/tests/Functional/GraphQl/SecurityTest.php
<?php

/*
 * This file is part of the API Platform project.
 *
 * (c) Kévin Dunglas <dunglas@gmail.com>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

declare(strict_types=1);

namespace ApiPlatform\Tests\Functional\GraphQl;

use ApiPlatform\Symfony\Bundle\Test\ApiTestCase;
use ApiPlatform\Tests\Fixtures\TestBundle\Document\SecuredDummy as DocumentSecuredDummy;
use ApiPlatform\Tests\Fixtures\TestBundle\Document\SecuredDummyCollection as DocumentSecuredDummyCollection;
use ApiPlatform\Tests\Fixtures\TestBundle\Entity\SecuredDummy;
use ApiPlatform\Tests\Fixtures\TestBundle\Entity\SecuredDummyCollection;
use ApiPlatform\Tests\Fixtures\TestBundle\Entity\SecuredDummyCollectionParent;
use ApiPlatform\Tests\RecreateSchemaTrait;
use ApiPlatform\Tests\SetupClassResourcesTrait;

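final class SecurityTest extends ApiTestCase
{
    use RecreateSchemaTrait;
    use SetupClassResourcesTrait;
    protected static ?bool $alwaysBootKernel = false;

    /**
     * HTTP Basic credentials of the fixture user "dunglas" (base64 of "dunglas:kevin").
     * The collection test authenticates as this user, who owns the "... by dunglas"
     * entries created by loadFixturesQueryCollection().
     */
    private const DUNGLAS_BASIC_AUTH = 'Basic ZHVuZ2xhczprZXZpbg==';

    /**
     * @return class-string[]
     */
    public static function getResources(): array
    {
        return [SecuredDummy::class, SecuredDummyCollection::class, SecuredDummyCollectionParent::class];
    }

    /**
     * An unauthenticated GraphQL item query on a secured resource must be
     * refused with the generic "Access Denied." error instead of returning
     * the item's fields.
     */
    public function testQueryItem(): void
    {
        $resource = $this->isMongoDB() ? DocumentSecuredDummy::class : SecuredDummy::class;
        $this->recreateSchema([$resource]);
        $this->loadFixtures($resource);
        $client = self::createClient();
        $response = $client->request('POST', '/graphql', ['json' => [
            'query' => <<<QUERY
    {
      securedDummy(id: "/secured_dummies/1") {
        title
        description
      }
    }
QUERY,
        ]]);

        $d = $response->toArray();
        // A missing "errors" key means the query was served: that is the
        // security regression this test exists to catch, so fail loudly.
        $this->assertArrayHasKey('errors', $d, 'Anonymous item query must be denied.');
        $this->assertSame('Access Denied.', $d['errors'][0]['message']);
    }

    /**
     * An unauthenticated create mutation must be rejected with the
     * resource's custom security message, even when the input includes
     * admin-only fields.
     */
    public function testCreateItemUnauthorized(): void
    {
        $resource = $this->isMongoDB() ? DocumentSecuredDummy::class : SecuredDummy::class;
        $this->recreateSchema([$resource]);
        $client = self::createClient();
        $response = $client->request('POST', '/graphql', ['json' => [
            'query' => <<<QUERY
mutation {
    createSecuredDummy(input: {owner: "me", title: "Hi", description: "Desc", adminOnlyProperty: "secret", clientMutationId: "auth"}) {
        securedDummy {
            title
            owner
        }
    }
}
QUERY,
        ]]);

        $d = $response->toArray();
        $this->assertArrayHasKey('errors', $d, 'Anonymous create mutation must be denied.');
        $this->assertSame('Only admins can create a secured dummy.', $d['errors'][0]['message']);
    }

    /**
     * Fetching the same secured item through the Relay `node` interface must
     * be denied exactly like the direct item query, so the node entry point
     * cannot be used to bypass the resource's security rule.
     */
    public function testQueryItemWithNode(): void
    {
        $resource = $this->isMongoDB() ? DocumentSecuredDummy::class : SecuredDummy::class;
        $this->recreateSchema([$resource]);
        $this->loadFixtures($resource);
        $client = self::createClient();
        $response = $client->request('POST', '/graphql', ['json' => [
            'query' => <<<QUERY
    {
      node(id: "/secured_dummies/1") {
        ... on SecuredDummy {
            title
        }
      }
    }
QUERY,
        ]]);

        $d = $response->toArray();
        $this->assertArrayHasKey('errors', $d, 'Anonymous node query must be denied.');
        $this->assertSame('Access Denied.', $d['errors'][0]['message']);
    }

    /**
     * Persists a single secured dummy owned by "user1" with every restricted
     * property populated, so that a leak of any of them would be observable.
     * The item tests address it as "/secured_dummies/1" (first row after
     * recreateSchema()).
     */
    public function loadFixtures(string $resourceClass): void
    {
        $manager = $this->getObjectManager();
        $s = new $resourceClass();
        $s->setTitle('Secured Dummy 1');
        $s->setDescription('Description 1');
        $s->setAdminOnlyProperty('admin secret');
        $s->setOwnerOnlyProperty('owner secret');
        $s->setAttributeBasedProperty('attribute based secret');
        $s->setOwner('user1');

        $manager->persist($s);
        $manager->flush();
    }

    /**
     * Property-level security on a collection reached through a parent
     * resource: authenticated as "dunglas", the `ownerOnlyProperty` of an
     * entry owned by "admin" (edges[1], "Bar") must come back as null.
     */
    public function testQueryCollection(): void
    {
        $resource = $this->isMongoDB() ? DocumentSecuredDummyCollection::class : SecuredDummyCollection::class;
        $this->recreateSchema([$resource, $resource.'Parent']);
        $this->loadFixturesQueryCollection($resource);
        $client = self::createClient();

        $response = $client->request('POST', '/graphql', ['headers' => ['Authorization' => self::DUNGLAS_BASIC_AUTH], 'json' => [
            'query' => <<<QUERY
    {
        securedDummyCollectionParents {
            edges {
              node {
               child {
                  title, ownerOnlyProperty, owner
                }
              }
            }
        }
    }
QUERY,
        ]]);

        $d = $response->toArray();
        $this->assertArrayHasKey('data', $d, 'Authenticated collection query must succeed.');
        $this->assertNull($d['data']['securedDummyCollectionParents']['edges'][1]['node']['child']['ownerOnlyProperty']);
    }

    /**
     * Persists four secured collection entries, each wrapped in its own
     * parent resource, alternating between the owners "dunglas" and "admin".
     * Insertion order matters: testQueryCollection() addresses the entries by
     * edge index (edges[1] is "Bar", owned by "admin").
     */
    public function loadFixturesQueryCollection(string $resourceClass): void
    {
        $parentResourceClass = $resourceClass.'Parent';
        $manager = $this->getObjectManager();

        // [title, ownerOnlyProperty, owner]
        $rows = [
            ['Foo', 'Foo by dunglas', 'dunglas'],
            ['Bar', 'Bar by admin', 'admin'],
            ['Baz', 'Baz by dunglas', 'dunglas'],
            ['Bat', 'Bat by admin', 'admin'],
        ];

        foreach ($rows as [$title, $ownerOnlyProperty, $owner]) {
            $child = new $resourceClass();
            $child->title = $title;
            $child->ownerOnlyProperty = $ownerOnlyProperty;
            $child->owner = $owner;
            $manager->persist($child);

            $parent = new $parentResourceClass();
            $parent->child = $child;
            $manager->persist($parent);
        }

        $manager->flush();
    }

    /**
     * Returns the Doctrine object manager of the active persistence layer:
     * the "doctrine_mongodb" registry when isMongoDB() is true, the
     * "doctrine" (ORM) registry otherwise. Shared by both fixture loaders.
     */
    private function getObjectManager(): object
    {
        $container = static::$kernel->getContainer();
        $registry = $this->isMongoDB() ? $container->get('doctrine_mongodb') : $container->get('doctrine');

        return $registry->getManager();
    }
}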