|
| 1 | +<?php |
| 2 | +/** |
| 3 | + * @author Magebit <info@magebit.com> |
| 4 | + * @copyright Copyright (c) Magebit, Ltd. (https://magebit.com) |
| 5 | + * @license MIT |
| 6 | + */ |
| 7 | +declare(strict_types=1); |
| 8 | + |
| 9 | +namespace Magebit\Mcp\Test\Unit\Model\OAuth; |
| 10 | + |
| 11 | +use Magebit\Mcp\Model\OAuth\FormActionCspWhitelister; |
| 12 | +use Magento\Csp\Model\Collector\DynamicCollector; |
| 13 | +use Magento\Csp\Model\Policy\FetchPolicy; |
| 14 | +use Magento\Csp\Model\Policy\FetchPolicyFactory; |
| 15 | +use PHPUnit\Framework\MockObject\MockObject; |
| 16 | +use PHPUnit\Framework\TestCase; |
| 17 | + |
| 18 | +class FormActionCspWhitelisterTest extends TestCase |
| 19 | +{ |
| 20 | + private DynamicCollector&MockObject $collector; |
| 21 | + private FetchPolicyFactory&MockObject $policyFactory; |
| 22 | + private FormActionCspWhitelister $whitelister; |
| 23 | + |
| 24 | + protected function setUp(): void |
| 25 | + { |
| 26 | + $this->collector = $this->createMock(DynamicCollector::class); |
| 27 | + $this->policyFactory = $this->createMock(FetchPolicyFactory::class); |
| 28 | + // Build a real FetchPolicy from the requested args so assertions exercise the real DTO. |
| 29 | + $this->policyFactory->method('create')->willReturnCallback( |
| 30 | + static fn (array $data): FetchPolicy => new FetchPolicy( |
| 31 | + (string) $data['id'], |
| 32 | + (bool) ($data['noneAllowed'] ?? true), |
| 33 | + (array) ($data['hostSources'] ?? []), |
| 34 | + (array) ($data['schemeSources'] ?? []), |
| 35 | + (bool) ($data['selfAllowed'] ?? false) |
| 36 | + ) |
| 37 | + ); |
| 38 | + $this->whitelister = new FormActionCspWhitelister($this->collector, $this->policyFactory); |
| 39 | + } |
| 40 | + |
| 41 | + public function testWhitelistsRedirectOriginForFormAction(): void |
| 42 | + { |
| 43 | + $this->collector->expects(self::once())->method('add')->with( |
| 44 | + self::callback(static function (FetchPolicy $policy): bool { |
| 45 | + return $policy->getId() === 'form-action' |
| 46 | + && $policy->isSelfAllowed() === true |
| 47 | + && $policy->getHostSources() === ['https://claude.ai']; |
| 48 | + }) |
| 49 | + ); |
| 50 | + |
| 51 | + $this->whitelister->whitelistRedirectTarget('https://claude.ai/api/mcp/auth_callback'); |
| 52 | + } |
| 53 | + |
| 54 | + public function testIncludesNonDefaultPortInOrigin(): void |
| 55 | + { |
| 56 | + $this->collector->expects(self::once())->method('add')->with( |
| 57 | + self::callback( |
| 58 | + static fn (FetchPolicy $policy): bool => $policy->getHostSources() === ['http://localhost:33418'] |
| 59 | + ) |
| 60 | + ); |
| 61 | + |
| 62 | + $this->whitelister->whitelistRedirectTarget('http://localhost:33418/oauth/callback'); |
| 63 | + } |
| 64 | + |
| 65 | + public function testIgnoresEmptyRedirectUri(): void |
| 66 | + { |
| 67 | + $this->collector->expects(self::never())->method('add'); |
| 68 | + $this->whitelister->whitelistRedirectTarget(''); |
| 69 | + } |
| 70 | + |
| 71 | + public function testIgnoresRedirectUriWithoutHost(): void |
| 72 | + { |
| 73 | + $this->collector->expects(self::never())->method('add'); |
| 74 | + $this->whitelister->whitelistRedirectTarget('/relative/path'); |
| 75 | + } |
| 76 | +} |
0 commit comments