Make host comparison case-insensitive, fix substring comparison (#15)

Author: webignition

src/HostComparer.php

@@ -0,0 +1,15 @@
+<?php
+
+namespace webignition\Guzzle\Middleware\HttpAuthentication;
+
+class HostComparer
+{
+    public function isHostMatch(string $requestHost, string $authenticationHost)
+    {
+        $requestHost = strtolower($requestHost);
+        $authenticationHost = strtolower($authenticationHost);
+
+        return $requestHost === $authenticationHost
+            || preg_match('*' . preg_quote($authenticationHost, '*') . '$*i', $requestHost) > 0;
+    }
+}

src/HttpAuthenticationMiddleware.php

@@ -6,6 +6,11 @@
 
 class HttpAuthenticationMiddleware
 {
+    /**
+     * @var HostComparer
+     */
+    private $hostComparer;
+
     /**
      * @var string
      */
@@ -14,13 +19,18 @@ class HttpAuthenticationMiddleware
     /**
      * @var string
      */
-    private $credentials = null;
+    private $credentials = '';
 
     /**
      * @var null string
      */
     private $host = null;
 
+    public function __construct(HostComparer $hostComparer)
+    {
+        $this->hostComparer = $hostComparer;
+    }
+
     public function setType(string $type)
     {
         $this->type = $type;
@@ -59,12 +69,7 @@ public function __invoke(callable $handler): callable
                 return $handler($request, $options);
             }
 
-            $requestHost = $request->getHeaderLine('host');
-
-            $hasHostMatch = $requestHost === $this->host
-                && preg_match('/' . preg_quote($this->host, '//') . '$/', $requestHost) > 0;
-
-            if (!$hasHostMatch) {
+            if (!$this->hostComparer->isHostMatch($request->getHeaderLine('host'), $this->host)) {
                 return $handler($request, $options);
             }
 

tests/HostComparerTest.php

@@ -0,0 +1,60 @@
+<?php
+/** @noinspection PhpDocSignatureInspection */
+
+namespace webignition\Guzzle\Middleware\HttpAuthentication\Tests;
+
+use webignition\Guzzle\Middleware\HttpAuthentication\HostComparer;
+
+class HostComparerTest extends \PHPUnit\Framework\TestCase
+{
+    /**
+     * @var HostComparer
+     */
+    private $hostComparer;
+
+    protected function setUp()
+    {
+        parent::setUp();
+
+        $this->hostComparer = new HostComparer();
+    }
+
+    /**
+     * @dataProvider isHostMatchDataProvider
+     */
+    public function testIsHostMatch(string $requestHost, string $authenticationHost, bool $expectedIsHostMatch)
+    {
+        $this->assertEquals($expectedIsHostMatch, $this->hostComparer->isHostMatch($requestHost, $authenticationHost));
+    }
+
+    public function isHostMatchDataProvider(): array
+    {
+        return [
+            'lowercase equality' => [
+                'requestHost' => 'example.com',
+                'authenticationHost' => 'example.com',
+                'expectedIsHostMatch' => true,
+            ],
+            'uppercase equality' => [
+                'requestHost' => 'EXAMPLE.COM',
+                'authenticationHost' => 'EXAMPLE.COM',
+                'expectedIsHostMatch' => true,
+            ],
+            'authentication host is ending substring of request host' => [
+                'requestHost' => 'subdomain.example.com',
+                'authenticationHost' => 'example.com',
+                'expectedIsHostMatch' => true,
+            ],
+            'simple inequality' => [
+                'requestHost' => 'example.com',
+                'authenticationHost' => 'example.org',
+                'expectedIsHostMatch' => false,
+            ],
+            'authentication host is middle substring of request host' => [
+                'requestHost' => 'subdomain.example.com.org',
+                'authenticationHost' => 'example.com',
+                'expectedIsHostMatch' => false,
+            ],
+        ];
+    }
+}

tests/HttpAuthenticationMiddlewareTest.php

@@ -1,4 +1,5 @@
 <?php
+/** @noinspection PhpDocSignatureInspection */
 
 namespace webignition\Guzzle\Middleware\HttpAuthentication\Tests;
 
@@ -7,6 +8,7 @@
 use webignition\Guzzle\Middleware\HttpAuthentication\AuthorizationType;
 use webignition\Guzzle\Middleware\HttpAuthentication\AuthorizationHeader;
 use webignition\Guzzle\Middleware\HttpAuthentication\CredentialsFactory;
+use webignition\Guzzle\Middleware\HttpAuthentication\HostComparer;
 use webignition\Guzzle\Middleware\HttpAuthentication\HttpAuthenticationMiddleware;
 
 class HttpAuthenticationMiddlewareTest extends \PHPUnit\Framework\TestCase
@@ -25,16 +27,11 @@ protected function setUp()
     {
         parent::setUp();
 
-        $this->httpAuthenticationMiddleware = new HttpAuthenticationMiddleware();
+        $this->httpAuthenticationMiddleware = new HttpAuthenticationMiddleware(new HostComparer());
     }
 
     /**
      * @dataProvider invokeAuthorizationNotSetDataProvider
-     *
-     * @param string $requestHost
-     * @param string|null $type
-     * @param string|null $credentials
-     * @param string|null $host
      */
     public function testInvokeAuthorizationNotSet(
         string $requestHost,
@@ -181,13 +178,13 @@ function ($returnedRequest, $returnedOptions) use ($originalRequest, $options) {
     /**
      * @return MockInterface|RequestInterface
      */
-    private function createOriginalRequest(): RequestInterface
+    private function createOriginalRequest(string $host = self::HOST): RequestInterface
     {
         $request = \Mockery::mock(RequestInterface::class);
         $request
             ->shouldReceive('getHeaderLine')
             ->with('host')
-            ->andReturn(self::HOST);
+            ->andReturn($host);
 
         return $request;
     }