From e1cd64613591cf5a990442a69ebf188258bd0cb5 Mon Sep 17 00:00:00 2001
From: George Goldberg <george@gberg.me>
Date: Tue, 6 Feb 2018 15:34:08 +0000
Subject: XYZ-37: Advanced Permissions Phase 1 Backend. (#8159)

* XYZ-13: Update Permission and Role structs to new design.

* XYZ-10: Role store.

* XYZ-9/XYZ-44: Roles API endpoints and WebSocket message.

* XYZ-8: Switch server permissions checks to store backed roles.

* XYZ-58: Proper validation of roles where required.

* XYZ-11/XYZ-55: Migration to store backed roles from policy config.

* XYZ-37: Update unit tests to work with database roles.

* XYZ-56: Remove the "guest" role.

* Changes to SetDefaultRolesFromConfig.

* Short-circuit the store if nothing has changed.

* Address first round of review comments.

* Address second round of review comments.
---
 app/app_test.go | 340 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 339 insertions(+), 1 deletion(-)

(limited to 'app/app_test.go')

diff --git a/app/app_test.go b/app/app_test.go
index 25b19ead8..6d62bf249 100644
--- a/app/app_test.go
+++ b/app/app_test.go
@@ -9,7 +9,6 @@ import (
 	"testing"
 
 	l4g "github.com/alecthomas/log4go"
-
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
@@ -71,3 +70,342 @@ func TestUpdateConfig(t *testing.T) {
 		*cfg.ServiceSettings.SiteURL = "foo"
 	})
 }
+
+func TestDoAdvancedPermissionsMigration(t *testing.T) {
+	th := Setup()
+	defer th.TearDown()
+
+	if testStoreSqlSupplier == nil {
+		t.Skip("This test requires a TestStore to be run.")
+	}
+
+	th.ResetRoleMigration()
+
+	th.App.DoAdvancedPermissionsMigration()
+
+	roleNames := []string{
+		"system_user",
+		"system_admin",
+		"team_user",
+		"team_admin",
+		"channel_user",
+		"channel_admin",
+		"system_post_all",
+		"system_post_all_public",
+		"system_user_access_token",
+		"team_post_all",
+		"team_post_all_public",
+	}
+
+	roles1, err1 := th.App.GetRolesByNames(roleNames)
+	assert.Nil(t, err1)
+	assert.Equal(t, len(roles1), len(roleNames))
+
+	expected1 := map[string][]string{
+		"channel_user": []string{
+			model.PERMISSION_READ_CHANNEL.Id,
+			model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
+			model.PERMISSION_UPLOAD_FILE.Id,
+			model.PERMISSION_GET_PUBLIC_LINK.Id,
+			model.PERMISSION_CREATE_POST.Id,
+			model.PERMISSION_EDIT_POST.Id,
+			model.PERMISSION_USE_SLASH_COMMANDS.Id,
+			model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+			model.PERMISSION_DELETE_POST.Id,
+		},
+		"channel_admin": []string{
+			model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
+		},
+		"team_user": []string{
+			model.PERMISSION_LIST_TEAM_CHANNELS.Id,
+			model.PERMISSION_JOIN_PUBLIC_CHANNELS.Id,
+			model.PERMISSION_READ_PUBLIC_CHANNEL.Id,
+			model.PERMISSION_VIEW_TEAM.Id,
+			model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
+			model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
+			model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
+			model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
+			model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
+			model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
+			model.PERMISSION_INVITE_USER.Id,
+			model.PERMISSION_ADD_USER_TO_TEAM.Id,
+		},
+		"team_post_all": []string{
+			model.PERMISSION_CREATE_POST.Id,
+		},
+		"team_post_all_public": []string{
+			model.PERMISSION_CREATE_POST_PUBLIC.Id,
+		},
+		"team_admin": []string{
+			model.PERMISSION_EDIT_OTHERS_POSTS.Id,
+			model.PERMISSION_REMOVE_USER_FROM_TEAM.Id,
+			model.PERMISSION_MANAGE_TEAM.Id,
+			model.PERMISSION_IMPORT_TEAM.Id,
+			model.PERMISSION_MANAGE_TEAM_ROLES.Id,
+			model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
+			model.PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
+			model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
+			model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
+			model.PERMISSION_MANAGE_WEBHOOKS.Id,
+			model.PERMISSION_DELETE_POST.Id,
+			model.PERMISSION_DELETE_OTHERS_POSTS.Id,
+		},
+		"system_user": []string{
+			model.PERMISSION_CREATE_DIRECT_CHANNEL.Id,
+			model.PERMISSION_CREATE_GROUP_CHANNEL.Id,
+			model.PERMISSION_PERMANENT_DELETE_USER.Id,
+			model.PERMISSION_CREATE_TEAM.Id,
+		},
+		"system_post_all": []string{
+			model.PERMISSION_CREATE_POST.Id,
+		},
+		"system_post_all_public": []string{
+			model.PERMISSION_CREATE_POST_PUBLIC.Id,
+		},
+		"system_user_access_token": []string{
+			model.PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
+			model.PERMISSION_READ_USER_ACCESS_TOKEN.Id,
+			model.PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
+		},
+		"system_admin": []string{
+			model.PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE.Id,
+			model.PERMISSION_MANAGE_SYSTEM.Id,
+			model.PERMISSION_MANAGE_ROLES.Id,
+			model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
+			model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
+			model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+			model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
+			model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
+			model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
+			model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
+			model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
+			model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id,
+			model.PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
+			model.PERMISSION_EDIT_OTHER_USERS.Id,
+			model.PERMISSION_MANAGE_OAUTH.Id,
+			model.PERMISSION_INVITE_USER.Id,
+			model.PERMISSION_DELETE_POST.Id,
+			model.PERMISSION_DELETE_OTHERS_POSTS.Id,
+			model.PERMISSION_CREATE_TEAM.Id,
+			model.PERMISSION_ADD_USER_TO_TEAM.Id,
+			model.PERMISSION_LIST_USERS_WITHOUT_TEAM.Id,
+			model.PERMISSION_MANAGE_JOBS.Id,
+			model.PERMISSION_CREATE_POST_PUBLIC.Id,
+			model.PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
+			model.PERMISSION_READ_USER_ACCESS_TOKEN.Id,
+			model.PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
+			model.PERMISSION_LIST_TEAM_CHANNELS.Id,
+			model.PERMISSION_JOIN_PUBLIC_CHANNELS.Id,
+			model.PERMISSION_READ_PUBLIC_CHANNEL.Id,
+			model.PERMISSION_VIEW_TEAM.Id,
+			model.PERMISSION_READ_CHANNEL.Id,
+			model.PERMISSION_UPLOAD_FILE.Id,
+			model.PERMISSION_GET_PUBLIC_LINK.Id,
+			model.PERMISSION_CREATE_POST.Id,
+			model.PERMISSION_EDIT_POST.Id,
+			model.PERMISSION_USE_SLASH_COMMANDS.Id,
+			model.PERMISSION_EDIT_OTHERS_POSTS.Id,
+			model.PERMISSION_REMOVE_USER_FROM_TEAM.Id,
+			model.PERMISSION_MANAGE_TEAM.Id,
+			model.PERMISSION_IMPORT_TEAM.Id,
+			model.PERMISSION_MANAGE_TEAM_ROLES.Id,
+			model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
+			model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
+			model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
+			model.PERMISSION_MANAGE_WEBHOOKS.Id,
+		},
+	}
+
+	// Check the migration matches what's expected.
+	for name, permissions := range expected1 {
+		role, err := th.App.GetRoleByName(name)
+		assert.Nil(t, err)
+		assert.Equal(t, role.Permissions, permissions)
+	}
+
+	// Add a license and change the policy config.
+	isLicensed := utils.IsLicensed()
+	license := utils.License()
+	restrictPublicChannel := *th.App.Config().TeamSettings.RestrictPublicChannelManagement
+	restrictPrivateChannel := *th.App.Config().TeamSettings.RestrictPrivateChannelManagement
+
+	defer func() {
+		th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictPublicChannelManagement = restrictPublicChannel })
+		th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.RestrictPrivateChannelManagement = restrictPrivateChannel })
+		utils.SetIsLicensed(isLicensed)
+		utils.SetLicense(license)
+	}()
+
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		*cfg.TeamSettings.RestrictPublicChannelManagement = model.PERMISSIONS_TEAM_ADMIN
+	})
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		*cfg.TeamSettings.RestrictPrivateChannelManagement = model.PERMISSIONS_TEAM_ADMIN
+	})
+	utils.SetIsLicensed(true)
+	utils.SetLicense(&model.License{Features: &model.Features{}})
+	utils.License().Features.SetDefaults()
+
+	// Check the migration doesn't change anything if run again.
+	th.App.DoAdvancedPermissionsMigration()
+
+	roles2, err2 := th.App.GetRolesByNames(roleNames)
+	assert.Nil(t, err2)
+	assert.Equal(t, len(roles2), len(roleNames))
+
+	for name, permissions := range expected1 {
+		role, err := th.App.GetRoleByName(name)
+		assert.Nil(t, err)
+		assert.Equal(t, permissions, role.Permissions)
+	}
+
+	// Reset the database
+	th.ResetRoleMigration()
+
+	// Do the migration again with different policy config settings and a license.
+	th.App.DoAdvancedPermissionsMigration()
+
+	// Check the role permissions.
+	expected2 := map[string][]string{
+		"channel_user": []string{
+			model.PERMISSION_READ_CHANNEL.Id,
+			model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
+			model.PERMISSION_UPLOAD_FILE.Id,
+			model.PERMISSION_GET_PUBLIC_LINK.Id,
+			model.PERMISSION_CREATE_POST.Id,
+			model.PERMISSION_EDIT_POST.Id,
+			model.PERMISSION_USE_SLASH_COMMANDS.Id,
+			model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+			model.PERMISSION_DELETE_POST.Id,
+		},
+		"channel_admin": []string{
+			model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
+		},
+		"team_user": []string{
+			model.PERMISSION_LIST_TEAM_CHANNELS.Id,
+			model.PERMISSION_JOIN_PUBLIC_CHANNELS.Id,
+			model.PERMISSION_READ_PUBLIC_CHANNEL.Id,
+			model.PERMISSION_VIEW_TEAM.Id,
+			model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
+			model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
+			model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
+			model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
+			model.PERMISSION_INVITE_USER.Id,
+			model.PERMISSION_ADD_USER_TO_TEAM.Id,
+		},
+		"team_post_all": []string{
+			model.PERMISSION_CREATE_POST.Id,
+		},
+		"team_post_all_public": []string{
+			model.PERMISSION_CREATE_POST_PUBLIC.Id,
+		},
+		"team_admin": []string{
+			model.PERMISSION_EDIT_OTHERS_POSTS.Id,
+			model.PERMISSION_REMOVE_USER_FROM_TEAM.Id,
+			model.PERMISSION_MANAGE_TEAM.Id,
+			model.PERMISSION_IMPORT_TEAM.Id,
+			model.PERMISSION_MANAGE_TEAM_ROLES.Id,
+			model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
+			model.PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
+			model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
+			model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
+			model.PERMISSION_MANAGE_WEBHOOKS.Id,
+			model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
+			model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
+			model.PERMISSION_DELETE_POST.Id,
+			model.PERMISSION_DELETE_OTHERS_POSTS.Id,
+		},
+		"system_user": []string{
+			model.PERMISSION_CREATE_DIRECT_CHANNEL.Id,
+			model.PERMISSION_CREATE_GROUP_CHANNEL.Id,
+			model.PERMISSION_PERMANENT_DELETE_USER.Id,
+			model.PERMISSION_CREATE_TEAM.Id,
+		},
+		"system_post_all": []string{
+			model.PERMISSION_CREATE_POST.Id,
+		},
+		"system_post_all_public": []string{
+			model.PERMISSION_CREATE_POST_PUBLIC.Id,
+		},
+		"system_user_access_token": []string{
+			model.PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
+			model.PERMISSION_READ_USER_ACCESS_TOKEN.Id,
+			model.PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
+		},
+		"system_admin": []string{
+			model.PERMISSION_ASSIGN_SYSTEM_ADMIN_ROLE.Id,
+			model.PERMISSION_MANAGE_SYSTEM.Id,
+			model.PERMISSION_MANAGE_ROLES.Id,
+			model.PERMISSION_MANAGE_PUBLIC_CHANNEL_PROPERTIES.Id,
+			model.PERMISSION_MANAGE_PUBLIC_CHANNEL_MEMBERS.Id,
+			model.PERMISSION_MANAGE_PRIVATE_CHANNEL_MEMBERS.Id,
+			model.PERMISSION_DELETE_PUBLIC_CHANNEL.Id,
+			model.PERMISSION_CREATE_PUBLIC_CHANNEL.Id,
+			model.PERMISSION_MANAGE_PRIVATE_CHANNEL_PROPERTIES.Id,
+			model.PERMISSION_DELETE_PRIVATE_CHANNEL.Id,
+			model.PERMISSION_CREATE_PRIVATE_CHANNEL.Id,
+			model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH.Id,
+			model.PERMISSION_MANAGE_OTHERS_WEBHOOKS.Id,
+			model.PERMISSION_EDIT_OTHER_USERS.Id,
+			model.PERMISSION_MANAGE_OAUTH.Id,
+			model.PERMISSION_INVITE_USER.Id,
+			model.PERMISSION_DELETE_POST.Id,
+			model.PERMISSION_DELETE_OTHERS_POSTS.Id,
+			model.PERMISSION_CREATE_TEAM.Id,
+			model.PERMISSION_ADD_USER_TO_TEAM.Id,
+			model.PERMISSION_LIST_USERS_WITHOUT_TEAM.Id,
+			model.PERMISSION_MANAGE_JOBS.Id,
+			model.PERMISSION_CREATE_POST_PUBLIC.Id,
+			model.PERMISSION_CREATE_USER_ACCESS_TOKEN.Id,
+			model.PERMISSION_READ_USER_ACCESS_TOKEN.Id,
+			model.PERMISSION_REVOKE_USER_ACCESS_TOKEN.Id,
+			model.PERMISSION_LIST_TEAM_CHANNELS.Id,
+			model.PERMISSION_JOIN_PUBLIC_CHANNELS.Id,
+			model.PERMISSION_READ_PUBLIC_CHANNEL.Id,
+			model.PERMISSION_VIEW_TEAM.Id,
+			model.PERMISSION_READ_CHANNEL.Id,
+			model.PERMISSION_UPLOAD_FILE.Id,
+			model.PERMISSION_GET_PUBLIC_LINK.Id,
+			model.PERMISSION_CREATE_POST.Id,
+			model.PERMISSION_EDIT_POST.Id,
+			model.PERMISSION_USE_SLASH_COMMANDS.Id,
+			model.PERMISSION_EDIT_OTHERS_POSTS.Id,
+			model.PERMISSION_REMOVE_USER_FROM_TEAM.Id,
+			model.PERMISSION_MANAGE_TEAM.Id,
+			model.PERMISSION_IMPORT_TEAM.Id,
+			model.PERMISSION_MANAGE_TEAM_ROLES.Id,
+			model.PERMISSION_MANAGE_CHANNEL_ROLES.Id,
+			model.PERMISSION_MANAGE_SLASH_COMMANDS.Id,
+			model.PERMISSION_MANAGE_OTHERS_SLASH_COMMANDS.Id,
+			model.PERMISSION_MANAGE_WEBHOOKS.Id,
+		},
+	}
+
+	roles3, err3 := th.App.GetRolesByNames(roleNames)
+	assert.Nil(t, err3)
+	assert.Equal(t, len(roles3), len(roleNames))
+
+	for name, permissions := range expected2 {
+		role, err := th.App.GetRoleByName(name)
+		assert.Nil(t, err)
+		assert.Equal(t, permissions, role.Permissions)
+	}
+
+	// Remove the license.
+	utils.SetIsLicensed(false)
+
+	// Do the migration again.
+	th.ResetRoleMigration()
+	th.App.DoAdvancedPermissionsMigration()
+
+	// Check the role permissions.
+	roles4, err4 := th.App.GetRolesByNames(roleNames)
+	assert.Nil(t, err4)
+	assert.Equal(t, len(roles4), len(roleNames))
+
+	for name, permissions := range expected1 {
+		role, err := th.App.GetRoleByName(name)
+		assert.Nil(t, err)
+		assert.Equal(t, permissions, role.Permissions)
+	}
+}
-- 
cgit v1.2.3-1-g7c22