From b2807c4b3277f17b1d6acc4bdc08185f274bc555 Mon Sep 17 00:00:00 2001
From: Jonathan Cobb
Date: Mon, 3 Feb 2020 22:40:33 -0500
Subject: [PATCH] fix tests, change password working properly in API

---
 .../src/main/java/bubble/dao/account/AccountDAO.java | 3 ++-
 .../bubble/resources/account/AccountsResource.java | 6 +++++-
 .../java/bubble/resources/account/AuthResource.java | 2 +-
 .../bubble/service/boot/StandardSelfNodeService.java | 12 +++++++++---
 .../test/resources/models/include/new_account.json | 2 ++
 .../resources/models/tests/auth/change_password.json | 10 +++++++++-
 bubble-web | 2 +-
 7 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/bubble-server/src/main/java/bubble/dao/account/AccountDAO.java b/bubble-server/src/main/java/bubble/dao/account/AccountDAO.java
index 01a00f31..9f22eb2b 100644
--- a/bubble-server/src/main/java/bubble/dao/account/AccountDAO.java
+++ b/bubble-server/src/main/java/bubble/dao/account/AccountDAO.java
@@ -63,8 +63,9 @@ public class AccountDAO extends AbstractCRUDDAO implements SqlViewSearc
     @Autowired private BillDAO billDAO;
     @Autowired private SearchService searchService;
 
-    public Account newAccount(Request req, AccountRegistration request, Account parent) {
+    public Account newAccount(Request req, Account caller, AccountRegistration request, Account parent) {
         return create(new Account(request)
+                .setAdmin(caller != null && caller.admin() && request.admin())  // only admins can create other admins
                 .setRemoteHost(getRemoteHost(req))
                 .setParent(parent.getUuid())
                 .setPolicy(new AccountPolicy().setContact(request.getContact())));
diff --git a/bubble-server/src/main/java/bubble/resources/account/AccountsResource.java b/bubble-server/src/main/java/bubble/resources/account/AccountsResource.java
index 65ff2842..df817955 100644
--- a/bubble-server/src/main/java/bubble/resources/account/AccountsResource.java
+++ b/bubble-server/src/main/java/bubble/resources/account/AccountsResource.java
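Review bot: The new `caller` parameter now carries the whole admin-escalation rule, but its null contract is only implied by the expression and the trailing comment; a reader of the AccountsResource or AuthResource call sites cannot tell from the signature that null means "unauthenticated self-registration, never admin". Add Javadoc above `newAccount`, e.g. `@param caller the authenticated account performing the creation, or null for self-registration; the new account is admin only when caller is a non-null admin and the registration asks for it`. Note also that `new Account(request)` runs before `.setAdmin(...)`, so if the Account copy constructor copies an admin flag from the registration, the explicit setter is what overrides it — that ordering deserves a one-line comment so the call is not moved later. The closing brace of `newAccount` is outside the hunk.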
@@ -86,6 +86,10 @@ public class AccountsResource {
 
         final AccountContext c = new AccountContext(ctx, request.getName(), true);
 
+        // only admins can use this endpoint
+        // regular users must use AuthResource.register
+        if (!c.caller.admin()) return forbidden();
+
         final ValidationResult errors = new ValidationResult();
         if (c.account != null) return invalid("err.user.exists", "User with name "+request.getName()+" already exists", request.getName());
 
@@ -117,7 +121,7 @@ public class AccountsResource {
         final AccountRegistration reg = (AccountRegistration) request
                 .setRemoteHost(getRemoteHost(req))
                 .setVerifyContact(true);
-        final Account created = accountDAO.newAccount(req, reg, parent);
+        final Account created = accountDAO.newAccount(req, c.caller, reg, parent);
         return ok(created.waitForAccountInit());
     }
 
diff --git a/bubble-server/src/main/java/bubble/resources/account/AuthResource.java b/bubble-server/src/main/java/bubble/resources/account/AuthResource.java
index 6507bd95..6b35ba35 100644
--- a/bubble-server/src/main/java/bubble/resources/account/AuthResource.java
+++ b/bubble-server/src/main/java/bubble/resources/account/AuthResource.java
@@ -199,7 +199,7 @@ public class AuthResource {
         final Account parent = accountDAO.findByUuid(parentUuid);
         if (parent == null) return invalid("err.parent.notFound", "Parent account does not exist: "+parentUuid);
 
-        final Account account = accountDAO.newAccount(req, request, parent);
+        final Account account = accountDAO.newAccount(req, null, request, parent);
         return ok(account.waitForAccountInit().setToken(newLoginSession(account)));
     }
 
diff --git a/bubble-server/src/main/java/bubble/service/boot/StandardSelfNodeService.java b/bubble-server/src/main/java/bubble/service/boot/StandardSelfNodeService.java
index cbc52ab9..b2be728b 100644
--- a/bubble-server/src/main/java/bubble/service/boot/StandardSelfNodeService.java
+++ b/bubble-server/src/main/java/bubble/service/boot/StandardSelfNodeService.java
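Review bot: The admin gate `if (!c.caller.admin()) return forbidden();` runs only after `new AccountContext(ctx, request.getName(), true)` has been constructed, so whatever lookups or validation that constructor performs on the caller-supplied name still execute for non-admin callers; unless the constructor already enforces the admin requirement, the check belongs as early as the caller can be resolved so the unauthorized path does the least work. It is also not visible here whether `c.caller` can be null for an unauthenticated request, in which case this line throws rather than returning forbidden; `if (c.caller == null || !c.caller.admin()) return forbidden();` is the safer form if the context does not already reject that. The second hunk at -117 only forwards `c.caller` and needs no separate change. The enclosing method starts before the hunk.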
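Review bot: The bare `null` in `accountDAO.newAccount(req, null, request, parent)` is opaque at the call site; annotate it, e.g. `accountDAO.newAccount(req, null /* self-registration: no caller, never admin */, request, parent)`. With this change a self-registration whose payload sets the admin flag is silently downgraded to a non-admin account rather than rejected; if the API is meant to refuse such requests outright, an explicit `return invalid(...)` on `request.admin()` before this call would make that visible to the client instead of returning an account with different privileges than requested — a judgement call for the API's error conventions. The enclosing method starts before the hunk.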
@@ -277,7 +277,8 @@ public class StandardSelfNodeService implements SelfNodeService {
         log.debug("initSelf: starting with selfNode="+selfNode.id());
         final BubbleNode foundByUuid = nodeDAO.findByUuid(selfNode.getUuid());
         final BubbleNode foundByFqdn = nodeDAO.findByFqdn(selfNode.getFqdn());
-        if (foundByUuid == null && foundByFqdn == null) {
+        final BubbleNode foundByIp4 = nodeDAO.findByIp4(selfNode.getIp4());
+        if (foundByUuid == null && foundByFqdn == null && foundByIp4 == null) {
             // node exists in JSON but not in DB: write it to DB
             return ensureRunning(nodeDAO.create(selfNode));
 
@@ -293,10 +294,15 @@ public class StandardSelfNodeService implements SelfNodeService {
             nodeDAO.delete(foundByFqdn.getUuid());
             return ensureRunning(nodeDAO.create(selfNode));
 
-        } else if (foundByUuid == null) {
-            // found by fqdn but not uuid, remove fqdn and add
+        } else if (foundByUuid == null && foundByIp4 == null) {
+            // found by fqdn but not uuid or ip4, remove fqdn and add
             nodeDAO.delete(foundByFqdn.getUuid());
             return ensureRunning(nodeDAO.create(selfNode));
+
+        } else if (foundByIp4 != null) {
+            // OK, use the one we found by ip4
+            return foundByIp4;
+
         } else {
             // found by uuid but not fqdn, error
             return die("initSelf: wrong FQDN (expected "+selfNode.getFqdn()+") in foundByUuid="+foundByUuid.id());
diff --git a/bubble-server/src/test/resources/models/include/new_account.json b/bubble-server/src/test/resources/models/include/new_account.json
index bce4e0b1..8d1317ba 100644
--- a/bubble-server/src/test/resources/models/include/new_account.json
+++ b/bubble-server/src/test/resources/models/include/new_account.json
@@ -6,6 +6,7 @@
     "username": "user-{{rand 10}}",
     "password": "foobar1!",
     "email": "user-{{rand 5}}@example.com",
+    "rootSessionName": "rootSession",
     "userSessionName": "userSession",
     "userVar": "userAccount",
     "verifyEmail": "false",
@@ -16,6 +17,7 @@
   {
     "comment": "as root, create a new account",
     "request": {
+      "session": "<>",
       "uri": "users",
       "method": "put",
       "entity": {
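Review bot: `nodeDAO.findByIp4(selfNode.getIp4())` is queried unconditionally, but nothing in the hunk establishes that `selfNode.getIp4()` is non-null at this point in boot; if the DAO's finder matches a null or empty ip4 column it could hand back an unrelated node, which the new `foundByIp4` branch in the second hunk then adopts as self. Guarding the lookup keeps the previous behavior for nodes that have no address yet: `final BubbleNode foundByIp4 = selfNode.getIp4() == null ? null : nodeDAO.findByIp4(selfNode.getIp4());`. Whether `getIp4` can be null here depends on how selfNode is loaded earlier in initSelf, which is outside the hunk.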
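Review bot: The new `else if (foundByIp4 != null)` branch returns `foundByIp4` as-is, whereas every other successful path visible in this method goes through `ensureRunning(...)`, and it never checks that the row found by ip4 is the same node as `foundByUuid` or `foundByFqdn` when those are also non-null — a stale DB row for a different node that reused this address would be adopted silently, and the branch sits ahead of the final `else` that otherwise reports a uuid/fqdn mismatch. Suggest verifying identity before adopting it: `if (foundByUuid != null && !foundByUuid.getUuid().equals(foundByIp4.getUuid())) return die("initSelf: node found by ip4 ("+foundByIp4.id()+") differs from node found by uuid ("+foundByUuid.id()+")");` followed by `return ensureRunning(foundByIp4);`, assuming `ensureRunning` is safe to call on an already-persisted node (its contract is not visible here). The method begins and ends outside the hunk.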
diff --git a/bubble-server/src/test/resources/models/tests/auth/change_password.json b/bubble-server/src/test/resources/models/tests/auth/change_password.json
index 1e400c8b..223dc632 100644
--- a/bubble-server/src/test/resources/models/tests/auth/change_password.json
+++ b/bubble-server/src/test/resources/models/tests/auth/change_password.json
@@ -427,6 +427,14 @@
     }
   },
 
+  {
+    "comment": "as second admin, read self-profile, succeeds. verify we are admin",
+    "request": { "uri": "me" },
+    "response": {
+      "check": [ {"condition": "json.admin() == true"} ]
+    }
+  },
+
   {
     "comment": "as root user, try to change admin user password without sending current password, fails",
     "request": {
@@ -438,7 +446,7 @@
     },
     "response": {
       "status": 422,
-      "check": [ {"condition": "json.has('err.password.invalid')"} ]
+      "check": [ {"condition": "json.has('err.currentPassword.invalid')"} ]
     }
   },
 
diff --git a/bubble-web b/bubble-web
index 689734e6..194dbc00 160000
--- a/bubble-web
+++ b/bubble-web
@@ -1 +1 @@
-Subproject commit 689734e6c9fa7a51cbe19b47105520d0801c47f0
+Subproject commit 194dbc005456a36dc8bbebff2fa7726fa03281a5
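Review bot: The expected error key in the second hunk moves from `err.password.invalid` to `err.currentPassword.invalid`, but no server-side hunk in this patch introduces that key, so it presumably already exists elsewhere in the server; confirm that the missing-current-password path really emits `err.currentPassword.invalid` rather than the assertion being loosened to match a changed message. The first hunk at -427 adds a self-profile admin check and reads fine as written.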