banquise/pelican-panel-mirror
3
0
Fork 1
mirror of https://github.com/pelican-dev/panel.git synced 2025-05-20 00:34:44 +02:00
Code Issues Packages Projects Releases Wiki Activity
pelican-panel-mirror/tests/Integration/Api/Remote/SftpAuthenticationControllerTest.php
Boy132 fc643f57f9
Admin Roles (#502) 
* add spatie/permissions

* add policies

* add role resource

* add root admin role handling

* replace some "root_admin" with function

* add model specific permissions

* make permission selection nicer

* fix user creation

* fix tests

* add back subuser checks in server policy

* add custom model for role

* assign new users to role if root_admin is set

* add api for roles

* fix phpstan

* add permissions for settings page

* remove "restore" and "forceDelete" permissions

* add user count to list

* prevent deletion if role has users

* update user list

* fix server policy

* remove old `root_admin` column

* small refactor

* fix tests

* forgot can checks here

* forgot use

* disable editing own roles & disable assigning root admin

* don't allow to rename root admin role

* remove php bombing exception handler

* fix role assignment when creating a user

* fix disableOptionWhen

* fix missing `root_admin` attribute on react frontend

* add permission check for bulk delete

* rename viewAny to viewList

* improve canAccessPanel check

* fix admin not displaying for non-root admins

* make sure non root admins can't edit root admins

* fix import

* fix settings page permission check

* fix server permissions for non-subusers

* fix settings page permission check v2

* small cleanup

* cleanup config file

* move consts from resouce into enum & model

* Update database/migrations/2024_08_01_114538_remove_root_admin_column.php

Co-authored-by: Lance Pioch <lancepioch@gmail.com>

* fix config

* fix phpstan

* fix phpstan 2.0

---------

Co-authored-by: Lance Pioch <lancepioch@gmail.com>
2024-09-21 12:27:41 +02:00

236 lines
7.3 KiB
PHP
Raw Blame History

<?php
namespace App\Tests\Integration\Api\Remote;
use App\Enums\ServerState;
use App\Models\Node;
use App\Models\User;
use App\Models\Server;
use App\Models\Permission;
use App\Models\Role;
use App\Models\UserSSHKey;
use App\Tests\Integration\IntegrationTestCase;
class SftpAuthenticationControllerTest extends IntegrationTestCase
{
protected User $user;
protected Server $server;
/**
* Sets up the tests.
*/
protected function setUp(): void
{
parent::setUp();
[$user, $server] = $this->generateTestAccount();
$user->update(['password' => password_hash('foobar', PASSWORD_DEFAULT)]);
$this->user = $user;
$this->server = $server;
$this->setAuthorization();
}
/**
* Test that a public key is validated correctly.
*/
public function testPublicKeyIsValidatedCorrectly(): void
{
$key = UserSSHKey::factory()->for($this->user)->create();
$this->postJson('/api/remote/sftp/auth', [])
->assertUnprocessable()
->assertJsonPath('errors.0.meta.source_field', 'username')
->assertJsonPath('errors.0.meta.rule', 'required')
->assertJsonPath('errors.1.meta.source_field', 'password')
->assertJsonPath('errors.1.meta.rule', 'required');
$data = [
'type' => 'public_key',
'username' => $this->getUsername(),
'password' => $key->public_key,
];
$this->postJson('/api/remote/sftp/auth', $data)
->assertOk()
->assertJsonPath('server', $this->server->uuid)
->assertJsonPath('permissions', ['*']);
$key->delete();
$this->postJson('/api/remote/sftp/auth', $data)->assertForbidden();
$this->postJson('/api/remote/sftp/auth', array_merge($data, ['type' => null]))->assertForbidden();
}
/**
* Test that an account password is validated correctly.
*/
public function testPasswordIsValidatedCorrectly(): void
{
$this->postJson('/api/remote/sftp/auth', [
'username' => $this->getUsername(),
'password' => '',
])
->assertUnprocessable()
->assertJsonPath('errors.0.meta.source_field', 'password')
->assertJsonPath('errors.0.meta.rule', 'required');
$this->postJson('/api/remote/sftp/auth', [
'username' => $this->getUsername(),
'password' => 'wrong password',
])
->assertForbidden();
$this->user->update(['password' => password_hash('foobar', PASSWORD_DEFAULT)]);
$this->postJson('/api/remote/sftp/auth', [
'username' => $this->getUsername(),
'password' => 'foobar',
])
->assertOk();
}
/**
* Test that providing an invalid key and/or invalid username triggers the throttle on
* the endpoint.
*
* @dataProvider authorizationTypeDataProvider
*/
public function testUserIsThrottledIfInvalidCredentialsAreProvided(): void
{
for ($i = 0; $i <= 10; $i++) {
$this->postJson('/api/remote/sftp/auth', [
'type' => 'public_key',
'username' => $i % 2 === 0 ? $this->user->username : $this->getUsername(),
'password' => 'invalid key',
])
->assertStatus($i === 10 ? 429 : 403);
}
}
/**
* Test that a request is rejected if the credentials are valid but the username indicates
* a server on a different node.
*
* @dataProvider authorizationTypeDataProvider
*/
public function testRequestIsRejectedIfServerBelongsToDifferentNode(string $type): void
{
$node2 = $this->createServerModel()->node;
$this->setAuthorization($node2);
$password = $type === 'public_key'
? UserSSHKey::factory()->for($this->user)->create()->public_key
: 'foobar';
$this->postJson('/api/remote/sftp/auth', [
'type' => 'public_key',
'username' => $this->getUsername(),
'password' => $password,
])
->assertForbidden();
}
public function testRequestIsDeniedIfUserLacksSftpPermission(): void
{
[$user, $server] = $this->generateTestAccount([Permission::ACTION_FILE_READ]);
$user->update(['password' => password_hash('foobar', PASSWORD_DEFAULT)]);
$this->setAuthorization($server->node);
$this->postJson('/api/remote/sftp/auth', [
'username' => $user->username . '.' . $server->uuid_short,
'password' => 'foobar',
])
->assertForbidden()
->assertJsonPath('errors.0.detail', 'You do not have permission to access SFTP for this server.');
}
/**
* @dataProvider serverStateDataProvider
*/
public function testInvalidServerStateReturnsConflictError(string $status): void
{
$this->server->update(['status' => $status]);
$this->postJson('/api/remote/sftp/auth', ['username' => $this->getUsername(), 'password' => 'foobar'])
->assertStatus(409);
}
/**
* Test that permissions are returned for the user account correctly.
*/
public function testUserPermissionsAreReturnedCorrectly(): void
{
[$user, $server] = $this->generateTestAccount([Permission::ACTION_FILE_READ, Permission::ACTION_FILE_SFTP]);
$user->update(['password' => password_hash('foobar', PASSWORD_DEFAULT)]);
$this->setAuthorization($server->node);
$data = [
'username' => $user->username . '.' . $server->uuid_short,
'password' => 'foobar',
];
$this->postJson('/api/remote/sftp/auth', $data)
->assertOk()
->assertJsonPath('permissions', [Permission::ACTION_FILE_READ, Permission::ACTION_FILE_SFTP]);
$user->syncRoles(Role::getRootAdmin());
$this->postJson('/api/remote/sftp/auth', $data)
->assertOk()
->assertJsonPath('permissions.0', '*');
$this->setAuthorization();
$data['username'] = $user->username . '.' . $this->server->uuid_short;
$this->post('/api/remote/sftp/auth', $data)
->assertOk()
->assertJsonPath('permissions.0', '*');
$user->syncRoles();
$this->post('/api/remote/sftp/auth', $data)->assertForbidden();
}
public static function authorizationTypeDataProvider(): array
{
return [
'password auth' => ['password'],
'public key auth' => ['public_key'],
];
}
public static function serverStateDataProvider(): array
{
return [
'installing' => [ServerState::Installing->value],
'suspended' => [ServerState::Suspended->value],
'restoring a backup' => [ServerState::RestoringBackup->value],
];
}
/**
* Returns the username for connecting to SFTP.
*/
protected function getUsername(bool $long = false): string
{
return $this->user->username . '.' . ($long ? $this->server->uuid : $this->server->uuid_short);
}
/**
* Sets the authorization header for the rest of the test.
*/
protected function setAuthorization(Node $node = null): void
{
$node = $node ?? $this->server->node;
$this->withHeader('Authorization', 'Bearer ' . $node->daemon_token_id . '.' . $node->daemon_token);
}
}
Reference in New Issue View Git Blame Copy Permalink