XYZ-37: Advanced Permissions Phase 1 Backend. (#8159)

* XYZ-13: Update Permission and Role structs to new design. * XYZ-10: Role store. * XYZ-9/XYZ-44: Roles API endpoints and WebSocket message. * XYZ-8: Switch server permissions checks to store backed roles. * XYZ-58: Proper validation of roles where required. * XYZ-11/XYZ-55: Migration to store backed roles from policy config. * XYZ-37: Update unit tests to work with database roles. * XYZ-56: Remove the "guest" role. * Changes to SetDefaultRolesFromConfig. * Short-circuit the store if nothing has changed. * Address first round of review comments. * Address second round of review comments.
author: George Goldberg <george@gberg.me> 2018-02-06 15:34:08 +0000
committer: GitHub <noreply@github.com> 2018-02-06 15:34:08 +0000
commit: e1cd64613591cf5a990442a69ebf188258bd0cb5 (patch)
tree: ad9f247a2c75b0bc03de93dbbfc038afb6b69545 /app/app_test.go
parent: 1c7f25773a77ceb9e84feabe3907e7f93f6870e4 (diff)
download: chat-e1cd64613591cf5a990442a69ebf188258bd0cb5.tar.gz
chat-e1cd64613591cf5a990442a69ebf188258bd0cb5.tar.bz2
chat-e1cd64613591cf5a990442a69ebf188258bd0cb5.zip
1 files changed, 339 insertions, 1 deletions
diff --git a/app/app_test.go b/app/app_test.go
index 25b19ead8..6d62bf249 100644
--- a/app/app_test.go
+++ b/app/app_test.go
@@ -9,7 +9,6 @@ import (
 	"testing"
 
 	l4g "github.com/alecthomas/log4go"
-
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
@@ -71,3 +70,342 @@ func TestUpdateConfig(t *testing.T) {
 		*cfg.ServiceSettings.SiteURL = "foo"
 	})
 }
+
+func TestDoAdvancedPermissionsMigration(t *testing.T) {
+	th := Setup()
+	defer th.TearDown()
+
+	if testStoreSqlSupplier == nil {
+		t.Skip("This test requires a TestStore to be run.")
+	}
+
+	th.ResetRoleMigration()
+
+	th.App.DoAdvancedPermissionsMigration()
+
+	roleNames := []string{
+		"system_user",
+		"system_admin",
+		"team_user",
+		"team_admin",
+		"channel_user",
+		"channel_admin",
+		"system_post_all",
+		"system_post_all_public",
+		"system_user_access_token",
+		"team_post_all",
+		"team_post_all_public",
+	}
+
+	roles1, err1 := th.App.GetRolesByNames(roleNames)
+	assert.Nil(t, err1)
+	assert.Equal(t, len(roles1), len(roleNames))
+
+	expected1 := map[string][]string{
+		"channel_user": []string{
+			model.PERMISSION_READ_CHANNEL.Id,
+			model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
+			model.PERMISSION_UPLOAD_FILE.Id,
+			model.PERMISSION_GET_PUBLIC_LINK.Id,
+			model.PERMISSION_CREATE_POST.Id,
+			model.PERMISSION_EDIT_POST.Id,
+			model.PERMISSION_USE_SLASH_COMMANDS.Id,
+			model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+			model.PERMISSION_DELETE_POST.Id,
+		},
+		"channel_admin": []string{
+			model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
+		},
+		"team_user": []string{
+			model.PERMISSION_LIST_TEAM_CHANNELS.Id,
+			model.PERMISSION_JOIN_PUBLIC_CHANNELS.Id,
+			model.PERMISSION_READ_PUBLIC_CHANNEL.Id,
+			model.PERMISSION_VIEW_TEAM.Id,
+			model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
+			model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
+			model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
+			model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
+			model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
+			model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
+			model.PERMISSION_INVITE_USER.Id,
+			model.PERMISSION_ADD_USER_TO_TEAM.Id,
+		},
+		"team_post_all": []string{
+			model.PERMISSION_CREATE_POST.Id,
+		},
+		"team_post_all_public": []string{
+			model.PERMISSION_CREATE_POST_PUBLIC.Id,
+		},
+		"team_admin": []string{
+			model.PERMISSION_EDIT_OTHERS_POSTS.Id,
+			model.PERMISSION_REMOVE_USER_FROM_TEAM.Id,
+			model.PERMISSION_MANAGE_TEAM.Id,
+			model.PERMISSION_IMPORT_TEAM.Id,
+			model.PERMISSION_MANAGE_TEAM_ROLES.Id,
+			model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
+			model.PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
+			model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
+			model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
+			model.PERMISSION_MANAGE_WEBHOOKS.Id,
+			model.PERMISSION_DELETE_POST.Id,
+			model.PERMISSION_DELETE_OTHERS_POSTS.Id,
+		},
+		"system_user": []string{
+			model.PERMISSION_CREATE_DIRECT_CHANNEL.Id,
+			model.PERMISSION_CREATE_GROUP_CHANNEL.Id,
+			model.PERMISSION_PERMANENT_DELETE_USER.Id,
+			model.PERMISSION_CREATE_TEAM.Id,
+		},
+		"system_post_all": []string{
+			model.PERMISSION_CREATE_POST.Id,
+		},
+		"system_post_all_public": []string{
+			model.PERMISSION_CREATE_POST_PUBLIC.Id,
+		},
+		"system_user_access_token": []string{
+			model.PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
+			model.PERMISSION_READ_USER_ACCESS_TOKEN.Id,
+			model.PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
+		},
+		"system_admin": []string{
+			model.PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE.Id,
+			model.PERMISSION_MANAGE_SYSTEM.Id,
+			model.PERMISSION_MANAGE_ROLES.Id,
+			model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
+			model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
+			model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+			model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
+			model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
+			model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
+			model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
+			model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
+			model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id,
+			model.PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
+			model.PERMISSION_EDIT_OTHER_USERS.Id,
+			model.PERMISSION_MANAGE_OAUTH.Id,
+			model.PERMISSION_INVITE_USER.Id,
+			model.PERMISSION_DELETE_POST.Id,
+			model.PERMISSION_DELETE_OTHERS_POSTS.Id,
+			model.PERMISSION_CREATE_TEAM.Id,
+			model.PERMISSION_ADD_USER_TO_TEAM.Id,
+			model.PERMISSION_LIST_USERS_WITHOUT_TEAM.Id,
+			model.PERMISSION_MANAGE_JOBS.Id,
+			model.PERMISSION_CREATE_POST_PUBLIC.Id,
+			model.PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
+			model.PERMISSION_READ_USER_ACCESS_TOKEN.Id,
+			model.PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
+			model.PERMISSION_LIST_TEAM_CHANNELS.Id,
+			model.PERMISSION_JOIN_PUBLIC_CHANNELS.Id,
+			model.PERMISSION_READ_PUBLIC_CHANNEL.Id,
+			model.PERMISSION_VIEW_TEAM.Id,
+			model.PERMISSION_READ_CHANNEL.Id,
+			model.PERMISSION_UPLOAD_FILE.Id,
+			model.PERMISSION_GET_PUBLIC_LINK.Id,
+			model.PERMISSION_CREATE_POST.Id,
+			model.PERMISSION_EDIT_POST.Id,
+			model.PERMISSION_USE_SLASH_COMMANDS.Id,
+			model.PERMISSION_EDIT_OTHERS_POSTS.Id,
+			model.PERMISSION_REMOVE_USER_FROM_TEAM.Id,
+			model.PERMISSION_MANAGE_TEAM.Id,
+			model.PERMISSION_IMPORT_TEAM.Id,
+			model.PERMISSION_MANAGE_TEAM_ROLES.Id,
+			model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
+			model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
+			model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
+			model.PERMISSION_MANAGE_WEBHOOKS.Id,
+		},
+	}
+
+	// Check the migration matches what's expected.
+	for name, permissions := range expected1 {
+		role, err := th.App.GetRoleByName(name)
+		assert.Nil(t, err)
+		assert.Equal(t, role.Permissions, permissions)
+	}
+
+	// Add a license and change the policy config.
+	isLicensed := utils.IsLicensed()
+	license := utils.License()
+	restrictPublicChannel := *th.App.Config().TeamSettings.RestrictPublicChannelManagement
+	restrictPrivateChannel := *th.App.Config().TeamSettings.RestrictPrivateChannelManagement
+
+	defer func() {
+		th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictPublicChannelManagement = restrictPublicChannel })
+		th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictPrivateChannelManagement = restrictPrivateChannel })
+		utils.SetIsLicensed(isLicensed)
+		utils.SetLicense(license)
+	}()
+
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		*cfg.TeamSettings.RestrictPublicChannelManagement = model.PERMISSIONS_TEAM_ADMIN
+	})
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		*cfg.TeamSettings.RestrictPrivateChannelManagement = model.PERMISSIONS_TEAM_ADMIN
+	})
+	utils.SetIsLicensed(true)
+	utils.SetLicense(&model.License{Features: &model.Features{}})
+	utils.License().Features.SetDefaults()
+
+	// Check the migration doesn't change anything if run again.
+	th.App.DoAdvancedPermissionsMigration()
+
+	roles2, err2 := th.App.GetRolesByNames(roleNames)
+	assert.Nil(t, err2)
+	assert.Equal(t, len(roles2), len(roleNames))
+
+	for name, permissions := range expected1 {
+		role, err := th.App.GetRoleByName(name)
+		assert.Nil(t, err)
+		assert.Equal(t, permissions, role.Permissions)
+	}
+
+	// Reset the database
+	th.ResetRoleMigration()
+
+	// Do the migration again with different policy config settings and a license.
+	th.App.DoAdvancedPermissionsMigration()
+
+	// Check the role permissions.
+	expected2 := map[string][]string{
+		"channel_user": []string{
+			model.PERMISSION_READ_CHANNEL.Id,
+			model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
+			model.PERMISSION_UPLOAD_FILE.Id,
+			model.PERMISSION_GET_PUBLIC_LINK.Id,
+			model.PERMISSION_CREATE_POST.Id,
+			model.PERMISSION_EDIT_POST.Id,
+			model.PERMISSION_USE_SLASH_COMMANDS.Id,
+			model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+			model.PERMISSION_DELETE_POST.Id,
+		},
+		"channel_admin": []string{
+			model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
+		},
+		"team_user": []string{
+			model.PERMISSION_LIST_TEAM_CHANNELS.Id,
+			model.PERMISSION_JOIN_PUBLIC_CHANNELS.Id,
+			model.PERMISSION_READ_PUBLIC_CHANNEL.Id,
+			model.PERMISSION_VIEW_TEAM.Id,
+			model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
+			model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
+			model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
+			model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
+			model.PERMISSION_INVITE_USER.Id,
+			model.PERMISSION_ADD_USER_TO_TEAM.Id,
+		},
+		"team_post_all": []string{
+			model.PERMISSION_CREATE_POST.Id,
+		},
+		"team_post_all_public": []string{
+			model.PERMISSION_CREATE_POST_PUBLIC.Id,
+		},
+		"team_admin": []string{
+			model.PERMISSION_EDIT_OTHERS_POSTS.Id,
+			model.PERMISSION_REMOVE_USER_FROM_TEAM.Id,
+			model.PERMISSION_MANAGE_TEAM.Id,
+			model.PERMISSION_IMPORT_TEAM.Id,
+			model.PERMISSION_MANAGE_TEAM_ROLES.Id,
+			model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
+			model.PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
+			model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
+			model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
+			model.PERMISSION_MANAGE_WEBHOOKS.Id,
+			model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
+			model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
+			model.PERMISSION_DELETE_POST.Id,
+			model.PERMISSION_DELETE_OTHERS_POSTS.Id,
+		},
+		"system_user": []string{
+			model.PERMISSION_CREATE_DIRECT_CHANNEL.Id,
+			model.PERMISSION_CREATE_GROUP_CHANNEL.Id,
+			model.PERMISSION_PERMANENT_DELETE_USER.Id,
+			model.PERMISSION_CREATE_TEAM.Id,
+		},
+		"system_post_all": []string{
+			model.PERMISSION_CREATE_POST.Id,
+		},
+		"system_post_all_public": []string{
+			model.PERMISSION_CREATE_POST_PUBLIC.Id,
+		},
+		"system_user_access_token": []string{
+			model.PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
+			model.PERMISSION_READ_USER_ACCESS_TOKEN.Id,
+			model.PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
+		},
+		"system_admin": []string{
+			model.PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE.Id,
+			model.PERMISSION_MANAGE_SYSTEM.Id,
+			model.PERMISSION_MANAGE_ROLES.Id,
+			model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
+			model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
+			model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+			model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
+			model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
+			model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
+			model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
+			model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
+			model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id,
+			model.PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
+			model.PERMISSION_EDIT_OTHER_USERS.Id,
+			model.PERMISSION_MANAGE_OAUTH.Id,
+			model.PERMISSION_INVITE_USER.Id,
+			model.PERMISSION_DELETE_POST.Id,
+			model.PERMISSION_DELETE_OTHERS_POSTS.Id,
+			model.PERMISSION_CREATE_TEAM.Id,
+			model.PERMISSION_ADD_USER_TO_TEAM.Id,
+			model.PERMISSION_LIST_USERS_WITHOUT_TEAM.Id,
+			model.PERMISSION_MANAGE_JOBS.Id,
+			model.PERMISSION_CREATE_POST_PUBLIC.Id,
+			model.PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
+			model.PERMISSION_READ_USER_ACCESS_TOKEN.Id,
+			model.PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
+			model.PERMISSION_LIST_TEAM_CHANNELS.Id,
+			model.PERMISSION_JOIN_PUBLIC_CHANNELS.Id,
+			model.PERMISSION_READ_PUBLIC_CHANNEL.Id,
+			model.PERMISSION_VIEW_TEAM.Id,
+			model.PERMISSION_READ_CHANNEL.Id,
+			model.PERMISSION_UPLOAD_FILE.Id,
+			model.PERMISSION_GET_PUBLIC_LINK.Id,
+			model.PERMISSION_CREATE_POST.Id,
+			model.PERMISSION_EDIT_POST.Id,
+			model.PERMISSION_USE_SLASH_COMMANDS.Id,
+			model.PERMISSION_EDIT_OTHERS_POSTS.Id,
+			model.PERMISSION_REMOVE_USER_FROM_TEAM.Id,
+			model.PERMISSION_MANAGE_TEAM.Id,
+			model.PERMISSION_IMPORT_TEAM.Id,
+			model.PERMISSION_MANAGE_TEAM_ROLES.Id,
+			model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
+			model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
+			model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
+			model.PERMISSION_MANAGE_WEBHOOKS.Id,
+		},
+	}
+
+	roles3, err3 := th.App.GetRolesByNames(roleNames)
+	assert.Nil(t, err3)
+	assert.Equal(t, len(roles3), len(roleNames))
+
+	for name, permissions := range expected2 {
+		role, err := th.App.GetRoleByName(name)
+		assert.Nil(t, err)
+		assert.Equal(t, permissions, role.Permissions)
+	}
+
+	// Remove the license.
+	utils.SetIsLicensed(false)
+
+	// Do the migration again.
+	th.ResetRoleMigration()
+	th.App.DoAdvancedPermissionsMigration()
+
+	// Check the role permissions.
+	roles4, err4 := th.App.GetRolesByNames(roleNames)
+	assert.Nil(t, err4)
+	assert.Equal(t, len(roles4), len(roleNames))
+
+	for name, permissions := range expected1 {
+		role, err := th.App.GetRoleByName(name)
+		assert.Nil(t, err)
+		assert.Equal(t, permissions, role.Permissions)
+	}
+}
author	George Goldberg <george@gberg.me>	2018-02-06 15:34:08 +0000
committer	GitHub <noreply@github.com>	2018-02-06 15:34:08 +0000
commit	e1cd64613591cf5a990442a69ebf188258bd0cb5 (patch)
tree	ad9f247a2c75b0bc03de93dbbfc038afb6b69545 /app/app_test.go
parent	1c7f25773a77ceb9e84feabe3907e7f93f6870e4 (diff)
download	chat-e1cd64613591cf5a990442a69ebf188258bd0cb5.tar.gz chat-e1cd64613591cf5a990442a69ebf188258bd0cb5.tar.bz2 chat-e1cd64613591cf5a990442a69ebf188258bd0cb5.zip