misc_pterodactyl-panel/tests/Integration/Api/Client/Server/Schedule/ScheduleAuthorizationTest.php

<?php

namespace Pterodactyl\Tests\Integration\Api\Client\Server\Schedule;

use Pterodactyl\Models\Subuser;
use Pterodactyl\Models\Schedule;
use Pterodactyl\Tests\Integration\Api\Client\ClientApiIntegrationTestCase;

class ScheduleAuthorizationTest extends ClientApiIntegrationTestCase
{
    /**
     * Tests that a subuser with access to two servers cannot improperly access a resource
     * on Server A when providing a URL that points to Server B. This prevents a regression
     * in the code where controllers didn't properly validate that a resource was assigned
     * to the server that was also present in the URL.
     *
     * The comments within the test code itself are better at explaining exactly what is
     * being tested and protected against.
     *
     * @dataProvider methodDataProvider
     */
    public function testAccessToAServersSchedulesIsRestrictedProperly(string $method, string $endpoint)
    {
        // The API $user is the owner of $server1.
        [$user, $server1] = $this->generateTestAccount();
        // Will be a subuser of $server2.
        $server2 = $this->createServerModel();
        // And as no access to $server3.
        $server3 = $this->createServerModel();

        // Set the API $user as a subuser of server 2, but with no permissions
        // to do anything with the schedules for that server.
        Subuser::factory()->create(['server_id' => $server2->id, 'user_id' => $user->id]);

        $schedule1 = Schedule::factory()->create(['server_id' => $server1->id]);
        $schedule2 = Schedule::factory()->create(['server_id' => $server2->id]);
        $schedule3 = Schedule::factory()->create(['server_id' => $server3->id]);

        // This is the only valid call for this test, accessing the schedule for the same
        // server that the API user is the owner of.
        $response = $this->actingAs($user)->json($method, $this->link($server1, '/schedules/' . $schedule1->id . $endpoint));
        $this->assertTrue($response->status() <= 204 || $response->status() === 400 || $response->status() === 422);

        // This request fails because the schedule is valid for that server but the user
        // making the request is not authorized to perform that action.
        $this->actingAs($user)->json($method, $this->link($server2, '/schedules/' . $schedule2->id . $endpoint))->assertForbidden();

        // Both of these should report a 404 error due to the schedules being linked to
        // servers that are not the same as the server in the request, or are assigned
        // to a server for which the user making the request has no access to.
        $this->actingAs($user)->json($method, $this->link($server1, '/schedules/' . $schedule2->id . $endpoint))->assertNotFound();
        $this->actingAs($user)->json($method, $this->link($server1, '/schedules/' . $schedule3->id . $endpoint))->assertNotFound();
        $this->actingAs($user)->json($method, $this->link($server2, '/schedules/' . $schedule3->id . $endpoint))->assertNotFound();
        $this->actingAs($user)->json($method, $this->link($server3, '/schedules/' . $schedule3->id . $endpoint))->assertNotFound();
    }

    /**
     * @return \string[][]
     */
    public function methodDataProvider(): array
    {
        return [
            ['GET', ''],
            ['POST', ''],
            ['DELETE', ''],
            ['POST', '/execute'],
            ['POST', '/tasks'],
        ];
    }
}
Add test coverage to cehck the authorization state of client resources 2021-01-20 05:20:55 +00:00			`<?php`

			`namespace Pterodactyl\Tests\Integration\Api\Client\Server\Schedule;`

			`use Pterodactyl\Models\Subuser;`
			`use Pterodactyl\Models\Schedule;`
			`use Pterodactyl\Tests\Integration\Api\Client\ClientApiIntegrationTestCase;`

			`class ScheduleAuthorizationTest extends ClientApiIntegrationTestCase`
			`{`
			`/**`
			`* Tests that a subuser with access to two servers cannot improperly access a resource`
			`* on Server A when providing a URL that points to Server B. This prevents a regression`
			`* in the code where controllers didn't properly validate that a resource was assigned`
			`* to the server that was also present in the URL.`
			`*`
			`* The comments within the test code itself are better at explaining exactly what is`
			`* being tested and protected against.`
			`*`
			`* @dataProvider methodDataProvider`
			`*/`
			`public function testAccessToAServersSchedulesIsRestrictedProperly(string $method, string $endpoint)`
			`{`
			`// The API $user is the owner of $server1.`
			`[$user, $server1] = $this->generateTestAccount();`
			`// Will be a subuser of $server2.`
			`$server2 = $this->createServerModel();`
			`// And as no access to $server3.`
			`$server3 = $this->createServerModel();`

			`// Set the API $user as a subuser of server 2, but with no permissions`
			`// to do anything with the schedules for that server.`
Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 20:09:16 +00:00			`Subuser::factory()->create(['server_id' => $server2->id, 'user_id' => $user->id]);`
Add test coverage to cehck the authorization state of client resources 2021-01-20 05:20:55 +00:00
Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 20:09:16 +00:00			`$schedule1 = Schedule::factory()->create(['server_id' => $server1->id]);`
			`$schedule2 = Schedule::factory()->create(['server_id' => $server2->id]);`
			`$schedule3 = Schedule::factory()->create(['server_id' => $server3->id]);`
Add test coverage to cehck the authorization state of client resources 2021-01-20 05:20:55 +00:00
			`// This is the only valid call for this test, accessing the schedule for the same`
			`// server that the API user is the owner of.`
Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 20:09:16 +00:00			`$response = $this->actingAs($user)->json($method, $this->link($server1, '/schedules/' . $schedule1->id . $endpoint));`
Add test coverage to cehck the authorization state of client resources 2021-01-20 05:20:55 +00:00			`$this->assertTrue($response->status() <= 204 \|\| $response->status() === 400 \|\| $response->status() === 422);`

			`// This request fails because the schedule is valid for that server but the user`
			`// making the request is not authorized to perform that action.`
Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 20:09:16 +00:00			`$this->actingAs($user)->json($method, $this->link($server2, '/schedules/' . $schedule2->id . $endpoint))->assertForbidden();`
Add test coverage to cehck the authorization state of client resources 2021-01-20 05:20:55 +00:00
			`// Both of these should report a 404 error due to the schedules being linked to`
			`// servers that are not the same as the server in the request, or are assigned`
			`// to a server for which the user making the request has no access to.`
Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 20:09:16 +00:00			`$this->actingAs($user)->json($method, $this->link($server1, '/schedules/' . $schedule2->id . $endpoint))->assertNotFound();`
			`$this->actingAs($user)->json($method, $this->link($server1, '/schedules/' . $schedule3->id . $endpoint))->assertNotFound();`
			`$this->actingAs($user)->json($method, $this->link($server2, '/schedules/' . $schedule3->id . $endpoint))->assertNotFound();`
			`$this->actingAs($user)->json($method, $this->link($server3, '/schedules/' . $schedule3->id . $endpoint))->assertNotFound();`
Add test coverage to cehck the authorization state of client resources 2021-01-20 05:20:55 +00:00			`}`

			`/**`
			`* @return \string[][]`
			`*/`
			`public function methodDataProvider(): array`
			`{`
			`return [`
Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 20:09:16 +00:00			`['GET', ''],`
			`['POST', ''],`
			`['DELETE', ''],`
			`['POST', '/execute'],`
			`['POST', '/tasks'],`
Add test coverage to cehck the authorization state of client resources 2021-01-20 05:20:55 +00:00			`];`
			`}`
			`}`