a756614c1a
#8593 This PR adds a new role `observer_plus` to Fleet. (The `GitOps` role will be added on a separate PR.) - [X] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [X] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [X] Documented any permissions changes - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - ~For Orbit and Fleet Desktop changes:~ - ~[ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux.~ - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~
package service
import (
	"context"
	"sort"
	"testing"

	"github.com/fleetdm/fleet/v4/server/authz"
	"github.com/fleetdm/fleet/v4/server/fleet"
	"github.com/fleetdm/fleet/v4/server/mock"
	"github.com/fleetdm/fleet/v4/server/ptr"
	"github.com/fleetdm/fleet/v4/server/test"
	"github.com/stretchr/testify/require"
)
// TestListActivities checks the authorization rules of Service.ListActivities:
// every global role may list activities, while team-scoped roles, a user with
// no role at all, and a request without a user in context are all rejected
// with the generic authz forbidden message.
func TestListActivities(t *testing.T) {
	ds := new(mock.Store)
	svc, ctx := newTestService(t, ds, nil, nil)

	// The mocked datastore always returns the same two entries, so a
	// successful call is recognised by the length of the result alone.
	ds.ListActivitiesFunc = func(ctx context.Context, opts fleet.ListActivitiesOptions) ([]*fleet.Activity, *fleet.PaginationMetadata, error) {
		return []*fleet.Activity{{ID: 1}, {ID: 2}}, nil, nil
	}

	// expectForbidden issues the call with the given request context and
	// asserts that it is denied with the authz forbidden message.
	expectForbidden := func(reqCtx context.Context) {
		_, _, err := svc.ListActivities(reqCtx, fleet.ListActivitiesOptions{})
		require.Error(t, err)
		require.Contains(t, err.Error(), authz.ForbiddenErrorMessage)
	}

	// Any global role, observer_plus included, can read the activity feed.
	allowed := []*fleet.User{test.UserAdmin, test.UserMaintainer, test.UserObserver, test.UserObserverPlus}
	for _, user := range allowed {
		got, _, err := svc.ListActivities(test.UserContext(ctx, user), fleet.ListActivitiesOptions{})
		require.NoError(t, err)
		require.Len(t, got, 2)
	}

	// Team-scoped roles are not sufficient to read the global feed.
	denied := []*fleet.User{test.UserTeamAdminTeam1, test.UserTeamMaintainerTeam1, test.UserTeamObserverTeam1}
	for _, user := range denied {
		expectForbidden(test.UserContext(ctx, user))
	}

	// Neither is a user that carries no role at all ...
	expectForbidden(test.UserContext(ctx, test.UserNoRoles))

	// ... nor a request that has no user in its context.
	expectForbidden(ctx)
}
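// Test_logRoleChangeActivities checks which activity entries
// fleet.LogRoleChangeActivities records for a given transition of a user's
// global role and team roles. The datastore is mocked so the recorded
// activity names can be captured in the order they were emitted.
//
// expectActivities is the exact sequence of activity names expected; it is
// left nil for cases in which nothing should be recorded, so that every
// subtest can also be run on its own.
func Test_logRoleChangeActivities(t *testing.T) {
	tests := []struct {
		name             string
		oldRole          *string
		newRole          *string
		oldTeamRoles     map[uint]string
		newTeamRoles     map[uint]string
		expectActivities []string
	}{
		{
			name: "Empty",
		}, {
			name:             "AddGlobal",
			newRole:          ptr.String("role"),
			expectActivities: []string{"changed_user_global_role"},
		}, {
			name:    "NoChangeGlobal",
			oldRole: ptr.String("role"),
			newRole: ptr.String("role"),
		}, {
			name:             "ChangeGlobal",
			oldRole:          ptr.String("old"),
			newRole:          ptr.String("role"),
			expectActivities: []string{"changed_user_global_role"},
		}, {
			name:             "Delete",
			oldRole:          ptr.String("old"),
			newRole:          nil,
			expectActivities: []string{"deleted_user_global_role"},
		}, {
			name:    "SwitchGlobalToTeams",
			oldRole: ptr.String("old"),
			newTeamRoles: map[uint]string{
				1: "foo",
				2: "bar",
				3: "baz",
			},
			expectActivities: []string{"deleted_user_global_role", "changed_user_team_role", "changed_user_team_role", "changed_user_team_role"},
		}, {
			name: "DeleteModifyTeam",
			oldTeamRoles: map[uint]string{
				1: "foo",
				2: "bar",
				3: "baz",
			},
			newTeamRoles: map[uint]string{
				2: "newRole",
				3: "baz",
			},
			expectActivities: []string{"changed_user_team_role", "deleted_user_team_role"},
		},
	}

	ctx := context.Background()
	ds := new(mock.Store)
	var activities []string
	ds.NewActivityFunc = func(ctx context.Context, user *fleet.User, activity fleet.ActivityDetails) error {
		activities = append(activities, activity.ActivityName())
		return nil
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			// Reset to a nil slice rather than re-slicing to length zero:
			// a nil expectation must compare equal regardless of whether an
			// earlier subtest left a non-nil backing array behind, otherwise
			// the outcome of a subtest depends on which ones ran before it.
			activities = nil

			oldTeams := userTeamsFromRoles(tt.oldTeamRoles)
			newUser := &fleet.User{
				GlobalRole: tt.newRole,
				Teams:      userTeamsFromRoles(tt.newTeamRoles),
			}

			require.NoError(t, fleet.LogRoleChangeActivities(ctx, ds, &fleet.User{}, tt.oldRole, oldTeams, newUser))
			require.Equal(t, tt.expectActivities, activities)
		})
	}
}

// userTeamsFromRoles converts a team-ID-to-role map into the []fleet.UserTeam
// shape that LogRoleChangeActivities consumes. The result is sorted by team ID
// so that the order of the teams, and of any activities derived from them,
// does not depend on Go's randomized map iteration order.
func userTeamsFromRoles(roles map[uint]string) []fleet.UserTeam {
	teams := make([]fleet.UserTeam, 0, len(roles))
	for id, role := range roles {
		teams = append(teams, fleet.UserTeam{
			Team: fleet.Team{ID: id},
			Role: role,
		})
	}
	sort.Slice(teams, func(i, j int) bool { return teams[i].Team.ID < teams[j].Team.ID })
	return teams
}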