ElyBy-Mirror/accounts
1
0
Fork 0
mirror of https://github.com/elyby/accounts.git synced 2024-11-08 13:42:30 +05:30
Code Issues Packages Projects Releases Wiki Activity

Implemented account deletion. Not all cases covered with tests [skip ci]

Browse Source
This commit is contained in:
ErickSkrauch 2020-06-12 00:27:02 +03:00
parent c86817a93d
commit 0183e54442
No known key found for this signature in database
GPG Key ID: 669339FCBB30EE0E
56 changed files with 1041 additions and 188 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
api/config/routes.php
View File

@ -12,6 +12,7 @@ return [
// Accounts module routes
'GET /v1/accounts/<id:\d+>' => 'accounts/default/get',
'DELETE /v1/accounts/<id:\d+>' => 'accounts/default/delete',
'GET /v1/accounts/<id:\d+>/two-factor-auth' => 'accounts/default/get-two-factor-auth-credentials',
'POST /v1/accounts/<id:\d+>/two-factor-auth' => 'accounts/default/enable-two-factor-auth',
'DELETE /v1/accounts/<id:\d+>/two-factor-auth' => 'accounts/default/disable-two-factor-auth',

7
api/models/base/BaseAccountForm.php
View File

@ -1,14 +1,13 @@
<?php
declare(strict_types=1);
namespace api\models\base;
use common\models\Account;
class BaseAccountForm extends ApiForm {
/**
* @var Account
*/
private $account;
private Account $account;
public function __construct(Account $account, array $config = []) {
parent::__construct($config);

14
api/modules/accounts/actions/DeleteAccountAction.php Normal file
View File

@ -0,0 +1,14 @@
<?php
declare(strict_types=1);
namespace api\modules\accounts\actions;
use api\modules\accounts\models\DeleteAccountForm;
final class DeleteAccountAction extends BaseAccountAction {
protected function getFormClassName(): string {
return DeleteAccountForm::class;
}
}

14
api/modules/accounts/actions/RestoreAccountAction.php Normal file
View File

@ -0,0 +1,14 @@
<?php
declare(strict_types=1);
namespace api\modules\accounts\actions;
use api\modules\accounts\models\RestoreAccountForm;
final class RestoreAccountAction extends BaseAccountAction {
protected function getFormClassName(): string {
return RestoreAccountForm::class;
}
}

95
api/modules/accounts/controllers/DefaultController.php
View File

@ -1,4 +1,6 @@
<?php
declare(strict_types=1);
namespace api\modules\accounts\controllers;
use api\controllers\Controller;
@ -9,29 +11,13 @@ use api\rbac\Permissions as P;
use common\models\Account;
use Yii;
use yii\filters\AccessControl;
use yii\filters\VerbFilter;
use yii\helpers\ArrayHelper;
use yii\web\NotFoundHttpException;
class DefaultController extends Controller {
public function behaviors(): array {
$paramsCallback = function(): array {
$id = (int)Yii::$app->request->get('id');
if ($id === 0) {
$identity = Yii::$app->user->getIdentity();
if ($identity !== null) {
$account = $identity->getAccount();
if ($account !== null) {
$id = $account->id;
}
}
}
return [
'accountId' => $id,
];
};
return ArrayHelper::merge(parent::behaviors(), [
'access' => [
'class' => AccessControl::class,
@ -40,29 +26,28 @@ class DefaultController extends Controller {
'allow' => true,
'actions' => ['get'],
'roles' => [P::OBTAIN_ACCOUNT_INFO],
'roleParams' => function() use ($paramsCallback) {
return array_merge($paramsCallback(), [
'optionalRules' => true,
]);
},
'roleParams' => $this->createParams([
'optionalRules' => true,
'allowDeleted' => true,
]),
],
[
'allow' => true,
'actions' => ['username'],
'roles' => [P::CHANGE_ACCOUNT_USERNAME],
'roleParams' => $paramsCallback,
'roleParams' => $this->createParams(),
],
[
'allow' => true,
'actions' => ['password'],
'roles' => [P::CHANGE_ACCOUNT_PASSWORD],
'roleParams' => $paramsCallback,
'roleParams' => $this->createParams(),
],
[
'allow' => true,
'actions' => ['language'],
'roles' => [P::CHANGE_ACCOUNT_LANGUAGE],
'roleParams' => $paramsCallback,
'roleParams' => $this->createParams(),
],
[
'allow' => true,
@ -72,17 +57,15 @@ class DefaultController extends Controller {
'new-email-verification',
],
'roles' => [P::CHANGE_ACCOUNT_EMAIL],
'roleParams' => $paramsCallback,
'roleParams' => $this->createParams(),
],
[
'allow' => true,
'actions' => ['rules'],
'roles' => [P::ACCEPT_NEW_PROJECT_RULES],
'roleParams' => function() use ($paramsCallback) {
return array_merge($paramsCallback(), [
'optionalRules' => true,
]);
},
'roleParams' => $this->createParams([
'optionalRules' => true,
]),
],
[
'allow' => true,
@ -92,7 +75,7 @@ class DefaultController extends Controller {
'disable-two-factor-auth',
],
'roles' => [P::MANAGE_TWO_FACTOR_AUTH],
'roleParams' => $paramsCallback,
'roleParams' => $this->createParams(),
],
[
'allow' => true,
@ -101,8 +84,33 @@ class DefaultController extends Controller {
'pardon',
],
'roles' => [P::BLOCK_ACCOUNT],
'roleParams' => $paramsCallback,
'roleParams' => $this->createParams(),
],
[
'allow' => true,
'actions' => ['delete'],
'roles' => [P::DELETE_ACCOUNT],
'roleParams' => $this->createParams([
'optionalRules' => true,
'allowDeleted' => true, // This case will be validated by route handler
]),
],
[
'allow' => true,
'actions' => ['restore'],
'roles' => [P::RESTORE_ACCOUNT],
'roleParams' => $this->createParams([
'optionalRules' => true,
'allowDeleted' => true,
]),
],
],
],
'verb' => [
'class' => VerbFilter::class,
'actions' => [
'delete' => ['DELETE'],
'restore' => ['POST'],
],
],
]);
@ -121,6 +129,8 @@ class DefaultController extends Controller {
'disable-two-factor-auth' => actions\DisableTwoFactorAuthAction::class,
'ban' => actions\BanAccountAction::class,
'pardon' => actions\PardonAccountAction::class,
'delete' => actions\DeleteAccountAction::class,
'restore' => actions\RestoreAccountAction::class,
];
}
@ -144,6 +154,25 @@ class DefaultController extends Controller {
return parent::bindActionParams($action, $params);
}
private function createParams(array $options = []): callable {
return function() use ($options): array {
$id = (int)Yii::$app->request->get('id');
if ($id === 0) {
$identity = Yii::$app->user->getIdentity();
if ($identity !== null) {
$account = $identity->getAccount();
if ($account !== null) {
$id = $account->id;
}
}
}
return array_merge([
'accountId' => $id,
], $options);
};
}
private function findAccount(int $id): Account {
if ($id === 0) {
/** @noinspection NullPointerExceptionInspection */

8
api/modules/accounts/models/AccountInfo.php
View File

@ -1,4 +1,6 @@
<?php
declare(strict_types=1);
namespace api\modules\accounts\models;
use api\models\base\BaseAccountForm;
@ -14,7 +16,7 @@ class AccountInfo extends BaseAccountForm {
*/
public $user = 'user';
public function init() {
public function init(): void {
parent::init();
$this->user = Instance::ensure($this->user, User::class);
}
@ -35,6 +37,7 @@ class AccountInfo extends BaseAccountForm {
$authManagerParams = [
'accountId' => $account->id,
'optionalRules' => true,
'allowDeleted' => true,
];
if ($this->user->can(P::OBTAIN_ACCOUNT_EMAIL, $authManagerParams)) {
@ -42,7 +45,8 @@ class AccountInfo extends BaseAccountForm {
}
if ($this->user->can(P::OBTAIN_EXTENDED_ACCOUNT_INFO, $authManagerParams)) {
$response['isActive'] = $account->status === Account::STATUS_ACTIVE;
$response['isActive'] = !in_array($account->status, [Account::STATUS_REGISTERED, Account::STATUS_BANNED]);
$response['isDeleted'] = $account->status === Account::STATUS_DELETED;
$response['passwordChangedAt'] = $account->password_changed_at;
$response['hasMojangUsernameCollision'] = $account->hasMojangUsernameCollision();
$response['shouldAcceptRules'] = !$account->isAgreedWithActualRules();

2
api/modules/accounts/models/BanAccountForm.php
View File

@ -52,7 +52,7 @@ class BanAccountForm extends AccountActionForm {
$account->status = Account::STATUS_BANNED;
Assert::true($account->save(), 'Cannot ban account');
Yii::$app->queue->push(ClearAccountSessions::createFromAccount($account));
Yii::$app->queue->push(new ClearAccountSessions($account->id));
$transaction->commit();

50
api/modules/accounts/models/DeleteAccountForm.php Normal file
View File

@ -0,0 +1,50 @@
<?php
declare(strict_types=1);
namespace api\modules\accounts\models;
use api\modules\internal\helpers\Error as E;
use api\validators\PasswordRequiredValidator;
use common\models\Account;
use common\tasks\DeleteAccount;
use Webmozart\Assert\Assert;
use Yii;
final class DeleteAccountForm extends AccountActionForm {
public $password;
public function rules(): array {
return [
[['password'], PasswordRequiredValidator::class, 'account' => $this->getAccount()],
[['account'], 'validateAccountActivity'],
];
}
public function validateAccountActivity(): void {
if ($this->getAccount()->status === Account::STATUS_DELETED) {
$this->addError('account', E::ACCOUNT_ALREADY_DELETED);
}
}
public function performAction(): bool {
if (!$this->validate()) {
return false;
}
$transaction = Yii::$app->db->beginTransaction();
$account = $this->getAccount();
$account->status = Account::STATUS_DELETED;
$account->deleted_at = time();
Assert::true($account->save(), 'Cannot delete account');
// Schedule complete account erasing
Yii::$app->queue->delay($account->getDeleteAt()->diffInRealSeconds())->push(new DeleteAccount($account->id));
$transaction->commit();
return true;
}
}

42
api/modules/accounts/models/RestoreAccountForm.php Normal file
View File

@ -0,0 +1,42 @@
<?php
declare(strict_types=1);
namespace api\modules\accounts\models;
use api\modules\internal\helpers\Error as E;
use common\models\Account;
use Webmozart\Assert\Assert;
use Yii;
final class RestoreAccountForm extends AccountActionForm {
public function rules(): array {
return [
[['account'], 'validateAccountActivity'],
];
}
public function validateAccountActivity(): void {
if ($this->getAccount()->status !== Account::STATUS_DELETED) {
$this->addError('account', E::ACCOUNT_NOT_DELETED);
}
}
public function performAction(): bool {
if (!$this->validate()) {
return false;
}
$transaction = Yii::$app->db->beginTransaction();
$account = $this->getAccount();
$account->status = Account::STATUS_ACTIVE;
$account->deleted_at = null;
Assert::true($account->save(), 'Cannot restore account');
$transaction->commit();
return true;
}
}

10
api/modules/authserver/models/AuthenticationForm.php
View File

@ -52,10 +52,14 @@ class AuthenticationForm extends ApiForm {
Authserver::info("Trying to authenticate user by login = '{$this->username}'.");
// The previous authorization server implementation used the nickname field instead of username,
// so we keep such behavior
$attribute = strpos($this->username, '@') === false ? 'nickname' : 'email';
$loginForm = new LoginForm();
$loginForm->login = $this->username;
$loginForm->password = $this->password;
if (!$loginForm->validate()) {
if (!$loginForm->validate() || $loginForm->getAccount()->status === Account::STATUS_DELETED) {
$errors = $loginForm->getFirstErrors();
if (isset($errors['totp'])) {
Authserver::error("User with login = '{$this->username}' protected by two factor auth.");
@ -73,10 +77,6 @@ class AuthenticationForm extends ApiForm {
Authserver::error("User with login = '{$this->username}' passed wrong password.");
}
// The previous authorization server implementation used the nickname field instead of username,
// so we keep such behavior
$attribute = strpos($this->username, '@') === false ? 'nickname' : 'email';
// TODO: эта логика дублируется с логикой в SignoutForm
throw new ForbiddenOperationException("Invalid credentials. Invalid {$attribute} or password.");

2
api/modules/authserver/models/RefreshTokenForm.php
View File

@ -62,7 +62,7 @@ class RefreshTokenForm extends ApiForm {
$account = Account::findOne(['id' => $tokenReader->getAccountId()]);
}
if ($account === null) {
if ($account === null || $account->status === Account::STATUS_DELETED) {
throw new ForbiddenOperationException('Invalid token.');
}

5
api/modules/authserver/validators/AccessTokenValidator.php
View File

@ -13,10 +13,7 @@ use yii\validators\Validator;
class AccessTokenValidator extends Validator {
/**
* @var bool
*/
public $verifyExpiration = true;
public bool $verifyExpiration = true;
/**
* @param string $value

3
api/modules/internal/helpers/Error.php
View File

@ -6,4 +6,7 @@ final class Error {
public const ACCOUNT_ALREADY_BANNED = 'error.account_already_banned';
public const ACCOUNT_NOT_BANNED = 'error.account_not_banned';
public const ACCOUNT_ALREADY_DELETED = 'error.account_already_deleted';
public const ACCOUNT_NOT_DELETED = 'error.account_not_deleted';
}

7
api/modules/mojang/controllers/ApiController.php
View File

@ -32,7 +32,7 @@ class ApiController extends Controller {
// who used the nickname has not changed it to something else
$account = null;
if ($record !== null) {
if ($record->account->username === $record->username || $record->findNext($at) !== null) {
if ($record->account->username === $record->username || $record->findNextOwnerUsername($at) !== null) {
$account = $record->account;
}
}
@ -41,7 +41,7 @@ class ApiController extends Controller {
$account = Account::findOne(['username' => $username]);
}
if ($account === null) {
if ($account === null || $account->status === Account::STATUS_DELETED) {
return $this->noContentResponse();
}
@ -58,7 +58,7 @@ class ApiController extends Controller {
return $this->illegalArgumentResponse('Invalid uuid format.');
}
$account = Account::findOne(['uuid' => $uuid]);
$account = Account::find()->excludeDeleted()->andWhere(['uuid' => $uuid])->one();
if ($account === null) {
return $this->noContentResponse();
}
@ -103,6 +103,7 @@ class ApiController extends Controller {
/** @var Account[] $accounts */
$accounts = Account::find()
->andWhere(['username' => $usernames])
->excludeDeleted()
->orderBy(['username' => $usernames])
->limit(count($usernames))
->all();

3
api/modules/session/controllers/SessionController.php
View File

@ -121,7 +121,8 @@ class SessionController extends Controller {
throw new IllegalArgumentException('Invalid uuid format.');
}
$account = Account::findOne(['uuid' => $uuid]);
/** @var Account|null $account */
$account = Account::find()->excludeDeleted()->andWhere(['uuid' => $uuid])->one();
if ($account === null) {
throw new ForbiddenOperationException('Invalid uuid.');
}

4
api/modules/session/models/JoinForm.php
View File

@ -165,6 +165,10 @@ class JoinForm extends Model {
throw new ForbiddenOperationException('Invalid credentials');
}
if ($account->status === Account::STATUS_DELETED) {
throw new ForbiddenOperationException('Invalid credentials');
}
$this->account = $account;
}

4
api/rbac/Permissions.php
View File

@ -12,6 +12,8 @@ final class Permissions {
public const CHANGE_ACCOUNT_PASSWORD = 'change_account_password';
public const CHANGE_ACCOUNT_EMAIL = 'change_account_email';
public const MANAGE_TWO_FACTOR_AUTH = 'manage_two_factor_auth';
public const DELETE_ACCOUNT = 'delete_account';
public const RESTORE_ACCOUNT = 'restore_account';
public const BLOCK_ACCOUNT = 'block_account';
public const COMPLETE_OAUTH_FLOW = 'complete_oauth_flow';
public const CREATE_OAUTH_CLIENTS = 'create_oauth_clients';
@ -27,6 +29,8 @@ final class Permissions {
public const CHANGE_OWN_ACCOUNT_PASSWORD = 'change_own_account_password';
public const CHANGE_OWN_ACCOUNT_EMAIL = 'change_own_account_email';
public const MANAGE_OWN_TWO_FACTOR_AUTH = 'manage_own_two_factor_auth';
public const DELETE_OWN_ACCOUNT = 'delete_own_account';
public const RESTORE_OWN_ACCOUNT = 'restore_own_account';
public const MINECRAFT_SERVER_SESSION = 'minecraft_server_session';
public const VIEW_OWN_OAUTH_CLIENTS = 'view_own_oauth_clients';
public const MANAGE_OWN_OAUTH_CLIENTS = 'manage_own_oauth_clients';

8
api/rbac/rules/AccountOwner.php
View File

@ -8,7 +8,7 @@ use Webmozart\Assert\Assert;
use Yii;
use yii\rbac\Rule;
class AccountOwner extends Rule {
final class AccountOwner extends Rule {
public $name = 'account_owner';
@ -43,7 +43,11 @@ class AccountOwner extends Rule {
return false;
}
if ($account->status !== Account::STATUS_ACTIVE) {
$allowDeleted = $params['allowDeleted'] ?? false;
if ($account->status !== Account::STATUS_ACTIVE
// if deleted accounts are allowed, but the passed one is not in deleted state
&& (!$allowDeleted || $account->status !== Account::STATUS_DELETED)
) {
return false;
}

4
api/tests/_pages/AuthenticationRoute.php
View File

@ -24,10 +24,6 @@ class AuthenticationRoute extends BasePage {
$this->getActor()->sendPOST('/api/authentication/login', $params);
}
public function logout() {
$this->getActor()->sendPOST('/api/authentication/logout');
}
public function forgotPassword($login = null, $token = null) {
$this->getActor()->sendPOST('/api/authentication/forgot-password', [
'login' => $login,

26
api/tests/functional/LoginCest.php
View File

@ -1,10 +1,13 @@
<?php
declare(strict_types=1);
namespace api\tests\functional;
use api\tests\_pages\AuthenticationRoute;
use api\tests\FunctionalTester;
use OTPHP\TOTP;
// TODO: very outdated tests. Need to rewrite
class LoginCest {
public function testLoginEmailOrUsername(FunctionalTester $I) {
@ -215,4 +218,27 @@ class LoginCest {
$I->canSeeAuthCredentials(false);
}
public function testLoginIntoDeletedAccount(FunctionalTester $I) {
$route = new AuthenticationRoute($I);
$I->wantTo('login into account that marked for deleting');
$route->login('DeletedAccount', 'password_0');
$I->canSeeResponseContainsJson([
'success' => true,
]);
}
public function testLoginIntoBannedAccount(FunctionalTester $I) {
$route = new AuthenticationRoute($I);
$I->wantTo('login into banned account');
$route->login('Banned', 'password_0');
$I->canSeeResponseContainsJson([
'success' => false,
'errors' => [
'login' => 'error.account_banned',
],
]);
}
}

21
api/tests/functional/LogoutCest.php
View File

@ -1,19 +1,28 @@
<?php
declare(strict_types=1);
namespace api\tests\functional;
use api\tests\_pages\AuthenticationRoute;
use api\tests\FunctionalTester;
use Codeception\Example;
class LogoutCest {
public function testLoginEmailOrUsername(FunctionalTester $I) {
$route = new AuthenticationRoute($I);
$I->amAuthenticated();
$route->logout();
/**
* @dataProvider getLogoutCases
*/
public function logout(FunctionalTester $I, Example $example) {
$I->amAuthenticated($example[0]);
$I->sendPOST('/api/authentication/logout');
$I->canSeeResponseContainsJson([
'success' => true,
]);
}
protected function getLogoutCases() {
yield 'active account' => ['admin'];
yield 'account that not accepted the rules' => ['Veleyaba'];
yield 'account marked for deleting' => ['DeletedAccount'];
}
}

89
api/tests/functional/accounts/DeleteCest.php Normal file
View File

@ -0,0 +1,89 @@
<?php
declare(strict_types=1);
namespace api\tests\functional\accounts;
use api\tests\_pages\AccountsRoute;
use api\tests\FunctionalTester;
class DeleteCest {
public function deleteMyAccountWithValidPassword(FunctionalTester $I) {
$id = $I->amAuthenticated();
$I->sendDELETE("/api/v1/accounts/{$id}", [
'password' => 'password_0',
]);
$I->canSeeResponseCodeIs(200);
$I->canSeeResponseContainsJson([
'success' => true,
]);
$I->sendGET("/api/v1/accounts/{$id}");
$I->canSeeResponseCodeIs(200);
$I->canSeeResponseContainsJson([
'isDeleted' => true,
]);
}
public function deleteMyAccountWithNotAcceptedRules(FunctionalTester $I) {
$id = $I->amAuthenticated('Veleyaba');
$I->sendDELETE("/api/v1/accounts/{$id}", [
'password' => 'password_0',
]);
$I->canSeeResponseCodeIs(200);
$I->canSeeResponseContainsJson([
'success' => true,
]);
$I->sendGET("/api/v1/accounts/{$id}");
$I->canSeeResponseCodeIs(200);
$I->canSeeResponseContainsJson([
'isDeleted' => true,
'shouldAcceptRules' => true,
]);
}
public function deleteMyAccountWithInvalidPassword(FunctionalTester $I) {
$id = $I->amAuthenticated();
$I->sendDELETE("/api/v1/accounts/{$id}", [
'password' => 'invalid_password',
]);
$I->canSeeResponseCodeIs(200);
$I->canSeeResponseContainsJson([
'success' => false,
'errors' => [
'password' => 'error.password_incorrect',
],
]);
}
public function deleteAlreadyDeletedAccount(FunctionalTester $I) {
$id = $I->amAuthenticated('DeletedAccount');
$I->sendDELETE("/api/v1/accounts/{$id}", [
'password' => 'password_0',
]);
$I->canSeeResponseCodeIs(200);
$I->canSeeResponseContainsJson([
'success' => false,
'errors' => [
'account' => 'error.account_already_deleted',
],
]);
}
public function deleteNotMyAccount(FunctionalTester $I) {
$I->amAuthenticated();
$I->sendDELETE('/api/v1/accounts/2', [
'password' => 'password_0',
]);
$I->canSeeResponseCodeIs(403);
$I->canSeeResponseContainsJson([
'name' => 'Forbidden',
'message' => 'You are not allowed to perform this action.',
'code' => 0,
'status' => 403,
]);
}
}

23
api/tests/functional/accounts/GetCest.php
View File

@ -1,4 +1,6 @@
<?php
declare(strict_types=1);
namespace api\tests\functional\accounts;
use api\tests\_pages\AccountsRoute;
@ -6,10 +8,7 @@ use api\tests\FunctionalTester;
class GetCest {
/**
* @var AccountsRoute
*/
private $route;
private AccountsRoute $route;
public function _before(FunctionalTester $I) {
$this->route = new AccountsRoute($I);
@ -29,6 +28,7 @@ class GetCest {
'email' => 'admin@ely.by',
'lang' => 'en',
'isActive' => true,
'isDeleted' => false,
'hasMojangUsernameCollision' => false,
'shouldAcceptRules' => false,
'elyProfileLink' => 'http://ely.by/u1',
@ -51,6 +51,7 @@ class GetCest {
'email' => 'admin@ely.by',
'lang' => 'en',
'isActive' => true,
'isDeleted' => false,
'hasMojangUsernameCollision' => false,
'shouldAcceptRules' => false,
'elyProfileLink' => 'http://ely.by/u1',
@ -72,6 +73,7 @@ class GetCest {
'isOtpEnabled' => false,
'lang' => 'en',
'isActive' => true,
'isDeleted' => false,
'hasMojangUsernameCollision' => false,
'shouldAcceptRules' => true,
'elyProfileLink' => 'http://ely.by/u9',
@ -79,6 +81,19 @@ class GetCest {
$I->canSeeResponseJsonMatchesJsonPath('$.passwordChangedAt');
}
public function testGetInfoFromAccountMarkedForDeleting(FunctionalTester $I) {
// We're setting up a known expired token
$id = $I->amAuthenticated('DeletedAccount');
$I->sendGET("/api/v1/accounts/{$id}");
$I->canSeeResponseCodeIs(200);
$I->canSeeResponseContainsJson([
'id' => $id,
'isActive' => true,
'isDeleted' => true,
]);
}
public function testGetInfoWithExpiredToken(FunctionalTester $I) {
// We're setting up a known expired token
$I->amBearerAuthenticated(

51
api/tests/functional/accounts/RestoreCest.php Normal file
View File

@ -0,0 +1,51 @@
<?php
declare(strict_types=1);
namespace api\tests\functional\accounts;
use api\tests\_pages\AccountsRoute;
use api\tests\FunctionalTester;
class RestoreCest {
public function restoreMyDeletedAccount(FunctionalTester $I) {
$id = $I->amAuthenticated('DeletedAccount');
$I->sendPOST("/api/v1/accounts/{$id}/restore");
$I->canSeeResponseCodeIs(200);
$I->canSeeResponseContainsJson([
'success' => true,
]);
$I->sendGET("/api/v1/accounts/{$id}");
$I->canSeeResponseCodeIs(200);
$I->canSeeResponseContainsJson([
'isDeleted' => false,
]);
}
public function restoreNotDeletedAccount(FunctionalTester $I) {
$id = $I->amAuthenticated();
$I->sendPOST("/api/v1/accounts/{$id}/restore");
$I->canSeeResponseCodeIs(200);
$I->canSeeResponseContainsJson([
'success' => false,
'errors' => [
'account' => 'error.account_not_deleted',
],
]);
}
public function restoreNotMyAccount(FunctionalTester $I) {
$I->amAuthenticated('DeletedAccount');
$I->sendPOST('/api/v1/accounts/1/restore');
$I->canSeeResponseCodeIs(403);
$I->canSeeResponseContainsJson([
'name' => 'Forbidden',
'message' => 'You are not allowed to perform this action.',
'code' => 0,
'status' => 403,
]);
}
}

14
api/tests/functional/authserver/AuthorizationCest.php
View File

@ -97,6 +97,20 @@ class AuthorizationCest {
]);
}
public function deletedAccount(FunctionalTester $I) {
$I->wantTo('authenticate in account marked for deletion');
$I->sendPOST('/api/authserver/authentication/authenticate', [
'username' => 'DeletedAccount',
'password' => 'password_0',
'clientToken' => Uuid::uuid4()->toString(),
]);
$I->canSeeResponseCodeIs(401);
$I->canSeeResponseContainsJson([
'error' => 'ForbiddenOperationException',
'errorMessage' => 'Invalid credentials. Invalid nickname or password.',
]);
}
public function bannedAccount(FunctionalTester $I) {
$I->wantTo('authenticate in suspended account');
$I->sendPOST('/api/authserver/authentication/authenticate', [

13
api/tests/functional/authserver/RefreshCest.php
View File

@ -93,6 +93,19 @@ class RefreshCest {
]);
}
public function refreshTokenFromDeletedUser(AuthserverSteps $I) {
$I->wantTo('refresh token from account marked for deletion');
$I->sendPOST('/api/authserver/authentication/refresh', [
'accessToken' => '239ba889-7020-4383-8d99-cd8c8aab4a2f',
'clientToken' => '47443658-4ff8-45e7-b33e-dc8915ab6421',
]);
$I->canSeeResponseCodeIs(401);
$I->canSeeResponseContainsJson([
'error' => 'ForbiddenOperationException',
'errorMessage' => 'Invalid token.',
]);
}
public function refreshTokenFromBannedUser(AuthserverSteps $I) {
$I->wantTo('refresh token from suspended account');
$I->sendPOST('/api/authserver/authentication/refresh', [

12
api/tests/functional/authserver/ValidateCest.php
View File

@ -79,4 +79,16 @@ class ValidateCest {
]);
}
public function credentialsFromBannedAccount(AuthserverSteps $I) {
$I->wantTo('get error on expired legacy accessToken');
$I->sendPOST('/api/authserver/authentication/validate', [
'accessToken' => '239ba889-7020-4383-8d99-cd8c8aab4a2f',
]);
$I->canSeeResponseCodeIs(401);
$I->canSeeResponseContainsJson([
'error' => 'ForbiddenOperationException',
'errorMessage' => 'Invalid token.',
]);
}
}

7
api/tests/functional/mojang/UsernameToUuidCest.php
View File

@ -58,6 +58,13 @@ class UsernameToUuidCest {
$I->canSeeResponseEquals('');
}
public function getUuidForDeletedAccount(FunctionalTester $I) {
$I->wantTo('get uuid for account that marked for deleting');
$this->route->usernameToUuid('DeletedAccount');
$I->canSeeResponseCodeIs(204);
$I->canSeeResponseEquals('');
}
public function nonPassedUsername(FunctionalTester $I) {
$I->wantTo('get 404 on not passed username');
$this->route->usernameToUuid('');

4
api/tests/functional/mojang/UsernamesToUuidsCest.php
View File

@ -42,7 +42,7 @@ class UsernamesToUuidsCest {
public function getUuidsByPartialNonexistentUsernames(FunctionalTester $I) {
$I->wantTo('get uuids by few usernames and some nonexistent');
$this->route->uuidsByUsernames(['Admin', 'not-exists-user']);
$this->route->uuidsByUsernames(['Admin', 'DeletedAccount', 'not-exists-user']);
$I->canSeeResponseCodeIs(200);
$I->canSeeResponseIsJson();
$I->canSeeResponseContainsJson([
@ -51,6 +51,8 @@ class UsernamesToUuidsCest {
'name' => 'Admin',
],
]);
$I->cantSeeResponseJsonMatchesJsonPath('$.[?(@.name="DeletedAccount")]');
$I->cantSeeResponseJsonMatchesJsonPath('$.[?(@.name="not-exists-user")]');
}
public function passAllNonexistentUsernames(FunctionalTester $I) {

7
api/tests/functional/mojang/UuidToUsernamesHistoryCest.php
View File

@ -55,6 +55,13 @@ class UuidToUsernamesHistoryCest {
$I->canSeeResponseEquals('');
}
public function passUuidOfDeletedAccount(FunctionalTester $I) {
$I->wantTo('get username by passing uuid of the account marked for deleting');
$this->route->usernamesByUuid('6383de63-8f85-4ed5-92b7-5401a1fa68cd');
$I->canSeeResponseCodeIs(204);
$I->canSeeResponseEquals('');
}
public function passWrongUuidFormat(FunctionalTester $I) {
$I->wantTo('call profile route with invalid uuid string');
$this->route->usernamesByUuid('bla-bla-bla');

11
api/tests/functional/oauth/AuthCodeCest.php
View File

@ -195,4 +195,15 @@ class AuthCodeCest {
$I->canSeeResponseJsonMatchesJsonPath('$.redirectUri');
}
public function finalizeByAccountMarkedForDeletion(FunctionalTester $I) {
$I->amAuthenticated('DeletedAccount');
$I->sendPOST('/api/oauth2/v1/complete?' . http_build_query([
'client_id' => 'ely',
'redirect_uri' => 'http://ely.by',
'response_type' => 'code',
'scope' => 'minecraft_server_session',
]), ['accept' => true]);
$I->canSeeResponseCodeIs(403);
}
}

13
api/tests/functional/sessionserver/JoinCest.php
View File

@ -137,6 +137,19 @@ class JoinCest {
]);
}
public function joinByAccountMarkedForDeletion(FunctionalTester $I) {
$this->route->join([
'accessToken' => '239ba889-7020-4383-8d99-cd8c8aab4a2f',
'selectedProfile' => '6383de63-8f85-4ed5-92b7-5401a1fa68cd',
'serverId' => uuid(),
]);
$I->canSeeResponseCodeIs(401);
$I->canSeeResponseContainsJson([
'error' => 'ForbiddenOperationException',
'errorMessage' => 'Invalid credentials',
]);
}
private function expectSuccessResponse(FunctionalTester $I) {
$I->seeResponseCodeIs(200);
$I->seeResponseIsJson();

11
api/tests/functional/sessionserver/JoinLegacyCest.php
View File

@ -106,6 +106,17 @@ class JoinLegacyCest {
$I->canSeeResponseContains('credentials can not be null.');
}
public function joinByAccountMarkedForDeletion(FunctionalTester $I) {
$I->wantTo('join to some server by legacy protocol with nil accessToken and selectedProfile');
$this->route->joinLegacy([
'sessionId' => 'token:239ba889-7020-4383-8d99-cd8c8aab4a2f:6383de63-8f85-4ed5-92b7-5401a1fa68cd',
'user' => 'DeletedAccount',
'serverId' => uuid(),
]);
$I->canSeeResponseCodeIs(401);
$I->canSeeResponseContains('Ely.by authorization required');
}
private function expectSuccessResponse(FunctionalTester $I) {
$I->seeResponseCodeIs(200);
$I->canSeeResponseEquals('OK');

11
api/tests/functional/sessionserver/ProfileCest.php
View File

@ -58,4 +58,15 @@ class ProfileCest {
]);
}
public function getProfileOfAccountMarkedForDeletion(FunctionalTester $I) {
$this->route->profile('6383de63-8f85-4ed5-92b7-5401a1fa68cd');
$I->canSeeResponseCodeIs(401);
$I->canSeeResponseIsJson();
$I->seeResponseIsJson();
$I->canSeeResponseContainsJson([
'error' => 'ForbiddenOperationException',
'errorMessage' => 'Invalid uuid.',
]);
}
}

90
api/tests/unit/modules/accounts/models/DeleteAccountFormTest.php Normal file
View File

@ -0,0 +1,90 @@
<?php
declare(strict_types=1);
namespace api\tests\unit\modules\accounts\models;
use api\modules\accounts\models\DeleteAccountForm;
use api\tests\unit\TestCase;
use common\models\Account;
use common\tasks\CreateWebHooksDeliveries;
use common\tasks\DeleteAccount;
use common\tests\fixtures\AccountFixture;
use ReflectionObject;
use Yii;
use yii\queue\Queue;
class DeleteAccountFormTest extends TestCase {
/**
* @var Queue|\PHPUnit\Framework\MockObject\MockObject
*/
private Queue $queue;
public function _fixtures(): array {
return [
'accounts' => AccountFixture::class,
];
}
public function _before(): void {
parent::_before();
$this->queue = $this->createMock(Queue::class);
Yii::$app->set('queue', $this->queue);
}
public function testPerformAction() {
/** @var Account $account */
$account = $this->tester->grabFixture('accounts', 'admin');
$this->queue
->expects($this->once())
->method('delay')
->with($this->equalToWithDelta(60 * 60 * 24 * 7, 5))
->willReturnSelf();
$this->queue
->expects($this->exactly(2))
->method('push')
->withConsecutive(
[$this->callback(function(CreateWebHooksDeliveries $task) use ($account): bool {
$this->assertSame($account->id, $task->payloads['id']);
return true;
})],
[$this->callback(function(DeleteAccount $task) use ($account): bool {
$obj = new ReflectionObject($task);
$property = $obj->getProperty('accountId');
$property->setAccessible(true);
$this->assertSame($account->id, $property->getValue($task));
return true;
})],
);
$model = new DeleteAccountForm($account, [
'password' => 'password_0',
]);
$this->assertTrue($model->performAction());
$this->assertSame(Account::STATUS_DELETED, $account->status);
$this->assertEqualsWithDelta(time(), $account->deleted_at, 5);
}
public function testPerformActionWithInvalidPassword() {
/** @var Account $account */
$account = $this->tester->grabFixture('accounts', 'admin');
$model = new DeleteAccountForm($account, [
'password' => 'invalid password',
]);
$this->assertFalse($model->performAction());
$this->assertSame(['password' => ['error.password_incorrect']], $model->getErrors());
}
public function testPerformActionForAlreadyDeletedAccount() {
/** @var Account $account */
$account = $this->tester->grabFixture('accounts', 'deleted-account');
$model = new DeleteAccountForm($account, [
'password' => 'password_0',
]);
$this->assertFalse($model->performAction());
$this->assertSame(['account' => ['error.account_already_deleted']], $model->getErrors());
}
}

61
api/tests/unit/modules/accounts/models/RestoreAccountFormTest.php Normal file
View File

@ -0,0 +1,61 @@
<?php
declare(strict_types=1);
namespace api\tests\unit\modules\accounts\models;
use api\modules\accounts\models\RestoreAccountForm;
use api\tests\unit\TestCase;
use common\models\Account;
use common\tasks\CreateWebHooksDeliveries;
use common\tests\fixtures\AccountFixture;
use Yii;
use yii\queue\Queue;
class RestoreAccountFormTest extends TestCase {
/**
* @var Queue|\PHPUnit\Framework\MockObject\MockObject
*/
private Queue $queue;
public function _fixtures(): array {
return [
'accounts' => AccountFixture::class,
];
}
public function _before(): void {
parent::_before();
$this->queue = $this->createMock(Queue::class);
Yii::$app->set('queue', $this->queue);
}
public function testPerformAction() {
/** @var Account $account */
$account = $this->tester->grabFixture('accounts', 'deleted-account');
$this->queue
->expects($this->once())
->method('push')
->withConsecutive(
[$this->callback(function(CreateWebHooksDeliveries $task) use ($account): bool {
$this->assertSame($account->id, $task->payloads['id']);
return true;
})],
);
$model = new RestoreAccountForm($account);
$this->assertTrue($model->performAction());
$this->assertSame(Account::STATUS_ACTIVE, $account->status);
$this->assertNull($account->deleted_at);
}
public function testPerformActionForNotDeletedAccount() {
/** @var Account $account */
$account = $this->tester->grabFixture('accounts', 'admin');
$model = new RestoreAccountForm($account);
$this->assertFalse($model->performAction());
$this->assertSame(['account' => ['error.account_not_deleted']], $model->getErrors());
}
}

20
api/tests/unit/modules/internal/models/BanFormTest.php → api/tests/unit/modules/internal/models/BanAccountFormTest.php
View File

@ -1,4 +1,6 @@
<?php
declare(strict_types=1);
namespace api\tests\unit\modules\internal\models;
use api\modules\accounts\models\BanAccountForm;
@ -6,8 +8,9 @@ use api\modules\internal\helpers\Error as E;
use api\tests\unit\TestCase;
use common\models\Account;
use common\tasks\ClearAccountSessions;
use ReflectionObject;
class BanFormTest extends TestCase {
class BanAccountFormTest extends TestCase {
public function testValidateAccountActivity() {
$account = new Account();
@ -25,13 +28,9 @@ class BanFormTest extends TestCase {
public function testBan() {
/** @var Account|\PHPUnit\Framework\MockObject\MockObject $account */
$account = $this->getMockBuilder(Account::class)
->setMethods(['save'])
->getMock();
$account->expects($this->once())
->method('save')
->willReturn(true);
$account = $this->createPartialMock(Account::class, ['save']);
$account->expects($this->once())->method('save')->willReturn(true);
$account->id = 123;
$model = new BanAccountForm($account);
$this->assertTrue($model->performAction());
@ -39,7 +38,10 @@ class BanFormTest extends TestCase {
/** @var ClearAccountSessions $job */
$job = $this->tester->grabLastQueuedJob();
$this->assertInstanceOf(ClearAccountSessions::class, $job);
$this->assertSame($job->accountId, $account->id);
$obj = new ReflectionObject($job);
$property = $obj->getProperty('accountId');
$property->setAccessible(true);
$this->assertSame(123, $property->getValue($job));
}
}

11
api/tests/unit/rbac/rules/AccountOwnerTest.php
View File

@ -39,14 +39,25 @@ class AccountOwnerTest extends TestCase {
Yii::$app->user->setIdentity($identity);
// Assert that account id matches
$this->assertFalse($rule->execute('token', $item, ['accountId' => 2]));
$this->assertFalse($rule->execute('token', $item, ['accountId' => '2']));
$this->assertTrue($rule->execute('token', $item, ['accountId' => 1]));
$this->assertTrue($rule->execute('token', $item, ['accountId' => '1']));
// Check accepted latest rules
$account->rules_agreement_version = null;
$this->assertFalse($rule->execute('token', $item, ['accountId' => 1]));
$this->assertTrue($rule->execute('token', $item, ['accountId' => 1, 'optionalRules' => true]));
$account->rules_agreement_version = LATEST_RULES_VERSION;
$this->assertTrue($rule->execute('token', $item, ['accountId' => 1]));
// Check deleted account behavior
$account->status = Account::STATUS_DELETED;
$this->assertFalse($rule->execute('token', $item, ['accountId' => 1]));
$this->assertTrue($rule->execute('token', $item, ['accountId' => 1, 'allowDeleted' => true]));
// Banned account should always be not allowed
$account->status = Account::STATUS_BANNED;
$this->assertFalse($rule->execute('token', $item, ['accountId' => 1]));
$this->assertFalse($rule->execute('token', $item, ['accountId' => 1, 'optionalRules' => true]));

12
api/validators/PasswordRequiredValidator.php
View File

@ -1,20 +1,18 @@
<?php
declare(strict_types=1);
namespace api\validators;
use api\rbac\Permissions as P;
use common\helpers\Error as E;
use common\models\Account;
use yii\base\InvalidConfigException;
use yii\di\Instance;
use yii\validators\Validator;
use yii\web\User;
class PasswordRequiredValidator extends Validator {
/**
* @var Account
*/
public $account;
public Account $account;
/**
* @inheritdoc
@ -28,10 +26,6 @@ class PasswordRequiredValidator extends Validator {
public function init() {
parent::init();
if (!$this->account instanceof Account) {
throw new InvalidConfigException('account should be instance of ' . Account::class);
}
$this->user = Instance::ensure($this->user, User::class);
}

60
common/models/Account.php
View File

@ -3,8 +3,11 @@ declare(strict_types=1);
namespace common\models;
use Carbon\Carbon;
use common\components\UserPass;
use common\tasks\CreateWebHooksDeliveries;
use DateInterval;
use Webmozart\Assert\Assert;
use Yii;
use yii\base\InvalidConfigException;
use yii\behaviors\TimestampBehavior;
@ -14,21 +17,22 @@ use const common\LATEST_RULES_VERSION;
/**
* Fields:
* @property int $id
* @property string $uuid
* @property string $username
* @property string $email
* @property string $password_hash
* @property int $password_hash_strategy
* @property string $lang
* @property int $status
* @property int $rules_agreement_version
* @property string $registration_ip
* @property string $otp_secret
* @property int $is_otp_enabled
* @property int $created_at
* @property int $updated_at
* @property int $password_changed_at
* @property int $id
* @property string $uuid
* @property string $username
* @property string $email
* @property string $password_hash
* @property int $password_hash_strategy
* @property string $lang
* @property int $status
* @property int|null $rules_agreement_version
* @property string|null $registration_ip
* @property string|null $otp_secret
* @property int $is_otp_enabled
* @property int $created_at
* @property int $updated_at
* @property int $password_changed_at
* @property int|null $deleted_at shows the time, when the account was marked as deleted
*
* Getters-setters:
* @property-write string $password plain user's password
@ -55,8 +59,10 @@ class Account extends ActiveRecord {
public const PASS_HASH_STRATEGY_OLD_ELY = 0;
public const PASS_HASH_STRATEGY_YII2 = 1;
public const ACCOUNT_DELETION_DELAY = 'P7D';
public static function tableName(): string {
return '{{%accounts}}';
return 'accounts';
}
public static function find(): AccountQuery {
@ -153,17 +159,24 @@ class Account extends ActiveRecord {
return $this->registration_ip === null ? null : inet_ntop($this->registration_ip);
}
public function afterSave($insert, $changedAttributes) {
public function getDeleteAt(): Carbon {
Assert::notNull($this->deleted_at, 'This method should not be called on not deleted records');
return Carbon::createFromTimestamp($this->deleted_at)->add(new DateInterval(Account::ACCOUNT_DELETION_DELAY));
}
public function afterSave($insert, $changedAttributes): void {
parent::afterSave($insert, $changedAttributes);
if ($insert) {
return;
}
$meaningfulFields = ['username', 'email', 'uuid', 'status', 'lang'];
$meaningfulChangedAttributes = array_filter($changedAttributes, function(string $key) use ($meaningfulFields) {
return in_array($key, $meaningfulFields, true);
}, ARRAY_FILTER_USE_KEY);
$meaningfulFields = ['username', 'email', 'uuid', 'status', 'lang', 'deleted_at'];
$meaningfulChangedAttributes = array_filter(
$changedAttributes,
fn(string $key): bool => in_array($key, $meaningfulFields, true),
ARRAY_FILTER_USE_KEY,
);
if (empty($meaningfulChangedAttributes)) {
return;
}
@ -171,4 +184,9 @@ class Account extends ActiveRecord {
Yii::$app->queue->push(CreateWebHooksDeliveries::createAccountEdit($this, $meaningfulChangedAttributes));
}
public function afterDelete(): void {
parent::afterDelete();
Yii::$app->queue->push(CreateWebHooksDeliveries::createAccountDeletion($this));
}
}

4
common/models/AccountQuery.php
View File

@ -10,6 +10,10 @@ use yii\db\ActiveQuery;
*/
class AccountQuery extends ActiveQuery {
public function excludeDeleted(): self {
return $this->andWhere(['NOT', ['status' => Account::STATUS_DELETED]]);
}
public function andWhereLogin(string $login): self {
return $this->andWhere([$this->getLoginAttribute($login) => $login]);
}

29
common/models/UsernameHistory.php
View File

@ -1,29 +1,32 @@
<?php
declare(strict_types=1);
namespace common\models;
use yii\behaviors\TimestampBehavior;
use yii\db\ActiveQuery;
use yii\db\ActiveRecord;
/**
* Fields:
* @property integer $id
* @property string $username
* @property integer $account_id
* @property integer $applied_in
* @property int $id
* @property string $username
* @property int|null $account_id
* @property int $applied_in
*
* Relations:
* @property Account $account
* @property-read Account $account
*
* Behaviors:
* @mixin TimestampBehavior
*/
class UsernameHistory extends ActiveRecord {
public static function tableName() {
return '{{%usernames_history}}';
public static function tableName(): string {
return 'usernames_history';
}
public function behaviors() {
public function behaviors(): array {
return [
[
'class' => TimestampBehavior::class,
@ -33,19 +36,17 @@ class UsernameHistory extends ActiveRecord {
];
}
public function rules() {
return [];
}
public function getAccount() {
public function getAccount(): ActiveQuery {
return $this->hasOne(Account::class, ['id' => 'account_id']);
}
/**
* Find the username after the current of the account.
*
* @param int $afterTime
* @return UsernameHistory|null
*/
public function findNext(int $afterTime = null): ?self {
public function findNextOwnerUsername(int $afterTime = null): ?self {
return self::find()
->andWhere(['account_id' => $this->account_id])
->andWhere(['>', 'applied_in', $afterTime ?: $this->applied_in])

19
common/tasks/ClearAccountSessions.php
View File

@ -7,15 +7,12 @@ use common\models\Account;
use Yii;
use yii\queue\RetryableJobInterface;
class ClearAccountSessions implements RetryableJobInterface {
final class ClearAccountSessions implements RetryableJobInterface {
public $accountId;
private int $accountId;
public static function createFromAccount(Account $account): self {
$result = new static();
$result->accountId = $account->id;
return $result;
public function __construct(int $accountId) {
$this->accountId = $accountId;
}
/**
@ -40,23 +37,23 @@ class ClearAccountSessions implements RetryableJobInterface {
* @throws \Exception
*/
public function execute($queue): void {
$account = Account::findOne($this->accountId);
$account = Account::findOne(['id' => $this->accountId]);
if ($account === null) {
return;
}
/** @var \common\models\AccountSession $authSession */
foreach ($account->getSessions()->each(100, Yii::$app->unbufferedDb) as $authSession) {
/** @var \common\models\AccountSession $authSession */
$authSession->delete();
}
/** @var \common\models\MinecraftAccessKey $key */
foreach ($account->getMinecraftAccessKeys()->each(100, Yii::$app->unbufferedDb) as $key) {
/** @var \common\models\MinecraftAccessKey $key */
$key->delete();
}
/** @var \common\models\OauthSession $oauthSession */
foreach ($account->getOauthSessions()->each(100, Yii::$app->unbufferedDb) as $oauthSession) {
/** @var \common\models\OauthSession $oauthSession */
$oauthSession->delete();
}
}

24
common/tasks/ClearOauthSessions.php
View File

@ -7,26 +7,22 @@ use common\models\OauthClient;
use Yii;
use yii\queue\RetryableJobInterface;
class ClearOauthSessions implements RetryableJobInterface {
final class ClearOauthSessions implements RetryableJobInterface {
public string $clientId;
/**
* @var int
* @var int|null unix timestamp, that allows to limit this task to clear only some old sessions
*/
public $clientId;
public ?int $notSince;
/**
* @var int unix timestamp, that allows to limit this task to clear only some old sessions
*/
public $notSince;
public function __construct(string $clientId, int $notSince = null) {
$this->clientId = $clientId;
$this->notSince = $notSince;
}
public static function createFromOauthClient(OauthClient $client, int $notSince = null): self {
$result = new static();
$result->clientId = $client->id;
if ($notSince !== null) {
$result->notSince = $notSince;
}
return $result;
return new self($client->id, $notSince);
}
public function getTtr(): int {

41
common/tasks/CreateWebHooksDeliveries.php
View File

@ -8,39 +8,46 @@ use common\models\WebHook;
use Yii;
use yii\queue\RetryableJobInterface;
class CreateWebHooksDeliveries implements RetryableJobInterface {
final class CreateWebHooksDeliveries implements RetryableJobInterface {
/**
* @var string
*/
public $type;
public string $type;
/**
* @var array
*/
public $payloads;
public array $payloads;
public function __construct(string $type, array $payloads) {
$this->type = $type;
$this->payloads = $payloads;
}
public static function createAccountEdit(Account $account, array $changedAttributes): self {
$result = new static();
$result->type = 'account.edit';
$result->payloads = [
return new static('account.edit', [
'id' => $account->id,
'uuid' => $account->uuid,
'username' => $account->username,
'email' => $account->email,
'lang' => $account->lang,
'isActive' => $account->status === Account::STATUS_ACTIVE,
'isDeleted' => $account->status === Account::STATUS_DELETED,
'registered' => date('c', (int)$account->created_at),
'changedAttributes' => $changedAttributes,
];
]);
}
return $result;
public static function createAccountDeletion(Account $account): self {
return new static('account.deletion', [
'id' => $account->id,
'uuid' => $account->uuid,
'username' => $account->username,
'email' => $account->email,
'registered' => date('c', (int)$account->created_at),
'deleted' => date('c', (int)$account->deleted_at),
]);
}
/**
* @return int time to reserve in seconds
*/
public function getTtr() {
public function getTtr(): int {
return 10;
}
@ -50,14 +57,14 @@ class CreateWebHooksDeliveries implements RetryableJobInterface {
*
* @return bool
*/
public function canRetry($attempt, $error) {
public function canRetry($attempt, $error): bool {
return true;
}
/**
* @param \yii\queue\Queue $queue which pushed and is handling the job
*/
public function execute($queue) {
public function execute($queue): void {
/** @var WebHook[] $targets */
$targets = WebHook::find()
->joinWith('events e', false)

62
common/tasks/DeleteAccount.php Normal file
View File

@ -0,0 +1,62 @@
<?php
declare(strict_types=1);
namespace common\tasks;
use common\models\Account;
use Yii;
use yii\queue\RetryableJobInterface;
final class DeleteAccount implements RetryableJobInterface {
private int $accountId;
public function __construct(int $accountId) {
$this->accountId = $accountId;
}
public function getTtr(): int {
return PHP_INT_MAX; // Let it work as long as it needs to
}
public function canRetry($attempt, $error): bool {
return true;
}
/**
* @param \yii\queue\Queue $queue
* @throws \Throwable
*/
public function execute($queue): void {
$account = Account::findOne(['id' => $this->accountId]);
if ($account === null || $this->shouldAccountBeDeleted($account) === false) {
return;
}
$transaction = Yii::$app->db->beginTransaction();
(new ClearAccountSessions($account->id))->execute($queue);
foreach ($account->oauthClients as $oauthClient) {
(new ClearOauthSessions($oauthClient->id))->execute($queue);
}
/** @var \common\models\EmailActivation $emailActivation */
foreach ($account->getEmailActivations()->each(100, Yii::$app->unbufferedDb) as $emailActivation) {
$emailActivation->delete();
}
/** @var \common\models\UsernameHistory $usernameHistoryEntry */
foreach ($account->getUsernameHistory()->each(100, Yii::$app->unbufferedDb) as $usernameHistoryEntry) {
$usernameHistoryEntry->delete();
}
$account->delete();
$transaction->commit();
}
private function shouldAccountBeDeleted(Account $account): bool {
return $account->status === Account::STATUS_DELETED && $account->getDeleteAt()->subSecond()->isPast();
}
}

31
common/tests/fixtures/data/accounts.php vendored
View File

@ -13,6 +13,7 @@ return [
'created_at' => 1451775316,
'updated_at' => 1451775316,
'password_changed_at' => 1451775316,
'deleted_at' => null,
],
'user-with-old-password-type' => [
'id' => 2,
@ -27,6 +28,7 @@ return [
'created_at' => 1385225069,
'updated_at' => 1385225069,
'password_changed_at' => 1385225069,
'deleted_at' => null,
],
'not-activated-account' => [
'id' => 3,
@ -41,6 +43,7 @@ return [
'created_at' => 1453146616,
'updated_at' => 1453146616,
'password_changed_at' => 1453146616,
'deleted_at' => null,
],
'not-activated-account-with-expired-message' => [
'id' => 4,
@ -55,6 +58,7 @@ return [
'created_at' => 1457890086,
'updated_at' => 1457890086,
'password_changed_at' => 1457890086,
'deleted_at' => null,
],
'account-with-fresh-forgot-password-message' => [
'id' => 5,
@ -69,6 +73,7 @@ return [
'created_at' => 1462891432,
'updated_at' => 1462891432,
'password_changed_at' => 1462891432,
'deleted_at' => null,
],
'account-with-expired-forgot-password-message' => [
'id' => 6,
@ -83,6 +88,7 @@ return [
'created_at' => 1462891612,
'updated_at' => 1462891612,
'password_changed_at' => 1462891612,
'deleted_at' => null,
],
'account-with-change-email-init-state' => [
'id' => 7,
@ -97,6 +103,7 @@ return [
'created_at' => 1463427287,
'updated_at' => 1463427287,
'password_changed_at' => 1463427287,
'deleted_at' => null,
],
'account-with-change-email-finish-state' => [
'id' => 8,
@ -111,6 +118,7 @@ return [
'created_at' => 1463349615,
'updated_at' => 1463349615,
'password_changed_at' => 1463349615,
'deleted_at' => null,
],
'account-with-old-rules-version' => [
'id' => 9,
@ -125,6 +133,7 @@ return [
'created_at' => 1470499952,
'updated_at' => 1470499952,
'password_changed_at' => 1470499952,
'deleted_at' => null,
],
'banned-account' => [
'id' => 10,
@ -139,6 +148,7 @@ return [
'created_at' => 1472682343,
'updated_at' => 1472682343,
'password_changed_at' => 1472682343,
'deleted_at' => null,
],
'account-with-usernames-history' => [
'id' => 11,
@ -153,6 +163,7 @@ return [
'created_at' => 1474404139,
'updated_at' => 1474404149,
'password_changed_at' => 1474404149,
'deleted_at' => null,
],
'account-with-otp-secret' => [
'id' => 12,
@ -169,6 +180,7 @@ return [
'created_at' => 1485124615,
'updated_at' => 1485124615,
'password_changed_at' => 1485124615,
'deleted_at' => null,
],
'account-with-enabled-otp' => [
'id' => 13,
@ -185,6 +197,7 @@ return [
'created_at' => 1485124685,
'updated_at' => 1485124685,
'password_changed_at' => 1485124685,
'deleted_at' => null,
],
'account-with-two-oauth-clients' => [
'id' => 14,
@ -201,5 +214,23 @@ return [
'created_at' => 1519487320,
'updated_at' => 1519487320,
'password_changed_at' => 1519487320,
'deleted_at' => null,
],
'deleted-account' => [
'id' => 15,
'uuid' => '6383de63-8f85-4ed5-92b7-5401a1fa68cd',
'username' => 'DeletedAccount',
'email' => 'deleted-account@ely.by',
'password_hash' => '$2y$13$2rYkap5T6jG8z/mMK8a3Ou6aZxJcmAaTha6FEuujvHEmybSHRzW5e', # password_0
'password_hash_strategy' => \common\models\Account::PASS_HASH_STRATEGY_YII2,
'lang' => 'ru',
'status' => \common\models\Account::STATUS_DELETED,
'rules_agreement_version' => \common\LATEST_RULES_VERSION,
'otp_secret' => null,
'is_otp_enabled' => false,
'created_at' => 1591893532,
'updated_at' => 1591893532,
'password_changed_at' => 1591893532,
'deleted_at' => time(),
],
];

7
common/tests/fixtures/data/minecraft-access-keys.php vendored
View File

@ -21,4 +21,11 @@ return [
'created_at' => time() - 10,
'updated_at' => time() - 10,
],
'deleted-token' => [
'access_token' => '239ba889-7020-4383-8d99-cd8c8aab4a2f',
'client_token' => '47443658-4ff8-45e7-b33e-dc8915ab6421',
'account_id' => 15,
'created_at' => time() - 10,
'updated_at' => time() - 10,
],
];

6
common/tests/fixtures/data/usernames-history.php vendored
View File

@ -24,4 +24,10 @@ return [
'account_id' => 11,
'applied_in' => 1474404143,
],
[
'id' => 5,
'username' => 'DeletedAccount',
'account_id' => 15,
'applied_in' => 1591893532,
],
];

14
common/tests/unit/models/AccountTest.php
View File

@ -133,7 +133,19 @@ class AccountTest extends TestCase {
/** @var CreateWebHooksDeliveries $job */
$job = $this->tester->grabLastQueuedJob();
$this->assertInstanceOf(CreateWebHooksDeliveries::class, $job);
$this->assertSame($job->payloads['changedAttributes'], $changedAttributes);
$this->assertSame('account.edit', $job->type);
$this->assertSame($changedAttributes, $job->payloads['changedAttributes']);
}
public function testAfterDeletePushEvent() {
$account = new Account();
$account->id = 1;
$account->afterDelete();
/** @var CreateWebHooksDeliveries $job */
$job = $this->tester->grabLastQueuedJob();
$this->assertInstanceOf(CreateWebHooksDeliveries::class, $job);
$this->assertSame('account.deletion', $job->type);
$this->assertSame(1, $job->payloads['id']);
}
}

11
common/tests/unit/tasks/ClearAccountSessionsTest.php
View File

@ -3,7 +3,6 @@ declare(strict_types=1);
namespace common\tests\unit\tasks;
use common\models\Account;
use common\tasks\ClearAccountSessions;
use common\tests\fixtures;
use common\tests\unit\TestCase;
@ -23,18 +22,10 @@ class ClearAccountSessionsTest extends TestCase {
];
}
public function testCreateFromAccount() {
$account = new Account();
$account->id = 123;
$task = ClearAccountSessions::createFromAccount($account);
$this->assertSame(123, $task->accountId);
}
public function testExecute() {
/** @var \common\models\Account $bannedAccount */
$bannedAccount = $this->tester->grabFixture('accounts', 'banned-account');
$task = new ClearAccountSessions();
$task->accountId = $bannedAccount->id;
$task = new ClearAccountSessions($bannedAccount->id);
$task->execute($this->createMock(Queue::class));
$this->assertEmpty($bannedAccount->sessions);
$this->assertEmpty($bannedAccount->minecraftAccessKeys);

12
common/tests/unit/tasks/ClearOauthSessionsTest.php
View File

@ -1,4 +1,6 @@
<?php
declare(strict_types=1);
namespace common\tests\unit\tasks;
use common\models\OauthClient;
@ -33,22 +35,18 @@ class ClearOauthSessionsTest extends TestCase {
}
public function testExecute() {
$task = new ClearOauthSessions();
$task->clientId = 'deleted-oauth-client-with-sessions';
$task->notSince = 1519510065;
$task = new ClearOauthSessions('deleted-oauth-client-with-sessions', 1519510065);
$task->execute($this->createMock(Queue::class));
$this->assertFalse(OauthSession::find()->andWhere(['legacy_id' => 3])->exists());
$this->assertTrue(OauthSession::find()->andWhere(['legacy_id' => 4])->exists());
$task = new ClearOauthSessions();
$task->clientId = 'deleted-oauth-client-with-sessions';
$task = new ClearOauthSessions('deleted-oauth-client-with-sessions');
$task->execute($this->createMock(Queue::class));
$this->assertFalse(OauthSession::find()->andWhere(['legacy_id' => 4])->exists());
$task = new ClearOauthSessions();
$task->clientId = 'some-not-exists-client-id';
$task = new ClearOauthSessions('some-not-exists-client-id');
$task->execute($this->createMock(Queue::class));
}

6
common/tests/unit/tasks/CreateWebHooksDeliveriesTest.php
View File

@ -52,9 +52,7 @@ class CreateWebHooksDeliveriesTest extends TestCase {
}
public function testExecute() {
$task = new CreateWebHooksDeliveries();
$task->type = 'account.edit';
$task->payloads = [
$task = new CreateWebHooksDeliveries('account.edit', [
'id' => 123,
'uuid' => 'afc8dc7a-4bbf-4d3a-8699-68890088cf84',
'username' => 'mock-username',
@ -68,7 +66,7 @@ class CreateWebHooksDeliveriesTest extends TestCase {
'email' => 'old-email@ely.by',
'status' => 0,
],
];
]);
$task->execute($this->createMock(Queue::class));
/** @var DeliveryWebHook[] $tasks */
$tasks = $this->tester->grabQueueJobs();

90
common/tests/unit/tasks/DeleteAccountTest.php Normal file
View File

@ -0,0 +1,90 @@
<?php
declare(strict_types=1);
namespace common\tests\unit\tasks;
use common\models\Account;
use common\tasks\DeleteAccount;
use common\tests\fixtures;
use common\tests\unit\TestCase;
use yii\queue\Queue;
/**
* @covers \common\tasks\DeleteAccount
*/
class DeleteAccountTest extends TestCase {
public function _fixtures(): array {
return [
'accounts' => fixtures\AccountFixture::class,
'authSessions' => fixtures\AccountSessionFixture::class,
'emailActivations' => fixtures\EmailActivationFixture::class,
'minecraftAccessKeys' => fixtures\MinecraftAccessKeyFixture::class,
'usernamesHistory' => fixtures\UsernameHistoryFixture::class,
'oauthClients' => fixtures\OauthClientFixture::class,
'oauthSessions' => fixtures\OauthSessionFixture::class,
];
}
public function testExecute() {
/** @var Account $account */
$account = $this->tester->grabFixture('accounts', 'admin');
$account->status = Account::STATUS_DELETED;
$account->deleted_at = time() - 60 * 60 * 24 * 7;
$account->save();
$task = new DeleteAccount($account->id);
$task->execute($this->createMock(Queue::class));
$this->assertEmpty($account->emailActivations);
$this->assertEmpty($account->sessions);
$this->assertEmpty($account->minecraftAccessKeys);
$this->assertEmpty($account->oauthSessions);
$this->assertEmpty($account->usernameHistory);
$this->assertEmpty($account->oauthClients);
$this->assertFalse($account->refresh());
}
/**
* When a user restores his account back, the task doesn't removed
* @throws \Throwable
*/
public function testExecuteOnNotDeletedAccount() {
/** @var Account $account */
$account = $this->tester->grabFixture('accounts', 'admin');
// By default, this account is active
$task = new DeleteAccount($account->id);
$task->execute($this->createMock(Queue::class));
$this->assertNotEmpty($account->emailActivations);
$this->assertNotEmpty($account->sessions);
$this->assertNotEmpty($account->minecraftAccessKeys);
$this->assertNotEmpty($account->oauthSessions);
$this->assertNotEmpty($account->usernameHistory);
$this->assertNotEmpty($account->oauthClients);
$this->assertTrue($account->refresh());
}
/**
* User also might delete his account, restore it and delete again.
* For each deletion the job will be created, so assert, that job for restored deleting will not work
* @throws \Throwable
*/
public function testExecuteOnDeletedAccountWhichWasRestoredAndThenDeletedAgain() {
/** @var Account $account */
$account = $this->tester->grabFixture('accounts', 'admin');
$account->status = Account::STATUS_DELETED;
$account->deleted_at = time() - 60 * 60 * 24 * 2;
$account->save();
$task = new DeleteAccount($account->id);
$task->execute($this->createMock(Queue::class));
$this->assertNotEmpty($account->emailActivations);
$this->assertNotEmpty($account->sessions);
$this->assertNotEmpty($account->minecraftAccessKeys);
$this->assertNotEmpty($account->oauthSessions);
$this->assertNotEmpty($account->usernameHistory);
$this->assertNotEmpty($account->oauthClients);
$this->assertTrue($account->refresh());
}
}

8
console/controllers/RbacController.php
View File

@ -31,6 +31,8 @@ class RbacController extends Controller {
$permChangeAccountPassword = $this->createPermission(P::CHANGE_ACCOUNT_PASSWORD);
$permChangeAccountEmail = $this->createPermission(P::CHANGE_ACCOUNT_EMAIL);
$permManageTwoFactorAuth = $this->createPermission(P::MANAGE_TWO_FACTOR_AUTH);
$permDeleteAccount = $this->createPermission(P::DELETE_ACCOUNT);
$permRestoreAccount = $this->createPermission(P::RESTORE_ACCOUNT);
$permBlockAccount = $this->createPermission(P::BLOCK_ACCOUNT);
$permCreateOauthClients = $this->createPermission(P::CREATE_OAUTH_CLIENTS);
$permViewOauthClients = $this->createPermission(P::VIEW_OAUTH_CLIENTS);
@ -48,6 +50,8 @@ class RbacController extends Controller {
$permChangeOwnAccountPassword = $this->createPermission(P::CHANGE_OWN_ACCOUNT_PASSWORD, AccountOwner::class);
$permChangeOwnAccountEmail = $this->createPermission(P::CHANGE_OWN_ACCOUNT_EMAIL, AccountOwner::class);
$permManageOwnTwoFactorAuth = $this->createPermission(P::MANAGE_OWN_TWO_FACTOR_AUTH, AccountOwner::class);
$permDeleteOwnAccount = $this->createPermission(P::DELETE_OWN_ACCOUNT, AccountOwner::class);
$permRestoreOwnAccount = $this->createPermission(P::RESTORE_OWN_ACCOUNT, AccountOwner::class);
$permMinecraftServerSession = $this->createPermission(P::MINECRAFT_SERVER_SESSION);
$permViewOwnOauthClients = $this->createPermission(P::VIEW_OWN_OAUTH_CLIENTS, OauthClientOwner::class);
$permManageOwnOauthClients = $this->createPermission(P::MANAGE_OWN_OAUTH_CLIENTS, OauthClientOwner::class);
@ -63,6 +67,8 @@ class RbacController extends Controller {
$authManager->addChild($permChangeOwnAccountPassword, $permChangeAccountPassword);
$authManager->addChild($permChangeOwnAccountEmail, $permChangeAccountEmail);
$authManager->addChild($permManageOwnTwoFactorAuth, $permManageTwoFactorAuth);
$authManager->addChild($permDeleteOwnAccount, $permDeleteAccount);
$authManager->addChild($permRestoreOwnAccount, $permRestoreAccount);
$authManager->addChild($permViewOwnOauthClients, $permViewOauthClients);
$authManager->addChild($permManageOwnOauthClients, $permManageOauthClients);
@ -76,6 +82,8 @@ class RbacController extends Controller {
$authManager->addChild($roleAccountsWebUser, $permChangeOwnAccountPassword);
$authManager->addChild($roleAccountsWebUser, $permChangeOwnAccountEmail);
$authManager->addChild($roleAccountsWebUser, $permManageOwnTwoFactorAuth);
$authManager->addChild($roleAccountsWebUser, $permDeleteOwnAccount);
$authManager->addChild($roleAccountsWebUser, $permRestoreOwnAccount);
$authManager->addChild($roleAccountsWebUser, $permCompleteOauthFlow);
$authManager->addChild($roleAccountsWebUser, $permCreateOauthClients);
$authManager->addChild($roleAccountsWebUser, $permViewOwnOauthClients);

15
console/migrations/m200611_123017_accounts_deletion.php Normal file
View File

@ -0,0 +1,15 @@
<?php
use console\db\Migration;
class m200611_123017_accounts_deletion extends Migration {
public function safeUp() {
$this->addColumn('accounts', 'deleted_at', $this->integer(11)->unsigned());
}
public function safeDown() {
$this->dropColumn('accounts', 'deleted_at');
}
}