package api
import (
"net/http"
"strings"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/org/orgtest"
"github.com/grafana/grafana/pkg/services/user"
"github.com/grafana/grafana/pkg/services/user/usertest"
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/web/webtest"
)
// TestOrgInvitesAPIEndpoint_RBAC checks the access-control decisions behind
// POST /api/org/invites. Each case signs the request as user 1 carrying a given
// permission set and asserts only the HTTP status: 200 when the requester holds
// org-users:add with a scope that covers the invitee, 403 when the permission is
// missing, when its scope points at a different user, or when the requested
// role is above the requester's own (the last two are inferred from the case
// names; the enforcement itself lives in the handler, not here).
func TestOrgInvitesAPIEndpoint_RBAC(t *testing.T) {
	type inviteCase struct {
		desc         string
		body         string                     // raw JSON payload sent to the invite endpoint
		permissions  []accesscontrol.Permission // permissions granted to the signed-in requester
		expectedCode int                        // HTTP status the endpoint is expected to return
	}

	// The invitee payload is shared by every case; only the permission set and,
	// in the last case, the requested role differ.
	viewerInvite := `{"loginOrEmail": "new user", "role": "Viewer"}`
	adminInvite := `{"loginOrEmail": "new user", "role": "Admin"}`

	cases := []inviteCase{
		{
			desc: "should be able to invite user to org with correct permissions",
			body: viewerInvite,
			permissions: []accesscontrol.Permission{
				{Action: accesscontrol.ActionOrgUsersAdd, Scope: "users:id:1"},
			},
			expectedCode: http.StatusOK,
		},
		{
			desc:         "should not be able to invite user to org without correct permissions",
			body:         viewerInvite,
			permissions:  []accesscontrol.Permission{},
			expectedCode: http.StatusForbidden,
		},
		{
			// Same action, but scoped to a user other than the one the fake user
			// service resolves (ID 1) — presumably the scope check rejects it.
			desc: "should not be able to invite user to org with wrong scope",
			body: viewerInvite,
			permissions: []accesscontrol.Permission{
				{Action: accesscontrol.ActionOrgUsersAdd, Scope: "users:id:2"},
			},
			expectedCode: http.StatusForbidden,
		},
		{
			// Correct action and scope, but the invite asks for Admin; the case
			// name says this must be refused because it exceeds the requester's role.
			desc: "should not be able to invite user to org with higher role then requester",
			body: adminInvite,
			permissions: []accesscontrol.Permission{
				{Action: accesscontrol.ActionOrgUsersAdd, Scope: "users:id:1"},
			},
			expectedCode: http.StatusForbidden,
		},
	}

	// configure wires the fakes every subtest needs: a fresh config, a fake org
	// service and a user service whose lookups resolve to user ID 1. It is run
	// once per subtest by SetupAPITestServer, so no state leaks between cases.
	configure := func(hs *HTTPServer) {
		hs.Cfg = setting.NewCfg()
		hs.orgService = orgtest.NewOrgServiceFake()
		hs.userService = &usertest.FakeUserService{
			ExpectedUser: &user.User{ID: 1},
		}
	}

	for _, tc := range cases {
		t.Run(tc.desc, func(t *testing.T) {
			server := SetupAPITestServer(t, configure)

			// Sign the request as user 1 with exactly the case's permission set;
			// nothing else about the requester is varied between cases.
			requester := userWithPermissions(1, tc.permissions)
			postReq := server.NewPostRequest("/api/org/invites", strings.NewReader(tc.body))
			signedReq := webtest.RequestWithSignedInUser(postReq, requester)

			res, err := server.SendJSON(signedReq)
			require.NoError(t, err)
			assert.Equal(t, tc.expectedCode, res.StatusCode)
			require.NoError(t, res.Body.Close())
		})
	}
}