zitadel/internal/api/grpc/user/v2/integration_test/secret_test.go

//go:build integration

package user_test

import (
	"context"
	"fmt"
	"testing"
	"time"

	"github.com/brianvoe/gofakeit/v6"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"github.com/zitadel/zitadel/pkg/grpc/user/v2"
)

func TestServer_AddSecret(t *testing.T) {
	type args struct {
		ctx     context.Context
		req     *user.AddSecretRequest
		prepare func(request *user.AddSecretRequest) error
	}
	tests := []struct {
		name    string
		args    args
		wantErr bool
	}{
		{
			name: "add secret, user not existing",
			args: args{
				CTX,
				&user.AddSecretRequest{
					UserId: "notexisting",
				},
				func(request *user.AddSecretRequest) error { return nil },
			},
			wantErr: true,
		},
		{
			name: "add secret, ok",
			args: args{
				CTX,
				&user.AddSecretRequest{},
				func(request *user.AddSecretRequest) error {
					resp := Instance.CreateUserTypeMachine(CTX)
					request.UserId = resp.GetId()
					return nil
				},
			},
		},
		{
			name: "add secret human, not ok",
			args: args{
				CTX,
				&user.AddSecretRequest{},
				func(request *user.AddSecretRequest) error {
					resp := Instance.CreateUserTypeMachine(CTX)
					request.UserId = resp.GetId()
					return nil
				},
			},
		},
		{
			name: "overwrite secret, ok",
			args: args{
				CTX,
				&user.AddSecretRequest{},
				func(request *user.AddSecretRequest) error {
					resp := Instance.CreateUserTypeMachine(CTX)
					request.UserId = resp.GetId()
					_, err := Client.AddSecret(CTX, &user.AddSecretRequest{
						UserId: resp.GetId(),
					})
					return err
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			now := time.Now()
			err := tt.args.prepare(tt.args.req)
			require.NoError(t, err)
			got, err := Client.AddSecret(tt.args.ctx, tt.args.req)
			if tt.wantErr {
				require.Error(t, err)
				return
			}
			require.NoError(t, err)
			assert.NotEmpty(t, got.ClientSecret, "client secret is empty")
			creationDate := got.CreationDate.AsTime()
			assert.Greater(t, creationDate, now, "creation date is before the test started")
			assert.Less(t, creationDate, time.Now(), "creation date is in the future")
		})
	}
}

func TestServer_AddSecret_Permission(t *testing.T) {
	otherOrg := Instance.CreateOrganization(IamCTX, fmt.Sprintf("AddSecret-%s", gofakeit.AppName()), gofakeit.Email())
	otherOrgUser, err := Instance.Client.UserV2.CreateUser(IamCTX, &user.CreateUserRequest{
		OrganizationId: otherOrg.OrganizationId,
		UserType: &user.CreateUserRequest_Machine_{
			Machine: &user.CreateUserRequest_Machine{
				Name: gofakeit.Name(),
			},
		},
	})
	require.NoError(t, err)

	type args struct {
		ctx context.Context
		req *user.AddSecretRequest
	}
	tests := []struct {
		name    string
		args    args
		wantErr bool
	}{
		{
			name: "system, ok",
			args: args{
				SystemCTX,
				&user.AddSecretRequest{
					UserId: otherOrgUser.GetId(),
				},
			},
		},
		{
			name: "instance, ok",
			args: args{
				IamCTX,
				&user.AddSecretRequest{
					UserId: otherOrgUser.GetId(),
				},
			},
		},
		{
			name: "org, error",
			args: args{
				CTX,
				&user.AddSecretRequest{
					UserId: otherOrgUser.GetId(),
				},
			},
			wantErr: true,
		},
		{
			name: "user, error",
			args: args{
				UserCTX,
				&user.AddSecretRequest{
					UserId: otherOrgUser.GetId(),
				},
			},
			wantErr: true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			now := time.Now()
			require.NoError(t, err)
			got, err := Client.AddSecret(tt.args.ctx, tt.args.req)
			if tt.wantErr {
				require.Error(t, err)
				return
			}
			require.NoError(t, err)
			assert.NotEmpty(t, got.ClientSecret, "client secret is empty")
			creationDate := got.CreationDate.AsTime()
			assert.Greater(t, creationDate, now, "creation date is before the test started")
			assert.Less(t, creationDate, time.Now(), "creation date is in the future")
		})
	}
}

func TestServer_RemoveSecret(t *testing.T) {
	type args struct {
		ctx     context.Context
		req     *user.RemoveSecretRequest
		prepare func(request *user.RemoveSecretRequest) error
	}
	tests := []struct {
		name    string
		args    args
		wantErr bool
	}{
		{
			name: "remove secret, user not existing",
			args: args{
				CTX,
				&user.RemoveSecretRequest{
					UserId: "notexisting",
				},
				func(request *user.RemoveSecretRequest) error { return nil },
			},
			wantErr: true,
		},
		{
			name: "remove secret, not existing",
			args: args{
				CTX,
				&user.RemoveSecretRequest{},
				func(request *user.RemoveSecretRequest) error {
					resp := Instance.CreateUserTypeMachine(CTX)
					request.UserId = resp.GetId()
					return nil
				},
			},
			wantErr: true,
		},
		{
			name: "remove secret, ok",
			args: args{
				CTX,
				&user.RemoveSecretRequest{},
				func(request *user.RemoveSecretRequest) error {
					resp := Instance.CreateUserTypeMachine(CTX)
					request.UserId = resp.GetId()
					_, err := Instance.Client.UserV2.AddSecret(CTX, &user.AddSecretRequest{
						UserId: resp.GetId(),
					})
					return err
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			now := time.Now()
			err := tt.args.prepare(tt.args.req)
			require.NoError(t, err)
			got, err := Client.RemoveSecret(tt.args.ctx, tt.args.req)
			if tt.wantErr {
				require.Error(t, err)
				return
			}
			require.NoError(t, err)
			deletionDate := got.DeletionDate.AsTime()
			assert.Greater(t, deletionDate, now, "creation date is before the test started")
			assert.Less(t, deletionDate, time.Now(), "creation date is in the future")
		})
	}
}

func TestServer_RemoveSecret_Permission(t *testing.T) {
	otherOrg := Instance.CreateOrganization(IamCTX, fmt.Sprintf("RemoveSecret-%s", gofakeit.AppName()), gofakeit.Email())
	otherOrgUser, err := Instance.Client.UserV2.CreateUser(IamCTX, &user.CreateUserRequest{
		OrganizationId: otherOrg.OrganizationId,
		UserType: &user.CreateUserRequest_Machine_{
			Machine: &user.CreateUserRequest_Machine{
				Name: gofakeit.Name(),
			},
		},
	})
	require.NoError(t, err)

	type args struct {
		ctx     context.Context
		req     *user.RemoveSecretRequest
		prepare func(request *user.RemoveSecretRequest) error
	}
	tests := []struct {
		name    string
		args    args
		wantErr bool
	}{
		{
			name: "system, ok",
			args: args{
				SystemCTX,
				&user.RemoveSecretRequest{
					UserId: otherOrgUser.GetId(),
				},
				func(request *user.RemoveSecretRequest) error {
					_, err := Instance.Client.UserV2.AddSecret(IamCTX, &user.AddSecretRequest{
						UserId: otherOrgUser.GetId(),
					})
					return err
				},
			},
		},
		{
			name: "instance, ok",
			args: args{
				IamCTX,
				&user.RemoveSecretRequest{
					UserId: otherOrgUser.GetId(),
				},
				func(request *user.RemoveSecretRequest) error {
					_, err := Instance.Client.UserV2.AddSecret(IamCTX, &user.AddSecretRequest{
						UserId: otherOrgUser.GetId(),
					})
					return err
				},
			},
		},
		{
			name: "org, error",
			args: args{
				CTX,
				&user.RemoveSecretRequest{
					UserId: otherOrgUser.GetId(),
				},
				func(request *user.RemoveSecretRequest) error {
					_, err := Instance.Client.UserV2.AddSecret(IamCTX, &user.AddSecretRequest{
						UserId: otherOrgUser.GetId(),
					})
					return err
				},
			},
			wantErr: true,
		},
		{
			name: "user, error",
			args: args{
				UserCTX,
				&user.RemoveSecretRequest{
					UserId: otherOrgUser.GetId(),
				},
				func(request *user.RemoveSecretRequest) error {
					_, err := Instance.Client.UserV2.AddSecret(IamCTX, &user.AddSecretRequest{
						UserId: otherOrgUser.GetId(),
					})
					return err
				},
			},
			wantErr: true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			now := time.Now()
			require.NoError(t, tt.args.prepare(tt.args.req))
			got, err := Client.RemoveSecret(tt.args.ctx, tt.args.req)
			if tt.wantErr {
				require.Error(t, err)
				return
			}
			require.NoError(t, err)
			assert.NotEmpty(t, got.DeletionDate, "client secret is empty")
			creationDate := got.DeletionDate.AsTime()
			assert.Greater(t, creationDate, now, "creation date is before the test started")
			assert.Less(t, creationDate, time.Now(), "creation date is in the future")
		})
	}
}
feat: user api requests to resource API (#9794) # Which Problems Are Solved This pull request addresses a significant gap in the user service v2 API, which currently lacks methods for managing machine users. # How the Problems Are Solved This PR adds new API endpoints to the user service v2 to manage machine users including their secret, keys and personal access tokens. Additionally, there's now a CreateUser and UpdateUser endpoints which allow to create either a human or machine user and update them. The existing `CreateHumanUser` endpoint has been deprecated along the corresponding management service endpoints. For details check the additional context section. # Additional Context - Closes https://github.com/zitadel/zitadel/issues/9349 ## More details - API changes: https://github.com/zitadel/zitadel/pull/9680 - Implementation: https://github.com/zitadel/zitadel/pull/9763 - Tests: https://github.com/zitadel/zitadel/pull/9771 ## Follow-ups - Metadata: support managing user metadata using resource API https://github.com/zitadel/zitadel/pull/10005 - Machine token type: support managing the machine token type (migrate to new enum with zero value unspecified?) --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Livio Spring <livio.a@gmail.com> 2025-06-04 09:17:23 +02:00			`//go:build integration`

			`package user_test`

			`import (`
			`"context"`
			`"fmt"`
			`"testing"`
			`"time"`

			`"github.com/brianvoe/gofakeit/v6"`
			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`

			`"github.com/zitadel/zitadel/pkg/grpc/user/v2"`
			`)`

			`func TestServer_AddSecret(t *testing.T) {`
			`type args struct {`
			`ctx context.Context`
			`req *user.AddSecretRequest`
			`prepare func(request *user.AddSecretRequest) error`
			`}`
			`tests := []struct {`
			`name string`
			`args args`
			`wantErr bool`
			`}{`
			`{`
			`name: "add secret, user not existing",`
			`args: args{`
			`CTX,`
			`&user.AddSecretRequest{`
			`UserId: "notexisting",`
			`},`
			`func(request *user.AddSecretRequest) error { return nil },`
			`},`
			`wantErr: true,`
			`},`
			`{`
			`name: "add secret, ok",`
			`args: args{`
			`CTX,`
			`&user.AddSecretRequest{},`
			`func(request *user.AddSecretRequest) error {`
			`resp := Instance.CreateUserTypeMachine(CTX)`
			`request.UserId = resp.GetId()`
			`return nil`
			`},`
			`},`
			`},`
			`{`
			`name: "add secret human, not ok",`
			`args: args{`
			`CTX,`
			`&user.AddSecretRequest{},`
			`func(request *user.AddSecretRequest) error {`
			`resp := Instance.CreateUserTypeMachine(CTX)`
			`request.UserId = resp.GetId()`
			`return nil`
			`},`
			`},`
			`},`
			`{`
			`name: "overwrite secret, ok",`
			`args: args{`
			`CTX,`
			`&user.AddSecretRequest{},`
			`func(request *user.AddSecretRequest) error {`
			`resp := Instance.CreateUserTypeMachine(CTX)`
			`request.UserId = resp.GetId()`
			`_, err := Client.AddSecret(CTX, &user.AddSecretRequest{`
			`UserId: resp.GetId(),`
			`})`
			`return err`
			`},`
			`},`
			`},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`now := time.Now()`
			`err := tt.args.prepare(tt.args.req)`
			`require.NoError(t, err)`
			`got, err := Client.AddSecret(tt.args.ctx, tt.args.req)`
			`if tt.wantErr {`
			`require.Error(t, err)`
			`return`
			`}`
			`require.NoError(t, err)`
			`assert.NotEmpty(t, got.ClientSecret, "client secret is empty")`
			`creationDate := got.CreationDate.AsTime()`
			`assert.Greater(t, creationDate, now, "creation date is before the test started")`
			`assert.Less(t, creationDate, time.Now(), "creation date is in the future")`
			`})`
			`}`
			`}`

			`func TestServer_AddSecret_Permission(t *testing.T) {`
			`otherOrg := Instance.CreateOrganization(IamCTX, fmt.Sprintf("AddSecret-%s", gofakeit.AppName()), gofakeit.Email())`
			`otherOrgUser, err := Instance.Client.UserV2.CreateUser(IamCTX, &user.CreateUserRequest{`
			`OrganizationId: otherOrg.OrganizationId,`
			`UserType: &user.CreateUserRequest_Machine_{`
			`Machine: &user.CreateUserRequest_Machine{`
			`Name: gofakeit.Name(),`
			`},`
			`},`
			`})`
			`require.NoError(t, err)`

			`type args struct {`
			`ctx context.Context`
			`req *user.AddSecretRequest`
			`}`
			`tests := []struct {`
			`name string`
			`args args`
			`wantErr bool`
			`}{`
			`{`
			`name: "system, ok",`
			`args: args{`
			`SystemCTX,`
			`&user.AddSecretRequest{`
			`UserId: otherOrgUser.GetId(),`
			`},`
			`},`
			`},`
			`{`
			`name: "instance, ok",`
			`args: args{`
			`IamCTX,`
			`&user.AddSecretRequest{`
			`UserId: otherOrgUser.GetId(),`
			`},`
			`},`
			`},`
			`{`
			`name: "org, error",`
			`args: args{`
			`CTX,`
			`&user.AddSecretRequest{`
			`UserId: otherOrgUser.GetId(),`
			`},`
			`},`
			`wantErr: true,`
			`},`
			`{`
			`name: "user, error",`
			`args: args{`
			`UserCTX,`
			`&user.AddSecretRequest{`
			`UserId: otherOrgUser.GetId(),`
			`},`
			`},`
			`wantErr: true,`
			`},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`now := time.Now()`
			`require.NoError(t, err)`
			`got, err := Client.AddSecret(tt.args.ctx, tt.args.req)`
			`if tt.wantErr {`
			`require.Error(t, err)`
			`return`
			`}`
			`require.NoError(t, err)`
			`assert.NotEmpty(t, got.ClientSecret, "client secret is empty")`
			`creationDate := got.CreationDate.AsTime()`
			`assert.Greater(t, creationDate, now, "creation date is before the test started")`
			`assert.Less(t, creationDate, time.Now(), "creation date is in the future")`
			`})`
			`}`
			`}`

			`func TestServer_RemoveSecret(t *testing.T) {`
			`type args struct {`
			`ctx context.Context`
			`req *user.RemoveSecretRequest`
			`prepare func(request *user.RemoveSecretRequest) error`
			`}`
			`tests := []struct {`
			`name string`
			`args args`
			`wantErr bool`
			`}{`
			`{`
			`name: "remove secret, user not existing",`
			`args: args{`
			`CTX,`
			`&user.RemoveSecretRequest{`
			`UserId: "notexisting",`
			`},`
			`func(request *user.RemoveSecretRequest) error { return nil },`
			`},`
			`wantErr: true,`
			`},`
			`{`
			`name: "remove secret, not existing",`
			`args: args{`
			`CTX,`
			`&user.RemoveSecretRequest{},`
			`func(request *user.RemoveSecretRequest) error {`
			`resp := Instance.CreateUserTypeMachine(CTX)`
			`request.UserId = resp.GetId()`
			`return nil`
			`},`
			`},`
			`wantErr: true,`
			`},`
			`{`
			`name: "remove secret, ok",`
			`args: args{`
			`CTX,`
			`&user.RemoveSecretRequest{},`
			`func(request *user.RemoveSecretRequest) error {`
			`resp := Instance.CreateUserTypeMachine(CTX)`
			`request.UserId = resp.GetId()`
			`_, err := Instance.Client.UserV2.AddSecret(CTX, &user.AddSecretRequest{`
			`UserId: resp.GetId(),`
			`})`
			`return err`
			`},`
			`},`
			`},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`now := time.Now()`
			`err := tt.args.prepare(tt.args.req)`
			`require.NoError(t, err)`
			`got, err := Client.RemoveSecret(tt.args.ctx, tt.args.req)`
			`if tt.wantErr {`
			`require.Error(t, err)`
			`return`
			`}`
			`require.NoError(t, err)`
			`deletionDate := got.DeletionDate.AsTime()`
			`assert.Greater(t, deletionDate, now, "creation date is before the test started")`
			`assert.Less(t, deletionDate, time.Now(), "creation date is in the future")`
			`})`
			`}`
			`}`

			`func TestServer_RemoveSecret_Permission(t *testing.T) {`
			`otherOrg := Instance.CreateOrganization(IamCTX, fmt.Sprintf("RemoveSecret-%s", gofakeit.AppName()), gofakeit.Email())`
			`otherOrgUser, err := Instance.Client.UserV2.CreateUser(IamCTX, &user.CreateUserRequest{`
			`OrganizationId: otherOrg.OrganizationId,`
			`UserType: &user.CreateUserRequest_Machine_{`
			`Machine: &user.CreateUserRequest_Machine{`
			`Name: gofakeit.Name(),`
			`},`
			`},`
			`})`
			`require.NoError(t, err)`

			`type args struct {`
			`ctx context.Context`
			`req *user.RemoveSecretRequest`
			`prepare func(request *user.RemoveSecretRequest) error`
			`}`
			`tests := []struct {`
			`name string`
			`args args`
			`wantErr bool`
			`}{`
			`{`
			`name: "system, ok",`
			`args: args{`
			`SystemCTX,`
			`&user.RemoveSecretRequest{`
			`UserId: otherOrgUser.GetId(),`
			`},`
			`func(request *user.RemoveSecretRequest) error {`
			`_, err := Instance.Client.UserV2.AddSecret(IamCTX, &user.AddSecretRequest{`
			`UserId: otherOrgUser.GetId(),`
			`})`
			`return err`
			`},`
			`},`
			`},`
			`{`
			`name: "instance, ok",`
			`args: args{`
			`IamCTX,`
			`&user.RemoveSecretRequest{`
			`UserId: otherOrgUser.GetId(),`
			`},`
			`func(request *user.RemoveSecretRequest) error {`
			`_, err := Instance.Client.UserV2.AddSecret(IamCTX, &user.AddSecretRequest{`
			`UserId: otherOrgUser.GetId(),`
			`})`
			`return err`
			`},`
			`},`
			`},`
			`{`
			`name: "org, error",`
			`args: args{`
			`CTX,`
			`&user.RemoveSecretRequest{`
			`UserId: otherOrgUser.GetId(),`
			`},`
			`func(request *user.RemoveSecretRequest) error {`
			`_, err := Instance.Client.UserV2.AddSecret(IamCTX, &user.AddSecretRequest{`
			`UserId: otherOrgUser.GetId(),`
			`})`
			`return err`
			`},`
			`},`
			`wantErr: true,`
			`},`
			`{`
			`name: "user, error",`
			`args: args{`
			`UserCTX,`
			`&user.RemoveSecretRequest{`
			`UserId: otherOrgUser.GetId(),`
			`},`
			`func(request *user.RemoveSecretRequest) error {`
			`_, err := Instance.Client.UserV2.AddSecret(IamCTX, &user.AddSecretRequest{`
			`UserId: otherOrgUser.GetId(),`
			`})`
			`return err`
			`},`
			`},`
			`wantErr: true,`
			`},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`now := time.Now()`
			`require.NoError(t, tt.args.prepare(tt.args.req))`
			`got, err := Client.RemoveSecret(tt.args.ctx, tt.args.req)`
			`if tt.wantErr {`
			`require.Error(t, err)`
			`return`
			`}`
			`require.NoError(t, err)`
			`assert.NotEmpty(t, got.DeletionDate, "client secret is empty")`
			`creationDate := got.DeletionDate.AsTime()`
			`assert.Greater(t, creationDate, now, "creation date is before the test started")`
			`assert.Less(t, creationDate, time.Now(), "creation date is in the future")`
			`})`
			`}`
			`}`