Disallow creating an admin user when registration #8917

merged 1 commit into from Sep 2, 2019
Disallow creating an admin user when registration

This commit enhances the `POST /api/users` API to block requests from non-admins that would create
an admin user.

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
reasonerjt committed Aug 27, 2019
commit b6db8a8a106259ec9a2c48be8a380cb3b37cf517
@@ -324,6 +324,14 @@ func (ua *UserAPI) Post() {
ua.RenderError(http.StatusBadRequest, "register error:"+err.Error())
return
}

if !ua.IsAdmin && user.HasAdminRole {
msg := "Non-admin cannot create an admin user."
log.Errorf(msg)
ua.SendForbiddenError(errors.New(msg))
return
}

userExist, err := dao.UserExists(user, "username")
if err != nil {
log.Errorf("Error occurred in Register: %v", err)
@@ -346,6 +354,7 @@ func (ua *UserAPI) Post() {
ua.SendConflictError(errors.New("email has already been used"))
return
}

userID, err := dao.Register(user)
if err != nil {
log.Errorf("Error occurred in Register: %v", err)
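Review bot: The guard `if !ua.IsAdmin && user.HasAdminRole` rejects only one privilege-bearing field of a request body the caller fully controls; if the decoded user struct carries other fields a non-admin must not set (an explicit user ID, a deletion or status flag), they still pass through here, which cannot be confirmed from the hunk and is worth checking against the struct definition. `log.Errorf(msg)` hands a variable to the format-string parameter, which the printf vet check flags; `log.Error(msg)` is the intended call. Since any non-admin request can reach this branch at will, error level is noisy for a client-caused 403 — logging at warning level with the requesting user's identity would serve detection better. Post begins and ends outside this hunk, so it is not visible whether `ua.IsAdmin` is populated before this point; presumably in the handler's prepare step, but confirm.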
@@ -45,67 +45,67 @@ func TestUsersPost(t *testing.T) {
common.AUTHMode: "db_auth",
})
// case 1: register a new user without admin auth, expect 400, because self registration is on
fmt.Println("Register user without admin auth")
t.Log("case 1: Register user without admin auth")
code, err := apiTest.UsersPost(testUser0002)
if err != nil {
t.Error("Error occurred while add a test User", err.Error())
t.Log(err)
} else {
assert.Equal(400, code, "Add user status should be 400")
assert.Equal(400, code, "case 1: Add user status should be 400")
}

// case 2: register a new user with admin auth, but username is empty, expect 400
fmt.Println("Register user with admin auth, but username is empty")
t.Log("case 2: Register user with admin auth, but username is empty")
code, err = apiTest.UsersPost(testUser0002, *admin)
if err != nil {
t.Error("Error occurred while add a user", err.Error())
t.Log(err)
} else {
assert.Equal(400, code, "Add user status should be 400")
assert.Equal(400, code, "case 2: Add user status should be 400")
}

// case 3: register a new user with admin auth, but bad username format, expect 400
testUser0002.Username = "test@$"
fmt.Println("Register user with admin auth, but bad username format")
t.Log("case 3: Register user with admin auth, but bad username format")
code, err = apiTest.UsersPost(testUser0002, *admin)
if err != nil {
t.Error("Error occurred while add a user", err.Error())
t.Log(err)
} else {
assert.Equal(400, code, "Add user status should be 400")
assert.Equal(400, code, "case 3: Add user status should be 400")
}

// case 4: register a new user with admin auth, but bad userpassword format, expect 400
testUser0002.Username = "testUser0002"
fmt.Println("Register user with admin auth, but empty password.")
t.Log("case 4: Register user with admin auth, but empty password.")
code, err = apiTest.UsersPost(testUser0002, *admin)
if err != nil {
t.Error("Error occurred while add a user", err.Error())
t.Log(err)
} else {
assert.Equal(400, code, "Add user status should be 400")
assert.Equal(400, code, "case 4: Add user status should be 400")
}

// case 5: register a new user with admin auth, but email is empty, expect 400
testUser0002.Password = "testUser0002"
fmt.Println("Register user with admin auth, but email is empty")
t.Log("case 5: Register user with admin auth, but email is empty")
code, err = apiTest.UsersPost(testUser0002, *admin)
if err != nil {
t.Error("Error occurred while add a user", err.Error())
t.Log(err)
} else {
assert.Equal(400, code, "Add user status should be 400")
assert.Equal(400, code, "case 5: Add user status should be 400")
}

// case 6: register a new user with admin auth, but bad email format, expect 400
testUser0002.Email = "test..."
fmt.Println("Register user with admin auth, but bad email format")
t.Log("case 6: Register user with admin auth, but bad email format")
code, err = apiTest.UsersPost(testUser0002, *admin)
if err != nil {
t.Error("Error occurred while add a user", err.Error())
t.Log(err)
} else {
assert.Equal(400, code, "Add user status should be 400")
assert.Equal(400, code, "case 6: Add user status should be 400")
}

// case 7: register a new user with admin auth, but userrealname is empty, expect 400
@@ -123,59 +123,71 @@ func TestUsersPost(t *testing.T) {
// case 8: register a new user with admin auth, but bad userrealname format, expect 400
testUser0002.Email = "testUser0002@mydomain.com"
testUser0002.Realname = "test$com"
fmt.Println("Register user with admin auth, but bad user realname format")
t.Log("case 8: Register user with admin auth, but bad user realname format")
code, err = apiTest.UsersPost(testUser0002, *admin)
if err != nil {
t.Error("Error occurred while add a user", err.Error())
t.Log(err)

} else {
assert.Equal(400, code, "Add user status should be 400")
assert.Equal(400, code, "case 8: Add user status should be 400")
}

// case 9: register a new user with admin auth, but bad user comment, expect 400
testUser0002.Realname = "testUser0002"
testUser0002.Comment = "vmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm"
fmt.Println("Register user with admin auth, but user comment length is illegal")
t.Log("case 9: Register user with admin auth, but user comment length is illegal")
code, err = apiTest.UsersPost(testUser0002, *admin)
if err != nil {
t.Error("Error occurred while add a user", err.Error())
t.Log(err)
} else {
assert.Equal(400, code, "Add user status should be 400")
assert.Equal(400, code, "case 9: Add user status should be 400")
}

// case 10: register a new user with admin auth, expect 201
fmt.Println("Register user with admin auth, right parameters")
testUser0002.Comment = "test user"

// case 10: register an admin using non-admin user, expect 403
t.Log("case 10: Register admin user with non admin auth")
testUser0002.HasAdminRole = true
code, err = apiTest.UsersPost(testUser0002)
if err != nil {
t.Error("Error occurred while add a user", err.Error())
t.Log(err)
} else {
assert.Equal(http.StatusForbidden, code, "case 10: Add user status should be 403")
}
testUser0002.HasAdminRole = false

// case 11: register a new user with admin auth, expect 201
t.Log("case 11: Register user with admin auth, right parameters")
code, err = apiTest.UsersPost(testUser0002, *admin)
if err != nil {
t.Error("Error occurred while add a user", err.Error())
t.Log(err)
} else {
assert.Equal(201, code, "Add user status should be 201")
assert.Equal(201, code, "case 11: Add user status should be 201")
}

// case 11: register duplicate user with admin auth, expect 409
fmt.Println("Register duplicate user with admin auth")
// case 12: register duplicate user with admin auth, expect 409
t.Log("case 12: Register duplicate user with admin auth")
code, err = apiTest.UsersPost(testUser0002, *admin)
if err != nil {
t.Error("Error occurred while add a user", err.Error())
t.Log(err)
} else {
assert.Equal(409, code, "Add user status should be 409")
assert.Equal(409, code, "case 12: Add user status should be 409")
}

// case 12: register a new user with admin auth, but duplicate email, expect 409
fmt.Println("Register user with admin auth, but duplicate email")
// case 13: register a new user with admin auth, but duplicate email, expect 409
t.Log("case 13: Register user with admin auth, but duplicate email")
testUser0002.Username = "testUsertest"
testUser0002.Email = "testUser0002@mydomain.com"
code, err = apiTest.UsersPost(testUser0002, *admin)
if err != nil {
t.Error("Error occurred while add a user", err.Error())
t.Log(err)
} else {
assert.Equal(409, code, "Add user status should be 409")
assert.Equal(409, code, "case 13: Add user status should be 409")
}
}
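Review bot: Case 10 pins the new 403 for a non-admin caller, but nothing in the file exercises the other half of the rule — an admin caller creating a user with `HasAdminRole = true` should still receive 201, and the stored user should carry the admin role; without that case a later change that rejects `HasAdminRole` unconditionally would still pass this file. A case after case 11 using a fresh username and `*admin` would close the gap, though the test's teardown lies outside the hunk, so I cannot confirm it removes an extra user. The ordering of case 10 before case 11 does implicitly prove the rejected request persisted nothing (case 11 would otherwise return 409), which deserves a mention in the case 10 comment, e.g. `// case 10: register an admin using non-admin user, expect 403 (case 11 passing confirms no user was persisted)`.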
