diff options
author | Gabe Van Engel <gabe@schizoid.net> | 2018-08-28 08:06:57 -0700 |
---|---|---|
committer | Harrison Healey <harrisonmhealey@gmail.com> | 2018-08-28 11:06:57 -0400 |
commit | 347ee1d205c95f5fd766e206cc65bfb9782a2623 (patch) | |
tree | 7ee22b4d399d0419d18f1e0d40ed35d17e45a4c6 /app/team_test.go | |
parent | 19e69681d73b0b2e30d6f2749c3e61da4eca5863 (diff) | |
download | chat-347ee1d205c95f5fd766e206cc65bfb9782a2623.tar.gz chat-347ee1d205c95f5fd766e206cc65bfb9782a2623.tar.bz2 chat-347ee1d205c95f5fd766e206cc65bfb9782a2623.zip |
MM-11327: Restrict Teams by Email (#9142)
* Check a team's AllowedDomains setting before adding users to the team.
* Updated AddUser tests to validate AllowedDomains restriction.
* Updated variable name to match convention.
* Removed AllowedDomains from team sanitization.
* Update AppError's Where to match the calling function.
* Added tests for user matching allowedDomains, and multi domain values of allowedDomains.
* Added test to make sure we block users who have a subdomain of a whitelisted domain.
* Revert "Removed AllowedDomains from team sanitization."
This reverts commit 17c2afea584da40c7d769787ae86408e9700510c.
* Update sanitization tests to include dockerhost, now that we enforce AllowedDomains.
* Added tests to verify the interplay between the global and per team domain restrictions.
* Validate AllowedDomains property against RestrictCreationToDomains before updating a team.
* Remove team.AllowedDomains from sanitization.
* Add i18n string for the team allowed domains restriction app error.
Diffstat (limited to 'app/team_test.go')
-rw-r--r-- | app/team_test.go | 173 |
1 files changed, 151 insertions, 22 deletions
diff --git a/app/team_test.go b/app/team_test.go index 429e07931..1f2dd5318 100644 --- a/app/team_test.go +++ b/app/team_test.go @@ -73,13 +73,99 @@ func TestAddUserToTeam(t *testing.T) { th := Setup().InitBasic() defer th.TearDown() - user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@example.com", Nickname: "Darth Vader", Username: "vader" + model.NewId(), Password: "passwd1", AuthService: ""} - ruser, _ := th.App.CreateUser(&user) + t.Run("add user", func(t *testing.T) { + user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@example.com", Nickname: "Darth Vader", Username: "vader" + model.NewId(), Password: "passwd1", AuthService: ""} + ruser, _ := th.App.CreateUser(&user) + defer th.App.PermanentDeleteUser(&user) - if _, err := th.App.AddUserToTeam(th.BasicTeam.Id, ruser.Id, ""); err != nil { - t.Log(err) - t.Fatal("Should add user to the team") - } + if _, err := th.App.AddUserToTeam(th.BasicTeam.Id, ruser.Id, ""); err != nil { + t.Log(err) + t.Fatal("Should add user to the team") + } + }) + + t.Run("allow user by domain", func(t *testing.T) { + th.BasicTeam.AllowedDomains = "example.com" + if _, err := th.App.UpdateTeam(th.BasicTeam); err != nil { + t.Log(err) + t.Fatal("Should update the team") + } + + user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@example.com", Nickname: "Darth Vader", Username: "vader" + model.NewId(), Password: "passwd1", AuthService: ""} + ruser, _ := th.App.CreateUser(&user) + defer th.App.PermanentDeleteUser(&user) + + if _, err := th.App.AddUserToTeam(th.BasicTeam.Id, ruser.Id, ""); err != nil { + t.Log(err) + t.Fatal("Should have allowed whitelisted user") + } + }) + + t.Run("block user by domain", func(t *testing.T) { + th.BasicTeam.AllowedDomains = "example.com" + if _, err := th.App.UpdateTeam(th.BasicTeam); err != nil { + t.Log(err) + t.Fatal("Should update the team") + } + + user := model.User{Email: strings.ToLower(model.NewId()) + "test@invalid.com", Nickname: "Darth Vader", Username: "vader" + model.NewId(), Password: "passwd1", AuthService: ""} + ruser, _ := th.App.CreateUser(&user) + defer th.App.PermanentDeleteUser(&user) + + if _, err := th.App.AddUserToTeam(th.BasicTeam.Id, ruser.Id, ""); err == nil || err.Where != "JoinUserToTeam" { + t.Log(err) + t.Fatal("Should not add restricted user") + } + }) + + t.Run("block user with subdomain", func(t *testing.T) { + th.BasicTeam.AllowedDomains = "example.com" + if _, err := th.App.UpdateTeam(th.BasicTeam); err != nil { + t.Log(err) + t.Fatal("Should update the team") + } + + user := model.User{Email: strings.ToLower(model.NewId()) + "test@invalid.example.com", Nickname: "Darth Vader", Username: "vader" + model.NewId(), Password: "passwd1", AuthService: ""} + ruser, _ := th.App.CreateUser(&user) + defer th.App.PermanentDeleteUser(&user) + + if _, err := th.App.AddUserToTeam(th.BasicTeam.Id, ruser.Id, ""); err == nil || err.Where != "JoinUserToTeam" { + t.Log(err) + t.Fatal("Should not add restricted user") + } + }) + + t.Run("allow users by multiple domains", func(t *testing.T) { + th.BasicTeam.AllowedDomains = "foo.com, bar.com" + if _, err := th.App.UpdateTeam(th.BasicTeam); err != nil { + t.Log(err) + t.Fatal("Should update the team") + } + + user1 := model.User{Email: strings.ToLower(model.NewId()) + "success+test@foo.com", Nickname: "Darth Vader", Username: "vader" + model.NewId(), Password: "passwd1", AuthService: ""} + ruser1, _ := th.App.CreateUser(&user1) + user2 := model.User{Email: strings.ToLower(model.NewId()) + "success+test@bar.com", Nickname: "Darth Vader", Username: "vader" + model.NewId(), Password: "passwd1", AuthService: ""} + ruser2, _ := th.App.CreateUser(&user2) + user3 := model.User{Email: strings.ToLower(model.NewId()) + "success+test@invalid.com", Nickname: "Darth Vader", Username: "vader" + model.NewId(), Password: "passwd1", AuthService: ""} + ruser3, _ := th.App.CreateUser(&user3) + defer th.App.PermanentDeleteUser(&user1) + defer th.App.PermanentDeleteUser(&user2) + defer th.App.PermanentDeleteUser(&user3) + + if _, err := th.App.AddUserToTeam(th.BasicTeam.Id, ruser1.Id, ""); err != nil { + t.Log(err) + t.Fatal("Should have allowed whitelisted user1") + } + if _, err := th.App.AddUserToTeam(th.BasicTeam.Id, ruser2.Id, ""); err != nil { + t.Log(err) + t.Fatal("Should have allowed whitelisted user2") + } + if _, err := th.App.AddUserToTeam(th.BasicTeam.Id, ruser3.Id, ""); err == nil || err.Where != "JoinUserToTeam" { + t.Log(err) + t.Fatal("Should not have allowed restricted user3") + } + + }) } func TestAddUserToTeamByToken(t *testing.T) { @@ -158,19 +244,62 @@ func TestAddUserToTeamByToken(t *testing.T) { t.Fatal("The token must be deleted after be used") } }) + + t.Run("block user", func(t *testing.T) { + th.BasicTeam.AllowedDomains = "example.com" + if _, err := th.App.UpdateTeam(th.BasicTeam); err != nil { + t.Log(err) + t.Fatal("Should update the team") + } + + user := model.User{Email: strings.ToLower(model.NewId()) + "test@invalid.com", Nickname: "Darth Vader", Username: "vader" + model.NewId(), Password: "passwd1", AuthService: ""} + ruser, _ := th.App.CreateUser(&user) + defer th.App.PermanentDeleteUser(&user) + + token := model.NewToken( + TOKEN_TYPE_TEAM_INVITATION, + model.MapToJson(map[string]string{"teamId": th.BasicTeam.Id}), + ) + <-th.App.Srv.Store.Token().Save(token) + + if _, err := th.App.AddUserToTeamByToken(ruser.Id, token.Token); err == nil || err.Where != "JoinUserToTeam" { + t.Log(err) + t.Fatal("Should not add restricted user") + } + }) } func TestAddUserToTeamByTeamId(t *testing.T) { th := Setup().InitBasic() defer th.TearDown() - user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@example.com", Nickname: "Darth Vader", Username: "vader" + model.NewId(), Password: "passwd1", AuthService: ""} - ruser, _ := th.App.CreateUser(&user) + t.Run("add user", func(t *testing.T) { + user := model.User{Email: strings.ToLower(model.NewId()) + "success+test@example.com", Nickname: "Darth Vader", Username: "vader" + model.NewId(), Password: "passwd1", AuthService: ""} + ruser, _ := th.App.CreateUser(&user) + + if err := th.App.AddUserToTeamByTeamId(th.BasicTeam.Id, ruser); err != nil { + t.Log(err) + t.Fatal("Should add user to the team") + } + }) + + t.Run("block user", func(t *testing.T) { + th.BasicTeam.AllowedDomains = "example.com" + if _, err := th.App.UpdateTeam(th.BasicTeam); err != nil { + t.Log(err) + t.Fatal("Should update the team") + } + + user := model.User{Email: strings.ToLower(model.NewId()) + "test@invalid.com", Nickname: "Darth Vader", Username: "vader" + model.NewId(), Password: "passwd1", AuthService: ""} + ruser, _ := th.App.CreateUser(&user) + defer th.App.PermanentDeleteUser(&user) + + if err := th.App.AddUserToTeamByTeamId(th.BasicTeam.Id, ruser); err == nil || err.Where != "JoinUserToTeam" { + t.Log(err) + t.Fatal("Should not add restricted user") + } + }) - if err := th.App.AddUserToTeamByTeamId(th.BasicTeam.Id, ruser); err != nil { - t.Log(err) - t.Fatal("Should add user to the team") - } } func TestPermanentDeleteTeam(t *testing.T) { @@ -264,7 +393,7 @@ func TestSanitizeTeam(t *testing.T) { } sanitized := th.App.SanitizeTeam(session, copyTeam()) - if sanitized.Email != "" && sanitized.AllowedDomains != "" { + if sanitized.Email != "" { t.Fatal("should've sanitized team") } }) @@ -283,7 +412,7 @@ func TestSanitizeTeam(t *testing.T) { } sanitized := th.App.SanitizeTeam(session, copyTeam()) - if sanitized.Email != "" && sanitized.AllowedDomains != "" { + if sanitized.Email != "" { t.Fatal("should've sanitized team") } }) @@ -302,7 +431,7 @@ func TestSanitizeTeam(t *testing.T) { } sanitized := th.App.SanitizeTeam(session, copyTeam()) - if sanitized.Email == "" && sanitized.AllowedDomains == "" { + if sanitized.Email == "" { t.Fatal("shouldn't have sanitized team") } }) @@ -321,7 +450,7 @@ func TestSanitizeTeam(t *testing.T) { } sanitized := th.App.SanitizeTeam(session, copyTeam()) - if sanitized.Email != "" && sanitized.AllowedDomains != "" { + if sanitized.Email != "" { t.Fatal("should've sanitized team") } }) @@ -340,7 +469,7 @@ func TestSanitizeTeam(t *testing.T) { } sanitized := th.App.SanitizeTeam(session, copyTeam()) - if sanitized.Email == "" && sanitized.AllowedDomains == "" { + if sanitized.Email == "" { t.Fatal("shouldn't have sanitized team") } }) @@ -359,7 +488,7 @@ func TestSanitizeTeam(t *testing.T) { } sanitized := th.App.SanitizeTeam(session, copyTeam()) - if sanitized.Email == "" && sanitized.AllowedDomains == "" { + if sanitized.Email == "" { t.Fatal("shouldn't have sanitized team") } }) @@ -402,11 +531,11 @@ func TestSanitizeTeams(t *testing.T) { sanitized := th.App.SanitizeTeams(session, teams) - if sanitized[0].Email != "" && sanitized[0].AllowedDomains != "" { + if sanitized[0].Email != "" { t.Fatal("should've sanitized first team") } - if sanitized[1].Email == "" && sanitized[1].AllowedDomains == "" { + if sanitized[1].Email == "" { t.Fatal("shouldn't have sanitized second team") } }) @@ -439,11 +568,11 @@ func TestSanitizeTeams(t *testing.T) { sanitized := th.App.SanitizeTeams(session, teams) - if sanitized[0].Email == "" && sanitized[0].AllowedDomains == "" { + if sanitized[0].Email == "" { t.Fatal("shouldn't have sanitized first team") } - if sanitized[1].Email == "" && sanitized[1].AllowedDomains == "" { + if sanitized[1].Email == "" { t.Fatal("shouldn't have sanitized second team") } }) |