model_test.go 8.63 KB
Newer Older
1
2
3
package backend

import (
ale's avatar
ale committed
4
	"context"
5
	"testing"
6
	"time"
7

ale's avatar
ale committed
8
	"github.com/go-test/deep"
ale's avatar
ale committed
9

10
	as "git.autistici.org/ai3/accountserver"
ale's avatar
ale committed
11
	"git.autistici.org/ai3/accountserver/ldaptest"
12
13
)

ale's avatar
ale committed
14
15
16
17
const (
	testLDAPPort = 42871
	testLDAPAddr = "ldap://127.0.0.1:42871"
	testUser1    = "uno@investici.org"
18
	testUser2    = "due@investici.org"
ale's avatar
ale committed
19
)
ale's avatar
ale committed
20

21
func startServerAndGetUser(t testing.TB) (func(), as.Backend, *as.RawUser) {
22
23
24
	return startServerAndGetUserWithName(t, testUser1)
}

25
func startServerAndGetUser2(t testing.TB) (func(), as.Backend, *as.RawUser) {
26
27
28
	return startServerAndGetUserWithName(t, testUser2)
}

29
func startServer(t testing.TB) (func(), as.Backend) {
ale's avatar
ale committed
30
	stop := ldaptest.StartServer(t, &ldaptest.Config{
31
32
33
34
35
36
37
38
		Dir:  "../ldaptest",
		Port: testLDAPPort,
		Base: "dc=example,dc=com",
		LDIFs: []string{
			"testdata/base.ldif",
			"testdata/test1.ldif",
			"testdata/test2.ldif",
		},
ale's avatar
ale committed
39
40
41
42
43
44
	})

	b, err := NewLDAPBackend(testLDAPAddr, "cn=manager,dc=example,dc=com", "password", "dc=example,dc=com")
	if err != nil {
		t.Fatal("NewLDAPBackend", err)
	}
45

46
47
48
	return stop, b
}

49
func startServerAndGetUserWithName(t testing.TB, username string) (func(), as.Backend, *as.RawUser) {
50
51
	stop, b := startServer(t)

ale's avatar
ale committed
52
	tx, _ := b.NewTransaction()
53
	user, err := tx.GetUser(context.Background(), username)
54
	if err != nil {
ale's avatar
ale committed
55
56
57
		t.Fatal("GetUser", err)
	}
	if user == nil {
58
		t.Fatalf("could not find test user %s", username)
ale's avatar
ale committed
59
60
	}

61
62
63
	return stop, b, user
}

64
65
66
67
68
69
70
71
72
73
74
75
76
77
func TestModel_GetUser_NotFound(t *testing.T) {
	stop, b := startServer(t)
	defer stop()

	tx, _ := b.NewTransaction()
	user, err := tx.GetUser(context.Background(), "wrong_user")
	if err != nil {
		t.Fatalf("GetUser(wrong_user) should have returned no error, got: %v", err)
	}
	if user != nil {
		t.Fatal("GetUser(wrong_user) returned non-nil user")
	}
}

78
79
80
func TestModel_GetUser(t *testing.T) {
	stop, _, user := startServerAndGetUser(t)
	defer stop()
ale's avatar
ale committed
81
82

	if user.Name != testUser1 {
83
		t.Errorf("bad username: expected %s, got %s", testUser1, user.Name)
ale's avatar
ale committed
84
	}
85
	if len(user.Resources) != 5 {
86
87
88
89
90
		t.Errorf("expected 5 resources, got %d", len(user.Resources))
	}
	expectedPwChangeStamp := time.Date(2018, 11, 14, 0, 0, 0, 0, time.UTC)
	if user.LastPasswordChangeStamp != expectedPwChangeStamp {
		t.Errorf("bad last password change timestamp: expected %s, got %s", expectedPwChangeStamp, user.LastPasswordChangeStamp)
ale's avatar
ale committed
91
92
93
	}

	// Test a specific resource (the database).
94
95
96
97
	db := user.GetSingleResourceByType(as.ResourceTypeDatabase)
	expectedDB := &as.Resource{
		ID: as.NewResourceID(
			as.ResourceTypeDatabase,
ale's avatar
ale committed
98
99
100
101
			testUser1,
			"alias=uno",
			"unodb",
		),
102
103
104
		Type: as.ResourceTypeDatabase,
		ParentID: as.NewResourceID(
			as.ResourceTypeWebsite,
ale's avatar
ale committed
105
106
107
108
109
110
			testUser1,
			"uno",
		),
		Name:          "unodb",
		Shard:         "host2",
		OriginalShard: "host2",
111
112
		Status:        as.ResourceStatusActive,
		Database: &as.Database{
ale's avatar
ale committed
113
114
			CleartextPassword: "password",
			DBUser:            "unodb",
115
116
		},
	}
ale's avatar
ale committed
117
118
	if err := deep.Equal(db, expectedDB); err != nil {
		t.Fatalf("returned database resource differs: %v", err)
119
120
121
	}
}

122
123
124
125
126
127
128
129
130
131
132
133
func TestModel_GetUser_Has2FA(t *testing.T) {
	stop, _, user := startServerAndGetUser2(t)
	defer stop()

	if !user.Has2FA {
		t.Errorf("user %s does not appear to have 2FA enabled", testUser2)
	}
	if !user.HasEncryptionKeys {
		t.Errorf("user %s does not appear to have encryption keys", testUser2)
	}
}

134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
func TestModel_GetUser_Resources(t *testing.T) {
	stop, b, user := startServerAndGetUser(t)
	defer stop()

	// Fetch individually all user resources, one by one, and
	// check that they match what we have already.
	tx2, _ := b.NewTransaction()
	for _, r := range user.Resources {
		fr, err := tx2.GetResource(context.Background(), r.ID)
		if err != nil {
			t.Errorf("could not fetch resource %s: %v", r.ID, err)
			continue
		}
		if fr == nil {
			t.Errorf("resource %s is missing", r.ID)
			continue
		}
		// It's ok if Group is unset in the GetResource response.
		rr := *r
		rr.Group = ""
		if err := deep.Equal(fr, &rr); err != nil {
			t.Errorf("error in fetched resource %s: %v", r.ID, err)
			continue
		}
	}
}

ale's avatar
ale committed
161
func TestModel_SetResourceStatus(t *testing.T) {
ale's avatar
ale committed
162
163
	stop := ldaptest.StartServer(t, &ldaptest.Config{
		Dir:   "../ldaptest",
ale's avatar
ale committed
164
165
166
167
168
		Port:  testLDAPPort,
		Base:  "dc=example,dc=com",
		LDIFs: []string{"testdata/base.ldif", "testdata/test1.ldif"},
	})
	defer stop()
169

ale's avatar
ale committed
170
	b, err := NewLDAPBackend(testLDAPAddr, "cn=manager,dc=example,dc=com", "password", "dc=example,dc=com")
171
	if err != nil {
ale's avatar
ale committed
172
		t.Fatal("NewLDAPBackend", err)
173
174
	}

ale's avatar
ale committed
175
	tx, _ := b.NewTransaction()
176
	rsrcID := as.NewResourceID(as.ResourceTypeEmail, testUser1, testUser1)
177
	r, err := tx.GetResource(context.Background(), rsrcID)
ale's avatar
ale committed
178
179
	if err != nil {
		t.Fatal("GetResource", err)
180
	}
ale's avatar
ale committed
181
182
183
184
	if r == nil {
		t.Fatalf("could not find test resource %s", rsrcID)
	}

185
	r.Status = as.ResourceStatusInactive
186
	if err := tx.UpdateResource(context.Background(), r); err != nil {
ale's avatar
ale committed
187
188
189
190
		t.Fatal("UpdateResource", err)
	}
	if err := tx.Commit(context.Background()); err != nil {
		t.Fatalf("commit error: %v", err)
191
192
	}
}
193

ale's avatar
ale committed
194
func TestModel_HasAnyResource(t *testing.T) {
ale's avatar
ale committed
195
196
	stop := ldaptest.StartServer(t, &ldaptest.Config{
		Dir:   "../ldaptest",
ale's avatar
ale committed
197
		Port:  testLDAPPort,
198
		Base:  "dc=example,dc=com",
ale's avatar
ale committed
199
		LDIFs: []string{"testdata/base.ldif", "testdata/test1.ldif"},
200
201
202
	})
	defer stop()

ale's avatar
ale committed
203
	b, err := NewLDAPBackend(testLDAPAddr, "cn=manager,dc=example,dc=com", "password", "dc=example,dc=com")
204
205
206
	if err != nil {
		t.Fatal("NewLDAPBackend", err)
	}
ale's avatar
ale committed
207
208
209
210

	tx, _ := b.NewTransaction()

	// Request that should succeed.
211
212
213
	ok, err := tx.HasAnyResource(context.Background(), []as.FindResourceRequest{
		{Type: as.ResourceTypeEmail, Name: "foo"},
		{Type: as.ResourceTypeEmail, Name: testUser1},
ale's avatar
ale committed
214
215
216
217
218
	})
	if err != nil {
		t.Fatal("HasAnyResource", err)
	}
	if !ok {
219
		t.Fatal("could not find test email resource")
ale's avatar
ale committed
220
221
222
	}

	// Request that should fail (bad resource type).
223
224
	ok, err = tx.HasAnyResource(context.Background(), []as.FindResourceRequest{
		{Type: as.ResourceTypeDatabase, Name: testUser1},
ale's avatar
ale committed
225
226
227
228
229
230
231
	})
	if err != nil {
		t.Fatal("HasAnyResource", err)
	}
	if ok {
		t.Fatal("oops, found non existing resource")
	}
232
}
233
234
235
236
237
238
239
240

func TestModel_SetUserPassword(t *testing.T) {
	stop, b, user := startServerAndGetUser(t)
	defer stop()

	encPass := "encrypted password"

	tx, _ := b.NewTransaction()
241
	if err := tx.SetUserPassword(context.Background(), &user.User, encPass); err != nil {
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
		t.Fatal("SetUserPassword", err)
	}
	if err := tx.Commit(context.Background()); err != nil {
		t.Fatal("Commit", err)
	}

	// Verify that the new password is set.
	pwattr := tx.(*backendTX).readAttributeValues(
		context.Background(),
		"mail=uno@investici.org,uid=uno@investici.org,ou=People,dc=example,dc=com",
		"userPassword",
	)
	if len(pwattr) == 0 {
		t.Fatalf("no userPassword attribute on mail= object")
	}
	if len(pwattr) > 1 {
		t.Fatalf("more than one userPassword found on mail= object")
	}
	if pwattr[0] != encPass {
		t.Fatalf("bad userPassword, got %s, expected %s", pwattr[0], encPass)
	}
}

func TestModel_SetUserEncryptionKeys_Add(t *testing.T) {
	stop, b, user := startServerAndGetUser(t)
	defer stop()

	tx, _ := b.NewTransaction()
270
	keys := []*as.UserEncryptionKey{
271
		{
272
			ID:  as.UserEncryptionKeyMainID,
273
274
275
			Key: []byte("very secret key"),
		},
	}
276
	if err := tx.SetUserEncryptionKeys(context.Background(), &user.User, keys); err != nil {
277
278
279
280
281
282
283
284
285
286
287
288
		t.Fatal("SetUserEncryptionKeys", err)
	}
	if err := tx.Commit(context.Background()); err != nil {
		t.Fatal("Commit", err)
	}
}

func TestModel_SetUserEncryptionKeys_Replace(t *testing.T) {
	stop, b, user := startServerAndGetUser2(t)
	defer stop()

	tx, _ := b.NewTransaction()
289
	keys := []*as.UserEncryptionKey{
290
		{
291
			ID:  as.UserEncryptionKeyMainID,
292
293
294
			Key: []byte("very secret key"),
		},
	}
295
	if err := tx.SetUserEncryptionKeys(context.Background(), &user.User, keys); err != nil {
296
297
298
299
300
301
		t.Fatal("SetUserEncryptionKeys", err)
	}
	if err := tx.Commit(context.Background()); err != nil {
		t.Fatal("Commit", err)
	}
}
ale's avatar
ale committed
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338

func TestModel_NextUID(t *testing.T) {
	stop, b, user := startServerAndGetUser(t)
	defer stop()
	tx, _ := b.NewTransaction()

	// User UID should not be available.
	ok, err := tx.(*backendTX).isUIDAvailable(context.Background(), user.UID)
	if err != nil {
		t.Fatal("isUIDAvailable", err)
	}
	if ok {
		t.Fatalf("oops, the uid of the existing user (%d) appears to be available", user.UID)
	}

	// Check a UID that should be available instead.
	freeUID := 4096
	ok, err = tx.(*backendTX).isUIDAvailable(context.Background(), freeUID)
	if err != nil {
		t.Fatal("isUIDAvailable", err)
	}
	if !ok {
		t.Fatalf("oops, a supposedly free uid (%d) appears to be unavailable", freeUID)
	}

	// Generate a new UID.
	uid, err := tx.NextUID(context.Background())
	if err != nil {
		t.Fatal("NextUID", err)
	}
	if uid == 0 {
		t.Fatal("uid is 0")
	}
	if uid == user.UID { // not that it's likely
		t.Fatalf("uid is the same as the existing user ID (%d)", user.UID)
	}
}