gitea/integrations/api_admin_test.go

// Copyright 2017 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.

package integrations

import (
	"fmt"
	"net/http"
	"testing"

	"code.gitea.io/gitea/models"
	api "code.gitea.io/sdk/gitea"

	"github.com/stretchr/testify/assert"
)

func TestAPIAdminCreateAndDeleteSSHKey(t *testing.T) {
	prepareTestEnv(t)
	// user1 is an admin user
	session := loginUser(t, "user1")
	keyOwner := models.AssertExistsAndLoadBean(t, &models.User{Name: "user2"}).(*models.User)

	token := getTokenForLoggedInUser(t, session)
	urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys?token=%s", keyOwner.Name, token)
	req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
		"key":   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAu7tvIvX6ZHrRXuZNfkR3XLHSsuCK9Zn3X58lxBcQzuo5xZgB6vRwwm/QtJuF+zZPtY5hsQILBLmF+BZ5WpKZp1jBeSjH2G7lxet9kbcH+kIVj0tPFEoyKI9wvWqIwC4prx/WVk2wLTJjzBAhyNxfEq7C9CeiX9pQEbEqJfkKCQ== nocomment\n",
		"title": "test-key",
	})
	resp := session.MakeRequest(t, req, http.StatusCreated)

	var newPublicKey api.PublicKey
	DecodeJSON(t, resp, &newPublicKey)
	models.AssertExistsAndLoadBean(t, &models.PublicKey{
		ID:          newPublicKey.ID,
		Name:        newPublicKey.Title,
		Content:     newPublicKey.Key,
		Fingerprint: newPublicKey.Fingerprint,
		OwnerID:     keyOwner.ID,
	})

	req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token=%s",
		keyOwner.Name, newPublicKey.ID, token)
	session.MakeRequest(t, req, http.StatusNoContent)
	models.AssertNotExistsBean(t, &models.PublicKey{ID: newPublicKey.ID})
}

func TestAPIAdminDeleteMissingSSHKey(t *testing.T) {
	prepareTestEnv(t)
	// user1 is an admin user
	session := loginUser(t, "user1")

	token := getTokenForLoggedInUser(t, session)
	req := NewRequestf(t, "DELETE", "/api/v1/admin/users/user1/keys/%d?token=%s", models.NonexistentID, token)
	session.MakeRequest(t, req, http.StatusNotFound)
}

func TestAPIAdminDeleteUnauthorizedKey(t *testing.T) {
	prepareTestEnv(t)
	adminUsername := "user1"
	normalUsername := "user2"
	session := loginUser(t, adminUsername)

	token := getTokenForLoggedInUser(t, session)
	urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys?token=%s", adminUsername, token)
	req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
		"key":   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAu7tvIvX6ZHrRXuZNfkR3XLHSsuCK9Zn3X58lxBcQzuo5xZgB6vRwwm/QtJuF+zZPtY5hsQILBLmF+BZ5WpKZp1jBeSjH2G7lxet9kbcH+kIVj0tPFEoyKI9wvWqIwC4prx/WVk2wLTJjzBAhyNxfEq7C9CeiX9pQEbEqJfkKCQ== nocomment\n",
		"title": "test-key",
	})
	resp := session.MakeRequest(t, req, http.StatusCreated)
	var newPublicKey api.PublicKey
	DecodeJSON(t, resp, &newPublicKey)

	session = loginUser(t, normalUsername)
	token = getTokenForLoggedInUser(t, session)
	req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token=%s",
		adminUsername, newPublicKey.ID, token)
	session.MakeRequest(t, req, http.StatusForbidden)
}

func TestAPISudoUser(t *testing.T) {
	prepareTestEnv(t)
	adminUsername := "user1"
	normalUsername := "user2"
	session := loginUser(t, adminUsername)
	token := getTokenForLoggedInUser(t, session)

	urlStr := fmt.Sprintf("/api/v1/user?sudo=%s&token=%s", normalUsername, token)
	req := NewRequest(t, "GET", urlStr)
	resp := session.MakeRequest(t, req, http.StatusOK)
	var user api.User
	DecodeJSON(t, resp, &user)

	assert.Equal(t, normalUsername, user.UserName)
}

func TestAPISudoUserForbidden(t *testing.T) {
	prepareTestEnv(t)
	adminUsername := "user1"
	normalUsername := "user2"

	session := loginUser(t, normalUsername)
	token := getTokenForLoggedInUser(t, session)

	urlStr := fmt.Sprintf("/api/v1/user?sudo=%s&token=%s", adminUsername, token)
	req := NewRequest(t, "GET", urlStr)
	session.MakeRequest(t, req, http.StatusForbidden)
}
Delete a user's public key via admin api (closes #3014) (#3059) * Delete a user's public key via admin api * Test admin ssh endpoint for creating a new ssh key * Adapt public ssh key test to also test the delete operation * Test that deleting a missing key will result in a 404 * Test that a normal user can't delete another user's ssh key * Make DeletePublicKey return err * Update swagger doc 2017-12-06 13:27:10 +03:00			`// Copyright 2017 The Gitea Authors. All rights reserved.`
			`// Use of this source code is governed by a MIT-style`
			`// license that can be found in the LICENSE file.`

			`package integrations`

			`import (`
			`"fmt"`
			`"net/http"`
			`"testing"`

			`"code.gitea.io/gitea/models"`
			`api "code.gitea.io/sdk/gitea"`
feat(repo): support search repository by topic name (#4505) * feat(repo): support search repository by topic name 2018-09-13 05:33:48 +03:00
			`"github.com/stretchr/testify/assert"`
Delete a user's public key via admin api (closes #3014) (#3059) * Delete a user's public key via admin api * Test admin ssh endpoint for creating a new ssh key * Adapt public ssh key test to also test the delete operation * Test that deleting a missing key will result in a 404 * Test that a normal user can't delete another user's ssh key * Make DeletePublicKey return err * Update swagger doc 2017-12-06 13:27:10 +03:00			`)`

			`func TestAPIAdminCreateAndDeleteSSHKey(t *testing.T) {`
			`prepareTestEnv(t)`
			`// user1 is an admin user`
			`session := loginUser(t, "user1")`
			`keyOwner := models.AssertExistsAndLoadBean(t, &models.User{Name: "user2"}).(*models.User)`

Enforce token on api routes [fixed critical security issue #4357] (#4840) 2018-09-10 19:15:52 +03:00			`token := getTokenForLoggedInUser(t, session)`
			`urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys?token=%s", keyOwner.Name, token)`
Delete a user's public key via admin api (closes #3014) (#3059) * Delete a user's public key via admin api * Test admin ssh endpoint for creating a new ssh key * Adapt public ssh key test to also test the delete operation * Test that deleting a missing key will result in a 404 * Test that a normal user can't delete another user's ssh key * Make DeletePublicKey return err * Update swagger doc 2017-12-06 13:27:10 +03:00			`req := NewRequestWithValues(t, "POST", urlStr, map[string]string{`
			`"key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAu7tvIvX6ZHrRXuZNfkR3XLHSsuCK9Zn3X58lxBcQzuo5xZgB6vRwwm/QtJuF+zZPtY5hsQILBLmF+BZ5WpKZp1jBeSjH2G7lxet9kbcH+kIVj0tPFEoyKI9wvWqIwC4prx/WVk2wLTJjzBAhyNxfEq7C9CeiX9pQEbEqJfkKCQ== nocomment\n",`
			`"title": "test-key",`
			`})`
			`resp := session.MakeRequest(t, req, http.StatusCreated)`

			`var newPublicKey api.PublicKey`
			`DecodeJSON(t, resp, &newPublicKey)`
			`models.AssertExistsAndLoadBean(t, &models.PublicKey{`
			`ID: newPublicKey.ID,`
			`Name: newPublicKey.Title,`
			`Content: newPublicKey.Key,`
			`Fingerprint: newPublicKey.Fingerprint,`
			`OwnerID: keyOwner.ID,`
			`})`

Fix #5226 by adding CSRF checking to api reqToken and add CSRF to the POST header for deadline (#5250) * Add CSRF checking to reqToken and place CSRF in the post for deadline creation Fixes #5226, #5249 * /api/v1/admin/users routes should have reqToken middleware 2018-11-04 04:15:55 +03:00			`req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token=%s",`
			`keyOwner.Name, newPublicKey.ID, token)`
Delete a user's public key via admin api (closes #3014) (#3059) * Delete a user's public key via admin api * Test admin ssh endpoint for creating a new ssh key * Adapt public ssh key test to also test the delete operation * Test that deleting a missing key will result in a 404 * Test that a normal user can't delete another user's ssh key * Make DeletePublicKey return err * Update swagger doc 2017-12-06 13:27:10 +03:00			`session.MakeRequest(t, req, http.StatusNoContent)`
			`models.AssertNotExistsBean(t, &models.PublicKey{ID: newPublicKey.ID})`
			`}`

			`func TestAPIAdminDeleteMissingSSHKey(t *testing.T) {`
			`prepareTestEnv(t)`
			`// user1 is an admin user`
			`session := loginUser(t, "user1")`

Enforce token on api routes [fixed critical security issue #4357] (#4840) 2018-09-10 19:15:52 +03:00			`token := getTokenForLoggedInUser(t, session)`
Fix #5226 by adding CSRF checking to api reqToken and add CSRF to the POST header for deadline (#5250) * Add CSRF checking to reqToken and place CSRF in the post for deadline creation Fixes #5226, #5249 * /api/v1/admin/users routes should have reqToken middleware 2018-11-04 04:15:55 +03:00			`req := NewRequestf(t, "DELETE", "/api/v1/admin/users/user1/keys/%d?token=%s", models.NonexistentID, token)`
Delete a user's public key via admin api (closes #3014) (#3059) * Delete a user's public key via admin api * Test admin ssh endpoint for creating a new ssh key * Adapt public ssh key test to also test the delete operation * Test that deleting a missing key will result in a 404 * Test that a normal user can't delete another user's ssh key * Make DeletePublicKey return err * Update swagger doc 2017-12-06 13:27:10 +03:00			`session.MakeRequest(t, req, http.StatusNotFound)`
			`}`

			`func TestAPIAdminDeleteUnauthorizedKey(t *testing.T) {`
			`prepareTestEnv(t)`
			`adminUsername := "user1"`
			`normalUsername := "user2"`
			`session := loginUser(t, adminUsername)`

Enforce token on api routes [fixed critical security issue #4357] (#4840) 2018-09-10 19:15:52 +03:00			`token := getTokenForLoggedInUser(t, session)`
			`urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys?token=%s", adminUsername, token)`
Delete a user's public key via admin api (closes #3014) (#3059) * Delete a user's public key via admin api * Test admin ssh endpoint for creating a new ssh key * Adapt public ssh key test to also test the delete operation * Test that deleting a missing key will result in a 404 * Test that a normal user can't delete another user's ssh key * Make DeletePublicKey return err * Update swagger doc 2017-12-06 13:27:10 +03:00			`req := NewRequestWithValues(t, "POST", urlStr, map[string]string{`
			`"key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAu7tvIvX6ZHrRXuZNfkR3XLHSsuCK9Zn3X58lxBcQzuo5xZgB6vRwwm/QtJuF+zZPtY5hsQILBLmF+BZ5WpKZp1jBeSjH2G7lxet9kbcH+kIVj0tPFEoyKI9wvWqIwC4prx/WVk2wLTJjzBAhyNxfEq7C9CeiX9pQEbEqJfkKCQ== nocomment\n",`
			`"title": "test-key",`
			`})`
			`resp := session.MakeRequest(t, req, http.StatusCreated)`
			`var newPublicKey api.PublicKey`
			`DecodeJSON(t, resp, &newPublicKey)`

			`session = loginUser(t, normalUsername)`
Enforce token on api routes [fixed critical security issue #4357] (#4840) 2018-09-10 19:15:52 +03:00			`token = getTokenForLoggedInUser(t, session)`
Fix #5226 by adding CSRF checking to api reqToken and add CSRF to the POST header for deadline (#5250) * Add CSRF checking to reqToken and place CSRF in the post for deadline creation Fixes #5226, #5249 * /api/v1/admin/users routes should have reqToken middleware 2018-11-04 04:15:55 +03:00			`req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token=%s",`
			`adminUsername, newPublicKey.ID, token)`
Delete a user's public key via admin api (closes #3014) (#3059) * Delete a user's public key via admin api * Test admin ssh endpoint for creating a new ssh key * Adapt public ssh key test to also test the delete operation * Test that deleting a missing key will result in a 404 * Test that a normal user can't delete another user's ssh key * Make DeletePublicKey return err * Update swagger doc 2017-12-06 13:27:10 +03:00			`session.MakeRequest(t, req, http.StatusForbidden)`
			`}`
Add sudo functionality to the API (#4809) 2018-09-07 06:31:29 +03:00
			`func TestAPISudoUser(t *testing.T) {`
			`prepareTestEnv(t)`
			`adminUsername := "user1"`
			`normalUsername := "user2"`
			`session := loginUser(t, adminUsername)`
Enforce token on api routes [fixed critical security issue #4357] (#4840) 2018-09-10 19:15:52 +03:00			`token := getTokenForLoggedInUser(t, session)`
Add sudo functionality to the API (#4809) 2018-09-07 06:31:29 +03:00
Enforce token on api routes [fixed critical security issue #4357] (#4840) 2018-09-10 19:15:52 +03:00			`urlStr := fmt.Sprintf("/api/v1/user?sudo=%s&token=%s", normalUsername, token)`
Add sudo functionality to the API (#4809) 2018-09-07 06:31:29 +03:00			`req := NewRequest(t, "GET", urlStr)`
			`resp := session.MakeRequest(t, req, http.StatusOK)`
			`var user api.User`
			`DecodeJSON(t, resp, &user)`

			`assert.Equal(t, normalUsername, user.UserName)`
			`}`

			`func TestAPISudoUserForbidden(t *testing.T) {`
			`prepareTestEnv(t)`
			`adminUsername := "user1"`
			`normalUsername := "user2"`

			`session := loginUser(t, normalUsername)`
Enforce token on api routes [fixed critical security issue #4357] (#4840) 2018-09-10 19:15:52 +03:00			`token := getTokenForLoggedInUser(t, session)`
Add sudo functionality to the API (#4809) 2018-09-07 06:31:29 +03:00
Enforce token on api routes [fixed critical security issue #4357] (#4840) 2018-09-10 19:15:52 +03:00			`urlStr := fmt.Sprintf("/api/v1/user?sudo=%s&token=%s", adminUsername, token)`
Add sudo functionality to the API (#4809) 2018-09-07 06:31:29 +03:00			`req := NewRequest(t, "GET", urlStr)`
			`session.MakeRequest(t, req, http.StatusForbidden)`
			`}`