func (s *userManagerSuite) SetUpTest(c *gc.C) {
s.JujuConnSuite.SetUpTest(c)
s.createLocalLoginMacaroon = func(tag names.UserTag) (*macaroon.Macaroon, error) {
return nil, errors.NotSupportedf("CreateLocalLoginMacaroon")
}
s.resources = common.NewResources()
s.resources.RegisterNamed("createLocalLoginMacaroon", common.ValueResource{
func(tag names.UserTag) (*macaroon.Macaroon, error) {
return s.createLocalLoginMacaroon(tag)
},
})
adminTag := s.AdminUserTag(c)
s.adminName = adminTag.Name()
s.authorizer = apiservertesting.FakeAuthorizer{
Tag: adminTag,
}
var err error
s.usermanager, err = usermanager.NewUserManagerAPI(s.State, s.resources, s.authorizer)
c.Assert(err, jc.ErrorIsNil)
s.BlockHelper = commontesting.NewBlockHelper(s.APIState)
s.AddCleanup(func(*gc.C) { s.BlockHelper.Close() })
}
func (s *userManagerSuite) TestNewUserManagerAPIRefusesNonClient(c *gc.C) {
anAuthoriser := s.authorizer
anAuthoriser.Tag = names.NewMachineTag("1")
endPoint, err := usermanager.NewUserManagerAPI(s.State, nil, anAuthoriser)
c.Assert(endPoint, gc.IsNil)
c.Assert(err, gc.ErrorMatches, "permission denied")
}
func (s *userManagerSuite) TestSetPasswordForOther(c *gc.C) {
alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"})
barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb"})
usermanager, err := usermanager.NewUserManagerAPI(
s.State, nil, apiservertesting.FakeAuthorizer{Tag: alex.Tag()})
c.Assert(err, jc.ErrorIsNil)
args := params.EntityPasswords{
Changes: []params.EntityPassword{{
Tag: barb.Tag().String(),
Password: "******",
}}}
results, err := usermanager.SetPassword(args)
c.Assert(err, jc.ErrorIsNil)
c.Assert(results.Results, gc.HasLen, 1)
c.Assert(results.Results[0], gc.DeepEquals, params.ErrorResult{
Error: ¶ms.Error{
Message: "permission denied",
Code: params.CodeUnauthorized,
}})
err = barb.Refresh()
c.Assert(err, jc.ErrorIsNil)
c.Assert(barb.PasswordValid("new-password"), jc.IsFalse)
}
func (s *userManagerSuite) TestRemoveUserSelfAsNormalUser(c *gc.C) {
// Create a user to delete.
jjam := s.Factory.MakeUser(c, &factory.UserParams{
Name: "jimmyjam",
NoModelUser: true,
})
usermanager, err := usermanager.NewUserManagerAPI(
s.State, s.resources, apiservertesting.FakeAuthorizer{
Tag: jjam.Tag(),
})
c.Assert(err, jc.ErrorIsNil)
// Make sure the user exists.
ui, err := s.usermanager.UserInfo(params.UserInfoRequest{
Entities: []params.Entity{{Tag: jjam.Tag().String()}},
})
c.Assert(err, jc.ErrorIsNil)
c.Check(ui.Results, gc.HasLen, 1)
c.Assert(ui.Results[0].Result.Username, gc.DeepEquals, jjam.Name())
// Remove the user as the user
_, err = usermanager.RemoveUser(params.Entities{
Entities: []params.Entity{{Tag: jjam.Tag().String()}}})
c.Assert(err, gc.ErrorMatches, "permission denied")
// Check if deleted.
err = jjam.Refresh()
c.Assert(err, jc.ErrorIsNil)
}
func (s *userManagerSuite) TestCannotSetPasswordWhenNotAUser(c *gc.C) {
machine1, err := s.State.AddMachine("quantal", state.JobManageEnviron)
c.Assert(err, gc.IsNil)
s.authorizer = apiservertesting.FakeAuthorizer{
Tag: machine1.Tag(),
}
_, err = usermanager.NewUserManagerAPI(s.State, nil, s.authorizer)
c.Assert(err, gc.ErrorMatches, "permission denied")
}
func (s *userManagerSuite) SetUpTest(c *gc.C) {
s.JujuConnSuite.SetUpTest(c)
user, err := s.State.User("admin")
c.Assert(err, gc.IsNil)
s.authorizer = apiservertesting.FakeAuthorizer{
Tag: user.Tag(),
}
s.usermanager, err = usermanager.NewUserManagerAPI(s.State, nil, s.authorizer)
c.Assert(err, gc.IsNil)
}
func (s *userManagerSuite) SetUpTest(c *gc.C) {
s.JujuConnSuite.SetUpTest(c)
adminTag := s.AdminUserTag(c)
s.adminName = adminTag.Name()
s.authorizer = apiservertesting.FakeAuthorizer{
Tag: adminTag,
}
var err error
s.usermanager, err = usermanager.NewUserManagerAPI(s.State, nil, s.authorizer)
c.Assert(err, gc.IsNil)
}
func (s *userManagerSuite) TestAgentUnauthorized(c *gc.C) {
machine1, err := s.State.AddMachine("quantal", state.JobManageEnviron)
c.Assert(err, gc.IsNil)
// Create a FakeAuthorizer so we can check permissions,
// set up assuming machine 1 has logged in.
s.authorizer = apiservertesting.FakeAuthorizer{
Tag: machine1.Tag(),
}
s.usermanager, err = usermanager.NewUserManagerAPI(s.State, nil, s.authorizer)
c.Assert(err, gc.ErrorMatches, "permission denied")
}
func (s *userManagerSuite) SetUpTest(c *gc.C) {
s.JujuConnSuite.SetUpTest(c)
adminTag := s.AdminUserTag(c)
s.adminName = adminTag.Name()
s.authorizer = apiservertesting.FakeAuthorizer{
Tag: adminTag,
}
var err error
s.usermanager, err = usermanager.NewUserManagerAPI(s.State, nil, s.authorizer)
c.Assert(err, jc.ErrorIsNil)
s.BlockHelper = commontesting.NewBlockHelper(s.APIState)
s.AddCleanup(func(*gc.C) { s.BlockHelper.Close() })
}
func (s *userManagerSuite) TestEnableUserAsNormalUser(c *gc.C) {
alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"})
usermanager, err := usermanager.NewUserManagerAPI(
s.State, nil, apiservertesting.FakeAuthorizer{Tag: alex.Tag()})
c.Assert(err, jc.ErrorIsNil)
barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true})
args := params.Entities{
[]params.Entity{{barb.Tag().String()}},
}
_, err = usermanager.EnableUser(args)
c.Assert(err, gc.ErrorMatches, "permission denied")
err = barb.Refresh()
c.Assert(err, jc.ErrorIsNil)
c.Assert(barb.IsDisabled(), jc.IsTrue)
}
func (s *userManagerSuite) TestAddUserAsNormalUser(c *gc.C) {
alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"})
usermanager, err := usermanager.NewUserManagerAPI(
s.State, nil, apiservertesting.FakeAuthorizer{Tag: alex.Tag()})
c.Assert(err, jc.ErrorIsNil)
args := params.AddUsers{
Users: []params.AddUser{{
Username: "******",
DisplayName: "Foo Bar",
Password: "******",
}}}
_, err = usermanager.AddUser(args)
c.Assert(err, gc.ErrorMatches, "permission denied")
_, err = s.State.User(names.NewLocalUserTag("foobar"))
c.Assert(err, jc.Satisfies, errors.IsNotFound)
}
func (s *userManagerSuite) TestSetPasswordForSelf(c *gc.C) {
alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"})
usermanager, err := usermanager.NewUserManagerAPI(
s.State, nil, apiservertesting.FakeAuthorizer{Tag: alex.Tag()})
c.Assert(err, jc.ErrorIsNil)
args := params.EntityPasswords{
Changes: []params.EntityPassword{{
Tag: alex.Tag().String(),
Password: "******",
}}}
results, err := usermanager.SetPassword(args)
c.Assert(err, jc.ErrorIsNil)
c.Assert(results.Results, gc.HasLen, 1)
c.Assert(results.Results[0], gc.DeepEquals, params.ErrorResult{Error: nil})
err = alex.Refresh()
c.Assert(err, jc.ErrorIsNil)
c.Assert(alex.PasswordValid("new-password"), jc.IsTrue)
}
func (s *userManagerSuite) TestUserInfoNonControllerAdmin(c *gc.C) {
s.Factory.MakeUser(c, &factory.UserParams{Name: "foobar", DisplayName: "Foo Bar"})
userAardvark := s.Factory.MakeUser(c, &factory.UserParams{Name: "aardvark", DisplayName: "Aard Vark"})
authorizer := apiservertesting.FakeAuthorizer{
Tag: userAardvark.Tag(),
}
usermanager, err := usermanager.NewUserManagerAPI(s.State, s.resources, authorizer)
c.Assert(err, jc.ErrorIsNil)
args := params.UserInfoRequest{Entities: []params.Entity{
{Tag: userAardvark.Tag().String()},
{Tag: names.NewUserTag("foobar").String()},
}}
results, err := usermanager.UserInfo(args)
c.Assert(err, jc.ErrorIsNil)
// Non admin users can only see themselves.
c.Assert(results, jc.DeepEquals, params.UserInfoResults{
Results: []params.UserInfoResult{
{
Result: ¶ms.UserInfo{
Username: "******",
DisplayName: "Aard Vark",
Access: "login",
CreatedBy: s.adminName,
DateCreated: userAardvark.DateCreated(),
LastConnection: lastLoginPointer(c, userAardvark),
},
}, {
Error: ¶ms.Error{
Message: "permission denied",
Code: params.CodeUnauthorized,
},
},
},
})
}
