empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-07 01:15:22 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
0ef59081ba
fleet/server/service/sessions_test.go

374 lines
9.4 KiB
Go
Raw Normal View History

Migrate most users endpoints to the new pattern (#3366)
2022-01-10 19:43:39 +00:00
package service
Migrate remaining user-authenticated endpoints (#3796)
2022-01-25 14:34:00 +00:00
import (
"context"
"testing"
"time"
Migrate special-case endpoints to new pattern (#4511)
2022-03-08 16:27:38 +00:00
"github.com/fleetdm/fleet/v4/server/config"
Migrate remaining user-authenticated endpoints (#3796)
2022-01-25 14:34:00 +00:00
"github.com/fleetdm/fleet/v4/server/contexts/viewer"
Migrate special-case endpoints to new pattern (#4511)
2022-03-08 16:27:38 +00:00
"github.com/fleetdm/fleet/v4/server/datastore/mysql"
Migrate remaining user-authenticated endpoints (#3796)
2022-01-25 14:34:00 +00:00
"github.com/fleetdm/fleet/v4/server/fleet"
"github.com/fleetdm/fleet/v4/server/mock"
"github.com/fleetdm/fleet/v4/server/ptr"
Migrate special-case endpoints to new pattern (#4511)
2022-03-08 16:27:38 +00:00
"github.com/fleetdm/fleet/v4/server/test"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
Migrate remaining user-authenticated endpoints (#3796)
2022-01-25 14:34:00 +00:00
)
func TestSessionAuth(t *testing.T) {
ds := new(mock.Store)
Refactor license so it is stored in the context (#8544)
2022-11-15 14:08:05 +00:00
svc, ctx := newTestService(t, ds, nil, nil)
Migrate remaining user-authenticated endpoints (#3796)
2022-01-25 14:34:00 +00:00
ds.ListSessionsForUserFunc = func(ctx context.Context, id uint) ([]*fleet.Session, error) {
if id == 999 {
return []*fleet.Session{
{ID: 1, UserID: id, AccessedAt: time.Now()},
}, nil
}
return nil, nil
}
ds.SessionByIDFunc = func(ctx context.Context, id uint) (*fleet.Session, error) {
return &fleet.Session{ID: id, UserID: 999, AccessedAt: time.Now()}, nil
}
ds.DestroySessionFunc = func(ctx context.Context, ssn *fleet.Session) error {
return nil
}
ds.MarkSessionAccessedFunc = func(ctx context.Context, ssn *fleet.Session) error {
return nil
}
testCases := []struct {
name string
user *fleet.User
shouldFailWrite bool
shouldFailRead bool
}{
{
"global admin",
&fleet.User{ID: 111, GlobalRole: ptr.String(fleet.RoleAdmin)},
false,
false,
},
{
"global maintainer",
&fleet.User{ID: 111, GlobalRole: ptr.String(fleet.RoleMaintainer)},
true,
true,
},
{
"global observer",
&fleet.User{ID: 111, GlobalRole: ptr.String(fleet.RoleObserver)},
true,
true,
},
{
"owner user",
&fleet.User{ID: 999},
false,
false,
},
{
"non-owner user",
&fleet.User{ID: 888},
true,
true,
},
}
for _, tt := range testCases {
t.Run(tt.name, func(t *testing.T) {
Refactor license so it is stored in the context (#8544)
2022-11-15 14:08:05 +00:00
ctx := viewer.NewContext(ctx, viewer.Viewer{User: tt.user})
Migrate remaining user-authenticated endpoints (#3796)
2022-01-25 14:34:00 +00:00
_, err := svc.GetInfoAboutSessionsForUser(ctx, 999)
checkAuthErr(t, tt.shouldFailRead, err)
_, err = svc.GetInfoAboutSession(ctx, 1)
checkAuthErr(t, tt.shouldFailRead, err)
err = svc.DeleteSession(ctx, 1)
checkAuthErr(t, tt.shouldFailWrite, err)
})
}
}
Migrate special-case endpoints to new pattern (#4511)
2022-03-08 16:27:38 +00:00
func TestAuthenticate(t *testing.T) {
ds := mysql.CreateMySQLDS(t)
defer ds.Close()
Refactor license so it is stored in the context (#8544)
2022-11-15 14:08:05 +00:00
svc, ctx := newTestService(t, ds, nil, nil)
Migrate special-case endpoints to new pattern (#4511)
2022-03-08 16:27:38 +00:00
createTestUsers(t, ds)
Add logging to capture user email upon successful login (#7927) * Log user email upon successful login * Add user email to logger context * Use logging.With Extras for login email
2022-09-27 19:32:46 +00:00
loginTests := []struct {
Migrate special-case endpoints to new pattern (#4511)
2022-03-08 16:27:38 +00:00
name string
email string
password string
wantErr error
}{
{
name: "admin1",
email: testUsers["admin1"].Email,
password: testUsers["admin1"].PlaintextPassword,
},
{
name: "user1",
email: testUsers["user1"].Email,
password: testUsers["user1"].PlaintextPassword,
},
}
for _, tt := range loginTests {
t.Run(tt.email, func(st *testing.T) {
Refactor license so it is stored in the context (#8544)
2022-11-15 14:08:05 +00:00
loggedIn, token, err := svc.Login(test.UserContext(ctx, test.UserAdmin), tt.email, tt.password)
Migrate special-case endpoints to new pattern (#4511)
2022-03-08 16:27:38 +00:00
require.Nil(st, err, "login unsuccessful")
assert.Equal(st, tt.email, loggedIn.Email)
assert.NotEmpty(st, token)
Refactor license so it is stored in the context (#8544)
2022-11-15 14:08:05 +00:00
sessions, err := svc.GetInfoAboutSessionsForUser(test.UserContext(ctx, test.UserAdmin), loggedIn.ID)
Migrate special-case endpoints to new pattern (#4511)
2022-03-08 16:27:38 +00:00
require.Nil(st, err)
require.Len(st, sessions, 1, "user should have one session")
session := sessions[0]
assert.NotZero(st, session.UserID)
assert.WithinDuration(st, time.Now(), session.AccessedAt, 3*time.Second,
"access time should be set with current time at session creation")
})
}
}
func TestGetSessionByKey(t *testing.T) {
ds := new(mock.Store)
Refactor license so it is stored in the context (#8544)
2022-11-15 14:08:05 +00:00
svc, ctx := newTestService(t, ds, nil, nil)
Migrate special-case endpoints to new pattern (#4511)
2022-03-08 16:27:38 +00:00
cfg := config.TestConfig()
theSession := &fleet.Session{UserID: 123, Key: "abc"}
ds.SessionByKeyFunc = func(ctx context.Context, key string) (*fleet.Session, error) {
return theSession, nil
}
ds.DestroySessionFunc = func(ctx context.Context, ssn *fleet.Session) error {
return nil
}
ds.MarkSessionAccessedFunc = func(ctx context.Context, ssn *fleet.Session) error {
return nil
}
cases := []struct {
desc string
accessed time.Duration
apiOnly bool
fail bool
}{
{"real user, accessed recently", -1 * time.Hour, false, false},
{"real user, accessed too long ago", -(cfg.Session.Duration + time.Hour), false, true},
{"api-only, accessed recently", -1 * time.Hour, true, false},
{"api-only, accessed long ago", -(cfg.Session.Duration + time.Hour), true, false},
}
for _, tc := range cases {
t.Run(tc.desc, func(t *testing.T) {
var authErr *fleet.AuthRequiredError
ds.SessionByKeyFuncInvoked, ds.DestroySessionFuncInvoked, ds.MarkSessionAccessedFuncInvoked = false, false, false
theSession.AccessedAt = time.Now().Add(tc.accessed)
theSession.APIOnly = ptr.Bool(tc.apiOnly)
Refactor license so it is stored in the context (#8544)
2022-11-15 14:08:05 +00:00
_, err := svc.GetSessionByKey(ctx, theSession.Key)
Migrate special-case endpoints to new pattern (#4511)
2022-03-08 16:27:38 +00:00
if tc.fail {
require.Error(t, err)
require.ErrorAs(t, err, &authErr)
require.True(t, ds.SessionByKeyFuncInvoked)
require.True(t, ds.DestroySessionFuncInvoked)
require.False(t, ds.MarkSessionAccessedFuncInvoked)
} else {
require.NoError(t, err)
require.True(t, ds.SessionByKeyFuncInvoked)
require.False(t, ds.DestroySessionFuncInvoked)
require.True(t, ds.MarkSessionAccessedFuncInvoked)
}
})
}
}
Allow setting user roles during JIT provisioning (#10193) #8411 PS: I've opened #10209 to solve the issue with Golang Code Coverage CI checks. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-01 23:18:40 +00:00
type testAuth struct {
userID string
userDisplayName string
requestID string
assertionAttributes []fleet.SAMLAttribute
}
var _ fleet.Auth = (*testAuth)(nil)
func (a *testAuth) UserID() string {
return a.userID
}
func (a *testAuth) UserDisplayName() string {
return a.userDisplayName
}
func (a *testAuth) RequestID() string {
return a.requestID
}
func (a *testAuth) AssertionAttributes() []fleet.SAMLAttribute {
return a.assertionAttributes
}
func TestGetSSOUser(t *testing.T) {
ds := new(mock.Store)
svc, ctx := newTestService(t, ds, nil, nil, &TestServerOpts{
License: &fleet.LicenseInfo{
Tier: fleet.TierPremium,
},
})
ds.NewActivityFunc = func(ctx context.Context, user *fleet.User, activity fleet.ActivityDetails) error {
return nil
}
ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {
return &fleet.AppConfig{
Do not return empty SSO and SMTP settings for non-global-admins (#12180) #11266 PS: I first attempted a serialization trick by introducing a new `appConfigResponse` and implementing `json.Marshal` to exclude these fields but it was too hacky and hard to maintain moving forward, so I'm bitting the bullet now. Happy to hear other ideas. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-06-07 19:06:36 +00:00
SSOSettings: &fleet.SSOSettings{
Allow setting user roles during JIT provisioning (#10193) #8411 PS: I've opened #10209 to solve the issue with Golang Code Coverage CI checks. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-01 23:18:40 +00:00
EnableSSO: true,
EnableSSOIdPLogin: true,
EnableJITProvisioning: true,
},
}, nil
}
ds.UserByEmailFunc = func(ctx context.Context, email string) (*fleet.User, error) {
Add UUID to Fleet errors and clean up error msgs (#10411) #8129 Apart from fixing the issue in #8129, this change also introduces UUIDs to Fleet errors. To be able to match a returned error from the API to a error in the Fleet logs. See https://fleetdm.slack.com/archives/C019WG4GH0A/p1677780622769939 for more context. Samples with the changes in this PR: ``` curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d '' { "message": "Bad request", "errors": [ { "name": "base", "reason": "Expected JSON Body" } ], "uuid": "a01f6e10-354c-4ff0-b96e-1f64adb500b0" } ``` ``` curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d 'asd' { "message": "Bad request", "errors": [ { "name": "base", "reason": "json decoder error" } ], "uuid": "5f716a64-7550-464b-a1dd-e6a505a9f89d" } ``` ``` curl -k -X GET -H "Authorization: Bearer badtoken" "https://localhost:8080/api/latest/fleet/teams" { "message": "Authentication required", "errors": [ { "name": "base", "reason": "Authentication required" } ], "uuid": "efe45bc0-f956-4bf9-ba4f-aa9020a9aaaf" } ``` ``` curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}' { "message": "Authorization header required", "errors": [ { "name": "base", "reason": "Authorization header required" } ], "uuid": "57f78cd0-4559-464f-9df7-36c9ef7c89b3" } ``` ``` curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}' { "message": "Permission Denied", "uuid": "7f0220ad-6de7-4faf-8b6c-8d7ff9d2ca06" } ``` - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-13 16:44:06 +00:00
return nil, newNotFoundError()
Allow setting user roles during JIT provisioning (#10193) #8411 PS: I've opened #10209 to solve the issue with Golang Code Coverage CI checks. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-01 23:18:40 +00:00
}
var newUser *fleet.User
ds.NewUserFunc = func(ctx context.Context, user *fleet.User) (*fleet.User, error) {
newUser = user
return user, nil
}
auth := &testAuth{
userID: "foo@example.com",
userDisplayName: "foo@example.com",
requestID: "foobar",
assertionAttributes: []fleet.SAMLAttribute{
{
Name: "FLEET_JIT_USER_ROLE_GLOBAL",
Values: []fleet.SAMLAttributeValue{
{Value: "admin"},
},
},
},
}
// Test SSO login with a non-existent user.
_, err := svc.GetSSOUser(ctx, auth)
require.NoError(t, err)
require.NotNil(t, newUser)
require.NotNil(t, newUser.GlobalRole)
require.Equal(t, "admin", *newUser.GlobalRole)
require.Empty(t, newUser.Teams)
// Test SSO login with the same (now existing) user (should update roles).
// (1) Check that when a user's role attributes are unchanged then SavedUser is not called.
ds.SaveUserFunc = func(ctx context.Context, user *fleet.User) error {
return nil
}
ds.UserByEmailFunc = func(ctx context.Context, email string) (*fleet.User, error) {
return newUser, nil
}
_, err = svc.GetSSOUser(ctx, auth)
require.NoError(t, err)
require.False(t, ds.SaveUserFuncInvoked)
// (2) Test SSO login with the same user with roles updated in its attributes.
var savedUser *fleet.User
ds.SaveUserFunc = func(ctx context.Context, user *fleet.User) error {
savedUser = user
return nil
}
ds.TeamFunc = func(ctx context.Context, tid uint) (*fleet.Team, error) {
return &fleet.Team{ID: tid}, nil
}
auth.assertionAttributes = []fleet.SAMLAttribute{
{
Name: "FLEET_JIT_USER_ROLE_TEAM_2",
Values: []fleet.SAMLAttributeValue{
{Value: "maintainer"},
},
},
}
_, err = svc.GetSSOUser(ctx, auth)
require.NoError(t, err)
require.NotNil(t, savedUser)
require.Nil(t, savedUser.GlobalRole)
require.Len(t, savedUser.Teams, 1)
require.Equal(t, uint(2), savedUser.Teams[0].ID)
require.Equal(t, "maintainer", savedUser.Teams[0].Role)
require.True(t, ds.SaveUserFuncInvoked)
Change role of existing users only if SSO attributes are present in the `SAMLResponse` (#11966) #10784 The removal of the now deprecated `sso_settings.enable_jit_role_sync` config will be tackled in: #10688. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-05-30 20:49:59 +00:00
// (3) Test existing user's role is not changed after a new login if EnableJITProvisioning is false.
Add `enable_jit_role_sync` config (#10478) #8411 We decided to only update roles for existing accounts if enabled by a new setting (disabled by default) `sso_settings.enable_jit_role_sync`. - ~[ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.~ - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-14 20:17:08 +00:00
ds.SaveUserFuncInvoked = false
ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {
return &fleet.AppConfig{
Do not return empty SSO and SMTP settings for non-global-admins (#12180) #11266 PS: I first attempted a serialization trick by introducing a new `appConfigResponse` and implementing `json.Marshal` to exclude these fields but it was too hacky and hard to maintain moving forward, so I'm bitting the bullet now. Happy to hear other ideas. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-06-07 19:06:36 +00:00
SSOSettings: &fleet.SSOSettings{
Add `enable_jit_role_sync` config (#10478) #8411 We decided to only update roles for existing accounts if enabled by a new setting (disabled by default) `sso_settings.enable_jit_role_sync`. - ~[ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.~ - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-14 20:17:08 +00:00
EnableSSO: true,
EnableSSOIdPLogin: true,
Change role of existing users only if SSO attributes are present in the `SAMLResponse` (#11966) #10784 The removal of the now deprecated `sso_settings.enable_jit_role_sync` config will be tackled in: #10688. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-05-30 20:49:59 +00:00
EnableJITProvisioning: false,
Add `enable_jit_role_sync` config (#10478) #8411 We decided to only update roles for existing accounts if enabled by a new setting (disabled by default) `sso_settings.enable_jit_role_sync`. - ~[ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.~ - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-14 20:17:08 +00:00
},
}, nil
}
auth.assertionAttributes = []fleet.SAMLAttribute{
{
Name: "FLEET_JIT_USER_ROLE_TEAM_2",
Values: []fleet.SAMLAttributeValue{
{Value: "admin"},
},
},
}
_, err = svc.GetSSOUser(ctx, auth)
require.NoError(t, err)
require.False(t, ds.SaveUserFuncInvoked)
// (4) Test with invalid team ID in the attributes
ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {
return &fleet.AppConfig{
Do not return empty SSO and SMTP settings for non-global-admins (#12180) #11266 PS: I first attempted a serialization trick by introducing a new `appConfigResponse` and implementing `json.Marshal` to exclude these fields but it was too hacky and hard to maintain moving forward, so I'm bitting the bullet now. Happy to hear other ideas. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-06-07 19:06:36 +00:00
SSOSettings: &fleet.SSOSettings{
Add `enable_jit_role_sync` config (#10478) #8411 We decided to only update roles for existing accounts if enabled by a new setting (disabled by default) `sso_settings.enable_jit_role_sync`. - ~[ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.~ - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-14 20:17:08 +00:00
EnableSSO: true,
EnableSSOIdPLogin: true,
EnableJITProvisioning: true,
},
}, nil
}
Allow setting user roles during JIT provisioning (#10193) #8411 PS: I've opened #10209 to solve the issue with Golang Code Coverage CI checks. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-01 23:18:40 +00:00
ds.TeamFunc = func(ctx context.Context, tid uint) (*fleet.Team, error) {
Add UUID to Fleet errors and clean up error msgs (#10411) #8129 Apart from fixing the issue in #8129, this change also introduces UUIDs to Fleet errors. To be able to match a returned error from the API to a error in the Fleet logs. See https://fleetdm.slack.com/archives/C019WG4GH0A/p1677780622769939 for more context. Samples with the changes in this PR: ``` curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d '' { "message": "Bad request", "errors": [ { "name": "base", "reason": "Expected JSON Body" } ], "uuid": "a01f6e10-354c-4ff0-b96e-1f64adb500b0" } ``` ``` curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d 'asd' { "message": "Bad request", "errors": [ { "name": "base", "reason": "json decoder error" } ], "uuid": "5f716a64-7550-464b-a1dd-e6a505a9f89d" } ``` ``` curl -k -X GET -H "Authorization: Bearer badtoken" "https://localhost:8080/api/latest/fleet/teams" { "message": "Authentication required", "errors": [ { "name": "base", "reason": "Authentication required" } ], "uuid": "efe45bc0-f956-4bf9-ba4f-aa9020a9aaaf" } ``` ``` curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}' { "message": "Authorization header required", "errors": [ { "name": "base", "reason": "Authorization header required" } ], "uuid": "57f78cd0-4559-464f-9df7-36c9ef7c89b3" } ``` ``` curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}' { "message": "Permission Denied", "uuid": "7f0220ad-6de7-4faf-8b6c-8d7ff9d2ca06" } ``` - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-13 16:44:06 +00:00
return nil, newNotFoundError()
Allow setting user roles during JIT provisioning (#10193) #8411 PS: I've opened #10209 to solve the issue with Golang Code Coverage CI checks. - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [x] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-01 23:18:40 +00:00
}
auth.assertionAttributes = []fleet.SAMLAttribute{
{
Name: "FLEET_JIT_USER_ROLE_TEAM_3",
Values: []fleet.SAMLAttributeValue{
{Value: "maintainer"},
},
},
}
_, err = svc.GetSSOUser(ctx, auth)
require.Error(t, err)
}
Reference in New Issue Copy Permalink