server_admin_test.go 5.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181
  1. package server
  2. import (
  3. "github.com/stretchr/testify/require"
  4. "heckel.io/ntfy/user"
  5. "heckel.io/ntfy/util"
  6. "sync/atomic"
  7. "testing"
  8. "time"
  9. )
  10. func TestUser_AddRemove(t *testing.T) {
  11. s := newTestServer(t, newTestConfigWithAuthFile(t))
  12. defer s.closeDatabases()
  13. // Create admin, tier
  14. require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleAdmin))
  15. require.Nil(t, s.userManager.AddTier(&user.Tier{
  16. Code: "tier1",
  17. }))
  18. // Create user via API
  19. rr := request(t, s, "PUT", "/v1/users", `{"username": "ben", "password":"ben"}`, map[string]string{
  20. "Authorization": util.BasicAuth("phil", "phil"),
  21. })
  22. require.Equal(t, 200, rr.Code)
  23. // Create user with tier via API
  24. rr = request(t, s, "PUT", "/v1/users", `{"username": "emma", "password":"emma", "tier": "tier1"}`, map[string]string{
  25. "Authorization": util.BasicAuth("phil", "phil"),
  26. })
  27. require.Equal(t, 200, rr.Code)
  28. // Check users
  29. users, err := s.userManager.Users()
  30. require.Nil(t, err)
  31. require.Equal(t, 4, len(users))
  32. require.Equal(t, "phil", users[0].Name)
  33. require.Equal(t, "ben", users[1].Name)
  34. require.Equal(t, user.RoleUser, users[1].Role)
  35. require.Nil(t, users[1].Tier)
  36. require.Equal(t, "emma", users[2].Name)
  37. require.Equal(t, user.RoleUser, users[2].Role)
  38. require.Equal(t, "tier1", users[2].Tier.Code)
  39. require.Equal(t, user.Everyone, users[3].Name)
  40. // Delete user via API
  41. rr = request(t, s, "DELETE", "/v1/users", `{"username": "ben"}`, map[string]string{
  42. "Authorization": util.BasicAuth("phil", "phil"),
  43. })
  44. require.Equal(t, 200, rr.Code)
  45. }
  46. func TestUser_AddRemove_Failures(t *testing.T) {
  47. s := newTestServer(t, newTestConfigWithAuthFile(t))
  48. defer s.closeDatabases()
  49. // Create admin
  50. require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleAdmin))
  51. require.Nil(t, s.userManager.AddUser("ben", "ben", user.RoleUser))
  52. // Cannot create user with invalid username
  53. rr := request(t, s, "PUT", "/v1/users", `{"username": "not valid", "password":"ben"}`, map[string]string{
  54. "Authorization": util.BasicAuth("phil", "phil"),
  55. })
  56. require.Equal(t, 400, rr.Code)
  57. // Cannot create user if user already exists
  58. rr = request(t, s, "PUT", "/v1/users", `{"username": "phil", "password":"phil"}`, map[string]string{
  59. "Authorization": util.BasicAuth("phil", "phil"),
  60. })
  61. require.Equal(t, 40901, toHTTPError(t, rr.Body.String()).Code)
  62. // Cannot create user with invalid tier
  63. rr = request(t, s, "PUT", "/v1/users", `{"username": "emma", "password":"emma", "tier": "invalid"}`, map[string]string{
  64. "Authorization": util.BasicAuth("phil", "phil"),
  65. })
  66. require.Equal(t, 40030, toHTTPError(t, rr.Body.String()).Code)
  67. // Cannot delete user as non-admin
  68. rr = request(t, s, "DELETE", "/v1/users", `{"username": "ben"}`, map[string]string{
  69. "Authorization": util.BasicAuth("ben", "ben"),
  70. })
  71. require.Equal(t, 401, rr.Code)
  72. // Delete user via API
  73. rr = request(t, s, "DELETE", "/v1/users", `{"username": "ben"}`, map[string]string{
  74. "Authorization": util.BasicAuth("phil", "phil"),
  75. })
  76. require.Equal(t, 200, rr.Code)
  77. }
  78. func TestAccess_AllowReset(t *testing.T) {
  79. c := newTestConfigWithAuthFile(t)
  80. c.AuthDefault = user.PermissionDenyAll
  81. s := newTestServer(t, c)
  82. defer s.closeDatabases()
  83. // User and admin
  84. require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleAdmin))
  85. require.Nil(t, s.userManager.AddUser("ben", "ben", user.RoleUser))
  86. // Subscribing not allowed
  87. rr := request(t, s, "GET", "/gold/json?poll=1", "", map[string]string{
  88. "Authorization": util.BasicAuth("ben", "ben"),
  89. })
  90. require.Equal(t, 403, rr.Code)
  91. // Grant access
  92. rr = request(t, s, "POST", "/v1/users/access", `{"username": "ben", "topic":"gold", "permission":"ro"}`, map[string]string{
  93. "Authorization": util.BasicAuth("phil", "phil"),
  94. })
  95. require.Equal(t, 200, rr.Code)
  96. // Now subscribing is allowed
  97. rr = request(t, s, "GET", "/gold/json?poll=1", "", map[string]string{
  98. "Authorization": util.BasicAuth("ben", "ben"),
  99. })
  100. require.Equal(t, 200, rr.Code)
  101. // Reset access
  102. rr = request(t, s, "DELETE", "/v1/users/access", `{"username": "ben", "topic":"gold"}`, map[string]string{
  103. "Authorization": util.BasicAuth("phil", "phil"),
  104. })
  105. require.Equal(t, 200, rr.Code)
  106. // Subscribing not allowed (again)
  107. rr = request(t, s, "GET", "/gold/json?poll=1", "", map[string]string{
  108. "Authorization": util.BasicAuth("ben", "ben"),
  109. })
  110. require.Equal(t, 403, rr.Code)
  111. }
  112. func TestAccess_AllowReset_NonAdminAttempt(t *testing.T) {
  113. c := newTestConfigWithAuthFile(t)
  114. c.AuthDefault = user.PermissionDenyAll
  115. s := newTestServer(t, c)
  116. defer s.closeDatabases()
  117. // User
  118. require.Nil(t, s.userManager.AddUser("ben", "ben", user.RoleUser))
  119. // Grant access fails, because non-admin
  120. rr := request(t, s, "POST", "/v1/users/access", `{"username": "ben", "topic":"gold", "permission":"ro"}`, map[string]string{
  121. "Authorization": util.BasicAuth("ben", "ben"),
  122. })
  123. require.Equal(t, 401, rr.Code)
  124. }
  125. func TestAccess_AllowReset_KillConnection(t *testing.T) {
  126. c := newTestConfigWithAuthFile(t)
  127. c.AuthDefault = user.PermissionDenyAll
  128. s := newTestServer(t, c)
  129. defer s.closeDatabases()
  130. // User and admin, grant access to "gol*" topics
  131. require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleAdmin))
  132. require.Nil(t, s.userManager.AddUser("ben", "ben", user.RoleUser))
  133. require.Nil(t, s.userManager.AllowAccess("ben", "gol*", user.PermissionRead)) // Wildcard!
  134. start, timeTaken := time.Now(), atomic.Int64{}
  135. go func() {
  136. rr := request(t, s, "GET", "/gold/json", "", map[string]string{
  137. "Authorization": util.BasicAuth("ben", "ben"),
  138. })
  139. require.Equal(t, 200, rr.Code)
  140. timeTaken.Store(time.Since(start).Milliseconds())
  141. }()
  142. time.Sleep(500 * time.Millisecond)
  143. // Reset access
  144. rr := request(t, s, "DELETE", "/v1/users/access", `{"username": "ben", "topic":"gol*"}`, map[string]string{
  145. "Authorization": util.BasicAuth("phil", "phil"),
  146. })
  147. require.Equal(t, 200, rr.Code)
  148. // Wait for connection to be killed; this will fail if the connection is never killed
  149. waitFor(t, func() bool {
  150. return timeTaken.Load() >= 500
  151. })
  152. }