2021-01-20 05:20:55 +00:00
|
|
|
<?php
|
|
|
|
|
|
|
|
namespace Pterodactyl\Tests\Integration\Api\Client\Server\Backup;
|
|
|
|
|
|
|
|
use Carbon\CarbonImmutable;
|
|
|
|
use Pterodactyl\Models\Backup;
|
|
|
|
use Pterodactyl\Models\Subuser;
|
|
|
|
use Pterodactyl\Services\Backups\DeleteBackupService;
|
|
|
|
use Pterodactyl\Tests\Integration\Api\Client\ClientApiIntegrationTestCase;
|
|
|
|
|
|
|
|
class BackupAuthorizationTest extends ClientApiIntegrationTestCase
|
|
|
|
{
|
|
|
|
/**
|
|
|
|
* @dataProvider methodDataProvider
|
|
|
|
*/
|
|
|
|
public function testAccessToAServersBackupIsRestrictedProperly(string $method, string $endpoint)
|
|
|
|
{
|
|
|
|
// The API $user is the owner of $server1.
|
|
|
|
[$user, $server1] = $this->generateTestAccount();
|
|
|
|
// Will be a subuser of $server2.
|
|
|
|
$server2 = $this->createServerModel();
|
|
|
|
// And as no access to $server3.
|
|
|
|
$server3 = $this->createServerModel();
|
|
|
|
|
|
|
|
// Set the API $user as a subuser of server 2, but with no permissions
|
|
|
|
// to do anything with the backups for that server.
|
2021-01-23 20:09:16 +00:00
|
|
|
Subuser::factory()->create(['server_id' => $server2->id, 'user_id' => $user->id]);
|
2021-01-20 05:20:55 +00:00
|
|
|
|
2021-01-23 20:09:16 +00:00
|
|
|
$backup1 = Backup::factory()->create(['server_id' => $server1->id, 'completed_at' => CarbonImmutable::now()]);
|
|
|
|
$backup2 = Backup::factory()->create(['server_id' => $server2->id, 'completed_at' => CarbonImmutable::now()]);
|
|
|
|
$backup3 = Backup::factory()->create(['server_id' => $server3->id, 'completed_at' => CarbonImmutable::now()]);
|
2021-01-20 05:20:55 +00:00
|
|
|
|
2022-11-29 17:53:59 +00:00
|
|
|
$this->instance(DeleteBackupService::class, $mock = \Mockery::mock(DeleteBackupService::class));
|
2021-01-20 05:20:55 +00:00
|
|
|
|
|
|
|
if ($method === 'DELETE') {
|
|
|
|
$mock->expects('handle')->andReturnUndefined();
|
|
|
|
}
|
|
|
|
|
|
|
|
// This is the only valid call for this test, accessing the backup for the same
|
|
|
|
// server that the API user is the owner of.
|
2021-01-23 20:09:16 +00:00
|
|
|
$this->actingAs($user)->json($method, $this->link($server1, '/backups/' . $backup1->uuid . $endpoint))
|
2021-01-20 05:20:55 +00:00
|
|
|
->assertStatus($method === 'DELETE' ? 204 : 200);
|
|
|
|
|
|
|
|
// This request fails because the backup is valid for that server but the user
|
|
|
|
// making the request is not authorized to perform that action.
|
2021-01-23 20:09:16 +00:00
|
|
|
$this->actingAs($user)->json($method, $this->link($server2, '/backups/' . $backup2->uuid . $endpoint))->assertForbidden();
|
2021-01-20 05:20:55 +00:00
|
|
|
|
|
|
|
// Both of these should report a 404 error due to the backup being linked to
|
|
|
|
// servers that are not the same as the server in the request, or are assigned
|
|
|
|
// to a server for which the user making the request has no access to.
|
2021-01-23 20:09:16 +00:00
|
|
|
$this->actingAs($user)->json($method, $this->link($server1, '/backups/' . $backup2->uuid . $endpoint))->assertNotFound();
|
|
|
|
$this->actingAs($user)->json($method, $this->link($server1, '/backups/' . $backup3->uuid . $endpoint))->assertNotFound();
|
|
|
|
$this->actingAs($user)->json($method, $this->link($server2, '/backups/' . $backup3->uuid . $endpoint))->assertNotFound();
|
|
|
|
$this->actingAs($user)->json($method, $this->link($server3, '/backups/' . $backup3->uuid . $endpoint))->assertNotFound();
|
2021-01-20 05:20:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
public function methodDataProvider(): array
|
|
|
|
{
|
|
|
|
return [
|
2021-01-23 20:09:16 +00:00
|
|
|
['GET', ''],
|
|
|
|
['GET', '/download'],
|
|
|
|
['DELETE', ''],
|
2021-01-20 05:20:55 +00:00
|
|
|
];
|
|
|
|
}
|
|
|
|
}
|