github.com/cloud-green/juju@v0.0.0-20151002100041-a00291338d3d/apiserver/usermanager/usermanager_test.go (about) 1 // Copyright 2014 Canonical Ltd. 2 // Licensed under the AGPLv3, see LICENCE file for details. 3 4 package usermanager_test 5 6 import ( 7 "time" 8 9 "github.com/juju/errors" 10 "github.com/juju/names" 11 jc "github.com/juju/testing/checkers" 12 gc "gopkg.in/check.v1" 13 14 commontesting "github.com/juju/juju/apiserver/common/testing" 15 "github.com/juju/juju/apiserver/params" 16 apiservertesting "github.com/juju/juju/apiserver/testing" 17 "github.com/juju/juju/apiserver/usermanager" 18 jujutesting "github.com/juju/juju/juju/testing" 19 "github.com/juju/juju/state" 20 "github.com/juju/juju/testing/factory" 21 ) 22 23 type userManagerSuite struct { 24 jujutesting.JujuConnSuite 25 26 usermanager *usermanager.UserManagerAPI 27 authorizer apiservertesting.FakeAuthorizer 28 adminName string 29 30 commontesting.BlockHelper 31 } 32 33 var _ = gc.Suite(&userManagerSuite{}) 34 35 func (s *userManagerSuite) SetUpTest(c *gc.C) { 36 s.JujuConnSuite.SetUpTest(c) 37 38 adminTag := s.AdminUserTag(c) 39 s.adminName = adminTag.Name() 40 s.authorizer = apiservertesting.FakeAuthorizer{ 41 Tag: adminTag, 42 } 43 var err error 44 s.usermanager, err = usermanager.NewUserManagerAPI(s.State, nil, s.authorizer) 45 c.Assert(err, jc.ErrorIsNil) 46 47 s.BlockHelper = commontesting.NewBlockHelper(s.APIState) 48 s.AddCleanup(func(*gc.C) { s.BlockHelper.Close() }) 49 } 50 51 func (s *userManagerSuite) TestNewUserManagerAPIRefusesNonClient(c *gc.C) { 52 anAuthoriser := s.authorizer 53 anAuthoriser.Tag = names.NewMachineTag("1") 54 endPoint, err := usermanager.NewUserManagerAPI(s.State, nil, anAuthoriser) 55 c.Assert(endPoint, gc.IsNil) 56 c.Assert(err, gc.ErrorMatches, "permission denied") 57 } 58 59 func (s *userManagerSuite) TestAddUser(c *gc.C) { 60 args := params.AddUsers{ 61 Users: []params.AddUser{{ 62 Username: "foobar", 63 DisplayName: "Foo Bar", 64 Password: "password", 65 }}} 66 67 result, err := s.usermanager.AddUser(args) 68 // Check that the call is succesful 69 c.Assert(err, jc.ErrorIsNil) 70 c.Assert(result.Results, gc.HasLen, 1) 71 foobarTag := names.NewLocalUserTag("foobar") 72 c.Assert(result.Results[0], gc.DeepEquals, params.AddUserResult{ 73 Tag: foobarTag.String()}) 74 // Check that the call results in a new user being created 75 user, err := s.State.User(foobarTag) 76 c.Assert(err, jc.ErrorIsNil) 77 c.Assert(user, gc.NotNil) 78 c.Assert(user.Name(), gc.Equals, "foobar") 79 c.Assert(user.DisplayName(), gc.Equals, "Foo Bar") 80 } 81 82 func (s *userManagerSuite) TestBlockAddUser(c *gc.C) { 83 args := params.AddUsers{ 84 Users: []params.AddUser{{ 85 Username: "foobar", 86 DisplayName: "Foo Bar", 87 Password: "password", 88 }}} 89 90 s.BlockAllChanges(c, "TestBlockAddUser") 91 result, err := s.usermanager.AddUser(args) 92 // Check that the call is blocked 93 s.AssertBlocked(c, err, "TestBlockAddUser") 94 c.Assert(result.Results, gc.HasLen, 1) 95 //check that user is not created 96 foobarTag := names.NewLocalUserTag("foobar") 97 c.Assert(result.Results[0], gc.DeepEquals, params.AddUserResult{}) 98 // Check that the call results in a new user being created 99 _, err = s.State.User(foobarTag) 100 c.Assert(err, gc.ErrorMatches, `user "foobar" not found`) 101 } 102 103 func (s *userManagerSuite) TestAddUserAsNormalUser(c *gc.C) { 104 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 105 usermanager, err := usermanager.NewUserManagerAPI( 106 s.State, nil, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 107 c.Assert(err, jc.ErrorIsNil) 108 109 args := params.AddUsers{ 110 Users: []params.AddUser{{ 111 Username: "foobar", 112 DisplayName: "Foo Bar", 113 Password: "password", 114 }}} 115 116 _, err = usermanager.AddUser(args) 117 c.Assert(err, gc.ErrorMatches, "permission denied") 118 119 _, err = s.State.User(names.NewLocalUserTag("foobar")) 120 c.Assert(err, jc.Satisfies, errors.IsNotFound) 121 } 122 123 func (s *userManagerSuite) TestDisableUser(c *gc.C) { 124 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 125 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 126 127 args := params.Entities{ 128 Entities: []params.Entity{ 129 {alex.Tag().String()}, 130 {barb.Tag().String()}, 131 {names.NewLocalUserTag("ellie").String()}, 132 {names.NewUserTag("fred@remote").String()}, 133 {"not-a-tag"}, 134 }} 135 result, err := s.usermanager.DisableUser(args) 136 c.Assert(err, jc.ErrorIsNil) 137 c.Assert(result, gc.DeepEquals, params.ErrorResults{ 138 Results: []params.ErrorResult{ 139 {Error: nil}, 140 {Error: nil}, 141 {Error: ¶ms.Error{ 142 Message: "permission denied", 143 Code: params.CodeUnauthorized, 144 }}, 145 {Error: ¶ms.Error{ 146 Message: "permission denied", 147 Code: params.CodeUnauthorized, 148 }}, 149 {Error: ¶ms.Error{ 150 Message: `"not-a-tag" is not a valid tag`, 151 }}, 152 }}) 153 err = alex.Refresh() 154 c.Assert(err, jc.ErrorIsNil) 155 c.Assert(alex.IsDisabled(), jc.IsTrue) 156 157 err = barb.Refresh() 158 c.Assert(err, jc.ErrorIsNil) 159 c.Assert(barb.IsDisabled(), jc.IsTrue) 160 } 161 162 func (s *userManagerSuite) TestBlockDisableUser(c *gc.C) { 163 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 164 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 165 166 args := params.Entities{ 167 Entities: []params.Entity{ 168 {alex.Tag().String()}, 169 {barb.Tag().String()}, 170 {names.NewLocalUserTag("ellie").String()}, 171 {names.NewUserTag("fred@remote").String()}, 172 {"not-a-tag"}, 173 }} 174 175 s.BlockAllChanges(c, "TestBlockDisableUser") 176 _, err := s.usermanager.DisableUser(args) 177 // Check that the call is blocked 178 s.AssertBlocked(c, err, "TestBlockDisableUser") 179 180 err = alex.Refresh() 181 c.Assert(err, jc.ErrorIsNil) 182 c.Assert(alex.IsDisabled(), jc.IsFalse) 183 184 err = barb.Refresh() 185 c.Assert(err, jc.ErrorIsNil) 186 c.Assert(barb.IsDisabled(), jc.IsTrue) 187 } 188 189 func (s *userManagerSuite) TestEnableUser(c *gc.C) { 190 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 191 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 192 193 args := params.Entities{ 194 Entities: []params.Entity{ 195 {alex.Tag().String()}, 196 {barb.Tag().String()}, 197 {names.NewLocalUserTag("ellie").String()}, 198 {names.NewUserTag("fred@remote").String()}, 199 {"not-a-tag"}, 200 }} 201 result, err := s.usermanager.EnableUser(args) 202 c.Assert(err, jc.ErrorIsNil) 203 c.Assert(result, gc.DeepEquals, params.ErrorResults{ 204 Results: []params.ErrorResult{ 205 {Error: nil}, 206 {Error: nil}, 207 {Error: ¶ms.Error{ 208 Message: "permission denied", 209 Code: params.CodeUnauthorized, 210 }}, 211 {Error: ¶ms.Error{ 212 Message: "permission denied", 213 Code: params.CodeUnauthorized, 214 }}, 215 {Error: ¶ms.Error{ 216 Message: `"not-a-tag" is not a valid tag`, 217 }}, 218 }}) 219 err = alex.Refresh() 220 c.Assert(err, jc.ErrorIsNil) 221 c.Assert(alex.IsDisabled(), jc.IsFalse) 222 223 err = barb.Refresh() 224 c.Assert(err, jc.ErrorIsNil) 225 c.Assert(barb.IsDisabled(), jc.IsFalse) 226 } 227 228 func (s *userManagerSuite) TestBlockEnableUser(c *gc.C) { 229 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 230 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 231 232 args := params.Entities{ 233 Entities: []params.Entity{ 234 {alex.Tag().String()}, 235 {barb.Tag().String()}, 236 {names.NewLocalUserTag("ellie").String()}, 237 {names.NewUserTag("fred@remote").String()}, 238 {"not-a-tag"}, 239 }} 240 241 s.BlockAllChanges(c, "TestBlockEnableUser") 242 _, err := s.usermanager.EnableUser(args) 243 // Check that the call is blocked 244 s.AssertBlocked(c, err, "TestBlockEnableUser") 245 246 err = alex.Refresh() 247 c.Assert(err, jc.ErrorIsNil) 248 c.Assert(alex.IsDisabled(), jc.IsFalse) 249 250 err = barb.Refresh() 251 c.Assert(err, jc.ErrorIsNil) 252 c.Assert(barb.IsDisabled(), jc.IsTrue) 253 } 254 255 func (s *userManagerSuite) TestDisableUserAsNormalUser(c *gc.C) { 256 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 257 usermanager, err := usermanager.NewUserManagerAPI( 258 s.State, nil, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 259 c.Assert(err, jc.ErrorIsNil) 260 261 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb"}) 262 263 args := params.Entities{ 264 []params.Entity{{barb.Tag().String()}}, 265 } 266 _, err = usermanager.DisableUser(args) 267 c.Assert(err, gc.ErrorMatches, "permission denied") 268 269 err = barb.Refresh() 270 c.Assert(err, jc.ErrorIsNil) 271 c.Assert(barb.IsDisabled(), jc.IsFalse) 272 } 273 274 func (s *userManagerSuite) TestEnableUserAsNormalUser(c *gc.C) { 275 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 276 usermanager, err := usermanager.NewUserManagerAPI( 277 s.State, nil, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 278 c.Assert(err, jc.ErrorIsNil) 279 280 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 281 282 args := params.Entities{ 283 []params.Entity{{barb.Tag().String()}}, 284 } 285 _, err = usermanager.EnableUser(args) 286 c.Assert(err, gc.ErrorMatches, "permission denied") 287 288 err = barb.Refresh() 289 c.Assert(err, jc.ErrorIsNil) 290 c.Assert(barb.IsDisabled(), jc.IsTrue) 291 } 292 293 func (s *userManagerSuite) TestUserInfo(c *gc.C) { 294 userFoo := s.Factory.MakeUser(c, &factory.UserParams{Name: "foobar", DisplayName: "Foo Bar"}) 295 userBar := s.Factory.MakeUser(c, &factory.UserParams{Name: "barfoo", DisplayName: "Bar Foo", Disabled: true}) 296 297 args := params.UserInfoRequest{ 298 Entities: []params.Entity{ 299 { 300 Tag: userFoo.Tag().String(), 301 }, { 302 Tag: userBar.Tag().String(), 303 }, { 304 Tag: names.NewLocalUserTag("ellie").String(), 305 }, { 306 Tag: names.NewUserTag("not@remote").String(), 307 }, { 308 Tag: "not-a-tag", 309 }, 310 }} 311 312 results, err := s.usermanager.UserInfo(args) 313 c.Assert(err, jc.ErrorIsNil) 314 var expected params.UserInfoResults 315 for _, r := range []struct { 316 user *state.User 317 info *params.UserInfo 318 err *params.Error 319 }{ 320 { 321 user: userFoo, 322 info: ¶ms.UserInfo{ 323 Username: "foobar", 324 DisplayName: "Foo Bar", 325 }, 326 }, { 327 user: userBar, 328 info: ¶ms.UserInfo{ 329 Username: "barfoo", 330 DisplayName: "Bar Foo", 331 Disabled: true, 332 }, 333 }, { 334 err: ¶ms.Error{ 335 Message: "permission denied", 336 Code: params.CodeUnauthorized, 337 }, 338 }, { 339 err: ¶ms.Error{ 340 Message: "permission denied", 341 Code: params.CodeUnauthorized, 342 }, 343 }, { 344 err: ¶ms.Error{ 345 Message: `"not-a-tag" is not a valid tag`, 346 }, 347 }, 348 } { 349 if r.info != nil { 350 r.info.DateCreated = r.user.DateCreated() 351 r.info.LastConnection = lastLoginPointer(c, r.user) 352 r.info.CreatedBy = s.adminName 353 } 354 expected.Results = append(expected.Results, params.UserInfoResult{Result: r.info, Error: r.err}) 355 } 356 357 c.Assert(results, jc.DeepEquals, expected) 358 } 359 360 func (s *userManagerSuite) TestUserInfoAll(c *gc.C) { 361 admin, err := s.State.User(s.AdminUserTag(c)) 362 c.Assert(err, jc.ErrorIsNil) 363 userFoo := s.Factory.MakeUser(c, &factory.UserParams{Name: "foobar", DisplayName: "Foo Bar"}) 364 userBar := s.Factory.MakeUser(c, &factory.UserParams{Name: "barfoo", DisplayName: "Bar Foo", Disabled: true}) 365 366 args := params.UserInfoRequest{IncludeDisabled: true} 367 results, err := s.usermanager.UserInfo(args) 368 c.Assert(err, jc.ErrorIsNil) 369 var expected params.UserInfoResults 370 for _, r := range []struct { 371 user *state.User 372 info *params.UserInfo 373 }{ 374 { 375 user: userBar, 376 info: ¶ms.UserInfo{ 377 Username: "barfoo", 378 DisplayName: "Bar Foo", 379 Disabled: true, 380 }, 381 }, { 382 user: admin, 383 info: ¶ms.UserInfo{ 384 Username: s.adminName, 385 DisplayName: admin.DisplayName(), 386 }, 387 }, { 388 user: userFoo, 389 info: ¶ms.UserInfo{ 390 Username: "foobar", 391 DisplayName: "Foo Bar", 392 }, 393 }, 394 } { 395 r.info.CreatedBy = s.adminName 396 r.info.DateCreated = r.user.DateCreated() 397 r.info.LastConnection = lastLoginPointer(c, r.user) 398 expected.Results = append(expected.Results, params.UserInfoResult{Result: r.info}) 399 } 400 c.Assert(results, jc.DeepEquals, expected) 401 402 results, err = s.usermanager.UserInfo(params.UserInfoRequest{}) 403 c.Assert(err, jc.ErrorIsNil) 404 // Same results as before, but without the deactivated barfoo user 405 expected.Results = expected.Results[1:] 406 c.Assert(results, jc.DeepEquals, expected) 407 } 408 409 func lastLoginPointer(c *gc.C, user *state.User) *time.Time { 410 lastLogin, err := user.LastLogin() 411 if err != nil { 412 if state.IsNeverLoggedInError(err) { 413 return nil 414 } 415 c.Fatal(err) 416 } 417 return &lastLogin 418 } 419 420 func (s *userManagerSuite) TestSetPassword(c *gc.C) { 421 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 422 423 args := params.EntityPasswords{ 424 Changes: []params.EntityPassword{{ 425 Tag: alex.Tag().String(), 426 Password: "new-password", 427 }}} 428 results, err := s.usermanager.SetPassword(args) 429 c.Assert(err, jc.ErrorIsNil) 430 c.Assert(results.Results, gc.HasLen, 1) 431 c.Assert(results.Results[0], gc.DeepEquals, params.ErrorResult{Error: nil}) 432 433 err = alex.Refresh() 434 c.Assert(err, jc.ErrorIsNil) 435 436 c.Assert(alex.PasswordValid("new-password"), jc.IsTrue) 437 } 438 439 func (s *userManagerSuite) TestBlockSetPassword(c *gc.C) { 440 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 441 442 args := params.EntityPasswords{ 443 Changes: []params.EntityPassword{{ 444 Tag: alex.Tag().String(), 445 Password: "new-password", 446 }}} 447 448 s.BlockAllChanges(c, "TestBlockSetPassword") 449 _, err := s.usermanager.SetPassword(args) 450 // Check that the call is blocked 451 s.AssertBlocked(c, err, "TestBlockSetPassword") 452 453 err = alex.Refresh() 454 c.Assert(err, jc.ErrorIsNil) 455 456 c.Assert(alex.PasswordValid("new-password"), jc.IsFalse) 457 } 458 459 func (s *userManagerSuite) TestSetPasswordForSelf(c *gc.C) { 460 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 461 usermanager, err := usermanager.NewUserManagerAPI( 462 s.State, nil, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 463 c.Assert(err, jc.ErrorIsNil) 464 465 args := params.EntityPasswords{ 466 Changes: []params.EntityPassword{{ 467 Tag: alex.Tag().String(), 468 Password: "new-password", 469 }}} 470 results, err := usermanager.SetPassword(args) 471 c.Assert(err, jc.ErrorIsNil) 472 c.Assert(results.Results, gc.HasLen, 1) 473 c.Assert(results.Results[0], gc.DeepEquals, params.ErrorResult{Error: nil}) 474 475 err = alex.Refresh() 476 c.Assert(err, jc.ErrorIsNil) 477 478 c.Assert(alex.PasswordValid("new-password"), jc.IsTrue) 479 } 480 481 func (s *userManagerSuite) TestSetPasswordForOther(c *gc.C) { 482 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 483 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb"}) 484 usermanager, err := usermanager.NewUserManagerAPI( 485 s.State, nil, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 486 c.Assert(err, jc.ErrorIsNil) 487 488 args := params.EntityPasswords{ 489 Changes: []params.EntityPassword{{ 490 Tag: barb.Tag().String(), 491 Password: "new-password", 492 }}} 493 results, err := usermanager.SetPassword(args) 494 c.Assert(err, jc.ErrorIsNil) 495 c.Assert(results.Results, gc.HasLen, 1) 496 c.Assert(results.Results[0], gc.DeepEquals, params.ErrorResult{ 497 Error: ¶ms.Error{ 498 Message: "permission denied", 499 Code: params.CodeUnauthorized, 500 }}) 501 502 err = barb.Refresh() 503 c.Assert(err, jc.ErrorIsNil) 504 505 c.Assert(barb.PasswordValid("new-password"), jc.IsFalse) 506 }