagees).
|
|
$em = $this->getEm();
|
|
|
|
/** @var null|Role $reloaded */
|
|
$reloaded = $em->getRepository(Role::class)->findOneBy(['code' => SystemRoles::ADMIN_CODE]);
|
|
if (null !== $reloaded && $reloaded->getLabel() !== $originalLabel) {
|
|
$reloaded->setLabel($originalLabel);
|
|
$em->flush();
|
|
}
|
|
}
|
|
}
|
|
|
|
public function testPatchRoleCodeChangeReturns400(): void
|
|
{
|
|
$role = $this->getEm()->getRepository(Role::class)->findOneBy(['code' => 'test_editor']);
|
|
self::assertNotNull($role);
|
|
|
|
$client = $this->authenticatedClient('admin', 'admin');
|
|
$client->request('PATCH', '/api/roles/'.$role->getId(), [
|
|
'headers' => ['Content-Type' => 'application/merge-patch+json'],
|
|
'json' => ['code' => 'test_editor_renamed'],
|
|
]);
|
|
|
|
self::assertResponseStatusCodeSame(400);
|
|
|
|
// Verification cote base : le code d'origine n'a pas bouge.
|
|
$em = $this->getEm();
|
|
$em->clear();
|
|
self::assertNotNull($em->getRepository(Role::class)->findOneBy(['code' => 'test_editor']));
|
|
self::assertNull($em->getRepository(Role::class)->findOneBy(['code' => 'test_editor_renamed']));
|
|
}
|
|
|
|
public function testUnauthenticatedGetCollectionReturns401(): void
|
|
{
|
|
$client = self::createClient();
|
|
$client->request('GET', '/api/roles');
|
|
|
|
self::assertResponseStatusCodeSame(401);
|
|
}
|
|
|
|
public function testNonAdminGetCollectionReturns403(): void
|
|
{
|
|
$client = $this->authenticatedClient('alice', 'alice');
|
|
$client->request('GET', '/api/roles');
|
|
|
|
self::assertResponseStatusCodeSame(403);
|
|
}
|
|
|
|
/**
|
|
* Purge les donnees de test (roles et permissions prefixees `test.`).
|
|
* Ne touche JAMAIS aux roles systeme `admin` et `user` charges par les
|
|
* fixtures.
|
|
*/
|
|
private function cleanupTestData(): void
|
|
{
|
|
$em = $this->getEm();
|
|
|
|
// Le cascade FK de la migration #343 (ON DELETE CASCADE sur
|
|
// role_permission.role_id et permission_id) nettoie automatiquement
|
|
// role_permission lors du DELETE SQL emis par Doctrine, meme via DQL
|
|
// bulk delete : le cascade est applique au niveau FK par PostgreSQL,
|
|
// pas par l'Unit of Work Doctrine. Verifie par comptage avant/apres
|
|
// runs successifs de la suite (stable a la ligne de base systeme).
|
|
$em->createQuery(
|
|
'DELETE FROM '.Role::class.' r WHERE r.code LIKE :prefix'
|
|
)->setParameter('prefix', self::TEST_ROLE_PREFIX.'%')->execute();
|
|
|
|
$em->createQuery(
|
|
'DELETE FROM '.Permission::class.' p WHERE p.code LIKE :prefix'
|
|
)->setParameter('prefix', self::TEST_PERMISSION_PREFIX.'%')->execute();
|
|
}
|
|
}
|