mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 211 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
16782 Commits
17 Branches
Tree: f4923854f6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f4923854f6'
${ noResults }
gitea/tests/integration/api_admin_test.go

api_admin_test.go 12KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334 
  1. // Copyright 2017 The Gitea Authors. All rights reserved.

  2. // SPDX-License-Identifier: MIT

  3. 

  4. package integration

  5. 

  6. import (

  7. 	"fmt"

  8. 	"net/http"

  9. 	"testing"

  10. 	"time"

  11. 

  12. 	asymkey_model "code.gitea.io/gitea/models/asymkey"

  13. 	auth_model "code.gitea.io/gitea/models/auth"

  14. 	"code.gitea.io/gitea/models/unittest"

  15. 	user_model "code.gitea.io/gitea/models/user"

  16. 	"code.gitea.io/gitea/modules/json"

  17. 	api "code.gitea.io/gitea/modules/structs"

  18. 	"code.gitea.io/gitea/tests"

  19. 

  20. 	"github.com/stretchr/testify/assert"

  21. )

  22. 

  23. func TestAPIAdminCreateAndDeleteSSHKey(t *testing.T) {

  24. 	defer tests.PrepareTestEnv(t)()

  25. 	// user1 is an admin user

  26. 	session := loginUser(t, "user1")

  27. 	keyOwner := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user2"})

  28. 

  29. 	token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteAdmin)

  30. 	urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys?token=%s", keyOwner.Name, token)

  31. 	req := NewRequestWithValues(t, "POST", urlStr, map[string]string{

  32. 		"key":   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4cn+iXnA4KvcQYSV88vGn0Yi91vG47t1P7okprVmhNTkipNRIHWr6WdCO4VDr/cvsRkuVJAsLO2enwjGWWueOO6BodiBgyAOZ/5t5nJNMCNuLGT5UIo/RI1b0WRQwxEZTRjt6mFNw6lH14wRd8ulsr9toSWBPMOGWoYs1PDeDL0JuTjL+tr1SZi/EyxCngpYszKdXllJEHyI79KQgeD0Vt3pTrkbNVTOEcCNqZePSVmUH8X8Vhugz3bnE0/iE9Pb5fkWO9c4AnM1FgI/8Bvp27Fw2ShryIXuR6kKvUqhVMTuOSDHwu6A8jLE5Owt3GAYugDpDYuwTVNGrHLXKpPzrGGPE/jPmaLCMZcsdkec95dYeU3zKODEm8UQZFhmJmDeWVJ36nGrGZHL4J5aTTaeFUJmmXDaJYiJ+K2/ioKgXqnXvltu0A9R8/LGy4nrTJRr4JMLuJFoUXvGm1gXQ70w2LSpk6yl71RNC0hCtsBe8BP8IhYCM0EP5jh7eCMQZNvM= nocomment\n",

  33. 		"title": "test-key",

  34. 	})

  35. 	resp := MakeRequest(t, req, http.StatusCreated)

  36. 

  37. 	var newPublicKey api.PublicKey

  38. 	DecodeJSON(t, resp, &newPublicKey)

  39. 	unittest.AssertExistsAndLoadBean(t, &asymkey_model.PublicKey{

  40. 		ID:          newPublicKey.ID,

  41. 		Name:        newPublicKey.Title,

  42. 		Fingerprint: newPublicKey.Fingerprint,

  43. 		OwnerID:     keyOwner.ID,

  44. 	})

  45. 

  46. 	req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token=%s",

  47. 		keyOwner.Name, newPublicKey.ID, token)

  48. 	MakeRequest(t, req, http.StatusNoContent)

  49. 	unittest.AssertNotExistsBean(t, &asymkey_model.PublicKey{ID: newPublicKey.ID})

  50. }

  51. 

  52. func TestAPIAdminDeleteMissingSSHKey(t *testing.T) {

  53. 	defer tests.PrepareTestEnv(t)()

  54. 

  55. 	// user1 is an admin user

  56. 	token := getUserToken(t, "user1", auth_model.AccessTokenScopeWriteAdmin)

  57. 	req := NewRequestf(t, "DELETE", "/api/v1/admin/users/user1/keys/%d?token=%s", unittest.NonexistentID, token)

  58. 	MakeRequest(t, req, http.StatusNotFound)

  59. }

  60. 

  61. func TestAPIAdminDeleteUnauthorizedKey(t *testing.T) {

  62. 	defer tests.PrepareTestEnv(t)()

  63. 	adminUsername := "user1"

  64. 	normalUsername := "user2"

  65. 	token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeWriteAdmin)

  66. 

  67. 	urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys?token=%s", adminUsername, token)

  68. 	req := NewRequestWithValues(t, "POST", urlStr, map[string]string{

  69. 		"key":   "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4cn+iXnA4KvcQYSV88vGn0Yi91vG47t1P7okprVmhNTkipNRIHWr6WdCO4VDr/cvsRkuVJAsLO2enwjGWWueOO6BodiBgyAOZ/5t5nJNMCNuLGT5UIo/RI1b0WRQwxEZTRjt6mFNw6lH14wRd8ulsr9toSWBPMOGWoYs1PDeDL0JuTjL+tr1SZi/EyxCngpYszKdXllJEHyI79KQgeD0Vt3pTrkbNVTOEcCNqZePSVmUH8X8Vhugz3bnE0/iE9Pb5fkWO9c4AnM1FgI/8Bvp27Fw2ShryIXuR6kKvUqhVMTuOSDHwu6A8jLE5Owt3GAYugDpDYuwTVNGrHLXKpPzrGGPE/jPmaLCMZcsdkec95dYeU3zKODEm8UQZFhmJmDeWVJ36nGrGZHL4J5aTTaeFUJmmXDaJYiJ+K2/ioKgXqnXvltu0A9R8/LGy4nrTJRr4JMLuJFoUXvGm1gXQ70w2LSpk6yl71RNC0hCtsBe8BP8IhYCM0EP5jh7eCMQZNvM= nocomment\n",

  70. 		"title": "test-key",

  71. 	})

  72. 	resp := MakeRequest(t, req, http.StatusCreated)

  73. 	var newPublicKey api.PublicKey

  74. 	DecodeJSON(t, resp, &newPublicKey)

  75. 

  76. 	token = getUserToken(t, normalUsername)

  77. 	req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token=%s",

  78. 		adminUsername, newPublicKey.ID, token)

  79. 	MakeRequest(t, req, http.StatusForbidden)

  80. }

  81. 

  82. func TestAPISudoUser(t *testing.T) {

  83. 	defer tests.PrepareTestEnv(t)()

  84. 	adminUsername := "user1"

  85. 	normalUsername := "user2"

  86. 	token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeReadUser)

  87. 

  88. 	urlStr := fmt.Sprintf("/api/v1/user?sudo=%s&token=%s", normalUsername, token)

  89. 	req := NewRequest(t, "GET", urlStr)

  90. 	resp := MakeRequest(t, req, http.StatusOK)

  91. 	var user api.User

  92. 	DecodeJSON(t, resp, &user)

  93. 

  94. 	assert.Equal(t, normalUsername, user.UserName)

  95. }

  96. 

  97. func TestAPISudoUserForbidden(t *testing.T) {

  98. 	defer tests.PrepareTestEnv(t)()

  99. 	adminUsername := "user1"

  100. 	normalUsername := "user2"

  101. 

  102. 	token := getUserToken(t, normalUsername, auth_model.AccessTokenScopeReadAdmin)

  103. 	urlStr := fmt.Sprintf("/api/v1/user?sudo=%s&token=%s", adminUsername, token)

  104. 	req := NewRequest(t, "GET", urlStr)

  105. 	MakeRequest(t, req, http.StatusForbidden)

  106. }

  107. 

  108. func TestAPIListUsers(t *testing.T) {

  109. 	defer tests.PrepareTestEnv(t)()

  110. 	adminUsername := "user1"

  111. 	token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeReadAdmin)

  112. 

  113. 	urlStr := fmt.Sprintf("/api/v1/admin/users?token=%s", token)

  114. 	req := NewRequest(t, "GET", urlStr)

  115. 	resp := MakeRequest(t, req, http.StatusOK)

  116. 	var users []api.User

  117. 	DecodeJSON(t, resp, &users)

  118. 

  119. 	found := false

  120. 	for _, user := range users {

  121. 		if user.UserName == adminUsername {

  122. 			found = true

  123. 		}

  124. 	}

  125. 	assert.True(t, found)

  126. 	numberOfUsers := unittest.GetCount(t, &user_model.User{}, "type = 0")

  127. 	assert.Len(t, users, numberOfUsers)

  128. }

  129. 

  130. func TestAPIListUsersNotLoggedIn(t *testing.T) {

  131. 	defer tests.PrepareTestEnv(t)()

  132. 	req := NewRequest(t, "GET", "/api/v1/admin/users")

  133. 	MakeRequest(t, req, http.StatusUnauthorized)

  134. }

  135. 

  136. func TestAPIListUsersNonAdmin(t *testing.T) {

  137. 	defer tests.PrepareTestEnv(t)()

  138. 	nonAdminUsername := "user2"

  139. 	token := getUserToken(t, nonAdminUsername)

  140. 	req := NewRequestf(t, "GET", "/api/v1/admin/users?token=%s", token)

  141. 	MakeRequest(t, req, http.StatusForbidden)

  142. }

  143. 

  144. func TestAPICreateUserInvalidEmail(t *testing.T) {

  145. 	defer tests.PrepareTestEnv(t)()

  146. 	adminUsername := "user1"

  147. 	token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeWriteAdmin)

  148. 	urlStr := fmt.Sprintf("/api/v1/admin/users?token=%s", token)

  149. 	req := NewRequestWithValues(t, "POST", urlStr, map[string]string{

  150. 		"email":                "invalid_email@domain.com\r\n",

  151. 		"full_name":            "invalid user",

  152. 		"login_name":           "invalidUser",

  153. 		"must_change_password": "true",

  154. 		"password":             "password",

  155. 		"send_notify":          "true",

  156. 		"source_id":            "0",

  157. 		"username":             "invalidUser",

  158. 	})

  159. 	MakeRequest(t, req, http.StatusUnprocessableEntity)

  160. }

  161. 

  162. func TestAPICreateAndDeleteUser(t *testing.T) {

  163. 	defer tests.PrepareTestEnv(t)()

  164. 	adminUsername := "user1"

  165. 	token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeWriteAdmin)

  166. 

  167. 	req := NewRequestWithValues(

  168. 		t,

  169. 		"POST",

  170. 		fmt.Sprintf("/api/v1/admin/users?token=%s", token),

  171. 		map[string]string{

  172. 			"email":                "deleteme@domain.com",

  173. 			"full_name":            "delete me",

  174. 			"login_name":           "deleteme",

  175. 			"must_change_password": "true",

  176. 			"password":             "password",

  177. 			"send_notify":          "true",

  178. 			"source_id":            "0",

  179. 			"username":             "deleteme",

  180. 		},

  181. 	)

  182. 	MakeRequest(t, req, http.StatusCreated)

  183. 

  184. 	req = NewRequest(t, "DELETE", fmt.Sprintf("/api/v1/admin/users/deleteme?token=%s", token))

  185. 	MakeRequest(t, req, http.StatusNoContent)

  186. }

  187. 

  188. func TestAPIEditUser(t *testing.T) {

  189. 	defer tests.PrepareTestEnv(t)()

  190. 	adminUsername := "user1"

  191. 	token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeWriteAdmin)

  192. 	urlStr := fmt.Sprintf("/api/v1/admin/users/%s?token=%s", "user2", token)

  193. 

  194. 	req := NewRequestWithValues(t, "PATCH", urlStr, map[string]string{

  195. 		// required

  196. 		"login_name": "user2",

  197. 		"source_id":  "0",

  198. 		// to change

  199. 		"full_name": "Full Name User 2",

  200. 	})

  201. 	MakeRequest(t, req, http.StatusOK)

  202. 

  203. 	empty := ""

  204. 	req = NewRequestWithJSON(t, "PATCH", urlStr, api.EditUserOption{

  205. 		LoginName: "user2",

  206. 		SourceID:  0,

  207. 		Email:     &empty,

  208. 	})

  209. 	resp := MakeRequest(t, req, http.StatusUnprocessableEntity)

  210. 

  211. 	errMap := make(map[string]any)

  212. 	json.Unmarshal(resp.Body.Bytes(), &errMap)

  213. 	assert.EqualValues(t, "email is not allowed to be empty string", errMap["message"].(string))

  214. 

  215. 	user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{LoginName: "user2"})

  216. 	assert.False(t, user2.IsRestricted)

  217. 	bTrue := true

  218. 	req = NewRequestWithJSON(t, "PATCH", urlStr, api.EditUserOption{

  219. 		// required

  220. 		LoginName: "user2",

  221. 		SourceID:  0,

  222. 		// to change

  223. 		Restricted: &bTrue,

  224. 	})

  225. 	MakeRequest(t, req, http.StatusOK)

  226. 	user2 = unittest.AssertExistsAndLoadBean(t, &user_model.User{LoginName: "user2"})

  227. 	assert.True(t, user2.IsRestricted)

  228. }

  229. 

  230. func TestAPICreateRepoForUser(t *testing.T) {

  231. 	defer tests.PrepareTestEnv(t)()

  232. 	adminUsername := "user1"

  233. 	token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeWriteAdmin)

  234. 

  235. 	req := NewRequestWithJSON(

  236. 		t,

  237. 		"POST",

  238. 		fmt.Sprintf("/api/v1/admin/users/%s/repos?token=%s", adminUsername, token),

  239. 		&api.CreateRepoOption{

  240. 			Name: "admincreatedrepo",

  241. 		},

  242. 	)

  243. 	MakeRequest(t, req, http.StatusCreated)

  244. }

  245. 

  246. func TestAPIRenameUser(t *testing.T) {

  247. 	defer tests.PrepareTestEnv(t)()

  248. 	adminUsername := "user1"

  249. 	token := getUserToken(t, adminUsername, auth_model.AccessTokenScopeWriteAdmin)

  250. 	urlStr := fmt.Sprintf("/api/v1/admin/users/%s/rename?token=%s", "user2", token)

  251. 	req := NewRequestWithValues(t, "POST", urlStr, map[string]string{

  252. 		// required

  253. 		"new_name": "User2",

  254. 	})

  255. 	MakeRequest(t, req, http.StatusOK)

  256. 

  257. 	urlStr = fmt.Sprintf("/api/v1/admin/users/%s/rename?token=%s", "User2", token)

  258. 	req = NewRequestWithValues(t, "POST", urlStr, map[string]string{

  259. 		// required

  260. 		"new_name": "User2-2-2",

  261. 	})

  262. 	MakeRequest(t, req, http.StatusOK)

  263. 

  264. 	urlStr = fmt.Sprintf("/api/v1/admin/users/%s/rename?token=%s", "User2", token)

  265. 	req = NewRequestWithValues(t, "POST", urlStr, map[string]string{

  266. 		// required

  267. 		"new_name": "user1",

  268. 	})

  269. 	// the old user name still be used by with a redirect

  270. 	MakeRequest(t, req, http.StatusTemporaryRedirect)

  271. 

  272. 	urlStr = fmt.Sprintf("/api/v1/admin/users/%s/rename?token=%s", "User2-2-2", token)

  273. 	req = NewRequestWithValues(t, "POST", urlStr, map[string]string{

  274. 		// required

  275. 		"new_name": "user1",

  276. 	})

  277. 	MakeRequest(t, req, http.StatusUnprocessableEntity)

  278. 

  279. 	urlStr = fmt.Sprintf("/api/v1/admin/users/%s/rename?token=%s", "User2-2-2", token)

  280. 	req = NewRequestWithValues(t, "POST", urlStr, map[string]string{

  281. 		// required

  282. 		"new_name": "user2",

  283. 	})

  284. 	MakeRequest(t, req, http.StatusOK)

  285. }

  286. 

  287. func TestAPICron(t *testing.T) {

  288. 	defer tests.PrepareTestEnv(t)()

  289. 

  290. 	// user1 is an admin user

  291. 	session := loginUser(t, "user1")

  292. 

  293. 	t.Run("List", func(t *testing.T) {

  294. 		defer tests.PrintCurrentTest(t)()

  295. 

  296. 		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadAdmin)

  297. 		urlStr := fmt.Sprintf("/api/v1/admin/cron?token=%s", token)

  298. 		req := NewRequest(t, "GET", urlStr)

  299. 		resp := MakeRequest(t, req, http.StatusOK)

  300. 

  301. 		assert.Equal(t, "28", resp.Header().Get("X-Total-Count"))

  302. 

  303. 		var crons []api.Cron

  304. 		DecodeJSON(t, resp, &crons)

  305. 		assert.Len(t, crons, 28)

  306. 	})

  307. 

  308. 	t.Run("Execute", func(t *testing.T) {

  309. 		defer tests.PrintCurrentTest(t)()

  310. 

  311. 		now := time.Now()

  312. 		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteAdmin)

  313. 		// Archive cleanup is harmless, because in the test environment there are none

  314. 		// and is thus an NOOP operation and therefore doesn't interfere with any other

  315. 		// tests.

  316. 		urlStr := fmt.Sprintf("/api/v1/admin/cron/archive_cleanup?token=%s", token)

  317. 		req := NewRequest(t, "POST", urlStr)

  318. 		MakeRequest(t, req, http.StatusNoContent)

  319. 

  320. 		// Check for the latest run time for this cron, to ensure it has been run.

  321. 		urlStr = fmt.Sprintf("/api/v1/admin/cron?token=%s", token)

  322. 		req = NewRequest(t, "GET", urlStr)

  323. 		resp := MakeRequest(t, req, http.StatusOK)

  324. 

  325. 		var crons []api.Cron

  326. 		DecodeJSON(t, resp, &crons)

  327. 

  328. 		for _, cron := range crons {

  329. 			if cron.Name == "archive_cleanup" {

  330. 				assert.True(t, now.Before(cron.Prev))

  331. 			}

  332. 		}

  333. 	})

  334. }