Override email privacy using notification service token (#252)

* if service ac then override privacy * use the same variable * add test * simple secrets for default SA
fabric8-services · Jan 9, 2018 · ffb7c61 · ffb7c61
1 parent cacddba
commit ffb7c61
Show file tree

Hide file tree

Showing 6 changed files with 78 additions and 14 deletions.
diff --git a/configuration/conf-files/service-account-secrets.conf b/configuration/conf-files/service-account-secrets.conf
@@ -13,17 +13,22 @@
         {
             "name":"fabric8-jenkins-idler",
             "id":"341c283f-0cd7-48a8-9281-4583aceb3617",
-            "secrets":["$2a$04$hbGHAVKohpeDgHzafnLwdO4ZzhEn9ukVP/6CaOtf5o3Btp.r6tXTG"]
+            "secrets":["$2a$10$GLPH8.d3V4vJ.M9l7BLmw.ExTyHJR.6J4W1B2rttQNr8xfzZC.eO."]
         },
         {
             "name":"fabric8-oso-proxy",
             "id":"96ee3f91-f980-429f-a4e8-060c3258031d",
-            "secrets":["$2a$04$hbGHAVKohpeDgHzafnLwdO4ZzhEn9ukVP/6CaOtf5o3Btp.r6tXTG"]
+            "secrets":["$2a$10$GLPH8.d3V4vJ.M9l7BLmw.ExTyHJR.6J4W1B2rttQNr8xfzZC.eO."]
         },
         {
             "name":"online-registration",
             "id":"f867ec72-3171-4b8f-8eec-90a32eab6e0b",
-            "secrets":["jIR5FpYq0QUUzMEKqiAIVloNBCL3v1nOPxq9Wm07vTsJhKGNBRWWsdknK4x4el3"]
+            "secrets":["$2a$10$GLPH8.d3V4vJ.M9l7BLmw.ExTyHJR.6J4W1B2rttQNr8xfzZC.eO."]
+        },
+        {
+            "name":"fabric8-notification",
+            "id":"4c34f6d4-f00b-487b-9a1f-e7d1adba6866",
+            "secrets":["$2a$10$GLPH8.d3V4vJ.M9l7BLmw.ExTyHJR.6J4W1B2rttQNr8xfzZC.eO."]
         }
     ]
 }
diff --git a/configuration/configuration.go b/configuration/configuration.go
@@ -326,6 +326,13 @@ func (c *ConfigurationData) DefaultConfigurationError() error {
 }
 
 // GetServiceAccounts returns a map of service account configurations by service account ID
+// Default Service Account names and secrets used in Dev mode:
+// "fabric8-wit" : "witsecret"
+// "fabric8-tenant : ["tenantsecretOld", "tenantsecretNew"]
+// "fabric8-jenkins-idler : "secret"
+// "fabric8-oso-proxy : "secret"
+// "online-registration : "secret"
+// "fabric8-notification : "secret"
 func (c *ConfigurationData) GetServiceAccounts() map[string]ServiceAccount {
 	return c.sa
 }

diff --git a/configuration/configuration_blackbox_test.go b/configuration/configuration_blackbox_test.go
@@ -373,16 +373,6 @@ func checkServiceAccountConfiguration(t *testing.T, accounts map[string]configur
 		ID:      "c211f1bd-17a7-4f8c-9f80-0917d167889d",
 		Name:    "fabric8-tenant",
 		Secrets: []string{"$2a$04$ynqM/syKMYowMIn5cyqHuevWnfzIQqtyY4m.61B02qltY5SOyGIOe", "$2a$04$sbC/AfW2c33hv8orGA.1D.LXa/.IY76VWhsfqxCVhrhFkDfL0/XGK"}})
-
-	checkServiceAccount(t, accounts, configuration.ServiceAccount{
-		ID:      "341c283f-0cd7-48a8-9281-4583aceb3617",
-		Name:    "fabric8-jenkins-idler",
-		Secrets: []string{"$2a$04$hbGHAVKohpeDgHzafnLwdO4ZzhEn9ukVP/6CaOtf5o3Btp.r6tXTG"}})
-
-	checkServiceAccount(t, accounts, configuration.ServiceAccount{
-		ID:      "f867ec72-3171-4b8f-8eec-90a32eab6e0b",
-		Name:    "online-registration",
-		Secrets: []string{"jIR5FpYq0QUUzMEKqiAIVloNBCL3v1nOPxq9Wm07vTsJhKGNBRWWsdknK4x4el3"}})
 }
 
 func checkServiceAccount(t *testing.T, accounts map[string]configuration.ServiceAccount, expected configuration.ServiceAccount) {

diff --git a/controller/users.go b/controller/users.go
@@ -67,6 +67,8 @@ func NewUsersController(service *goa.Service, db application.DB, config UsersCon
 
 // Show runs the show action.
 func (c *UsersController) Show(ctx *app.ShowUsersContext) error {
+	isServiceAccount := token.IsSpecificServiceAccount(ctx, "fabric8-notification")
+
 	return application.Transactional(c.db, func(appl application.Application) error {
 		identityID, err := uuid.FromString(ctx.ID)
 		if err != nil {
@@ -86,7 +88,7 @@ func (c *UsersController) Show(ctx *app.ShowUsersContext) error {
 			}
 		}
 		return ctx.ConditionalRequest(*user, c.config.GetCacheControlUser, func() error {
-			return ctx.OK(ConvertToAppUser(ctx.RequestData, user, identity, false))
+			return ctx.OK(ConvertToAppUser(ctx.RequestData, user, identity, isServiceAccount))
 		})
 	})
 }

diff --git a/controller/users_blackbox_test.go b/controller/users_blackbox_test.go
@@ -535,6 +535,60 @@ func (s *UsersControllerTestSuite) TestUpdateUser() {
 			assert.Equal(t, patchedContextInformation["count"], int(countValue))
 		})
 
+		t.Run("view hidden email address", func(t *testing.T) {
+			// given user1
+			user1 := s.createRandomUser("TestListUsersOK1")
+			identity, err := testsupport.CreateTestUser(s.DB, &user1)
+			require.NoError(s.T(), err)
+
+			secureService, secureController := s.SecuredController(identity)
+
+			// when
+			email := user1.Email
+
+			// by default, email is public.
+			_, result := test.ListUsersOK(s.T(), nil, nil, s.controller, &email, nil, nil, nil)
+			returnedUser := result.Data[0].Attributes
+			require.Equal(s.T(), email, *returnedUser.Email)
+			require.False(s.T(), *returnedUser.EmailPrivate)
+
+			// check for /api/users/<ID>
+			// should show public email when not made private.
+			_, singleResult := test.ShowUsersOK(s.T(), secureService.Context, secureService, s.controller, identity.ID.String(), nil, nil)
+			returnedUser = singleResult.Data.Attributes
+			require.Equal(s.T(), email, *returnedUser.Email)
+			require.False(s.T(), *returnedUser.EmailPrivate)
+
+			contextInformation := map[string]interface{}{
+				"last_visited": "yesterday",
+				"space":        "3d6dab8d-f204-42e8-ab29-cdb1c93130ad",
+				"rate":         100.00,
+				"count":        3,
+			}
+			updateUsersPayload := newUpdateUsersPayload(WithUpdatedContextInformation(contextInformation), WithUpdatedEmailPrivate(true))
+			test.UpdateUsersOK(s.T(), secureService.Context, secureService, secureController, updateUsersPayload)
+
+			// the /api/users/<ID> endpoint should hide out the email.
+			_, showUserResponse := test.ShowUsersOK(s.T(), secureService.Context, secureService, s.controller, identity.ID.String(), nil, nil)
+			require.NotEqual(s.T(), user1.Email, *showUserResponse.Data.Attributes.Email)
+			require.Equal(s.T(), "", *showUserResponse.Data.Attributes.Email)
+			require.True(s.T(), *showUserResponse.Data.Attributes.EmailPrivate)
+
+			// On using the notification service account token, email would magically show up.
+			secureService, secureController = s.SecuredServiceAccountController(testsupport.TestNotificationIdentity)
+			_, showUserResponse = test.ShowUsersOK(s.T(), secureService.Context, secureService, s.controller, identity.ID.String(), nil, nil)
+			require.Equal(s.T(), user1.Email, *showUserResponse.Data.Attributes.Email)
+			require.True(s.T(), *showUserResponse.Data.Attributes.EmailPrivate)
+
+			// On using the online-registration service account token, email would NOT show up.
+			secureService, secureController = s.SecuredServiceAccountController(testsupport.TestOnlineRegistrationAppIdentity)
+			_, showUserResponse = test.ShowUsersOK(s.T(), secureService.Context, secureService, s.controller, identity.ID.String(), nil, nil)
+			require.NotEqual(s.T(), user1.Email, *showUserResponse.Data.Attributes.Email)
+			require.Equal(s.T(), "", *showUserResponse.Data.Attributes.Email)
+			require.True(s.T(), *showUserResponse.Data.Attributes.EmailPrivate)
+
+		})
+
 		t.Run("hide email address", func(t *testing.T) {
 			// given user1
 			user1 := s.createRandomUser("TestListUsersOK1")

diff --git a/test/account.go b/test/account.go
@@ -63,6 +63,12 @@ var TestOnlineRegistrationAppIdentity = account.Identity{
 	User:     TestUser,
 }
 
+var TestNotificationIdentity = account.Identity{
+	ID:       uuid.NewV4(),
+	Username: "fabric8-notification",
+	User:     TestUser,
+}
+
 // CreateTestIdentity creates an identity with the given `username` in the database. For testing purpose only.
 func CreateTestIdentity(db *gorm.DB, username, providerType string) (account.Identity, error) {
 	testIdentity := account.Identity{