misc_pterodactyl-panel/tests/Unit/Http/Middleware/Api/Daemon/DaemonAuthenticateTest.php

<?php

namespace Tests\Unit\Http\Middleware\Api\Daemon;

use Mockery as m;
use Pterodactyl\Models\Node;
use Illuminate\Contracts\Encryption\Encrypter;
use Tests\Unit\Http\Middleware\MiddlewareTestCase;
use Pterodactyl\Repositories\Eloquent\NodeRepository;
use Symfony\Component\HttpKernel\Exception\HttpException;
use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
use Pterodactyl\Http\Middleware\Api\Daemon\DaemonAuthenticate;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

class DaemonAuthenticateTest extends MiddlewareTestCase
{
    /**
     * @var \Mockery\MockInterface
     */
    private $repository;

    /**
     * @var \Mockery\MockInterface
     */
    private $encrypter;

    /**
     * Setup tests.
     */
    public function setUp(): void
    {
        parent::setUp();

        $this->encrypter = m::mock(Encrypter::class);
        $this->repository = m::mock(NodeRepository::class);
    }

    /**
     * Test that if we are accessing the daemon.configuration route this middleware is not
     * applied in order to allow an unauthenticated request to use a token to grab data.
     */
    public function testResponseShouldContinueIfRouteIsExempted()
    {
        $this->request->expects('route->getName')->withNoArgs()->andReturn('daemon.configuration');

        $this->getMiddleware()->handle($this->request, $this->getClosureAssertions());
    }

    /**
     * Test that not passing in the bearer token will result in a HTTP/401 error with the
     * proper response headers.
     */
    public function testResponseShouldFailIfNoTokenIsProvided()
    {
        $this->request->expects('route->getName')->withNoArgs()->andReturn('random.route');
        $this->request->expects('bearerToken')->withNoArgs()->andReturnNull();

        try {
            $this->getMiddleware()->handle($this->request, $this->getClosureAssertions());
        } catch (HttpException $exception) {
            $this->assertEquals(401, $exception->getStatusCode(), 'Assert that a status code of 401 is returned.');
            $this->assertTrue(is_array($exception->getHeaders()), 'Assert that an array of headers is returned.');
            $this->assertArrayHasKey('WWW-Authenticate', $exception->getHeaders(), 'Assert exception headers contains WWW-Authenticate.');
            $this->assertEquals('Bearer', $exception->getHeaders()['WWW-Authenticate']);
        }
    }

    /**
     * Test that passing in an invalid node daemon secret will result in a bad request
     * exception being returned.
     *
     * @param string $token
     * @dataProvider badTokenDataProvider
     */
    public function testResponseShouldFailIfTokenFormatIsIncorrect(string $token)
    {
        $this->expectException(BadRequestHttpException::class);

        $this->request->expects('route->getName')->withNoArgs()->andReturn('random.route');
        $this->request->expects('bearerToken')->withNoArgs()->andReturn($token);

        $this->getMiddleware()->handle($this->request, $this->getClosureAssertions());
    }

    /**
     * Test that an access denied error is returned if the node is valid but the token
     * provided is not valid.
     */
    public function testResponseShouldFailIfTokenIsNotValid()
    {
        $this->expectException(AccessDeniedHttpException::class);

        /** @var \Pterodactyl\Models\Node $model */
        $model = factory(Node::class)->make();

        $this->request->expects('route->getName')->withNoArgs()->andReturn('random.route');
        $this->request->expects('bearerToken')->withNoArgs()->andReturn($model->daemon_token_id . '.random_string_123');

        $this->repository->expects('findFirstWhere')->with(['daemon_token_id' => $model->daemon_token_id])->andReturn($model);
        $this->encrypter->expects('decrypt')->with($model->daemon_token)->andReturns(decrypt($model->daemon_token));

        $this->getMiddleware()->handle($this->request, $this->getClosureAssertions());
    }

    /**
     * Test that an access denied exception is returned if the node is not found using
     * the token ID provided.
     */
    public function testResponseShouldFailIfNodeIsNotFound()
    {
        $this->expectException(AccessDeniedHttpException::class);

        $this->request->expects('route->getName')->withNoArgs()->andReturn('random.route');
        $this->request->expects('bearerToken')->withNoArgs()->andReturn('abcd1234.random_string_123');

        $this->repository->expects('findFirstWhere')->with(['daemon_token_id' => 'abcd1234'])->andThrow(RecordNotFoundException::class);

        $this->getMiddleware()->handle($this->request, $this->getClosureAssertions());
    }

    /**
     * Test a successful middleware process.
     */
    public function testSuccessfulMiddlewareProcess()
    {
        /** @var \Pterodactyl\Models\Node $model */
        $model = factory(Node::class)->make();

        $this->request->expects('route->getName')->withNoArgs()->andReturn('random.route');
        $this->request->expects('bearerToken')->withNoArgs()->andReturn($model->daemon_token_id . '.' . decrypt($model->daemon_token));

        $this->repository->expects('findFirstWhere')->with(['daemon_token_id' => $model->daemon_token_id])->andReturn($model);
        $this->encrypter->expects('decrypt')->with($model->daemon_token)->andReturns(decrypt($model->daemon_token));

        $this->getMiddleware()->handle($this->request, $this->getClosureAssertions());
        $this->assertRequestHasAttribute('node');
        $this->assertRequestAttributeEquals($model, 'node');
    }

    /**
     * Provides different tokens that should trigger a bad request exception due to
     * their formatting.
     *
     * @return array|\string[][]
     */
    public function badTokenDataProvider(): array
    {
        return [
            ['foo'],
            ['foobar'],
            ['foo-bar'],
            ['foo.bar.baz'],
            ['.foo'],
            ['foo.'],
            ['foo..bar'],
        ];
    }

    /**
     * Return an instance of the middleware using mocked dependencies.
     *
     * @return \Pterodactyl\Http\Middleware\Api\Daemon\DaemonAuthenticate
     */
    private function getMiddleware(): DaemonAuthenticate
    {
        return new DaemonAuthenticate($this->encrypter, $this->repository);
    }
}
Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00			`<?php`

Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`namespace Tests\Unit\Http\Middleware\Api\Daemon;`
Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00
			`use Mockery as m;`
			`use Pterodactyl\Models\Node;`
Return Http test cases to a passing state 2020-06-24 04:59:37 +00:00			`use Illuminate\Contracts\Encryption\Encrypter;`
More middleware tests 2017-11-02 01:45:43 +00:00			`use Tests\Unit\Http\Middleware\MiddlewareTestCase;`
Return Http test cases to a passing state 2020-06-24 04:59:37 +00:00			`use Pterodactyl\Repositories\Eloquent\NodeRepository;`
Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00			`use Symfony\Component\HttpKernel\Exception\HttpException;`
			`use Pterodactyl\Exceptions\Repository\RecordNotFoundException;`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`use Pterodactyl\Http\Middleware\Api\Daemon\DaemonAuthenticate;`
Return Http test cases to a passing state 2020-06-24 04:59:37 +00:00			`use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;`
			`use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;`
Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00
More middleware tests 2017-11-02 01:45:43 +00:00			`class DaemonAuthenticateTest extends MiddlewareTestCase`
Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00			`{`
			`/**`
Return Http test cases to a passing state 2020-06-24 04:59:37 +00:00			`* @var \Mockery\MockInterface`
Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00			`*/`
			`private $repository;`

Return Http test cases to a passing state 2020-06-24 04:59:37 +00:00			`/**`
			`* @var \Mockery\MockInterface`
			`*/`
			`private $encrypter;`

Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00			`/**`
			`* Setup tests.`
			`*/`
Fix tests by adding required return type hints 2020-05-09 16:00:52 +00:00			`public function setUp(): void`
Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00			`{`
			`parent::setUp();`

Return Http test cases to a passing state 2020-06-24 04:59:37 +00:00			`$this->encrypter = m::mock(Encrypter::class);`
			`$this->repository = m::mock(NodeRepository::class);`
Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00			`}`

			`/**`
			`* Test that if we are accessing the daemon.configuration route this middleware is not`
			`* applied in order to allow an unauthenticated request to use a token to grab data.`
			`*/`
			`public function testResponseShouldContinueIfRouteIsExempted()`
			`{`
Return Http test cases to a passing state 2020-06-24 04:59:37 +00:00			`$this->request->expects('route->getName')->withNoArgs()->andReturn('daemon.configuration');`
Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00
			`$this->getMiddleware()->handle($this->request, $this->getClosureAssertions());`
			`}`

			`/**`
			`* Test that not passing in the bearer token will result in a HTTP/401 error with the`
			`* proper response headers.`
			`*/`
			`public function testResponseShouldFailIfNoTokenIsProvided()`
			`{`
Return Http test cases to a passing state 2020-06-24 04:59:37 +00:00			`$this->request->expects('route->getName')->withNoArgs()->andReturn('random.route');`
			`$this->request->expects('bearerToken')->withNoArgs()->andReturnNull();`
Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00
			`try {`
			`$this->getMiddleware()->handle($this->request, $this->getClosureAssertions());`
			`} catch (HttpException $exception) {`
			`$this->assertEquals(401, $exception->getStatusCode(), 'Assert that a status code of 401 is returned.');`
			`$this->assertTrue(is_array($exception->getHeaders()), 'Assert that an array of headers is returned.');`
			`$this->assertArrayHasKey('WWW-Authenticate', $exception->getHeaders(), 'Assert exception headers contains WWW-Authenticate.');`
			`$this->assertEquals('Bearer', $exception->getHeaders()['WWW-Authenticate']);`
			`}`
			`}`

			`/**`
Return Http test cases to a passing state 2020-06-24 04:59:37 +00:00			`* Test that passing in an invalid node daemon secret will result in a bad request`
			`* exception being returned.`
Implement fix to allow root admins to view all servers. closes #722 2017-11-05 18:38:39 +00:00			`*`
Return Http test cases to a passing state 2020-06-24 04:59:37 +00:00			`* @param string $token`
			`* @dataProvider badTokenDataProvider`
Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00			`*/`
Return Http test cases to a passing state 2020-06-24 04:59:37 +00:00			`public function testResponseShouldFailIfTokenFormatIsIncorrect(string $token)`
Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00			`{`
Return Http test cases to a passing state 2020-06-24 04:59:37 +00:00			`$this->expectException(BadRequestHttpException::class);`
Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00
Return Http test cases to a passing state 2020-06-24 04:59:37 +00:00			`$this->request->expects('route->getName')->withNoArgs()->andReturn('random.route');`
			`$this->request->expects('bearerToken')->withNoArgs()->andReturn($token);`

			`$this->getMiddleware()->handle($this->request, $this->getClosureAssertions());`
			`}`

			`/**`
			`* Test that an access denied error is returned if the node is valid but the token`
			`* provided is not valid.`
			`*/`
			`public function testResponseShouldFailIfTokenIsNotValid()`
			`{`
			`$this->expectException(AccessDeniedHttpException::class);`

			`/** @var \Pterodactyl\Models\Node $model */`
			`$model = factory(Node::class)->make();`

			`$this->request->expects('route->getName')->withNoArgs()->andReturn('random.route');`
			`$this->request->expects('bearerToken')->withNoArgs()->andReturn($model->daemon_token_id . '.random_string_123');`

			`$this->repository->expects('findFirstWhere')->with(['daemon_token_id' => $model->daemon_token_id])->andReturn($model);`
			`$this->encrypter->expects('decrypt')->with($model->daemon_token)->andReturns(decrypt($model->daemon_token));`

			`$this->getMiddleware()->handle($this->request, $this->getClosureAssertions());`
			`}`

			`/**`
			`* Test that an access denied exception is returned if the node is not found using`
			`* the token ID provided.`
			`*/`
			`public function testResponseShouldFailIfNodeIsNotFound()`
			`{`
			`$this->expectException(AccessDeniedHttpException::class);`

			`$this->request->expects('route->getName')->withNoArgs()->andReturn('random.route');`
			`$this->request->expects('bearerToken')->withNoArgs()->andReturn('abcd1234.random_string_123');`

			`$this->repository->expects('findFirstWhere')->with(['daemon_token_id' => 'abcd1234'])->andThrow(RecordNotFoundException::class);`
Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00
Implement fix to allow root admins to view all servers. closes #722 2017-11-05 18:38:39 +00:00			`$this->getMiddleware()->handle($this->request, $this->getClosureAssertions());`
Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00			`}`

			`/**`
			`* Test a successful middleware process.`
			`*/`
			`public function testSuccessfulMiddlewareProcess()`
			`{`
Return Http test cases to a passing state 2020-06-24 04:59:37 +00:00			`/** @var \Pterodactyl\Models\Node $model */`
Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00			`$model = factory(Node::class)->make();`

Return Http test cases to a passing state 2020-06-24 04:59:37 +00:00			`$this->request->expects('route->getName')->withNoArgs()->andReturn('random.route');`
			`$this->request->expects('bearerToken')->withNoArgs()->andReturn($model->daemon_token_id . '.' . decrypt($model->daemon_token));`
Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00
Return Http test cases to a passing state 2020-06-24 04:59:37 +00:00			`$this->repository->expects('findFirstWhere')->with(['daemon_token_id' => $model->daemon_token_id])->andReturn($model);`
			`$this->encrypter->expects('decrypt')->with($model->daemon_token)->andReturns(decrypt($model->daemon_token));`
Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00
			`$this->getMiddleware()->handle($this->request, $this->getClosureAssertions());`
More middleware tests 2017-11-02 01:45:43 +00:00			`$this->assertRequestHasAttribute('node');`
			`$this->assertRequestAttributeEquals($model, 'node');`
Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00			`}`

Return Http test cases to a passing state 2020-06-24 04:59:37 +00:00			`/**`
			`* Provides different tokens that should trigger a bad request exception due to`
			`* their formatting.`
			`*`
			`* @return array\|\string[][]`
			`*/`
			`public function badTokenDataProvider(): array`
			`{`
			`return [`
			`['foo'],`
			`['foobar'],`
			`['foo-bar'],`
			`['foo.bar.baz'],`
			`['.foo'],`
			`['foo.'],`
			`['foo..bar'],`
			`];`
			`}`

Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00			`/**`
			`* Return an instance of the middleware using mocked dependencies.`
			`*`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`* @return \Pterodactyl\Http\Middleware\Api\Daemon\DaemonAuthenticate`
Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00			`*/`
			`private function getMiddleware(): DaemonAuthenticate`
			`{`
Return Http test cases to a passing state 2020-06-24 04:59:37 +00:00			`return new DaemonAuthenticate($this->encrypter, $this->repository);`
Begin adding unit tests for middleware 2017-10-30 02:40:34 +00:00			`}`
			`}`