From e0390632b3c941670671d968b8828bcefbf71581 Mon Sep 17 00:00:00 2001 From: Martin Kraft Date: Thu, 17 May 2018 11:37:00 -0400 Subject: MM-10264: Adds CLI command to import and export permissions. (#8787) * MM-10264: Adds CLI command to import and export permissions. * MM-10264: Changes Scheme Name to DisplayName and adds Name slug field. * MM-10264: Changes display name max size. * MM-10264: Another merge fix. * MM-10264: Changes for more Schemes methods checking for migration. * MM-10264: More updates for Schemes migration checking. --- app/apptestlib.go | 34 +++++++ app/permissions.go | 143 +++++++++++++++++++++++++++ app/permissions_test.go | 253 ++++++++++++++++++++++++++++++++++++++++++++++++ app/scheme.go | 16 ++- 4 files changed, 445 insertions(+), 1 deletion(-) create mode 100644 app/permissions_test.go (limited to 'app') diff --git a/app/apptestlib.go b/app/apptestlib.go index b245ddabf..ffd1da055 100644 --- a/app/apptestlib.go +++ b/app/apptestlib.go @@ -316,6 +316,40 @@ func (me *TestHelper) AddUserToChannel(user *model.User, channel *model.Channel) return member } +func (me *TestHelper) CreateScheme() (*model.Scheme, []*model.Role) { + utils.DisableDebugLogForTest() + + scheme, err := me.App.CreateScheme(&model.Scheme{ + DisplayName: "Test Scheme Display Name", + Name: model.NewId(), + Description: "Test scheme description", + Scope: model.SCHEME_SCOPE_TEAM, + }) + if err != nil { + panic(err) + } + + roleIDs := []string{ + scheme.DefaultTeamAdminRole, + scheme.DefaultTeamUserRole, + scheme.DefaultChannelAdminRole, + scheme.DefaultChannelUserRole, + } + + var roles []*model.Role + for _, roleID := range roleIDs { + role, err := me.App.GetRole(roleID) + if err != nil { + panic(err) + } + roles = append(roles, role) + } + + utils.EnableDebugLogForTest() + + return scheme, roles +} + func (me *TestHelper) TearDown() { me.App.Shutdown() os.Remove(me.tempConfigPath) diff --git a/app/permissions.go b/app/permissions.go index 75aa2ecf9..70b8cc689 100644 --- a/app/permissions.go +++ b/app/permissions.go @@ -4,9 +4,17 @@ package app import ( + "bufio" + "encoding/json" + "fmt" + "io" + "github.com/mattermost/mattermost-server/model" + "github.com/pkg/errors" ) +const permissionsExportBatchSize = 100 + func (a *App) ResetPermissionsSystem() *model.AppError { // Reset all Teams to not have a scheme. if result := <-a.Srv.Store.Team().ResetAllTeamSchemes(); result.Err != nil { @@ -38,3 +46,138 @@ func (a *App) ResetPermissionsSystem() *model.AppError { return nil } + +func (a *App) ExportPermissions(w io.Writer) error { + + next := a.SchemesIterator(permissionsExportBatchSize) + var schemeBatch []*model.Scheme + + for schemeBatch = next(); len(schemeBatch) > 0; schemeBatch = next() { + + for _, scheme := range schemeBatch { + + roleIDs := []string{ + scheme.DefaultTeamAdminRole, + scheme.DefaultTeamUserRole, + scheme.DefaultChannelAdminRole, + scheme.DefaultChannelUserRole, + } + + roles := []*model.Role{} + for _, roleID := range roleIDs { + if len(roleID) == 0 { + continue + } + role, err := a.GetRole(roleID) + if err != nil { + return err + } + roles = append(roles, role) + } + + schemeExport, err := json.Marshal(&model.SchemeConveyor{ + Name: scheme.Name, + DisplayName: scheme.DisplayName, + Description: scheme.Description, + Scope: scheme.Scope, + TeamAdmin: scheme.DefaultTeamAdminRole, + TeamUser: scheme.DefaultTeamUserRole, + ChannelAdmin: scheme.DefaultChannelAdminRole, + ChannelUser: scheme.DefaultChannelUserRole, + Roles: roles, + }) + if err != nil { + return err + } + + schemeExport = append(schemeExport, []byte("\n")...) + + _, err = w.Write(schemeExport) + if err != nil { + return err + } + } + + } + + return nil +} + +func (a *App) ImportPermissions(jsonl io.Reader) error { + createdSchemeIDs := []string{} + + scanner := bufio.NewScanner(jsonl) + + for scanner.Scan() { + var schemeConveyor *model.SchemeConveyor + err := json.Unmarshal(scanner.Bytes(), &schemeConveyor) + if err != nil { + return err + } + + // Create the new Scheme. The new Roles are created automatically. + var appErr *model.AppError + schemeCreated, appErr := a.CreateScheme(schemeConveyor.Scheme()) + if appErr != nil { + return errors.New(appErr.Message) + } + createdSchemeIDs = append(createdSchemeIDs, schemeCreated.Id) + + schemeIn := schemeConveyor.Scheme() + roleIDTuples := [][]string{ + {schemeCreated.DefaultTeamAdminRole, schemeIn.DefaultTeamAdminRole}, + {schemeCreated.DefaultTeamUserRole, schemeIn.DefaultTeamUserRole}, + {schemeCreated.DefaultChannelAdminRole, schemeIn.DefaultChannelAdminRole}, + {schemeCreated.DefaultChannelUserRole, schemeIn.DefaultChannelUserRole}, + } + for _, roleIDTuple := range roleIDTuples { + if len(roleIDTuple[0]) == 0 || len(roleIDTuple[1]) == 0 { + continue + } + + err = updateRole(a, schemeConveyor, roleIDTuple[0], roleIDTuple[1]) + if err != nil { + // Delete the new Schemes. The new Roles are deleted automatically. + for _, schemeID := range createdSchemeIDs { + a.DeleteScheme(schemeID) + } + return err + } + } + } + + if err := scanner.Err(); err != nil { + return err + } + + return nil +} + +func updateRole(a *App, sc *model.SchemeConveyor, roleCreatedID, defaultRoleID string) error { + var err *model.AppError + + roleCreated, err := a.GetRole(roleCreatedID) + if err != nil { + return errors.New(err.Message) + } + + var roleIn *model.Role + for _, role := range sc.Roles { + if role.Id == defaultRoleID { + roleIn = role + break + } + } + + roleCreated.Name = roleIn.Name + roleCreated.DisplayName = roleIn.DisplayName + roleCreated.Description = roleIn.Description + roleCreated.Permissions = roleIn.Permissions + + _, err = a.UpdateRole(roleCreated) + if err != nil { + return errors.New(fmt.Sprintf("%v: %v\n", err.Message, err.DetailedError)) + } + + return nil +} diff --git a/app/permissions_test.go b/app/permissions_test.go new file mode 100644 index 000000000..575e21429 --- /dev/null +++ b/app/permissions_test.go @@ -0,0 +1,253 @@ +package app + +import ( + "encoding/json" + "fmt" + "strings" + "testing" + + "github.com/mattermost/mattermost-server/model" +) + +type testWriter struct { + write func(p []byte) (int, error) +} + +func (tw testWriter) Write(p []byte) (int, error) { + return tw.write(p) +} + +func TestExportPermissions(t *testing.T) { + th := Setup().InitBasic() + defer th.TearDown() + + var scheme *model.Scheme + var roles []*model.Role + withMigrationMarkedComplete(th, func() { + scheme, roles = th.CreateScheme() + }) + + results := [][]byte{} + + tw := testWriter{ + write: func(p []byte) (int, error) { + results = append(results, p) + return len(p), nil + }, + } + + err := th.App.ExportPermissions(tw) + if err != nil { + t.Error(err) + } + + if len(results) == 0 { + t.Error("Expected export to have returned something.") + } + + firstResult := results[0] + + var row map[string]interface{} + err = json.Unmarshal(firstResult, &row) + if err != nil { + t.Error(err) + } + + getRoleByID := func(id string) string { + for _, role := range roles { + if role.Id == id { + return role.Id + } + } + return "" + } + + expectations := map[string]func(str string) string{ + scheme.DisplayName: func(str string) string { return row["display_name"].(string) }, + scheme.Name: func(str string) string { return row["name"].(string) }, + scheme.Description: func(str string) string { return row["description"].(string) }, + scheme.Scope: func(str string) string { return row["scope"].(string) }, + scheme.DefaultTeamAdminRole: func(str string) string { return getRoleByID(str) }, + scheme.DefaultTeamUserRole: func(str string) string { return getRoleByID(str) }, + scheme.DefaultChannelAdminRole: func(str string) string { return getRoleByID(str) }, + scheme.DefaultChannelUserRole: func(str string) string { return getRoleByID(str) }, + } + + for key, valF := range expectations { + expected := key + actual := valF(key) + if actual != expected { + t.Errorf("Expected %v but got %v.", expected, actual) + } + } + +} + +func TestImportPermissions(t *testing.T) { + th := Setup().InitBasic() + defer th.TearDown() + + name := model.NewId() + displayName := model.NewId() + description := "my test description" + scope := model.SCHEME_SCOPE_CHANNEL + roleName1 := model.NewId() + roleName2 := model.NewId() + + var results []*model.Scheme + var beforeCount int + withMigrationMarkedComplete(th, func() { + + var appErr *model.AppError + results, appErr = th.App.GetSchemes(scope, 0, 100) + if appErr != nil { + panic(appErr) + } + beforeCount = len(results) + + json := fmt.Sprintf(`{"display_name":"%v","name":"%v","description":"%v","scope":"%v","default_team_admin_role":"","default_team_user_role":"","default_channel_admin_role":"yzfx3g9xjjfw8cqo6bpn33xr7o","default_channel_user_role":"a7s3cp4n33dfxbsrmyh9djao3a","roles":[{"id":"yzfx3g9xjjfw8cqo6bpn33xr7o","name":"%v","display_name":"Channel Admin Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589687,"update_at":1526475589687,"delete_at":0,"permissions":["manage_channel_roles"],"scheme_managed":true,"built_in":false},{"id":"a7s3cp4n33dfxbsrmyh9djao3a","name":"%v","display_name":"Channel User Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589688,"update_at":1526475589688,"delete_at":0,"permissions":["read_channel","add_reaction","remove_reaction","manage_public_channel_members","upload_file","get_public_link","create_post","use_slash_commands","manage_private_channel_members","delete_post","edit_post"],"scheme_managed":true,"built_in":false}]}`, displayName, name, description, scope, roleName1, roleName2) + r := strings.NewReader(json) + + err := th.App.ImportPermissions(r) + if err != nil { + t.Error(err) + } + results, appErr = th.App.GetSchemes(scope, 0, 100) + if appErr != nil { + panic(appErr) + } + + }) + + actual := len(results) + expected := beforeCount + 1 + if actual != expected { + t.Errorf("Expected %v roles but got %v.", expected, actual) + } + + newScheme := results[0] + + channelAdminRole, appErr := th.App.GetRole(newScheme.DefaultChannelAdminRole) + if appErr != nil { + t.Error(appErr) + } + + channelUserRole, appErr := th.App.GetRole(newScheme.DefaultChannelUserRole) + if appErr != nil { + t.Error(appErr) + } + + expectations := map[string]string{ + newScheme.DisplayName: displayName, + newScheme.Name: name, + newScheme.Description: description, + newScheme.Scope: scope, + newScheme.DefaultTeamAdminRole: "", + newScheme.DefaultTeamUserRole: "", + channelAdminRole.Name: roleName1, + channelUserRole.Name: roleName2, + } + + for actual, expected := range expectations { + if actual != expected { + t.Errorf("Expected %v but got %v.", expected, actual) + } + } + +} + +func TestImportPermissions_idempotentScheme(t *testing.T) { + th := Setup().InitBasic() + defer th.TearDown() + + name := model.NewId() + displayName := model.NewId() + description := "my test description" + scope := model.SCHEME_SCOPE_CHANNEL + roleName1 := model.NewId() + roleName2 := model.NewId() + + json := fmt.Sprintf(`{"display_name":"%v","name":"%v","description":"%v","scope":"%v","default_team_admin_role":"","default_team_user_role":"","default_channel_admin_role":"yzfx3g9xjjfw8cqo6bpn33xr7o","default_channel_user_role":"a7s3cp4n33dfxbsrmyh9djao3a","roles":[{"id":"yzfx3g9xjjfw8cqo6bpn33xr7o","name":"%v","display_name":"Channel Admin Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589687,"update_at":1526475589687,"delete_at":0,"permissions":["manage_channel_roles"],"scheme_managed":true,"built_in":false},{"id":"a7s3cp4n33dfxbsrmyh9djao3a","name":"%v","display_name":"Channel User Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589688,"update_at":1526475589688,"delete_at":0,"permissions":["read_channel","add_reaction","remove_reaction","manage_public_channel_members","upload_file","get_public_link","create_post","use_slash_commands","manage_private_channel_members","delete_post","edit_post"],"scheme_managed":true,"built_in":false}]}`, displayName, name, description, scope, roleName1, roleName2) + jsonl := strings.Repeat(json+"\n", 4) + r := strings.NewReader(jsonl) + + var results []*model.Scheme + var expected int + withMigrationMarkedComplete(th, func() { + var appErr *model.AppError + results, appErr = th.App.GetSchemes(model.SCHEME_SCOPE_CHANNEL, 0, 100) + if appErr != nil { + panic(appErr) + } + expected = len(results) + 1 + + err := th.App.ImportPermissions(r) + if err == nil { + t.Error(err) + } + + results, appErr = th.App.GetSchemes(model.SCHEME_SCOPE_CHANNEL, 0, 100) + if appErr != nil { + panic(appErr) + } + }) + actual := len(results) + + if expected != actual { + t.Errorf("Expected count to be %v but got %v", expected, actual) + } + +} + +func TestImportPermissions_schemeDeletedOnRoleFailure(t *testing.T) { + th := Setup().InitBasic() + defer th.TearDown() + + name := model.NewId() + displayName := model.NewId() + description := "my test description" + scope := model.SCHEME_SCOPE_CHANNEL + roleName1 := model.NewId() + roleName2 := "some invalid role name" + + jsonl := fmt.Sprintf(`{"display_name":"%v","name":"%v","description":"%v","scope":"%v","default_team_admin_role":"","default_team_user_role":"","default_channel_admin_role":"yzfx3g9xjjfw8cqo6bpn33xr7o","default_channel_user_role":"a7s3cp4n33dfxbsrmyh9djao3a","roles":[{"id":"yzfx3g9xjjfw8cqo6bpn33xr7o","name":"%v","display_name":"Channel Admin Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589687,"update_at":1526475589687,"delete_at":0,"permissions":["manage_channel_roles"],"scheme_managed":true,"built_in":false},{"id":"a7s3cp4n33dfxbsrmyh9djao3a","name":"%v","display_name":"Channel User Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589688,"update_at":1526475589688,"delete_at":0,"permissions":["read_channel","add_reaction","remove_reaction","manage_public_channel_members","upload_file","get_public_link","create_post","use_slash_commands","manage_private_channel_members","delete_post","edit_post"],"scheme_managed":true,"built_in":false}]}`, displayName, name, description, scope, roleName1, roleName2) + r := strings.NewReader(jsonl) + + var results []*model.Scheme + var expected int + withMigrationMarkedComplete(th, func() { + var appErr *model.AppError + results, appErr = th.App.GetSchemes(model.SCHEME_SCOPE_CHANNEL, 0, 100) + if appErr != nil { + panic(appErr) + } + expected = len(results) + + err := th.App.ImportPermissions(r) + if err == nil { + t.Error(err) + } + + results, appErr = th.App.GetSchemes(model.SCHEME_SCOPE_CHANNEL, 0, 100) + if appErr != nil { + panic(appErr) + } + }) + actual := len(results) + + if expected != actual { + t.Errorf("Expected count to be %v but got %v", expected, actual) + } + +} + +func withMigrationMarkedComplete(th *TestHelper, f func()) { + // Mark the migration as done. + <-th.App.Srv.Store.System().PermanentDeleteByName(model.MIGRATION_KEY_ADVANCED_PERMISSIONS_PHASE_2) + <-th.App.Srv.Store.System().Save(&model.System{Name: model.MIGRATION_KEY_ADVANCED_PERMISSIONS_PHASE_2, Value: "true"}) + // Un-mark the migration at the end of the test. + defer func() { + <-th.App.Srv.Store.System().PermanentDeleteByName(model.MIGRATION_KEY_ADVANCED_PERMISSIONS_PHASE_2) + }() + f() +} diff --git a/app/scheme.go b/app/scheme.go index f1dc256b2..c44690954 100644 --- a/app/scheme.go +++ b/app/scheme.go @@ -4,8 +4,10 @@ package app import ( - "github.com/mattermost/mattermost-server/model" "net/http" + + "github.com/mattermost/mattermost-server/model" + "github.com/mattermost/mattermost-server/store" ) func (a *App) GetScheme(id string) (*model.Scheme, *model.AppError) { @@ -146,3 +148,15 @@ func (a *App) IsPhase2MigrationCompleted() *model.AppError { return nil } + +func (a *App) SchemesIterator(batchSize int) func() []*model.Scheme { + offset := 0 + return func() []*model.Scheme { + var result store.StoreResult + if result = <-a.Srv.Store.Scheme().GetAllPage("", offset, batchSize); result.Err != nil { + return []*model.Scheme{} + } + offset += batchSize + return result.Data.([]*model.Scheme) + } +} -- cgit v1.2.3-1-g7c22