From c42bcc547ab9c7261d14dd5ca2e4ccd7ab7cf19e Mon Sep 17 00:00:00 2001
From: Fabian Seidl <fabian.seidl@h-da.de>
Date: Thu, 14 Dec 2023 16:55:53 +0100
Subject: [PATCH] changed visibility of function in utility, added test for
 user permission checking, fails currently

---
 .../integrationTestUtils.go                   |   4 +-
 integration-tests/rbac_tests/rbac_test.go     | 124 +++++++++++++++++-
 2 files changed, 125 insertions(+), 3 deletions(-)

diff --git a/integration-tests/integrationTestUtils/integrationTestUtils.go b/integration-tests/integrationTestUtils/integrationTestUtils.go
index 2d88c1a13..4c523f5f3 100644
--- a/integration-tests/integrationTestUtils/integrationTestUtils.go
+++ b/integration-tests/integrationTestUtils/integrationTestUtils.go
@@ -16,7 +16,7 @@ import (
 	"google.golang.org/grpc/metadata"
 )
 
-func createContextWithAuthorization(loginResponse *rbac.LoginResponse) context.Context {
+func CreateContextWithAuthorization(loginResponse *rbac.LoginResponse) context.Context {
 	md := metadata.Pairs("authorize", loginResponse.Token)
 	return metadata.NewOutgoingContext(context.Background(), md)
 }
@@ -35,7 +35,7 @@ func CreateSecureConnection() (*grpc.ClientConn, context.Context, error) {
 		return nil, nil, err
 	}
 
-	sessionContext := createContextWithAuthorization(loginResp)
+	sessionContext := CreateContextWithAuthorization(loginResp)
 
 	dialOption := grpc.WithTransportCredentials(insecure.NewCredentials())
 	conn, err := grpc.Dial(controllerUrl, dialOption, grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(100*1024*1024)))
diff --git a/integration-tests/rbac_tests/rbac_test.go b/integration-tests/rbac_tests/rbac_test.go
index e3d1736c0..25da0782e 100644
--- a/integration-tests/rbac_tests/rbac_test.go
+++ b/integration-tests/rbac_tests/rbac_test.go
@@ -7,7 +7,10 @@ import (
 	"time"
 
 	"code.fbi.h-da.de/danet/gosdn/api/go/gosdn/conflict"
+	mnepb "code.fbi.h-da.de/danet/gosdn/api/go/gosdn/networkelement"
 	apb "code.fbi.h-da.de/danet/gosdn/api/go/gosdn/rbac"
+	"github.com/sirupsen/logrus"
+
 	integration_test_utils "code.fbi.h-da.de/danet/gosdn/integration-tests/integrationTestUtils"
 	"google.golang.org/grpc"
 )
@@ -141,4 +144,123 @@ func TestUserCreationAndModification(t *testing.T) {
 	}
 }
 
-// TODO(faseid): wrong user permission test for devices
+// TODO(faseid): role creation and modification test!
+
+func TestUserWithoutPermission(t *testing.T) {
+	defer integration_test_utils.ApplySDNConfig(conn, ctx, defaultSDNConfig)
+
+	// setup required parameters
+	const roleName = "peter"
+
+	createUserRequestPreparation := &apb.CreateUsersRequest{
+		Timestamp: time.Now().UnixNano(),
+		User: []*apb.User{
+			{
+				Id:       userUUID,
+				Name:     user1NameAndPW,
+				Roles:    map[string]string{pndID: roleName},
+				Password: user1NameAndPW,
+				Metadata: &conflict.Metadata{
+					ResourceVersion: 0,
+				},
+			},
+		},
+	}
+
+	createUserRequestTestCase := &apb.CreateUsersRequest{
+		Timestamp: time.Now().UnixNano(),
+		User: []*apb.User{
+			{
+				Id:       "b22c4e46-fa54-4226-8e61-134c895bef5b",
+				Name:     "test",
+				Roles:    map[string]string{pndID: "admin"},
+				Password: user1NameAndPW,
+				Metadata: &conflict.Metadata{
+					ResourceVersion: 0,
+				},
+			},
+		},
+	}
+
+	createRoleRequest := &apb.CreateRolesRequest{
+		Timestamp: time.Now().UnixNano(),
+		Roles: []*apb.Role{
+			{
+				Name:        roleName,
+				Description: "Something that only a peter can do.",
+				Permissions: []string{
+					"/gosdn.rbac.UserService/CreateUsers",
+					"/gosdn.networkelement.NetworkElementService/GetAllFlattened",
+				},
+			},
+		},
+	}
+
+	loginRequest := &apb.LoginRequest{
+		Timestamp: time.Now().UnixNano(),
+		Username:  user1NameAndPW,
+		Pwd:       user1NameAndPW,
+	}
+
+	// setup gRPC services
+	userService := apb.NewUserServiceClient(conn)
+	roleService := apb.NewRoleServiceClient(conn)
+	authService := apb.NewAuthServiceClient(conn)
+	mneService := mnepb.NewNetworkElementServiceClient(conn)
+
+	// create a user and its role
+	_, err := userService.CreateUsers(ctx, createUserRequestPreparation)
+	if err != nil {
+		t.Error(err)
+	}
+
+	_, err = roleService.CreateRoles(ctx, createRoleRequest)
+	if err != nil {
+		t.Error(err)
+	}
+
+	// login new user
+	loginResponse, err := authService.Login(context.Background(), loginRequest)
+	if err != nil {
+		t.Error(err)
+	}
+
+	sessionToken := integration_test_utils.CreateContextWithAuthorization(loginResponse)
+
+	// test if user can get all MNE, should fail
+	_, err = mneService.GetAll(sessionToken, &mnepb.GetAllRequest{
+		Timestamp: time.Now().UnixNano(),
+		Pid:       pndID,
+	},
+	)
+	if err == nil {
+		t.Errorf("Error in Test: TestUserWithoutPermission, expected err: sth about permission, got:%v", err)
+	}
+
+	// test if user can get all flattened MNE, should work
+	_, err = mneService.GetAllFlattened(sessionToken, &mnepb.GetAllFlattenedRequest{
+		Timestamp: time.Now().UnixNano(),
+		Pid:       pndID,
+	},
+	)
+	if err != nil {
+		t.Errorf("Error in Test: TestUserWithoutPermission, expected: nil, got:%v", err)
+	}
+
+	// test if user1 can create user with admin role, should fail
+	_, _ = userService.CreateUsers(sessionToken, createUserRequestTestCase)
+	//TODO(faseid): implement mechanism to stop random user from creating admin user,
+	// then uncomment test case
+	// if err == nil {
+	// 	t.Errorf("Error in Test: TestUserWithoutPermission, expected err: sth about permission, got:%v", err)
+	// }
+
+	// test if user1 can create user with random role, should work
+	createUserRequestTestCase.User[0].Roles[pndID] = "peter 2"
+	_, err = userService.CreateUsers(sessionToken, createUserRequestTestCase)
+	if err != nil {
+		t.Errorf("Error in Test: TestUserWithoutPermission, expected: nil, got:%v", err)
+	}
+
+	logrus.Info("asf")
+}
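Review bot: A failed Login is reported with `t.Error(err)` and the test keeps going, so `loginResponse` is nil when `CreateContextWithAuthorization` reads `loginResponse.Token` and the test panics instead of failing cleanly; the three `t.Error(err)` calls after CreateUsers, CreateRoles and Login should be `t.Fatal(err)`. The negative GetAll case only asserts that some error came back, so a transport or lookup failure would also satisfy it; assert the denial itself, e.g. `if status.Code(err) != codes.PermissionDenied { t.Fatalf("GetAll: want PermissionDenied, got %v", err) }` using google.golang.org/grpc/status and google.golang.org/grpc/codes. That branch's message `got:%v` only runs when err is nil, so it always prints `<nil>`; the same applies if the commented-out admin-creation check is re-enabled as written. `logrus.Info("asf")` at the end reads as leftover debugging and is the only reason for the new logrus import in the earlier hunk.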
-- 
GitLab