github.com/altoros/juju-vmware@v0.0.0-20150312064031-f19ae857ccca/apiserver/usermanager/usermanager_test.go (about) 1 // Copyright 2014 Canonical Ltd. 2 // Licensed under the AGPLv3, see LICENCE file for details. 3 4 package usermanager_test 5 6 import ( 7 "github.com/juju/errors" 8 "github.com/juju/names" 9 jc "github.com/juju/testing/checkers" 10 gc "gopkg.in/check.v1" 11 12 "github.com/juju/juju/apiserver/common" 13 "github.com/juju/juju/apiserver/params" 14 apiservertesting "github.com/juju/juju/apiserver/testing" 15 "github.com/juju/juju/apiserver/usermanager" 16 jujutesting "github.com/juju/juju/juju/testing" 17 "github.com/juju/juju/testing/factory" 18 ) 19 20 type userManagerSuite struct { 21 jujutesting.JujuConnSuite 22 23 usermanager *usermanager.UserManagerAPI 24 authorizer apiservertesting.FakeAuthorizer 25 adminName string 26 } 27 28 var _ = gc.Suite(&userManagerSuite{}) 29 30 func (s *userManagerSuite) SetUpTest(c *gc.C) { 31 s.JujuConnSuite.SetUpTest(c) 32 33 adminTag := s.AdminUserTag(c) 34 s.adminName = adminTag.Name() 35 s.authorizer = apiservertesting.FakeAuthorizer{ 36 Tag: adminTag, 37 } 38 var err error 39 s.usermanager, err = usermanager.NewUserManagerAPI(s.State, nil, s.authorizer) 40 c.Assert(err, jc.ErrorIsNil) 41 } 42 43 func (s *userManagerSuite) TestNewUserManagerAPIRefusesNonClient(c *gc.C) { 44 anAuthoriser := s.authorizer 45 anAuthoriser.Tag = names.NewMachineTag("1") 46 endPoint, err := usermanager.NewUserManagerAPI(s.State, nil, anAuthoriser) 47 c.Assert(endPoint, gc.IsNil) 48 c.Assert(err, gc.ErrorMatches, "permission denied") 49 } 50 51 func (s *userManagerSuite) TestAddUser(c *gc.C) { 52 args := params.AddUsers{ 53 Users: []params.AddUser{{ 54 Username: "foobar", 55 DisplayName: "Foo Bar", 56 Password: "password", 57 }}} 58 59 result, err := s.usermanager.AddUser(args) 60 // Check that the call is succesful 61 c.Assert(err, jc.ErrorIsNil) 62 c.Assert(result.Results, gc.HasLen, 1) 63 foobarTag := names.NewLocalUserTag("foobar") 64 c.Assert(result.Results[0], gc.DeepEquals, params.AddUserResult{ 65 Tag: foobarTag.String()}) 66 // Check that the call results in a new user being created 67 user, err := s.State.User(foobarTag) 68 c.Assert(err, jc.ErrorIsNil) 69 c.Assert(user, gc.NotNil) 70 c.Assert(user.Name(), gc.Equals, "foobar") 71 c.Assert(user.DisplayName(), gc.Equals, "Foo Bar") 72 } 73 74 func (s *userManagerSuite) TestBlockAddUser(c *gc.C) { 75 args := params.AddUsers{ 76 Users: []params.AddUser{{ 77 Username: "foobar", 78 DisplayName: "Foo Bar", 79 Password: "password", 80 }}} 81 82 s.AssertConfigParameterUpdated(c, "block-all-changes", true) 83 result, err := s.usermanager.AddUser(args) 84 // Check that the call is blocked 85 c.Assert(errors.Cause(err), gc.ErrorMatches, common.ErrOperationBlocked.Error()) 86 c.Assert(result.Results, gc.HasLen, 1) 87 //check that user is not created 88 foobarTag := names.NewLocalUserTag("foobar") 89 c.Assert(result.Results[0], gc.DeepEquals, params.AddUserResult{}) 90 // Check that the call results in a new user being created 91 _, err = s.State.User(foobarTag) 92 c.Assert(err, gc.ErrorMatches, `user "foobar" not found`) 93 } 94 95 func (s *userManagerSuite) TestAddUserAsNormalUser(c *gc.C) { 96 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 97 usermanager, err := usermanager.NewUserManagerAPI( 98 s.State, nil, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 99 c.Assert(err, jc.ErrorIsNil) 100 101 args := params.AddUsers{ 102 Users: []params.AddUser{{ 103 Username: "foobar", 104 DisplayName: "Foo Bar", 105 Password: "password", 106 }}} 107 108 _, err = usermanager.AddUser(args) 109 c.Assert(err, gc.ErrorMatches, "permission denied") 110 111 _, err = s.State.User(names.NewLocalUserTag("foobar")) 112 c.Assert(err, jc.Satisfies, errors.IsNotFound) 113 } 114 115 func (s *userManagerSuite) TestDisableUser(c *gc.C) { 116 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 117 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 118 119 args := params.Entities{ 120 Entities: []params.Entity{ 121 {alex.Tag().String()}, 122 {barb.Tag().String()}, 123 {names.NewLocalUserTag("ellie").String()}, 124 {names.NewUserTag("fred@remote").String()}, 125 {"not-a-tag"}, 126 }} 127 result, err := s.usermanager.DisableUser(args) 128 c.Assert(err, jc.ErrorIsNil) 129 c.Assert(result, gc.DeepEquals, params.ErrorResults{ 130 Results: []params.ErrorResult{ 131 {Error: nil}, 132 {Error: nil}, 133 {Error: ¶ms.Error{ 134 Message: "permission denied", 135 Code: params.CodeUnauthorized, 136 }}, 137 {Error: ¶ms.Error{ 138 Message: "permission denied", 139 Code: params.CodeUnauthorized, 140 }}, 141 {Error: ¶ms.Error{ 142 Message: `"not-a-tag" is not a valid tag`, 143 }}, 144 }}) 145 err = alex.Refresh() 146 c.Assert(err, jc.ErrorIsNil) 147 c.Assert(alex.IsDisabled(), jc.IsTrue) 148 149 err = barb.Refresh() 150 c.Assert(err, jc.ErrorIsNil) 151 c.Assert(barb.IsDisabled(), jc.IsTrue) 152 } 153 154 func (s *userManagerSuite) TestBlockDisableUser(c *gc.C) { 155 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 156 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 157 158 args := params.Entities{ 159 Entities: []params.Entity{ 160 {alex.Tag().String()}, 161 {barb.Tag().String()}, 162 {names.NewLocalUserTag("ellie").String()}, 163 {names.NewUserTag("fred@remote").String()}, 164 {"not-a-tag"}, 165 }} 166 167 s.AssertConfigParameterUpdated(c, "block-all-changes", true) 168 _, err := s.usermanager.DisableUser(args) 169 // Check that the call is blocked 170 c.Assert(errors.Cause(err), gc.ErrorMatches, common.ErrOperationBlocked.Error()) 171 172 err = alex.Refresh() 173 c.Assert(err, jc.ErrorIsNil) 174 c.Assert(alex.IsDisabled(), jc.IsFalse) 175 176 err = barb.Refresh() 177 c.Assert(err, jc.ErrorIsNil) 178 c.Assert(barb.IsDisabled(), jc.IsTrue) 179 } 180 181 func (s *userManagerSuite) TestEnableUser(c *gc.C) { 182 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 183 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 184 185 args := params.Entities{ 186 Entities: []params.Entity{ 187 {alex.Tag().String()}, 188 {barb.Tag().String()}, 189 {names.NewLocalUserTag("ellie").String()}, 190 {names.NewUserTag("fred@remote").String()}, 191 {"not-a-tag"}, 192 }} 193 result, err := s.usermanager.EnableUser(args) 194 c.Assert(err, jc.ErrorIsNil) 195 c.Assert(result, gc.DeepEquals, params.ErrorResults{ 196 Results: []params.ErrorResult{ 197 {Error: nil}, 198 {Error: nil}, 199 {Error: ¶ms.Error{ 200 Message: "permission denied", 201 Code: params.CodeUnauthorized, 202 }}, 203 {Error: ¶ms.Error{ 204 Message: "permission denied", 205 Code: params.CodeUnauthorized, 206 }}, 207 {Error: ¶ms.Error{ 208 Message: `"not-a-tag" is not a valid tag`, 209 }}, 210 }}) 211 err = alex.Refresh() 212 c.Assert(err, jc.ErrorIsNil) 213 c.Assert(alex.IsDisabled(), jc.IsFalse) 214 215 err = barb.Refresh() 216 c.Assert(err, jc.ErrorIsNil) 217 c.Assert(barb.IsDisabled(), jc.IsFalse) 218 } 219 220 func (s *userManagerSuite) TestBlockEnableUser(c *gc.C) { 221 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 222 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 223 224 args := params.Entities{ 225 Entities: []params.Entity{ 226 {alex.Tag().String()}, 227 {barb.Tag().String()}, 228 {names.NewLocalUserTag("ellie").String()}, 229 {names.NewUserTag("fred@remote").String()}, 230 {"not-a-tag"}, 231 }} 232 233 s.AssertConfigParameterUpdated(c, "block-all-changes", true) 234 _, err := s.usermanager.EnableUser(args) 235 // Check that the call is blocked 236 c.Assert(errors.Cause(err), gc.ErrorMatches, common.ErrOperationBlocked.Error()) 237 238 err = alex.Refresh() 239 c.Assert(err, jc.ErrorIsNil) 240 c.Assert(alex.IsDisabled(), jc.IsFalse) 241 242 err = barb.Refresh() 243 c.Assert(err, jc.ErrorIsNil) 244 c.Assert(barb.IsDisabled(), jc.IsTrue) 245 } 246 247 func (s *userManagerSuite) TestDisableUserAsNormalUser(c *gc.C) { 248 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 249 usermanager, err := usermanager.NewUserManagerAPI( 250 s.State, nil, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 251 c.Assert(err, jc.ErrorIsNil) 252 253 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb"}) 254 255 args := params.Entities{ 256 []params.Entity{{barb.Tag().String()}}, 257 } 258 _, err = usermanager.DisableUser(args) 259 c.Assert(err, gc.ErrorMatches, "permission denied") 260 261 err = barb.Refresh() 262 c.Assert(err, jc.ErrorIsNil) 263 c.Assert(barb.IsDisabled(), jc.IsFalse) 264 } 265 266 func (s *userManagerSuite) TestEnableUserAsNormalUser(c *gc.C) { 267 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 268 usermanager, err := usermanager.NewUserManagerAPI( 269 s.State, nil, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 270 c.Assert(err, jc.ErrorIsNil) 271 272 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 273 274 args := params.Entities{ 275 []params.Entity{{barb.Tag().String()}}, 276 } 277 _, err = usermanager.EnableUser(args) 278 c.Assert(err, gc.ErrorMatches, "permission denied") 279 280 err = barb.Refresh() 281 c.Assert(err, jc.ErrorIsNil) 282 c.Assert(barb.IsDisabled(), jc.IsTrue) 283 } 284 285 func (s *userManagerSuite) TestUserInfo(c *gc.C) { 286 userFoo := s.Factory.MakeUser(c, &factory.UserParams{Name: "foobar", DisplayName: "Foo Bar"}) 287 userBar := s.Factory.MakeUser(c, &factory.UserParams{Name: "barfoo", DisplayName: "Bar Foo", Disabled: true}) 288 289 args := params.UserInfoRequest{ 290 Entities: []params.Entity{ 291 { 292 Tag: userFoo.Tag().String(), 293 }, { 294 Tag: userBar.Tag().String(), 295 }, { 296 Tag: names.NewLocalUserTag("ellie").String(), 297 }, { 298 Tag: names.NewUserTag("not@remote").String(), 299 }, { 300 Tag: "not-a-tag", 301 }, 302 }} 303 304 results, err := s.usermanager.UserInfo(args) 305 c.Assert(err, jc.ErrorIsNil) 306 expected := params.UserInfoResults{ 307 Results: []params.UserInfoResult{ 308 { 309 Result: ¶ms.UserInfo{ 310 Username: "foobar", 311 DisplayName: "Foo Bar", 312 CreatedBy: s.adminName, 313 DateCreated: userFoo.DateCreated(), 314 LastConnection: userFoo.LastLogin(), 315 }, 316 }, { 317 Result: ¶ms.UserInfo{ 318 Username: "barfoo", 319 DisplayName: "Bar Foo", 320 CreatedBy: s.adminName, 321 DateCreated: userBar.DateCreated(), 322 LastConnection: userBar.LastLogin(), 323 Disabled: true, 324 }, 325 }, { 326 Error: ¶ms.Error{ 327 Message: "permission denied", 328 Code: params.CodeUnauthorized, 329 }, 330 }, { 331 Error: ¶ms.Error{ 332 Message: "permission denied", 333 Code: params.CodeUnauthorized, 334 }, 335 }, { 336 Error: ¶ms.Error{ 337 Message: `"not-a-tag" is not a valid tag`, 338 }, 339 }}, 340 } 341 342 c.Assert(results, jc.DeepEquals, expected) 343 } 344 345 func (s *userManagerSuite) TestUserInfoAll(c *gc.C) { 346 admin, err := s.State.User(s.AdminUserTag(c)) 347 c.Assert(err, jc.ErrorIsNil) 348 userFoo := s.Factory.MakeUser(c, &factory.UserParams{Name: "foobar", DisplayName: "Foo Bar"}) 349 userBar := s.Factory.MakeUser(c, &factory.UserParams{Name: "barfoo", DisplayName: "Bar Foo", Disabled: true}) 350 351 args := params.UserInfoRequest{IncludeDisabled: true} 352 results, err := s.usermanager.UserInfo(args) 353 c.Assert(err, jc.ErrorIsNil) 354 expected := params.UserInfoResults{ 355 Results: []params.UserInfoResult{ 356 { 357 Result: ¶ms.UserInfo{ 358 Username: "barfoo", 359 DisplayName: "Bar Foo", 360 CreatedBy: s.adminName, 361 DateCreated: userBar.DateCreated(), 362 LastConnection: userBar.LastLogin(), 363 Disabled: true, 364 }, 365 }, { 366 Result: ¶ms.UserInfo{ 367 Username: s.adminName, 368 DisplayName: admin.DisplayName(), 369 CreatedBy: s.adminName, 370 DateCreated: admin.DateCreated(), 371 LastConnection: admin.LastLogin(), 372 }, 373 }, { 374 Result: ¶ms.UserInfo{ 375 Username: "foobar", 376 DisplayName: "Foo Bar", 377 CreatedBy: s.adminName, 378 DateCreated: userFoo.DateCreated(), 379 LastConnection: userFoo.LastLogin(), 380 }, 381 }}, 382 } 383 c.Assert(results, jc.DeepEquals, expected) 384 385 results, err = s.usermanager.UserInfo(params.UserInfoRequest{}) 386 c.Assert(err, jc.ErrorIsNil) 387 // Same results as before, but without the deactivated barfoo user 388 expected.Results = expected.Results[1:] 389 c.Assert(results, jc.DeepEquals, expected) 390 } 391 392 func (s *userManagerSuite) TestSetPassword(c *gc.C) { 393 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 394 395 args := params.EntityPasswords{ 396 Changes: []params.EntityPassword{{ 397 Tag: alex.Tag().String(), 398 Password: "new-password", 399 }}} 400 results, err := s.usermanager.SetPassword(args) 401 c.Assert(err, jc.ErrorIsNil) 402 c.Assert(results.Results, gc.HasLen, 1) 403 c.Assert(results.Results[0], gc.DeepEquals, params.ErrorResult{Error: nil}) 404 405 err = alex.Refresh() 406 c.Assert(err, jc.ErrorIsNil) 407 408 c.Assert(alex.PasswordValid("new-password"), jc.IsTrue) 409 } 410 411 func (s *userManagerSuite) TestBlockSetPassword(c *gc.C) { 412 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 413 414 args := params.EntityPasswords{ 415 Changes: []params.EntityPassword{{ 416 Tag: alex.Tag().String(), 417 Password: "new-password", 418 }}} 419 420 s.AssertConfigParameterUpdated(c, "block-all-changes", true) 421 _, err := s.usermanager.SetPassword(args) 422 // Check that the call is blocked 423 c.Assert(errors.Cause(err), gc.ErrorMatches, common.ErrOperationBlocked.Error()) 424 425 err = alex.Refresh() 426 c.Assert(err, jc.ErrorIsNil) 427 428 c.Assert(alex.PasswordValid("new-password"), jc.IsFalse) 429 } 430 431 func (s *userManagerSuite) TestSetPasswordForSelf(c *gc.C) { 432 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 433 usermanager, err := usermanager.NewUserManagerAPI( 434 s.State, nil, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 435 c.Assert(err, jc.ErrorIsNil) 436 437 args := params.EntityPasswords{ 438 Changes: []params.EntityPassword{{ 439 Tag: alex.Tag().String(), 440 Password: "new-password", 441 }}} 442 results, err := usermanager.SetPassword(args) 443 c.Assert(err, jc.ErrorIsNil) 444 c.Assert(results.Results, gc.HasLen, 1) 445 c.Assert(results.Results[0], gc.DeepEquals, params.ErrorResult{Error: nil}) 446 447 err = alex.Refresh() 448 c.Assert(err, jc.ErrorIsNil) 449 450 c.Assert(alex.PasswordValid("new-password"), jc.IsTrue) 451 } 452 453 func (s *userManagerSuite) TestSetPasswordForOther(c *gc.C) { 454 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 455 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb"}) 456 usermanager, err := usermanager.NewUserManagerAPI( 457 s.State, nil, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 458 c.Assert(err, jc.ErrorIsNil) 459 460 args := params.EntityPasswords{ 461 Changes: []params.EntityPassword{{ 462 Tag: barb.Tag().String(), 463 Password: "new-password", 464 }}} 465 results, err := usermanager.SetPassword(args) 466 c.Assert(err, jc.ErrorIsNil) 467 c.Assert(results.Results, gc.HasLen, 1) 468 c.Assert(results.Results[0], gc.DeepEquals, params.ErrorResult{ 469 Error: ¶ms.Error{ 470 Message: "permission denied", 471 Code: params.CodeUnauthorized, 472 }}) 473 474 err = barb.Refresh() 475 c.Assert(err, jc.ErrorIsNil) 476 477 c.Assert(barb.PasswordValid("new-password"), jc.IsFalse) 478 }