Merge 16af3ec into c10396e

cloudtrust · Feb 28, 2020 · ec8e19a · ec8e19a
2 parents c10396e + 16af3ec
commit ec8e19a
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 17 deletions.
diff --git a/internal/messages/errormessages.go b/internal/messages/errormessages.go
@@ -41,6 +41,7 @@ const (
 	Name                              = "name"
 	GroupIDs                          = "groupIds"
 	RoleID                            = "roleId"
+	CredentialID                      = "credentialID"
 	Locale                            = "locale"
 	Description                       = "description"
 	ContainerID                       = "containerId"

diff --git a/pkg/management/component.go b/pkg/management/component.go
@@ -769,6 +769,20 @@ func (c *component) DeleteCredentialsForUser(ctx context.Context, realmName stri
 		return err
 	}
 
+	// Ensure the credential is owned by user
+	var ownedByUser = false
+	for _, credKc := range credsKc {
+		if *credKc.Id == credentialID {
+			ownedByUser = true
+			break
+		}
+	}
+
+	if !ownedByUser {
+		c.logger.Warn(ctx, "msg", "Try to delete credential of another user", "credId", credentialID, "userId", userID)
+		return errorhandler.CreateNotFoundError(msg.MsgErrInvalidParam + "." + msg.CredentialID)
+	}
+
 	err = c.keycloakClient.DeleteCredential(accessToken, realmName, userID, credentialID)
 	if err != nil {
 		c.logger.Warn(ctx, "err", err.Error())

diff --git a/pkg/management/component_test.go b/pkg/management/component_test.go
@@ -1999,21 +1999,28 @@ func TestDeleteCredentialsForUser(t *testing.T) {
 	var realmName = "master"
 	var userID = "1245-7854-8963"
 	var credential = "987-654-321"
+	var typeCred = "otp-push"
 
-	// Delete credentials for user
-	{
-		mockKeycloakClient.EXPECT().GetCredentials(accessToken, realmName, userID).Return([]kc.CredentialRepresentation{}, nil).Times(1)
+	t.Run("Delete credentials for user", func(t *testing.T) {
+		mockKeycloakClient.EXPECT().GetCredentials(accessToken, realmName, userID).Return([]kc.CredentialRepresentation{
+			kc.CredentialRepresentation{
+				Id:   &credential,
+				Type: &typeCred,
+			},
+		}, nil).Times(1)
 		mockKeycloakClient.EXPECT().DeleteCredential(accessToken, realmName, userID, credential).Return(nil).Times(1)
 
 		var ctx = context.WithValue(context.Background(), cs.CtContextAccessToken, accessToken)
 		ctx = context.WithValue(ctx, cs.CtContextRealm, realmReq)
 
+		mockEventDBModule.EXPECT().ReportEvent(ctx, "2ND_FACTOR_REMOVED", "back-office", database.CtEventRealmName, realmName, database.CtEventUserID, userID)
+
 		err := managementComponent.DeleteCredentialsForUser(ctx, realmName, userID, credential)
 
 		assert.Nil(t, err)
-	}
-	// Delete credentials for user - error at obtaining the list of credentials
-	{
+	})
+
+	t.Run("Delete credentials for user - error at obtaining the list of credentials", func(t *testing.T) {
 		mockKeycloakClient.EXPECT().GetCredentials(accessToken, realmName, userID).Return([]kc.CredentialRepresentation{}, errors.New("error")).Times(1)
 		mockLogger.EXPECT().Warn(gomock.Any(), "msg", "Could not obtain list of credentials", "err", "error")
 
@@ -2022,23 +2029,37 @@ func TestDeleteCredentialsForUser(t *testing.T) {
 
 		err := managementComponent.DeleteCredentialsForUser(ctx, realmName, userID, credential)
 		assert.NotNil(t, err)
+	})
 
-	}
-	// Delete credentials for user - error at deleting the credential
-	{
+	t.Run("Delete credentials for user - try to delete credential of another user", func(t *testing.T) {
 		mockKeycloakClient.EXPECT().GetCredentials(accessToken, realmName, userID).Return([]kc.CredentialRepresentation{}, nil).Times(1)
+
+		var ctx = context.WithValue(context.Background(), cs.CtContextAccessToken, accessToken)
+		ctx = context.WithValue(ctx, cs.CtContextRealm, realmReq)
+
+		mockLogger.EXPECT().Warn(ctx, "msg", "Try to delete credential of another user", "credId", credential, "userId", userID)
+
+		err := managementComponent.DeleteCredentialsForUser(ctx, realmName, userID, credential)
+		assert.NotNil(t, err)
+	})
+
+	t.Run("Delete credentials for user - error at deleting the credential", func(t *testing.T) {
+		mockKeycloakClient.EXPECT().GetCredentials(accessToken, realmName, userID).Return([]kc.CredentialRepresentation{
+			kc.CredentialRepresentation{
+				Id:   &credential,
+				Type: &typeCred,
+			},
+		}, nil).Times(1)
 		mockKeycloakClient.EXPECT().DeleteCredential(accessToken, realmName, userID, credential).Return(errors.New("error")).Times(1)
 		mockLogger.EXPECT().Warn(gomock.Any(), "err", "error")
 		var ctx = context.WithValue(context.Background(), cs.CtContextAccessToken, accessToken)
 		ctx = context.WithValue(ctx, cs.CtContextRealm, realmReq)
 
 		err := managementComponent.DeleteCredentialsForUser(ctx, realmName, userID, credential)
 		assert.NotNil(t, err)
+	})
 
-	}
-	// Delete credentials for user
-	{
-
+	t.Run("Delete credentials for user", func(t *testing.T) {
 		pwdId := "51389847-08f4-4a0f-9f9c-694554e626f2"
 		pwd := "password"
 		var credKcPwd = kc.CredentialRepresentation{
@@ -2067,10 +2088,9 @@ func TestDeleteCredentialsForUser(t *testing.T) {
 		err := managementComponent.DeleteCredentialsForUser(ctx, realmName, userID, otpId)
 
 		assert.Nil(t, err)
-	}
-	// Delete credentials for user - error at storing the event
-	{
+	})
 
+	t.Run("Delete credentials for user - error at storing the event", func(t *testing.T) {
 		pwdId := "51389847-08f4-4a0f-9f9c-694554e626f2"
 		pwd := "password"
 		var credKcPwd = kc.CredentialRepresentation{
@@ -2101,7 +2121,7 @@ func TestDeleteCredentialsForUser(t *testing.T) {
 		err := managementComponent.DeleteCredentialsForUser(ctx, realmName, userID, otpId)
 
 		assert.Nil(t, err)
-	}
+	})
 
 }