From 213782ff62beb27f4cb4512c3d4f336b220bd599 Mon Sep 17 00:00:00 2001 From: ErickSkrauch Date: Fri, 9 Dec 2016 23:42:07 +0300 Subject: [PATCH 1/8] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB=D0=B5?= =?UTF-8?q?=D0=BD=D0=B0=20=D0=BF=D0=BE=D0=B4=D0=B4=D0=B5=D1=80=D0=B6=D0=BA?= =?UTF-8?q?=D0=B0=20=D0=B4=D0=BB=D1=8F=20"=D0=B2=D0=BD=D1=83=D1=82=D1=80?= =?UTF-8?q?=D0=B5=D0=BD=D0=BD=D0=B8=D1=85"=20scopes,=20=D0=B7=D0=B0=D0=BF?= =?UTF-8?q?=D1=80=D0=BE=D1=81=D0=B8=D1=82=D1=8C=20=D0=BA=D0=BE=D1=82=D0=BE?= =?UTF-8?q?=D1=80=D1=8B=D0=B5=20=D0=B2=D0=BE=20=D0=B2=D1=80=D0=B5=D0=BC?= =?UTF-8?q?=D1=8F=20oauth=20=D0=BF=D1=80=D0=BE=D1=86=D0=B5=D1=81=D1=81?= =?UTF-8?q?=D0=B0=20=D0=BD=D0=B5=D0=BB=D1=8C=D0=B7=D1=8F?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../OAuth2/Storage/ScopeStorage.php | 3 +- common/components/Annotations/Reader.php | 18 +++++ common/components/Annotations/RedisCache.php | 65 +++++++++++++++++++ common/models/OauthScope.php | 55 ++++++++++++++-- composer.json | 3 +- .../api/functional/OauthAuthCodeCest.php | 15 +++++ .../common/unit/models/OauthScopeTest.php | 12 ++++ 7 files changed, 162 insertions(+), 9 deletions(-) create mode 100644 common/components/Annotations/Reader.php create mode 100644 common/components/Annotations/RedisCache.php create mode 100644 tests/codeception/common/unit/models/OauthScopeTest.php diff --git a/api/components/OAuth2/Storage/ScopeStorage.php b/api/components/OAuth2/Storage/ScopeStorage.php index be42d1e..f653af8 100644 --- a/api/components/OAuth2/Storage/ScopeStorage.php +++ b/api/components/OAuth2/Storage/ScopeStorage.php @@ -12,7 +12,8 @@ class ScopeStorage extends AbstractStorage implements ScopeInterface { * @inheritdoc */ public function get($scope, $grantType = null, $clientId = null) { - if (!in_array($scope, OauthScope::getScopes(), true)) { + $scopes = $grantType === 'authorization_code' ? OauthScope::getPublicScopes() : OauthScope::getScopes(); + if (!in_array($scope, $scopes, true)) { return null; } diff --git a/common/components/Annotations/Reader.php b/common/components/Annotations/Reader.php new file mode 100644 index 0000000..3397fa4 --- /dev/null +++ b/common/components/Annotations/Reader.php @@ -0,0 +1,18 @@ +cache и как-то надобность в отдельном кэше отпала, так что пока забьём + * и оставим как заготовку на будущее + * + * @return \Minime\Annotations\Interfaces\ReaderInterface + */ + public static function createFromDefaults() { + return parent::createFromDefaults(); + //return new self(new \Minime\Annotations\Parser(), new RedisCache()); + } + +} diff --git a/common/components/Annotations/RedisCache.php b/common/components/Annotations/RedisCache.php new file mode 100644 index 0000000..4556347 --- /dev/null +++ b/common/components/Annotations/RedisCache.php @@ -0,0 +1,65 @@ +getRedisKey($key)->setValue(Json::encode($annotations))->expire(3600); + $this->getRedisKeysSet()->add($key); + } + + /** + * Retrieves cached annotations from docblock uuid + * + * @param string $key cache entry uuid + * @return array cached annotation AST + */ + public function get($key) { + $result = $this->getRedisKey($key)->getValue(); + if ($result === null) { + return []; + } + + return Json::decode($result); + } + + /** + * Resets cache + */ + public function clear() { + /** @var array $keys */ + $keys = $this->getRedisKeysSet()->getValue(); + foreach ($keys as $key) { + $this->getRedisKey($key)->delete(); + } + } + + private function getRedisKey(string $key): Key { + return new Key('annotations', 'cache', $key); + } + + private function getRedisKeysSet(): Set { + return new Set('annotations', 'cache', 'keys'); + } + +} diff --git a/common/models/OauthScope.php b/common/models/OauthScope.php index 9fbf035..958d2da 100644 --- a/common/models/OauthScope.php +++ b/common/models/OauthScope.php @@ -1,6 +1,11 @@ getConstants(); + $reader = Reader::createFromDefaults(); + foreach ($constants as $constName => $value) { + $annotations = $reader->getConstantAnnotations(static::class, $constName); + $isInternal = $annotations->get('internal', false); + $keyValue = [ + 'value' => $value, + ]; + if ($isInternal) { + $keyValue['internal'] = true; + } + $scopes[$constName] = $keyValue; + } + + Yii::$app->cache->set($cacheKey, $scopes, 3600); + } + + return $scopes; } } diff --git a/composer.json b/composer.json index c786485..689fbe4 100644 --- a/composer.json +++ b/composer.json @@ -27,7 +27,8 @@ "ely/amqp-controller": "dev-master#d7f8cdbc66c45e477c9c7d5d509bc0c1b11fd3ec", "ely/email-renderer": "dev-master#ef1cb3f7a13196524b97ca5aa0a2d5867f2d9207", "predis/predis": "^1.0", - "mito/yii2-sentry": "dev-fix_init#27f00805cb906f73b2c6f8181c1c655decb9be70" + "mito/yii2-sentry": "dev-fix_init#27f00805cb906f73b2c6f8181c1c655decb9be70", + "minime/annotations": "~3.0" }, "require-dev": { "yiisoft/yii2-codeception": "*", diff --git a/tests/codeception/api/functional/OauthAuthCodeCest.php b/tests/codeception/api/functional/OauthAuthCodeCest.php index 2ed740f..be61f3e 100644 --- a/tests/codeception/api/functional/OauthAuthCodeCest.php +++ b/tests/codeception/api/functional/OauthAuthCodeCest.php @@ -281,6 +281,21 @@ class OauthAuthCodeCest { 'statusCode' => 400, ]); $I->canSeeResponseJsonMatchesJsonPath('$.redirectUri'); + + $I->wantTo('check behavior on request internal scope'); + $this->route->$action($this->buildQueryParams('ely', 'http://ely.by', 'code', [ + S::MINECRAFT_SERVER_SESSION, + S::ACCOUNT_BLOCK, + ])); + $I->canSeeResponseCodeIs(400); + $I->canSeeResponseIsJson(); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'error' => 'invalid_scope', + 'parameter' => S::ACCOUNT_BLOCK, + 'statusCode' => 400, + ]); + $I->canSeeResponseJsonMatchesJsonPath('$.redirectUri'); } } diff --git a/tests/codeception/common/unit/models/OauthScopeTest.php b/tests/codeception/common/unit/models/OauthScopeTest.php new file mode 100644 index 0000000..8adbca6 --- /dev/null +++ b/tests/codeception/common/unit/models/OauthScopeTest.php @@ -0,0 +1,12 @@ + Date: Sun, 11 Dec 2016 14:37:55 +0300 Subject: [PATCH 2/8] =?UTF-8?q?=D0=91=D0=B0=D0=B7=D0=BE=D0=B2=D0=B0=D1=8F?= =?UTF-8?q?=20=D1=80=D0=B5=D0=B0=D0=BB=D0=B8=D0=B7=D0=B0=D1=86=D0=B8=D1=8F?= =?UTF-8?q?=20API=20=D0=B4=D0=BB=D1=8F=20=D0=B1=D0=BB=D0=BE=D0=BA=D0=B8?= =?UTF-8?q?=D1=80=D0=BE=D0=B2=D0=BA=D0=B8=20=D0=B0=D0=BA=D0=BA=D0=B0=D1=83?= =?UTF-8?q?=D0=BD=D1=82=D0=B0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../controllers/AccountsController.php | 30 +++++++ api/modules/internal/models/BlockForm.php | 80 +++++++++++++++++++ common/models/amqp/AccountBanned.php | 14 ++++ 3 files changed, 124 insertions(+) create mode 100644 api/modules/internal/controllers/AccountsController.php create mode 100644 api/modules/internal/models/BlockForm.php create mode 100644 common/models/amqp/AccountBanned.php diff --git a/api/modules/internal/controllers/AccountsController.php b/api/modules/internal/controllers/AccountsController.php new file mode 100644 index 0000000..2c86fd3 --- /dev/null +++ b/api/modules/internal/controllers/AccountsController.php @@ -0,0 +1,30 @@ + [ + 'class' => AccessControl::class, + 'rules' => [ + [ + 'actions' => ['block'], + 'allow' => true, + 'roles' => [S::ACCOUNT_BLOCK], + ], + ], + ], + ]); + } + + public function actionBlock(int $accountId) { + + } + +} diff --git a/api/modules/internal/models/BlockForm.php b/api/modules/internal/models/BlockForm.php new file mode 100644 index 0000000..a60b757 --- /dev/null +++ b/api/modules/internal/models/BlockForm.php @@ -0,0 +1,80 @@ + self::DURATION_FOREVER], + [['message'], 'string'], + ]; + } + + public function getAccount(): Account { + return $this->account; + } + + public function ban(): bool { + $transaction = Yii::$app->db->beginTransaction(); + + $account = $this->account; + $account->status = Account::STATUS_BANNED; + $account->save(); + + $this->createTask(); + + $transaction->commit(); + + return true; + } + + public function createTask() { + $model = new AccountBanned(); + $model->accountId = $this->account->id; + $model->duration = $this->duration; + $model->message = $this->message; + + $message = Amqp::getInstance()->prepareMessage($model, [ + 'delivery_mode' => AMQPMessage::DELIVERY_MODE_PERSISTENT, + ]); + + Amqp::sendToEventsExchange('accounts.account-banned', $message); + } + + public function __construct(Account $account, array $config = []) { + $this->account = $account; + parent::__construct($config); + } + +} diff --git a/common/models/amqp/AccountBanned.php b/common/models/amqp/AccountBanned.php new file mode 100644 index 0000000..1b1198e --- /dev/null +++ b/common/models/amqp/AccountBanned.php @@ -0,0 +1,14 @@ + Date: Fri, 16 Dec 2016 11:32:13 +0300 Subject: [PATCH 3/8] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB=D0=B5?= =?UTF-8?q?=D0=BD=D1=8B=20unit-=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4?= =?UTF-8?q?=D0=BB=D1=8F=20=D1=84=D0=BE=D1=80=D0=BC=D1=8B=20=D0=B1=D0=BB?= =?UTF-8?q?=D0=BE=D0=BA=D0=B8=D1=80=D0=BE=D0=B2=D0=BA=D0=B8=20=D0=B0=D0=BA?= =?UTF-8?q?=D0=BA=D0=B0=D1=83=D0=BD=D1=82=D0=B0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- api/modules/internal/models/BlockForm.php | 7 ++- .../modules/internal/models/BlockFormTest.php | 47 +++++++++++++++++++ 2 files changed, 52 insertions(+), 2 deletions(-) create mode 100644 tests/codeception/api/unit/modules/internal/models/BlockFormTest.php diff --git a/api/modules/internal/models/BlockForm.php b/api/modules/internal/models/BlockForm.php index a60b757..7cb0bdb 100644 --- a/api/modules/internal/models/BlockForm.php +++ b/api/modules/internal/models/BlockForm.php @@ -7,6 +7,7 @@ use common\models\Account; use common\models\amqp\AccountBanned; use PhpAmqpLib\Message\AMQPMessage; use Yii; +use yii\base\ErrorException; class BlockForm extends ApiForm { @@ -27,7 +28,7 @@ class BlockForm extends ApiForm { * * @var string */ - public $message; + public $message = ''; /** * @var Account @@ -50,7 +51,9 @@ class BlockForm extends ApiForm { $account = $this->account; $account->status = Account::STATUS_BANNED; - $account->save(); + if (!$account->save()) { + throw new ErrorException('Cannot ban account'); + } $this->createTask(); diff --git a/tests/codeception/api/unit/modules/internal/models/BlockFormTest.php b/tests/codeception/api/unit/modules/internal/models/BlockFormTest.php new file mode 100644 index 0000000..055eaec --- /dev/null +++ b/tests/codeception/api/unit/modules/internal/models/BlockFormTest.php @@ -0,0 +1,47 @@ +getMockBuilder(Account::class) + ->setMethods(['save']) + ->getMock(); + + $account->expects($this->once()) + ->method('save') + ->willReturn(true); + + $model = new BlockForm($account); + $this->assertTrue($model->ban()); + $this->assertEquals(Account::STATUS_BANNED, $account->status); + $this->tester->canSeeAmqpMessageIsCreated('events'); + } + + public function testCreateTask() { + $account = new Account(); + $account->id = 3; + + $model = new BlockForm($account); + $model->createTask(); + $message = json_decode($this->tester->grabLastSentAmqpMessage('events')->body, true); + $this->assertSame(3, $message['accountId']); + $this->assertSame(-1, $message['duration']); + $this->assertSame('', $message['message']); + + $model = new BlockForm($account); + $model->duration = 123; + $model->message = 'test'; + $model->createTask(); + $message = json_decode($this->tester->grabLastSentAmqpMessage('events')->body, true); + $this->assertSame(3, $message['accountId']); + $this->assertSame(123, $message['duration']); + $this->assertSame('test', $message['message']); + } + +} From 1e7039c05c2df7cebe33772741ed2b11594bbe9f Mon Sep 17 00:00:00 2001 From: ErickSkrauch Date: Fri, 16 Dec 2016 11:36:21 +0300 Subject: [PATCH 4/8] =?UTF-8?q?=D0=A0=D0=B5=D0=B0=D0=BB=D0=B8=D0=B7=D0=BE?= =?UTF-8?q?=D0=B2=D0=B0=D0=BD=20=D0=BA=D0=BE=D0=BD=D1=82=D1=80=D0=BE=D0=BB?= =?UTF-8?q?=D0=BB=D0=B5=D1=80=20=D0=B4=D0=BB=D1=8F=20=D1=84=D0=BE=D1=80?= =?UTF-8?q?=D0=BC=D1=8B=20=D0=B7=D0=B0=D0=BF=D1=80=D0=BE=D1=81=D0=B0=20?= =?UTF-8?q?=D0=BD=D0=B0=20=D0=B1=D0=BB=D0=BE=D0=BA=D0=B8=D1=80=D0=BE=D0=B2?= =?UTF-8?q?=D0=BA=D1=83=20=D0=B0=D0=BA=D0=BA=D0=B0=D1=83=D0=BD=D1=82=D0=B0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../controllers/AccountsController.php | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/api/modules/internal/controllers/AccountsController.php b/api/modules/internal/controllers/AccountsController.php index 2c86fd3..fd4eb56 100644 --- a/api/modules/internal/controllers/AccountsController.php +++ b/api/modules/internal/controllers/AccountsController.php @@ -3,8 +3,12 @@ namespace api\modules\internal\controllers; use api\components\ApiUser\AccessControl; use api\controllers\Controller; +use api\modules\internal\models\BlockForm; +use common\models\Account; use common\models\OauthScope as S; +use Yii; use yii\helpers\ArrayHelper; +use yii\web\NotFoundHttpException; class AccountsController extends Controller { @@ -24,7 +28,28 @@ class AccountsController extends Controller { } public function actionBlock(int $accountId) { + $account = $this->findAccount($accountId); + $model = new BlockForm($account); + $model->load(Yii::$app->request->post()); + if (!$model->ban()) { + return [ + 'success' => false, + 'errors' => $model->getFirstErrors(), + ]; + } + return [ + 'success' => true, + ]; + } + + private function findAccount(int $accountId): Account { + $account = Account::findOne($accountId); + if ($account === null) { + throw new NotFoundHttpException(); + } + + return $account; } } From 79bbc12206818d36d4d1e50d02ae4f84907cf838 Mon Sep 17 00:00:00 2001 From: ErickSkrauch Date: Sun, 18 Dec 2016 02:20:53 +0300 Subject: [PATCH 5/8] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB=D0=B5?= =?UTF-8?q?=D0=BD=20=D0=BA=D0=BE=D0=BD=D1=82=D1=80=D0=BE=D0=BB=D0=BB=D0=B5?= =?UTF-8?q?=D1=80=20=D0=B4=D0=BB=D1=8F=20=D0=B1=D0=BB=D0=BE=D0=BA=D0=B8?= =?UTF-8?q?=D1=80=D0=BE=D0=B2=D0=BA=D0=B8=20=D0=B0=D0=BA=D0=BA=D0=B0=D1=83?= =?UTF-8?q?=D0=BD=D1=82=D0=B0=20=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB=D0=B5?= =?UTF-8?q?=D0=BD=20client=5Fcredentials=20grant=20=D0=B4=D0=BB=D1=8F=20oA?= =?UTF-8?q?uth=20=D0=A0=D0=B5=D1=84=D0=B0=D0=BA=D1=82=D0=BE=D1=80=D0=B8?= =?UTF-8?q?=D0=BD=D0=B3=20=D1=81=D1=82=D1=80=D1=83=D0=BA=D1=82=D1=83=D1=80?= =?UTF-8?q?=D1=8B=20OauthScopes=20=D1=87=D1=82=D0=BE=D0=B1=D1=8B=20=D0=BC?= =?UTF-8?q?=D0=BE=D0=B6=D0=BD=D0=BE=20=D0=B1=D1=8B=D0=BB=D0=BE=20=D1=80?= =?UTF-8?q?=D0=B0=D0=B7=D0=B4=D0=B5=D0=BB=D0=B8=D1=82=D1=8C=20=D0=B2=D0=BB?= =?UTF-8?q?=D0=B0=D0=B4=D0=B5=D0=BB=D1=8C=D1=86=D0=B0=20=D0=BF=D1=80=D0=B0?= =?UTF-8?q?=D0=B2=20=D0=BD=D0=B0=20=D0=BF=D0=BE=D0=BB=D1=8C=D0=B7=D0=BE?= =?UTF-8?q?=D0=B2=D0=B0=D1=82=D0=B5=D0=BB=D1=8C=D1=81=D0=BA=D0=B8=D0=B5=20?= =?UTF-8?q?=D0=B8=20=D0=BE=D0=B1=D1=89=D0=B8=D0=B5=20(=D0=BC=D0=B0=D1=88?= =?UTF-8?q?=D0=B8=D0=BD=D0=BD=D1=8B=D0=B5)=20=D0=98=D1=81=D0=BF=D1=80?= =?UTF-8?q?=D0=B0=D0=B2=D0=BB=D0=B5=D0=BD=D0=B0=20=D1=81=D1=82=D0=B8=D0=BB?= =?UTF-8?q?=D0=B8=D1=81=D1=82=D0=B8=D0=BA=D0=B0=20=D0=BA=D0=BE=D0=B4=D0=B0?= =?UTF-8?q?,=20=D0=B2=D0=BD=D0=B5=D0=B4=D1=80=D1=8F=D1=8E=D1=82=D1=81?= =?UTF-8?q?=D1=8F=20=D1=84=D0=B8=D1=88=D0=BA=D0=B8=20PHP=207.1?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- api/components/ApiUser/Component.php | 4 +- api/components/ApiUser/Identity.php | 13 ++--- .../OAuth2/Entities/ClientEntity.php | 10 ++++ .../OAuth2/Grants/ClientCredentialsGrant.php | 20 ++++++++ .../OAuth2/Storage/ClientStorage.php | 1 + .../OAuth2/Storage/ScopeStorage.php | 24 ++++++++- api/config/config.php | 8 ++- api/controllers/OauthController.php | 13 ++--- api/modules/internal/Module.php | 19 +++++++ .../controllers/AccountsController.php | 11 ++-- api/modules/internal/helpers/Error.php | 8 +++ .../models/{BlockForm.php => BanForm.php} | 22 ++++++-- common/models/OauthScope.php | 41 +++++++-------- common/models/OauthScopeQuery.php | 50 +++++++++++++++++++ ..._oauth_clients_allow_null_redirect_uri.php | 15 ++++++ .../codeception/api/_pages/InternalRoute.php | 16 ++++++ .../api/functional/_steps/OauthSteps.php | 21 ++++++-- .../api/functional/internal/BanCest.php | 47 +++++++++++++++++ .../{BlockFormTest.php => BanFormTest.php} | 25 ++++++++-- .../common/fixtures/data/oauth-clients.php | 20 ++++++++ .../common/unit/models/OauthScopeTest.php | 12 ----- 21 files changed, 332 insertions(+), 68 deletions(-) create mode 100644 api/components/OAuth2/Grants/ClientCredentialsGrant.php create mode 100644 api/modules/internal/Module.php create mode 100644 api/modules/internal/helpers/Error.php rename api/modules/internal/models/{BlockForm.php => BanForm.php} (76%) create mode 100644 common/models/OauthScopeQuery.php create mode 100644 console/migrations/m161228_101022_oauth_clients_allow_null_redirect_uri.php create mode 100644 tests/codeception/api/_pages/InternalRoute.php create mode 100644 tests/codeception/api/functional/internal/BanCest.php rename tests/codeception/api/unit/modules/internal/models/{BlockFormTest.php => BanFormTest.php} (64%) delete mode 100644 tests/codeception/common/unit/models/OauthScopeTest.php diff --git a/api/components/ApiUser/Component.php b/api/components/ApiUser/Component.php index 46acfc1..d6f4655 100644 --- a/api/components/ApiUser/Component.php +++ b/api/components/ApiUser/Component.php @@ -6,8 +6,8 @@ use yii\web\User as YiiUserComponent; /** * @property Identity|null $identity * - * @method Identity|null getIdentity() - * @method Identity|null loginByAccessToken(string $token, $type = null) + * @method Identity|null getIdentity($autoRenew = true) + * @method Identity|null loginByAccessToken($token, $type = null) */ class Component extends YiiUserComponent { diff --git a/api/components/ApiUser/Identity.php b/api/components/ApiUser/Identity.php index fb3510d..953b5a7 100644 --- a/api/components/ApiUser/Identity.php +++ b/api/components/ApiUser/Identity.php @@ -26,7 +26,8 @@ class Identity implements IdentityInterface { /** * @inheritdoc */ - public static function findIdentityByAccessToken($token, $type = null) { + public static function findIdentityByAccessToken($token, $type = null): self { + /** @var AccessTokenEntity|null $model */ $model = Yii::$app->oauth->getAuthServer()->getAccessTokenStorage()->get($token); if ($model === null) { throw new UnauthorizedHttpException('Incorrect token'); @@ -41,19 +42,19 @@ class Identity implements IdentityInterface { $this->_accessToken = $accessToken; } - public function getAccount() : Account { + public function getAccount(): Account { return $this->getSession()->account; } - public function getClient() : OauthClient { + public function getClient(): OauthClient { return $this->getSession()->client; } - public function getSession() : OauthSession { + public function getSession(): OauthSession { return OauthSession::findOne($this->_accessToken->getSessionId()); } - public function getAccessToken() : AccessTokenEntity { + public function getAccessToken(): AccessTokenEntity { return $this->_accessToken; } @@ -62,7 +63,7 @@ class Identity implements IdentityInterface { * У нас права привязываются к токенам, так что возвращаем именно его id. * @inheritdoc */ - public function getId() { + public function getId(): string { return $this->_accessToken->getId(); } diff --git a/api/components/OAuth2/Entities/ClientEntity.php b/api/components/OAuth2/Entities/ClientEntity.php index 8636cf1..e88f424 100644 --- a/api/components/OAuth2/Entities/ClientEntity.php +++ b/api/components/OAuth2/Entities/ClientEntity.php @@ -3,6 +3,8 @@ namespace api\components\OAuth2\Entities; class ClientEntity extends \League\OAuth2\Server\Entity\ClientEntity { + private $isTrusted; + public function setId(string $id) { $this->id = $id; } @@ -19,4 +21,12 @@ class ClientEntity extends \League\OAuth2\Server\Entity\ClientEntity { $this->redirectUri = $redirectUri; } + public function setIsTrusted(bool $isTrusted) { + $this->isTrusted = $isTrusted; + } + + public function isTrusted(): bool { + return $this->isTrusted; + } + } diff --git a/api/components/OAuth2/Grants/ClientCredentialsGrant.php b/api/components/OAuth2/Grants/ClientCredentialsGrant.php new file mode 100644 index 0000000..4e7b467 --- /dev/null +++ b/api/components/OAuth2/Grants/ClientCredentialsGrant.php @@ -0,0 +1,20 @@ +server); + } + + protected function createRefreshTokenEntity() { + return new Entities\RefreshTokenEntity($this->server); + } + + protected function createSessionEntity() { + return new Entities\SessionEntity($this->server); + } + +} diff --git a/api/components/OAuth2/Storage/ClientStorage.php b/api/components/OAuth2/Storage/ClientStorage.php index 90d024b..9a339f0 100644 --- a/api/components/OAuth2/Storage/ClientStorage.php +++ b/api/components/OAuth2/Storage/ClientStorage.php @@ -74,6 +74,7 @@ class ClientStorage extends AbstractStorage implements ClientInterface { $entity->setId($model->id); $entity->setName($model->name); $entity->setSecret($model->secret); + $entity->setIsTrusted($model->is_trusted); $entity->setRedirectUri($model->redirect_uri); return $entity; diff --git a/api/components/OAuth2/Storage/ScopeStorage.php b/api/components/OAuth2/Storage/ScopeStorage.php index f653af8..d5223e5 100644 --- a/api/components/OAuth2/Storage/ScopeStorage.php +++ b/api/components/OAuth2/Storage/ScopeStorage.php @@ -1,10 +1,12 @@ onlyPublic()->usersScopes(); + } elseif ($grantType === 'client_credentials') { + $query->machineScopes(); + $isTrusted = false; + if ($clientId !== null) { + $client = $this->server->getClientStorage()->get($clientId); + if (!$client instanceof ClientEntity) { + throw new ErrorException('client storage must return instance of ' . ClientEntity::class); + } + + $isTrusted = $client->isTrusted(); + } + + if (!$isTrusted) { + $query->onlyPublic(); + } + } + + $scopes = $query->all(); if (!in_array($scope, $scopes, true)) { return null; } diff --git a/api/config/config.php b/api/config/config.php index 68e83c2..fcb7178 100644 --- a/api/config/config.php +++ b/api/config/config.php @@ -7,7 +7,7 @@ $params = array_merge( return [ 'id' => 'accounts-site-api', 'basePath' => dirname(__DIR__), - 'bootstrap' => ['log', 'authserver'], + 'bootstrap' => ['log', 'authserver', 'internal'], 'controllerNamespace' => 'api\controllers', 'params' => $params, 'components' => [ @@ -75,10 +75,11 @@ return [ ], 'oauth' => [ 'class' => api\components\OAuth2\Component::class, - 'grantTypes' => ['authorization_code'], + 'grantTypes' => ['authorization_code', 'client_credentials'], 'grantMap' => [ 'authorization_code' => api\components\OAuth2\Grants\AuthCodeGrant::class, 'refresh_token' => api\components\OAuth2\Grants\RefreshTokenGrant::class, + 'client_credentials' => api\components\OAuth2\Grants\ClientCredentialsGrant::class, ], ], 'errorHandler' => [ @@ -96,5 +97,8 @@ return [ 'mojang' => [ 'class' => api\modules\mojang\Module::class, ], + 'internal' => [ + 'class' => api\modules\internal\Module::class, + ], ], ]; diff --git a/api/controllers/OauthController.php b/api/controllers/OauthController.php index 8df62a0..9428287 100644 --- a/api/controllers/OauthController.php +++ b/api/controllers/OauthController.php @@ -7,7 +7,9 @@ use api\components\OAuth2\Exception\AccessDeniedException; use common\models\Account; use common\models\OauthClient; use common\models\OauthScope; +use League\OAuth2\Server\AuthorizationServer; use League\OAuth2\Server\Exception\OAuthException; +use League\OAuth2\Server\Grant\AuthCodeGrant; use Yii; use yii\filters\AccessControl; use yii\helpers\ArrayHelper; @@ -274,17 +276,12 @@ class OauthController extends Controller { return $response; } - /** - * @return \League\OAuth2\Server\AuthorizationServer - */ - private function getServer() { + private function getServer(): AuthorizationServer { return Yii::$app->oauth->authServer; } - /** - * @return \League\OAuth2\Server\Grant\AuthCodeGrant - */ - private function getGrantType() { + private function getGrantType(): AuthCodeGrant { + /** @noinspection PhpIncompatibleReturnTypeInspection */ return $this->getServer()->getGrantType('authorization_code'); } diff --git a/api/modules/internal/Module.php b/api/modules/internal/Module.php new file mode 100644 index 0000000..5213e72 --- /dev/null +++ b/api/modules/internal/Module.php @@ -0,0 +1,19 @@ +getUrlManager()->addRules([ + '/internal///' => "{$this->id}//", + ], false); + } + +} diff --git a/api/modules/internal/controllers/AccountsController.php b/api/modules/internal/controllers/AccountsController.php index fd4eb56..e666a0c 100644 --- a/api/modules/internal/controllers/AccountsController.php +++ b/api/modules/internal/controllers/AccountsController.php @@ -3,7 +3,7 @@ namespace api\modules\internal\controllers; use api\components\ApiUser\AccessControl; use api\controllers\Controller; -use api\modules\internal\models\BlockForm; +use api\modules\internal\models\BanForm; use common\models\Account; use common\models\OauthScope as S; use Yii; @@ -14,11 +14,14 @@ class AccountsController extends Controller { public function behaviors() { return ArrayHelper::merge(parent::behaviors(), [ + 'authenticator' => [ + 'user' => Yii::$app->apiUser, + ], 'access' => [ 'class' => AccessControl::class, 'rules' => [ [ - 'actions' => ['block'], + 'actions' => ['ban'], 'allow' => true, 'roles' => [S::ACCOUNT_BLOCK], ], @@ -27,9 +30,9 @@ class AccountsController extends Controller { ]); } - public function actionBlock(int $accountId) { + public function actionBan(int $accountId) { $account = $this->findAccount($accountId); - $model = new BlockForm($account); + $model = new BanForm($account); $model->load(Yii::$app->request->post()); if (!$model->ban()) { return [ diff --git a/api/modules/internal/helpers/Error.php b/api/modules/internal/helpers/Error.php new file mode 100644 index 0000000..86b45b5 --- /dev/null +++ b/api/modules/internal/helpers/Error.php @@ -0,0 +1,8 @@ + self::DURATION_FOREVER], [['message'], 'string'], + [['account'], 'validateAccountActivity'], ]; } @@ -46,7 +48,17 @@ class BlockForm extends ApiForm { return $this->account; } + public function validateAccountActivity() { + if ($this->account->status === Account::STATUS_BANNED) { + $this->addError('account', E::ACCOUNT_ALREADY_BANNED); + } + } + public function ban(): bool { + if (!$this->validate()) { + return false; + } + $transaction = Yii::$app->db->beginTransaction(); $account = $this->account; @@ -62,7 +74,7 @@ class BlockForm extends ApiForm { return true; } - public function createTask() { + public function createTask(): void { $model = new AccountBanned(); $model->accountId = $this->account->id; $model->duration = $this->duration; diff --git a/common/models/OauthScope.php b/common/models/OauthScope.php index 958d2da..bb4da54 100644 --- a/common/models/OauthScope.php +++ b/common/models/OauthScope.php @@ -4,32 +4,33 @@ namespace common\models; use common\components\Annotations\Reader; use ReflectionClass; use Yii; -use yii\helpers\ArrayHelper; class OauthScope { + /** + * @owner user + */ const OFFLINE_ACCESS = 'offline_access'; + /** + * @owner user + */ const MINECRAFT_SERVER_SESSION = 'minecraft_server_session'; + /** + * @owner user + */ const ACCOUNT_INFO = 'account_info'; + /** + * @owner user + */ const ACCOUNT_EMAIL = 'account_email'; - - /** @internal */ + /** + * @internal + * @owner machine + */ const ACCOUNT_BLOCK = 'account_block'; - public static function getScopes(): array { - return ArrayHelper::getColumn(static::queryScopes(), 'value'); - } - - public static function getPublicScopes(): array { - return ArrayHelper::getColumn(array_filter(static::queryScopes(), function($value) { - return !isset($value['internal']); - }), 'value'); - } - - public static function getInternalScopes(): array { - return ArrayHelper::getColumn(array_filter(static::queryScopes(), function($value) { - return isset($value['internal']); - }), 'value'); + public static function find(): OauthScopeQuery { + return new OauthScopeQuery(static::queryScopes()); } private static function queryScopes(): array { @@ -43,12 +44,12 @@ class OauthScope { foreach ($constants as $constName => $value) { $annotations = $reader->getConstantAnnotations(static::class, $constName); $isInternal = $annotations->get('internal', false); + $owner = $annotations->get('owner', 'user'); $keyValue = [ 'value' => $value, + 'internal' => $isInternal, + 'owner' => $owner, ]; - if ($isInternal) { - $keyValue['internal'] = true; - } $scopes[$constName] = $keyValue; } diff --git a/common/models/OauthScopeQuery.php b/common/models/OauthScopeQuery.php new file mode 100644 index 0000000..27577c5 --- /dev/null +++ b/common/models/OauthScopeQuery.php @@ -0,0 +1,50 @@ +internal = false; + return $this; + } + + public function onlyInternal(): self { + $this->internal = true; + return $this; + } + + public function usersScopes(): self { + $this->owner = 'user'; + return $this; + } + + public function machineScopes(): self { + $this->owner = 'machine'; + return $this; + } + + public function all(): array { + return ArrayHelper::getColumn(array_filter($this->scopes, function($value) { + $shouldCheckInternal = $this->internal !== null; + $isInternalMatch = $value['internal'] === $this->internal; + $shouldCheckOwner = $this->owner !== null; + $isOwnerMatch = $value['owner'] === $this->owner; + + return (!$shouldCheckInternal || $isInternalMatch) + && (!$shouldCheckOwner || $isOwnerMatch); + }), 'value'); + } + + public function __construct(array $scopes) { + $this->scopes = $scopes; + } + +} diff --git a/console/migrations/m161228_101022_oauth_clients_allow_null_redirect_uri.php b/console/migrations/m161228_101022_oauth_clients_allow_null_redirect_uri.php new file mode 100644 index 0000000..1734f95 --- /dev/null +++ b/console/migrations/m161228_101022_oauth_clients_allow_null_redirect_uri.php @@ -0,0 +1,15 @@ +alterColumn('{{%oauth_clients}}', 'redirect_uri', $this->string()); + } + + public function safeDown() { + $this->alterColumn('{{%oauth_clients}}', 'redirect_uri', $this->string()->notNull()); + } + +} diff --git a/tests/codeception/api/_pages/InternalRoute.php b/tests/codeception/api/_pages/InternalRoute.php new file mode 100644 index 0000000..36ce520 --- /dev/null +++ b/tests/codeception/api/_pages/InternalRoute.php @@ -0,0 +1,16 @@ +route = '/internal/accounts/' . $accountId . '/ban'; + $this->actor->sendPOST($this->getUrl()); + } + +} diff --git a/tests/codeception/api/functional/_steps/OauthSteps.php b/tests/codeception/api/functional/_steps/OauthSteps.php index c16aaf6..3e0c467 100644 --- a/tests/codeception/api/functional/_steps/OauthSteps.php +++ b/tests/codeception/api/functional/_steps/OauthSteps.php @@ -3,11 +3,12 @@ namespace tests\codeception\api\functional\_steps; use common\models\OauthScope as S; use tests\codeception\api\_pages\OauthRoute; +use tests\codeception\api\FunctionalTester; -class OauthSteps extends \tests\codeception\api\FunctionalTester { +class OauthSteps extends FunctionalTester { public function getAuthCode(array $permissions = []) { - // TODO: по идее можно напрямую сделать зпись в базу, что ускорит процесс тестирования + // TODO: по идее можно напрямую сделать запись в базу, что ускорит процесс тестирования $this->loggedInAsActiveAccount(); $route = new OauthRoute($this); $route->complete([ @@ -31,7 +32,7 @@ class OauthSteps extends \tests\codeception\api\FunctionalTester { } public function getRefreshToken(array $permissions = []) { - // TODO: по идее можно напрямую сделать зпись в базу, что ускорит процесс тестирования + // TODO: по идее можно напрямую сделать запись в базу, что ускорит процесс тестирования $authCode = $this->getAuthCode(array_merge([S::OFFLINE_ACCESS], $permissions)); $response = $this->issueToken($authCode); @@ -51,4 +52,18 @@ class OauthSteps extends \tests\codeception\api\FunctionalTester { return json_decode($this->grabResponse(), true); } + public function getAccessTokenByClientCredentialsGrant(array $permissions = [], $useTrusted = true) { + $route = new OauthRoute($this); + $route->issueToken([ + 'client_id' => $useTrusted ? 'trusted-client' : 'default-client', + 'client_secret' => $useTrusted ? 'tXBbyvMcyaOgHMOAXBpN2EC7uFoJAaL9' : 'AzWRy7ZjS1yRQUk2vRBDic8fprOKDB1W', + 'grant_type' => 'client_credentials', + 'scope' => implode(',', $permissions), + ]); + + $response = json_decode($this->grabResponse(), true); + + return $response['access_token']; + } + } diff --git a/tests/codeception/api/functional/internal/BanCest.php b/tests/codeception/api/functional/internal/BanCest.php new file mode 100644 index 0000000..9f46806 --- /dev/null +++ b/tests/codeception/api/functional/internal/BanCest.php @@ -0,0 +1,47 @@ +route = new InternalRoute($I); + } + + public function testBanAccount(OauthSteps $I) { + $accessToken = $I->getAccessTokenByClientCredentialsGrant([S::ACCOUNT_BLOCK]); + $I->amBearerAuthenticated($accessToken); + + $this->route->ban(1); + $I->canSeeResponseCodeIs(200); + $I->canSeeResponseIsJson(); + $I->canSeeResponseContainsJson([ + 'success' => true, + ]); + } + + public function testBanBannedAccount(OauthSteps $I) { + $accessToken = $I->getAccessTokenByClientCredentialsGrant([S::ACCOUNT_BLOCK]); + $I->amBearerAuthenticated($accessToken); + + $this->route->ban(10); + $I->canSeeResponseCodeIs(200); + $I->canSeeResponseIsJson(); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'account' => 'error.account_already_banned', + ], + ]); + } + +} diff --git a/tests/codeception/api/unit/modules/internal/models/BlockFormTest.php b/tests/codeception/api/unit/modules/internal/models/BanFormTest.php similarity index 64% rename from tests/codeception/api/unit/modules/internal/models/BlockFormTest.php rename to tests/codeception/api/unit/modules/internal/models/BanFormTest.php index 055eaec..b63c15a 100644 --- a/tests/codeception/api/unit/modules/internal/models/BlockFormTest.php +++ b/tests/codeception/api/unit/modules/internal/models/BanFormTest.php @@ -1,11 +1,26 @@ status = Account::STATUS_ACTIVE; + $form = new BanForm($account); + $form->validateAccountActivity(); + $this->assertEmpty($form->getErrors('account')); + + $account = new Account(); + $account->status = Account::STATUS_BANNED; + $form = new BanForm($account); + $form->validateAccountActivity(); + $this->assertEquals([E::ACCOUNT_ALREADY_BANNED], $form->getErrors('account')); + } public function testBan() { /** @var Account|\PHPUnit_Framework_MockObject_MockObject $account */ @@ -17,7 +32,7 @@ class BlockFormTest extends TestCase { ->method('save') ->willReturn(true); - $model = new BlockForm($account); + $model = new BanForm($account); $this->assertTrue($model->ban()); $this->assertEquals(Account::STATUS_BANNED, $account->status); $this->tester->canSeeAmqpMessageIsCreated('events'); @@ -27,14 +42,14 @@ class BlockFormTest extends TestCase { $account = new Account(); $account->id = 3; - $model = new BlockForm($account); + $model = new BanForm($account); $model->createTask(); $message = json_decode($this->tester->grabLastSentAmqpMessage('events')->body, true); $this->assertSame(3, $message['accountId']); $this->assertSame(-1, $message['duration']); $this->assertSame('', $message['message']); - $model = new BlockForm($account); + $model = new BanForm($account); $model->duration = 123; $model->message = 'test'; $model->createTask(); diff --git a/tests/codeception/common/fixtures/data/oauth-clients.php b/tests/codeception/common/fixtures/data/oauth-clients.php index e7ddba5..e8c2dfc 100644 --- a/tests/codeception/common/fixtures/data/oauth-clients.php +++ b/tests/codeception/common/fixtures/data/oauth-clients.php @@ -30,4 +30,24 @@ return [ 'is_trusted' => 0, 'created_at' => 1479937982, ], + 'trustedClient' => [ + 'id' => 'trusted-client', + 'secret' => 'tXBbyvMcyaOgHMOAXBpN2EC7uFoJAaL9', + 'name' => 'Trusted client', + 'description' => 'Это клиент, которому мы доверяем', + 'redirect_uri' => null, + 'account_id' => null, + 'is_trusted' => 1, + 'created_at' => 1482922663, + ], + 'defaultClient' => [ + 'id' => 'default-client', + 'secret' => 'AzWRy7ZjS1yRQUk2vRBDic8fprOKDB1W', + 'name' => 'Default client', + 'description' => 'Это обычный клиент, каких может быть много', + 'redirect_uri' => null, + 'account_id' => null, + 'is_trusted' => 0, + 'created_at' => 1482922711, + ], ]; diff --git a/tests/codeception/common/unit/models/OauthScopeTest.php b/tests/codeception/common/unit/models/OauthScopeTest.php deleted file mode 100644 index 8adbca6..0000000 --- a/tests/codeception/common/unit/models/OauthScopeTest.php +++ /dev/null @@ -1,12 +0,0 @@ - Date: Thu, 29 Dec 2016 02:01:26 +0300 Subject: [PATCH 6/8] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB=D0=B5?= =?UTF-8?q?=D0=BD=20=D0=BE=D0=B1=D1=80=D0=B0=D0=B1=D0=BE=D1=82=D1=87=D0=B8?= =?UTF-8?q?=D0=BA=20=D0=B4=D0=BB=D1=8F=20=D1=81=D0=BE=D0=B1=D1=8B=D1=82?= =?UTF-8?q?=D0=B8=D1=8F=20=D0=B1=D0=BB=D0=BE=D0=BA=D0=B8=D1=80=D0=BE=D0=B2?= =?UTF-8?q?=D0=BA=D0=B8=20=D0=B0=D0=BA=D0=BA=D0=B0=D1=83=D0=BD=D1=82=D0=B0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- api/config/config.php | 9 ----- autocompletion.php | 12 +++---- common/config/config.php | 9 +++++ common/models/Account.php | 15 ++++++--- .../controllers/AccountQueueController.php | 33 +++++++++++++++++-- .../common/fixtures/data/account-sessions.php | 8 +++++ .../common/fixtures/data/oauth-sessions.php | 7 ++++ .../AccountQueueControllerTest.php | 19 +++++++++++ 8 files changed, 89 insertions(+), 23 deletions(-) diff --git a/api/config/config.php b/api/config/config.php index fcb7178..c00e318 100644 --- a/api/config/config.php +++ b/api/config/config.php @@ -73,15 +73,6 @@ return [ 'response' => [ 'format' => yii\web\Response::FORMAT_JSON, ], - 'oauth' => [ - 'class' => api\components\OAuth2\Component::class, - 'grantTypes' => ['authorization_code', 'client_credentials'], - 'grantMap' => [ - 'authorization_code' => api\components\OAuth2\Grants\AuthCodeGrant::class, - 'refresh_token' => api\components\OAuth2\Grants\RefreshTokenGrant::class, - 'client_credentials' => api\components\OAuth2\Grants\ClientCredentialsGrant::class, - ], - ], 'errorHandler' => [ 'class' => api\components\ErrorHandler::class, ], diff --git a/autocompletion.php b/autocompletion.php index f91608c..d01c0d8 100644 --- a/autocompletion.php +++ b/autocompletion.php @@ -16,12 +16,13 @@ class Yii extends \yii\BaseYii { * Class BaseApplication * Used for properties that are identical for both WebApplication and ConsoleApplication * - * @property \yii\swiftmailer\Mailer $mailer - * @property \common\components\Redis\Connection $redis + * @property \yii\swiftmailer\Mailer $mailer + * @property \common\components\Redis\Connection $redis * @property \common\components\RabbitMQ\Component $amqp - * @property \GuzzleHttp\Client $guzzle - * @property \common\components\EmailRenderer $emailRenderer - * @property \mito\sentry\Component $sentry + * @property \GuzzleHttp\Client $guzzle + * @property \common\components\EmailRenderer $emailRenderer + * @property \mito\sentry\Component $sentry + * @property \api\components\OAuth2\Component $oauth */ abstract class BaseApplication extends yii\base\Application { } @@ -33,7 +34,6 @@ abstract class BaseApplication extends yii\base\Application { * @property \api\components\User\Component $user User component. * @property \api\components\ApiUser\Component $apiUser Api User component. * @property \api\components\ReCaptcha\Component $reCaptcha - * @property \api\components\OAuth2\Component $oauth * * @method \api\components\User\Component getUser() */ diff --git a/common/config/config.php b/common/config/config.php index 39ad823..10eb75a 100644 --- a/common/config/config.php +++ b/common/config/config.php @@ -69,6 +69,15 @@ return [ 'class' => common\components\EmailRenderer::class, 'basePath' => '/images/emails', ], + 'oauth' => [ + 'class' => api\components\OAuth2\Component::class, + 'grantTypes' => ['authorization_code', 'client_credentials'], + 'grantMap' => [ + 'authorization_code' => api\components\OAuth2\Grants\AuthCodeGrant::class, + 'refresh_token' => api\components\OAuth2\Grants\RefreshTokenGrant::class, + 'client_credentials' => api\components\OAuth2\Grants\ClientCredentialsGrant::class, + ], + ], ], 'aliases' => [ '@bower' => '@vendor/bower-asset', diff --git a/common/models/Account.php b/common/models/Account.php index 2bc1e93..ba346da 100644 --- a/common/models/Account.php +++ b/common/models/Account.php @@ -29,10 +29,11 @@ use const common\LATEST_RULES_VERSION; * @property string $profileLink ссылка на профиль на Ely без поддержки static url (только для записи) * * Отношения: - * @property EmailActivation[] $emailActivations - * @property OauthSession[] $oauthSessions - * @property UsernameHistory[] $usernameHistory - * @property AccountSession[] $sessions + * @property EmailActivation[] $emailActivations + * @property OauthSession[] $oauthSessions + * @property UsernameHistory[] $usernameHistory + * @property AccountSession[] $sessions + * @property MinecraftAccessKey[] $minecraftAccessKeys * * Поведения: * @mixin TimestampBehavior @@ -99,7 +100,7 @@ class Account extends ActiveRecord { } public function getOauthSessions() { - return $this->hasMany(OauthSession::class, ['owner_id' => 'id']); + return $this->hasMany(OauthSession::class, ['owner_id' => 'id'])->andWhere(['owner_type' => 'user']); } public function getUsernameHistory() { @@ -110,6 +111,10 @@ class Account extends ActiveRecord { return $this->hasMany(AccountSession::class, ['account_id' => 'id']); } + public function getMinecraftAccessKeys() { + return $this->hasMany(MinecraftAccessKey::class, ['account_id' => 'id']); + } + /** * Выполняет проверку, принадлежит ли этому нику аккаунт у Mojang * diff --git a/console/controllers/AccountQueueController.php b/console/controllers/AccountQueueController.php index fe3d910..be77b59 100644 --- a/console/controllers/AccountQueueController.php +++ b/console/controllers/AccountQueueController.php @@ -3,10 +3,13 @@ namespace console\controllers; use common\components\Mojang\Api as MojangApi; use common\components\Mojang\exceptions\NoContentException; +use common\models\Account; +use common\models\amqp\AccountBanned; use common\models\amqp\UsernameChanged; use common\models\MojangUsername; use Ely\Amqp\Builder\Configurator; use GuzzleHttp\Exception\RequestException; +use Yii; class AccountQueueController extends AmqpController { @@ -17,16 +20,18 @@ class AccountQueueController extends AmqpController { public function configure(Configurator $configurator) { $configurator->exchange->topic()->durable(); $configurator->queue->name('accounts-accounts-events')->durable(); - $configurator->bind->routingKey('accounts.username-changed'); + $configurator->bind->routingKey('accounts.username-changed') + ->add()->routingKey('account.account-banned'); } public function getRoutesMap() { return [ 'accounts.username-changed' => 'routeUsernameChanged', + 'accounts.account-banned' => 'routeAccountBanned', ]; } - public function routeUsernameChanged(UsernameChanged $body) { + public function routeUsernameChanged(UsernameChanged $body): bool { $mojangApi = $this->createMojangApi(); try { $response = $mojangApi->usernameToUUID($body->newUsername); @@ -58,10 +63,32 @@ class AccountQueueController extends AmqpController { return true; } + public function routeAccountBanned(AccountBanned $body): bool { + $account = Account::findOne($body->accountId); + if ($account === null) { + Yii::warning('Cannot find banned account ' . $body->accountId . '. Skipping.'); + return true; + } + + foreach ($account->sessions as $authSession) { + $authSession->delete(); + } + + foreach ($account->minecraftAccessKeys as $key) { + $key->delete(); + } + + foreach ($account->oauthSessions as $oauthSession) { + $oauthSession->delete(); + } + + return true; + } + /** * @return MojangApi */ - protected function createMojangApi() : MojangApi { + protected function createMojangApi(): MojangApi { return new MojangApi(); } diff --git a/tests/codeception/common/fixtures/data/account-sessions.php b/tests/codeception/common/fixtures/data/account-sessions.php index fb9581b..1a68919 100644 --- a/tests/codeception/common/fixtures/data/account-sessions.php +++ b/tests/codeception/common/fixtures/data/account-sessions.php @@ -16,4 +16,12 @@ return [ 'created_at' => time(), 'last_refreshed_at' => time(), ], + 'banned-user-session' => [ + 'id' => 3, + 'account_id' => 10, + 'refresh_token' => 'Af7fIuV6eL61tRUHn40yhmDRXN1OQxKR', + 'last_used_ip' => ip2long('182.123.234.123'), + 'created_at' => time(), + 'last_refreshed_at' => time(), + ], ]; diff --git a/tests/codeception/common/fixtures/data/oauth-sessions.php b/tests/codeception/common/fixtures/data/oauth-sessions.php index ebbc2d2..69e0536 100644 --- a/tests/codeception/common/fixtures/data/oauth-sessions.php +++ b/tests/codeception/common/fixtures/data/oauth-sessions.php @@ -7,4 +7,11 @@ return [ 'client_id' => 'test1', 'client_redirect_uri' => 'http://test1.net/oauth', ], + 'banned-account-session' => [ + 'id' => 2, + 'owner_type' => 'user', + 'owner_id' => 10, + 'client_id' => 'test1', + 'client_redirect_uri' => 'http://test1.net/oauth', + ], ]; diff --git a/tests/codeception/console/unit/controllers/AccountQueueControllerTest.php b/tests/codeception/console/unit/controllers/AccountQueueControllerTest.php index 4aaa57f..4c9e236 100644 --- a/tests/codeception/console/unit/controllers/AccountQueueControllerTest.php +++ b/tests/codeception/console/unit/controllers/AccountQueueControllerTest.php @@ -4,6 +4,7 @@ namespace codeception\console\unit\controllers; use common\components\Mojang\Api; use common\components\Mojang\exceptions\NoContentException; use common\components\Mojang\response\UsernameToUUIDResponse; +use common\models\amqp\AccountBanned; use common\models\amqp\UsernameChanged; use common\models\MojangUsername; use console\controllers\AccountQueueController; @@ -143,4 +144,22 @@ class AccountQueueControllerTest extends TestCase { $this->assertNotEquals($mojangInfo->uuid, $mojangUsername->uuid); } + public function testRouteAccountBanned() { + /** @var \common\models\Account $bannedAccount */ + $bannedAccount = $this->tester->grabFixture('accounts', 'banned-account'); + $this->tester->haveFixtures([ + 'oauthSessions' => \tests\codeception\common\fixtures\OauthSessionFixture::class, + 'minecraftAccessKeys' => \tests\codeception\common\fixtures\MinecraftAccessKeyFixture::class, + 'authSessions' => \tests\codeception\common\fixtures\AccountSessionFixture::class, + ]); + + $body = new AccountBanned(); + $body->accountId = $bannedAccount->id; + + $this->controller->routeAccountBanned($body); + $this->assertEmpty($bannedAccount->sessions); + $this->assertEmpty($bannedAccount->minecraftAccessKeys); + $this->assertEmpty($bannedAccount->oauthSessions); + } + } From 6f81c38b7fb6520b8a8cc3a4697e57c5840c2322 Mon Sep 17 00:00:00 2001 From: ErickSkrauch Date: Thu, 5 Jan 2017 00:57:04 +0300 Subject: [PATCH 7/8] =?UTF-8?q?=D0=A0=D0=B5=D0=B0=D0=BB=D0=B8=D0=B7=D0=BE?= =?UTF-8?q?=D0=B2=D0=B0=D0=BD=D0=B0=20=D1=84=D0=BE=D1=80=D0=BC=D0=B0=20?= =?UTF-8?q?=D1=80=D0=B0=D0=B7=D0=B1=D0=BB=D0=BE=D0=BA=D0=B8=D1=80=D0=BE?= =?UTF-8?q?=D0=B2=D0=BA=D0=B8=20=D0=B0=D0=BA=D0=BA=D0=B0=D1=83=D0=BD=D1=82?= =?UTF-8?q?=D0=B0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../controllers/AccountsController.php | 30 ++++++++ api/modules/internal/helpers/Error.php | 1 + api/modules/internal/models/PardonForm.php | 72 +++++++++++++++++++ common/models/amqp/AccountPardoned.php | 10 +++ .../codeception/api/_pages/InternalRoute.php | 5 ++ .../api/functional/internal/PardonCest.php | 47 ++++++++++++ .../internal/models/PardonFormTest.php | 52 ++++++++++++++ 7 files changed, 217 insertions(+) create mode 100644 api/modules/internal/models/PardonForm.php create mode 100644 common/models/amqp/AccountPardoned.php create mode 100644 tests/codeception/api/functional/internal/PardonCest.php create mode 100644 tests/codeception/api/unit/modules/internal/models/PardonFormTest.php diff --git a/api/modules/internal/controllers/AccountsController.php b/api/modules/internal/controllers/AccountsController.php index e666a0c..34f4dbe 100644 --- a/api/modules/internal/controllers/AccountsController.php +++ b/api/modules/internal/controllers/AccountsController.php @@ -4,6 +4,7 @@ namespace api\modules\internal\controllers; use api\components\ApiUser\AccessControl; use api\controllers\Controller; use api\modules\internal\models\BanForm; +use api\modules\internal\models\PardonForm; use common\models\Account; use common\models\OauthScope as S; use Yii; @@ -30,8 +31,22 @@ class AccountsController extends Controller { ]); } + public function verbs() { + return [ + 'ban' => ['POST', 'DELETE'], + ]; + } + public function actionBan(int $accountId) { $account = $this->findAccount($accountId); + if (Yii::$app->request->isPost) { + return $this->banAccount($account); + } else { + return $this->pardonAccount($account); + } + } + + private function banAccount(Account $account) { $model = new BanForm($account); $model->load(Yii::$app->request->post()); if (!$model->ban()) { @@ -46,6 +61,21 @@ class AccountsController extends Controller { ]; } + private function pardonAccount(Account $account) { + $model = new PardonForm($account); + $model->load(Yii::$app->request->post()); + if (!$model->pardon()) { + return [ + 'success' => false, + 'errors' => $model->getFirstErrors(), + ]; + } + + return [ + 'success' => true, + ]; + } + private function findAccount(int $accountId): Account { $account = Account::findOne($accountId); if ($account === null) { diff --git a/api/modules/internal/helpers/Error.php b/api/modules/internal/helpers/Error.php index 86b45b5..7a7dec6 100644 --- a/api/modules/internal/helpers/Error.php +++ b/api/modules/internal/helpers/Error.php @@ -4,5 +4,6 @@ namespace api\modules\internal\helpers; final class Error { public const ACCOUNT_ALREADY_BANNED = 'error.account_already_banned'; + public const ACCOUNT_NOT_BANNED = 'error.account_not_banned'; } diff --git a/api/modules/internal/models/PardonForm.php b/api/modules/internal/models/PardonForm.php new file mode 100644 index 0000000..60c10e5 --- /dev/null +++ b/api/modules/internal/models/PardonForm.php @@ -0,0 +1,72 @@ +account; + } + + public function validateAccountBanned(): void { + if ($this->account->status !== Account::STATUS_BANNED) { + $this->addError('account', E::ACCOUNT_NOT_BANNED); + } + } + + public function pardon(): bool { + if (!$this->validate()) { + return false; + } + + $transaction = Yii::$app->db->beginTransaction(); + + $account = $this->account; + $account->status = Account::STATUS_ACTIVE; + if (!$account->save()) { + throw new ErrorException('Cannot pardon account'); + } + + $this->createTask(); + + $transaction->commit(); + + return true; + } + + public function createTask(): void { + $model = new AccountPardoned(); + $model->accountId = $this->account->id; + + $message = Amqp::getInstance()->prepareMessage($model, [ + 'delivery_mode' => AMQPMessage::DELIVERY_MODE_PERSISTENT, + ]); + + Amqp::sendToEventsExchange('accounts.account-pardoned', $message); + } + + public function __construct(Account $account, array $config = []) { + $this->account = $account; + parent::__construct($config); + } + +} diff --git a/common/models/amqp/AccountPardoned.php b/common/models/amqp/AccountPardoned.php new file mode 100644 index 0000000..31599ed --- /dev/null +++ b/common/models/amqp/AccountPardoned.php @@ -0,0 +1,10 @@ +actor->sendPOST($this->getUrl()); } + public function pardon($accountId) { + $this->route = '/internal/accounts/' . $accountId . '/ban'; + $this->actor->sendDELETE($this->getUrl()); + } + } diff --git a/tests/codeception/api/functional/internal/PardonCest.php b/tests/codeception/api/functional/internal/PardonCest.php new file mode 100644 index 0000000..c7aea10 --- /dev/null +++ b/tests/codeception/api/functional/internal/PardonCest.php @@ -0,0 +1,47 @@ +route = new InternalRoute($I); + } + + public function testPardonAccount(OauthSteps $I) { + $accessToken = $I->getAccessTokenByClientCredentialsGrant([S::ACCOUNT_BLOCK]); + $I->amBearerAuthenticated($accessToken); + + $this->route->pardon(10); + $I->canSeeResponseCodeIs(200); + $I->canSeeResponseIsJson(); + $I->canSeeResponseContainsJson([ + 'success' => true, + ]); + } + + public function testPardonNotBannedAccount(OauthSteps $I) { + $accessToken = $I->getAccessTokenByClientCredentialsGrant([S::ACCOUNT_BLOCK]); + $I->amBearerAuthenticated($accessToken); + + $this->route->pardon(1); + $I->canSeeResponseCodeIs(200); + $I->canSeeResponseIsJson(); + $I->canSeeResponseContainsJson([ + 'success' => false, + 'errors' => [ + 'account' => 'error.account_not_banned', + ], + ]); + } + +} diff --git a/tests/codeception/api/unit/modules/internal/models/PardonFormTest.php b/tests/codeception/api/unit/modules/internal/models/PardonFormTest.php new file mode 100644 index 0000000..c05d9a0 --- /dev/null +++ b/tests/codeception/api/unit/modules/internal/models/PardonFormTest.php @@ -0,0 +1,52 @@ +status = Account::STATUS_BANNED; + $form = new PardonForm($account); + $form->validateAccountBanned(); + $this->assertEmpty($form->getErrors('account')); + + $account = new Account(); + $account->status = Account::STATUS_ACTIVE; + $form = new PardonForm($account); + $form->validateAccountBanned(); + $this->assertEquals([E::ACCOUNT_NOT_BANNED], $form->getErrors('account')); + } + + public function testPardon() { + /** @var Account|\PHPUnit_Framework_MockObject_MockObject $account */ + $account = $this->getMockBuilder(Account::class) + ->setMethods(['save']) + ->getMock(); + + $account->expects($this->once()) + ->method('save') + ->willReturn(true); + + $account->status = Account::STATUS_BANNED; + $model = new PardonForm($account); + $this->assertTrue($model->pardon()); + $this->assertEquals(Account::STATUS_ACTIVE, $account->status); + $this->tester->canSeeAmqpMessageIsCreated('events'); + } + + public function testCreateTask() { + $account = new Account(); + $account->id = 3; + + $model = new PardonForm($account); + $model->createTask(); + $message = json_decode($this->tester->grabLastSentAmqpMessage('events')->body, true); + $this->assertSame(3, $message['accountId']); + } + +} From 7241e93fe56b50f752d78450ea4078104b402ca3 Mon Sep 17 00:00:00 2001 From: ErickSkrauch Date: Thu, 5 Jan 2017 02:01:31 +0300 Subject: [PATCH 8/8] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=BB=D0=B5?= =?UTF-8?q?=D0=BD=D1=8B=20=D1=82=D0=B5=D1=81=D1=82=D1=8B=20=D0=B4=D0=BB?= =?UTF-8?q?=D1=8F=20oauth=20=D0=B0=D0=B2=D1=82=D0=BE=D1=80=D0=B8=D0=B7?= =?UTF-8?q?=D0=B0=D1=86=D0=B8=D0=B8=20=D0=BF=D0=BE=20client=5Fcredentials?= =?UTF-8?q?=20grant=20type?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- composer.json | 2 +- .../OauthClientCredentialsGrantCest.php | 120 ++++++++++++++++++ 2 files changed, 121 insertions(+), 1 deletion(-) create mode 100644 tests/codeception/api/functional/OauthClientCredentialsGrantCest.php diff --git a/composer.json b/composer.json index 689fbe4..2734f1e 100644 --- a/composer.json +++ b/composer.json @@ -18,7 +18,7 @@ "yiisoft/yii2": "2.0.10", "yiisoft/yii2-swiftmailer": "*", "ramsey/uuid": "^3.5.0", - "league/oauth2-server": "dev-improvements#b9277ccd664dcb80a766b73674d21de686cb9dda", + "league/oauth2-server": "dev-improvements#fbaa9b0bd3d8050235ba7dde90f731764122bc20", "yiisoft/yii2-redis": "~2.0.0", "guzzlehttp/guzzle": "^6.0.0", "php-amqplib/php-amqplib": "^2.6.2", diff --git a/tests/codeception/api/functional/OauthClientCredentialsGrantCest.php b/tests/codeception/api/functional/OauthClientCredentialsGrantCest.php new file mode 100644 index 0000000..e27ccbb --- /dev/null +++ b/tests/codeception/api/functional/OauthClientCredentialsGrantCest.php @@ -0,0 +1,120 @@ +route = new OauthRoute($I); + } + + public function testIssueTokenWithWrongArgs(FunctionalTester $I) { + $I->wantTo('check behavior on on request without any credentials'); + $this->route->issueToken($this->buildParams()); + $I->canSeeResponseCodeIs(400); + $I->canSeeResponseContainsJson([ + 'error' => 'invalid_request', + ]); + + $I->wantTo('check behavior on passing invalid client_id'); + $this->route->issueToken($this->buildParams( + 'invalid-client', + 'invalid-secret', + ['invalid-scope'] + )); + $I->canSeeResponseCodeIs(401); + $I->canSeeResponseContainsJson([ + 'error' => 'invalid_client', + ]); + + $I->wantTo('check behavior on passing invalid client_secret'); + $this->route->issueToken($this->buildParams( + 'ely', + 'invalid-secret', + ['invalid-scope'] + )); + $I->canSeeResponseCodeIs(401); + $I->canSeeResponseContainsJson([ + 'error' => 'invalid_client', + ]); + + $I->wantTo('check behavior on passing invalid client_secret'); + $this->route->issueToken($this->buildParams( + 'ely', + 'invalid-secret', + ['invalid-scope'] + )); + $I->canSeeResponseCodeIs(401); + $I->canSeeResponseContainsJson([ + 'error' => 'invalid_client', + ]); + } + + public function testIssueTokenWithPublicScopes(OauthSteps $I) { + // TODO: у нас пока нет публичных скоупов, поэтому тест прогоняется с пустым набором + $this->route->issueToken($this->buildParams( + 'ely', + 'ZuM1vGchJz-9_UZ5HC3H3Z9Hg5PzdbkM', + [] + )); + $I->canSeeResponseCodeIs(200); + $I->canSeeResponseIsJson(); + $I->canSeeResponseContainsJson([ + 'token_type' => 'Bearer', + ]); + $I->canSeeResponseJsonMatchesJsonPath('$.access_token'); + $I->canSeeResponseJsonMatchesJsonPath('$.expires_in'); + } + + public function testIssueTokenWithInternalScopes(OauthSteps $I) { + $this->route->issueToken($this->buildParams( + 'ely', + 'ZuM1vGchJz-9_UZ5HC3H3Z9Hg5PzdbkM', + [S::ACCOUNT_BLOCK] + )); + $I->canSeeResponseCodeIs(400); + $I->canSeeResponseIsJson(); + $I->canSeeResponseContainsJson([ + 'error' => 'invalid_scope', + ]); + + $this->route->issueToken($this->buildParams( + 'trusted-client', + 'tXBbyvMcyaOgHMOAXBpN2EC7uFoJAaL9', + [S::ACCOUNT_BLOCK] + )); + $I->canSeeResponseCodeIs(200); + $I->canSeeResponseIsJson(); + $I->canSeeResponseContainsJson([ + 'token_type' => 'Bearer', + ]); + $I->canSeeResponseJsonMatchesJsonPath('$.access_token'); + $I->canSeeResponseJsonMatchesJsonPath('$.expires_in'); + } + + private function buildParams($clientId = null, $clientSecret = null, array $scopes = null) { + $params = ['grant_type' => 'client_credentials']; + if ($clientId !== null) { + $params['client_id'] = $clientId; + } + + if ($clientSecret !== null) { + $params['client_secret'] = $clientSecret; + } + + if ($scopes !== null) { + $params['scope'] = implode(',', $scopes); + } + + return $params; + } + +}