mirror of
https://github.com/mattermost/mattermost.git
synced 2026-04-13 04:57:45 -04:00
71ca373de7
Some checks are pending
API / build (push) Waiting to run
Server CI / Compute Go Version (push) Waiting to run
Server CI / Check mocks (push) Blocked by required conditions
Server CI / Check go mod tidy (push) Blocked by required conditions
Server CI / check-style (push) Blocked by required conditions
Server CI / Check serialization methods for hot structs (push) Blocked by required conditions
Server CI / Vet API (push) Blocked by required conditions
Server CI / Check migration files (push) Blocked by required conditions
Server CI / Generate email templates (push) Blocked by required conditions
Server CI / Check store layers (push) Blocked by required conditions
Server CI / Check mmctl docs (push) Blocked by required conditions
Server CI / Postgres with binary parameters (push) Blocked by required conditions
Server CI / Postgres (shard 0) (push) Blocked by required conditions
Server CI / Postgres (shard 1) (push) Blocked by required conditions
Server CI / Postgres (shard 2) (push) Blocked by required conditions
Server CI / Postgres (shard 3) (push) Blocked by required conditions
Server CI / Merge Postgres Test Results (push) Blocked by required conditions
Server CI / Postgres FIPS (shard 0) (push) Blocked by required conditions
Server CI / Postgres FIPS (shard 1) (push) Blocked by required conditions
Server CI / Postgres FIPS (shard 2) (push) Blocked by required conditions
Server CI / Postgres FIPS (shard 3) (push) Blocked by required conditions
Server CI / Merge Postgres FIPS Test Results (push) Blocked by required conditions
Server CI / Generate Test Coverage (push) Blocked by required conditions
Server CI / Run mmctl tests (push) Blocked by required conditions
Server CI / Run mmctl tests (FIPS) (push) Blocked by required conditions
Server CI / Build mattermost server app (push) Blocked by required conditions
Tools CI / check-style (mattermost-govet) (push) Waiting to run
Tools CI / Test (mattermost-govet) (push) Waiting to run
Web App CI / check-lint (push) Waiting to run
Web App CI / check-i18n (push) Blocked by required conditions
Web App CI / check-external-links (push) Blocked by required conditions
Web App CI / check-types (push) Blocked by required conditions
Web App CI / test (platform) (push) Blocked by required conditions
Web App CI / test (mattermost-redux) (push) Blocked by required conditions
Web App CI / test (channels shard 1/4) (push) Blocked by required conditions
Web App CI / test (channels shard 2/4) (push) Blocked by required conditions
Web App CI / test (channels shard 3/4) (push) Blocked by required conditions
Web App CI / test (channels shard 4/4) (push) Blocked by required conditions
Web App CI / upload-coverage (push) Blocked by required conditions
Web App CI / build (push) Blocked by required conditions
* Replace hardcoded test passwords with model.NewTestPassword() Add model.NewTestPassword() utility that generates 14+ character passwords meeting complexity requirements for FIPS compliance. Replace all short hardcoded test passwords across the test suite with calls to this function. * Enforce FIPS compliance for passwords and HMAC keys FIPS OpenSSL requires HMAC keys to be at least 14 bytes. PBKDF2 uses the password as the HMAC key internally, so short passwords cause PKCS5_PBKDF2_HMAC to fail. - Add FIPSEnabled and PasswordFIPSMinimumLength build-tag constants - Raise the password minimum length floor to 14 when compiled with requirefips, applied in SetDefaults only when unset and validated independently in IsValid - Return ErrMismatchedHashAndPassword for too-short passwords in PBKDF2 CompareHashAndPassword rather than a cryptic OpenSSL error - Validate atmos/camo HMAC key length under FIPS and lengthen test keys accordingly - Adjust password validation tests to use PasswordFIPSMinimumLength so they work under both FIPS and non-FIPS builds * CI: shard FIPS test suite and extract merge template Run FIPS tests on PRs that touch go.mod or have 'fips' in the branch name. Shard FIPS tests across 4 runners matching the normal Postgres suite. Extract the test result merge logic into a reusable workflow template to deduplicate the normal and FIPS merge jobs. * more * Fix email test helper to respect FIPS minimum password length * Fix test helpers to respect FIPS minimum password length * Remove unnecessary "disable strict password requirements" blocks from test helpers * Fix CodeRabbit review comments on PR #35905 - Add server-test-merge-template.yml to server-ci.yml pull_request.paths so changes to the reusable merge workflow trigger Server CI validation - Skip merge-postgres-fips-test-results job when test-postgres-normal-fips was skipped, preventing failures due to missing artifacts - Set guest.Password on returned guest in CreateGuestAndClient helper to keep contract consistent with CreateUserWithClient - Use shared LowercaseLetters/UppercaseLetters/NUMBERS/PasswordFIPSMinimumLength constants in NewTestPassword() to avoid drift if FIPS floor changes https://claude.ai/code/session_01HmE9QkZM3cAoXn2J7XrK2f * Rename FIPS test artifact to match server-ci-report pattern The server-ci-report job searches for artifacts matching "*-test-logs", so rename from postgres-server-test-logs-fips to postgres-server-fips-test-logs to be included in the report. --------- Co-authored-by: Claude <noreply@anthropic.com>
855 lines
29 KiB
Go
855 lines
29 KiB
Go
// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
|
|
// See LICENSE.txt for license information.
|
|
|
|
package api4
|
|
|
|
import (
|
|
"context"
|
|
"encoding/base64"
|
|
"testing"
|
|
|
|
"github.com/mattermost/mattermost/server/public/model"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestGetRemoteClustersWithSecureConnectionManagerRole(t *testing.T) {
|
|
mainHelper.Parallel(t)
|
|
th := setupForSharedChannels(t).InitBasic(t)
|
|
|
|
// Create a remote cluster for testing
|
|
newRC := &model.RemoteCluster{
|
|
RemoteId: model.NewId(),
|
|
Name: "test-remote",
|
|
SiteURL: "http://example.com",
|
|
CreatorId: th.SystemAdminUser.Id,
|
|
Token: model.NewId(),
|
|
}
|
|
_, appErr := th.App.AddRemoteCluster(newRC)
|
|
require.Nil(t, appErr)
|
|
|
|
// Create a user with only the system_secure_connection_manager role
|
|
scmUser := th.CreateUser(t)
|
|
_, appErr = th.App.UpdateUserRoles(th.Context, scmUser.Id, model.SystemUserRoleId+" "+model.SecureConnectionManagerRoleId, false)
|
|
require.Nil(t, appErr)
|
|
|
|
scmClient := th.CreateClient()
|
|
_, _, err := scmClient.Login(context.Background(), scmUser.Email, scmUser.Password)
|
|
require.NoError(t, err)
|
|
|
|
t.Run("regular user should be denied", func(t *testing.T) {
|
|
_, resp, err := th.Client.GetRemoteClusters(context.Background(), 0, 999999, model.RemoteClusterQueryFilter{})
|
|
CheckForbiddenStatus(t, resp)
|
|
require.Error(t, err)
|
|
})
|
|
|
|
t.Run("system_secure_connection_manager user should have access", func(t *testing.T) {
|
|
rcs, resp, err := scmClient.GetRemoteClusters(context.Background(), 0, 999999, model.RemoteClusterQueryFilter{})
|
|
CheckOKStatus(t, resp)
|
|
require.NoError(t, err)
|
|
require.NotEmpty(t, rcs)
|
|
})
|
|
}
|
|
|
|
func TestGetRemoteClustersWithSharedChannelManagerRole(t *testing.T) {
|
|
mainHelper.Parallel(t)
|
|
th := setupForSharedChannels(t).InitBasic(t)
|
|
|
|
// Create a remote cluster for testing
|
|
newRC := &model.RemoteCluster{
|
|
RemoteId: model.NewId(),
|
|
Name: "test-remote",
|
|
SiteURL: "http://example.com",
|
|
CreatorId: th.SystemAdminUser.Id,
|
|
Token: model.NewId(),
|
|
}
|
|
_, appErr := th.App.AddRemoteCluster(newRC)
|
|
require.Nil(t, appErr)
|
|
|
|
// Create a user with only the system_shared_channel_manager role
|
|
scmUser := th.CreateUser(t)
|
|
_, appErr = th.App.UpdateUserRoles(th.Context, scmUser.Id, model.SystemUserRoleId+" "+model.SharedChannelManagerRoleId, false)
|
|
require.Nil(t, appErr)
|
|
|
|
scmClient := th.CreateClient()
|
|
_, _, err := scmClient.Login(context.Background(), scmUser.Email, scmUser.Password)
|
|
require.NoError(t, err)
|
|
|
|
t.Run("regular user should be denied", func(t *testing.T) {
|
|
_, resp, err := th.Client.GetRemoteClusters(context.Background(), 0, 999999, model.RemoteClusterQueryFilter{})
|
|
CheckForbiddenStatus(t, resp)
|
|
require.Error(t, err)
|
|
})
|
|
|
|
t.Run("system_shared_channel_manager user should have access", func(t *testing.T) {
|
|
rcs, resp, err := scmClient.GetRemoteClusters(context.Background(), 0, 999999, model.RemoteClusterQueryFilter{})
|
|
CheckOKStatus(t, resp)
|
|
require.NoError(t, err)
|
|
require.NotEmpty(t, rcs)
|
|
})
|
|
}
|
|
|
|
func TestCreateRemoteClusterWithSecureConnectionManagerRole(t *testing.T) {
|
|
mainHelper.Parallel(t)
|
|
th := setupForSharedChannels(t).InitBasic(t)
|
|
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.SiteURL = "http://localhost:8065" })
|
|
|
|
// Create a user with only the system_secure_connection_manager role
|
|
scmUser := th.CreateUser(t)
|
|
_, appErr := th.App.UpdateUserRoles(th.Context, scmUser.Id, model.SystemUserRoleId+" "+model.SecureConnectionManagerRoleId, false)
|
|
require.Nil(t, appErr)
|
|
|
|
scmClient := th.CreateClient()
|
|
_, _, err := scmClient.Login(context.Background(), scmUser.Email, scmUser.Password)
|
|
require.NoError(t, err)
|
|
|
|
rcPayload := &model.RemoteClusterWithPassword{
|
|
RemoteCluster: &model.RemoteCluster{
|
|
Name: "test-from-scm",
|
|
DefaultTeamId: th.BasicTeam.Id,
|
|
},
|
|
Password: model.NewTestPassword(),
|
|
}
|
|
|
|
t.Run("regular user should be denied", func(t *testing.T) {
|
|
_, resp, err := th.Client.CreateRemoteCluster(context.Background(), rcPayload)
|
|
CheckForbiddenStatus(t, resp)
|
|
require.Error(t, err)
|
|
})
|
|
|
|
t.Run("system_secure_connection_manager user should have access", func(t *testing.T) {
|
|
rcWithInvite, resp, err := scmClient.CreateRemoteCluster(context.Background(), rcPayload)
|
|
CheckCreatedStatus(t, resp)
|
|
require.NoError(t, err)
|
|
require.NotEmpty(t, rcWithInvite)
|
|
})
|
|
}
|
|
|
|
func TestCreateRemoteClusterDeniedForSharedChannelManagerRole(t *testing.T) {
|
|
mainHelper.Parallel(t)
|
|
th := setupForSharedChannels(t).InitBasic(t)
|
|
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.SiteURL = "http://localhost:8065" })
|
|
|
|
// Create a user with only the system_shared_channel_manager role
|
|
scmUser := th.CreateUser(t)
|
|
_, appErr := th.App.UpdateUserRoles(th.Context, scmUser.Id, model.SystemUserRoleId+" "+model.SharedChannelManagerRoleId, false)
|
|
require.Nil(t, appErr)
|
|
|
|
scmClient := th.CreateClient()
|
|
_, _, err := scmClient.Login(context.Background(), scmUser.Email, scmUser.Password)
|
|
require.NoError(t, err)
|
|
|
|
t.Run("system_shared_channel_manager should be denied create", func(t *testing.T) {
|
|
rcPayload := &model.RemoteClusterWithPassword{
|
|
RemoteCluster: &model.RemoteCluster{
|
|
Name: "test-from-scm",
|
|
DefaultTeamId: th.BasicTeam.Id,
|
|
},
|
|
Password: model.NewTestPassword(),
|
|
}
|
|
_, resp, err := scmClient.CreateRemoteCluster(context.Background(), rcPayload)
|
|
CheckForbiddenStatus(t, resp)
|
|
require.Error(t, err)
|
|
})
|
|
}
|
|
|
|
func TestGetRemoteClusters(t *testing.T) {
|
|
mainHelper.Parallel(t)
|
|
t.Run("Should not work if the remote cluster service is not enabled", func(t *testing.T) {
|
|
th := Setup(t)
|
|
rcs, resp, err := th.SystemAdminClient.GetRemoteClusters(context.Background(), 0, 999999, model.RemoteClusterQueryFilter{})
|
|
CheckNotImplementedStatus(t, resp)
|
|
require.Error(t, err)
|
|
require.Empty(t, rcs)
|
|
})
|
|
|
|
th := setupForSharedChannels(t)
|
|
|
|
newRCs := []*model.RemoteCluster{
|
|
{
|
|
RemoteId: model.NewId(),
|
|
Name: "remote1",
|
|
SiteURL: "http://example1.com",
|
|
CreatorId: th.SystemAdminUser.Id,
|
|
Token: model.NewId(),
|
|
RemoteToken: model.NewId(),
|
|
},
|
|
{
|
|
RemoteId: model.NewId(),
|
|
Name: "remote2",
|
|
SiteURL: "http://example2.com",
|
|
CreatorId: th.SystemAdminUser.Id,
|
|
},
|
|
{
|
|
RemoteId: model.NewId(),
|
|
Name: "remote3",
|
|
SiteURL: "http://example3.com",
|
|
CreatorId: th.SystemAdminUser.Id,
|
|
PluginID: model.NewId(),
|
|
},
|
|
{
|
|
RemoteId: model.NewId(),
|
|
Name: "remote4",
|
|
SiteURL: "http://example4.com",
|
|
CreatorId: th.SystemAdminUser.Id,
|
|
DeleteAt: 123,
|
|
},
|
|
}
|
|
|
|
for _, rc := range newRCs {
|
|
_, appErr := th.App.AddRemoteCluster(rc)
|
|
require.Nil(t, appErr)
|
|
}
|
|
|
|
t.Run("The returned data should be sanitized", func(t *testing.T) {
|
|
rcs, resp, err := th.SystemAdminClient.GetRemoteClusters(context.Background(), 0, 999999, model.RemoteClusterQueryFilter{})
|
|
CheckOKStatus(t, resp)
|
|
require.NoError(t, err)
|
|
require.Contains(t, rcs[0].Name, "remote")
|
|
require.Zero(t, rcs[0].Token)
|
|
require.Zero(t, rcs[0].RemoteToken)
|
|
})
|
|
|
|
testCases := []struct {
|
|
Name string
|
|
Client *model.Client4
|
|
Page int
|
|
PerPage int
|
|
Filter model.RemoteClusterQueryFilter
|
|
ExpectedStatusCode int
|
|
ExpectedError bool
|
|
ExpectedNames []string
|
|
}{
|
|
{
|
|
Name: "Should reject if the user has not sufficient permissions",
|
|
Client: th.Client,
|
|
Page: 0,
|
|
PerPage: 999999,
|
|
Filter: model.RemoteClusterQueryFilter{},
|
|
ExpectedStatusCode: 403,
|
|
ExpectedError: true,
|
|
ExpectedNames: []string{},
|
|
},
|
|
{
|
|
Name: "Should return all remote clusters",
|
|
Client: th.SystemAdminClient,
|
|
Page: 0,
|
|
PerPage: 999999,
|
|
Filter: model.RemoteClusterQueryFilter{},
|
|
ExpectedStatusCode: 200,
|
|
ExpectedError: false,
|
|
ExpectedNames: []string{"remote1", "remote2", "remote3"},
|
|
},
|
|
{
|
|
Name: "Should return all remote clusters including deleted",
|
|
Client: th.SystemAdminClient,
|
|
Page: 0,
|
|
PerPage: 999999,
|
|
Filter: model.RemoteClusterQueryFilter{IncludeDeleted: true},
|
|
ExpectedStatusCode: 200,
|
|
ExpectedError: false,
|
|
ExpectedNames: []string{"remote1", "remote2", "remote3", "remote4"},
|
|
},
|
|
{
|
|
Name: "Should return all remote clusters but those belonging to plugins",
|
|
Client: th.SystemAdminClient,
|
|
Page: 0,
|
|
PerPage: 999999,
|
|
Filter: model.RemoteClusterQueryFilter{ExcludePlugins: true},
|
|
ExpectedStatusCode: 200,
|
|
ExpectedError: false,
|
|
ExpectedNames: []string{"remote1", "remote2"},
|
|
},
|
|
{
|
|
Name: "Should return all remote clusters but those belonging to plugins, including deleted",
|
|
Client: th.SystemAdminClient,
|
|
Page: 0,
|
|
PerPage: 999999,
|
|
Filter: model.RemoteClusterQueryFilter{ExcludePlugins: true, IncludeDeleted: true},
|
|
ExpectedStatusCode: 200,
|
|
ExpectedError: false,
|
|
ExpectedNames: []string{"remote1", "remote2", "remote4"},
|
|
},
|
|
{
|
|
Name: "Should return only remote clusters belonging to plugins",
|
|
Client: th.SystemAdminClient,
|
|
Page: 0,
|
|
PerPage: 999999,
|
|
Filter: model.RemoteClusterQueryFilter{OnlyPlugins: true},
|
|
ExpectedStatusCode: 200,
|
|
ExpectedError: false,
|
|
ExpectedNames: []string{"remote3"},
|
|
},
|
|
{
|
|
Name: "Should work as a paginated endpoint",
|
|
Client: th.SystemAdminClient,
|
|
Page: 1,
|
|
PerPage: 1,
|
|
Filter: model.RemoteClusterQueryFilter{},
|
|
ExpectedStatusCode: 200,
|
|
ExpectedError: false,
|
|
ExpectedNames: []string{"remote2"},
|
|
},
|
|
{
|
|
Name: "Should return an empty set with a successful status",
|
|
Client: th.SystemAdminClient,
|
|
Page: 0,
|
|
PerPage: 999999,
|
|
Filter: model.RemoteClusterQueryFilter{InChannel: model.NewId()},
|
|
ExpectedStatusCode: 200,
|
|
ExpectedError: false,
|
|
ExpectedNames: []string{},
|
|
},
|
|
}
|
|
|
|
for _, tc := range testCases {
|
|
t.Run(tc.Name, func(t *testing.T) {
|
|
rcs, resp, err := tc.Client.GetRemoteClusters(context.Background(), tc.Page, tc.PerPage, tc.Filter)
|
|
checkHTTPStatus(t, resp, tc.ExpectedStatusCode)
|
|
if tc.ExpectedError {
|
|
require.Error(t, err)
|
|
} else {
|
|
require.NoError(t, err)
|
|
}
|
|
require.Len(t, rcs, len(tc.ExpectedNames))
|
|
names := []string{}
|
|
for _, rc := range rcs {
|
|
names = append(names, rc.Name)
|
|
}
|
|
require.ElementsMatch(t, tc.ExpectedNames, names)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestCreateRemoteCluster(t *testing.T) {
|
|
mainHelper.Parallel(t)
|
|
rcWithTeamAndPassword := &model.RemoteClusterWithPassword{
|
|
RemoteCluster: &model.RemoteCluster{
|
|
Name: "remotecluster",
|
|
DefaultTeamId: model.NewId(),
|
|
Token: model.NewId(),
|
|
},
|
|
Password: model.NewTestPassword(),
|
|
}
|
|
|
|
t.Run("Should not work if the remote cluster service is not enabled", func(t *testing.T) {
|
|
th := Setup(t)
|
|
|
|
rcWithInvite, resp, err := th.SystemAdminClient.CreateRemoteCluster(context.Background(), rcWithTeamAndPassword)
|
|
CheckNotImplementedStatus(t, resp)
|
|
require.Error(t, err)
|
|
require.Empty(t, rcWithInvite)
|
|
})
|
|
|
|
th := setupForSharedChannels(t).InitBasic(t)
|
|
|
|
t.Run("Should not work if the user doesn't have the right permissions", func(t *testing.T) {
|
|
rcWithInvite, resp, err := th.Client.CreateRemoteCluster(context.Background(), rcWithTeamAndPassword)
|
|
CheckForbiddenStatus(t, resp)
|
|
require.Error(t, err)
|
|
require.Empty(t, rcWithInvite)
|
|
})
|
|
|
|
t.Run("Should not work if the siteURL is not set in the configuration", func(t *testing.T) {
|
|
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.SiteURL = "" })
|
|
rcWithInvite, resp, err := th.SystemAdminClient.CreateRemoteCluster(context.Background(), rcWithTeamAndPassword)
|
|
CheckUnprocessableEntityStatus(t, resp)
|
|
require.Error(t, err)
|
|
require.Empty(t, rcWithInvite)
|
|
})
|
|
|
|
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.SiteURL = "http://localhost:8065" })
|
|
|
|
t.Run("Should not work if no default team id is provided", func(t *testing.T) {
|
|
rcWithoutDefaultTeamId := &model.RemoteClusterWithPassword{
|
|
RemoteCluster: &model.RemoteCluster{
|
|
Name: "remotecluster-nodefaultteamid",
|
|
Token: model.NewId(),
|
|
},
|
|
Password: "",
|
|
}
|
|
|
|
rcWithInvite, resp, err := th.SystemAdminClient.CreateRemoteCluster(context.Background(), rcWithoutDefaultTeamId)
|
|
CheckBadRequestStatus(t, resp)
|
|
require.Error(t, err)
|
|
require.ErrorContains(t, err, "remote_cluster.default_team_id")
|
|
require.Zero(t, rcWithInvite)
|
|
})
|
|
|
|
t.Run("Should generate a password if none is given", func(t *testing.T) {
|
|
// clean the password and check the response
|
|
rcWithTeamNoPassword := &model.RemoteClusterWithPassword{
|
|
RemoteCluster: &model.RemoteCluster{
|
|
Name: "remotecluster-nopasswd",
|
|
DefaultTeamId: model.NewId(),
|
|
Token: model.NewId(),
|
|
},
|
|
Password: "",
|
|
}
|
|
|
|
rcWithInvite, resp, err := th.SystemAdminClient.CreateRemoteCluster(context.Background(), rcWithTeamNoPassword)
|
|
CheckCreatedStatus(t, resp)
|
|
require.NoError(t, err)
|
|
require.NotZero(t, rcWithInvite.Invite)
|
|
// when the password is not provided, it is returned as part
|
|
// of the response
|
|
require.NotZero(t, rcWithInvite.Password)
|
|
require.Len(t, rcWithInvite.Password, 16)
|
|
|
|
rc, appErr := th.App.GetRemoteCluster(rcWithInvite.RemoteCluster.RemoteId, false)
|
|
require.Nil(t, appErr)
|
|
require.Equal(t, rcWithTeamNoPassword.Name, rc.Name)
|
|
|
|
rci, appErr := th.App.DecryptRemoteClusterInvite(rcWithInvite.Invite, rcWithInvite.Password)
|
|
require.Nil(t, appErr)
|
|
require.Equal(t, rc.RemoteId, rci.RemoteId)
|
|
require.Equal(t, rc.Token, rci.Token)
|
|
require.Equal(t, th.App.GetSiteURL(), rci.SiteURL)
|
|
})
|
|
|
|
t.Run("Should return a sanitized remote cluster and its invite", func(t *testing.T) {
|
|
rcWithInvite, resp, err := th.SystemAdminClient.CreateRemoteCluster(context.Background(), rcWithTeamAndPassword)
|
|
CheckCreatedStatus(t, resp)
|
|
require.NoError(t, err)
|
|
require.Equal(t, rcWithTeamAndPassword.Name, rcWithInvite.RemoteCluster.Name)
|
|
require.Equal(t, rcWithTeamAndPassword.DefaultTeamId, rcWithInvite.RemoteCluster.DefaultTeamId)
|
|
require.NotZero(t, rcWithInvite.Invite)
|
|
require.Zero(t, rcWithInvite.RemoteCluster.Token)
|
|
require.Zero(t, rcWithInvite.RemoteCluster.RemoteToken)
|
|
// when the password is provided as an input, is not returned
|
|
// by the endpoint
|
|
require.Zero(t, rcWithInvite.Password)
|
|
|
|
rc, appErr := th.App.GetRemoteCluster(rcWithInvite.RemoteCluster.RemoteId, false)
|
|
require.Nil(t, appErr)
|
|
require.Equal(t, rcWithTeamAndPassword.Name, rc.Name)
|
|
|
|
rci, appErr := th.App.DecryptRemoteClusterInvite(rcWithInvite.Invite, rcWithTeamAndPassword.Password)
|
|
require.Nil(t, appErr)
|
|
require.Equal(t, rc.RemoteId, rci.RemoteId)
|
|
require.Equal(t, rc.Token, rci.Token)
|
|
require.Equal(t, th.App.GetSiteURL(), rci.SiteURL)
|
|
})
|
|
}
|
|
|
|
func TestRemoteClusterAcceptinvite(t *testing.T) {
|
|
mainHelper.Parallel(t)
|
|
rcAcceptInvite := &model.RemoteClusterAcceptInvite{
|
|
Name: "remotecluster",
|
|
Invite: "myinvitecode",
|
|
Password: model.NewTestPassword(),
|
|
DefaultTeamId: "",
|
|
}
|
|
|
|
t.Run("Should not work if the remote cluster service is not enabled", func(t *testing.T) {
|
|
th := Setup(t)
|
|
|
|
rc, resp, err := th.SystemAdminClient.RemoteClusterAcceptInvite(context.Background(), rcAcceptInvite)
|
|
CheckNotImplementedStatus(t, resp)
|
|
require.Error(t, err)
|
|
require.Empty(t, rc)
|
|
})
|
|
|
|
th := setupForSharedChannels(t).InitBasic(t)
|
|
|
|
rcAcceptInvite.DefaultTeamId = th.BasicTeam.Id
|
|
|
|
remoteId := model.NewId()
|
|
invite := &model.RemoteClusterInvite{
|
|
RemoteId: remoteId,
|
|
SiteURL: "http://localhost:8065",
|
|
Token: "token",
|
|
}
|
|
encrypted, err := invite.Encrypt(rcAcceptInvite.Password)
|
|
require.NoError(t, err)
|
|
encoded := base64.URLEncoding.EncodeToString(encrypted)
|
|
rcAcceptInvite.Invite = encoded
|
|
|
|
t.Run("Should not work if the siteURL is not set in the configuration", func(t *testing.T) {
|
|
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.SiteURL = "" })
|
|
rc, resp, err := th.SystemAdminClient.RemoteClusterAcceptInvite(context.Background(), rcAcceptInvite)
|
|
CheckUnprocessableEntityStatus(t, resp)
|
|
require.Error(t, err)
|
|
require.Empty(t, rc)
|
|
})
|
|
|
|
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.SiteURL = "http://localhost:8065" })
|
|
|
|
t.Run("should fail if the name parameter is not valid", func(t *testing.T) {
|
|
rcAcceptInvite.Name = ""
|
|
defer func() { rcAcceptInvite.Name = "remotecluster" }()
|
|
|
|
rc, resp, err := th.SystemAdminClient.RemoteClusterAcceptInvite(context.Background(), rcAcceptInvite)
|
|
CheckBadRequestStatus(t, resp)
|
|
require.Error(t, err)
|
|
require.Empty(t, rc)
|
|
})
|
|
|
|
t.Run("should fail if the default team parameter is empty", func(t *testing.T) {
|
|
rcAcceptInvite.DefaultTeamId = ""
|
|
defer func() { rcAcceptInvite.DefaultTeamId = th.BasicTeam.Id }()
|
|
|
|
rc, resp, err := th.SystemAdminClient.RemoteClusterAcceptInvite(context.Background(), rcAcceptInvite)
|
|
CheckBadRequestStatus(t, resp)
|
|
require.Error(t, err)
|
|
require.Empty(t, rc)
|
|
})
|
|
|
|
t.Run("should fail if the default team provided doesn't exist", func(t *testing.T) {
|
|
rcAcceptInvite.DefaultTeamId = model.NewId()
|
|
defer func() { rcAcceptInvite.DefaultTeamId = th.BasicTeam.Id }()
|
|
|
|
rc, resp, err := th.SystemAdminClient.RemoteClusterAcceptInvite(context.Background(), rcAcceptInvite)
|
|
CheckBadRequestStatus(t, resp)
|
|
require.Error(t, err)
|
|
require.Empty(t, rc)
|
|
})
|
|
|
|
t.Run("should fail with the correct status code if the invite returns an app error", func(t *testing.T) {
|
|
rcAcceptInvite.Invite = "malformedinvite"
|
|
// reset the invite after
|
|
defer func() { rcAcceptInvite.Invite = encoded }()
|
|
|
|
rc, resp, err := th.SystemAdminClient.RemoteClusterAcceptInvite(context.Background(), rcAcceptInvite)
|
|
CheckBadRequestStatus(t, resp)
|
|
require.Error(t, err)
|
|
require.Empty(t, rc)
|
|
})
|
|
|
|
t.Run("should not work if the user doesn't have the right permissions", func(t *testing.T) {
|
|
rc, resp, err := th.Client.RemoteClusterAcceptInvite(context.Background(), rcAcceptInvite)
|
|
CheckForbiddenStatus(t, resp)
|
|
require.Error(t, err)
|
|
require.Empty(t, rc)
|
|
})
|
|
|
|
t.Run("should return a sanitized remote cluster if the action succeeds", func(t *testing.T) {
|
|
t.Skip("Requires server2server communication: ToBeImplemented")
|
|
})
|
|
}
|
|
|
|
func TestGenerateRemoteClusterInvite(t *testing.T) {
|
|
mainHelper.Parallel(t)
|
|
password := model.NewTestPassword()
|
|
|
|
newRC := &model.RemoteCluster{
|
|
Name: "remotecluster",
|
|
SiteURL: model.SiteURLPending + model.NewId(),
|
|
Token: model.NewId(),
|
|
}
|
|
|
|
t.Run("Should not work if the remote cluster service is not enabled", func(t *testing.T) {
|
|
th := Setup(t)
|
|
|
|
newRC.CreatorId = th.SystemAdminUser.Id
|
|
|
|
rc, appErr := th.App.AddRemoteCluster(newRC)
|
|
require.Nil(t, appErr)
|
|
require.NotZero(t, rc.RemoteId)
|
|
|
|
inviteCode, resp, err := th.SystemAdminClient.GenerateRemoteClusterInvite(context.Background(), rc.RemoteId, password)
|
|
CheckNotImplementedStatus(t, resp)
|
|
require.Error(t, err)
|
|
require.Zero(t, inviteCode)
|
|
})
|
|
|
|
th := setupForSharedChannels(t).InitBasic(t)
|
|
|
|
newRC.CreatorId = th.SystemAdminUser.Id
|
|
|
|
rc, appErr := th.App.AddRemoteCluster(newRC)
|
|
require.Nil(t, appErr)
|
|
require.NotZero(t, rc.RemoteId)
|
|
|
|
t.Run("Should not work if the siteURL is not set in the configuration", func(t *testing.T) {
|
|
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.SiteURL = "" })
|
|
inviteCode, resp, err := th.SystemAdminClient.GenerateRemoteClusterInvite(context.Background(), rc.RemoteId, password)
|
|
CheckUnprocessableEntityStatus(t, resp)
|
|
require.Error(t, err)
|
|
require.Empty(t, inviteCode)
|
|
})
|
|
|
|
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.SiteURL = "http://localhost:8065" })
|
|
|
|
t.Run("Should not work if the user doesn't have the right permissions", func(t *testing.T) {
|
|
inviteCode, resp, err := th.Client.GenerateRemoteClusterInvite(context.Background(), rc.RemoteId, password)
|
|
CheckForbiddenStatus(t, resp)
|
|
require.Error(t, err)
|
|
require.Empty(t, inviteCode)
|
|
})
|
|
|
|
t.Run("should not work if the remote cluster doesn't exist", func(t *testing.T) {
|
|
inviteCode, resp, err := th.SystemAdminClient.GenerateRemoteClusterInvite(context.Background(), model.NewId(), password)
|
|
CheckNotFoundStatus(t, resp)
|
|
require.Error(t, err)
|
|
require.Empty(t, inviteCode)
|
|
})
|
|
|
|
t.Run("should not work if the password has been provided", func(t *testing.T) {
|
|
inviteCode, resp, err := th.SystemAdminClient.GenerateRemoteClusterInvite(context.Background(), rc.RemoteId, "")
|
|
CheckBadRequestStatus(t, resp)
|
|
require.Error(t, err)
|
|
require.Empty(t, inviteCode)
|
|
})
|
|
|
|
t.Run("should generate a valid invite code", func(t *testing.T) {
|
|
inviteCode, resp, err := th.SystemAdminClient.GenerateRemoteClusterInvite(context.Background(), rc.RemoteId, password)
|
|
CheckCreatedStatus(t, resp)
|
|
require.NoError(t, err)
|
|
require.NotEmpty(t, inviteCode)
|
|
|
|
invite, appErr := th.App.DecryptRemoteClusterInvite(inviteCode, password)
|
|
require.Nil(t, appErr)
|
|
require.Equal(t, rc.RemoteId, invite.RemoteId)
|
|
require.Equal(t, rc.Token, invite.Token)
|
|
})
|
|
|
|
t.Run("should return bad request if the cluster is already confirmed", func(t *testing.T) {
|
|
rc.SiteURL = "http://example.com"
|
|
savedRC, appErr := th.App.UpdateRemoteCluster(rc)
|
|
require.Nil(t, appErr)
|
|
require.Equal(t, rc.SiteURL, savedRC.SiteURL)
|
|
|
|
inviteCode, resp, err := th.SystemAdminClient.GenerateRemoteClusterInvite(context.Background(), rc.RemoteId, password)
|
|
CheckBadRequestStatus(t, resp)
|
|
require.Error(t, err)
|
|
require.Empty(t, inviteCode)
|
|
})
|
|
}
|
|
|
|
func TestGetRemoteCluster(t *testing.T) {
|
|
mainHelper.Parallel(t)
|
|
newRC := &model.RemoteCluster{
|
|
Name: "remotecluster",
|
|
SiteURL: "http://example.com",
|
|
Token: model.NewId(),
|
|
}
|
|
|
|
t.Run("Should not work if the remote cluster service is not enabled", func(t *testing.T) {
|
|
th := Setup(t)
|
|
|
|
newRC.CreatorId = th.SystemAdminUser.Id
|
|
|
|
rc, appErr := th.App.AddRemoteCluster(newRC)
|
|
require.Nil(t, appErr)
|
|
require.NotZero(t, rc.RemoteId)
|
|
require.NotZero(t, rc.Token)
|
|
|
|
fetchedRC, resp, err := th.SystemAdminClient.GetRemoteCluster(context.Background(), rc.RemoteId)
|
|
CheckNotImplementedStatus(t, resp)
|
|
require.Error(t, err)
|
|
require.Empty(t, fetchedRC)
|
|
})
|
|
|
|
th := setupForSharedChannels(t).InitBasic(t)
|
|
|
|
newRC.CreatorId = th.SystemAdminUser.Id
|
|
newRC.DefaultTeamId = th.BasicTeam.Id
|
|
|
|
rc, appErr := th.App.AddRemoteCluster(newRC)
|
|
require.Nil(t, appErr)
|
|
require.NotZero(t, rc.RemoteId)
|
|
|
|
t.Run("Should not work if the user doesn't have the right permissions", func(t *testing.T) {
|
|
fetchedRC, resp, err := th.Client.GetRemoteCluster(context.Background(), rc.RemoteId)
|
|
CheckForbiddenStatus(t, resp)
|
|
require.Error(t, err)
|
|
require.Empty(t, fetchedRC)
|
|
})
|
|
|
|
t.Run("should return not found if the id doesn't exist", func(t *testing.T) {
|
|
fetchedRC, resp, err := th.SystemAdminClient.GetRemoteCluster(context.Background(), model.NewId())
|
|
CheckNotFoundStatus(t, resp)
|
|
require.Error(t, err)
|
|
require.Empty(t, fetchedRC)
|
|
})
|
|
|
|
t.Run("should return a sanitized remote cluster", func(t *testing.T) {
|
|
fetchedRC, resp, err := th.SystemAdminClient.GetRemoteCluster(context.Background(), rc.RemoteId)
|
|
CheckOKStatus(t, resp)
|
|
require.NoError(t, err)
|
|
require.Equal(t, rc.RemoteId, fetchedRC.RemoteId)
|
|
require.Equal(t, th.BasicTeam.Id, fetchedRC.DefaultTeamId)
|
|
require.Empty(t, fetchedRC.Token)
|
|
})
|
|
}
|
|
|
|
func TestGetRemoteClusterWithManagerRoles(t *testing.T) {
|
|
mainHelper.Parallel(t)
|
|
th := setupForSharedChannels(t).InitBasic(t)
|
|
|
|
// Create a remote cluster for testing
|
|
newRC := &model.RemoteCluster{
|
|
RemoteId: model.NewId(),
|
|
Name: "test-remote",
|
|
SiteURL: "http://example.com",
|
|
CreatorId: th.SystemAdminUser.Id,
|
|
DefaultTeamId: th.BasicTeam.Id,
|
|
Token: model.NewId(),
|
|
}
|
|
_, appErr := th.App.AddRemoteCluster(newRC)
|
|
require.Nil(t, appErr)
|
|
|
|
// Create a user with only the system_shared_channel_manager role
|
|
sharedChannelUser := th.CreateUser(t)
|
|
_, appErr = th.App.UpdateUserRoles(th.Context, sharedChannelUser.Id, model.SystemUserRoleId+" "+model.SharedChannelManagerRoleId, false)
|
|
require.Nil(t, appErr)
|
|
|
|
sharedChannelClient := th.CreateClient()
|
|
_, _, err := sharedChannelClient.Login(context.Background(), sharedChannelUser.Email, sharedChannelUser.Password)
|
|
require.NoError(t, err)
|
|
|
|
// Create a user with only the system_secure_connection_manager role
|
|
secureConnUser := th.CreateUser(t)
|
|
_, appErr = th.App.UpdateUserRoles(th.Context, secureConnUser.Id, model.SystemUserRoleId+" "+model.SecureConnectionManagerRoleId, false)
|
|
require.Nil(t, appErr)
|
|
|
|
secureConnClient := th.CreateClient()
|
|
_, _, err = secureConnClient.Login(context.Background(), secureConnUser.Email, secureConnUser.Password)
|
|
require.NoError(t, err)
|
|
|
|
t.Run("regular user should be denied", func(t *testing.T) {
|
|
_, resp, err := th.Client.GetRemoteCluster(context.Background(), newRC.RemoteId)
|
|
CheckForbiddenStatus(t, resp)
|
|
require.Error(t, err)
|
|
})
|
|
|
|
t.Run("system_shared_channel_manager user should have access", func(t *testing.T) {
|
|
fetchedRC, resp, err := sharedChannelClient.GetRemoteCluster(context.Background(), newRC.RemoteId)
|
|
CheckOKStatus(t, resp)
|
|
require.NoError(t, err)
|
|
require.Equal(t, newRC.RemoteId, fetchedRC.RemoteId)
|
|
require.Empty(t, fetchedRC.Token)
|
|
})
|
|
|
|
t.Run("system_secure_connection_manager user should have access", func(t *testing.T) {
|
|
fetchedRC, resp, err := secureConnClient.GetRemoteCluster(context.Background(), newRC.RemoteId)
|
|
CheckOKStatus(t, resp)
|
|
require.NoError(t, err)
|
|
require.Equal(t, newRC.RemoteId, fetchedRC.RemoteId)
|
|
require.Empty(t, fetchedRC.Token)
|
|
})
|
|
}
|
|
|
|
func TestPatchRemoteCluster(t *testing.T) {
|
|
mainHelper.Parallel(t)
|
|
newRC := &model.RemoteCluster{
|
|
Name: "remotecluster",
|
|
DisplayName: "initialvalue",
|
|
SiteURL: "http://example.com",
|
|
Token: model.NewId(),
|
|
}
|
|
|
|
rcp := &model.RemoteClusterPatch{DisplayName: model.NewPointer("different value")}
|
|
|
|
t.Run("Should not work if the remote cluster service is not enabled", func(t *testing.T) {
|
|
th := Setup(t)
|
|
|
|
newRC.CreatorId = th.SystemAdminUser.Id
|
|
|
|
rc, appErr := th.App.AddRemoteCluster(newRC)
|
|
require.Nil(t, appErr)
|
|
require.NotZero(t, rc.RemoteId)
|
|
|
|
patchedRC, resp, err := th.SystemAdminClient.PatchRemoteCluster(context.Background(), rc.RemoteId, rcp)
|
|
CheckNotImplementedStatus(t, resp)
|
|
require.Error(t, err)
|
|
require.Empty(t, patchedRC)
|
|
})
|
|
|
|
th := setupForSharedChannels(t).InitBasic(t)
|
|
|
|
newRC.CreatorId = th.SystemAdminUser.Id
|
|
|
|
rc, appErr := th.App.AddRemoteCluster(newRC)
|
|
require.Nil(t, appErr)
|
|
require.NotZero(t, rc.RemoteId)
|
|
|
|
t.Run("Should not work if the user doesn't have the right permissions", func(t *testing.T) {
|
|
patchedRC, resp, err := th.Client.PatchRemoteCluster(context.Background(), rc.RemoteId, rcp)
|
|
CheckForbiddenStatus(t, resp)
|
|
require.Error(t, err)
|
|
require.Empty(t, patchedRC)
|
|
})
|
|
|
|
t.Run("should not work if the remote cluster is nonexistent", func(t *testing.T) {
|
|
patchedRC, resp, err := th.SystemAdminClient.PatchRemoteCluster(context.Background(), model.NewId(), rcp)
|
|
CheckNotFoundStatus(t, resp)
|
|
require.Error(t, err)
|
|
require.Empty(t, patchedRC)
|
|
})
|
|
|
|
t.Run("should correctly patch the remote cluster", func(t *testing.T) {
|
|
newTeamId := model.NewId()
|
|
rcp := &model.RemoteClusterPatch{
|
|
DisplayName: model.NewPointer("patched!"),
|
|
DefaultTeamId: model.NewPointer(newTeamId),
|
|
}
|
|
|
|
patchedRC, resp, err := th.SystemAdminClient.PatchRemoteCluster(context.Background(), rc.RemoteId, rcp)
|
|
CheckOKStatus(t, resp)
|
|
require.NoError(t, err)
|
|
require.Equal(t, "patched!", patchedRC.DisplayName)
|
|
require.Equal(t, newTeamId, patchedRC.DefaultTeamId)
|
|
})
|
|
}
|
|
|
|
func TestDeleteRemoteCluster(t *testing.T) {
|
|
mainHelper.Parallel(t)
|
|
newRC := &model.RemoteCluster{
|
|
Name: "remotecluster",
|
|
DisplayName: "initialvalue",
|
|
SiteURL: "http://example.com",
|
|
Token: model.NewId(),
|
|
}
|
|
|
|
t.Run("Should not work if the remote cluster service is not enabled", func(t *testing.T) {
|
|
th := Setup(t)
|
|
|
|
newRC.CreatorId = th.SystemAdminUser.Id
|
|
|
|
rc, appErr := th.App.AddRemoteCluster(newRC)
|
|
require.Nil(t, appErr)
|
|
require.NotZero(t, rc.RemoteId)
|
|
|
|
resp, err := th.SystemAdminClient.DeleteRemoteCluster(context.Background(), rc.RemoteId)
|
|
CheckNotImplementedStatus(t, resp)
|
|
require.Error(t, err)
|
|
})
|
|
|
|
th := setupForSharedChannels(t).InitBasic(t)
|
|
|
|
newRC.CreatorId = th.SystemAdminUser.Id
|
|
|
|
rc, appErr := th.App.AddRemoteCluster(newRC)
|
|
require.Nil(t, appErr)
|
|
require.NotZero(t, rc.RemoteId)
|
|
|
|
t.Run("Should not work if the user doesn't have the right permissions", func(t *testing.T) {
|
|
resp, err := th.Client.DeleteRemoteCluster(context.Background(), rc.RemoteId)
|
|
CheckForbiddenStatus(t, resp)
|
|
require.Error(t, err)
|
|
})
|
|
|
|
t.Run("should not work if the remote cluster is nonexistent", func(t *testing.T) {
|
|
resp, err := th.SystemAdminClient.DeleteRemoteCluster(context.Background(), model.NewId())
|
|
CheckNotFoundStatus(t, resp)
|
|
require.Error(t, err)
|
|
})
|
|
|
|
t.Run("should correctly delete the remote cluster", func(t *testing.T) {
|
|
// ensure the remote cluster is not deleted
|
|
initialRC, appErr := th.App.GetRemoteCluster(rc.RemoteId, false)
|
|
require.Nil(t, appErr)
|
|
require.NotEmpty(t, initialRC)
|
|
require.Zero(t, initialRC.DeleteAt)
|
|
|
|
resp, err := th.SystemAdminClient.DeleteRemoteCluster(context.Background(), rc.RemoteId)
|
|
CheckOKStatus(t, resp)
|
|
require.NoError(t, err)
|
|
|
|
deletedRC, appErr := th.App.GetRemoteCluster(rc.RemoteId, true)
|
|
require.Nil(t, appErr)
|
|
require.NotEmpty(t, deletedRC)
|
|
require.NotZero(t, deletedRC.DeleteAt)
|
|
})
|
|
}
|