Add tests to test API + Fix issues with api (hestiacp#2587)

* Remove + sign from key generator
* Also % caused issues 
+ Add support for v-make-tmp-file
* Adjust hash_valid function to allow for Access:Secret key fromat
* Resolve issues with api

Legacy api broke due to changes for PHP8.1 causing v-add-user package field was empty 
New API didn't support v-make-tmp-file causing DNS cluster to break

* Fix issue with v-make-tmp-file not working (Hash / PW)
* Check if permissions alllow creation of tmp file
*  Fix issue with sync-dns-cluster not working 

When Debug mode is enable it will log  commands to /var/log/hestia/api.log

Author: jaapmarcus

bin/v-add-access-key

@@ -31,7 +31,7 @@ keygen() {
 
     local MATRIX='0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
     if [[ "$USE_SPECIAL_CHARACTERS" == "yes" ]]; then
-        MATRIX+='_-+^~=%'
+        MATRIX+='_-^~='
     fi
 
     local PASS N

func/main.sh

@@ -1108,7 +1108,7 @@ is_service_format_valid() {
 }
 
 is_hash_format_valid() {
-  if ! [[ "$1" =~ ^[-_A-Za-z0-9]{1,32}$ ]]; then
+  if ! [[ "$1" =~ ^[[:alnum:]|\:|\=|_|-]{1,80}$ ]]; then
         check_result "$E_INVALID" "invalid $2 format :: $1"
     fi
 }
@@ -1297,16 +1297,33 @@ check_access_key_cmd() {
     local access_key_id="$(basename "$1")"
     local cmd=$2
     local -n user_arg_position=$3
-
+    
+    if [[ "$DEBUG_MODE" = "true" ]]; then 
+    new_timestamp
+      echo "[$date:$time] $1 $2" >> /var/log/hestia/api.log
+    fi
     if [[ -z "$access_key_id" || ! -f "$HESTIA/data/access-keys/${access_key_id}" ]]; then
         check_result "$E_FORBIDEN" "Access key $access_key_id doesn't exist"
     fi
-
+    
     if [[ -z "$cmd" ]]; then
         check_result "$E_FORBIDEN" "Command not provided"
+    elif [[ "$cmd" = 'v-make-tmp-file' ]]; then
+      USER="" PERMISSIONS=""
+      source_conf "${HESTIA}/data/access-keys/${access_key_id}"
+      local allowed_commands
+      if [[ -n "$PERMISSIONS" ]]; then
+          allowed_commands="$(get_apis_commands "$PERMISSIONS")"
+          if [[ -z "$(echo ",${allowed_commands}," | grep ",${hst_command},")" ]]; then
+              check_result "$E_FORBIDEN" "Key $access_key_id don't have permission to run the command $hst_command"
+          fi
+      elif [[ -z "$PERMISSIONS" && "$USER" != "admin" ]]; then
+          check_result "$E_FORBIDEN" "Key $access_key_id don't have permission to run the command $hst_command"
+      fi 
+      user_arg_position="0"
     elif [[ ! -e "$BIN/$cmd" ]]; then
         check_result "$E_FORBIDEN" "Command $cmd not found"
-    else
+    else 
         USER="" PERMISSIONS=""
         source_conf "${HESTIA}/data/access-keys/${access_key_id}"
 

install/deb/api/billing

@@ -1,2 +1,2 @@
 ROLE='admin'
-COMMANDS='v-add-user,v-delete-user,v-suspend-user,v-unsuspend-user,v-change-user-shell,v-list-user,v-list-users,v-make-tmp-file,v-add-domain,v-change-user-package'
+COMMANDS='v-add-user,v-delete-user,v-suspend-user,v-unsuspend-user,v-change-user-shell,v-list-user,v-list-users,v-make-tmp-file,v-add-domain,v-change-user-package,v-make-tmp-file'

install/deb/api/sync-dns-cluster

@@ -1,2 +1,2 @@
 ROLE='admin'
-COMMANDS='v-delete-dns-domains-src,v-insert-dns-domain,v-insert-dns-records,v-rebuild-dns-domains,v-delete-dns-record'
+COMMANDS='v-list-sys-config,v-list-user,v-add-cron-restart-job,v-delete-dns-domains-src,v-insert-dns-domain,v-insert-dns-record,v-insert-dns-records,v-rebuild-dns-domains,v-delete-dns-record,v-make-tmp-file,v-insert-dns-domain'

install/upgrade/versions/1.6.0.sh

@@ -69,9 +69,8 @@ if [ -z "$(grep v-update-lets $HESTIA/data/users/admin/cron.conf)" ]; then
 fi
 
 # Add apis if they don't exist
-if [[ ! -d $HESTIA/data/api ]]; then
-    cp -rf $HESTIA_INSTALL_DIR/api $HESTIA/data/
-fi
+# Changes have been made make sure to overwrite them to prevent issues in the future
+cp -rf $HESTIA_INSTALL_DIR/api $HESTIA/data/
 
 # Update Cloudflare address
 if [ -f /etc/nginx/nginx.conf ] && [ "$(grep 'set_real_ip_from 2405:8100::/32' /etc/nginx/nginx.conf)" = "" ];then

test/api.bats

@@ -0,0 +1,151 @@
+#!/usr/bin/env bats
+
+if [ "${PATH#*/usr/local/hestia/bin*}" = "$PATH" ]; then
+    . /etc/profile.d/hestia.sh
+fi
+
+load 'test_helper/bats-support/load'
+load 'test_helper/bats-assert/load'
+load 'test_helper/bats-file/load'
+
+
+function random() {
+    head /dev/urandom | tr -dc 0-9 | head -c$1
+}
+
+function setup() {
+    source /tmp/hestia-api-env.sh
+    source $HESTIA/func/main.sh
+    source $HESTIA/conf/hestia.conf
+    source $HESTIA/func/ip.sh
+}
+
+@test "[Success][ Admin/password ] List users" {
+    run curl -k -s -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "user=admin&password=$password&returncode=no&cmd=v-list-users&arg1=plain" "https://$server:$port/api/index.php"
+    assert_success
+    assert_output --partial "admin"
+}
+
+@test "[Success][ Hash ] List users" {
+    run curl -k -s -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "hash=$apikey&returncode=no&cmd=v-list-users&arg1=plain" "https://$server:$port/api/index.php"
+    assert_success
+    assert_output --partial "admin"
+}
+
+@test "[Fail][ APIV2 ] Create new user" {
+    run curl -k -s -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "hash=$accesskey&returncode=yes&cmd=v-add-user&arg1=hestiatest&arg2=strongpassword&arg3=info@hestiacp.com" "https://$server:$port/api/index.php"
+    assert_success
+    assert_output --partial "don't have permission to run the command v-add-user"
+}
+
+@test "[Success][ Hash ] Create tmp file" {
+    run curl -k -s -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "hash=$apikey&cmd=v-make-tmp-file&arg1=strongpassword&arg2=clusterpassword" "https://$server:$port/api/index.php"
+    assert_success
+    assert_output --partial "OK"
+}
+
+@test "[Success][ Hash ] Create new user" {
+    run curl -k -s -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "hash=$apikey&cmd=v-add-user&arg1=hestiatest&arg2=/tmp/clusterpassword&arg3=info@hestiacp.com&arg4=default" "https://$server:$port/api/index.php"
+    assert_success
+    assert_output --partial "OK"
+}
+
+@test "[Success][ Hash ] Check password" {
+    run curl -k -s -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "hash=$apikey&cmd=v-check-user-password&arg1=hestiatest&arg2=strongpassword" "https://$server:$port/api/index.php"
+    assert_success
+    assert_output --partial "OK"
+}
+
+
+@test "[Success][ Local ] Add user" {
+    run v-add-user hestiatest 1234BCD info@hestiacp.com
+    assert_success
+}
+
+@test "[Success][ Local ] Add DNS domain" {
+    run v-add-dns-domain hestiatest ilovehestiacp.com 127.0.0.1
+    assert_success
+}
+
+@test "[Success][ APIV2 ] Add remote DNS host" {
+    run v-add-remote-dns-host $server $port "$accesskey" '' api 'hestiatest'
+    assert_success
+}
+
+@test "[Success][ APIV2 ] Sync DNS cluster 1" {
+    run v-sync-dns-cluster
+    assert_success
+}
+
+@test "[Success][ Local ] nslookup ilovehestiacp.com" {
+    run nslookup ilovehestiacp.com $server
+    assert_success
+    assert_output --partial "127.0.0.1"
+}
+
+@test "[Success][ Local ] Add DNS domain 2" {
+    run v-add-dns-domain hestiatest ilovehestiacp.org 127.0.0.1
+    assert_success
+}
+
+@test "[Success][ Local ] Add DNS record" {
+    run v-add-dns-record hestiatest ilovehestiacp.org test A 127.0.0.1 yes 20
+    assert_success
+}
+
+@test "[Success][ Local ] nslookup test.ilovehestiacp.org" {
+    run nslookup test.ilovehestiacp.org $server
+    assert_failure 1
+    assert_output --partial "REFUSED"
+    
+    run nslookup test.ilovehestiacp.org localhost
+    assert_success
+    assert_output --partial "127.0.0.1"
+}
+
+@test "[Success][ APIV2 ] Sync DNS cluster 2" {
+    run v-sync-dns-cluster
+    assert_success
+    
+    run nslookup test.ilovehestiacp.org $server
+    assert_success
+    assert_output --partial "127.0.0.1"
+}
+
+@test "[Success][ Local ] Delete DNS record" {
+    run v-delete-dns-record hestiatest ilovehestiacp.org 20
+    assert_success
+}
+
+@test "[Success][ Local ] nslookup test.ilovehestiacp.org 2" {
+    run nslookup test.ilovehestiacp.org $server
+    assert_success
+    assert_output --partial "127.0.0.1"
+    
+    run nslookup test.ilovehestiacp.org localhost
+    assert_failure
+}
+
+@test "[Success][ APIV2 ] Sync DNS cluster 3" {
+    run v-sync-dns-cluster
+    assert_success
+    
+    run nslookup test.ilovehestiacp.org $server
+    assert_failure
+}
+
+
+@test "[Success][ APIV2 ] Delete remote DNS host" {
+    run v-delete-remote-dns-host $server
+    assert_success
+}
+
+
+@test "[Success][ Local ] Delete user" {
+    run v-delete-user hestiatest
+    assert_success
+}
+
+@test "[Success][ Hash ] Delete user" {
+    run curl -k -s -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "hash=$apikey&cmd=v-delete-user&arg1=hestiatest" "https://$server:$port/api/index.php"
+}

test/checks.bats

@@ -35,6 +35,10 @@ function setup() {
     source $HESTIA/func/ip.sh
 }
 
+@test "is_hash_format_valid accesskey:secret valid" {
+    run is_hash_format_valid 'bxDaKPyAfLPRgSkoqlkI:Pc8czGPRECp3GxTNMr3LF6zWc8cjfPrNHy_-=A' "hash"
+    assert_success
+}
 @test "is_access_key_id_format_valid valid" {
     run is_access_key_id_format_valid 'M0ocDoIKbsoXSqtk1mgc' "key"
     assert_success