zitadel/internal/command/iam_policy_login_test.go

package command

import (
	"context"
	"github.com/caos/zitadel/internal/domain"
	caos_errs "github.com/caos/zitadel/internal/errors"
	"github.com/caos/zitadel/internal/eventstore"
	"github.com/caos/zitadel/internal/eventstore/repository"
	"github.com/caos/zitadel/internal/eventstore/v1/models"
	"github.com/caos/zitadel/internal/repository/iam"
	"github.com/caos/zitadel/internal/repository/policy"
	"github.com/stretchr/testify/assert"
	"testing"
)

func TestCommandSide_AddDefaultLoginPolicy(t *testing.T) {
	type fields struct {
		eventstore *eventstore.Eventstore
	}
	type args struct {
		ctx    context.Context
		policy *domain.LoginPolicy
	}
	type res struct {
		want *domain.LoginPolicy
		err  func(error) bool
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		res    res
	}{
		{
			name: "loginpolicy already existing, already exists error",
			fields: fields{
				eventstore: eventstoreExpect(
					t,
					expectFilter(
						eventFromEventPusher(
							iam.NewLoginPolicyAddedEvent(context.Background(),
								&iam.NewAggregate().Aggregate,
								true,
								true,
								false,
								false,
								domain.PasswordlessTypeAllowed,
							),
						),
					),
				),
			},
			args: args{
				ctx: context.Background(),
				policy: &domain.LoginPolicy{
					AllowRegister:         true,
					AllowUsernamePassword: true,
					PasswordlessType:      domain.PasswordlessTypeAllowed,
				},
			},
			res: res{
				err: caos_errs.IsErrorAlreadyExists,
			},
		},
		{
			name: "add policy,ok",
			fields: fields{
				eventstore: eventstoreExpect(
					t,
					expectFilter(),
					expectPush(
						[]*repository.Event{
							eventFromEventPusher(
								iam.NewLoginPolicyAddedEvent(context.Background(),
									&iam.NewAggregate().Aggregate,
									true,
									true,
									true,
									true,
									domain.PasswordlessTypeAllowed,
								),
							),
						},
					),
				),
			},
			args: args{
				ctx: context.Background(),
				policy: &domain.LoginPolicy{
					AllowRegister:         true,
					AllowUsernamePassword: true,
					AllowExternalIDP:      true,
					ForceMFA:              true,
					PasswordlessType:      domain.PasswordlessTypeAllowed,
				},
			},
			res: res{
				want: &domain.LoginPolicy{
					ObjectRoot: models.ObjectRoot{
						AggregateID:   "IAM",
						ResourceOwner: "IAM",
					},
					AllowRegister:         true,
					AllowUsernamePassword: true,
					AllowExternalIDP:      true,
					ForceMFA:              true,
					PasswordlessType:      domain.PasswordlessTypeAllowed,
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			r := &Commands{
				eventstore: tt.fields.eventstore,
			}
			got, err := r.AddDefaultLoginPolicy(tt.args.ctx, tt.args.policy)
			if tt.res.err == nil {
				assert.NoError(t, err)
			}
			if tt.res.err != nil && !tt.res.err(err) {
				t.Errorf("got wrong err: %v ", err)
			}
			if tt.res.err == nil {
				assert.Equal(t, tt.res.want, got)
			}
		})
	}
}

func TestCommandSide_ChangeDefaultLoginPolicy(t *testing.T) {
	type fields struct {
		eventstore *eventstore.Eventstore
	}
	type args struct {
		ctx    context.Context
		policy *domain.LoginPolicy
	}
	type res struct {
		want *domain.LoginPolicy
		err  func(error) bool
	}
	tests := []struct {
		name   string
		fields fields
		args   args
		res    res
	}{
		{
			name: "loginpolicy not existing, not found error",
			fields: fields{
				eventstore: eventstoreExpect(
					t,
					expectFilter(),
				),
			},
			args: args{
				ctx: context.Background(),
				policy: &domain.LoginPolicy{
					AllowRegister:    true,
					AllowExternalIDP: true,
				},
			},
			res: res{
				err: caos_errs.IsNotFound,
			},
		},
		{
			name: "no changes, precondition error",
			fields: fields{
				eventstore: eventstoreExpect(
					t,
					expectFilter(
						eventFromEventPusher(
							iam.NewLoginPolicyAddedEvent(context.Background(),
								&iam.NewAggregate().Aggregate,
								true,
								true,
								true,
								true,
								domain.PasswordlessTypeAllowed,
							),
						),
					),
				),
			},
			args: args{
				ctx: context.Background(),
				policy: &domain.LoginPolicy{
					AllowRegister:         true,
					AllowUsernamePassword: true,
					AllowExternalIDP:      true,
					ForceMFA:              true,
					PasswordlessType:      domain.PasswordlessTypeAllowed,
				},
			},
			res: res{
				err: caos_errs.IsPreconditionFailed,
			},
		},
		{
			name: "change, ok",
			fields: fields{
				eventstore: eventstoreExpect(
					t,
					expectFilter(
						eventFromEventPusher(
							iam.NewLoginPolicyAddedEvent(context.Background(),
								&iam.NewAggregate().Aggregate,
								true,
								true,
								true,
								true,
								domain.PasswordlessTypeAllowed,
							),
						),
					),
					expectPush(
						[]*repository.Event{
							eventFromEventPusher(
								newDefaultLoginPolicyChangedEvent(context.Background(), false, false, false, false, domain.PasswordlessTypeNotAllowed),
							),
						},
					),
				),
			},
			args: args{
				ctx: context.Background(),
				policy: &domain.LoginPolicy{
					AllowRegister:         false,
					AllowUsernamePassword: false,
					AllowExternalIDP:      false,
					ForceMFA:              false,
					PasswordlessType:      domain.PasswordlessTypeNotAllowed,
				},
			},
			res: res{
				want: &domain.LoginPolicy{
					ObjectRoot: models.ObjectRoot{
						AggregateID:   "IAM",
						ResourceOwner: "IAM",
					},
					AllowRegister:         false,
					AllowUsernamePassword: false,
					AllowExternalIDP:      false,
					ForceMFA:              false,
					PasswordlessType:      domain.PasswordlessTypeNotAllowed,
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			r := &Commands{
				eventstore: tt.fields.eventstore,
			}
			got, err := r.ChangeDefaultLoginPolicy(tt.args.ctx, tt.args.policy)
			if tt.res.err == nil {
				assert.NoError(t, err)
			}
			if tt.res.err != nil && !tt.res.err(err) {
				t.Errorf("got wrong err: %v ", err)
			}
			if tt.res.err == nil {
				assert.Equal(t, tt.res.want, got)
			}
		})
	}
}

func newDefaultLoginPolicyChangedEvent(ctx context.Context, allowRegister, allowUsernamePassword, allowExternalIDP, forceMFA bool, passwordlessType domain.PasswordlessType) *iam.LoginPolicyChangedEvent {
	event, _ := iam.NewLoginPolicyChangedEvent(ctx,
		&iam.NewAggregate().Aggregate,
		[]policy.LoginPolicyChanges{
			policy.ChangeAllowRegister(allowRegister),
			policy.ChangeAllowExternalIDP(allowExternalIDP),
			policy.ChangeForceMFA(forceMFA),
			policy.ChangeAllowUserNamePassword(allowUsernamePassword),
			policy.ChangePasswordlessType(passwordlessType),
		},
	)
	return event
}
fix: new es testing (#1411) * fix: org tests * fix: org tests * fix: user grant test * fix: user grant test * fix: project and project role test * fix: project grant test * fix: project grant test * fix: project member, grant member, app changed tests * fix: application tests * fix: application tests * fix: add oidc app test * fix: add oidc app test * fix: add api keys test * fix: iam policies * fix: iam and org member tests * fix: clock skew validation * revert crypto changes * fix: tests * fix project grant member commands Co-authored-by: Livio Amstutz <livio.a@gmail.com> 2021-03-15 12:51:15 +01:00			`package command`

			`import (`
			`"context"`
			`"github.com/caos/zitadel/internal/domain"`
			`caos_errs "github.com/caos/zitadel/internal/errors"`
			`"github.com/caos/zitadel/internal/eventstore"`
			`"github.com/caos/zitadel/internal/eventstore/repository"`
			`"github.com/caos/zitadel/internal/eventstore/v1/models"`
			`"github.com/caos/zitadel/internal/repository/iam"`
			`"github.com/caos/zitadel/internal/repository/policy"`
			`"github.com/stretchr/testify/assert"`
			`"testing"`
			`)`

			`func TestCommandSide_AddDefaultLoginPolicy(t *testing.T) {`
			`type fields struct {`
			`eventstore *eventstore.Eventstore`
			`}`
			`type args struct {`
			`ctx context.Context`
			`policy *domain.LoginPolicy`
			`}`
			`type res struct {`
			`want *domain.LoginPolicy`
			`err func(error) bool`
			`}`
			`tests := []struct {`
			`name string`
			`fields fields`
			`args args`
			`res res`
			`}{`
			`{`
			`name: "loginpolicy already existing, already exists error",`
			`fields: fields{`
			`eventstore: eventstoreExpect(`
			`t,`
			`expectFilter(`
			`eventFromEventPusher(`
			`iam.NewLoginPolicyAddedEvent(context.Background(),`
			`&iam.NewAggregate().Aggregate,`
			`true,`
			`true,`
			`false,`
			`false,`
			`domain.PasswordlessTypeAllowed,`
			`),`
			`),`
			`),`
			`),`
			`},`
			`args: args{`
			`ctx: context.Background(),`
			`policy: &domain.LoginPolicy{`
			`AllowRegister: true,`
			`AllowUsernamePassword: true,`
			`PasswordlessType: domain.PasswordlessTypeAllowed,`
			`},`
			`},`
			`res: res{`
			`err: caos_errs.IsErrorAlreadyExists,`
			`},`
			`},`
			`{`
			`name: "add policy,ok",`
			`fields: fields{`
			`eventstore: eventstoreExpect(`
			`t,`
			`expectFilter(),`
			`expectPush(`
			`[]*repository.Event{`
			`eventFromEventPusher(`
			`iam.NewLoginPolicyAddedEvent(context.Background(),`
			`&iam.NewAggregate().Aggregate,`
			`true,`
			`true,`
			`true,`
			`true,`
			`domain.PasswordlessTypeAllowed,`
			`),`
			`),`
			`},`
			`),`
			`),`
			`},`
			`args: args{`
			`ctx: context.Background(),`
			`policy: &domain.LoginPolicy{`
			`AllowRegister: true,`
			`AllowUsernamePassword: true,`
			`AllowExternalIDP: true,`
			`ForceMFA: true,`
			`PasswordlessType: domain.PasswordlessTypeAllowed,`
			`},`
			`},`
			`res: res{`
			`want: &domain.LoginPolicy{`
			`ObjectRoot: models.ObjectRoot{`
			`AggregateID: "IAM",`
			`ResourceOwner: "IAM",`
			`},`
			`AllowRegister: true,`
			`AllowUsernamePassword: true,`
			`AllowExternalIDP: true,`
			`ForceMFA: true,`
			`PasswordlessType: domain.PasswordlessTypeAllowed,`
			`},`
			`},`
			`},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`r := &Commands{`
			`eventstore: tt.fields.eventstore,`
			`}`
			`got, err := r.AddDefaultLoginPolicy(tt.args.ctx, tt.args.policy)`
			`if tt.res.err == nil {`
			`assert.NoError(t, err)`
			`}`
			`if tt.res.err != nil && !tt.res.err(err) {`
			`t.Errorf("got wrong err: %v ", err)`
			`}`
			`if tt.res.err == nil {`
			`assert.Equal(t, tt.res.want, got)`
			`}`
			`})`
			`}`
			`}`

			`func TestCommandSide_ChangeDefaultLoginPolicy(t *testing.T) {`
			`type fields struct {`
			`eventstore *eventstore.Eventstore`
			`}`
			`type args struct {`
			`ctx context.Context`
			`policy *domain.LoginPolicy`
			`}`
			`type res struct {`
			`want *domain.LoginPolicy`
			`err func(error) bool`
			`}`
			`tests := []struct {`
			`name string`
			`fields fields`
			`args args`
			`res res`
			`}{`
			`{`
			`name: "loginpolicy not existing, not found error",`
			`fields: fields{`
			`eventstore: eventstoreExpect(`
			`t,`
			`expectFilter(),`
			`),`
			`},`
			`args: args{`
			`ctx: context.Background(),`
			`policy: &domain.LoginPolicy{`
			`AllowRegister: true,`
			`AllowExternalIDP: true,`
			`},`
			`},`
			`res: res{`
			`err: caos_errs.IsNotFound,`
			`},`
			`},`
			`{`
			`name: "no changes, precondition error",`
			`fields: fields{`
			`eventstore: eventstoreExpect(`
			`t,`
			`expectFilter(`
			`eventFromEventPusher(`
			`iam.NewLoginPolicyAddedEvent(context.Background(),`
			`&iam.NewAggregate().Aggregate,`
			`true,`
			`true,`
			`true,`
			`true,`
			`domain.PasswordlessTypeAllowed,`
			`),`
			`),`
			`),`
			`),`
			`},`
			`args: args{`
			`ctx: context.Background(),`
			`policy: &domain.LoginPolicy{`
			`AllowRegister: true,`
			`AllowUsernamePassword: true,`
			`AllowExternalIDP: true,`
			`ForceMFA: true,`
			`PasswordlessType: domain.PasswordlessTypeAllowed,`
			`},`
			`},`
			`res: res{`
			`err: caos_errs.IsPreconditionFailed,`
			`},`
			`},`
			`{`
			`name: "change, ok",`
			`fields: fields{`
			`eventstore: eventstoreExpect(`
			`t,`
			`expectFilter(`
			`eventFromEventPusher(`
			`iam.NewLoginPolicyAddedEvent(context.Background(),`
			`&iam.NewAggregate().Aggregate,`
			`true,`
			`true,`
			`true,`
			`true,`
			`domain.PasswordlessTypeAllowed,`
			`),`
			`),`
			`),`
			`expectPush(`
			`[]*repository.Event{`
			`eventFromEventPusher(`
			`newDefaultLoginPolicyChangedEvent(context.Background(), false, false, false, false, domain.PasswordlessTypeNotAllowed),`
			`),`
			`},`
			`),`
			`),`
			`},`
			`args: args{`
			`ctx: context.Background(),`
			`policy: &domain.LoginPolicy{`
			`AllowRegister: false,`
			`AllowUsernamePassword: false,`
			`AllowExternalIDP: false,`
			`ForceMFA: false,`
			`PasswordlessType: domain.PasswordlessTypeNotAllowed,`
			`},`
			`},`
			`res: res{`
			`want: &domain.LoginPolicy{`
			`ObjectRoot: models.ObjectRoot{`
			`AggregateID: "IAM",`
			`ResourceOwner: "IAM",`
			`},`
			`AllowRegister: false,`
			`AllowUsernamePassword: false,`
			`AllowExternalIDP: false,`
			`ForceMFA: false,`
			`PasswordlessType: domain.PasswordlessTypeNotAllowed,`
			`},`
			`},`
			`},`
			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`r := &Commands{`
			`eventstore: tt.fields.eventstore,`
			`}`
			`got, err := r.ChangeDefaultLoginPolicy(tt.args.ctx, tt.args.policy)`
			`if tt.res.err == nil {`
			`assert.NoError(t, err)`
			`}`
			`if tt.res.err != nil && !tt.res.err(err) {`
			`t.Errorf("got wrong err: %v ", err)`
			`}`
			`if tt.res.err == nil {`
			`assert.Equal(t, tt.res.want, got)`
			`}`
			`})`
			`}`
			`}`

			`func newDefaultLoginPolicyChangedEvent(ctx context.Context, allowRegister, allowUsernamePassword, allowExternalIDP, forceMFA bool, passwordlessType domain.PasswordlessType) *iam.LoginPolicyChangedEvent {`
			`event, _ := iam.NewLoginPolicyChangedEvent(ctx,`
			`&iam.NewAggregate().Aggregate,`
			`[]policy.LoginPolicyChanges{`
			`policy.ChangeAllowRegister(allowRegister),`
			`policy.ChangeAllowExternalIDP(allowExternalIDP),`
			`policy.ChangeForceMFA(forceMFA),`
			`policy.ChangeAllowUserNamePassword(allowUsernamePassword),`
			`policy.ChangePasswordlessType(passwordlessType),`
			`},`
			`)`
			`return event`
			`}`