<?php
use App\Models\CloudInitScript;
use App\Models\CloudProviderToken;
use App\Models\InstanceSettings;
use App\Models\PersonalAccessToken;
use App\Models\PrivateKey;
use App\Models\Team;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Str;
// Every test in this file runs with the RefreshDatabase trait applied.
uses(RefreshDatabase::class);

/*
 * Shared fixture for the policy checks below: one team, an 'admin' user and a
 * 'member' user attached to it, and one private_keys row owned by that team.
 */
beforeEach(function () {
    InstanceSettings::updateOrCreate(['id' => 0]);

    $this->team = Team::factory()->create();

    $this->admin = User::factory()->create();
    $this->admin->teams()->attach($this->team, ['role' => 'admin']);

    $this->member = User::factory()->create();
    $this->member->teams()->attach($this->team, ['role' => 'member']);

    // The row is written through the query builder, not the PrivateKey model.
    // NOTE(review): presumably this sidesteps model-level handling of the key
    // material (validation / casting) — confirm. 'test-key-content' is a
    // placeholder, not a usable key; the tests here only ask the policy for a
    // decision and never read the stored value back.
    $keyRow = [
        'uuid' => (string) Str::uuid(),
        'name' => 'Team SSH Key',
        'description' => 'Key for testing',
        'private_key' => 'test-key-content',
        'team_id' => $this->team->id,
        'created_at' => now(),
        'updated_at' => now(),
    ];
    DB::table('private_keys')->insert($keyRow);

    // Load the inserted row back as a model so it can be passed to can().
    $this->privateKey = PrivateKey::where('team_id', $this->team->id)->first();
});
// --- Private Key Policy ---
//
// Expected matrix asserted below, for a key owned by the fixture team:
//   admin  : create, view, update, delete -> allowed
//   member : view -> allowed; create, update, delete -> denied
//   admin of an unrelated team : view -> denied
//
// NOTE(review): only the 'create' checks authenticate the user and put
// 'currentTeam' in the session; the view/update/delete checks call can() on
// the user model directly. If the policy derives the role from the session's
// current team, confirm those checks exercise the intended code path.
// NOTE(review): for the user from a different team only 'view' is asserted in
// the tests shown here; cross-team 'update' and 'delete' are not covered.

test('admin can create private key', function () {
    $this->actingAs($this->admin);
    session(['currentTeam' => $this->team]);

    $actor = auth()->user();
    expect($actor->can('create', PrivateKey::class))->toBeTrue();
});

test('member cannot create private key', function () {
    $this->actingAs($this->member);
    session(['currentTeam' => $this->team]);

    $actor = auth()->user();
    expect($actor->can('create', PrivateKey::class))->toBeFalse();
});

test('admin can view private key', function () {
    $allowed = $this->admin->can('view', $this->privateKey);

    expect($allowed)->toBeTrue();
});

test('member can view own team private key', function () {
    $allowed = $this->member->can('view', $this->privateKey);

    expect($allowed)->toBeTrue();
});

test('admin can update private key', function () {
    $allowed = $this->admin->can('update', $this->privateKey);

    expect($allowed)->toBeTrue();
});

test('member cannot update private key', function () {
    $allowed = $this->member->can('update', $this->privateKey);

    expect($allowed)->toBeFalse();
});

test('admin can delete private key', function () {
    $allowed = $this->admin->can('delete', $this->privateKey);

    expect($allowed)->toBeTrue();
});

test('member cannot delete private key', function () {
    $allowed = $this->member->can('delete', $this->privateKey);

    expect($allowed)->toBeFalse();
});

test('user from different team cannot view private key', function () {
    // The outsider is an admin, but of a team that does not own the key, so a
    // pass here shows the role alone does not grant access across teams.
    $otherTeam = Team::factory()->create();
    $otherUser = User::factory()->create();
    $otherUser->teams()->attach($otherTeam, ['role' => 'admin']);

    $allowed = $otherUser->can('view', $this->privateKey);

    expect($allowed)->toBeFalse();
});
// --- Cloud Provider Token Policy ---
//
// Class-level abilities only: 'create' for admin (allowed) and member
// (denied), and 'viewAny' for admin (allowed).
//
// NOTE(review): the tests shown here have no 'viewAny' assertion for the
// member and no per-token (view/update/delete) or cross-team assertions, so
// those decisions are not pinned by this section.

test('admin can create cloud provider token', function () {
    $this->actingAs($this->admin);
    session(['currentTeam' => $this->team]);

    $actor = auth()->user();
    expect($actor->can('create', CloudProviderToken::class))->toBeTrue();
});

test('member cannot create cloud provider token', function () {
    $this->actingAs($this->member);
    session(['currentTeam' => $this->team]);

    $actor = auth()->user();
    expect($actor->can('create', CloudProviderToken::class))->toBeFalse();
});

test('admin can view any cloud provider tokens', function () {
    $this->actingAs($this->admin);
    session(['currentTeam' => $this->team]);

    $actor = auth()->user();
    expect($actor->can('viewAny', CloudProviderToken::class))->toBeTrue();
});
// --- Cloud Init Script Policy ---
//
// Same shape as the cloud provider token section: 'create' for admin
// (allowed) and member (denied), and 'viewAny' for admin (allowed).
//
// NOTE(review): the tests shown here do not assert the member's 'viewAny'
// decision or any per-script ability.

test('admin can create cloud init script', function () {
    $this->actingAs($this->admin);
    session(['currentTeam' => $this->team]);

    $actor = auth()->user();
    expect($actor->can('create', CloudInitScript::class))->toBeTrue();
});

test('member cannot create cloud init script', function () {
    $this->actingAs($this->member);
    session(['currentTeam' => $this->team]);

    $actor = auth()->user();
    expect($actor->can('create', CloudInitScript::class))->toBeFalse();
});

test('admin can view any cloud init scripts', function () {
    $this->actingAs($this->admin);
    session(['currentTeam' => $this->team]);

    $actor = auth()->user();
    expect($actor->can('viewAny', CloudInitScript::class))->toBeTrue();
});
// --- Personal Access Token (API Token) Policy ---
//
// Token creation is open to a plain member; the elevated scopes are gated:
//   'useRootPermissions'  : admin allowed, member denied
//   'useWritePermissions' : member denied
//
// NOTE(review): 'useWritePermissions' has no positive counterpart for the
// admin in the tests shown here, and "any user" is demonstrated with the
// member only.

test('any user can create personal access token', function () {
    $this->actingAs($this->member);
    session(['currentTeam' => $this->team]);

    $actor = auth()->user();
    expect($actor->can('create', PersonalAccessToken::class))->toBeTrue();
});

test('admin can use root permissions for api tokens', function () {
    $this->actingAs($this->admin);
    session(['currentTeam' => $this->team]);

    $actor = auth()->user();
    expect($actor->can('useRootPermissions', PersonalAccessToken::class))->toBeTrue();
});

test('member cannot use root permissions for api tokens', function () {
    $this->actingAs($this->member);
    session(['currentTeam' => $this->team]);

    $actor = auth()->user();
    expect($actor->can('useRootPermissions', PersonalAccessToken::class))->toBeFalse();
});

test('member cannot use write permissions for api tokens', function () {
    $this->actingAs($this->member);
    session(['currentTeam' => $this->team]);

    $actor = auth()->user();
    expect($actor->can('useWritePermissions', PersonalAccessToken::class))->toBeFalse();
});