bert.hausmans
51e5dd6fcb
61 tests across 4 test files covering all OWASP categories: MultiTenancyIsolationTest (19 tests): - Cross-org event, person, shift, section, time-slot, location, registration field, shift assignment, crowd list access - Cross-org FK references (crowd_type, company, parent_event) - Bulk operation isolation, invitation revocation - Portal cross-event access prevention AuthenticationSecurityTest (15 tests): - Rate limiting: login (5/min), portal token-auth (10/min), invitation show (10/min) - Account enumeration prevention: generic error on failed login, 200 response on password reset for unknown email - Token lifecycle: logout revokes token, password reset revokes all tokens, expired tokens rejected (7-day config verified) - Password strength: weak/no-uppercase/no-numbers rejected - Security headers present on all responses - Protected routes require authentication PortalTokenSecurityTest (10 tests): - Invalid/empty/missing token handling - Response shape: only safe fields (no milestones, no portal_token, no organisation_id, no internal event fields) - Hash-based lookup: plain token works, hash does not - Error messages: no schema/table info leakage - Middleware: rejects without token, rejects invalid, accepts valid, rejects draft event status InputValidationSecurityTest (17 tests): - XSS payloads stored safely in person name, event name, section name - Oversized inputs rejected (name >255, remarks >5000) - Invalid enum values rejected (status, event_type) - Cross-org FK references rejected (crowd_type, company, location, parent_event, person assignment) - Invalid/nonexistent ULID format rejected - SQL injection payloads harmless (PDO binding verified) Also fixes PortalTokenMiddleware to use request->attributes->set() instead of request->merge() for stdClass objects. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
386 lines
12 KiB
PHP
386 lines
12 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace Tests\Feature\Security;
|
|
|
|
use App\Models\Company;
|
|
use App\Models\CrowdList;
|
|
use App\Models\CrowdType;
|
|
use App\Models\Event;
|
|
use App\Models\FestivalSection;
|
|
use App\Models\Organisation;
|
|
use App\Models\Person;
|
|
use App\Models\Shift;
|
|
use App\Models\ShiftAssignment;
|
|
use App\Models\TimeSlot;
|
|
use App\Models\User;
|
|
use App\Models\UserInvitation;
|
|
use Database\Seeders\RoleSeeder;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Laravel\Sanctum\Sanctum;
|
|
use Tests\TestCase;
|
|
|
|
final class MultiTenancyIsolationTest extends TestCase
|
|
{
|
|
use RefreshDatabase;
|
|
|
|
private Organisation $orgA;
|
|
private Organisation $orgB;
|
|
private Event $eventA;
|
|
private Event $eventB;
|
|
private User $adminA;
|
|
private User $adminB;
|
|
private CrowdType $crowdTypeA;
|
|
private CrowdType $crowdTypeB;
|
|
|
|
protected function setUp(): void
|
|
{
|
|
parent::setUp();
|
|
$this->seed(RoleSeeder::class);
|
|
|
|
// Organisation A
|
|
$this->orgA = Organisation::factory()->create();
|
|
$this->adminA = User::factory()->create();
|
|
$this->orgA->users()->attach($this->adminA, ['role' => 'org_admin']);
|
|
$this->crowdTypeA = CrowdType::factory()->systemType('VOLUNTEER')->create(['organisation_id' => $this->orgA->id]);
|
|
$this->eventA = Event::factory()->create([
|
|
'organisation_id' => $this->orgA->id,
|
|
'status' => 'registration_open',
|
|
]);
|
|
|
|
// Organisation B
|
|
$this->orgB = Organisation::factory()->create();
|
|
$this->adminB = User::factory()->create();
|
|
$this->orgB->users()->attach($this->adminB, ['role' => 'org_admin']);
|
|
$this->crowdTypeB = CrowdType::factory()->systemType('VOLUNTEER')->create(['organisation_id' => $this->orgB->id]);
|
|
$this->eventB = Event::factory()->create([
|
|
'organisation_id' => $this->orgB->id,
|
|
'status' => 'registration_open',
|
|
]);
|
|
}
|
|
|
|
// --- Cross-tenant event access ---
|
|
|
|
public function test_cannot_view_other_org_event(): void
|
|
{
|
|
Sanctum::actingAs($this->adminA);
|
|
|
|
$response = $this->getJson("/api/v1/organisations/{$this->orgA->id}/events/{$this->eventB->id}");
|
|
|
|
$response->assertNotFound();
|
|
}
|
|
|
|
public function test_cannot_list_other_org_events(): void
|
|
{
|
|
Sanctum::actingAs($this->adminA);
|
|
|
|
$response = $this->getJson("/api/v1/organisations/{$this->orgA->id}/events");
|
|
|
|
$response->assertOk();
|
|
$eventIds = collect($response->json('data'))->pluck('id');
|
|
$this->assertContains($this->eventA->id, $eventIds->all());
|
|
$this->assertNotContains($this->eventB->id, $eventIds->all());
|
|
}
|
|
|
|
// --- Cross-tenant person assignment ---
|
|
|
|
public function test_cannot_create_person_with_other_org_crowd_type(): void
|
|
{
|
|
Sanctum::actingAs($this->adminA);
|
|
|
|
$response = $this->postJson("/api/v1/events/{$this->eventA->id}/persons", [
|
|
'crowd_type_id' => $this->crowdTypeB->id,
|
|
'first_name' => 'Test',
|
|
'last_name' => 'User',
|
|
'email' => 'test@example.com',
|
|
]);
|
|
|
|
$response->assertUnprocessable();
|
|
$response->assertJsonValidationErrors('crowd_type_id');
|
|
}
|
|
|
|
public function test_cannot_assign_person_from_other_org_to_shift(): void
|
|
{
|
|
Sanctum::actingAs($this->adminA);
|
|
|
|
$personB = Person::factory()->approved()->create([
|
|
'event_id' => $this->eventB->id,
|
|
'crowd_type_id' => $this->crowdTypeB->id,
|
|
]);
|
|
|
|
$sectionA = FestivalSection::factory()->create(['event_id' => $this->eventA->id]);
|
|
$timeSlotA = TimeSlot::factory()->create(['event_id' => $this->eventA->id]);
|
|
$shiftA = Shift::factory()->create([
|
|
'festival_section_id' => $sectionA->id,
|
|
'time_slot_id' => $timeSlotA->id,
|
|
]);
|
|
|
|
$response = $this->postJson(
|
|
"/api/v1/events/{$this->eventA->id}/sections/{$sectionA->id}/shifts/{$shiftA->id}/assign",
|
|
['person_id' => $personB->id]
|
|
);
|
|
|
|
$response->assertUnprocessable();
|
|
$response->assertJsonValidationErrors('person_id');
|
|
}
|
|
|
|
// --- Cross-tenant crowd list operations ---
|
|
|
|
public function test_cannot_add_person_from_other_org_to_crowd_list(): void
|
|
{
|
|
Sanctum::actingAs($this->adminA);
|
|
|
|
$personB = Person::factory()->approved()->create([
|
|
'event_id' => $this->eventB->id,
|
|
'crowd_type_id' => $this->crowdTypeB->id,
|
|
]);
|
|
|
|
$crowdListA = CrowdList::factory()->create([
|
|
'event_id' => $this->eventA->id,
|
|
'crowd_type_id' => $this->crowdTypeA->id,
|
|
]);
|
|
|
|
$response = $this->postJson(
|
|
"/api/v1/events/{$this->eventA->id}/crowd-lists/{$crowdListA->id}/persons",
|
|
['person_id' => $personB->id]
|
|
);
|
|
|
|
$response->assertUnprocessable();
|
|
$response->assertJsonValidationErrors('person_id');
|
|
}
|
|
|
|
// --- Cross-tenant bulk operations ---
|
|
|
|
public function test_cannot_bulk_approve_other_org_assignments(): void
|
|
{
|
|
Sanctum::actingAs($this->adminA);
|
|
|
|
$sectionB = FestivalSection::factory()->create(['event_id' => $this->eventB->id]);
|
|
$timeSlotB = TimeSlot::factory()->create(['event_id' => $this->eventB->id]);
|
|
$shiftB = Shift::factory()->create([
|
|
'festival_section_id' => $sectionB->id,
|
|
'time_slot_id' => $timeSlotB->id,
|
|
]);
|
|
$personB = Person::factory()->approved()->create([
|
|
'event_id' => $this->eventB->id,
|
|
'crowd_type_id' => $this->crowdTypeB->id,
|
|
]);
|
|
$assignmentB = ShiftAssignment::factory()->create([
|
|
'shift_id' => $shiftB->id,
|
|
'person_id' => $personB->id,
|
|
'time_slot_id' => $timeSlotB->id,
|
|
]);
|
|
|
|
$response = $this->postJson(
|
|
"/api/v1/events/{$this->eventA->id}/shift-assignments/bulk-approve",
|
|
['assignment_ids' => [$assignmentB->id]]
|
|
);
|
|
|
|
$response->assertUnprocessable();
|
|
$response->assertJsonValidationErrors('assignment_ids.0');
|
|
}
|
|
|
|
// --- Cross-tenant invitation revocation ---
|
|
|
|
public function test_cannot_revoke_other_org_invitation(): void
|
|
{
|
|
Sanctum::actingAs($this->adminA);
|
|
|
|
$invitationB = UserInvitation::factory()->create([
|
|
'organisation_id' => $this->orgB->id,
|
|
'invited_by_user_id' => $this->adminB->id,
|
|
]);
|
|
|
|
$response = $this->deleteJson(
|
|
"/api/v1/organisations/{$this->orgA->id}/invitations/{$invitationB->id}"
|
|
);
|
|
|
|
$response->assertNotFound();
|
|
}
|
|
|
|
// --- Cross-tenant company reference ---
|
|
|
|
public function test_cannot_create_person_with_other_org_company(): void
|
|
{
|
|
Sanctum::actingAs($this->adminA);
|
|
|
|
$companyB = Company::factory()->create(['organisation_id' => $this->orgB->id]);
|
|
|
|
$response = $this->postJson("/api/v1/events/{$this->eventA->id}/persons", [
|
|
'crowd_type_id' => $this->crowdTypeA->id,
|
|
'first_name' => 'Test',
|
|
'last_name' => 'User',
|
|
'email' => 'test@example.com',
|
|
'company_id' => $companyB->id,
|
|
]);
|
|
|
|
$response->assertUnprocessable();
|
|
$response->assertJsonValidationErrors('company_id');
|
|
}
|
|
|
|
// --- Cross-tenant crowd list creation ---
|
|
|
|
public function test_cannot_create_crowd_list_with_other_org_crowd_type(): void
|
|
{
|
|
Sanctum::actingAs($this->adminA);
|
|
|
|
$response = $this->postJson("/api/v1/events/{$this->eventA->id}/crowd-lists", [
|
|
'crowd_type_id' => $this->crowdTypeB->id,
|
|
'name' => 'Test List',
|
|
'type' => 'accreditation',
|
|
]);
|
|
|
|
$response->assertUnprocessable();
|
|
$response->assertJsonValidationErrors('crowd_type_id');
|
|
}
|
|
|
|
// --- Cross-tenant event parent reference ---
|
|
|
|
public function test_cannot_set_parent_event_from_other_org(): void
|
|
{
|
|
Sanctum::actingAs($this->adminA);
|
|
|
|
$response = $this->putJson(
|
|
"/api/v1/organisations/{$this->orgA->id}/events/{$this->eventA->id}",
|
|
['parent_event_id' => $this->eventB->id]
|
|
);
|
|
|
|
$response->assertUnprocessable();
|
|
$response->assertJsonValidationErrors('parent_event_id');
|
|
}
|
|
|
|
// --- OrganisationScope filters correctly ---
|
|
|
|
public function test_organisation_scope_filters_persons(): void
|
|
{
|
|
$personA = Person::factory()->approved()->create([
|
|
'event_id' => $this->eventA->id,
|
|
'crowd_type_id' => $this->crowdTypeA->id,
|
|
]);
|
|
|
|
Person::factory()->approved()->create([
|
|
'event_id' => $this->eventB->id,
|
|
'crowd_type_id' => $this->crowdTypeB->id,
|
|
]);
|
|
|
|
Sanctum::actingAs($this->adminA);
|
|
|
|
$response = $this->getJson("/api/v1/events/{$this->eventA->id}/persons");
|
|
|
|
$response->assertOk();
|
|
$personIds = collect($response->json('data'))->pluck('id');
|
|
$this->assertContains($personA->id, $personIds->all());
|
|
$this->assertCount(1, $personIds);
|
|
}
|
|
|
|
// --- Cross-tenant location access ---
|
|
|
|
public function test_cannot_access_other_org_locations(): void
|
|
{
|
|
Sanctum::actingAs($this->adminB);
|
|
|
|
$response = $this->getJson("/api/v1/events/{$this->eventA->id}/locations");
|
|
|
|
// Event-scoped routes: policy returns 403 (user not in org) — access is blocked
|
|
$response->assertForbidden();
|
|
}
|
|
|
|
// --- Cross-tenant section access ---
|
|
|
|
public function test_cannot_access_other_org_sections(): void
|
|
{
|
|
Sanctum::actingAs($this->adminB);
|
|
|
|
$response = $this->getJson("/api/v1/events/{$this->eventA->id}/sections");
|
|
|
|
$response->assertForbidden();
|
|
}
|
|
|
|
// --- Cross-tenant shift access ---
|
|
|
|
public function test_cannot_access_other_org_shifts(): void
|
|
{
|
|
$sectionA = FestivalSection::factory()->create(['event_id' => $this->eventA->id]);
|
|
|
|
Sanctum::actingAs($this->adminB);
|
|
|
|
$response = $this->getJson("/api/v1/events/{$this->eventA->id}/sections/{$sectionA->id}/shifts");
|
|
|
|
$response->assertForbidden();
|
|
}
|
|
|
|
// --- Cross-tenant time-slot access ---
|
|
|
|
public function test_cannot_access_other_org_time_slots(): void
|
|
{
|
|
Sanctum::actingAs($this->adminB);
|
|
|
|
$response = $this->getJson("/api/v1/events/{$this->eventA->id}/time-slots");
|
|
|
|
$response->assertForbidden();
|
|
}
|
|
|
|
// --- Cross-tenant registration field access ---
|
|
|
|
public function test_cannot_access_other_org_registration_fields(): void
|
|
{
|
|
Sanctum::actingAs($this->adminB);
|
|
|
|
$response = $this->getJson("/api/v1/events/{$this->eventA->id}/registration-fields");
|
|
|
|
$response->assertForbidden();
|
|
}
|
|
|
|
// --- Cross-tenant shift assignment listing ---
|
|
|
|
public function test_cannot_list_other_org_shift_assignments(): void
|
|
{
|
|
Sanctum::actingAs($this->adminB);
|
|
|
|
$response = $this->getJson("/api/v1/events/{$this->eventA->id}/shift-assignments");
|
|
|
|
$response->assertForbidden();
|
|
}
|
|
|
|
// --- Cross-tenant person update ---
|
|
|
|
public function test_cannot_update_person_in_other_org(): void
|
|
{
|
|
Sanctum::actingAs($this->adminB);
|
|
|
|
$personA = Person::factory()->approved()->create([
|
|
'event_id' => $this->eventA->id,
|
|
'crowd_type_id' => $this->crowdTypeA->id,
|
|
]);
|
|
|
|
$response = $this->putJson(
|
|
"/api/v1/events/{$this->eventA->id}/persons/{$personA->id}",
|
|
['first_name' => 'Hacked']
|
|
);
|
|
|
|
$response->assertForbidden();
|
|
}
|
|
|
|
// --- Portal cross-event access ---
|
|
|
|
public function test_portal_me_cannot_access_other_org_event(): void
|
|
{
|
|
$volunteer = User::factory()->create();
|
|
|
|
Person::factory()->approved()->create([
|
|
'event_id' => $this->eventA->id,
|
|
'crowd_type_id' => $this->crowdTypeA->id,
|
|
'user_id' => $volunteer->id,
|
|
'email' => $volunteer->email,
|
|
]);
|
|
|
|
Sanctum::actingAs($volunteer);
|
|
|
|
// Volunteer tries to access event from org B (where they have no person record)
|
|
$response = $this->getJson("/api/v1/portal/me?event_id={$this->eventB->id}");
|
|
|
|
$response->assertNotFound();
|
|
}
|
|
}
|