Accueil Explorer Aide
Connexion
mirrors
/
ntfy
miroir de https://github.com/binwiederhier/ntfy
1
0
Fork 0
Fichiers Tickets 0 Wiki
Aborescence: ff904a5ca6
Branches Tags
ntfy
/
user
/
manager_test.go

manager_test.go 47 KB
Historique Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342 
  1. package user
    2. 

  2. 

  3. import (
    4. 

  4. 	"database/sql"
    5. 

  5. 	"fmt"
    6. 

  6. 	"github.com/stretchr/testify/require"
    7. 

  7. 	"github.com/stripe/stripe-go/v74"
    8. 

  8. 	"golang.org/x/crypto/bcrypt"
    9. 

  9. 	"heckel.io/ntfy/v2/util"
    10. 

  10. 	"net/netip"
    11. 

  11. 	"path/filepath"
    12. 

  12. 	"strings"
    13. 

  13. 	"testing"
    14. 

  14. 	"time"
    15. 

  15. )
    16. 

  16. 

  17. const minBcryptTimingMillis = int64(40) // Ideally should be >100ms, but this should also run on a Raspberry Pi without massive resources
    18. 

  18. 

  19. func TestManager_FullScenario_Default_DenyAll(t *testing.T) {
    20. 

  20. 	a := newTestManagerFromFile(t, filepath.Join(t.TempDir(), "user.db"), "", PermissionDenyAll, DefaultUserPasswordBcryptCost, DefaultUserStatsQueueWriterInterval)
    21. 

  21. 	require.Nil(t, a.AddUser("phil", "phil", RoleAdmin, false))
    22. 

  22. 	require.Nil(t, a.AddUser("ben", "ben", RoleUser, false))
    23. 

  23. 	require.Nil(t, a.AddUser("john", "john", RoleUser, false))
    24. 

  24. 	require.Nil(t, a.AllowAccess("ben", "mytopic", PermissionReadWrite))
    25. 

  25. 	require.Nil(t, a.AllowAccess("ben", "readme", PermissionRead))
    26. 

  26. 	require.Nil(t, a.AllowAccess("ben", "writeme", PermissionWrite))
    27. 

  27. 	require.Nil(t, a.AllowAccess("ben", "everyonewrite", PermissionDenyAll)) // How unfair!
    28. 

  28. 	require.Nil(t, a.AllowAccess("john", "*", PermissionRead))
    29. 

  29. 	require.Nil(t, a.AllowAccess("john", "mytopic*", PermissionReadWrite))
    30. 

  30. 	require.Nil(t, a.AllowAccess("john", "mytopic_ro*", PermissionRead))
    31. 

  31. 	require.Nil(t, a.AllowAccess("john", "mytopic_deny*", PermissionDenyAll))
    32. 

  32. 	require.Nil(t, a.AllowAccess(Everyone, "announcements", PermissionRead))
    33. 

  33. 	require.Nil(t, a.AllowAccess(Everyone, "everyonewrite", PermissionReadWrite))
    34. 

  34. 	require.Nil(t, a.AllowAccess(Everyone, "up*", PermissionWrite)) // Everyone can write to /up*
    35. 

  35. 

  36. 	phil, err := a.Authenticate("phil", "phil")
    37. 

  37. 	require.Nil(t, err)
    38. 

  38. 	require.Equal(t, "phil", phil.Name)
    39. 

  39. 	require.True(t, strings.HasPrefix(phil.Hash, "$2a$10$"))
    40. 

  40. 	require.Equal(t, RoleAdmin, phil.Role)
    41. 

  41. 

  42. 	philGrants, err := a.Grants("phil")
    43. 

  43. 	require.Nil(t, err)
    44. 

  44. 	require.Equal(t, []Grant{}, philGrants)
    45. 

  45. 

  46. 	ben, err := a.Authenticate("ben", "ben")
    47. 

  47. 	require.Nil(t, err)
    48. 

  48. 	require.Equal(t, "ben", ben.Name)
    49. 

  49. 	require.True(t, strings.HasPrefix(ben.Hash, "$2a$10$"))
    50. 

  50. 	require.Equal(t, RoleUser, ben.Role)
    51. 

  51. 

  52. 	benGrants, err := a.Grants("ben")
    53. 

  53. 	require.Nil(t, err)
    54. 

  54. 	require.Equal(t, []Grant{
    55. 

  55. 		{"everyonewrite", PermissionDenyAll},
    56. 

  56. 		{"mytopic", PermissionReadWrite},
    57. 

  57. 		{"writeme", PermissionWrite},
    58. 

  58. 		{"readme", PermissionRead},
    59. 

  59. 	}, benGrants)
    60. 

  60. 

  61. 	john, err := a.Authenticate("john", "john")
    62. 

  62. 	require.Nil(t, err)
    63. 

  63. 	require.Equal(t, "john", john.Name)
    64. 

  64. 	require.True(t, strings.HasPrefix(john.Hash, "$2a$10$"))
    65. 

  65. 	require.Equal(t, RoleUser, john.Role)
    66. 

  66. 

  67. 	johnGrants, err := a.Grants("john")
    68. 

  68. 	require.Nil(t, err)
    69. 

  69. 	require.Equal(t, []Grant{
    70. 

  70. 		{"mytopic_deny*", PermissionDenyAll},
    71. 

  71. 		{"mytopic_ro*", PermissionRead},
    72. 

  72. 		{"mytopic*", PermissionReadWrite},
    73. 

  73. 		{"*", PermissionRead},
    74. 

  74. 	}, johnGrants)
    75. 

  75. 

  76. 	notben, err := a.Authenticate("ben", "this is wrong")
    77. 

  77. 	require.Nil(t, notben)
    78. 

  78. 	require.Equal(t, ErrUnauthenticated, err)
    79. 

  79. 

  80. 	// Admin can do everything
    81. 

  81. 	require.Nil(t, a.Authorize(phil, "sometopic", PermissionWrite))
    82. 

  82. 	require.Nil(t, a.Authorize(phil, "mytopic", PermissionRead))
    83. 

  83. 	require.Nil(t, a.Authorize(phil, "readme", PermissionWrite))
    84. 

  84. 	require.Nil(t, a.Authorize(phil, "writeme", PermissionWrite))
    85. 

  85. 	require.Nil(t, a.Authorize(phil, "announcements", PermissionWrite))
    86. 

  86. 	require.Nil(t, a.Authorize(phil, "everyonewrite", PermissionWrite))
    87. 

  87. 

  88. 	// User cannot do everything
    89. 

  89. 	require.Nil(t, a.Authorize(ben, "mytopic", PermissionWrite))
    90. 

  90. 	require.Nil(t, a.Authorize(ben, "mytopic", PermissionRead))
    91. 

  91. 	require.Nil(t, a.Authorize(ben, "readme", PermissionRead))
    92. 

  92. 	require.Equal(t, ErrUnauthorized, a.Authorize(ben, "readme", PermissionWrite))
    93. 

  93. 	require.Equal(t, ErrUnauthorized, a.Authorize(ben, "writeme", PermissionRead))
    94. 

  94. 	require.Nil(t, a.Authorize(ben, "writeme", PermissionWrite))
    95. 

  95. 	require.Nil(t, a.Authorize(ben, "writeme", PermissionWrite))
    96. 

  96. 	require.Equal(t, ErrUnauthorized, a.Authorize(ben, "everyonewrite", PermissionRead))
    97. 

  97. 	require.Equal(t, ErrUnauthorized, a.Authorize(ben, "everyonewrite", PermissionWrite))
    98. 

  98. 	require.Nil(t, a.Authorize(ben, "announcements", PermissionRead))
    99. 

  99. 	require.Equal(t, ErrUnauthorized, a.Authorize(ben, "announcements", PermissionWrite))
    100. 

  100. 

  101. 	// User john should have
    102. 

  102. 	//  "deny" to mytopic_deny*,
    103. 

  103. 	//    "ro" to mytopic_ro*,
    104. 

  104. 	//    "rw" to mytopic*,
    105. 

  105. 	//    "ro" to the rest
    106. 

  106. 	require.Equal(t, ErrUnauthorized, a.Authorize(john, "mytopic_deny_case", PermissionRead))
    107. 

  107. 	require.Equal(t, ErrUnauthorized, a.Authorize(john, "mytopic_deny_case", PermissionWrite))
    108. 

  108. 	require.Nil(t, a.Authorize(john, "mytopic_ro_test_case", PermissionRead))
    109. 

  109. 	require.Equal(t, ErrUnauthorized, a.Authorize(john, "mytopic_ro_test_case", PermissionWrite))
    110. 

  110. 	require.Nil(t, a.Authorize(john, "mytopic_case1", PermissionRead))
    111. 

  111. 	require.Nil(t, a.Authorize(john, "mytopic_case1", PermissionWrite))
    112. 

  112. 	require.Nil(t, a.Authorize(john, "readme", PermissionRead))
    113. 

  113. 	require.Equal(t, ErrUnauthorized, a.Authorize(john, "writeme", PermissionWrite))
    114. 

  114. 

  115. 	// Everyone else can do barely anything
    116. 

  116. 	require.Equal(t, ErrUnauthorized, a.Authorize(nil, "sometopicnotinthelist", PermissionRead))
    117. 

  117. 	require.Equal(t, ErrUnauthorized, a.Authorize(nil, "sometopicnotinthelist", PermissionWrite))
    118. 

  118. 	require.Equal(t, ErrUnauthorized, a.Authorize(nil, "mytopic", PermissionRead))
    119. 

  119. 	require.Equal(t, ErrUnauthorized, a.Authorize(nil, "mytopic", PermissionWrite))
    120. 

  120. 	require.Equal(t, ErrUnauthorized, a.Authorize(nil, "readme", PermissionRead))
    121. 

  121. 	require.Equal(t, ErrUnauthorized, a.Authorize(nil, "readme", PermissionWrite))
    122. 

  122. 	require.Equal(t, ErrUnauthorized, a.Authorize(nil, "writeme", PermissionRead))
    123. 

  123. 	require.Equal(t, ErrUnauthorized, a.Authorize(nil, "writeme", PermissionWrite))
    124. 

  124. 	require.Equal(t, ErrUnauthorized, a.Authorize(nil, "announcements", PermissionWrite))
    125. 

  125. 	require.Nil(t, a.Authorize(nil, "announcements", PermissionRead))
    126. 

  126. 	require.Nil(t, a.Authorize(nil, "everyonewrite", PermissionRead))
    127. 

  127. 	require.Nil(t, a.Authorize(nil, "everyonewrite", PermissionWrite))
    128. 

  128. 	require.Nil(t, a.Authorize(nil, "up1234", PermissionWrite)) // Wildcard permission
    129. 

  129. 	require.Nil(t, a.Authorize(nil, "up5678", PermissionWrite))
    130. 

  130. }
    131. 

  131. 

  132. func TestManager_Access_Order_LengthWriteRead(t *testing.T) {
    133. 

  133. 	// This test validates issue #914 / #917, i.e. that write permissions are prioritized over read permissions,
    134. 

  134. 	// and longer ACL rules are prioritized as well.
    135. 

  135. 

  136. 	a := newTestManagerFromFile(t, filepath.Join(t.TempDir(), "user.db"), "", PermissionDenyAll, DefaultUserPasswordBcryptCost, DefaultUserStatsQueueWriterInterval)
    137. 

  137. 	require.Nil(t, a.AddUser("ben", "ben", RoleUser, false))
    138. 

  138. 	require.Nil(t, a.AllowAccess("ben", "test*", PermissionReadWrite))
    139. 

  139. 	require.Nil(t, a.AllowAccess("ben", "*", PermissionRead))
    140. 

  140. 

  141. 	ben, err := a.Authenticate("ben", "ben")
    142. 

  142. 	require.Nil(t, err)
    143. 

  143. 	require.Nil(t, a.Authorize(ben, "any-topic-can-be-read", PermissionRead))
    144. 

  144. 	require.Nil(t, a.Authorize(ben, "this-too", PermissionRead))
    145. 

  145. 	require.Nil(t, a.Authorize(ben, "test123", PermissionWrite))
    146. 

  146. }
    147. 

  147. 

  148. func TestManager_AddUser_Invalid(t *testing.T) {
    149. 

  149. 	a := newTestManager(t, PermissionDenyAll)
    150. 

  150. 	require.Equal(t, ErrInvalidArgument, a.AddUser("  invalid  ", "pass", RoleAdmin, false))
    151. 

  151. 	require.Equal(t, ErrInvalidArgument, a.AddUser("validuser", "pass", "invalid-role", false))
    152. 

  152. }
    153. 

  153. 

  154. func TestManager_AddUser_Timing(t *testing.T) {
    155. 

  155. 	a := newTestManagerFromFile(t, filepath.Join(t.TempDir(), "user.db"), "", PermissionDenyAll, DefaultUserPasswordBcryptCost, DefaultUserStatsQueueWriterInterval)
    156. 

  156. 	start := time.Now().UnixMilli()
    157. 

  157. 	require.Nil(t, a.AddUser("user", "pass", RoleAdmin, false))
    158. 

  158. 	require.GreaterOrEqual(t, time.Now().UnixMilli()-start, minBcryptTimingMillis)
    159. 

  159. }
    160. 

  160. 

  161. func TestManager_AddUser_And_Query(t *testing.T) {
    162. 

  162. 	a := newTestManagerFromFile(t, filepath.Join(t.TempDir(), "user.db"), "", PermissionDenyAll, DefaultUserPasswordBcryptCost, DefaultUserStatsQueueWriterInterval)
    163. 

  163. 	require.Nil(t, a.AddUser("user", "pass", RoleAdmin, false))
    164. 

  164. 	require.Nil(t, a.ChangeBilling("user", &Billing{
    165. 

  165. 		StripeCustomerID:            "acct_123",
    166. 

  166. 		StripeSubscriptionID:        "sub_123",
    167. 

  167. 		StripeSubscriptionStatus:    stripe.SubscriptionStatusActive,
    168. 

  168. 		StripeSubscriptionInterval:  stripe.PriceRecurringIntervalMonth,
    169. 

  169. 		StripeSubscriptionPaidUntil: time.Now().Add(time.Hour),
    170. 

  170. 		StripeSubscriptionCancelAt:  time.Unix(0, 0),
    171. 

  171. 	}))
    172. 

  172. 

  173. 	u, err := a.User("user")
    174. 

  174. 	require.Nil(t, err)
    175. 

  175. 	require.Equal(t, "user", u.Name)
    176. 

  176. 

  177. 	u2, err := a.UserByID(u.ID)
    178. 

  178. 	require.Nil(t, err)
    179. 

  179. 	require.Equal(t, u.Name, u2.Name)
    180. 

  180. 

  181. 	u3, err := a.UserByStripeCustomer("acct_123")
    182. 

  182. 	require.Nil(t, err)
    183. 

  183. 	require.Equal(t, u.ID, u3.ID)
    184. 

  184. }
    185. 

  185. 

  186. func TestManager_MarkUserRemoved_RemoveDeletedUsers(t *testing.T) {
    187. 

  187. 	a := newTestManager(t, PermissionDenyAll)
    188. 

  188. 

  189. 	// Create user, add reservations and token
    190. 

  190. 	require.Nil(t, a.AddUser("user", "pass", RoleAdmin, false))
    191. 

  191. 	require.Nil(t, a.AddReservation("user", "mytopic", PermissionRead))
    192. 

  192. 

  193. 	u, err := a.User("user")
    194. 

  194. 	require.Nil(t, err)
    195. 

  195. 	require.False(t, u.Deleted)
    196. 

  196. 

  197. 	token, err := a.CreateToken(u.ID, "", time.Now().Add(time.Hour), netip.IPv4Unspecified())
    198. 

  198. 	require.Nil(t, err)
    199. 

  199. 

  200. 	u, err = a.Authenticate("user", "pass")
    201. 

  201. 	require.Nil(t, err)
    202. 

  202. 

  203. 	_, err = a.AuthenticateToken(token.Value)
    204. 

  204. 	require.Nil(t, err)
    205. 

  205. 

  206. 	reservations, err := a.Reservations("user")
    207. 

  207. 	require.Nil(t, err)
    208. 

  208. 	require.Equal(t, 1, len(reservations))
    209. 

  209. 

  210. 	// Mark deleted: cannot auth anymore, and all reservations are gone
    211. 

  211. 	require.Nil(t, a.MarkUserRemoved(u))
    212. 

  212. 

  213. 	_, err = a.Authenticate("user", "pass")
    214. 

  214. 	require.Equal(t, ErrUnauthenticated, err)
    215. 

  215. 

  216. 	_, err = a.AuthenticateToken(token.Value)
    217. 

  217. 	require.Equal(t, ErrUnauthenticated, err)
    218. 

  218. 

  219. 	reservations, err = a.Reservations("user")
    220. 

  220. 	require.Nil(t, err)
    221. 

  221. 	require.Equal(t, 0, len(reservations))
    222. 

  222. 

  223. 	// Make sure user is still there
    224. 

  224. 	u, err = a.User("user")
    225. 

  225. 	require.Nil(t, err)
    226. 

  226. 	require.True(t, u.Deleted)
    227. 

  227. 

  228. 	_, err = a.db.Exec("UPDATE user SET deleted = ? WHERE id = ?", time.Now().Add(-1*(userHardDeleteAfterDuration+time.Hour)).Unix(), u.ID)
    229. 

  229. 	require.Nil(t, err)
    230. 

  230. 	require.Nil(t, a.RemoveDeletedUsers())
    231. 

  231. 

  232. 	_, err = a.User("user")
    233. 

  233. 	require.Equal(t, ErrUserNotFound, err)
    234. 

  234. }
    235. 

  235. 

  236. func TestManager_CreateToken_Only_Lower(t *testing.T) {
    237. 

  237. 	a := newTestManager(t, PermissionDenyAll)
    238. 

  238. 

  239. 	// Create user, add reservations and token
    240. 

  240. 	require.Nil(t, a.AddUser("user", "pass", RoleAdmin, false))
    241. 

  241. 	u, err := a.User("user")
    242. 

  242. 	require.Nil(t, err)
    243. 

  243. 

  244. 	token, err := a.CreateToken(u.ID, "", time.Now().Add(time.Hour), netip.IPv4Unspecified())
    245. 

  245. 	require.Nil(t, err)
    246. 

  246. 	require.Equal(t, token.Value, strings.ToLower(token.Value))
    247. 

  247. }
    248. 

  248. 

  249. func TestManager_UserManagement(t *testing.T) {
    250. 

  250. 	a := newTestManager(t, PermissionDenyAll)
    251. 

  251. 	require.Nil(t, a.AddUser("phil", "phil", RoleAdmin, false))
    252. 

  252. 	require.Nil(t, a.AddUser("ben", "ben", RoleUser, false))
    253. 

  253. 	require.Nil(t, a.AllowAccess("ben", "mytopic", PermissionReadWrite))
    254. 

  254. 	require.Nil(t, a.AllowAccess("ben", "readme", PermissionRead))
    255. 

  255. 	require.Nil(t, a.AllowAccess("ben", "writeme", PermissionWrite))
    256. 

  256. 	require.Nil(t, a.AllowAccess("ben", "everyonewrite", PermissionDenyAll)) // How unfair!
    257. 

  257. 	require.Nil(t, a.AllowAccess(Everyone, "announcements", PermissionRead))
    258. 

  258. 	require.Nil(t, a.AllowAccess(Everyone, "everyonewrite", PermissionReadWrite))
    259. 

  259. 

  260. 	// Query user details
    261. 

  261. 	phil, err := a.User("phil")
    262. 

  262. 	require.Nil(t, err)
    263. 

  263. 	require.Equal(t, "phil", phil.Name)
    264. 

  264. 	require.True(t, strings.HasPrefix(phil.Hash, "$2a$04$")) // Min cost for testing
    265. 

  265. 	require.Equal(t, RoleAdmin, phil.Role)
    266. 

  266. 

  267. 	philGrants, err := a.Grants("phil")
    268. 

  268. 	require.Nil(t, err)
    269. 

  269. 	require.Equal(t, []Grant{}, philGrants)
    270. 

  270. 

  271. 	ben, err := a.User("ben")
    272. 

  272. 	require.Nil(t, err)
    273. 

  273. 	require.Equal(t, "ben", ben.Name)
    274. 

  274. 	require.True(t, strings.HasPrefix(ben.Hash, "$2a$04$")) // Min cost for testing
    275. 

  275. 	require.Equal(t, RoleUser, ben.Role)
    276. 

  276. 

  277. 	benGrants, err := a.Grants("ben")
    278. 

  278. 	require.Nil(t, err)
    279. 

  279. 	require.Equal(t, []Grant{
    280. 

  280. 		{"everyonewrite", PermissionDenyAll},
    281. 

  281. 		{"mytopic", PermissionReadWrite},
    282. 

  282. 		{"writeme", PermissionWrite},
    283. 

  283. 		{"readme", PermissionRead},
    284. 

  284. 	}, benGrants)
    285. 

  285. 

  286. 	everyone, err := a.User(Everyone)
    287. 

  287. 	require.Nil(t, err)
    288. 

  288. 	require.Equal(t, "*", everyone.Name)
    289. 

  289. 	require.Equal(t, "", everyone.Hash)
    290. 

  290. 	require.Equal(t, RoleAnonymous, everyone.Role)
    291. 

  291. 

  292. 	everyoneGrants, err := a.Grants(Everyone)
    293. 

  293. 	require.Nil(t, err)
    294. 

  294. 	require.Equal(t, []Grant{
    295. 

  295. 		{"everyonewrite", PermissionReadWrite},
    296. 

  296. 		{"announcements", PermissionRead},
    297. 

  297. 	}, everyoneGrants)
    298. 

  298. 

  299. 	// Ben: Before revoking
    300. 

  300. 	require.Nil(t, a.AllowAccess("ben", "mytopic", PermissionReadWrite)) // Overwrite!
    301. 

  301. 	require.Nil(t, a.AllowAccess("ben", "readme", PermissionRead))
    302. 

  302. 	require.Nil(t, a.AllowAccess("ben", "writeme", PermissionWrite))
    303. 

  303. 	require.Nil(t, a.Authorize(ben, "mytopic", PermissionRead))
    304. 

  304. 	require.Nil(t, a.Authorize(ben, "mytopic", PermissionWrite))
    305. 

  305. 	require.Nil(t, a.Authorize(ben, "readme", PermissionRead))
    306. 

  306. 	require.Nil(t, a.Authorize(ben, "writeme", PermissionWrite))
    307. 

  307. 

  308. 	// Revoke access for "ben" to "mytopic", then check again
    309. 

  309. 	require.Nil(t, a.ResetAccess("ben", "mytopic"))
    310. 

  310. 	require.Equal(t, ErrUnauthorized, a.Authorize(ben, "mytopic", PermissionWrite)) // Revoked
    311. 

  311. 	require.Equal(t, ErrUnauthorized, a.Authorize(ben, "mytopic", PermissionRead))  // Revoked
    312. 

  312. 	require.Nil(t, a.Authorize(ben, "readme", PermissionRead))                      // Unchanged
    313. 

  313. 	require.Nil(t, a.Authorize(ben, "writeme", PermissionWrite))                    // Unchanged
    314. 

  314. 

  315. 	// Revoke rest of the access
    316. 

  316. 	require.Nil(t, a.ResetAccess("ben", ""))
    317. 

  317. 	require.Equal(t, ErrUnauthorized, a.Authorize(ben, "readme", PermissionRead))    // Revoked
    318. 

  318. 	require.Equal(t, ErrUnauthorized, a.Authorize(ben, "wrtiteme", PermissionWrite)) // Revoked
    319. 

  319. 

  320. 	// User list
    321. 

  321. 	users, err := a.Users()
    322. 

  322. 	require.Nil(t, err)
    323. 

  323. 	require.Equal(t, 3, len(users))
    324. 

  324. 	require.Equal(t, "phil", users[0].Name)
    325. 

  325. 	require.Equal(t, "ben", users[1].Name)
    326. 

  326. 	require.Equal(t, "*", users[2].Name)
    327. 

  327. 

  328. 	// Remove user
    329. 

  329. 	require.Nil(t, a.RemoveUser("ben"))
    330. 

  330. 	_, err = a.User("ben")
    331. 

  331. 	require.Equal(t, ErrUserNotFound, err)
    332. 

  332. 

  333. 	users, err = a.Users()
    334. 

  334. 	require.Nil(t, err)
    335. 

  335. 	require.Equal(t, 2, len(users))
    336. 

  336. 	require.Equal(t, "phil", users[0].Name)
    337. 

  337. 	require.Equal(t, "*", users[1].Name)
    338. 

  338. }
    339. 

  339. 

  340. func TestManager_ChangePassword(t *testing.T) {
    341. 

  341. 	a := newTestManager(t, PermissionDenyAll)
    342. 

  342. 	require.Nil(t, a.AddUser("phil", "phil", RoleAdmin, false))
    343. 

  343. 	require.Nil(t, a.AddUser("jane", "$2b$10$OyqU72muEy7VMd1SAU2Iru5IbeSMgrtCGHu/fWLmxL1MwlijQXWbG", RoleUser, true))
    344. 

  344. 

  345. 	_, err := a.Authenticate("phil", "phil")
    346. 

  346. 	require.Nil(t, err)
    347. 

  347. 

  348. 	_, err = a.Authenticate("jane", "jane")
    349. 

  349. 	require.Nil(t, err)
    350. 

  350. 

  351. 	require.Nil(t, a.ChangePassword("phil", "newpass", false))
    352. 

  352. 	_, err = a.Authenticate("phil", "phil")
    353. 

  353. 	require.Equal(t, ErrUnauthenticated, err)
    354. 

  354. 	_, err = a.Authenticate("phil", "newpass")
    355. 

  355. 	require.Nil(t, err)
    356. 

  356. 

  357. 	require.Nil(t, a.ChangePassword("jane", "$2b$10$CNaCW.q1R431urlbQ5Drh.zl48TiiOeJSmZgfcswkZiPbJGQ1ApSS", true))
    358. 

  358. 	_, err = a.Authenticate("jane", "jane")
    359. 

  359. 	require.Equal(t, ErrUnauthenticated, err)
    360. 

  360. 	_, err = a.Authenticate("jane", "newpass")
    361. 

  361. 	require.Nil(t, err)
    362. 

  362. }
    363. 

  363. 

  364. func TestManager_ChangeRole(t *testing.T) {
    365. 

  365. 	a := newTestManager(t, PermissionDenyAll)
    366. 

  366. 	require.Nil(t, a.AddUser("ben", "ben", RoleUser, false))
    367. 

  367. 	require.Nil(t, a.AllowAccess("ben", "mytopic", PermissionReadWrite))
    368. 

  368. 	require.Nil(t, a.AllowAccess("ben", "readme", PermissionRead))
    369. 

  369. 

  370. 	ben, err := a.User("ben")
    371. 

  371. 	require.Nil(t, err)
    372. 

  372. 	require.Equal(t, RoleUser, ben.Role)
    373. 

  373. 

  374. 	benGrants, err := a.Grants("ben")
    375. 

  375. 	require.Nil(t, err)
    376. 

  376. 	require.Equal(t, 2, len(benGrants))
    377. 

  377. 

  378. 	require.Nil(t, a.ChangeRole("ben", RoleAdmin))
    379. 

  379. 

  380. 	ben, err = a.User("ben")
    381. 

  381. 	require.Nil(t, err)
    382. 

  382. 	require.Equal(t, RoleAdmin, ben.Role)
    383. 

  383. 

  384. 	benGrants, err = a.Grants("ben")
    385. 

  385. 	require.Nil(t, err)
    386. 

  386. 	require.Equal(t, 0, len(benGrants))
    387. 

  387. }
    388. 

  388. 

  389. func TestManager_Reservations(t *testing.T) {
    390. 

  390. 	a := newTestManager(t, PermissionDenyAll)
    391. 

  391. 	require.Nil(t, a.AddUser("phil", "phil", RoleUser, false))
    392. 

  392. 	require.Nil(t, a.AddUser("ben", "ben", RoleUser, false))
    393. 

  393. 	require.Nil(t, a.AddReservation("ben", "ztopic_", PermissionDenyAll))
    394. 

  394. 	require.Nil(t, a.AddReservation("ben", "readme", PermissionRead))
    395. 

  395. 	require.Nil(t, a.AllowAccess("ben", "something-else", PermissionRead))
    396. 

  396. 

  397. 	reservations, err := a.Reservations("ben")
    398. 

  398. 	require.Nil(t, err)
    399. 

  399. 	require.Equal(t, 2, len(reservations))
    400. 

  400. 	require.Equal(t, Reservation{
    401. 

  401. 		Topic:    "readme",
    402. 

  402. 		Owner:    PermissionReadWrite,
    403. 

  403. 		Everyone: PermissionRead,
    404. 

  404. 	}, reservations[0])
    405. 

  405. 	require.Equal(t, Reservation{
    406. 

  406. 		Topic:    "ztopic_",
    407. 

  407. 		Owner:    PermissionReadWrite,
    408. 

  408. 		Everyone: PermissionDenyAll,
    409. 

  409. 	}, reservations[1])
    410. 

  410. 

  411. 	b, err := a.HasReservation("ben", "readme")
    412. 

  412. 	require.Nil(t, err)
    413. 

  413. 	require.True(t, b)
    414. 

  414. 

  415. 	b, err = a.HasReservation("ben", "ztopic_")
    416. 

  416. 	require.Nil(t, err)
    417. 

  417. 	require.True(t, b)
    418. 

  418. 

  419. 	b, err = a.HasReservation("ben", "ztopicX") // _ != X (used to be a SQL wildcard issue)
    420. 

  420. 	require.Nil(t, err)
    421. 

  421. 	require.False(t, b)
    422. 

  422. 

  423. 	b, err = a.HasReservation("notben", "readme")
    424. 

  424. 	require.Nil(t, err)
    425. 

  425. 	require.False(t, b)
    426. 

  426. 

  427. 	b, err = a.HasReservation("ben", "something-else")
    428. 

  428. 	require.Nil(t, err)
    429. 

  429. 	require.False(t, b)
    430. 

  430. 

  431. 	count, err := a.ReservationsCount("ben")
    432. 

  432. 	require.Nil(t, err)
    433. 

  433. 	require.Equal(t, int64(2), count)
    434. 

  434. 

  435. 	count, err = a.ReservationsCount("phil")
    436. 

  436. 	require.Nil(t, err)
    437. 

  437. 	require.Equal(t, int64(0), count)
    438. 

  438. 

  439. 	err = a.AllowReservation("phil", "readme")
    440. 

  440. 	require.Equal(t, errTopicOwnedByOthers, err)
    441. 

  441. 

  442. 	err = a.AllowReservation("phil", "ztopic_")
    443. 

  443. 	require.Equal(t, errTopicOwnedByOthers, err)
    444. 

  444. 

  445. 	err = a.AllowReservation("phil", "ztopicX")
    446. 

  446. 	require.Nil(t, err)
    447. 

  447. 

  448. 	err = a.AllowReservation("phil", "not-reserved")
    449. 

  449. 	require.Nil(t, err)
    450. 

  450. 

  451. 	// Now remove them again
    452. 

  452. 	require.Nil(t, a.RemoveReservations("ben", "ztopic_", "readme"))
    453. 

  453. 

  454. 	count, err = a.ReservationsCount("ben")
    455. 

  455. 	require.Nil(t, err)
    456. 

  456. 	require.Equal(t, int64(0), count)
    457. 

  457. }
    458. 

  458. 

  459. func TestManager_ChangeRoleFromTierUserToAdmin(t *testing.T) {
    460. 

  460. 	a := newTestManager(t, PermissionDenyAll)
    461. 

  461. 	require.Nil(t, a.AddTier(&Tier{
    462. 

  462. 		Code:                     "pro",
    463. 

  463. 		Name:                     "ntfy Pro",
    464. 

  464. 		StripeMonthlyPriceID:     "price123",
    465. 

  465. 		MessageLimit:             5_000,
    466. 

  466. 		MessageExpiryDuration:    3 * 24 * time.Hour,
    467. 

  467. 		EmailLimit:               50,
    468. 

  468. 		ReservationLimit:         5,
    469. 

  469. 		AttachmentFileSizeLimit:  52428800,
    470. 

  470. 		AttachmentTotalSizeLimit: 524288000,
    471. 

  471. 		AttachmentExpiryDuration: 24 * time.Hour,
    472. 

  472. 	}))
    473. 

  473. 	require.Nil(t, a.AddUser("ben", "ben", RoleUser, false))
    474. 

  474. 	require.Nil(t, a.ChangeTier("ben", "pro"))
    475. 

  475. 	require.Nil(t, a.AddReservation("ben", "mytopic", PermissionDenyAll))
    476. 

  476. 

  477. 	ben, err := a.User("ben")
    478. 

  478. 	require.Nil(t, err)
    479. 

  479. 	require.Equal(t, RoleUser, ben.Role)
    480. 

  480. 	require.Equal(t, "pro", ben.Tier.Code)
    481. 

  481. 	require.Equal(t, int64(5000), ben.Tier.MessageLimit)
    482. 

  482. 	require.Equal(t, 3*24*time.Hour, ben.Tier.MessageExpiryDuration)
    483. 

  483. 	require.Equal(t, int64(50), ben.Tier.EmailLimit)
    484. 

  484. 	require.Equal(t, int64(5), ben.Tier.ReservationLimit)
    485. 

  485. 	require.Equal(t, int64(52428800), ben.Tier.AttachmentFileSizeLimit)
    486. 

  486. 	require.Equal(t, int64(524288000), ben.Tier.AttachmentTotalSizeLimit)
    487. 

  487. 	require.Equal(t, 24*time.Hour, ben.Tier.AttachmentExpiryDuration)
    488. 

  488. 

  489. 	benGrants, err := a.Grants("ben")
    490. 

  490. 	require.Nil(t, err)
    491. 

  491. 	require.Equal(t, 1, len(benGrants))
    492. 

  492. 	require.Equal(t, PermissionReadWrite, benGrants[0].Allow)
    493. 

  493. 

  494. 	everyoneGrants, err := a.Grants(Everyone)
    495. 

  495. 	require.Nil(t, err)
    496. 

  496. 	require.Equal(t, 1, len(everyoneGrants))
    497. 

  497. 	require.Equal(t, PermissionDenyAll, everyoneGrants[0].Allow)
    498. 

  498. 

  499. 	benReservations, err := a.Reservations("ben")
    500. 

  500. 	require.Nil(t, err)
    501. 

  501. 	require.Equal(t, 1, len(benReservations))
    502. 

  502. 	require.Equal(t, "mytopic", benReservations[0].Topic)
    503. 

  503. 	require.Equal(t, PermissionReadWrite, benReservations[0].Owner)
    504. 

  504. 	require.Equal(t, PermissionDenyAll, benReservations[0].Everyone)
    505. 

  505. 

  506. 	// Switch to admin, this should remove all grants and owned ACL entries
    507. 

  507. 	require.Nil(t, a.ChangeRole("ben", RoleAdmin))
    508. 

  508. 

  509. 	benGrants, err = a.Grants("ben")
    510. 

  510. 	require.Nil(t, err)
    511. 

  511. 	require.Equal(t, 0, len(benGrants))
    512. 

  512. 

  513. 	everyoneGrants, err = a.Grants(Everyone)
    514. 

  514. 	require.Nil(t, err)
    515. 

  515. 	require.Equal(t, 0, len(everyoneGrants))
    516. 

  516. }
    517. 

  517. 

  518. func TestManager_Token_Valid(t *testing.T) {
    519. 

  519. 	a := newTestManager(t, PermissionDenyAll)
    520. 

  520. 	require.Nil(t, a.AddUser("ben", "ben", RoleUser, false))
    521. 

  521. 

  522. 	u, err := a.User("ben")
    523. 

  523. 	require.Nil(t, err)
    524. 

  524. 

  525. 	// Create token for user
    526. 

  526. 	token, err := a.CreateToken(u.ID, "some label", time.Now().Add(72*time.Hour), netip.IPv4Unspecified())
    527. 

  527. 	require.Nil(t, err)
    528. 

  528. 	require.NotEmpty(t, token.Value)
    529. 

  529. 	require.Equal(t, "some label", token.Label)
    530. 

  530. 	require.True(t, time.Now().Add(71*time.Hour).Unix() < token.Expires.Unix())
    531. 

  531. 

  532. 	u2, err := a.AuthenticateToken(token.Value)
    533. 

  533. 	require.Nil(t, err)
    534. 

  534. 	require.Equal(t, u.Name, u2.Name)
    535. 

  535. 	require.Equal(t, token.Value, u2.Token)
    536. 

  536. 

  537. 	token2, err := a.Token(u.ID, token.Value)
    538. 

  538. 	require.Nil(t, err)
    539. 

  539. 	require.Equal(t, token.Value, token2.Value)
    540. 

  540. 	require.Equal(t, "some label", token2.Label)
    541. 

  541. 

  542. 	tokens, err := a.Tokens(u.ID)
    543. 

  543. 	require.Nil(t, err)
    544. 

  544. 	require.Equal(t, 1, len(tokens))
    545. 

  545. 	require.Equal(t, "some label", tokens[0].Label)
    546. 

  546. 

  547. 	tokens, err = a.Tokens("u_notauser")
    548. 

  548. 	require.Nil(t, err)
    549. 

  549. 	require.Equal(t, 0, len(tokens))
    550. 

  550. 

  551. 	// Remove token and auth again
    552. 

  552. 	require.Nil(t, a.RemoveToken(u2.ID, u2.Token))
    553. 

  553. 	u3, err := a.AuthenticateToken(token.Value)
    554. 

  554. 	require.Equal(t, ErrUnauthenticated, err)
    555. 

  555. 	require.Nil(t, u3)
    556. 

  556. 

  557. 	tokens, err = a.Tokens(u.ID)
    558. 

  558. 	require.Nil(t, err)
    559. 

  559. 	require.Equal(t, 0, len(tokens))
    560. 

  560. }
    561. 

  561. 

  562. func TestManager_Token_Invalid(t *testing.T) {
    563. 

  563. 	a := newTestManager(t, PermissionDenyAll)
    564. 

  564. 	require.Nil(t, a.AddUser("ben", "ben", RoleUser, false))
    565. 

  565. 

  566. 	u, err := a.AuthenticateToken(strings.Repeat("x", 32)) // 32 == token length
    567. 

  567. 	require.Nil(t, u)
    568. 

  568. 	require.Equal(t, ErrUnauthenticated, err)
    569. 

  569. 

  570. 	u, err = a.AuthenticateToken("not long enough anyway")
    571. 

  571. 	require.Nil(t, u)
    572. 

  572. 	require.Equal(t, ErrUnauthenticated, err)
    573. 

  573. }
    574. 

  574. 

  575. func TestManager_Token_NotFound(t *testing.T) {
    576. 

  576. 	a := newTestManager(t, PermissionDenyAll)
    577. 

  577. 	_, err := a.Token("u_bla", "notfound")
    578. 

  578. 	require.Equal(t, ErrTokenNotFound, err)
    579. 

  579. }
    580. 

  580. 

  581. func TestManager_Token_Expire(t *testing.T) {
    582. 

  582. 	a := newTestManager(t, PermissionDenyAll)
    583. 

  583. 	require.Nil(t, a.AddUser("ben", "ben", RoleUser, false))
    584. 

  584. 

  585. 	u, err := a.User("ben")
    586. 

  586. 	require.Nil(t, err)
    587. 

  587. 

  588. 	// Create tokens for user
    589. 

  589. 	token1, err := a.CreateToken(u.ID, "", time.Now().Add(72*time.Hour), netip.IPv4Unspecified())
    590. 

  590. 	require.Nil(t, err)
    591. 

  591. 	require.NotEmpty(t, token1.Value)
    592. 

  592. 	require.True(t, time.Now().Add(71*time.Hour).Unix() < token1.Expires.Unix())
    593. 

  593. 

  594. 	token2, err := a.CreateToken(u.ID, "", time.Now().Add(72*time.Hour), netip.IPv4Unspecified())
    595. 

  595. 	require.Nil(t, err)
    596. 

  596. 	require.NotEmpty(t, token2.Value)
    597. 

  597. 	require.NotEqual(t, token1.Value, token2.Value)
    598. 

  598. 	require.True(t, time.Now().Add(71*time.Hour).Unix() < token2.Expires.Unix())
    599. 

  599. 

  600. 	// See that tokens work
    601. 

  601. 	_, err = a.AuthenticateToken(token1.Value)
    602. 

  602. 	require.Nil(t, err)
    603. 

  603. 

  604. 	_, err = a.AuthenticateToken(token2.Value)
    605. 

  605. 	require.Nil(t, err)
    606. 

  606. 

  607. 	// Modify token expiration in database
    608. 

  608. 	_, err = a.db.Exec("UPDATE user_token SET expires = 1 WHERE token = ?", token1.Value)
    609. 

  609. 	require.Nil(t, err)
    610. 

  610. 

  611. 	// Now token1 shouldn't work anymore
    612. 

  612. 	_, err = a.AuthenticateToken(token1.Value)
    613. 

  613. 	require.Equal(t, ErrUnauthenticated, err)
    614. 

  614. 

  615. 	result, err := a.db.Query("SELECT * from user_token WHERE token = ?", token1.Value)
    616. 

  616. 	require.Nil(t, err)
    617. 

  617. 	require.True(t, result.Next()) // Still a matching row
    618. 

  618. 	require.Nil(t, result.Close())
    619. 

  619. 

  620. 	// Expire tokens and check database rows
    621. 

  621. 	require.Nil(t, a.RemoveExpiredTokens())
    622. 

  622. 

  623. 	result, err = a.db.Query("SELECT * from user_token WHERE token = ?", token1.Value)
    624. 

  624. 	require.Nil(t, err)
    625. 

  625. 	require.False(t, result.Next()) // No matching row!
    626. 

  626. 	require.Nil(t, result.Close())
    627. 

  627. }
    628. 

  628. 

  629. func TestManager_Token_Extend(t *testing.T) {
    630. 

  630. 	a := newTestManager(t, PermissionDenyAll)
    631. 

  631. 	require.Nil(t, a.AddUser("ben", "ben", RoleUser, false))
    632. 

  632. 

  633. 	// Try to extend token for user without token
    634. 

  634. 	u, err := a.User("ben")
    635. 

  635. 	require.Nil(t, err)
    636. 

  636. 

  637. 	_, err = a.ChangeToken(u.ID, u.Token, util.String("some label"), util.Time(time.Now().Add(time.Hour)))
    638. 

  638. 	require.Equal(t, errNoTokenProvided, err)
    639. 

  639. 

  640. 	// Create token for user
    641. 

  641. 	token, err := a.CreateToken(u.ID, "", time.Now().Add(72*time.Hour), netip.IPv4Unspecified())
    642. 

  642. 	require.Nil(t, err)
    643. 

  643. 	require.NotEmpty(t, token.Value)
    644. 

  644. 

  645. 	userWithToken, err := a.AuthenticateToken(token.Value)
    646. 

  646. 	require.Nil(t, err)
    647. 

  647. 

  648. 	extendedToken, err := a.ChangeToken(userWithToken.ID, userWithToken.Token, util.String("changed label"), util.Time(time.Now().Add(100*time.Hour)))
    649. 

  649. 	require.Nil(t, err)
    650. 

  650. 	require.Equal(t, token.Value, extendedToken.Value)
    651. 

  651. 	require.Equal(t, "changed label", extendedToken.Label)
    652. 

  652. 	require.True(t, token.Expires.Unix() < extendedToken.Expires.Unix())
    653. 

  653. 	require.True(t, time.Now().Add(99*time.Hour).Unix() < extendedToken.Expires.Unix())
    654. 

  654. }
    655. 

  655. 

  656. func TestManager_Token_MaxCount_AutoDelete(t *testing.T) {
    657. 

  657. 	// Tests that tokens are automatically deleted when the maximum number of tokens is reached
    658. 

  658. 

  659. 	a := newTestManager(t, PermissionDenyAll)
    660. 

  660. 	require.Nil(t, a.AddUser("ben", "ben", RoleUser, false))
    661. 

  661. 	require.Nil(t, a.AddUser("phil", "phil", RoleUser, false))
    662. 

  662. 

  663. 	ben, err := a.User("ben")
    664. 

  664. 	require.Nil(t, err)
    665. 

  665. 

  666. 	phil, err := a.User("phil")
    667. 

  667. 	require.Nil(t, err)
    668. 

  668. 

  669. 	// Create 2 tokens for phil
    670. 

  670. 	philTokens := make([]string, 0)
    671. 

  671. 	token, err := a.CreateToken(phil.ID, "", time.Now().Add(72*time.Hour), netip.IPv4Unspecified())
    672. 

  672. 	require.Nil(t, err)
    673. 

  673. 	require.NotEmpty(t, token.Value)
    674. 

  674. 	philTokens = append(philTokens, token.Value)
    675. 

  675. 

  676. 	token, err = a.CreateToken(phil.ID, "", time.Unix(0, 0), netip.IPv4Unspecified())
    677. 

  677. 	require.Nil(t, err)
    678. 

  678. 	require.NotEmpty(t, token.Value)
    679. 

  679. 	philTokens = append(philTokens, token.Value)
    680. 

  680. 

  681. 	// Create 62 tokens for ben (only 60 allowed!)
    682. 

  682. 	baseTime := time.Now().Add(24 * time.Hour)
    683. 

  683. 	benTokens := make([]string, 0)
    684. 

  684. 	for i := 0; i < 62; i++ { //
    685. 

  685. 		token, err := a.CreateToken(ben.ID, "", time.Now().Add(72*time.Hour), netip.IPv4Unspecified())
    686. 

  686. 		require.Nil(t, err)
    687. 

  687. 		require.NotEmpty(t, token.Value)
    688. 

  688. 		benTokens = append(benTokens, token.Value)
    689. 

  689. 

  690. 		// Manually modify expiry date to avoid sorting issues (this is a hack)
    691. 

  691. 		_, err = a.db.Exec(`UPDATE user_token SET expires=? WHERE token=?`, baseTime.Add(time.Duration(i)*time.Minute).Unix(), token.Value)
    692. 

  692. 		require.Nil(t, err)
    693. 

  693. 	}
    694. 

  694. 

  695. 	// Ben: The first 2 tokens should have been wiped and should not work anymore!
    696. 

  696. 	_, err = a.AuthenticateToken(benTokens[0])
    697. 

  697. 	require.Equal(t, ErrUnauthenticated, err)
    698. 

  698. 

  699. 	_, err = a.AuthenticateToken(benTokens[1])
    700. 

  700. 	require.Equal(t, ErrUnauthenticated, err)
    701. 

  701. 

  702. 	// Ben: The other tokens should still work
    703. 

  703. 	for i := 2; i < 62; i++ {
    704. 

  704. 		userWithToken, err := a.AuthenticateToken(benTokens[i])
    705. 

  705. 		require.Nil(t, err, "token[%d]=%s failed", i, benTokens[i])
    706. 

  706. 		require.Equal(t, "ben", userWithToken.Name)
    707. 

  707. 		require.Equal(t, benTokens[i], userWithToken.Token)
    708. 

  708. 	}
    709. 

  709. 

  710. 	// Phil: All tokens should still work
    711. 

  711. 	for i := 0; i < 2; i++ {
    712. 

  712. 		userWithToken, err := a.AuthenticateToken(philTokens[i])
    713. 

  713. 		require.Nil(t, err, "token[%d]=%s failed", i, philTokens[i])
    714. 

  714. 		require.Equal(t, "phil", userWithToken.Name)
    715. 

  715. 		require.Equal(t, philTokens[i], userWithToken.Token)
    716. 

  716. 	}
    717. 

  717. 

  718. 	var benCount int
    719. 

  719. 	rows, err := a.db.Query(`SELECT COUNT(*) FROM user_token WHERE user_id=?`, ben.ID)
    720. 

  720. 	require.Nil(t, err)
    721. 

  721. 	require.True(t, rows.Next())
    722. 

  722. 	require.Nil(t, rows.Scan(&benCount))
    723. 

  723. 	require.Equal(t, 60, benCount)
    724. 

  724. 

  725. 	var philCount int
    726. 

  726. 	rows, err = a.db.Query(`SELECT COUNT(*) FROM user_token WHERE user_id=?`, phil.ID)
    727. 

  727. 	require.Nil(t, err)
    728. 

  728. 	require.True(t, rows.Next())
    729. 

  729. 	require.Nil(t, rows.Scan(&philCount))
    730. 

  730. 	require.Equal(t, 2, philCount)
    731. 

  731. }
    732. 

  732. 

  733. func TestManager_EnqueueStats_ResetStats(t *testing.T) {
    734. 

  734. 	a, err := NewManager(filepath.Join(t.TempDir(), "db"), "", PermissionReadWrite, bcrypt.MinCost, 1500*time.Millisecond)
    735. 

  735. 	require.Nil(t, err)
    736. 

  736. 	require.Nil(t, a.AddUser("ben", "ben", RoleUser, false))
    737. 

  737. 

  738. 	// Baseline: No messages or emails
    739. 

  739. 	u, err := a.User("ben")
    740. 

  740. 	require.Nil(t, err)
    741. 

  741. 	require.Equal(t, int64(0), u.Stats.Messages)
    742. 

  742. 	require.Equal(t, int64(0), u.Stats.Emails)
    743. 

  743. 	a.EnqueueUserStats(u.ID, &Stats{
    744. 

  744. 		Messages: 11,
    745. 

  745. 		Emails:   2,
    746. 

  746. 	})
    747. 

  747. 

  748. 	// Still no change, because it's queued asynchronously
    749. 

  749. 	u, err = a.User("ben")
    750. 

  750. 	require.Nil(t, err)
    751. 

  751. 	require.Equal(t, int64(0), u.Stats.Messages)
    752. 

  752. 	require.Equal(t, int64(0), u.Stats.Emails)
    753. 

  753. 

  754. 	// After 2 seconds they should be persisted
    755. 

  755. 	time.Sleep(2 * time.Second)
    756. 

  756. 

  757. 	u, err = a.User("ben")
    758. 

  758. 	require.Nil(t, err)
    759. 

  759. 	require.Equal(t, int64(11), u.Stats.Messages)
    760. 

  760. 	require.Equal(t, int64(2), u.Stats.Emails)
    761. 

  761. 

  762. 	// Now reset stats (enqueued stats will be thrown out)
    763. 

  763. 	a.EnqueueUserStats(u.ID, &Stats{
    764. 

  764. 		Messages: 99,
    765. 

  765. 		Emails:   23,
    766. 

  766. 	})
    767. 

  767. 	require.Nil(t, a.ResetStats())
    768. 

  768. 

  769. 	u, err = a.User("ben")
    770. 

  770. 	require.Nil(t, err)
    771. 

  771. 	require.Equal(t, int64(0), u.Stats.Messages)
    772. 

  772. 	require.Equal(t, int64(0), u.Stats.Emails)
    773. 

  773. }
    774. 

  774. 

  775. func TestManager_EnqueueTokenUpdate(t *testing.T) {
    776. 

  776. 	a, err := NewManager(filepath.Join(t.TempDir(), "db"), "", PermissionReadWrite, bcrypt.MinCost, 500*time.Millisecond)
    777. 

  777. 	require.Nil(t, err)
    778. 

  778. 	require.Nil(t, a.AddUser("ben", "ben", RoleUser, false))
    779. 

  779. 

  780. 	// Create user and token
    781. 

  781. 	u, err := a.User("ben")
    782. 

  782. 	require.Nil(t, err)
    783. 

  783. 

  784. 	token, err := a.CreateToken(u.ID, "", time.Now().Add(time.Hour), netip.IPv4Unspecified())
    785. 

  785. 	require.Nil(t, err)
    786. 

  786. 

  787. 	// Queue token update
    788. 

  788. 	a.EnqueueTokenUpdate(token.Value, &TokenUpdate{
    789. 

  789. 		LastAccess: time.Unix(111, 0).UTC(),
    790. 

  790. 		LastOrigin: netip.MustParseAddr("1.2.3.3"),
    791. 

  791. 	})
    792. 

  792. 

  793. 	// Token has not changed yet.
    794. 

  794. 	token2, err := a.Token(u.ID, token.Value)
    795. 

  795. 	require.Nil(t, err)
    796. 

  796. 	require.Equal(t, token.LastAccess.Unix(), token2.LastAccess.Unix())
    797. 

  797. 	require.Equal(t, token.LastOrigin, token2.LastOrigin)
    798. 

  798. 

  799. 	// After a second or so they should be persisted
    800. 

  800. 	time.Sleep(time.Second)
    801. 

  801. 

  802. 	token3, err := a.Token(u.ID, token.Value)
    803. 

  803. 	require.Nil(t, err)
    804. 

  804. 	require.Equal(t, time.Unix(111, 0).UTC().Unix(), token3.LastAccess.Unix())
    805. 

  805. 	require.Equal(t, netip.MustParseAddr("1.2.3.3"), token3.LastOrigin)
    806. 

  806. }
    807. 

  807. 

  808. func TestManager_ChangeSettings(t *testing.T) {
    809. 

  809. 	a, err := NewManager(filepath.Join(t.TempDir(), "db"), "", PermissionReadWrite, bcrypt.MinCost, 1500*time.Millisecond)
    810. 

  810. 	require.Nil(t, err)
    811. 

  811. 	require.Nil(t, a.AddUser("ben", "ben", RoleUser, false))
    812. 

  812. 

  813. 	// No settings
    814. 

  814. 	u, err := a.User("ben")
    815. 

  815. 	require.Nil(t, err)
    816. 

  816. 	require.Nil(t, u.Prefs.Subscriptions)
    817. 

  817. 	require.Nil(t, u.Prefs.Notification)
    818. 

  818. 	require.Nil(t, u.Prefs.Language)
    819. 

  819. 

  820. 	// Save with new settings
    821. 

  821. 	prefs := &Prefs{
    822. 

  822. 		Language: util.String("de"),
    823. 

  823. 		Notification: &NotificationPrefs{
    824. 

  824. 			Sound:       util.String("ding"),
    825. 

  825. 			MinPriority: util.Int(2),
    826. 

  826. 		},
    827. 

  827. 		Subscriptions: []*Subscription{
    828. 

  828. 			{
    829. 

  829. 				BaseURL:     "https://ntfy.sh",
    830. 

  830. 				Topic:       "mytopic",
    831. 

  831. 				DisplayName: util.String("My Topic"),
    832. 

  832. 			},
    833. 

  833. 		},
    834. 

  834. 	}
    835. 

  835. 	require.Nil(t, a.ChangeSettings(u.ID, prefs))
    836. 

  836. 

  837. 	// Read again
    838. 

  838. 	u, err = a.User("ben")
    839. 

  839. 	require.Nil(t, err)
    840. 

  840. 	require.Equal(t, util.String("de"), u.Prefs.Language)
    841. 

  841. 	require.Equal(t, util.String("ding"), u.Prefs.Notification.Sound)
    842. 

  842. 	require.Equal(t, util.Int(2), u.Prefs.Notification.MinPriority)
    843. 

  843. 	require.Nil(t, u.Prefs.Notification.DeleteAfter)
    844. 

  844. 	require.Equal(t, "https://ntfy.sh", u.Prefs.Subscriptions[0].BaseURL)
    845. 

  845. 	require.Equal(t, "mytopic", u.Prefs.Subscriptions[0].Topic)
    846. 

  846. 	require.Equal(t, util.String("My Topic"), u.Prefs.Subscriptions[0].DisplayName)
    847. 

  847. }
    848. 

  848. 

  849. func TestManager_Tier_Create_Update_List_Delete(t *testing.T) {
    850. 

  850. 	a := newTestManager(t, PermissionDenyAll)
    851. 

  851. 

  852. 	// Create tier and user
    853. 

  853. 	require.Nil(t, a.AddTier(&Tier{
    854. 

  854. 		Code:                     "supporter",
    855. 

  855. 		Name:                     "Supporter",
    856. 

  856. 		MessageLimit:             1,
    857. 

  857. 		MessageExpiryDuration:    time.Second,
    858. 

  858. 		EmailLimit:               1,
    859. 

  859. 		ReservationLimit:         1,
    860. 

  860. 		AttachmentFileSizeLimit:  1,
    861. 

  861. 		AttachmentTotalSizeLimit: 1,
    862. 

  862. 		AttachmentExpiryDuration: time.Second,
    863. 

  863. 		AttachmentBandwidthLimit: 1,
    864. 

  864. 		StripeMonthlyPriceID:     "price_1",
    865. 

  865. 	}))
    866. 

  866. 	require.Nil(t, a.AddTier(&Tier{
    867. 

  867. 		Code:                     "pro",
    868. 

  868. 		Name:                     "Pro",
    869. 

  869. 		MessageLimit:             123,
    870. 

  870. 		MessageExpiryDuration:    86400 * time.Second,
    871. 

  871. 		EmailLimit:               32,
    872. 

  872. 		ReservationLimit:         2,
    873. 

  873. 		AttachmentFileSizeLimit:  1231231,
    874. 

  874. 		AttachmentTotalSizeLimit: 123123,
    875. 

  875. 		AttachmentExpiryDuration: 10800 * time.Second,
    876. 

  876. 		AttachmentBandwidthLimit: 21474836480,
    877. 

  877. 		StripeMonthlyPriceID:     "price_2",
    878. 

  878. 	}))
    879. 

  879. 	require.Nil(t, a.AddUser("phil", "phil", RoleUser, false))
    880. 

  880. 	require.Nil(t, a.ChangeTier("phil", "pro"))
    881. 

  881. 

  882. 	ti, err := a.Tier("pro")
    883. 

  883. 	require.Nil(t, err)
    884. 

  884. 

  885. 	u, err := a.User("phil")
    886. 

  886. 	require.Nil(t, err)
    887. 

  887. 

  888. 	// These are populated by different SQL queries
    889. 

  889. 	require.Equal(t, ti, u.Tier)
    890. 

  890. 

  891. 	// Fields
    892. 

  892. 	require.True(t, strings.HasPrefix(ti.ID, "ti_"))
    893. 

  893. 	require.Equal(t, "pro", ti.Code)
    894. 

  894. 	require.Equal(t, "Pro", ti.Name)
    895. 

  895. 	require.Equal(t, int64(123), ti.MessageLimit)
    896. 

  896. 	require.Equal(t, 86400*time.Second, ti.MessageExpiryDuration)
    897. 

  897. 	require.Equal(t, int64(32), ti.EmailLimit)
    898. 

  898. 	require.Equal(t, int64(2), ti.ReservationLimit)
    899. 

  899. 	require.Equal(t, int64(1231231), ti.AttachmentFileSizeLimit)
    900. 

  900. 	require.Equal(t, int64(123123), ti.AttachmentTotalSizeLimit)
    901. 

  901. 	require.Equal(t, 10800*time.Second, ti.AttachmentExpiryDuration)
    902. 

  902. 	require.Equal(t, int64(21474836480), ti.AttachmentBandwidthLimit)
    903. 

  903. 	require.Equal(t, "price_2", ti.StripeMonthlyPriceID)
    904. 

  904. 

  905. 	// Update tier
    906. 

  906. 	ti.EmailLimit = 999999
    907. 

  907. 	require.Nil(t, a.UpdateTier(ti))
    908. 

  908. 

  909. 	// List tiers
    910. 

  910. 	tiers, err := a.Tiers()
    911. 

  911. 	require.Nil(t, err)
    912. 

  912. 	require.Equal(t, 2, len(tiers))
    913. 

  913. 

  914. 	ti = tiers[0]
    915. 

  915. 	require.Equal(t, "supporter", ti.Code)
    916. 

  916. 	require.Equal(t, "Supporter", ti.Name)
    917. 

  917. 	require.Equal(t, int64(1), ti.MessageLimit)
    918. 

  918. 	require.Equal(t, time.Second, ti.MessageExpiryDuration)
    919. 

  919. 	require.Equal(t, int64(1), ti.EmailLimit)
    920. 

  920. 	require.Equal(t, int64(1), ti.ReservationLimit)
    921. 

  921. 	require.Equal(t, int64(1), ti.AttachmentFileSizeLimit)
    922. 

  922. 	require.Equal(t, int64(1), ti.AttachmentTotalSizeLimit)
    923. 

  923. 	require.Equal(t, time.Second, ti.AttachmentExpiryDuration)
    924. 

  924. 	require.Equal(t, int64(1), ti.AttachmentBandwidthLimit)
    925. 

  925. 	require.Equal(t, "price_1", ti.StripeMonthlyPriceID)
    926. 

  926. 

  927. 	ti = tiers[1]
    928. 

  928. 	require.Equal(t, "pro", ti.Code)
    929. 

  929. 	require.Equal(t, "Pro", ti.Name)
    930. 

  930. 	require.Equal(t, int64(123), ti.MessageLimit)
    931. 

  931. 	require.Equal(t, 86400*time.Second, ti.MessageExpiryDuration)
    932. 

  932. 	require.Equal(t, int64(999999), ti.EmailLimit) // Updatedd!
    933. 

  933. 	require.Equal(t, int64(2), ti.ReservationLimit)
    934. 

  934. 	require.Equal(t, int64(1231231), ti.AttachmentFileSizeLimit)
    935. 

  935. 	require.Equal(t, int64(123123), ti.AttachmentTotalSizeLimit)
    936. 

  936. 	require.Equal(t, 10800*time.Second, ti.AttachmentExpiryDuration)
    937. 

  937. 	require.Equal(t, int64(21474836480), ti.AttachmentBandwidthLimit)
    938. 

  938. 	require.Equal(t, "price_2", ti.StripeMonthlyPriceID)
    939. 

  939. 

  940. 	ti, err = a.TierByStripePrice("price_1")
    941. 

  941. 	require.Nil(t, err)
    942. 

  942. 	require.Equal(t, "supporter", ti.Code)
    943. 

  943. 	require.Equal(t, "Supporter", ti.Name)
    944. 

  944. 	require.Equal(t, int64(1), ti.MessageLimit)
    945. 

  945. 	require.Equal(t, time.Second, ti.MessageExpiryDuration)
    946. 

  946. 	require.Equal(t, int64(1), ti.EmailLimit)
    947. 

  947. 	require.Equal(t, int64(1), ti.ReservationLimit)
    948. 

  948. 	require.Equal(t, int64(1), ti.AttachmentFileSizeLimit)
    949. 

  949. 	require.Equal(t, int64(1), ti.AttachmentTotalSizeLimit)
    950. 

  950. 	require.Equal(t, time.Second, ti.AttachmentExpiryDuration)
    951. 

  951. 	require.Equal(t, int64(1), ti.AttachmentBandwidthLimit)
    952. 

  952. 	require.Equal(t, "price_1", ti.StripeMonthlyPriceID)
    953. 

  953. 

  954. 	// Cannot remove tier, since user has this tier
    955. 

  955. 	require.Error(t, a.RemoveTier("pro"))
    956. 

  956. 

  957. 	// CAN remove this tier
    958. 

  958. 	require.Nil(t, a.RemoveTier("supporter"))
    959. 

  959. 

  960. 	tiers, err = a.Tiers()
    961. 

  961. 	require.Nil(t, err)
    962. 

  962. 	require.Equal(t, 1, len(tiers))
    963. 

  963. 	require.Equal(t, "pro", tiers[0].Code)
    964. 

  964. 	require.Equal(t, "pro", tiers[0].Code)
    965. 

  965. }
    966. 

  966. 

  967. func TestAccount_Tier_Create_With_ID(t *testing.T) {
    968. 

  968. 	a := newTestManager(t, PermissionDenyAll)
    969. 

  969. 

  970. 	require.Nil(t, a.AddTier(&Tier{
    971. 

  971. 		ID:   "ti_123",
    972. 

  972. 		Code: "pro",
    973. 

  973. 	}))
    974. 

  974. 

  975. 	ti, err := a.Tier("pro")
    976. 

  976. 	require.Nil(t, err)
    977. 

  977. 	require.Equal(t, "ti_123", ti.ID)
    978. 

  978. }
    979. 

  979. 

  980. func TestManager_Tier_Change_And_Reset(t *testing.T) {
    981. 

  981. 	a := newTestManager(t, PermissionDenyAll)
    982. 

  982. 

  983. 	// Create tier and user
    984. 

  984. 	require.Nil(t, a.AddTier(&Tier{
    985. 

  985. 		Code:             "supporter",
    986. 

  986. 		Name:             "Supporter",
    987. 

  987. 		ReservationLimit: 3,
    988. 

  988. 	}))
    989. 

  989. 	require.Nil(t, a.AddTier(&Tier{
    990. 

  990. 		Code:             "pro",
    991. 

  991. 		Name:             "Pro",
    992. 

  992. 		ReservationLimit: 4,
    993. 

  993. 	}))
    994. 

  994. 	require.Nil(t, a.AddUser("phil", "phil", RoleUser, false))
    995. 

  995. 	require.Nil(t, a.ChangeTier("phil", "pro"))
    996. 

  996. 

  997. 	// Add 10 reservations (pro tier allows that)
    998. 

  998. 	for i := 0; i < 4; i++ {
    999. 

  999. 		require.Nil(t, a.AddReservation("phil", fmt.Sprintf("topic%d", i), PermissionWrite))
    1000. 

  1000. 	}
    1001. 

  1001. 

  1002. 	// Downgrading will not work (too many reservations)
    1003. 

  1003. 	require.Equal(t, ErrTooManyReservations, a.ChangeTier("phil", "supporter"))
    1004. 

  1004. 

  1005. 	// Downgrade after removing a reservation
    1006. 

  1006. 	require.Nil(t, a.RemoveReservations("phil", "topic0"))
    1007. 

  1007. 	require.Nil(t, a.ChangeTier("phil", "supporter"))
    1008. 

  1008. 

  1009. 	// Resetting will not work (too many reservations)
    1010. 

  1010. 	require.Equal(t, ErrTooManyReservations, a.ResetTier("phil"))
    1011. 

  1011. 

  1012. 	// Resetting after removing all reservations
    1013. 

  1013. 	require.Nil(t, a.RemoveReservations("phil", "topic1", "topic2", "topic3"))
    1014. 

  1014. 	require.Nil(t, a.ResetTier("phil"))
    1015. 

  1015. }
    1016. 

  1016. 

  1017. func TestUser_PhoneNumberAddListRemove(t *testing.T) {
    1018. 

  1018. 	a := newTestManager(t, PermissionDenyAll)
    1019. 

  1019. 

  1020. 	require.Nil(t, a.AddUser("phil", "phil", RoleUser, false))
    1021. 

  1021. 	phil, err := a.User("phil")
    1022. 

  1022. 	require.Nil(t, err)
    1023. 

  1023. 	require.Nil(t, a.AddPhoneNumber(phil.ID, "+1234567890"))
    1024. 

  1024. 

  1025. 	phoneNumbers, err := a.PhoneNumbers(phil.ID)
    1026. 

  1026. 	require.Nil(t, err)
    1027. 

  1027. 	require.Equal(t, 1, len(phoneNumbers))
    1028. 

  1028. 	require.Equal(t, "+1234567890", phoneNumbers[0])
    1029. 

  1029. 

  1030. 	require.Nil(t, a.RemovePhoneNumber(phil.ID, "+1234567890"))
    1031. 

  1031. 	phoneNumbers, err = a.PhoneNumbers(phil.ID)
    1032. 

  1032. 	require.Nil(t, err)
    1033. 

  1033. 	require.Equal(t, 0, len(phoneNumbers))
    1034. 

  1034. 

  1035. 	// Paranoia check: We do NOT want to keep phone numbers in there
    1036. 

  1036. 	rows, err := a.db.Query(`SELECT * FROM user_phone`)
    1037. 

  1037. 	require.Nil(t, err)
    1038. 

  1038. 	require.False(t, rows.Next())
    1039. 

  1039. 	require.Nil(t, rows.Close())
    1040. 

  1040. }
    1041. 

  1041. 

  1042. func TestUser_PhoneNumberAdd_Multiple_Users_Same_Number(t *testing.T) {
    1043. 

  1043. 	a := newTestManager(t, PermissionDenyAll)
    1044. 

  1044. 

  1045. 	require.Nil(t, a.AddUser("phil", "phil", RoleUser, false))
    1046. 

  1046. 	require.Nil(t, a.AddUser("ben", "ben", RoleUser, false))
    1047. 

  1047. 	phil, err := a.User("phil")
    1048. 

  1048. 	require.Nil(t, err)
    1049. 

  1049. 	ben, err := a.User("ben")
    1050. 

  1050. 	require.Nil(t, err)
    1051. 

  1051. 	require.Nil(t, a.AddPhoneNumber(phil.ID, "+1234567890"))
    1052. 

  1052. 	require.Nil(t, a.AddPhoneNumber(ben.ID, "+1234567890"))
    1053. 

  1053. }
    1054. 

  1054. 

  1055. func TestManager_Topic_Wildcard_With_Asterisk_Underscore(t *testing.T) {
    1056. 

  1056. 	f := filepath.Join(t.TempDir(), "user.db")
    1057. 

  1057. 	a := newTestManagerFromFile(t, f, "", PermissionDenyAll, DefaultUserPasswordBcryptCost, DefaultUserStatsQueueWriterInterval)
    1058. 

  1058. 	require.Nil(t, a.AllowAccess(Everyone, "*_", PermissionRead))
    1059. 

  1059. 	require.Nil(t, a.AllowAccess(Everyone, "__*_", PermissionRead))
    1060. 

  1060. 	require.Nil(t, a.Authorize(nil, "allowed_", PermissionRead))
    1061. 

  1061. 	require.Nil(t, a.Authorize(nil, "__allowed_", PermissionRead))
    1062. 

  1062. 	require.Nil(t, a.Authorize(nil, "_allowed_", PermissionRead)) // The "%" in "%\_" matches the first "_"
    1063. 

  1063. 	require.Equal(t, ErrUnauthorized, a.Authorize(nil, "notallowed", PermissionRead))
    1064. 

  1064. 	require.Equal(t, ErrUnauthorized, a.Authorize(nil, "_notallowed", PermissionRead))
    1065. 

  1065. 	require.Equal(t, ErrUnauthorized, a.Authorize(nil, "__notallowed", PermissionRead))
    1066. 

  1066. }
    1067. 

  1067. 

  1068. func TestManager_Topic_Wildcard_With_Underscore(t *testing.T) {
    1069. 

  1069. 	f := filepath.Join(t.TempDir(), "user.db")
    1070. 

  1070. 	a := newTestManagerFromFile(t, f, "", PermissionDenyAll, DefaultUserPasswordBcryptCost, DefaultUserStatsQueueWriterInterval)
    1071. 

  1071. 	require.Nil(t, a.AllowAccess(Everyone, "mytopic_", PermissionReadWrite))
    1072. 

  1072. 	require.Nil(t, a.Authorize(nil, "mytopic_", PermissionRead))
    1073. 

  1073. 	require.Nil(t, a.Authorize(nil, "mytopic_", PermissionWrite))
    1074. 

  1074. 	require.Equal(t, ErrUnauthorized, a.Authorize(nil, "mytopicX", PermissionRead))
    1075. 

  1075. 	require.Equal(t, ErrUnauthorized, a.Authorize(nil, "mytopicX", PermissionWrite))
    1076. 

  1076. }
    1077. 

  1077. 

  1078. func TestToFromSQLWildcard(t *testing.T) {
    1079. 

  1079. 	require.Equal(t, "up%", toSQLWildcard("up*"))
    1080. 

  1080. 	require.Equal(t, "up\\_%", toSQLWildcard("up_*"))
    1081. 

  1081. 	require.Equal(t, "foo", toSQLWildcard("foo"))
    1082. 

  1082. 

  1083. 	require.Equal(t, "up*", fromSQLWildcard("up%"))
    1084. 

  1084. 	require.Equal(t, "up_*", fromSQLWildcard("up\\_%"))
    1085. 

  1085. 	require.Equal(t, "foo", fromSQLWildcard("foo"))
    1086. 

  1086. 

  1087. 	require.Equal(t, "up*", fromSQLWildcard(toSQLWildcard("up*")))
    1088. 

  1088. 	require.Equal(t, "up_*", fromSQLWildcard(toSQLWildcard("up_*")))
    1089. 

  1089. 	require.Equal(t, "foo", fromSQLWildcard(toSQLWildcard("foo")))
    1090. 

  1090. }
    1091. 

  1091. 

  1092. func TestMigrationFrom1(t *testing.T) {
    1093. 

  1093. 	filename := filepath.Join(t.TempDir(), "user.db")
    1094. 

  1094. 	db, err := sql.Open("sqlite3", filename)
    1095. 

  1095. 	require.Nil(t, err)
    1096. 

  1096. 

  1097. 	// Create "version 1" schema
    1098. 

  1098. 	_, err = db.Exec(`
    1099. 

  1099. 		BEGIN;
    1100. 

  1100. 		CREATE TABLE IF NOT EXISTS user (
    1101. 

  1101. 			user TEXT NOT NULL PRIMARY KEY,
    1102. 

  1102. 			pass TEXT NOT NULL,
    1103. 

  1103. 			role TEXT NOT NULL
    1104. 

  1104. 		);
    1105. 

  1105. 		CREATE TABLE IF NOT EXISTS access (
    1106. 

  1106. 			user TEXT NOT NULL,		
    1107. 

  1107. 			topic TEXT NOT NULL,
    1108. 

  1108. 			read INT NOT NULL,
    1109. 

  1109. 			write INT NOT NULL,
    1110. 

  1110. 			PRIMARY KEY (topic, user)
    1111. 

  1111. 		);
    1112. 

  1112. 		CREATE TABLE IF NOT EXISTS schemaVersion (
    1113. 

  1113. 			id INT PRIMARY KEY,
    1114. 

  1114. 			version INT NOT NULL
    1115. 

  1115. 		);
    1116. 

  1116. 		INSERT INTO schemaVersion (id, version) VALUES (1, 1);
    1117. 

  1117. 		COMMIT;	
    1118. 

  1118. 	`)
    1119. 

  1119. 	require.Nil(t, err)
    1120. 

  1120. 

  1121. 	// Insert a bunch of users and ACL entries
    1122. 

  1122. 	_, err = db.Exec(`
    1123. 

  1123. 		BEGIN;
    1124. 

  1124. 		INSERT INTO user (user, pass, role) VALUES ('ben', '$2a$10$EEp6gBheOsqEFsXlo523E.gBVoeg1ytphXiEvTPlNzkenBlHZBPQy', 'user');
    1125. 

  1125. 		INSERT INTO user (user, pass, role) VALUES ('phil', '$2a$10$YLiO8U21sX1uhZamTLJXHuxgVC0Z/GKISibrKCLohPgtG7yIxSk4C', 'admin');
    1126. 

  1126. 		INSERT INTO access (user, topic, read, write) VALUES ('ben', 'stats', 1, 1);
    1127. 

  1127. 		INSERT INTO access (user, topic, read, write) VALUES ('ben', 'secret', 1, 0);
    1128. 

  1128. 		INSERT INTO access (user, topic, read, write) VALUES ('*', 'stats', 1, 0);
    1129. 

  1129. 		COMMIT;	
    1130. 

  1130. 	`)
    1131. 

  1131. 	require.Nil(t, err)
    1132. 

  1132. 

  1133. 	// Create manager to trigger migration
    1134. 

  1134. 	a := newTestManagerFromFile(t, filename, "", PermissionDenyAll, bcrypt.MinCost, DefaultUserStatsQueueWriterInterval)
    1135. 

  1135. 	checkSchemaVersion(t, a.db)
    1136. 

  1136. 

  1137. 	users, err := a.Users()
    1138. 

  1138. 	require.Nil(t, err)
    1139. 

  1139. 	require.Equal(t, 3, len(users))
    1140. 

  1140. 	phil, ben, everyone := users[0], users[1], users[2]
    1141. 

  1141. 

  1142. 	philGrants, err := a.Grants("phil")
    1143. 

  1143. 	require.Nil(t, err)
    1144. 

  1144. 

  1145. 	benGrants, err := a.Grants("ben")
    1146. 

  1146. 	require.Nil(t, err)
    1147. 

  1147. 

  1148. 	everyoneGrants, err := a.Grants(Everyone)
    1149. 

  1149. 	require.Nil(t, err)
    1150. 

  1150. 

  1151. 	require.True(t, strings.HasPrefix(phil.ID, "u_"))
    1152. 

  1152. 	require.Equal(t, "phil", phil.Name)
    1153. 

  1153. 	require.Equal(t, RoleAdmin, phil.Role)
    1154. 

  1154. 	require.Equal(t, syncTopicLength, len(phil.SyncTopic))
    1155. 

  1155. 	require.Equal(t, 0, len(philGrants))
    1156. 

  1156. 

  1157. 	require.True(t, strings.HasPrefix(ben.ID, "u_"))
    1158. 

  1158. 	require.NotEqual(t, phil.ID, ben.ID)
    1159. 

  1159. 	require.Equal(t, "ben", ben.Name)
    1160. 

  1160. 	require.Equal(t, RoleUser, ben.Role)
    1161. 

  1161. 	require.Equal(t, syncTopicLength, len(ben.SyncTopic))
    1162. 

  1162. 	require.NotEqual(t, ben.SyncTopic, phil.SyncTopic)
    1163. 

  1163. 	require.Equal(t, 2, len(benGrants))
    1164. 

  1164. 	require.Equal(t, "secret", benGrants[0].TopicPattern)
    1165. 

  1165. 	require.Equal(t, PermissionRead, benGrants[0].Allow)
    1166. 

  1166. 	require.Equal(t, "stats", benGrants[1].TopicPattern)
    1167. 

  1167. 	require.Equal(t, PermissionReadWrite, benGrants[1].Allow)
    1168. 

  1168. 

  1169. 	require.Equal(t, "u_everyone", everyone.ID)
    1170. 

  1170. 	require.Equal(t, Everyone, everyone.Name)
    1171. 

  1171. 	require.Equal(t, RoleAnonymous, everyone.Role)
    1172. 

  1172. 	require.Equal(t, 1, len(everyoneGrants))
    1173. 

  1173. 	require.Equal(t, "stats", everyoneGrants[0].TopicPattern)
    1174. 

  1174. 	require.Equal(t, PermissionRead, everyoneGrants[0].Allow)
    1175. 

  1175. }
    1176. 

  1176. 

  1177. func TestMigrationFrom4(t *testing.T) {
    1178. 

  1178. 	filename := filepath.Join(t.TempDir(), "user.db")
    1179. 

  1179. 	db, err := sql.Open("sqlite3", filename)
    1180. 

  1180. 	require.Nil(t, err)
    1181. 

  1181. 

  1182. 	// Create "version 4" schema
    1183. 

  1183. 	_, err = db.Exec(`
    1184. 

  1184. 		BEGIN;
    1185. 

  1185. 		CREATE TABLE IF NOT EXISTS tier (
    1186. 

  1186. 			id TEXT PRIMARY KEY,
    1187. 

  1187. 			code TEXT NOT NULL,
    1188. 

  1188. 			name TEXT NOT NULL,
    1189. 

  1189. 			messages_limit INT NOT NULL,
    1190. 

  1190. 			messages_expiry_duration INT NOT NULL,
    1191. 

  1191. 			emails_limit INT NOT NULL,
    1192. 

  1192. 			calls_limit INT NOT NULL,
    1193. 

  1193. 			reservations_limit INT NOT NULL,
    1194. 

  1194. 			attachment_file_size_limit INT NOT NULL,
    1195. 

  1195. 			attachment_total_size_limit INT NOT NULL,
    1196. 

  1196. 			attachment_expiry_duration INT NOT NULL,
    1197. 

  1197. 			attachment_bandwidth_limit INT NOT NULL,
    1198. 

  1198. 			stripe_monthly_price_id TEXT,
    1199. 

  1199. 			stripe_yearly_price_id TEXT
    1200. 

  1200. 		);
    1201. 

  1201. 		CREATE UNIQUE INDEX idx_tier_code ON tier (code);
    1202. 

  1202. 		CREATE UNIQUE INDEX idx_tier_stripe_monthly_price_id ON tier (stripe_monthly_price_id);
    1203. 

  1203. 		CREATE UNIQUE INDEX idx_tier_stripe_yearly_price_id ON tier (stripe_yearly_price_id);
    1204. 

  1204. 		CREATE TABLE IF NOT EXISTS user (
    1205. 

  1205. 		    id TEXT PRIMARY KEY,
    1206. 

  1206. 			tier_id TEXT,
    1207. 

  1207. 			user TEXT NOT NULL,
    1208. 

  1208. 			pass TEXT NOT NULL,
    1209. 

  1209. 			role TEXT CHECK (role IN ('anonymous', 'admin', 'user')) NOT NULL,
    1210. 

  1210. 			prefs JSON NOT NULL DEFAULT '{}',
    1211. 

  1211. 			sync_topic TEXT NOT NULL,
    1212. 

  1212. 			stats_messages INT NOT NULL DEFAULT (0),
    1213. 

  1213. 			stats_emails INT NOT NULL DEFAULT (0),
    1214. 

  1214. 			stats_calls INT NOT NULL DEFAULT (0),
    1215. 

  1215. 			stripe_customer_id TEXT,
    1216. 

  1216. 			stripe_subscription_id TEXT,
    1217. 

  1217. 			stripe_subscription_status TEXT,
    1218. 

  1218. 			stripe_subscription_interval TEXT,
    1219. 

  1219. 			stripe_subscription_paid_until INT,
    1220. 

  1220. 			stripe_subscription_cancel_at INT,
    1221. 

  1221. 			created INT NOT NULL,
    1222. 

  1222. 			deleted INT,
    1223. 

  1223. 		    FOREIGN KEY (tier_id) REFERENCES tier (id)
    1224. 

  1224. 		);
    1225. 

  1225. 		CREATE UNIQUE INDEX idx_user ON user (user);
    1226. 

  1226. 		CREATE UNIQUE INDEX idx_user_stripe_customer_id ON user (stripe_customer_id);
    1227. 

  1227. 		CREATE UNIQUE INDEX idx_user_stripe_subscription_id ON user (stripe_subscription_id);
    1228. 

  1228. 		CREATE TABLE IF NOT EXISTS user_access (
    1229. 

  1229. 			user_id TEXT NOT NULL,
    1230. 

  1230. 			topic TEXT NOT NULL,
    1231. 

  1231. 			read INT NOT NULL,
    1232. 

  1232. 			write INT NOT NULL,
    1233. 

  1233. 			owner_user_id INT,
    1234. 

  1234. 			PRIMARY KEY (user_id, topic),
    1235. 

  1235. 			FOREIGN KEY (user_id) REFERENCES user (id) ON DELETE CASCADE,
    1236. 

  1236. 		    FOREIGN KEY (owner_user_id) REFERENCES user (id) ON DELETE CASCADE
    1237. 

  1237. 		);
    1238. 

  1238. 		CREATE TABLE IF NOT EXISTS user_token (
    1239. 

  1239. 			user_id TEXT NOT NULL,
    1240. 

  1240. 			token TEXT NOT NULL,
    1241. 

  1241. 			label TEXT NOT NULL,
    1242. 

  1242. 			last_access INT NOT NULL,
    1243. 

  1243. 			last_origin TEXT NOT NULL,
    1244. 

  1244. 			expires INT NOT NULL,
    1245. 

  1245. 			PRIMARY KEY (user_id, token),
    1246. 

  1246. 			FOREIGN KEY (user_id) REFERENCES user (id) ON DELETE CASCADE
    1247. 

  1247. 		);
    1248. 

  1248. 		CREATE TABLE IF NOT EXISTS user_phone (
    1249. 

  1249. 			user_id TEXT NOT NULL,
    1250. 

  1250. 			phone_number TEXT NOT NULL,
    1251. 

  1251. 			PRIMARY KEY (user_id, phone_number),
    1252. 

  1252. 			FOREIGN KEY (user_id) REFERENCES user (id) ON DELETE CASCADE
    1253. 

  1253. 		);
    1254. 

  1254. 		CREATE TABLE IF NOT EXISTS schemaVersion (
    1255. 

  1255. 			id INT PRIMARY KEY,
    1256. 

  1256. 			version INT NOT NULL
    1257. 

  1257. 		);
    1258. 

  1258. 		INSERT INTO user (id, user, pass, role, sync_topic, created)
    1259. 

  1259. 		VALUES ('u_everyone', '*', '', 'anonymous', '', UNIXEPOCH())
    1260. 

  1260. 		ON CONFLICT (id) DO NOTHING;
    1261. 

  1261. 		INSERT INTO schemaVersion (id, version) VALUES (1, 4);		
    1262. 

  1262. 		COMMIT;
    1263. 

  1263. 	`)
    1264. 

  1264. 	require.Nil(t, err)
    1265. 

  1265. 

  1266. 	// Insert a few ACL entries
    1267. 

  1267. 	_, err = db.Exec(`
    1268. 

  1268. 		BEGIN;
    1269. 

  1269. 		INSERT INTO user_access (user_id, topic, read, write) values ('u_everyone', 'mytopic_', 1, 1);
    1270. 

  1270. 		INSERT INTO user_access (user_id, topic, read, write) values ('u_everyone', 'up%', 1, 1);
    1271. 

  1271. 		INSERT INTO user_access (user_id, topic, read, write) values ('u_everyone', 'down_%', 1, 1);
    1272. 

  1272. 		COMMIT;	
    1273. 

  1273. 	`)
    1274. 

  1274. 	require.Nil(t, err)
    1275. 

  1275. 

  1276. 	// Create manager to trigger migration
    1277. 

  1277. 	a := newTestManagerFromFile(t, filename, "", PermissionDenyAll, bcrypt.MinCost, DefaultUserStatsQueueWriterInterval)
    1278. 

  1278. 	checkSchemaVersion(t, a.db)
    1279. 

  1279. 

  1280. 	// Add another
    1281. 

  1281. 	require.Nil(t, a.AllowAccess(Everyone, "left_*", PermissionReadWrite))
    1282. 

  1282. 

  1283. 	// Check "external view" of grants
    1284. 

  1284. 	everyoneGrants, err := a.Grants(Everyone)
    1285. 

  1285. 	require.Nil(t, err)
    1286. 

  1286. 

  1287. 	require.Equal(t, 4, len(everyoneGrants))
    1288. 

  1288. 	require.Equal(t, "mytopic_", everyoneGrants[0].TopicPattern)
    1289. 

  1289. 	require.Equal(t, "down_*", everyoneGrants[1].TopicPattern)
    1290. 

  1290. 	require.Equal(t, "left_*", everyoneGrants[2].TopicPattern)
    1291. 

  1291. 	require.Equal(t, "up*", everyoneGrants[3].TopicPattern)
    1292. 

  1292. 

  1293. 	// Check they are stored correctly in the database
    1294. 

  1294. 	rows, err := db.Query(`SELECT topic FROM user_access WHERE user_id = 'u_everyone' ORDER BY topic`)
    1295. 

  1295. 	require.Nil(t, err)
    1296. 

  1296. 	topicPatterns := make([]string, 0)
    1297. 

  1297. 	for rows.Next() {
    1298. 

  1298. 		var topicPattern string
    1299. 

  1299. 		require.Nil(t, rows.Scan(&topicPattern))
    1300. 

  1300. 		topicPatterns = append(topicPatterns, topicPattern)
    1301. 

  1301. 	}
    1302. 

  1302. 	require.Nil(t, rows.Close())
    1303. 

  1303. 	require.Equal(t, 4, len(topicPatterns))
    1304. 

  1304. 	require.Equal(t, "down\\_%", topicPatterns[0])
    1305. 

  1305. 	require.Equal(t, "left\\_%", topicPatterns[1])
    1306. 

  1306. 	require.Equal(t, "mytopic\\_", topicPatterns[2])
    1307. 

  1307. 	require.Equal(t, "up%", topicPatterns[3])
    1308. 

  1308. 

  1309. 	// Check that ACL works as excepted
    1310. 

  1310. 	require.Nil(t, a.Authorize(nil, "down_123", PermissionRead))
    1311. 

  1311. 	require.Equal(t, ErrUnauthorized, a.Authorize(nil, "downX123", PermissionRead))
    1312. 

  1312. 

  1313. 	require.Nil(t, a.Authorize(nil, "left_abc", PermissionRead))
    1314. 

  1314. 	require.Equal(t, ErrUnauthorized, a.Authorize(nil, "leftX123", PermissionRead))
    1315. 

  1315. 

  1316. 	require.Nil(t, a.Authorize(nil, "mytopic_", PermissionRead))
    1317. 

  1317. 	require.Equal(t, ErrUnauthorized, a.Authorize(nil, "mytopicX", PermissionRead))
    1318. 

  1318. 

  1319. 	require.Nil(t, a.Authorize(nil, "up123", PermissionRead))
    1320. 

  1320. 	require.Nil(t, a.Authorize(nil, "up", PermissionRead)) // % matches 0 or more characters
    1321. 

  1321. }
    1322. 

  1322. 

  1323. func checkSchemaVersion(t *testing.T, db *sql.DB) {
    1324. 

  1324. 	rows, err := db.Query(`SELECT version FROM schemaVersion`)
    1325. 

  1325. 	require.Nil(t, err)
    1326. 

  1326. 	require.True(t, rows.Next())
    1327. 

  1327. 

  1328. 	var schemaVersion int
    1329. 

  1329. 	require.Nil(t, rows.Scan(&schemaVersion))
    1330. 

  1330. 	require.Equal(t, currentSchemaVersion, schemaVersion)
    1331. 

  1331. 	require.Nil(t, rows.Close())
    1332. 

  1332. }
    1333. 

  1333. 

  1334. func newTestManager(t *testing.T, defaultAccess Permission) *Manager {
    1335. 

  1335. 	return newTestManagerFromFile(t, filepath.Join(t.TempDir(), "user.db"), "", defaultAccess, bcrypt.MinCost, DefaultUserStatsQueueWriterInterval)
    1336. 

  1336. }
    1337. 

  1337. 

  1338. func newTestManagerFromFile(t *testing.T, filename, startupQueries string, defaultAccess Permission, bcryptCost int, statsWriterInterval time.Duration) *Manager {
    1339. 

  1339. 	a, err := NewManager(filename, startupQueries, defaultAccess, bcryptCost, statsWriterInterval)
    1340. 

  1340. 	require.Nil(t, err)
    1341. 

  1341. 	return a
    1342. 

  1342. }
    1343.