SOX-78 tokens #1085

Merged
merged 3 commits into from
Jun 20, 2023
6 changes: 6 additions & 0 deletions apiary.apib
Expand Up @@ -172,6 +172,7 @@ Lists all tokens in the project.
"canManageTokens": false,
"canReadAllFileUploads": false,
"canPurgeTrash": false,
"canManageProtectedDefaultBranch": false,
"expires": null,
"isExpired": false,
"isDisabled": false,
Expand Down Expand Up @@ -199,6 +200,7 @@ Lists all tokens in the project.
"canManageTokens": false,
"canReadAllFileUploads": false,
"canPurgeTrash": false,
"canManageProtectedDefaultBranch": false,
"expires": null,
"isExpired": false,
"isDisabled": false,
Expand Down Expand Up @@ -243,6 +245,7 @@ Lists all tokens in the project - **same as for default branch**.
"canManageTokens": false,
"canReadAllFileUploads": false,
"canPurgeTrash": false,
"canManageProtectedDefaultBranch": false,
"expires": null,
"isExpired": false,
"isDisabled": false,
Expand Down Expand Up @@ -270,6 +273,7 @@ Lists all tokens in the project - **same as for default branch**.
"canManageTokens": false,
"canReadAllFileUploads": false,
"canPurgeTrash": false,
"canManageProtectedDefaultBranch": false,
"expires": null,
"isExpired": false,
"isDisabled": false,
Expand Down Expand Up @@ -341,6 +345,7 @@ In this case, you are allowed to set the `description` and token expiration via
"canManageTokens": false,
"canReadAllFileUploads": false,
"canPurgeTrash": false,
"canManageProtectedDefaultBranch": false,
"expires": null,
"isExpired": false,
"isDisabled": false,
Expand Down Expand Up @@ -487,6 +492,7 @@ bucket permissions, don't forget to specify the previous permissions.
"canManageTokens": false,
"canReadAllFileUploads": false,
"canPurgeTrash": false,
"canManageProtectedDefaultBranch": false,
"expires": null,
"isExpired": false,
"isDisabled": false,
1 change: 1 addition & 0 deletions phpunit.xml.dist
Expand Up @@ -306,6 +306,7 @@
<testsuite name="sync-sox-snowflake">
<!--This is temporary to check something-->
<directory>tests/Backend/SOX</directory>
<exclude>tests/Backend/SOX/SOXTokensTest.php</exclude>
</testsuite>
<testsuite name="unit">
<directory>tests-unit</directory>
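Review bot: The new `<exclude>tests/Backend/SOX/SOXTokensTest.php</exclude>` removes the file added by this PR from the `sync-sox-snowflake` suite without stating why, and the only nearby comment ("This is temporary to check something") belongs to the suite as a whole, not to this exclusion. A reader cannot tell whether the token-privilege behaviour the test covers is not available on that backend or whether this is another temporary measure. Put the reason next to the exclude, e.g. `<!-- SOXTokensTest: <reason for excluding from the snowflake sync suite>; tracked in SOX-78 -->`, with the placeholder replaced by the real reason. Please also confirm that some other suite in this file includes tests/Backend/SOX so the new test actually runs in CI.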
1 change: 1 addition & 0 deletions tests/Backend/SOX/SOXCommonTest.php
Expand Up @@ -14,6 +14,7 @@ public function testCreateBucketInDefaultBranch(): void
$client = $this->getDefaultBranchStorageApiClient();
$token = $client->verifyToken();
$this->assertArrayNotHasKey('admin', $token);
$this->assertTrue($token['canManageProtectedDefaultBranch']);
$bucketId = $client->createBucket('test', 'in');
$client->dropBucket($bucketId, ['async' => true]);

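Review bot: `$this->assertTrue($token['canManageProtectedDefaultBranch']);` indexes the verifyToken() response directly, so if the API omits the key the test dies on an undefined array key rather than with a readable assertion failure. Add `$this->assertArrayHasKey('canManageProtectedDefaultBranch', $token);` on the line before it, mirroring the `assertArrayNotHasKey('admin', $token)` check just above, so a missing field and a false field produce distinct messages. testCreateBucketInDefaultBranch starts before this hunk and its body continues after it.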
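--- a/tests/Backend/SOX/SOXTokensTest.php
+++ b/tests/Backend/SOX/SOXTokensTest.php
@@ -0,0 +1,84 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Keboola\Test\Backend\SOX;
+
+use Generator;
+use Keboola\StorageApi\Client;
+use Keboola\StorageApi\ClientException;
+use Keboola\StorageApi\Tokens;
+use Keboola\Test\StorageApiTestCase;
+
+class SOXTokensTest extends StorageApiTestCase
+{
+private function getDefaultBranchTokenId(): int
+{
+[, $tokenId,] = explode('-', STORAGE_API_DEFAULT_BRANCH_TOKEN);
+return (int) $tokenId;
+}
+
+public function tokensProvider(): Generator
+{
+yield 'nobody can see token (privileged)' => [
+$this->getDefaultBranchStorageApiClient(),
+];
+yield 'nobody can see token (productionManager)' => [
+$this->getDefaultClient(),
+];
+yield 'nobody can see token (developer)' => [
+$this->getDeveloperStorageApiClient(),
+];
+yield 'nobody can see token (reviewer)' => [
+$this->getReviewerStorageApiClient(),
+];
+yield 'nobody can see token (readOnly)' => [
+$this->getReadOnlyStorageApiClient(),
+];
+}
+
+/**
+* @dataProvider tokensProvider
+*/
+public function testTokensVisibility(Client $client): void
+{
+$tokens = new Tokens($client);
+$tokenList = $tokens->listTokens();
+foreach ($tokenList as $token) {
+// check all tokens are without decrypted token
+$this->assertArrayNotHasKey('token', $token);
+}
+
+$token = $client->verifyToken();
+// not visible in detail
+$this->assertArrayNotHasKey('token', $token);
+}
+
+public function testCannotRefreshCanManageProtectedBranchTokenEvenSelf(): void
+{
+$client = $this->getDefaultBranchStorageApiClient();
+$tokens = new Tokens($client);
+$this->expectExceptionCode(400);
+$this->expectExceptionMessage('Token with canManageProtectedDefaultBranch privilege cannot be refreshed');
+$tokens->refreshToken($this->getDefaultBranchTokenId());
+}
+
+/**
+* @dataProvider tokensProvider
+*/
+public function testCannotShareCanManageProtectedBranchTokenEvenSelf(Client $client): void
+{
+$tokens = new Tokens($client);
+try {
+$tokens->shareToken(
+$this->getDefaultBranchTokenId(),
+'test@devel.keboola.com',
+'hi'
+);
+$this->fail('Nobody can do this.');
+} catch (ClientException $e) {
+$this->assertSame(403, $e->getCode());
+$this->assertSame('You don\'t have access to the resource.', $e->getMessage());
+}
+}
+}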
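Review bot: testCannotRefreshCanManageProtectedBranchTokenEvenSelf only sets `expectExceptionCode(400)` and `expectExceptionMessage(...)`, so any exception type carrying that code and message satisfies it, whereas the sibling testCannotShareCanManageProtectedBranchTokenEvenSelf pins `ClientException` through its catch block. Add `$this->expectException(ClientException::class);` ahead of the two expect* calls so the test proves the refusal came from the Storage API rather than from some other failure with a coincidental code. The two negative tests also use different styles (expect* versus try/catch/fail); settling on one would make the file easier to scan. Separately, `getDefaultBranchTokenId()` assumes `STORAGE_API_DEFAULT_BRANCH_TOKEN` has at least three dash-separated parts with the numeric id second; a differently shaped value silently yields id 0 or a warning, so a one-line comment stating the expected shape would help whoever next changes the test environment.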