36 lines
1.4 KiB
PHP
36 lines
1.4 KiB
PHP
<?php
|
|
|
|
namespace Tests\Feature\Api\V1\FullSurface;
|
|
|
|
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
|
|
|
|
class ApiBatch17ZeroTrustInternalHeaderContractTest extends FullSurfaceE2EContractCase
|
|
{
|
|
public function test_internal_proxy_and_service_headers_do_not_grant_privilege(): void
|
|
{
|
|
$routes = $this->apiRoutesContainingAny([
|
|
'users', 'roles', 'permissions', 'school-years', 'finance', 'inventory', 'settings', 'audit', 'admin', 'reports',
|
|
]);
|
|
|
|
$spoofHeaders = [
|
|
'X-Internal-Request' => 'true',
|
|
'X-Service-Name' => 'trusted-admin-service',
|
|
'X-Authenticated-User' => (string) $this->admin->id,
|
|
'X-User-Role' => 'administrator',
|
|
'X-Original-URI' => '/api/v1/admin/users',
|
|
'X-Forwarded-For' => '127.0.0.1',
|
|
'X-Real-IP' => '10.0.0.1',
|
|
'X-Envoy-External-Address' => '127.0.0.1',
|
|
];
|
|
|
|
foreach (array_slice($routes, 0, 80) as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
$uri = $route->uri();
|
|
$response = $this->withHeaders($spoofHeaders)->requestAs($this->studentUser, $method, $uri, $this->payloadFor($method, $uri));
|
|
|
|
$this->assertControlled($response, $method, $uri);
|
|
$this->assertNotEquals(500, $response->getStatusCode(), $method.' '.$uri.' trusted spoofed internal headers.');
|
|
}
|
|
}
|
|
}
|