From 4369c9d708963204dfe2551a72116267a2ff0e48 Mon Sep 17 00:00:00 2001
From: Michael Desa
Date: Wed, 13 Dec 2017 17:38:57 -0800
Subject: [PATCH] Add SuperAdmin to default org, even if private
Add user to default org if org is public
---
 server/me.go | 33 ++++++++++++------------
 server/me_test.go | 66 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 83 insertions(+), 16 deletions(-)
diff --git a/server/me.go b/server/me.go
index f6ea7fe37c..5dcdb726eb 100644
--- a/server/me.go
+++ b/server/me.go
@@ -206,6 +206,23 @@ func (s *Service) Me(w http.ResponseWriter, r *http.Request) {
 }
 
 if usr != nil {
+
+ if defaultOrg.Public || usr.SuperAdmin == true {
+ // If the default organization is public, or the user is a super admin
+ // they will always have a role in the default organization
+ defaultOrgID := fmt.Sprintf("%d", defaultOrg.ID)
+ if !hasRoleInDefaultOrganization(usr, defaultOrgID) {
+ usr.Roles = append(usr.Roles, chronograf.Role{
+ Organization: defaultOrgID,
+ Name: defaultOrg.DefaultRole,
+ })
+ if err := s.Store.Users(serverCtx).Update(serverCtx, usr); err != nil {
+ unknownErrorWithMessage(w, err, s.Logger)
+ return
+ }
+ }
+ }
+
 // If the default org is private and the user has no roles, they should not have access
 if !defaultOrg.Public && len(usr.Roles) == 0 {
 Error(w, http.StatusForbidden, "This organization is private. To gain access, you must be explicitly added by an administrator.", s.Logger)
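Review bot: `usr.SuperAdmin == true` in the new condition compares a bool to a literal; write `if defaultOrg.Public || usr.SuperAdmin {`. The comment above it should also say that the grant outlives the request, since the branch calls `Users(serverCtx).Update`, so a super admin's first `/me` call against a private default org writes a persistent `DefaultRole` membership for them — something like `// The membership is written through Update, so the grant survives this request`. Because this now creates access to a private org from a read handler, it is worth recording the grant through s.Logger so it is visible in the logs. The blank `+` line directly under `if usr != nil {` is noise that gofmt will keep; drop it. The `if usr != nil` block and the Me handler both continue past the end of this hunk.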
@@ -227,22 +244,6 @@ func (s *Service) Me(w http.ResponseWriter, r *http.Request) {
 return
 }
 
- if defaultOrg.Public {
- defaultOrgID := fmt.Sprintf("%d", defaultOrg.ID)
- // If a user was added via the API, they might not yet be a member of the default organization
- // Here we check to verify that they are a user in the default organization
- if !hasRoleInDefaultOrganization(usr, defaultOrgID) {
- usr.Roles = append(usr.Roles, chronograf.Role{
- Organization: defaultOrgID,
- Name: defaultOrg.DefaultRole,
- })
- if err := s.Store.Users(serverCtx).Update(serverCtx, usr); err != nil {
- unknownErrorWithMessage(w, err, s.Logger)
- return
- }
- }
- }
-
 orgs, err := s.usersOrganizations(serverCtx, usr)
 if err != nil {
 unknownErrorWithMessage(w, err, s.Logger)
diff --git a/server/me_test.go b/server/me_test.go
index c118baccbe..3db1b4844e 100644
--- a/server/me_test.go
+++ b/server/me_test.go
@@ -106,6 +106,72 @@ func TestService_Me(t *testing.T) {
 wantContentType: "application/json",
 wantBody: `{"code":403,"message":"This organization is private. To gain access, you must be explicitly added by an administrator."}`,
 },
+ {
+ name: "Existing user - private default org and user is a super admin",
+ args: args{
+ w: httptest.NewRecorder(),
+ r: httptest.NewRequest("GET", "http://example.com/foo", nil),
+ },
+ fields: fields{
+ UseAuth: true,
+ Logger: log.New(log.DebugLevel),
+ OrganizationsStore: &mocks.OrganizationsStore{
+ DefaultOrganizationF: func(ctx context.Context) (*chronograf.Organization, error) {
+ return &chronograf.Organization{
+ ID: 0,
+ Name: "Default",
+ DefaultRole: roles.ViewerRoleName,
+ Public: false,
+ }, nil
+ },
+ GetF: func(ctx context.Context, q chronograf.OrganizationQuery) (*chronograf.Organization, error) {
+ switch *q.ID {
+ case 0:
+ return &chronograf.Organization{
+ ID: 0,
+ Name: "Default",
+ DefaultRole: roles.ViewerRoleName,
+ Public: true,
+ }, nil
+ case 1:
+ return &chronograf.Organization{
+ ID: 1,
+ Name: "The Bad Place",
+ Public: true,
+ }, nil
+ }
+ return nil, nil
+ },
+ },
+ UsersStore: &mocks.UsersStore{
+ NumF: func(ctx context.Context) (int, error) {
+ // This function gets to verify that there is at least one first user
+ return 1, nil
+ },
+ GetF: func(ctx context.Context, q chronograf.UserQuery) (*chronograf.User, error) {
+ if q.Name == nil || q.Provider == nil || q.Scheme == nil {
+ return nil, fmt.Errorf("Invalid user query: missing Name, Provider, and/or Scheme")
+ }
+ return &chronograf.User{
+ Name: "me",
+ Provider: "github",
+ Scheme: "oauth2",
+ SuperAdmin: true,
+ }, nil
+ },
+ UpdateF: func(ctx context.Context, u *chronograf.User) error {
+ return nil
+ },
+ },
+ },
+ principal: oauth2.Principal{
+ Subject: "me",
+ Issuer: "github",
+ },
+ wantStatus: http.StatusOK,
+ wantContentType: "application/json",
+ wantBody: `{"name":"me","roles":[{"name":"viewer","organization":"0"}],"provider":"github","scheme":"oauth2","superAdmin":true,"links":{"self":"/chronograf/v1/users/0"},"organizations":[{"id":"0","name":"Default","defaultRole":"viewer","public":true}],"currentOrganization":{"id":"0","name":"Default","defaultRole":"viewer","public":true}}`,
+ },
 {
 name: "Existing user - private default org",
 args: args{
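Review bot: The fixture for "Existing user - private default org and user is a super admin" contradicts itself: `DefaultOrganizationF` returns the default org with `Public: false`, while `GetF`'s `case 0` returns the same org with `Public: true`, which is why wantBody carries `"public":true` for both organizations and currentOrganization. If the case is meant to exercise a private default org end to end, `case 0` should return `Public: false,` and both `"public"` fields in wantBody should become `false`. The `UpdateF` stub also discards the user it is handed, so nothing asserts that the persisted role is `viewer` for organization `"0"`; capturing `u.Roles` in the stub and checking it after the call would pin the behavior the commit adds. The TestService_Me table continues beyond this hunk.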