From e1faf53c4ffccc9e3b615e2300fc2c3a546d3219 Mon Sep 17 00:00:00 2001
From: zajca
Date: Mon, 19 Jun 2023 14:37:52 +0200
Subject: [PATCH 1/3] test tokens visibility
---
 tests/Backend/SOX/SOXCommonTest.php | 1 +
 tests/Backend/SOX/SOXTokensTest.php | 84 +++++++++++++++++++++++++++++
 2 files changed, 85 insertions(+)
 create mode 100644 tests/Backend/SOX/SOXTokensTest.php
diff --git a/tests/Backend/SOX/SOXCommonTest.php b/tests/Backend/SOX/SOXCommonTest.php
index 8cc4c5a88..4b0fe946a 100644
--- a/tests/Backend/SOX/SOXCommonTest.php
+++ b/tests/Backend/SOX/SOXCommonTest.php
@@ -14,6 +14,7 @@ public function testCreateBucketInDefaultBranch(): void
 $client = $this->getDefaultBranchStorageApiClient();
 $token = $client->verifyToken();
 $this->assertArrayNotHasKey('admin', $token);
+ $this->assertTrue($token['canManageProtectedDefaultBranch']);
 
 $bucketId = $client->createBucket('test', 'in');
 $client->dropBucket($bucketId, ['async' => true]);
diff --git a/tests/Backend/SOX/SOXTokensTest.php b/tests/Backend/SOX/SOXTokensTest.php
new file mode 100644
index 000000000..0dc8e18a9
--- /dev/null
+++ b/tests/Backend/SOX/SOXTokensTest.php
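Review bot: The added `$this->assertTrue($token['canManageProtectedDefaultBranch']);` reads the key straight out of `$token`, so if the API response omits the flag the test dies on an undefined index instead of reporting a clear assertion failure; assert presence first with `$this->assertArrayHasKey('canManageProtectedDefaultBranch', $token);`. Only the positive case for the default-branch client is pinned here; unless it is covered elsewhere in the SOX suite, the developer, reviewer and read-only clients should also be asserted to report `false`, since this flag is what gates the protected default branch. testCreateBucketInDefaultBranch's body continues outside the hunk.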
@@ -0,0 +1,84 @@
+ [
+ $this->getDefaultBranchStorageApiClient(),
+ ];
+ yield 'nobody can see token (productionManager)' => [
+ $this->getDefaultClient(),
+ ];
+ yield 'nobody can see token (developer)' => [
+ $this->getDeveloperStorageApiClient(),
+ ];
+ yield 'nobody can see token (reviewer)' => [
+ $this->getReviewerStorageApiClient(),
+ ];
+ yield 'nobody can see token (readOnly)' => [
+ $this->getReadOnlyStorageApiClient(),
+ ];
+ }
+
+ /**
+ * @dataProvider tokensProvider
+ */
+ public function testTokensVisibility(Client $client): void
+ {
+ $tokens = new Tokens($client);
+ $tokenList = $tokens->listTokens();
+ foreach ($tokenList as $token) {
+ // check all tokens are without decrypted token
+ $this->assertArrayNotHasKey('token', $token);
+ }
+
+ $token = $client->verifyToken();
+ // not visible in detail
+ $this->assertArrayNotHasKey('token', $token);
+ }
+
+ public function testCannotRefreshCanManageProtectedBranchTokenEvenSelf(): void
+ {
+ $client = $this->getDefaultBranchStorageApiClient();
+ $tokens = new Tokens($client);
+ $this->expectExceptionCode(400);
+ $this->expectExceptionMessage('Token with canManageProtectedDefaultBranch privilege cannot be refreshed');
+ $tokens->refreshToken($this->getDefaultBranchTokenId());
+ }
+
+ /**
+ * @dataProvider tokensProvider
+ */
+ public function testCannotShareCanManageProtectedBranchTokenEvenSelf(Client $client): void
+ {
+ $tokens = new Tokens($client);
+ try {
+ $tokens->shareToken(
+ $this->getDefaultBranchTokenId(),
+ 'test@devel.keboola.com',
+ 'hi'
+ );
+ $this->fail('Nobody can do this.');
+ } catch (ClientException $e) {
+ $this->assertSame(403, $e->getCode());
+ $this->assertSame('You don\'t have access to the resource.', $e->getMessage());
+ }
+ }
+}
From ca9a8f7a2e39efaa61f66993ebfe5b7f84e9cefd Mon Sep 17 00:00:00 2001
From: zajca
Date: Mon, 19 Jun 2023 14:40:09 +0200
Subject: [PATCH 2/3] update api docs
---
 apiary.apib | 6 ++++++
 1 file changed, 6 insertions(+)
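Review bot: In testTokensVisibility the `foreach` over `$tokenList` asserts nothing when `listTokens()` returns an empty list, so the check that no listed token carries its decrypted `token` value could pass vacuously; add `$this->assertNotEmpty($tokenList);` before the loop. testCannotRefreshCanManageProtectedBranchTokenEvenSelf pins only the code and message via `expectExceptionCode(400)` and `expectExceptionMessage(...)` without `$this->expectException(ClientException::class);`, which is looser than the try/catch in testCannotShareCanManageProtectedBranchTokenEvenSelf that asserts the exception type together with the exact 403 message, and the two tests should share one shape. The refresh test also exercises only the default-branch client while the share test runs across the whole tokensProvider; if the refusal is meant to hold for every client, the refresh test could take the provider too, though the expected code may differ for non-self clients, so confirm before widening it. The file's head (declarations, class header and the start of tokensProvider) is not visible in this hunk.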
diff --git a/apiary.apib b/apiary.apib
index 530687605..99a2bed6d 100644
--- a/apiary.apib
+++ b/apiary.apib
@@ -172,6 +172,7 @@ Lists all tokens in the project.
 "canManageTokens": false,
 "canReadAllFileUploads": false,
 "canPurgeTrash": false,
+ "canManageProtectedDefaultBranch": false,
 "expires": null,
 "isExpired": false,
 "isDisabled": false,
@@ -199,6 +200,7 @@ Lists all tokens in the project.
 "canManageTokens": false,
 "canReadAllFileUploads": false,
 "canPurgeTrash": false,
+ "canManageProtectedDefaultBranch": false,
 "expires": null,
 "isExpired": false,
 "isDisabled": false,
@@ -243,6 +245,7 @@ Lists all tokens in the project - **same as for default branch**.
 "canManageTokens": false,
 "canReadAllFileUploads": false,
 "canPurgeTrash": false,
+ "canManageProtectedDefaultBranch": false,
 "expires": null,
 "isExpired": false,
 "isDisabled": false,
@@ -270,6 +273,7 @@ Lists all tokens in the project - **same as for default branch**.
 "canManageTokens": false,
 "canReadAllFileUploads": false,
 "canPurgeTrash": false,
+ "canManageProtectedDefaultBranch": false,
 "expires": null,
 "isExpired": false,
 "isDisabled": false,
@@ -341,6 +345,7 @@ In this case, you are allowed to set the `description` and token expiration via
 "canManageTokens": false,
 "canReadAllFileUploads": false,
 "canPurgeTrash": false,
+ "canManageProtectedDefaultBranch": false,
 "expires": null,
 "isExpired": false,
 "isDisabled": false,
@@ -487,6 +492,7 @@ bucket permissions, don't forget to specify the previous permissions.
 "canManageTokens": false,
 "canReadAllFileUploads": false,
 "canPurgeTrash": false,
+ "canManageProtectedDefaultBranch": false,
 "expires": null,
 "isExpired": false,
 "isDisabled": false,
From e79abe47d7095050310777414eb3447838797939 Mon Sep 17 00:00:00 2001
From: zajca
Date: Mon, 19 Jun 2023 14:47:12 +0200
Subject: [PATCH 3/3] update files in sox suite
---
 phpunit.xml.dist | 1 +
 1 file changed, 1 insertion(+)
diff --git a/phpunit.xml.dist b/phpunit.xml.dist
index cf479a6f8..90cc96a57 100644
--- a/phpunit.xml.dist
+++ b/phpunit.xml.dist
@@ -306,6 +306,7 @@
 tests/Backend/SOX
+ tests/Backend/SOX/SOXTokensTest.php
 tests-unit