github.com/niedbalski/juju@v0.0.0-20190215020005-8ff100488e47/apiserver/facades/client/usermanager/usermanager_test.go (about) 1 // Copyright 2014 Canonical Ltd. 2 // Licensed under the AGPLv3, see LICENCE file for details. 3 4 package usermanager_test 5 6 import ( 7 "fmt" 8 "time" 9 10 "github.com/juju/errors" 11 jc "github.com/juju/testing/checkers" 12 gc "gopkg.in/check.v1" 13 "gopkg.in/juju/names.v2" 14 15 "github.com/juju/juju/apiserver/common" 16 commontesting "github.com/juju/juju/apiserver/common/testing" 17 "github.com/juju/juju/apiserver/facades/client/controller" 18 "github.com/juju/juju/apiserver/facades/client/usermanager" 19 "github.com/juju/juju/apiserver/params" 20 apiservertesting "github.com/juju/juju/apiserver/testing" 21 jujutesting "github.com/juju/juju/juju/testing" 22 "github.com/juju/juju/permission" 23 "github.com/juju/juju/state" 24 "github.com/juju/juju/testing/factory" 25 ) 26 27 type userManagerSuite struct { 28 jujutesting.JujuConnSuite 29 30 usermanager *usermanager.UserManagerAPI 31 authorizer apiservertesting.FakeAuthorizer 32 adminName string 33 resources *common.Resources 34 35 commontesting.BlockHelper 36 } 37 38 var _ = gc.Suite(&userManagerSuite{}) 39 40 func (s *userManagerSuite) SetUpTest(c *gc.C) { 41 s.JujuConnSuite.SetUpTest(c) 42 43 s.resources = common.NewResources() 44 adminTag := s.AdminUserTag(c) 45 s.adminName = adminTag.Name() 46 s.authorizer = apiservertesting.FakeAuthorizer{ 47 Tag: adminTag, 48 } 49 var err error 50 s.usermanager, err = usermanager.NewUserManagerAPI(s.State, s.resources, s.authorizer) 51 c.Assert(err, jc.ErrorIsNil) 52 53 s.BlockHelper = commontesting.NewBlockHelper(s.APIState) 54 s.AddCleanup(func(*gc.C) { s.BlockHelper.Close() }) 55 } 56 57 func (s *userManagerSuite) TestNewUserManagerAPIRefusesNonClient(c *gc.C) { 58 anAuthoriser := s.authorizer 59 anAuthoriser.Tag = names.NewMachineTag("1") 60 endPoint, err := usermanager.NewUserManagerAPI(s.State, s.resources, anAuthoriser) 61 c.Assert(endPoint, gc.IsNil) 62 c.Assert(err, gc.ErrorMatches, "permission denied") 63 } 64 65 func (s *userManagerSuite) assertAddUser(c *gc.C, access params.UserAccessPermission, sharedModelTags []string) { 66 sharedModelState := s.Factory.MakeModel(c, nil) 67 defer sharedModelState.Close() 68 69 args := params.AddUsers{ 70 Users: []params.AddUser{{ 71 Username: "foobar", 72 DisplayName: "Foo Bar", 73 Password: "password", 74 }}} 75 76 result, err := s.usermanager.AddUser(args) 77 // Check that the call is successful 78 c.Assert(err, jc.ErrorIsNil) 79 c.Assert(result.Results, gc.HasLen, 1) 80 foobarTag := names.NewLocalUserTag("foobar") 81 c.Assert(result.Results[0], gc.DeepEquals, params.AddUserResult{ 82 Tag: foobarTag.String()}) 83 // Check that the call results in a new user being created 84 user, err := s.State.User(foobarTag) 85 c.Assert(err, jc.ErrorIsNil) 86 c.Assert(user, gc.NotNil) 87 c.Assert(user.Name(), gc.Equals, "foobar") 88 c.Assert(user.DisplayName(), gc.Equals, "Foo Bar") 89 } 90 91 func (s *userManagerSuite) TestAddUser(c *gc.C) { 92 s.assertAddUser(c, params.UserAccessPermission(""), nil) 93 } 94 95 func (s *userManagerSuite) TestAddUserWithSecretKey(c *gc.C) { 96 args := params.AddUsers{ 97 Users: []params.AddUser{{ 98 Username: "foobar", 99 DisplayName: "Foo Bar", 100 Password: "", // assign secret key 101 }}} 102 103 result, err := s.usermanager.AddUser(args) 104 // Check that the call is successful 105 c.Assert(err, jc.ErrorIsNil) 106 c.Assert(result.Results, gc.HasLen, 1) 107 foobarTag := names.NewLocalUserTag("foobar") 108 109 // Check that the call results in a new user being created 110 user, err := s.State.User(foobarTag) 111 c.Assert(err, jc.ErrorIsNil) 112 c.Assert(user, gc.NotNil) 113 c.Assert(user.Name(), gc.Equals, "foobar") 114 c.Assert(user.DisplayName(), gc.Equals, "Foo Bar") 115 c.Assert(user.SecretKey(), gc.NotNil) 116 c.Assert(user.PasswordValid(""), jc.IsFalse) 117 118 // Check that the secret key returned by the API matches what 119 // is in state. 120 c.Assert(result.Results[0], gc.DeepEquals, params.AddUserResult{ 121 Tag: foobarTag.String(), 122 SecretKey: user.SecretKey(), 123 }) 124 } 125 126 func (s *userManagerSuite) TestBlockAddUser(c *gc.C) { 127 args := params.AddUsers{ 128 Users: []params.AddUser{{ 129 Username: "foobar", 130 DisplayName: "Foo Bar", 131 Password: "password", 132 }}} 133 134 s.BlockAllChanges(c, "TestBlockAddUser") 135 result, err := s.usermanager.AddUser(args) 136 // Check that the call is blocked. 137 s.AssertBlocked(c, err, "TestBlockAddUser") 138 // Check that there's no results. 139 c.Assert(result.Results, gc.HasLen, 0) 140 //check that user is not created. 141 foobarTag := names.NewLocalUserTag("foobar") 142 // Check that the call results in a new user being created. 143 _, err = s.State.User(foobarTag) 144 c.Assert(err, gc.ErrorMatches, `user "foobar" not found`) 145 } 146 147 func (s *userManagerSuite) TestAddUserAsNormalUser(c *gc.C) { 148 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex", NoModelUser: true}) 149 usermanager, err := usermanager.NewUserManagerAPI( 150 s.State, s.resources, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 151 c.Assert(err, jc.ErrorIsNil) 152 153 args := params.AddUsers{ 154 Users: []params.AddUser{{ 155 Username: "foobar", 156 DisplayName: "Foo Bar", 157 Password: "password", 158 }}} 159 160 _, err = usermanager.AddUser(args) 161 c.Assert(err, gc.ErrorMatches, "permission denied") 162 163 _, err = s.State.User(names.NewLocalUserTag("foobar")) 164 c.Assert(err, jc.Satisfies, errors.IsNotFound) 165 } 166 167 func (s *userManagerSuite) TestDisableUser(c *gc.C) { 168 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 169 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 170 171 args := params.Entities{ 172 Entities: []params.Entity{ 173 {alex.Tag().String()}, 174 {barb.Tag().String()}, 175 {names.NewLocalUserTag("ellie").String()}, 176 {names.NewUserTag("fred@remote").String()}, 177 {"not-a-tag"}, 178 }} 179 result, err := s.usermanager.DisableUser(args) 180 c.Assert(err, jc.ErrorIsNil) 181 c.Assert(result, gc.DeepEquals, params.ErrorResults{ 182 Results: []params.ErrorResult{ 183 {Error: nil}, 184 {Error: nil}, 185 {Error: ¶ms.Error{ 186 Message: "permission denied", 187 Code: params.CodeUnauthorized, 188 }}, 189 {Error: ¶ms.Error{ 190 Message: "permission denied", 191 Code: params.CodeUnauthorized, 192 }}, 193 {Error: ¶ms.Error{ 194 Message: `"not-a-tag" is not a valid tag`, 195 }}, 196 }}) 197 err = alex.Refresh() 198 c.Assert(err, jc.ErrorIsNil) 199 c.Assert(alex.IsDisabled(), jc.IsTrue) 200 201 err = barb.Refresh() 202 c.Assert(err, jc.ErrorIsNil) 203 c.Assert(barb.IsDisabled(), jc.IsTrue) 204 } 205 206 func (s *userManagerSuite) TestBlockDisableUser(c *gc.C) { 207 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 208 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 209 210 args := params.Entities{ 211 Entities: []params.Entity{ 212 {alex.Tag().String()}, 213 {barb.Tag().String()}, 214 {names.NewLocalUserTag("ellie").String()}, 215 {names.NewUserTag("fred@remote").String()}, 216 {"not-a-tag"}, 217 }} 218 219 s.BlockAllChanges(c, "TestBlockDisableUser") 220 _, err := s.usermanager.DisableUser(args) 221 // Check that the call is blocked 222 s.AssertBlocked(c, err, "TestBlockDisableUser") 223 224 err = alex.Refresh() 225 c.Assert(err, jc.ErrorIsNil) 226 c.Assert(alex.IsDisabled(), jc.IsFalse) 227 228 err = barb.Refresh() 229 c.Assert(err, jc.ErrorIsNil) 230 c.Assert(barb.IsDisabled(), jc.IsTrue) 231 } 232 233 func (s *userManagerSuite) TestEnableUser(c *gc.C) { 234 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 235 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 236 237 args := params.Entities{ 238 Entities: []params.Entity{ 239 {alex.Tag().String()}, 240 {barb.Tag().String()}, 241 {names.NewLocalUserTag("ellie").String()}, 242 {names.NewUserTag("fred@remote").String()}, 243 {"not-a-tag"}, 244 }} 245 result, err := s.usermanager.EnableUser(args) 246 c.Assert(err, jc.ErrorIsNil) 247 c.Assert(result, gc.DeepEquals, params.ErrorResults{ 248 Results: []params.ErrorResult{ 249 {Error: nil}, 250 {Error: nil}, 251 {Error: ¶ms.Error{ 252 Message: "permission denied", 253 Code: params.CodeUnauthorized, 254 }}, 255 {Error: ¶ms.Error{ 256 Message: "permission denied", 257 Code: params.CodeUnauthorized, 258 }}, 259 {Error: ¶ms.Error{ 260 Message: `"not-a-tag" is not a valid tag`, 261 }}, 262 }}) 263 err = alex.Refresh() 264 c.Assert(err, jc.ErrorIsNil) 265 c.Assert(alex.IsDisabled(), jc.IsFalse) 266 267 err = barb.Refresh() 268 c.Assert(err, jc.ErrorIsNil) 269 c.Assert(barb.IsDisabled(), jc.IsFalse) 270 } 271 272 func (s *userManagerSuite) TestBlockEnableUser(c *gc.C) { 273 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex"}) 274 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 275 276 args := params.Entities{ 277 Entities: []params.Entity{ 278 {alex.Tag().String()}, 279 {barb.Tag().String()}, 280 {names.NewLocalUserTag("ellie").String()}, 281 {names.NewUserTag("fred@remote").String()}, 282 {"not-a-tag"}, 283 }} 284 285 s.BlockAllChanges(c, "TestBlockEnableUser") 286 _, err := s.usermanager.EnableUser(args) 287 // Check that the call is blocked 288 s.AssertBlocked(c, err, "TestBlockEnableUser") 289 290 err = alex.Refresh() 291 c.Assert(err, jc.ErrorIsNil) 292 c.Assert(alex.IsDisabled(), jc.IsFalse) 293 294 err = barb.Refresh() 295 c.Assert(err, jc.ErrorIsNil) 296 c.Assert(barb.IsDisabled(), jc.IsTrue) 297 } 298 299 func (s *userManagerSuite) TestDisableUserAsNormalUser(c *gc.C) { 300 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex", NoModelUser: true}) 301 usermanager, err := usermanager.NewUserManagerAPI( 302 s.State, s.resources, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 303 c.Assert(err, jc.ErrorIsNil) 304 305 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb"}) 306 307 args := params.Entities{ 308 []params.Entity{{barb.Tag().String()}}, 309 } 310 _, err = usermanager.DisableUser(args) 311 c.Assert(err, gc.ErrorMatches, "permission denied") 312 313 err = barb.Refresh() 314 c.Assert(err, jc.ErrorIsNil) 315 c.Assert(barb.IsDisabled(), jc.IsFalse) 316 } 317 318 func (s *userManagerSuite) TestEnableUserAsNormalUser(c *gc.C) { 319 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex", NoModelUser: true}) 320 usermanager, err := usermanager.NewUserManagerAPI( 321 s.State, s.resources, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 322 c.Assert(err, jc.ErrorIsNil) 323 324 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", Disabled: true}) 325 326 args := params.Entities{ 327 []params.Entity{{barb.Tag().String()}}, 328 } 329 _, err = usermanager.EnableUser(args) 330 c.Assert(err, gc.ErrorMatches, "permission denied") 331 332 err = barb.Refresh() 333 c.Assert(err, jc.ErrorIsNil) 334 c.Assert(barb.IsDisabled(), jc.IsTrue) 335 } 336 337 func (s *userManagerSuite) TestUserInfo(c *gc.C) { 338 userFoo := s.Factory.MakeUser(c, &factory.UserParams{Name: "foobar", DisplayName: "Foo Bar"}) 339 userBar := s.Factory.MakeUser(c, &factory.UserParams{Name: "barfoo", DisplayName: "Bar Foo", Disabled: true}) 340 err := controller.ChangeControllerAccess( 341 s.State, s.AdminUserTag(c), names.NewUserTag("fred@external"), 342 params.GrantControllerAccess, permission.SuperuserAccess) 343 c.Assert(err, jc.ErrorIsNil) 344 err = controller.ChangeControllerAccess( 345 s.State, s.AdminUserTag(c), names.NewUserTag("everyone@external"), 346 params.GrantControllerAccess, permission.SuperuserAccess) 347 c.Assert(err, jc.ErrorIsNil) 348 349 args := params.UserInfoRequest{ 350 Entities: []params.Entity{ 351 { 352 Tag: userFoo.Tag().String(), 353 }, { 354 Tag: userBar.Tag().String(), 355 }, { 356 Tag: names.NewLocalUserTag("ellie").String(), 357 }, { 358 Tag: names.NewUserTag("fred@external").String(), 359 }, { 360 Tag: names.NewUserTag("mary@external").String(), 361 }, { 362 Tag: "not-a-tag", 363 }, 364 }} 365 366 results, err := s.usermanager.UserInfo(args) 367 c.Assert(err, jc.ErrorIsNil) 368 var expected params.UserInfoResults 369 for _, r := range []struct { 370 user *state.User 371 info *params.UserInfo 372 err *params.Error 373 }{ 374 { 375 user: userFoo, 376 info: ¶ms.UserInfo{ 377 Username: "foobar", 378 DisplayName: "Foo Bar", 379 Access: "login", 380 }, 381 }, { 382 user: userBar, 383 info: ¶ms.UserInfo{ 384 Username: "barfoo", 385 DisplayName: "Bar Foo", 386 Access: "", 387 Disabled: true, 388 }, 389 }, { 390 err: ¶ms.Error{ 391 Message: "permission denied", 392 Code: params.CodeUnauthorized, 393 }, 394 }, { 395 info: ¶ms.UserInfo{ 396 Username: "fred@external", 397 Access: "superuser", 398 }, 399 }, { 400 info: ¶ms.UserInfo{ 401 Username: "mary@external", 402 Access: "superuser", 403 }, 404 }, { 405 err: ¶ms.Error{ 406 Message: `"not-a-tag" is not a valid tag`, 407 }, 408 }, 409 } { 410 if r.info != nil { 411 if names.NewUserTag(r.info.Username).IsLocal() { 412 r.info.DateCreated = r.user.DateCreated() 413 r.info.LastConnection = lastLoginPointer(c, r.user) 414 r.info.CreatedBy = s.adminName 415 } 416 } 417 expected.Results = append(expected.Results, params.UserInfoResult{Result: r.info, Error: r.err}) 418 } 419 420 c.Assert(results, jc.DeepEquals, expected) 421 } 422 423 func (s *userManagerSuite) TestUserInfoAll(c *gc.C) { 424 admin, err := s.State.User(s.AdminUserTag(c)) 425 c.Assert(err, jc.ErrorIsNil) 426 userFoo := s.Factory.MakeUser(c, &factory.UserParams{Name: "foobar", DisplayName: "Foo Bar"}) 427 userAardvark := s.Factory.MakeUser(c, &factory.UserParams{Name: "aardvark", DisplayName: "Aard Vark", Disabled: true}) 428 429 args := params.UserInfoRequest{IncludeDisabled: true} 430 results, err := s.usermanager.UserInfo(args) 431 c.Assert(err, jc.ErrorIsNil) 432 var expected params.UserInfoResults 433 for _, r := range []struct { 434 user *state.User 435 info *params.UserInfo 436 }{{ 437 user: userAardvark, 438 info: ¶ms.UserInfo{ 439 Username: "aardvark", 440 DisplayName: "Aard Vark", 441 Access: "", 442 Disabled: true, 443 }, 444 }, { 445 user: admin, 446 info: ¶ms.UserInfo{ 447 Username: s.adminName, 448 DisplayName: admin.DisplayName(), 449 Access: "superuser", 450 }, 451 }, { 452 user: userFoo, 453 info: ¶ms.UserInfo{ 454 Username: "foobar", 455 DisplayName: "Foo Bar", 456 Access: "login", 457 }, 458 }} { 459 r.info.CreatedBy = s.adminName 460 r.info.DateCreated = r.user.DateCreated() 461 r.info.LastConnection = lastLoginPointer(c, r.user) 462 expected.Results = append(expected.Results, params.UserInfoResult{Result: r.info}) 463 } 464 c.Assert(results, jc.DeepEquals, expected) 465 466 results, err = s.usermanager.UserInfo(params.UserInfoRequest{}) 467 c.Assert(err, jc.ErrorIsNil) 468 // Same results as before, but without the deactivated user 469 expected.Results = expected.Results[1:] 470 c.Assert(results, jc.DeepEquals, expected) 471 } 472 473 func (s *userManagerSuite) TestUserInfoNonControllerAdmin(c *gc.C) { 474 s.Factory.MakeUser(c, &factory.UserParams{Name: "foobar", DisplayName: "Foo Bar"}) 475 userAardvark := s.Factory.MakeUser(c, &factory.UserParams{Name: "aardvark", DisplayName: "Aard Vark"}) 476 477 authorizer := apiservertesting.FakeAuthorizer{ 478 Tag: userAardvark.Tag(), 479 } 480 usermanager, err := usermanager.NewUserManagerAPI(s.State, s.resources, authorizer) 481 c.Assert(err, jc.ErrorIsNil) 482 483 args := params.UserInfoRequest{Entities: []params.Entity{ 484 {Tag: userAardvark.Tag().String()}, 485 {Tag: names.NewUserTag("foobar").String()}, 486 }} 487 results, err := usermanager.UserInfo(args) 488 c.Assert(err, jc.ErrorIsNil) 489 // Non admin users can only see themselves. 490 c.Assert(results, jc.DeepEquals, params.UserInfoResults{ 491 Results: []params.UserInfoResult{ 492 { 493 Result: ¶ms.UserInfo{ 494 Username: "aardvark", 495 DisplayName: "Aard Vark", 496 Access: "login", 497 CreatedBy: s.adminName, 498 DateCreated: userAardvark.DateCreated(), 499 LastConnection: lastLoginPointer(c, userAardvark), 500 }, 501 }, { 502 Error: ¶ms.Error{ 503 Message: "permission denied", 504 Code: params.CodeUnauthorized, 505 }, 506 }, 507 }, 508 }) 509 } 510 511 func (s *userManagerSuite) TestUserInfoEveryonePermission(c *gc.C) { 512 _, err := s.State.AddControllerUser(state.UserAccessSpec{ 513 User: names.NewUserTag("everyone@external"), 514 Access: permission.SuperuserAccess, 515 CreatedBy: s.AdminUserTag(c), 516 }) 517 c.Assert(err, jc.ErrorIsNil) 518 _, err = s.State.AddControllerUser(state.UserAccessSpec{ 519 User: names.NewUserTag("aardvark@external"), 520 Access: permission.LoginAccess, 521 CreatedBy: s.AdminUserTag(c), 522 }) 523 c.Assert(err, jc.ErrorIsNil) 524 525 args := params.UserInfoRequest{Entities: []params.Entity{{Tag: names.NewUserTag("aardvark@external").String()}}} 526 results, err := s.usermanager.UserInfo(args) 527 c.Assert(err, jc.ErrorIsNil) 528 // Non admin users can only see themselves. 529 c.Assert(results, jc.DeepEquals, params.UserInfoResults{ 530 Results: []params.UserInfoResult{{Result: ¶ms.UserInfo{ 531 Username: "aardvark@external", 532 Access: "superuser", 533 }}}, 534 }) 535 } 536 537 func lastLoginPointer(c *gc.C, user *state.User) *time.Time { 538 lastLogin, err := user.LastLogin() 539 if err != nil { 540 if state.IsNeverLoggedInError(err) { 541 return nil 542 } 543 c.Fatal(err) 544 } 545 return &lastLogin 546 } 547 548 func (s *userManagerSuite) TestSetPassword(c *gc.C) { 549 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex", NoModelUser: true}) 550 551 args := params.EntityPasswords{ 552 Changes: []params.EntityPassword{{ 553 Tag: alex.Tag().String(), 554 Password: "new-password", 555 }}} 556 results, err := s.usermanager.SetPassword(args) 557 c.Assert(err, jc.ErrorIsNil) 558 c.Assert(results.Results, gc.HasLen, 1) 559 c.Assert(results.Results[0], gc.DeepEquals, params.ErrorResult{Error: nil}) 560 561 err = alex.Refresh() 562 c.Assert(err, jc.ErrorIsNil) 563 564 c.Assert(alex.PasswordValid("new-password"), jc.IsTrue) 565 } 566 567 func (s *userManagerSuite) TestBlockSetPassword(c *gc.C) { 568 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex", NoModelUser: true}) 569 570 args := params.EntityPasswords{ 571 Changes: []params.EntityPassword{{ 572 Tag: alex.Tag().String(), 573 Password: "new-password", 574 }}} 575 576 s.BlockAllChanges(c, "TestBlockSetPassword") 577 _, err := s.usermanager.SetPassword(args) 578 // Check that the call is blocked 579 s.AssertBlocked(c, err, "TestBlockSetPassword") 580 581 err = alex.Refresh() 582 c.Assert(err, jc.ErrorIsNil) 583 584 c.Assert(alex.PasswordValid("new-password"), jc.IsFalse) 585 } 586 587 func (s *userManagerSuite) TestSetPasswordForSelf(c *gc.C) { 588 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex", NoModelUser: true}) 589 usermanager, err := usermanager.NewUserManagerAPI( 590 s.State, s.resources, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 591 c.Assert(err, jc.ErrorIsNil) 592 593 args := params.EntityPasswords{ 594 Changes: []params.EntityPassword{{ 595 Tag: alex.Tag().String(), 596 Password: "new-password", 597 }}} 598 results, err := usermanager.SetPassword(args) 599 c.Assert(err, jc.ErrorIsNil) 600 c.Assert(results.Results, gc.HasLen, 1) 601 c.Assert(results.Results[0], gc.DeepEquals, params.ErrorResult{Error: nil}) 602 603 err = alex.Refresh() 604 c.Assert(err, jc.ErrorIsNil) 605 606 c.Assert(alex.PasswordValid("new-password"), jc.IsTrue) 607 } 608 609 func (s *userManagerSuite) TestSetPasswordForOther(c *gc.C) { 610 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex", NoModelUser: true}) 611 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", NoModelUser: true}) 612 usermanager, err := usermanager.NewUserManagerAPI( 613 s.State, s.resources, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 614 c.Assert(err, jc.ErrorIsNil) 615 616 args := params.EntityPasswords{ 617 Changes: []params.EntityPassword{{ 618 Tag: barb.Tag().String(), 619 Password: "new-password", 620 }}} 621 results, err := usermanager.SetPassword(args) 622 c.Assert(err, jc.ErrorIsNil) 623 c.Assert(results.Results, gc.HasLen, 1) 624 c.Assert(results.Results[0], gc.DeepEquals, params.ErrorResult{ 625 Error: ¶ms.Error{ 626 Message: "permission denied", 627 Code: params.CodeUnauthorized, 628 }}) 629 630 err = barb.Refresh() 631 c.Assert(err, jc.ErrorIsNil) 632 633 c.Assert(barb.PasswordValid("new-password"), jc.IsFalse) 634 } 635 636 func (s *userManagerSuite) TestRemoveUserBadTag(c *gc.C) { 637 tag := "not-a-tag" 638 got, err := s.usermanager.RemoveUser(params.Entities{ 639 Entities: []params.Entity{{Tag: tag}}}) 640 c.Assert(got.Results, gc.HasLen, 1) 641 c.Assert(err, gc.Equals, nil) 642 c.Check(got.Results[0].Error, jc.DeepEquals, ¶ms.Error{ 643 Message: "\"not-a-tag\" is not a valid tag", 644 }) 645 } 646 647 func (s *userManagerSuite) TestRemoveUserNonExistent(c *gc.C) { 648 tag := "user-harvey" 649 got, err := s.usermanager.RemoveUser(params.Entities{ 650 Entities: []params.Entity{{Tag: tag}}}) 651 c.Assert(got.Results, gc.HasLen, 1) 652 c.Assert(err, gc.Equals, nil) 653 c.Check(got.Results[0].Error, jc.DeepEquals, ¶ms.Error{ 654 Message: "failed to delete user \"harvey\": user \"harvey\" not found", 655 Code: "not found", 656 }) 657 } 658 659 func (s *userManagerSuite) TestRemoveUser(c *gc.C) { 660 // Create a user to delete. 661 jjam := s.Factory.MakeUser(c, &factory.UserParams{Name: "jimmyjam"}) 662 663 expectedError := fmt.Sprintf("failed to delete user %q: user %q is permanently deleted", jjam.Name(), jjam.Name()) 664 665 // Remove the user 666 got, err := s.usermanager.RemoveUser(params.Entities{ 667 Entities: []params.Entity{{Tag: jjam.Tag().String()}}}) 668 c.Assert(got.Results, gc.HasLen, 1) 669 670 c.Check(got.Results[0].Error, gc.IsNil) // Uses gc.IsNil as it's a typed nil. 671 c.Assert(err, jc.ErrorIsNil) 672 673 // Check if deleted. 674 err = jjam.Refresh() 675 c.Check(err, jc.ErrorIsNil) 676 c.Assert(jjam.IsDeleted(), jc.IsTrue) 677 678 // Try again and verify we get the expected error. 679 got, err = s.usermanager.RemoveUser(params.Entities{ 680 Entities: []params.Entity{{Tag: jjam.Tag().String()}}}) 681 c.Check(got.Results, gc.HasLen, 1) 682 c.Check(got.Results[0].Error, jc.DeepEquals, ¶ms.Error{ 683 Message: expectedError, 684 Code: "", 685 }) 686 c.Assert(err, jc.ErrorIsNil) 687 } 688 689 func (s *userManagerSuite) TestRemoveUserAsNormalUser(c *gc.C) { 690 // Create a user to delete. 691 jjam := s.Factory.MakeUser(c, &factory.UserParams{Name: "jimmyjam"}) 692 // Create a user to delete jjam. 693 chuck := s.Factory.MakeUser(c, &factory.UserParams{ 694 Name: "chuck", 695 NoModelUser: true, 696 }) 697 698 // Authenticate as chuck. 699 usermanager, err := usermanager.NewUserManagerAPI( 700 s.State, s.resources, apiservertesting.FakeAuthorizer{ 701 Tag: chuck.Tag(), 702 }) 703 c.Assert(err, jc.ErrorIsNil) 704 705 // Make sure the user exists. 706 ui, err := s.usermanager.UserInfo(params.UserInfoRequest{ 707 Entities: []params.Entity{{Tag: jjam.Tag().String()}}, 708 }) 709 c.Check(err, jc.ErrorIsNil) 710 c.Check(ui.Results, gc.HasLen, 1) 711 c.Assert(ui.Results[0].Result.Username, gc.DeepEquals, jjam.Name()) 712 713 // Remove jjam as chuck and fail. 714 _, err = usermanager.RemoveUser(params.Entities{ 715 Entities: []params.Entity{{Tag: jjam.Tag().String()}}}) 716 c.Assert(err, gc.ErrorMatches, "permission denied") 717 718 // Make sure jjam is still around. 719 err = jjam.Refresh() 720 c.Assert(err, jc.ErrorIsNil) 721 } 722 723 func (s *userManagerSuite) TestRemoveUserSelfAsNormalUser(c *gc.C) { 724 // Create a user to delete. 725 jjam := s.Factory.MakeUser(c, &factory.UserParams{ 726 Name: "jimmyjam", 727 NoModelUser: true, 728 }) 729 usermanager, err := usermanager.NewUserManagerAPI( 730 s.State, s.resources, apiservertesting.FakeAuthorizer{ 731 Tag: jjam.Tag(), 732 }) 733 c.Assert(err, jc.ErrorIsNil) 734 735 // Make sure the user exists. 736 ui, err := s.usermanager.UserInfo(params.UserInfoRequest{ 737 Entities: []params.Entity{{Tag: jjam.Tag().String()}}, 738 }) 739 c.Assert(err, jc.ErrorIsNil) 740 c.Check(ui.Results, gc.HasLen, 1) 741 c.Assert(ui.Results[0].Result.Username, gc.DeepEquals, jjam.Name()) 742 743 // Remove the user as the user 744 _, err = usermanager.RemoveUser(params.Entities{ 745 Entities: []params.Entity{{Tag: jjam.Tag().String()}}}) 746 c.Assert(err, gc.ErrorMatches, "permission denied") 747 748 // Check if deleted. 749 err = jjam.Refresh() 750 c.Assert(err, jc.ErrorIsNil) 751 } 752 753 func (s *userManagerSuite) TestRemoveUserAsSelfAdmin(c *gc.C) { 754 755 expectedError := "cannot delete controller owner \"admin\"" 756 757 // Remove admin as admin. 758 got, err := s.usermanager.RemoveUser(params.Entities{ 759 Entities: []params.Entity{{Tag: s.AdminUserTag(c).String()}}}) 760 c.Assert(got.Results, gc.HasLen, 1) 761 c.Check(got.Results[0].Error, jc.DeepEquals, ¶ms.Error{ 762 Message: expectedError, 763 }) 764 c.Assert(err, jc.ErrorIsNil) 765 766 // Try again to see if we succeeded. 767 got, err = s.usermanager.RemoveUser(params.Entities{ 768 Entities: []params.Entity{{Tag: s.AdminUserTag(c).String()}}}) 769 c.Assert(got.Results, gc.HasLen, 1) 770 c.Check(got.Results[0].Error, jc.DeepEquals, ¶ms.Error{ 771 Message: expectedError, 772 }) 773 c.Assert(err, jc.ErrorIsNil) 774 775 ui, err := s.usermanager.UserInfo(params.UserInfoRequest{}) 776 c.Check(err, jc.ErrorIsNil) 777 c.Assert(ui.Results, gc.HasLen, 1) 778 779 } 780 781 func (s *userManagerSuite) TestRemoveUserBulkSharedModels(c *gc.C) { 782 // Create users. 783 jjam := s.Factory.MakeUser(c, &factory.UserParams{ 784 Name: "jimmyjam", 785 }) 786 alice := s.Factory.MakeUser(c, &factory.UserParams{ 787 Name: "alice", 788 }) 789 bob := s.Factory.MakeUser(c, &factory.UserParams{ 790 Name: "bob", 791 }) 792 793 // Get a handle on the current model. 794 model, err := s.State.Model() 795 c.Assert(err, jc.ErrorIsNil) 796 users, err := model.Users() 797 798 // Make sure the users exist. 799 var userNames []string 800 for _, u := range users { 801 userNames = append(userNames, u.UserTag.Name()) 802 } 803 c.Assert(userNames, jc.SameContents, []string{"admin", jjam.Name(), alice.Name(), bob.Name()}) 804 805 // Remove 2 users. 806 got, err := s.usermanager.RemoveUser(params.Entities{ 807 Entities: []params.Entity{ 808 {Tag: jjam.Tag().String()}, 809 {Tag: alice.Tag().String()}, 810 }}) 811 c.Check(got.Results, gc.HasLen, 2) 812 var paramErr *params.Error 813 c.Check(got.Results[0].Error, jc.DeepEquals, paramErr) 814 c.Check(got.Results[1].Error, jc.DeepEquals, paramErr) 815 c.Assert(err, jc.ErrorIsNil) 816 817 // Make sure users were deleted. 818 err = jjam.Refresh() 819 c.Assert(jjam.IsDeleted(), jc.IsTrue) 820 err = alice.Refresh() 821 c.Assert(alice.IsDeleted(), jc.IsTrue) 822 823 } 824 825 func (s *userManagerSuite) TestResetPassword(c *gc.C) { 826 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex", NoModelUser: true}) 827 c.Assert(alex.PasswordValid("password"), jc.IsTrue) 828 829 args := params.Entities{Entities: []params.Entity{{Tag: alex.Tag().String()}}} 830 results, err := s.usermanager.ResetPassword(args) 831 c.Assert(err, jc.ErrorIsNil) 832 c.Assert(results.Results, gc.HasLen, 1) 833 834 err = alex.Refresh() 835 c.Assert(err, jc.ErrorIsNil) 836 c.Assert(results.Results[0].Tag, gc.DeepEquals, alex.Tag().String()) 837 c.Assert(results.Results[0].SecretKey, gc.DeepEquals, alex.SecretKey()) 838 c.Assert(alex.PasswordValid("password"), jc.IsFalse) 839 } 840 841 func (s *userManagerSuite) TestResetPasswordMultiple(c *gc.C) { 842 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex", NoModelUser: true}) 843 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", NoModelUser: true}) 844 c.Assert(alex.PasswordValid("password"), jc.IsTrue) 845 c.Assert(barb.PasswordValid("password"), jc.IsTrue) 846 847 args := params.Entities{Entities: []params.Entity{ 848 {Tag: alex.Tag().String()}, 849 {Tag: barb.Tag().String()}, 850 }} 851 results, err := s.usermanager.ResetPassword(args) 852 c.Assert(err, jc.ErrorIsNil) 853 err = alex.Refresh() 854 c.Assert(err, jc.ErrorIsNil) 855 err = barb.Refresh() 856 c.Assert(err, jc.ErrorIsNil) 857 c.Assert(results.Results, gc.DeepEquals, []params.AddUserResult{ 858 { 859 Tag: alex.Tag().String(), 860 SecretKey: alex.SecretKey(), 861 }, 862 { 863 Tag: barb.Tag().String(), 864 SecretKey: barb.SecretKey(), 865 }, 866 }) 867 c.Assert(alex.PasswordValid("password"), jc.IsFalse) 868 c.Assert(barb.PasswordValid("password"), jc.IsFalse) 869 } 870 871 func (s *userManagerSuite) TestBlockResetPassword(c *gc.C) { 872 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex", NoModelUser: true}) 873 args := params.Entities{Entities: []params.Entity{{Tag: alex.Tag().String()}}} 874 c.Assert(alex.PasswordValid("password"), jc.IsTrue) 875 876 s.BlockAllChanges(c, "TestBlockResetPassword") 877 _, err := s.usermanager.ResetPassword(args) 878 // Check that the call is blocked 879 s.AssertBlocked(c, err, "TestBlockResetPassword") 880 881 err = alex.Refresh() 882 c.Assert(err, jc.ErrorIsNil) 883 c.Assert(alex.PasswordValid("password"), jc.IsTrue) 884 } 885 886 func (s *userManagerSuite) TestResetPasswordControllerAdminForSelf(c *gc.C) { 887 alex, err := s.State.User(s.AdminUserTag(c)) 888 c.Assert(err, jc.ErrorIsNil) 889 args := params.Entities{Entities: []params.Entity{{Tag: alex.Tag().String()}}} 890 c.Assert(alex.PasswordValid("dummy-secret"), jc.IsTrue) 891 892 results, err := s.usermanager.ResetPassword(args) 893 c.Assert(err, jc.ErrorIsNil) 894 c.Assert(results.Results, gc.HasLen, 1) 895 896 err = alex.Refresh() 897 c.Assert(err, jc.ErrorIsNil) 898 c.Assert(results.Results, gc.DeepEquals, []params.AddUserResult{ 899 { 900 Tag: alex.Tag().String(), 901 Error: common.ServerError(common.ErrPerm), 902 }, 903 }) 904 c.Assert(alex.PasswordValid("dummy-secret"), jc.IsTrue) 905 } 906 907 func (s *userManagerSuite) TestResetPasswordNotControllerAdmin(c *gc.C) { 908 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex", NoModelUser: true}) 909 c.Assert(alex.PasswordValid("password"), jc.IsTrue) 910 barb := s.Factory.MakeUser(c, &factory.UserParams{Name: "barb", NoModelUser: true}) 911 c.Assert(barb.PasswordValid("password"), jc.IsTrue) 912 usermanager, err := usermanager.NewUserManagerAPI( 913 s.State, s.resources, apiservertesting.FakeAuthorizer{Tag: alex.Tag()}) 914 c.Assert(err, jc.ErrorIsNil) 915 916 args := params.Entities{Entities: []params.Entity{ 917 {Tag: alex.Tag().String()}, 918 {Tag: barb.Tag().String()}, 919 }} 920 results, err := usermanager.ResetPassword(args) 921 c.Assert(err, jc.ErrorIsNil) 922 923 err = alex.Refresh() 924 c.Assert(err, jc.ErrorIsNil) 925 err = barb.Refresh() 926 c.Assert(err, jc.ErrorIsNil) 927 c.Assert(results.Results, gc.DeepEquals, []params.AddUserResult{ 928 { 929 Tag: alex.Tag().String(), 930 Error: common.ServerError(common.ErrPerm), 931 }, 932 { 933 Tag: barb.Tag().String(), 934 Error: common.ServerError(common.ErrPerm), 935 }, 936 }) 937 938 c.Assert(alex.PasswordValid("password"), jc.IsTrue) 939 c.Assert(barb.PasswordValid("password"), jc.IsTrue) 940 } 941 942 func (s *userManagerSuite) TestResetPasswordFail(c *gc.C) { 943 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex", NoModelUser: true, Disabled: true}) 944 args := params.Entities{Entities: []params.Entity{ 945 {Tag: "user-invalid"}, 946 {Tag: alex.Tag().String()}, 947 }} 948 949 results, err := s.usermanager.ResetPassword(args) 950 c.Assert(err, jc.ErrorIsNil) 951 c.Assert(results.Results, gc.DeepEquals, []params.AddUserResult{ 952 { 953 Tag: "user-invalid", 954 Error: common.ServerError(common.ErrPerm), 955 }, 956 { 957 Tag: alex.Tag().String(), 958 Error: common.ServerError(fmt.Errorf("cannot reset password for user \"alex\": user deactivated")), 959 }, 960 }) 961 } 962 963 func (s *userManagerSuite) TestResetPasswordMixedResult(c *gc.C) { 964 alex := s.Factory.MakeUser(c, &factory.UserParams{Name: "alex", NoModelUser: true}) 965 c.Assert(alex.PasswordValid("password"), jc.IsTrue) 966 args := params.Entities{Entities: []params.Entity{ 967 {Tag: "user-invalid"}, 968 {Tag: alex.Tag().String()}, 969 }} 970 971 results, err := s.usermanager.ResetPassword(args) 972 c.Assert(err, jc.ErrorIsNil) 973 err = alex.Refresh() 974 c.Assert(err, jc.ErrorIsNil) 975 c.Assert(results.Results, gc.DeepEquals, []params.AddUserResult{ 976 { 977 Tag: "user-invalid", 978 Error: common.ServerError(common.ErrPerm), 979 }, 980 { 981 Tag: alex.Tag().String(), 982 SecretKey: alex.SecretKey(), 983 }, 984 }) 985 c.Assert(alex.PasswordValid("password"), jc.IsFalse) 986 } 987 988 func (s *userManagerSuite) TestResetPasswordEmpty(c *gc.C) { 989 results, err := s.usermanager.ResetPassword(params.Entities{}) 990 c.Assert(err, jc.ErrorIsNil) 991 c.Assert(results.Results, gc.HasLen, 0) 992 }