authorGeorge Goldberg <george@gberg.me>2018-02-06 15:34:08 +0000
committerGitHub <noreply@github.com>2018-02-06 15:34:08 +0000
commite1cd64613591cf5a990442a69ebf188258bd0cb5 (patch)
treead9f247a2c75b0bc03de93dbbfc038afb6b69545 /api4/oauth_test.go
parent1c7f25773a77ceb9e84feabe3907e7f93f6870e4 (diff)
XYZ-37: Advanced Permissions Phase 1 Backend. (#8159)
* XYZ-13: Update Permission and Role structs to new design. * XYZ-10: Role store. * XYZ-9/XYZ-44: Roles API endpoints and WebSocket message. * XYZ-8: Switch server permissions checks to store backed roles. * XYZ-58: Proper validation of roles where required. * XYZ-11/XYZ-55: Migration to store backed roles from policy config. * XYZ-37: Update unit tests to work with database roles. * XYZ-56: Remove the "guest" role. * Changes to SetDefaultRolesFromConfig. * Short-circuit the store if nothing has changed. * Address first round of review comments. * Address second round of review comments.
Diffstat (limited to 'api4/oauth_test.go')
-rw-r--r--api4/oauth_test.go100
1 files changed, 57 insertions, 43 deletions
diff --git a/api4/oauth_test.go b/api4/oauth_test.go
index 8dd602456..0959442f0 100644
--- a/api4/oauth_test.go
+++ b/api4/oauth_test.go
@@ -19,13 +19,15 @@ func TestCreateOAuthApp(t *testing.T) {
AdminClient := th.SystemAdminClient
enableOAuth := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
- adminOnly := *th.App.Config().ServiceSettings.EnableOnlyAdminIntegrations
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
defer func() {
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly })
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = true })
- th.App.SetDefaultRolesBasedOnConfig()
+
+ // Grant permission to regular users.
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}, IsTrusted: true}
@@ -41,13 +43,15 @@ func TestCreateOAuthApp(t *testing.T) {
t.Fatal("trusted did no match")
}
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = true })
- th.App.SetDefaultRolesBasedOnConfig()
+ // Revoke permission from regular users.
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
+
_, resp = Client.CreateOAuthApp(oapp)
CheckForbiddenStatus(t, resp)
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
- th.App.SetDefaultRolesBasedOnConfig()
+ // Grant permission to regular users.
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
+
rapp, resp = Client.CreateOAuthApp(oapp)
CheckNoError(t, resp)
CheckCreatedStatus(t, resp)
@@ -87,13 +91,15 @@ func TestUpdateOAuthApp(t *testing.T) {
AdminClient := th.SystemAdminClient
enableOAuth := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
- adminOnly := *th.App.Config().ServiceSettings.EnableOnlyAdminIntegrations
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
defer func() {
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly })
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = true })
- th.App.SetDefaultRolesBasedOnConfig()
+
+ // Grant permission to regular users.
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
oapp := &model.OAuthApp{
Name: "oapp",
@@ -171,8 +177,9 @@ func TestUpdateOAuthApp(t *testing.T) {
th.LoginBasic()
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
- th.App.SetDefaultRolesBasedOnConfig()
+ // Revoke permission from regular users.
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
+
_, resp = Client.UpdateOAuthApp(oapp)
CheckForbiddenStatus(t, resp)
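Review bot: Revoking PERMISSION_MANAGE_OAUTH immediately before `Client.UpdateOAuthApp(oapp)` makes the Forbidden assertion at the end of this hunk pass for a weaker reason than it did before. The removed lines left integrations enabled for regular users, so the 403 exercised the ownership check (a regular user cannot modify an app they did not create, assuming oapp was created via AdminClient earlier in the function, outside this hunk); with the permission removed the 403 now only proves the permission check, and the ownership path is no longer covered. Suggest keeping both: after the existing revoke-and-assert, add `th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)` / `_, resp = Client.UpdateOAuthApp(oapp)` / `CheckForbiddenStatus(t, resp)` so the cross-owner rejection stays tested. The same pattern appears in the TestDeleteOAuthApp hunk (old `EnableOnlyAdminIntegrations = false` before `Client.DeleteOAuthApp(rapp.Id)`) and the TestRegenerateOAuthAppSecret hunk (before `Client.RegenerateOAuthAppSecret(rapp.Id)`). TestUpdateOAuthApp begins and ends outside this hunk.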
@@ -181,6 +188,7 @@ func TestUpdateOAuthApp(t *testing.T) {
CheckNotFoundStatus(t, resp)
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = false })
+
_, resp = AdminClient.UpdateOAuthApp(oapp)
CheckNotImplementedStatus(t, resp)
@@ -200,14 +208,15 @@ func TestGetOAuthApps(t *testing.T) {
AdminClient := th.SystemAdminClient
enableOAuth := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
- adminOnly := *th.App.Config().ServiceSettings.EnableOnlyAdminIntegrations
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
defer func() {
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly })
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = true })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
- th.App.SetDefaultRolesBasedOnConfig()
+
+ // Grant permission to regular users.
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
@@ -250,8 +259,8 @@ func TestGetOAuthApps(t *testing.T) {
t.Fatal("wrong apps returned")
}
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = true })
- th.App.SetDefaultRolesBasedOnConfig()
+ // Revoke permission from regular users.
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
_, resp = Client.GetOAuthApps(0, 1000)
CheckForbiddenStatus(t, resp)
@@ -273,14 +282,15 @@ func TestGetOAuthApp(t *testing.T) {
AdminClient := th.SystemAdminClient
enableOAuth := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
- adminOnly := *th.App.Config().ServiceSettings.EnableOnlyAdminIntegrations
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
defer func() {
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly })
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = true })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
- th.App.SetDefaultRolesBasedOnConfig()
+
+ // Grant permission to regular users.
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
@@ -319,8 +329,8 @@ func TestGetOAuthApp(t *testing.T) {
_, resp = Client.GetOAuthApp(rapp.Id)
CheckForbiddenStatus(t, resp)
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = true })
- th.App.SetDefaultRolesBasedOnConfig()
+ // Revoke permission from regular users.
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
_, resp = Client.GetOAuthApp(rapp2.Id)
CheckForbiddenStatus(t, resp)
@@ -348,14 +358,15 @@ func TestGetOAuthAppInfo(t *testing.T) {
AdminClient := th.SystemAdminClient
enableOAuth := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
- adminOnly := *th.App.Config().ServiceSettings.EnableOnlyAdminIntegrations
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
defer func() {
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly })
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = true })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
- th.App.SetDefaultRolesBasedOnConfig()
+
+ // Grant permission to regular users.
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
@@ -394,8 +405,8 @@ func TestGetOAuthAppInfo(t *testing.T) {
_, resp = Client.GetOAuthAppInfo(rapp.Id)
CheckNoError(t, resp)
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = true })
- th.App.SetDefaultRolesBasedOnConfig()
+ // Revoke permission from regular users.
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
_, resp = Client.GetOAuthAppInfo(rapp2.Id)
CheckNoError(t, resp)
@@ -423,14 +434,15 @@ func TestDeleteOAuthApp(t *testing.T) {
AdminClient := th.SystemAdminClient
enableOAuth := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
- adminOnly := *th.App.Config().ServiceSettings.EnableOnlyAdminIntegrations
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
defer func() {
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly })
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = true })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
- th.App.SetDefaultRolesBasedOnConfig()
+
+ // Grant permission to regular users.
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
@@ -464,8 +476,9 @@ func TestDeleteOAuthApp(t *testing.T) {
_, resp = Client.DeleteOAuthApp(rapp2.Id)
CheckNoError(t, resp)
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
- th.App.SetDefaultRolesBasedOnConfig()
+ // Revoke permission from regular users.
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
+
_, resp = Client.DeleteOAuthApp(rapp.Id)
CheckForbiddenStatus(t, resp)
@@ -491,14 +504,15 @@ func TestRegenerateOAuthAppSecret(t *testing.T) {
AdminClient := th.SystemAdminClient
enableOAuth := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
- adminOnly := *th.App.Config().ServiceSettings.EnableOnlyAdminIntegrations
+ defaultRolePermissions := th.SaveDefaultRolePermissions()
defer func() {
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly })
+ th.RestoreDefaultRolePermissions(defaultRolePermissions)
}()
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = true })
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
- th.App.SetDefaultRolesBasedOnConfig()
+
+ // Grant permission to regular users.
+ th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
@@ -536,8 +550,9 @@ func TestRegenerateOAuthAppSecret(t *testing.T) {
_, resp = Client.RegenerateOAuthAppSecret(rapp2.Id)
CheckNoError(t, resp)
- th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOnlyAdminIntegrations = false })
- th.App.SetDefaultRolesBasedOnConfig()
+ // Revoke permission from regular users.
+ th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
+
_, resp = Client.RegenerateOAuthAppSecret(rapp.Id)
CheckForbiddenStatus(t, resp)
@@ -627,7 +642,6 @@ func TestAuthorizeOAuthApp(t *testing.T) {
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth })
}()
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = true })
- th.App.SetDefaultRolesBasedOnConfig()
oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}