backend: 通常ユーザによるユーザ作成機能

Changes

2 changed files (+278/-2)

• packages/backend/services/workspace/create_user.go
  • @@ -6,6 +6,7 @@
    import ( "context" "crypto/rand" + "slices" "strings" "connectrpc.com/connect"
  • @@ -133,8 +134,13 @@ },
    }), nil } - // TODO: 通常ユーザでも権限次第で作成できるようにする - if !user.GetIsAdmin() { + requiredPerm := types.Permission_PERMISSION_ADD_REGULAR_USER + if req.Msg.GetIsAdmin() { + requiredPerm = types.Permission_PERMISSION_ADD_ADMIN_USER + } + + // TODO: 認可エラーもしくは権限エラーを作成する + if !slices.Contains(user.Permissions, requiredPerm) { return createUserAuthError() }
  • @@ -179,14 +185,30 @@ permissions := make([]types.Permission, 0, 32)
    if req.Msg.Permissions != nil { if req.Msg.Permissions.GetCanAddUser() { + // ユーザ追加権限はここに来ている時点で持っているためチェックは不要。 permissions = append(permissions, types.Permission_PERMISSION_ADD_REGULAR_USER) } if req.Msg.Permissions.GetCanDeleteRegularUser() { + if !slices.Contains(user.Permissions, types.Permission_PERMISSION_DELETE_REGULAR_USER) { + // TODO: 認可エラーもしくは権限エラーを作成する + return createUserAuthError() + } + permissions = append(permissions, types.Permission_PERMISSION_DELETE_REGULAR_USER) } if req.Msg.Permissions.GetCanReadOtherUserProfile() { + if !slices.Contains(user.Permissions, types.Permission_PERMISSION_READ_REGULAR_USER_PROFILE) { + // TODO: 認可エラーもしくは権限エラーを作成する + return createUserAuthError() + } + + if !slices.Contains(user.Permissions, types.Permission_PERMISSION_READ_ADMIN_USER_PROFILE) { + // TODO: 認可エラーもしくは権限エラーを作成する + return createUserAuthError() + } + permissions = append( permissions, types.Permission_PERMISSION_READ_REGULAR_USER_PROFILE,
  • @@ -195,14 +217,29 @@ )
    } if req.Msg.Permissions.GetCanUpdateOtherRegularUserProfile() { + if !slices.Contains(user.Permissions, types.Permission_PERMISSION_UPDATE_REGULAR_USER_PROFILE) { + // TODO: 認可エラーもしくは権限エラーを作成する + return createUserAuthError() + } + permissions = append(permissions, types.Permission_PERMISSION_UPDATE_REGULAR_USER_PROFILE) } if req.Msg.Permissions.GetCanUpdateSelfProfile() { + if !slices.Contains(user.Permissions, types.Permission_PERMISSION_UPDATE_SELF_PROFILE) { + // TODO: 認可エラーもしくは権限エラーを作成する + return createUserAuthError() + } + permissions = append(permissions, types.Permission_PERMISSION_UPDATE_SELF_PROFILE) } if req.Msg.Permissions.GetCanUpdateOtherRegularUserLoginMethod() { + if !slices.Contains(user.Permissions, types.Permission_PERMISSION_UPDATE_REGULAR_USER_LOGIN_METHOD) { + // TODO: 認可エラーもしくは権限エラーを作成する + return createUserAuthError() + } + permissions = append( permissions, types.Permission_PERMISSION_UPDATE_REGULAR_USER_LOGIN_METHOD,
  • @@ -210,6 +247,11 @@ )
    } if req.Msg.Permissions.GetCanUpdateWorkspace() { + if !slices.Contains(user.Permissions, types.Permission_PERMISSION_EDIT_WORKSPACE_PROFILE) { + // TODO: 認可エラーもしくは権限エラーを作成する + return createUserAuthError() + } + permissions = append(permissions, types.Permission_PERMISSION_EDIT_WORKSPACE_PROFILE) } }
• packages/backend/tests/workspace/v2/create_user_test.go
  • @@ -91,3 +91,237 @@ typeName := reflect.Indirect(reflect.ValueOf(res.Msg.Result))
    t.Errorf("Expected authentication_error, got %s", typeName.Type().Name()) } } + + func TestCreateByRegularUser(t *testing.T) { + server, jar := setupLogin(t) + + httpClient := server.Client() + httpClient.Jar = jar + + client := v2connect.NewWorkspaceServiceClient(httpClient, server.URL()) + + bob, err := client.CreateUser( + context.Background(), + connect.NewRequest(&workspaceV2.CreateUserRequest{ + Name: proto.String("bob"), + DisplayName: proto.String("Bob"), + Password: proto.String("bob_password"), + Permissions: &workspaceV2.UserPermissions{ + CanAddUser: proto.Bool(true), + CanDeleteRegularUser: proto.Bool(true), + }, + }), + ) + if err != nil { + t.Fatal(err) + } + + v, ok := bob.Msg.Result.(*workspaceV2.CreateUserResponse_Ok) + if !ok { + typeName := reflect.Indirect(reflect.ValueOf(bob.Msg.Result)) + t.Errorf("Expected ok, got %s", typeName.Type().Name()) + } + + if v.Ok.GetName() != "bob" { + t.Errorf("Expected bob, got %s", v.Ok.GetName()) + } + + bobLogin, err := client.Login( + context.Background(), + connect.NewRequest(&workspaceV2.LoginRequest{ + Name: proto.String("bob"), + Password: proto.String("bob_password"), + }), + ) + if err != nil { + t.Fatal(err) + } + + if _, ok := bobLogin.Msg.Result.(*workspaceV2.LoginResponse_Ok); !ok { + typeName := reflect.Indirect(reflect.ValueOf(bobLogin.Msg.Result)) + t.Errorf("Expected ok, got %s", typeName.Type().Name()) + } + + carol, err := client.CreateUser( + context.Background(), + connect.NewRequest(&workspaceV2.CreateUserRequest{ + Name: proto.String("carol"), + DisplayName: proto.String("Carol"), + Password: proto.String("carol_password"), + Permissions: &workspaceV2.UserPermissions{ + CanAddUser: proto.Bool(true), + CanDeleteRegularUser: proto.Bool(true), + // bob にはない権限 + CanReadOtherUserProfile: proto.Bool(true), + }, + }), + ) + if err != nil { + t.Fatal(err) + } + + // TODO: 認可エラーもしくは権限エラーを作成する + if _, ok := carol.Msg.Result.(*workspaceV2.CreateUserResponse_AuthenticationError); !ok { + typeName := reflect.Indirect(reflect.ValueOf(carol.Msg.Result)) + t.Errorf("Expected authentication_error, got %s", typeName.Type().Name()) + } + + dave, err := client.CreateUser( + context.Background(), + connect.NewRequest(&workspaceV2.CreateUserRequest{ + Name: proto.String("dave"), + DisplayName: proto.String("Dave"), + Password: proto.String("dave_password"), + Permissions: &workspaceV2.UserPermissions{ + // bob の権限と同じ + CanAddUser: proto.Bool(true), + CanDeleteRegularUser: proto.Bool(true), + }, + }), + ) + if err != nil { + t.Fatal(err) + } + + if _, ok := dave.Msg.Result.(*workspaceV2.CreateUserResponse_Ok); !ok { + typeName := reflect.Indirect(reflect.ValueOf(bobLogin.Msg.Result)) + t.Errorf("Expected ok, got %s", typeName.Type().Name()) + } + } + + func TestCreateUserRejectWithoutPermission(t *testing.T) { + server, jar := setupLogin(t) + + httpClient := server.Client() + httpClient.Jar = jar + + client := v2connect.NewWorkspaceServiceClient(httpClient, server.URL()) + + bob, err := client.CreateUser( + context.Background(), + connect.NewRequest(&workspaceV2.CreateUserRequest{ + Name: proto.String("bob"), + DisplayName: proto.String("Bob"), + Password: proto.String("bob_password"), + Permissions: &workspaceV2.UserPermissions{}, + }), + ) + if err != nil { + t.Fatal(err) + } + + v, ok := bob.Msg.Result.(*workspaceV2.CreateUserResponse_Ok) + if !ok { + typeName := reflect.Indirect(reflect.ValueOf(bob.Msg.Result)) + t.Errorf("Expected ok, got %s", typeName.Type().Name()) + } + + if v.Ok.GetName() != "bob" { + t.Errorf("Expected bob, got %s", v.Ok.GetName()) + } + + bobLogin, err := client.Login( + context.Background(), + connect.NewRequest(&workspaceV2.LoginRequest{ + Name: proto.String("bob"), + Password: proto.String("bob_password"), + }), + ) + if err != nil { + t.Fatal(err) + } + + if _, ok := bobLogin.Msg.Result.(*workspaceV2.LoginResponse_Ok); !ok { + typeName := reflect.Indirect(reflect.ValueOf(bobLogin.Msg.Result)) + t.Errorf("Expected ok, got %s", typeName.Type().Name()) + } + + carol, err := client.CreateUser( + context.Background(), + connect.NewRequest(&workspaceV2.CreateUserRequest{ + Name: proto.String("carol"), + DisplayName: proto.String("Carol"), + Password: proto.String("carol_password"), + Permissions: &workspaceV2.UserPermissions{}, + }), + ) + if err != nil { + t.Fatal(err) + } + + // TODO: 認可エラーもしくは権限エラーを作成する + if _, ok := carol.Msg.Result.(*workspaceV2.CreateUserResponse_AuthenticationError); !ok { + typeName := reflect.Indirect(reflect.ValueOf(carol.Msg.Result)) + t.Errorf("Expected authentication_error, got %s", typeName.Type().Name()) + } + } + + func TestCreateUserRejectRegularUserCreatesAdminUser(t *testing.T) { + server, jar := setupLogin(t) + + httpClient := server.Client() + httpClient.Jar = jar + + client := v2connect.NewWorkspaceServiceClient(httpClient, server.URL()) + + bob, err := client.CreateUser( + context.Background(), + connect.NewRequest(&workspaceV2.CreateUserRequest{ + Name: proto.String("bob"), + DisplayName: proto.String("Bob"), + Password: proto.String("bob_password"), + Permissions: &workspaceV2.UserPermissions{ + CanAddUser: proto.Bool(true), + }, + }), + ) + if err != nil { + t.Fatal(err) + } + + v, ok := bob.Msg.Result.(*workspaceV2.CreateUserResponse_Ok) + if !ok { + typeName := reflect.Indirect(reflect.ValueOf(bob.Msg.Result)) + t.Errorf("Expected ok, got %s", typeName.Type().Name()) + } + + if v.Ok.GetName() != "bob" { + t.Errorf("Expected bob, got %s", v.Ok.GetName()) + } + + bobLogin, err := client.Login( + context.Background(), + connect.NewRequest(&workspaceV2.LoginRequest{ + Name: proto.String("bob"), + Password: proto.String("bob_password"), + }), + ) + if err != nil { + t.Fatal(err) + } + + if _, ok := bobLogin.Msg.Result.(*workspaceV2.LoginResponse_Ok); !ok { + typeName := reflect.Indirect(reflect.ValueOf(bobLogin.Msg.Result)) + t.Errorf("Expected ok, got %s", typeName.Type().Name()) + } + + carol, err := client.CreateUser( + context.Background(), + connect.NewRequest(&workspaceV2.CreateUserRequest{ + Name: proto.String("carol"), + DisplayName: proto.String("Carol"), + Password: proto.String("carol_password"), + IsAdmin: proto.Bool(true), + Permissions: &workspaceV2.UserPermissions{}, + }), + ) + if err != nil { + t.Fatal(err) + } + + // TODO: 認可エラーもしくは権限エラーを作成する + if _, ok := carol.Msg.Result.(*workspaceV2.CreateUserResponse_AuthenticationError); !ok { + typeName := reflect.Indirect(reflect.ValueOf(carol.Msg.Result)) + t.Errorf("Expected authentication_error, got %s", typeName.Type().Name()) + } + }