From 8ef90ba8f8431f83e3ca4ac0d19eb77e7dd68585 Mon Sep 17 00:00:00 2001
From: Brian Retterer
Date: Mon, 6 Feb 2017 15:54:50 -0500
Subject: [PATCH] Fixes #198 Base URL Pinning. You must make requests with the PHP SDK to only the URL specified as the Base URL
---
 src/DataStore/DefaultDataStore.php | 12 +++++
 tests/DataStore/DataStoreTest.php | 72 ++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+)
 create mode 100644 tests/DataStore/DataStoreTest.php
diff --git a/src/DataStore/DefaultDataStore.php b/src/DataStore/DefaultDataStore.php
index 7cf98f7..22042a4 100644
--- a/src/DataStore/DefaultDataStore.php
+++ b/src/DataStore/DefaultDataStore.php
@@ -291,10 +291,22 @@ protected function qualify($href)
 private function executeRequest($httpMethod, $href, $body = '', array $query = array())
 {
+ if ($href == null) { throw new \InvalidArgumentException("Cannot execute request against empty URL"); }
+ // Base URL Pinning - issue #198
+ $urlParts = parse_url($href);
+ $baseUrlParts = parse_url($this->baseUrl);
+
+ if(array_key_exists('host', $urlParts) && array_key_exists('host', $baseUrlParts)) {
+ if ($urlParts['host'] !== $baseUrlParts['host']) {
+ throw new \InvalidArgumentException("The HREF you are trying to access is not valid. The HREF must be + the base url set when instantiating the Stormpath Client.");
+ }
+ }
+
+ $headers = [];
+ $headers['Accept'] = 'application/json';
diff --git a/tests/DataStore/DataStoreTest.php b/tests/DataStore/DataStoreTest.php
new file mode 100644
index 0000000..86952bf
--- /dev/null
+++ b/tests/DataStore/DataStoreTest.php
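Review bot: The pin compares only the `host` component, so an href with the same host but a different scheme or port (plain `http://` to the pinned `https://` host, or a non-default port) passes the check and the request, with whatever authentication headers this data store attaches, is sent there; the whole origin should be required, with the hosts compared case-insensitively since DNS names are. `parse_url()` also returns `false` for a badly malformed href, and `array_key_exists('host', false)` then only warns and returns null on PHP 7 (a TypeError on PHP 8), so such an href skips the pin entirely and reaches the HTTP client; reject it explicitly. Comparing ports without normalising the defaults treats `https://host:443/` and `https://host/` as different origins, which is the conservative direction and can be relaxed later if it proves inconvenient. The `??` operator needs PHP 7; if the SDK still targets PHP 5.x, use `isset()` ternaries instead. The body of executeRequest continues past the end of the hunk.
```php
        // Base URL Pinning - issue #198
        $urlParts = parse_url($href);
        $baseUrlParts = parse_url($this->baseUrl);

        if ($urlParts === false || $baseUrlParts === false) {
            throw new \InvalidArgumentException("Cannot execute request against a malformed URL");
        }

        if (array_key_exists('host', $urlParts) && array_key_exists('host', $baseUrlParts)) {
            // Pin the whole origin, not just the host: a different scheme or port would
            // otherwise pass. Host names are case-insensitive, so normalise before comparing.
            $sameOrigin = strtolower($urlParts['host']) === strtolower($baseUrlParts['host'])
                && ($urlParts['scheme'] ?? null) === ($baseUrlParts['scheme'] ?? null)
                && ($urlParts['port'] ?? null) === ($baseUrlParts['port'] ?? null);

            if (!$sameOrigin) {
                throw new \InvalidArgumentException("The HREF you are trying to access is not valid. The HREF must be the base url set when instantiating the Stormpath Client.");
            }
        }

        // … unchanged: header construction and request execution …
```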
@@ -0,0 +1,72 @@
+ makeUniqueName('ApplicationTest'), 'description' => 'Description of Main App', 'status' => 'enabled'));
+ self::createResource(\Stormpath\Resource\Application::PATH, self::$application, array('createDirectory' => true));
+ self::$inited = true;
+ }
+
+ public function setUp()
+ {
+ if (!self::$inited)
+ {
+ self::init();
+ }
+ }
+
+ public static function tearDownAfterClass()
+ {
+ if (self::$application && self::$application->href)
+ {
+ self::$application->delete();
+ }
+
+ parent::tearDownAfterClass();
+ }
+
+
+ /**
+ * @test
+ * @expectedException \InvalidArgumentException
+ */
+ public function can_not_make_request_to_a_url_other_than_clients_base_url()
+ {
+ $application = \Stormpath\Resource\Application::get('http://test.tld/applications/123');
+ }
+
+ /** @test */
+ public function can_make_request_to_url_that_is_base_url()
+ {
+ $application = \Stormpath\Resource\Application::get(self::$application->href);
+ $this->assertInstanceOf(\Stormpath\Resource\Application::class, $application);
+ }
+
+
+
+
+}
\ No newline at end of file
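Review bot: The negative test only exercises an href whose host differs entirely from the base URL (`http://test.tld/applications/123`), so it would still pass if the pin were weakened to a prefix or substring match, and it says nothing about the cases a host-only comparison lets through, namely the same host over a different scheme or port. Add `@expectedException \InvalidArgumentException` cases built from `self::$application->href` (presumably an absolute URL on the base host) with the scheme swapped to `http://` and with an explicit non-default port, plus a host that merely contains the base host such as `<base-host>.example.test` (placeholder); the scheme and port cases fail against the current check and so pin down the stricter behaviour. The start of this file, including the class declaration and the `init()` that populates `self::$application`, is not legible in this hunk. In `can_not_make_request_to_a_url_other_than_clients_base_url` the `$application` variable is assigned but never read; dropping the assignment makes it clear that the call itself is expected to throw.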