Change how API keys are validated (#771)

tests/Unit/Http/Middleware/API/AuthenticateIPAccessTest.php

@@ -0,0 +1,82 @@
+<?php
+
+namespace Tests\Unit\Http\Middleware\API;
+
+use Pterodactyl\Models\APIKey;
+use Tests\Unit\Http\Middleware\MiddlewareTestCase;
+use Pterodactyl\Http\Middleware\API\AuthenticateIPAccess;
+
+class AuthenticateIPAccessTest extends MiddlewareTestCase
+{
+    /**
+     * Setup tests.
+     */
+    public function setUp()
+    {
+        parent::setUp();
+    }
+
+    /**
+     * Test middleware when there are no IP restrictions.
+     */
+    public function testWithNoIPRestrictions()
+    {
+        $model = factory(APIKey::class)->make(['allowed_ips' => []]);
+        $this->setRequestAttribute('api_key', $model);
+
+        $this->getMiddleware()->handle($this->request, $this->getClosureAssertions());
+    }
+
+    /**
+     * Test middleware works correctly when a valid IP accesses
+     * and there is an IP restriction.
+     */
+    public function testWithValidIP()
+    {
+        $model = factory(APIKey::class)->make(['allowed_ips' => ['127.0.0.1']]);
+        $this->setRequestAttribute('api_key', $model);
+
+        $this->request->shouldReceive('ip')->withNoArgs()->once()->andReturn('127.0.0.1');
+
+        $this->getMiddleware()->handle($this->request, $this->getClosureAssertions());
+    }
+
+    /**
+     * Test that a CIDR range can be used.
+     */
+    public function testValidIPAganistCIDRRange()
+    {
+        $model = factory(APIKey::class)->make(['allowed_ips' => ['192.168.1.1/28']]);
+        $this->setRequestAttribute('api_key', $model);
+
+        $this->request->shouldReceive('ip')->withNoArgs()->once()->andReturn('192.168.1.15');
+
+        $this->getMiddleware()->handle($this->request, $this->getClosureAssertions());
+    }
+
+    /**
+     * Test that an exception is thrown when an invalid IP address
+     * tries to connect and there is an IP restriction.
+     *
+     * @expectedException \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
+     */
+    public function testWithInvalidIP()
+    {
+        $model = factory(APIKey::class)->make(['allowed_ips' => ['127.0.0.1']]);
+        $this->setRequestAttribute('api_key', $model);
+
+        $this->request->shouldReceive('ip')->withNoArgs()->once()->andReturn('127.0.0.2');
+
+        $this->getMiddleware()->handle($this->request, $this->getClosureAssertions());
+    }
+
+    /**
+     * Return an instance of the middleware to be used when testing.
+     *
+     * @return \Pterodactyl\Http\Middleware\API\AuthenticateIPAccess
+     */
+    private function getMiddleware(): AuthenticateIPAccess
+    {
+        return new AuthenticateIPAccess();
+    }
+}

tests/Unit/Http/Middleware/API/AuthenticateKeyTest.php

@@ -0,0 +1,90 @@
+<?php
+
+namespace Tests\Unit\Http\Middleware\API;
+
+use Mockery as m;
+use Pterodactyl\Models\APIKey;
+use Illuminate\Auth\AuthManager;
+use Tests\Unit\Http\Middleware\MiddlewareTestCase;
+use Pterodactyl\Http\Middleware\API\AuthenticateKey;
+use Symfony\Component\HttpKernel\Exception\HttpException;
+use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
+use Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface;
+
+class AuthenticateKeyTest extends MiddlewareTestCase
+{
+    /**
+     * @var \Illuminate\Auth\AuthManager|\Mockery\Mock
+     */
+    private $auth;
+
+    /**
+     * @var \Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface|\Mockery\Mock
+     */
+    private $repository;
+
+    /**
+     * Setup tests.
+     */
+    public function setUp()
+    {
+        parent::setUp();
+
+        $this->auth = m::mock(AuthManager::class);
+        $this->repository = m::mock(ApiKeyRepositoryInterface::class);
+    }
+
+    /**
+     * Test that a missing bearer token will throw an exception.
+     */
+    public function testMissingBearerTokenThrowsException()
+    {
+        $this->request->shouldReceive('bearerToken')->withNoArgs()->once()->andReturnNull();
+
+        try {
+            $this->getMiddleware()->handle($this->request, $this->getClosureAssertions());
+        } catch (HttpException $exception) {
+            $this->assertEquals(401, $exception->getStatusCode());
+            $this->assertEquals(['WWW-Authenticate' => 'Bearer'], $exception->getHeaders());
+        }
+    }
+
+    /**
+     * Test that an invalid API token throws an exception.
+     *
+     * @expectedException \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
+     */
+    public function testInvalidTokenThrowsException()
+    {
+        $this->request->shouldReceive('bearerToken')->withNoArgs()->twice()->andReturn('abcd1234');
+        $this->repository->shouldReceive('findFirstWhere')->andThrow(new RecordNotFoundException);
+
+        $this->getMiddleware()->handle($this->request, $this->getClosureAssertions());
+    }
+
+    /**
+     * Test that a valid token can continue past the middleware.
+     */
+    public function testValidToken()
+    {
+        $model = factory(APIKey::class)->make();
+
+        $this->request->shouldReceive('bearerToken')->withNoArgs()->twice()->andReturn($model->token);
+        $this->repository->shouldReceive('findFirstWhere')->with([['token', '=', $model->token]])->once()->andReturn($model);
+
+        $this->auth->shouldReceive('guard->loginUsingId')->with($model->user_id)->once()->andReturnNull();
+
+        $this->getMiddleware()->handle($this->request, $this->getClosureAssertions());
+        $this->assertEquals($model, $this->request->attributes->get('api_key'));
+    }
+
+    /**
+     * Return an instance of the middleware with mocked dependencies for testing.
+     *
+     * @return \Pterodactyl\Http\Middleware\API\AuthenticateKey
+     */
+    private function getMiddleware(): AuthenticateKey
+    {
+        return new AuthenticateKey($this->repository, $this->auth);
+    }
+}

tests/Unit/Http/Middleware/API/HasPermissionToResourceTest.php

@@ -0,0 +1,109 @@
+<?php
+
+namespace Tests\Unit\Http\Middleware\API;
+
+use Mockery as m;
+use Pterodactyl\Models\User;
+use Pterodactyl\Models\APIKey;
+use Pterodactyl\Models\APIPermission;
+use Tests\Unit\Http\Middleware\MiddlewareTestCase;
+use Pterodactyl\Http\Middleware\API\HasPermissionToResource;
+use Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface;
+
+class HasPermissionToResourceTest extends MiddlewareTestCase
+{
+    /**
+     * @var \Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface|\Mockery\Mock
+     */
+    private $repository;
+
+    /**
+     * Setup tests.
+     */
+    public function setUp()
+    {
+        parent::setUp();
+
+        $this->repository = m::mock(ApiKeyRepositoryInterface::class);
+    }
+
+    /**
+     * Test that a non-admin user cannot access admin level routes.
+     *
+     * @expectedException \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
+     */
+    public function testNonAdminAccessingAdminLevel()
+    {
+        $model = factory(APIKey::class)->make();
+        $this->setRequestAttribute('api_key', $model);
+        $this->setRequestUser(factory(User::class)->make(['root_admin' => false]));
+
+        $this->getMiddleware()->handle($this->request, $this->getClosureAssertions());
+    }
+
+    /**
+     * Test non-admin accessing non-admin route.
+     */
+    public function testAccessingAllowedRoute()
+    {
+        $model = factory(APIKey::class)->make();
+        $model->setRelation('permissions', collect([
+            factory(APIPermission::class)->make(['permission' => 'user.test-route']),
+        ]));
+        $this->setRequestAttribute('api_key', $model);
+        $this->setRequestUser(factory(User::class)->make(['root_admin' => false]));
+
+        $this->request->shouldReceive('route->getName')->withNoArgs()->once()->andReturn('api.user.test.route');
+        $this->repository->shouldReceive('loadPermissions')->with($model)->once()->andReturn($model);
+
+        $this->getMiddleware()->handle($this->request, $this->getClosureAssertions(), 'user');
+    }
+
+    /**
+     * Test admin accessing administrative route.
+     */
+    public function testAccessingAllowedAdminRoute()
+    {
+        $model = factory(APIKey::class)->make();
+        $model->setRelation('permissions', collect([
+            factory(APIPermission::class)->make(['permission' => 'test-route']),
+        ]));
+        $this->setRequestAttribute('api_key', $model);
+        $this->setRequestUser(factory(User::class)->make(['root_admin' => true]));
+
+        $this->request->shouldReceive('route->getName')->withNoArgs()->once()->andReturn('api.admin.test.route');
+        $this->repository->shouldReceive('loadPermissions')->with($model)->once()->andReturn($model);
+
+        $this->getMiddleware()->handle($this->request, $this->getClosureAssertions());
+    }
+
+    /**
+     * Test a user accessing a disallowed route.
+     *
+     * @expectedException \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
+     */
+    public function testAccessingDisallowedRoute()
+    {
+        $model = factory(APIKey::class)->make();
+        $model->setRelation('permissions', collect([
+            factory(APIPermission::class)->make(['permission' => 'user.other-route']),
+        ]));
+        $this->setRequestAttribute('api_key', $model);
+        $this->setRequestUser(factory(User::class)->make(['root_admin' => false]));
+
+        $this->request->shouldReceive('route->getName')->withNoArgs()->once()->andReturn('api.user.test.route');
+        $this->repository->shouldReceive('loadPermissions')->with($model)->once()->andReturn($model);
+
+        $this->getMiddleware()->handle($this->request, $this->getClosureAssertions(), 'user');
+    }
+
+    /**
+     * Return an instance of the middleware with mocked dependencies for testing.
+     *
+     * @return \Pterodactyl\Http\Middleware\API\HasPermissionToResource
+     */
+    private function getMiddleware(): HasPermissionToResource
+    {
+        return new HasPermissionToResource($this->repository);
+    }
+}

tests/Unit/Http/Middleware/API/SetSessionDriverTest.php

@@ -0,0 +1,69 @@
+<?php
+
+namespace Tests\Unit\Http\Middleware\API;
+
+use Mockery as m;
+use Barryvdh\Debugbar\LaravelDebugbar;
+use Illuminate\Contracts\Config\Repository;
+use Illuminate\Contracts\Foundation\Application;
+use Tests\Unit\Http\Middleware\MiddlewareTestCase;
+use Pterodactyl\Http\Middleware\API\SetSessionDriver;
+
+class SetSessionDriverTest extends MiddlewareTestCase
+{
+    /**
+     * @var \Illuminate\Contracts\Foundation\Application|\Mockery\Mock
+     */
+    private $appMock;
+
+    /**
+     * @var \Illuminate\Contracts\Config\Repository|\Mockery\Mock
+     */
+    private $config;
+
+    /**
+     * Setup tests.
+     */
+    public function setUp()
+    {
+        parent::setUp();
+
+        $this->appMock = m::mock(Application::class);
+        $this->config = m::mock(Repository::class);
+    }
+
+    /**
+     * Test that a production environment does not try to disable debug bar.
+     */
+    public function testProductionEnvironment()
+    {
+        $this->appMock->shouldReceive('environment')->withNoArgs()->once()->andReturn('production');
+        $this->config->shouldReceive('set')->with('session.driver', 'array')->once()->andReturnNull();
+
+        $this->getMiddleware()->handle($this->request, $this->getClosureAssertions());
+    }
+
+    /**
+     * Test that a local environment does disable debug bar.
+     */
+    public function testLocalEnvironment()
+    {
+        $this->appMock->shouldReceive('environment')->withNoArgs()->once()->andReturn('local');
+        $this->appMock->shouldReceive('make')->with(LaravelDebugbar::class)->once()->andReturnSelf();
+        $this->appMock->shouldReceive('disable')->withNoArgs()->once()->andReturnNull();
+
+        $this->config->shouldReceive('set')->with('session.driver', 'array')->once()->andReturnNull();
+
+        $this->getMiddleware()->handle($this->request, $this->getClosureAssertions());
+    }
+
+    /**
+     * Return an instance of the middleware with mocked dependencies for testing.
+     *
+     * @return \Pterodactyl\Http\Middleware\API\SetSessionDriver
+     */
+    private function getMiddleware(): SetSessionDriver
+    {
+        return new SetSessionDriver($this->appMock, $this->config);
+    }
+}