Unit tests and cleanup

Author: jekuaitk

.github/workflows/pr.yml

@@ -114,6 +114,35 @@ jobs:
         run: |
           ./scripts/code-analysis
 
+  php-unit-tests:
+    name: PHP unit tests
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        php-versions: [ '8.3' ]
+    steps:
+      - uses: actions/checkout@master
+      - name: Setup PHP, with composer and extensions
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php-versions }}
+          extensions: json
+          coverage: none
+          tools: composer:v2
+      # https://github.com/shivammathur/setup-php#cache-composer-dependencies
+      - name: Get composer cache directory
+        id: composer-cache
+        run: echo "::set-output name=dir::$(composer config cache-files-dir)"
+      - name: Cache dependencies
+        uses: actions/cache@v2
+        with:
+          path: ${{ steps.composer-cache.outputs.dir }}
+          key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }}
+          restore-keys: ${{ runner.os }}-composer-
+      - name: Code analysis
+        run: |
+          ./scripts/unit-tests
+
   coding-standards-markdown:
     name: Markdown coding standards
     runs-on: ubuntu-latest

CHANGELOG.md

@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+* [PR-4](https://github.com/OS2web/os2web_key/pull/4)
+  Added HashiCorp Vault key provider
 * [PR-2](https://github.com/OS2web/os2web_key/pull/2)
   Updated documentation
 * [PR-1](https://github.com/OS2web/os2web_key/pull/1)

composer.json

@@ -19,17 +19,24 @@
     "require-dev": {
         "dealerdirect/phpcodesniffer-composer-installer": "^1.0",
         "drupal/coder": "^8.3",
+        "drupal/core-dev": "^9 || ^10",
         "ergebnis/composer-normalize": "^2.42",
         "mglaman/phpstan-drupal": "^1.2",
         "phpstan/extension-installer": "^1.3",
-        "phpstan/phpstan-deprecation-rules": "^1.1"
+        "phpstan/phpstan-deprecation-rules": "^1.1",
+        "phpunit/phpunit": "^9.6"
     },
     "repositories": [
         {
             "type": "composer",
             "url": "https://packages.drupal.org/8"
         }
     ],
+    "autoload-dev": {
+        "psr-4": {
+            "Drupal\\Tests\\os2web_key\\": "tests/src/"
+        }
+    },
     "config": {
         "allow-plugins": {
             "dealerdirect/phpcodesniffer-composer-installer": true,

os2web_key.services.yml

@@ -29,3 +29,4 @@ services:
       - '@logger.channel.os2web_key'
       - '@http_client'
       - '@os2web_key.psr16_cache'
+      - '@os2web_key.key_helper'

phpunit.xml

@@ -0,0 +1,105 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!-- For how to customize PHPUnit configuration, see core/tests/README.md. -->
+<!-- TODO set checkForUnintentionallyCoveredCode="true" once https://www.drupal.org/node/2626832 is resolved. -->
+<!-- PHPUnit expects functional tests to be run with either a privileged user
+ or your current system user. See core/tests/README.md and
+ https://www.drupal.org/node/2116263 for details.
+-->
+<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         bootstrap="tests/bootstrap.php" colors="true"
+         beStrictAboutTestsThatDoNotTestAnything="true"
+         beStrictAboutOutputDuringTests="true"
+         beStrictAboutChangesToGlobalState="true"
+         failOnWarning="true"
+         printerClass="\Drupal\Tests\Listeners\HtmlOutputPrinter"
+         cacheResult="false"
+         xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/9.3/phpunit.xsd">
+  <php>
+    <!-- Set error reporting to E_ALL. -->
+    <ini name="error_reporting" value="32767"/>
+    <!-- Do not limit the amount of memory tests take to run. -->
+    <ini name="memory_limit" value="-1"/>
+    <!-- Example SIMPLETEST_BASE_URL value: http://localhost -->
+    <env name="SIMPLETEST_BASE_URL" value=""/>
+    <!-- Example SIMPLETEST_DB value: mysql://username:password@localhost/database_name#table_prefix -->
+    <env name="SIMPLETEST_DB" value="mysql://db:db@mariadb/db"/>
+    <!-- Example BROWSERTEST_OUTPUT_DIRECTORY value: /path/to/webroot/sites/simpletest/browser_output -->
+    <env name="BROWSERTEST_OUTPUT_DIRECTORY" value=""/>
+    <!-- By default, browser tests will output links that use the base URL set
+     in SIMPLETEST_BASE_URL. However, if your SIMPLETEST_BASE_URL is an internal
+     path (such as may be the case in a virtual or Docker-based environment),
+     you can set the base URL used in the browser test output links to something
+     reachable from your host machine here. This will allow you to follow them
+     directly and view the output. -->
+    <env name="BROWSERTEST_OUTPUT_BASE_URL" value=""/>
+
+    <!-- Deprecation testing is managed through Symfony's PHPUnit Bridge.
+      The environment variable SYMFONY_DEPRECATIONS_HELPER is used to configure
+      the behavior of the deprecation tests.
+      See https://symfony.com/doc/current/components/phpunit_bridge.html#configuration
+      Drupal core's testing framework is setting this variable to its defaults.
+      Projects with their own requirements need to manage this variable
+      explicitly.
+    -->
+    <!-- To disable deprecation testing completely uncomment the next line. -->
+    <!-- <env name="SYMFONY_DEPRECATIONS_HELPER" value="disabled"/> -->
+    <!-- Deprecation errors can be selectively ignored by specifying a file of
+      regular expression patterns for exclusion.
+      See https://symfony.com/doc/current/components/phpunit_bridge.html#ignoring-deprecations
+      Uncomment the line below to specify a custom deprecations ignore file.
+      NOTE: it may be required to specify the full path to the file to run tests
+      correctly.
+    -->
+    <!-- <env name="SYMFONY_DEPRECATIONS_HELPER" value="ignoreFile=.deprecation-ignore.txt"/> -->
+
+    <!-- Example for changing the driver class for mink tests MINK_DRIVER_CLASS value: 'Drupal\FunctionalJavascriptTests\DrupalSelenium2Driver' -->
+    <env name="MINK_DRIVER_CLASS" value=''/>
+    <!-- Example for changing the driver args to mink tests MINK_DRIVER_ARGS value: '["http://127.0.0.1:8510"]' -->
+    <env name="MINK_DRIVER_ARGS" value=''/>
+    <!-- Example for changing the driver args to webdriver tests MINK_DRIVER_ARGS_WEBDRIVER value: '["chrome", { "goog:chromeOptions": { "w3c": false } }, "http://localhost:4444/wd/hub"]' For using the Firefox browser, replace "chrome" with "firefox" -->
+    <env name="MINK_DRIVER_ARGS_WEBDRIVER" value=''/>
+  </php>
+  <testsuites>
+    <testsuite name="unit">
+      <file>./tests/TestSuites/UnitTestSuite.php</file>
+    </testsuite>
+    <testsuite name="kernel">
+      <file>./tests/TestSuites/KernelTestSuite.php</file>
+    </testsuite>
+    <testsuite name="functional">
+      <file>./tests/TestSuites/FunctionalTestSuite.php</file>
+    </testsuite>
+    <testsuite name="functional-javascript">
+      <file>./tests/TestSuites/FunctionalJavascriptTestSuite.php</file>
+    </testsuite>
+    <testsuite name="build">
+      <file>./tests/TestSuites/BuildTestSuite.php</file>
+    </testsuite>
+  </testsuites>
+  <listeners>
+    <listener class="\Drupal\Tests\Listeners\DrupalListener">
+    </listener>
+  </listeners>
+  <!-- Settings for coverage reports. -->
+  <coverage>
+    <include>
+      <directory>./includes</directory>
+      <directory>./lib</directory>
+      <directory>./modules</directory>
+      <directory>../modules</directory>
+      <directory>../sites</directory>
+    </include>
+    <exclude>
+      <directory>./modules/*/src/Tests</directory>
+      <directory>./modules/*/tests</directory>
+      <directory>../modules/*/src/Tests</directory>
+      <directory>../modules/*/tests</directory>
+      <directory>../modules/*/*/src/Tests</directory>
+      <directory>../modules/*/*/tests</directory>
+      <directory suffix=".api.php">./lib/**</directory>
+      <directory suffix=".api.php">./modules/**</directory>
+      <directory suffix=".api.php">../modules/**</directory>
+    </exclude>
+  </coverage>
+</phpunit>

scripts/unit-tests

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+script_dir=$(pwd)
+module_name=$(basename "$script_dir")
+drupal_dir=vendor/drupal-module-code-analysis
+# Relative to $drupal_dir
+module_path=web/modules/contrib/$module_name
+
+cd "$script_dir" || exit
+
+drupal_composer() {
+  composer --working-dir="$drupal_dir" --no-interaction "$@"
+}
+
+# Create new Drupal 10 project
+if [ ! -f "$drupal_dir/composer.json" ]; then
+  composer --no-interaction create-project drupal/recommended-project:^10 "$drupal_dir"
+fi
+# Copy our code into the modules folder
+mkdir -p "$drupal_dir/$module_path"
+# https://stackoverflow.com/a/15373763
+rsync --archive --compress . --filter=':- .gitignore' --exclude "$drupal_dir" --exclude .git "$drupal_dir/$module_path"
+
+drupal_composer config minimum-stability dev
+
+# Allow ALL plugins
+# https://getcomposer.org/doc/06-config.md#allow-plugins
+drupal_composer config --no-plugins allow-plugins true
+
+# Making Drupal 10 compatible
+drupal_composer require psr/http-message:^1.0
+drupal_composer require mglaman/composer-drupal-lenient
+drupal_composer config --merge --json extra.drupal-lenient.allowed-list '["drupal/coc_forms_auto_export", "drupal/webform_node_element"]'
+
+drupal_composer require wikimedia/composer-merge-plugin
+drupal_composer config extra.merge-plugin.include "$module_path/composer.json"
+# https://www.drupal.org/project/drupal/issues/3220043#comment-14845434
+drupal_composer require --dev symfony/phpunit-bridge
+
+
+# Run PHPUnit
+(cd "$drupal_dir" && vendor/bin/phpunit "$module_path/tests/src/Unit/KeyHelperUnitTest.php")

src/KeyHelper.php

@@ -32,24 +32,14 @@ public function __construct(
    * @return array{cert: string, pkey: string}
    *   The certificates.
    */
-  public function getCertificates(KeyInterface $key, bool $parseCertificate = FALSE): array {
+  public function getCertificates(KeyInterface $key): array {
     $type = $key->getKeyType();
     if (!($type instanceof CertificateKeyType)) {
       throw $this->createSslRuntimeException(sprintf('Invalid key type: %s', $type::class), $key);
     }
-    $contents = $key->getKeyValue();
 
-    if ($parseCertificate) {
-      return $this->parseCertificates(
-        $contents,
-        $type->getInputFormat(),
-        $type->getPassphrase(),
-        $key
-      );
-    }
-    else {
-      return ['cert' => $contents];
-    }
+    return $this->parseCertificates($key->getKeyValue(), $type->getInputFormat(), $type->getPassphrase(), $key);
+
   }
 
   /**
@@ -90,7 +80,7 @@ public function getOidcValues(KeyInterface $key): array {
    * Parse certificates.
    *
    * @return array{cert: string, pkey: string}
-   *   The certificates.
+   *   The certificates, note that the certificate has no passphrase.
    */
   public function parseCertificates(
     string $contents,
@@ -102,6 +92,7 @@ public function parseCertificates(
       CertificateKeyType::CERT => NULL,
       CertificateKeyType::PKEY => NULL,
     ];
+
     switch ($format) {
       case CertificateKeyType::FORMAT_PFX:
         if (!openssl_pkcs12_read($contents, $certificates, $passphrase)) {
@@ -114,30 +105,42 @@ public function parseCertificates(
         if (FALSE === $certificate) {
           throw $this->createSslRuntimeException('Error reading certificate', $key);
         }
-        if (!@openssl_x509_export($certificate, $certificates['cert'])) {
+        if (!@openssl_x509_export($certificate, $certificates[CertificateKeyType::CERT])) {
           throw $this->createSslRuntimeException('Error exporting x509 certificate', $key);
         }
         $pkey = @openssl_pkey_get_private($contents, $passphrase);
         if (FALSE === $pkey) {
           throw $this->createSslRuntimeException('Error reading private key', $key);
         }
-        if (!@openssl_pkey_export($pkey, $certificates['pkey'])) {
+        if (!@openssl_pkey_export($pkey, $certificates[CertificateKeyType::PKEY])) {
           throw $this->createSslRuntimeException('Error exporting private key', $key);
         }
         break;
     }
 
     if (!isset($certificates[CertificateKeyType::CERT], $certificates[CertificateKeyType::PKEY])) {
-      throw $this->createRuntimeException("Cannot read certificate parts 'cert' and 'pkey'", $key);
+      throw $this->createRuntimeException("Cannot read certificate parts CertificateKeyType::CERT and CertificateKeyType::PKEY", $key);
     }
 
     return $certificates;
   }
 
   /**
-   * Create a passwordless certificate.
+   * Converts certificates to format.
+   *
+   * @param array $certificates
+   *   Output from parseCertificates.
+   * @param string $format
+   *   Format to convert into.
+   * @param ?KeyInterface $key
+   *   The key, for debugging purposes.
+   *
+   * @return string
+   *   The converted certificate.
+   *
+   * @see self::parseCertificates()
    */
-  public function createPasswordlessCertificate(array $certificates, string $format, ?KeyInterface $key): string {
+  public function convertCertificates(array $certificates, string $format, ?KeyInterface $key): string {
     $cert = $certificates[CertificateKeyType::CERT] ?? NULL;
     if (!isset($cert)) {
       throw $this->createRuntimeException('Certificate part "cert" not found', $key);
@@ -196,7 +199,14 @@ public function createRuntimeException(string $message, ?KeyInterface $key, ?str
    * Create an SSL runtime exception.
    */
   public function createSslRuntimeException(string $message, ?KeyInterface $key): RuntimeException {
-    return $this->createRuntimeException($message, $key, openssl_error_string() ?: NULL);
+    // @see https://www.php.net/manual/en/function.openssl-error-string.php.
+    $sslError = NULL;
+
+    while ($errorMessage = openssl_error_string()) {
+      $sslError = $errorMessage;
+    }
+
+    return $this->createRuntimeException($message, $key, $sslError);
   }
 
 }