2016-09-26 18:48:55 +00:00
|
|
|
package service
|
2016-09-01 04:51:38 +00:00
|
|
|
|
|
|
|
import (
|
2017-03-15 15:55:30 +00:00
|
|
|
"context"
|
2016-09-01 04:51:38 +00:00
|
|
|
"testing"
|
|
|
|
|
|
|
|
"github.com/go-kit/kit/endpoint"
|
2017-06-22 19:50:45 +00:00
|
|
|
"github.com/kolide/fleet/server/config"
|
|
|
|
"github.com/kolide/fleet/server/contexts/viewer"
|
|
|
|
"github.com/kolide/fleet/server/datastore/inmem"
|
|
|
|
"github.com/kolide/fleet/server/kolide"
|
2016-09-14 18:40:51 +00:00
|
|
|
"github.com/stretchr/testify/assert"
|
2016-09-29 04:21:39 +00:00
|
|
|
"github.com/stretchr/testify/require"
|
2016-09-01 04:51:38 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// TestEndpointPermissions tests that
|
|
|
|
// the endpoint.Middleware correctly grants or denies
|
|
|
|
// permissions to access or modify resources
|
|
|
|
func TestEndpointPermissions(t *testing.T) {
|
|
|
|
req := struct{}{}
|
2017-01-09 15:10:02 +00:00
|
|
|
ds, err := inmem.New(config.TestConfig())
|
|
|
|
assert.Nil(t, err)
|
|
|
|
|
2016-09-01 04:51:38 +00:00
|
|
|
createTestUsers(t, ds)
|
2017-01-09 15:10:02 +00:00
|
|
|
|
|
|
|
admin1, err := ds.User("admin1")
|
|
|
|
assert.Nil(t, err)
|
|
|
|
admin1Session, err := ds.NewSession(&kolide.Session{
|
|
|
|
UserID: admin1.ID,
|
|
|
|
Key: "admin1",
|
|
|
|
})
|
|
|
|
assert.Nil(t, err)
|
|
|
|
|
|
|
|
user1, err := ds.User("user1")
|
|
|
|
assert.Nil(t, err)
|
|
|
|
user1Session, err := ds.NewSession(&kolide.Session{
|
|
|
|
UserID: user1.ID,
|
|
|
|
Key: "user1",
|
|
|
|
})
|
|
|
|
assert.Nil(t, err)
|
|
|
|
|
|
|
|
user2, err := ds.User("user2")
|
|
|
|
assert.Nil(t, err)
|
|
|
|
user2Session, err := ds.NewSession(&kolide.Session{
|
|
|
|
UserID: user2.ID,
|
|
|
|
Key: "user2",
|
|
|
|
})
|
|
|
|
assert.Nil(t, err)
|
2016-09-01 04:51:38 +00:00
|
|
|
user2.Enabled = false
|
|
|
|
|
|
|
|
e := endpoint.Nop // a test endpoint
|
|
|
|
var endpointTests = []struct {
|
|
|
|
endpoint endpoint.Endpoint
|
|
|
|
// who is making the request
|
2016-09-26 17:14:39 +00:00
|
|
|
vc *viewer.Viewer
|
2016-09-01 04:51:38 +00:00
|
|
|
// what resource are we editing
|
|
|
|
requestID uint
|
|
|
|
// what error to expect
|
|
|
|
wantErr interface{}
|
2016-09-15 14:52:17 +00:00
|
|
|
// custom request struct
|
|
|
|
request interface{}
|
2016-09-01 04:51:38 +00:00
|
|
|
}{
|
|
|
|
{
|
|
|
|
endpoint: mustBeAdmin(e),
|
|
|
|
wantErr: errNoContext,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
endpoint: canReadUser(e),
|
|
|
|
wantErr: errNoContext,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
endpoint: canModifyUser(e),
|
|
|
|
wantErr: errNoContext,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
endpoint: mustBeAdmin(e),
|
2017-01-09 15:10:02 +00:00
|
|
|
vc: &viewer.Viewer{User: admin1, Session: admin1Session},
|
2016-09-01 04:51:38 +00:00
|
|
|
},
|
|
|
|
{
|
|
|
|
endpoint: mustBeAdmin(e),
|
2017-01-09 15:10:02 +00:00
|
|
|
vc: &viewer.Viewer{User: user1, Session: user1Session},
|
2016-09-23 02:41:58 +00:00
|
|
|
wantErr: permissionError{message: "must be an admin"},
|
2016-09-01 04:51:38 +00:00
|
|
|
},
|
|
|
|
{
|
|
|
|
endpoint: canModifyUser(e),
|
2017-01-09 15:10:02 +00:00
|
|
|
vc: &viewer.Viewer{User: admin1, Session: admin1Session},
|
2016-09-01 04:51:38 +00:00
|
|
|
},
|
|
|
|
{
|
|
|
|
endpoint: canModifyUser(e),
|
2017-01-09 15:10:02 +00:00
|
|
|
vc: &viewer.Viewer{User: user1, Session: user1Session},
|
2016-09-23 02:41:58 +00:00
|
|
|
wantErr: permissionError{message: "no write permissions on user"},
|
2016-09-01 04:51:38 +00:00
|
|
|
},
|
|
|
|
{
|
|
|
|
endpoint: canModifyUser(e),
|
2017-01-09 15:10:02 +00:00
|
|
|
vc: &viewer.Viewer{User: user1, Session: user1Session},
|
2016-09-01 04:51:38 +00:00
|
|
|
requestID: admin1.ID,
|
2016-09-23 02:41:58 +00:00
|
|
|
wantErr: permissionError{message: "no write permissions on user"},
|
2016-09-01 04:51:38 +00:00
|
|
|
},
|
|
|
|
{
|
|
|
|
endpoint: canReadUser(e),
|
2017-01-09 15:10:02 +00:00
|
|
|
vc: &viewer.Viewer{User: user1, Session: user1Session},
|
2016-09-01 04:51:38 +00:00
|
|
|
requestID: admin1.ID,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
endpoint: canReadUser(e),
|
2017-01-09 15:10:02 +00:00
|
|
|
vc: &viewer.Viewer{User: user2, Session: user2Session},
|
2016-09-01 04:51:38 +00:00
|
|
|
requestID: admin1.ID,
|
2016-09-23 02:41:58 +00:00
|
|
|
wantErr: permissionError{message: "no read permissions on user"},
|
2016-09-01 04:51:38 +00:00
|
|
|
},
|
|
|
|
}
|
|
|
|
|
2016-09-14 18:40:51 +00:00
|
|
|
for _, tt := range endpointTests {
|
2016-09-15 14:52:17 +00:00
|
|
|
tt := tt
|
|
|
|
t.Run("", func(st *testing.T) {
|
|
|
|
st.Parallel()
|
|
|
|
ctx := context.Background()
|
|
|
|
if tt.vc != nil {
|
2016-09-26 17:14:39 +00:00
|
|
|
ctx = viewer.NewContext(ctx, *tt.vc)
|
2016-09-15 14:52:17 +00:00
|
|
|
}
|
|
|
|
if tt.requestID != 0 {
|
|
|
|
ctx = context.WithValue(ctx, "request-id", tt.requestID)
|
|
|
|
}
|
|
|
|
var request interface{}
|
|
|
|
if tt.request != nil {
|
|
|
|
request = tt.request
|
|
|
|
} else {
|
|
|
|
request = req
|
|
|
|
}
|
|
|
|
_, eerr := tt.endpoint(ctx, request)
|
2016-09-23 02:41:58 +00:00
|
|
|
assert.IsType(st, tt.wantErr, eerr)
|
|
|
|
if ferr, ok := eerr.(permissionError); ok {
|
|
|
|
assert.Equal(st, tt.wantErr.(permissionError).message, ferr.Error())
|
2016-09-15 14:52:17 +00:00
|
|
|
}
|
|
|
|
})
|
2016-09-01 04:51:38 +00:00
|
|
|
}
|
|
|
|
}
|
2016-09-29 04:21:39 +00:00
|
|
|
|
|
|
|
// TestGetNodeKey tests the reflection logic for pulling the node key from
|
|
|
|
// various (fake) request types
|
|
|
|
func TestGetNodeKey(t *testing.T) {
|
|
|
|
type Foo struct {
|
|
|
|
Foo string
|
|
|
|
NodeKey string
|
|
|
|
}
|
|
|
|
|
|
|
|
type Bar struct {
|
|
|
|
Bar string
|
|
|
|
NodeKey string
|
|
|
|
}
|
|
|
|
|
|
|
|
type Nope struct {
|
|
|
|
Nope string
|
|
|
|
}
|
|
|
|
|
|
|
|
type Almost struct {
|
|
|
|
NodeKey int
|
|
|
|
}
|
|
|
|
|
|
|
|
var getNodeKeyTests = []struct {
|
|
|
|
i interface{}
|
|
|
|
expectKey string
|
|
|
|
shouldErr bool
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
i: Foo{Foo: "foo", NodeKey: "fookey"},
|
|
|
|
expectKey: "fookey",
|
|
|
|
shouldErr: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
i: Bar{Bar: "bar", NodeKey: "barkey"},
|
|
|
|
expectKey: "barkey",
|
|
|
|
shouldErr: false,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
i: Nope{Nope: "nope"},
|
|
|
|
expectKey: "",
|
|
|
|
shouldErr: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
i: Almost{NodeKey: 10},
|
|
|
|
expectKey: "",
|
|
|
|
shouldErr: true,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, tt := range getNodeKeyTests {
|
|
|
|
t.Run("", func(t *testing.T) {
|
|
|
|
key, err := getNodeKey(tt.i)
|
|
|
|
assert.Equal(t, tt.expectKey, key)
|
|
|
|
if tt.shouldErr {
|
|
|
|
assert.IsType(t, osqueryError{}, err)
|
|
|
|
} else {
|
|
|
|
assert.Nil(t, err)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestAuthenticatedHost(t *testing.T) {
|
2016-11-25 18:08:22 +00:00
|
|
|
ds, err := inmem.New(config.TestConfig())
|
2016-09-29 04:21:39 +00:00
|
|
|
require.Nil(t, err)
|
2017-01-20 19:48:54 +00:00
|
|
|
_, err = ds.NewAppConfig(&kolide.AppConfig{EnrollSecret: "foobarbaz"})
|
|
|
|
require.Nil(t, err)
|
2016-11-14 18:22:54 +00:00
|
|
|
svc, err := newTestService(ds, nil)
|
2016-09-29 04:21:39 +00:00
|
|
|
require.Nil(t, err)
|
|
|
|
|
|
|
|
endpoint := authenticatedHost(
|
|
|
|
svc,
|
|
|
|
func(ctx context.Context, request interface{}) (interface{}, error) {
|
|
|
|
return nil, nil
|
|
|
|
},
|
|
|
|
)
|
|
|
|
|
|
|
|
ctx := context.Background()
|
2017-01-20 19:48:54 +00:00
|
|
|
goodNodeKey, err := svc.EnrollAgent(ctx, "foobarbaz", "host123")
|
2016-09-29 04:21:39 +00:00
|
|
|
assert.Nil(t, err)
|
|
|
|
require.NotEmpty(t, goodNodeKey)
|
|
|
|
|
|
|
|
var authenticatedHostTests = []struct {
|
|
|
|
nodeKey string
|
|
|
|
shouldErr bool
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
nodeKey: "invalid",
|
|
|
|
shouldErr: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
nodeKey: "",
|
|
|
|
shouldErr: true,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
nodeKey: goodNodeKey,
|
|
|
|
shouldErr: false,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, tt := range authenticatedHostTests {
|
|
|
|
t.Run("", func(t *testing.T) {
|
|
|
|
var r = struct{ NodeKey string }{NodeKey: tt.nodeKey}
|
|
|
|
_, err = endpoint(context.Background(), r)
|
|
|
|
if tt.shouldErr {
|
|
|
|
assert.IsType(t, osqueryError{}, err)
|
|
|
|
} else {
|
|
|
|
assert.Nil(t, err)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|