github.com/Pankov404/juju@v0.0.0-20150703034450-be266991dceb/apiserver/usermanager/usermanager_test.go (about) 1 // Copyright 2014 Canonical Ltd. 2 // Licensed under the AGPLv3, see LICENCE file for details. 3 4 package usermanager_test 5 6 import ( 7 "github.com/juju/errors" 8 "github.com/juju/names" 9 jc "github.com/juju/testing/checkers" 10 gc "gopkg.in/check.v1" 11 12 commontesting "github.com/juju/juju/apiserver/common/testing" 13 "github.com/juju/juju/apiserver/params" 14 apiservertesting "github.com/juju/juju/apiserver/testing" 15 "github.com/juju/juju/apiserver/usermanager" 16 jujutesting "github.com/juju/juju/juju/testing" 17 "github.com/juju/juju/testing/factory" 18 ) 19 20 type userManagerSuite struct { 21 jujutesting.JujuConnSuite 22 23 usermanager *usermanager.UserManagerAPI 24 authorizer apiservertesting.FakeAuthorizer 25 adminName string 26 27 commontesting.BlockHelper 28 } 29 30 var _ = gc.Suite(&userManagerSuite{}) 31 32 func (s *userManagerSuite) SetUpTest(c *gc.C) { 33 s.JujuConnSuite.SetUpTest(c) 34 35 adminTag := s.AdminUserTag(c) 36 s.adminName = adminTag.Name() 37 s.authorizer = apiservertesting.FakeAuthorizer{ 38 Tag: adminTag, 39 } 40 var err error 41 s.usermanager, err = usermanager.NewUserManagerAPI(s.State, nil, s.authorizer) 42 c.Assert(err, jc.ErrorIsNil) 43 44 s.BlockHelper = commontesting.NewBlockHelper(s.APIState) 45 s.AddCleanup(func(*gc.C) { s.BlockHelper.Close() }) 46 } 47 48 func (s *userManagerSuite) TestNewUserManagerAPIRefusesNonClient(c *gc.C) { 49 anAuthoriser := s.authorizer 50 anAuthoriser.Tag = names.NewMachineTag("1") 51 endPoint, err := usermanager.NewUserManagerAPI(s.State, nil, anAuthoriser) 52 c.Assert(endPoint, gc.IsNil) 53 c.Assert(err, gc.ErrorMatches, "permission denied") 54 } 55 56 func (s *userManagerSuite) TestAddUser(c *gc.C) { 57 args := params.AddUsers{ 58 Users: []params.AddUser{{ 59 Username: "foobar", 60 DisplayName: "Foo Bar", 61 Password: "password", 62 }}} 63 64 result, err := s.usermanager.AddUser(args) 65 // Check that the call is succesful 66 c.Assert(err, jc.ErrorIsNil) 67 c.Assert(result.Results, gc.HasLen, 1) 68 foobarTag := names.NewLocalUserTag("foobar") 69 c.Assert(result.Results[0], gc.DeepEquals, params.AddUserResult{ 70 Tag: foobarTag.String()}) 71 // Check that the call results in a new user being created 72 user, err := s.State.User(foobarTag) 73 c.Assert(err, jc.ErrorIsNil) 74 c.Assert(user, gc.NotNil) 75 c.Assert(user.Name(), gc.Equals, "foobar") 76 c.Assert(user.DisplayName(), gc.Equals, "Foo Bar") 77 } 78 79 func (s *userManagerSuite) TestBlockAddUser(c *gc.C) { 80 args := params.AddUsers{ 81 Users: []params.AddUser{{ 82 Username: "foobar", 83 DisplayName: "Foo Bar", 84 Password: "password", 85 }}} 86 87 s.BlockAllChanges(c, "TestBlockAddUser") 88 result, err := s.usermanager.AddUser(args) 89 // Check that the call is blocked 90 s.AssertBlocked(c, err, "TestBlockAddUser") 91 c.Assert(result.Results, gc.HasLen, 1) 92 //check that user is not created 93 foobarTag := names.NewLocalUserTag("foobar") 94 c.Assert(result.Results[0], gc.DeepEquals, params.AddUserResult{}) 95 // Check that the call results in a new user being created 96 _, err = s.State.User(foobarTag) 97 c.Assert(err, gc.ErrorMatches, `user "foobar" not found`) 98 } 99 100 func (s *userManagerSuite) TestAddUserAsNormalUser(c *gc.C) { 101 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 102 usermanager, err := usermanager.NewUserManagerAPI( 103 s.State, nil, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 104 c.Assert(err, jc.ErrorIsNil) 105 106 args := params.AddUsers{ 107 Users: []params.AddUser{{ 108 Username: "foobar", 109 DisplayName: "Foo Bar", 110 Password: "password", 111 }}} 112 113 _, err = usermanager.AddUser(args) 114 c.Assert(err, gc.ErrorMatches, "permission denied") 115 116 _, err = s.State.User(names.NewLocalUserTag("foobar")) 117 c.Assert(err, jc.Satisfies, errors.IsNotFound) 118 } 119 120 func (s *userManagerSuite) TestDisableUser(c *gc.C) { 121 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 122 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 123 124 args := params.Entities{ 125 Entities: []params.Entity{ 126 {alex.Tag().String()}, 127 {barb.Tag().String()}, 128 {names.NewLocalUserTag("ellie").String()}, 129 {names.NewUserTag("fred@remote").String()}, 130 {"not-a-tag"}, 131 }} 132 result, err := s.usermanager.DisableUser(args) 133 c.Assert(err, jc.ErrorIsNil) 134 c.Assert(result, gc.DeepEquals, params.ErrorResults{ 135 Results: []params.ErrorResult{ 136 {Error: nil}, 137 {Error: nil}, 138 {Error: ¶ms.Error{ 139 Message: "permission denied", 140 Code: params.CodeUnauthorized, 141 }}, 142 {Error: ¶ms.Error{ 143 Message: "permission denied", 144 Code: params.CodeUnauthorized, 145 }}, 146 {Error: ¶ms.Error{ 147 Message: `"not-a-tag" is not a valid tag`, 148 }}, 149 }}) 150 err = alex.Refresh() 151 c.Assert(err, jc.ErrorIsNil) 152 c.Assert(alex.IsDisabled(), jc.IsTrue) 153 154 err = barb.Refresh() 155 c.Assert(err, jc.ErrorIsNil) 156 c.Assert(barb.IsDisabled(), jc.IsTrue) 157 } 158 159 func (s *userManagerSuite) TestBlockDisableUser(c *gc.C) { 160 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 161 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 162 163 args := params.Entities{ 164 Entities: []params.Entity{ 165 {alex.Tag().String()}, 166 {barb.Tag().String()}, 167 {names.NewLocalUserTag("ellie").String()}, 168 {names.NewUserTag("fred@remote").String()}, 169 {"not-a-tag"}, 170 }} 171 172 s.BlockAllChanges(c, "TestBlockDisableUser") 173 _, err := s.usermanager.DisableUser(args) 174 // Check that the call is blocked 175 s.AssertBlocked(c, err, "TestBlockDisableUser") 176 177 err = alex.Refresh() 178 c.Assert(err, jc.ErrorIsNil) 179 c.Assert(alex.IsDisabled(), jc.IsFalse) 180 181 err = barb.Refresh() 182 c.Assert(err, jc.ErrorIsNil) 183 c.Assert(barb.IsDisabled(), jc.IsTrue) 184 } 185 186 func (s *userManagerSuite) TestEnableUser(c *gc.C) { 187 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 188 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 189 190 args := params.Entities{ 191 Entities: []params.Entity{ 192 {alex.Tag().String()}, 193 {barb.Tag().String()}, 194 {names.NewLocalUserTag("ellie").String()}, 195 {names.NewUserTag("fred@remote").String()}, 196 {"not-a-tag"}, 197 }} 198 result, err := s.usermanager.EnableUser(args) 199 c.Assert(err, jc.ErrorIsNil) 200 c.Assert(result, gc.DeepEquals, params.ErrorResults{ 201 Results: []params.ErrorResult{ 202 {Error: nil}, 203 {Error: nil}, 204 {Error: ¶ms.Error{ 205 Message: "permission denied", 206 Code: params.CodeUnauthorized, 207 }}, 208 {Error: ¶ms.Error{ 209 Message: "permission denied", 210 Code: params.CodeUnauthorized, 211 }}, 212 {Error: ¶ms.Error{ 213 Message: `"not-a-tag" is not a valid tag`, 214 }}, 215 }}) 216 err = alex.Refresh() 217 c.Assert(err, jc.ErrorIsNil) 218 c.Assert(alex.IsDisabled(), jc.IsFalse) 219 220 err = barb.Refresh() 221 c.Assert(err, jc.ErrorIsNil) 222 c.Assert(barb.IsDisabled(), jc.IsFalse) 223 } 224 225 func (s *userManagerSuite) TestBlockEnableUser(c *gc.C) { 226 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 227 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 228 229 args := params.Entities{ 230 Entities: []params.Entity{ 231 {alex.Tag().String()}, 232 {barb.Tag().String()}, 233 {names.NewLocalUserTag("ellie").String()}, 234 {names.NewUserTag("fred@remote").String()}, 235 {"not-a-tag"}, 236 }} 237 238 s.BlockAllChanges(c, "TestBlockEnableUser") 239 _, err := s.usermanager.EnableUser(args) 240 // Check that the call is blocked 241 s.AssertBlocked(c, err, "TestBlockEnableUser") 242 243 err = alex.Refresh() 244 c.Assert(err, jc.ErrorIsNil) 245 c.Assert(alex.IsDisabled(), jc.IsFalse) 246 247 err = barb.Refresh() 248 c.Assert(err, jc.ErrorIsNil) 249 c.Assert(barb.IsDisabled(), jc.IsTrue) 250 } 251 252 func (s *userManagerSuite) TestDisableUserAsNormalUser(c *gc.C) { 253 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 254 usermanager, err := usermanager.NewUserManagerAPI( 255 s.State, nil, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 256 c.Assert(err, jc.ErrorIsNil) 257 258 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb"}) 259 260 args := params.Entities{ 261 []params.Entity{{barb.Tag().String()}}, 262 } 263 _, err = usermanager.DisableUser(args) 264 c.Assert(err, gc.ErrorMatches, "permission denied") 265 266 err = barb.Refresh() 267 c.Assert(err, jc.ErrorIsNil) 268 c.Assert(barb.IsDisabled(), jc.IsFalse) 269 } 270 271 func (s *userManagerSuite) TestEnableUserAsNormalUser(c *gc.C) { 272 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 273 usermanager, err := usermanager.NewUserManagerAPI( 274 s.State, nil, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 275 c.Assert(err, jc.ErrorIsNil) 276 277 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 278 279 args := params.Entities{ 280 []params.Entity{{barb.Tag().String()}}, 281 } 282 _, err = usermanager.EnableUser(args) 283 c.Assert(err, gc.ErrorMatches, "permission denied") 284 285 err = barb.Refresh() 286 c.Assert(err, jc.ErrorIsNil) 287 c.Assert(barb.IsDisabled(), jc.IsTrue) 288 } 289 290 func (s *userManagerSuite) TestUserInfo(c *gc.C) { 291 userFoo := s.Factory.MakeUser(c, &factory.UserParams{Name: "foobar", DisplayName: "Foo Bar"}) 292 userBar := s.Factory.MakeUser(c, &factory.UserParams{Name: "barfoo", DisplayName: "Bar Foo", Disabled: true}) 293 294 args := params.UserInfoRequest{ 295 Entities: []params.Entity{ 296 { 297 Tag: userFoo.Tag().String(), 298 }, { 299 Tag: userBar.Tag().String(), 300 }, { 301 Tag: names.NewLocalUserTag("ellie").String(), 302 }, { 303 Tag: names.NewUserTag("not@remote").String(), 304 }, { 305 Tag: "not-a-tag", 306 }, 307 }} 308 309 results, err := s.usermanager.UserInfo(args) 310 c.Assert(err, jc.ErrorIsNil) 311 expected := params.UserInfoResults{ 312 Results: []params.UserInfoResult{ 313 { 314 Result: ¶ms.UserInfo{ 315 Username: "foobar", 316 DisplayName: "Foo Bar", 317 CreatedBy: s.adminName, 318 DateCreated: userFoo.DateCreated(), 319 LastConnection: userFoo.LastLogin(), 320 }, 321 }, { 322 Result: ¶ms.UserInfo{ 323 Username: "barfoo", 324 DisplayName: "Bar Foo", 325 CreatedBy: s.adminName, 326 DateCreated: userBar.DateCreated(), 327 LastConnection: userBar.LastLogin(), 328 Disabled: true, 329 }, 330 }, { 331 Error: ¶ms.Error{ 332 Message: "permission denied", 333 Code: params.CodeUnauthorized, 334 }, 335 }, { 336 Error: ¶ms.Error{ 337 Message: "permission denied", 338 Code: params.CodeUnauthorized, 339 }, 340 }, { 341 Error: ¶ms.Error{ 342 Message: `"not-a-tag" is not a valid tag`, 343 }, 344 }}, 345 } 346 347 c.Assert(results, jc.DeepEquals, expected) 348 } 349 350 func (s *userManagerSuite) TestUserInfoAll(c *gc.C) { 351 admin, err := s.State.User(s.AdminUserTag(c)) 352 c.Assert(err, jc.ErrorIsNil) 353 userFoo := s.Factory.MakeUser(c, &factory.UserParams{Name: "foobar", DisplayName: "Foo Bar"}) 354 userBar := s.Factory.MakeUser(c, &factory.UserParams{Name: "barfoo", DisplayName: "Bar Foo", Disabled: true}) 355 356 args := params.UserInfoRequest{IncludeDisabled: true} 357 results, err := s.usermanager.UserInfo(args) 358 c.Assert(err, jc.ErrorIsNil) 359 expected := params.UserInfoResults{ 360 Results: []params.UserInfoResult{ 361 { 362 Result: ¶ms.UserInfo{ 363 Username: "barfoo", 364 DisplayName: "Bar Foo", 365 CreatedBy: s.adminName, 366 DateCreated: userBar.DateCreated(), 367 LastConnection: userBar.LastLogin(), 368 Disabled: true, 369 }, 370 }, { 371 Result: ¶ms.UserInfo{ 372 Username: s.adminName, 373 DisplayName: admin.DisplayName(), 374 CreatedBy: s.adminName, 375 DateCreated: admin.DateCreated(), 376 LastConnection: admin.LastLogin(), 377 }, 378 }, { 379 Result: ¶ms.UserInfo{ 380 Username: "foobar", 381 DisplayName: "Foo Bar", 382 CreatedBy: s.adminName, 383 DateCreated: userFoo.DateCreated(), 384 LastConnection: userFoo.LastLogin(), 385 }, 386 }}, 387 } 388 c.Assert(results, jc.DeepEquals, expected) 389 390 results, err = s.usermanager.UserInfo(params.UserInfoRequest{}) 391 c.Assert(err, jc.ErrorIsNil) 392 // Same results as before, but without the deactivated barfoo user 393 expected.Results = expected.Results[1:] 394 c.Assert(results, jc.DeepEquals, expected) 395 } 396 397 func (s *userManagerSuite) TestSetPassword(c *gc.C) { 398 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 399 400 args := params.EntityPasswords{ 401 Changes: []params.EntityPassword{{ 402 Tag: alex.Tag().String(), 403 Password: "new-password", 404 }}} 405 results, err := s.usermanager.SetPassword(args) 406 c.Assert(err, jc.ErrorIsNil) 407 c.Assert(results.Results, gc.HasLen, 1) 408 c.Assert(results.Results[0], gc.DeepEquals, params.ErrorResult{Error: nil}) 409 410 err = alex.Refresh() 411 c.Assert(err, jc.ErrorIsNil) 412 413 c.Assert(alex.PasswordValid("new-password"), jc.IsTrue) 414 } 415 416 func (s *userManagerSuite) TestBlockSetPassword(c *gc.C) { 417 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 418 419 args := params.EntityPasswords{ 420 Changes: []params.EntityPassword{{ 421 Tag: alex.Tag().String(), 422 Password: "new-password", 423 }}} 424 425 s.BlockAllChanges(c, "TestBlockSetPassword") 426 _, err := s.usermanager.SetPassword(args) 427 // Check that the call is blocked 428 s.AssertBlocked(c, err, "TestBlockSetPassword") 429 430 err = alex.Refresh() 431 c.Assert(err, jc.ErrorIsNil) 432 433 c.Assert(alex.PasswordValid("new-password"), jc.IsFalse) 434 } 435 436 func (s *userManagerSuite) TestSetPasswordForSelf(c *gc.C) { 437 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 438 usermanager, err := usermanager.NewUserManagerAPI( 439 s.State, nil, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 440 c.Assert(err, jc.ErrorIsNil) 441 442 args := params.EntityPasswords{ 443 Changes: []params.EntityPassword{{ 444 Tag: alex.Tag().String(), 445 Password: "new-password", 446 }}} 447 results, err := usermanager.SetPassword(args) 448 c.Assert(err, jc.ErrorIsNil) 449 c.Assert(results.Results, gc.HasLen, 1) 450 c.Assert(results.Results[0], gc.DeepEquals, params.ErrorResult{Error: nil}) 451 452 err = alex.Refresh() 453 c.Assert(err, jc.ErrorIsNil) 454 455 c.Assert(alex.PasswordValid("new-password"), jc.IsTrue) 456 } 457 458 func (s *userManagerSuite) TestSetPasswordForOther(c *gc.C) { 459 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 460 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb"}) 461 usermanager, err := usermanager.NewUserManagerAPI( 462 s.State, nil, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 463 c.Assert(err, jc.ErrorIsNil) 464 465 args := params.EntityPasswords{ 466 Changes: []params.EntityPassword{{ 467 Tag: barb.Tag().String(), 468 Password: "new-password", 469 }}} 470 results, err := usermanager.SetPassword(args) 471 c.Assert(err, jc.ErrorIsNil) 472 c.Assert(results.Results, gc.HasLen, 1) 473 c.Assert(results.Results[0], gc.DeepEquals, params.ErrorResult{ 474 Error: ¶ms.Error{ 475 Message: "permission denied", 476 Code: params.CodeUnauthorized, 477 }}) 478 479 err = barb.Refresh() 480 c.Assert(err, jc.ErrorIsNil) 481 482 c.Assert(barb.PasswordValid("new-password"), jc.IsFalse) 483 }