Merge pull request #3730 from esl/domain-admin-tests

Domain admin tests
esl · Aug 12, 2022 · 79c8a87 · 79c8a87
2 parents b9b7836 + f3b74ef
commit 79c8a87
Show file tree

Hide file tree

Showing 5 changed files with 124 additions and 14 deletions.
diff --git a/big_tests/tests/domain_helper.erl b/big_tests/tests/domain_helper.erl
@@ -13,6 +13,7 @@
          host_type/1,
          domain_to_host_type/2,
          domain/0,
+         secondary_domain/0,
          domain/1,
          secondary_host_type/0,
          secondary_host_type/1]).
@@ -31,6 +32,9 @@ host_type() ->
 domain() ->
     domain(mim).
 
+secondary_domain() ->
+    get_or_fail({hosts, mim, secondary_domain}).
+
 host_type(NodeKey) ->
     get_or_fail({hosts, NodeKey, host_type}).
 

diff --git a/big_tests/tests/graphql_helper.erl b/big_tests/tests/graphql_helper.erl
@@ -29,6 +29,10 @@ execute_command(Category, Command, Args, Config) ->
     Protocol = ?config(protocol, Config),
     execute_command(Category, Command, Args, Config, Protocol).
 
+execute_domain_admin_command(Category, Command, Args, Config) ->
+    #{Category := #{Command := #{doc := Doc}}} = get_specs(),
+    execute_domain_auth(#{query => Doc, variables => Args}, Config).
+
 %% Admin commands can be executed as GraphQL over HTTP or with CLI (mongooseimctl)
 execute_command(Category, Command, Args, Config, http) ->
     #{Category := #{Command := #{doc := Doc}}} = get_specs(),
@@ -84,10 +88,14 @@ init_user(Config) ->
 
 init_domain_admin_handler(Config) ->
     Domain = domain_helper:domain(),
-    Password = base16:encode(crypto:strong_rand_bytes(8)),
-    Creds = {<<"admin@", Domain/binary>>, Password},
-    ok = domain_helper:set_domain_password(mim(), Domain, Password),
-    add_specs([{domain_admin, Creds}, {schema_endpoint, domain_admin} | Config]).
+    case mongoose_helper:is_rdbms_enabled(Domain) of
+        true ->
+            Password = base16:encode(crypto:strong_rand_bytes(8)),
+            Creds = {<<"admin@", Domain/binary>>, Password},
+            ok = domain_helper:set_domain_password(mim(), Domain, Password),
+            add_specs([{domain_admin, Creds}, {schema_endpoint, domain_admin} | Config]);
+        false -> {skip, require_rdbms}
+    end.
 
 add_specs(Config) ->
     EpName = ?config(schema_endpoint, Config),
@@ -116,6 +124,11 @@ get_err_code(Resp) ->
 get_err_msg(Resp) ->
     get_err_msg(1, Resp).
 
+get_unauthorized({Code, #{<<"errors">> := Errors}}) ->
+    [#{<<"extensions">> := #{<<"code">> := ErrorCode}}] = Errors,
+    assert_response_code(unauthorized, Code),
+    ?assertEqual(<<"no_permissions">>, ErrorCode).
+
 get_coercion_err_msg({Code, #{<<"errors">> := [Error]}}) ->
     assert_response_code(bad_request, Code),
     ?assertEqual(<<"input_coercion">>, get_value([extensions, code], Error)),
@@ -138,6 +151,7 @@ get_ok_value(Path, {Code, Data}) ->
     get_value(Path, Data).
 
 assert_response_code(bad_request, {<<"400">>, <<"Bad Request">>}) -> ok;
+assert_response_code(unauthorized, {<<"401">>, <<"Unauthorized">>}) -> ok;
 assert_response_code(error, {<<"200">>, <<"OK">>}) -> ok;
 assert_response_code(ok, {<<"200">>, <<"OK">>}) -> ok;
 assert_response_code(bad_request, {exit_status, 1}) -> ok;

diff --git a/big_tests/tests/graphql_roster_SUITE.erl b/big_tests/tests/graphql_roster_SUITE.erl
@@ -5,7 +5,8 @@
 -import(distributed_helper, [mim/0, require_rpc_nodes/1, rpc/4]).
 -import(graphql_helper, [execute_user_command/5, execute_command/4, get_listener_port/1,
                          get_listener_config/1, get_ok_value/2, get_err_value/2, get_err_msg/1,
-                         get_err_msg/2, user_to_jid/1, user_to_bin/1]).
+                         get_err_msg/2, user_to_jid/1, user_to_bin/1,
+                         execute_domain_admin_command/4, get_unauthorized/1]).
 
 -include_lib("eunit/include/eunit.hrl").
 -include_lib("../../include/mod_roster.hrl").
@@ -16,12 +17,14 @@ suite() ->
 all() ->
     [{group, user_roster},
      {group, admin_roster_http},
-     {group, admin_roster_cli}].
+     {group, admin_roster_cli},
+     {group, domain_admin_roster}].
 
 groups() ->
     [{user_roster, [], user_roster_tests()},
      {admin_roster_http, [], admin_roster_tests()},
-     {admin_roster_cli, [], admin_roster_tests()}].
+     {admin_roster_cli, [], admin_roster_tests()},
+     {domain_admin_roster, [], domain_admin_tests()}].
 
 user_roster_tests() ->
     [user_add_and_delete_contact,
@@ -61,6 +64,12 @@ admin_roster_tests() ->
      admin_get_contact_wrong_user
     ].
 
+domain_admin_tests() ->
+    [domain_admin_subscribe_to_all_no_permission,
+     domain_admin_subscribe_to_all,
+     domain_admin_subscribe_all_to_all_no_permission,
+     domain_admin_subscribe_all_to_all].
+
 init_per_suite(Config) ->
     Config1 = ejabberd_node_utils:init(mim(), Config),
     Config2 = escalus:init_per_suite(Config1),
@@ -74,6 +83,8 @@ init_per_group(admin_roster_http, Config) ->
     graphql_helper:init_admin_handler(Config);
 init_per_group(admin_roster_cli, Config) ->
     graphql_helper:init_admin_cli(Config);
+init_per_group(domain_admin_roster, Config) ->
+    graphql_helper:init_domain_admin_handler(Config);
 init_per_group(user_roster, Config) ->
     graphql_helper:init_user(Config).
 
@@ -486,6 +497,47 @@ user_get_nonexistent_contact_story(Config, Alice) ->
     Res = user_get_contact(Alice, ?NONEXISTENT_DOMAIN_USER, Config),
     ?assertNotEqual(nomatch, binary:match(get_err_msg(Res), <<"does not exist">>)).
 
+% Domain admin test cases
+
+domain_admin_subscribe_to_all_no_permission(Config) ->
+    escalus:fresh_story_with_config(Config, [{alice_bis, 1}],
+                                    fun domain_admin_subscribe_to_all_no_permission/2).
+
+domain_admin_subscribe_to_all_no_permission(Config, Alice) ->
+    get_unauthorized(domain_admin_subscribe_to_all(make_contact(Alice), [], Config)).
+
+domain_admin_subscribe_to_all(Config) ->
+    escalus:fresh_story_with_config(Config, [{alice, 1}, {bob, 1}, {kate, 1}],
+                                    fun domain_admin_subscribe_to_all_story/4).
+
+domain_admin_subscribe_to_all_story(Config, Alice, Bob, Kate) ->
+    Res = domain_admin_subscribe_to_all(make_contact(Alice), [Bob, Kate], Config),
+    check_if_created_succ(?SUBSCRIBE_TO_ALL_PATH, Res),
+
+    check_contacts([Bob, Kate], Alice),
+    check_contacts([Alice], Bob),
+    check_contacts([Alice], Kate).
+
+domain_admin_subscribe_all_to_all_no_permission(Config) ->
+    escalus:fresh_story_with_config(Config, [{alice_bis, 1}, {bob, 1}, {kate, 1}],
+        fun domain_admin_subscribe_all_to_all_no_permission/4).
+
+domain_admin_subscribe_all_to_all_no_permission(Config, Alice, Bob, Kate) ->
+    Res = domain_admin_subscribe_all_to_all(make_contacts([Alice, Bob, Kate]), Config),
+    get_unauthorized(Res).
+
+domain_admin_subscribe_all_to_all(Config) ->
+    escalus:fresh_story_with_config(Config, [{alice, 1}, {bob, 1}, {kate, 1}],
+                                    fun domain_admin_subscribe_all_to_all_story/4).
+
+domain_admin_subscribe_all_to_all_story(Config, Alice, Bob, Kate) ->
+    Res = domain_admin_subscribe_all_to_all(make_contacts([Alice, Bob, Kate]), Config),
+    check_if_created_succ(?SUBSCRIBE_ALL_TO_ALL_PATH, Res),
+
+    check_contacts([Bob, Kate], Alice),
+    check_contacts([Alice, Kate], Bob),
+    check_contacts([Alice, Bob], Kate).
+
 % Helpers
 
 admin_add_contact(User, Contact, Config) ->
@@ -570,10 +622,18 @@ admin_subscribe_to_all(User, Contacts, Config) ->
     Vars = #{user => make_contact(User), contacts => make_contacts(Contacts)},
     execute_command(<<"roster">>, <<"subscribeToAll">>, Vars, Config).
 
+domain_admin_subscribe_to_all(User, Contacts, Config) ->
+    Vars = #{user => User, contacts => make_contacts(Contacts)},
+    execute_domain_admin_command(<<"roster">>, <<"subscribeToAll">>, Vars, Config).
+
 admin_subscribe_all_to_all(Users, Config) ->
     Vars = #{contacts => make_contacts(Users)},
     execute_command(<<"roster">>, <<"subscribeAllToAll">>, Vars, Config).
 
+domain_admin_subscribe_all_to_all(Users, Config) ->
+    Vars = #{contacts => Users},
+    execute_domain_admin_command(<<"roster">>, <<"subscribeAllToAll">>, Vars, Config).
+
 admin_list_contacts(User, Config) ->
     Vars = #{user => user_to_bin(User)},
     execute_command(<<"roster">>, <<"listContacts">>, Vars, Config).

diff --git a/big_tests/tests/graphql_stats_SUITE.erl b/big_tests/tests/graphql_stats_SUITE.erl
@@ -3,8 +3,9 @@
 -compile([export_all, nowarn_export_all]).
 
 -import(distributed_helper, [mim/0, require_rpc_nodes/1]).
--import(domain_helper, [host_type/0, domain/0]).
--import(graphql_helper, [execute_command/4, get_ok_value/2]).
+-import(domain_helper, [host_type/0, domain/0, secondary_domain/0]).
+-import(graphql_helper, [execute_command/4, get_ok_value/2,
+                         execute_domain_admin_command/4, get_unauthorized/1]).
 -import(mongooseimctl_helper, [mongooseimctl/3, rpc_call/3]).
 
 -include_lib("eunit/include/eunit.hrl").
@@ -14,18 +15,25 @@ suite() ->
 
 all() ->
     [{group, admin_stats_http},
-     {group, admin_stats_cli}].
+     {group, admin_stats_cli},
+     {group, domain_admin_stats}].
 
 groups() ->
     [{admin_stats_http, [], admin_stats_tests()},
-     {admin_stats_cli, [], admin_stats_tests()}].
+     {admin_stats_cli, [], admin_stats_tests()},
+     {domain_admin_stats, [], domain_admin_tests()}].
 
 admin_stats_tests() ->
     [admin_stats_global_test,
      admin_stats_global_with_users_test,
      admin_stats_domain_test,
      admin_stats_domain_with_users_test].
 
+domain_admin_tests() ->
+    [domain_admin_stats_global_test,
+     domain_admin_stats_domain_test,
+     domain_admin_stats_domain_no_permission_test].
+
 init_per_suite(Config) ->
     Config1 = ejabberd_node_utils:init(mim(), Config),
     escalus:init_per_suite(Config1).
@@ -36,7 +44,9 @@ end_per_suite(Config) ->
 init_per_group(admin_stats_http, Config) ->
     graphql_helper:init_admin_handler(Config);
 init_per_group(admin_stats_cli, Config) ->
-    graphql_helper:init_admin_cli(Config).
+    graphql_helper:init_admin_cli(Config);
+init_per_group(domain_admin_stats, Config) ->
+    graphql_helper:init_domain_admin_handler(Config).
 
 end_per_group(_, _Config) ->
     graphql_helper:clean(),
@@ -93,15 +103,37 @@ admin_stats_domain_with_users_test(Config, _Alice) ->
     ?assertEqual(1, RegisteredUsers),
     ?assertEqual(1, OnlineUsers).
 
+% Domain admin test cases
+
+domain_admin_stats_global_test(Config) ->
+    get_unauthorized(domain_admin_get_stats(Config)).
+
+domain_admin_stats_domain_test(Config) ->
+    Result = get_ok_value([data, stat, domainStats],
+                          domain_admin_get_domain_stats(domain(), Config)),
+    #{<<"registeredUsers">> := RegisteredUsers, <<"onlineUsers">> := OnlineUsers} = Result,
+    ?assertEqual(0, RegisteredUsers),
+    ?assertEqual(0, OnlineUsers).
+
+domain_admin_stats_domain_no_permission_test(Config) ->
+    get_unauthorized(domain_admin_get_domain_stats(secondary_domain(), Config)).
+
 % Commands
 
 get_stats(Config) ->
     execute_command(<<"stat">>, <<"globalStats">>, #{}, Config).
 
+domain_admin_get_stats(Config) ->
+    execute_domain_admin_command(<<"stat">>, <<"globalStats">>, #{}, Config).
+
 get_domain_stats(Domain, Config) ->
     Vars = #{domain => Domain},
     execute_command(<<"stat">>, <<"domainStats">>, Vars, Config).
 
+domain_admin_get_domain_stats(Domain, Config) ->
+    Vars = #{domain => Domain},
+    execute_domain_admin_command(<<"stat">>, <<"domainStats">>, Vars, Config).
+
 % Helpers
 
 is_not_negative_integer(Number) when is_integer(Number), Number >= 0 ->

diff --git a/priv/graphql/schemas/admin/roster.gql b/priv/graphql/schemas/admin/roster.gql
@@ -22,7 +22,7 @@ type RosterAdminMutation @protected{
     @protected(type: DOMAIN, args: ["userA", "userB"])
   "Set mutual subscriptions between the user and each of the given contacts"
   subscribeToAll(user: ContactInput!, contacts: [ContactInput!]!): [String]!
-    @protected(type: DOMAIN, args: ["user"])
+    @protected(type: DOMAIN, args: ["user.jid"])
   "Set mutual subscriptions between all of the given contacts"
   subscribeAllToAll(contacts: [ContactInput!]): [String]!
     @protected(type: DOMAIN, args: ["contacts.jid"])
@@ -33,7 +33,7 @@ Allow admin to get information about user roster/contacts.
 """
 type RosterAdminQuery @protected{
   "Get the user's roster/contacts"
-  listContacts(user: JID!): [Contact!] 
+  listContacts(user: JID!): [Contact!]
     @protected(type: DOMAIN, args: ["user"])
   "Get the user's contact"
   getContact(user: JID!, contact: JID!): Contact