grafana/pkg/api/org_invite_test.go

package api

import (
	"net/http"
	"strings"
	"testing"

	"github.com/stretchr/testify/assert"

	"github.com/grafana/grafana/pkg/services/accesscontrol"
	"github.com/grafana/grafana/pkg/services/org"
	"github.com/grafana/grafana/pkg/services/user"
	"github.com/grafana/grafana/pkg/services/user/usertest"
)

func TestOrgInvitesAPIEndpointAccess(t *testing.T) {
	type accessControlTestCase2 struct {
		expectedCode int
		desc         string
		url          string
		method       string
		permissions  []accesscontrol.Permission
		input        string
	}
	tests := []accessControlTestCase2{
		{
			expectedCode: http.StatusOK,
			desc:         "org viewer with the correct permissions can invite an existing user to his org",
			url:          "/api/org/invites",
			method:       http.MethodPost,
			permissions:  []accesscontrol.Permission{{Action: accesscontrol.ActionOrgUsersAdd, Scope: accesscontrol.ScopeUsersAll}},
			input:        `{"loginOrEmail": "` + testAdminOrg2.Login + `", "role": "` + string(org.RoleViewer) + `"}`,
		},
		{
			expectedCode: http.StatusForbidden,
			desc:         "org viewer with missing permissions cannot invite an existing user to his org",
			url:          "/api/org/invites",
			method:       http.MethodPost,
			permissions:  []accesscontrol.Permission{},
			input:        `{"loginOrEmail": "` + testAdminOrg2.Login + `", "role": "` + string(org.RoleViewer) + `"}`,
		},
		{
			expectedCode: http.StatusForbidden,
			desc:         "org viewer with the wrong scope cannot invite an existing user to his org",
			url:          "/api/org/invites",
			method:       http.MethodPost,
			permissions:  []accesscontrol.Permission{{Action: accesscontrol.ActionOrgUsersAdd, Scope: "users:id:100"}},
			input:        `{"loginOrEmail": "` + testAdminOrg2.Login + `", "role": "` + string(org.RoleViewer) + `"}`,
		},
		{
			expectedCode: http.StatusOK,
			desc:         "org viewer with the correct permissions can invite a new user to his org",
			url:          "/api/org/invites",
			method:       http.MethodPost,
			permissions:  []accesscontrol.Permission{{Action: accesscontrol.ActionOrgUsersAdd, Scope: accesscontrol.ScopeUsersAll}},
			input:        `{"loginOrEmail": "new user", "role": "` + string(org.RoleViewer) + `"}`,
		},
		{
			expectedCode: http.StatusForbidden,
			desc:         "org viewer with missing permissions cannot invite a new user to his org",
			url:          "/api/org/invites",
			method:       http.MethodPost,
			permissions:  []accesscontrol.Permission{},
			input:        `{"loginOrEmail": "new user", "role": "` + string(org.RoleViewer) + `"}`,
		},
	}

	for _, test := range tests {
		t.Run(test.desc, func(t *testing.T) {
			sc := setupHTTPServer(t, true)
			userService := usertest.NewUserServiceFake()
			userService.ExpectedUser = &user.User{ID: 2}
			sc.hs.userService = userService
			setInitCtxSignedInViewer(sc.initCtx)
			setupOrgUsersDBForAccessControlTests(t, sc.db)
			setAccessControlPermissions(sc.acmock, test.permissions, sc.initCtx.OrgID)

			input := strings.NewReader(test.input)
			response := callAPI(sc.server, test.method, test.url, input, t)
			assert.Equal(t, test.expectedCode, response.Code)
		})
	}
}
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 06:07:00 -05:00			`package api`

			`import (`
			`"net/http"`
			`"strings"`
			`"testing"`

			`"github.com/stretchr/testify/assert"`

			`"github.com/grafana/grafana/pkg/services/accesscontrol"`
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2 2022-08-10 04:56:48 -05:00			`"github.com/grafana/grafana/pkg/services/org"`
Chore: Add user service method GetByLogin (#53204) * Add wrapper around sqlstore method GetUserByLogin * Use new method from user service * Fix lint * Fix lint 2 * fix middleware basic auth test * Fix grafana login returning a user by login * Remove GetUserByLogin from store interface * Merge commit 2022-08-04 06:22:43 -05:00			`"github.com/grafana/grafana/pkg/services/user"`
			`"github.com/grafana/grafana/pkg/services/user/usertest"`
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 06:07:00 -05:00			`)`

			`func TestOrgInvitesAPIEndpointAccess(t *testing.T) {`
			`type accessControlTestCase2 struct {`
			`expectedCode int`
			`desc string`
			`url string`
			`method string`
			`permissions []accesscontrol.Permission`
			`input string`
			`}`
			`tests := []accessControlTestCase2{`
			`{`
			`expectedCode: http.StatusOK,`
Access Control: Allow org admins to invite new users (#52894) * allow org admins to invite new users to Grafana * doc updates * fix test 2022-07-27 11:37:27 -05:00			`desc: "org viewer with the correct permissions can invite an existing user to his org",`
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 06:07:00 -05:00			`url: "/api/org/invites",`
			`method: http.MethodPost,`
			`permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionOrgUsersAdd, Scope: accesscontrol.ScopeUsersAll}},`
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2 2022-08-10 04:56:48 -05:00			input: `{"loginOrEmail": "` + testAdminOrg2.Login + `", "role": "` + string(org.RoleViewer) + `"}`,
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 06:07:00 -05:00			`},`
			`{`
			`expectedCode: http.StatusForbidden,`
Access Control: Allow org admins to invite new users (#52894) * allow org admins to invite new users to Grafana * doc updates * fix test 2022-07-27 11:37:27 -05:00			`desc: "org viewer with missing permissions cannot invite an existing user to his org",`
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 06:07:00 -05:00			`url: "/api/org/invites",`
			`method: http.MethodPost,`
			`permissions: []accesscontrol.Permission{},`
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2 2022-08-10 04:56:48 -05:00			input: `{"loginOrEmail": "` + testAdminOrg2.Login + `", "role": "` + string(org.RoleViewer) + `"}`,
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 06:07:00 -05:00			`},`
			`{`
			`expectedCode: http.StatusForbidden,`
Access Control: Allow org admins to invite new users (#52894) * allow org admins to invite new users to Grafana * doc updates * fix test 2022-07-27 11:37:27 -05:00			`desc: "org viewer with the wrong scope cannot invite an existing user to his org",`
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 06:07:00 -05:00			`url: "/api/org/invites",`
			`method: http.MethodPost,`
			`permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionOrgUsersAdd, Scope: "users:id:100"}},`
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2 2022-08-10 04:56:48 -05:00			input: `{"loginOrEmail": "` + testAdminOrg2.Login + `", "role": "` + string(org.RoleViewer) + `"}`,
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 06:07:00 -05:00			`},`
			`{`
			`expectedCode: http.StatusOK,`
			`desc: "org viewer with the correct permissions can invite a new user to his org",`
			`url: "/api/org/invites",`
			`method: http.MethodPost,`
Access Control: Allow org admins to invite new users (#52894) * allow org admins to invite new users to Grafana * doc updates * fix test 2022-07-27 11:37:27 -05:00			`permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionOrgUsersAdd, Scope: accesscontrol.ScopeUsersAll}},`
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2 2022-08-10 04:56:48 -05:00			input: `{"loginOrEmail": "new user", "role": "` + string(org.RoleViewer) + `"}`,
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 06:07:00 -05:00			`},`
			`{`
			`expectedCode: http.StatusForbidden,`
			`desc: "org viewer with missing permissions cannot invite a new user to his org",`
			`url: "/api/org/invites",`
			`method: http.MethodPost,`
			`permissions: []accesscontrol.Permission{},`
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2 2022-08-10 04:56:48 -05:00			input: `{"loginOrEmail": "new user", "role": "` + string(org.RoleViewer) + `"}`,
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 06:07:00 -05:00			`},`
			`}`

			`for _, test := range tests {`
			`t.Run(test.desc, func(t *testing.T) {`
RBAC: Enable rbac when creating new settings (#53531) * Settings: Set RBACEnabled to true by default * Remove accessControlEnabledFlag and explicitly set to false when needed * Disable rbac for tests 2022-08-11 08:37:31 -05:00			`sc := setupHTTPServer(t, true)`
Chore: Add user service method GetByLogin (#53204) * Add wrapper around sqlstore method GetUserByLogin * Use new method from user service * Fix lint * Fix lint 2 * fix middleware basic auth test * Fix grafana login returning a user by login * Remove GetUserByLogin from store interface * Merge commit 2022-08-04 06:22:43 -05:00			`userService := usertest.NewUserServiceFake()`
			`userService.ExpectedUser = &user.User{ID: 2}`
			`sc.hs.userService = userService`
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 06:07:00 -05:00			`setInitCtxSignedInViewer(sc.initCtx)`
			`setupOrgUsersDBForAccessControlTests(t, sc.db)`
Chore: Add user service method SetUsingOrg and GetSignedInUserWithCacheCtx (#53343) * Chore: Add user service method SetUsingOrg * Chore: Add user service method GetSignedInUserWithCacheCtx * Use method GetSignedInUserWithCacheCtx from user service * Fix lint after rebase * Fix lint * Fix lint error * roll back some changes * Roll back changes in api and middleware * Add xorm tags to SignedInUser ID fields 2022-08-11 06:28:55 -05:00			`setAccessControlPermissions(sc.acmock, test.permissions, sc.initCtx.OrgID)`
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 06:07:00 -05:00
			`input := strings.NewReader(test.input)`
			`response := callAPI(sc.server, test.method, test.url, input, t)`
			`assert.Equal(t, test.expectedCode, response.Code)`
			`})`
			`}`
			`}`