github.com/juju/juju@v0.0.0-20240430160146-1752b71fcf00/state/user_test.go (about) 1 // Copyright 2013, 2014 Canonical Ltd. 2 // Licensed under the AGPLv3, see LICENCE file for details. 3 4 package state_test 5 6 import ( 7 "fmt" 8 "regexp" 9 "strings" 10 "time" 11 12 "github.com/juju/errors" 13 "github.com/juju/names/v5" 14 jc "github.com/juju/testing/checkers" 15 "github.com/juju/utils/v3" 16 gc "gopkg.in/check.v1" 17 18 "github.com/juju/juju/core/permission" 19 "github.com/juju/juju/state" 20 "github.com/juju/juju/testing" 21 "github.com/juju/juju/testing/factory" 22 ) 23 24 type UserSuite struct { 25 ConnSuite 26 } 27 28 var _ = gc.Suite(&UserSuite{}) 29 30 func (s *UserSuite) TestAddInvalidNames(c *gc.C) { 31 for _, name := range []string{ 32 "", 33 "a", 34 "b^b", 35 "a.", 36 "a-", 37 "user@local", 38 "@ubuntuone", 39 } { 40 c.Logf("check invalid name %q", name) 41 user, err := s.State.AddUser(name, "ignored", "ignored", "ignored") 42 c.Check(err, gc.ErrorMatches, `invalid user name "`+regexp.QuoteMeta(name)+`"`) 43 c.Check(user, gc.IsNil) 44 } 45 } 46 47 func (s *UserSuite) TestAddUser(c *gc.C) { 48 name := "f00-Bar.ram77" 49 displayName := "Display" 50 password := "password" 51 creator := "admin" 52 53 now := testing.NonZeroTime().Round(time.Second).UTC() 54 55 user, err := s.State.AddUser(name, displayName, password, creator) 56 c.Assert(err, jc.ErrorIsNil) 57 c.Assert(user, gc.NotNil) 58 c.Assert(user.Name(), gc.Equals, name) 59 c.Assert(user.DisplayName(), gc.Equals, displayName) 60 c.Assert(user.PasswordValid(password), jc.IsTrue) 61 c.Assert(user.CreatedBy(), gc.Equals, creator) 62 c.Assert(user.DateCreated().After(now) || 63 user.DateCreated().Equal(now), jc.IsTrue) 64 lastLogin, err := user.LastLogin() 65 c.Assert(err, jc.Satisfies, state.IsNeverLoggedInError) 66 c.Assert(lastLogin, gc.DeepEquals, time.Time{}) 67 68 user, err = s.State.User(user.UserTag()) 69 c.Assert(err, jc.ErrorIsNil) 70 c.Assert(user, gc.NotNil) 71 c.Assert(user.Name(), gc.Equals, name) 72 c.Assert(user.DisplayName(), gc.Equals, displayName) 73 c.Assert(user.PasswordValid(password), jc.IsTrue) 74 c.Assert(user.CreatedBy(), gc.Equals, creator) 75 c.Assert(user.DateCreated().After(now) || 76 user.DateCreated().Equal(now), jc.IsTrue) 77 lastLogin, err = user.LastLogin() 78 c.Assert(err, jc.Satisfies, state.IsNeverLoggedInError) 79 c.Assert(lastLogin, gc.DeepEquals, time.Time{}) 80 } 81 82 func (s *UserSuite) TestCheckUserExists(c *gc.C) { 83 user := s.Factory.MakeUser(c, nil) 84 exists, err := state.CheckUserExists(s.State, user.Name()) 85 c.Assert(err, jc.ErrorIsNil) 86 c.Assert(exists, jc.IsTrue) 87 exists, err = state.CheckUserExists(s.State, strings.ToUpper(user.Name())) 88 c.Assert(err, jc.ErrorIsNil) 89 c.Assert(exists, jc.IsTrue) 90 exists, err = state.CheckUserExists(s.State, "notAUser") 91 c.Assert(err, jc.ErrorIsNil) 92 c.Assert(exists, jc.IsFalse) 93 } 94 95 func (s *UserSuite) TestString(c *gc.C) { 96 user := s.Factory.MakeUser(c, &factory.UserParams{Name: "foo"}) 97 c.Assert(user.String(), gc.Equals, "foo") 98 } 99 100 func (s *UserSuite) TestUpdateLastLogin(c *gc.C) { 101 now := testing.NonZeroTime().Round(time.Second).UTC() 102 user := s.Factory.MakeUser(c, nil) 103 err := user.UpdateLastLogin() 104 c.Assert(err, jc.ErrorIsNil) 105 lastLogin, err := user.LastLogin() 106 c.Assert(err, jc.ErrorIsNil) 107 c.Assert(lastLogin.After(now) || 108 lastLogin.Equal(now), jc.IsTrue) 109 } 110 111 func (s *UserSuite) TestSetPassword(c *gc.C) { 112 user := s.Factory.MakeUser(c, nil) 113 testSetPassword(c, func() (state.Authenticator, error) { 114 return s.State.User(user.UserTag()) 115 }) 116 } 117 118 func (s *UserSuite) TestAddUserSetsSalt(c *gc.C) { 119 user := s.Factory.MakeUser(c, &factory.UserParams{Password: "a-password"}) 120 salt, hash := state.GetUserPasswordSaltAndHash(user) 121 c.Assert(hash, gc.Not(gc.Equals), "") 122 c.Assert(salt, gc.Not(gc.Equals), "") 123 c.Assert(utils.UserPasswordHash("a-password", salt), gc.Equals, hash) 124 c.Assert(user.PasswordValid("a-password"), jc.IsTrue) 125 } 126 127 func (s *UserSuite) TestSetPasswordChangesSalt(c *gc.C) { 128 user := s.Factory.MakeUser(c, nil) 129 origSalt, origHash := state.GetUserPasswordSaltAndHash(user) 130 c.Assert(origSalt, gc.Not(gc.Equals), "") 131 user.SetPassword("a-password") 132 newSalt, newHash := state.GetUserPasswordSaltAndHash(user) 133 c.Assert(newSalt, gc.Not(gc.Equals), "") 134 c.Assert(newSalt, gc.Not(gc.Equals), origSalt) 135 c.Assert(newHash, gc.Not(gc.Equals), origHash) 136 c.Assert(user.PasswordValid("a-password"), jc.IsTrue) 137 } 138 139 func (s *UserSuite) TestRemoveUserNonExistent(c *gc.C) { 140 err := s.State.RemoveUser(names.NewUserTag("harvey")) 141 c.Assert(errors.IsNotFound(err), jc.IsTrue) 142 } 143 144 func (s *UserSuite) TestAllUsersSkipsDeletedUsers(c *gc.C) { 145 user := s.Factory.MakeUser(c, &factory.UserParams{Name: "one"}) 146 _ = s.Factory.MakeUser(c, &factory.UserParams{Name: "two"}) 147 _ = s.Factory.MakeUser(c, &factory.UserParams{Name: "three"}) 148 149 all, err := s.State.AllUsers(true) 150 c.Check(err, jc.ErrorIsNil) 151 c.Check(len(all), jc.DeepEquals, 4) 152 153 var got []string 154 for _, u := range all { 155 got = append(got, u.Name()) 156 } 157 c.Check(got, jc.SameContents, []string{"test-admin", "one", "two", "three"}) 158 159 s.State.RemoveUser(user.UserTag()) 160 161 all, err = s.State.AllUsers(true) 162 got = nil 163 for _, u := range all { 164 got = append(got, u.Name()) 165 } 166 c.Check(err, jc.ErrorIsNil) 167 c.Check(len(all), jc.DeepEquals, 3) 168 c.Check(got, jc.SameContents, []string{"test-admin", "two", "three"}) 169 170 } 171 172 func (s *UserSuite) TestRemoveUser(c *gc.C) { 173 user := s.Factory.MakeUser(c, &factory.UserParams{Password: "so sekrit"}) 174 175 // Assert user exists and can authenticate. 176 c.Assert(user.PasswordValid("so sekrit"), jc.IsTrue) 177 178 // Look for the user. 179 u, err := s.State.User(user.UserTag()) 180 c.Check(err, jc.ErrorIsNil) 181 c.Assert(u, jc.DeepEquals, user) 182 183 // Remove the user. 184 err = s.State.RemoveUser(user.UserTag()) 185 c.Check(err, jc.ErrorIsNil) 186 187 // Check that we cannot update last login. 188 err = u.UpdateLastLogin() 189 c.Check(err, gc.NotNil) 190 c.Check(err, jc.Satisfies, state.IsDeletedUserError) 191 c.Check(err.Error(), jc.DeepEquals, 192 fmt.Sprintf("cannot update last login: user %q is permanently deleted", user.Name())) 193 194 // Check that we cannot set a password. 195 err = u.SetPassword("should fail too") 196 c.Check(err, gc.NotNil) 197 c.Check(err, jc.Satisfies, state.IsDeletedUserError) 198 c.Check(err.Error(), jc.DeepEquals, 199 fmt.Sprintf("cannot set password: user %q is permanently deleted", user.Name())) 200 201 // Check that we cannot set the password hash. 202 err = u.SetPasswordHash("also", "fail") 203 c.Check(err, gc.NotNil) 204 c.Check(err, jc.Satisfies, state.IsDeletedUserError) 205 c.Check(err.Error(), jc.DeepEquals, 206 fmt.Sprintf("cannot set password hash: user %q is permanently deleted", user.Name())) 207 208 // Check that we cannot validate a password. 209 c.Check(u.PasswordValid("should fail"), jc.IsFalse) 210 211 // Check that we cannot enable the user. 212 err = u.Enable() 213 c.Check(err, gc.NotNil) 214 c.Check(err, jc.Satisfies, state.IsDeletedUserError) 215 c.Check(err.Error(), jc.DeepEquals, 216 fmt.Sprintf("cannot enable: user %q is permanently deleted", user.Name())) 217 218 // Check that we cannot disable the user. 219 err = u.Disable() 220 c.Check(err, gc.NotNil) 221 c.Check(err, jc.Satisfies, state.IsDeletedUserError) 222 c.Check(err.Error(), jc.DeepEquals, 223 fmt.Sprintf("cannot disable: user %q is permanently deleted", user.Name())) 224 225 // Check again to verify the user cannot be retrieved. 226 u, err = s.State.User(user.UserTag()) 227 c.Check(err, gc.ErrorMatches, `user "username-\d+" is permanently deleted`) 228 } 229 230 func (s *UserSuite) TestRemoveUserUppercaseName(c *gc.C) { 231 name := "NameWithUppercase" 232 user := s.Factory.MakeUser(c, &factory.UserParams{ 233 Name: name, 234 Password: "wow very sea cret", 235 }) 236 237 // Assert user exists and can authenticate. 238 c.Assert(user.PasswordValid("wow very sea cret"), jc.IsTrue) 239 240 // Look for the user. 241 u, err := s.State.User(user.UserTag()) 242 c.Check(err, jc.ErrorIsNil) 243 c.Assert(u, jc.DeepEquals, user) 244 245 // Remove the user. 246 err = s.State.RemoveUser(user.UserTag()) 247 c.Check(err, jc.ErrorIsNil) 248 249 // Check to verify the user cannot be retrieved. 250 _, err = s.State.User(user.UserTag()) 251 c.Check(err, gc.ErrorMatches, fmt.Sprintf(`user "%s" is permanently deleted`, name)) 252 } 253 254 func (s *UserSuite) TestRemoveUserRemovesUserAccess(c *gc.C) { 255 user := s.Factory.MakeUser(c, &factory.UserParams{Password: "so sekrit"}) 256 257 // Assert user exists and can authenticate. 258 c.Assert(user.PasswordValid("so sekrit"), jc.IsTrue) 259 260 s.State.SetUserAccess(user.UserTag(), s.Model.ModelTag(), permission.AdminAccess) 261 s.State.SetUserAccess(user.UserTag(), s.State.ControllerTag(), permission.SuperuserAccess) 262 263 uam, err := s.State.UserAccess(user.UserTag(), s.Model.ModelTag()) 264 c.Check(err, jc.ErrorIsNil) 265 c.Check(uam.Access, gc.Equals, permission.AdminAccess) 266 267 uac, err := s.State.UserAccess(user.UserTag(), s.State.ControllerTag()) 268 c.Check(err, jc.ErrorIsNil) 269 c.Check(uac.Access, gc.Equals, permission.SuperuserAccess) 270 271 // Look for the user. 272 u, err := s.State.User(user.UserTag()) 273 c.Check(err, jc.ErrorIsNil) 274 c.Check(u, jc.DeepEquals, user) 275 276 // Remove the user. 277 err = s.State.RemoveUser(user.UserTag()) 278 c.Check(err, jc.ErrorIsNil) 279 280 uam, err = s.State.UserAccess(user.UserTag(), s.Model.ModelTag()) 281 c.Check(err, gc.ErrorMatches, fmt.Sprintf("user %q is permanently deleted", user.UserTag().Name())) 282 283 uac, err = s.State.UserAccess(user.UserTag(), s.State.ControllerTag()) 284 c.Assert(err, gc.ErrorMatches, fmt.Sprintf("user %q is permanently deleted", user.UserTag().Name())) 285 } 286 287 func (s *UserSuite) TestRecreatedUsersResetPermissions(c *gc.C) { 288 user := s.Factory.MakeUser(c, &factory.UserParams{Password: "so sekrit"}) 289 290 // Assert user exists and can authenticate. 291 c.Assert(user.PasswordValid("so sekrit"), jc.IsTrue) 292 293 s.State.SetUserAccess(user.UserTag(), s.Model.ModelTag(), permission.AdminAccess) 294 s.State.SetUserAccess(user.UserTag(), s.State.ControllerTag(), permission.SuperuserAccess) 295 296 uam, err := s.State.UserAccess(user.UserTag(), s.Model.ModelTag()) 297 c.Check(err, jc.ErrorIsNil) 298 c.Check(uam.Access, gc.Equals, permission.AdminAccess) 299 300 uac, err := s.State.UserAccess(user.UserTag(), s.State.ControllerTag()) 301 c.Check(err, jc.ErrorIsNil) 302 c.Check(uac.Access, gc.Equals, permission.SuperuserAccess) 303 304 // Look for the user. 305 u, err := s.State.User(user.UserTag()) 306 c.Check(err, jc.ErrorIsNil) 307 c.Check(u, jc.DeepEquals, user) 308 309 // Remove the user. 310 err = s.State.RemoveUser(user.UserTag()) 311 c.Check(err, jc.ErrorIsNil) 312 313 // Add the user again with other password and access 314 userRecreated := s.Factory.MakeUser(c, &factory.UserParams{ 315 Password: "otherpassword", 316 Access: permission.ReadAccess}) 317 318 // Assert user exists and can authenticate. 319 c.Assert(userRecreated.PasswordValid("otherpassword"), jc.IsTrue) 320 321 // Check that the recreated user does not have the permissions set previously 322 urac, err := s.State.UserAccess(userRecreated.UserTag(), s.State.ControllerTag()) 323 c.Check(err, jc.ErrorIsNil) 324 c.Check(urac.Access, gc.Equals, permission.LoginAccess) 325 326 // No model access was set yet 327 uram, err := s.State.UserAccess(userRecreated.UserTag(), s.Model.ModelTag()) 328 c.Assert(err, jc.ErrorIsNil) 329 c.Check(uram.Access, gc.Equals, permission.ReadAccess) 330 } 331 332 func (s *UserSuite) TestDisableUser(c *gc.C) { 333 user := s.Factory.MakeUser(c, &factory.UserParams{Password: "a-password"}) 334 c.Assert(user.IsDisabled(), jc.IsFalse) 335 c.Assert(s.activeUsers(c), jc.DeepEquals, []string{"test-admin", user.Name()}) 336 337 err := user.Disable() 338 c.Assert(err, jc.ErrorIsNil) 339 c.Assert(user.IsDisabled(), jc.IsTrue) 340 c.Assert(user.PasswordValid("a-password"), jc.IsFalse) 341 c.Assert(s.activeUsers(c), jc.DeepEquals, []string{"test-admin"}) 342 343 err = user.Enable() 344 c.Assert(err, jc.ErrorIsNil) 345 c.Assert(user.IsDisabled(), jc.IsFalse) 346 c.Assert(user.PasswordValid("a-password"), jc.IsTrue) 347 c.Assert(s.activeUsers(c), jc.DeepEquals, []string{"test-admin", user.Name()}) 348 } 349 350 func (s *UserSuite) TestDisableUserUppercaseName(c *gc.C) { 351 name := "NameWithUppercase" 352 user := s.Factory.MakeUser(c, &factory.UserParams{Password: "a-password", Name: name}) 353 c.Assert(user.IsDisabled(), jc.IsFalse) 354 c.Assert(s.activeUsers(c), jc.DeepEquals, []string{name, "test-admin"}) 355 356 err := user.Disable() 357 c.Assert(err, jc.ErrorIsNil) 358 c.Assert(user.IsDisabled(), jc.IsTrue) 359 c.Assert(user.PasswordValid("a-password"), jc.IsFalse) 360 c.Assert(s.activeUsers(c), jc.DeepEquals, []string{"test-admin"}) 361 362 err = user.Enable() 363 c.Assert(err, jc.ErrorIsNil) 364 c.Assert(user.IsDisabled(), jc.IsFalse) 365 c.Assert(user.PasswordValid("a-password"), jc.IsTrue) 366 c.Assert(s.activeUsers(c), jc.DeepEquals, []string{name, "test-admin"}) 367 } 368 369 func (s *UserSuite) TestDisableUserDisablesUserAccess(c *gc.C) { 370 user := s.Factory.MakeUser(c, &factory.UserParams{Password: "so sekrit"}) 371 372 // Assert user exists and can authenticate. 373 c.Assert(user.PasswordValid("so sekrit"), jc.IsTrue) 374 375 s.State.SetUserAccess(user.UserTag(), s.Model.ModelTag(), permission.AdminAccess) 376 s.State.SetUserAccess(user.UserTag(), s.State.ControllerTag(), permission.SuperuserAccess) 377 378 uam, err := s.State.UserAccess(user.UserTag(), s.Model.ModelTag()) 379 c.Check(err, jc.ErrorIsNil) 380 c.Check(uam.Access, gc.Equals, permission.AdminAccess) 381 382 uac, err := s.State.UserAccess(user.UserTag(), s.State.ControllerTag()) 383 c.Check(err, jc.ErrorIsNil) 384 c.Check(uac.Access, gc.Equals, permission.SuperuserAccess) 385 386 // Look for the user. 387 u, err := s.State.User(user.UserTag()) 388 c.Check(err, jc.ErrorIsNil) 389 c.Check(u, jc.DeepEquals, user) 390 391 // Disable the user. 392 err = u.Disable() 393 c.Check(err, jc.ErrorIsNil) 394 395 uam, err = s.State.UserAccess(user.UserTag(), s.Model.ModelTag()) 396 c.Check(err, gc.ErrorMatches, fmt.Sprintf("user %q is disabled", user.UserTag().Name())) 397 398 uac, err = s.State.UserAccess(user.UserTag(), s.State.ControllerTag()) 399 c.Assert(err, gc.ErrorMatches, fmt.Sprintf("user %q is disabled", user.UserTag().Name())) 400 401 // Re-enable the user. 402 err = u.Refresh() 403 c.Check(err, jc.ErrorIsNil) 404 err = u.Enable() 405 c.Check(err, jc.ErrorIsNil) 406 407 uam, err = s.State.UserAccess(user.UserTag(), s.Model.ModelTag()) 408 c.Check(err, jc.ErrorIsNil) 409 c.Check(uam.Access, gc.Equals, permission.AdminAccess) 410 411 uac, err = s.State.UserAccess(user.UserTag(), s.State.ControllerTag()) 412 c.Check(err, jc.ErrorIsNil) 413 c.Check(uac.Access, gc.Equals, permission.SuperuserAccess) 414 } 415 416 func (s *UserSuite) activeUsers(c *gc.C) []string { 417 users, err := s.State.AllUsers(false) 418 c.Assert(err, jc.ErrorIsNil) 419 names := make([]string, len(users)) 420 for i, u := range users { 421 names[i] = u.Name() 422 } 423 return names 424 } 425 426 func (s *UserSuite) TestSetPasswordHash(c *gc.C) { 427 user := s.Factory.MakeUser(c, nil) 428 429 salt, err := utils.RandomSalt() 430 c.Assert(err, jc.ErrorIsNil) 431 err = user.SetPasswordHash(utils.UserPasswordHash("foo", salt), salt) 432 c.Assert(err, jc.ErrorIsNil) 433 434 c.Assert(user.PasswordValid("foo"), jc.IsTrue) 435 c.Assert(user.PasswordValid("bar"), jc.IsFalse) 436 437 // User passwords should *not* use the fast PasswordHash function 438 hash := utils.AgentPasswordHash("foo-12345678901234567890") 439 c.Assert(err, jc.ErrorIsNil) 440 err = user.SetPasswordHash(hash, "") 441 c.Assert(err, jc.ErrorIsNil) 442 443 c.Assert(user.PasswordValid("foo-12345678901234567890"), jc.IsFalse) 444 } 445 446 func (s *UserSuite) TestSetPasswordHashUppercaseName(c *gc.C) { 447 name := "NameWithUppercase" 448 user := s.Factory.MakeUser(c, &factory.UserParams{Name: name}) 449 450 salt, err := utils.RandomSalt() 451 c.Assert(err, jc.ErrorIsNil) 452 err = user.SetPasswordHash(utils.UserPasswordHash("foo", salt), salt) 453 c.Assert(err, jc.ErrorIsNil) 454 455 c.Assert(user.PasswordValid("foo"), jc.IsTrue) 456 c.Assert(user.PasswordValid("bar"), jc.IsFalse) 457 458 // User passwords should *not* use the fast PasswordHash function 459 hash := utils.AgentPasswordHash("foo-12345678901234567890") 460 c.Assert(err, jc.ErrorIsNil) 461 err = user.SetPasswordHash(hash, "") 462 c.Assert(err, jc.ErrorIsNil) 463 464 c.Assert(user.PasswordValid("foo-12345678901234567890"), jc.IsFalse) 465 } 466 467 func (s *UserSuite) TestSetPasswordHashWithSalt(c *gc.C) { 468 user := s.Factory.MakeUser(c, nil) 469 470 err := user.SetPasswordHash(utils.UserPasswordHash("foo", "salted"), "salted") 471 c.Assert(err, jc.ErrorIsNil) 472 473 c.Assert(user.PasswordValid("foo"), jc.IsTrue) 474 salt, _ := state.GetUserPasswordSaltAndHash(user) 475 c.Assert(salt, gc.Equals, "salted") 476 } 477 478 func (s *UserSuite) TestCantDisableAdmin(c *gc.C) { 479 user, err := s.State.User(s.Owner) 480 c.Assert(err, jc.ErrorIsNil) 481 err = user.Disable() 482 c.Assert(err, gc.ErrorMatches, "cannot disable controller model owner") 483 } 484 485 func (s *UserSuite) TestCaseSensitiveUsersErrors(c *gc.C) { 486 s.Factory.MakeUser(c, &factory.UserParams{Name: "Bob"}) 487 488 _, err := s.State.AddUser( 489 "boB", "ignored", "ignored", "ignored") 490 c.Assert(err, gc.ErrorMatches, "user boB already exists") 491 } 492 493 func (s *UserSuite) TestCaseInsensitiveLookup(c *gc.C) { 494 expectedUser := s.Factory.MakeUser(c, &factory.UserParams{Name: "Bob"}) 495 496 assertCaseInsensitiveLookup := func(name string) { 497 userTag := names.NewUserTag(name) 498 obtainedUser, err := s.State.User(userTag) 499 c.Assert(err, jc.ErrorIsNil) 500 c.Assert(obtainedUser, gc.DeepEquals, expectedUser) 501 } 502 503 assertCaseInsensitiveLookup("bob") 504 assertCaseInsensitiveLookup("bOb") 505 assertCaseInsensitiveLookup("boB") 506 assertCaseInsensitiveLookup("BOB") 507 } 508 509 func (s *UserSuite) TestAllUsers(c *gc.C) { 510 // Create in non-alphabetical order. 511 s.Factory.MakeUser(c, &factory.UserParams{Name: "conrad"}) 512 s.Factory.MakeUser(c, &factory.UserParams{Name: "adam"}) 513 s.Factory.MakeUser(c, &factory.UserParams{Name: "debbie", Disabled: true}) 514 s.Factory.MakeUser(c, &factory.UserParams{Name: "barbara"}) 515 s.Factory.MakeUser(c, &factory.UserParams{Name: "fred", Disabled: true}) 516 s.Factory.MakeUser(c, &factory.UserParams{Name: "erica"}) 517 // There is the existing controller owner called "test-admin" 518 519 includeDeactivated := false 520 users, err := s.State.AllUsers(includeDeactivated) 521 c.Assert(err, jc.ErrorIsNil) 522 c.Assert(users, gc.HasLen, 5) 523 c.Check(users[0].Name(), gc.Equals, "adam") 524 c.Check(users[1].Name(), gc.Equals, "barbara") 525 c.Check(users[2].Name(), gc.Equals, "conrad") 526 c.Check(users[3].Name(), gc.Equals, "erica") 527 c.Check(users[4].Name(), gc.Equals, "test-admin") 528 529 includeDeactivated = true 530 users, err = s.State.AllUsers(includeDeactivated) 531 c.Assert(err, jc.ErrorIsNil) 532 c.Assert(users, gc.HasLen, 7) 533 c.Check(users[0].Name(), gc.Equals, "adam") 534 c.Check(users[1].Name(), gc.Equals, "barbara") 535 c.Check(users[2].Name(), gc.Equals, "conrad") 536 c.Check(users[3].Name(), gc.Equals, "debbie") 537 c.Check(users[4].Name(), gc.Equals, "erica") 538 c.Check(users[5].Name(), gc.Equals, "fred") 539 c.Check(users[6].Name(), gc.Equals, "test-admin") 540 } 541 542 func (s *UserSuite) TestAddDeletedUser(c *gc.C) { 543 s.Factory.MakeUser(c, &factory.UserParams{Name: "bob"}) 544 545 _ = s.State.RemoveUser(names.NewUserTag("bob")) 546 547 u, err := s.State.AddUser( 548 "bob", "displayname", "password", "creator") 549 550 c.Assert(err, jc.ErrorIsNil) 551 c.Assert(u.Name(), gc.Equals, "bob") 552 c.Assert(u.DisplayName(), gc.Equals, "displayname") 553 c.Assert(u.CreatedBy(), gc.Equals, "creator") 554 } 555 556 func (s *UserSuite) TestAddUserNoSecretKey(c *gc.C) { 557 u, err := s.State.AddUser("bob", "display", "pass", "admin") 558 c.Assert(err, jc.ErrorIsNil) 559 c.Assert(u.SecretKey(), gc.IsNil) 560 } 561 562 func (s *UserSuite) TestAddUserSecretKey(c *gc.C) { 563 u, err := s.State.AddUserWithSecretKey("bob", "display", "admin") 564 c.Assert(err, jc.ErrorIsNil) 565 c.Assert(u.SecretKey(), gc.HasLen, 32) 566 c.Assert(u.PasswordValid(""), jc.IsFalse) 567 } 568 569 func (s *UserSuite) TestSetPasswordClearsSecretKey(c *gc.C) { 570 u, err := s.State.AddUserWithSecretKey("bob", "display", "admin") 571 c.Assert(err, jc.ErrorIsNil) 572 c.Assert(u.SecretKey(), gc.HasLen, 32) 573 err = u.SetPassword("anything") 574 c.Assert(err, jc.ErrorIsNil) 575 c.Assert(u.SecretKey(), gc.IsNil) 576 err = u.Refresh() 577 c.Assert(err, jc.ErrorIsNil) 578 c.Assert(u.SecretKey(), gc.IsNil) 579 } 580 581 func (s *UserSuite) TestResetPassword(c *gc.C) { 582 u, err := s.State.AddUserWithSecretKey("bob", "display", "admin") 583 c.Assert(err, jc.ErrorIsNil) 584 c.Assert(u.SecretKey(), gc.HasLen, 32) 585 oldKey := u.SecretKey() 586 587 key, err := u.ResetPassword() 588 c.Assert(err, jc.ErrorIsNil) 589 c.Assert(key, gc.Not(gc.DeepEquals), oldKey) 590 c.Assert(key, gc.NotNil) 591 c.Assert(u.SecretKey(), gc.DeepEquals, key) 592 } 593 594 func (s *UserSuite) TestResetPasswordUppercaseName(c *gc.C) { 595 u, err := s.State.AddUserWithSecretKey("BobHasAnUppercaseName", "display", "admin") 596 c.Assert(err, jc.ErrorIsNil) 597 c.Assert(u.SecretKey(), gc.HasLen, 32) 598 oldKey := u.SecretKey() 599 600 key, err := u.ResetPassword() 601 c.Assert(err, jc.ErrorIsNil) 602 c.Assert(key, gc.Not(gc.DeepEquals), oldKey) 603 c.Assert(key, gc.NotNil) 604 c.Assert(u.SecretKey(), gc.DeepEquals, key) 605 } 606 607 func (s *UserSuite) TestResetPasswordFailIfDeactivated(c *gc.C) { 608 u, err := s.State.AddUser("bob", "display", "pass", "admin") 609 c.Assert(err, jc.ErrorIsNil) 610 611 err = u.Disable() 612 c.Assert(err, jc.ErrorIsNil) 613 614 _, err = u.ResetPassword() 615 c.Assert(err, gc.ErrorMatches, `cannot reset password for user "bob": user deactivated`) 616 c.Assert(u.SecretKey(), gc.IsNil) 617 } 618 619 func (s *UserSuite) TestResetPasswordFailIfDeleted(c *gc.C) { 620 u, err := s.State.AddUser("bob", "display", "pass", "admin") 621 c.Assert(err, jc.ErrorIsNil) 622 623 err = s.State.RemoveUser(u.Tag().(names.UserTag)) 624 c.Assert(err, jc.ErrorIsNil) 625 626 _, err = u.ResetPassword() 627 c.Assert(err, gc.ErrorMatches, `cannot reset password for user "bob": user "bob" is permanently deleted`) 628 c.Assert(u.SecretKey(), gc.IsNil) 629 } 630 631 func (s *UserSuite) TestResetPasswordIfPasswordSet(c *gc.C) { 632 u, err := s.State.AddUser("bob", "display", "pass", "admin") 633 c.Assert(err, jc.ErrorIsNil) 634 635 err = u.SetPassword("anything") 636 c.Assert(err, jc.ErrorIsNil) 637 c.Assert(u.PasswordValid("anything"), jc.IsTrue) 638 c.Assert(u.SecretKey(), gc.IsNil) 639 640 key, err := u.ResetPassword() 641 c.Assert(err, jc.ErrorIsNil) 642 c.Assert(u.SecretKey(), gc.DeepEquals, key) 643 c.Assert(u.PasswordValid("anything"), jc.IsFalse) 644 }