73 lines
3.4 KiB
PHP
73 lines
3.4 KiB
PHP
|
<?php
|
||
|
|
|
||
|
|
namespace Pterodactyl\Tests\Integration\Api\Client\Server\Schedule;
|
||
|
|
|
||
|
|
use Pterodactyl\Models\Subuser;
|
||
|
|
use Pterodactyl\Models\Schedule;
|
||
|
|
use Pterodactyl\Tests\Integration\Api\Client\ClientApiIntegrationTestCase;
|
||
|
|
|
||
|
|
class ScheduleAuthorizationTest extends ClientApiIntegrationTestCase
|
||
|
|
{
|
||
|
|
/**
|
||
|
|
* Tests that a subuser with access to two servers cannot improperly access a resource
|
||
|
|
* on Server A when providing a URL that points to Server B. This prevents a regression
|
||
|
|
* in the code where controllers didn't properly validate that a resource was assigned
|
||
|
|
* to the server that was also present in the URL.
|
||
|
|
*
|
||
|
|
* The comments within the test code itself are better at explaining exactly what is
|
||
|
|
* being tested and protected against.
|
||
|
|
*
|
||
|
|
* @param string $method
|
||
|
|
* @param string $endpoint
|
||
|
|
* @dataProvider methodDataProvider
|
||
|
|
*/
|
||
|
|
public function testAccessToAServersSchedulesIsRestrictedProperly(string $method, string $endpoint)
|
||
|
|
{
|
||
|
|
// The API $user is the owner of $server1.
|
||
|
|
[$user, $server1] = $this->generateTestAccount();
|
||
|
|
// Will be a subuser of $server2.
|
||
|
|
$server2 = $this->createServerModel();
|
||
|
|
// And as no access to $server3.
|
||
|
|
$server3 = $this->createServerModel();
|
||
|
|
|
||
|
|
// Set the API $user as a subuser of server 2, but with no permissions
|
||
|
|
// to do anything with the schedules for that server.
|
||
|
|
factory(Subuser::class)->create(['server_id' => $server2->id, 'user_id' => $user->id]);
|
||
|
|
|
||
|
|
$schedule1 = factory(Schedule::class)->create(['server_id' => $server1->id]);
|
||
|
|
$schedule2 = factory(Schedule::class)->create(['server_id' => $server2->id]);
|
||
|
|
$schedule3 = factory(Schedule::class)->create(['server_id' => $server3->id]);
|
||
|
|
|
||
|
|
// This is the only valid call for this test, accessing the schedule for the same
|
||
|
|
// server that the API user is the owner of.
|
||
|
|
$response = $this->actingAs($user)->json($method, $this->link($server1, "/schedules/" . $schedule1->id . $endpoint));
|
||
|
|
$this->assertTrue($response->status() <= 204 || $response->status() === 400 || $response->status() === 422);
|
||
|
|
|
||
|
|
// This request fails because the schedule is valid for that server but the user
|
||
|
|
// making the request is not authorized to perform that action.
|
||
|
|
$this->actingAs($user)->json($method, $this->link($server2, "/schedules/" . $schedule2->id . $endpoint))->assertForbidden();
|
||
|
|
|
||
|
|
// Both of these should report a 404 error due to the schedules being linked to
|
||
|
|
// servers that are not the same as the server in the request, or are assigned
|
||
|
|
// to a server for which the user making the request has no access to.
|
||
|
|
$this->actingAs($user)->json($method, $this->link($server1, "/schedules/" . $schedule2->id . $endpoint))->assertNotFound();
|
||
|
|
$this->actingAs($user)->json($method, $this->link($server1, "/schedules/" . $schedule3->id . $endpoint))->assertNotFound();
|
||
|
|
$this->actingAs($user)->json($method, $this->link($server2, "/schedules/" . $schedule3->id . $endpoint))->assertNotFound();
|
||
|
|
$this->actingAs($user)->json($method, $this->link($server3, "/schedules/" . $schedule3->id . $endpoint))->assertNotFound();
|
||
|
|
}
|
||
|
|
|
||
|
|
/**
|
||
|
|
* @return \string[][]
|
||
|
|
*/
|
||
|
|
public function methodDataProvider(): array
|
||
|
|
{
|
||
|
|
return [
|
||
|
|
["GET", ""],
|
||
|
|
["POST", ""],
|
||
|
|
["DELETE", ""],
|
||
|
|
["POST", "/execute"],
|
||
|
|
["POST", "/tasks"],
|
||
|
|
];
|
||
|
|
}
|
||
|
|
}
|