Missing domain admin tests

esl · Sep 5, 2022 · 687cd1e · 687cd1e
1 parent 6b39a79
commit 687cd1e
Show file tree

Hide file tree

Showing 17 changed files with 1,132 additions and 66 deletions.
diff --git a/big_tests/tests/domain_helper.erl b/big_tests/tests/domain_helper.erl
@@ -3,7 +3,9 @@
 -export([insert_configured_domains/0,
          delete_configured_domains/0,
          insert_domain/3,
+         insert_persistent_domain/3,
          delete_domain/2,
+         delete_persistent_domain/3,
          set_domain_password/3,
          delete_domain_password/2,
          make_metrics_prefix/1,

diff --git a/big_tests/tests/graphql_account_SUITE.erl b/big_tests/tests/graphql_account_SUITE.erl
@@ -6,7 +6,8 @@
 
 -import(distributed_helper, [mim/0, require_rpc_nodes/1, rpc/4]).
 -import(graphql_helper, [execute_command/4, execute_user_command/5, get_listener_port/1,
-                         get_listener_config/1, get_ok_value/2, get_err_msg/1]).
+                         get_listener_config/1, get_ok_value/2, get_err_msg/1,
+                         execute_domain_admin_command/4, get_unauthorized/1]).
 
 -define(NOT_EXISTING_JID, <<"unknown987@unknown">>).
 
@@ -16,12 +17,14 @@ suite() ->
 all() ->
     [{group, user_account},
      {group, admin_account_http},
-     {group, admin_account_cli}].
+     {group, admin_account_cli},
+     {group, domain_admin_account}].
 
 groups() ->
     [{user_account, [parallel], user_account_tests()},
      {admin_account_http, [], admin_account_tests()},
-     {admin_account_cli, [], admin_account_tests()}].
+     {admin_account_cli, [], admin_account_tests()},
+     {domain_admin_account, [], domain_admin_tests()}].
 
 user_account_tests() ->
     [user_unregister,
@@ -41,6 +44,22 @@ admin_account_tests() ->
      admin_ban_user,
      admin_change_user_password].
 
+domain_admin_tests() ->
+    [domain_admin_list_users,
+     domain_admin_count_users,
+     domain_admin_check_password,
+     domain_admin_check_password_hash,
+     domain_admin_check_plain_password_hash,
+     domain_admin_check_user,
+     admin_register_user,
+     domain_admin_register_user_no_permission,
+     admin_register_random_user,
+     domain_admin_remove_non_existing_user,
+     admin_remove_existing_user,
+     domain_admin_remove_user_no_permission,
+     domain_admin_ban_user,
+     domain_admin_change_user_password].
+
 init_per_suite(Config) ->
     Config1 = [{ctl_auth_mods, mongoose_helper:auth_modules()} | Config],
     Config2 = escalus:init_per_suite(Config1),
@@ -55,23 +74,35 @@ init_per_group(admin_account_http, Config) ->
     graphql_helper:init_admin_handler(init_users(Config));
 init_per_group(admin_account_cli, Config) ->
     graphql_helper:init_admin_cli(init_users(Config));
+init_per_group(domain_admin_account, Config) ->
+    graphql_helper:init_domain_admin_handler(domain_admin_init_users(Config));
 init_per_group(user_account, Config) ->
     graphql_helper:init_user(Config).
 
 end_per_group(user_account, _Config) ->
     graphql_helper:clean(),
     escalus_fresh:clean();
+end_per_group(domain_admin_account, Config) ->
+    graphql_helper:clean(),
+    domain_admin_clean_users(Config);
 end_per_group(_GroupName, Config) ->
     graphql_helper:clean(),
     clean_users(Config).
 
 init_users(Config) ->
     escalus:create_users(Config, escalus:get_users([alice])).
 
+domain_admin_init_users(Config) ->
+    escalus:create_users(Config, escalus:get_users([alice, alice_bis])).
+
 clean_users(Config) ->
     escalus_fresh:clean(),
     escalus:delete_users(Config, escalus:get_users([alice])).
 
+domain_admin_clean_users(Config) ->
+    escalus_fresh:clean(),
+    escalus:delete_users(Config, escalus:get_users([alice, alice_bis])).
+
 init_per_testcase(admin_register_user = C, Config) ->
     Config1 = [{user, {<<"gql_admin_registration_test">>, domain_helper:domain()}} | Config],
     escalus:init_per_testcase(C, Config1);
@@ -87,6 +118,21 @@ init_per_testcase(admin_check_plain_password_hash = C, Config) ->
             Config2 = escalus:create_users(Config1, escalus:get_users([carol])),
             escalus:init_per_testcase(C, Config2)
     end;
+init_per_testcase(domain_admin_check_plain_password_hash = C, Config) ->
+    {_, AuthMods} = lists:keyfind(ctl_auth_mods, 1, Config),
+    case lists:member(ejabberd_auth_ldap, AuthMods) of
+        true ->
+            {skip, not_fully_supported_with_ldap};
+        false ->
+            AuthOpts = mongoose_helper:auth_opts_with_password_format(plain),
+            Config1 = mongoose_helper:backup_and_set_config_option(
+                        Config, {auth, domain_helper:host_type()}, AuthOpts),
+            Config2 = escalus:create_users(Config1, escalus:get_users([alice_bis])),
+            escalus:init_per_testcase(C, Config2)
+    end;
+init_per_testcase(domain_admin_register_user = C, Config) ->
+    Config1 = [{user, {<<"gql_domain_admin_registration_test">>, domain_helper:domain()}} | Config],
+    escalus:init_per_testcase(C, Config1);
 init_per_testcase(CaseName, Config) ->
     escalus:init_per_testcase(CaseName, Config).
 
@@ -97,6 +143,13 @@ end_per_testcase(admin_register_user = C, Config) ->
 end_per_testcase(admin_check_plain_password_hash, Config) ->
     mongoose_helper:restore_config(Config),
     escalus:delete_users(Config, escalus:get_users([carol]));
+end_per_testcase(domain_admin_check_plain_password_hash, Config) ->
+    mongoose_helper:restore_config(Config),
+    escalus:delete_users(Config, escalus:get_users([carol, alice_bis]));
+end_per_testcase(domain_admin_register_user = C, Config) ->
+    {Username, Domain} = proplists:get_value(user, Config),
+    rpc(mim(), mongoose_account_api, unregister_user, [Username, Domain]),
+    escalus:end_per_testcase(C, Config);
 end_per_testcase(CaseName, Config) ->
     escalus:end_per_testcase(CaseName, Config).
 
@@ -262,6 +315,122 @@ admin_change_user_password(Config) ->
         ?assertNotEqual(nomatch, binary:match(get_ok_value(Path, Resp3), <<"Password changed">>))
     end).
 
+domain_admin_list_users(Config) ->
+    % An unknown domain
+    Resp = list_users(<<"unknown-domain">>, Config),
+    get_unauthorized(Resp),
+    % A domain with users
+    Domain = domain_helper:domain(),
+    Username = jid:nameprep(escalus_users:get_username(Config, alice)),
+    JID = <<Username/binary, "@", Domain/binary>>,
+    Resp2 = list_users(Domain, Config),
+    Users = get_ok_value([data, account, listUsers], Resp2),
+    ?assert(lists:member(JID, Users)).
+
+domain_admin_count_users(Config) ->
+    % An unknown domain
+    Resp = count_users(<<"unknown-domain">>, Config),
+    get_unauthorized(Resp),
+    % A domain with at least one user
+    Domain = domain_helper:domain(),
+    Resp2 = count_users(Domain, Config),
+    ?assert(0 < get_ok_value([data, account, countUsers], Resp2)).
+
+domain_admin_check_password(Config) ->
+    Password = lists:last(escalus_users:get_usp(Config, alice)),
+    BinJID = escalus_users:get_jid(Config, alice),
+    Path = [data, account, checkPassword],
+    % A correct password
+    Resp1 = check_password(BinJID, Password, Config),
+    ?assertMatch(#{<<"correct">> := true, <<"message">> := _}, get_ok_value(Path, Resp1)),
+    % An incorrect password
+    Resp2 = check_password(BinJID, <<"incorrect_pw">>, Config),
+    ?assertMatch(#{<<"correct">> := false, <<"message">> := _}, get_ok_value(Path, Resp2)),
+    % An external domain
+    PasswordOutside = lists:last(escalus_users:get_usp(Config, alice_bis)),
+    BinOutsideJID = escalus_users:get_jid(Config, alice_bis),
+    Resp3 = check_password(BinOutsideJID, PasswordOutside, Config),
+    get_unauthorized(Resp3),
+    % A non-existing user
+    Resp4 = check_password(?NOT_EXISTING_JID, Password, Config),
+    get_unauthorized(Resp4).    
+
+domain_admin_check_password_hash(Config) ->
+    UserSCRAM = escalus_users:get_jid(Config, alice),
+    ExternalUserSCRAM = escalus_users:get_jid(Config, alice_bis),
+    EmptyHash = list_to_binary(get_md5(<<>>)),
+    Method = <<"md5">>,
+    % SCRAM password user
+    Resp1 = check_password_hash(UserSCRAM, EmptyHash, Method, Config),
+    ?assertNotEqual(nomatch, binary:match(get_err_msg(Resp1), <<"SCRAM password">>)),
+    % An external domain user
+    Resp2 = check_password_hash(ExternalUserSCRAM, EmptyHash, Method, Config),
+    get_unauthorized(Resp2).
+
+domain_admin_check_plain_password_hash(Config) ->
+    Method = <<"md5">>,
+    ExternalUserJID = escalus_users:get_jid(Config, alice_bis),
+    ExternalPassword = lists:last(escalus_users:get_usp(Config, alice_bis)),
+    ExternalHash = list_to_binary(get_md5(ExternalPassword)),
+    get_unauthorized(check_password_hash(ExternalUserJID, ExternalHash, Method, Config)).
+
+domain_admin_check_user(Config) ->
+    BinJID = escalus_users:get_jid(Config, alice),
+    ExternalBinJID = escalus_users:get_jid(Config, alice_bis),
+    Path = [data, account, checkUser],
+    % An existing user
+    Resp1 = check_user(BinJID, Config),
+    ?assertMatch(#{<<"exist">> := true, <<"message">> := _}, get_ok_value(Path, Resp1)),
+    % An external domain user
+    Resp2 = check_user(ExternalBinJID, Config),
+    get_unauthorized(Resp2).
+
+domain_admin_register_user_no_permission(Config) ->
+    Password = <<"my_password">>,
+    Domain = <<"unknown-domain">>,
+    get_unauthorized(register_user(Domain, external_user, Password, Config)).
+
+domain_admin_remove_non_existing_user(Config) ->
+    get_unauthorized(remove_user(?NOT_EXISTING_JID, Config)).
+
+domain_admin_remove_user_no_permission(Config) ->
+    escalus:fresh_story(Config, [{alice_bis, 1}], fun(AliceBis) ->
+        BinJID = escalus_client:full_jid(AliceBis),
+        get_unauthorized(remove_user(BinJID, Config))
+    end).
+
+domain_admin_ban_user(Config) ->
+    Path = [data, account, banUser, message],
+    Reason = <<"annoying">>,
+    % Ban not existing user
+    Resp1 = ban_user(?NOT_EXISTING_JID, Reason, Config),
+    get_unauthorized(Resp1),
+    % Ban an existing user
+    escalus:fresh_story(Config, [{alice, 1}], fun(Alice) ->
+        BinJID = escalus_client:full_jid(Alice),
+        Resp2 = ban_user(BinJID, Reason, Config),
+        ?assertNotEqual(nomatch, binary:match(get_ok_value(Path, Resp2), <<"successfully banned">>))
+    end).
+
+domain_admin_change_user_password(Config) ->
+    Path = [data, account, changeUserPassword, message],
+    NewPassword = <<"new password">>,
+    % Change password of not existing user
+    Resp1 = change_user_password(?NOT_EXISTING_JID, NewPassword, Config),
+    get_unauthorized(Resp1),
+    % Set an empty password
+    escalus:fresh_story(Config, [{alice, 1}], fun(Alice1) ->
+        BinJID = escalus_client:full_jid(Alice1),
+        Resp2 = change_user_password(BinJID, <<>>, Config),
+        ?assertNotEqual(nomatch, binary:match(get_err_msg(Resp2), <<"Empty password">>))
+    end),
+    % Change password of an existing user
+    escalus:fresh_story(Config, [{alice, 1}], fun(Alice2) ->
+        BinJID = escalus_client:full_jid(Alice2),
+        Resp3 = change_user_password(BinJID, NewPassword, Config),
+        ?assertNotEqual(nomatch, binary:match(get_ok_value(Path, Resp3), <<"Password changed">>))
+    end).
+
 %% Helpers
 
 get_md5(AccountPass) ->