fix: do not label signup user grant as created by system

anything labelled "created by system" is pruned on startup by config loading. since the admin user/grant is not part of the config, it will be pruned.
infrahq · Apr 29, 2022 · 5b900f4 · 5b900f4
1 parent cb6589c
commit 5b900f4
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 1 deletion.
diff --git a/internal/access/signup.go b/internal/access/signup.go
@@ -76,7 +76,7 @@ func Signup(c *gin.Context, name, password string) (*models.Identity, error) {
 		Subject:   uid.NewIdentityPolymorphicID(identity.ID),
 		Privilege: models.InfraAdminRole,
 		Resource:  "infra",
-		CreatedBy: models.CreatedBySystem,
+		CreatedBy: identity.ID,
 	}
 
 	if err := data.CreateGrant(db, grant); err != nil {

diff --git a/internal/server/server_test.go b/internal/server/server_test.go
@@ -1,6 +1,7 @@
 package server
 
 import (
+	"bytes"
 	"context"
 	"crypto/tls"
 	"encoding/json"
@@ -10,6 +11,7 @@ import (
 	"path/filepath"
 	"runtime"
 	"testing"
+	"time"
 
 	"github.com/infrahq/secrets"
 	"github.com/prometheus/client_golang/prometheus"
@@ -346,3 +348,61 @@ func TestServer_GenerateRoutes_UI(t *testing.T) {
 		})
 	}
 }
+
+func TestServer_PersistSignupUser(t *testing.T) {
+	s := setupServer(t, func(_ *testing.T, opts *Options) {
+		opts.EnableSignup = true
+		opts.SessionDuration = time.Minute
+	})
+	routes := s.GenerateRoutes(prometheus.NewRegistry())
+
+	var buf bytes.Buffer
+	email := "admin@email.com"
+	passwd := "supersecretpassword"
+
+	// run signup for "admin@email.com"
+	signupReq := api.SignupRequest{Email: email, Password: passwd}
+	err := json.NewEncoder(&buf).Encode(signupReq)
+	assert.NilError(t, err)
+
+	req := httptest.NewRequest(http.MethodPost, "/v1/signup", &buf)
+	resp := httptest.NewRecorder()
+	routes.ServeHTTP(resp, req)
+	assert.Equal(t, resp.Code, http.StatusCreated, resp.Body.String())
+
+	signupResp := &api.CreateIdentityResponse{}
+	err = json.Unmarshal(resp.Body.Bytes(), signupResp)
+	assert.NilError(t, err)
+
+	// login with "admin@email.com" to get an access key
+	loginReq := api.LoginRequest{PasswordCredentials: &api.LoginRequestPasswordCredentials{Email: email, Password: passwd}}
+	err = json.NewEncoder(&buf).Encode(loginReq)
+	assert.NilError(t, err)
+
+	req = httptest.NewRequest(http.MethodPost, "/v1/login", &buf)
+	resp = httptest.NewRecorder()
+	routes.ServeHTTP(resp, req)
+	assert.Equal(t, resp.Code, http.StatusCreated, resp.Body.String())
+
+	loginResp := &api.LoginResponse{}
+	err = json.Unmarshal(resp.Body.Bytes(), loginResp)
+	assert.NilError(t, err)
+
+	checkAuthenticated := func() {
+		req = httptest.NewRequest(http.MethodGet, "/v1/identities", nil)
+		req.Header.Set("Authorization", "Bearer "+loginResp.AccessKey)
+		resp = httptest.NewRecorder()
+		routes.ServeHTTP(resp, req)
+		assert.Equal(t, resp.Code, http.StatusOK)
+	}
+
+	// try an authenticated endpoint with the access key
+	checkAuthenticated()
+
+	// reload server config
+	err = s.loadConfig(s.options.Config)
+	assert.NilError(t, err)
+
+	// retry the authenticated endpoint
+	checkAuthenticated()
+}