1// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
2// See LICENSE.txt for license information.
3
4package api4
5
6import (
7	"context"
8	"strings"
9	"testing"
10
11	"github.com/stretchr/testify/assert"
12	"github.com/stretchr/testify/require"
13
14	"github.com/mattermost/mattermost-server/v6/model"
15)
16
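// TestCreateScheme covers scheme creation through the API client: the happy
// path for team- and channel-scoped schemes, rejection of invalid input, and
// the permission, license and migration gates in front of the endpoint.
func TestCreateScheme(t *testing.T) {
	th := Setup(t)
	defer th.TearDown()

	th.App.Srv().SetLicense(model.NewTestLicense("custom_permissions_schemes"))

	th.App.SetPhase2PermissionsMigrationStatus(true)

	// Basic test of creating a team scheme.
	scheme1 := &model.Scheme{
		DisplayName: model.NewId(),
		Name:        model.NewId(),
		Description: model.NewId(),
		Scope:       model.SchemeScopeTeam,
	}

	s1, _, err := th.SystemAdminClient.CreateScheme(scheme1)
	require.NoError(t, err)

	assert.Equal(t, s1.DisplayName, scheme1.DisplayName)
	assert.Equal(t, s1.Name, scheme1.Name)
	assert.Equal(t, s1.Description, scheme1.Description)
	assert.NotZero(t, s1.CreateAt)
	assert.Equal(t, s1.CreateAt, s1.UpdateAt)
	assert.Zero(t, s1.DeleteAt)
	assert.Equal(t, s1.Scope, scheme1.Scope)
	assert.NotZero(t, len(s1.DefaultTeamAdminRole))
	assert.NotZero(t, len(s1.DefaultTeamUserRole))
	assert.NotZero(t, len(s1.DefaultTeamGuestRole))
	assert.NotZero(t, len(s1.DefaultChannelAdminRole))
	assert.NotZero(t, len(s1.DefaultChannelUserRole))
	assert.NotZero(t, len(s1.DefaultChannelGuestRole))

	// Check the default roles have been created. Each of the six role names
	// is looked up exactly once (the team guest role used to be fetched twice).
	for _, roleName := range []string{
		s1.DefaultTeamAdminRole,
		s1.DefaultTeamUserRole,
		s1.DefaultTeamGuestRole,
		s1.DefaultChannelAdminRole,
		s1.DefaultChannelUserRole,
		s1.DefaultChannelGuestRole,
	} {
		_, _, err = th.SystemAdminClient.GetRoleByName(roleName)
		require.NoError(t, err, roleName)
	}

	// Basic Test of a Channel scheme.
	scheme2 := &model.Scheme{
		DisplayName: model.NewId(),
		Name:        model.NewId(),
		Description: model.NewId(),
		Scope:       model.SchemeScopeChannel,
	}

	s2, _, err := th.SystemAdminClient.CreateScheme(scheme2)
	require.NoError(t, err)

	assert.Equal(t, s2.DisplayName, scheme2.DisplayName)
	assert.Equal(t, s2.Name, scheme2.Name)
	assert.Equal(t, s2.Description, scheme2.Description)
	assert.NotZero(t, s2.CreateAt)
	assert.Equal(t, s2.CreateAt, s2.UpdateAt)
	assert.Zero(t, s2.DeleteAt)
	assert.Equal(t, s2.Scope, scheme2.Scope)
	// A channel-scoped scheme carries no team-level default roles.
	assert.Zero(t, len(s2.DefaultTeamAdminRole))
	assert.Zero(t, len(s2.DefaultTeamUserRole))
	assert.Zero(t, len(s2.DefaultTeamGuestRole))
	assert.NotZero(t, len(s2.DefaultChannelAdminRole))
	assert.NotZero(t, len(s2.DefaultChannelUserRole))
	assert.NotZero(t, len(s2.DefaultChannelGuestRole))

	// Check the default roles have been created.
	for _, roleName := range []string{
		s2.DefaultChannelAdminRole,
		s2.DefaultChannelUserRole,
		s2.DefaultChannelGuestRole,
	} {
		_, _, err = th.SystemAdminClient.GetRoleByName(roleName)
		require.NoError(t, err, roleName)
	}

	// Try and create a scheme with an invalid scope.
	scheme3 := &model.Scheme{
		DisplayName: model.NewId(),
		Name:        model.NewId(),
		Description: model.NewId(),
		Scope:       model.NewId(),
	}

	_, r3, err := th.SystemAdminClient.CreateScheme(scheme3)
	require.Error(t, err)
	CheckBadRequestStatus(t, r3)

	// Try and create a scheme with an invalid display name. Every other field
	// is kept well-formed so the 400 can only come from the display name; the
	// previous version also sent a random Scope and the name "Name", either of
	// which could have caused the rejection on its own.
	// NOTE(review): confirm the display-name length limit in model.Scheme validation.
	scheme4 := &model.Scheme{
		DisplayName: strings.Repeat(model.NewId(), 100),
		Name:        model.NewId(),
		Description: model.NewId(),
		Scope:       model.SchemeScopeTeam,
	}
	_, r4, err := th.SystemAdminClient.CreateScheme(scheme4)
	require.Error(t, err)
	CheckBadRequestStatus(t, r4)

	// Try and create a scheme with an invalid name. As above, the scope is
	// valid so the over-long name is the only reason to reject the request.
	scheme8 := &model.Scheme{
		DisplayName: "DisplayName",
		Name:        strings.Repeat(model.NewId(), 100),
		Description: model.NewId(),
		Scope:       model.SchemeScopeTeam,
	}
	_, r8, err := th.SystemAdminClient.CreateScheme(scheme8)
	require.Error(t, err)
	CheckBadRequestStatus(t, r8)

	// Try and create a scheme without the appropriate permissions.
	scheme5 := &model.Scheme{
		DisplayName: model.NewId(),
		Name:        model.NewId(),
		Description: model.NewId(),
		Scope:       model.SchemeScopeTeam,
	}
	_, r5, err := th.Client.CreateScheme(scheme5)
	require.Error(t, err)
	CheckForbiddenStatus(t, r5)

	// Try and create a scheme without a license.
	th.App.Srv().SetLicense(nil)
	scheme6 := &model.Scheme{
		DisplayName: model.NewId(),
		Name:        model.NewId(),
		Description: model.NewId(),
		Scope:       model.SchemeScopeTeam,
	}
	_, r6, err := th.SystemAdminClient.CreateScheme(scheme6)
	require.Error(t, err)
	CheckNotImplementedStatus(t, r6)

	// With the license restored but the phase 2 permissions migration marked
	// as not done, the endpoint must still answer "not implemented".
	th.App.SetPhase2PermissionsMigrationStatus(false)

	th.LoginSystemAdmin()
	th.App.Srv().SetLicense(model.NewTestLicense("custom_permissions_schemes"))

	scheme7 := &model.Scheme{
		DisplayName: model.NewId(),
		Name:        model.NewId(),
		Description: model.NewId(),
		Scope:       model.SchemeScopeTeam,
	}
	_, r7, err := th.SystemAdminClient.CreateScheme(scheme7)
	require.Error(t, err)
	CheckNotImplementedStatus(t, r7)
}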
167
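// TestGetScheme checks fetching a single scheme by ID: the round trip after
// creation, unknown and malformed IDs, and the responses for a logged-out
// client, an unlicensed server, a client without permission and an
// unmigrated server.
func TestGetScheme(t *testing.T) {
	th := Setup(t).InitBasic()
	defer th.TearDown()

	th.App.Srv().SetLicense(model.NewTestLicense("custom_permissions_schemes"))

	// Basic test of creating a team scheme.
	scheme1 := &model.Scheme{
		DisplayName: model.NewId(),
		Name:        model.NewId(),
		Description: model.NewId(),
		Scope:       model.SchemeScopeTeam,
	}

	th.App.SetPhase2PermissionsMigrationStatus(true)

	s1, _, err := th.SystemAdminClient.CreateScheme(scheme1)
	require.NoError(t, err)

	assert.Equal(t, s1.DisplayName, scheme1.DisplayName)
	assert.Equal(t, s1.Name, scheme1.Name)
	assert.Equal(t, s1.Description, scheme1.Description)
	assert.NotZero(t, s1.CreateAt)
	assert.Equal(t, s1.CreateAt, s1.UpdateAt)
	assert.Zero(t, s1.DeleteAt)
	assert.Equal(t, s1.Scope, scheme1.Scope)
	assert.NotZero(t, len(s1.DefaultTeamAdminRole))
	assert.NotZero(t, len(s1.DefaultTeamUserRole))
	assert.NotZero(t, len(s1.DefaultTeamGuestRole))
	assert.NotZero(t, len(s1.DefaultChannelAdminRole))
	assert.NotZero(t, len(s1.DefaultChannelUserRole))
	assert.NotZero(t, len(s1.DefaultChannelGuestRole))

	// The stored scheme must match what the create call returned.
	s2, _, err := th.SystemAdminClient.GetScheme(s1.Id)
	require.NoError(t, err)

	assert.Equal(t, s1, s2)

	// A freshly generated ID that was never stored.
	_, r3, err := th.SystemAdminClient.GetScheme(model.NewId())
	require.Error(t, err)
	CheckNotFoundStatus(t, r3)

	// A malformed ID.
	_, r4, err := th.SystemAdminClient.GetScheme("12345")
	require.Error(t, err)
	CheckBadRequestStatus(t, r4)

	// After logout the request must be refused as unauthenticated. The logout
	// result is checked so the 401 below cannot be explained by a stale session.
	_, err = th.SystemAdminClient.Logout()
	require.NoError(t, err)
	_, r5, err := th.SystemAdminClient.GetScheme(s1.Id)
	require.Error(t, err)
	CheckUnauthorizedStatus(t, r5)

	// Log back in; with the license removed the admin can still read the scheme.
	_, _, err = th.SystemAdminClient.Login(th.SystemAdminUser.Username, th.SystemAdminUser.Password)
	require.NoError(t, err)
	th.App.Srv().SetLicense(nil)
	_, _, err = th.SystemAdminClient.GetScheme(s1.Id)
	require.NoError(t, err)

	// th.Client is expected to be forbidden from reading the scheme.
	_, r7, err := th.Client.GetScheme(s1.Id)
	require.Error(t, err)
	CheckForbiddenStatus(t, r7)

	// With the phase 2 migration flagged as not done the endpoint is unavailable.
	th.App.SetPhase2PermissionsMigrationStatus(false)

	_, r8, err := th.SystemAdminClient.GetScheme(s1.Id)
	require.Error(t, err)
	CheckNotImplementedStatus(t, r8)
}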
230
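// TestGetSchemes checks listing schemes with and without a scope filter, and
// the responses for an invalid scope, a logged-out client, a client without
// permission and an unmigrated server.
func TestGetSchemes(t *testing.T) {
	th := Setup(t).InitBasic()
	defer th.TearDown()

	th.App.Srv().SetLicense(model.NewTestLicense("custom_permissions_schemes"))

	scheme1 := &model.Scheme{
		DisplayName: model.NewId(),
		Name:        model.NewId(),
		Description: model.NewId(),
		Scope:       model.SchemeScopeTeam,
	}

	scheme2 := &model.Scheme{
		DisplayName: model.NewId(),
		Name:        model.NewId(),
		Description: model.NewId(),
		Scope:       model.SchemeScopeChannel,
	}

	th.App.SetPhase2PermissionsMigrationStatus(true)

	_, _, err := th.SystemAdminClient.CreateScheme(scheme1)
	require.NoError(t, err)
	_, _, err = th.SystemAdminClient.CreateScheme(scheme2)
	require.NoError(t, err)

	l3, _, err := th.SystemAdminClient.GetSchemes("", 0, 100)
	require.NoError(t, err)

	assert.NotZero(t, len(l3))

	l4, _, err := th.SystemAdminClient.GetSchemes("team", 0, 100)
	require.NoError(t, err)

	// A team scheme was created above, so an empty page would mean the filter
	// dropped everything; without this check the loop below passes vacuously.
	assert.NotEmpty(t, l4)
	for _, s := range l4 {
		assert.Equal(t, "team", s.Scope)
	}

	l5, _, err := th.SystemAdminClient.GetSchemes("channel", 0, 100)
	require.NoError(t, err)

	// Same reasoning for the channel scheme created above.
	assert.NotEmpty(t, l5)
	for _, s := range l5 {
		assert.Equal(t, "channel", s.Scope)
	}

	// An unknown scope value is rejected rather than treated as "no filter".
	_, r6, err := th.SystemAdminClient.GetSchemes("asdf", 0, 100)
	require.Error(t, err)
	CheckBadRequestStatus(t, r6)

	// Logged out: unauthenticated.
	_, err = th.Client.Logout()
	require.NoError(t, err)
	_, r7, err := th.Client.GetSchemes("", 0, 100)
	require.Error(t, err)
	CheckUnauthorizedStatus(t, r7)

	// Logged in as the basic user: authenticated but forbidden.
	_, _, err = th.Client.Login(th.BasicUser.Username, th.BasicUser.Password)
	require.NoError(t, err)
	_, r8, err := th.Client.GetSchemes("", 0, 100)
	require.Error(t, err)
	CheckForbiddenStatus(t, r8)

	th.App.SetPhase2PermissionsMigrationStatus(false)

	_, r9, err := th.SystemAdminClient.GetSchemes("", 0, 100)
	require.Error(t, err)
	CheckNotImplementedStatus(t, r9)
}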
294
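// TestGetTeamsForScheme checks listing the teams attached to a team scheme,
// including paging, and the error responses for unknown or empty scheme IDs,
// a logged-out client, a client without permission, a channel-scoped scheme
// and an unmigrated server.
func TestGetTeamsForScheme(t *testing.T) {
	th := Setup(t).InitBasic()
	defer th.TearDown()

	th.App.Srv().SetLicense(model.NewTestLicense("custom_permissions_schemes"))

	th.App.SetPhase2PermissionsMigrationStatus(true)

	scheme1 := &model.Scheme{
		DisplayName: model.NewId(),
		Name:        model.NewId(),
		Description: model.NewId(),
		Scope:       model.SchemeScopeTeam,
	}
	scheme1, _, err := th.SystemAdminClient.CreateScheme(scheme1)
	require.NoError(t, err)

	team1 := &model.Team{
		Name:        GenerateTestUsername(),
		DisplayName: "A Test Team",
		Type:        model.TeamOpen,
	}

	team1, err = th.App.Srv().Store.Team().Save(team1)
	require.NoError(t, err)

	// No team references the scheme yet.
	l2, _, err := th.SystemAdminClient.GetTeamsForScheme(scheme1.Id, 0, 100)
	require.NoError(t, err)
	assert.Zero(t, len(l2))

	team1.SchemeId = &scheme1.Id
	team1, err = th.App.Srv().Store.Team().Update(team1)
	// require, not assert: team1 is dereferenced below and would be unusable
	// if the update failed.
	require.NoError(t, err)

	l3, _, err := th.SystemAdminClient.GetTeamsForScheme(scheme1.Id, 0, 100)
	require.NoError(t, err)
	// require.Len stops the test before the index expressions can panic.
	require.Len(t, l3, 1)
	assert.Equal(t, team1.Id, l3[0].Id)

	team2 := &model.Team{
		Name:        GenerateTestUsername(),
		DisplayName: "B Test Team",
		Type:        model.TeamOpen,
		SchemeId:    &scheme1.Id,
	}
	team2, err = th.App.Srv().Store.Team().Save(team2)
	require.NoError(t, err)

	// The assertions expect team1 ("A Test Team") before team2 ("B Test Team").
	l4, _, err := th.SystemAdminClient.GetTeamsForScheme(scheme1.Id, 0, 100)
	require.NoError(t, err)
	require.Len(t, l4, 2)
	assert.Equal(t, team1.Id, l4[0].Id)
	assert.Equal(t, team2.Id, l4[1].Id)

	// Second page with a page size of one holds only team2.
	l5, _, err := th.SystemAdminClient.GetTeamsForScheme(scheme1.Id, 1, 1)
	require.NoError(t, err)
	require.Len(t, l5, 1)
	assert.Equal(t, team2.Id, l5[0].Id)

	// Check various error cases.
	_, ri1, err := th.SystemAdminClient.GetTeamsForScheme(model.NewId(), 0, 100)
	require.Error(t, err)
	CheckNotFoundStatus(t, ri1)

	_, ri2, err := th.SystemAdminClient.GetTeamsForScheme("", 0, 100)
	require.Error(t, err)
	CheckBadRequestStatus(t, ri2)

	// Logged out: unauthenticated.
	_, err = th.Client.Logout()
	require.NoError(t, err)
	_, ri3, err := th.Client.GetTeamsForScheme(model.NewId(), 0, 100)
	require.Error(t, err)
	CheckUnauthorizedStatus(t, ri3)

	// Logged in as the basic user: forbidden, even for an ID that does not exist.
	_, _, err = th.Client.Login(th.BasicUser.Username, th.BasicUser.Password)
	require.NoError(t, err)
	_, ri4, err := th.Client.GetTeamsForScheme(model.NewId(), 0, 100)
	require.Error(t, err)
	CheckForbiddenStatus(t, ri4)

	// Asking for the teams of a channel-scoped scheme is a bad request.
	scheme2 := &model.Scheme{
		DisplayName: model.NewId(),
		Name:        model.NewId(),
		Description: model.NewId(),
		Scope:       model.SchemeScopeChannel,
	}
	scheme2, _, err = th.SystemAdminClient.CreateScheme(scheme2)
	require.NoError(t, err)

	_, ri5, err := th.SystemAdminClient.GetTeamsForScheme(scheme2.Id, 0, 100)
	require.Error(t, err)
	CheckBadRequestStatus(t, ri5)

	th.App.SetPhase2PermissionsMigrationStatus(false)

	_, ri6, err := th.SystemAdminClient.GetTeamsForScheme(scheme1.Id, 0, 100)
	require.Error(t, err)
	CheckNotImplementedStatus(t, ri6)
}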
387
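// TestGetChannelsForScheme checks listing the channels attached to a channel
// scheme, including paging, and the error responses for unknown or empty
// scheme IDs, a logged-out client, a client without permission, a team-scoped
// scheme and an unmigrated server.
func TestGetChannelsForScheme(t *testing.T) {
	th := Setup(t).InitBasic()
	defer th.TearDown()

	th.App.Srv().SetLicense(model.NewTestLicense("custom_permissions_schemes"))

	th.App.SetPhase2PermissionsMigrationStatus(true)

	scheme1 := &model.Scheme{
		DisplayName: model.NewId(),
		Name:        model.NewId(),
		Description: model.NewId(),
		Scope:       model.SchemeScopeChannel,
	}
	scheme1, _, err := th.SystemAdminClient.CreateScheme(scheme1)
	require.NoError(t, err)

	channel1 := &model.Channel{
		TeamId:      model.NewId(),
		DisplayName: "A Name",
		Name:        model.NewId(),
		Type:        model.ChannelTypeOpen,
	}

	channel1, err = th.App.Srv().Store.Channel().Save(channel1, 1000000)
	// require, not assert: channel1 is dereferenced right below.
	require.NoError(t, err)

	// No channel references the scheme yet.
	l2, _, err := th.SystemAdminClient.GetChannelsForScheme(scheme1.Id, 0, 100)
	require.NoError(t, err)
	assert.Zero(t, len(l2))

	channel1.SchemeId = &scheme1.Id
	channel1, err = th.App.Srv().Store.Channel().Update(channel1)
	require.NoError(t, err)

	l3, _, err := th.SystemAdminClient.GetChannelsForScheme(scheme1.Id, 0, 100)
	require.NoError(t, err)
	// require.Len stops the test before the index expressions can panic.
	require.Len(t, l3, 1)
	assert.Equal(t, channel1.Id, l3[0].Id)

	channel2 := &model.Channel{
		TeamId:      model.NewId(),
		DisplayName: "B Name",
		Name:        model.NewId(),
		Type:        model.ChannelTypeOpen,
		SchemeId:    &scheme1.Id,
	}
	channel2, err = th.App.Srv().Store.Channel().Save(channel2, 1000000)
	require.NoError(t, err)

	// The assertions expect channel1 ("A Name") before channel2 ("B Name").
	l4, _, err := th.SystemAdminClient.GetChannelsForScheme(scheme1.Id, 0, 100)
	require.NoError(t, err)
	require.Len(t, l4, 2)
	assert.Equal(t, channel1.Id, l4[0].Id)
	assert.Equal(t, channel2.Id, l4[1].Id)

	// Second page with a page size of one holds only channel2.
	l5, _, err := th.SystemAdminClient.GetChannelsForScheme(scheme1.Id, 1, 1)
	require.NoError(t, err)
	require.Len(t, l5, 1)
	assert.Equal(t, channel2.Id, l5[0].Id)

	// Check various error cases.
	_, ri1, err := th.SystemAdminClient.GetChannelsForScheme(model.NewId(), 0, 100)
	require.Error(t, err)
	CheckNotFoundStatus(t, ri1)

	_, ri2, err := th.SystemAdminClient.GetChannelsForScheme("", 0, 100)
	require.Error(t, err)
	CheckBadRequestStatus(t, ri2)

	// Logged out: unauthenticated.
	_, err = th.Client.Logout()
	require.NoError(t, err)
	_, ri3, err := th.Client.GetChannelsForScheme(model.NewId(), 0, 100)
	require.Error(t, err)
	CheckUnauthorizedStatus(t, ri3)

	// Logged in as the basic user: forbidden, even for an ID that does not exist.
	_, _, err = th.Client.Login(th.BasicUser.Username, th.BasicUser.Password)
	require.NoError(t, err)
	_, ri4, err := th.Client.GetChannelsForScheme(model.NewId(), 0, 100)
	require.Error(t, err)
	CheckForbiddenStatus(t, ri4)

	// Asking for the channels of a team-scoped scheme is a bad request.
	scheme2 := &model.Scheme{
		DisplayName: model.NewId(),
		Name:        model.NewId(),
		Description: model.NewId(),
		Scope:       model.SchemeScopeTeam,
	}
	scheme2, _, err = th.SystemAdminClient.CreateScheme(scheme2)
	require.NoError(t, err)

	_, ri5, err := th.SystemAdminClient.GetChannelsForScheme(scheme2.Id, 0, 100)
	require.Error(t, err)
	CheckBadRequestStatus(t, ri5)

	th.App.SetPhase2PermissionsMigrationStatus(false)

	_, ri6, err := th.SystemAdminClient.GetChannelsForScheme(scheme1.Id, 0, 100)
	require.Error(t, err)
	CheckNotImplementedStatus(t, ri6)
}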
482
// TestPatchScheme creates a team scheme and then patches it: a full patch, a
// partial patch that leaves the description untouched, and the rejected cases
// (over-long name, unknown ID, malformed ID, missing permission, missing
// license, migration not done).
func TestPatchScheme(t *testing.T) {
	th := Setup(t)
	defer th.TearDown()

	th.App.Srv().SetLicense(model.NewTestLicense("custom_permissions_schemes"))
	th.App.SetPhase2PermissionsMigrationStatus(true)

	// Create the team scheme that every later step operates on.
	input := &model.Scheme{
		DisplayName: model.NewId(),
		Name:        model.NewId(),
		Description: model.NewId(),
		Scope:       model.SchemeScopeTeam,
	}

	created, _, err := th.SystemAdminClient.CreateScheme(input)
	require.NoError(t, err)

	assert.Equal(t, created.DisplayName, input.DisplayName)
	assert.Equal(t, created.Name, input.Name)
	assert.Equal(t, created.Description, input.Description)
	assert.NotZero(t, created.CreateAt)
	assert.Equal(t, created.CreateAt, created.UpdateAt)
	assert.Zero(t, created.DeleteAt)
	assert.Equal(t, created.Scope, input.Scope)
	// A team scheme comes back with all six default role names filled in.
	for _, roleName := range []string{
		created.DefaultTeamAdminRole,
		created.DefaultTeamUserRole,
		created.DefaultTeamGuestRole,
		created.DefaultChannelAdminRole,
		created.DefaultChannelUserRole,
		created.DefaultChannelGuestRole,
	} {
		assert.NotZero(t, len(roleName))
	}

	fetched, _, err := th.SystemAdminClient.GetScheme(created.Id)
	require.NoError(t, err)

	assert.Equal(t, created, fetched)

	// Full patch: the patch fields point at these locals, so reassigning a
	// local later changes what the next patch request carries.
	displayName := model.NewId()
	name := model.NewId()
	description := model.NewId()
	patch := &model.SchemePatch{
		DisplayName: &displayName,
		Name:        &name,
		Description: &description,
	}

	afterFull, _, err := th.SystemAdminClient.PatchScheme(fetched.Id, patch)
	require.NoError(t, err)
	assert.Equal(t, afterFull.Id, fetched.Id)
	assert.Equal(t, afterFull.DisplayName, *patch.DisplayName)
	assert.Equal(t, afterFull.Name, *patch.Name)
	assert.Equal(t, afterFull.Description, *patch.Description)

	storedFull, _, err := th.SystemAdminClient.GetScheme(afterFull.Id)
	require.NoError(t, err)
	assert.Equal(t, afterFull, storedFull)

	// Partial patch: a nil description must leave the stored one unchanged.
	name = model.NewId()
	displayName = model.NewId()
	patch.Description = nil

	afterPartial, _, err := th.SystemAdminClient.PatchScheme(storedFull.Id, patch)
	require.NoError(t, err)
	assert.Equal(t, afterPartial.Id, storedFull.Id)
	assert.Equal(t, afterPartial.DisplayName, *patch.DisplayName)
	assert.Equal(t, afterPartial.Name, *patch.Name)
	assert.Equal(t, afterPartial.Description, storedFull.Description)

	storedPartial, _, err := th.SystemAdminClient.GetScheme(afterPartial.Id)
	require.NoError(t, err)
	assert.Equal(t, afterPartial, storedPartial)

	// Invalid patch: an over-long name.
	name = strings.Repeat(model.NewId(), 20)
	_, respInvalid, _ := th.SystemAdminClient.PatchScheme(storedPartial.Id, patch)
	CheckBadRequestStatus(t, respInvalid)

	// Unknown ID, with the name restored to a fresh generated value.
	name = model.NewId()
	_, respUnknown, _ := th.SystemAdminClient.PatchScheme(model.NewId(), patch)
	CheckNotFoundStatus(t, respUnknown)

	// Malformed ID.
	_, respMalformed, _ := th.SystemAdminClient.PatchScheme("12345", patch)
	CheckBadRequestStatus(t, respMalformed)

	// A client without the required permission is forbidden.
	_, respForbidden, err := th.Client.PatchScheme(storedPartial.Id, patch)
	require.Error(t, err)
	CheckForbiddenStatus(t, respForbidden)

	// No license.
	th.App.Srv().SetLicense(nil)
	_, respNoLicense, _ := th.SystemAdminClient.PatchScheme(storedPartial.Id, patch)
	CheckNotImplementedStatus(t, respNoLicense)

	// License restored, but the phase 2 migration is flagged as not done.
	th.App.SetPhase2PermissionsMigrationStatus(false)

	th.LoginSystemAdmin()
	th.App.Srv().SetLicense(model.NewTestLicense("custom_permissions_schemes"))

	_, respNoMigration, _ := th.SystemAdminClient.PatchScheme(storedPartial.Id, patch)
	CheckNotImplementedStatus(t, respNoMigration)
}
590
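// TestDeleteScheme checks deleting team and channel schemes: the scheme's
// default roles are marked deleted, a team or channel that used the scheme
// ends up with an empty scheme ID, and invalid, unauthorized, unlicensed and
// unmigrated requests are rejected. The subtests share one test helper and
// each sets the license and migration state it needs.
func TestDeleteScheme(t *testing.T) {
	th := Setup(t)
	defer th.TearDown()

	t.Run("ValidTeamScheme", func(t *testing.T) {
		th.App.Srv().SetLicense(model.NewTestLicense("custom_permissions_schemes"))

		th.App.SetPhase2PermissionsMigrationStatus(true)

		// Create a team scheme.
		scheme1 := &model.Scheme{
			DisplayName: model.NewId(),
			Name:        model.NewId(),
			Description: model.NewId(),
			Scope:       model.SchemeScopeTeam,
		}

		s1, _, err := th.SystemAdminClient.CreateScheme(scheme1)
		require.NoError(t, err)

		roleNames := []string{
			s1.DefaultTeamAdminRole,
			s1.DefaultTeamUserRole,
			s1.DefaultChannelAdminRole,
			s1.DefaultChannelUserRole,
			s1.DefaultTeamGuestRole,
			s1.DefaultChannelGuestRole,
		}

		// Retrieve the roles and check they are not deleted.
		for _, roleName := range roleNames {
			role, _, roleErr := th.SystemAdminClient.GetRoleByName(roleName)
			require.NoError(t, roleErr, roleName)
			assert.Zero(t, role.DeleteAt, roleName)
		}

		// Make sure this scheme is in use by a team.
		team, err := th.App.Srv().Store.Team().Save(&model.Team{
			Name:        "zz" + model.NewId(),
			DisplayName: model.NewId(),
			Email:       model.NewId() + "@nowhere.com",
			Type:        model.TeamOpen,
			SchemeId:    &s1.Id,
		})
		require.NoError(t, err)

		// Delete the Scheme.
		_, err = th.SystemAdminClient.DeleteScheme(s1.Id)
		require.NoError(t, err)

		// Check the roles were deleted: they can still be fetched by name but
		// now carry a non-zero DeleteAt.
		for _, roleName := range roleNames {
			role, _, roleErr := th.SystemAdminClient.GetRoleByName(roleName)
			require.NoError(t, roleErr, roleName)
			assert.NotZero(t, role.DeleteAt, roleName)
		}

		// Check the team now uses the default scheme
		c2, _, err := th.SystemAdminClient.GetTeam(team.Id, "")
		require.NoError(t, err)
		// Guard the dereference so a nil SchemeId fails the test instead of panicking.
		require.NotNil(t, c2.SchemeId)
		assert.Equal(t, "", *c2.SchemeId)
	})

	t.Run("ValidChannelScheme", func(t *testing.T) {
		th.App.Srv().SetLicense(model.NewTestLicense("custom_permissions_schemes"))

		th.App.SetPhase2PermissionsMigrationStatus(true)

		// Create a channel scheme.
		scheme1 := &model.Scheme{
			DisplayName: model.NewId(),
			Name:        model.NewId(),
			Description: model.NewId(),
			Scope:       model.SchemeScopeChannel,
		}

		s1, _, err := th.SystemAdminClient.CreateScheme(scheme1)
		require.NoError(t, err)

		roleNames := []string{
			s1.DefaultChannelAdminRole,
			s1.DefaultChannelUserRole,
			s1.DefaultChannelGuestRole,
		}

		// Retrieve the roles and check they are not deleted.
		for _, roleName := range roleNames {
			role, _, roleErr := th.SystemAdminClient.GetRoleByName(roleName)
			require.NoError(t, roleErr, roleName)
			assert.Zero(t, role.DeleteAt, roleName)
		}

		// Make sure this scheme is in use by a channel.
		channel, err := th.App.Srv().Store.Channel().Save(&model.Channel{
			TeamId:      model.NewId(),
			DisplayName: model.NewId(),
			Name:        model.NewId(),
			Type:        model.ChannelTypeOpen,
			SchemeId:    &s1.Id,
		}, -1)
		// require, not assert: channel is dereferenced further down.
		require.NoError(t, err)

		// Delete the Scheme.
		_, err = th.SystemAdminClient.DeleteScheme(s1.Id)
		require.NoError(t, err)

		// Check the roles were deleted.
		for _, roleName := range roleNames {
			role, _, roleErr := th.SystemAdminClient.GetRoleByName(roleName)
			require.NoError(t, roleErr, roleName)
			assert.NotZero(t, role.DeleteAt, roleName)
		}

		// Check the channel now uses the default scheme
		c2, _, err := th.SystemAdminClient.GetChannelByName(channel.Name, channel.TeamId, "")
		require.NoError(t, err)
		// Guard the dereference so a nil SchemeId fails the test instead of panicking.
		require.NotNil(t, c2.SchemeId)
		assert.Equal(t, "", *c2.SchemeId)
	})

	t.Run("FailureCases", func(t *testing.T) {
		th.App.Srv().SetLicense(model.NewTestLicense("custom_permissions_schemes"))

		th.App.SetPhase2PermissionsMigrationStatus(true)

		scheme1 := &model.Scheme{
			DisplayName: model.NewId(),
			Name:        model.NewId(),
			Description: model.NewId(),
			Scope:       model.SchemeScopeChannel,
		}

		s1, _, err := th.SystemAdminClient.CreateScheme(scheme1)
		require.NoError(t, err)

		// Test with unknown ID.
		r2, err := th.SystemAdminClient.DeleteScheme(model.NewId())
		require.Error(t, err)
		CheckNotFoundStatus(t, r2)

		// Test with invalid ID.
		r3, err := th.SystemAdminClient.DeleteScheme("12345")
		require.Error(t, err)
		CheckBadRequestStatus(t, r3)

		// Test without required permissions.
		r4, err := th.Client.DeleteScheme(s1.Id)
		require.Error(t, err)
		CheckForbiddenStatus(t, r4)

		// Test without license.
		th.App.Srv().SetLicense(nil)
		r5, err := th.SystemAdminClient.DeleteScheme(s1.Id)
		require.Error(t, err)
		CheckNotImplementedStatus(t, r5)

		// License restored, but the phase 2 migration is flagged as not done.
		th.App.SetPhase2PermissionsMigrationStatus(false)

		th.App.Srv().SetLicense(model.NewTestLicense("custom_permissions_schemes"))

		r6, err := th.SystemAdminClient.DeleteScheme(s1.Id)
		require.Error(t, err)
		CheckNotImplementedStatus(t, r6)
	})
}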
778
// TestUpdateTeamSchemeWithTeamMembers verifies that assigning a scheme to a
// team takes effect for users who are already members: a member who could
// create a channel before the change is refused once the team uses a scheme
// whose team-user role has no permissions.
func TestUpdateTeamSchemeWithTeamMembers(t *testing.T) {
	th := Setup(t).InitBasic()
	defer th.TearDown()

	t.Run("Correctly invalidates team member cache", func(t *testing.T) {
		th.App.SetPhase2PermissionsMigrationStatus(true)

		// newOpenChannel builds an open channel in the given team with a
		// freshly generated name, so both create attempts use distinct names.
		newOpenChannel := func(teamID string) *model.Channel {
			return &model.Channel{
				DisplayName: "Test API Name",
				Name:        GenerateTestChannelName(),
				Type:        model.ChannelTypeOpen,
				TeamId:      teamID,
			}
		}

		targetTeam := th.CreateTeam()
		_, _, appErr := th.App.AddUserToTeam(th.Context, targetTeam.Id, th.BasicUser.Id, th.SystemAdminUser.Id)
		require.Nil(t, appErr)

		scheme := th.SetupTeamScheme()

		// Strip every permission from the scheme's team-user role.
		memberRole, appErr := th.App.GetRoleByName(context.Background(), scheme.DefaultTeamUserRole)
		require.Nil(t, appErr)
		memberRole.Permissions = []string{}
		_, appErr = th.App.UpdateRole(memberRole)
		require.Nil(t, appErr)

		th.LoginBasic()

		// Before the scheme is attached the member can still create a channel.
		_, _, err := th.Client.CreateChannel(newOpenChannel(targetTeam.Id))
		require.NoError(t, err)

		targetTeam.SchemeId = &scheme.Id
		targetTeam, appErr = th.App.UpdateTeamScheme(targetTeam)
		require.Nil(t, appErr)

		// After the scheme is attached the same request must fail; a success
		// here would mean the member's previous permissions were still in effect.
		_, _, err = th.Client.CreateChannel(newOpenChannel(targetTeam.Id))
		require.Error(t, err)
	})
}
811