Updated test case for method spoofing

Author: WendellAdriel

packages/http/tests/Mappers/PsrRequestToGenericRequestMapperTest.php

@@ -0,0 +1,124 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tempest\Http\Tests\Mappers;
+
+use Laminas\Diactoros\ServerRequest;
+use Laminas\Diactoros\Stream;
+use PHPUnit\Framework\Attributes\DataProvider;
+use PHPUnit\Framework\TestCase;
+use Psr\Http\Message\ServerRequestInterface;
+use ReflectionClass;
+use ReflectionMethod;
+use Tempest\Cryptography\Encryption\Encrypter;
+use Tempest\Http\Mappers\PsrRequestToGenericRequestMapper;
+use Tempest\Http\Method;
+
+final class PsrRequestToGenericRequestMapperTest extends TestCase
+{
+    private PsrRequestToGenericRequestMapper $mapper;
+    private Encrypter $encrypter;
+    private ReflectionMethod $requestMethod;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $this->encrypter = $this->createMock(Encrypter::class);
+        $this->encrypter->method('decrypt')->willReturnArgument(0);
+
+        $this->mapper = new PsrRequestToGenericRequestMapper($this->encrypter);
+
+        $reflection = new ReflectionClass($this->mapper);
+        $this->requestMethod = $reflection->getMethod('requestMethod');
+        $this->requestMethod->setAccessible(true);
+    }
+
+    #[DataProvider('nonPostMethodsProvider')]
+    public function test_non_post_requests_are_not_affected_by_method_param(string $originalMethod): void
+    {
+        $request = $this->createServerRequest(
+            $originalMethod,
+            ['_method' => 'DELETE'],
+        );
+
+        $method = $this->requestMethod->invoke($this->mapper, $request, ['_method' => 'DELETE']);
+
+        $this->assertSame(Method::from($originalMethod), $method);
+    }
+
+    #[DataProvider('validSpoofedMethodsProvider')]
+    public function test_post_with_valid_method_is_spoofed(string $spoofedMethod): void
+    {
+        $request = $this->createServerRequest(
+            'POST',
+            ['_method' => $spoofedMethod],
+        );
+
+        $method = $this->requestMethod->invoke($this->mapper, $request, ['_method' => $spoofedMethod]);
+
+        $this->assertSame(Method::from(strtoupper($spoofedMethod)), $method);
+    }
+
+    public function test_post_with_invalid_method_is_not_spoofed(): void
+    {
+        $request = $this->createServerRequest(
+            'POST',
+            ['_method' => 'INVALID'],
+        );
+
+        $method = $this->requestMethod->invoke($this->mapper, $request, ['_method' => 'INVALID']);
+
+        $this->assertSame(Method::POST, $method);
+    }
+
+    public function test_method_param_is_case_insensitive(): void
+    {
+        $request = $this->createServerRequest(
+            'POST',
+            ['_method' => 'delete'],
+        );
+
+        $method = $this->requestMethod->invoke($this->mapper, $request, ['_method' => 'delete']);
+
+        $this->assertSame(Method::DELETE, $method);
+    }
+
+    public static function nonPostMethodsProvider(): array
+    {
+        return [
+            ['GET'],
+            ['PUT'],
+            ['PATCH'],
+            ['DELETE'],
+            ['HEAD'],
+            ['OPTIONS'],
+            ['TRACE'],
+            ['CONNECT'],
+        ];
+    }
+
+    public static function validSpoofedMethodsProvider(): array
+    {
+        return [
+            ['PUT'],
+            ['PATCH'],
+            ['DELETE'],
+        ];
+    }
+
+    private function createServerRequest(string $method, array $body = []): ServerRequestInterface
+    {
+        $request = new ServerRequest([], [], '/', $method);
+
+        if (! empty($body)) {
+            $request = $request->withParsedBody($body);
+        }
+
+        $stream = new Stream('php://temp', 'r+');
+        $request = $request->withBody($stream);
+
+        return $request;
+    }
+}