Pass secret from the options. Created firewall rule creation test.

dave83649 · dave83649 · commit 980c879f48ed · 2022-04-01T16:27:08.000+02:00
diff --git a/src/Processor.php b/src/Processor.php
@@ -62,6 +62,14 @@ class Processor
      */
     private $response;
 
+    /**
+     * The secret that is used for the firewall rules integrity.
+     * Default is set to "secret" for easy PHPUnit testing.
+     *
+     * @var string
+     */
+    private $secret = 'secret';
+
     /**
      * Creates a new processor instance.
      *
@@ -83,6 +91,8 @@ public function __construct(
         $this->whitelistRules = $whitelistRules;
         $this->options = array_merge($this->options, $options);
         $this->extension = $extension;
+
+        $this->secret = isset($options['secret']) ? $options['secret'] : 'secret';
         $this->request = new Request($this->options);
         $this->response = new Response($this->options);
     }
@@ -135,9 +145,9 @@ public function launch($mustExit = true)
         // Since the Opis/Closure package does not support PHP 8.1+, we have to use Laravel's ported version for 8.1+.
         require dirname(__FILE__) . '/../vendor/autoload.php';
         if (PHP_VERSION_ID < 80100) {
-            \Opis\Closure\SerializableClosure::setSecretKey('secret');
+            \Opis\Closure\SerializableClosure::setSecretKey($this->secret);
         } else {
-            \Laravel\SerializableClosure\SerializableClosure::setSecretKey('secret');
+            \Laravel\SerializableClosure\SerializableClosure::setSecretKey($this->secret);
         }
 
         foreach ($this->firewallRules as $rule) {
diff --git a/tests/FirewallRuleCreationTest.php b/tests/FirewallRuleCreationTest.php
@@ -0,0 +1,130 @@
+<?php
+
+declare(strict_types=1);
+
+use PHPUnit\Framework\TestCase;
+use Patchstack\Processor;
+use Patchstack\Extensions\Test\Extension;
+
+final class FirewallRuleCreationTest extends TestCase
+{
+    /**
+     * @var Processor
+     */
+    protected $processor;
+
+    /**
+     * @var array
+     */
+    protected $rules;
+
+    /**
+     * Setup the test for testing the header location redirect.
+     *
+     * @return void
+     */
+    protected function setUp(): void
+    {
+        $this->rules = json_decode(file_get_contents(dirname(__FILE__) . '/data/Rules.json'));
+    }
+
+    /**
+     * Setup the firewall processor.
+     *
+     * @param  array $rules
+     * @return void
+     */
+    private function setUpFirewallProcessor(array $rules)
+    {
+        $this->processor = new Processor(
+            $rules,
+            [],
+            [],
+            [],
+            new Extension()
+        );
+    }
+
+    /**
+     * Alters the payload between tests.
+     * For most firewall rules there's no difference if testing against GET or POST.
+     * Therefore, both can be used for testing payloads.
+     *
+     * @return void
+     */
+    private function alterPayload(array $payload = [])
+    {
+        $_POST = [];
+        $_GET = [];
+
+        $_POST = isset($payload['POST']) ? $payload['POST'] : [];
+        $_GET = isset($payload['GET']) ? $payload['GET'] : [];
+    }
+
+    /**
+     * Test the creation of firewall rules.
+     *
+     * @return void
+     */
+    public function testFirewallRuleCreation()
+    {
+        // Since the Opis/Closure package does not support PHP 8.1+, we have to use Laravel's ported version for 8.1+.
+        require dirname(__FILE__) . '/../vendor/autoload.php';
+        if (PHP_VERSION_ID < 80100) {
+            \Opis\Closure\SerializableClosure::setSecretKey('secret');
+            class_alias('\Opis\Closure\SerializableClosure', 'SerializeClosure');
+        } else {
+            \Laravel\SerializableClosure\SerializableClosure::setSecretKey('secret');
+            class_alias('\Laravel\SerializableClosure\SerializableClosure', 'SerializeClosure');
+        }
+
+        // Create the firewall rule.
+        $function = function () {
+            return isset($_GET['test']);
+        };
+        $wrapper = new SerializeClosure($function);
+        $rule = (object) [
+            'id' => 1,
+            'title' => 'Block request with test query parameter in the URL.',
+            'rule' => base64_encode(serialize($wrapper)),
+            'cat' => 'TEST',
+            'type' => 'BLOCK'
+        ];
+
+        // Test the rule.
+        $this->setUpFirewallProcessor([$rule]);
+        $this->alterPayload(
+            ['GET' => [
+            'test' => 'yes'
+            ]]
+        );
+        $this->assertFalse($this->processor->launch(false));
+
+        // Create the more complex firewall rule.
+        $function = function () {
+            if (!isset($_POST['exec'])) {
+                return false;
+            }
+
+            $payload = json_decode(base64_decode($_POST['exec']), true);
+            return $payload && isset($payload['user_role']) && $payload['user_role'] == 'administrator';
+        };
+        $wrapper = new SerializeClosure($function);
+        $rule = (object) [
+            'id' => 1,
+            'title' => 'Block request with encoded payload',
+            'rule' => base64_encode(serialize($wrapper)),
+            'cat' => 'TEST',
+            'type' => 'BLOCK'
+        ];
+
+        // Test the rule.
+        $this->setUpFirewallProcessor([$rule]);
+        $this->alterPayload(
+            ['POST' => [
+            'exec' => base64_encode(json_encode(['user_role' => 'administrator']))
+            ]]
+        );
+        $this->assertFalse($this->processor->launch(false));
+    }
+}
