ElyBy-Mirror/accounts
1
0
Fork 0
mirror of https://github.com/elyby/accounts.git synced 2025-05-31 14:11:46 +05:30
Code Issues Packages Projects Releases Wiki Activity

Fixed almost everything, but all functional tests are broken at the last minute :(

Browse Source
This commit is contained in:
ErickSkrauch
2019-08-02 03:29:20 +03:00
parent 6bd054e743
commit f2ab7346aa
45 changed files with 504 additions and 377 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
common/codeception.dist.yml
View File

@@ -17,5 +17,6 @@ coverage:
exclude:
- config/*
- mail/*
- tests/*
- codeception.dist.yml
- codeception.yml

2
common/config/config.php
View File

@@ -98,7 +98,7 @@ return [
'class' => api\components\OAuth2\Component::class,
],
'authManager' => [
'class' => common\rbac\Manager::class,
'class' => \api\rbac\Manager::class,
'itemFile' => '@common/rbac/.generated/items.php',
'ruleFile' => '@common/rbac/.generated/rules.php',
],

2
common/rbac/.generated/.gitignore vendored
View File

@@ -1,2 +0,0 @@
*
!.gitignore

34
common/rbac/Manager.php
View File

@@ -1,34 +0,0 @@
<?php
namespace common\rbac;
use Yii;
use yii\rbac\PhpManager;
class Manager extends PhpManager {
/**
* In our application the permissions are given not to users but to tokens,
* so we receive $accessToken here and extract all the assigned scopes from it.
*
* In Yii2, the mechanism of recursive permissions checking requires that the array with permissions
* is indexed by the keys of these rights, so at the end we turn the array inside out.
*
* @param string $accessToken
* @return string[]
*/
public function getAssignments($accessToken): array {
$identity = Yii::$app->user->findIdentityByAccessToken($accessToken);
if ($identity === null) {
return [];
}
/** @noinspection NullPointerExceptionInspection */
$permissions = $identity->getAssignedPermissions();
if (empty($permissions)) {
return [];
}
return array_flip($permissions);
}
}

39
common/rbac/Permissions.php
View File

@@ -1,39 +0,0 @@
<?php
namespace common\rbac;
final class Permissions {
// Top level Controller permissions
public const OBTAIN_ACCOUNT_INFO = 'obtain_account_info';
public const CHANGE_ACCOUNT_LANGUAGE = 'change_account_language';
public const CHANGE_ACCOUNT_USERNAME = 'change_account_username';
public const CHANGE_ACCOUNT_PASSWORD = 'change_account_password';
public const CHANGE_ACCOUNT_EMAIL = 'change_account_email';
public const MANAGE_TWO_FACTOR_AUTH = 'manage_two_factor_auth';
public const BLOCK_ACCOUNT = 'block_account';
public const COMPLETE_OAUTH_FLOW = 'complete_oauth_flow';
public const CREATE_OAUTH_CLIENTS = 'create_oauth_clients';
public const VIEW_OAUTH_CLIENTS = 'view_oauth_clients';
public const MANAGE_OAUTH_CLIENTS = 'manage_oauth_clients';
// Personal level controller permissions
public const OBTAIN_OWN_ACCOUNT_INFO = 'obtain_own_account_info';
public const OBTAIN_OWN_EXTENDED_ACCOUNT_INFO = 'obtain_own_extended_account_info';
public const CHANGE_OWN_ACCOUNT_LANGUAGE = 'change_own_account_language';
public const ACCEPT_NEW_PROJECT_RULES = 'accept_new_project_rules';
public const CHANGE_OWN_ACCOUNT_USERNAME = 'change_own_account_username';
public const CHANGE_OWN_ACCOUNT_PASSWORD = 'change_own_account_password';
public const CHANGE_OWN_ACCOUNT_EMAIL = 'change_own_account_email';
public const MANAGE_OWN_TWO_FACTOR_AUTH = 'manage_own_two_factor_auth';
public const MINECRAFT_SERVER_SESSION = 'minecraft_server_session';
public const VIEW_OWN_OAUTH_CLIENTS = 'view_own_oauth_clients';
public const MANAGE_OWN_OAUTH_CLIENTS = 'manage_own_oauth_clients';
// Data permissions
public const OBTAIN_ACCOUNT_EMAIL = 'obtain_account_email';
public const OBTAIN_EXTENDED_ACCOUNT_INFO = 'obtain_account_extended_info';
// Service permissions
public const ESCAPE_IDENTITY_VERIFICATION = 'escape_identity_verification';
}

8
common/rbac/Roles.php
View File

@@ -1,8 +0,0 @@
<?php
namespace common\rbac;
final class Roles {
public const ACCOUNTS_WEB_USER = 'accounts_web_user';
}

57
common/rbac/rules/AccountOwner.php
View File

@@ -1,57 +0,0 @@
<?php
namespace common\rbac\rules;
use common\models\Account;
use Yii;
use yii\rbac\Rule;
class AccountOwner extends Rule {
public $name = 'account_owner';
/**
* In our application the permissions are given not to users but to tokens,
* so we receive $accessToken here and extract all the assigned scopes from it.
*
* @param string|int $accessToken
* @param \yii\rbac\Item $item
* @param array $params the "accountId" parameter must be passed as the id of the account
* to which the request is made
* the "optionalRules" parameter allows you to disable the mandatory acceptance
* of the latest version of the rules
*
* @return bool a value indicating whether the rule permits the auth item it is associated with.
*/
public function execute($accessToken, $item, $params): bool {
$accountId = $params['accountId'] ?? null;
if ($accountId === null) {
return false;
}
$identity = Yii::$app->user->findIdentityByAccessToken($accessToken);
if ($identity === null) {
return false;
}
$account = $identity->getAccount();
if ($account === null) {
return false;
}
if ($account->id !== (int)$accountId) {
return false;
}
if ($account->status !== Account::STATUS_ACTIVE) {
return false;
}
$actualRulesOptional = $params['optionalRules'] ?? false;
if (!$actualRulesOptional && !$account->isAgreedWithActualRules()) {
return false;
}
return true;
}
}

61
common/rbac/rules/OauthClientOwner.php
View File

@@ -1,61 +0,0 @@
<?php
declare(strict_types=1);
namespace common\rbac\rules;
use common\models\OauthClient;
use common\rbac\Permissions as P;
use Yii;
use yii\rbac\Rule;
class OauthClientOwner extends Rule {
public $name = 'oauth_client_owner';
/**
* Accepts 2 params:
* - clientId - it's the client id, that user want access to.
* - accountId - if it is passed to check the VIEW_OAUTH_CLIENTS permission, then it will
* check, that current user have access to the provided account.
*
* @param string|int $accessToken
* @param \yii\rbac\Item $item
* @param array $params
*
* @return bool a value indicating whether the rule permits the auth item it is associated with.
*/
public function execute($accessToken, $item, $params): bool {
$accountId = $params['accountId'] ?? null;
if ($accountId !== null && $item->name === P::VIEW_OWN_OAUTH_CLIENTS) {
return (new AccountOwner())->execute($accessToken, $item, ['accountId' => $accountId]);
}
$clientId = $params['clientId'] ?? null;
if ($clientId === null) {
return false;
}
/** @var OauthClient|null $client */
$client = OauthClient::findOne($clientId);
if ($client === null) {
return true;
}
$identity = Yii::$app->user->findIdentityByAccessToken($accessToken);
if ($identity === null) {
return false;
}
$account = $identity->getAccount();
if ($account === null) {
return false;
}
if ($account->id !== $client->account_id) {
return false;
}
return true;
}
}

59
common/tests/unit/rbac/rules/AccountOwnerTest.php
View File

@@ -1,59 +0,0 @@
<?php
declare(strict_types=1);
namespace common\tests\unit\rbac\rules;
use api\components\User\Component;
use api\components\User\IdentityInterface;
use common\models\Account;
use common\rbac\rules\AccountOwner;
use common\tests\unit\TestCase;
use Yii;
use yii\rbac\Item;
use const common\LATEST_RULES_VERSION;
class AccountOwnerTest extends TestCase {
public function testIdentityIsNull() {
$component = mock(Component::class . '[findIdentityByAccessToken]');
$component->makePartial();
$component->shouldReceive('findIdentityByAccessToken')->andReturn(null);
Yii::$app->set('user', $component);
$this->assertFalse((new AccountOwner())->execute('some token', new Item(), ['accountId' => 123]));
}
public function testExecute() {
$rule = new AccountOwner();
$item = new Item();
$account = new Account();
$account->id = 1;
$account->status = Account::STATUS_ACTIVE;
$account->rules_agreement_version = LATEST_RULES_VERSION;
$identity = mock(IdentityInterface::class);
$identity->shouldReceive('getAccount')->andReturn($account);
$component = mock(Component::class . '[findIdentityByAccessToken]');
$component->makePartial();
$component->shouldReceive('findIdentityByAccessToken')->withArgs(['token'])->andReturn($identity);
Yii::$app->set('user', $component);
$this->assertFalse($rule->execute('token', $item, []));
$this->assertFalse($rule->execute('token', $item, ['accountId' => 2]));
$this->assertFalse($rule->execute('token', $item, ['accountId' => '2']));
$this->assertTrue($rule->execute('token', $item, ['accountId' => 1]));
$this->assertTrue($rule->execute('token', $item, ['accountId' => '1']));
$account->rules_agreement_version = null;
$this->assertFalse($rule->execute('token', $item, ['accountId' => 1]));
$this->assertTrue($rule->execute('token', $item, ['accountId' => 1, 'optionalRules' => true]));
$account->rules_agreement_version = LATEST_RULES_VERSION;
$account->status = Account::STATUS_BANNED;
$this->assertFalse($rule->execute('token', $item, ['accountId' => 1]));
$this->assertFalse($rule->execute('token', $item, ['accountId' => 1, 'optionalRules' => true]));
}
}

55
common/tests/unit/rbac/rules/OauthClientOwnerTest.php
View File

@@ -1,55 +0,0 @@
<?php
declare(strict_types=1);
namespace common\tests\unit\rbac\rules;
use api\components\User\Component;
use api\components\User\IdentityInterface;
use common\models\Account;
use common\rbac\Permissions as P;
use common\rbac\rules\OauthClientOwner;
use common\tests\fixtures\OauthClientFixture;
use common\tests\unit\TestCase;
use Yii;
use yii\rbac\Item;
use const common\LATEST_RULES_VERSION;
class OauthClientOwnerTest extends TestCase {
public function _fixtures(): array {
return [
'oauthClients' => OauthClientFixture::class,
];
}
public function testExecute() {
$rule = new OauthClientOwner();
$item = new Item();
$account = new Account();
$account->id = 1;
$account->status = Account::STATUS_ACTIVE;
$account->rules_agreement_version = LATEST_RULES_VERSION;
/** @var IdentityInterface|\Mockery\MockInterface $identity */
$identity = mock(IdentityInterface::class);
$identity->shouldReceive('getAccount')->andReturn($account);
/** @var Component|\Mockery\MockInterface $component */
$component = mock(Component::class . '[findIdentityByAccessToken]');
$component->makePartial();
$component->shouldReceive('findIdentityByAccessToken')->withArgs(['token'])->andReturn($identity);
Yii::$app->set('user', $component);
$this->assertFalse($rule->execute('token', $item, []));
$this->assertTrue($rule->execute('token', $item, ['clientId' => 'admin-oauth-client']));
$this->assertTrue($rule->execute('token', $item, ['clientId' => 'not-exists-client']));
$account->id = 2;
$this->assertFalse($rule->execute('token', $item, ['clientId' => 'admin-oauth-client']));
$item->name = P::VIEW_OWN_OAUTH_CLIENTS;
$this->assertTrue($rule->execute('token', $item, ['accountId' => 2]));
$this->assertFalse($rule->execute('token', $item, ['accountId' => 1]));
}
}