gitea/integrations/api_admin_test.go

// Copyright 2017 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.

package integrations

import (
	"fmt"
	"net/http"
	"testing"

	"code.gitea.io/gitea/models"
	api "code.gitea.io/gitea/modules/structs"

	"github.com/stretchr/testify/assert"
)

func TestAPIAdminCreateAndDeleteSSHKey(t *testing.T) {
	defer prepareTestEnv(t)()
	// user1 is an admin user
	session := loginUser(t, "user1")
	keyOwner := models.AssertExistsAndLoadBean(t, &models.User{Name: "user2"}).(*models.User)

	token := getTokenForLoggedInUser(t, session)
	urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys?token=%s", keyOwner.Name, token)
	req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
		"key":   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAu7tvIvX6ZHrRXuZNfkR3XLHSsuCK9Zn3X58lxBcQzuo5xZgB6vRwwm/QtJuF+zZPtY5hsQILBLmF+BZ5WpKZp1jBeSjH2G7lxet9kbcH+kIVj0tPFEoyKI9wvWqIwC4prx/WVk2wLTJjzBAhyNxfEq7C9CeiX9pQEbEqJfkKCQ== nocomment\n",
		"title": "test-key",
	})
	resp := session.MakeRequest(t, req, http.StatusCreated)

	var newPublicKey api.PublicKey
	DecodeJSON(t, resp, &newPublicKey)
	models.AssertExistsAndLoadBean(t, &models.PublicKey{
		ID:          newPublicKey.ID,
		Name:        newPublicKey.Title,
		Content:     newPublicKey.Key,
		Fingerprint: newPublicKey.Fingerprint,
		OwnerID:     keyOwner.ID,
	})

	req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token=%s",
		keyOwner.Name, newPublicKey.ID, token)
	session.MakeRequest(t, req, http.StatusNoContent)
	models.AssertNotExistsBean(t, &models.PublicKey{ID: newPublicKey.ID})
}

func TestAPIAdminDeleteMissingSSHKey(t *testing.T) {
	defer prepareTestEnv(t)()
	// user1 is an admin user
	session := loginUser(t, "user1")

	token := getTokenForLoggedInUser(t, session)
	req := NewRequestf(t, "DELETE", "/api/v1/admin/users/user1/keys/%d?token=%s", models.NonexistentID, token)
	session.MakeRequest(t, req, http.StatusNotFound)
}

func TestAPIAdminDeleteUnauthorizedKey(t *testing.T) {
	defer prepareTestEnv(t)()
	adminUsername := "user1"
	normalUsername := "user2"
	session := loginUser(t, adminUsername)

	token := getTokenForLoggedInUser(t, session)
	urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys?token=%s", adminUsername, token)
	req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
		"key":   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAu7tvIvX6ZHrRXuZNfkR3XLHSsuCK9Zn3X58lxBcQzuo5xZgB6vRwwm/QtJuF+zZPtY5hsQILBLmF+BZ5WpKZp1jBeSjH2G7lxet9kbcH+kIVj0tPFEoyKI9wvWqIwC4prx/WVk2wLTJjzBAhyNxfEq7C9CeiX9pQEbEqJfkKCQ== nocomment\n",
		"title": "test-key",
	})
	resp := session.MakeRequest(t, req, http.StatusCreated)
	var newPublicKey api.PublicKey
	DecodeJSON(t, resp, &newPublicKey)

	session = loginUser(t, normalUsername)
	token = getTokenForLoggedInUser(t, session)
	req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token=%s",
		adminUsername, newPublicKey.ID, token)
	session.MakeRequest(t, req, http.StatusForbidden)
}

func TestAPISudoUser(t *testing.T) {
	defer prepareTestEnv(t)()
	adminUsername := "user1"
	normalUsername := "user2"
	session := loginUser(t, adminUsername)
	token := getTokenForLoggedInUser(t, session)

	urlStr := fmt.Sprintf("/api/v1/user?sudo=%s&token=%s", normalUsername, token)
	req := NewRequest(t, "GET", urlStr)
	resp := session.MakeRequest(t, req, http.StatusOK)
	var user api.User
	DecodeJSON(t, resp, &user)

	assert.Equal(t, normalUsername, user.UserName)
}

func TestAPISudoUserForbidden(t *testing.T) {
	defer prepareTestEnv(t)()
	adminUsername := "user1"
	normalUsername := "user2"

	session := loginUser(t, normalUsername)
	token := getTokenForLoggedInUser(t, session)

	urlStr := fmt.Sprintf("/api/v1/user?sudo=%s&token=%s", adminUsername, token)
	req := NewRequest(t, "GET", urlStr)
	session.MakeRequest(t, req, http.StatusForbidden)
}

func TestAPIListUsers(t *testing.T) {
	defer prepareTestEnv(t)()
	adminUsername := "user1"
	session := loginUser(t, adminUsername)
	token := getTokenForLoggedInUser(t, session)

	urlStr := fmt.Sprintf("/api/v1/admin/users?token=%s", token)
	req := NewRequest(t, "GET", urlStr)
	resp := session.MakeRequest(t, req, http.StatusOK)
	var users []api.User
	DecodeJSON(t, resp, &users)

	found := false
	for _, user := range users {
		if user.UserName == adminUsername {
			found = true
		}
	}
	assert.True(t, found)
	numberOfUsers := models.GetCount(t, &models.User{}, "type = 0")
	assert.Equal(t, numberOfUsers, len(users))
}

func TestAPIListUsersNotLoggedIn(t *testing.T) {
	defer prepareTestEnv(t)()
	req := NewRequest(t, "GET", "/api/v1/admin/users")
	MakeRequest(t, req, http.StatusUnauthorized)
}

func TestAPIListUsersNonAdmin(t *testing.T) {
	defer prepareTestEnv(t)()
	nonAdminUsername := "user2"
	session := loginUser(t, nonAdminUsername)
	token := getTokenForLoggedInUser(t, session)
	req := NewRequestf(t, "GET", "/api/v1/admin/users?token=%s", token)
	session.MakeRequest(t, req, http.StatusForbidden)
}
Delete a user's public key via admin api (closes #3014) (#3059) * Delete a user's public key via admin api * Test admin ssh endpoint for creating a new ssh key * Adapt public ssh key test to also test the delete operation * Test that deleting a missing key will result in a 404 * Test that a normal user can't delete another user's ssh key * Make DeletePublicKey return err * Update swagger doc 2017-12-06 05:27:10 -05:00			`// Copyright 2017 The Gitea Authors. All rights reserved.`
			`// Use of this source code is governed by a MIT-style`
			`// license that can be found in the LICENSE file.`

			`package integrations`

			`import (`
			`"fmt"`
			`"net/http"`
			`"testing"`

			`"code.gitea.io/gitea/models"`
Move sdk structs to modules/structs (#6905) * move sdk structs to moduels/structs * fix tests * fix fmt * fix swagger * fix vendor 2019-05-11 06:21:34 -04:00			`api "code.gitea.io/gitea/modules/structs"`
feat(repo): support search repository by topic name (#4505) * feat(repo): support search repository by topic name 2018-09-12 22:33:48 -04:00
			`"github.com/stretchr/testify/assert"`
Delete a user's public key via admin api (closes #3014) (#3059) * Delete a user's public key via admin api * Test admin ssh endpoint for creating a new ssh key * Adapt public ssh key test to also test the delete operation * Test that deleting a missing key will result in a 404 * Test that a normal user can't delete another user's ssh key * Make DeletePublicKey return err * Update swagger doc 2017-12-06 05:27:10 -05:00			`)`

			`func TestAPIAdminCreateAndDeleteSSHKey(t *testing.T) {`
Fix "data race" in testlogger (#9159) * Fix data race in testlogger * Update git_helper_for_declarative_test.go 2019-11-25 18:21:37 -05:00			`defer prepareTestEnv(t)()`
Delete a user's public key via admin api (closes #3014) (#3059) * Delete a user's public key via admin api * Test admin ssh endpoint for creating a new ssh key * Adapt public ssh key test to also test the delete operation * Test that deleting a missing key will result in a 404 * Test that a normal user can't delete another user's ssh key * Make DeletePublicKey return err * Update swagger doc 2017-12-06 05:27:10 -05:00			`// user1 is an admin user`
			`session := loginUser(t, "user1")`
			`keyOwner := models.AssertExistsAndLoadBean(t, &models.User{Name: "user2"}).(*models.User)`

Enforce token on api routes [fixed critical security issue #4357] (#4840) 2018-09-10 12:15:52 -04:00			`token := getTokenForLoggedInUser(t, session)`
			`urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys?token=%s", keyOwner.Name, token)`
Delete a user's public key via admin api (closes #3014) (#3059) * Delete a user's public key via admin api * Test admin ssh endpoint for creating a new ssh key * Adapt public ssh key test to also test the delete operation * Test that deleting a missing key will result in a 404 * Test that a normal user can't delete another user's ssh key * Make DeletePublicKey return err * Update swagger doc 2017-12-06 05:27:10 -05:00			`req := NewRequestWithValues(t, "POST", urlStr, map[string]string{`
			`"key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAu7tvIvX6ZHrRXuZNfkR3XLHSsuCK9Zn3X58lxBcQzuo5xZgB6vRwwm/QtJuF+zZPtY5hsQILBLmF+BZ5WpKZp1jBeSjH2G7lxet9kbcH+kIVj0tPFEoyKI9wvWqIwC4prx/WVk2wLTJjzBAhyNxfEq7C9CeiX9pQEbEqJfkKCQ== nocomment\n",`
			`"title": "test-key",`
			`})`
			`resp := session.MakeRequest(t, req, http.StatusCreated)`

			`var newPublicKey api.PublicKey`
			`DecodeJSON(t, resp, &newPublicKey)`
			`models.AssertExistsAndLoadBean(t, &models.PublicKey{`
			`ID: newPublicKey.ID,`
			`Name: newPublicKey.Title,`
			`Content: newPublicKey.Key,`
			`Fingerprint: newPublicKey.Fingerprint,`
			`OwnerID: keyOwner.ID,`
			`})`

Fix #5226 by adding CSRF checking to api reqToken and add CSRF to the POST header for deadline (#5250) * Add CSRF checking to reqToken and place CSRF in the post for deadline creation Fixes #5226, #5249 * /api/v1/admin/users routes should have reqToken middleware 2018-11-03 21:15:55 -04:00			`req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token=%s",`
			`keyOwner.Name, newPublicKey.ID, token)`
Delete a user's public key via admin api (closes #3014) (#3059) * Delete a user's public key via admin api * Test admin ssh endpoint for creating a new ssh key * Adapt public ssh key test to also test the delete operation * Test that deleting a missing key will result in a 404 * Test that a normal user can't delete another user's ssh key * Make DeletePublicKey return err * Update swagger doc 2017-12-06 05:27:10 -05:00			`session.MakeRequest(t, req, http.StatusNoContent)`
			`models.AssertNotExistsBean(t, &models.PublicKey{ID: newPublicKey.ID})`
			`}`

			`func TestAPIAdminDeleteMissingSSHKey(t *testing.T) {`
Fix "data race" in testlogger (#9159) * Fix data race in testlogger * Update git_helper_for_declarative_test.go 2019-11-25 18:21:37 -05:00			`defer prepareTestEnv(t)()`
Delete a user's public key via admin api (closes #3014) (#3059) * Delete a user's public key via admin api * Test admin ssh endpoint for creating a new ssh key * Adapt public ssh key test to also test the delete operation * Test that deleting a missing key will result in a 404 * Test that a normal user can't delete another user's ssh key * Make DeletePublicKey return err * Update swagger doc 2017-12-06 05:27:10 -05:00			`// user1 is an admin user`
			`session := loginUser(t, "user1")`

Enforce token on api routes [fixed critical security issue #4357] (#4840) 2018-09-10 12:15:52 -04:00			`token := getTokenForLoggedInUser(t, session)`
Fix #5226 by adding CSRF checking to api reqToken and add CSRF to the POST header for deadline (#5250) * Add CSRF checking to reqToken and place CSRF in the post for deadline creation Fixes #5226, #5249 * /api/v1/admin/users routes should have reqToken middleware 2018-11-03 21:15:55 -04:00			`req := NewRequestf(t, "DELETE", "/api/v1/admin/users/user1/keys/%d?token=%s", models.NonexistentID, token)`
Delete a user's public key via admin api (closes #3014) (#3059) * Delete a user's public key via admin api * Test admin ssh endpoint for creating a new ssh key * Adapt public ssh key test to also test the delete operation * Test that deleting a missing key will result in a 404 * Test that a normal user can't delete another user's ssh key * Make DeletePublicKey return err * Update swagger doc 2017-12-06 05:27:10 -05:00			`session.MakeRequest(t, req, http.StatusNotFound)`
			`}`

			`func TestAPIAdminDeleteUnauthorizedKey(t *testing.T) {`
Fix "data race" in testlogger (#9159) * Fix data race in testlogger * Update git_helper_for_declarative_test.go 2019-11-25 18:21:37 -05:00			`defer prepareTestEnv(t)()`
Delete a user's public key via admin api (closes #3014) (#3059) * Delete a user's public key via admin api * Test admin ssh endpoint for creating a new ssh key * Adapt public ssh key test to also test the delete operation * Test that deleting a missing key will result in a 404 * Test that a normal user can't delete another user's ssh key * Make DeletePublicKey return err * Update swagger doc 2017-12-06 05:27:10 -05:00			`adminUsername := "user1"`
			`normalUsername := "user2"`
			`session := loginUser(t, adminUsername)`

Enforce token on api routes [fixed critical security issue #4357] (#4840) 2018-09-10 12:15:52 -04:00			`token := getTokenForLoggedInUser(t, session)`
			`urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys?token=%s", adminUsername, token)`
Delete a user's public key via admin api (closes #3014) (#3059) * Delete a user's public key via admin api * Test admin ssh endpoint for creating a new ssh key * Adapt public ssh key test to also test the delete operation * Test that deleting a missing key will result in a 404 * Test that a normal user can't delete another user's ssh key * Make DeletePublicKey return err * Update swagger doc 2017-12-06 05:27:10 -05:00			`req := NewRequestWithValues(t, "POST", urlStr, map[string]string{`
			`"key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAu7tvIvX6ZHrRXuZNfkR3XLHSsuCK9Zn3X58lxBcQzuo5xZgB6vRwwm/QtJuF+zZPtY5hsQILBLmF+BZ5WpKZp1jBeSjH2G7lxet9kbcH+kIVj0tPFEoyKI9wvWqIwC4prx/WVk2wLTJjzBAhyNxfEq7C9CeiX9pQEbEqJfkKCQ== nocomment\n",`
			`"title": "test-key",`
			`})`
			`resp := session.MakeRequest(t, req, http.StatusCreated)`
			`var newPublicKey api.PublicKey`
			`DecodeJSON(t, resp, &newPublicKey)`

			`session = loginUser(t, normalUsername)`
Enforce token on api routes [fixed critical security issue #4357] (#4840) 2018-09-10 12:15:52 -04:00			`token = getTokenForLoggedInUser(t, session)`
Fix #5226 by adding CSRF checking to api reqToken and add CSRF to the POST header for deadline (#5250) * Add CSRF checking to reqToken and place CSRF in the post for deadline creation Fixes #5226, #5249 * /api/v1/admin/users routes should have reqToken middleware 2018-11-03 21:15:55 -04:00			`req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token=%s",`
			`adminUsername, newPublicKey.ID, token)`
Delete a user's public key via admin api (closes #3014) (#3059) * Delete a user's public key via admin api * Test admin ssh endpoint for creating a new ssh key * Adapt public ssh key test to also test the delete operation * Test that deleting a missing key will result in a 404 * Test that a normal user can't delete another user's ssh key * Make DeletePublicKey return err * Update swagger doc 2017-12-06 05:27:10 -05:00			`session.MakeRequest(t, req, http.StatusForbidden)`
			`}`
Add sudo functionality to the API (#4809) 2018-09-06 23:31:29 -04:00
			`func TestAPISudoUser(t *testing.T) {`
Fix "data race" in testlogger (#9159) * Fix data race in testlogger * Update git_helper_for_declarative_test.go 2019-11-25 18:21:37 -05:00			`defer prepareTestEnv(t)()`
Add sudo functionality to the API (#4809) 2018-09-06 23:31:29 -04:00			`adminUsername := "user1"`
			`normalUsername := "user2"`
			`session := loginUser(t, adminUsername)`
Enforce token on api routes [fixed critical security issue #4357] (#4840) 2018-09-10 12:15:52 -04:00			`token := getTokenForLoggedInUser(t, session)`
Add sudo functionality to the API (#4809) 2018-09-06 23:31:29 -04:00
Enforce token on api routes [fixed critical security issue #4357] (#4840) 2018-09-10 12:15:52 -04:00			`urlStr := fmt.Sprintf("/api/v1/user?sudo=%s&token=%s", normalUsername, token)`
Add sudo functionality to the API (#4809) 2018-09-06 23:31:29 -04:00			`req := NewRequest(t, "GET", urlStr)`
			`resp := session.MakeRequest(t, req, http.StatusOK)`
			`var user api.User`
			`DecodeJSON(t, resp, &user)`

			`assert.Equal(t, normalUsername, user.UserName)`
			`}`

			`func TestAPISudoUserForbidden(t *testing.T) {`
Fix "data race" in testlogger (#9159) * Fix data race in testlogger * Update git_helper_for_declarative_test.go 2019-11-25 18:21:37 -05:00			`defer prepareTestEnv(t)()`
Add sudo functionality to the API (#4809) 2018-09-06 23:31:29 -04:00			`adminUsername := "user1"`
			`normalUsername := "user2"`

			`session := loginUser(t, normalUsername)`
Enforce token on api routes [fixed critical security issue #4357] (#4840) 2018-09-10 12:15:52 -04:00			`token := getTokenForLoggedInUser(t, session)`
Add sudo functionality to the API (#4809) 2018-09-06 23:31:29 -04:00
Enforce token on api routes [fixed critical security issue #4357] (#4840) 2018-09-10 12:15:52 -04:00			`urlStr := fmt.Sprintf("/api/v1/user?sudo=%s&token=%s", adminUsername, token)`
Add sudo functionality to the API (#4809) 2018-09-06 23:31:29 -04:00			`req := NewRequest(t, "GET", urlStr)`
			`session.MakeRequest(t, req, http.StatusForbidden)`
			`}`
Return a UserList from /api/v1/admin/users (#6629) 2019-04-15 12:36:59 -04:00
			`func TestAPIListUsers(t *testing.T) {`
Fix "data race" in testlogger (#9159) * Fix data race in testlogger * Update git_helper_for_declarative_test.go 2019-11-25 18:21:37 -05:00			`defer prepareTestEnv(t)()`
Return a UserList from /api/v1/admin/users (#6629) 2019-04-15 12:36:59 -04:00			`adminUsername := "user1"`
			`session := loginUser(t, adminUsername)`
			`token := getTokenForLoggedInUser(t, session)`

			`urlStr := fmt.Sprintf("/api/v1/admin/users?token=%s", token)`
			`req := NewRequest(t, "GET", urlStr)`
			`resp := session.MakeRequest(t, req, http.StatusOK)`
			`var users []api.User`
			`DecodeJSON(t, resp, &users)`

			`found := false`
			`for _, user := range users {`
			`if user.UserName == adminUsername {`
			`found = true`
			`}`
			`}`
			`assert.True(t, found)`
			`numberOfUsers := models.GetCount(t, &models.User{}, "type = 0")`
			`assert.Equal(t, numberOfUsers, len(users))`
			`}`
Fixes #6881 - API users search fix (#6882) 2019-05-08 15:17:32 -04:00
			`func TestAPIListUsersNotLoggedIn(t *testing.T) {`
Fix "data race" in testlogger (#9159) * Fix data race in testlogger * Update git_helper_for_declarative_test.go 2019-11-25 18:21:37 -05:00			`defer prepareTestEnv(t)()`
Fixes #6881 - API users search fix (#6882) 2019-05-08 15:17:32 -04:00			`req := NewRequest(t, "GET", "/api/v1/admin/users")`
			`MakeRequest(t, req, http.StatusUnauthorized)`
			`}`

			`func TestAPIListUsersNonAdmin(t *testing.T) {`
Fix "data race" in testlogger (#9159) * Fix data race in testlogger * Update git_helper_for_declarative_test.go 2019-11-25 18:21:37 -05:00			`defer prepareTestEnv(t)()`
Fixes #6881 - API users search fix (#6882) 2019-05-08 15:17:32 -04:00			`nonAdminUsername := "user2"`
			`session := loginUser(t, nonAdminUsername)`
			`token := getTokenForLoggedInUser(t, session)`
			`req := NewRequestf(t, "GET", "/api/v1/admin/users?token=%s", token)`
			`session.MakeRequest(t, req, http.StatusForbidden)`
			`}`