Skynet/misc_pterodactyl-panel
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix test coverage for creating account API keys

Browse source
This commit is contained in:
Dane Everitt 2021-08-07 15:20:43 -07:00
parent 3d14974d64
commit 815ce0e451
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
6 changed files with 62 additions and 148 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
app/Models/PersonalAccessToken.php
View file

@ -4,9 +4,12 @@ namespace Pterodactyl\Models;
use Illuminate\Support\Str; use Illuminate\Support\Str;
use Laravel\Sanctum\Contracts\HasAbilities; use Laravel\Sanctum\Contracts\HasAbilities;
use Illuminate\Database\Eloquent\Factories\HasFactory;
class PersonalAccessToken extends Model implements HasAbilities class PersonalAccessToken extends Model implements HasAbilities
{ {
use HasFactory;
public const RESOURCE_NAME = 'personal_access_token'; public const RESOURCE_NAME = 'personal_access_token';
/** /**

53
app/Services/Acl/Api/AdminAcl.php
View file

@ -2,17 +2,8 @@
namespace Pterodactyl\Services\Acl\Api; namespace Pterodactyl\Services\Acl\Api;
use ReflectionClass;
use Pterodactyl\Models\ApiKey;
class AdminAcl class AdminAcl
{ {
/**
* Resource permission columns in the api_keys table begin
* with this identifier.
*/
public const COLUMN_IDENTIFIER = 'r_';
/** /**
* The different types of permissions available for API keys. This * The different types of permissions available for API keys. This
* implements a read/write/none permissions scheme for all endpoints. * implements a read/write/none permissions scheme for all endpoints.
@ -36,48 +27,4 @@ class AdminAcl
public const RESOURCE_SERVER_DATABASES = 'server_databases'; public const RESOURCE_SERVER_DATABASES = 'server_databases';
public const RESOURCE_ROLES = 'roles'; public const RESOURCE_ROLES = 'roles';
public const RESOURCE_MOUNTS = 'mounts'; public const RESOURCE_MOUNTS = 'mounts';
/**
* Determine if an API key has permission to perform a specific read/write operation.
*
* @param int $permission
* @param int $action
* @return bool
*/
public static function can(int $permission, int $action = self::READ)
{
if ($permission & $action) {
return true;
}
return false;
}
/**
* Determine if an API Key model has permission to access a given resource
* at a specific action level.
*
* @param \Pterodactyl\Models\ApiKey $key
* @param string $resource
* @param int $action
* @return bool
*/
public static function check(ApiKey $key, string $resource, int $action = self::READ)
{
return self::can(data_get($key, self::COLUMN_IDENTIFIER . $resource, self::NONE), $action);
}
/**
* Return a list of all resource constants defined in this ACL.
*
* @return array
*/
public static function getResourceList(): array
{
$reflect = new ReflectionClass(__CLASS__);
return collect($reflect->getConstants())->filter(function ($value, $key) {
return substr($key, 0, 9) === 'RESOURCE_';
})->values()->toArray();
}
} }

28
database/Factories/PersonalAccessTokenFactory.php Normal file
View file

@ -0,0 +1,28 @@
<?php
namespace Database\Factories;
use Illuminate\Support\Str;
use Pterodactyl\Models\PersonalAccessToken;
use Illuminate\Database\Eloquent\Factories\Factory;
class PersonalAccessTokenFactory extends Factory
{
/**
* @var string
*/
protected $model = PersonalAccessToken::class;
/**
* @return array
*/
public function definition()
{
return [
'token_id' => PersonalAccessToken::generateTokenIdentifier(),
'token' => hash('sha256', Str::random(PersonalAccessToken::TOKEN_LENGTH)),
'description' => 'Generated test token',
'abilities' => ['*'],
];
}
}

14
tests/Integration/Api/Application/ApplicationApiIntegrationTestCase.php
View file

@ -34,7 +34,7 @@ abstract class ApplicationApiIntegrationTestCase extends IntegrationTestCase
{ {
parent::setUp(); parent::setUp();
$this->user = $this->createApiUser(); $this->user = User::factory()->create(['root_admin' => true]);
$this->key = $this->createApiKey($this->user); $this->key = $this->createApiKey($this->user);
$this->withHeader('Accept', 'application/vnd.pterodactyl.v1+json'); $this->withHeader('Accept', 'application/vnd.pterodactyl.v1+json');
@ -85,18 +85,6 @@ abstract class ApplicationApiIntegrationTestCase extends IntegrationTestCase
$this->withHeader('Authorization', 'Bearer ' . $key->identifier . decrypt($key->token)); $this->withHeader('Authorization', 'Bearer ' . $key->identifier . decrypt($key->token));
} }
/**
* Create an administrative user.
*
* @return \Pterodactyl\Models\User
*/
protected function createApiUser(): User
{
return User::factory()->create([
'root_admin' => true,
]);
}
/** /**
* Create a new application API key for a given user model. * Create a new application API key for a given user model.
* *

109
tests/Integration/Api/Client/ApiKeyControllerTest.php
View file

@ -4,7 +4,8 @@ namespace Pterodactyl\Tests\Integration\Api\Client;
use Pterodactyl\Models\User; use Pterodactyl\Models\User;
use Illuminate\Http\Response; use Illuminate\Http\Response;
use Pterodactyl\Models\ApiKey; use Pterodactyl\Models\PersonalAccessToken;
use Pterodactyl\Transformers\Api\Client\PersonalAccessTokenTransformer;
class ApiKeyControllerTest extends ClientApiIntegrationTestCase class ApiKeyControllerTest extends ClientApiIntegrationTestCase
{ {
@ -13,7 +14,7 @@ class ApiKeyControllerTest extends ClientApiIntegrationTestCase
*/ */
protected function tearDown(): void protected function tearDown(): void
{ {
ApiKey::query()->forceDelete(); PersonalAccessToken::query()->forceDelete();
parent::tearDown(); parent::tearDown();
} }
@ -25,11 +26,8 @@ class ApiKeyControllerTest extends ClientApiIntegrationTestCase
{ {
/** @var \Pterodactyl\Models\User $user */ /** @var \Pterodactyl\Models\User $user */
$user = User::factory()->create(); $user = User::factory()->create();
/** @var \Pterodactyl\Models\ApiKey $key */ $token = $user->createToken('test');
$key = ApiKey::factory()->create([ $token = $token->accessToken;
'user_id' => $user->id,
'key_type' => ApiKey::TYPE_ACCOUNT,
]);
$response = $this->actingAs($user)->get('/api/client/account/api-keys'); $response = $this->actingAs($user)->get('/api/client/account/api-keys');
@ -38,13 +36,14 @@ class ApiKeyControllerTest extends ClientApiIntegrationTestCase
'object' => 'list', 'object' => 'list',
'data' => [ 'data' => [
[ [
'object' => 'api_key', 'object' => 'personal_access_token',
'attributes' => [ 'attributes' => [
'identifier' => $key->identifier, 'token_id' => $token->token_id,
'description' => $key->memo, 'description' => $token->description,
'allowed_ips' => $key->allowed_ips, 'abilities' => ['*'],
'last_used_at' => null, 'last_used_at' => null,
'created_at' => $key->created_at->toIso8601String(), 'updated_at' => $this->formatTimestamp($token->updated_at),
'created_at' => $this->formatTimestamp($token->created_at),
], ],
], ],
], ],
@ -64,34 +63,24 @@ class ApiKeyControllerTest extends ClientApiIntegrationTestCase
// Small sub-test to ensure we're always comparing the number of keys to the // Small sub-test to ensure we're always comparing the number of keys to the
// specific logged in account, and not just the total number of keys stored in // specific logged in account, and not just the total number of keys stored in
// the database. // the database.
ApiKey::factory()->times(10)->create([ PersonalAccessToken::factory()->times(10)->create([
'user_id' => User::factory()->create()->id, 'user_id' => User::factory()->create()->id,
'key_type' => ApiKey::TYPE_ACCOUNT,
]); ]);
$response = $this->actingAs($user)->postJson('/api/client/account/api-keys', [ $response = $this->actingAs($user)->postJson('/api/client/account/api-keys', [
'description' => 'Test Description', 'description' => 'Test Description',
'allowed_ips' => ['127.0.0.1'],
]); ]);
$response->assertOk(); $response->assertOk();
/** @var \Pterodactyl\Models\ApiKey $key */ $key = PersonalAccessToken::query()->where('token_id', $response->json('attributes.token_id'))->firstOrFail();
$key = ApiKey::query()->where('identifier', $response->json('attributes.identifier'))->firstOrFail();
$response->assertJson([ $response->assertJson([
'object' => 'api_key', 'object' => 'personal_access_token',
'attributes' => [ 'attributes' => (new PersonalAccessTokenTransformer())->transform($key),
'identifier' => $key->identifier,
'description' => 'Test Description',
'allowed_ips' => ['127.0.0.1'],
'last_used_at' => null,
'created_at' => $key->created_at->toIso8601String(),
],
'meta' => [
'secret_token' => decrypt($key->token),
],
]); ]);
$this->assertEquals($key->token, hash('sha256', substr($response->json('meta.secret_token'), 16)));
} }
/** /**
@ -104,14 +93,10 @@ class ApiKeyControllerTest extends ClientApiIntegrationTestCase
{ {
/** @var \Pterodactyl\Models\User $user */ /** @var \Pterodactyl\Models\User $user */
$user = User::factory()->create(); $user = User::factory()->create();
ApiKey::factory()->times(5)->create([ PersonalAccessToken::factory()->times(10)->create(['user_id' => $user->id]);
'user_id' => $user->id,
'key_type' => ApiKey::TYPE_ACCOUNT,
]);
$response = $this->actingAs($user)->postJson('/api/client/account/api-keys', [ $response = $this->actingAs($user)->postJson('/api/client/account/api-keys', [
'description' => 'Test Description', 'description' => 'Test Description',
'allowed_ips' => ['127.0.0.1'],
]); ]);
$response->assertStatus(Response::HTTP_BAD_REQUEST); $response->assertStatus(Response::HTTP_BAD_REQUEST);
@ -131,7 +116,6 @@ class ApiKeyControllerTest extends ClientApiIntegrationTestCase
$response = $this->actingAs($user)->postJson('/api/client/account/api-keys', [ $response = $this->actingAs($user)->postJson('/api/client/account/api-keys', [
'description' => '', 'description' => '',
'allowed_ips' => ['127.0.0.1'],
]); ]);
$response->assertStatus(Response::HTTP_UNPROCESSABLE_ENTITY); $response->assertStatus(Response::HTTP_UNPROCESSABLE_ENTITY);
@ -140,7 +124,6 @@ class ApiKeyControllerTest extends ClientApiIntegrationTestCase
$response = $this->actingAs($user)->postJson('/api/client/account/api-keys', [ $response = $this->actingAs($user)->postJson('/api/client/account/api-keys', [
'description' => str_repeat('a', 501), 'description' => str_repeat('a', 501),
'allowed_ips' => ['127.0.0.1'],
]); ]);
$response->assertStatus(Response::HTTP_UNPROCESSABLE_ENTITY); $response->assertStatus(Response::HTTP_UNPROCESSABLE_ENTITY);
@ -155,16 +138,12 @@ class ApiKeyControllerTest extends ClientApiIntegrationTestCase
{ {
/** @var \Pterodactyl\Models\User $user */ /** @var \Pterodactyl\Models\User $user */
$user = User::factory()->create(); $user = User::factory()->create();
/** @var \Pterodactyl\Models\ApiKey $key */ $token = $user->createToken('test');
$key = ApiKey::factory()->create([
'user_id' => $user->id,
'key_type' => ApiKey::TYPE_ACCOUNT,
]);
$response = $this->actingAs($user)->delete('/api/client/account/api-keys/' . $key->identifier); $response = $this->actingAs($user)->delete('/api/client/account/api-keys/' . $token->accessToken->token_id);
$response->assertStatus(Response::HTTP_NO_CONTENT); $response->assertNoContent();
$this->assertDatabaseMissing('api_keys', ['id' => $key->id]); $this->assertDatabaseMissing('personal_access_tokens', ['id' => $token->accessToken->id]);
} }
/** /**
@ -174,16 +153,12 @@ class ApiKeyControllerTest extends ClientApiIntegrationTestCase
{ {
/** @var \Pterodactyl\Models\User $user */ /** @var \Pterodactyl\Models\User $user */
$user = User::factory()->create(); $user = User::factory()->create();
/** @var \Pterodactyl\Models\ApiKey $key */ $token = $user->createToken('test');
$key = ApiKey::factory()->create([
'user_id' => $user->id,
'key_type' => ApiKey::TYPE_ACCOUNT,
]);
$response = $this->actingAs($user)->delete('/api/client/account/api-keys/1234'); $response = $this->actingAs($user)->delete('/api/client/account/api-keys/ptdl_1234');
$response->assertNotFound(); $response->assertNoContent();
$this->assertDatabaseHas('api_keys', ['id' => $key->id]); $this->assertDatabaseHas('personal_access_tokens', ['id' => $token->accessToken->id]);
} }
/** /**
@ -196,35 +171,11 @@ class ApiKeyControllerTest extends ClientApiIntegrationTestCase
$user = User::factory()->create(); $user = User::factory()->create();
/** @var \Pterodactyl\Models\User $user2 */ /** @var \Pterodactyl\Models\User $user2 */
$user2 = User::factory()->create(); $user2 = User::factory()->create();
/** @var \Pterodactyl\Models\ApiKey $key */ $token = $user2->createToken('test');
$key = ApiKey::factory()->create([
'user_id' => $user2->id,
'key_type' => ApiKey::TYPE_ACCOUNT,
]);
$response = $this->actingAs($user)->delete('/api/client/account/api-keys/' . $key->identifier); $response = $this->actingAs($user)->delete('/api/client/account/api-keys/' . $token->accessToken->token_id);
$response->assertNotFound(); $response->assertNoContent();
$this->assertDatabaseHas('api_keys', ['id' => $key->id]); $this->assertDatabaseHas('personal_access_tokens', ['id' => $token->accessToken->id]);
}
/**
* Tests that an application API key also belonging to the logged in user cannot be
* deleted through this endpoint if it exists.
*/
public function testApplicationApiKeyCannotBeDeleted()
{
/** @var \Pterodactyl\Models\User $user */
$user = User::factory()->create();
/** @var \Pterodactyl\Models\ApiKey $key */
$key = ApiKey::factory()->create([
'user_id' => $user->id,
'key_type' => ApiKey::TYPE_APPLICATION,
]);
$response = $this->actingAs($user)->delete('/api/client/account/api-keys/' . $key->identifier);
$response->assertNotFound();
$this->assertDatabaseHas('api_keys', ['id' => $key->id]);
} }
} }

3
tests/Integration/Api/Client/ClientApiIntegrationTestCase.php
View file

@ -6,7 +6,6 @@ use ReflectionClass;
use Pterodactyl\Models\Node; use Pterodactyl\Models\Node;
use Pterodactyl\Models\Task; use Pterodactyl\Models\Task;
use Pterodactyl\Models\User; use Pterodactyl\Models\User;
use Webmozart\Assert\Assert;
use InvalidArgumentException; use InvalidArgumentException;
use Pterodactyl\Models\Backup; use Pterodactyl\Models\Backup;
use Pterodactyl\Models\Server; use Pterodactyl\Models\Server;
@ -60,7 +59,6 @@ abstract class ClientApiIntegrationTestCase extends IntegrationTestCase
*/ */
protected function link($model, $append = null): string protected function link($model, $append = null): string
{ {
$link = '';
switch (get_class($model)) { switch (get_class($model)) {
case Server::class: case Server::class:
$link = "/api/client/servers/{$model->uuid}"; $link = "/api/client/servers/{$model->uuid}";
@ -99,7 +97,6 @@ abstract class ClientApiIntegrationTestCase extends IntegrationTestCase
return [$user, $this->createServerModel(['user_id' => $user->id])]; return [$user, $this->createServerModel(['user_id' => $user->id])];
} }
/** @var \Pterodactyl\Models\Server $server */
$server = $this->createServerModel(); $server = $this->createServerModel();
Subuser::query()->create([ Subuser::query()->create([