Fix IdP tests (#516 )

Do not set wt_pending_invite when unnecessary (#515 )
wt_pending_invite property is set for every user on IdP. Avoid setting it when unnecessary.
2026-05-06 00:56:39 +00:00 · 2022-10-19 18:36:10 +02:00 · 2022-10-19 17:51:41 +02:00 · 2022-10-19 17:43:28 +02:00
17 changed files with 102 additions and 51 deletions
--- a/client/cmd/testutil.go
+++ b/client/cmd/testutil.go
@@ -68,7 +68,7 @@ func startManagement(t *testing.T, config *mgmt.Config) (*grpc.Server, net.Liste
 	}
 	peersUpdateManager := mgmt.NewPeersUpdateManager()
-	accountManager, err := mgmt.BuildManager(store, peersUpdateManager, nil)
+	accountManager, err := mgmt.BuildManager(store, peersUpdateManager, nil, "")
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/client/internal/engine_test.go
+++ b/client/internal/engine_test.go
@@ -761,7 +761,7 @@ func startManagement(port int, dataDir string) (*grpc.Server, error) {
 		log.Fatalf("failed creating a store: %s: %v", config.Datadir, err)
 	}
 	peersUpdateManager := server.NewPeersUpdateManager()
-	accountManager, err := server.BuildManager(store, peersUpdateManager, nil)
+	accountManager, err := server.BuildManager(store, peersUpdateManager, nil, "")
 	if err != nil {
 		return nil, err
 	}
--- a/infrastructure_files/base.setup.env
+++ b/infrastructure_files/base.setup.env
@@ -10,6 +10,8 @@ NETBIRD_MGMT_API_ENDPOINT=https://$NETBIRD_DOMAIN:$NETBIRD_MGMT_API_PORT
 NETBIRD_MGMT_API_CERT_FILE="/etc/letsencrypt/live/$NETBIRD_DOMAIN/fullchain.pem"
 # Management Certficate key file path.
 NETBIRD_MGMT_API_CERT_KEY_FILE="/etc/letsencrypt/live/$NETBIRD_DOMAIN/privkey.pem"
 # By default Management single account mode is enabled and domain set to $NETBIRD_DOMAIN, you may want to set this to your user's email domain
 NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN=$NETBIRD_DOMAIN
 # Turn credentials
--- a/infrastructure_files/docker-compose.yml.tmpl
+++ b/infrastructure_files/docker-compose.yml.tmpl
@@ -48,7 +48,7 @@ services:
  #     # port and command for Let's Encrypt validation without dashboard container
  #   - 443:443
  #    command: ["--letsencrypt-domain", "$NETBIRD_DOMAIN", "--log-file", "console"]
-    command: ["--port", "443", "--log-file", "console", "--disable-anonymous-metrics=$NETBIRD_DISABLE_ANONYMOUS_METRICS"]
+    command: ["--port", "443", "--log-file", "console", "--disable-anonymous-metrics=$NETBIRD_DISABLE_ANONYMOUS_METRICS", "--single-account-mode-domain=$NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN"]
  # Coturn
  coturn:
    image: coturn/coturn
--- a/management/client/client_test.go
+++ b/management/client/client_test.go
@@ -55,7 +55,7 @@ func startManagement(t *testing.T) (*grpc.Server, net.Listener) {
 	}
 	peersUpdateManager := mgmt.NewPeersUpdateManager()
-	accountManager, err := mgmt.BuildManager(store, peersUpdateManager, nil)
+	accountManager, err := mgmt.BuildManager(store, peersUpdateManager, nil, "")
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/management/cmd/management.go
+++ b/management/cmd/management.go
@@ -41,11 +41,12 @@ import (
 const ManagementLegacyPort = 33073
 var (
-	mgmtPort              int
+	mgmtPort                int
-	mgmtLetsencryptDomain string
+	mgmtLetsencryptDomain   string
-	certFile              string
+	mgmtSingleAccModeDomain string
-	certKey               string
+	certFile                string
-	config                *server.Config
+	certKey                 string
 	config                  *server.Config
 	kaep = keepalive.EnforcementPolicy{
 		MinTime:             15 * time.Second,
@@ -121,7 +122,10 @@ var (
 				}
 			}
-			accountManager, err := server.BuildManager(store, peersUpdateManager, idpManager)
+			if disableSingleAccMode {
 				mgmtSingleAccModeDomain = ""
 			}
 			accountManager, err := server.BuildManager(store, peersUpdateManager, idpManager, mgmtSingleAccModeDomain)
 			if err != nil {
 				return fmt.Errorf("failed to build default manager: %v", err)
 			}
--- a/management/cmd/root.go
+++ b/management/cmd/root.go
@@ -13,21 +13,23 @@ const (
 )
 var (
-	defaultMgmtConfigDir    string
+	defaultMgmtConfigDir       string
-	defaultMgmtDataDir      string
+	defaultMgmtDataDir         string
-	defaultMgmtConfig       string
+	defaultMgmtConfig          string
-	defaultLogDir           string
+	defaultSingleAccModeDomain string
-	defaultLogFile          string
+	defaultLogDir              string
-	oldDefaultMgmtConfigDir string
+	defaultLogFile             string
-	oldDefaultMgmtDataDir   string
+	oldDefaultMgmtConfigDir    string
-	oldDefaultMgmtConfig    string
+	oldDefaultMgmtDataDir      string
-	oldDefaultLogDir        string
+	oldDefaultMgmtConfig       string
-	oldDefaultLogFile       string
+	oldDefaultLogDir           string
-	mgmtDataDir             string
+	oldDefaultLogFile          string
-	mgmtConfig              string
+	mgmtDataDir                string
-	logLevel                string
+	mgmtConfig                 string
-	logFile                 string
+	logLevel                   string
-	disableMetrics          bool
+	logFile                    string
 	disableMetrics             bool
 	disableSingleAccMode       bool
 	rootCmd = &cobra.Command{
 		Use:   "netbird-mgmt",
@@ -48,6 +50,7 @@ func init() {
 	stopCh = make(chan int)
 	defaultMgmtDataDir = "/var/lib/netbird/"
 	defaultSingleAccModeDomain = "netbird.selfhosted"
 	defaultMgmtConfigDir = "/etc/netbird"
 	defaultLogDir = "/var/log/netbird"
@@ -65,6 +68,8 @@ func init() {
 	mgmtCmd.Flags().StringVar(&mgmtDataDir, "datadir", defaultMgmtDataDir, "server data directory location")
 	mgmtCmd.Flags().StringVar(&mgmtConfig, "config", defaultMgmtConfig, "Netbird config file location. Config params specified via command line (e.g. datadir) have a precedence over configuration from this file")
 	mgmtCmd.Flags().StringVar(&mgmtLetsencryptDomain, "letsencrypt-domain", "", "a domain to issue Let's Encrypt certificate for. Enables TLS using Let's Encrypt. Will fetch and renew certificate, and run the server with TLS")
 	mgmtCmd.Flags().StringVar(&mgmtSingleAccModeDomain, "single-account-mode-domain", defaultSingleAccModeDomain, "Enables single account mode. This means that all the users will be under the same account grouped by the specified domain. If the installation has more than one account, the property is ineffective. Enabled by default with the default domain "+defaultSingleAccModeDomain)
 	mgmtCmd.Flags().BoolVar(&disableSingleAccMode, "disable-single-account-mode", false, "If set to true, disables single account mode. The --single-account-mode-domain property will be ignored and every new user will have a separate NetBird account.")
 	mgmtCmd.Flags().StringVar(&certFile, "cert-file", "", "Location of your SSL certificate. Can be used when you have an existing certificate and don't want a new certificate be generated automatically. If letsencrypt-domain is specified this property has no effect")
 	mgmtCmd.Flags().StringVar(&certKey, "cert-key", "", "Location of your SSL certificate private key. Can be used when you have an existing certificate and don't want a new certificate be generated automatically. If letsencrypt-domain is specified this property has no effect")
 	mgmtCmd.Flags().BoolVar(&disableMetrics, "disable-anonymous-metrics", false, "disables push of anonymous usage metrics to NetBird")
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -106,6 +106,13 @@ type DefaultAccountManager struct {
 	idpManager         idp.Manager
 	cacheManager       cache.CacheInterface[[]*idp.UserData]
 	ctx                context.Context
 	// singleAccountMode indicates whether the instance has a single account.
 	// If true, then every new user will end up under the same account.
 	// This value will be set to false if management service has more than one account.
 	singleAccountMode bool
 	// singleAccountModeDomain is a domain to use in singleAccountMode setup
 	singleAccountModeDomain string
 }
 // Account represents a unique account of the system
@@ -195,9 +202,8 @@ func (a *Account) GetGroupAll() (*Group, error) {
 }
 // BuildManager creates a new DefaultAccountManager with a provided Store
-func BuildManager(
+func BuildManager(store Store, peersUpdateManager *PeersUpdateManager, idpManager idp.Manager,
-	store Store, peersUpdateManager *PeersUpdateManager, idpManager idp.Manager,
+	singleAccountModeDomain string) (*DefaultAccountManager, error) {
 ) (*DefaultAccountManager, error) {
 	am := &DefaultAccountManager{
 		Store:              store,
 		mux:                sync.Mutex{},
@@ -207,11 +213,20 @@ func BuildManager(
 		cacheMux:           sync.Mutex{},
 		cacheLoading:       map[string]chan struct{}{},
 	}
 	allAccounts := store.GetAllAccounts()
 	// enable single account mode only if configured by user and number of existing accounts is not grater than 1
 	am.singleAccountMode = singleAccountModeDomain != "" && len(allAccounts) <= 1
 	if am.singleAccountMode {
 		am.singleAccountModeDomain = singleAccountModeDomain
 		log.Infof("single account mode enabled, accounts number %d", len(allAccounts))
 	} else {
 		log.Infof("single account mode disabled, accounts number %d", len(allAccounts))
 	}
-	// if account has not default group
+	// if account doesn't have a default group
 	// we create 'all' group and add all peers into it
 	// also we create default rule with source as destination
-	for _, account := range store.GetAllAccounts() {
+	for _, account := range allAccounts {
 		_, err := account.GetGroupAll()
 		if err != nil {
 			addAllGroup(account)
@@ -221,10 +236,10 @@ func BuildManager(
 		}
 	}
-	gocacheClient := gocache.New(CacheExpirationMax, 30*time.Minute)
+	goCacheClient := gocache.New(CacheExpirationMax, 30*time.Minute)
-	gocacheStore := cacheStore.NewGoCache(gocacheClient)
+	goCacheStore := cacheStore.NewGoCache(goCacheClient)
-	am.cacheManager = cache.NewLoadable[[]*idp.UserData](am.loadAccount, cache.New[[]*idp.UserData](gocacheStore))
+	am.cacheManager = cache.NewLoadable[[]*idp.UserData](am.loadAccount, cache.New[[]*idp.UserData](goCacheStore))
 	if !isNil(am.idpManager) {
 		go func() {
@@ -585,7 +600,7 @@ func (am *DefaultAccountManager) redeemInvite(account *Account, userID string) e
 		return status.Errorf(codes.NotFound, "user %s not found in the IdP", userID)
 	}
-	if user.AppMetadata.WTPendingInvite {
+	if user.AppMetadata.WTPendingInvite != nil && *user.AppMetadata.WTPendingInvite {
 		log.Infof("redeeming invite for user %s account %s", userID, account.Id)
 		// User has already logged in, meaning that IdP should have set wt_pending_invite to false.
 		// Our job is to just reload cache.
@@ -604,6 +619,15 @@ func (am *DefaultAccountManager) redeemInvite(account *Account, userID string) e
 // GetAccountFromToken returns an account associated with this token
 func (am *DefaultAccountManager) GetAccountFromToken(claims jwtclaims.AuthorizationClaims) (*Account, error) {
 	if am.singleAccountMode && am.singleAccountModeDomain != "" {
 		// This section is mostly related to self-hosted installations.
 		// We override incoming domain claims to group users under a single account.
 		claims.Domain = am.singleAccountModeDomain
 		claims.DomainCategory = PrivateCategory
 		log.Infof("overriding JWT Domain and DomainCategory claims since single account mode is enabled")
 	}
 	account, err := am.getAccountWithAuthorizationClaims(claims)
 	if err != nil {
 		return nil, err
--- a/management/server/account_test.go
+++ b/management/server/account_test.go
@@ -962,7 +962,7 @@ func createManager(t *testing.T) (*DefaultAccountManager, error) {
 	if err != nil {
 		return nil, err
 	}
-	return BuildManager(store, NewPeersUpdateManager(), nil)
+	return BuildManager(store, NewPeersUpdateManager(), nil, "")
 }
 func createStore(t *testing.T) (Store, error) {
--- a/management/server/idp/auth0.go
+++ b/management/server/idp/auth0.go
@@ -416,12 +416,13 @@ func (am *Auth0Manager) UpdateUserAppMetadata(userID string, appMetadata AppMeta
 }
 func buildCreateUserRequestPayload(email string, name string, accountID string) (string, error) {
 	invite := true
 	req := &createUserRequest{
 		Email: email,
 		Name:  name,
 		AppMeta: AppMetadata{
 			WTAccountID:     accountID,
-			WTPendingInvite: true,
+			WTPendingInvite: &invite,
 		},
 		Connection:  "Username-Password-Authentication",
 		Password:    GeneratePassword(8, 1, 1, 1),
@@ -556,7 +557,7 @@ func (am *Auth0Manager) GetUserByEmail(email string) ([]*UserData, error) {
 	if err != nil {
 		return nil, err
 	}
-	reqURL := am.authIssuer + "/api/v2/users-by-email?email=" + email
+	reqURL := am.authIssuer + "/api/v2/users-by-email?email=" + url.QueryEscape(email)
 	body, err := doGetReq(am.httpClient, reqURL, jwtToken.AccessToken)
 	if err != nil {
 		return nil, err
@@ -698,7 +699,7 @@ func (am *Auth0Manager) downloadProfileExport(location string) (map[string][]*Us
 					Email: profile.Email,
 					AppMetadata: AppMetadata{
 						WTAccountID:     profile.AccountID,
-						WTPendingInvite: profile.PendingInvite,
+						WTPendingInvite: &profile.PendingInvite,
 					},
 				})
 		}
@@ -729,13 +730,12 @@ func doGetReq(client ManagerHTTPClient, url, accessToken string) ([]byte, error)
 			log.Errorf("error while closing body for url %s: %v", url, err)
 		}
 	}()
 	if res.StatusCode != 200 {
 		return nil, fmt.Errorf("unable to get %s, statusCode %d", url, res.StatusCode)
 	}
 	body, err := io.ReadAll(res.Body)
 	if err != nil {
 		return nil, err
 	}
 	if res.StatusCode != 200 {
 		return nil, fmt.Errorf("unable to get %s, statusCode %d", url, res.StatusCode)
 	}
 	return body, nil
 }
--- a/management/server/idp/auth0_test.go
+++ b/management/server/idp/auth0_test.go
@@ -340,7 +340,7 @@ func TestAuth0_UpdateUserAppMetadata(t *testing.T) {
 	updateUserAppMetadataTestCase2 := updateUserAppMetadataTest{
 		name:            "Bad Status Code",
 		inputReqBody:    fmt.Sprintf("{\"access_token\":\"%s\",\"scope\":\"read:users\",\"expires_in\":%d,\"token_type\":\"Bearer\"}", token, exp),
-		expectedReqBody: fmt.Sprintf("{\"app_metadata\":{\"wt_account_id\":\"%s\",\"wt_pending_invite\":false}}", appMetadata.WTAccountID),
+		expectedReqBody: fmt.Sprintf("{\"app_metadata\":{\"wt_account_id\":\"%s\",\"wt_pending_invite\":null}}", appMetadata.WTAccountID),
 		appMetadata:     appMetadata,
 		statusCode:      400,
 		helper:          JsonParser{},
@@ -363,7 +363,7 @@ func TestAuth0_UpdateUserAppMetadata(t *testing.T) {
 	updateUserAppMetadataTestCase4 := updateUserAppMetadataTest{
 		name:                 "Good request",
 		inputReqBody:         fmt.Sprintf("{\"access_token\":\"%s\",\"scope\":\"read:users\",\"expires_in\":%d,\"token_type\":\"Bearer\"}", token, exp),
-		expectedReqBody:      fmt.Sprintf("{\"app_metadata\":{\"wt_account_id\":\"%s\",\"wt_pending_invite\":false}}", appMetadata.WTAccountID),
+		expectedReqBody:      fmt.Sprintf("{\"app_metadata\":{\"wt_account_id\":\"%s\",\"wt_pending_invite\":null}}", appMetadata.WTAccountID),
 		appMetadata:          appMetadata,
 		statusCode:           200,
 		helper:               JsonParser{},
@@ -371,7 +371,23 @@ func TestAuth0_UpdateUserAppMetadata(t *testing.T) {
 		assertErrFuncMessage: "shouldn't return error",
 	}
-	for _, testCase := range []updateUserAppMetadataTest{updateUserAppMetadataTestCase1, updateUserAppMetadataTestCase2, updateUserAppMetadataTestCase3, updateUserAppMetadataTestCase4} {
+	invite := true
 	updateUserAppMetadataTestCase5 := updateUserAppMetadataTest{
 		name:            "Update Pending Invite",
 		inputReqBody:    fmt.Sprintf("{\"access_token\":\"%s\",\"scope\":\"read:users\",\"expires_in\":%d,\"token_type\":\"Bearer\"}", token, exp),
 		expectedReqBody: fmt.Sprintf("{\"app_metadata\":{\"wt_account_id\":\"%s\",\"wt_pending_invite\":true}}", appMetadata.WTAccountID),
 		appMetadata: AppMetadata{
 			WTAccountID:     "ok",
 			WTPendingInvite: &invite,
 		},
 		statusCode:           200,
 		helper:               JsonParser{},
 		assertErrFunc:        assert.NoError,
 		assertErrFuncMessage: "shouldn't return error",
 	}
 	for _, testCase := range []updateUserAppMetadataTest{updateUserAppMetadataTestCase1, updateUserAppMetadataTestCase2,
 		updateUserAppMetadataTestCase3, updateUserAppMetadataTestCase4, updateUserAppMetadataTestCase5} {
 		t.Run(testCase.name, func(t *testing.T) {
 			jwtReqClient := mockHTTPClient{
 				resBody: testCase.inputReqBody,
--- a/management/server/idp/idp.go
+++ b/management/server/idp/idp.go
@@ -51,7 +51,7 @@ type AppMetadata struct {
 	// WTAccountID is a NetBird (previously Wiretrustee) account id to update in the IDP
 	// maps to wt_account_id when json.marshal
 	WTAccountID     string `json:"wt_account_id,omitempty"`
-	WTPendingInvite bool   `json:"wt_pending_invite"`
+	WTPendingInvite *bool  `json:"wt_pending_invite"`
 }
 // JWTToken a JWT object that holds information of a token
--- a/management/server/management_proto_test.go
+++ b/management/server/management_proto_test.go
@@ -403,7 +403,7 @@ func startManagement(t *testing.T, port int, config *Config) (*grpc.Server, erro
 		return nil, err
 	}
 	peersUpdateManager := NewPeersUpdateManager()
-	accountManager, err := BuildManager(store, peersUpdateManager, nil)
+	accountManager, err := BuildManager(store, peersUpdateManager, nil, "")
 	if err != nil {
 		return nil, err
 	}
--- a/management/server/management_test.go
+++ b/management/server/management_test.go
@@ -493,7 +493,7 @@ func startServer(config *server.Config) (*grpc.Server, net.Listener) {
 		log.Fatalf("failed creating a store: %s: %v", config.Datadir, err)
 	}
 	peersUpdateManager := server.NewPeersUpdateManager()
-	accountManager, err := server.BuildManager(store, peersUpdateManager, nil)
+	accountManager, err := server.BuildManager(store, peersUpdateManager, nil, "")
 	if err != nil {
 		log.Fatalf("failed creating a manager: %v", err)
 	}
--- a/management/server/nameserver_test.go
+++ b/management/server/nameserver_test.go
@@ -865,7 +865,7 @@ func createNSManager(t *testing.T) (*DefaultAccountManager, error) {
 	if err != nil {
 		return nil, err
 	}
-	return BuildManager(store, NewPeersUpdateManager(), nil)
+	return BuildManager(store, NewPeersUpdateManager(), nil, "")
 }
 func createNSStore(t *testing.T) (Store, error) {
--- a/management/server/route_test.go
+++ b/management/server/route_test.go
@@ -778,7 +778,7 @@ func createRouterManager(t *testing.T) (*DefaultAccountManager, error) {
 	if err != nil {
 		return nil, err
 	}
-	return BuildManager(store, NewPeersUpdateManager(), nil)
+	return BuildManager(store, NewPeersUpdateManager(), nil, "")
 }
 func createRouterStore(t *testing.T) (Store, error) {
--- a/management/server/user.go
+++ b/management/server/user.go
@@ -68,7 +68,7 @@ func (u *User) toUserInfo(userData *idp.UserData) (*UserInfo, error) {
 	}
 	userStatus := UserStatusActive
-	if userData.AppMetadata.WTPendingInvite {
+	if userData.AppMetadata.WTPendingInvite != nil && *userData.AppMetadata.WTPendingInvite {
 		userStatus = UserStatusInvited
 	}
Author	SHA1	Message	Date
Misha Bragin	08ddf04c5f	Fix IdP tests (#516 )	2022-10-19 18:36:10 +02:00
Misha Bragin	b5ee2174a8	Do not set wt_pending_invite when unnecessary (#515 ) wt_pending_invite property is set for every user on IdP. Avoid setting it when unnecessary.	2022-10-19 17:51:41 +02:00
Misha Bragin	7218a3d563	Management single account mode (#511 )	2022-10-19 17:43:28 +02:00