misc_pterodactyl-panel/tests/Unit/Http/Middleware/API/AuthenticateKeyTest.php

<?php

namespace Tests\Unit\Http\Middleware\API;

use Mockery as m;
use Cake\Chronos\Chronos;
use Pterodactyl\Models\User;
use Pterodactyl\Models\ApiKey;
use Illuminate\Auth\AuthManager;
use Illuminate\Contracts\Encryption\Encrypter;
use Tests\Unit\Http\Middleware\MiddlewareTestCase;
use Pterodactyl\Http\Middleware\Api\AuthenticateKey;
use Symfony\Component\HttpKernel\Exception\HttpException;
use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
use Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface;

class AuthenticateKeyTest extends MiddlewareTestCase
{
    /**
     * @var \Illuminate\Auth\AuthManager|\Mockery\Mock
     */
    private $auth;

    /**
     * @var \Illuminate\Contracts\Encryption\Encrypter|\Mockery\Mock
     */
    private $encrypter;

    /**
     * @var \Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface|\Mockery\Mock
     */
    private $repository;

    /**
     * Setup tests.
     */
    public function setUp(): void
    {
        parent::setUp();
        Chronos::setTestNow(Chronos::now());

        $this->auth = m::mock(AuthManager::class);
        $this->encrypter = m::mock(Encrypter::class);
        $this->repository = m::mock(ApiKeyRepositoryInterface::class);
    }

    /**
     * Test that a missing bearer token will throw an exception.
     */
    public function testMissingBearerTokenThrowsException()
    {
        $this->request->shouldReceive('user')->andReturnNull();
        $this->request->shouldReceive('bearerToken')->withNoArgs()->once()->andReturnNull();

        try {
            $this->getMiddleware()->handle($this->request, $this->getClosureAssertions(), ApiKey::TYPE_APPLICATION);
        } catch (HttpException $exception) {
            $this->assertEquals(401, $exception->getStatusCode());
            $this->assertEquals(['WWW-Authenticate' => 'Bearer'], $exception->getHeaders());
        }
    }

    /**
     * Test that an invalid API identifier throws an exception.
     *
     * @expectedException \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
     */
    public function testInvalidIdentifier()
    {
        $this->request->shouldReceive('bearerToken')->withNoArgs()->twice()->andReturn('abcd1234');
        $this->repository->shouldReceive('findFirstWhere')->andThrow(new RecordNotFoundException);

        $this->getMiddleware()->handle($this->request, $this->getClosureAssertions(), ApiKey::TYPE_APPLICATION);
    }

    /**
     * Test that a valid token can continue past the middleware.
     */
    public function testValidToken()
    {
        $model = factory(ApiKey::class)->make();

        $this->request->shouldReceive('bearerToken')->withNoArgs()->twice()->andReturn($model->identifier . 'decrypted');
        $this->repository->shouldReceive('findFirstWhere')->with([
            ['identifier', '=', $model->identifier],
            ['key_type', '=', ApiKey::TYPE_APPLICATION],
        ])->once()->andReturn($model);
        $this->encrypter->shouldReceive('decrypt')->with($model->token)->once()->andReturn('decrypted');
        $this->auth->shouldReceive('guard->loginUsingId')->with($model->user_id)->once()->andReturnNull();

        $this->repository->shouldReceive('withoutFreshModel->update')->with($model->id, [
            'last_used_at' => Chronos::now(),
        ])->once()->andReturnNull();

        $this->getMiddleware()->handle($this->request, $this->getClosureAssertions(), ApiKey::TYPE_APPLICATION);
        $this->assertEquals($model, $this->request->attributes->get('api_key'));
    }

    /**
     * Test that a valid token can continue past the middleware when set as a user token.
     */
    public function testValidTokenWithUserKey()
    {
        $model = factory(ApiKey::class)->make();

        $this->request->shouldReceive('bearerToken')->withNoArgs()->twice()->andReturn($model->identifier . 'decrypted');
        $this->repository->shouldReceive('findFirstWhere')->with([
            ['identifier', '=', $model->identifier],
            ['key_type', '=', ApiKey::TYPE_ACCOUNT],
        ])->once()->andReturn($model);
        $this->encrypter->shouldReceive('decrypt')->with($model->token)->once()->andReturn('decrypted');
        $this->auth->shouldReceive('guard->loginUsingId')->with($model->user_id)->once()->andReturnNull();

        $this->repository->shouldReceive('withoutFreshModel->update')->with($model->id, [
            'last_used_at' => Chronos::now(),
        ])->once()->andReturnNull();

        $this->getMiddleware()->handle($this->request, $this->getClosureAssertions(), ApiKey::TYPE_ACCOUNT);
        $this->assertEquals($model, $this->request->attributes->get('api_key'));
    }

    /**
     * Test that we can still make it though this middleware if the user is logged in and passing
     * through a cookie.
     */
    public function testAccessWithoutToken()
    {
        $user = factory(User::class)->make(['id' => 123]);

        $this->request->shouldReceive('user')->andReturn($user);
        $this->request->shouldReceive('bearerToken')->withNoArgs()->twice()->andReturnNull();

        $this->getMiddleware()->handle($this->request, $this->getClosureAssertions(), ApiKey::TYPE_ACCOUNT);
        $model = $this->request->attributes->get('api_key');

        $this->assertSame(ApiKey::TYPE_ACCOUNT, $model->key_type);
        $this->assertSame(123, $model->user_id);
        $this->assertNull($model->identifier);
    }

    /**
     * Test that a valid token identifier with an invalid token attached to it
     * triggers an exception.
     *
     * @expectedException \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
     */
    public function testInvalidTokenForIdentifier()
    {
        $model = factory(ApiKey::class)->make();

        $this->request->shouldReceive('bearerToken')->withNoArgs()->twice()->andReturn($model->identifier . 'asdf');
        $this->repository->shouldReceive('findFirstWhere')->with([
            ['identifier', '=', $model->identifier],
            ['key_type', '=', ApiKey::TYPE_APPLICATION],
        ])->once()->andReturn($model);
        $this->encrypter->shouldReceive('decrypt')->with($model->token)->once()->andReturn('decrypted');

        $this->getMiddleware()->handle($this->request, $this->getClosureAssertions(), ApiKey::TYPE_APPLICATION);
    }

    /**
     * Return an instance of the middleware with mocked dependencies for testing.
     *
     * @return \Pterodactyl\Http\Middleware\Api\AuthenticateKey
     */
    private function getMiddleware(): AuthenticateKey
    {
        return new AuthenticateKey($this->repository, $this->auth, $this->encrypter);
    }
}
Pop some tests for new middleware in there. 2017-11-19 20:34:55 +00:00			`<?php`

Fix some broken tests 2018-02-25 21:34:01 +00:00			`namespace Tests\Unit\Http\Middleware\API;`
Pop some tests for new middleware in there. 2017-11-19 20:34:55 +00:00
			`use Mockery as m;`
Update interface to begin change to seperate account API keys and application keys Main difference is permissions, cleaner UI for normal users, and account keys use permissions assigned to servers and subusers while application keys use R/W ACLs stored in the key table. 2018-01-14 19:30:55 +00:00			`use Cake\Chronos\Chronos;`
Add test, fix behavior of model creation 2018-07-15 05:58:33 +00:00			`use Pterodactyl\Models\User;`
Rename APIKey to ApiKey 2018-01-14 18:06:15 +00:00			`use Pterodactyl\Models\ApiKey;`
Pop some tests for new middleware in there. 2017-11-19 20:34:55 +00:00			`use Illuminate\Auth\AuthManager;`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`use Illuminate\Contracts\Encryption\Encrypter;`
Pop some tests for new middleware in there. 2017-11-19 20:34:55 +00:00			`use Tests\Unit\Http\Middleware\MiddlewareTestCase;`
Fix some broken tests 2018-02-25 21:34:01 +00:00			`use Pterodactyl\Http\Middleware\Api\AuthenticateKey;`
Pop some tests for new middleware in there. 2017-11-19 20:34:55 +00:00			`use Symfony\Component\HttpKernel\Exception\HttpException;`
			`use Pterodactyl\Exceptions\Repository\RecordNotFoundException;`
			`use Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface;`

			`class AuthenticateKeyTest extends MiddlewareTestCase`
			`{`
			`/**`
			`* @var \Illuminate\Auth\AuthManager\|\Mockery\Mock`
			`*/`
			`private $auth;`

Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`/**`
			`* @var \Illuminate\Contracts\Encryption\Encrypter\|\Mockery\Mock`
			`*/`
			`private $encrypter;`

Pop some tests for new middleware in there. 2017-11-19 20:34:55 +00:00			`/**`
			`* @var \Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface\|\Mockery\Mock`
			`*/`
			`private $repository;`

			`/**`
			`* Setup tests.`
			`*/`
Fix tests by adding required return type hints 2020-05-09 16:00:52 +00:00			`public function setUp(): void`
Pop some tests for new middleware in there. 2017-11-19 20:34:55 +00:00			`{`
			`parent::setUp();`
Update interface to begin change to seperate account API keys and application keys Main difference is permissions, cleaner UI for normal users, and account keys use permissions assigned to servers and subusers while application keys use R/W ACLs stored in the key table. 2018-01-14 19:30:55 +00:00			`Chronos::setTestNow(Chronos::now());`
Pop some tests for new middleware in there. 2017-11-19 20:34:55 +00:00
			`$this->auth = m::mock(AuthManager::class);`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`$this->encrypter = m::mock(Encrypter::class);`
Pop some tests for new middleware in there. 2017-11-19 20:34:55 +00:00			`$this->repository = m::mock(ApiKeyRepositoryInterface::class);`
			`}`

			`/**`
			`* Test that a missing bearer token will throw an exception.`
			`*/`
			`public function testMissingBearerTokenThrowsException()`
			`{`
Add test, fix behavior of model creation 2018-07-15 05:58:33 +00:00			`$this->request->shouldReceive('user')->andReturnNull();`
Pop some tests for new middleware in there. 2017-11-19 20:34:55 +00:00			`$this->request->shouldReceive('bearerToken')->withNoArgs()->once()->andReturnNull();`

			`try {`
Fix some broken tests 2018-02-25 21:34:01 +00:00			`$this->getMiddleware()->handle($this->request, $this->getClosureAssertions(), ApiKey::TYPE_APPLICATION);`
Pop some tests for new middleware in there. 2017-11-19 20:34:55 +00:00			`} catch (HttpException $exception) {`
			`$this->assertEquals(401, $exception->getStatusCode());`
			`$this->assertEquals(['WWW-Authenticate' => 'Bearer'], $exception->getHeaders());`
			`}`
			`}`

			`/**`
Spelling mistakes for tests 2018-05-13 15:05:52 +00:00			`* Test that an invalid API identifier throws an exception.`
Pop some tests for new middleware in there. 2017-11-19 20:34:55 +00:00			`*`
			`* @expectedException \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException`
			`*/`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`public function testInvalidIdentifier()`
Pop some tests for new middleware in there. 2017-11-19 20:34:55 +00:00			`{`
			`$this->request->shouldReceive('bearerToken')->withNoArgs()->twice()->andReturn('abcd1234');`
			`$this->repository->shouldReceive('findFirstWhere')->andThrow(new RecordNotFoundException);`

Fix some broken tests 2018-02-25 21:34:01 +00:00			`$this->getMiddleware()->handle($this->request, $this->getClosureAssertions(), ApiKey::TYPE_APPLICATION);`
Pop some tests for new middleware in there. 2017-11-19 20:34:55 +00:00			`}`

			`/**`
			`* Test that a valid token can continue past the middleware.`
			`*/`
			`public function testValidToken()`
			`{`
Rename APIKey to ApiKey 2018-01-14 18:06:15 +00:00			`$model = factory(ApiKey::class)->make();`
Pop some tests for new middleware in there. 2017-11-19 20:34:55 +00:00
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`$this->request->shouldReceive('bearerToken')->withNoArgs()->twice()->andReturn($model->identifier . 'decrypted');`
Update interface to begin change to seperate account API keys and application keys Main difference is permissions, cleaner UI for normal users, and account keys use permissions assigned to servers and subusers while application keys use R/W ACLs stored in the key table. 2018-01-14 19:30:55 +00:00			`$this->repository->shouldReceive('findFirstWhere')->with([`
			`['identifier', '=', $model->identifier],`
			`['key_type', '=', ApiKey::TYPE_APPLICATION],`
			`])->once()->andReturn($model);`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`$this->encrypter->shouldReceive('decrypt')->with($model->token)->once()->andReturn('decrypted');`
Pop some tests for new middleware in there. 2017-11-19 20:34:55 +00:00			`$this->auth->shouldReceive('guard->loginUsingId')->with($model->user_id)->once()->andReturnNull();`

Update interface to begin change to seperate account API keys and application keys Main difference is permissions, cleaner UI for normal users, and account keys use permissions assigned to servers and subusers while application keys use R/W ACLs stored in the key table. 2018-01-14 19:30:55 +00:00			`$this->repository->shouldReceive('withoutFreshModel->update')->with($model->id, [`
			`'last_used_at' => Chronos::now(),`
			`])->once()->andReturnNull();`

Fix some broken tests 2018-02-25 21:34:01 +00:00			`$this->getMiddleware()->handle($this->request, $this->getClosureAssertions(), ApiKey::TYPE_APPLICATION);`
			`$this->assertEquals($model, $this->request->attributes->get('api_key'));`
			`}`

			`/**`
			`* Test that a valid token can continue past the middleware when set as a user token.`
			`*/`
			`public function testValidTokenWithUserKey()`
			`{`
			`$model = factory(ApiKey::class)->make();`

			`$this->request->shouldReceive('bearerToken')->withNoArgs()->twice()->andReturn($model->identifier . 'decrypted');`
			`$this->repository->shouldReceive('findFirstWhere')->with([`
			`['identifier', '=', $model->identifier],`
			`['key_type', '=', ApiKey::TYPE_ACCOUNT],`
			`])->once()->andReturn($model);`
			`$this->encrypter->shouldReceive('decrypt')->with($model->token)->once()->andReturn('decrypted');`
			`$this->auth->shouldReceive('guard->loginUsingId')->with($model->user_id)->once()->andReturnNull();`

			`$this->repository->shouldReceive('withoutFreshModel->update')->with($model->id, [`
			`'last_used_at' => Chronos::now(),`
			`])->once()->andReturnNull();`

			`$this->getMiddleware()->handle($this->request, $this->getClosureAssertions(), ApiKey::TYPE_ACCOUNT);`
Pop some tests for new middleware in there. 2017-11-19 20:34:55 +00:00			`$this->assertEquals($model, $this->request->attributes->get('api_key'));`
			`}`

Add test, fix behavior of model creation 2018-07-15 05:58:33 +00:00			`/**`
			`* Test that we can still make it though this middleware if the user is logged in and passing`
			`* through a cookie.`
			`*/`
			`public function testAccessWithoutToken()`
			`{`
			`$user = factory(User::class)->make(['id' => 123]);`

			`$this->request->shouldReceive('user')->andReturn($user);`
			`$this->request->shouldReceive('bearerToken')->withNoArgs()->twice()->andReturnNull();`

			`$this->getMiddleware()->handle($this->request, $this->getClosureAssertions(), ApiKey::TYPE_ACCOUNT);`
			`$model = $this->request->attributes->get('api_key');`

			`$this->assertSame(ApiKey::TYPE_ACCOUNT, $model->key_type);`
			`$this->assertSame(123, $model->user_id);`
			`$this->assertNull($model->identifier);`
			`}`

Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`/**`
			`* Test that a valid token identifier with an invalid token attached to it`
			`* triggers an exception.`
			`*`
			`* @expectedException \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException`
			`*/`
			`public function testInvalidTokenForIdentifier()`
			`{`
Rename APIKey to ApiKey 2018-01-14 18:06:15 +00:00			`$model = factory(ApiKey::class)->make();`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00
			`$this->request->shouldReceive('bearerToken')->withNoArgs()->twice()->andReturn($model->identifier . 'asdf');`
Update interface to begin change to seperate account API keys and application keys Main difference is permissions, cleaner UI for normal users, and account keys use permissions assigned to servers and subusers while application keys use R/W ACLs stored in the key table. 2018-01-14 19:30:55 +00:00			`$this->repository->shouldReceive('findFirstWhere')->with([`
			`['identifier', '=', $model->identifier],`
			`['key_type', '=', ApiKey::TYPE_APPLICATION],`
			`])->once()->andReturn($model);`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`$this->encrypter->shouldReceive('decrypt')->with($model->token)->once()->andReturn('decrypted');`

Fix some broken tests 2018-02-25 21:34:01 +00:00			`$this->getMiddleware()->handle($this->request, $this->getClosureAssertions(), ApiKey::TYPE_APPLICATION);`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`}`

Pop some tests for new middleware in there. 2017-11-19 20:34:55 +00:00			`/**`
			`* Return an instance of the middleware with mocked dependencies for testing.`
			`*`
Fix some broken tests 2018-02-25 21:34:01 +00:00			`* @return \Pterodactyl\Http\Middleware\Api\AuthenticateKey`
Pop some tests for new middleware in there. 2017-11-19 20:34:55 +00:00			`*/`
			`private function getMiddleware(): AuthenticateKey`
			`{`
Change the way API keys are stored and validated; clarify API namespacing Previously, a single key was used to access the API, this has not changed in terms of what the user sees. However, API keys now use an identifier and token internally. The identifier is the first 16 characters of the key, and the token is the remaining 32. The token is stored encrypted at rest in the database and the identifier is used by the API middleware to grab that record and make a timing attack safe comparison. 2018-01-13 22:06:19 +00:00			`return new AuthenticateKey($this->repository, $this->auth, $this->encrypter);`
Pop some tests for new middleware in there. 2017-11-19 20:34:55 +00:00			`}`
			`}`