authorGabe Van Engel <gabe@schizoid.net>2018-08-28 08:06:57 -0700
committerHarrison Healey <harrisonmhealey@gmail.com>2018-08-28 11:06:57 -0400
commit347ee1d205c95f5fd766e206cc65bfb9782a2623 (patch)
tree7ee22b4d399d0419d18f1e0d40ed35d17e45a4c6 /app/team_test.go
parent19e69681d73b0b2e30d6f2749c3e61da4eca5863 (diff)
MM-11327: Restrict Teams by Email (#9142)
* Check a team's AllowedDomains setting before adding users to the team. * Updated AddUser tests to validate AllowedDomains restriction. * Updated variable name to match convention. * Removed AllowedDomains from team sanitization. * Update AppError's Where to match the calling function. * Added tests for user matching allowedDomains, and multi domain values of allowedDomains. * Added test to make sure we block users who have a subdomain of a whitelisted domain. * Revert "Removed AllowedDomains from team sanitization." This reverts commit 17c2afea584da40c7d769787ae86408e9700510c. * Update sanitization tests to include dockerhost, now that we enforce AllowedDomains. * Added tests to verify the interplay between the global and per team domain restrictions. * Validate AllowedDomains property against RestrictCreationToDomains before updating a team. * Remove team.AllowedDomains from sanitization. * Add i18n string for the team allowed domains restriction app error.
Diffstat (limited to 'app/team_test.go')
-rw-r--r--app/team_test.go173
1 files changed, 151 insertions, 22 deletions
diff --git a/app/team_test.go b/app/team_test.go
index 429e07931..1f2dd5318 100644
--- a/app/team_test.go
+++ b/app/team_test.go
@@ -73,13 +73,99 @@ func TestAddUserToTeam(t *testing.T) {
th := Setup().InitBasic()
defer th.TearDown()
- user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@example.com", Nickname: "Darth Vader", Username: "vader" + model.NewId(), Password: "passwd1", AuthService: ""}
- ruser, _ := th.App.CreateUser(&user)
+ t.Run("add user", func(t *testing.T) {
+ user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@example.com", Nickname: "Darth Vader", Username: "vader" + model.NewId(), Password: "passwd1", AuthService: ""}
+ ruser, _ := th.App.CreateUser(&user)
+ defer th.App.PermanentDeleteUser(&user)
- if _, err := th.App.AddUserToTeam(th.BasicTeam.Id, ruser.Id, ""); err != nil {
- t.Log(err)
- t.Fatal("Should add user to the team")
- }
+ if _, err := th.App.AddUserToTeam(th.BasicTeam.Id, ruser.Id, ""); err != nil {
+ t.Log(err)
+ t.Fatal("Should add user to the team")
+ }
+ })
+
+ t.Run("allow user by domain", func(t *testing.T) {
+ th.BasicTeam.AllowedDomains = "example.com"
+ if _, err := th.App.UpdateTeam(th.BasicTeam); err != nil {
+ t.Log(err)
+ t.Fatal("Should update the team")
+ }
+
+ user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@example.com", Nickname: "Darth Vader", Username: "vader" + model.NewId(), Password: "passwd1", AuthService: ""}
+ ruser, _ := th.App.CreateUser(&user)
+ defer th.App.PermanentDeleteUser(&user)
+
+ if _, err := th.App.AddUserToTeam(th.BasicTeam.Id, ruser.Id, ""); err != nil {
+ t.Log(err)
+ t.Fatal("Should have allowed whitelisted user")
+ }
+ })
+
+ t.Run("block user by domain", func(t *testing.T) {
+ th.BasicTeam.AllowedDomains = "example.com"
+ if _, err := th.App.UpdateTeam(th.BasicTeam); err != nil {
+ t.Log(err)
+ t.Fatal("Should update the team")
+ }
+
+ user := model.User{Email: strings.ToLower(model.NewId()) + "test@invalid.com", Nickname: "Darth Vader", Username: "vader" + model.NewId(), Password: "passwd1", AuthService: ""}
+ ruser, _ := th.App.CreateUser(&user)
+ defer th.App.PermanentDeleteUser(&user)
+
+ if _, err := th.App.AddUserToTeam(th.BasicTeam.Id, ruser.Id, ""); err == nil || err.Where != "JoinUserToTeam" {
+ t.Log(err)
+ t.Fatal("Should not add restricted user")
+ }
+ })
+
+ t.Run("block user with subdomain", func(t *testing.T) {
+ th.BasicTeam.AllowedDomains = "example.com"
+ if _, err := th.App.UpdateTeam(th.BasicTeam); err != nil {
+ t.Log(err)
+ t.Fatal("Should update the team")
+ }
+
+ user := model.User{Email: strings.ToLower(model.NewId()) + "test@invalid.example.com", Nickname: "Darth Vader", Username: "vader" + model.NewId(), Password: "passwd1", AuthService: ""}
+ ruser, _ := th.App.CreateUser(&user)
+ defer th.App.PermanentDeleteUser(&user)
+
+ if _, err := th.App.AddUserToTeam(th.BasicTeam.Id, ruser.Id, ""); err == nil || err.Where != "JoinUserToTeam" {
+ t.Log(err)
+ t.Fatal("Should not add restricted user")
+ }
+ })
+
+ t.Run("allow users by multiple domains", func(t *testing.T) {
+ th.BasicTeam.AllowedDomains = "foo.com, bar.com"
+ if _, err := th.App.UpdateTeam(th.BasicTeam); err != nil {
+ t.Log(err)
+ t.Fatal("Should update the team")
+ }
+
+ user1 := model.User{Email: strings.ToLower(model.NewId()) + "success+test@foo.com", Nickname: "Darth Vader", Username: "vader" + model.NewId(), Password: "passwd1", AuthService: ""}
+ ruser1, _ := th.App.CreateUser(&user1)
+ user2 := model.User{Email: strings.ToLower(model.NewId()) + "success+test@bar.com", Nickname: "Darth Vader", Username: "vader" + model.NewId(), Password: "passwd1", AuthService: ""}
+ ruser2, _ := th.App.CreateUser(&user2)
+ user3 := model.User{Email: strings.ToLower(model.NewId()) + "success+test@invalid.com", Nickname: "Darth Vader", Username: "vader" + model.NewId(), Password: "passwd1", AuthService: ""}
+ ruser3, _ := th.App.CreateUser(&user3)
+ defer th.App.PermanentDeleteUser(&user1)
+ defer th.App.PermanentDeleteUser(&user2)
+ defer th.App.PermanentDeleteUser(&user3)
+
+ if _, err := th.App.AddUserToTeam(th.BasicTeam.Id, ruser1.Id, ""); err != nil {
+ t.Log(err)
+ t.Fatal("Should have allowed whitelisted user1")
+ }
+ if _, err := th.App.AddUserToTeam(th.BasicTeam.Id, ruser2.Id, ""); err != nil {
+ t.Log(err)
+ t.Fatal("Should have allowed whitelisted user2")
+ }
+ if _, err := th.App.AddUserToTeam(th.BasicTeam.Id, ruser3.Id, ""); err == nil || err.Where != "JoinUserToTeam" {
+ t.Log(err)
+ t.Fatal("Should not have allowed restricted user3")
+ }
+
+ })
}
func TestAddUserToTeamByToken(t *testing.T) {
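Review bot: None of the blocking subtests exercises a bare suffix match, so an implementation that compares with `strings.HasSuffix(email, domain)` instead of the part after the last `@` would pass "block user with subdomain" and every other case here while still admitting `attacker@evilexample.com` to a team restricted to `example.com`. Add one more blocking subtest modelled on the subdomain one, with `Email: strings.ToLower(model.NewId()) + "test@evilexample.com"` and the same `err.Where != "JoinUserToTeam"` assertion; a mixed-case address such as `"test@EXAMPLE.com"` would likewise pin whether matching is case-insensitive, which the matching code (outside this file) may or may not guarantee. Each subtest also writes `th.BasicTeam.AllowedDomains` through `UpdateTeam` and never restores it, so "add user" only passes because it runs first; a `defer` that resets the field to `""` and calls `UpdateTeam` again would make the subtests order-independent. Finally, `ruser, _ := th.App.CreateUser(&user)` discards the error and will nil-dereference on failure instead of reporting why user creation failed.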
@@ -158,19 +244,62 @@ func TestAddUserToTeamByToken(t *testing.T) {
t.Fatal("The token must be deleted after be used")
}
})
+
+ t.Run("block user", func(t *testing.T) {
+ th.BasicTeam.AllowedDomains = "example.com"
+ if _, err := th.App.UpdateTeam(th.BasicTeam); err != nil {
+ t.Log(err)
+ t.Fatal("Should update the team")
+ }
+
+ user := model.User{Email: strings.ToLower(model.NewId()) + "test@invalid.com", Nickname: "Darth Vader", Username: "vader" + model.NewId(), Password: "passwd1", AuthService: ""}
+ ruser, _ := th.App.CreateUser(&user)
+ defer th.App.PermanentDeleteUser(&user)
+
+ token := model.NewToken(
+ TOKEN_TYPE_TEAM_INVITATION,
+ model.MapToJson(map[string]string{"teamId": th.BasicTeam.Id}),
+ )
+ <-th.App.Srv.Store.Token().Save(token)
+
+ if _, err := th.App.AddUserToTeamByToken(ruser.Id, token.Token); err == nil || err.Where != "JoinUserToTeam" {
+ t.Log(err)
+ t.Fatal("Should not add restricted user")
+ }
+ })
}
func TestAddUserToTeamByTeamId(t *testing.T) {
th := Setup().InitBasic()
defer th.TearDown()
- user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@example.com", Nickname: "Darth Vader", Username: "vader" + model.NewId(), Password: "passwd1", AuthService: ""}
- ruser, _ := th.App.CreateUser(&user)
+ t.Run("add user", func(t *testing.T) {
+ user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@example.com", Nickname: "Darth Vader", Username: "vader" + model.NewId(), Password: "passwd1", AuthService: ""}
+ ruser, _ := th.App.CreateUser(&user)
+
+ if err := th.App.AddUserToTeamByTeamId(th.BasicTeam.Id, ruser); err != nil {
+ t.Log(err)
+ t.Fatal("Should add user to the team")
+ }
+ })
+
+ t.Run("block user", func(t *testing.T) {
+ th.BasicTeam.AllowedDomains = "example.com"
+ if _, err := th.App.UpdateTeam(th.BasicTeam); err != nil {
+ t.Log(err)
+ t.Fatal("Should update the team")
+ }
+
+ user := model.User{Email: strings.ToLower(model.NewId()) + "test@invalid.com", Nickname: "Darth Vader", Username: "vader" + model.NewId(), Password: "passwd1", AuthService: ""}
+ ruser, _ := th.App.CreateUser(&user)
+ defer th.App.PermanentDeleteUser(&user)
+
+ if err := th.App.AddUserToTeamByTeamId(th.BasicTeam.Id, ruser); err == nil || err.Where != "JoinUserToTeam" {
+ t.Log(err)
+ t.Fatal("Should not add restricted user")
+ }
+ })
- if err := th.App.AddUserToTeamByTeamId(th.BasicTeam.Id, ruser); err != nil {
- t.Log(err)
- t.Fatal("Should add user to the team")
- }
}
func TestPermanentDeleteTeam(t *testing.T) {
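Review bot: The new "block user" subtest in TestAddUserToTeamByToken verifies the join is rejected but says nothing about the invitation token afterwards; the subtest just above it asserts a token is deleted once used, and if the domain check runs after that deletion a rejected attempt from a blocked address would burn a still-valid invite link for everyone else. Add a follow-up assertion that the token still exists (or is consumed, if that is intended), e.g. `if result := <-th.App.Srv.Store.Token().GetByToken(token.Token); result.Err != nil { t.Fatal("token should survive a rejected join") }`, adjusted to whatever the store exposes — the ordering inside AddUserToTeamByToken is outside this file. The result of `<-th.App.Srv.Store.Token().Save(token)` is also discarded, so a failed save would make the test fail on the misleading "Should not add restricted user" message rather than on the real cause. In TestAddUserToTeamByTeamId the "add user" subtest is the only one without `defer th.App.PermanentDeleteUser(&user)`.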
@@ -264,7 +393,7 @@ func TestSanitizeTeam(t *testing.T) {
}
sanitized := th.App.SanitizeTeam(session, copyTeam())
- if sanitized.Email != "" && sanitized.AllowedDomains != "" {
+ if sanitized.Email != "" {
t.Fatal("should've sanitized team")
}
})
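Review bot: With AllowedDomains dropped from the condition, this test no longer pins the new policy that the field is deliberately left visible after sanitization, so a later change that strips it again (or a re-application of the reverted commit mentioned in the description) would pass unnoticed. If `copyTeam()` populates the field, add `if sanitized.AllowedDomains == "" { t.Fatal("AllowedDomains should not be sanitized") }` beside the Email check. Note the old `&&` form only failed when both fields leaked, so the single-field check is actually the first strict assertion on Email in this subtest.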
@@ -283,7 +412,7 @@ func TestSanitizeTeam(t *testing.T) {
}
sanitized := th.App.SanitizeTeam(session, copyTeam())
- if sanitized.Email != "" && sanitized.AllowedDomains != "" {
+ if sanitized.Email != "" {
t.Fatal("should've sanitized team")
}
})
@@ -302,7 +431,7 @@ func TestSanitizeTeam(t *testing.T) {
}
sanitized := th.App.SanitizeTeam(session, copyTeam())
- if sanitized.Email == "" && sanitized.AllowedDomains == "" {
+ if sanitized.Email == "" {
t.Fatal("shouldn't have sanitized team")
}
})
@@ -321,7 +450,7 @@ func TestSanitizeTeam(t *testing.T) {
}
sanitized := th.App.SanitizeTeam(session, copyTeam())
- if sanitized.Email != "" && sanitized.AllowedDomains != "" {
+ if sanitized.Email != "" {
t.Fatal("should've sanitized team")
}
})
@@ -340,7 +469,7 @@ func TestSanitizeTeam(t *testing.T) {
}
sanitized := th.App.SanitizeTeam(session, copyTeam())
- if sanitized.Email == "" && sanitized.AllowedDomains == "" {
+ if sanitized.Email == "" {
t.Fatal("shouldn't have sanitized team")
}
})
@@ -359,7 +488,7 @@ func TestSanitizeTeam(t *testing.T) {
}
sanitized := th.App.SanitizeTeam(session, copyTeam())
- if sanitized.Email == "" && sanitized.AllowedDomains == "" {
+ if sanitized.Email == "" {
t.Fatal("shouldn't have sanitized team")
}
})
@@ -402,11 +531,11 @@ func TestSanitizeTeams(t *testing.T) {
sanitized := th.App.SanitizeTeams(session, teams)
- if sanitized[0].Email != "" && sanitized[0].AllowedDomains != "" {
+ if sanitized[0].Email != "" {
t.Fatal("should've sanitized first team")
}
- if sanitized[1].Email == "" && sanitized[1].AllowedDomains == "" {
+ if sanitized[1].Email == "" {
t.Fatal("shouldn't have sanitized second team")
}
})
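Review bot: Same gap as in TestSanitizeTeam: after removing AllowedDomains from the `&&`, nothing asserts that `sanitized[0].AllowedDomains` survives sanitization of the first team, which is the behavior the commit introduces. If the teams built above this hunk carry an AllowedDomains value, add `if sanitized[0].AllowedDomains == "" { t.Fatal("AllowedDomains should not be sanitized") }` next to the Email check so a regression in SanitizeTeams is caught here rather than by a client that suddenly stops seeing the restriction.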
@@ -439,11 +568,11 @@ func TestSanitizeTeams(t *testing.T) {
sanitized := th.App.SanitizeTeams(session, teams)
- if sanitized[0].Email == "" && sanitized[0].AllowedDomains == "" {
+ if sanitized[0].Email == "" {
t.Fatal("shouldn't have sanitized first team")
}
- if sanitized[1].Email == "" && sanitized[1].AllowedDomains == "" {
+ if sanitized[1].Email == "" {
t.Fatal("shouldn't have sanitized second team")
}
})