mirror of
https://github.com/Part-DB/Part-DB-server.git
synced 2026-03-08 08:19:35 +00:00
0d58262e19
* Add manual backup creation and delete buttons to Update Manager - Add "Create Backup" button in the backups tab for on-demand backups - Add delete buttons (trash icons) for update logs and backups - New controller routes with CSRF protection and permission checks - Use data-turbo-confirm for CSP-safe confirmation dialogs - Add deleteLog() method to UpdateExecutor with filename validation * Add Docker backup support: download button, SQLite restore fix, decouple from auto-update - Decouple backup creation/restore UI from can_auto_update so Docker and other non-git installations can use backup features - Add backup download endpoint for saving backups externally - Fix SQLite restore to use configured DATABASE_URL path instead of hardcoded var/app.db (affects Docker and custom SQLite paths) - Show Docker-specific warning about var/backups/ not being persisted - Pass is_docker flag to template via InstallationTypeDetector * Add tests for backup/update manager improvements - Controller tests: auth, CSRF validation, 404 for missing backups, restore disabled check - UpdateExecutor: deleteLog validation, non-existent file, successful deletion - BackupManager: deleteBackup validation for missing/non-zip files * Fix test failures: add locale prefix to URLs, correct log directory path * Fix auth test: expect 401 instead of redirect for HTTP Basic auth * Improve test coverage for update manager controller Add happy-path tests for backup creation, deletion, download, and log deletion with valid CSRF tokens. Also test the locked state blocking backup creation. * Fix CSRF tests: initialize session before getting tokens * Fix CSRF tests: extract tokens from rendered page HTML * Harden backup security: password confirmation, CSRF, env toggle Address security review feedback from jbtronics: - Add IS_AUTHENTICATED_FULLY to all sensitive endpoints (create/delete backup, delete log, download backup, start update, restore) - Change backup download from GET to POST with CSRF token - Require password confirmation before downloading backups (backups contain sensitive data like password hashes and secrets) - Add DISABLE_BACKUP_DOWNLOAD env var (default: disabled) to control whether backup downloads are allowed - Add password confirmation modal with security warning in template - Add comprehensive tests: auth checks, env var blocking, POST-only enforcement, status/progress endpoint auth * Fix download modal: use per-backup modals for CSP/Turbo compatibility - Replace shared modal + inline JS with per-backup modals that have filename pre-set in hidden fields (no JavaScript needed) - Add data-turbo="false" to download forms for native browser handling - Add data-bs-dismiss="modal" to submit button to auto-close modal - Add hidden username field for Chrome accessibility best practice - Fix test: GET on POST-only route returns 404 not 405 * Fixed translation keys * Fixed text justification in download modal * Hardenened security of deleteLogEndpoint * Show whether backup, restores and updates are allowed or disabled by sysadmin on update manager * Added documentation for update manager related env variables --------- Co-authored-by: Jan Böhmer <mail@jan-boehmer.de>
112 lines
3.8 KiB
PHP
112 lines
3.8 KiB
PHP
<?php
|
|
/*
|
|
* This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
|
|
*
|
|
* Copyright (C) 2019 - 2024 Jan Böhmer (https://github.com/jbtronics)
|
|
*
|
|
* This program is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU Affero General Public License as published
|
|
* by the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU Affero General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Affero General Public License
|
|
* along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Tests\Services\System;
|
|
|
|
use App\Services\System\BackupManager;
|
|
use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
|
|
|
|
final class BackupManagerTest extends KernelTestCase
|
|
{
|
|
private ?BackupManager $backupManager = null;
|
|
|
|
protected function setUp(): void
|
|
{
|
|
self::bootKernel();
|
|
$this->backupManager = self::getContainer()->get(BackupManager::class);
|
|
}
|
|
|
|
public function testGetBackupDir(): void
|
|
{
|
|
$backupDir = $this->backupManager->getBackupDir();
|
|
|
|
// Should end with var/backups
|
|
$this->assertStringEndsWith('var/backups', $backupDir);
|
|
}
|
|
|
|
public function testGetBackupsReturnsEmptyArrayWhenNoBackups(): void
|
|
{
|
|
// If there are no backups (or the directory doesn't exist), should return empty array
|
|
$backups = $this->backupManager->getBackups();
|
|
|
|
$this->assertIsArray($backups);
|
|
}
|
|
|
|
public function testGetBackupDetailsReturnsNullForNonExistentFile(): void
|
|
{
|
|
$details = $this->backupManager->getBackupDetails('non-existent-backup.zip');
|
|
|
|
$this->assertNull($details);
|
|
}
|
|
|
|
public function testGetBackupDetailsReturnsNullForNonZipFile(): void
|
|
{
|
|
$details = $this->backupManager->getBackupDetails('not-a-zip.txt');
|
|
|
|
$this->assertNull($details);
|
|
}
|
|
|
|
/**
|
|
* Test that version parsing from filename works correctly.
|
|
* This tests the regex pattern used in getBackupDetails.
|
|
*/
|
|
public function testVersionParsingFromFilename(): void
|
|
{
|
|
// Test the regex pattern directly
|
|
$filename = 'pre-update-v2.5.1-to-v2.6.0-2024-01-30-185400.zip';
|
|
$matches = [];
|
|
|
|
$result = preg_match('/pre-update-v([\d.]+)-to-v?([\d.]+)-/', $filename, $matches);
|
|
|
|
$this->assertSame(1, $result);
|
|
$this->assertSame('2.5.1', $matches[1]);
|
|
$this->assertSame('2.6.0', $matches[2]);
|
|
}
|
|
|
|
public function testDeleteBackupReturnsFalseForNonExistentFile(): void
|
|
{
|
|
$this->assertFalse($this->backupManager->deleteBackup('non-existent.zip'));
|
|
}
|
|
|
|
public function testDeleteBackupReturnsFalseForNonZipFile(): void
|
|
{
|
|
$this->assertFalse($this->backupManager->deleteBackup('not-a-zip.txt'));
|
|
}
|
|
|
|
/**
|
|
* Test version parsing with different filename formats.
|
|
*/
|
|
public function testVersionParsingVariants(): void
|
|
{
|
|
// Without 'v' prefix on target version
|
|
$filename1 = 'pre-update-v1.0.0-to-2.0.0-2024-01-30-185400.zip';
|
|
preg_match('/pre-update-v([\d.]+)-to-v?([\d.]+)-/', $filename1, $matches1);
|
|
$this->assertSame('1.0.0', $matches1[1]);
|
|
$this->assertSame('2.0.0', $matches1[2]);
|
|
|
|
// With 'v' prefix on target version
|
|
$filename2 = 'pre-update-v1.0.0-to-v2.0.0-2024-01-30-185400.zip';
|
|
preg_match('/pre-update-v([\d.]+)-to-v?([\d.]+)-/', $filename2, $matches2);
|
|
$this->assertSame('1.0.0', $matches2[1]);
|
|
$this->assertSame('2.0.0', $matches2[2]);
|
|
}
|
|
}
|