src/routes/test/groups-test.js

/* jslint node:true */
/* global it:false */
/* global describe:false */
/* global before:false */
/* global after:false */

'use strict';

var accesscontrol = require('../../accesscontrol.js'),
    async = require('async'),
    config = require('../../config.js'),
    constants = require('../../constants.js'),
    database = require('../../database.js'),
    expect = require('expect.js'),
    hat = require('../../hat.js'),
    server = require('../../server.js'),
    superagent = require('superagent'),
    tokendb = require('../../tokendb.js');

var SERVER_URL = 'http://localhost:' + constants.PORT;

var USERNAME = 'superadmin', PASSWORD = 'Foobar?1337', EMAIL ='silly@me.com';
var USERNAME_1 = 'user', PASSWORD_1 = 'Foobar?1337', EMAIL_1 ='happy@me.com';
var token, token_1 = null;
var userId, userId_1 = null;

var GROUP_NAME = 'externals';
var groupObject, group1Object;

function setup(done) {
    config._reset();
    config.setFqdn('example-groups-test.com');

    async.series([
        server.start.bind(server),

        database._clear,

        function createAdmin(callback) {
            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
                .query({ setupToken: 'somesetuptoken' })
                .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                .end(function (error, result) {
                    expect(result).to.be.ok();
                    expect(result.statusCode).to.eql(201);

                    // stash token for further use
                    token = result.body.token;

                    superagent.get(SERVER_URL + '/api/v1/profile')
                        .query({ access_token: token })
                        .end(function (error, result) {
                            expect(result).to.be.ok();
                            expect(result.statusCode).to.eql(200);

                            userId = result.body.id;

                            callback();
                        });
                });
        },
        function (callback) {
            superagent.post(SERVER_URL + '/api/v1/users')
                .query({ access_token: token })
                .send({ username: USERNAME_1, email: EMAIL_1, invite: false })
                .end(function (error, result) {
                    expect(result).to.be.ok();
                    expect(result.statusCode).to.eql(201);

                    token_1 = hat(8 * 32);
                    userId_1 = result.body.id;

                    // HACK to get a token for second user (passwords are generated and the user should have gotten a password setup link...)
                    tokendb.add({ id: 'tid-1', accessToken: token_1, identifier: userId_1, clientId: 'test-client-id', expires: Date.now() + 100000, scope: accesscontrol.SCOPE_PROFILE, name: '' }, callback);
                });
        }
    ], done);
}

function cleanup(done) {
    database._clear(function (error) {
        expect(!error).to.be.ok();

        server.stop(done);
    });
}

describe('Groups API', function () {
    before(setup);
    after(cleanup);

    it('create fails due to mising token', function (done) {
        superagent.post(SERVER_URL + '/api/v1/groups')
            .send({ name: GROUP_NAME})
            .end(function (error, result) {
                expect(result.statusCode).to.equal(401);
                done();
            });
    });

    it('create succeeds', function (done) {
        superagent.post(SERVER_URL + '/api/v1/groups')
            .query({ access_token: token })
            .send({ name: GROUP_NAME})
            .end(function (error, result) {
                expect(result.statusCode).to.equal(201);
                groupObject = result.body;
                done();
            });
    });

    it('create fails for already exists', function (done) {
        superagent.post(SERVER_URL + '/api/v1/groups')
            .query({ access_token: token })
            .send({ name: GROUP_NAME})
            .end(function (error, result) {
                expect(result.statusCode).to.equal(409);
                done();
            });
    });

    it('can create another group', function (done) {
        superagent.post(SERVER_URL + '/api/v1/groups')
            .query({ access_token: token })
            .send({ name: 'group1'})
            .end(function (error, result) {
                expect(result.statusCode).to.equal(201);
                group1Object = result.body;
                done();
            });
    })

    it('cannot add user to invalid group', function (done) {
        superagent.put(SERVER_URL + '/api/v1/users/' + userId + '/groups')
            .query({ access_token: token })
            .send({ groupIds: [ groupObject.id, 'something' ]})
            .end(function (error, result) {
                expect(result.statusCode).to.equal(404);
                done();
            });
    });

    it('can set groups of a user', function (done) {
        superagent.put(SERVER_URL + '/api/v1/users/' + userId + '/groups')
            .query({ access_token: token })
            .send({ groupIds: [ groupObject.id, group1Object.id ]})
            .end(function (error, result) {
                expect(result.statusCode).to.equal(204);
                done();
            });
    });

    it('can set users of a group', function (done) {
        superagent.put(SERVER_URL + '/api/v1/groups/' + groupObject.id + '/members')
            .query({ access_token: token })
            .send({ userIds: [ userId, userId_1 ]})
            .end(function (error, result) {
                expect(result.statusCode).to.equal(200);
                done();
            });
    });

    it('cannot get non-existing group', function (done) {
        superagent.get(SERVER_URL + '/api/v1/groups/nope')
            .query({ access_token: token })
            .end(function (error, result) {
                expect(result.statusCode).to.equal(404);
                done();
            });
    });

    it('cannot get existing group with normal user', function (done) {
        superagent.get(SERVER_URL + '/api/v1/groups/' + groupObject.id)
            .query({ access_token: token_1 })
            .end(function (error, result) {
                expect(result.statusCode).to.equal(403);
                done();
            });
    });

    it('can get existing group', function (done) {
        superagent.get(SERVER_URL + '/api/v1/groups/' + groupObject.id)
            .query({ access_token: token })
            .end(function (error, result) {
                expect(result.statusCode).to.equal(200);
                expect(result.body.name).to.be(groupObject.name);
                expect(result.body.userIds.length).to.be(2);
                expect(result.body.userIds[0]).to.be(userId);
                expect(result.body.userIds[1]).to.be(userId_1);
                done();
            });
    });

    it('cannot list groups without token', function (done) {
        superagent.get(SERVER_URL + '/api/v1/groups')
            .end(function (err, res) {
                expect(res.statusCode).to.equal(401);
                done();
            });
    });

    it('cannot list groups as normal user', function (done) {
        superagent.get(SERVER_URL + '/api/v1/groups')
            .query({ access_token: token_1 })
            .end(function (err, res) {
                expect(res.statusCode).to.equal(403);
                done();
            });
    });

    it('can list groups', function (done) {
        superagent.get(SERVER_URL + '/api/v1/groups')
            .query({ access_token: token })
            .end(function (err, res) {
                expect(res.statusCode).to.equal(200);
                expect(res.body.groups).to.be.an(Array);
                expect(res.body.groups.length).to.be(2);
                expect(res.body.groups[0].name).to.eql(groupObject.name);
                expect(res.body.groups[1].name).to.eql(group1Object.name);
                done();
            });
    });

    it('remove user from group', function (done) {
        superagent.put(SERVER_URL + '/api/v1/users/' + userId + '/groups')
            .query({ access_token: token })
            .send({ groupIds: [ groupObject.id ]})
            .end(function (error, result) {
                expect(result.statusCode).to.equal(204);
                done();
            });
    });

    it('cannot remove without token', function (done) {
        superagent.del(SERVER_URL + '/api/v1/groups/externals')
            .end(function (error, result) {
                expect(result.statusCode).to.equal(401);
                done();
            });
    });

    it('can clear users of a group', function (done) {
        superagent.put(SERVER_URL + '/api/v1/groups/' + group1Object.id + '/members')
            .query({ access_token: token })
            .send({ userIds: [ ]})
            .end(function (error, result) {
                expect(result.statusCode).to.equal(200);
                done();
            });
    });

    it('can remove empty group', function (done) {
        superagent.del(SERVER_URL + '/api/v1/groups/' + group1Object.id)
            .query({ access_token: token })
            .end(function (error, result) {
                expect(result.statusCode).to.equal(204);
                done();
            });
    });

    it('can remove non-empty group', function (done) {
        superagent.del(SERVER_URL + '/api/v1/groups/' + groupObject.id)
            .query({ access_token: token })
            .end(function (error, result) {
                expect(result.statusCode).to.equal(204);
                done();
            });
    });
});
Add groups route tests 2016-02-09 15:26:34 -08:00			`/* jslint node:true */`
			`/* global it:false */`
			`/* global describe:false */`
			`/* global before:false */`
			`/* global after:false */`

			`'use strict';`

Remove redundant requireAdmin 2018-04-27 21:47:11 -07:00			`var accesscontrol = require('../../accesscontrol.js'),`
			`async = require('async'),`
Add groups route tests 2016-02-09 15:26:34 -08:00			`config = require('../../config.js'),`
Make port a constant 2019-07-25 15:43:51 -07:00			`constants = require('../../constants.js'),`
Add groups route tests 2016-02-09 15:26:34 -08:00			`database = require('../../database.js'),`
			`expect = require('expect.js'),`
Fix tests 2019-02-15 14:40:15 -08:00			`hat = require('../../hat.js'),`
Add groups route tests 2016-02-09 15:26:34 -08:00			`server = require('../../server.js'),`
Fix tests 2019-02-15 14:40:15 -08:00			`superagent = require('superagent'),`
remove caas dep from tests 2018-01-18 13:41:10 -08:00			`tokendb = require('../../tokendb.js');`
Add groups route tests 2016-02-09 15:26:34 -08:00
Make port a constant 2019-07-25 15:43:51 -07:00			`var SERVER_URL = 'http://localhost:' + constants.PORT;`
Add groups route tests 2016-02-09 15:26:34 -08:00
reserve the "admin" username 2016-04-13 16:50:20 -07:00			`var USERNAME = 'superadmin', PASSWORD = 'Foobar?1337', EMAIL ='silly@me.com';`
Do not allow normal users to get group listings or details 2016-02-25 13:34:01 +01:00			`var USERNAME_1 = 'user', PASSWORD_1 = 'Foobar?1337', EMAIL_1 ='happy@me.com';`
			`var token, token_1 = null;`
Fixup group rest api tests 2016-04-04 15:35:25 +02:00			`var userId, userId_1 = null;`
Add groups route tests 2016-02-09 15:26:34 -08:00
Fix more of the group tests 2016-09-30 10:17:50 -07:00			`var GROUP_NAME = 'externals';`
Make admin simply a boolean instead of group 2018-07-26 17:17:52 -07:00			`var groupObject, group1Object;`
Fix more of the group tests 2016-09-30 10:17:50 -07:00
Add groups route tests 2016-02-09 15:26:34 -08:00			`function setup(done) {`
Fix route/ tests 2017-11-27 15:30:55 -08:00			`config._reset();`
			`config.setFqdn('example-groups-test.com');`
More test cleanups to support domains api 2017-11-21 01:56:24 +01:00
Add groups route tests 2016-02-09 15:26:34 -08:00			`async.series([`
			`server.start.bind(server),`

			`database._clear,`

			`function createAdmin(callback) {`
			`superagent.post(SERVER_URL + '/api/v1/cloudron/activate')`
remove caas dep from tests 2018-01-18 13:41:10 -08:00			`.query({ setupToken: 'somesetuptoken' })`
			`.send({ username: USERNAME, password: PASSWORD, email: EMAIL })`
			`.end(function (error, result) {`
Fixup group rest api tests 2016-04-04 15:35:25 +02:00			`expect(result).to.be.ok();`
remove caas dep from tests 2018-01-18 13:41:10 -08:00			`expect(result.statusCode).to.eql(201);`

			`// stash token for further use`
			`token = result.body.token;`

remove /user from profile route 2018-05-13 21:52:48 -07:00			`superagent.get(SERVER_URL + '/api/v1/profile')`
remove caas dep from tests 2018-01-18 13:41:10 -08:00			`.query({ access_token: token })`
			`.end(function (error, result) {`
			`expect(result).to.be.ok();`
			`expect(result.statusCode).to.eql(200);`
Fixup group rest api tests 2016-04-04 15:35:25 +02:00
remove caas dep from tests 2018-01-18 13:41:10 -08:00			`userId = result.body.id;`
Fixup group rest api tests 2016-04-04 15:35:25 +02:00
remove caas dep from tests 2018-01-18 13:41:10 -08:00			`callback();`
			`});`
Fixup group rest api tests 2016-04-04 15:35:25 +02:00			`});`
Do not allow normal users to get group listings or details 2016-02-25 13:34:01 +01:00			`},`
			`function (callback) {`
			`superagent.post(SERVER_URL + '/api/v1/users')`
remove caas dep from tests 2018-01-18 13:41:10 -08:00			`.query({ access_token: token })`
			`.send({ username: USERNAME_1, email: EMAIL_1, invite: false })`
			`.end(function (error, result) {`
			`expect(result).to.be.ok();`
			`expect(result.statusCode).to.eql(201);`
Do not allow normal users to get group listings or details 2016-02-25 13:34:01 +01:00
Fix tests 2019-02-15 14:40:15 -08:00			`token_1 = hat(8 * 32);`
remove caas dep from tests 2018-01-18 13:41:10 -08:00			`userId_1 = result.body.id;`
Do not allow normal users to get group listings or details 2016-02-25 13:34:01 +01:00
remove caas dep from tests 2018-01-18 13:41:10 -08:00			`// HACK to get a token for second user (passwords are generated and the user should have gotten a password setup link...)`
Fix tests 2019-02-15 14:40:15 -08:00			`tokendb.add({ id: 'tid-1', accessToken: token_1, identifier: userId_1, clientId: 'test-client-id', expires: Date.now() + 100000, scope: accesscontrol.SCOPE_PROFILE, name: '' }, callback);`
remove caas dep from tests 2018-01-18 13:41:10 -08:00			`});`
Add groups route tests 2016-02-09 15:26:34 -08:00			`}`
remove caas dep from tests 2018-01-18 13:41:10 -08:00			`], done);`
Add groups route tests 2016-02-09 15:26:34 -08:00			`}`

			`function cleanup(done) {`
			`database._clear(function (error) {`
			`expect(!error).to.be.ok();`

			`server.stop(done);`
			`});`
			`}`

			`describe('Groups API', function () {`
			`before(setup);`
			`after(cleanup);`

Make admin simply a boolean instead of group 2018-07-26 17:17:52 -07:00			`it('create fails due to mising token', function (done) {`
			`superagent.post(SERVER_URL + '/api/v1/groups')`
			`.send({ name: GROUP_NAME})`
			`.end(function (error, result) {`
			`expect(result.statusCode).to.equal(401);`
			`done();`
			`});`
Add groups route tests 2016-02-09 15:26:34 -08:00			`});`

Make admin simply a boolean instead of group 2018-07-26 17:17:52 -07:00			`it('create succeeds', function (done) {`
			`superagent.post(SERVER_URL + '/api/v1/groups')`
			`.query({ access_token: token })`
			`.send({ name: GROUP_NAME})`
			`.end(function (error, result) {`
			`expect(result.statusCode).to.equal(201);`
			`groupObject = result.body;`
			`done();`
			`});`
Add groups route tests 2016-02-09 15:26:34 -08:00			`});`

Make admin simply a boolean instead of group 2018-07-26 17:17:52 -07:00			`it('create fails for already exists', function (done) {`
			`superagent.post(SERVER_URL + '/api/v1/groups')`
			`.query({ access_token: token })`
			`.send({ name: GROUP_NAME})`
			`.end(function (error, result) {`
			`expect(result.statusCode).to.equal(409);`
			`done();`
			`});`
			`});`
Do not allow normal users to get group listings or details 2016-02-25 13:34:01 +01:00
Make admin simply a boolean instead of group 2018-07-26 17:17:52 -07:00			`it('can create another group', function (done) {`
			`superagent.post(SERVER_URL + '/api/v1/groups')`
			`.query({ access_token: token })`
			`.send({ name: 'group1'})`
			`.end(function (error, result) {`
			`expect(result.statusCode).to.equal(201);`
			`group1Object = result.body;`
			`done();`
			`});`
			`})`

			`it('cannot add user to invalid group', function (done) {`
			`superagent.put(SERVER_URL + '/api/v1/users/' + userId + '/groups')`
			`.query({ access_token: token })`
			`.send({ groupIds: [ groupObject.id, 'something' ]})`
			`.end(function (error, result) {`
			`expect(result.statusCode).to.equal(404);`
			`done();`
			`});`
Add groups route tests 2016-02-09 15:26:34 -08:00			`});`

Make admin simply a boolean instead of group 2018-07-26 17:17:52 -07:00			`it('can set groups of a user', function (done) {`
			`superagent.put(SERVER_URL + '/api/v1/users/' + userId + '/groups')`
			`.query({ access_token: token })`
			`.send({ groupIds: [ groupObject.id, group1Object.id ]})`
			`.end(function (error, result) {`
			`expect(result.statusCode).to.equal(204);`
			`done();`
			`});`
			`});`
Add groups route tests 2016-02-09 15:26:34 -08:00
Make admin simply a boolean instead of group 2018-07-26 17:17:52 -07:00			`it('can set users of a group', function (done) {`
			`superagent.put(SERVER_URL + '/api/v1/groups/' + groupObject.id + '/members')`
			`.query({ access_token: token })`
			`.send({ userIds: [ userId, userId_1 ]})`
			`.end(function (error, result) {`
			`expect(result.statusCode).to.equal(200);`
			`done();`
			`});`
			`});`
Add groups route tests 2016-02-09 15:26:34 -08:00
Make admin simply a boolean instead of group 2018-07-26 17:17:52 -07:00			`it('cannot get non-existing group', function (done) {`
			`superagent.get(SERVER_URL + '/api/v1/groups/nope')`
			`.query({ access_token: token })`
			`.end(function (error, result) {`
			`expect(result.statusCode).to.equal(404);`
			`done();`
			`});`
Add groups route tests 2016-02-09 15:26:34 -08:00			`});`
Add route to set the users groups 2016-02-09 15:47:02 -08:00
Make admin simply a boolean instead of group 2018-07-26 17:17:52 -07:00			`it('cannot get existing group with normal user', function (done) {`
			`superagent.get(SERVER_URL + '/api/v1/groups/' + groupObject.id)`
			`.query({ access_token: token_1 })`
			`.end(function (error, result) {`
			`expect(result.statusCode).to.equal(403);`
			`done();`
Fix more of the group tests 2016-09-30 10:17:50 -07:00			`});`
Make admin simply a boolean instead of group 2018-07-26 17:17:52 -07:00			`});`
Add route to set the users groups 2016-02-09 15:47:02 -08:00
Make admin simply a boolean instead of group 2018-07-26 17:17:52 -07:00			`it('can get existing group', function (done) {`
			`superagent.get(SERVER_URL + '/api/v1/groups/' + groupObject.id)`
			`.query({ access_token: token })`
			`.end(function (error, result) {`
			`expect(result.statusCode).to.equal(200);`
			`expect(result.body.name).to.be(groupObject.name);`
			`expect(result.body.userIds.length).to.be(2);`
			`expect(result.body.userIds[0]).to.be(userId);`
			`expect(result.body.userIds[1]).to.be(userId_1);`
			`done();`
			`});`
			`});`
Add route to set the users groups 2016-02-09 15:47:02 -08:00
Make admin simply a boolean instead of group 2018-07-26 17:17:52 -07:00			`it('cannot list groups without token', function (done) {`
			`superagent.get(SERVER_URL + '/api/v1/groups')`
			`.end(function (err, res) {`
			`expect(res.statusCode).to.equal(401);`
			`done();`
			`});`
			`});`
Add route to set the users groups 2016-02-09 15:47:02 -08:00
Make admin simply a boolean instead of group 2018-07-26 17:17:52 -07:00			`it('cannot list groups as normal user', function (done) {`
			`superagent.get(SERVER_URL + '/api/v1/groups')`
			`.query({ access_token: token_1 })`
			`.end(function (err, res) {`
			`expect(res.statusCode).to.equal(403);`
			`done();`
			`});`
			`});`
make group listing API return member userIds 2016-06-02 21:07:33 -07:00
Make admin simply a boolean instead of group 2018-07-26 17:17:52 -07:00			`it('can list groups', function (done) {`
			`superagent.get(SERVER_URL + '/api/v1/groups')`
			`.query({ access_token: token })`
			`.end(function (err, res) {`
			`expect(res.statusCode).to.equal(200);`
			`expect(res.body.groups).to.be.an(Array);`
			`expect(res.body.groups.length).to.be(2);`
			`expect(res.body.groups[0].name).to.eql(groupObject.name);`
			`expect(res.body.groups[1].name).to.eql(group1Object.name);`
			`done();`
			`});`
			`});`
make group listing API return member userIds 2016-06-02 21:07:33 -07:00
Make admin simply a boolean instead of group 2018-07-26 17:17:52 -07:00			`it('remove user from group', function (done) {`
			`superagent.put(SERVER_URL + '/api/v1/users/' + userId + '/groups')`
			`.query({ access_token: token })`
			`.send({ groupIds: [ groupObject.id ]})`
			`.end(function (error, result) {`
			`expect(result.statusCode).to.equal(204);`
			`done();`
			`});`
			`});`
make group listing API return member userIds 2016-06-02 21:07:33 -07:00
Make admin simply a boolean instead of group 2018-07-26 17:17:52 -07:00			`it('cannot remove without token', function (done) {`
			`superagent.del(SERVER_URL + '/api/v1/groups/externals')`
			`.end(function (error, result) {`
			`expect(result.statusCode).to.equal(401);`
			`done();`
			`});`
			`});`
Remove redundant requireAdmin 2018-04-27 21:47:11 -07:00
Make admin simply a boolean instead of group 2018-07-26 17:17:52 -07:00			`it('can clear users of a group', function (done) {`
			`superagent.put(SERVER_URL + '/api/v1/groups/' + group1Object.id + '/members')`
			`.query({ access_token: token })`
			`.send({ userIds: [ ]})`
			`.end(function (error, result) {`
			`expect(result.statusCode).to.equal(200);`
			`done();`
			`});`
			`});`
Remove redundant requireAdmin 2018-04-27 21:47:11 -07:00
Make admin simply a boolean instead of group 2018-07-26 17:17:52 -07:00			`it('can remove empty group', function (done) {`
			`superagent.del(SERVER_URL + '/api/v1/groups/' + group1Object.id)`
			`.query({ access_token: token })`
			`.end(function (error, result) {`
			`expect(result.statusCode).to.equal(204);`
			`done();`
			`});`
			`});`
Remove redundant requireAdmin 2018-04-27 21:47:11 -07:00
Make admin simply a boolean instead of group 2018-07-26 17:17:52 -07:00			`it('can remove non-empty group', function (done) {`
			`superagent.del(SERVER_URL + '/api/v1/groups/' + groupObject.id)`
			`.query({ access_token: token })`
			`.end(function (error, result) {`
			`expect(result.statusCode).to.equal(204);`
			`done();`
			`});`
Add route to set the users groups 2016-02-09 15:47:02 -08:00			`});`
Add groups route tests 2016-02-09 15:26:34 -08:00			`});`