mirror of https://github.com/go-gitea/gitea.git
121 lines
5.6 KiB
Go
121 lines
5.6 KiB
Go
// Copyright 2023 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package cmd
|
|
|
|
import (
|
|
"fmt"
|
|
"strings"
|
|
"testing"
|
|
|
|
auth_model "code.gitea.io/gitea/models/auth"
|
|
"code.gitea.io/gitea/models/db"
|
|
"code.gitea.io/gitea/models/unittest"
|
|
user_model "code.gitea.io/gitea/models/user"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestAdminUserCreate(t *testing.T) {
|
|
app := NewMainApp(AppVersion{})
|
|
|
|
reset := func() {
|
|
require.NoError(t, db.TruncateBeans(db.DefaultContext, &user_model.User{}))
|
|
require.NoError(t, db.TruncateBeans(db.DefaultContext, &user_model.EmailAddress{}))
|
|
require.NoError(t, db.TruncateBeans(db.DefaultContext, &auth_model.AccessToken{}))
|
|
}
|
|
|
|
t.Run("MustChangePassword", func(t *testing.T) {
|
|
type check struct {
|
|
IsAdmin bool
|
|
MustChangePassword bool
|
|
}
|
|
createCheck := func(name, args string) check {
|
|
require.NoError(t, app.Run(strings.Fields(fmt.Sprintf("./gitea admin user create --username %s --email %s@gitea.local %s --password foobar", name, name, args))))
|
|
u := unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: name})
|
|
return check{IsAdmin: u.IsAdmin, MustChangePassword: u.MustChangePassword}
|
|
}
|
|
reset()
|
|
assert.Equal(t, check{IsAdmin: false, MustChangePassword: false}, createCheck("u", ""), "first non-admin user doesn't need to change password")
|
|
|
|
reset()
|
|
assert.Equal(t, check{IsAdmin: true, MustChangePassword: false}, createCheck("u", "--admin"), "first admin user doesn't need to change password")
|
|
|
|
reset()
|
|
assert.Equal(t, check{IsAdmin: true, MustChangePassword: true}, createCheck("u", "--admin --must-change-password"))
|
|
assert.Equal(t, check{IsAdmin: true, MustChangePassword: true}, createCheck("u2", "--admin"))
|
|
assert.Equal(t, check{IsAdmin: true, MustChangePassword: false}, createCheck("u3", "--admin --must-change-password=false"))
|
|
assert.Equal(t, check{IsAdmin: false, MustChangePassword: true}, createCheck("u4", ""))
|
|
assert.Equal(t, check{IsAdmin: false, MustChangePassword: false}, createCheck("u5", "--must-change-password=false"))
|
|
})
|
|
|
|
createUser := func(name, args string) error {
|
|
return app.Run(strings.Fields(fmt.Sprintf("./gitea admin user create --username %s --email %s@gitea.local %s", name, name, args)))
|
|
}
|
|
|
|
t.Run("UserType", func(t *testing.T) {
|
|
reset()
|
|
assert.ErrorContains(t, createUser("u", "--user-type invalid"), "invalid user type")
|
|
assert.ErrorContains(t, createUser("u", "--user-type bot --password 123"), "can only be set for individual users")
|
|
assert.ErrorContains(t, createUser("u", "--user-type bot --must-change-password"), "can only be set for individual users")
|
|
|
|
assert.NoError(t, createUser("u", "--user-type bot"))
|
|
u := unittest.AssertExistsAndLoadBean(t, &user_model.User{LowerName: "u"})
|
|
assert.Equal(t, user_model.UserTypeBot, u.Type)
|
|
assert.Empty(t, u.Passwd)
|
|
})
|
|
|
|
t.Run("AccessToken", func(t *testing.T) {
|
|
// no generated access token
|
|
reset()
|
|
assert.NoError(t, createUser("u", "--random-password"))
|
|
assert.Equal(t, 1, unittest.GetCount(t, &user_model.User{}))
|
|
assert.Equal(t, 0, unittest.GetCount(t, &auth_model.AccessToken{}))
|
|
|
|
// using "--access-token" only means "all" access
|
|
reset()
|
|
assert.NoError(t, createUser("u", "--random-password --access-token"))
|
|
assert.Equal(t, 1, unittest.GetCount(t, &user_model.User{}))
|
|
assert.Equal(t, 1, unittest.GetCount(t, &auth_model.AccessToken{}))
|
|
accessToken := unittest.AssertExistsAndLoadBean(t, &auth_model.AccessToken{Name: "gitea-admin"})
|
|
hasScopes, err := accessToken.Scope.HasScope(auth_model.AccessTokenScopeWriteAdmin, auth_model.AccessTokenScopeWriteRepository)
|
|
assert.NoError(t, err)
|
|
assert.True(t, hasScopes)
|
|
|
|
// using "--access-token" with name & scopes
|
|
reset()
|
|
assert.NoError(t, createUser("u", "--random-password --access-token --access-token-name new-token-name --access-token-scopes read:issue,read:user"))
|
|
assert.Equal(t, 1, unittest.GetCount(t, &user_model.User{}))
|
|
assert.Equal(t, 1, unittest.GetCount(t, &auth_model.AccessToken{}))
|
|
accessToken = unittest.AssertExistsAndLoadBean(t, &auth_model.AccessToken{Name: "new-token-name"})
|
|
hasScopes, err = accessToken.Scope.HasScope(auth_model.AccessTokenScopeReadIssue, auth_model.AccessTokenScopeReadUser)
|
|
assert.NoError(t, err)
|
|
assert.True(t, hasScopes)
|
|
hasScopes, err = accessToken.Scope.HasScope(auth_model.AccessTokenScopeWriteAdmin, auth_model.AccessTokenScopeWriteRepository)
|
|
assert.NoError(t, err)
|
|
assert.False(t, hasScopes)
|
|
|
|
// using "--access-token-name" without "--access-token"
|
|
reset()
|
|
err = createUser("u", "--random-password --access-token-name new-token-name")
|
|
assert.Equal(t, 0, unittest.GetCount(t, &user_model.User{}))
|
|
assert.Equal(t, 0, unittest.GetCount(t, &auth_model.AccessToken{}))
|
|
assert.ErrorContains(t, err, "access-token-name and access-token-scopes flags are only valid when access-token flag is set")
|
|
|
|
// using "--access-token-scopes" without "--access-token"
|
|
reset()
|
|
err = createUser("u", "--random-password --access-token-scopes read:issue")
|
|
assert.Equal(t, 0, unittest.GetCount(t, &user_model.User{}))
|
|
assert.Equal(t, 0, unittest.GetCount(t, &auth_model.AccessToken{}))
|
|
assert.ErrorContains(t, err, "access-token-name and access-token-scopes flags are only valid when access-token flag is set")
|
|
|
|
// empty permission
|
|
reset()
|
|
err = createUser("u", "--random-password --access-token --access-token-scopes public-only")
|
|
assert.Equal(t, 0, unittest.GetCount(t, &user_model.User{}))
|
|
assert.Equal(t, 0, unittest.GetCount(t, &auth_model.AccessToken{}))
|
|
assert.ErrorContains(t, err, "access token does not have any permission")
|
|
})
|
|
}
|