mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 17:05:18 +00:00
163 lines
4.2 KiB
Go
163 lines
4.2 KiB
Go
package service
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
|
|
"github.com/fleetdm/fleet/v4/server/contexts/license"
|
|
"github.com/fleetdm/fleet/v4/server/contexts/viewer"
|
|
"github.com/fleetdm/fleet/v4/server/fleet"
|
|
"github.com/fleetdm/fleet/v4/server/mock"
|
|
"github.com/fleetdm/fleet/v4/server/ptr"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestServiceSoftwareTitlesAuth(t *testing.T) {
|
|
ds := new(mock.Store)
|
|
|
|
ds.ListSoftwareTitlesFunc = func(ctx context.Context, opt fleet.SoftwareTitleListOptions, tmf fleet.TeamFilter) ([]fleet.SoftwareTitle, int, *fleet.PaginationMetadata, error) {
|
|
return []fleet.SoftwareTitle{}, 0, &fleet.PaginationMetadata{}, nil
|
|
}
|
|
ds.SoftwareTitleByIDFunc = func(ctx context.Context, id uint, teamID *uint, tmFilter fleet.TeamFilter) (*fleet.SoftwareTitle, error) {
|
|
return &fleet.SoftwareTitle{}, nil
|
|
}
|
|
ds.TeamExistsFunc = func(ctx context.Context, teamID uint) (bool, error) { return true, nil }
|
|
|
|
svc, ctx := newTestService(t, ds, nil, nil)
|
|
|
|
for _, tc := range []struct {
|
|
name string
|
|
user *fleet.User
|
|
shouldFailGlobalRead bool
|
|
shouldFailTeamRead bool
|
|
}{
|
|
{
|
|
name: "global-admin",
|
|
user: &fleet.User{
|
|
ID: 1,
|
|
GlobalRole: ptr.String(fleet.RoleAdmin),
|
|
},
|
|
shouldFailGlobalRead: false,
|
|
shouldFailTeamRead: false,
|
|
},
|
|
{
|
|
name: "global-maintainer",
|
|
user: &fleet.User{
|
|
ID: 1,
|
|
GlobalRole: ptr.String(fleet.RoleMaintainer),
|
|
},
|
|
shouldFailGlobalRead: false,
|
|
shouldFailTeamRead: false,
|
|
},
|
|
{
|
|
name: "global-observer",
|
|
user: &fleet.User{
|
|
ID: 1,
|
|
GlobalRole: ptr.String(fleet.RoleObserver),
|
|
},
|
|
shouldFailGlobalRead: false,
|
|
shouldFailTeamRead: false,
|
|
},
|
|
{
|
|
name: "team-admin-belongs-to-team",
|
|
user: &fleet.User{
|
|
ID: 1,
|
|
Teams: []fleet.UserTeam{{
|
|
Team: fleet.Team{ID: 1},
|
|
Role: fleet.RoleAdmin,
|
|
}},
|
|
},
|
|
shouldFailGlobalRead: true,
|
|
shouldFailTeamRead: false,
|
|
},
|
|
{
|
|
name: "team-maintainer-belongs-to-team",
|
|
user: &fleet.User{
|
|
ID: 1,
|
|
Teams: []fleet.UserTeam{{
|
|
Team: fleet.Team{ID: 1},
|
|
Role: fleet.RoleMaintainer,
|
|
}},
|
|
},
|
|
shouldFailGlobalRead: true,
|
|
shouldFailTeamRead: false,
|
|
},
|
|
{
|
|
name: "team-observer-belongs-to-team",
|
|
user: &fleet.User{
|
|
ID: 1,
|
|
Teams: []fleet.UserTeam{{
|
|
Team: fleet.Team{ID: 1},
|
|
Role: fleet.RoleObserver,
|
|
}},
|
|
},
|
|
shouldFailGlobalRead: true,
|
|
shouldFailTeamRead: false,
|
|
},
|
|
{
|
|
name: "team-admin-does-not-belong-to-team",
|
|
user: &fleet.User{
|
|
ID: 1,
|
|
Teams: []fleet.UserTeam{{
|
|
Team: fleet.Team{ID: 2},
|
|
Role: fleet.RoleAdmin,
|
|
}},
|
|
},
|
|
shouldFailGlobalRead: true,
|
|
shouldFailTeamRead: true,
|
|
},
|
|
{
|
|
name: "team-maintainer-does-not-belong-to-team",
|
|
user: &fleet.User{
|
|
ID: 1,
|
|
Teams: []fleet.UserTeam{{
|
|
Team: fleet.Team{ID: 2},
|
|
Role: fleet.RoleMaintainer,
|
|
}},
|
|
},
|
|
shouldFailGlobalRead: true,
|
|
shouldFailTeamRead: true,
|
|
},
|
|
{
|
|
name: "team-observer-does-not-belong-to-team",
|
|
user: &fleet.User{
|
|
ID: 1,
|
|
Teams: []fleet.UserTeam{{
|
|
Team: fleet.Team{ID: 2},
|
|
Role: fleet.RoleObserver,
|
|
}},
|
|
},
|
|
shouldFailGlobalRead: true,
|
|
shouldFailTeamRead: true,
|
|
},
|
|
} {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
ctx := viewer.NewContext(ctx, viewer.Viewer{User: tc.user})
|
|
premiumCtx := license.NewContext(ctx, &fleet.LicenseInfo{Tier: fleet.TierPremium})
|
|
|
|
// List all software titles.
|
|
_, _, _, err := svc.ListSoftwareTitles(ctx, fleet.SoftwareTitleListOptions{})
|
|
checkAuthErr(t, tc.shouldFailGlobalRead, err)
|
|
|
|
// List software for a team.
|
|
_, _, _, err = svc.ListSoftwareTitles(premiumCtx, fleet.SoftwareTitleListOptions{
|
|
TeamID: ptr.Uint(1),
|
|
})
|
|
checkAuthErr(t, tc.shouldFailTeamRead, err)
|
|
|
|
// List software for a team should fail no matter what
|
|
// with a non-premium context
|
|
if !tc.shouldFailTeamRead {
|
|
_, _, _, err = svc.ListSoftwareTitles(ctx, fleet.SoftwareTitleListOptions{
|
|
TeamID: ptr.Uint(1),
|
|
})
|
|
require.ErrorContains(t, err, "Requires Fleet Premium license")
|
|
}
|
|
|
|
// Get a software title for a team
|
|
_, err = svc.SoftwareTitleByID(ctx, 1, ptr.Uint(1))
|
|
checkAuthErr(t, tc.shouldFailTeamRead, err)
|
|
})
|
|
}
|
|
}
|