extern/netbird
1
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2024-11-07 08:44:07 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix tests

Browse Source 
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
This commit is contained in:
bcmmbaga 2024-11-07 00:19:32 +03:00
parent df6c9a528a
commit 2dfcf42d71
No known key found for this signature in database
GPG Key ID: 511EED5C928AD547
21 changed files with 232 additions and 199 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
dns/nameserver.go
View File

@ -136,6 +136,7 @@ func ParseNameServerURL(nsURL string) (NameServer, error) {
func (g *NameServerGroup) Copy() *NameServerGroup {
nsGroup := &NameServerGroup{
ID: g.ID,
AccountID: g.AccountID,
Name: g.Name,
Description: g.Description,
NameServers: make([]NameServer, len(g.NameServers)),
@ -156,6 +157,7 @@ func (g *NameServerGroup) Copy() *NameServerGroup {
// IsEqual compares one nameserver group with the other
func (g *NameServerGroup) IsEqual(other *NameServerGroup) bool {
return other.ID == g.ID &&
other.AccountID == g.AccountID &&
other.Name == g.Name &&
other.Description == g.Description &&
other.Primary == g.Primary &&

11
management/server/account_test.go
View File

@ -1808,10 +1808,13 @@ func TestDefaultAccountManager_MarkPeerConnected_PeerLoginExpiration(t *testing.
LoginExpirationEnabled: true,
})
require.NoError(t, err, "unable to add peer")
_, err = manager.UpdateAccountSettings(context.Background(), accountID, userID, &Settings{
PeerLoginExpiration: time.Hour,
PeerLoginExpirationEnabled: true,
})
settings, err := manager.GetAccountSettings(context.Background(), accountID, userID)
require.NoError(t, err, "failed to get account settings")
settings.PeerLoginExpirationEnabled = true
settings.PeerLoginExpiration = time.Hour
_, err = manager.UpdateAccountSettings(context.Background(), accountID, userID, settings)
require.NoError(t, err, "expecting to update account settings successfully but got error")
wg := &sync.WaitGroup{}

4
management/server/dns.go
View File

@ -91,7 +91,7 @@ func (am *DefaultAccountManager) GetDNSSettings(ctx context.Context, accountID s
}
if user.IsRegularUser() {
return nil, status.NewUnauthorizedToViewDNSSettingsError()
return nil, status.NewAdminPermissionError()
}
return am.Store.GetAccountDNSSettings(ctx, LockingStrengthShare, accountID)
@ -113,7 +113,7 @@ func (am *DefaultAccountManager) SaveDNSSettings(ctx context.Context, accountID
}
if !user.HasAdminPower() {
return status.NewUnauthorizedToViewDNSSettingsError()
return status.NewAdminPermissionError()
}
oldSettings, err := am.Store.GetAccountDNSSettings(ctx, LockingStrengthUpdate, accountID)

26
management/server/ephemeral_test.go
View File

@ -15,20 +15,6 @@ type MockStore struct {
accountID string
}
//func (s *MockStore) GetAllAccounts(_ context.Context) []*Account {
// return []*Account{s.account}
//}
//func (s *MockStore) GetAccountByPeerID(_ context.Context, peerId string) (*Account, error) {
//
// _, ok := s.account.Peers[peerId]
// if ok {
// return s.account, nil
// }
//
// return nil, status.NewPeerNotFoundError(peerId)
//}
type MocAccountManager struct {
AccountManager
store *MockStore
@ -72,7 +58,9 @@ func TestNewManagerPeerConnected(t *testing.T) {
return startTime
}
store := &MockStore{}
store := &MockStore{
Store: newStore(t),
}
am := MocAccountManager{
store: store,
}
@ -104,7 +92,9 @@ func TestNewManagerPeerDisconnected(t *testing.T) {
return startTime
}
store := &MockStore{}
store := &MockStore{
Store: newStore(t),
}
am := MocAccountManager{
store: store,
}
@ -151,7 +141,7 @@ func seedPeers(store *MockStore, numberOfPeers int, numberOfEphemeralPeers int)
AccountID: accountID,
Ephemeral: false,
}
err = store.SavePeer(context.Background(), LockingStrengthUpdate, accountID, p)
err = store.AddPeerToAccount(context.Background(), p)
if err != nil {
return err
}
@ -164,7 +154,7 @@ func seedPeers(store *MockStore, numberOfPeers int, numberOfEphemeralPeers int)
AccountID: accountID,
Ephemeral: true,
}
err = store.SavePeer(context.Background(), LockingStrengthUpdate, accountID, p)
err = store.AddPeerToAccount(context.Background(), p)
if err != nil {
return err
}

2
management/server/group.go
View File

@ -42,7 +42,7 @@ func (am *DefaultAccountManager) CheckGroupPermissions(ctx context.Context, acco
}
if user.IsRegularUser() && settings.RegularUsersViewBlocked {
return status.NewUnauthorizedToViewGroupsError()
return status.NewAdminPermissionError()
}
return nil

13
management/server/group_test.go
View File

@ -425,21 +425,25 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
err := manager.SaveGroups(context.Background(), account.Id, userID, []*nbgroup.Group{
{
ID: "groupA",
AccountID: account.Id,
Name: "GroupA",
Peers: []string{peer1.ID, peer2.ID},
},
{
ID: "groupB",
AccountID: account.Id,
Name: "GroupB",
Peers: []string{},
},
{
ID: "groupC",
AccountID: account.Id,
Name: "GroupC",
Peers: []string{peer1.ID, peer3.ID},
},
{
ID: "groupD",
AccountID: account.Id,
Name: "GroupD",
Peers: []string{},
},
@ -461,6 +465,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
err := manager.SaveGroup(context.Background(), account.Id, userID, &nbgroup.Group{
ID: "groupB",
AccountID: account.Id,
Name: "GroupB",
Peers: []string{peer1.ID, peer2.ID},
})
@ -532,9 +537,12 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
// adding a group to policy
err = manager.SavePolicy(context.Background(), account.Id, userID, &Policy{
ID: "policy",
AccountID: account.Id,
Enabled: true,
Rules: []*PolicyRule{
{
ID: "rule",
PolicyID: "policy",
Enabled: true,
Sources: []string{"groupA"},
Destinations: []string{"groupA"},
@ -555,6 +563,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
err := manager.SaveGroup(context.Background(), account.Id, userID, &nbgroup.Group{
ID: "groupA",
AccountID: account.Id,
Name: "GroupA",
Peers: []string{peer1.ID, peer2.ID},
})
@ -624,6 +633,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
err := manager.SaveGroup(context.Background(), account.Id, userID, &nbgroup.Group{
ID: "groupC",
AccountID: account.Id,
Name: "GroupC",
Peers: []string{peer1.ID, peer3.ID},
})
@ -640,6 +650,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
t.Run("saving group linked to route", func(t *testing.T) {
newRoute := route.Route{
ID: "route",
AccountID: account.Id,
Network: netip.MustParsePrefix("192.168.0.0/16"),
NetID: "superNet",
NetworkType: route.IPv4Network,
@ -665,6 +676,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
err = manager.SaveGroup(context.Background(), account.Id, userID, &nbgroup.Group{
ID: "groupA",
AccountID: account.Id,
Name: "GroupA",
Peers: []string{peer1.ID, peer2.ID, peer3.ID},
})
@ -692,6 +704,7 @@ func TestGroupAccountPeersUpdate(t *testing.T) {
err = manager.SaveGroup(context.Background(), account.Id, userID, &nbgroup.Group{
ID: "groupD",
AccountID: account.Id,
Name: "GroupD",
Peers: []string{peer1.ID},
})

2
management/server/management_proto_test.go
View File

@ -461,7 +461,7 @@ func createRawClient(addr string) (mgmtProto.ManagementServiceClient, *grpc.Clie
grpc.WithBlock(),
grpc.WithKeepaliveParams(keepalive.ClientParameters{
Time: 10 * time.Second,
Timeout: 2 * time.Second,
Timeout: 200 * time.Second,
}))
if err != nil {
return nil, nil, err

1
management/server/nameserver.go
View File

@ -114,6 +114,7 @@ func (am *DefaultAccountManager) SaveNameServerGroup(ctx context.Context, accoun
if err != nil {
return err
}
nsGroupToSave.AccountID = accountID
if err = am.validateNameServerGroup(ctx, accountID, nsGroupToSave); err != nil {
return err

4
management/server/nameserver_test.go
View File

@ -409,7 +409,7 @@ func TestCreateNameServerGroup(t *testing.T) {
// assign generated ID
testCase.expectedNSGroup.ID = outNSGroup.ID
testCase.expectedNSGroup.AccountID = accountID
if !testCase.expectedNSGroup.IsEqual(outNSGroup) {
t.Errorf("new nameserver group didn't match expected ns group:\nGot %#v\nExpected:%#v\n", outNSGroup, testCase.expectedNSGroup)
}
@ -649,7 +649,6 @@ func TestSaveNameServerGroup(t *testing.T) {
}
err = am.SaveNameServerGroup(context.Background(), accountID, userID, nsGroupToSave)
testCase.errFunc(t, err)
if !testCase.shouldCreate {
@ -659,6 +658,7 @@ func TestSaveNameServerGroup(t *testing.T) {
savedNSGroup, err := am.Store.GetNameServerGroupByID(context.Background(), LockingStrengthShare, accountID, testCase.expectedNSGroup.ID)
require.NoError(t, err, "failed to get saved nameserver group")
testCase.expectedNSGroup.AccountID = accountID
if !testCase.expectedNSGroup.IsEqual(savedNSGroup) {
t.Errorf("new nameserver group didn't match expected group:\nGot %#v\nExpected:%#v\n", savedNSGroup, testCase.expectedNSGroup)
}

3
management/server/peer_test.go
View File

@ -1439,9 +1439,12 @@ func TestPeerAccountPeersUpdate(t *testing.T) {
t.Run("adding peer to group linked with policy", func(t *testing.T) {
err = manager.SavePolicy(context.Background(), account.Id, userID, &Policy{
ID: "policy",
AccountID: account.Id,
Enabled: true,
Rules: []*PolicyRule{
{
ID: "rule",
PolicyID: "policy",
Enabled: true,
Sources: []string{"groupA"},
Destinations: []string{"groupA"},

7
management/server/policy.go
View File

@ -171,6 +171,7 @@ type Policy struct {
func (p *Policy) Copy() *Policy {
c := &Policy{
ID: p.ID,
AccountID: p.AccountID,
Name: p.Name,
Description: p.Description,
Enabled: p.Enabled,
@ -347,7 +348,7 @@ func (am *DefaultAccountManager) GetPolicy(ctx context.Context, accountID, polic
}
if user.IsRegularUser() {
return nil, status.NewUnauthorizedToViewPoliciesError()
return nil, status.NewAdminPermissionError()
}
return am.Store.GetPolicyByID(ctx, LockingStrengthShare, accountID, policyID)
@ -365,7 +366,7 @@ func (am *DefaultAccountManager) SavePolicy(ctx context.Context, accountID, user
}
if user.IsRegularUser() {
return status.NewUnauthorizedToViewPoliciesError()
return status.NewAdminPermissionError()
}
groups, err := am.Store.GetAccountGroups(ctx, LockingStrengthShare, accountID)
@ -476,7 +477,7 @@ func (am *DefaultAccountManager) ListPolicies(ctx context.Context, accountID, us
}
if user.IsRegularUser() {
return nil, status.NewUnauthorizedToViewPoliciesError()
return nil, status.NewAdminPermissionError()
}
return am.Store.GetAccountPolicies(ctx, LockingStrengthShare, accountID)

18
management/server/policy_test.go
View File

@ -833,21 +833,25 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
err := manager.SaveGroups(context.Background(), account.Id, userID, []*nbgroup.Group{
{
ID: "groupA",
AccountID: account.Id,
Name: "GroupA",
Peers: []string{peer1.ID, peer3.ID},
},
{
ID: "groupB",
AccountID: account.Id,
Name: "GroupB",
Peers: []string{},
},
{
ID: "groupC",
AccountID: account.Id,
Name: "GroupC",
Peers: []string{},
},
{
ID: "groupD",
AccountID: account.Id,
Name: "GroupD",
Peers: []string{peer1.ID, peer2.ID},
},
@ -863,10 +867,12 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
t.Run("saving policy with rule groups with no peers", func(t *testing.T) {
policy := Policy{
ID: "policy-rule-groups-no-peers",
AccountID: account.Id,
Enabled: true,
Rules: []*PolicyRule{
{
ID: xid.New().String(),
PolicyID: "policy-rule-groups-no-peers",
Enabled: true,
Sources: []string{"groupB"},
Destinations: []string{"groupC"},
@ -897,10 +903,12 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
t.Run("saving policy where source has peers but destination does not", func(t *testing.T) {
policy := Policy{
ID: "policy-source-has-peers-destination-none",
AccountID: account.Id,
Enabled: true,
Rules: []*PolicyRule{
{
ID: xid.New().String(),
PolicyID: "policy-source-has-peers-destination-none",
Enabled: true,
Sources: []string{"groupA"},
Destinations: []string{"groupB"},
@ -932,10 +940,12 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
t.Run("saving policy where destination has peers but source does not", func(t *testing.T) {
policy := Policy{
ID: "policy-destination-has-peers-source-none",
AccountID: account.Id,
Enabled: true,
Rules: []*PolicyRule{
{
ID: xid.New().String(),
PolicyID: "policy-destination-has-peers-source-none",
Enabled: false,
Sources: []string{"groupC"},
Destinations: []string{"groupD"},
@ -967,10 +977,12 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
t.Run("saving policy with source and destination groups with peers", func(t *testing.T) {
policy := Policy{
ID: "policy-source-destination-peers",
AccountID: account.Id,
Enabled: true,
Rules: []*PolicyRule{
{
ID: xid.New().String(),
PolicyID: "policy-source-destination-peers",
Enabled: true,
Sources: []string{"groupA"},
Destinations: []string{"groupD"},
@ -1001,10 +1013,12 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
t.Run("disabling policy with source and destination groups with peers", func(t *testing.T) {
policy := Policy{
ID: "policy-source-destination-peers",
AccountID: account.Id,
Enabled: false,
Rules: []*PolicyRule{
{
ID: xid.New().String(),
PolicyID: "policy-source-destination-peers",
Enabled: true,
Sources: []string{"groupA"},
Destinations: []string{"groupD"},
@ -1035,11 +1049,13 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
t.Run("updating disabled policy with source and destination groups with peers", func(t *testing.T) {
policy := Policy{
ID: "policy-source-destination-peers",
AccountID: account.Id,
Description: "updated description",
Enabled: false,
Rules: []*PolicyRule{
{
ID: xid.New().String(),
PolicyID: "policy-source-destination-peers",
Enabled: true,
Sources: []string{"groupA"},
Destinations: []string{"groupA"},
@ -1070,10 +1086,12 @@ func TestPolicyAccountPeersUpdate(t *testing.T) {
t.Run("enabling policy with source and destination groups with peers", func(t *testing.T) {
policy := Policy{
ID: "policy-source-destination-peers",
AccountID: account.Id,
Enabled: true,
Rules: []*PolicyRule{
{
ID: xid.New().String(),
PolicyID: "policy-source-destination-peers",
Enabled: true,
Sources: []string{"groupA"},
Destinations: []string{"groupD"},

2
management/server/posture/checks.go
View File

@ -41,7 +41,7 @@ type Checks struct {
ID string `gorm:"primaryKey"`
// Name of the posture checks
Name string `gorm:"unique"`
Name string
// Description of the posture checks visible in the UI
Description string

8
management/server/posture_checks.go
View File

@ -23,7 +23,7 @@ func (am *DefaultAccountManager) GetPostureChecks(ctx context.Context, accountID
}
if !user.HasAdminPower() {
return nil, status.NewUnauthorizedToViewPostureChecksError()
return nil, status.NewAdminPermissionError()
}
return am.Store.GetPostureChecksByID(ctx, LockingStrengthShare, accountID, postureChecksID)
@ -41,7 +41,7 @@ func (am *DefaultAccountManager) SavePostureChecks(ctx context.Context, accountI
}
if !user.HasAdminPower() {
return status.NewUnauthorizedToViewPostureChecksError()
return status.NewAdminPermissionError()
}
if err = am.validatePostureChecks(ctx, accountID, postureChecks); err != nil {
@ -116,7 +116,7 @@ func (am *DefaultAccountManager) DeletePostureChecks(ctx context.Context, accoun
}
if !user.HasAdminPower() {
return status.NewUnauthorizedToViewPostureChecksError()
return status.NewAdminPermissionError()
}
postureChecks, err := am.Store.GetPostureChecksByID(ctx, LockingStrengthShare, accountID, postureChecksID)
@ -159,7 +159,7 @@ func (am *DefaultAccountManager) ListPostureChecks(ctx context.Context, accountI
}
if !user.HasAdminPower() {
return nil, status.NewUnauthorizedToViewPostureChecksError()
return nil, status.NewAdminPermissionError()
}
return am.Store.GetAccountPostureChecks(ctx, LockingStrengthShare, accountID)

64
management/server/posture_checks_test.go
View File

@ -5,7 +5,7 @@ import (
"testing"
"time"
"github.com/rs/xid"
"github.com/netbirdio/netbird/management/server/status"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
@ -44,6 +44,7 @@ func TestDefaultAccountManager_PostureCheck(t *testing.T) {
// should be possible to create posture check with uniq name
err = am.SavePostureChecks(context.Background(), accountID, adminUserID, &posture.Checks{
ID: postureCheckID,
AccountID: accountID,
Name: postureCheckName,
Checks: posture.ChecksDefinition{
NBVersionCheck: &posture.NBVersionCheck{
@ -61,6 +62,7 @@ func TestDefaultAccountManager_PostureCheck(t *testing.T) {
// should not be possible to create posture check with non uniq name
err = am.SavePostureChecks(context.Background(), accountID, adminUserID, &posture.Checks{
ID: "new-id",
AccountID: accountID,
Name: postureCheckName,
Checks: posture.ChecksDefinition{
GeoLocationCheck: &posture.GeoLocationCheck{
@ -77,6 +79,7 @@ func TestDefaultAccountManager_PostureCheck(t *testing.T) {
// admins can update posture checks
err = am.SavePostureChecks(context.Background(), accountID, adminUserID, &posture.Checks{
ID: postureCheckID,
AccountID: accountID,
Name: postureCheckName,
Checks: posture.ChecksDefinition{
NBVersionCheck: &posture.NBVersionCheck{
@ -133,16 +136,19 @@ func TestPostureCheckAccountPeersUpdate(t *testing.T) {
err := manager.SaveGroups(context.Background(), account.Id, userID, []*group.Group{
{
ID: "groupA",
AccountID: account.Id,
Name: "GroupA",
Peers: []string{peer1.ID, peer2.ID, peer3.ID},
},
{
ID: "groupB",
AccountID: account.Id,
Name: "GroupB",
Peers: []string{},
},
{
ID: "groupC",
AccountID: account.Id,
Name: "GroupC",
Peers: []string{},
},
@ -208,10 +214,12 @@ func TestPostureCheckAccountPeersUpdate(t *testing.T) {
policy := Policy{
ID: "policyA",
AccountID: account.Id,
Enabled: true,
Rules: []*PolicyRule{
{
ID: xid.New().String(),
ID: "ruleA",
PolicyID: "policyA",
Enabled: true,
Sources: []string{"groupA"},
Destinations: []string{"groupA"},
@ -314,10 +322,12 @@ func TestPostureCheckAccountPeersUpdate(t *testing.T) {
t.Run("updating linked posture check to policy with no peers", func(t *testing.T) {
policy = Policy{
ID: "policyB",
AccountID: account.Id,
Enabled: true,
Rules: []*PolicyRule{
{
ID: xid.New().String(),
ID: "ruleB",
PolicyID: "policyB",
Enabled: true,
Sources: []string{"groupB"},
Destinations: []string{"groupC"},
@ -360,10 +370,12 @@ func TestPostureCheckAccountPeersUpdate(t *testing.T) {
})
policy = Policy{
ID: "policyB",
AccountID: account.Id,
Enabled: true,
Rules: []*PolicyRule{
{
ID: xid.New().String(),
ID: "ruleB",
PolicyID: "policyB",
Enabled: true,
Sources: []string{"groupB"},
Destinations: []string{"groupA"},
@ -403,9 +415,12 @@ func TestPostureCheckAccountPeersUpdate(t *testing.T) {
t.Run("updating linked posture check to policy where source has peers but destination does not", func(t *testing.T) {
policy = Policy{
ID: "policyB",
AccountID: account.Id,
Enabled: true,
Rules: []*PolicyRule{
{
ID: "ruleB",
PolicyID: "policyB",
Enabled: true,
Sources: []string{"groupA"},
Destinations: []string{"groupB"},
@ -458,7 +473,7 @@ func TestArePostureCheckChangesAffectingPeers(t *testing.T) {
}
groupB := &group.Group{
ID: "groupA",
ID: "groupB",
AccountID: accountID,
Peers: []string{},
}
@ -470,6 +485,8 @@ func TestArePostureCheckChangesAffectingPeers(t *testing.T) {
AccountID: accountID,
Rules: []*PolicyRule{
{
ID: "ruleA",
PolicyID: "policyA",
Enabled: true,
Sources: []string{"groupA"},
Destinations: []string{"groupA"},
@ -482,16 +499,24 @@ func TestArePostureCheckChangesAffectingPeers(t *testing.T) {
postureCheckA := &posture.Checks{
ID: "checkA",
Name: "checkA",
AccountID: accountID,
Checks: posture.ChecksDefinition{
NBVersionCheck: &posture.NBVersionCheck{MinVersion: "0.33.1"},
},
}
err = manager.Store.SavePostureChecks(context.Background(), LockingStrengthUpdate, postureCheckA)
err = manager.SavePostureChecks(context.Background(), accountID, adminUserID, postureCheckA, false)
require.NoError(t, err, "failed to save postureCheckA")
postureCheckB := &posture.Checks{
ID: "checkB",
Name: "checkB",
AccountID: accountID,
Checks: posture.ChecksDefinition{
NBVersionCheck: &posture.NBVersionCheck{MinVersion: "0.33.1"},
},
}
err = manager.Store.SavePostureChecks(context.Background(), LockingStrengthUpdate, postureCheckB)
err = manager.SavePostureChecks(context.Background(), accountID, adminUserID, postureCheckB, false)
require.NoError(t, err, "failed to save postureCheckB")
t.Run("posture check exists and is linked to policy with peers", func(t *testing.T) {
@ -534,17 +559,6 @@ func TestArePostureCheckChangesAffectingPeers(t *testing.T) {
assert.True(t, result)
})
t.Run("posture check is linked to policy with non-existent group", func(t *testing.T) {
policy.Rules[0].Sources = []string{"nonExistentGroup"}
policy.Rules[0].Destinations = []string{"nonExistentGroup"}
err = manager.Store.SavePolicy(context.Background(), LockingStrengthUpdate, policy)
require.NoError(t, err, "failed to update policy")
result, err := manager.arePostureCheckChangesAffectPeers(context.Background(), accountID, "checkA", true)
require.NoError(t, err)
assert.False(t, result)
})
t.Run("posture check is linked to policy but no peers in groups", func(t *testing.T) {
groupA.Peers = []string{}
err = manager.Store.SaveGroup(context.Background(), LockingStrengthUpdate, groupA)
@ -554,4 +568,18 @@ func TestArePostureCheckChangesAffectingPeers(t *testing.T) {
require.NoError(t, err)
assert.False(t, result)
})
t.Run("posture check is linked to policy with non-existent group", func(t *testing.T) {
policy.Rules[0].Sources = []string{"nonExistentGroup"}
policy.Rules[0].Destinations = []string{"nonExistentGroup"}
err = manager.Store.SavePolicy(context.Background(), LockingStrengthUpdate, policy)
require.NoError(t, err, "failed to update policy")
result, err := manager.arePostureCheckChangesAffectPeers(context.Background(), accountID, "checkA", true)
require.Error(t, err)
sErr, ok := status.FromError(err)
require.True(t, ok)
require.Equal(t, status.NotFound, sErr.Type())
assert.False(t, result)
})
}

10
management/server/route.go
View File

@ -57,7 +57,7 @@ func (am *DefaultAccountManager) GetRoute(ctx context.Context, accountID string,
}
if user.IsRegularUser() {
return nil, status.NewUnauthorizedToViewRoutesError()
return nil, status.NewAdminPermissionError()
}
return am.Store.GetRouteByID(ctx, LockingStrengthShare, accountID, string(routeID))
@ -137,7 +137,7 @@ func (am *DefaultAccountManager) checkRoutePrefixOrDomainsExistForPeers(ctx cont
// check that peerGroupIDs are not in any route peerGroups list
for _, groupID := range peerGroupIDs {
// we validated the group existence before entering this function, no need to check again.
group, err := am.Store.GetGroupByID(context.Background(), LockingStrengthShare, groupID, accountID)
group, err := am.Store.GetGroupByID(context.Background(), LockingStrengthShare, accountID, groupID)
if err != nil || group == nil {
return status.Errorf(status.InvalidArgument, "group with ID %s not found", peerID)
}
@ -151,7 +151,7 @@ func (am *DefaultAccountManager) checkRoutePrefixOrDomainsExistForPeers(ctx cont
// check that the peers from peerGroupIDs groups are not the same peers we saw in routesWithPrefix
for _, id := range group.Peers {
if _, ok := seenPeers[id]; ok {
peer, err := am.Store.GetPeerByID(context.Background(), LockingStrengthShare, peerID, accountID)
peer, err := am.Store.GetPeerByID(context.Background(), LockingStrengthShare, accountID, peerID)
if err != nil {
return status.Errorf(status.InvalidArgument, "peer with ID %s not found", peerID)
}
@ -217,6 +217,7 @@ func (am *DefaultAccountManager) CreateRoute(ctx context.Context, accountID stri
var newRoute route.Route
newRoute.ID = route.ID(xid.New().String())
newRoute.AccountID = accountID
accountGroups, err := am.Store.GetAccountGroups(ctx, LockingStrengthShare, accountID)
if err != nil {
@ -393,6 +394,7 @@ func (am *DefaultAccountManager) SaveRoute(ctx context.Context, accountID, userI
if err != nil {
return err
}
routeToSave.AccountID = accountID
err = am.Store.ExecuteInTransaction(ctx, func(transaction Store) error {
if err = transaction.IncrementNetworkSerial(ctx, LockingStrengthUpdate, accountID); err != nil {
@ -472,7 +474,7 @@ func (am *DefaultAccountManager) ListRoutes(ctx context.Context, accountID, user
}
if user.IsRegularUser() {
return nil, status.NewUnauthorizedToViewRoutesError()
return nil, status.NewAdminPermissionError()
}
return am.Store.GetAccountRoutes(ctx, LockingStrengthShare, accountID)

6
management/server/setupkey.go
View File

@ -366,7 +366,7 @@ func (am *DefaultAccountManager) ListSetupKeys(ctx context.Context, accountID, u
}
if user.IsRegularUser() {
return nil, status.NewUnauthorizedToViewSetupKeysError()
return nil, status.NewAdminPermissionError()
}
setupKeys, err := am.Store.GetAccountSetupKeys(ctx, LockingStrengthShare, accountID)
@ -389,7 +389,7 @@ func (am *DefaultAccountManager) GetSetupKey(ctx context.Context, accountID, use
}
if user.IsRegularUser() {
return nil, status.NewUnauthorizedToViewSetupKeysError()
return nil, status.NewAdminPermissionError()
}
setupKey, err := am.Store.GetSetupKeyByID(ctx, LockingStrengthShare, keyID, accountID)
@ -417,7 +417,7 @@ func (am *DefaultAccountManager) DeleteSetupKey(ctx context.Context, accountID,
}
if user.IsRegularUser() {
return status.NewUnauthorizedToViewSetupKeysError()
return status.NewAdminPermissionError()
}
deletedSetupKey, err := am.Store.GetSetupKeyByID(ctx, LockingStrengthShare, keyID, accountID)

33
management/server/status/error.go
View File

@ -131,10 +131,6 @@ func NewOwnerDeletePermissionError() error {
return Errorf(PermissionDenied, "can't delete a user with the owner role")
}
func NewUnauthorizedToViewServiceUsersError() error {
return Errorf(PermissionDenied, "only users with admin power can view service users")
}
// NewServiceUserRoleInvalidError creates a new Error with InvalidArgument type for creating a service user with owner role
func NewServiceUserRoleInvalidError() error {
return Errorf(InvalidArgument, "can't create a service user with owner role")
@ -150,19 +146,6 @@ func NewSetupKeyNotFoundError(err error) error {
return Errorf(NotFound, "setup key not found: %s", err)
}
// NewUnauthorizedToViewSetupKeysError creates a new Error with Unauthorized type for an issue getting a setup key
func NewUnauthorizedToViewSetupKeysError() error {
return Errorf(PermissionDenied, "only users with admin power can view setup keys")
}
func NewGroupNotFoundError() error {
return Errorf(NotFound, "group not found")
}
func NewUnauthorizedToViewGroupsError() error {
return Errorf(PermissionDenied, "only users with admin power can view groups")
}
func NewPATNotFoundError() error {
return Errorf(NotFound, "PAT not found")
}
@ -171,26 +154,10 @@ func NewGetPATFromStoreError() error {
return Errorf(Internal, "issue getting pat from store")
}
func NewUnauthorizedToViewPoliciesError() error {
return Errorf(PermissionDenied, "only users with admin power can view policies")
}
func NewUnauthorizedToViewPostureChecksError() error {
return Errorf(PermissionDenied, "only users with admin power can view posture checks")
}
func NewUnauthorizedToViewDNSSettingsError() error {
return Errorf(PermissionDenied, "only users with admin power can view dns settings")
}
func NewUnauthorizedToViewNSGroupsError() error {
return Errorf(PermissionDenied, "only users with admin power can view name server groups")
}
func NewUnauthorizedToViewRoutesError() error {
return Errorf(PermissionDenied, "only users with admin power can view network routes")
}
// NewStoreContextCanceledError creates a new Error with Internal type for a canceled store context
func NewStoreContextCanceledError(duration time.Duration) error {
return Errorf(Internal, "store access: context canceled after %v", duration)

3
management/server/testdata/store_with_expired_peers.sql vendored
View File

@ -32,4 +32,7 @@ INSERT INTO peers VALUES('cg05lnblo1hkg2j514p0','bf1c8084-ba50-4ce7-9439-3465300
INSERT INTO peers VALUES('cg3161rlo1hs9cq94gdg','bf1c8084-ba50-4ce7-9439-34653001fc3b','mVABSKj28gv+JRsf7e0NEGKgSOGTfU/nPB2cpuG56HU=','','"100.64.117.96"','testhost','linux','Linux','22.04','x86_64','Ubuntu','','development','','',NULL,'','','','{"Cloud":"","Platform":""}',NULL,'testhost','testhost','2023-03-06 18:21:27.252010027+01:00',0,0,0,'edafee4e-63fb-11ec-90d6-0242ac120003','ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINWvvUkFFcrj48CWTkNUb/do/n52i1L5dH4DhGu+4ZuM',0,0,'2023-03-07 09:02:47.442857106+01:00','2024-10-02 17:00:32.527947+02:00',0,'""','','',0);
INSERT INTO users VALUES('f4f6d672-63fb-11ec-90d6-0242ac120003','bf1c8084-ba50-4ce7-9439-34653001fc3b','user',0,0,'','[]',0,'0001-01-01 00:00:00+00:00','2024-10-02 17:00:32.528196+02:00','api',0,'');
INSERT INTO users VALUES('edafee4e-63fb-11ec-90d6-0242ac120003','bf1c8084-ba50-4ce7-9439-34653001fc3b','admin',0,0,'','[]',0,'0001-01-01 00:00:00+00:00','2024-10-02 17:00:32.528196+02:00','api',0,'');
INSERT INTO "groups" VALUES('cs1tnh0hhcjnqoiuebeg','bf1c8084-ba50-4ce7-9439-34653001fc3b','All','api','["cfvprsrlo1hqoo49ohog", "cg3161rlo1hs9cq94gdg", "cg05lnblo1hkg2j514p0"]',0,'');
INSERT INTO policies VALUES('cs1tnh0hhcjnqoiuebf0','bf1c8084-ba50-4ce7-9439-34653001fc3b','Default','This is a default rule that allows connections between all the resources',1,'[]');
INSERT INTO policy_rules VALUES('cs387mkv2d4bgq41b6n0','cs1tnh0hhcjnqoiuebf0','Default','This is a default rule that allows connections between all the resources',1,'accept','["cs1tnh0hhcjnqoiuebeg"]','["cs1tnh0hhcjnqoiuebeg"]',1,'all',NULL,NULL);
INSERT INTO installations VALUES(1,'');

2
management/server/user.go
View File

@ -231,7 +231,7 @@ func (am *DefaultAccountManager) createServiceUser(ctx context.Context, accountI
}
if !initiatorUser.HasAdminPower() {
return nil, status.NewUnauthorizedToViewServiceUsersError()
return nil, status.NewAdminPermissionError()
}
if role == UserRoleOwner {

2
route/route.go
View File

@ -112,6 +112,7 @@ func (r *Route) EventMeta() map[string]any {
func (r *Route) Copy() *Route {
route := &Route{
ID: r.ID,
AccountID: r.AccountID,
Description: r.Description,
NetID: r.NetID,
Network: r.Network,
@ -138,6 +139,7 @@ func (r *Route) IsEqual(other *Route) bool {
}
return other.ID == r.ID &&
other.AccountID == r.AccountID &&
other.Description == r.Description &&
other.NetID == r.NetID &&
other.Network == r.Network &&