Users testcases

users/delete_test.go

@@ -42,19 +42,42 @@ func (self *UserManagerTestSuite) TestDeleteUser() {
 		"OrgAdmin", "UserO2", []string{"O1", "O2"}, reader_policy)
 	assert.NoError(self.T(), err)
 
+	// Lookup using ORG_ADMIN
 	user_record, err = users.GetUser(self.Ctx, "OrgAdmin", "UserO2")
 	assert.NoError(self.T(), err)
-	golden.Set("UserO2 is in O1 and O2", user_record)
+	golden.Set("OrgAdmin UserO2 is in O1 and O2", user_record)
+
+	// Lookup using O1's SERVER_ADMIN
+	user_record, err = users.GetUser(self.Ctx, "AdminO1", "UserO2")
+	assert.NoError(self.T(), err)
+	golden.Set("AdminO1 UserO2 is in O1", user_record)
+
+	// Lookup using O2's SERVER_ADMIN
+	user_record, err = users.GetUser(self.Ctx, "AdminO2", "UserO2")
+	assert.NoError(self.T(), err)
+	golden.Set("AdminO2 UserO2 is in O2", user_record)
 
 	// AdminO2 will remove the user from all orgs, but they remain in
 	// O1 because AdminO2 has no accesss to O1
 	err = users.DeleteUser(
 		self.Ctx, "AdminO2", "UserO2", users.LIST_ALL_ORGS)
 	assert.NoError(self.T(), err)
 
+	// GetUser returns PermissionDenied if the user requesting does
+	// not have OrgAdmin and does not belong to any of the same orgs
+	user_record, err = users.GetUser(self.Ctx, "AdminO2", "UserO2")
+	assert.ErrorContains(self.T(), err, "PermissionDenied")
+	golden.Set("AdminO2 UserO2 removed from O2", err.Error())
+
+	// If the user was added to O1 and removed from O2, it should
+	// still exist in O1
+	user_record, err = users.GetUser(self.Ctx, "AdminO1", "UserO2")
+	assert.NoError(self.T(), err)
+	golden.Set("AdminO1 UserO2 still in O1", user_record)
+
 	user_record, err = users.GetUser(self.Ctx, "OrgAdmin", "UserO2")
 	assert.NoError(self.T(), err)
-	golden.Set("UserO2 removed from O2", user_record)
+	golden.Set("OrgAdmin UserO2 removed from O2", user_record)
 
 	goldie.Assert(self.T(), "TestDeleteUser",
 		json.MustMarshalIndent(golden))

users/fixtures/TestDeleteUser.golden

@@ -8,7 +8,7 @@
    }
   ]
  },
- "UserO2 is in O1 and O2": {
+ "OrgAdmin UserO2 is in O1 and O2": {
   "name": "UserO2",
   "orgs": [
    {
@@ -21,7 +21,35 @@
    }
   ]
  },
- "UserO2 removed from O2": {
+ "AdminO1 UserO2 is in O1": {
+  "name": "UserO2",
+  "orgs": [
+   {
+    "name": "O1",
+    "id": "O1"
+   }
+  ]
+ },
+ "AdminO2 UserO2 is in O2": {
+  "name": "UserO2",
+  "orgs": [
+   {
+    "name": "O2",
+    "id": "O2"
+   }
+  ]
+ },
+ "AdminO2 UserO2 removed from O2": "PermissionDenied",
+ "AdminO1 UserO2 still in O1": {
+  "name": "UserO2",
+  "orgs": [
+   {
+    "name": "O1",
+    "id": "O1"
+   }
+  ]
+ },
+ "OrgAdmin UserO2 removed from O2": {
   "name": "UserO2",
   "orgs": [
    {

users/fixtures/TestMakeUsers.golden

@@ -5,6 +5,14 @@
    {
     "name": "\u003croot\u003e",
     "id": "root"
+   },
+   {
+    "name": "O1",
+    "id": "O1"
+   },
+   {
+    "name": "O2",
+    "id": "O2"
    }
   ]
  },

users/users_test.go

@@ -3,18 +3,30 @@ package users_test
 import (
 	"testing"
 
+	"github.com/Velocidex/ordereddict"
+	"github.com/sebdah/goldie"
 	"github.com/stretchr/testify/suite"
 	api_proto "www.velocidex.com/golang/velociraptor/api/proto"
 	"www.velocidex.com/golang/velociraptor/file_store/test_utils"
+	"www.velocidex.com/golang/velociraptor/json"
 	"www.velocidex.com/golang/velociraptor/services"
 	"www.velocidex.com/golang/velociraptor/services/orgs"
+	"www.velocidex.com/golang/velociraptor/users"
 	"www.velocidex.com/golang/velociraptor/vtesting/assert"
 )
 
 type UserManagerTestSuite struct {
 	test_utils.TestSuite
 }
 
+func (self *UserManagerTestSuite) SetupTest() {
+	self.TestSuite.SetupTest()
+
+	self.LoadArtifacts(`name: Server.Audit.Logs
+type: SERVER_EVENT
+`)
+}
+
 func (self *UserManagerTestSuite) makeUserWithRoles(username, org_id, role string) {
 	org_manager, err := services.GetOrgManager()
 	assert.NoError(self.T(), err)
@@ -53,6 +65,43 @@ func (self *UserManagerTestSuite) makeUsers() {
 	self.makeUserWithRoles("UserO2", "O2", "reader")
 }
 
+// The rest of the tests depend on this state being correct.  Make sure it is.
+func (self *UserManagerTestSuite) TestMakeUsers() {
+	self.makeUsers()
+
+	golden := ordereddict.NewDict()
+
+	user_record, err := users.GetUser(self.Ctx, "OrgAdmin", "OrgAdmin")
+	assert.NoError(self.T(), err)
+	golden.Set("OrgAdmin OrgAdmin", user_record)
+
+	user_record, err = users.GetUser(self.Ctx, "OrgAdmin", "UserO1")
+	assert.NoError(self.T(), err)
+	golden.Set("OrgAdmin UserO1", user_record)
+
+	user_record, err = users.GetUser(self.Ctx, "AdminO1", "UserO1")
+	assert.NoError(self.T(), err)
+	golden.Set("AdminO1 UserO1", user_record)
+
+	user_record, err = users.GetUser(self.Ctx, "AdminO2", "UserO1")
+	assert.ErrorContains(self.T(), err, "PermissionDenied")
+	golden.Set("AdminO2 UserO1", err.Error())
+
+	user_record, err = users.GetUser(self.Ctx, "OrgAdmin", "UserO2")
+	assert.NoError(self.T(), err)
+	golden.Set("OrgAdmin UserO2", user_record)
+
+	user_record, err = users.GetUser(self.Ctx, "AdminO2", "UserO2")
+	assert.NoError(self.T(), err)
+	golden.Set("AdminO2 UserO2", user_record)
+
+	user_record, err = users.GetUser(self.Ctx, "AdminO1", "UserO2")
+	assert.ErrorContains(self.T(), err, "PermissionDenied")
+	golden.Set("AdminO1 UserO2", err.Error())
+
+	goldie.Assert(self.T(), "TestMakeUsers", json.MustMarshalIndent(golden))
+}
+
 func TestUserManger(t *testing.T) {
 	orgs.NonceForTest = "Nonce"