2017-12-20 17:52:21 -06:00
|
|
|
package api
|
|
|
|
|
|
|
|
|
|
import (
|
2021-12-01 08:43:31 -06:00
|
|
|
"context"
|
2020-11-13 02:52:38 -06:00
|
|
|
"fmt"
|
2022-02-11 12:43:29 -06:00
|
|
|
"io"
|
|
|
|
|
"net/http"
|
2023-01-09 02:59:14 -06:00
|
|
|
"strings"
|
2017-12-20 17:52:21 -06:00
|
|
|
"testing"
|
|
|
|
|
|
2022-03-18 11:33:21 -05:00
|
|
|
"github.com/stretchr/testify/assert"
|
2022-05-23 10:14:27 -05:00
|
|
|
"github.com/stretchr/testify/mock"
|
2022-03-18 11:33:21 -05:00
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
|
|
2017-12-20 17:52:21 -06:00
|
|
|
"github.com/grafana/grafana/pkg/api/dtos"
|
2021-01-15 07:43:20 -06:00
|
|
|
"github.com/grafana/grafana/pkg/api/response"
|
|
|
|
|
"github.com/grafana/grafana/pkg/api/routing"
|
2022-10-19 08:02:15 -05:00
|
|
|
"github.com/grafana/grafana/pkg/infra/db"
|
2023-01-18 09:01:25 -06:00
|
|
|
"github.com/grafana/grafana/pkg/infra/db/dbtest"
|
2022-02-11 12:43:29 -06:00
|
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
2023-01-09 02:59:14 -06:00
|
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol/acimpl"
|
2017-12-20 17:52:21 -06:00
|
|
|
"github.com/grafana/grafana/pkg/services/annotations"
|
2022-09-19 02:54:37 -05:00
|
|
|
"github.com/grafana/grafana/pkg/services/annotations/annotationstest"
|
2023-01-27 01:50:36 -06:00
|
|
|
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
|
2022-05-17 13:52:22 -05:00
|
|
|
"github.com/grafana/grafana/pkg/services/dashboards"
|
2022-03-21 04:49:49 -05:00
|
|
|
"github.com/grafana/grafana/pkg/services/guardian"
|
2022-08-10 04:56:48 -05:00
|
|
|
"github.com/grafana/grafana/pkg/services/org"
|
2022-09-20 11:58:04 -05:00
|
|
|
"github.com/grafana/grafana/pkg/services/team/teamtest"
|
2023-01-09 02:59:14 -06:00
|
|
|
"github.com/grafana/grafana/pkg/setting"
|
|
|
|
|
"github.com/grafana/grafana/pkg/web/webtest"
|
2017-12-20 17:52:21 -06:00
|
|
|
)
|
|
|
|
|
|
2020-11-13 02:52:38 -06:00
|
|
|
func TestAnnotationsAPIEndpoint(t *testing.T) {
|
2022-03-18 11:33:21 -05:00
|
|
|
hs := setupSimpleHTTPServer(nil)
|
2022-10-19 08:02:15 -05:00
|
|
|
store := db.InitTestDB(t)
|
2022-03-18 11:33:21 -05:00
|
|
|
store.Cfg = hs.Cfg
|
|
|
|
|
hs.SQLStore = store
|
|
|
|
|
|
2020-11-13 02:52:38 -06:00
|
|
|
t.Run("Given an annotation without a dashboard ID", func(t *testing.T) {
|
2017-12-20 17:52:21 -06:00
|
|
|
cmd := dtos.PostAnnotationsCmd{
|
2019-08-16 03:49:30 -05:00
|
|
|
Time: 1000,
|
|
|
|
|
Text: "annotation text",
|
|
|
|
|
Tags: []string{"tag1", "tag2"},
|
2017-12-20 17:52:21 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
updateCmd := dtos.UpdateAnnotationsCmd{
|
2019-08-16 03:49:30 -05:00
|
|
|
Time: 1000,
|
|
|
|
|
Text: "annotation text",
|
|
|
|
|
Tags: []string{"tag1", "tag2"},
|
2017-12-20 17:52:21 -06:00
|
|
|
}
|
|
|
|
|
|
2019-01-27 05:49:22 -06:00
|
|
|
patchCmd := dtos.PatchAnnotationsCmd{
|
|
|
|
|
Time: 1000,
|
|
|
|
|
Text: "annotation text",
|
|
|
|
|
Tags: []string{"tag1", "tag2"},
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-13 02:52:38 -06:00
|
|
|
t.Run("When user is an Org Viewer", func(t *testing.T) {
|
2022-08-10 04:56:48 -05:00
|
|
|
role := org.RoleViewer
|
2020-11-13 02:52:38 -06:00
|
|
|
t.Run("Should not be allowed to save an annotation", func(t *testing.T) {
|
|
|
|
|
postAnnotationScenario(t, "When calling POST on", "/api/annotations", "/api/annotations", role,
|
2022-05-23 10:14:27 -05:00
|
|
|
cmd, store, nil, func(sc *scenarioContext) {
|
2020-11-13 02:52:38 -06:00
|
|
|
sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
|
|
|
|
|
assert.Equal(t, 403, sc.resp.Code)
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
putAnnotationScenario(t, "When calling PUT on", "/api/annotations/1", "/api/annotations/:annotationId",
|
|
|
|
|
role, updateCmd, func(sc *scenarioContext) {
|
|
|
|
|
sc.fakeReqWithParams("PUT", sc.url, map[string]string{}).exec()
|
|
|
|
|
assert.Equal(t, 403, sc.resp.Code)
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
patchAnnotationScenario(t, "When calling PATCH on", "/api/annotations/1",
|
|
|
|
|
"/api/annotations/:annotationId", role, patchCmd, func(sc *scenarioContext) {
|
|
|
|
|
sc.fakeReqWithParams("PATCH", sc.url, map[string]string{}).exec()
|
|
|
|
|
assert.Equal(t, 403, sc.resp.Code)
|
|
|
|
|
})
|
|
|
|
|
|
2023-01-18 09:01:25 -06:00
|
|
|
mock := dbtest.NewFakeDB()
|
2020-11-13 02:52:38 -06:00
|
|
|
loggedInUserScenarioWithRole(t, "When calling DELETE on", "DELETE", "/api/annotations/1",
|
|
|
|
|
"/api/annotations/:annotationId", role, func(sc *scenarioContext) {
|
2022-03-18 11:33:21 -05:00
|
|
|
sc.handlerFunc = hs.DeleteAnnotationByID
|
2020-11-13 02:52:38 -06:00
|
|
|
sc.fakeReqWithParams("DELETE", sc.url, map[string]string{}).exec()
|
|
|
|
|
assert.Equal(t, 403, sc.resp.Code)
|
2022-02-03 02:20:20 -06:00
|
|
|
}, mock)
|
2017-12-20 17:52:21 -06:00
|
|
|
})
|
|
|
|
|
})
|
|
|
|
|
|
2020-11-13 02:52:38 -06:00
|
|
|
t.Run("When user is an Org Editor", func(t *testing.T) {
|
2022-08-10 04:56:48 -05:00
|
|
|
role := org.RoleEditor
|
2020-11-13 02:52:38 -06:00
|
|
|
t.Run("Should be able to save an annotation", func(t *testing.T) {
|
|
|
|
|
postAnnotationScenario(t, "When calling POST on", "/api/annotations", "/api/annotations", role,
|
2022-05-23 10:14:27 -05:00
|
|
|
cmd, store, nil, func(sc *scenarioContext) {
|
2020-11-13 02:52:38 -06:00
|
|
|
sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
|
|
|
|
|
assert.Equal(t, 200, sc.resp.Code)
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
putAnnotationScenario(t, "When calling PUT on", "/api/annotations/1", "/api/annotations/:annotationId", role, updateCmd, func(sc *scenarioContext) {
|
2017-12-20 17:52:21 -06:00
|
|
|
sc.fakeReqWithParams("PUT", sc.url, map[string]string{}).exec()
|
2020-11-13 02:52:38 -06:00
|
|
|
assert.Equal(t, 200, sc.resp.Code)
|
2017-12-20 17:52:21 -06:00
|
|
|
})
|
|
|
|
|
|
2020-11-13 02:52:38 -06:00
|
|
|
patchAnnotationScenario(t, "When calling PATCH on", "/api/annotations/1", "/api/annotations/:annotationId", role, patchCmd, func(sc *scenarioContext) {
|
2019-01-27 05:49:22 -06:00
|
|
|
sc.fakeReqWithParams("PATCH", sc.url, map[string]string{}).exec()
|
2020-11-13 02:52:38 -06:00
|
|
|
assert.Equal(t, 200, sc.resp.Code)
|
2019-01-27 05:49:22 -06:00
|
|
|
})
|
2023-01-18 09:01:25 -06:00
|
|
|
mock := dbtest.NewFakeDB()
|
2020-11-13 02:52:38 -06:00
|
|
|
loggedInUserScenarioWithRole(t, "When calling DELETE on", "DELETE", "/api/annotations/1",
|
|
|
|
|
"/api/annotations/:annotationId", role, func(sc *scenarioContext) {
|
2022-03-18 11:33:21 -05:00
|
|
|
sc.handlerFunc = hs.DeleteAnnotationByID
|
2020-11-13 02:52:38 -06:00
|
|
|
sc.fakeReqWithParams("DELETE", sc.url, map[string]string{}).exec()
|
|
|
|
|
assert.Equal(t, 200, sc.resp.Code)
|
2022-02-03 02:20:20 -06:00
|
|
|
}, mock)
|
2017-12-20 17:52:21 -06:00
|
|
|
})
|
|
|
|
|
})
|
|
|
|
|
})
|
|
|
|
|
|
2020-11-13 02:52:38 -06:00
|
|
|
t.Run("Given an annotation with a dashboard ID and the dashboard does not have an ACL", func(t *testing.T) {
|
2017-12-20 17:52:21 -06:00
|
|
|
cmd := dtos.PostAnnotationsCmd{
|
|
|
|
|
Time: 1000,
|
|
|
|
|
Text: "annotation text",
|
|
|
|
|
Tags: []string{"tag1", "tag2"},
|
|
|
|
|
DashboardId: 1,
|
|
|
|
|
PanelId: 1,
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-02 04:35:36 -05:00
|
|
|
dashboardUIDCmd := dtos.PostAnnotationsCmd{
|
|
|
|
|
Time: 1000,
|
|
|
|
|
Text: "annotation text",
|
|
|
|
|
Tags: []string{"tag1", "tag2"},
|
|
|
|
|
DashboardUID: "home",
|
|
|
|
|
PanelId: 1,
|
|
|
|
|
}
|
|
|
|
|
|
2017-12-20 17:52:21 -06:00
|
|
|
updateCmd := dtos.UpdateAnnotationsCmd{
|
2019-08-16 03:49:30 -05:00
|
|
|
Time: 1000,
|
|
|
|
|
Text: "annotation text",
|
|
|
|
|
Tags: []string{"tag1", "tag2"},
|
|
|
|
|
Id: 1,
|
2017-12-20 17:52:21 -06:00
|
|
|
}
|
|
|
|
|
|
2019-01-27 05:49:22 -06:00
|
|
|
patchCmd := dtos.PatchAnnotationsCmd{
|
|
|
|
|
Time: 8000,
|
|
|
|
|
Text: "annotation text 50",
|
|
|
|
|
Tags: []string{"foo", "bar"},
|
|
|
|
|
Id: 1,
|
|
|
|
|
}
|
|
|
|
|
|
2022-03-23 16:39:00 -05:00
|
|
|
deleteCmd := dtos.MassDeleteAnnotationsCmd{
|
2018-06-25 06:58:49 -05:00
|
|
|
DashboardId: 1,
|
|
|
|
|
PanelId: 1,
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-02 04:35:36 -05:00
|
|
|
deleteWithDashboardUIDCmd := dtos.MassDeleteAnnotationsCmd{
|
|
|
|
|
DashboardUID: "home",
|
|
|
|
|
PanelId: 1,
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-13 02:52:38 -06:00
|
|
|
t.Run("When user is an Org Viewer", func(t *testing.T) {
|
2022-08-10 04:56:48 -05:00
|
|
|
role := org.RoleViewer
|
2022-12-15 08:34:17 -06:00
|
|
|
dashSvc := dashboards.NewFakeDashboardService(t)
|
2020-11-13 02:52:38 -06:00
|
|
|
t.Run("Should not be allowed to save an annotation", func(t *testing.T) {
|
2022-12-15 08:34:17 -06:00
|
|
|
postAnnotationScenario(t, "When calling POST on", "/api/annotations", "/api/annotations", role, cmd, store, dashSvc, func(sc *scenarioContext) {
|
2022-02-11 12:43:29 -06:00
|
|
|
setUpACL()
|
2017-12-20 17:52:21 -06:00
|
|
|
sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
|
2020-11-13 02:52:38 -06:00
|
|
|
assert.Equal(t, 403, sc.resp.Code)
|
2017-12-20 17:52:21 -06:00
|
|
|
})
|
|
|
|
|
|
2020-11-13 02:52:38 -06:00
|
|
|
putAnnotationScenario(t, "When calling PUT on", "/api/annotations/1", "/api/annotations/:annotationId", role, updateCmd, func(sc *scenarioContext) {
|
2022-02-11 12:43:29 -06:00
|
|
|
setUpACL()
|
2017-12-20 17:52:21 -06:00
|
|
|
sc.fakeReqWithParams("PUT", sc.url, map[string]string{}).exec()
|
2020-11-13 02:52:38 -06:00
|
|
|
assert.Equal(t, 403, sc.resp.Code)
|
2017-12-20 17:52:21 -06:00
|
|
|
})
|
|
|
|
|
|
2020-11-13 02:52:38 -06:00
|
|
|
patchAnnotationScenario(t, "When calling PATCH on", "/api/annotations/1", "/api/annotations/:annotationId", role, patchCmd, func(sc *scenarioContext) {
|
2022-02-11 12:43:29 -06:00
|
|
|
setUpACL()
|
2019-01-27 05:49:22 -06:00
|
|
|
sc.fakeReqWithParams("PATCH", sc.url, map[string]string{}).exec()
|
2020-11-13 02:52:38 -06:00
|
|
|
assert.Equal(t, 403, sc.resp.Code)
|
2019-01-27 05:49:22 -06:00
|
|
|
})
|
2023-01-18 09:01:25 -06:00
|
|
|
mock := dbtest.NewFakeDB()
|
2020-11-13 02:52:38 -06:00
|
|
|
loggedInUserScenarioWithRole(t, "When calling DELETE on", "DELETE", "/api/annotations/1",
|
|
|
|
|
"/api/annotations/:annotationId", role, func(sc *scenarioContext) {
|
2022-02-11 12:43:29 -06:00
|
|
|
setUpACL()
|
2022-03-18 11:33:21 -05:00
|
|
|
sc.handlerFunc = hs.DeleteAnnotationByID
|
2020-11-13 02:52:38 -06:00
|
|
|
sc.fakeReqWithParams("DELETE", sc.url, map[string]string{}).exec()
|
|
|
|
|
assert.Equal(t, 403, sc.resp.Code)
|
2022-02-03 02:20:20 -06:00
|
|
|
}, mock)
|
2017-12-20 17:52:21 -06:00
|
|
|
})
|
|
|
|
|
})
|
|
|
|
|
|
2020-11-13 02:52:38 -06:00
|
|
|
t.Run("When user is an Org Editor", func(t *testing.T) {
|
2022-08-10 04:56:48 -05:00
|
|
|
role := org.RoleEditor
|
2020-11-13 02:52:38 -06:00
|
|
|
t.Run("Should be able to save an annotation", func(t *testing.T) {
|
2022-12-15 08:34:17 -06:00
|
|
|
dashSvc := dashboards.NewFakeDashboardService(t)
|
|
|
|
|
postAnnotationScenario(t, "When calling POST on", "/api/annotations", "/api/annotations", role, cmd, store, dashSvc, func(sc *scenarioContext) {
|
2022-02-11 12:43:29 -06:00
|
|
|
setUpACL()
|
2017-12-20 17:52:21 -06:00
|
|
|
sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
|
2020-11-13 02:52:38 -06:00
|
|
|
assert.Equal(t, 200, sc.resp.Code)
|
2017-12-20 17:52:21 -06:00
|
|
|
})
|
|
|
|
|
|
2020-11-13 02:52:38 -06:00
|
|
|
putAnnotationScenario(t, "When calling PUT on", "/api/annotations/1", "/api/annotations/:annotationId", role, updateCmd, func(sc *scenarioContext) {
|
2022-02-11 12:43:29 -06:00
|
|
|
setUpACL()
|
2017-12-20 17:52:21 -06:00
|
|
|
sc.fakeReqWithParams("PUT", sc.url, map[string]string{}).exec()
|
2020-11-13 02:52:38 -06:00
|
|
|
assert.Equal(t, 200, sc.resp.Code)
|
2017-12-20 17:52:21 -06:00
|
|
|
})
|
|
|
|
|
|
2020-11-13 02:52:38 -06:00
|
|
|
patchAnnotationScenario(t, "When calling PATCH on", "/api/annotations/1", "/api/annotations/:annotationId", role, patchCmd, func(sc *scenarioContext) {
|
2022-02-11 12:43:29 -06:00
|
|
|
setUpACL()
|
2019-01-27 05:49:22 -06:00
|
|
|
sc.fakeReqWithParams("PATCH", sc.url, map[string]string{}).exec()
|
2020-11-13 02:52:38 -06:00
|
|
|
assert.Equal(t, 200, sc.resp.Code)
|
2019-01-27 05:49:22 -06:00
|
|
|
})
|
2023-01-18 09:01:25 -06:00
|
|
|
mock := dbtest.NewFakeDB()
|
2020-11-13 02:52:38 -06:00
|
|
|
loggedInUserScenarioWithRole(t, "When calling DELETE on", "DELETE", "/api/annotations/1",
|
|
|
|
|
"/api/annotations/:annotationId", role, func(sc *scenarioContext) {
|
2022-02-11 12:43:29 -06:00
|
|
|
setUpACL()
|
2022-03-18 11:33:21 -05:00
|
|
|
sc.handlerFunc = hs.DeleteAnnotationByID
|
2020-11-13 02:52:38 -06:00
|
|
|
sc.fakeReqWithParams("DELETE", sc.url, map[string]string{}).exec()
|
|
|
|
|
assert.Equal(t, 200, sc.resp.Code)
|
2022-02-03 02:20:20 -06:00
|
|
|
}, mock)
|
2017-12-20 17:52:21 -06:00
|
|
|
})
|
|
|
|
|
})
|
2018-06-25 06:58:49 -05:00
|
|
|
|
2020-11-13 02:52:38 -06:00
|
|
|
t.Run("When user is an Admin", func(t *testing.T) {
|
2022-08-10 04:56:48 -05:00
|
|
|
role := org.RoleAdmin
|
2022-05-02 04:35:36 -05:00
|
|
|
|
2023-01-18 09:01:25 -06:00
|
|
|
mockStore := dbtest.NewFakeDB()
|
2022-05-02 04:35:36 -05:00
|
|
|
|
2020-11-13 02:52:38 -06:00
|
|
|
t.Run("Should be able to do anything", func(t *testing.T) {
|
2022-05-23 10:14:27 -05:00
|
|
|
dashSvc := dashboards.NewFakeDashboardService(t)
|
2023-01-25 03:36:26 -06:00
|
|
|
result := &dashboards.Dashboard{}
|
|
|
|
|
dashSvc.On("GetDashboard", mock.Anything, mock.AnythingOfType("*dashboards.GetDashboardQuery")).Return(result, nil)
|
2022-12-15 08:34:17 -06:00
|
|
|
postAnnotationScenario(t, "When calling POST on", "/api/annotations", "/api/annotations", role, cmd, store, dashSvc, func(sc *scenarioContext) {
|
|
|
|
|
setUpACL()
|
|
|
|
|
sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
|
|
|
|
|
assert.Equal(t, 200, sc.resp.Code)
|
|
|
|
|
})
|
|
|
|
|
|
2022-05-23 10:14:27 -05:00
|
|
|
postAnnotationScenario(t, "When calling POST on", "/api/annotations", "/api/annotations", role, dashboardUIDCmd, mockStore, dashSvc, func(sc *scenarioContext) {
|
2022-02-11 12:43:29 -06:00
|
|
|
setUpACL()
|
2018-06-25 06:58:49 -05:00
|
|
|
sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
|
2020-11-13 02:52:38 -06:00
|
|
|
assert.Equal(t, 200, sc.resp.Code)
|
2023-01-25 03:36:26 -06:00
|
|
|
|
2023-01-16 09:33:55 -06:00
|
|
|
dashSvc.AssertCalled(t, "GetDashboard", mock.Anything, mock.AnythingOfType("*dashboards.GetDashboardQuery"))
|
2018-06-25 06:58:49 -05:00
|
|
|
})
|
|
|
|
|
|
2020-11-13 02:52:38 -06:00
|
|
|
putAnnotationScenario(t, "When calling PUT on", "/api/annotations/1", "/api/annotations/:annotationId", role, updateCmd, func(sc *scenarioContext) {
|
2022-02-11 12:43:29 -06:00
|
|
|
setUpACL()
|
2018-06-25 06:58:49 -05:00
|
|
|
sc.fakeReqWithParams("PUT", sc.url, map[string]string{}).exec()
|
2020-11-13 02:52:38 -06:00
|
|
|
assert.Equal(t, 200, sc.resp.Code)
|
2018-06-25 06:58:49 -05:00
|
|
|
})
|
2019-01-27 05:49:22 -06:00
|
|
|
|
2020-11-13 02:52:38 -06:00
|
|
|
patchAnnotationScenario(t, "When calling PATCH on", "/api/annotations/1", "/api/annotations/:annotationId", role, patchCmd, func(sc *scenarioContext) {
|
2022-02-11 12:43:29 -06:00
|
|
|
setUpACL()
|
2019-01-27 05:49:22 -06:00
|
|
|
sc.fakeReqWithParams("PATCH", sc.url, map[string]string{}).exec()
|
2020-11-13 02:52:38 -06:00
|
|
|
assert.Equal(t, 200, sc.resp.Code)
|
2019-01-27 05:49:22 -06:00
|
|
|
})
|
|
|
|
|
|
2020-11-13 02:52:38 -06:00
|
|
|
deleteAnnotationsScenario(t, "When calling POST on", "/api/annotations/mass-delete",
|
2022-05-23 10:14:27 -05:00
|
|
|
"/api/annotations/mass-delete", role, deleteCmd, store, nil, func(sc *scenarioContext) {
|
2022-05-02 04:35:36 -05:00
|
|
|
setUpACL()
|
|
|
|
|
sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
|
|
|
|
|
assert.Equal(t, 200, sc.resp.Code)
|
|
|
|
|
})
|
|
|
|
|
|
2022-05-23 10:14:27 -05:00
|
|
|
dashSvc = dashboards.NewFakeDashboardService(t)
|
2023-01-25 03:36:26 -06:00
|
|
|
result = &dashboards.Dashboard{
|
|
|
|
|
ID: 1,
|
|
|
|
|
UID: deleteWithDashboardUIDCmd.DashboardUID,
|
|
|
|
|
}
|
2023-01-16 09:33:55 -06:00
|
|
|
dashSvc.On("GetDashboard", mock.Anything, mock.AnythingOfType("*dashboards.GetDashboardQuery")).Run(func(args mock.Arguments) {
|
|
|
|
|
q := args.Get(1).(*dashboards.GetDashboardQuery)
|
2023-01-25 03:36:26 -06:00
|
|
|
result = &dashboards.Dashboard{
|
|
|
|
|
ID: q.ID,
|
2023-01-16 09:33:55 -06:00
|
|
|
UID: deleteWithDashboardUIDCmd.DashboardUID,
|
2022-05-23 10:14:27 -05:00
|
|
|
}
|
2023-01-25 03:36:26 -06:00
|
|
|
}).Return(result, nil)
|
2022-05-02 04:35:36 -05:00
|
|
|
deleteAnnotationsScenario(t, "When calling POST with dashboardUID on", "/api/annotations/mass-delete",
|
2022-05-23 10:14:27 -05:00
|
|
|
"/api/annotations/mass-delete", role, deleteWithDashboardUIDCmd, mockStore, dashSvc, func(sc *scenarioContext) {
|
2022-02-11 12:43:29 -06:00
|
|
|
setUpACL()
|
2020-11-13 02:52:38 -06:00
|
|
|
sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
|
|
|
|
|
assert.Equal(t, 200, sc.resp.Code)
|
2023-01-16 09:33:55 -06:00
|
|
|
dashSvc.AssertCalled(t, "GetDashboard", mock.Anything, mock.AnythingOfType("*dashboards.GetDashboardQuery"))
|
2020-11-13 02:52:38 -06:00
|
|
|
})
|
2018-06-25 06:58:49 -05:00
|
|
|
})
|
|
|
|
|
})
|
2017-12-20 17:52:21 -06:00
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-10 04:56:48 -05:00
|
|
|
func postAnnotationScenario(t *testing.T, desc string, url string, routePattern string, role org.RoleType,
|
2023-01-25 03:36:26 -06:00
|
|
|
cmd dtos.PostAnnotationsCmd, store db.DB, dashSvc *dashboards.FakeDashboardService, fn scenarioFunc) {
|
2020-11-13 02:52:38 -06:00
|
|
|
t.Run(fmt.Sprintf("%s %s", desc, url), func(t *testing.T) {
|
2022-03-18 11:33:21 -05:00
|
|
|
hs := setupSimpleHTTPServer(nil)
|
|
|
|
|
hs.SQLStore = store
|
2022-07-06 13:42:39 -05:00
|
|
|
hs.DashboardService = dashSvc
|
2022-03-18 11:33:21 -05:00
|
|
|
|
2020-11-13 02:52:38 -06:00
|
|
|
sc := setupScenarioContext(t, url)
|
2023-01-25 03:36:26 -06:00
|
|
|
sc.dashboardService = dashSvc
|
|
|
|
|
|
2023-01-27 01:50:36 -06:00
|
|
|
sc.defaultHandler = routing.Wrap(func(c *contextmodel.ReqContext) response.Response {
|
2021-11-29 03:18:01 -06:00
|
|
|
c.Req.Body = mockRequestBody(cmd)
|
2022-02-09 06:44:38 -06:00
|
|
|
c.Req.Header.Add("Content-Type", "application/json")
|
2017-12-20 17:52:21 -06:00
|
|
|
sc.context = c
|
2022-08-11 06:28:55 -05:00
|
|
|
sc.context.UserID = testUserID
|
|
|
|
|
sc.context.OrgID = testOrgID
|
2017-12-20 17:52:21 -06:00
|
|
|
sc.context.OrgRole = role
|
2022-03-18 11:33:21 -05:00
|
|
|
return hs.PostAnnotation(c)
|
2017-12-20 17:52:21 -06:00
|
|
|
})
|
|
|
|
|
|
|
|
|
|
sc.m.Post(routePattern, sc.defaultHandler)
|
|
|
|
|
fn(sc)
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-10 04:56:48 -05:00
|
|
|
func putAnnotationScenario(t *testing.T, desc string, url string, routePattern string, role org.RoleType,
|
2020-11-13 02:52:38 -06:00
|
|
|
cmd dtos.UpdateAnnotationsCmd, fn scenarioFunc) {
|
|
|
|
|
t.Run(fmt.Sprintf("%s %s", desc, url), func(t *testing.T) {
|
2022-03-18 11:33:21 -05:00
|
|
|
hs := setupSimpleHTTPServer(nil)
|
2022-10-19 08:02:15 -05:00
|
|
|
store := db.InitTestDB(t)
|
2022-03-18 11:33:21 -05:00
|
|
|
store.Cfg = hs.Cfg
|
|
|
|
|
hs.SQLStore = store
|
|
|
|
|
|
2020-11-13 02:52:38 -06:00
|
|
|
sc := setupScenarioContext(t, url)
|
2023-01-27 01:50:36 -06:00
|
|
|
sc.defaultHandler = routing.Wrap(func(c *contextmodel.ReqContext) response.Response {
|
2021-11-29 03:18:01 -06:00
|
|
|
c.Req.Body = mockRequestBody(cmd)
|
2022-02-09 06:44:38 -06:00
|
|
|
c.Req.Header.Add("Content-Type", "application/json")
|
2017-12-20 17:52:21 -06:00
|
|
|
sc.context = c
|
2022-08-11 06:28:55 -05:00
|
|
|
sc.context.UserID = testUserID
|
|
|
|
|
sc.context.OrgID = testOrgID
|
2017-12-20 17:52:21 -06:00
|
|
|
sc.context.OrgRole = role
|
|
|
|
|
|
2022-03-18 11:33:21 -05:00
|
|
|
return hs.UpdateAnnotation(c)
|
2017-12-20 17:52:21 -06:00
|
|
|
})
|
|
|
|
|
|
|
|
|
|
sc.m.Put(routePattern, sc.defaultHandler)
|
|
|
|
|
|
|
|
|
|
fn(sc)
|
|
|
|
|
})
|
|
|
|
|
}
|
2018-06-25 06:58:49 -05:00
|
|
|
|
2022-08-10 04:56:48 -05:00
|
|
|
func patchAnnotationScenario(t *testing.T, desc string, url string, routePattern string, role org.RoleType, cmd dtos.PatchAnnotationsCmd, fn scenarioFunc) {
|
2020-11-13 02:52:38 -06:00
|
|
|
t.Run(fmt.Sprintf("%s %s", desc, url), func(t *testing.T) {
|
2022-03-18 11:33:21 -05:00
|
|
|
hs := setupSimpleHTTPServer(nil)
|
2022-10-19 08:02:15 -05:00
|
|
|
store := db.InitTestDB(t)
|
2022-03-18 11:33:21 -05:00
|
|
|
store.Cfg = hs.Cfg
|
|
|
|
|
hs.SQLStore = store
|
|
|
|
|
|
2020-11-13 02:52:38 -06:00
|
|
|
sc := setupScenarioContext(t, url)
|
2023-01-27 01:50:36 -06:00
|
|
|
sc.defaultHandler = routing.Wrap(func(c *contextmodel.ReqContext) response.Response {
|
2021-11-29 03:18:01 -06:00
|
|
|
c.Req.Body = mockRequestBody(cmd)
|
2022-02-09 06:44:38 -06:00
|
|
|
c.Req.Header.Add("Content-Type", "application/json")
|
2019-01-27 05:49:22 -06:00
|
|
|
sc.context = c
|
2022-08-11 06:28:55 -05:00
|
|
|
sc.context.UserID = testUserID
|
|
|
|
|
sc.context.OrgID = testOrgID
|
2019-01-27 05:49:22 -06:00
|
|
|
sc.context.OrgRole = role
|
|
|
|
|
|
2022-03-18 11:33:21 -05:00
|
|
|
return hs.PatchAnnotation(c)
|
2019-01-27 05:49:22 -06:00
|
|
|
})
|
|
|
|
|
|
|
|
|
|
sc.m.Patch(routePattern, sc.defaultHandler)
|
|
|
|
|
|
|
|
|
|
fn(sc)
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-10 04:56:48 -05:00
|
|
|
func deleteAnnotationsScenario(t *testing.T, desc string, url string, routePattern string, role org.RoleType,
|
2022-12-13 04:03:36 -06:00
|
|
|
cmd dtos.MassDeleteAnnotationsCmd, store db.DB, dashSvc dashboards.DashboardService, fn scenarioFunc) {
|
2020-11-13 02:52:38 -06:00
|
|
|
t.Run(fmt.Sprintf("%s %s", desc, url), func(t *testing.T) {
|
2022-03-18 11:33:21 -05:00
|
|
|
hs := setupSimpleHTTPServer(nil)
|
|
|
|
|
hs.SQLStore = store
|
2022-07-06 13:42:39 -05:00
|
|
|
hs.DashboardService = dashSvc
|
2022-03-18 11:33:21 -05:00
|
|
|
|
2020-11-13 02:52:38 -06:00
|
|
|
sc := setupScenarioContext(t, url)
|
2023-01-27 01:50:36 -06:00
|
|
|
sc.defaultHandler = routing.Wrap(func(c *contextmodel.ReqContext) response.Response {
|
2021-11-29 03:18:01 -06:00
|
|
|
c.Req.Body = mockRequestBody(cmd)
|
2022-02-09 06:44:38 -06:00
|
|
|
c.Req.Header.Add("Content-Type", "application/json")
|
2018-06-25 06:58:49 -05:00
|
|
|
sc.context = c
|
2022-08-11 06:28:55 -05:00
|
|
|
sc.context.UserID = testUserID
|
|
|
|
|
sc.context.OrgID = testOrgID
|
2018-06-25 06:58:49 -05:00
|
|
|
sc.context.OrgRole = role
|
|
|
|
|
|
2022-03-23 16:39:00 -05:00
|
|
|
return hs.MassDeleteAnnotations(c)
|
2018-06-25 06:58:49 -05:00
|
|
|
})
|
|
|
|
|
|
|
|
|
|
sc.m.Post(routePattern, sc.defaultHandler)
|
|
|
|
|
|
|
|
|
|
fn(sc)
|
|
|
|
|
})
|
|
|
|
|
}
|
2022-02-11 12:43:29 -06:00
|
|
|
|
|
|
|
|
func TestAPI_Annotations_AccessControl(t *testing.T) {
|
2023-01-09 02:59:14 -06:00
|
|
|
type testCase struct {
|
|
|
|
|
desc string
|
|
|
|
|
path string
|
|
|
|
|
method string
|
|
|
|
|
body string
|
|
|
|
|
expectedCode int
|
|
|
|
|
permissions []accesscontrol.Permission
|
2022-03-21 12:28:39 -05:00
|
|
|
}
|
2022-03-18 11:33:21 -05:00
|
|
|
|
2023-01-09 02:59:14 -06:00
|
|
|
tests := []testCase{
|
|
|
|
|
{
|
|
|
|
|
desc: "should be able to fetch annotations with correct permission",
|
|
|
|
|
path: "/api/annotations",
|
|
|
|
|
method: http.MethodGet,
|
|
|
|
|
expectedCode: http.StatusOK,
|
|
|
|
|
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsRead, Scope: accesscontrol.ScopeAnnotationsAll}},
|
|
|
|
|
},
|
2022-02-11 12:43:29 -06:00
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should not be able to fetch annotations without correct permission",
|
|
|
|
|
path: "/api/annotations",
|
|
|
|
|
method: http.MethodGet,
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
permissions: []accesscontrol.Permission{},
|
2022-02-11 12:43:29 -06:00
|
|
|
},
|
|
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should be able to fetch annotation by id with correct permission",
|
|
|
|
|
path: "/api/annotations/1",
|
|
|
|
|
method: http.MethodGet,
|
|
|
|
|
expectedCode: http.StatusOK,
|
|
|
|
|
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsRead, Scope: accesscontrol.ScopeAnnotationsAll}},
|
2022-02-11 12:43:29 -06:00
|
|
|
},
|
2022-05-16 10:16:36 -05:00
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should not be able to fetch annotation by id without correct permission",
|
|
|
|
|
path: "/api/annotations/1",
|
|
|
|
|
method: http.MethodGet,
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
permissions: []accesscontrol.Permission{},
|
2022-05-16 10:16:36 -05:00
|
|
|
},
|
|
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should be able to fetch annotation tags with correct permission",
|
|
|
|
|
path: "/api/annotations/tags",
|
|
|
|
|
method: http.MethodGet,
|
|
|
|
|
expectedCode: http.StatusOK,
|
|
|
|
|
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsRead}},
|
2022-05-16 10:16:36 -05:00
|
|
|
},
|
2022-02-11 12:43:29 -06:00
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should not be able to fetch annotation tags without correct permission",
|
|
|
|
|
path: "/api/annotations/tags",
|
|
|
|
|
method: http.MethodGet,
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
permissions: []accesscontrol.Permission{},
|
2022-02-11 12:43:29 -06:00
|
|
|
},
|
|
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should be able to update dashboard annotation with correct permission",
|
|
|
|
|
path: "/api/annotations/2",
|
|
|
|
|
method: http.MethodPut,
|
|
|
|
|
expectedCode: http.StatusOK,
|
|
|
|
|
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
|
2022-02-11 12:43:29 -06:00
|
|
|
},
|
2022-03-21 12:28:39 -05:00
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should not be able to update dashboard annotation without correct permission",
|
|
|
|
|
path: "/api/annotations/2",
|
|
|
|
|
method: http.MethodPut,
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
permissions: []accesscontrol.Permission{},
|
2022-03-21 12:28:39 -05:00
|
|
|
},
|
|
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should be able to update organization annotation with correct permission",
|
|
|
|
|
path: "/api/annotations/1",
|
|
|
|
|
method: http.MethodPut,
|
|
|
|
|
expectedCode: http.StatusOK,
|
|
|
|
|
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
|
2022-03-21 12:28:39 -05:00
|
|
|
},
|
|
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should not be able to update organization annotation without correct permission",
|
|
|
|
|
path: "/api/annotations/1",
|
|
|
|
|
method: http.MethodPut,
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
|
2022-03-21 12:28:39 -05:00
|
|
|
},
|
|
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should be able to patch dashboard annotation with correct permission",
|
|
|
|
|
path: "/api/annotations/2",
|
|
|
|
|
method: http.MethodPatch,
|
|
|
|
|
expectedCode: http.StatusOK,
|
|
|
|
|
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
|
2022-03-21 12:28:39 -05:00
|
|
|
},
|
|
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should not be able to patch dashboard annotation without correct permission",
|
|
|
|
|
path: "/api/annotations/2",
|
|
|
|
|
method: http.MethodPatch,
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
permissions: []accesscontrol.Permission{},
|
2022-03-21 12:28:39 -05:00
|
|
|
},
|
|
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should be able to patch organization annotation with correct permission",
|
|
|
|
|
path: "/api/annotations/1",
|
|
|
|
|
method: http.MethodPatch,
|
|
|
|
|
expectedCode: http.StatusOK,
|
|
|
|
|
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
|
2022-03-21 12:28:39 -05:00
|
|
|
},
|
|
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should not be able to patch organization annotation without correct permission",
|
|
|
|
|
path: "/api/annotations/1",
|
|
|
|
|
method: http.MethodPatch,
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
|
2022-03-21 12:28:39 -05:00
|
|
|
},
|
|
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should be able to create dashboard annotation with correct permission",
|
|
|
|
|
path: "/api/annotations",
|
|
|
|
|
method: http.MethodPost,
|
|
|
|
|
body: "{\"dashboardId\": 2,\"text\": \"test\"}",
|
|
|
|
|
expectedCode: http.StatusOK,
|
|
|
|
|
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
|
2022-03-21 12:28:39 -05:00
|
|
|
},
|
|
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should not be able to create dashboard annotation without correct permission",
|
|
|
|
|
path: "/api/annotations",
|
|
|
|
|
method: http.MethodPost,
|
|
|
|
|
body: "{\"dashboardId\": 2,\"text\": \"test\"}",
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
|
2022-03-21 12:28:39 -05:00
|
|
|
},
|
|
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should be able to create organization annotation with correct permission",
|
|
|
|
|
path: "/api/annotations",
|
|
|
|
|
method: http.MethodPost,
|
|
|
|
|
body: "{\"text\": \"test\"}",
|
|
|
|
|
expectedCode: http.StatusOK,
|
|
|
|
|
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
|
2022-03-21 12:28:39 -05:00
|
|
|
},
|
2022-04-20 02:43:42 -05:00
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should not be able to create organization annotation without correct permission",
|
|
|
|
|
path: "/api/annotations",
|
|
|
|
|
method: http.MethodPost,
|
|
|
|
|
body: "{\"text\": \"test\"}",
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
|
2022-04-20 02:43:42 -05:00
|
|
|
},
|
2022-03-21 12:28:39 -05:00
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should be able to delete dashboard annotation with correct permission",
|
|
|
|
|
path: "/api/annotations/2",
|
|
|
|
|
method: http.MethodDelete,
|
|
|
|
|
expectedCode: http.StatusOK,
|
|
|
|
|
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
|
2022-03-21 12:28:39 -05:00
|
|
|
},
|
|
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should not be able to delete dashboard annotation without correct permission",
|
|
|
|
|
path: "/api/annotations/2",
|
|
|
|
|
method: http.MethodDelete,
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
|
2022-03-21 12:28:39 -05:00
|
|
|
},
|
|
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should be able to delete organization annotation with correct permission",
|
|
|
|
|
path: "/api/annotations/1",
|
|
|
|
|
method: http.MethodDelete,
|
|
|
|
|
expectedCode: http.StatusOK,
|
|
|
|
|
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
|
2022-03-21 12:28:39 -05:00
|
|
|
},
|
|
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should not be able to delete organization annotation without correct permission",
|
|
|
|
|
path: "/api/annotations/1",
|
|
|
|
|
method: http.MethodDelete,
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
|
2022-03-21 12:28:39 -05:00
|
|
|
},
|
|
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should be able to create graphite annotation with correct permission",
|
|
|
|
|
path: "/api/annotations/graphite",
|
|
|
|
|
body: "{\"what\": \"test\", \"tags\": []}",
|
|
|
|
|
method: http.MethodPost,
|
|
|
|
|
expectedCode: http.StatusOK,
|
|
|
|
|
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
|
2022-03-21 12:28:39 -05:00
|
|
|
},
|
|
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should not be able to create graphite annotation without correct permission",
|
|
|
|
|
path: "/api/annotations/graphite",
|
|
|
|
|
method: http.MethodPost,
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
|
2022-03-21 12:28:39 -05:00
|
|
|
},
|
|
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should be able to mass delete dashboard annotations with correct permission",
|
|
|
|
|
path: "/api/annotations/mass-delete",
|
|
|
|
|
body: "{\"dashboardId\": 2, \"panelId\": 1}",
|
|
|
|
|
method: http.MethodPost,
|
|
|
|
|
expectedCode: http.StatusOK,
|
|
|
|
|
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
|
2022-03-21 12:28:39 -05:00
|
|
|
},
|
|
|
|
|
{
|
2023-01-09 02:59:14 -06:00
|
|
|
desc: "should not be able to mass delete dashboard annotations without correct permission",
|
|
|
|
|
path: "/api/annotations/mass-delete",
|
|
|
|
|
body: "{\"dashboardId\": 2, \"panelId\": 1}",
|
|
|
|
|
method: http.MethodPost,
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
|
2022-03-21 12:28:39 -05:00
|
|
|
},
|
2022-02-11 12:43:29 -06:00
|
|
|
}
|
2023-01-09 02:59:14 -06:00
|
|
|
|
2022-02-11 12:43:29 -06:00
|
|
|
for _, tt := range tests {
|
2023-01-09 02:59:14 -06:00
|
|
|
t.Run(tt.desc, func(t *testing.T) {
|
2022-04-21 07:31:02 -05:00
|
|
|
setUpRBACGuardian(t)
|
2023-01-09 02:59:14 -06:00
|
|
|
server := SetupAPITestServer(t, func(hs *HTTPServer) {
|
|
|
|
|
hs.Cfg = setting.NewCfg()
|
|
|
|
|
repo := annotationstest.NewFakeAnnotationsRepo()
|
2023-02-03 10:23:09 -06:00
|
|
|
_ = repo.Save(context.Background(), &annotations.Item{ID: 1, DashboardID: 0})
|
|
|
|
|
_ = repo.Save(context.Background(), &annotations.Item{ID: 2, DashboardID: 1})
|
2023-01-09 02:59:14 -06:00
|
|
|
hs.annotationsRepo = repo
|
|
|
|
|
hs.AccessControl = acimpl.ProvideAccessControl(hs.Cfg)
|
|
|
|
|
hs.AccessControl.RegisterScopeAttributeResolver(AnnotationTypeScopeResolver(hs.annotationsRepo))
|
|
|
|
|
})
|
|
|
|
|
var body io.Reader
|
|
|
|
|
if tt.body != "" {
|
|
|
|
|
body = strings.NewReader(tt.body)
|
|
|
|
|
}
|
2022-03-21 12:28:39 -05:00
|
|
|
|
2023-01-09 02:59:14 -06:00
|
|
|
req := webtest.RequestWithSignedInUser(server.NewRequest(tt.method, tt.path, body), userWithPermissions(1, tt.permissions))
|
|
|
|
|
res, err := server.SendJSON(req)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
assert.Equal(t, tt.expectedCode, res.StatusCode)
|
|
|
|
|
require.NoError(t, res.Body.Close())
|
2022-02-11 12:43:29 -06:00
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-03-18 11:33:21 -05:00
|
|
|
func TestService_AnnotationTypeScopeResolver(t *testing.T) {
|
|
|
|
|
type testCaseResolver struct {
|
|
|
|
|
desc string
|
|
|
|
|
given string
|
|
|
|
|
want string
|
|
|
|
|
wantErr error
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
testCases := []testCaseResolver{
|
|
|
|
|
{
|
2022-03-21 12:28:39 -05:00
|
|
|
desc: "correctly resolves dashboard annotations",
|
2022-03-18 11:33:21 -05:00
|
|
|
given: "annotations:id:1",
|
2022-03-21 12:28:39 -05:00
|
|
|
want: accesscontrol.ScopeAnnotationsTypeDashboard,
|
2022-03-18 11:33:21 -05:00
|
|
|
wantErr: nil,
|
|
|
|
|
},
|
|
|
|
|
{
|
2022-03-21 12:28:39 -05:00
|
|
|
desc: "correctly resolves organization annotations",
|
2022-03-18 11:33:21 -05:00
|
|
|
given: "annotations:id:2",
|
2022-03-21 12:28:39 -05:00
|
|
|
want: accesscontrol.ScopeAnnotationsTypeOrganization,
|
2022-03-18 11:33:21 -05:00
|
|
|
wantErr: nil,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
desc: "invalid annotation ID",
|
|
|
|
|
given: "annotations:id:123abc",
|
|
|
|
|
want: "",
|
|
|
|
|
wantErr: accesscontrol.ErrInvalidScope,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
desc: "malformed scope",
|
|
|
|
|
given: "annotations:1",
|
|
|
|
|
want: "",
|
|
|
|
|
wantErr: accesscontrol.ErrInvalidScope,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-03 10:23:09 -06:00
|
|
|
dashboardAnnotation := annotations.Item{ID: 1, DashboardID: 1}
|
|
|
|
|
organizationAnnotation := annotations.Item{ID: 2}
|
2022-03-23 16:39:00 -05:00
|
|
|
|
2022-09-19 02:54:37 -05:00
|
|
|
fakeAnnoRepo := annotationstest.NewFakeAnnotationsRepo()
|
|
|
|
|
_ = fakeAnnoRepo.Save(context.Background(), &dashboardAnnotation)
|
|
|
|
|
_ = fakeAnnoRepo.Save(context.Background(), &organizationAnnotation)
|
2022-03-18 11:33:21 -05:00
|
|
|
|
2022-09-19 02:54:37 -05:00
|
|
|
prefix, resolver := AnnotationTypeScopeResolver(fakeAnnoRepo)
|
2022-03-18 11:33:21 -05:00
|
|
|
require.Equal(t, "annotations:id:", prefix)
|
|
|
|
|
|
|
|
|
|
for _, tc := range testCases {
|
|
|
|
|
t.Run(tc.desc, func(t *testing.T) {
|
2022-05-02 02:29:30 -05:00
|
|
|
resolved, err := resolver.Resolve(context.Background(), 1, tc.given)
|
2022-03-18 11:33:21 -05:00
|
|
|
if tc.wantErr != nil {
|
|
|
|
|
require.Error(t, err)
|
|
|
|
|
require.Equal(t, tc.wantErr, err)
|
|
|
|
|
} else {
|
|
|
|
|
require.NoError(t, err)
|
2022-05-02 02:29:30 -05:00
|
|
|
require.Len(t, resolved, 1)
|
|
|
|
|
require.Equal(t, tc.want, resolved[0])
|
2022-03-18 11:33:21 -05:00
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-11 12:43:29 -06:00
|
|
|
func setUpACL() {
|
2022-08-10 04:56:48 -05:00
|
|
|
viewerRole := org.RoleViewer
|
|
|
|
|
editorRole := org.RoleEditor
|
2023-01-18 09:01:25 -06:00
|
|
|
store := dbtest.NewFakeDB()
|
2022-09-20 11:58:04 -05:00
|
|
|
teamSvc := &teamtest.FakeService{}
|
2022-06-01 13:16:26 -05:00
|
|
|
dashSvc := &dashboards.FakeDashboardService{}
|
2023-01-25 03:36:26 -06:00
|
|
|
qResult := []*dashboards.DashboardACLInfoDTO{
|
2023-01-26 07:46:30 -06:00
|
|
|
{Role: &viewerRole, Permission: dashboards.PERMISSION_VIEW},
|
|
|
|
|
{Role: &editorRole, Permission: dashboards.PERMISSION_EDIT},
|
2023-01-25 03:36:26 -06:00
|
|
|
}
|
2023-01-20 07:58:47 -06:00
|
|
|
dashSvc.On("GetDashboardACLInfoList", mock.Anything, mock.AnythingOfType("*dashboards.GetDashboardACLInfoListQuery")).Run(func(args mock.Arguments) {
|
2023-01-25 03:36:26 -06:00
|
|
|
// q := args.Get(1).(*dashboards.GetDashboardACLInfoListQuery)
|
|
|
|
|
|
|
|
|
|
}).Return(qResult, nil)
|
|
|
|
|
var result *dashboards.Dashboard
|
2023-01-16 09:33:55 -06:00
|
|
|
dashSvc.On("GetDashboard", mock.Anything, mock.AnythingOfType("*dashboards.GetDashboardQuery")).Run(func(args mock.Arguments) {
|
|
|
|
|
q := args.Get(1).(*dashboards.GetDashboardQuery)
|
2023-01-25 03:36:26 -06:00
|
|
|
result = &dashboards.Dashboard{
|
2023-01-16 09:33:55 -06:00
|
|
|
ID: q.ID,
|
|
|
|
|
UID: q.UID,
|
2022-12-15 08:34:17 -06:00
|
|
|
}
|
2023-01-25 03:36:26 -06:00
|
|
|
}).Return(result, nil)
|
2022-06-01 13:16:26 -05:00
|
|
|
|
2023-03-16 04:54:01 -05:00
|
|
|
guardian.InitLegacyGuardian(setting.NewCfg(), store, dashSvc, teamSvc)
|
2022-02-11 12:43:29 -06:00
|
|
|
}
|
2022-03-23 16:39:00 -05:00
|
|
|
|
2022-04-21 07:31:02 -05:00
|
|
|
func setUpRBACGuardian(t *testing.T) {
|
2022-03-23 16:39:00 -05:00
|
|
|
origNewGuardian := guardian.New
|
|
|
|
|
t.Cleanup(func() {
|
|
|
|
|
guardian.New = origNewGuardian
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
guardian.MockDashboardGuardian(&guardian.FakeDashboardGuardian{CanEditValue: true})
|
|
|
|
|
}
|
