Commit 9937ee52 authored by Alexis POYEN's avatar Alexis POYEN

Feat : Admin role to manipulate users

Refactor : tests for access authorization are split
parent fe392b71
Pipeline #4793 failed with stages
in 1 minute and 7 seconds
......@@ -24,7 +24,7 @@
"id": 4,
"idOAuth": "",
"login": "admin",
"role": "ADMINS",
"role": "ADMIN",
"passwordHash": "$2a$10$PgiAoLxZhgNtr7kRK/DH5ezwT./7vRkWqFNEtJD1670z3Zf60HqgG"
},
{
......@@ -32,7 +32,7 @@
"idOAuth": "1",
"login": "ADMIN",
"displayName": "Ad MIN",
"role": "ADMINS"
"role": "ADMIN"
},
{
"id": 6,
......
......@@ -15,6 +15,18 @@ func (d *DataHandler) HandleBankAccounts(w http.ResponseWriter, r *http.Request)
case "GET":
switch auth.GetLoggedUserTechnical(w, r).Role {
case "ADMIN":
if id != 0 {
var o BankAccount
if err := d.db.Preload("Operations").First(&o, id).Error; err != nil {
http.Error(w, "id does not exist", http.StatusNotFound)
return
}
json.NewEncoder(w).Encode(o)
} else {
var o []BankAccount
d.db.Preload("Operations").Find(&o)
json.NewEncoder(w).Encode(o)
}
case "BANKER":
user := d.getLoggedUser(w, r).(UserBanker)
if id != 0 {
......@@ -55,6 +67,16 @@ func (d *DataHandler) HandleBankAccounts(w http.ResponseWriter, r *http.Request)
case "POST":
switch auth.GetLoggedUserTechnical(w, r).Role {
case "ADMIN":
var o BankAccount
err := json.NewDecoder(r.Body).Decode(&o)
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
}
if o.UserClientID != 0 {
d.db.Create(&o)
} else {
http.Error(w, "id of UserClient is missing", http.StatusNotFound)
}
case "BANKER":
user := d.getLoggedUser(w, r).(UserBanker)
var o BankAccount
......@@ -82,6 +104,16 @@ func (d *DataHandler) HandleBankAccounts(w http.ResponseWriter, r *http.Request)
case "DELETE":
switch auth.GetLoggedUserTechnical(w, r).Role {
case "ADMIN":
if id != 0 {
var o BankAccount
if err := d.db.First(&o, id).Error; err != nil {
http.Error(w, "id does not exist", http.StatusNotFound)
return
}
d.db.Delete(&o)
} else {
http.Error(w, "id is missing", http.StatusNotFound)
}
case "BANKER":
user := d.getLoggedUser(w, r).(UserBanker)
if id != 0 {
......@@ -90,20 +122,17 @@ func (d *DataHandler) HandleBankAccounts(w http.ResponseWriter, r *http.Request)
http.Error(w, "id does not exist", http.StatusNotFound)
return
}
if o.UserClientID != 0 {
var userClient UserClient
if err := d.db.Where("id = ? and user_banker_id = ?", o.UserClientID, user.ID).First(&userClient).Error; err != nil {
http.Error(w, "You can not access this ressource", http.StatusForbidden)
return
}
d.db.Delete(&o)
} else {
http.Error(w, "id of UserClient is missing", http.StatusNotFound)
var userClient UserClient
if err := d.db.Where("id = ? and user_banker_id = ?", o.UserClientID, user.ID).First(&userClient).Error; err != nil {
http.Error(w, "You can not access this ressource", http.StatusForbidden)
return
}
d.db.Delete(&o)
} else {
http.Error(w, "id is missing", http.StatusNotFound)
}
case "CLIENT":
http.Error(w, "You're not authorize to execute this method on this ressource.", http.StatusMethodNotAllowed)
default:
http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
}
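Review bot: In the ADMIN POST branch the decode failure `if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) }` does not `return`, so a malformed body falls through to the `o.UserClientID != 0` check on a zero-valued account and `http.Error` is called a second time on an already-written response (net/http logs a superfluous WriteHeader); add `return` after the error, and consider `http.StatusBadRequest` there and for `"id of UserClient is missing"`, which is a client error rather than a 404. Unlike the BANKER path, the ADMIN POST never verifies that `o.UserClientID` names an existing client, and since the body is decoded straight into `BankAccount` a caller-supplied `ID` presumably reaches `Create` as well — confirm that is intended. The ADMIN DELETE removes the account but leaves its `Operations` rows behind (the GET branch preloads them), so they become orphans with no owning account; deleting them alongside, or refusing while operations exist, would keep the two branches consistent. The enclosing function starts outside the first hunk.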
......
......@@ -10,12 +10,11 @@ import (
)
func (d *DataHandler) HandleBankers(w http.ResponseWriter, r *http.Request) {
id, _ := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/UserClients/"))
id, _ := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/UserBankers/"))
switch method := r.Method; method {
case "GET":
switch auth.GetLoggedUserTechnical(w, r).Role {
case "ADMIN":
case "BANKER":
if id != 0 {
var o UserBanker
if err := d.db.Preload("UserClients").Where("id = ?", id).First(&o).Error; err != nil {
......@@ -28,6 +27,22 @@ func (d *DataHandler) HandleBankers(w http.ResponseWriter, r *http.Request) {
d.db.Preload("UserClients").Find(&o)
json.NewEncoder(w).Encode(o)
}
case "BANKER":
user := d.getLoggedUser(w, r).(UserBanker)
if id != 0 {
var o UserBanker
if err := d.db.Preload("UserClients").Where("id = ?", id).First(&o).Error; err != nil {
http.Error(w, "id does not exist", http.StatusNotFound)
return
}
if o.ID != user.ID {
http.Error(w, "You can not access this ressource", http.StatusForbidden)
return
}
json.NewEncoder(w).Encode(o)
} else {
http.Error(w, "You can not access this ressource", http.StatusForbidden)
}
case "CLIENT":
user := d.getLoggedUser(w, r).(UserClient)
if id != 0 && int(user.ID) == id {
......@@ -51,31 +66,36 @@ func (d *DataHandler) HandleBankers(w http.ResponseWriter, r *http.Request) {
case "POST":
switch auth.GetLoggedUserTechnical(w, r).Role {
case "ADMIN":
case "BANKER":
case "CLIENT":
var o UserBanker
err := json.NewDecoder(r.Body).Decode(&o)
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
}
d.db.Create(&o)
case "BANKER", "CLIENT":
http.Error(w, "You're not authorize to execute this method on this ressource.", http.StatusMethodNotAllowed)
default:
http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
}
// var o UserBanker
// err := json.NewDecoder(r.Body).Decode(&o)
// if err != nil {
// http.Error(w, err.Error(), http.StatusInternalServerError)
// }
// d.db.Create(&o)
case "DELETE":
switch auth.GetLoggedUserTechnical(w, r).Role {
case "ADMIN":
case "BANKER":
case "CLIENT":
if id != 0 {
var o UserBanker
if err := d.db.First(&o, id).Error; err != nil {
http.Error(w, "id does not exist", http.StatusNotFound)
return
}
d.db.Delete(&o)
} else {
http.Error(w, "id is missing", http.StatusNotFound)
}
case "BANKER", "CLIENT":
http.Error(w, "You're not authorize to execute this method on this ressource.", http.StatusMethodNotAllowed)
default:
http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
}
// if id != 0 {
// var o UserClient
// d.db.Delete(&o)
// } else {
// http.Error(w, "id is missing", http.StatusNotFound)
// }
default:
http.Error(w, "method not allowed", 400)
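Review bot: The ADMIN DELETE branch deletes a `UserBanker` but does nothing about the `UserClient` rows whose `UserBankerID` points at it, whereas the ADMIN DELETE in `HandleClients` in this same commit cascades to the client's bank accounts; afterwards those clients and their accounts are unreachable through every BANKER-role check (which key on `user_banker_id`) and only an ADMIN can still see them. Either refuse the delete while `UserClients` is non-empty or reassign/delete them in the same step, ideally in one transaction if the ORM version supports it. The ADMIN POST branch is also missing a `return` after `http.Error(w, err.Error(), http.StatusInternalServerError)`, so a malformed body still reaches `d.db.Create(&o)` with a zero-valued banker. In the new BANKER GET branch the list request (`id == 0`) answers 403 while the same role gets a list filtered to its own clients from `HandleClients`; returning the caller's own record as a one-element list would be the consistent behaviour, but that is a design choice to confirm.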
......
......@@ -17,6 +17,18 @@ func (d *DataHandler) HandleClients(w http.ResponseWriter, r *http.Request) {
switch auth.GetLoggedUserTechnical(w, r).Role {
case "ADMIN":
if id != 0 {
var o UserClient
if err := d.db.Preload("BankAccounts").Where("id = ?", id).First(&o).Error; err != nil {
http.Error(w, "id does not exist", http.StatusNotFound)
return
}
json.NewEncoder(w).Encode(o)
} else {
var o []UserClient
d.db.Preload("BankAccounts").Find(&o)
json.NewEncoder(w).Encode(o)
}
case "BANKER":
user := d.getLoggedUser(w, r).(UserBanker)
if id != 0 {
......@@ -58,6 +70,12 @@ func (d *DataHandler) HandleClients(w http.ResponseWriter, r *http.Request) {
case "POST":
switch auth.GetLoggedUserTechnical(w, r).Role {
case "ADMIN":
var o UserClient
err := json.NewDecoder(r.Body).Decode(&o)
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
}
d.db.Create(&o)
case "BANKER":
user := d.getLoggedUser(w, r).(UserBanker)
var o UserClient
......@@ -75,6 +93,19 @@ func (d *DataHandler) HandleClients(w http.ResponseWriter, r *http.Request) {
case "DELETE":
switch auth.GetLoggedUserTechnical(w, r).Role {
case "ADMIN":
if id != 0 {
var o UserClient
if err := d.db.Where("id = ?", id).First(&o).Error; err != nil {
http.Error(w, "id does not exist", http.StatusNotFound)
return
}
// Delete bank accounts of user
d.db.Where("user_client_id = ?", o.ID).Delete(&BankAccount{})
d.db.Delete(&o)
} else {
http.Error(w, "id is missing", http.StatusNotFound)
}
case "BANKER":
user := d.getLoggedUser(w, r).(UserBanker)
if id != 0 {
......@@ -84,7 +115,7 @@ func (d *DataHandler) HandleClients(w http.ResponseWriter, r *http.Request) {
return
}
if o.UserBankerID != user.ID {
http.Error(w, "You can not access this ressource", http.StatusForbidden)
http.Error(w, "You're not authorize to execute this method on this ressource.", http.StatusMethodNotAllowed)
return
}
// Delete bank accounts of user
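Review bot: The BANKER DELETE branch now answers a request for another banker's client with 405 `You're not authorize to execute this method on this ressource.` where it previously returned 403 `You can not access this ressource`; this is an authorization failure on a resource the method is supported for, so 403 is the right status, and it is what the GET path of this handler (see the banker test expecting 403 on `/api/UserClients/2`) and the BANKER DELETE in `HandleBankAccounts` still return. Restore `http.Error(w, "You can not access this ressource", http.StatusForbidden)` and the matching test expectation, so callers can tell "not allowed for your role" from "not yours". The ADMIN POST branch lacks a `return` after the decode error, so a bad body still reaches `d.db.Create(&o)`, and it does not check that `UserBankerID` names an existing banker before creating the client. The enclosing DELETE branch continues outside the hunk.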
......
......@@ -45,7 +45,7 @@ func (d *DataHandler) ProcessAPI(w http.ResponseWriter, r *http.Request) {
switch api {
case "UserClients":
d.HandleClients(w, r)
case "UserBanker":
case "UserBankers":
d.HandleBankers(w, r)
case "BankAccounts":
d.HandleBankAccounts(w, r)
......
......@@ -15,8 +15,7 @@ func (d *DataHandler) HandleOperations(w http.ResponseWriter, r *http.Request) {
switch method := r.Method; method {
case "GET":
switch auth.GetLoggedUserTechnical(w, r).Role {
case "ADMIN":
case "BANKER":
case "ADMIN", "BANKER", "CLIENT":
if id != 0 {
var o Operation
if err := d.db.First(&o, id).Error; err != nil {
......@@ -29,14 +28,12 @@ func (d *DataHandler) HandleOperations(w http.ResponseWriter, r *http.Request) {
d.db.Find(&o)
json.NewEncoder(w).Encode(o)
}
case "CLIENT":
default:
http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
}
case "POST":
switch auth.GetLoggedUserTechnical(w, r).Role {
case "ADMIN":
case "BANKER":
case "ADMIN", "BANKER", "CLIENT":
var o Operation
err := json.NewDecoder(r.Body).Decode(&o)
if err != nil {
......@@ -45,41 +42,44 @@ func (d *DataHandler) HandleOperations(w http.ResponseWriter, r *http.Request) {
var debtor BankAccount
var creditor BankAccount
if err := d.db.First(&debtor, o.Debtor).Error; err == nil {
if (debtor.Amount + o.Amount) >= debtor.BankOverdraft {
if err := d.db.First(&creditor, o.Creditor).Error; err == nil {
// Update BankAccounts
debtor.Amount += o.Amount
creditor.Amount -= o.Amount
d.db.Save(&debtor)
d.db.Save(&creditor)
if err := d.db.Where("id = ?", o.Debtor).First(&debtor).Error; err != nil {
http.Error(w, "Can not find debtor account", http.StatusInternalServerError)
return
}
if err := d.db.First(&creditor, o.Creditor).Error; err != nil {
http.Error(w, "Can not find creditor account", http.StatusInternalServerError)
return
}
if (debtor.Amount + o.Amount) <= debtor.BankOverdraft {
http.Error(w, "Not enough money", http.StatusExpectationFailed)
return
}
// Update BankAccounts
debtor.Amount += o.Amount
creditor.Amount -= o.Amount
d.db.Save(&debtor)
d.db.Save(&creditor)
now := time.Now()
o.Date = now
d.db.Create(&o)
now := time.Now()
o.Date = now
d.db.Create(&o)
// Add the operation to creditor
op := Operation{
Debtor: o.Creditor,
Amount: -o.Amount,
Date: now,
Creditor: o.Debtor,
}
d.db.Create(&op)
}
} else {
http.Error(w, "Not enough money", http.StatusExpectationFailed)
}
// Add the operation to creditor
op := Operation{
Debtor: o.Creditor,
Amount: -o.Amount,
Date: now,
Creditor: o.Debtor,
}
case "CLIENT":
d.db.Create(&op)
default:
http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
}
case "DELETE":
switch auth.GetLoggedUserTechnical(w, r).Role {
case "ADMIN":
case "BANKER":
case "ADMIN", "BANKER":
if id != 0 {
var o Operation
if err := d.db.First(&o, id).Error; err != nil {
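Review bot: Merging CLIENT into the POST branch `case "ADMIN", "BANKER", "CLIENT":` lets any authenticated client debit any account: `o.Debtor` comes from the request body and is never compared with the caller's own `UserClientID`, and the same merge in GET lets a client read or list every operation in the system, while the `HandleBankAccounts` paths for CLIENT and BANKER do filter by owner. The `Amount` sign is also unchecked — the arithmetic (`debtor.Amount += o.Amount`) and the tests assume a negative amount, so a positive amount moves money from the creditor to the debtor with only the debtor's overdraft guarded. The overdraft test also changed meaning: the old `>= debtor.BankOverdraft` accepted a balance landing exactly on the limit, the new `<=` rejects it. Nothing runs in a transaction, so two concurrent transfers on one account can both pass the check against stale `Amount` values; wrapping the check, both `Save`s and both `Create`s in one transaction (if the ORM version in use offers one) would close that. The enclosing function starts and ends outside these hunks.
```go
case "ADMIN", "BANKER", "CLIENT":
	// … unchanged: decode o, load debtor and creditor …
	if o.Amount >= 0 {
		http.Error(w, "amount must be negative", http.StatusBadRequest)
		return
	}
	if auth.GetLoggedUserTechnical(w, r).Role == "CLIENT" {
		client := d.getLoggedUser(w, r).(UserClient)
		if debtor.UserClientID != client.ID {
			http.Error(w, "You can not access this ressource", http.StatusForbidden)
			return
		}
	}
	// … unchanged: overdraft check, Save debtor/creditor, Create o and the mirror op (ideally inside one transaction) …
```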
......
package rootmux
import (
"encoding/json"
"testing"
"forge.grandlyon.com/apoyen/sdk-go/pkg/auth"
"forge.grandlyon.com/apoyen/sdk-go/pkg/tester"
)
/**
ADMIN TESTS (those tests are to check the admins authorization)
**/
func AdminTests(t *testing.T) {
// Create the tester
ts, do, _ := createTester(t)
defer ts.Close() // Close the tester
tests := func() {
// Get the XSRF Token
response := do("GET", "/api/common/WhoAmI", noH, "", 200, "")
token := auth.TokenData{}
json.Unmarshal([]byte(response), &token)
xsrfHeader := tester.Header{Key: "XSRF-TOKEN", Value: token.XSRFToken}
// Create a banker
do("POST", "/api/UserBankers", xsrfHeader, `{"UserID":8,"Name":"Banker 2"}`, 200, ``)
// Get a banker
do("GET", "/api/UserBankers/1", xsrfHeader, "", 200, `{"ID":1,"UserID":3,"Name":"Banker","UserClients":[{"ID":1,"UserID":1,"Name":"Dupond","UserBankerID":1,"BankAccounts":null}]}`)
// Try to gel all bankers
do("GET", "/api/UserBankers/", xsrfHeader, "", 200, `[{"ID":1,"UserID":3,"Name":"Banker","UserClients":[{"ID":1,"UserID":1,"Name":"Dupond","UserBankerID":1,"BankAccounts":null}]},{"ID":2,"UserID":6,"Name":"Banker 2","UserClients":[{"ID":2,"UserID":2,"Name":"Boulangerie","UserBankerID":2,"BankAccounts":null}]},{"ID":3,"UserID":8,"Name":"Banker 2","UserClients":[]}]`)
// Try to delete a banker
do("DELETE", "/api/UserBankers/3", xsrfHeader, ``, 200, ``)
// Try to create a client
do("POST", "/api/UserClients", xsrfHeader, `{"UserID":7,"Name":"Dupond","UserBankerID":1}`, 200, "")
// Try to get one of the banker's client
do("GET", "/api/UserClients/1", xsrfHeader, "", 200, `{"ID":1,"UserID":1,"Name":"Dupond","UserBankerID":1,"BankAccounts":[{"ID":1,"Number":"01-01","UserClientID":1,"Type":"checking-account","Amount":458,"BankOverdraft":-100,"Operations":null}]}`)
// Try to get all the clients of the banker
do("GET", "/api/UserClients", xsrfHeader, "", 200, `[{"ID":1,"UserID":1,"Name":"Dupond","UserBankerID":1,"BankAccounts":[{"ID":1,"Number":"01-01","UserClientID":1,"Type":"checking-account","Amount":458,"BankOverdraft":-100,"Operations":null}]},{"ID":2,"UserID":2,"Name":"Boulangerie","UserBankerID":2,"BankAccounts":[{"ID":2,"Number":"02-01","UserClientID":2,"Type":"checking-account","Amount":4745,"BankOverdraft":-500,"Operations":null}]},{"ID":3,"UserID":7,"Name":"Dupond","UserBankerID":1,"BankAccounts":[]}]`)
// Try to delete a client
do("DELETE", "/api/UserClients/3", xsrfHeader, ``, 200, ``)
// Add an other bank account to client
do("POST", "/api/BankAccounts", xsrfHeader, `{"Number":"01-02","UserClientID":1,"Type":"saving-account","Amount":1287,"BankOverdraft":0}`, 200, ``)
// Get account where id=1
do("GET", "/api/BankAccounts/1", xsrfHeader, "", 200, `{"ID":1,"Number":"01-01","UserClientID":1,"Type":"checking-account","Amount":458,"BankOverdraft":-100,"Operations":[]}`)
// Get all Bank accounts
do("GET", "/api/BankAccounts/", xsrfHeader, "", 200, `[{"ID":1,"Number":"01-01","UserClientID":1,"Type":"checking-account","Amount":458,"BankOverdraft":-100,"Operations":[]},{"ID":2,"Number":"02-01","UserClientID":2,"Type":"checking-account","Amount":4745,"BankOverdraft":-500,"Operations":[]},{"ID":3,"Number":"01-02","UserClientID":1,"Type":"saving-account","Amount":1287,"BankOverdraft":0,"Operations":[]}]`)
// Try to delete the saving account of Dupond
do("DELETE", "/api/BankAccounts/3", xsrfHeader, ``, 200, "")
// Add operation between client and Bakery
do("POST", "/api/Operations", xsrfHeader, `{"Debtor":1,"Amount":-100,"Creditor":2}`, 200, "")
// Get operation where id=1
do("GET", "/api/Operations/1", xsrfHeader, "", 200, `{"ID":1,"Debtor":1,"Amount":-100`)
// Try to delete the first operation
do("DELETE", "/api/Operations/1", xsrfHeader, ``, 200, "")
}
userTests := func() {
response := do("GET", "/api/common/WhoAmI", noH, "", 200, "")
token := auth.TokenData{}
json.Unmarshal([]byte(response), &token)
xsrfHeader := tester.Header{Key: "XSRF-TOKEN", Value: token.XSRFToken}
// Create a Client
do("POST", "/api/admin/users/", xsrfHeader, `{"login":"UserTest","password": "password","role":"CLIENT"}`, 200, `[{"id":1,"idOAuth":"","login":"Dupond"`)
// Create a Banker
do("POST", "/api/admin/users/", xsrfHeader, `{"login":"BankerTest","password": "password","role":"BANKER"}`, 200, `[{"id":1,"idOAuth":"","login":"Dupond"`)
// Get all users
do("GET", "/api/admin/users/", xsrfHeader, ``, 200, `[{"id":1,"idOAuth":"","login":"Dupond"`)
// Delete created users
do("DELETE", "/api/admin/users/7", xsrfHeader, ``, 200, ``)
do("DELETE", "/api/admin/users/8", xsrfHeader, ``, 200, ``)
}
// Do an OAuth2 login with an known admin
do("GET", "/OAuth2Login", noH, "", 200, "<!DOCTYPE html>")
tests()
userTests()
// Try to logout (must pass)
do("GET", "/Logout", noH, "", 200, "Logout OK")
}
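Review bot: `AdminTests` has no `Test` prefix, so `go test` will not run it by itself; presumably a `Test*` function elsewhere in the package calls it, but that caller is not in this commit, so confirm it exists or the new ADMIN authorization paths are never exercised in CI. The `json.Unmarshal` result on the WhoAmI response is discarded; if the token shape changes, `xsrfHeader` silently becomes empty and every following request fails for an unrelated reason — check it with `if err := json.Unmarshal([]byte(response), &token); err != nil { t.Fatal(err) }`. All cases here are positive: nothing asserts what an ADMIN may not do, and several expectations are prefixes only (e.g. `{"ID":1,"Debtor":1,"Amount":-100`), so the exact set of returned records is not pinned.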
package rootmux
import (
"encoding/json"
"testing"
"forge.grandlyon.com/apoyen/sdk-go/pkg/auth"
"forge.grandlyon.com/apoyen/sdk-go/pkg/tester"
)
/**
Banker TESTS (those tests are to check the bankers rights)
**/
func BankerTests(t *testing.T) {
// Create the tester
ts, do, _ := createTester(t)
defer ts.Close() // Close the tester
tests := func() {
// Get the XSRF Token
response := do("GET", "/api/common/WhoAmI", noH, "", 200, "")
token := auth.TokenData{}
json.Unmarshal([]byte(response), &token)
xsrfHeader := tester.Header{Key: "XSRF-TOKEN", Value: token.XSRFToken}
// Create a banker should fail with 405
do("POST", "/api/UserBankers", xsrfHeader, `{"UserID":8,"Name":"Banker 2"}`, 405, `You're not authorize to execute this method on this ressource.`)
// Get the banker connected
do("GET", "/api/UserBankers/1", xsrfHeader, "", 200, `{"ID":1,"UserID":3,"Name":"Banker","UserClients":[{"ID":1,"UserID":1,"Name":"Dupond","UserBankerID":1,"BankAccounts":null}]}`)
// Try to get an other banker
do("GET", "/api/UserBankers/2", xsrfHeader, "", 403, `You can not access this ressource`)
// Try to gel all bankers
do("GET", "/api/UserBankers/", xsrfHeader, "", 403, `You can not access this ressource`)
// Try to delete an other banker should fail with 405
do("DELETE", "/api/UserBankers/2", xsrfHeader, ``, 405, `You're not authorize to execute this method on this ressource.`)
// Try to create a client
do("POST", "/api/UserClients", xsrfHeader, `{"UserID":7,"Name":"Dupond","UserBankerID":1}`, 200, "")
// Try to get one of the banker's client
do("GET", "/api/UserClients/1", xsrfHeader, "", 200, `{"ID":1,"UserID":1,"Name":"Dupond","UserBankerID":1,"BankAccounts":[{"ID":1,"Number":"01-01","UserClientID":1,"Type":"checking-account","Amount":458,"BankOverdraft":-100,"Operations":null}]}`)
// Try to get another banker's client should fail with 405
do("GET", "/api/UserClients/2", xsrfHeader, "", 403, `You can not access this ressource`)
// Try to get all the clients of the banker
do("GET", "/api/UserClients", xsrfHeader, "", 200, `[{"ID":1,"UserID":1,"Name":"Dupond","UserBankerID":1,"BankAccounts":[{"ID":1,"Number":"01-01","UserClientID":1,"Type":"checking-account","Amount":458,"BankOverdraft":-100,"Operations":null}]},{"ID":2,"UserID":2,"Name":"Boulangerie","UserBankerID":2,"BankAccounts":[{"ID":2,"Number":"02-01","UserClientID":2,"Type":"checking-account","Amount":4745,"BankOverdraft":-500,"Operations":null}]},{"ID":3,"UserID":7,"Name":"Dupond","UserBankerID":1,"BankAccounts":[]}]`)
// Try to delete a banker client
do("DELETE", "/api/UserClients/3", xsrfHeader, ``, 200, ``)
// Try to delete the bakery client should fail with 405
do("DELETE", "/api/UserClients/2", xsrfHeader, ``, 405, `You're not authorize to execute this method on this ressource.`)
// Add an other bank account to client
do("POST", "/api/BankAccounts", xsrfHeader, `{"Number":"01-02","UserClientID":1,"Type":"saving-account","Amount":1287,"BankOverdraft":0}`, 200, ``)
// Add a bank account to another banker's client should fail with 405
do("POST", "/api/BankAccounts", xsrfHeader, `{"Number":"02-02","UserClientID":2,"Type":"saving-account","Amount":3978,"BankOverdraft":0}`, 403, `You can not access this ressource`)
// Get account where id=1
do("GET", "/api/BankAccounts/1", xsrfHeader, "", 200, `{"ID":1,"Number":"01-01","UserClientID":1,"Type":"checking-account","Amount":458,"BankOverdraft":-100,"Operations":[]}`)
// Get account where id=2 should fail as it is another banker's client's account
do("GET", "/api/BankAccounts/2", xsrfHeader, "", 403, `You can not access this ressource`)
// Get all Bank account should return only the bank accounts of the bankers'client
do("GET", "/api/BankAccounts/", xsrfHeader, "", 200, `[{"ID":1,"Number":"01-01","UserClientID":1,"Type":"checking-account","Amount":458,"BankOverdraft":-100,"Operations":[]},{"ID":3,"Number":"01-02","UserClientID":1,"Type":"saving-account","Amount":1287,"BankOverdraft":0,"Operations":[]}]`)
// Try to delete the saving account of Dupond
do("DELETE", "/api/BankAccounts/3", xsrfHeader, ``, 200, "")
// Try to delete the saving account of Bakery should fail with 405
do("DELETE", "/api/BankAccounts/2", xsrfHeader, ``, 403, "You can not access this ressource")
// Add operation between client and Bakery
do("POST", "/api/Operations", xsrfHeader, `{"Debtor":1,"Amount":-100,"Creditor":2}`, 200, "")
// Get operation where id=1
do("GET", "/api/Operations/1", xsrfHeader, "", 200, `{"ID":1,"Debtor":1,"Amount":-100`)
// Try to delete the first operation
do("DELETE", "/api/Operations/1", xsrfHeader, ``, 200, "")
}
// Do a in memory login with an known admin
do("POST", "/Login", noH, `{"login": "banker","password": "password"}`, 200, "")
tests()
// Try to logout (must pass)
do("GET", "/Logout", noH, "", 200, "Logout OK")
}
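Review bot: The operation cases only cover a transfer out of the banker's own client's account (`{"Debtor":1,"Amount":-100,"Creditor":2}`); there is no negative case for debiting another banker's client (`"Debtor":2`), for a positive `Amount`, or for listing `/api/Operations/`, so this suite cannot detect the missing ownership check in `HandleOperations`. Add a POST of `{"Debtor":2,"Amount":-100,"Creditor":1}` expecting 403 `You can not access this ressource` — it will fail against the current handler, which is the point. The comment `// Do a in memory login with an known admin` above the `/Login` call is wrong for this file, which logs in as `banker`. Several comments say "should fail with 405" while the assertion is 403 (e.g. the GET of `/api/UserClients/2`); reconcile them with whichever status the handlers settle on.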
package rootmux
import (
"encoding/json"
"testing"
"forge.grandlyon.com/apoyen/sdk-go/pkg/auth"
"forge.grandlyon.com/apoyen/sdk-go/pkg/tester"
)
/**
CLIENT TESTS (this tests are to check that a normally logged user can access the apps that is allowed to and only that)
**/
func ClientTests(t *testing.T) {
// Create the tester
ts, do, _ := createTester(t)
defer ts.Close() // Close the tester
tests := func() {
// Get the XSRF Token
response := do("GET", "/api/common/WhoAmI", noH, "", 200, "")
token := auth.TokenData{}
json.Unmarshal([]byte(response), &token)
xsrfHeader := tester.Header{Key: "XSRF-TOKEN", Value: token.XSRFToken}
// Try to create a client should fail with 405
do("POST", "/api/UserClients", xsrfHeader, `{"ID":11,"UserID":"11","Name":"Dupont"}`, 405, "You're not authorize to execute this method on this ressource.")
// Try to create a banker should fail with 405
do("POST", "/api/UserBankers", xsrfHeader, `{"ID":11,"UserID":"11","Name":"Banker"}`, 405, "You're not authorize to execute this method on this ressource.")
// Try to create a BankAccount should fail with 405
do("POST", "/api/BankAccounts", xsrfHeader, `{"Number":"01-02","UserClientID":1,"Type":"saving-account","Amount":1287,"BankOverdraft":0}`, 405, "You're not authorize to execute this method on this ressource.")
// Client should be able to create an operation
do("POST", "/api/Operations", xsrfHeader, `{"Debtor":1,"Amount":-100,"Creditor":2}`, 200, ``)
// Get the previous operation between Dupond and Bakery
do("GET", "/api/Operations/1", xsrfHeader, "", 200, `{"ID":1,"Debtor":1,"Amount":-100`)
// Get all operations
do("GET", "/api/Operations/", xsrfHeader, "", 200, `[{"ID":1,"Debtor":1,"Amount":-100`)
// Get Dupond Bank account
do("GET", "/api/BankAccounts/1", xsrfHeader, "", 200, `{"ID":1,"Number":"01-01","UserClientID":1,"Type":"checking-account","Amount":358,"BankOverdraft":-100,"Operations":[{"ID":1,"Debtor":1,"Amount":-100`)
// Get all accounts of the user client and only those ones
do("GET", "/api/BankAccounts/", xsrfHeader, "", 200, `[{"ID":1,"Number":"01-01","UserClientID":1,"Type":"checking-account","Amount":358,"BankOverdraft":-100,"Operations":[{"ID":1,"Debtor":1,"Amount":-100`)
// Get client Dupond by id
do("GET", "/api/UserClients/1", xsrfHeader, "", 200, `{"ID":1,"UserID":1,"Name":"Dupond","UserBankerID":1,"BankAccounts":[{"ID":1,"Number":"01-01","UserClientID":1,"Type":"checking-account","Amount":358,"BankOverdraft":-100,"Operations":null}]}`)
// Get client Bakery should fail with 403
do("GET", "/api/UserClients/2", xsrfHeader, "", 403, `You can not access this ressource`)
// Try to get all the clients return only Dupond
do("GET", "/api/UserClients", xsrfHeader, "", 200, `[{"ID":1,"UserID":1,"Name":"Dupond","UserBankerID":1,"BankAccounts":[{"ID":1,"Number":"01-01","UserClientID":1,"Type":"checking-account","Amount":358,"BankOverdraft":-100,"Operations":null}]}]`)
// Try to delete the first operation should fail
do("DELETE", "/api/Operations/1", xsrfHeader, ``, 405, "You're not authorize to execute this method on this ressource.")
// Try to delete the saving account of Dupond should fail
do("DELETE", "/api/BankAccounts/2", xsrfHeader, ``, 405, "You're not authorize to execute this method on this ressource.")
// Try to delete the client Dupond should fail
do("DELETE", "/api/UserClients/2", xsrfHeader, ``, 405, "You're not authorize to execute this method on this ressource.")
}
// Do a in memory login with an known user
do("POST", "/Login", noH, `{"login": "Dupond","password": "password"}`, 200, "")
// Run the tests
tests()
// Try to logout (must pass)
do("GET", "/Logout", noH, "", 200, "Logout OK")
}
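Review bot: As in the banker suite, the client operation tests are positive-only: the client debits its own account 1, but nothing asserts that a POST with `"Debtor":2` (the bakery's account) is refused, and the expectation for `GET /api/Operations/` is a prefix, so a client that sees every operation in the system still passes — contrast the account list just below, which is explicitly asserted to be "only those ones". Add a `"Debtor":2` POST expecting 403 and pin the full operations list for this client. Two comments name the wrong target: `// Try to delete the saving account of Dupond should fail` and `// Try to delete the client Dupond should fail` both act on id 2, which is the bakery's account/client; the own-resource variant (id 1) is the more telling case and is worth adding too.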
......@@ -42,7 +42,7 @@ func CreateRootMux(port int, staticDir string) RootMux {
// ADMIN API ENDPOINTS
adminMux := http.NewServeMux()
adminMux.HandleFunc("/users/", auth.ProcessUsers)
mainMux.Handle("/api/admin/", http.StripPrefix("/api/admin", auth.ValidateAuthMiddleware(adminMux, []string{os.Getenv("ADMIN_GROUP")}, true)))
mainMux.Handle("/api/admin/", http.StripPrefix("/api/admin", auth.ValidateAuthMiddleware(adminMux, []string{"ADMIN"}, true)))
// Serve static files falling back to serving index.html
mainMux.Handle("/", middlewares.NoCache(http.FileServer(&common.FallBackWrapper{Assets: http.Dir(staticDir)})))
// Put it together into the main handler
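Review bot: Replacing `os.Getenv("ADMIN_GROUP")` with the literal `"ADMIN"` may leave `os` unreferenced in this file; if nothing else uses it the file no longer compiles (unused import), which would be consistent with the failed pipeline shown for this commit — check the import list, which is outside the hunk. The literal now has to agree byte-for-byte with the `case "ADMIN":` strings in every handler and with `role` in the users fixture (this commit already had to correct `ADMINS` → `ADMIN` there); a single exported constant such as `const RoleAdmin = "ADMIN"` in the package that defines roles, used here and in the handlers, would remove that drift. Dropping the environment variable also removes per-deployment control over which group is treated as admin; if that is deliberate, say so in the commit message.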
......
......@@ -31,9 +31,10 @@ func init() {