Merge pull request #1085 from keboola/zajca-sox-78

SOX-78 tokens

apiary.apib

@@ -172,6 +172,7 @@ Lists all tokens in the project.
                     "canManageTokens": false,
                     "canReadAllFileUploads": false,
                     "canPurgeTrash": false,
+                    "canManageProtectedDefaultBranch": false,
                     "expires": null,
                     "isExpired": false,
                     "isDisabled": false,
@@ -199,6 +200,7 @@ Lists all tokens in the project.
                     "canManageTokens": false,
                     "canReadAllFileUploads": false,
                     "canPurgeTrash": false,
+                    "canManageProtectedDefaultBranch": false,
                     "expires": null,
                     "isExpired": false,
                     "isDisabled": false,
@@ -243,6 +245,7 @@ Lists all tokens in the project - **same as for default branch**.
                     "canManageTokens": false,
                     "canReadAllFileUploads": false,
                     "canPurgeTrash": false,
+                    "canManageProtectedDefaultBranch": false,
                     "expires": null,
                     "isExpired": false,
                     "isDisabled": false,
@@ -270,6 +273,7 @@ Lists all tokens in the project - **same as for default branch**.
                     "canManageTokens": false,
                     "canReadAllFileUploads": false,
                     "canPurgeTrash": false,
+                    "canManageProtectedDefaultBranch": false,
                     "expires": null,
                     "isExpired": false,
                     "isDisabled": false,
@@ -341,6 +345,7 @@ In this case, you are allowed to set the `description` and token expiration via
                 "canManageTokens": false,
                 "canReadAllFileUploads": false,
                 "canPurgeTrash": false,
+                "canManageProtectedDefaultBranch": false,
                 "expires": null,
                 "isExpired": false,
                 "isDisabled": false,
@@ -487,6 +492,7 @@ bucket permissions, don't forget to specify the previous permissions.
                 "canManageTokens": false,
                 "canReadAllFileUploads": false,
                 "canPurgeTrash": false,
+                "canManageProtectedDefaultBranch": false,
                 "expires": null,
                 "isExpired": false,
                 "isDisabled": false,

phpunit.xml.dist

@@ -306,6 +306,7 @@
 	<testsuite name="sync-sox-snowflake">
 		<!--This is temporary to check something-->
 		<directory>tests/Backend/SOX</directory>
+		<exclude>tests/Backend/SOX/SOXTokensTest.php</exclude>
 	</testsuite>
 	<testsuite name="unit">
 		<directory>tests-unit</directory>

tests/Backend/SOX/SOXCommonTest.php

@@ -14,6 +14,7 @@ public function testCreateBucketInDefaultBranch(): void
         $client = $this->getDefaultBranchStorageApiClient();
         $token = $client->verifyToken();
         $this->assertArrayNotHasKey('admin', $token);
+        $this->assertTrue($token['canManageProtectedDefaultBranch']);
         $bucketId = $client->createBucket('test', 'in');
         $client->dropBucket($bucketId, ['async' => true]);
 

tests/Backend/SOX/SOXTokensTest.php

@@ -0,0 +1,84 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Keboola\Test\Backend\SOX;
+
+use Generator;
+use Keboola\StorageApi\Client;
+use Keboola\StorageApi\ClientException;
+use Keboola\StorageApi\Tokens;
+use Keboola\Test\StorageApiTestCase;
+
+class SOXTokensTest extends StorageApiTestCase
+{
+    private function getDefaultBranchTokenId(): int
+    {
+        [, $tokenId,] = explode('-', STORAGE_API_DEFAULT_BRANCH_TOKEN);
+        return (int) $tokenId;
+    }
+
+    public function tokensProvider(): Generator
+    {
+        yield 'nobody can see token (privileged)' => [
+            $this->getDefaultBranchStorageApiClient(),
+        ];
+        yield 'nobody can see token (productionManager)' => [
+            $this->getDefaultClient(),
+        ];
+        yield 'nobody can see token (developer)' => [
+            $this->getDeveloperStorageApiClient(),
+        ];
+        yield 'nobody can see token (reviewer)' => [
+            $this->getReviewerStorageApiClient(),
+        ];
+        yield 'nobody can see token (readOnly)' => [
+            $this->getReadOnlyStorageApiClient(),
+        ];
+    }
+
+    /**
+     * @dataProvider tokensProvider
+     */
+    public function testTokensVisibility(Client $client): void
+    {
+        $tokens = new Tokens($client);
+        $tokenList = $tokens->listTokens();
+        foreach ($tokenList as $token) {
+            // check all tokens are without decrypted token
+            $this->assertArrayNotHasKey('token', $token);
+        }
+
+        $token = $client->verifyToken();
+        // not visible in detail
+        $this->assertArrayNotHasKey('token', $token);
+    }
+
+    public function testCannotRefreshCanManageProtectedBranchTokenEvenSelf(): void
+    {
+        $client = $this->getDefaultBranchStorageApiClient();
+        $tokens = new Tokens($client);
+        $this->expectExceptionCode(400);
+        $this->expectExceptionMessage('Token with canManageProtectedDefaultBranch privilege cannot be refreshed');
+        $tokens->refreshToken($this->getDefaultBranchTokenId());
+    }
+
+    /**
+     * @dataProvider tokensProvider
+     */
+    public function testCannotShareCanManageProtectedBranchTokenEvenSelf(Client $client): void
+    {
+        $tokens = new Tokens($client);
+        try {
+            $tokens->shareToken(
+                $this->getDefaultBranchTokenId(),
+                'test@devel.keboola.com',
+                'hi'
+            );
+            $this->fail('Nobody can do this.');
+        } catch (ClientException $e) {
+            $this->assertSame(403, $e->getCode());
+            $this->assertSame('You don\'t have access to the resource.', $e->getMessage());
+        }
+    }
+}