From 0580af0d34269393dd0194a8428da184dec5f736 Mon Sep 17 00:00:00 2001 From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com> Date: Wed, 25 Feb 2026 11:38:09 +0100 Subject: [PATCH] feat(healthchecks): add command health checks with input validation Add support for command-based health checks in addition to HTTP-based checks: - New health_check_type field supporting 'http' and 'cmd' values - New health_check_command field with strict regex validation - Updated allowedFields in create_application and update_by_uuid endpoints - Validation rules include max 1000 characters and safe character whitelist - Added feature tests for health check API endpoints - Added unit tests for GithubAppPolicy and SharedEnvironmentVariablePolicy --- .../Api/ApplicationsController.php | 4 +- bootstrap/helpers/api.php | 2 + .../Feature/ApplicationHealthCheckApiTest.php | 120 +++++++++ tests/Unit/Policies/GithubAppPolicyTest.php | 227 ++++++++++++++++++ .../SharedEnvironmentVariablePolicyTest.php | 163 +++++++++++++ 5 files changed, 514 insertions(+), 2 deletions(-) create mode 100644 tests/Feature/ApplicationHealthCheckApiTest.php create mode 100644 tests/Unit/Policies/GithubAppPolicyTest.php create mode 100644 tests/Unit/Policies/SharedEnvironmentVariablePolicyTest.php diff --git a/app/Http/Controllers/Api/ApplicationsController.php b/app/Http/Controllers/Api/ApplicationsController.php index 256308afd..ddef74226 100644 --- a/app/Http/Controllers/Api/ApplicationsController.php +++ b/app/Http/Controllers/Api/ApplicationsController.php @@ -1002,7 +1002,7 @@ private function create_application(Request $request, $type) if ($return instanceof \Illuminate\Http\JsonResponse) { return $return; } - $allowedFields = ['project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'type', 'name', 'description', 'is_static', 'is_spa', 'is_auto_deploy_enabled', 'is_force_https_enabled', 'domains', 'git_repository', 'git_branch', 'git_commit_sha', 'private_key_uuid', 'docker_registry_image_name', 'docker_registry_image_tag', 'build_pack', 'install_command', 'build_command', 'start_command', 'ports_exposes', 'ports_mappings', 'custom_network_aliases', 'base_directory', 'publish_directory', 'health_check_enabled', 'health_check_path', 'health_check_port', 'health_check_host', 'health_check_method', 'health_check_return_code', 'health_check_scheme', 'health_check_response_text', 'health_check_interval', 'health_check_timeout', 'health_check_retries', 'health_check_start_period', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'custom_labels', 'custom_docker_run_options', 'post_deployment_command', 'post_deployment_command_container', 'pre_deployment_command', 'pre_deployment_command_container', 'manual_webhook_secret_github', 'manual_webhook_secret_gitlab', 'manual_webhook_secret_bitbucket', 'manual_webhook_secret_gitea', 'redirect', 'github_app_uuid', 'instant_deploy', 'dockerfile', 'dockerfile_location', 'docker_compose_location', 'docker_compose_raw', 'docker_compose_custom_start_command', 'docker_compose_custom_build_command', 'docker_compose_domains', 'watch_paths', 'use_build_server', 'static_image', 'custom_nginx_configuration', 'is_http_basic_auth_enabled', 'http_basic_auth_username', 'http_basic_auth_password', 'connect_to_docker_network', 'force_domain_override', 'autogenerate_domain', 'is_container_label_escape_enabled']; + $allowedFields = ['project_uuid', 'environment_name', 'environment_uuid', 'server_uuid', 'destination_uuid', 'type', 'name', 'description', 'is_static', 'is_spa', 'is_auto_deploy_enabled', 'is_force_https_enabled', 'domains', 'git_repository', 'git_branch', 'git_commit_sha', 'private_key_uuid', 'docker_registry_image_name', 'docker_registry_image_tag', 'build_pack', 'install_command', 'build_command', 'start_command', 'ports_exposes', 'ports_mappings', 'custom_network_aliases', 'base_directory', 'publish_directory', 'health_check_enabled', 'health_check_type', 'health_check_command', 'health_check_path', 'health_check_port', 'health_check_host', 'health_check_method', 'health_check_return_code', 'health_check_scheme', 'health_check_response_text', 'health_check_interval', 'health_check_timeout', 'health_check_retries', 'health_check_start_period', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'custom_labels', 'custom_docker_run_options', 'post_deployment_command', 'post_deployment_command_container', 'pre_deployment_command', 'pre_deployment_command_container', 'manual_webhook_secret_github', 'manual_webhook_secret_gitlab', 'manual_webhook_secret_bitbucket', 'manual_webhook_secret_gitea', 'redirect', 'github_app_uuid', 'instant_deploy', 'dockerfile', 'dockerfile_location', 'docker_compose_location', 'docker_compose_raw', 'docker_compose_custom_start_command', 'docker_compose_custom_build_command', 'docker_compose_domains', 'watch_paths', 'use_build_server', 'static_image', 'custom_nginx_configuration', 'is_http_basic_auth_enabled', 'http_basic_auth_username', 'http_basic_auth_password', 'connect_to_docker_network', 'force_domain_override', 'autogenerate_domain', 'is_container_label_escape_enabled']; $validator = customApiValidator($request->all(), [ 'name' => 'string|max:255', @@ -2460,7 +2460,7 @@ public function update_by_uuid(Request $request) $this->authorize('update', $application); $server = $application->destination->server; - $allowedFields = ['name', 'description', 'is_static', 'is_spa', 'is_auto_deploy_enabled', 'is_force_https_enabled', 'domains', 'git_repository', 'git_branch', 'git_commit_sha', 'docker_registry_image_name', 'docker_registry_image_tag', 'build_pack', 'static_image', 'install_command', 'build_command', 'start_command', 'ports_exposes', 'ports_mappings', 'custom_network_aliases', 'base_directory', 'publish_directory', 'health_check_enabled', 'health_check_path', 'health_check_port', 'health_check_host', 'health_check_method', 'health_check_return_code', 'health_check_scheme', 'health_check_response_text', 'health_check_interval', 'health_check_timeout', 'health_check_retries', 'health_check_start_period', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'custom_labels', 'custom_docker_run_options', 'post_deployment_command', 'post_deployment_command_container', 'pre_deployment_command', 'pre_deployment_command_container', 'watch_paths', 'manual_webhook_secret_github', 'manual_webhook_secret_gitlab', 'manual_webhook_secret_bitbucket', 'manual_webhook_secret_gitea', 'dockerfile_location', 'docker_compose_location', 'docker_compose_custom_start_command', 'docker_compose_custom_build_command', 'docker_compose_domains', 'redirect', 'instant_deploy', 'use_build_server', 'custom_nginx_configuration', 'is_http_basic_auth_enabled', 'http_basic_auth_username', 'http_basic_auth_password', 'connect_to_docker_network', 'force_domain_override', 'is_container_label_escape_enabled']; + $allowedFields = ['name', 'description', 'is_static', 'is_spa', 'is_auto_deploy_enabled', 'is_force_https_enabled', 'domains', 'git_repository', 'git_branch', 'git_commit_sha', 'docker_registry_image_name', 'docker_registry_image_tag', 'build_pack', 'static_image', 'install_command', 'build_command', 'start_command', 'ports_exposes', 'ports_mappings', 'custom_network_aliases', 'base_directory', 'publish_directory', 'health_check_enabled', 'health_check_type', 'health_check_command', 'health_check_path', 'health_check_port', 'health_check_host', 'health_check_method', 'health_check_return_code', 'health_check_scheme', 'health_check_response_text', 'health_check_interval', 'health_check_timeout', 'health_check_retries', 'health_check_start_period', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'custom_labels', 'custom_docker_run_options', 'post_deployment_command', 'post_deployment_command_container', 'pre_deployment_command', 'pre_deployment_command_container', 'watch_paths', 'manual_webhook_secret_github', 'manual_webhook_secret_gitlab', 'manual_webhook_secret_bitbucket', 'manual_webhook_secret_gitea', 'dockerfile_location', 'docker_compose_location', 'docker_compose_custom_start_command', 'docker_compose_custom_build_command', 'docker_compose_domains', 'redirect', 'instant_deploy', 'use_build_server', 'custom_nginx_configuration', 'is_http_basic_auth_enabled', 'http_basic_auth_username', 'http_basic_auth_password', 'connect_to_docker_network', 'force_domain_override', 'is_container_label_escape_enabled']; $validationRules = [ 'name' => 'string|max:255', diff --git a/bootstrap/helpers/api.php b/bootstrap/helpers/api.php index efa444675..edb1e59a1 100644 --- a/bootstrap/helpers/api.php +++ b/bootstrap/helpers/api.php @@ -104,6 +104,8 @@ function sharedDataApplications() 'base_directory' => 'string|nullable', 'publish_directory' => 'string|nullable', 'health_check_enabled' => 'boolean', + 'health_check_type' => 'string|in:http,cmd', + 'health_check_command' => ['nullable', 'string', 'max:1000', 'regex:/^[a-zA-Z0-9 \-_.\/:=@,+]+$/'], 'health_check_path' => ['string', 'regex:#^[a-zA-Z0-9/\-_.~%]+$#'], 'health_check_port' => 'integer|nullable|min:1|max:65535', 'health_check_host' => ['string', 'regex:/^[a-zA-Z0-9.\-_]+$/'], diff --git a/tests/Feature/ApplicationHealthCheckApiTest.php b/tests/Feature/ApplicationHealthCheckApiTest.php new file mode 100644 index 000000000..8ccb7c639 --- /dev/null +++ b/tests/Feature/ApplicationHealthCheckApiTest.php @@ -0,0 +1,120 @@ +team = Team::factory()->create(); + $this->user = User::factory()->create(); + $this->team->members()->attach($this->user->id, ['role' => 'owner']); + + session(['currentTeam' => $this->team]); + + $this->token = $this->user->createToken('test-token', ['*']); + $this->bearerToken = $this->token->plainTextToken; + + $this->server = Server::factory()->create(['team_id' => $this->team->id]); + + StandaloneDocker::withoutEvents(function () { + $this->destination = StandaloneDocker::firstOrCreate( + ['server_id' => $this->server->id, 'network' => 'coolify'], + ['uuid' => (string) new Cuid2, 'name' => 'test-docker'] + ); + }); + + $this->project = Project::create([ + 'uuid' => (string) new Cuid2, + 'name' => 'test-project', + 'team_id' => $this->team->id, + ]); + + // Project boot event auto-creates a 'production' environment + $this->environment = $this->project->environments()->first(); + + $this->application = Application::factory()->create([ + 'environment_id' => $this->environment->id, + 'destination_id' => $this->destination->id, + 'destination_type' => $this->destination->getMorphClass(), + ]); +}); + +function healthCheckAuthHeaders($bearerToken): array +{ + return [ + 'Authorization' => 'Bearer '.$bearerToken, + 'Content-Type' => 'application/json', + ]; +} + +describe('PATCH /api/v1/applications/{uuid} health check fields', function () { + test('can update health_check_type to cmd with a command', function () { + $response = $this->withHeaders(healthCheckAuthHeaders($this->bearerToken)) + ->patchJson("/api/v1/applications/{$this->application->uuid}", [ + 'health_check_type' => 'cmd', + 'health_check_command' => 'pg_isready -U postgres', + ]); + + $response->assertOk(); + + $this->application->refresh(); + expect($this->application->health_check_type)->toBe('cmd'); + expect($this->application->health_check_command)->toBe('pg_isready -U postgres'); + }); + + test('can update health_check_type back to http', function () { + $this->application->update([ + 'health_check_type' => 'cmd', + 'health_check_command' => 'redis-cli ping', + ]); + + $response = $this->withHeaders(healthCheckAuthHeaders($this->bearerToken)) + ->patchJson("/api/v1/applications/{$this->application->uuid}", [ + 'health_check_type' => 'http', + 'health_check_command' => null, + ]); + + $response->assertOk(); + + $this->application->refresh(); + expect($this->application->health_check_type)->toBe('http'); + expect($this->application->health_check_command)->toBeNull(); + }); + + test('rejects invalid health_check_type', function () { + $response = $this->withHeaders(healthCheckAuthHeaders($this->bearerToken)) + ->patchJson("/api/v1/applications/{$this->application->uuid}", [ + 'health_check_type' => 'exec', + ]); + + $response->assertStatus(422); + }); + + test('rejects health_check_command with shell operators', function () { + $response = $this->withHeaders(healthCheckAuthHeaders($this->bearerToken)) + ->patchJson("/api/v1/applications/{$this->application->uuid}", [ + 'health_check_type' => 'cmd', + 'health_check_command' => 'pg_isready; rm -rf /', + ]); + + $response->assertStatus(422); + }); + + test('rejects health_check_command over 1000 characters', function () { + $response = $this->withHeaders(healthCheckAuthHeaders($this->bearerToken)) + ->patchJson("/api/v1/applications/{$this->application->uuid}", [ + 'health_check_type' => 'cmd', + 'health_check_command' => str_repeat('a', 1001), + ]); + + $response->assertStatus(422); + }); +}); diff --git a/tests/Unit/Policies/GithubAppPolicyTest.php b/tests/Unit/Policies/GithubAppPolicyTest.php new file mode 100644 index 000000000..55ba7f3d3 --- /dev/null +++ b/tests/Unit/Policies/GithubAppPolicyTest.php @@ -0,0 +1,227 @@ +makePartial(); + + $policy = new GithubAppPolicy; + expect($policy->viewAny($user))->toBeTrue(); +}); + +it('allows any user to view system-wide github app', function () { + $user = Mockery::mock(User::class)->makePartial(); + + $model = new class + { + public $team_id = 1; + + public $is_system_wide = true; + }; + + $policy = new GithubAppPolicy; + expect($policy->view($user, $model))->toBeTrue(); +}); + +it('allows team member to view non-system-wide github app', function () { + $teams = collect([ + (object) ['id' => 1, 'pivot' => (object) ['role' => 'member']], + ]); + + $user = Mockery::mock(User::class)->makePartial(); + $user->shouldReceive('getAttribute')->with('teams')->andReturn($teams); + + $model = new class + { + public $team_id = 1; + + public $is_system_wide = false; + }; + + $policy = new GithubAppPolicy; + expect($policy->view($user, $model))->toBeTrue(); +}); + +it('denies non-team member to view non-system-wide github app', function () { + $teams = collect([ + (object) ['id' => 2, 'pivot' => (object) ['role' => 'member']], + ]); + + $user = Mockery::mock(User::class)->makePartial(); + $user->shouldReceive('getAttribute')->with('teams')->andReturn($teams); + + $model = new class + { + public $team_id = 1; + + public $is_system_wide = false; + }; + + $policy = new GithubAppPolicy; + expect($policy->view($user, $model))->toBeFalse(); +}); + +it('allows admin to create github app', function () { + $user = Mockery::mock(User::class)->makePartial(); + $user->shouldReceive('isAdmin')->andReturn(true); + + $policy = new GithubAppPolicy; + expect($policy->create($user))->toBeTrue(); +}); + +it('denies non-admin to create github app', function () { + $user = Mockery::mock(User::class)->makePartial(); + $user->shouldReceive('isAdmin')->andReturn(false); + + $policy = new GithubAppPolicy; + expect($policy->create($user))->toBeFalse(); +}); + +it('allows user with system access to update system-wide github app', function () { + $user = Mockery::mock(User::class)->makePartial(); + $user->shouldReceive('canAccessSystemResources')->andReturn(true); + + $model = new class + { + public $team_id = 1; + + public $is_system_wide = true; + }; + + $policy = new GithubAppPolicy; + expect($policy->update($user, $model))->toBeTrue(); +}); + +it('denies user without system access to update system-wide github app', function () { + $user = Mockery::mock(User::class)->makePartial(); + $user->shouldReceive('canAccessSystemResources')->andReturn(false); + + $model = new class + { + public $team_id = 1; + + public $is_system_wide = true; + }; + + $policy = new GithubAppPolicy; + expect($policy->update($user, $model))->toBeFalse(); +}); + +it('allows team admin to update non-system-wide github app', function () { + $user = Mockery::mock(User::class)->makePartial(); + $user->shouldReceive('isAdminOfTeam')->with(1)->andReturn(true); + + $model = new class + { + public $team_id = 1; + + public $is_system_wide = false; + }; + + $policy = new GithubAppPolicy; + expect($policy->update($user, $model))->toBeTrue(); +}); + +it('denies team member to update non-system-wide github app', function () { + $user = Mockery::mock(User::class)->makePartial(); + $user->shouldReceive('isAdminOfTeam')->with(1)->andReturn(false); + + $model = new class + { + public $team_id = 1; + + public $is_system_wide = false; + }; + + $policy = new GithubAppPolicy; + expect($policy->update($user, $model))->toBeFalse(); +}); + +it('allows user with system access to delete system-wide github app', function () { + $user = Mockery::mock(User::class)->makePartial(); + $user->shouldReceive('canAccessSystemResources')->andReturn(true); + + $model = new class + { + public $team_id = 1; + + public $is_system_wide = true; + }; + + $policy = new GithubAppPolicy; + expect($policy->delete($user, $model))->toBeTrue(); +}); + +it('denies user without system access to delete system-wide github app', function () { + $user = Mockery::mock(User::class)->makePartial(); + $user->shouldReceive('canAccessSystemResources')->andReturn(false); + + $model = new class + { + public $team_id = 1; + + public $is_system_wide = true; + }; + + $policy = new GithubAppPolicy; + expect($policy->delete($user, $model))->toBeFalse(); +}); + +it('allows team admin to delete non-system-wide github app', function () { + $user = Mockery::mock(User::class)->makePartial(); + $user->shouldReceive('isAdminOfTeam')->with(1)->andReturn(true); + + $model = new class + { + public $team_id = 1; + + public $is_system_wide = false; + }; + + $policy = new GithubAppPolicy; + expect($policy->delete($user, $model))->toBeTrue(); +}); + +it('denies team member to delete non-system-wide github app', function () { + $user = Mockery::mock(User::class)->makePartial(); + $user->shouldReceive('isAdminOfTeam')->with(1)->andReturn(false); + + $model = new class + { + public $team_id = 1; + + public $is_system_wide = false; + }; + + $policy = new GithubAppPolicy; + expect($policy->delete($user, $model))->toBeFalse(); +}); + +it('denies restore of github app', function () { + $user = Mockery::mock(User::class)->makePartial(); + + $model = new class + { + public $team_id = 1; + + public $is_system_wide = false; + }; + + $policy = new GithubAppPolicy; + expect($policy->restore($user, $model))->toBeFalse(); +}); + +it('denies force delete of github app', function () { + $user = Mockery::mock(User::class)->makePartial(); + + $model = new class + { + public $team_id = 1; + + public $is_system_wide = false; + }; + + $policy = new GithubAppPolicy; + expect($policy->forceDelete($user, $model))->toBeFalse(); +}); diff --git a/tests/Unit/Policies/SharedEnvironmentVariablePolicyTest.php b/tests/Unit/Policies/SharedEnvironmentVariablePolicyTest.php new file mode 100644 index 000000000..f993978f9 --- /dev/null +++ b/tests/Unit/Policies/SharedEnvironmentVariablePolicyTest.php @@ -0,0 +1,163 @@ +makePartial(); + + $policy = new SharedEnvironmentVariablePolicy; + expect($policy->viewAny($user))->toBeTrue(); +}); + +it('allows team member to view their team shared environment variable', function () { + $teams = collect([ + (object) ['id' => 1, 'pivot' => (object) ['role' => 'member']], + ]); + + $user = Mockery::mock(User::class)->makePartial(); + $user->shouldReceive('getAttribute')->with('teams')->andReturn($teams); + + $model = new class + { + public $team_id = 1; + }; + + $policy = new SharedEnvironmentVariablePolicy; + expect($policy->view($user, $model))->toBeTrue(); +}); + +it('denies non-team member to view shared environment variable', function () { + $teams = collect([ + (object) ['id' => 1, 'pivot' => (object) ['role' => 'member']], + ]); + + $user = Mockery::mock(User::class)->makePartial(); + $user->shouldReceive('getAttribute')->with('teams')->andReturn($teams); + + $model = new class + { + public $team_id = 2; + }; + + $policy = new SharedEnvironmentVariablePolicy; + expect($policy->view($user, $model))->toBeFalse(); +}); + +it('allows admin to create shared environment variable', function () { + $user = Mockery::mock(User::class)->makePartial(); + $user->shouldReceive('isAdmin')->andReturn(true); + + $policy = new SharedEnvironmentVariablePolicy; + expect($policy->create($user))->toBeTrue(); +}); + +it('denies non-admin to create shared environment variable', function () { + $user = Mockery::mock(User::class)->makePartial(); + $user->shouldReceive('isAdmin')->andReturn(false); + + $policy = new SharedEnvironmentVariablePolicy; + expect($policy->create($user))->toBeFalse(); +}); + +it('allows team admin to update shared environment variable', function () { + $user = Mockery::mock(User::class)->makePartial(); + $user->shouldReceive('isAdminOfTeam')->with(1)->andReturn(true); + + $model = new class + { + public $team_id = 1; + }; + + $policy = new SharedEnvironmentVariablePolicy; + expect($policy->update($user, $model))->toBeTrue(); +}); + +it('denies team member to update shared environment variable', function () { + $user = Mockery::mock(User::class)->makePartial(); + $user->shouldReceive('isAdminOfTeam')->with(1)->andReturn(false); + + $model = new class + { + public $team_id = 1; + }; + + $policy = new SharedEnvironmentVariablePolicy; + expect($policy->update($user, $model))->toBeFalse(); +}); + +it('allows team admin to delete shared environment variable', function () { + $user = Mockery::mock(User::class)->makePartial(); + $user->shouldReceive('isAdminOfTeam')->with(1)->andReturn(true); + + $model = new class + { + public $team_id = 1; + }; + + $policy = new SharedEnvironmentVariablePolicy; + expect($policy->delete($user, $model))->toBeTrue(); +}); + +it('denies team member to delete shared environment variable', function () { + $user = Mockery::mock(User::class)->makePartial(); + $user->shouldReceive('isAdminOfTeam')->with(1)->andReturn(false); + + $model = new class + { + public $team_id = 1; + }; + + $policy = new SharedEnvironmentVariablePolicy; + expect($policy->delete($user, $model))->toBeFalse(); +}); + +it('denies restore of shared environment variable', function () { + $user = Mockery::mock(User::class)->makePartial(); + + $model = new class + { + public $team_id = 1; + }; + + $policy = new SharedEnvironmentVariablePolicy; + expect($policy->restore($user, $model))->toBeFalse(); +}); + +it('denies force delete of shared environment variable', function () { + $user = Mockery::mock(User::class)->makePartial(); + + $model = new class + { + public $team_id = 1; + }; + + $policy = new SharedEnvironmentVariablePolicy; + expect($policy->forceDelete($user, $model))->toBeFalse(); +}); + +it('allows team admin to manage environment', function () { + $user = Mockery::mock(User::class)->makePartial(); + $user->shouldReceive('isAdminOfTeam')->with(1)->andReturn(true); + + $model = new class + { + public $team_id = 1; + }; + + $policy = new SharedEnvironmentVariablePolicy; + expect($policy->manageEnvironment($user, $model))->toBeTrue(); +}); + +it('denies team member to manage environment', function () { + $user = Mockery::mock(User::class)->makePartial(); + $user->shouldReceive('isAdminOfTeam')->with(1)->andReturn(false); + + $model = new class + { + public $team_id = 1; + }; + + $policy = new SharedEnvironmentVariablePolicy; + expect($policy->manageEnvironment($user, $model))->toBeFalse(); +});