// TestUserAddRole checks that AddRole stores one RoleInstance per distinct
// (role, context value) pair, silently absorbs a repeated pair, rejects an
// unknown role with ErrRoleNotFound, and that the instances survive a
// round trip through GetUserByEmail.
func (s *S) TestUserAddRole(c *check.C) {
	for _, roleName := range []string{"r1", "r2"} {
		_, err := permission.NewRole(roleName, "app")
		c.Assert(err, check.IsNil)
	}
	user := User{Email: "*****@*****.**", Password: "******"}
	c.Assert(user.Create(), check.IsNil)
	// The last pair repeats "r2"/"x" on purpose: it must not produce a
	// second instance.
	assignments := []RoleInstance{
		{Name: "r1", ContextValue: "c1"},
		{Name: "r1", ContextValue: "c2"},
		{Name: "r2", ContextValue: "x"},
		{Name: "r2", ContextValue: "x"},
	}
	for _, assignment := range assignments {
		c.Assert(user.AddRole(assignment.Name, assignment.ContextValue), check.IsNil)
	}
	c.Assert(user.AddRole("r3", "a"), check.Equals, permission.ErrRoleNotFound)
	expected := []RoleInstance{
		{Name: "r1", ContextValue: "c1"},
		{Name: "r1", ContextValue: "c2"},
		{Name: "r2", ContextValue: "x"},
	}
	// Sort both sides so the comparison does not depend on insertion order.
	sort.Sort(roleInstanceList(expected))
	sort.Sort(roleInstanceList(user.Roles))
	c.Assert(user.Roles, check.DeepEquals, expected)
	stored, err := GetUserByEmail("*****@*****.**")
	c.Assert(err, check.IsNil)
	sort.Sort(roleInstanceList(stored.Roles))
	c.Assert(stored.Roles, check.DeepEquals, expected)
}
// TestAddDefaultRole posts a form to /role/default as a user holding
// PermRoleDefaultCreate and checks that each named role ends up with
// exactly the event it was submitted under (team-create or user-create).
func (s *S) TestAddDefaultRole(c *check.C) {
	roles := []struct{ name, ctx string }{
		{"r1", "team"},
		{"r2", "team"},
		{"r3", "global"},
	}
	for _, r := range roles {
		_, err := permission.NewRole(r.name, r.ctx)
		c.Assert(err, check.IsNil)
	}
	token := userWithPermission(c, permission.Permission{
		Scheme:  permission.PermRoleDefaultCreate,
		Context: permission.Context(permission.CtxGlobal, ""),
	})
	form := bytes.NewBufferString("team-create=r1&team-create=r2&user-create=r3")
	request, err := http.NewRequest("POST", "/role/default", form)
	c.Assert(err, check.IsNil)
	request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	request.Header.Set("Authorization", "bearer "+token.GetValue())
	recorder := httptest.NewRecorder()
	RunServer(true).ServeHTTP(recorder, request)
	c.Assert(recorder.Code, check.Equals, http.StatusOK)
	// Each role must carry only the event it was registered for.
	wantEvents := []struct{ name, event string }{
		{"r1", permission.RoleEventTeamCreate.String()},
		{"r2", permission.RoleEventTeamCreate.String()},
		{"r3", permission.RoleEventUserCreate.String()},
	}
	for _, w := range wantEvents {
		role, err := permission.FindRole(w.name)
		c.Assert(err, check.IsNil)
		c.Assert(role.Events, check.DeepEquals, []string{w.event})
	}
}
// TestUserPermissionsWithRemovedRole checks that a role instance whose role
// document was deleted directly from the Roles collection contributes no
// permissions, and that a role added afterwards expands to one permission
// per (scheme, context value) pair.
func (s *S) TestUserPermissionsWithRemovedRole(c *check.C) {
	role, err := permission.NewRole("test", "team")
	c.Assert(err, check.IsNil)
	user := User{Email: "*****@*****.**", Password: "******"}
	c.Assert(user.Create(), check.IsNil)
	c.Assert(user.AddRole(role.Name, "team"), check.IsNil)
	// Remove the role behind the user's back so the instance dangles.
	conn, err := db.Conn()
	c.Assert(err, check.IsNil)
	defer conn.Close()
	c.Assert(conn.Roles().RemoveId(role.Name), check.IsNil)
	perms, err := user.Permissions()
	c.Assert(err, check.IsNil)
	c.Assert(perms, check.IsNil)
	appRole, err := permission.NewRole("r1", "app")
	c.Assert(err, check.IsNil)
	c.Assert(appRole.AddPermissions("app.update.env", "app.deploy"), check.IsNil)
	for _, appName := range []string{"myapp", "myapp2"} {
		c.Assert(user.AddRole("r1", appName), check.IsNil)
	}
	perms, err = user.Permissions()
	c.Assert(err, check.IsNil)
	c.Assert(perms, check.DeepEquals, []permission.Permission{
		{Scheme: permission.PermAppDeploy, Context: permission.Context(permission.CtxApp, "myapp")},
		{Scheme: permission.PermAppUpdateEnv, Context: permission.Context(permission.CtxApp, "myapp")},
		{Scheme: permission.PermAppDeploy, Context: permission.Context(permission.CtxApp, "myapp2")},
		{Scheme: permission.PermAppUpdateEnv, Context: permission.Context(permission.CtxApp, "myapp2")},
	})
}
// TestAddDefaultRole posts a form to /role/default as a user holding
// PermRoleDefaultCreate, checks that every named role received the event it
// was submitted under, and that one "role.default.create" event was recorded
// per role, each carrying the full submitted form as custom data.
func (s *S) TestAddDefaultRole(c *check.C) {
	roles := []struct{ name, ctx string }{
		{"r1", "team"},
		{"r2", "team"},
		{"r3", "global"},
	}
	for _, r := range roles {
		_, err := permission.NewRole(r.name, r.ctx, "")
		c.Assert(err, check.IsNil)
	}
	token := userWithPermission(c, permission.Permission{
		Scheme:  permission.PermRoleDefaultCreate,
		Context: permission.Context(permission.CtxGlobal, ""),
	})
	form := bytes.NewBufferString("team-create=r1&team-create=r2&user-create=r3")
	request, err := http.NewRequest("POST", "/role/default", form)
	c.Assert(err, check.IsNil)
	request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	request.Header.Set("Authorization", "bearer "+token.GetValue())
	recorder := httptest.NewRecorder()
	RunServer(true).ServeHTTP(recorder, request)
	c.Assert(recorder.Code, check.Equals, http.StatusOK)
	wantEvents := []struct{ name, event string }{
		{"r1", permission.RoleEventTeamCreate.String()},
		{"r2", permission.RoleEventTeamCreate.String()},
		{"r3", permission.RoleEventUserCreate.String()},
	}
	for _, w := range wantEvents {
		role, err := permission.FindRole(w.name)
		c.Assert(err, check.IsNil)
		c.Assert(role.Events, check.DeepEquals, []string{w.event})
	}
	// The same custom data (the whole form) is expected on every role's event.
	for _, roleName := range []string{"r1", "r2", "r3"} {
		c.Assert(eventtest.EventDesc{
			Target: event.Target{Type: event.TargetTypeRole, Value: roleName},
			Owner:  token.GetUserName(),
			Kind:   "role.default.create",
			StartCustomData: []map[string]interface{}{
				{"name": "team-create", "value": []string{"r1", "r2"}},
				{"name": "user-create", "value": "r3"},
			},
		}, eventtest.HasEvent)
	}
}
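// TestDissociateRole issues DELETE /roles/test/user/<email>?context=myteam as
// a user holding PermRoleUpdateDissociate and checks that the user's role
// count drops from 2 to 1.
//
// Fix: the original re-asserted the stale err value after ServeHTTP, which
// returns nothing; that assertion could never fail and has been removed.
func (s *S) TestDissociateRole(c *check.C) {
	_, err := permission.NewRole("test", "team")
	c.Assert(err, check.IsNil)
	token := userWithPermission(c, permission.Permission{
		Scheme:  permission.PermRoleUpdateDissociate,
		Context: permission.Context(permission.CtxGlobal, ""),
	})
	// The helper user already carries one role; adding "test" makes two.
	u, err := auth.GetUserByEmail("*****@*****.**")
	c.Assert(err, check.IsNil)
	err = u.AddRole("test", "myteam")
	c.Assert(err, check.IsNil)
	c.Assert(u.Roles, check.HasLen, 2)
	req, err := http.NewRequest("DELETE", "/roles/test/user/[email protected]?context=myteam", nil)
	c.Assert(err, check.IsNil)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Authorization", "bearer "+token.GetValue())
	recorder := httptest.NewRecorder()
	server := RunServer(true)
	server.ServeHTTP(recorder, req)
	c.Assert(recorder.Code, check.Equals, http.StatusOK)
	u, err = auth.GetUserByEmail("*****@*****.**")
	c.Assert(err, check.IsNil)
	c.Assert(u.Roles, check.HasLen, 1)
}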
// TestRemoveDefaultRole registers r1 for the team-create event, then issues
// DELETE /role/default?team-create=r1 as a user holding PermRoleDefaultDelete
// and checks that the role's event list is emptied and that a
// "role.default.delete" event was recorded with the query parameter as
// custom data.
func (s *S) TestRemoveDefaultRole(c *check.C) {
	role, err := permission.NewRole("r1", "team", "")
	c.Assert(err, check.IsNil)
	c.Assert(role.AddEvent(permission.RoleEventTeamCreate.String()), check.IsNil)
	token := userWithPermission(c, permission.Permission{
		Scheme:  permission.PermRoleDefaultDelete,
		Context: permission.Context(permission.CtxGlobal, ""),
	})
	request, err := http.NewRequest("DELETE", "/role/default?team-create=r1", nil)
	c.Assert(err, check.IsNil)
	request.Header.Set("Authorization", "bearer "+token.GetValue())
	recorder := httptest.NewRecorder()
	RunServer(true).ServeHTTP(recorder, request)
	c.Assert(recorder.Code, check.Equals, http.StatusOK)
	role, err = permission.FindRole("r1")
	c.Assert(err, check.IsNil)
	// An empty (non-nil) slice is expected, not a nil one.
	c.Assert(role.Events, check.DeepEquals, []string{})
	c.Assert(eventtest.EventDesc{
		Target: event.Target{Type: event.TargetTypeRole, Value: "r1"},
		Owner:  token.GetUserName(),
		Kind:   "role.default.delete",
		StartCustomData: []map[string]interface{}{
			{"name": "team-create", "value": "r1"},
		},
	}, eventtest.HasEvent)
}
// TestRemoveRole deletes the "test" role through DELETE /roles/test as a user
// holding PermRoleDelete and checks that only one role remains in the
// collection and that the role instance was also stripped from that user.
func (s *S) TestRemoveRole(c *check.C) {
	// Start from an empty collection; the return value is deliberately
	// ignored since the collection may not exist yet.
	s.conn.Roles().DropCollection()
	_, err := permission.NewRole("test", "app")
	c.Assert(err, check.IsNil)
	token := userWithPermission(c, permission.Permission{
		Scheme:  permission.PermRoleDelete,
		Context: permission.Context(permission.CtxGlobal, ""),
	})
	// Give the acting user the role about to be removed, so the test also
	// covers dissociation on delete.
	user, err := token.User()
	c.Assert(err, check.IsNil)
	c.Assert(user.AddRole("test", "app"), check.IsNil)
	request, err := http.NewRequest("DELETE", "/roles/test", nil)
	c.Assert(err, check.IsNil)
	request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	request.Header.Set("Authorization", "bearer "+token.GetValue())
	recorder := httptest.NewRecorder()
	RunServer(true).ServeHTTP(recorder, request)
	c.Assert(recorder.Code, check.Equals, http.StatusOK)
	roles, err := permission.ListRoles()
	c.Assert(err, check.IsNil)
	c.Assert(roles, check.HasLen, 1)
	user, err = token.User()
	c.Assert(err, check.IsNil)
	c.Assert(user.Roles, check.HasLen, 1)
}
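// TestAssignRoleCheckGandalf assigns the "test" role (which grants app.deploy)
// to user2 in the context of "myapp" via POST /roles/test/user, acting as a
// user who holds both PermRoleUpdateAssign and app.deploy on that app. It
// checks that the repository manager granted user2 access to myapp and that
// user2 now carries one role instance.
//
// Fix: the original re-asserted the stale err value after ServeHTTP, which
// returns nothing; that assertion could never fail and has been removed.
func (s *S) TestAssignRoleCheckGandalf(c *check.C) {
	role, err := permission.NewRole("test", "app", "")
	c.Assert(err, check.IsNil)
	err = role.AddPermissions("app.deploy")
	c.Assert(err, check.IsNil)
	emptyToken := customUserWithPermission(c, "user2")
	a := app.App{Name: "myapp", TeamOwner: s.team.Name}
	err = app.CreateApp(&a, s.user)
	c.Assert(err, check.IsNil)
	roleBody := bytes.NewBufferString(fmt.Sprintf("email=%s&context=myapp", emptyToken.GetUserName()))
	req, err := http.NewRequest("POST", "/roles/test/user", roleBody)
	c.Assert(err, check.IsNil)
	// The assigner must hold the permission the role would confer in the
	// target context, not just the global assign permission.
	token := customUserWithPermission(c, "user1", permission.Permission{
		Scheme:  permission.PermRoleUpdateAssign,
		Context: permission.Context(permission.CtxGlobal, ""),
	}, permission.Permission{
		Scheme:  permission.PermAppDeploy,
		Context: permission.Context(permission.CtxApp, "myapp"),
	})
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Authorization", "bearer "+token.GetValue())
	recorder := httptest.NewRecorder()
	server := RunServer(true)
	server.ServeHTTP(recorder, req)
	c.Assert(recorder.Code, check.Equals, http.StatusOK)
	emptyUser, err := emptyToken.User()
	c.Assert(err, check.IsNil)
	users, err := repositorytest.Granted("myapp")
	c.Assert(err, check.IsNil)
	c.Assert(users, check.DeepEquals, []string{s.user.Email, emptyToken.GetUserName()})
	c.Assert(emptyUser.Roles, check.HasLen, 1)
}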
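// benchmarkAddPermissionToRole times c.N POSTs of body to
// /roles/test/permissions after creating an app, a "test" role with
// app.create, and 100 users that hold that role in s.team. It returns the
// e-mails of the created users. Setup runs with the timer stopped.
//
// Fix: the original reused one ResponseRecorder for every iteration and
// asserted its Code only after the loop. A ResponseRecorder keeps the first
// status written to it, so a failure in any later iteration went unnoticed.
// Each iteration now gets its own recorder and is checked individually.
func (s *S) benchmarkAddPermissionToRole(c *check.C, body string) []string {
	c.StopTimer()
	a := app.App{Name: "myapp", TeamOwner: s.team.Name}
	err := app.CreateApp(&a, s.user)
	c.Assert(err, check.IsNil)
	role, err := permission.NewRole("test", "team")
	c.Assert(err, check.IsNil)
	err = role.AddPermissions("app.create")
	c.Assert(err, check.IsNil)
	const nUsers = 100
	userEmails := make([]string, 0, nUsers)
	for i := 0; i < nUsers; i++ {
		// NOTE(review): as shown in this listing the format string has no verb
		// for i (the address appears redacted); confirm against upstream before
		// relying on the generated e-mails being distinct.
		email := fmt.Sprintf("*****@*****.**", i)
		userEmails = append(userEmails, email)
		user := &auth.User{Email: email, Password: "******"}
		_, err = nativeScheme.Create(user)
		c.Assert(err, check.IsNil)
		err = user.AddRole("test", s.team.Name)
		c.Assert(err, check.IsNil)
	}
	m := RunServer(true)
	c.StartTimer()
	for i := 0; i < c.N; i++ {
		b := bytes.NewBufferString(body)
		request, err := http.NewRequest("POST", "/roles/test/permissions", b)
		c.Assert(err, check.IsNil)
		request.Header.Add("Authorization", "bearer "+s.token.GetValue())
		request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
		// Fresh recorder per request so every response status is observable.
		recorder := httptest.NewRecorder()
		m.ServeHTTP(recorder, request)
		c.Assert(recorder.Code, check.Equals, http.StatusOK)
	}
	c.StopTimer()
	return userEmails
}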
// TestRemovePermissionsFromRole removes app.update from the "test" role via
// DELETE /roles/test/permissions/app.update as a user holding PermRoleUpdate
// and checks that the role's scheme list is empty afterwards and that a
// "role.update.permission.remove" event was recorded with the route
// parameters as custom data.
func (s *S) TestRemovePermissionsFromRole(c *check.C) {
	role, err := permission.NewRole("test", "team", "")
	c.Assert(err, check.IsNil)
	// Best-effort cleanup; the returned error is intentionally not checked.
	defer permission.DestroyRole(role.Name)
	c.Assert(role.AddPermissions("app.update"), check.IsNil)
	token := userWithPermission(c, permission.Permission{
		Scheme:  permission.PermRoleUpdate,
		Context: permission.Context(permission.CtxGlobal, ""),
	})
	request, err := http.NewRequest("DELETE", "/roles/test/permissions/app.update", nil)
	c.Assert(err, check.IsNil)
	request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	request.Header.Set("Authorization", "bearer "+token.GetValue())
	recorder := httptest.NewRecorder()
	RunServer(true).ServeHTTP(recorder, request)
	c.Assert(recorder.Code, check.Equals, http.StatusOK)
	role, err = permission.FindRole("test")
	c.Assert(err, check.IsNil)
	c.Assert(role.SchemeNames, check.DeepEquals, []string{})
	c.Assert(eventtest.EventDesc{
		Target: event.Target{Type: event.TargetTypeRole, Value: "test"},
		Owner:  token.GetUserName(),
		Kind:   "role.update.permission.remove",
		StartCustomData: []map[string]interface{}{
			{"name": ":name", "value": "test"},
			{"name": ":permission", "value": "app.update"},
		},
	}, eventtest.HasEvent)
}
// TestAddPermissionsToARole posts two permission form values to
// /roles/test/permissions as a user holding PermRoleUpdate and checks that
// both schemes were attached to the role and that a
// "role.update.permission.add" event recorded the submitted values.
func (s *S) TestAddPermissionsToARole(c *check.C) {
	_, err := permission.NewRole("test", "team", "")
	c.Assert(err, check.IsNil)
	token := userWithPermission(c, permission.Permission{
		Scheme:  permission.PermRoleUpdate,
		Context: permission.Context(permission.CtxGlobal, ""),
	})
	form := bytes.NewBufferString(`permission=app.update&permission=app.deploy`)
	request, err := http.NewRequest("POST", "/roles/test/permissions", form)
	c.Assert(err, check.IsNil)
	request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	request.Header.Set("Authorization", "bearer "+token.GetValue())
	recorder := httptest.NewRecorder()
	RunServer(true).ServeHTTP(recorder, request)
	c.Assert(recorder.Code, check.Equals, http.StatusOK)
	role, err := permission.FindRole("test")
	c.Assert(err, check.IsNil)
	// Storage order is not guaranteed; sort before comparing.
	sort.Strings(role.SchemeNames)
	c.Assert(role.SchemeNames, check.DeepEquals, []string{"app.deploy", "app.update"})
	c.Assert(eventtest.EventDesc{
		Target: event.Target{Type: event.TargetTypeRole, Value: "test"},
		Owner:  token.GetUserName(),
		Kind:   "role.update.permission.add",
		StartCustomData: []map[string]interface{}{
			{"name": "permission", "value": []string{"app.update", "app.deploy"}},
		},
	}, eventtest.HasEvent)
}
// TestRemoveRole deletes the "test" role through DELETE /roles/test as a user
// holding PermRoleDelete and checks that one role remains, that the instance
// was stripped from the acting user, and that a "role.delete" event was
// recorded with the route parameter as custom data.
func (s *S) TestRemoveRole(c *check.C) {
	// Start from an empty collection; the return value is deliberately
	// ignored since the collection may not exist yet.
	s.conn.Roles().DropCollection()
	_, err := permission.NewRole("test", "app", "")
	c.Assert(err, check.IsNil)
	token := userWithPermission(c, permission.Permission{
		Scheme:  permission.PermRoleDelete,
		Context: permission.Context(permission.CtxGlobal, ""),
	})
	// Give the acting user the role about to be removed, so the test also
	// covers dissociation on delete.
	user, err := token.User()
	c.Assert(err, check.IsNil)
	c.Assert(user.AddRole("test", "app"), check.IsNil)
	request, err := http.NewRequest("DELETE", "/roles/test", nil)
	c.Assert(err, check.IsNil)
	request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	request.Header.Set("Authorization", "bearer "+token.GetValue())
	recorder := httptest.NewRecorder()
	RunServer(true).ServeHTTP(recorder, request)
	c.Assert(recorder.Code, check.Equals, http.StatusOK)
	roles, err := permission.ListRoles()
	c.Assert(err, check.IsNil)
	c.Assert(roles, check.HasLen, 1)
	user, err = token.User()
	c.Assert(err, check.IsNil)
	c.Assert(user.Roles, check.HasLen, 1)
	c.Assert(eventtest.EventDesc{
		Target: event.Target{Type: event.TargetTypeRole, Value: "test"},
		Owner:  token.GetUserName(),
		Kind:   "role.delete",
		StartCustomData: []map[string]interface{}{
			{"name": ":name", "value": "test"},
		},
	}, eventtest.HasEvent)
}
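// TestAssignRoleNotAuthorized checks the privilege-escalation guard on
// POST /roles/test/user: a caller with the global assign permission but
// app.create only on "otherteam" must not be able to hand out a role that
// grants app.create on "myteam". The server must answer 403 with the
// specific denial message and leave the target user without roles.
//
// Fix: the original re-asserted the stale err value after ServeHTTP, which
// returns nothing; that assertion could never fail and has been removed.
func (s *S) TestAssignRoleNotAuthorized(c *check.C) {
	role, err := permission.NewRole("test", "team")
	c.Assert(err, check.IsNil)
	err = role.AddPermissions("app.create")
	c.Assert(err, check.IsNil)
	emptyToken := customUserWithPermission(c, "user2")
	roleBody := bytes.NewBufferString(fmt.Sprintf("email=%s&context=myteam", emptyToken.GetUserName()))
	req, err := http.NewRequest("POST", "/roles/test/user", roleBody)
	c.Assert(err, check.IsNil)
	token := userWithPermission(c, permission.Permission{
		Scheme:  permission.PermRoleUpdateAssign,
		Context: permission.Context(permission.CtxGlobal, ""),
	}, permission.Permission{
		Scheme:  permission.PermAppCreate,
		Context: permission.Context(permission.CtxTeam, "otherteam"),
	})
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Authorization", "bearer "+token.GetValue())
	recorder := httptest.NewRecorder()
	server := RunServer(true)
	server.ServeHTTP(recorder, req)
	c.Assert(recorder.Code, check.Equals, http.StatusForbidden)
	c.Assert(recorder.Body.String(), check.Equals, "User not authorized to use permission app.create(team myteam)\n")
	emptyUser, err := emptyToken.User()
	c.Assert(err, check.IsNil)
	c.Assert(emptyUser.Roles, check.HasLen, 0)
}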
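// TestRemovePermissionsFromRoleSyncGitRepository checks that removing
// app.deploy from a role also revokes repository access for users who only
// had that access through the role: after DELETE
// /roles/test/permissions/app.deploy, only the app owner remains granted on
// myapp.
//
// Fix: the original overwrote the error from app.CreateApp with the next
// call's error without checking it, so a failed app creation would have
// been masked; the missing assertion is added.
func (s *S) TestRemovePermissionsFromRoleSyncGitRepository(c *check.C) {
	r, err := permission.NewRole("test", "team")
	c.Assert(err, check.IsNil)
	// Best-effort cleanup; the returned error is intentionally not checked.
	defer permission.DestroyRole(r.Name)
	err = r.AddPermissions("app.deploy")
	c.Assert(err, check.IsNil)
	user := &auth.User{Email: "*****@*****.**", Password: "******"}
	_, err = nativeScheme.Create(user)
	c.Assert(err, check.IsNil)
	err = user.AddRole("test", s.team.Name)
	c.Assert(err, check.IsNil)
	a := app.App{Name: "myapp", TeamOwner: s.team.Name}
	err = app.CreateApp(&a, s.user)
	c.Assert(err, check.IsNil)
	err = repository.Manager().GrantAccess(a.Name, user.Email)
	c.Assert(err, check.IsNil)
	rec := httptest.NewRecorder()
	req, err := http.NewRequest("DELETE", "/roles/test/permissions/app.deploy", nil)
	c.Assert(err, check.IsNil)
	token := userWithPermission(c, permission.Permission{
		Scheme:  permission.PermRoleUpdate,
		Context: permission.Context(permission.CtxGlobal, ""),
	})
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Authorization", "bearer "+token.GetValue())
	server := RunServer(true)
	server.ServeHTTP(rec, req)
	c.Assert(rec.Code, check.Equals, http.StatusOK)
	r, err = permission.FindRole("test")
	c.Assert(err, check.IsNil)
	c.Assert(r.SchemeNames, check.DeepEquals, []string{})
	users, err := repositorytest.Granted(a.Name)
	c.Assert(err, check.IsNil)
	c.Assert(users, check.DeepEquals, []string{s.user.Email})
}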
// TestUserPermissions checks that a freshly created user only holds the
// implicit PermUser permission on their own e-mail, and that adding the
// "r1" role for two apps expands to one permission per (scheme, app) pair
// appended after it.
func (s *S) TestUserPermissions(c *check.C) {
	user := User{Email: "*****@*****.**", Password: "******"}
	c.Assert(user.Create(), check.IsNil)
	selfPerm := permission.Permission{Scheme: permission.PermUser, Context: permission.Context(permission.CtxUser, user.Email)}
	perms, err := user.Permissions()
	c.Assert(err, check.IsNil)
	c.Assert(perms, check.DeepEquals, []permission.Permission{selfPerm})
	role, err := permission.NewRole("r1", "app", "")
	c.Assert(err, check.IsNil)
	c.Assert(role.AddPermissions("app.update.env", "app.deploy"), check.IsNil)
	for _, appName := range []string{"myapp", "myapp2"} {
		c.Assert(user.AddRole("r1", appName), check.IsNil)
	}
	perms, err = user.Permissions()
	c.Assert(err, check.IsNil)
	c.Assert(perms, check.DeepEquals, []permission.Permission{
		selfPerm,
		{Scheme: permission.PermAppDeploy, Context: permission.Context(permission.CtxApp, "myapp")},
		{Scheme: permission.PermAppUpdateEnv, Context: permission.Context(permission.CtxApp, "myapp")},
		{Scheme: permission.PermAppDeploy, Context: permission.Context(permission.CtxApp, "myapp2")},
		{Scheme: permission.PermAppUpdateEnv, Context: permission.Context(permission.CtxApp, "myapp2")},
	})
}
// TestAddPermissionsToARoleSyncGitRepository checks that granting app.update
// and app.deploy to a role held by a team member also grants that member
// repository access to the team's app: Granted("myapp") grows from the owner
// alone to owner plus member.
func (s *S) TestAddPermissionsToARoleSyncGitRepository(c *check.C) {
	_, err := permission.NewRole("test", "team")
	c.Assert(err, check.IsNil)
	member := &auth.User{Email: "*****@*****.**", Password: "******"}
	_, err = nativeScheme.Create(member)
	c.Assert(err, check.IsNil)
	c.Assert(member.AddRole("test", s.team.Name), check.IsNil)
	a := app.App{Name: "myapp", TeamOwner: s.team.Name}
	c.Assert(app.CreateApp(&a, s.user), check.IsNil)
	// Before the role gains permissions only the owner has access.
	granted, err := repositorytest.Granted("myapp")
	c.Assert(err, check.IsNil)
	c.Assert(granted, check.DeepEquals, []string{s.user.Email})
	token := userWithPermission(c, permission.Permission{
		Scheme:  permission.PermRoleUpdate,
		Context: permission.Context(permission.CtxGlobal, ""),
	})
	form := bytes.NewBufferString(`permission=app.update&permission=app.deploy`)
	request, err := http.NewRequest("POST", "/roles/test/permissions", form)
	c.Assert(err, check.IsNil)
	request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	request.Header.Set("Authorization", "bearer "+token.GetValue())
	recorder := httptest.NewRecorder()
	RunServer(true).ServeHTTP(recorder, request)
	c.Assert(recorder.Code, check.Equals, http.StatusOK)
	granted, err = repositorytest.Granted("myapp")
	c.Assert(err, check.IsNil)
	c.Assert(granted, check.DeepEquals, []string{s.user.Email, member.Email})
}
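// TestDissociateRoleNotAuthorized checks the guard on DELETE
// /roles/test/user/<email>: a caller with the global dissociate permission
// but app.create only on "otherteam" cannot remove a role that grants
// app.create on "myteam". The server must answer 403 with the specific
// denial message and the target user must keep the role.
//
// Fix: the original re-asserted the stale err value after ServeHTTP, which
// returns nothing; that assertion could never fail and has been removed.
// The local previously named url is renamed so it cannot shadow the net/url
// package if that is imported elsewhere in the file.
func (s *S) TestDissociateRoleNotAuthorized(c *check.C) {
	role, err := permission.NewRole("test", "team")
	c.Assert(err, check.IsNil)
	err = role.AddPermissions("app.create")
	c.Assert(err, check.IsNil)
	otherToken := customUserWithPermission(c, "user2")
	otherUser, err := otherToken.User()
	c.Assert(err, check.IsNil)
	err = otherUser.AddRole(role.Name, "myteam")
	c.Assert(err, check.IsNil)
	target := fmt.Sprintf("/roles/test/user/%s?context=myteam", otherToken.GetUserName())
	req, err := http.NewRequest("DELETE", target, nil)
	c.Assert(err, check.IsNil)
	token := customUserWithPermission(c, "user1", permission.Permission{
		Scheme:  permission.PermRoleUpdateDissociate,
		Context: permission.Context(permission.CtxGlobal, ""),
	}, permission.Permission{
		Scheme:  permission.PermAppCreate,
		Context: permission.Context(permission.CtxTeam, "otherteam"),
	})
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Authorization", "bearer "+token.GetValue())
	recorder := httptest.NewRecorder()
	server := RunServer(true)
	server.ServeHTTP(recorder, req)
	c.Assert(recorder.Code, check.Equals, http.StatusForbidden)
	c.Assert(recorder.Body.String(), check.Equals, "User not authorized to use permission app.create(team myteam)\n")
	otherUser, err = otherToken.User()
	c.Assert(err, check.IsNil)
	c.Assert(otherUser.Roles, check.HasLen, 1)
}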
// TestListUsersWithPermissions gives two users the same role on different
// apps and checks that ListUsersWithPermissions resolves app.deploy on each
// app to exactly the user who holds the role for that app.
func (s *S) TestListUsersWithPermissions(c *check.C) {
	first := User{Email: "*****@*****.**", Password: "******"}
	c.Assert(first.Create(), check.IsNil)
	second := User{Email: "*****@*****.**", Password: "******"}
	c.Assert(second.Create(), check.IsNil)
	role, err := permission.NewRole("r1", "app", "")
	c.Assert(err, check.IsNil)
	c.Assert(role.AddPermissions("app.update.env", "app.deploy"), check.IsNil)
	c.Assert(first.AddRole("r1", "myapp1"), check.IsNil)
	c.Assert(second.AddRole("r1", "myapp2"), check.IsNil)
	cases := []struct {
		appName string
		want    string
	}{
		{"myapp1", first.Email},
		{"myapp2", second.Email},
	}
	for _, tc := range cases {
		users, err := ListUsersWithPermissions(permission.Permission{
			Scheme:  permission.PermAppDeploy,
			Context: permission.Context(permission.CtxApp, tc.appName),
		})
		c.Assert(err, check.IsNil)
		c.Assert(users, check.HasLen, 1)
		c.Assert(users[0].Email, check.Equals, tc.want)
	}
}
// TestListPermissions fetches GET /permissions as a user holding
// PermRoleUpdate and checks that the JSON response is a non-empty list whose
// first entry is the root scheme (empty name, "global" context).
func (s *S) TestListPermissions(c *check.C) {
	role, err := permission.NewRole("test", "app")
	c.Assert(err, check.IsNil)
	c.Assert(role.AddPermissions("app"), check.IsNil)
	token := userWithPermission(c, permission.Permission{
		Scheme:  permission.PermRoleUpdate,
		Context: permission.Context(permission.CtxGlobal, ""),
	})
	request, err := http.NewRequest("GET", "/permissions", nil)
	c.Assert(err, check.IsNil)
	request.Header.Set("Authorization", "bearer "+token.GetValue())
	recorder := httptest.NewRecorder()
	RunServer(true).ServeHTTP(recorder, request)
	c.Assert(recorder.Code, check.Equals, http.StatusOK)
	var schemes []permissionSchemeData
	c.Assert(json.Unmarshal(recorder.Body.Bytes(), &schemes), check.IsNil)
	c.Assert(schemes, check.Not(check.HasLen), 0)
	c.Assert(schemes[0], check.DeepEquals, permissionSchemeData{
		Name:     "",
		Contexts: []string{"global"},
	})
}
// createRole creates the named role with the given context type and an
// empty description, or looks it up when NewRole reports that it already
// exists. Any other NewRole error is returned as is.
func createRole(name, contextType string) (permission.Role, error) {
	role, err := permission.NewRole(name, contextType, "")
	if err != permission.ErrRoleAlreadyExists {
		return role, err
	}
	// Already present (e.g. created by an earlier call); reuse it.
	return permission.FindRole(name)
}
// addRole creates a role from the "name" and "context" form values of r.
//
// It returns permission.ErrUnauthorized unless t holds PermRoleCreate,
// otherwise any error from permission.NewRole; on success it writes
// 201 Created and returns nil.
func addRole(w http.ResponseWriter, r *http.Request, t auth.Token) error {
	// Authorization happens before the body is touched.
	if !permission.Check(t, permission.PermRoleCreate) {
		return permission.ErrUnauthorized
	}
	if _, err := permission.NewRole(r.FormValue("name"), r.FormValue("context")); err != nil {
		return err
	}
	w.WriteHeader(http.StatusCreated)
	return nil
}
// TestRemoveRole calls the removeRole handler directly with a JSON body
// naming the "test" role and a nil token, and checks that it returns no
// error. Because the handler is invoked without the server and with a nil
// token, this exercises removal only, not authorization.
func (s *S) TestRemoveRole(c *check.C) {
	_, err := permission.NewRole("test", "app")
	c.Assert(err, check.IsNil)
	payload := bytes.NewBufferString(`{"name": "test"}`)
	request, err := http.NewRequest("DELETE", "/role", payload)
	c.Assert(err, check.IsNil)
	recorder := httptest.NewRecorder()
	c.Assert(removeRole(recorder, request, nil), check.IsNil)
}
// TestListRoles calls the listRoles handler directly with a nil token and
// checks that the body is the JSON list containing the single "test" role
// with its "app" context.
func (s *S) TestListRoles(c *check.C) {
	_, err := permission.NewRole("test", "app")
	c.Assert(err, check.IsNil)
	request, err := http.NewRequest("GET", "/role", nil)
	c.Assert(err, check.IsNil)
	recorder := httptest.NewRecorder()
	c.Assert(listRoles(recorder, request, nil), check.IsNil)
	const want = `[{"name":"test","context":"app"}]`
	c.Assert(recorder.Body.String(), check.Equals, want)
}
// createTokenForUser logs user in through nativeScheme, creates a role named
// "provisioner-docker-<email><perm>" of the given context type, grants it
// perm, attaches it to user for contextValue, and returns the login token.
// Every step is asserted on c.
func createTokenForUser(user *auth.User, perm, contextType, contextValue string, c *check.C) auth.Token {
	credentials := map[string]string{"email": user.Email, "password": "******"}
	token, err := nativeScheme.Login(credentials)
	c.Assert(err, check.IsNil)
	// The role name embeds e-mail and permission so each call gets its own role.
	roleName := "provisioner-docker-" + user.Email + perm
	role, err := permission.NewRole(roleName, contextType, "")
	c.Assert(err, check.IsNil)
	c.Assert(role.AddPermissions(perm), check.IsNil)
	c.Assert(user.AddRole(role.Name, contextValue), check.IsNil)
	return token
}
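// addRole creates a role from a JSON request body of the form
// {"name": "...", "context": "..."}.
//
// It returns any error from reading the body, decoding it, or
// permission.NewRole, and nil on success. The response body is left empty.
//
// NOTE(review): the t auth.Token parameter is never consulted, so this
// handler performs no authorization of its own; the route must be guarded
// elsewhere (a sibling variant of addRole calls permission.Check with
// permission.PermRoleCreate before doing anything).
//
// Fixes: the address-of operator in the Unmarshal call was mis-encoded in
// the listing and the decode error was overwritten unread, so a malformed
// body silently created a role with empty name and context; the body is
// now also bounded so an oversized payload cannot be buffered whole.
func addRole(w http.ResponseWriter, r *http.Request, t auth.Token) error {
	defer r.Body.Close()
	// Constructed limit; a role definition is a few hundred bytes at most.
	const maxBodyBytes = 1 << 20
	b, err := ioutil.ReadAll(http.MaxBytesReader(w, r.Body, maxBodyBytes))
	if err != nil {
		return err
	}
	var params map[string]string
	if err = json.Unmarshal(b, &params); err != nil {
		return err
	}
	_, err = permission.NewRole(params["name"], params["context"])
	return err
}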
// TestAddPermissionsToARole calls the addPermissions handler directly with a
// JSON body granting app.update to the "test" role and a nil token, and
// checks that it returns no error. The handler is invoked without the
// server, so this covers the update path only, not authorization.
func (s *S) TestAddPermissionsToARole(c *check.C) {
	role, err := permission.NewRole("test", "team")
	c.Assert(err, check.IsNil)
	// Best-effort cleanup; the returned error is intentionally not checked.
	defer permission.DestroyRole(role.Name)
	// The ":name" query parameter mirrors the route parameter the router
	// would normally supply.
	target := fmt.Sprintf("/role/%s/permissions?:name=%s", role.Name, role.Name)
	payload := bytes.NewBufferString(`{"permissions": ["app.update"]}`)
	request, err := http.NewRequest("POST", target, payload)
	c.Assert(err, check.IsNil)
	recorder := httptest.NewRecorder()
	c.Assert(addPermissions(recorder, request, nil), check.IsNil)
}
// TestRemoveRoleUnauthorized issues DELETE /roles/test with a token that
// carries no permissions at all and checks that the server answers 403.
func (s *S) TestRemoveRoleUnauthorized(c *check.C) {
	_, err := permission.NewRole("test", "app")
	c.Assert(err, check.IsNil)
	// A valid token with an empty permission set.
	token := userWithPermission(c)
	request, err := http.NewRequest("DELETE", "/roles/test", nil)
	c.Assert(err, check.IsNil)
	request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	request.Header.Set("Authorization", "bearer "+token.GetValue())
	recorder := httptest.NewRecorder()
	RunServer(true).ServeHTTP(recorder, request)
	c.Assert(recorder.Code, check.Equals, http.StatusForbidden)
}
// TestAddRolesForEvent registers r1 for the team-create event and checks that
// AddRolesForEvent(RoleEventTeamCreate, "team1") attaches exactly that role
// instance to the user, as seen through GetUserByEmail.
func (s *S) TestAddRolesForEvent(c *check.C) {
	role, err := permission.NewRole("r1", "team", "")
	c.Assert(err, check.IsNil)
	c.Assert(role.AddEvent(permission.RoleEventTeamCreate.String()), check.IsNil)
	user := User{Email: "*****@*****.**", Password: "******"}
	c.Assert(user.Create(), check.IsNil)
	c.Assert(user.AddRolesForEvent(permission.RoleEventTeamCreate, "team1"), check.IsNil)
	stored, err := GetUserByEmail(user.Email)
	c.Assert(err, check.IsNil)
	c.Assert(stored.Roles, check.DeepEquals, []RoleInstance{{Name: "r1", ContextValue: "team1"}})
}
// addSuperRole makes sure a global role named "AllowAll" exists, grants it
// the "*" permission and attaches it to u with an empty context value.
//
// Any error from FindRole is treated as "absent" and triggers creation;
// AddPermissions runs on every call, not only when the role is new.
//
// NOTE(review): "*" under CtxGlobal reads as an unrestricted grant. Keep this
// on bootstrap/admin paths only; it must not be reachable from ordinary
// request handling.
func addSuperRole(u *auth.User) error {
	const roleName = "AllowAll"
	role, err := permission.FindRole(roleName)
	if err != nil {
		// Presumably not found; create it.
		if role, err = permission.NewRole(roleName, string(permission.CtxGlobal), ""); err != nil {
			return err
		}
	}
	if err := role.AddPermissions("*"); err != nil {
		return err
	}
	return u.AddRole(roleName, "")
}
// createToken recreates the platform-admin fixture user with unlimited quota,
// logs it in, gives it a global "platform-admin" role holding the "*"
// permission, and returns the login token. Every step except the initial
// Remove is asserted on c.
func createToken(c *check.C) auth.Token {
	admin := &auth.User{
		Email:    "platform-admin@groundcontrol.com",
		Password: "******",
		Quota:    quota.Unlimited,
	}
	// Best-effort reset of a leftover fixture; the error is deliberately
	// ignored because the user usually does not exist yet.
	nativeScheme.Remove(admin)
	_, err := nativeScheme.Create(admin)
	c.Assert(err, check.IsNil)
	credentials := map[string]string{"email": admin.Email, "password": "******"}
	token, err := nativeScheme.Login(credentials)
	c.Assert(err, check.IsNil)
	// "*" under a global context is an unrestricted grant; test fixture only.
	role, err := permission.NewRole("platform-admin", string(permission.CtxGlobal))
	c.Assert(err, check.IsNil)
	c.Assert(role.AddPermissions("*"), check.IsNil)
	c.Assert(admin.AddRole(role.Name, ""), check.IsNil)
	return token
}