func (s *S) TestAddPermissionsToARoleSyncGitRepository(c *check.C) {
_, err := permission.NewRole("test", "team")
c.Assert(err, check.IsNil)
user := &auth.User{Email: "*****@*****.**", Password: "******"}
_, err = nativeScheme.Create(user)
c.Assert(err, check.IsNil)
err = user.AddRole("test", s.team.Name)
c.Assert(err, check.IsNil)
a := app.App{Name: "myapp", TeamOwner: s.team.Name}
err = app.CreateApp(&a, s.user)
c.Assert(err, check.IsNil)
users, err := repositorytest.Granted("myapp")
c.Assert(err, check.IsNil)
c.Assert(users, check.DeepEquals, []string{s.user.Email})
rec := httptest.NewRecorder()
b := bytes.NewBufferString(`permission=app.update&permission=app.deploy`)
req, err := http.NewRequest("POST", "/roles/test/permissions", b)
c.Assert(err, check.IsNil)
token := userWithPermission(c, permission.Permission{
Scheme: permission.PermRoleUpdate,
Context: permission.Context(permission.CtxGlobal, ""),
})
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Authorization", "bearer "+token.GetValue())
server := RunServer(true)
server.ServeHTTP(rec, req)
c.Assert(rec.Code, check.Equals, http.StatusOK)
users, err = repositorytest.Granted("myapp")
c.Assert(err, check.IsNil)
c.Assert(users, check.DeepEquals, []string{s.user.Email, user.Email})
}
func (s *S) BenchmarkAddPermissionToRoleWithoutDeploy(c *check.C) {
s.benchmarkAddPermissionToRole(c, `permission=app.update&permission=app.read`)
users, err := repositorytest.Granted("myapp")
c.Assert(err, check.IsNil)
sort.Strings(users)
c.Assert(users, check.DeepEquals, []string{s.user.Email})
}
func (s *S) TestRemovePermissionsFromRoleSyncGitRepository(c *check.C) {
r, err := permission.NewRole("test", "team")
c.Assert(err, check.IsNil)
defer permission.DestroyRole(r.Name)
err = r.AddPermissions("app.deploy")
c.Assert(err, check.IsNil)
user := &auth.User{Email: "*****@*****.**", Password: "******"}
_, err = nativeScheme.Create(user)
c.Assert(err, check.IsNil)
err = user.AddRole("test", s.team.Name)
c.Assert(err, check.IsNil)
a := app.App{Name: "myapp", TeamOwner: s.team.Name}
err = app.CreateApp(&a, s.user)
err = repository.Manager().GrantAccess(a.Name, user.Email)
c.Assert(err, check.IsNil)
rec := httptest.NewRecorder()
req, err := http.NewRequest("DELETE", "/roles/test/permissions/app.deploy", nil)
c.Assert(err, check.IsNil)
token := userWithPermission(c, permission.Permission{
Scheme: permission.PermRoleUpdate,
Context: permission.Context(permission.CtxGlobal, ""),
})
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Authorization", "bearer "+token.GetValue())
server := RunServer(true)
server.ServeHTTP(rec, req)
c.Assert(rec.Code, check.Equals, http.StatusOK)
r, err = permission.FindRole("test")
c.Assert(err, check.IsNil)
c.Assert(r.SchemeNames, check.DeepEquals, []string{})
users, err := repositorytest.Granted(a.Name)
c.Assert(err, check.IsNil)
c.Assert(users, check.DeepEquals, []string{s.user.Email})
}
func (s *S) TestAssignRoleCheckGandalf(c *check.C) {
role, err := permission.NewRole("test", "app", "")
c.Assert(err, check.IsNil)
err = role.AddPermissions("app.deploy")
c.Assert(err, check.IsNil)
emptyToken := customUserWithPermission(c, "user2")
a := app.App{Name: "myapp", TeamOwner: s.team.Name}
err = app.CreateApp(&a, s.user)
c.Assert(err, check.IsNil)
roleBody := bytes.NewBufferString(fmt.Sprintf("email=%s&context=myapp", emptyToken.GetUserName()))
req, err := http.NewRequest("POST", "/roles/test/user", roleBody)
c.Assert(err, check.IsNil)
token := customUserWithPermission(c, "user1", permission.Permission{
Scheme: permission.PermRoleUpdateAssign,
Context: permission.Context(permission.CtxGlobal, ""),
}, permission.Permission{
Scheme: permission.PermAppDeploy,
Context: permission.Context(permission.CtxApp, "myapp"),
})
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Authorization", "bearer "+token.GetValue())
recorder := httptest.NewRecorder()
server := RunServer(true)
server.ServeHTTP(recorder, req)
c.Assert(err, check.IsNil)
c.Assert(recorder.Code, check.Equals, http.StatusOK)
emptyUser, err := emptyToken.User()
c.Assert(err, check.IsNil)
users, err := repositorytest.Granted("myapp")
c.Assert(err, check.IsNil)
c.Assert(users, check.DeepEquals, []string{s.user.Email, emptyToken.GetUserName()})
c.Assert(emptyUser.Roles, check.HasLen, 1)
}
func (s *S) BenchmarkAddPermissionToRoleWithDeploy(c *check.C) {
userEmails := s.benchmarkAddPermissionToRole(c, `permission=app.update&permission=app.deploy`)
users, err := repositorytest.Granted("myapp")
c.Assert(err, check.IsNil)
userEmails = append(userEmails, s.user.Email)
sort.Strings(users)
sort.Strings(userEmails)
c.Assert(users, check.DeepEquals, userEmails)
}
func (s *S) TestDissociateRoleCheckGandalf(c *check.C) {
role, err := permission.NewRole("test", "app", "")
c.Assert(err, check.IsNil)
err = role.AddPermissions("app.deploy")
c.Assert(err, check.IsNil)
otherToken := customUserWithPermission(c, "user2")
otherUser, err := otherToken.User()
c.Assert(err, check.IsNil)
a := app.App{Name: "myapp", TeamOwner: s.team.Name}
err = app.CreateApp(&a, s.user)
c.Assert(err, check.IsNil)
err = otherUser.AddRole(role.Name, "myapp")
c.Assert(err, check.IsNil)
url := fmt.Sprintf("/roles/test/user/%s?context=myapp", otherToken.GetUserName())
req, err := http.NewRequest("DELETE", url, nil)
c.Assert(err, check.IsNil)
token := customUserWithPermission(c, "user1", permission.Permission{
Scheme: permission.PermRoleUpdateDissociate,
Context: permission.Context(permission.CtxGlobal, ""),
}, permission.Permission{
Scheme: permission.PermAppDeploy,
Context: permission.Context(permission.CtxApp, "myapp"),
})
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Authorization", "bearer "+token.GetValue())
recorder := httptest.NewRecorder()
server := RunServer(true)
server.ServeHTTP(recorder, req)
c.Assert(err, check.IsNil)
c.Assert(recorder.Code, check.Equals, http.StatusOK)
otherUser, err = otherToken.User()
c.Assert(err, check.IsNil)
c.Assert(otherUser.Roles, check.HasLen, 0)
users, err := repositorytest.Granted("myapp")
c.Assert(err, check.IsNil)
c.Assert(users, check.DeepEquals, []string{s.user.Email})
}