fleet/server/service/invites_test.go

253 lines
7.1 KiB
Go
Raw Normal View History

package service
import (
"context"
"database/sql"
"testing"
"time"
"github.com/WatchBeam/clock"
2021-06-26 04:46:51 +00:00
"github.com/fleetdm/fleet/v4/server/authz"
"github.com/fleetdm/fleet/v4/server/config"
"github.com/fleetdm/fleet/v4/server/contexts/viewer"
2021-06-26 04:46:51 +00:00
"github.com/fleetdm/fleet/v4/server/fleet"
"github.com/fleetdm/fleet/v4/server/mock"
"github.com/fleetdm/fleet/v4/server/ptr"
"github.com/fleetdm/fleet/v4/server/test"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"gopkg.in/guregu/null.v3"
)
func TestInviteNewUserMock(t *testing.T) {
ms := new(mock.Store)
ms.UserByEmailFunc = mock.UserWithEmailNotFound()
ms.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {
return &fleet.AppConfig{ServerSettings: fleet.ServerSettings{ServerURL: "https://acme.co"}}, nil
}
ms.NewInviteFunc = func(ctx context.Context, i *fleet.Invite) (*fleet.Invite, error) {
return i, nil
}
mailer := &mockMailService{SendEmailFn: func(e fleet.Email) error { return nil }}
svc := validationMiddleware{&Service{
ds: ms,
config: config.TestConfig(),
mailService: mailer,
clock: clock.NewMockClock(),
authz: authz.Must(),
}, ms, nil}
payload := fleet.InvitePayload{
Email: ptr.String("user@acme.co"),
}
// happy path
invite, err := svc.InviteNewUser(test.UserContext(context.Background(), test.UserAdmin), payload)
require.Nil(t, err)
assert.Equal(t, test.UserAdmin.ID, invite.InvitedBy)
assert.True(t, ms.NewInviteFuncInvoked)
assert.True(t, ms.AppConfigFuncInvoked)
assert.True(t, mailer.Invoked)
ms.UserByEmailFunc = mock.UserByEmailWithUser(new(fleet.User))
_, err = svc.InviteNewUser(test.UserContext(context.Background(), test.UserAdmin), payload)
require.NotNil(t, err, "should err if the user we're inviting already exists")
}
func TestUpdateInvite(t *testing.T) {
ms := new(mock.Store)
ms.InviteFunc = func(ctx context.Context, id uint) (*fleet.Invite, error) {
if id != 1 {
return nil, sql.ErrNoRows
}
return &fleet.Invite{
ID: 1,
Name: "John Appleseed",
Email: "john_appleseed@example.com",
GlobalRole: null.NewString("observer", true),
}, nil
}
ms.UpdateInviteFunc = func(ctx context.Context, id uint, i *fleet.Invite) (*fleet.Invite, error) {
return nil, nil
}
mailer := &mockMailService{SendEmailFn: func(e fleet.Email) error { return nil }}
svc := validationMiddleware{&Service{
ds: ms,
config: config.TestConfig(),
mailService: mailer,
clock: clock.NewMockClock(),
authz: authz.Must(),
}, ms, nil}
// email is the same
payload := fleet.InvitePayload{
Name: ptr.String("Johnny Appleseed"),
Email: ptr.String("john_appleseed@example.com"),
}
ctx := test.UserContext(context.Background(), test.UserAdmin)
// update the invite (email is the same)
_, err := svc.UpdateInvite(ctx, 1, payload)
require.NoError(t, err)
require.True(t, ms.InviteFuncInvoked)
}
func TestVerifyInvite(t *testing.T) {
ms := new(mock.Store)
svc, ctx := newTestService(t, ms, nil, nil)
ms.InviteByTokenFunc = func(ctx context.Context, token string) (*fleet.Invite, error) {
return &fleet.Invite{
ID: 1,
Token: "abcd",
UpdateCreateTimestamps: fleet.UpdateCreateTimestamps{
CreateTimestamp: fleet.CreateTimestamp{
CreatedAt: time.Now().AddDate(-1, 0, 0),
},
},
}, nil
}
wantErr := fleet.NewInvalidArgumentError("invite_token", "Invite token has expired.")
_, err := svc.VerifyInvite(test.UserContext(ctx, test.UserAdmin), "abcd")
assert.Equal(t, err, wantErr)
wantErr = fleet.NewInvalidArgumentError("invite_token", "Invite Token does not match Email Address.")
_, err = svc.VerifyInvite(test.UserContext(ctx, test.UserAdmin), "bad_token")
assert.Equal(t, err, wantErr)
}
func TestDeleteInvite(t *testing.T) {
ms := new(mock.Store)
svc, ctx := newTestService(t, ms, nil, nil)
ms.DeleteInviteFunc = func(context.Context, uint) error { return nil }
err := svc.DeleteInvite(test.UserContext(ctx, test.UserAdmin), 1)
require.Nil(t, err)
assert.True(t, ms.DeleteInviteFuncInvoked)
}
func TestListInvites(t *testing.T) {
ms := new(mock.Store)
svc, ctx := newTestService(t, ms, nil, nil)
ms.ListInvitesFunc = func(context.Context, fleet.ListOptions) ([]*fleet.Invite, error) {
return nil, nil
}
_, err := svc.ListInvites(test.UserContext(ctx, test.UserAdmin), fleet.ListOptions{})
require.Nil(t, err)
assert.True(t, ms.ListInvitesFuncInvoked)
}
func TestInvitesAuth(t *testing.T) {
ds := new(mock.Store)
svc, ctx := newTestService(t, ds, nil, nil)
ds.ListInvitesFunc = func(context.Context, fleet.ListOptions) ([]*fleet.Invite, error) {
return nil, nil
}
ds.DeleteInviteFunc = func(context.Context, uint) error { return nil }
ds.UserByEmailFunc = func(ctx context.Context, email string) (*fleet.User, error) {
Add UUID to Fleet errors and clean up error msgs (#10411) #8129 Apart from fixing the issue in #8129, this change also introduces UUIDs to Fleet errors. To be able to match a returned error from the API to a error in the Fleet logs. See https://fleetdm.slack.com/archives/C019WG4GH0A/p1677780622769939 for more context. Samples with the changes in this PR: ``` curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d '' { "message": "Bad request", "errors": [ { "name": "base", "reason": "Expected JSON Body" } ], "uuid": "a01f6e10-354c-4ff0-b96e-1f64adb500b0" } ``` ``` curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d 'asd' { "message": "Bad request", "errors": [ { "name": "base", "reason": "json decoder error" } ], "uuid": "5f716a64-7550-464b-a1dd-e6a505a9f89d" } ``` ``` curl -k -X GET -H "Authorization: Bearer badtoken" "https://localhost:8080/api/latest/fleet/teams" { "message": "Authentication required", "errors": [ { "name": "base", "reason": "Authentication required" } ], "uuid": "efe45bc0-f956-4bf9-ba4f-aa9020a9aaaf" } ``` ``` curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}' { "message": "Authorization header required", "errors": [ { "name": "base", "reason": "Authorization header required" } ], "uuid": "57f78cd0-4559-464f-9df7-36c9ef7c89b3" } ``` ``` curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}' { "message": "Permission Denied", "uuid": "7f0220ad-6de7-4faf-8b6c-8d7ff9d2ca06" } ``` - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
2023-03-13 16:44:06 +00:00
return nil, newNotFoundError()
}
ds.NewInviteFunc = func(ctx context.Context, i *fleet.Invite) (*fleet.Invite, error) {
return &fleet.Invite{}, nil
}
ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {
return &fleet.AppConfig{}, nil
}
var testCases = []struct {
name string
user *fleet.User
shouldFailWrite bool
shouldFailRead bool
}{
{
"global admin",
&fleet.User{GlobalRole: ptr.String(fleet.RoleAdmin)},
false,
false,
},
{
"global maintainer",
&fleet.User{GlobalRole: ptr.String(fleet.RoleMaintainer)},
true,
true,
},
{
"global observer",
&fleet.User{GlobalRole: ptr.String(fleet.RoleObserver)},
true,
true,
},
{
"team admin, belongs to team",
&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 1}, Role: fleet.RoleAdmin}}},
true,
true,
},
{
"team maintainer, belongs to team",
&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 1}, Role: fleet.RoleMaintainer}}},
true,
true,
},
{
"team observer, belongs to team",
&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 1}, Role: fleet.RoleObserver}}},
true,
true,
},
{
"team maintainer, DOES NOT belong to team",
&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 2}, Role: fleet.RoleMaintainer}}},
true,
true,
},
{
"team admin, DOES NOT belong to team",
&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 2}, Role: fleet.RoleAdmin}}},
true,
true,
},
{
"team observer, DOES NOT belong to team",
&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 2}, Role: fleet.RoleObserver}}},
true,
true,
},
}
for _, tt := range testCases {
t.Run(tt.name, func(t *testing.T) {
ctx := viewer.NewContext(ctx, viewer.Viewer{User: tt.user})
_, err := svc.InviteNewUser(ctx, fleet.InvitePayload{
Email: ptr.String("e@mail.com"),
Name: ptr.String("name"),
Position: ptr.String("someposition"),
SSOEnabled: ptr.Bool(false),
GlobalRole: null.StringFromPtr(tt.user.GlobalRole),
Teams: []fleet.UserTeam{
{
Team: fleet.Team{ID: 1},
Role: fleet.RoleMaintainer,
},
},
})
checkAuthErr(t, tt.shouldFailWrite, err)
_, err = svc.ListInvites(ctx, fleet.ListOptions{})
checkAuthErr(t, tt.shouldFailRead, err)
err = svc.DeleteInvite(ctx, 99)
checkAuthErr(t, tt.shouldFailWrite, err)
})
}
}