278 lines
8.1 KiB
Go
278 lines
8.1 KiB
Go
package http
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/json"
|
|
"io"
|
|
stdhttp "net/http"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"gitea.dcglab.co.uk/steve/restic-manager/internal/store"
|
|
)
|
|
|
|
func TestAPIUsersList(t *testing.T) {
|
|
t.Parallel()
|
|
srv, ts, _ := rawTestServerWithUI(t)
|
|
adminID := makeUser(t, srv, "admin1", store.RoleAdmin)
|
|
makeUser(t, srv, "op1", store.RoleOperator)
|
|
cookie := loginAs(t, srv, adminID)
|
|
|
|
req, _ := stdhttp.NewRequest("GET", ts.URL+"/api/users", nil)
|
|
req.AddCookie(cookie)
|
|
res, err := stdhttp.DefaultClient.Do(req)
|
|
if err != nil {
|
|
t.Fatalf("GET: %v", err)
|
|
}
|
|
defer res.Body.Close()
|
|
if res.StatusCode != stdhttp.StatusOK {
|
|
body, _ := io.ReadAll(res.Body)
|
|
t.Fatalf("status: got %d body=%s", res.StatusCode, body)
|
|
}
|
|
var got listUsersResponse
|
|
_ = json.NewDecoder(res.Body).Decode(&got)
|
|
if len(got.Users) != 2 {
|
|
t.Errorf("count: got %d want 2", len(got.Users))
|
|
}
|
|
}
|
|
|
|
func TestAPIUserCreate(t *testing.T) {
|
|
t.Parallel()
|
|
srv, ts, _ := rawTestServerWithUI(t)
|
|
adminID := makeUser(t, srv, "admin1", store.RoleAdmin)
|
|
cookie := loginAs(t, srv, adminID)
|
|
|
|
body, _ := json.Marshal(map[string]any{
|
|
"username": "Bob", "email": "bob@example.com", "role": "operator",
|
|
})
|
|
req, _ := stdhttp.NewRequest("POST", ts.URL+"/api/users", bytes.NewReader(body))
|
|
req.AddCookie(cookie)
|
|
req.Header.Set("Content-Type", "application/json")
|
|
res, err := stdhttp.DefaultClient.Do(req)
|
|
if err != nil {
|
|
t.Fatalf("POST: %v", err)
|
|
}
|
|
defer res.Body.Close()
|
|
if res.StatusCode != stdhttp.StatusCreated {
|
|
body, _ := io.ReadAll(res.Body)
|
|
t.Fatalf("status: got %d body=%s", res.StatusCode, body)
|
|
}
|
|
var got struct {
|
|
ID string `json:"id"`
|
|
SetupURL string `json:"setup_url"`
|
|
}
|
|
_ = json.NewDecoder(res.Body).Decode(&got)
|
|
if got.ID == "" || got.SetupURL == "" {
|
|
t.Errorf("missing fields: %+v", got)
|
|
}
|
|
if !strings.Contains(got.SetupURL, "/setup?token=") {
|
|
t.Errorf("setup_url shape: %q", got.SetupURL)
|
|
}
|
|
|
|
// Verify lowercase-normalised.
|
|
u, err := srv.deps.Store.GetUserByUsername(t.Context(), "bob")
|
|
if err != nil {
|
|
t.Fatalf("get: %v", err)
|
|
}
|
|
if u.Username != "bob" {
|
|
t.Errorf("username: got %q want bob", u.Username)
|
|
}
|
|
if !u.MustChangePassword {
|
|
t.Error("must_change_password not set")
|
|
}
|
|
}
|
|
|
|
func TestAPIUserCreateRejectsDuplicateEnabled(t *testing.T) {
|
|
t.Parallel()
|
|
srv, ts, _ := rawTestServerWithUI(t)
|
|
adminID := makeUser(t, srv, "admin1", store.RoleAdmin)
|
|
makeUser(t, srv, "alice", store.RoleOperator)
|
|
cookie := loginAs(t, srv, adminID)
|
|
|
|
body, _ := json.Marshal(map[string]any{
|
|
"username": "ALICE", "role": "operator",
|
|
})
|
|
req, _ := stdhttp.NewRequest("POST", ts.URL+"/api/users", bytes.NewReader(body))
|
|
req.AddCookie(cookie)
|
|
req.Header.Set("Content-Type", "application/json")
|
|
res, err := stdhttp.DefaultClient.Do(req)
|
|
if err != nil {
|
|
t.Fatalf("POST: %v", err)
|
|
}
|
|
defer res.Body.Close()
|
|
if res.StatusCode != stdhttp.StatusConflict {
|
|
t.Errorf("status: got %d want 409", res.StatusCode)
|
|
}
|
|
}
|
|
|
|
func TestAPIUserGet(t *testing.T) {
|
|
t.Parallel()
|
|
srv, ts, _ := rawTestServerWithUI(t)
|
|
adminID := makeUser(t, srv, "admin1", store.RoleAdmin)
|
|
target := makeUser(t, srv, "carol", store.RoleViewer)
|
|
cookie := loginAs(t, srv, adminID)
|
|
|
|
req, _ := stdhttp.NewRequest("GET", ts.URL+"/api/users/"+target, nil)
|
|
req.AddCookie(cookie)
|
|
res, err := stdhttp.DefaultClient.Do(req)
|
|
if err != nil {
|
|
t.Fatalf("GET: %v", err)
|
|
}
|
|
defer res.Body.Close()
|
|
if res.StatusCode != stdhttp.StatusOK {
|
|
t.Errorf("status: got %d", res.StatusCode)
|
|
}
|
|
}
|
|
|
|
func TestAPIUserPatchRoleAndEmail(t *testing.T) {
|
|
t.Parallel()
|
|
srv, ts, _ := rawTestServerWithUI(t)
|
|
adminID := makeUser(t, srv, "admin1", store.RoleAdmin)
|
|
target := makeUser(t, srv, "carol", store.RoleViewer)
|
|
cookie := loginAs(t, srv, adminID)
|
|
|
|
body, _ := json.Marshal(map[string]any{
|
|
"role": "operator", "email": "carol@example.com",
|
|
})
|
|
req, _ := stdhttp.NewRequest("PATCH", ts.URL+"/api/users/"+target, bytes.NewReader(body))
|
|
req.AddCookie(cookie)
|
|
req.Header.Set("Content-Type", "application/json")
|
|
res, err := stdhttp.DefaultClient.Do(req)
|
|
if err != nil {
|
|
t.Fatalf("PATCH: %v", err)
|
|
}
|
|
defer res.Body.Close()
|
|
if res.StatusCode != stdhttp.StatusOK {
|
|
body, _ := io.ReadAll(res.Body)
|
|
t.Errorf("status: got %d body=%s", res.StatusCode, body)
|
|
}
|
|
got, _ := srv.deps.Store.GetUserByID(t.Context(), target)
|
|
if got.Role != store.RoleOperator {
|
|
t.Errorf("role: got %q", got.Role)
|
|
}
|
|
if got.Email == nil || *got.Email != "carol@example.com" {
|
|
t.Errorf("email: got %v", got.Email)
|
|
}
|
|
}
|
|
|
|
func TestAPIUserPatchRejectsLastAdminDemote(t *testing.T) {
|
|
t.Parallel()
|
|
srv, ts, _ := rawTestServerWithUI(t)
|
|
adminID := makeUser(t, srv, "admin1", store.RoleAdmin)
|
|
cookie := loginAs(t, srv, adminID)
|
|
|
|
body, _ := json.Marshal(map[string]any{"role": "viewer"})
|
|
req, _ := stdhttp.NewRequest("PATCH", ts.URL+"/api/users/"+adminID, bytes.NewReader(body))
|
|
req.AddCookie(cookie)
|
|
req.Header.Set("Content-Type", "application/json")
|
|
res, err := stdhttp.DefaultClient.Do(req)
|
|
if err != nil {
|
|
t.Fatalf("PATCH: %v", err)
|
|
}
|
|
defer res.Body.Close()
|
|
if res.StatusCode != stdhttp.StatusConflict {
|
|
t.Errorf("status: got %d want 409", res.StatusCode)
|
|
}
|
|
}
|
|
|
|
func TestAPIUserDisable(t *testing.T) {
|
|
t.Parallel()
|
|
srv, ts, _ := rawTestServerWithUI(t)
|
|
adminID := makeUser(t, srv, "admin1", store.RoleAdmin)
|
|
makeUser(t, srv, "admin2", store.RoleAdmin) // satisfy last-admin guard
|
|
target := makeUser(t, srv, "victim", store.RoleOperator)
|
|
cookie := loginAs(t, srv, adminID)
|
|
|
|
req, _ := stdhttp.NewRequest("POST", ts.URL+"/api/users/"+target+"/disable", nil)
|
|
req.AddCookie(cookie)
|
|
res, err := stdhttp.DefaultClient.Do(req)
|
|
if err != nil {
|
|
t.Fatalf("POST: %v", err)
|
|
}
|
|
defer res.Body.Close()
|
|
if res.StatusCode != stdhttp.StatusOK {
|
|
t.Errorf("status: got %d", res.StatusCode)
|
|
}
|
|
u, _ := srv.deps.Store.GetUserByID(t.Context(), target)
|
|
if u.DisabledAt == nil {
|
|
t.Error("disabled_at not set")
|
|
}
|
|
}
|
|
|
|
func TestAPIUserDisableRejectsLastAdmin(t *testing.T) {
|
|
t.Parallel()
|
|
srv, ts, _ := rawTestServerWithUI(t)
|
|
adminID := makeUser(t, srv, "admin1", store.RoleAdmin)
|
|
cookie := loginAs(t, srv, adminID)
|
|
|
|
req, _ := stdhttp.NewRequest("POST", ts.URL+"/api/users/"+adminID+"/disable", nil)
|
|
req.AddCookie(cookie)
|
|
res, err := stdhttp.DefaultClient.Do(req)
|
|
if err != nil {
|
|
t.Fatalf("POST: %v", err)
|
|
}
|
|
defer res.Body.Close()
|
|
if res.StatusCode != stdhttp.StatusConflict {
|
|
t.Errorf("status: got %d want 409", res.StatusCode)
|
|
}
|
|
}
|
|
|
|
func TestAPIUserRegenerateSetup(t *testing.T) {
|
|
t.Parallel()
|
|
srv, ts, _ := rawTestServerWithUI(t)
|
|
adminID := makeUser(t, srv, "admin1", store.RoleAdmin)
|
|
target := makeUser(t, srv, "newbie", store.RoleViewer)
|
|
_ = srv.deps.Store.SetMustChangePassword(t.Context(), target, true)
|
|
_ = srv.deps.Store.SetSetupToken(t.Context(), store.SetupToken{
|
|
UserID: target, TokenHash: "old", ExpiresAt: time.Now().UTC().Add(time.Hour),
|
|
CreatedAt: time.Now().UTC(),
|
|
})
|
|
cookie := loginAs(t, srv, adminID)
|
|
|
|
req, _ := stdhttp.NewRequest("POST", ts.URL+"/api/users/"+target+"/regenerate-setup", nil)
|
|
req.AddCookie(cookie)
|
|
res, err := stdhttp.DefaultClient.Do(req)
|
|
if err != nil {
|
|
t.Fatalf("POST: %v", err)
|
|
}
|
|
defer res.Body.Close()
|
|
if res.StatusCode != stdhttp.StatusOK {
|
|
t.Errorf("status: got %d", res.StatusCode)
|
|
}
|
|
var got struct {
|
|
SetupURL string `json:"setup_url"`
|
|
}
|
|
_ = json.NewDecoder(res.Body).Decode(&got)
|
|
if !strings.Contains(got.SetupURL, "/setup?token=") {
|
|
t.Errorf("setup_url: %q", got.SetupURL)
|
|
}
|
|
if _, err := srv.deps.Store.LookupSetupToken(t.Context(), "old"); err == nil {
|
|
t.Error("old token should be replaced")
|
|
}
|
|
}
|
|
|
|
func TestAPIUserForceLogout(t *testing.T) {
|
|
t.Parallel()
|
|
srv, ts, _ := rawTestServerWithUI(t)
|
|
adminID := makeUser(t, srv, "admin1", store.RoleAdmin)
|
|
target := makeUser(t, srv, "victim", store.RoleOperator)
|
|
loginAs(t, srv, target) // create a session for the victim
|
|
cookie := loginAs(t, srv, adminID)
|
|
|
|
req, _ := stdhttp.NewRequest("POST", ts.URL+"/api/users/"+target+"/force-logout", nil)
|
|
req.AddCookie(cookie)
|
|
res, err := stdhttp.DefaultClient.Do(req)
|
|
if err != nil {
|
|
t.Fatalf("POST: %v", err)
|
|
}
|
|
defer res.Body.Close()
|
|
if res.StatusCode != stdhttp.StatusOK {
|
|
t.Errorf("status: got %d", res.StatusCode)
|
|
}
|
|
rr, _ := srv.deps.Store.DeleteSessionsByUserID(t.Context(), target)
|
|
if rr != 0 {
|
|
t.Errorf("expected 0 remaining sessions, got %d", rr)
|
|
}
|
|
}
|