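package users

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"testing"
	"time"

	portainer "github.com/portainer/portainer/api"
	"github.com/portainer/portainer/api/apikey"
	"github.com/portainer/portainer/api/datastore"
	"github.com/portainer/portainer/api/demo"
	"github.com/portainer/portainer/api/http/security"
	"github.com/portainer/portainer/api/internal/authorization"
	"github.com/portainer/portainer/api/jwt"
	"github.com/stretchr/testify/assert"
)

// listUsers issues GET /users as the bearer of token, optionally filtered by
// query (nil or empty for no filter), and returns the HTTP status plus the
// decoded user list. The body is decoded only on a 200: an error response is
// not a JSON array, and decoding it would surface a misleading unmarshal
// failure instead of the real status mismatch.
func listUsers(t *testing.T, h http.Handler, token string, query url.Values) (int, []portainer.User) {
	t.Helper()
	is := assert.New(t)

	target := "/users"
	if len(query) > 0 {
		target += "?" + query.Encode()
	}

	req := httptest.NewRequest(http.MethodGet, target, nil)
	req.Header.Add("Authorization", "Bearer "+token)
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)

	if rr.Code != http.StatusOK {
		return rr.Code, nil
	}

	body, err := io.ReadAll(rr.Body)
	is.NoError(err, "ReadAll should not return error")

	var users []portainer.User
	err = json.Unmarshal(body, &users)
	is.NoError(err, "response should be list json")

	return rr.Code, users
}

// environmentQuery builds the ?environmentId=<id> filter accepted by GET /users.
func environmentQuery(id portainer.EndpointID) url.Values {
	params := url.Values{}
	params.Add("environmentId", fmt.Sprintf("%d", id))
	return params
}

// assertOnlyUser checks that a filtered listing contains exactly the single
// user expected to hold access to the environment, and nobody else.
func assertOnlyUser(t *testing.T, users []portainer.User, want portainer.UserID) {
	t.Helper()
	is := assert.New(t)

	is.Len(users, 1)
	if len(users) == 1 {
		is.Equal(want, users[0].ID)
	}
}

// Test_userList covers GET /users: the endpoint is admin-only, and with an
// environmentId filter it must return exactly the users that can reach that
// environment, whether the access is granted directly, via an environment
// group, via a team, or via a team that belongs to an environment group.
//
// Each subtest binds its own assert instance to the subtest's *testing.T so
// that failures are attributed to the subtest rather than the parent.
func Test_userList(t *testing.T) {
	is := assert.New(t)
	_, store := datastore.MustNewTestStore(t, true, true)

	// create admin and standard user(s)
	adminUser := &portainer.User{ID: 1, Username: "admin", Role: portainer.AdministratorRole}
	err := store.User().Create(adminUser)
	is.NoError(err, "error creating admin user")

	// setup services
	jwtService, err := jwt.NewService("1h", store)
	is.NoError(err, "Error initiating jwt service")
	apiKeyService := apikey.NewAPIKeyService(store.APIKeyRepository(), store.User())
	requestBouncer := security.NewRequestBouncer(store, jwtService, apiKeyService)
	rateLimiter := security.NewRateLimiter(10, 1*time.Second, 1*time.Hour)
	passwordChecker := security.NewPasswordStrengthChecker(store.SettingsService)

	h := NewHandler(requestBouncer, rateLimiter, apiKeyService, &demo.Service{}, passwordChecker)
	h.DataStore = store

	// generate admin user tokens; a failed token generation would otherwise
	// silently turn every admin request into an auth failure
	adminJWT, err := jwtService.GenerateToken(&portainer.TokenData{ID: adminUser.ID, Username: adminUser.Username, Role: adminUser.Role})
	is.NoError(err, "error generating admin token")

	// Case 1: the user is given the endpoint access directly
	userWithEndpointAccess := &portainer.User{
		ID:                      2,
		Username:                "standard-user-with-endpoint-access",
		Role:                    portainer.StandardUserRole,
		PortainerAuthorizations: authorization.DefaultPortainerAuthorizations(),
	}
	err = store.User().Create(userWithEndpointAccess)
	is.NoError(err, "error creating user")

	userWithoutEndpointAccess := &portainer.User{
		ID:                      3,
		Username:                "standard-user-without-endpoint-access",
		Role:                    portainer.StandardUserRole,
		PortainerAuthorizations: authorization.DefaultPortainerAuthorizations(),
	}
	err = store.User().Create(userWithoutEndpointAccess)
	is.NoError(err, "error creating user")

	// create environment group
	endpointGroup := &portainer.EndpointGroup{ID: 1, Name: "default-endpoint-group"}
	err = store.EndpointGroup().Create(endpointGroup)
	is.NoError(err, "error creating endpoint group")

	// create endpoint and user access policies
	userAccessPolicies := portainer.UserAccessPolicies{
		userWithEndpointAccess.ID: {RoleID: portainer.RoleID(userWithEndpointAccess.Role)},
	}
	endpointWithUserAccessPolicy := &portainer.Endpoint{ID: 1, UserAccessPolicies: userAccessPolicies, GroupID: endpointGroup.ID}
	err = store.Endpoint().Create(endpointWithUserAccessPolicy)
	is.NoError(err, "error creating endpoint")

	// named standardUserJWT rather than jwt so the local does not shadow the
	// imported jwt package
	standardUserJWT, err := jwtService.GenerateToken(&portainer.TokenData{ID: userWithEndpointAccess.ID, Username: userWithEndpointAccess.Username, Role: userWithEndpointAccess.Role})
	is.NoError(err, "error generating standard user token")

	t.Run("admin user can successfully list all users", func(t *testing.T) {
		is := assert.New(t)

		code, resp := listUsers(t, h, adminJWT, nil)
		is.Equal(http.StatusOK, code)
		// admin plus the two standard users created so far
		is.Len(resp, 3)
		// NOTE(review): if portainer.User carries credential material, the
		// handler should scrub it before returning the list — worth asserting
		// here once confirmed against the handler implementation.
	})

	t.Run("admin user can list users who are given the endpoint access directly", func(t *testing.T) {
		is := assert.New(t)

		code, resp := listUsers(t, h, adminJWT, environmentQuery(endpointWithUserAccessPolicy.ID))
		is.Equal(http.StatusOK, code)
		assertOnlyUser(t, resp, userWithEndpointAccess.ID)
	})

	// negative control: the listing exposes every account, so a standard user
	// must be refused even though they hold access to an environment
	t.Run("standard user cannot list users", func(t *testing.T) {
		is := assert.New(t)

		code, _ := listUsers(t, h, standardUserJWT, nil)
		is.Equal(http.StatusForbidden, code)
	})

	// Case 2: the user is under an environment group and the environment group has endpoint access.
	// the user inherits the endpoint access from the environment group
	// create user
	userUnderGroup := &portainer.User{
		ID:                      4,
		Username:                "standard-user-under-environment-group",
		Role:                    portainer.StandardUserRole,
		PortainerAuthorizations: authorization.DefaultPortainerAuthorizations(),
	}
	err = store.User().Create(userUnderGroup)
	is.NoError(err, "error creating user")

	// create environment group including a user
	userAccessPoliciesUnderGroup := portainer.UserAccessPolicies{
		userUnderGroup.ID: {RoleID: portainer.RoleID(userUnderGroup.Role)},
	}
	endpointGroupWithUser := &portainer.EndpointGroup{ID: 2, Name: "endpoint-group-with-user", UserAccessPolicies: userAccessPoliciesUnderGroup}
	err = store.EndpointGroup().Create(endpointGroupWithUser)
	is.NoError(err, "error creating endpoint group")

	// create endpoint
	endpointUnderGroupWithUser := &portainer.Endpoint{ID: 2, GroupID: endpointGroupWithUser.ID}
	err = store.Endpoint().Create(endpointUnderGroupWithUser)
	is.NoError(err, "error creating endpoint")

	t.Run("admin user can list users who inherit endpoint access from an environment group", func(t *testing.T) {
		is := assert.New(t)

		code, resp := listUsers(t, h, adminJWT, environmentQuery(endpointUnderGroupWithUser.ID))
		is.Equal(http.StatusOK, code)
		assertOnlyUser(t, resp, userUnderGroup.ID)
	})

	// Case 3: the user is under a team and the team is under an environment group.
	// the environment group is given the endpoint access.
	// both user and team should inherit the endpoint access from the environment group
	// create a team including a user
	teamUnderGroup := &portainer.Team{ID: 1, Name: "team-under-environment-group"}
	err = store.Team().Create(teamUnderGroup)
	is.NoError(err, "error creating team")

	// ID 5: the original fixture reused ID 4 here, colliding with
	// userUnderGroup; every user in this test now has a distinct ID
	userUnderTeam := &portainer.User{
		ID:                      5,
		Username:                "standard-user-under-team",
		Role:                    portainer.StandardUserRole,
		PortainerAuthorizations: authorization.DefaultPortainerAuthorizations(),
	}
	err = store.User().Create(userUnderTeam)
	is.NoError(err, "error creating user")

	teamMembership := &portainer.TeamMembership{ID: 1, UserID: userUnderTeam.ID, TeamID: teamUnderGroup.ID}
	err = store.TeamMembership().Create(teamMembership)
	is.NoError(err, "error creating team membership")

	// create environment group including a team
	teamAccessPoliciesUnderGroup := portainer.TeamAccessPolicies{
		teamUnderGroup.ID: {RoleID: portainer.RoleID(userUnderTeam.Role)},
	}
	endpointGroupWithTeam := &portainer.EndpointGroup{ID: 3, Name: "endpoint-group-with-team", TeamAccessPolicies: teamAccessPoliciesUnderGroup}
	err = store.EndpointGroup().Create(endpointGroupWithTeam)
	is.NoError(err, "error creating endpoint group")

	// create endpoint
	endpointUnderGroupWithTeam := &portainer.Endpoint{ID: 3, GroupID: endpointGroupWithTeam.ID}
	err = store.Endpoint().Create(endpointUnderGroupWithTeam)
	is.NoError(err, "error creating endpoint")

	t.Run("admin user can list users who inherit endpoint access from a team that inherit from an environment group", func(t *testing.T) {
		is := assert.New(t)

		code, resp := listUsers(t, h, adminJWT, environmentQuery(endpointUnderGroupWithTeam.ID))
		is.Equal(http.StatusOK, code)
		assertOnlyUser(t, resp, userUnderTeam.ID)
	})

	// Case 4: the user is under a team and the team is given the endpoint access
	// the user inherits the endpoint access from the team
	// create a team including a user
	teamWithEndpointAccess := &portainer.Team{ID: 2, Name: "team-with-endpoint-access"}
	err = store.Team().Create(teamWithEndpointAccess)
	is.NoError(err, "error creating team")

	userUnderTeamWithEndpointAccess := &portainer.User{
		ID:                      6,
		Username:                "standard-user-under-team-with-endpoint-access",
		Role:                    portainer.StandardUserRole,
		PortainerAuthorizations: authorization.DefaultPortainerAuthorizations(),
	}
	err = store.User().Create(userUnderTeamWithEndpointAccess)
	is.NoError(err, "error creating user")

	teamMembershipWithEndpointAccess := &portainer.TeamMembership{ID: 2, UserID: userUnderTeamWithEndpointAccess.ID, TeamID: teamWithEndpointAccess.ID}
	err = store.TeamMembership().Create(teamMembershipWithEndpointAccess)
	is.NoError(err, "error creating team membership")

	// create environment group
	endpointGroupWithoutTeam := &portainer.EndpointGroup{ID: 4, Name: "endpoint-group-without-team"}
	err = store.EndpointGroup().Create(endpointGroupWithoutTeam)
	is.NoError(err, "error creating endpoint group")

	// create endpoint and team access policies
	teamAccessPolicies := portainer.TeamAccessPolicies{
		teamWithEndpointAccess.ID: {RoleID: portainer.RoleID(userUnderTeamWithEndpointAccess.Role)},
	}
	endpointWithTeamAccessPolicy := &portainer.Endpoint{ID: 4, TeamAccessPolicies: teamAccessPolicies, GroupID: endpointGroupWithoutTeam.ID}
	err = store.Endpoint().Create(endpointWithTeamAccessPolicy)
	is.NoError(err, "error creating endpoint")

	t.Run("admin user can list users who inherit endpoint access from a team", func(t *testing.T) {
		is := assert.New(t)

		code, resp := listUsers(t, h, adminJWT, environmentQuery(endpointWithTeamAccessPolicy.ID))
		is.Equal(http.StatusOK, code)
		assertOnlyUser(t, resp, userUnderTeamWithEndpointAccess.ID)
	})
}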