package guardian
import (
"errors"
"fmt"
"runtime"
"testing"
"github.com/grafana/grafana/pkg/models"
. "github.com/smartystreets/goconvey/convey"
)
// Fixture identifiers shared by the guardian permission scenarios in this file.
var (
	orgID              int64 = 1
	defaultDashboardID int64 = -1 // dashboard ID carried by the default ACL entries
	dashboardID        int64 = 1
	parentFolderID     int64 = 2
	childDashboardID   int64 = 3
	userID             int64 = 1
	otherUserID        int64 = 2 // a second user, used for "custom" user ACL entries
	teamID             int64 = 1
	otherTeamID        int64 = 2 // a second team, used for "custom" team ACL entries

	// The org roles are variables rather than constants because the ACL
	// fixtures take their address (e.g. Role: &editorRole).
	adminRole  = models.ROLE_ADMIN
	editorRole = models.ROLE_EDITOR
	viewerRole = models.ROLE_VIEWER
)
// TestGuardianAdmin pins the access matrix for a user holding the admin org
// role: every dashboard-level and parent-folder-level ACL combination listed
// below is expected to yield FULL_ACCESS.
func TestGuardianAdmin(t *testing.T) {
	// Every scenario call is kept on its own source line. The scenario helpers
	// capture their caller's file and line with runtime.Caller(1), so folding
	// these calls into a loop would make all of them share one call site.
	adminScenarios := func(sc *scenarioContext) {
		// default ACL on the dashboard
		sc.defaultPermissionScenario(USER, FULL_ACCESS)

		// dashboard ACL entry for the user
		sc.dashboardPermissionScenario(USER, models.PERMISSION_ADMIN, FULL_ACCESS)
		sc.dashboardPermissionScenario(USER, models.PERMISSION_EDIT, FULL_ACCESS)
		sc.dashboardPermissionScenario(USER, models.PERMISSION_VIEW, FULL_ACCESS)

		// dashboard ACL entry for the team
		sc.dashboardPermissionScenario(TEAM, models.PERMISSION_ADMIN, FULL_ACCESS)
		sc.dashboardPermissionScenario(TEAM, models.PERMISSION_EDIT, FULL_ACCESS)
		sc.dashboardPermissionScenario(TEAM, models.PERMISSION_VIEW, FULL_ACCESS)

		// dashboard ACL entry for the editor role
		sc.dashboardPermissionScenario(EDITOR, models.PERMISSION_ADMIN, FULL_ACCESS)
		sc.dashboardPermissionScenario(EDITOR, models.PERMISSION_EDIT, FULL_ACCESS)
		sc.dashboardPermissionScenario(EDITOR, models.PERMISSION_VIEW, FULL_ACCESS)

		// dashboard ACL entry for the viewer role
		sc.dashboardPermissionScenario(VIEWER, models.PERMISSION_ADMIN, FULL_ACCESS)
		sc.dashboardPermissionScenario(VIEWER, models.PERMISSION_EDIT, FULL_ACCESS)
		sc.dashboardPermissionScenario(VIEWER, models.PERMISSION_VIEW, FULL_ACCESS)

		// inherited ACL entry for the user on the parent folder
		sc.parentFolderPermissionScenario(USER, models.PERMISSION_ADMIN, FULL_ACCESS)
		sc.parentFolderPermissionScenario(USER, models.PERMISSION_EDIT, FULL_ACCESS)
		sc.parentFolderPermissionScenario(USER, models.PERMISSION_VIEW, FULL_ACCESS)

		// inherited ACL entry for the team on the parent folder
		sc.parentFolderPermissionScenario(TEAM, models.PERMISSION_ADMIN, FULL_ACCESS)
		sc.parentFolderPermissionScenario(TEAM, models.PERMISSION_EDIT, FULL_ACCESS)
		sc.parentFolderPermissionScenario(TEAM, models.PERMISSION_VIEW, FULL_ACCESS)

		// inherited ACL entry for the editor role on the parent folder
		sc.parentFolderPermissionScenario(EDITOR, models.PERMISSION_ADMIN, FULL_ACCESS)
		sc.parentFolderPermissionScenario(EDITOR, models.PERMISSION_EDIT, FULL_ACCESS)
		sc.parentFolderPermissionScenario(EDITOR, models.PERMISSION_VIEW, FULL_ACCESS)

		// inherited ACL entry for the viewer role on the parent folder
		sc.parentFolderPermissionScenario(VIEWER, models.PERMISSION_ADMIN, FULL_ACCESS)
		sc.parentFolderPermissionScenario(VIEWER, models.PERMISSION_EDIT, FULL_ACCESS)
		sc.parentFolderPermissionScenario(VIEWER, models.PERMISSION_VIEW, FULL_ACCESS)
	}

	Convey("Guardian admin org role tests", t, func() {
		orgRoleScenario("Given user has admin org role", t, models.ROLE_ADMIN, adminScenarios)
	})
}
// TestGuardianEditor pins the access matrix for a user holding the editor org
// role. The expectations below track the permission level of a matching ACL
// entry (user, team or editor role), while an ACL entry that only names the
// viewer role is expected to give this user NO_ACCESS at every level.
func TestGuardianEditor(t *testing.T) {
	// Every scenario call is kept on its own source line. The scenario helpers
	// capture their caller's file and line with runtime.Caller(1), so folding
	// these calls into a loop would make all of them share one call site.
	editorScenarios := func(sc *scenarioContext) {
		// default ACL on the dashboard
		sc.defaultPermissionScenario(USER, EDITOR_ACCESS)

		// dashboard ACL entry for the user
		// NOTE(review): the VIEW rows for USER and TEAM expect CAN_VIEW while
		// the other VIEW rows expect VIEWER_ACCESS - confirm the difference
		// is intentional.
		sc.dashboardPermissionScenario(USER, models.PERMISSION_ADMIN, FULL_ACCESS)
		sc.dashboardPermissionScenario(USER, models.PERMISSION_EDIT, EDITOR_ACCESS)
		sc.dashboardPermissionScenario(USER, models.PERMISSION_VIEW, CAN_VIEW)

		// dashboard ACL entry for the team
		sc.dashboardPermissionScenario(TEAM, models.PERMISSION_ADMIN, FULL_ACCESS)
		sc.dashboardPermissionScenario(TEAM, models.PERMISSION_EDIT, EDITOR_ACCESS)
		sc.dashboardPermissionScenario(TEAM, models.PERMISSION_VIEW, CAN_VIEW)

		// dashboard ACL entry for the editor role
		sc.dashboardPermissionScenario(EDITOR, models.PERMISSION_ADMIN, FULL_ACCESS)
		sc.dashboardPermissionScenario(EDITOR, models.PERMISSION_EDIT, EDITOR_ACCESS)
		sc.dashboardPermissionScenario(EDITOR, models.PERMISSION_VIEW, VIEWER_ACCESS)

		// dashboard ACL entry for the viewer role: must not apply to an editor
		sc.dashboardPermissionScenario(VIEWER, models.PERMISSION_ADMIN, NO_ACCESS)
		sc.dashboardPermissionScenario(VIEWER, models.PERMISSION_EDIT, NO_ACCESS)
		sc.dashboardPermissionScenario(VIEWER, models.PERMISSION_VIEW, NO_ACCESS)

		// inherited ACL entry for the user on the parent folder
		sc.parentFolderPermissionScenario(USER, models.PERMISSION_ADMIN, FULL_ACCESS)
		sc.parentFolderPermissionScenario(USER, models.PERMISSION_EDIT, EDITOR_ACCESS)
		sc.parentFolderPermissionScenario(USER, models.PERMISSION_VIEW, VIEWER_ACCESS)

		// inherited ACL entry for the team on the parent folder
		sc.parentFolderPermissionScenario(TEAM, models.PERMISSION_ADMIN, FULL_ACCESS)
		sc.parentFolderPermissionScenario(TEAM, models.PERMISSION_EDIT, EDITOR_ACCESS)
		sc.parentFolderPermissionScenario(TEAM, models.PERMISSION_VIEW, VIEWER_ACCESS)

		// inherited ACL entry for the editor role on the parent folder
		sc.parentFolderPermissionScenario(EDITOR, models.PERMISSION_ADMIN, FULL_ACCESS)
		sc.parentFolderPermissionScenario(EDITOR, models.PERMISSION_EDIT, EDITOR_ACCESS)
		sc.parentFolderPermissionScenario(EDITOR, models.PERMISSION_VIEW, VIEWER_ACCESS)

		// inherited ACL entry for the viewer role: must not apply to an editor
		sc.parentFolderPermissionScenario(VIEWER, models.PERMISSION_ADMIN, NO_ACCESS)
		sc.parentFolderPermissionScenario(VIEWER, models.PERMISSION_EDIT, NO_ACCESS)
		sc.parentFolderPermissionScenario(VIEWER, models.PERMISSION_VIEW, NO_ACCESS)
	}

	Convey("Guardian editor org role tests", t, func() {
		orgRoleScenario("Given user has editor org role", t, models.ROLE_EDITOR, editorScenarios)
	})
}
// TestGuardianViewer pins the access matrix for a user holding the viewer org
// role, plus the default-permission case for an API key with the viewer role.
// The expectations track the permission level of a matching ACL entry (user,
// team or viewer role), while an ACL entry that only names the editor role is
// expected to give this user NO_ACCESS at every level.
func TestGuardianViewer(t *testing.T) {
	// Every scenario call is kept on its own source line. The scenario helpers
	// capture their caller's file and line with runtime.Caller(1), so folding
	// these calls into a loop would make all of them share one call site.
	viewerScenarios := func(sc *scenarioContext) {
		// default ACL on the dashboard
		sc.defaultPermissionScenario(USER, VIEWER_ACCESS)

		// dashboard ACL entry for the user
		sc.dashboardPermissionScenario(USER, models.PERMISSION_ADMIN, FULL_ACCESS)
		sc.dashboardPermissionScenario(USER, models.PERMISSION_EDIT, EDITOR_ACCESS)
		sc.dashboardPermissionScenario(USER, models.PERMISSION_VIEW, VIEWER_ACCESS)

		// dashboard ACL entry for the team
		sc.dashboardPermissionScenario(TEAM, models.PERMISSION_ADMIN, FULL_ACCESS)
		sc.dashboardPermissionScenario(TEAM, models.PERMISSION_EDIT, EDITOR_ACCESS)
		sc.dashboardPermissionScenario(TEAM, models.PERMISSION_VIEW, VIEWER_ACCESS)

		// dashboard ACL entry for the editor role: must not apply to a viewer
		sc.dashboardPermissionScenario(EDITOR, models.PERMISSION_ADMIN, NO_ACCESS)
		sc.dashboardPermissionScenario(EDITOR, models.PERMISSION_EDIT, NO_ACCESS)
		sc.dashboardPermissionScenario(EDITOR, models.PERMISSION_VIEW, NO_ACCESS)

		// dashboard ACL entry for the viewer role
		sc.dashboardPermissionScenario(VIEWER, models.PERMISSION_ADMIN, FULL_ACCESS)
		sc.dashboardPermissionScenario(VIEWER, models.PERMISSION_EDIT, EDITOR_ACCESS)
		sc.dashboardPermissionScenario(VIEWER, models.PERMISSION_VIEW, VIEWER_ACCESS)

		// inherited ACL entry for the user on the parent folder
		sc.parentFolderPermissionScenario(USER, models.PERMISSION_ADMIN, FULL_ACCESS)
		sc.parentFolderPermissionScenario(USER, models.PERMISSION_EDIT, EDITOR_ACCESS)
		sc.parentFolderPermissionScenario(USER, models.PERMISSION_VIEW, VIEWER_ACCESS)

		// inherited ACL entry for the team on the parent folder
		sc.parentFolderPermissionScenario(TEAM, models.PERMISSION_ADMIN, FULL_ACCESS)
		sc.parentFolderPermissionScenario(TEAM, models.PERMISSION_EDIT, EDITOR_ACCESS)
		sc.parentFolderPermissionScenario(TEAM, models.PERMISSION_VIEW, VIEWER_ACCESS)

		// inherited ACL entry for the editor role: must not apply to a viewer
		sc.parentFolderPermissionScenario(EDITOR, models.PERMISSION_ADMIN, NO_ACCESS)
		sc.parentFolderPermissionScenario(EDITOR, models.PERMISSION_EDIT, NO_ACCESS)
		sc.parentFolderPermissionScenario(EDITOR, models.PERMISSION_VIEW, NO_ACCESS)

		// inherited ACL entry for the viewer role on the parent folder
		sc.parentFolderPermissionScenario(VIEWER, models.PERMISSION_ADMIN, FULL_ACCESS)
		sc.parentFolderPermissionScenario(VIEWER, models.PERMISSION_EDIT, EDITOR_ACCESS)
		sc.parentFolderPermissionScenario(VIEWER, models.PERMISSION_VIEW, VIEWER_ACCESS)
	}

	apiKeyScenarios := func(sc *scenarioContext) {
		// default ACL on the dashboard, evaluated for an API key
		sc.defaultPermissionScenario(VIEWER, VIEWER_ACCESS)
	}

	Convey("Guardian viewer org role tests", t, func() {
		orgRoleScenario("Given user has viewer org role", t, models.ROLE_VIEWER, viewerScenarios)

		apiKeyScenario("Given api key with viewer role", t, models.ROLE_VIEWER, apiKeyScenarios)
	})
}
// defaultPermissionScenario runs the permission checks against a dashboard
// whose ACL is the default one: the editor role may edit and the viewer role
// may view. flag is the access the current subject is expected to have; pt is
// forwarded to the update-permission checks.
func (sc *scenarioContext) defaultPermissionScenario(pt permissionType, flag permissionFlags) {
	// Must stay in this method body: skip=1 identifies the line that called
	// this scenario helper.
	_, sc.callerFile, sc.callerLine, _ = runtime.Caller(1)

	defaultACL := []*models.DashboardAclInfoDTO{
		toDto(newEditorRolePermission(defaultDashboardID, models.PERMISSION_EDIT)),
		toDto(newViewerRolePermission(defaultDashboardID, models.PERMISSION_VIEW)),
	}

	const desc = "and existing permissions is the default permissions (everyone with editor role can edit, everyone with viewer role can view)"
	permissionScenario(desc, dashboardID, sc, defaultACL, func(sc *scenarioContext) {
		sc.expectedFlags = flag
		sc.verifyExpectedPermissionsFlags()
		sc.verifyDuplicatePermissionsShouldNotBeAllowed()
		// The two update checks are complementary: each one returns early
		// depending on whether the expected flags include admin.
		sc.verifyUpdateDashboardPermissionsShouldBeAllowed(pt)
		sc.verifyUpdateDashboardPermissionsShouldNotBeAllowed(pt)
	})
}
// dashboardPermissionScenario runs the permission checks against a dashboard
// whose ACL holds a single entry granting permission to the subject selected
// by pt (the test user, the test team, the editor role or the viewer role).
// flag is the access the current subject is expected to have.
func (sc *scenarioContext) dashboardPermissionScenario(pt permissionType, permission models.PermissionType, flag permissionFlags) {
	// Must stay in this method body: skip=1 identifies the line that called
	// this scenario helper.
	_, sc.callerFile, sc.callerLine, _ = runtime.Caller(1)

	entry := &models.DashboardAclInfoDTO{OrgId: orgID, DashboardId: dashboardID, Permission: permission}
	switch pt {
	case USER:
		entry.UserId = userID
	case TEAM:
		entry.TeamId = teamID
	case EDITOR:
		entry.Role = &editorRole
	case VIEWER:
		entry.Role = &viewerRole
	default:
		// Any other permission type leaves the ACL empty.
		entry = nil
	}

	var existingACL []*models.DashboardAclInfoDTO
	if entry != nil {
		existingACL = []*models.DashboardAclInfoDTO{entry}
	}

	desc := fmt.Sprintf("and %s has permission to %s dashboard", pt.String(), permission.String())
	permissionScenario(desc, dashboardID, sc, existingACL, func(sc *scenarioContext) {
		sc.expectedFlags = flag
		sc.verifyExpectedPermissionsFlags()
		sc.verifyDuplicatePermissionsShouldNotBeAllowed()
		// The two update checks are complementary: each one returns early
		// depending on whether the expected flags include admin.
		sc.verifyUpdateDashboardPermissionsShouldBeAllowed(pt)
		sc.verifyUpdateDashboardPermissionsShouldNotBeAllowed(pt)
	})
}
// parentFolderPermissionScenario runs the permission checks against the child
// dashboard when the only ACL entry is one inherited from the parent folder,
// granting permission to the subject selected by pt. flag is the access the
// current subject is expected to have on the child dashboard.
func (sc *scenarioContext) parentFolderPermissionScenario(pt permissionType, permission models.PermissionType, flag permissionFlags) {
	// Must stay in this method body: skip=1 identifies the line that called
	// this scenario helper.
	_, sc.callerFile, sc.callerLine, _ = runtime.Caller(1)

	// The entry belongs to the parent folder and is marked as inherited.
	entry := &models.DashboardAclInfoDTO{OrgId: orgID, DashboardId: parentFolderID, Permission: permission, Inherited: true}
	switch pt {
	case USER:
		entry.UserId = userID
	case TEAM:
		entry.TeamId = teamID
	case EDITOR:
		entry.Role = &editorRole
	case VIEWER:
		entry.Role = &viewerRole
	default:
		// Any other permission type leaves the ACL empty.
		entry = nil
	}

	var inheritedACL []*models.DashboardAclInfoDTO
	if entry != nil {
		inheritedACL = []*models.DashboardAclInfoDTO{entry}
	}

	desc := fmt.Sprintf("and parent folder has %s with permission to %s", pt.String(), permission.String())
	permissionScenario(desc, childDashboardID, sc, inheritedACL, func(sc *scenarioContext) {
		sc.expectedFlags = flag
		sc.verifyExpectedPermissionsFlags()
		sc.verifyDuplicatePermissionsShouldNotBeAllowed()
		sc.verifyUpdateChildDashboardPermissionsShouldBeAllowed(pt, permission)
		sc.verifyUpdateChildDashboardPermissionsShouldNotBeAllowed(pt, permission)
		sc.verifyUpdateChildDashboardPermissionsWithOverrideShouldBeAllowed(pt, permission)
		sc.verifyUpdateChildDashboardPermissionsWithOverrideShouldNotBeAllowed(pt, permission)
	})
}
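// verifyExpectedPermissionsFlags asks the guardian whether the current subject
// can admin, edit, save and view, folds the answers into a permissionFlags
// value and reports a failure when that value contains a flag that is not in
// sc.expectedFlags. Errors returned by the guardian queries are reported as
// failures instead of being discarded.
func (sc *scenarioContext) verifyExpectedPermissionsFlags() {
	canAdmin, adminErr := sc.g.CanAdmin()
	canEdit, editErr := sc.g.CanEdit()
	canSave, saveErr := sc.g.CanSave()
	canView, viewErr := sc.g.CanView()

	tc := fmt.Sprintf("should have permissions to %s", sc.expectedFlags.String())
	Convey(tc, func() {
		// A failed permission query must not be read as "access denied":
		// otherwise a NO_ACCESS expectation could pass for the wrong reason.
		for _, err := range []error{adminErr, editErr, saveErr, viewErr} {
			if err != nil {
				sc.reportFailure(tc, nil, err)
			}
		}

		var actualFlag permissionFlags

		if canAdmin {
			actualFlag |= CAN_ADMIN
		}
		if canEdit {
			actualFlag |= CAN_EDIT
		}
		if canSave {
			actualFlag |= CAN_SAVE
		}
		if canView {
			actualFlag |= CAN_VIEW
		}
		if actualFlag.noAccess() {
			actualFlag = NO_ACCESS
		}

		// NOTE(review): this is a subset check, not an equality check. It
		// fails when the guardian grants a flag outside the expected set, but
		// it does not flag a guardian that grants fewer flags than expected -
		// confirm that this is intended.
		if actualFlag&sc.expectedFlags != actualFlag {
			sc.reportFailure(tc, sc.expectedFlags.String(), actualFlag.String())
		}

		sc.reportSuccess()
	})
}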
// verifyDuplicatePermissionsShouldNotBeAllowed checks that an ACL update which
// names the same subject twice is rejected with ErrGuardianPermissionExists.
// It only runs when the expected flags include admin. The admin-role case
// submits a single admin-role entry and expects the same error.
func (sc *scenarioContext) verifyDuplicatePermissionsShouldNotBeAllowed() {
	if !sc.expectedFlags.canAdmin() {
		return
	}

	// The update lists are built lazily so that the fixture constructors run
	// only inside the Convey block that uses them.
	cases := []struct {
		name  string
		build func() []*models.DashboardAcl
	}{
		{
			name: "When updating dashboard permissions with duplicate permission for user should not be allowed",
			build: func() []*models.DashboardAcl {
				return []*models.DashboardAcl{
					newDefaultUserPermission(dashboardID, models.PERMISSION_VIEW),
					newDefaultUserPermission(dashboardID, models.PERMISSION_ADMIN),
				}
			},
		},
		{
			name: "When updating dashboard permissions with duplicate permission for team should not be allowed",
			build: func() []*models.DashboardAcl {
				return []*models.DashboardAcl{
					newDefaultTeamPermission(dashboardID, models.PERMISSION_VIEW),
					newDefaultTeamPermission(dashboardID, models.PERMISSION_ADMIN),
				}
			},
		},
		{
			name: "When updating dashboard permissions with duplicate permission for editor role should not be allowed",
			build: func() []*models.DashboardAcl {
				return []*models.DashboardAcl{
					newEditorRolePermission(dashboardID, models.PERMISSION_VIEW),
					newEditorRolePermission(dashboardID, models.PERMISSION_ADMIN),
				}
			},
		},
		{
			name: "When updating dashboard permissions with duplicate permission for viewer role should not be allowed",
			build: func() []*models.DashboardAcl {
				return []*models.DashboardAcl{
					newViewerRolePermission(dashboardID, models.PERMISSION_VIEW),
					newViewerRolePermission(dashboardID, models.PERMISSION_ADMIN),
				}
			},
		},
		{
			name: "When updating dashboard permissions with duplicate permission for admin role should not be allowed",
			build: func() []*models.DashboardAcl {
				return []*models.DashboardAcl{
					newAdminRolePermission(dashboardID, models.PERMISSION_ADMIN),
				}
			},
		},
	}

	for _, c := range cases {
		tc, build := c.name, c.build
		Convey(tc, func() {
			update := build()
			sc.updatePermissions = update
			_, err := sc.g.CheckPermissionBeforeUpdate(models.PERMISSION_ADMIN, update)

			if !errors.Is(err, ErrGuardianPermissionExists) {
				sc.reportFailure(tc, ErrGuardianPermissionExists, err)
			}
			sc.reportSuccess()
		})
	}
}
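// verifyUpdateDashboardPermissionsShouldBeAllowed checks, for each permission
// level, that a subject expected to have admin access may submit an ACL update
// for the dashboard. It is a no-op when the expected flags do not include
// admin. pt selects which subject appears in the update as the "other" user
// or team.
func (sc *scenarioContext) verifyUpdateDashboardPermissionsShouldBeAllowed(pt permissionType) {
	if !sc.expectedFlags.canAdmin() {
		return
	}

	for _, p := range []models.PermissionType{models.PERMISSION_ADMIN, models.PERMISSION_EDIT, models.PERMISSION_VIEW} {
		tc := fmt.Sprintf("When updating dashboard permissions with %s permissions should be allowed", p.String())
		Convey(tc, func() {
			permissionList := []*models.DashboardAcl{}
			switch pt {
			case USER:
				permissionList = []*models.DashboardAcl{
					newEditorRolePermission(dashboardID, p),
					newViewerRolePermission(dashboardID, p),
					newCustomUserPermission(dashboardID, otherUserID, p),
					newDefaultTeamPermission(dashboardID, p),
				}
			case TEAM:
				permissionList = []*models.DashboardAcl{
					newEditorRolePermission(dashboardID, p),
					newViewerRolePermission(dashboardID, p),
					newDefaultUserPermission(dashboardID, p),
					newCustomTeamPermission(dashboardID, otherTeamID, p),
				}
			case EDITOR, VIEWER:
				permissionList = []*models.DashboardAcl{
					newEditorRolePermission(dashboardID, p),
					newViewerRolePermission(dashboardID, p),
					newDefaultUserPermission(dashboardID, p),
					newDefaultTeamPermission(dashboardID, p),
				}
			}

			sc.updatePermissions = permissionList
			ok, err := sc.g.CheckPermissionBeforeUpdate(models.PERMISSION_ADMIN, permissionList)
			if err != nil {
				sc.reportFailure(tc, nil, err)
			}
			if !ok {
				// reportFailure takes (description, expected, actual): the
				// update was expected to be allowed and the guardian said no.
				sc.reportFailure(tc, true, ok)
			}
			sc.reportSuccess()
		})
	}
}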
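// verifyUpdateDashboardPermissionsShouldNotBeAllowed checks, for each
// permission level, that a subject NOT expected to have admin access is
// refused when submitting an ACL update for the dashboard. It is a no-op when
// the expected flags include admin. The refusal is expected as ok == false
// with a nil error.
func (sc *scenarioContext) verifyUpdateDashboardPermissionsShouldNotBeAllowed(pt permissionType) {
	if sc.expectedFlags.canAdmin() {
		return
	}

	for _, p := range []models.PermissionType{models.PERMISSION_ADMIN, models.PERMISSION_EDIT, models.PERMISSION_VIEW} {
		tc := fmt.Sprintf("When updating dashboard permissions with %s permissions should NOT be allowed", p.String())
		Convey(tc, func() {
			// Role entries are always part of the update; user and team
			// entries are added only for the USER and TEAM permission types.
			permissionList := []*models.DashboardAcl{
				newEditorRolePermission(dashboardID, p),
				newViewerRolePermission(dashboardID, p),
			}
			switch pt {
			case USER:
				permissionList = append(permissionList, []*models.DashboardAcl{
					newCustomUserPermission(dashboardID, otherUserID, p),
					newDefaultTeamPermission(dashboardID, p),
				}...)
			case TEAM:
				permissionList = append(permissionList, []*models.DashboardAcl{
					newDefaultUserPermission(dashboardID, p),
					newCustomTeamPermission(dashboardID, otherTeamID, p),
				}...)
			}

			sc.updatePermissions = permissionList
			ok, err := sc.g.CheckPermissionBeforeUpdate(models.PERMISSION_ADMIN, permissionList)
			if err != nil {
				sc.reportFailure(tc, nil, err)
			}
			if ok {
				// reportFailure takes (description, expected, actual): the
				// update was expected to be refused and the guardian allowed it.
				sc.reportFailure(tc, false, ok)
			}
			sc.reportSuccess()
		})
	}
}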
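// verifyUpdateChildDashboardPermissionsShouldBeAllowed checks, for each
// permission level, that a subject expected to have admin access may submit an
// ACL update for the child dashboard. It is a no-op when the expected flags do
// not include admin. For the EDITOR and VIEWER permission types the entry for
// that same role is included only when it is strictly higher than the
// permission inherited from the parent folder.
func (sc *scenarioContext) verifyUpdateChildDashboardPermissionsShouldBeAllowed(pt permissionType, parentFolderPermission models.PermissionType) {
	if !sc.expectedFlags.canAdmin() {
		return
	}

	for _, p := range []models.PermissionType{models.PERMISSION_ADMIN, models.PERMISSION_EDIT, models.PERMISSION_VIEW} {
		tc := fmt.Sprintf("When updating child dashboard permissions with %s permissions should be allowed", p.String())
		Convey(tc, func() {
			permissionList := []*models.DashboardAcl{}
			switch pt {
			case USER:
				permissionList = []*models.DashboardAcl{
					newEditorRolePermission(childDashboardID, p),
					newViewerRolePermission(childDashboardID, p),
					newCustomUserPermission(childDashboardID, otherUserID, p),
					newDefaultTeamPermission(childDashboardID, p),
				}
			case TEAM:
				permissionList = []*models.DashboardAcl{
					newEditorRolePermission(childDashboardID, p),
					newViewerRolePermission(childDashboardID, p),
					newDefaultUserPermission(childDashboardID, p),
					newCustomTeamPermission(childDashboardID, otherTeamID, p),
				}
			case EDITOR:
				permissionList = []*models.DashboardAcl{
					newViewerRolePermission(childDashboardID, p),
					newDefaultUserPermission(childDashboardID, p),
					newDefaultTeamPermission(childDashboardID, p),
				}
				// Add the editor-role entry only when it is higher than the
				// permission the parent folder already grants that role.
				if p > parentFolderPermission {
					permissionList = append(permissionList, newEditorRolePermission(childDashboardID, p))
				}
			case VIEWER:
				permissionList = []*models.DashboardAcl{
					newEditorRolePermission(childDashboardID, p),
					newDefaultUserPermission(childDashboardID, p),
					newDefaultTeamPermission(childDashboardID, p),
				}
				// Add the viewer-role entry only when it is higher than the
				// permission the parent folder already grants that role.
				if p > parentFolderPermission {
					permissionList = append(permissionList, newViewerRolePermission(childDashboardID, p))
				}
			}

			sc.updatePermissions = permissionList
			ok, err := sc.g.CheckPermissionBeforeUpdate(models.PERMISSION_ADMIN, permissionList)
			if err != nil {
				sc.reportFailure(tc, nil, err)
			}
			if !ok {
				// reportFailure takes (description, expected, actual): the
				// update was expected to be allowed and the guardian said no.
				sc.reportFailure(tc, true, ok)
			}
			sc.reportSuccess()
		})
	}
}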
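// verifyUpdateChildDashboardPermissionsShouldNotBeAllowed checks, for each
// permission level, that a subject NOT expected to have admin access is
// refused when submitting an ACL update for the child dashboard. It is a
// no-op when the expected flags include admin. The refusal is expected as
// ok == false with a nil error.
func (sc *scenarioContext) verifyUpdateChildDashboardPermissionsShouldNotBeAllowed(pt permissionType, parentFolderPermission models.PermissionType) {
	if sc.expectedFlags.canAdmin() {
		return
	}

	for _, p := range []models.PermissionType{models.PERMISSION_ADMIN, models.PERMISSION_EDIT, models.PERMISSION_VIEW} {
		tc := fmt.Sprintf("When updating child dashboard permissions with %s permissions should NOT be allowed", p.String())
		Convey(tc, func() {
			permissionList := []*models.DashboardAcl{}
			switch pt {
			case USER:
				permissionList = []*models.DashboardAcl{
					newEditorRolePermission(childDashboardID, p),
					newViewerRolePermission(childDashboardID, p),
					newCustomUserPermission(childDashboardID, otherUserID, p),
					newDefaultTeamPermission(childDashboardID, p),
				}
			case TEAM:
				permissionList = []*models.DashboardAcl{
					newEditorRolePermission(childDashboardID, p),
					newViewerRolePermission(childDashboardID, p),
					newDefaultUserPermission(childDashboardID, p),
					newCustomTeamPermission(childDashboardID, otherTeamID, p),
				}
			case EDITOR:
				permissionList = []*models.DashboardAcl{
					newViewerRolePermission(childDashboardID, p),
					newDefaultUserPermission(childDashboardID, p),
					newDefaultTeamPermission(childDashboardID, p),
				}
				// Add the editor-role entry only when it is higher than the
				// permission the parent folder already grants that role.
				if p > parentFolderPermission {
					permissionList = append(permissionList, newEditorRolePermission(childDashboardID, p))
				}
			case VIEWER:
				permissionList = []*models.DashboardAcl{
					newEditorRolePermission(childDashboardID, p),
					newDefaultUserPermission(childDashboardID, p),
					newDefaultTeamPermission(childDashboardID, p),
				}
				// Add the viewer-role entry only when it is higher than the
				// permission the parent folder already grants that role.
				if p > parentFolderPermission {
					permissionList = append(permissionList, newViewerRolePermission(childDashboardID, p))
				}
			}

			sc.updatePermissions = permissionList
			ok, err := sc.g.CheckPermissionBeforeUpdate(models.PERMISSION_ADMIN, permissionList)
			if err != nil {
				sc.reportFailure(tc, nil, err)
			}
			if ok {
				// reportFailure takes (description, expected, actual): the
				// update was expected to be refused and the guardian allowed it.
				sc.reportFailure(tc, false, ok)
			}
			sc.reportSuccess()
		})
	}
}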
// verifyUpdateChildDashboardPermissionsWithOverrideShouldBeAllowed checks that
// a child-dashboard ACL entry for the same subject as the inherited parent
// folder entry is rejected with ErrGuardianOverride when its permission is
// lower than or equal to the inherited one.
//
// NOTE(review): despite the "ShouldBeAllowed" suffix, every case here asserts
// a rejection (the test names say "should NOT be allowed"); the accepting
// cases live in the ...WithOverrideShouldNotBeAllowed sibling. The two method
// names appear to be swapped.
func (sc *scenarioContext) verifyUpdateChildDashboardPermissionsWithOverrideShouldBeAllowed(pt permissionType, parentFolderPermission models.PermissionType) {
	if !sc.expectedFlags.canAdmin() {
		return
	}

	levels := []models.PermissionType{models.PERMISSION_ADMIN, models.PERMISSION_EDIT, models.PERMISSION_VIEW}
	for _, p := range levels {
		// A permission strictly higher than the inherited one is not part of
		// this check; only lower-or-equal overrides are exercised below.
		if p > parentFolderPermission {
			continue
		}

		tc := fmt.Sprintf("When updating child dashboard permissions overriding parent %s permission with %s permission should NOT be allowed", pt.String(), p.String())
		Convey(tc, func() {
			// The update holds a single entry for the subject that already
			// inherits a permission from the parent folder.
			update := []*models.DashboardAcl{}
			switch pt {
			case USER:
				update = append(update, newDefaultUserPermission(childDashboardID, p))
			case TEAM:
				update = append(update, newDefaultTeamPermission(childDashboardID, p))
			case EDITOR:
				update = append(update, newEditorRolePermission(childDashboardID, p))
			case VIEWER:
				update = append(update, newViewerRolePermission(childDashboardID, p))
			}

			sc.updatePermissions = update
			_, err := sc.g.CheckPermissionBeforeUpdate(models.PERMISSION_ADMIN, update)
			if !errors.Is(err, ErrGuardianOverride) {
				sc.reportFailure(tc, ErrGuardianOverride, err)
			}
			sc.reportSuccess()
		})
	}
}
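// verifyUpdateChildDashboardPermissionsWithOverrideShouldNotBeAllowed checks
// that a child-dashboard ACL entry for the same subject as the inherited
// parent folder entry is accepted when its permission is strictly higher than
// the inherited one.
//
// NOTE(review): despite the "ShouldNotBeAllowed" suffix, every case here
// asserts that the update is accepted (the test names say "should be
// allowed"); the rejecting cases live in the ...WithOverrideShouldBeAllowed
// sibling. The two method names appear to be swapped.
func (sc *scenarioContext) verifyUpdateChildDashboardPermissionsWithOverrideShouldNotBeAllowed(pt permissionType, parentFolderPermission models.PermissionType) {
	if !sc.expectedFlags.canAdmin() {
		return
	}

	for _, p := range []models.PermissionType{models.PERMISSION_ADMIN, models.PERMISSION_EDIT, models.PERMISSION_VIEW} {
		// A permission lower than or equal to the inherited one is not part
		// of this check; only strictly higher overrides are exercised below.
		if p <= parentFolderPermission {
			continue
		}

		tc := fmt.Sprintf("When updating child dashboard permissions overriding parent %s permission with %s permission should be allowed", pt.String(), p.String())
		Convey(tc, func() {
			permissionList := []*models.DashboardAcl{}
			switch pt {
			case USER:
				permissionList = []*models.DashboardAcl{
					newDefaultUserPermission(childDashboardID, p),
				}
			case TEAM:
				permissionList = []*models.DashboardAcl{
					newDefaultTeamPermission(childDashboardID, p),
				}
			case EDITOR:
				permissionList = []*models.DashboardAcl{
					newEditorRolePermission(childDashboardID, p),
				}
			case VIEWER:
				permissionList = []*models.DashboardAcl{
					newViewerRolePermission(childDashboardID, p),
				}
			}

			// NOTE(review): the guardian is queried twice, and this first
			// call runs before sc.updatePermissions is set for this case.
			// It looks redundant - confirm whether it is intentional before
			// removing it.
			_, err := sc.g.CheckPermissionBeforeUpdate(models.PERMISSION_ADMIN, permissionList)
			if err != nil {
				sc.reportFailure(tc, nil, err)
			}

			sc.updatePermissions = permissionList
			ok, err := sc.g.CheckPermissionBeforeUpdate(models.PERMISSION_ADMIN, permissionList)
			if err != nil {
				sc.reportFailure(tc, nil, err)
			}
			if !ok {
				// reportFailure takes (description, expected, actual): the
				// update was expected to be allowed and the guardian said no.
				sc.reportFailure(tc, true, ok)
			}
			sc.reportSuccess()
		})
	}
}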