github.com/mattermost/mattermost-server/v5@v5.39.3/api4/role_test.go (about) 1 // Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved. 2 // See LICENSE.txt for license information. 3 4 package api4 5 6 import ( 7 "context" 8 "strings" 9 "testing" 10 11 "github.com/stretchr/testify/assert" 12 "github.com/stretchr/testify/require" 13 14 "github.com/mattermost/mattermost-server/v5/model" 15 ) 16 17 func TestGetRole(t *testing.T) { 18 th := Setup(t) 19 defer th.TearDown() 20 21 role := &model.Role{ 22 Name: model.NewId(), 23 DisplayName: model.NewId(), 24 Description: model.NewId(), 25 Permissions: []string{"manage_system", "create_public_channel"}, 26 SchemeManaged: true, 27 } 28 29 role, err := th.App.Srv().Store.Role().Save(role) 30 require.NoError(t, err) 31 defer th.App.Srv().Store.Job().Delete(role.Id) 32 33 th.TestForAllClients(t, func(t *testing.T, client *model.Client4) { 34 received, resp := client.GetRole(role.Id) 35 CheckNoError(t, resp) 36 37 assert.Equal(t, received.Id, role.Id) 38 assert.Equal(t, received.Name, role.Name) 39 assert.Equal(t, received.DisplayName, role.DisplayName) 40 assert.Equal(t, received.Description, role.Description) 41 assert.EqualValues(t, received.Permissions, role.Permissions) 42 assert.Equal(t, received.SchemeManaged, role.SchemeManaged) 43 }) 44 45 th.TestForSystemAdminAndLocal(t, func(t *testing.T, client *model.Client4) { 46 _, resp := client.GetRole("1234") 47 CheckBadRequestStatus(t, resp) 48 49 _, resp = client.GetRole(model.NewId()) 50 CheckNotFoundStatus(t, resp) 51 }) 52 } 53 54 func TestGetRoleByName(t *testing.T) { 55 th := Setup(t) 56 defer th.TearDown() 57 58 role := &model.Role{ 59 Name: model.NewId(), 60 DisplayName: model.NewId(), 61 Description: model.NewId(), 62 Permissions: []string{"manage_system", "create_public_channel"}, 63 SchemeManaged: true, 64 } 65 66 role, err := th.App.Srv().Store.Role().Save(role) 67 assert.NoError(t, err) 68 defer th.App.Srv().Store.Job().Delete(role.Id) 69 70 th.TestForAllClients(t, func(t *testing.T, client *model.Client4) { 71 received, resp := client.GetRoleByName(role.Name) 72 CheckNoError(t, resp) 73 74 assert.Equal(t, received.Id, role.Id) 75 assert.Equal(t, received.Name, role.Name) 76 assert.Equal(t, received.DisplayName, role.DisplayName) 77 assert.Equal(t, received.Description, role.Description) 78 assert.EqualValues(t, received.Permissions, role.Permissions) 79 assert.Equal(t, received.SchemeManaged, role.SchemeManaged) 80 }) 81 82 th.TestForSystemAdminAndLocal(t, func(t *testing.T, client *model.Client4) { 83 _, resp := client.GetRoleByName(strings.Repeat("abcdefghij", 10)) 84 CheckBadRequestStatus(t, resp) 85 86 _, resp = client.GetRoleByName(model.NewId()) 87 CheckNotFoundStatus(t, resp) 88 }) 89 } 90 91 func TestGetRolesByNames(t *testing.T) { 92 th := Setup(t) 93 defer th.TearDown() 94 95 role1 := &model.Role{ 96 Name: model.NewId(), 97 DisplayName: model.NewId(), 98 Description: model.NewId(), 99 Permissions: []string{"manage_system", "create_public_channel"}, 100 SchemeManaged: true, 101 } 102 role2 := &model.Role{ 103 Name: model.NewId(), 104 DisplayName: model.NewId(), 105 Description: model.NewId(), 106 Permissions: []string{"manage_system", "delete_private_channel"}, 107 SchemeManaged: true, 108 } 109 role3 := &model.Role{ 110 Name: model.NewId(), 111 DisplayName: model.NewId(), 112 Description: model.NewId(), 113 Permissions: []string{"manage_system", "manage_public_channel_properties"}, 114 SchemeManaged: true, 115 } 116 117 role1, err := th.App.Srv().Store.Role().Save(role1) 118 assert.NoError(t, err) 119 defer th.App.Srv().Store.Job().Delete(role1.Id) 120 121 role2, err = th.App.Srv().Store.Role().Save(role2) 122 assert.NoError(t, err) 123 defer th.App.Srv().Store.Job().Delete(role2.Id) 124 125 role3, err = th.App.Srv().Store.Role().Save(role3) 126 assert.NoError(t, err) 127 defer th.App.Srv().Store.Job().Delete(role3.Id) 128 129 th.TestForAllClients(t, func(t *testing.T, client *model.Client4) { 130 // Check all three roles can be found. 131 received, resp := client.GetRolesByNames([]string{role1.Name, role2.Name, role3.Name}) 132 CheckNoError(t, resp) 133 134 assert.Contains(t, received, role1) 135 assert.Contains(t, received, role2) 136 assert.Contains(t, received, role3) 137 138 // Check a list of non-existent roles. 139 _, resp = client.GetRolesByNames([]string{model.NewId(), model.NewId()}) 140 CheckNoError(t, resp) 141 }) 142 143 th.TestForSystemAdminAndLocal(t, func(t *testing.T, client *model.Client4) { 144 // Empty list should error. 145 _, resp := client.GetRolesByNames([]string{}) 146 CheckBadRequestStatus(t, resp) 147 }) 148 149 th.TestForAllClients(t, func(t *testing.T, client *model.Client4) { 150 // Invalid role name should error. 151 _, resp := client.GetRolesByNames([]string{model.NewId(), model.NewId(), "!!!!!!"}) 152 CheckBadRequestStatus(t, resp) 153 154 // Empty/whitespace rolenames should be ignored. 155 _, resp = client.GetRolesByNames([]string{model.NewId(), model.NewId(), "", " "}) 156 CheckNoError(t, resp) 157 }) 158 159 } 160 161 func TestPatchRole(t *testing.T) { 162 th := Setup(t) 163 defer th.TearDown() 164 165 role := &model.Role{ 166 Name: model.NewId(), 167 DisplayName: model.NewId(), 168 Description: model.NewId(), 169 Permissions: []string{"manage_system", "create_public_channel", "manage_slash_commands"}, 170 SchemeManaged: true, 171 } 172 173 role, err := th.App.Srv().Store.Role().Save(role) 174 assert.NoError(t, err) 175 defer th.App.Srv().Store.Job().Delete(role.Id) 176 177 patch := &model.RolePatch{ 178 Permissions: &[]string{"manage_system", "create_public_channel", "manage_incoming_webhooks", "manage_outgoing_webhooks"}, 179 } 180 181 th.TestForSystemAdminAndLocal(t, func(t *testing.T, client *model.Client4) { 182 183 // Cannot edit a system admin 184 adminRole, err := th.App.Srv().Store.Role().GetByName(context.Background(), "system_admin") 185 assert.NoError(t, err) 186 defer th.App.Srv().Store.Job().Delete(adminRole.Id) 187 188 _, resp := client.PatchRole(adminRole.Id, patch) 189 CheckNotImplementedStatus(t, resp) 190 191 // Cannot give other roles read / write to system roles or manage roles because only system admin can do these actions 192 systemManager, err := th.App.Srv().Store.Role().GetByName(context.Background(), "system_manager") 193 assert.NoError(t, err) 194 defer th.App.Srv().Store.Job().Delete(systemManager.Id) 195 196 patchWriteSystemRoles := &model.RolePatch{ 197 Permissions: &[]string{model.PERMISSION_SYSCONSOLE_WRITE_USERMANAGEMENT_SYSTEM_ROLES.Id}, 198 } 199 200 _, resp = client.PatchRole(systemManager.Id, patchWriteSystemRoles) 201 CheckNotImplementedStatus(t, resp) 202 203 patchReadSystemRoles := &model.RolePatch{ 204 Permissions: &[]string{model.PERMISSION_SYSCONSOLE_READ_USERMANAGEMENT_SYSTEM_ROLES.Id}, 205 } 206 207 _, resp = client.PatchRole(systemManager.Id, patchReadSystemRoles) 208 CheckNotImplementedStatus(t, resp) 209 210 patchManageRoles := &model.RolePatch{ 211 Permissions: &[]string{model.PERMISSION_MANAGE_ROLES.Id}, 212 } 213 214 _, resp = client.PatchRole(systemManager.Id, patchManageRoles) 215 CheckNotImplementedStatus(t, resp) 216 }) 217 218 th.TestForSystemAdminAndLocal(t, func(t *testing.T, client *model.Client4) { 219 received, resp := client.PatchRole(role.Id, patch) 220 CheckNoError(t, resp) 221 222 assert.Equal(t, received.Id, role.Id) 223 assert.Equal(t, received.Name, role.Name) 224 assert.Equal(t, received.DisplayName, role.DisplayName) 225 assert.Equal(t, received.Description, role.Description) 226 assert.EqualValues(t, received.Permissions, []string{"manage_system", "create_public_channel", "manage_incoming_webhooks", "manage_outgoing_webhooks"}) 227 assert.Equal(t, received.SchemeManaged, role.SchemeManaged) 228 229 // Check a no-op patch succeeds. 230 _, resp = client.PatchRole(role.Id, patch) 231 CheckNoError(t, resp) 232 233 _, resp = client.PatchRole("junk", patch) 234 CheckBadRequestStatus(t, resp) 235 }) 236 237 _, resp := th.Client.PatchRole(model.NewId(), patch) 238 CheckNotFoundStatus(t, resp) 239 240 _, resp = th.Client.PatchRole(role.Id, patch) 241 CheckForbiddenStatus(t, resp) 242 243 // Check a change that the license would not allow. 244 patch = &model.RolePatch{ 245 Permissions: &[]string{"manage_system", "manage_incoming_webhooks", "manage_outgoing_webhooks"}, 246 } 247 248 th.TestForSystemAdminAndLocal(t, func(t *testing.T, client *model.Client4) { 249 _, resp := client.PatchRole(role.Id, patch) 250 CheckNotImplementedStatus(t, resp) 251 }) 252 253 // Add a license. 254 license := model.NewTestLicense() 255 license.Features.GuestAccountsPermissions = model.NewBool(false) 256 th.App.Srv().SetLicense(license) 257 258 // Try again, should succeed 259 th.TestForSystemAdminAndLocal(t, func(t *testing.T, client *model.Client4) { 260 received, resp := client.PatchRole(role.Id, patch) 261 CheckNoError(t, resp) 262 263 assert.Equal(t, received.Id, role.Id) 264 assert.Equal(t, received.Name, role.Name) 265 assert.Equal(t, received.DisplayName, role.DisplayName) 266 assert.Equal(t, received.Description, role.Description) 267 assert.EqualValues(t, received.Permissions, []string{"manage_system", "manage_incoming_webhooks", "manage_outgoing_webhooks"}) 268 assert.Equal(t, received.SchemeManaged, role.SchemeManaged) 269 270 t.Run("Check guest permissions editing without E20 license", func(t *testing.T) { 271 license := model.NewTestLicense() 272 license.Features.GuestAccountsPermissions = model.NewBool(false) 273 th.App.Srv().SetLicense(license) 274 275 guestRole, err := th.App.Srv().Store.Role().GetByName(context.Background(), "system_guest") 276 require.NoError(t, err) 277 received, resp = client.PatchRole(guestRole.Id, patch) 278 CheckNotImplementedStatus(t, resp) 279 }) 280 281 t.Run("Check guest permissions editing with E20 license", func(t *testing.T) { 282 license := model.NewTestLicense() 283 license.Features.GuestAccountsPermissions = model.NewBool(true) 284 th.App.Srv().SetLicense(license) 285 guestRole, err := th.App.Srv().Store.Role().GetByName(context.Background(), "system_guest") 286 require.NoError(t, err) 287 _, resp = client.PatchRole(guestRole.Id, patch) 288 CheckNoError(t, resp) 289 }) 290 }) 291 }