Handle category change with provided Acc Id (#252)

When the account ID is supplied via a claim, we should
handle a change of the domain classification.

If the category of the domain changes to private, we
should re-evaluate the private account.
Maycon Santos 2022-03-09 13:31:42 +01:00 committed by GitHub
parent 347a668bd5
commit ff62fec956
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 64 additions and 30 deletions


@ -316,8 +316,16 @@ func (am *DefaultAccountManager) handleNewUserAccount(domainAcc *Account, claims
func (am *DefaultAccountManager) GetAccountWithAuthorizationClaims(claims jwtclaims.AuthorizationClaims) (*Account, error) { func (am *DefaultAccountManager) GetAccountWithAuthorizationClaims(claims jwtclaims.AuthorizationClaims) (*Account, error) {
// if Account ID is part of the claims // if Account ID is part of the claims
// it means that we've already classified the domain and user has an account // it means that we've already classified the domain and user has an account
if claims.DomainCategory != PrivateCategory || claims.AccountId != "" { if claims.DomainCategory != PrivateCategory {
return am.GetAccountByUserOrAccountId(claims.UserId, claims.AccountId, claims.Domain) return am.GetAccountByUserOrAccountId(claims.UserId, claims.AccountId, claims.Domain)
} else if claims.AccountId != "" {
accountFromID, err := am.GetAccountByUserOrAccountId(claims.UserId, claims.AccountId, claims.Domain)
if err != nil {
return nil, err
}
if accountFromID.DomainCategory == PrivateCategory || claims.DomainCategory != PrivateCategory {
return accountFromID, nil
}
} }
am.mux.Lock() am.mux.Lock()
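Review bot: In the new `else if claims.AccountId != ""` branch, the second operand of `accountFromID.DomainCategory == PrivateCategory || claims.DomainCategory != PrivateCategory` can never be true, because the branch is only reached when `claims.DomainCategory` equals `PrivateCategory`. The check should read `if accountFromID.DomainCategory == PrivateCategory {`. The comment above the `if` still says an Account ID in the claims means the domain is already classified, which this branch no longer assumes; I would reword it to `// an Account ID in the claims selects the existing account unless the domain has since been reclassified as private`. The account is read before `am.mux.Lock()` and the function body continues outside the hunk, so please confirm that the locked path re-reads the account instead of relying on this unlocked read. Since the account is selected from token claims, also confirm that `GetAccountByUserOrAccountId` (not shown) checks that `claims.UserId` belongs to the account named by `claims.AccountId`.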


@ -39,13 +39,15 @@ func TestDefaultAccountManager_GetAccountWithAuthorizationClaims(t *testing.T) {
type initUserParams jwtclaims.AuthorizationClaims type initUserParams jwtclaims.AuthorizationClaims
type test struct { type test struct {
name string name string
inputClaims jwtclaims.AuthorizationClaims inputClaims jwtclaims.AuthorizationClaims
inputInitUserParams initUserParams inputInitUserParams initUserParams
inputUpdateAttrs bool inputUpdateAttrs bool
testingFunc require.ComparisonAssertionFunc inputUpdateClaimAccount bool
expectedMSG string testingFunc require.ComparisonAssertionFunc
expectedUserRole UserRole expectedMSG string
expectedUserRole UserRole
expectedDomainCategory string
} }
var ( var (
@ -66,10 +68,11 @@ func TestDefaultAccountManager_GetAccountWithAuthorizationClaims(t *testing.T) {
UserId: "pub-domain-user", UserId: "pub-domain-user",
DomainCategory: PublicCategory, DomainCategory: PublicCategory,
}, },
inputInitUserParams: defaultInitAccount, inputInitUserParams: defaultInitAccount,
testingFunc: require.NotEqual, testingFunc: require.NotEqual,
expectedMSG: "account IDs shouldn't match", expectedMSG: "account IDs shouldn't match",
expectedUserRole: UserRoleAdmin, expectedUserRole: UserRoleAdmin,
expectedDomainCategory: "",
} }
initUnknown := defaultInitAccount initUnknown := defaultInitAccount
@ -83,10 +86,11 @@ func TestDefaultAccountManager_GetAccountWithAuthorizationClaims(t *testing.T) {
UserId: "unknown-domain-user", UserId: "unknown-domain-user",
DomainCategory: UnknownCategory, DomainCategory: UnknownCategory,
}, },
inputInitUserParams: initUnknown, inputInitUserParams: initUnknown,
testingFunc: require.NotEqual, testingFunc: require.NotEqual,
expectedMSG: "account IDs shouldn't match", expectedMSG: "account IDs shouldn't match",
expectedUserRole: UserRoleAdmin, expectedUserRole: UserRoleAdmin,
expectedDomainCategory: "",
} }
testCase3 := test{ testCase3 := test{
@ -96,10 +100,11 @@ func TestDefaultAccountManager_GetAccountWithAuthorizationClaims(t *testing.T) {
UserId: "pvt-domain-user", UserId: "pvt-domain-user",
DomainCategory: PrivateCategory, DomainCategory: PrivateCategory,
}, },
inputInitUserParams: defaultInitAccount, inputInitUserParams: defaultInitAccount,
testingFunc: require.NotEqual, testingFunc: require.NotEqual,
expectedMSG: "account IDs shouldn't match", expectedMSG: "account IDs shouldn't match",
expectedUserRole: UserRoleAdmin, expectedUserRole: UserRoleAdmin,
expectedDomainCategory: PrivateCategory,
} }
privateInitAccount := defaultInitAccount privateInitAccount := defaultInitAccount
@ -113,11 +118,12 @@ func TestDefaultAccountManager_GetAccountWithAuthorizationClaims(t *testing.T) {
UserId: "pvt-domain-user", UserId: "pvt-domain-user",
DomainCategory: PrivateCategory, DomainCategory: PrivateCategory,
}, },
inputUpdateAttrs: true, inputUpdateAttrs: true,
inputInitUserParams: privateInitAccount, inputInitUserParams: privateInitAccount,
testingFunc: require.Equal, testingFunc: require.Equal,
expectedMSG: "account IDs should match", expectedMSG: "account IDs should match",
expectedUserRole: UserRoleUser, expectedUserRole: UserRoleUser,
expectedDomainCategory: PrivateCategory,
} }
testCase5 := test{ testCase5 := test{
@ -127,13 +133,28 @@ func TestDefaultAccountManager_GetAccountWithAuthorizationClaims(t *testing.T) {
UserId: defaultInitAccount.UserId, UserId: defaultInitAccount.UserId,
DomainCategory: PrivateCategory, DomainCategory: PrivateCategory,
}, },
inputInitUserParams: defaultInitAccount, inputInitUserParams: defaultInitAccount,
testingFunc: require.Equal, testingFunc: require.Equal,
expectedMSG: "account IDs should match", expectedMSG: "account IDs should match",
expectedUserRole: UserRoleAdmin, expectedUserRole: UserRoleAdmin,
expectedDomainCategory: PrivateCategory,
} }
for _, testCase := range []test{testCase1, testCase2, testCase3, testCase4, testCase5} { testCase6 := test{
name: "Existing Account Id With Existing Reclassified Private Domain",
inputClaims: jwtclaims.AuthorizationClaims{
Domain: defaultInitAccount.Domain,
UserId: defaultInitAccount.UserId,
DomainCategory: PrivateCategory,
},
inputUpdateClaimAccount: true,
inputInitUserParams: defaultInitAccount,
testingFunc: require.Equal,
expectedMSG: "account IDs should match",
expectedUserRole: UserRoleAdmin,
expectedDomainCategory: PrivateCategory,
}
for _, testCase := range []test{testCase1, testCase2, testCase3, testCase4, testCase5, testCase6} {
t.Run(testCase.name, func(t *testing.T) { t.Run(testCase.name, func(t *testing.T) {
manager, err := createManager(t) manager, err := createManager(t)
@ -147,12 +168,17 @@ func TestDefaultAccountManager_GetAccountWithAuthorizationClaims(t *testing.T) {
require.NoError(t, err, "update init user failed") require.NoError(t, err, "update init user failed")
} }
if testCase.inputUpdateClaimAccount {
testCase.inputClaims.AccountId = initAccount.Id
}
account, err := manager.GetAccountWithAuthorizationClaims(testCase.inputClaims) account, err := manager.GetAccountWithAuthorizationClaims(testCase.inputClaims)
require.NoError(t, err, "support function failed") require.NoError(t, err, "support function failed")
testCase.testingFunc(t, initAccount.Id, account.Id, testCase.expectedMSG) testCase.testingFunc(t, initAccount.Id, account.Id, testCase.expectedMSG)
require.EqualValues(t, testCase.expectedUserRole, account.Users[testCase.inputClaims.UserId].Role, "user role should match") require.EqualValues(t, testCase.expectedUserRole, account.Users[testCase.inputClaims.UserId].Role, "user role should match")
require.EqualValues(t, testCase.expectedDomainCategory, account.DomainCategory, "account domain category should match")
}) })
} }
} }
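Review bot: Only `testCase6` sets `inputUpdateClaimAccount`, so the table exercises at most one outcome of the new `AccountId` branch, and every case asserts `require.NoError`, so the branch's `return nil, err` path is never reached. I would add a case that combines `inputInitUserParams: privateInitAccount` with `inputUpdateClaimAccount: true`, which presumably takes the early return for an account that is already private. I would also add a case whose `AccountId` claim names no existing account and which expects an error; that needs a new table field such as `expectedErr bool`, checked in place of the unconditional `require.NoError`. A case where the `AccountId` claim points at an account that `UserId` is not a member of would pin down the authorization behaviour of this lookup. The test function starts before the first hunk, so `defaultInitAccount` and the account setup are not visible here.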