tests/Integration/Api/Client/Server/Database/DatabaseAuthorizationTest.php

<?php

namespace App\Tests\Integration\Api\Client\Server\Database;

use App\Models\Database;
use App\Models\DatabaseHost;
use App\Models\Subuser;
use App\Services\Databases\DatabaseManagementService;
use App\Tests\Integration\Api\Client\ClientApiIntegrationTestCase;
use PHPUnit\Framework\Attributes\DataProvider;

class DatabaseAuthorizationTest extends ClientApiIntegrationTestCase
{
    #[DataProvider('methodDataProvider')]
    public function test_access_to_a_servers_databases_is_restricted_properly(string $method, string $endpoint): void
    {
        // The API $user is the owner of $server1.
        [$user, $server1] = $this->generateTestAccount();
        // Will be a subuser of $server2.
        $server2 = $this->createServerModel();
        // And as no access to $server3.
        $server3 = $this->createServerModel();

        $host = DatabaseHost::factory()->create([]);

        // Set the API $user as a subuser of server 2, but with no permissions
        // to do anything with the databases for that server.
        Subuser::factory()->create(['server_id' => $server2->id, 'user_id' => $user->id]);

        $database1 = Database::factory()->create(['server_id' => $server1->id, 'database_host_id' => $host->id]);
        $database2 = Database::factory()->create(['server_id' => $server2->id, 'database_host_id' => $host->id]);
        $database3 = Database::factory()->create(['server_id' => $server3->id, 'database_host_id' => $host->id]);

        $this
            ->mock(DatabaseManagementService::class)
            ->expects($method === 'POST' ? 'rotatePassword' : 'delete')
            ->andReturn($method === 'POST' ? 'foo' : null);

        // This is the only valid call for this test, accessing the database for the same
        // server that the API user is the owner of.
        $this->actingAs($user)->json($method, $this->link($server1, '/databases/' . $database1->id . $endpoint))
            ->assertStatus($method === 'DELETE' ? 204 : 200);

        // This request fails because the database is valid for that server but the user
        // making the request is not authorized to perform that action.
        $this->actingAs($user)->json($method, $this->link($server2, '/databases/' . $database2->id . $endpoint))->assertForbidden();

        // Both of these should report a 404 error due to the database being linked to
        // servers that are not the same as the server in the request, or are assigned
        // to a server for which the user making the request has no access to.
        $this->actingAs($user)->json($method, $this->link($server1, '/databases/' . $database2->id . $endpoint))->assertNotFound();
        $this->actingAs($user)->json($method, $this->link($server1, '/databases/' . $database3->id . $endpoint))->assertNotFound();
        $this->actingAs($user)->json($method, $this->link($server2, '/databases/' . $database3->id . $endpoint))->assertNotFound();
        $this->actingAs($user)->json($method, $this->link($server3, '/databases/' . $database3->id . $endpoint))->assertNotFound();
    }

    public static function methodDataProvider(): array
    {
        return [
            ['POST', '/rotate-password'],
            ['DELETE', ''],
        ];
    }
}
Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00			`<?php`

Switch namespace back to App 2024-03-12 22:39:16 -04:00			`namespace App\Tests\Integration\Api\Client\Server\Database;`
Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00
Switch namespace back to App 2024-03-12 22:39:16 -04:00			`use App\Models\Database;`
			`use App\Models\DatabaseHost;`
Enable "ordered imports" (#1746) 2025-09-24 13:34:19 +02:00			`use App\Models\Subuser;`
Switch namespace back to App 2024-03-12 22:39:16 -04:00			`use App\Services\Databases\DatabaseManagementService;`
			`use App\Tests\Integration\Api\Client\ClientApiIntegrationTestCase;`
Use PestPHP (#962) * Install Pest * Don’t use bootstrap file anymore * Fix comment * Think this is needed * Reset this * Switch dataproviders to attributes * Fix these * Support in memory databases * Fix this migration * Switch this back for now * Add missing import * Truncate and reseed database * These are replaced now * Switch ci to use pest 2025-01-30 16:39:17 -05:00			`use PHPUnit\Framework\Attributes\DataProvider;`
Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00
			`class DatabaseAuthorizationTest extends ClientApiIntegrationTestCase`
			`{`
Use PestPHP (#962) * Install Pest * Don’t use bootstrap file anymore * Fix comment * Think this is needed * Reset this * Switch dataproviders to attributes * Fix these * Support in memory databases * Fix this migration * Switch this back for now * Add missing import * Truncate and reseed database * These are replaced now * Switch ci to use pest 2025-01-30 16:39:17 -05:00			`#[DataProvider('methodDataProvider')]`
chore: Upgrade Dependencies (#1005) * chore: yarn upgrade * chore: composer upgrade * chore: php artisan filament:upgrade * chore: update filament-monaco-editor-views * chore: update filament-monaco-editor-configs * chore: move turnstile-views to plugins * fix monaco-editor loader & css 2025-02-25 14:22:07 +01:00			`public function test_access_to_a_servers_databases_is_restricted_properly(string $method, string $endpoint): void`
Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00			`{`
			`// The API $user is the owner of $server1.`
			`[$user, $server1] = $this->generateTestAccount();`
			`// Will be a subuser of $server2.`
			`$server2 = $this->createServerModel();`
			`// And as no access to $server3.`
			`$server3 = $this->createServerModel();`

Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 12:09:16 -08:00			`$host = DatabaseHost::factory()->create([]);`
Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00
			`// Set the API $user as a subuser of server 2, but with no permissions`
			`// to do anything with the databases for that server.`
Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 12:09:16 -08:00			`Subuser::factory()->create(['server_id' => $server2->id, 'user_id' => $user->id]);`
Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00
Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 12:09:16 -08:00			`$database1 = Database::factory()->create(['server_id' => $server1->id, 'database_host_id' => $host->id]);`
			`$database2 = Database::factory()->create(['server_id' => $server2->id, 'database_host_id' => $host->id]);`
			`$database3 = Database::factory()->create(['server_id' => $server3->id, 'database_host_id' => $host->id]);`
Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00
Upgrade to Laravel 9 (#4413) Co-authored-by: DaneEveritt <dane@daneeveritt.com> 2022-10-14 10:59:20 -06:00			`$this`
Refactor & Catch DatabaseManagementService (#1671) Co-authored-by: notCharles <charles@pelican.dev> 2025-09-06 22:57:11 +02:00			`->mock(DatabaseManagementService::class)`
			`->expects($method === 'POST' ? 'rotatePassword' : 'delete')`
Upgrade to Laravel 9 (#4413) Co-authored-by: DaneEveritt <dane@daneeveritt.com> 2022-10-14 10:59:20 -06:00			`->andReturn($method === 'POST' ? 'foo' : null);`
Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00
			`// This is the only valid call for this test, accessing the database for the same`
			`// server that the API user is the owner of.`
Remove hashids (#282) and close #269 2024-05-30 00:41:44 +02:00			`$this->actingAs($user)->json($method, $this->link($server1, '/databases/' . $database1->id . $endpoint))`
Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00			`->assertStatus($method === 'DELETE' ? 204 : 200);`

			`// This request fails because the database is valid for that server but the user`
			`// making the request is not authorized to perform that action.`
Remove hashids (#282) and close #269 2024-05-30 00:41:44 +02:00			`$this->actingAs($user)->json($method, $this->link($server2, '/databases/' . $database2->id . $endpoint))->assertForbidden();`
Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00
			`// Both of these should report a 404 error due to the database being linked to`
			`// servers that are not the same as the server in the request, or are assigned`
			`// to a server for which the user making the request has no access to.`
Remove hashids (#282) and close #269 2024-05-30 00:41:44 +02:00			`$this->actingAs($user)->json($method, $this->link($server1, '/databases/' . $database2->id . $endpoint))->assertNotFound();`
			`$this->actingAs($user)->json($method, $this->link($server1, '/databases/' . $database3->id . $endpoint))->assertNotFound();`
			`$this->actingAs($user)->json($method, $this->link($server2, '/databases/' . $database3->id . $endpoint))->assertNotFound();`
			`$this->actingAs($user)->json($method, $this->link($server3, '/databases/' . $database3->id . $endpoint))->assertNotFound();`
Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00			`}`

Laravel 10 (#4706) 2023-02-23 12:30:16 -07:00			`public static function methodDataProvider(): array`
Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00			`{`
			`return [`
Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 12:09:16 -08:00			`['POST', '/rotate-password'],`
			`['DELETE', ''],`
Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00			`];`
			`}`
			`}`