github.com/axw/juju@v0.0.0-20161005053422-4bd6544d08d4/apiserver/usermanager/usermanager_test.go (about) 1 // Copyright 2014 Canonical Ltd. 2 // Licensed under the AGPLv3, see LICENCE file for details. 3 4 package usermanager_test 5 6 import ( 7 "fmt" 8 "time" 9 10 "github.com/juju/errors" 11 jc "github.com/juju/testing/checkers" 12 gc "gopkg.in/check.v1" 13 "gopkg.in/juju/names.v2" 14 15 "github.com/juju/juju/apiserver/common" 16 commontesting "github.com/juju/juju/apiserver/common/testing" 17 "github.com/juju/juju/apiserver/controller" 18 "github.com/juju/juju/apiserver/params" 19 apiservertesting "github.com/juju/juju/apiserver/testing" 20 "github.com/juju/juju/apiserver/usermanager" 21 jujutesting "github.com/juju/juju/juju/testing" 22 "github.com/juju/juju/permission" 23 "github.com/juju/juju/state" 24 "github.com/juju/juju/testing/factory" 25 ) 26 27 type userManagerSuite struct { 28 jujutesting.JujuConnSuite 29 30 usermanager *usermanager.UserManagerAPI 31 authorizer apiservertesting.FakeAuthorizer 32 adminName string 33 resources *common.Resources 34 35 commontesting.BlockHelper 36 } 37 38 var _ = gc.Suite(&userManagerSuite{}) 39 40 func (s *userManagerSuite) SetUpTest(c *gc.C) { 41 s.JujuConnSuite.SetUpTest(c) 42 43 s.resources = common.NewResources() 44 adminTag := s.AdminUserTag(c) 45 s.adminName = adminTag.Name() 46 s.authorizer = apiservertesting.FakeAuthorizer{ 47 Tag: adminTag, 48 } 49 var err error 50 s.usermanager, err = usermanager.NewUserManagerAPI(s.State, s.resources, s.authorizer) 51 c.Assert(err, jc.ErrorIsNil) 52 53 s.BlockHelper = commontesting.NewBlockHelper(s.APIState) 54 s.AddCleanup(func(*gc.C) { s.BlockHelper.Close() }) 55 } 56 57 func (s *userManagerSuite) TestNewUserManagerAPIRefusesNonClient(c *gc.C) { 58 anAuthoriser := s.authorizer 59 anAuthoriser.Tag = names.NewMachineTag("1") 60 endPoint, err := usermanager.NewUserManagerAPI(s.State, s.resources, anAuthoriser) 61 c.Assert(endPoint, gc.IsNil) 62 c.Assert(err, gc.ErrorMatches, "permission denied") 63 } 64 65 func (s *userManagerSuite) assertAddUser(c *gc.C, access params.UserAccessPermission, sharedModelTags []string) { 66 sharedModelState := s.Factory.MakeModel(c, nil) 67 defer sharedModelState.Close() 68 69 args := params.AddUsers{ 70 Users: []params.AddUser{{ 71 Username: "foobar", 72 DisplayName: "Foo Bar", 73 Password: "password", 74 }}} 75 76 result, err := s.usermanager.AddUser(args) 77 // Check that the call is successful 78 c.Assert(err, jc.ErrorIsNil) 79 c.Assert(result.Results, gc.HasLen, 1) 80 foobarTag := names.NewLocalUserTag("foobar") 81 c.Assert(result.Results[0], gc.DeepEquals, params.AddUserResult{ 82 Tag: foobarTag.String()}) 83 // Check that the call results in a new user being created 84 user, err := s.State.User(foobarTag) 85 c.Assert(err, jc.ErrorIsNil) 86 c.Assert(user, gc.NotNil) 87 c.Assert(user.Name(), gc.Equals, "foobar") 88 c.Assert(user.DisplayName(), gc.Equals, "Foo Bar") 89 } 90 91 func (s *userManagerSuite) TestAddUser(c *gc.C) { 92 s.assertAddUser(c, params.UserAccessPermission(""), nil) 93 } 94 95 func (s *userManagerSuite) TestAddUserWithSecretKey(c *gc.C) { 96 args := params.AddUsers{ 97 Users: []params.AddUser{{ 98 Username: "foobar", 99 DisplayName: "Foo Bar", 100 Password: "", // assign secret key 101 }}} 102 103 result, err := s.usermanager.AddUser(args) 104 // Check that the call is succesful 105 c.Assert(err, jc.ErrorIsNil) 106 c.Assert(result.Results, gc.HasLen, 1) 107 foobarTag := names.NewLocalUserTag("foobar") 108 109 // Check that the call results in a new user being created 110 user, err := s.State.User(foobarTag) 111 c.Assert(err, jc.ErrorIsNil) 112 c.Assert(user, gc.NotNil) 113 c.Assert(user.Name(), gc.Equals, "foobar") 114 c.Assert(user.DisplayName(), gc.Equals, "Foo Bar") 115 c.Assert(user.SecretKey(), gc.NotNil) 116 c.Assert(user.PasswordValid(""), jc.IsFalse) 117 118 // Check that the secret key returned by the API matches what 119 // is in state. 120 c.Assert(result.Results[0], gc.DeepEquals, params.AddUserResult{ 121 Tag: foobarTag.String(), 122 SecretKey: user.SecretKey(), 123 }) 124 } 125 126 func (s *userManagerSuite) TestBlockAddUser(c *gc.C) { 127 args := params.AddUsers{ 128 Users: []params.AddUser{{ 129 Username: "foobar", 130 DisplayName: "Foo Bar", 131 Password: "password", 132 }}} 133 134 s.BlockAllChanges(c, "TestBlockAddUser") 135 result, err := s.usermanager.AddUser(args) 136 // Check that the call is blocked. 137 s.AssertBlocked(c, err, "TestBlockAddUser") 138 // Check that there's no results. 139 c.Assert(result.Results, gc.HasLen, 0) 140 //check that user is not created. 141 foobarTag := names.NewLocalUserTag("foobar") 142 // Check that the call results in a new user being created. 143 _, err = s.State.User(foobarTag) 144 c.Assert(err, gc.ErrorMatches, `user "foobar" not found`) 145 } 146 147 func (s *userManagerSuite) TestAddUserAsNormalUser(c *gc.C) { 148 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex", NoModelUser: true}) 149 usermanager, err := usermanager.NewUserManagerAPI( 150 s.State, s.resources, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 151 c.Assert(err, jc.ErrorIsNil) 152 153 args := params.AddUsers{ 154 Users: []params.AddUser{{ 155 Username: "foobar", 156 DisplayName: "Foo Bar", 157 Password: "password", 158 }}} 159 160 _, err = usermanager.AddUser(args) 161 c.Assert(err, gc.ErrorMatches, "permission denied") 162 163 _, err = s.State.User(names.NewLocalUserTag("foobar")) 164 c.Assert(err, jc.Satisfies, errors.IsNotFound) 165 } 166 167 func (s *userManagerSuite) TestDisableUser(c *gc.C) { 168 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 169 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 170 171 args := params.Entities{ 172 Entities: []params.Entity{ 173 {alex.Tag().String()}, 174 {barb.Tag().String()}, 175 {names.NewLocalUserTag("ellie").String()}, 176 {names.NewUserTag("fred@remote").String()}, 177 {"not-a-tag"}, 178 }} 179 result, err := s.usermanager.DisableUser(args) 180 c.Assert(err, jc.ErrorIsNil) 181 c.Assert(result, gc.DeepEquals, params.ErrorResults{ 182 Results: []params.ErrorResult{ 183 {Error: nil}, 184 {Error: nil}, 185 {Error: ¶ms.Error{ 186 Message: "permission denied", 187 Code: params.CodeUnauthorized, 188 }}, 189 {Error: ¶ms.Error{ 190 Message: "permission denied", 191 Code: params.CodeUnauthorized, 192 }}, 193 {Error: ¶ms.Error{ 194 Message: `"not-a-tag" is not a valid tag`, 195 }}, 196 }}) 197 err = alex.Refresh() 198 c.Assert(err, jc.ErrorIsNil) 199 c.Assert(alex.IsDisabled(), jc.IsTrue) 200 201 err = barb.Refresh() 202 c.Assert(err, jc.ErrorIsNil) 203 c.Assert(barb.IsDisabled(), jc.IsTrue) 204 } 205 206 func (s *userManagerSuite) TestBlockDisableUser(c *gc.C) { 207 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 208 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 209 210 args := params.Entities{ 211 Entities: []params.Entity{ 212 {alex.Tag().String()}, 213 {barb.Tag().String()}, 214 {names.NewLocalUserTag("ellie").String()}, 215 {names.NewUserTag("fred@remote").String()}, 216 {"not-a-tag"}, 217 }} 218 219 s.BlockAllChanges(c, "TestBlockDisableUser") 220 _, err := s.usermanager.DisableUser(args) 221 // Check that the call is blocked 222 s.AssertBlocked(c, err, "TestBlockDisableUser") 223 224 err = alex.Refresh() 225 c.Assert(err, jc.ErrorIsNil) 226 c.Assert(alex.IsDisabled(), jc.IsFalse) 227 228 err = barb.Refresh() 229 c.Assert(err, jc.ErrorIsNil) 230 c.Assert(barb.IsDisabled(), jc.IsTrue) 231 } 232 233 func (s *userManagerSuite) TestEnableUser(c *gc.C) { 234 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 235 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 236 237 args := params.Entities{ 238 Entities: []params.Entity{ 239 {alex.Tag().String()}, 240 {barb.Tag().String()}, 241 {names.NewLocalUserTag("ellie").String()}, 242 {names.NewUserTag("fred@remote").String()}, 243 {"not-a-tag"}, 244 }} 245 result, err := s.usermanager.EnableUser(args) 246 c.Assert(err, jc.ErrorIsNil) 247 c.Assert(result, gc.DeepEquals, params.ErrorResults{ 248 Results: []params.ErrorResult{ 249 {Error: nil}, 250 {Error: nil}, 251 {Error: ¶ms.Error{ 252 Message: "permission denied", 253 Code: params.CodeUnauthorized, 254 }}, 255 {Error: ¶ms.Error{ 256 Message: "permission denied", 257 Code: params.CodeUnauthorized, 258 }}, 259 {Error: ¶ms.Error{ 260 Message: `"not-a-tag" is not a valid tag`, 261 }}, 262 }}) 263 err = alex.Refresh() 264 c.Assert(err, jc.ErrorIsNil) 265 c.Assert(alex.IsDisabled(), jc.IsFalse) 266 267 err = barb.Refresh() 268 c.Assert(err, jc.ErrorIsNil) 269 c.Assert(barb.IsDisabled(), jc.IsFalse) 270 } 271 272 func (s *userManagerSuite) TestBlockEnableUser(c *gc.C) { 273 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 274 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 275 276 args := params.Entities{ 277 Entities: []params.Entity{ 278 {alex.Tag().String()}, 279 {barb.Tag().String()}, 280 {names.NewLocalUserTag("ellie").String()}, 281 {names.NewUserTag("fred@remote").String()}, 282 {"not-a-tag"}, 283 }} 284 285 s.BlockAllChanges(c, "TestBlockEnableUser") 286 _, err := s.usermanager.EnableUser(args) 287 // Check that the call is blocked 288 s.AssertBlocked(c, err, "TestBlockEnableUser") 289 290 err = alex.Refresh() 291 c.Assert(err, jc.ErrorIsNil) 292 c.Assert(alex.IsDisabled(), jc.IsFalse) 293 294 err = barb.Refresh() 295 c.Assert(err, jc.ErrorIsNil) 296 c.Assert(barb.IsDisabled(), jc.IsTrue) 297 } 298 299 func (s *userManagerSuite) TestDisableUserAsNormalUser(c *gc.C) { 300 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex", NoModelUser: true}) 301 usermanager, err := usermanager.NewUserManagerAPI( 302 s.State, s.resources, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 303 c.Assert(err, jc.ErrorIsNil) 304 305 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb"}) 306 307 args := params.Entities{ 308 []params.Entity{{barb.Tag().String()}}, 309 } 310 _, err = usermanager.DisableUser(args) 311 c.Assert(err, gc.ErrorMatches, "permission denied") 312 313 err = barb.Refresh() 314 c.Assert(err, jc.ErrorIsNil) 315 c.Assert(barb.IsDisabled(), jc.IsFalse) 316 } 317 318 func (s *userManagerSuite) TestEnableUserAsNormalUser(c *gc.C) { 319 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex", NoModelUser: true}) 320 usermanager, err := usermanager.NewUserManagerAPI( 321 s.State, s.resources, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 322 c.Assert(err, jc.ErrorIsNil) 323 324 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 325 326 args := params.Entities{ 327 []params.Entity{{barb.Tag().String()}}, 328 } 329 _, err = usermanager.EnableUser(args) 330 c.Assert(err, gc.ErrorMatches, "permission denied") 331 332 err = barb.Refresh() 333 c.Assert(err, jc.ErrorIsNil) 334 c.Assert(barb.IsDisabled(), jc.IsTrue) 335 } 336 337 func (s *userManagerSuite) TestUserInfo(c *gc.C) { 338 userFoo := s.Factory.MakeUser(c, &factory.UserParams{Name: "foobar", DisplayName: "Foo Bar"}) 339 userBar := s.Factory.MakeUser(c, &factory.UserParams{Name: "barfoo", DisplayName: "Bar Foo", Disabled: true}) 340 err := controller.ChangeControllerAccess( 341 s.State, s.AdminUserTag(c), names.NewUserTag("fred@external"), 342 params.GrantControllerAccess, permission.AddModelAccess) 343 c.Assert(err, jc.ErrorIsNil) 344 345 args := params.UserInfoRequest{ 346 Entities: []params.Entity{ 347 { 348 Tag: userFoo.Tag().String(), 349 }, { 350 Tag: userBar.Tag().String(), 351 }, { 352 Tag: names.NewLocalUserTag("ellie").String(), 353 }, { 354 Tag: names.NewUserTag("fred@external").String(), 355 }, { 356 Tag: "not-a-tag", 357 }, 358 }} 359 360 results, err := s.usermanager.UserInfo(args) 361 c.Assert(err, jc.ErrorIsNil) 362 var expected params.UserInfoResults 363 for _, r := range []struct { 364 user *state.User 365 info *params.UserInfo 366 err *params.Error 367 }{ 368 { 369 user: userFoo, 370 info: ¶ms.UserInfo{ 371 Username: "foobar", 372 DisplayName: "Foo Bar", 373 Access: "login", 374 }, 375 }, { 376 user: userBar, 377 info: ¶ms.UserInfo{ 378 Username: "barfoo", 379 DisplayName: "Bar Foo", 380 Access: "login", 381 Disabled: true, 382 }, 383 }, { 384 err: ¶ms.Error{ 385 Message: "permission denied", 386 Code: params.CodeUnauthorized, 387 }, 388 }, { 389 info: ¶ms.UserInfo{ 390 Username: "fred@external", 391 Access: "addmodel", 392 }, 393 }, { 394 err: ¶ms.Error{ 395 Message: `"not-a-tag" is not a valid tag`, 396 }, 397 }, 398 } { 399 if r.info != nil { 400 if names.NewUserTag(r.info.Username).IsLocal() { 401 r.info.DateCreated = r.user.DateCreated() 402 r.info.LastConnection = lastLoginPointer(c, r.user) 403 r.info.CreatedBy = s.adminName 404 } 405 } 406 expected.Results = append(expected.Results, params.UserInfoResult{Result: r.info, Error: r.err}) 407 } 408 409 c.Assert(results, jc.DeepEquals, expected) 410 } 411 412 func (s *userManagerSuite) TestUserInfoAll(c *gc.C) { 413 admin, err := s.State.User(s.AdminUserTag(c)) 414 c.Assert(err, jc.ErrorIsNil) 415 userFoo := s.Factory.MakeUser(c, &factory.UserParams{Name: "foobar", DisplayName: "Foo Bar"}) 416 userAardvark := s.Factory.MakeUser(c, &factory.UserParams{Name: "aardvark", DisplayName: "Aard Vark", Disabled: true}) 417 418 args := params.UserInfoRequest{IncludeDisabled: true} 419 results, err := s.usermanager.UserInfo(args) 420 c.Assert(err, jc.ErrorIsNil) 421 var expected params.UserInfoResults 422 for _, r := range []struct { 423 user *state.User 424 info *params.UserInfo 425 }{{ 426 user: userAardvark, 427 info: ¶ms.UserInfo{ 428 Username: "aardvark", 429 DisplayName: "Aard Vark", 430 Access: "login", 431 Disabled: true, 432 }, 433 }, { 434 user: admin, 435 info: ¶ms.UserInfo{ 436 Username: s.adminName, 437 DisplayName: admin.DisplayName(), 438 Access: "superuser", 439 }, 440 }, { 441 user: userFoo, 442 info: ¶ms.UserInfo{ 443 Username: "foobar", 444 DisplayName: "Foo Bar", 445 Access: "login", 446 }, 447 }} { 448 r.info.CreatedBy = s.adminName 449 r.info.DateCreated = r.user.DateCreated() 450 r.info.LastConnection = lastLoginPointer(c, r.user) 451 expected.Results = append(expected.Results, params.UserInfoResult{Result: r.info}) 452 } 453 c.Assert(results, jc.DeepEquals, expected) 454 455 results, err = s.usermanager.UserInfo(params.UserInfoRequest{}) 456 c.Assert(err, jc.ErrorIsNil) 457 // Same results as before, but without the deactivated user 458 expected.Results = expected.Results[1:] 459 c.Assert(results, jc.DeepEquals, expected) 460 } 461 462 func (s *userManagerSuite) TestUserInfoNonControllerAdmin(c *gc.C) { 463 s.Factory.MakeUser(c, &factory.UserParams{Name: "foobar", DisplayName: "Foo Bar"}) 464 userAardvark := s.Factory.MakeUser(c, &factory.UserParams{Name: "aardvark", DisplayName: "Aard Vark"}) 465 466 authorizer := apiservertesting.FakeAuthorizer{ 467 Tag: userAardvark.Tag(), 468 } 469 usermanager, err := usermanager.NewUserManagerAPI(s.State, s.resources, authorizer) 470 c.Assert(err, jc.ErrorIsNil) 471 472 args := params.UserInfoRequest{Entities: []params.Entity{ 473 {Tag: userAardvark.Tag().String()}, 474 {Tag: names.NewUserTag("foobar").String()}, 475 }} 476 results, err := usermanager.UserInfo(args) 477 c.Assert(err, jc.ErrorIsNil) 478 // Non admin users can only see themselves. 479 c.Assert(results, jc.DeepEquals, params.UserInfoResults{ 480 Results: []params.UserInfoResult{ 481 { 482 Result: ¶ms.UserInfo{ 483 Username: "aardvark", 484 DisplayName: "Aard Vark", 485 Access: "login", 486 CreatedBy: s.adminName, 487 DateCreated: userAardvark.DateCreated(), 488 LastConnection: lastLoginPointer(c, userAardvark), 489 }, 490 }, { 491 Error: ¶ms.Error{ 492 Message: "permission denied", 493 Code: params.CodeUnauthorized, 494 }, 495 }, 496 }, 497 }) 498 } 499 500 func (s *userManagerSuite) TestUserInfoEveryonePermission(c *gc.C) { 501 _, err := s.State.AddControllerUser(state.UserAccessSpec{ 502 User: names.NewUserTag("everyone@external"), 503 Access: permission.AddModelAccess, 504 CreatedBy: s.AdminUserTag(c), 505 }) 506 c.Assert(err, jc.ErrorIsNil) 507 _, err = s.State.AddControllerUser(state.UserAccessSpec{ 508 User: names.NewUserTag("aardvark@external"), 509 Access: permission.LoginAccess, 510 CreatedBy: s.AdminUserTag(c), 511 }) 512 c.Assert(err, jc.ErrorIsNil) 513 514 args := params.UserInfoRequest{Entities: []params.Entity{{Tag: names.NewUserTag("aardvark@external").String()}}} 515 results, err := s.usermanager.UserInfo(args) 516 c.Assert(err, jc.ErrorIsNil) 517 // Non admin users can only see themselves. 518 c.Assert(results, jc.DeepEquals, params.UserInfoResults{ 519 Results: []params.UserInfoResult{{Result: ¶ms.UserInfo{ 520 Username: "aardvark@external", 521 Access: "addmodel", 522 }}}, 523 }) 524 } 525 526 func lastLoginPointer(c *gc.C, user *state.User) *time.Time { 527 lastLogin, err := user.LastLogin() 528 if err != nil { 529 if state.IsNeverLoggedInError(err) { 530 return nil 531 } 532 c.Fatal(err) 533 } 534 return &lastLogin 535 } 536 537 func (s *userManagerSuite) TestSetPassword(c *gc.C) { 538 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex", NoModelUser: true}) 539 540 args := params.EntityPasswords{ 541 Changes: []params.EntityPassword{{ 542 Tag: alex.Tag().String(), 543 Password: "new-password", 544 }}} 545 results, err := s.usermanager.SetPassword(args) 546 c.Assert(err, jc.ErrorIsNil) 547 c.Assert(results.Results, gc.HasLen, 1) 548 c.Assert(results.Results[0], gc.DeepEquals, params.ErrorResult{Error: nil}) 549 550 err = alex.Refresh() 551 c.Assert(err, jc.ErrorIsNil) 552 553 c.Assert(alex.PasswordValid("new-password"), jc.IsTrue) 554 } 555 556 func (s *userManagerSuite) TestBlockSetPassword(c *gc.C) { 557 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex", NoModelUser: true}) 558 559 args := params.EntityPasswords{ 560 Changes: []params.EntityPassword{{ 561 Tag: alex.Tag().String(), 562 Password: "new-password", 563 }}} 564 565 s.BlockAllChanges(c, "TestBlockSetPassword") 566 _, err := s.usermanager.SetPassword(args) 567 // Check that the call is blocked 568 s.AssertBlocked(c, err, "TestBlockSetPassword") 569 570 err = alex.Refresh() 571 c.Assert(err, jc.ErrorIsNil) 572 573 c.Assert(alex.PasswordValid("new-password"), jc.IsFalse) 574 } 575 576 func (s *userManagerSuite) TestSetPasswordForSelf(c *gc.C) { 577 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex", NoModelUser: true}) 578 usermanager, err := usermanager.NewUserManagerAPI( 579 s.State, s.resources, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 580 c.Assert(err, jc.ErrorIsNil) 581 582 args := params.EntityPasswords{ 583 Changes: []params.EntityPassword{{ 584 Tag: alex.Tag().String(), 585 Password: "new-password", 586 }}} 587 results, err := usermanager.SetPassword(args) 588 c.Assert(err, jc.ErrorIsNil) 589 c.Assert(results.Results, gc.HasLen, 1) 590 c.Assert(results.Results[0], gc.DeepEquals, params.ErrorResult{Error: nil}) 591 592 err = alex.Refresh() 593 c.Assert(err, jc.ErrorIsNil) 594 595 c.Assert(alex.PasswordValid("new-password"), jc.IsTrue) 596 } 597 598 func (s *userManagerSuite) TestSetPasswordForOther(c *gc.C) { 599 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex", NoModelUser: true}) 600 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", NoModelUser: true}) 601 usermanager, err := usermanager.NewUserManagerAPI( 602 s.State, s.resources, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 603 c.Assert(err, jc.ErrorIsNil) 604 605 args := params.EntityPasswords{ 606 Changes: []params.EntityPassword{{ 607 Tag: barb.Tag().String(), 608 Password: "new-password", 609 }}} 610 results, err := usermanager.SetPassword(args) 611 c.Assert(err, jc.ErrorIsNil) 612 c.Assert(results.Results, gc.HasLen, 1) 613 c.Assert(results.Results[0], gc.DeepEquals, params.ErrorResult{ 614 Error: ¶ms.Error{ 615 Message: "permission denied", 616 Code: params.CodeUnauthorized, 617 }}) 618 619 err = barb.Refresh() 620 c.Assert(err, jc.ErrorIsNil) 621 622 c.Assert(barb.PasswordValid("new-password"), jc.IsFalse) 623 } 624 625 func (s *userManagerSuite) TestRemoveUserBadTag(c *gc.C) { 626 tag := "not-a-tag" 627 got, err := s.usermanager.RemoveUser(params.Entities{ 628 Entities: []params.Entity{{Tag: tag}}}) 629 c.Assert(got.Results, gc.HasLen, 1) 630 c.Assert(err, gc.Equals, nil) 631 c.Check(got.Results[0].Error, jc.DeepEquals, ¶ms.Error{ 632 Message: "\"not-a-tag\" is not a valid tag", 633 }) 634 } 635 636 func (s *userManagerSuite) TestRemoveUserNonExistent(c *gc.C) { 637 tag := "user-harvey" 638 got, err := s.usermanager.RemoveUser(params.Entities{ 639 Entities: []params.Entity{{Tag: tag}}}) 640 c.Assert(got.Results, gc.HasLen, 1) 641 c.Assert(err, gc.Equals, nil) 642 c.Check(got.Results[0].Error, jc.DeepEquals, ¶ms.Error{ 643 Message: "failed to delete user \"harvey\": user \"harvey\" not found", 644 Code: "not found", 645 }) 646 } 647 648 func (s *userManagerSuite) TestRemoveUser(c *gc.C) { 649 // Create a user to delete. 650 jjam := s.Factory.MakeUser(c, &factory.UserParams{Name: "jimmyjam"}) 651 652 expectedError := fmt.Sprintf("%q user not found", jjam.Name()) 653 654 // Remove the user 655 got, err := s.usermanager.RemoveUser(params.Entities{ 656 Entities: []params.Entity{{Tag: jjam.Tag().String()}}}) 657 c.Assert(got.Results, gc.HasLen, 1) 658 659 c.Check(got.Results[0].Error, gc.IsNil) // Uses gc.IsNil as it's a typed nil. 660 c.Assert(err, jc.ErrorIsNil) 661 662 // Check if deleted. 663 err = jjam.Refresh() 664 c.Check(err, jc.ErrorIsNil) 665 c.Assert(jjam.IsDeleted(), jc.IsTrue) 666 667 // Try again and verify we get the expected error. 668 got, err = s.usermanager.RemoveUser(params.Entities{ 669 Entities: []params.Entity{{Tag: jjam.Tag().String()}}}) 670 c.Check(got.Results, gc.HasLen, 1) 671 c.Check(got.Results[0].Error, jc.DeepEquals, ¶ms.Error{ 672 Message: expectedError, 673 Code: "user not found", 674 }) 675 c.Assert(err, jc.ErrorIsNil) 676 } 677 678 func (s *userManagerSuite) TestRemoveUserAsNormalUser(c *gc.C) { 679 // Create a user to delete. 680 jjam := s.Factory.MakeUser(c, &factory.UserParams{Name: "jimmyjam"}) 681 // Create a user to delete jjam. 682 chuck := s.Factory.MakeUser(c, &factory.UserParams{ 683 Name: "chuck", 684 NoModelUser: true, 685 }) 686 687 // Authenticate as chuck. 688 usermanager, err := usermanager.NewUserManagerAPI( 689 s.State, s.resources, apiservertesting.FakeAuthorizer{ 690 Tag: chuck.Tag(), 691 }) 692 c.Assert(err, jc.ErrorIsNil) 693 694 // Make sure the user exists. 695 ui, err := s.usermanager.UserInfo(params.UserInfoRequest{ 696 Entities: []params.Entity{{Tag: jjam.Tag().String()}}, 697 }) 698 c.Check(err, jc.ErrorIsNil) 699 c.Check(ui.Results, gc.HasLen, 1) 700 c.Assert(ui.Results[0].Result.Username, gc.DeepEquals, jjam.Name()) 701 702 // Remove jjam as chuck and fail. 703 _, err = usermanager.RemoveUser(params.Entities{ 704 Entities: []params.Entity{{Tag: jjam.Tag().String()}}}) 705 c.Assert(err, gc.ErrorMatches, "permission denied") 706 707 // Make sure jjam is still around. 708 err = jjam.Refresh() 709 c.Assert(err, jc.ErrorIsNil) 710 } 711 712 func (s *userManagerSuite) TestRemoveUserSelfAsNormalUser(c *gc.C) { 713 // Create a user to delete. 714 jjam := s.Factory.MakeUser(c, &factory.UserParams{ 715 Name: "jimmyjam", 716 NoModelUser: true, 717 }) 718 usermanager, err := usermanager.NewUserManagerAPI( 719 s.State, s.resources, apiservertesting.FakeAuthorizer{ 720 Tag: jjam.Tag(), 721 }) 722 c.Assert(err, jc.ErrorIsNil) 723 724 // Make sure the user exists. 725 ui, err := s.usermanager.UserInfo(params.UserInfoRequest{ 726 Entities: []params.Entity{{Tag: jjam.Tag().String()}}, 727 }) 728 c.Assert(err, jc.ErrorIsNil) 729 c.Check(ui.Results, gc.HasLen, 1) 730 c.Assert(ui.Results[0].Result.Username, gc.DeepEquals, jjam.Name()) 731 732 // Remove the user as the user 733 _, err = usermanager.RemoveUser(params.Entities{ 734 Entities: []params.Entity{{Tag: jjam.Tag().String()}}}) 735 c.Assert(err, gc.ErrorMatches, "permission denied") 736 737 // Check if deleted. 738 err = jjam.Refresh() 739 c.Assert(err, jc.ErrorIsNil) 740 } 741 742 func (s *userManagerSuite) TestRemoveUserAsSelfAdmin(c *gc.C) { 743 744 expectedError := "cannot delete controller owner \"admin\"" 745 746 // Remove admin as admin. 747 got, err := s.usermanager.RemoveUser(params.Entities{ 748 Entities: []params.Entity{{Tag: s.AdminUserTag(c).String()}}}) 749 c.Assert(got.Results, gc.HasLen, 1) 750 c.Check(got.Results[0].Error, jc.DeepEquals, ¶ms.Error{ 751 Message: expectedError, 752 }) 753 c.Assert(err, jc.ErrorIsNil) 754 755 // Try again to see if we succeeded. 756 got, err = s.usermanager.RemoveUser(params.Entities{ 757 Entities: []params.Entity{{Tag: s.AdminUserTag(c).String()}}}) 758 c.Assert(got.Results, gc.HasLen, 1) 759 c.Check(got.Results[0].Error, jc.DeepEquals, ¶ms.Error{ 760 Message: expectedError, 761 }) 762 c.Assert(err, jc.ErrorIsNil) 763 764 ui, err := s.usermanager.UserInfo(params.UserInfoRequest{}) 765 c.Check(err, jc.ErrorIsNil) 766 c.Assert(ui.Results, gc.HasLen, 1) 767 768 } 769 770 func (s *userManagerSuite) TestRemoveUserBulkSharedModels(c *gc.C) { 771 // Create users. 772 jjam := s.Factory.MakeUser(c, &factory.UserParams{ 773 Name: "jimmyjam", 774 }) 775 alice := s.Factory.MakeUser(c, &factory.UserParams{ 776 Name: "alice", 777 }) 778 bob := s.Factory.MakeUser(c, &factory.UserParams{ 779 Name: "bob", 780 }) 781 782 // Get a handle on the current model. 783 model, err := s.State.Model() 784 c.Assert(err, jc.ErrorIsNil) 785 users, err := model.Users() 786 787 // Make sure the users exist. 788 var userNames []string 789 for _, u := range users { 790 userNames = append(userNames, u.UserTag.Name()) 791 } 792 c.Assert(userNames, jc.SameContents, []string{"admin", jjam.Name(), alice.Name(), bob.Name()}) 793 794 // Remove 2 users. 795 got, err := s.usermanager.RemoveUser(params.Entities{ 796 Entities: []params.Entity{ 797 {Tag: jjam.Tag().String()}, 798 {Tag: alice.Tag().String()}, 799 }}) 800 c.Check(got.Results, gc.HasLen, 2) 801 var paramErr *params.Error 802 c.Check(got.Results[0].Error, jc.DeepEquals, paramErr) 803 c.Check(got.Results[1].Error, jc.DeepEquals, paramErr) 804 c.Assert(err, jc.ErrorIsNil) 805 806 // Make sure users were deleted. 807 err = jjam.Refresh() 808 c.Assert(jjam.IsDeleted(), jc.IsTrue) 809 err = alice.Refresh() 810 c.Assert(alice.IsDeleted(), jc.IsTrue) 811 812 }