mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 00:45:19 +00:00
3757aace08
#8129 Apart from fixing the issue in #8129, this change also introduces UUIDs to Fleet errors. To be able to match a returned error from the API to a error in the Fleet logs. See https://fleetdm.slack.com/archives/C019WG4GH0A/p1677780622769939 for more context. Samples with the changes in this PR: ``` curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d '' { "message": "Bad request", "errors": [ { "name": "base", "reason": "Expected JSON Body" } ], "uuid": "a01f6e10-354c-4ff0-b96e-1f64adb500b0" } ``` ``` curl -k -H "Authorization: Bearer $TEST_TOKEN" -H 'Content-Type:application/json' "https://localhost:8080/api/v1/fleet/sso" -d 'asd' { "message": "Bad request", "errors": [ { "name": "base", "reason": "json decoder error" } ], "uuid": "5f716a64-7550-464b-a1dd-e6a505a9f89d" } ``` ``` curl -k -X GET -H "Authorization: Bearer badtoken" "https://localhost:8080/api/latest/fleet/teams" { "message": "Authentication required", "errors": [ { "name": "base", "reason": "Authentication required" } ], "uuid": "efe45bc0-f956-4bf9-ba4f-aa9020a9aaaf" } ``` ``` curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}' { "message": "Authorization header required", "errors": [ { "name": "base", "reason": "Authorization header required" } ], "uuid": "57f78cd0-4559-464f-9df7-36c9ef7c89b3" } ``` ``` curl -k -X PATCH -H "Authorization: Bearer $TEST_TOKEN" "https://localhost:8080/api/latest/fleet/users/14" -d '{"name": "Manuel2", "password": "what", "new_password": "p4ssw0rd.12345"}' { "message": "Permission Denied", "uuid": "7f0220ad-6de7-4faf-8b6c-8d7ff9d2ca06" } ``` - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
253 lines
7.1 KiB
Go
253 lines
7.1 KiB
Go
package service
|
|
|
|
import (
|
|
"context"
|
|
"database/sql"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/WatchBeam/clock"
|
|
"github.com/fleetdm/fleet/v4/server/authz"
|
|
"github.com/fleetdm/fleet/v4/server/config"
|
|
"github.com/fleetdm/fleet/v4/server/contexts/viewer"
|
|
"github.com/fleetdm/fleet/v4/server/fleet"
|
|
"github.com/fleetdm/fleet/v4/server/mock"
|
|
"github.com/fleetdm/fleet/v4/server/ptr"
|
|
"github.com/fleetdm/fleet/v4/server/test"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
"gopkg.in/guregu/null.v3"
|
|
)
|
|
|
|
func TestInviteNewUserMock(t *testing.T) {
|
|
ms := new(mock.Store)
|
|
ms.UserByEmailFunc = mock.UserWithEmailNotFound()
|
|
ms.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {
|
|
return &fleet.AppConfig{ServerSettings: fleet.ServerSettings{ServerURL: "https://acme.co"}}, nil
|
|
}
|
|
|
|
ms.NewInviteFunc = func(ctx context.Context, i *fleet.Invite) (*fleet.Invite, error) {
|
|
return i, nil
|
|
}
|
|
mailer := &mockMailService{SendEmailFn: func(e fleet.Email) error { return nil }}
|
|
|
|
svc := validationMiddleware{&Service{
|
|
ds: ms,
|
|
config: config.TestConfig(),
|
|
mailService: mailer,
|
|
clock: clock.NewMockClock(),
|
|
authz: authz.Must(),
|
|
}, ms, nil}
|
|
|
|
payload := fleet.InvitePayload{
|
|
Email: ptr.String("user@acme.co"),
|
|
}
|
|
|
|
// happy path
|
|
invite, err := svc.InviteNewUser(test.UserContext(context.Background(), test.UserAdmin), payload)
|
|
require.Nil(t, err)
|
|
assert.Equal(t, test.UserAdmin.ID, invite.InvitedBy)
|
|
assert.True(t, ms.NewInviteFuncInvoked)
|
|
assert.True(t, ms.AppConfigFuncInvoked)
|
|
assert.True(t, mailer.Invoked)
|
|
|
|
ms.UserByEmailFunc = mock.UserByEmailWithUser(new(fleet.User))
|
|
_, err = svc.InviteNewUser(test.UserContext(context.Background(), test.UserAdmin), payload)
|
|
require.NotNil(t, err, "should err if the user we're inviting already exists")
|
|
}
|
|
|
|
func TestUpdateInvite(t *testing.T) {
|
|
ms := new(mock.Store)
|
|
ms.InviteFunc = func(ctx context.Context, id uint) (*fleet.Invite, error) {
|
|
if id != 1 {
|
|
return nil, sql.ErrNoRows
|
|
}
|
|
|
|
return &fleet.Invite{
|
|
ID: 1,
|
|
Name: "John Appleseed",
|
|
Email: "john_appleseed@example.com",
|
|
GlobalRole: null.NewString("observer", true),
|
|
}, nil
|
|
}
|
|
ms.UpdateInviteFunc = func(ctx context.Context, id uint, i *fleet.Invite) (*fleet.Invite, error) {
|
|
return nil, nil
|
|
}
|
|
|
|
mailer := &mockMailService{SendEmailFn: func(e fleet.Email) error { return nil }}
|
|
|
|
svc := validationMiddleware{&Service{
|
|
ds: ms,
|
|
config: config.TestConfig(),
|
|
mailService: mailer,
|
|
clock: clock.NewMockClock(),
|
|
authz: authz.Must(),
|
|
}, ms, nil}
|
|
|
|
// email is the same
|
|
payload := fleet.InvitePayload{
|
|
Name: ptr.String("Johnny Appleseed"),
|
|
Email: ptr.String("john_appleseed@example.com"),
|
|
}
|
|
|
|
ctx := test.UserContext(context.Background(), test.UserAdmin)
|
|
|
|
// update the invite (email is the same)
|
|
_, err := svc.UpdateInvite(ctx, 1, payload)
|
|
require.NoError(t, err)
|
|
require.True(t, ms.InviteFuncInvoked)
|
|
}
|
|
|
|
func TestVerifyInvite(t *testing.T) {
|
|
ms := new(mock.Store)
|
|
svc, ctx := newTestService(t, ms, nil, nil)
|
|
|
|
ms.InviteByTokenFunc = func(ctx context.Context, token string) (*fleet.Invite, error) {
|
|
return &fleet.Invite{
|
|
ID: 1,
|
|
Token: "abcd",
|
|
UpdateCreateTimestamps: fleet.UpdateCreateTimestamps{
|
|
CreateTimestamp: fleet.CreateTimestamp{
|
|
CreatedAt: time.Now().AddDate(-1, 0, 0),
|
|
},
|
|
},
|
|
}, nil
|
|
}
|
|
wantErr := fleet.NewInvalidArgumentError("invite_token", "Invite token has expired.")
|
|
_, err := svc.VerifyInvite(test.UserContext(ctx, test.UserAdmin), "abcd")
|
|
assert.Equal(t, err, wantErr)
|
|
|
|
wantErr = fleet.NewInvalidArgumentError("invite_token", "Invite Token does not match Email Address.")
|
|
|
|
_, err = svc.VerifyInvite(test.UserContext(ctx, test.UserAdmin), "bad_token")
|
|
assert.Equal(t, err, wantErr)
|
|
}
|
|
|
|
func TestDeleteInvite(t *testing.T) {
|
|
ms := new(mock.Store)
|
|
svc, ctx := newTestService(t, ms, nil, nil)
|
|
|
|
ms.DeleteInviteFunc = func(context.Context, uint) error { return nil }
|
|
err := svc.DeleteInvite(test.UserContext(ctx, test.UserAdmin), 1)
|
|
require.Nil(t, err)
|
|
assert.True(t, ms.DeleteInviteFuncInvoked)
|
|
}
|
|
|
|
func TestListInvites(t *testing.T) {
|
|
ms := new(mock.Store)
|
|
svc, ctx := newTestService(t, ms, nil, nil)
|
|
|
|
ms.ListInvitesFunc = func(context.Context, fleet.ListOptions) ([]*fleet.Invite, error) {
|
|
return nil, nil
|
|
}
|
|
_, err := svc.ListInvites(test.UserContext(ctx, test.UserAdmin), fleet.ListOptions{})
|
|
require.Nil(t, err)
|
|
assert.True(t, ms.ListInvitesFuncInvoked)
|
|
}
|
|
|
|
func TestInvitesAuth(t *testing.T) {
|
|
ds := new(mock.Store)
|
|
svc, ctx := newTestService(t, ds, nil, nil)
|
|
|
|
ds.ListInvitesFunc = func(context.Context, fleet.ListOptions) ([]*fleet.Invite, error) {
|
|
return nil, nil
|
|
}
|
|
ds.DeleteInviteFunc = func(context.Context, uint) error { return nil }
|
|
ds.UserByEmailFunc = func(ctx context.Context, email string) (*fleet.User, error) {
|
|
return nil, newNotFoundError()
|
|
}
|
|
ds.NewInviteFunc = func(ctx context.Context, i *fleet.Invite) (*fleet.Invite, error) {
|
|
return &fleet.Invite{}, nil
|
|
}
|
|
ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {
|
|
return &fleet.AppConfig{}, nil
|
|
}
|
|
var testCases = []struct {
|
|
name string
|
|
user *fleet.User
|
|
shouldFailWrite bool
|
|
shouldFailRead bool
|
|
}{
|
|
{
|
|
"global admin",
|
|
&fleet.User{GlobalRole: ptr.String(fleet.RoleAdmin)},
|
|
false,
|
|
false,
|
|
},
|
|
{
|
|
"global maintainer",
|
|
&fleet.User{GlobalRole: ptr.String(fleet.RoleMaintainer)},
|
|
true,
|
|
true,
|
|
},
|
|
{
|
|
"global observer",
|
|
&fleet.User{GlobalRole: ptr.String(fleet.RoleObserver)},
|
|
true,
|
|
true,
|
|
},
|
|
{
|
|
"team admin, belongs to team",
|
|
&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 1}, Role: fleet.RoleAdmin}}},
|
|
true,
|
|
true,
|
|
},
|
|
{
|
|
"team maintainer, belongs to team",
|
|
&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 1}, Role: fleet.RoleMaintainer}}},
|
|
true,
|
|
true,
|
|
},
|
|
{
|
|
"team observer, belongs to team",
|
|
&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 1}, Role: fleet.RoleObserver}}},
|
|
true,
|
|
true,
|
|
},
|
|
{
|
|
"team maintainer, DOES NOT belong to team",
|
|
&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 2}, Role: fleet.RoleMaintainer}}},
|
|
true,
|
|
true,
|
|
},
|
|
{
|
|
"team admin, DOES NOT belong to team",
|
|
&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 2}, Role: fleet.RoleAdmin}}},
|
|
true,
|
|
true,
|
|
},
|
|
{
|
|
"team observer, DOES NOT belong to team",
|
|
&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 2}, Role: fleet.RoleObserver}}},
|
|
true,
|
|
true,
|
|
},
|
|
}
|
|
for _, tt := range testCases {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
ctx := viewer.NewContext(ctx, viewer.Viewer{User: tt.user})
|
|
|
|
_, err := svc.InviteNewUser(ctx, fleet.InvitePayload{
|
|
Email: ptr.String("e@mail.com"),
|
|
Name: ptr.String("name"),
|
|
Position: ptr.String("someposition"),
|
|
SSOEnabled: ptr.Bool(false),
|
|
GlobalRole: null.StringFromPtr(tt.user.GlobalRole),
|
|
Teams: []fleet.UserTeam{
|
|
{
|
|
Team: fleet.Team{ID: 1},
|
|
Role: fleet.RoleMaintainer,
|
|
},
|
|
},
|
|
})
|
|
checkAuthErr(t, tt.shouldFailWrite, err)
|
|
|
|
_, err = svc.ListInvites(ctx, fleet.ListOptions{})
|
|
checkAuthErr(t, tt.shouldFailRead, err)
|
|
|
|
err = svc.DeleteInvite(ctx, 99)
|
|
checkAuthErr(t, tt.shouldFailWrite, err)
|
|
})
|
|
}
|
|
}
|