package service
import (
"fmt"
"net/http"
"net/http/httptest"
"regexp"
"testing"
"github.com/fleetdm/fleet/v4/server/config"
"github.com/fleetdm/fleet/v4/server/mock"
kitlog "github.com/go-kit/kit/log"
"github.com/gorilla/mux"
"github.com/pkg/errors"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/throttled/throttled/v2/store/memstore"
)
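// TestAPIRoutes mounts the Fleet API routes on a throwaway router and issues
// one request per (verb, URI) pair, asserting that the router answers neither
// 404 (no path matched) nor 405 (path matched, but for a different verb).
//
// This only proves that each route is registered. Every handler is backed by
// an empty mock.Store and the requests carry no credentials, so response
// bodies and the authentication outcome are deliberately not inspected here.
func TestAPIRoutes(t *testing.T) {
	ds := new(mock.Store)
	svc := newTestService(ds, nil, nil)

	r := mux.NewRouter()
	limitStore, err := memstore.New(0)
	require.NoError(t, err)
	ke := MakeFleetServerEndpoints(svc, "", limitStore, kitlog.NewNopLogger())
	kh := makeKitHandlers(ke, nil)
	attachFleetAPIRoutes(r, kh)
	// Serve the API router from a parent router through a catch-all prefix.
	handler := mux.NewRouter()
	handler.PathPrefix("/").Handler(r)

	routes := []struct {
		verb string
		uri  string
	}{
		{"POST", "/api/v1/fleet/users"},
		{"GET", "/api/v1/fleet/users"},
		{"GET", "/api/v1/fleet/users/1"},
		{"PATCH", "/api/v1/fleet/users/1"},
		{"POST", "/api/v1/fleet/login"},
		{"POST", "/api/v1/fleet/forgot_password"},
		{"POST", "/api/v1/fleet/reset_password"},
		{"GET", "/api/v1/fleet/me"},
		{"GET", "/api/v1/fleet/config"},
		{"PATCH", "/api/v1/fleet/config"},
		{"GET", "/api/v1/fleet/invites"},
		{"POST", "/api/v1/fleet/invites"},
		{"DELETE", "/api/v1/fleet/invites/1"},
		{"GET", "/api/v1/fleet/queries/1"},
		{"GET", "/api/v1/fleet/queries"},
		{"POST", "/api/v1/fleet/queries"},
		{"PATCH", "/api/v1/fleet/queries/1"},
		{"DELETE", "/api/v1/fleet/queries/1"},
		{"POST", "/api/v1/fleet/queries/delete"},
		{"POST", "/api/v1/fleet/queries/run"},
		{"GET", "/api/v1/fleet/packs"},
		{"POST", "/api/v1/fleet/packs"},
		{"PATCH", "/api/v1/fleet/packs/1"},
		{"DELETE", "/api/v1/fleet/packs/1"},
		{"GET", "/api/v1/fleet/packs/1/scheduled"},
		{"POST", "/api/v1/fleet/schedule"},
		{"DELETE", "/api/v1/fleet/schedule/1"},
		{"PATCH", "/api/v1/fleet/schedule/1"},
		{"POST", "/api/v1/osquery/enroll"},
		{"POST", "/api/v1/osquery/config"},
		{"POST", "/api/v1/osquery/distributed/read"},
		{"POST", "/api/v1/osquery/distributed/write"},
		{"POST", "/api/v1/osquery/log"},
		{"GET", "/api/v1/fleet/labels/1"},
		{"GET", "/api/v1/fleet/labels"},
		{"POST", "/api/v1/fleet/labels"},
		{"DELETE", "/api/v1/fleet/labels/1"},
		{"DELETE", "/api/v1/fleet/hosts/1"},
		{"GET", "/api/v1/fleet/host_summary"},
	}

	for _, route := range routes {
		route := route // pin the loop variable for the subtest closure
		// Name the subtest by verb and URI: several URIs appear more than once
		// with different verbs, and the verb is what distinguishes them.
		t.Run(fmt.Sprintf("%s %s", route.verb, route.uri), func(st *testing.T) {
			recorder := httptest.NewRecorder()
			handler.ServeHTTP(recorder, httptest.NewRequest(route.verb, route.uri, nil))
			// 404: nothing matched the path at all.
			assert.NotEqual(st, http.StatusNotFound, recorder.Code)
			// 405: the path matched a route registered for a different verb.
			assert.NotEqual(st, http.StatusMethodNotAllowed, recorder.Code, route.verb)
		})
	}
}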
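// TestAPIRoutesConflicts walks every route registered by MakeHandler and
// checks that a request crafted to match a route really reaches that route's
// handler, i.e. that no earlier route shadows it.
//
// Each route's handler is swapped for one that writes a status code unique to
// that route; if the crafted request yields a different code, another route
// took precedence (a conflict). Path variables are substituted so the request
// matches: `{name}` becomes the literal `name`, and regexp-constrained
// variables (numeric arguments, at the time of writing) become `1`. Because
// handlers are replaced, this test says nothing about the behaviour of the
// real handlers, including their authentication checks.
func TestAPIRoutesConflicts(t *testing.T) {
	ds := new(mock.Store)
	svc := newTestService(ds, nil, nil)
	limitStore, err := memstore.New(0)
	require.NoError(t, err)
	h := MakeHandler(svc, config.TestConfig(), kitlog.NewNopLogger(), limitStore)
	router, ok := h.(*mux.Router)
	require.True(t, ok, "MakeHandler should return a *mux.Router, got %T", h)

	type testCase struct {
		name string
		path string
		verb string
		want int
	}
	var cases []testCase

	// Each route gets the next status code starting at 200, so the code a
	// request produces identifies which route's handler served it.
	status := http.StatusOK
	reSimpleVar := regexp.MustCompile(`\{(\w+)\}`)
	reNumVar := regexp.MustCompile(`\{\w+:[^\}]+\}`)
	err = router.Walk(func(route *mux.Route, _ *mux.Router, _ []*mux.Route) error {
		name := route.GetName()
		path, err := route.GetPathTemplate()
		if err != nil {
			// every route is expected to declare a path template
			return errors.Wrap(err, name)
		}
		meths, err := route.GetMethods()
		if err != nil || len(meths) == 0 {
			// only the distributed_query_results websocket route is allowed to
			// be registered without a method matcher.
			if name == "distributed_query_results" {
				return nil
			}
			if err == nil {
				// errors.Wrap(nil, ...) returns nil, which would silently accept
				// a route that reports an empty method list; fail explicitly.
				err = errors.New("route has no methods")
			}
			return errors.Wrap(err, name+" "+path)
		}
		path = reSimpleVar.ReplaceAllString(path, "$1")
		// for now at least, the only time regexp-constrained vars are used is
		// for numeric arguments, so "1" satisfies them.
		path = reNumVar.ReplaceAllString(path, "1")

		routeStatus := status // captured per route, not the shared counter
		route.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(routeStatus) })
		for _, meth := range meths {
			cases = append(cases, testCase{
				name: name,
				path: path,
				verb: meth,
				want: status,
			})
		}

		status++
		return nil
	})
	require.NoError(t, err)

	for _, c := range cases {
		c := c // pin the loop variable for the subtest closure
		t.Run(c.name, func(t *testing.T) {
			t.Log(c.verb, c.path)
			rr := httptest.NewRecorder()
			router.ServeHTTP(rr, httptest.NewRequest(c.verb, c.path, nil))
			// a mismatch means a different route's override handler answered
			require.Equal(t, c.want, rr.Code)
		})
	}
}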
// TODO refactor this test to match new patterns
|
|
|
|
// func TestModifyUserPermissions(t *testing.T) {
|
|
|
|
// var (
|
|
|
|
// admin, enabled bool
|
|
|
|
// uid uint
|
|
|
|
// )
|
|
|
|
// ms := new(mock.Store)
|
2021-06-06 22:07:29 +00:00
|
|
|
// ms.SessionByKeyFunc = func(key string) (*fleet.Session, error) {
|
|
|
|
// return &fleet.Session{AccessedAt: time.Now(), UserID: uid, ID: 1}, nil
|
2021-04-07 01:27:10 +00:00
|
|
|
// }
|
2021-06-06 22:07:29 +00:00
|
|
|
// ms.DestroySessionFunc = func(session *fleet.Session) error {
|
2021-04-07 01:27:10 +00:00
|
|
|
// return nil
|
|
|
|
// }
|
2021-06-06 22:07:29 +00:00
|
|
|
// ms.MarkSessionAccessedFunc = func(session *fleet.Session) error {
|
2021-04-07 01:27:10 +00:00
|
|
|
// return nil
|
|
|
|
// }
|
2021-06-06 22:07:29 +00:00
|
|
|
// ms.UserByIDFunc = func(id uint) (*fleet.User, error) {
|
|
|
|
// return &fleet.User{ID: id, Enabled: enabled, Admin: admin}, nil
|
2021-04-07 01:27:10 +00:00
|
|
|
// }
|
2021-06-06 22:07:29 +00:00
|
|
|
// ms.SaveUserFunc = func(u *fleet.User) error {
|
2021-04-07 01:27:10 +00:00
|
|
|
// // Return an error so that the endpoint returns
|
|
|
|
// return errors.New("foo")
|
|
|
|
// }
|
2018-09-13 17:41:30 +00:00
|
|
|
|
2021-04-07 01:27:10 +00:00
|
|
|
// svc, err := newTestService(ms, nil, nil)
|
|
|
|
// assert.Nil(t, err)
|
|
|
|
// limitStore, _ := memstore.New(0)
|
2018-09-13 17:41:30 +00:00
|
|
|
|
2021-04-07 01:27:10 +00:00
|
|
|
// handler := MakeHandler(
|
|
|
|
// svc,
|
2021-06-07 01:10:58 +00:00
|
|
|
// config.FleetConfig{},
|
2021-04-07 01:27:10 +00:00
|
|
|
// log.NewNopLogger(),
|
|
|
|
// limitStore,
|
|
|
|
// )
|
2018-09-13 17:41:30 +00:00
|
|
|
|
2021-04-07 01:27:10 +00:00
|
|
|
// testCases := []struct {
|
|
|
|
// ActingUserID uint
|
|
|
|
// ActingUserAdmin bool
|
|
|
|
// ActingUserEnabled bool
|
|
|
|
// TargetUserID uint
|
|
|
|
// Authorized bool
|
|
|
|
// }{
|
|
|
|
// // Disabled regular user
|
|
|
|
// {
|
|
|
|
// ActingUserID: 1,
|
|
|
|
// ActingUserAdmin: false,
|
|
|
|
// ActingUserEnabled: false,
|
|
|
|
// TargetUserID: 1,
|
|
|
|
// Authorized: false,
|
|
|
|
// },
|
|
|
|
// // Enabled regular user acting on self
|
|
|
|
// {
|
|
|
|
// ActingUserID: 1,
|
|
|
|
// ActingUserAdmin: false,
|
|
|
|
// ActingUserEnabled: true,
|
|
|
|
// TargetUserID: 1,
|
|
|
|
// Authorized: true,
|
|
|
|
// },
|
|
|
|
// // Enabled regular user acting on other
|
|
|
|
// {
|
|
|
|
// ActingUserID: 2,
|
|
|
|
// ActingUserAdmin: false,
|
|
|
|
// ActingUserEnabled: true,
|
|
|
|
// TargetUserID: 1,
|
|
|
|
// Authorized: false,
|
|
|
|
// },
|
|
|
|
// // Disabled admin user
|
|
|
|
// {
|
|
|
|
// ActingUserID: 1,
|
|
|
|
// ActingUserAdmin: true,
|
|
|
|
// ActingUserEnabled: false,
|
|
|
|
// TargetUserID: 1,
|
|
|
|
// Authorized: false,
|
|
|
|
// },
|
|
|
|
// // Enabled admin user acting on self
|
|
|
|
// {
|
|
|
|
// ActingUserID: 1,
|
|
|
|
// ActingUserAdmin: true,
|
|
|
|
// ActingUserEnabled: true,
|
|
|
|
// TargetUserID: 1,
|
|
|
|
// Authorized: true,
|
|
|
|
// },
|
|
|
|
// // Enabled admin user acting on other
|
|
|
|
// {
|
|
|
|
// ActingUserID: 2,
|
|
|
|
// ActingUserAdmin: true,
|
|
|
|
// ActingUserEnabled: true,
|
|
|
|
// TargetUserID: 1,
|
|
|
|
// Authorized: true,
|
|
|
|
// },
|
|
|
|
// }
|
2018-09-13 17:41:30 +00:00
|
|
|
|
2021-04-07 01:27:10 +00:00
|
|
|
// for _, tt := range testCases {
|
|
|
|
// t.Run("", func(t *testing.T) {
|
|
|
|
// // Set user params
|
|
|
|
// uid = tt.ActingUserID
|
|
|
|
// admin, enabled = tt.ActingUserAdmin, tt.ActingUserEnabled
|
2018-09-13 17:41:30 +00:00
|
|
|
|
2021-04-07 01:27:10 +00:00
|
|
|
// recorder := httptest.NewRecorder()
|
|
|
|
// path := fmt.Sprintf("/api/v1/fleet/users/%d", tt.TargetUserID)
|
|
|
|
// request := httptest.NewRequest("PATCH", path, bytes.NewBufferString("{}"))
|
2021-06-07 01:10:58 +00:00
|
|
|
// request.Header.Add("Authorization", "Bearer fake_session_token")
|
2018-09-13 17:41:30 +00:00
|
|
|
|
2021-04-07 01:27:10 +00:00
|
|
|
// handler.ServeHTTP(recorder, request)
|
|
|
|
// if tt.Authorized {
|
|
|
|
// assert.NotEqual(t, 403, recorder.Code)
|
|
|
|
// } else {
|
|
|
|
// assert.Equal(t, 403, recorder.Code)
|
|
|
|
// }
|
2018-09-13 17:41:30 +00:00
|
|
|
|
2021-04-07 01:27:10 +00:00
|
|
|
// })
|
|
|
|
// }
|
2018-09-13 17:41:30 +00:00
|
|
|
|
2021-04-07 01:27:10 +00:00
|
|
|
// }
|