empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-07 01:15:22 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
666ae8d787
fleet/ee/server/service/teams_test.go
Juan Fernandez 98d9f1b068
If user is a global/team observer/observer+, 'teams' endpoints should not include secrets (#12216) 
Fixed auth. issue with Obs/Obs+
2023-06-08 17:30:34 -04:00

97 lines
2.1 KiB
Go
Raw Blame History

package service
import (
"testing"
"github.com/fleetdm/fleet/v4/server/fleet"
"github.com/fleetdm/fleet/v4/server/ptr"
"github.com/stretchr/testify/require"
)
func TestObfuscateSecrets(t *testing.T) {
buildTeams := func(n int) []*fleet.Team {
r := make([]*fleet.Team, 0, n)
for i := 1; i <= n; i++ {
r = append(r, &fleet.Team{
ID: uint(i),
Secrets: []*fleet.EnrollSecret{
{Secret: "abc"},
{Secret: "123"},
},
})
}
return r
}
t.Run("no user", func(t *testing.T) {
err := obfuscateSecrets(nil, nil)
require.Error(t, err)
})
t.Run("no teams", func(t *testing.T) {
user := fleet.User{}
err := obfuscateSecrets(&user, nil)
require.NoError(t, err)
})
t.Run("user is not a global observer", func(t *testing.T) {
user := fleet.User{GlobalRole: ptr.String(fleet.RoleAdmin)}
teams := buildTeams(3)
err := obfuscateSecrets(&user, teams)
require.NoError(t, err)
for _, team := range teams {
for _, s := range team.Secrets {
require.NotEqual(t, fleet.MaskedPassword, s.Secret)
}
}
})
t.Run("user is global observer", func(t *testing.T) {
roles := []*string{ptr.String(fleet.RoleObserver), ptr.String(fleet.RoleObserverPlus)}
for _, r := range roles {
user := &fleet.User{GlobalRole: r}
teams := buildTeams(3)
err := obfuscateSecrets(user, teams)
require.NoError(t, err)
for _, team := range teams {
for _, s := range team.Secrets {
require.Equal(t, fleet.MaskedPassword, s.Secret)
}
}
}
})
t.Run("user is observer in some teams", func(t *testing.T) {
teams := buildTeams(4)
// Make user an observer in the 'even' teams
user := &fleet.User{Teams: []fleet.UserTeam{
{
Team: *teams[1],
Role: fleet.RoleObserver,
},
{
Team: *teams[2],
Role: fleet.RoleAdmin,
},
{
Team: *teams[3],
Role: fleet.RoleObserverPlus,
},
}}
err := obfuscateSecrets(user, teams)
require.NoError(t, err)
for i, team := range teams {
for _, s := range team.Secrets {
require.Equal(t, fleet.MaskedPassword == s.Secret, i == 0 || i == 1 || i == 3)
}
}
})
}
Reference in New Issue View Git Blame Copy Permalink