IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity
4b439b7f52
grafana/pkg/services/accesscontrol/accesscontrol_test.go

336 lines
9.1 KiB
Go
Raw Normal View History

RBAC: Add function to reduce permissions (#58197) * RBAC: Add function to reduce permissions * Make names readable Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Remove copy pasted comment * Nit. Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>
2023-01-05 10:32:13 -06:00
package accesscontrol
import (
AuthN: Embed an OAuth2 server for external service authentication (#68086) * Moving POC files from #64283 to a new branch Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Adding missing permission definition Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Force the service instantiation while client isn't merged Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Merge conf with main Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Leave go-sqlite3 version unchanged Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * tidy Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * User SearchUserPermissions instead of SearchUsersPermissions * Replace DummyKeyService with signingkeys.Service * Use user:id:<id> as subject * Fix introspection endpoint issue * Add X-Grafana-Org-Id to get_resources.bash script * Regenerate toggles_gen.go * Fix basic.go * Add GetExternalService tests * Add GetPublicKeyScopes tests * Add GetScopesOnUser tests * Add GetScopes tests * Add ParsePublicKeyPem tests * Add database test for GetByName * re-add comments * client tests added * Add GetExternalServicePublicKey tests * Add other test case to GetExternalServicePublicKey * client_credentials grant test * Add test to jwtbearer grant * Test Comments * Add handleKeyOptions tests * Add RSA key generation test * Add ECDSA by default to EmbeddedSigningKeysService * Clean up org id scope and audiences * Add audiences to the DB * Fix check on Audience * Fix double import * Add AC Store mock and align oauthserver tests * Fix test after rebase * Adding missing store function to mock * Fix double import * Add CODEOWNER * Fix some linting errors * errors don't need type assertion * Typo codeowners * use mockery for oauthserver store * Add feature toggle check * Fix db tests to handle the feature flag * Adding call to DeleteExternalServiceRole * Fix flaky test * Re-organize routes comments and plan futur work * Add client_id check to Extended JWT client * Clean up * Fix * Remove background service registry instantiation of the OAuth server * Comment cleanup * Remove unused client function * Update go.mod to use the latest ory/fosite commit * Remove oauth2_server related configs from defaults.ini * Add audiences to DTO * Fix flaky test * Remove registration endpoint and demo scripts. Document code * Rename packages * Remove the OAuthService vs OAuthServer confusion * fix incorrect import ext_jwt_test * Comments and order * Comment basic auth * Remove unecessary todo * Clean api * Moving ParsePublicKeyPem to utils * re ordering functions in service.go * Fix comment * comment on the redirect uri * Add RBAC actions, not only scopes * Fix tests * re-import featuremgmt in migrations * Fix wire * Fix scopes in test * Fix flaky test * Remove todo, the intersection should always return the minimal set * Remove unecessary check from intersection code * Allow env overrides on settings * remove the term app name * Remove app keyword for client instead and use Name instead of ExternalServiceName * LogID remove ExternalService ref * Use Name instead of ExternalServiceName * Imports order * Inline * Using ExternalService and ExternalServiceDTO * Remove xorm tags * comment * Rename client files * client -> external service * comments * Move test to correct package * slimmer test * cachedUser -> cachedExternalService * Fix aggregate store test * PluginAuthSession -> AuthSession * Revert the nil cehcks * Remove unecessary extra * Removing custom session * fix typo in test * Use constants for tests * Simplify HandleToken tests * Refactor the HandleTokenRequest test * test message * Review test * Prevent flacky test on client as well * go imports * Revert changes from 526e48ad4550fed7e2b753b9d0a0cc6097155f58 * AuthN: Change the External Service registration form (#68649) * AuthN: change the External Service registration form * Gen default permissions * Change demo script registration form * Remove unecessary comment * Nit. * Reduce cyclomatic complexity * Remove demo_scripts * Handle case with no service account * Comments * Group key gen * Nit. * Check the SaveExternalService test * Rename cachedUser to cachedClient in test * One more test case to database test * Comments * Remove last org scope Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Update pkg/services/oauthserver/utils/utils_test.go * Update pkg/services/sqlstore/migrations/oauthserver/migrations.go Remove comment * Update pkg/setting/setting.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> --------- Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
2023-05-25 08:38:30 -05:00
"fmt"
RBAC: Add function to reduce permissions (#58197) * RBAC: Add function to reduce permissions * Make names readable Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Remove copy pasted comment * Nit. Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>
2023-01-05 10:32:13 -06:00
"testing"
"github.com/stretchr/testify/require"
Chore: remove unused feature flag showFeatureFlagsInUI (#62908)
2023-02-08 18:01:34 -06:00
// this import is needed for github.com/grafana/grafana/pkg/web hack_wrap to work
_ "github.com/grafana/grafana/pkg/api/response"
RBAC: Add function to reduce permissions (#58197) * RBAC: Add function to reduce permissions * Make names readable Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Remove copy pasted comment * Nit. Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>
2023-01-05 10:32:13 -06:00
)
func TestReduce(t *testing.T) {
tests := []struct {
name string
ps []Permission
want map[string][]string
}{
{
name: "no permission",
ps: []Permission{},
want: map[string][]string{},
},
{
name: "scopeless permissions",
ps: []Permission{{Action: "orgs:read"}},
want: map[string][]string{"orgs:read": nil},
},
{ // edge case that should not exist
name: "mixed scope and scopeless permissions",
ps: []Permission{
{Action: "resources:read", Scope: "resources:id:1"},
{Action: "resources:read"},
},
want: map[string][]string{"resources:read": {"resources:id:1"}},
},
{
name: "specific permission",
ps: []Permission{
{Action: "teams:read", Scope: "teams:id:1"},
{Action: "teams:read", Scope: "teams:id:2"},
{Action: "teams:write", Scope: "teams:id:1"},
},
want: map[string][]string{
"teams:read": {"teams:id:1", "teams:id:2"},
"teams:write": {"teams:id:1"},
},
},
RBAC: use scope reduction for user permission listing (#61583) use scope reduction for user permission listing
2023-01-17 03:58:40 -06:00
{
name: "specific permissions with repeated scope",
ps: []Permission{
{Action: "teams:read", Scope: "teams:id:1"},
{Action: "teams:read", Scope: "teams:id:2"},
{Action: "teams:read", Scope: "teams:id:1"},
},
want: map[string][]string{
"teams:read": {"teams:id:1", "teams:id:2"},
},
},
RBAC: Add function to reduce permissions (#58197) * RBAC: Add function to reduce permissions * Make names readable Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Remove copy pasted comment * Nit. Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>
2023-01-05 10:32:13 -06:00
{
name: "wildcard permission",
ps: []Permission{
{Action: "teams:read", Scope: "teams:id:1"},
{Action: "teams:read", Scope: "teams:id:2"},
{Action: "teams:read", Scope: "teams:id:*"},
{Action: "teams:write", Scope: "teams:id:1"},
},
want: map[string][]string{
"teams:read": {"teams:id:*"},
"teams:write": {"teams:id:1"},
},
},
{
name: "mixed wildcard and scoped permission",
ps: []Permission{
{Action: "dashboards:read", Scope: "dashboards:*"},
{Action: "dashboards:read", Scope: "folders:uid:1"},
},
want: map[string][]string{
"dashboards:read": {"dashboards:*", "folders:uid:1"},
},
},
{
name: "different wildcard permission",
ps: []Permission{
{Action: "dashboards:read", Scope: "dashboards:uid:*"},
{Action: "dashboards:read", Scope: "dashboards:*"},
{Action: "dashboards:read", Scope: "folders:uid:*"},
{Action: "dashboards:read", Scope: "folders:*"},
},
want: map[string][]string{
"dashboards:read": {"dashboards:*", "folders:*"},
},
},
{
name: "root wildcard permission",
ps: []Permission{
{Action: "dashboards:read", Scope: "*"},
{Action: "dashboards:read", Scope: "dashboards:*"},
{Action: "dashboards:read", Scope: "folders:*"},
},
want: map[string][]string{
"dashboards:read": {"*"},
},
},
RBAC: use scope reduction for user permission listing (#61583) use scope reduction for user permission listing
2023-01-17 03:58:40 -06:00
{
name: "non-wilcard scopes with * in them",
ps: []Permission{
{Action: "dashboards:read", Scope: "dashboards:uid:123"},
{Action: "dashboards:read", Scope: "dashboards:uid:1*"},
},
want: map[string][]string{
"dashboards:read": {"dashboards:uid:123", "dashboards:uid:1*"},
},
},
RBAC: Add function to reduce permissions (#58197) * RBAC: Add function to reduce permissions * Make names readable Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Remove copy pasted comment * Nit. Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>
2023-01-05 10:32:13 -06:00
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := Reduce(tt.ps)
require.Len(t, got, len(tt.want))
for action, scopes := range got {
want, ok := tt.want[action]
require.True(t, ok)
require.ElementsMatch(t, scopes, want)
}
})
}
}
AuthN: Embed an OAuth2 server for external service authentication (#68086) * Moving POC files from #64283 to a new branch Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Adding missing permission definition Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Force the service instantiation while client isn't merged Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Merge conf with main Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Leave go-sqlite3 version unchanged Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * tidy Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * User SearchUserPermissions instead of SearchUsersPermissions * Replace DummyKeyService with signingkeys.Service * Use user:id:<id> as subject * Fix introspection endpoint issue * Add X-Grafana-Org-Id to get_resources.bash script * Regenerate toggles_gen.go * Fix basic.go * Add GetExternalService tests * Add GetPublicKeyScopes tests * Add GetScopesOnUser tests * Add GetScopes tests * Add ParsePublicKeyPem tests * Add database test for GetByName * re-add comments * client tests added * Add GetExternalServicePublicKey tests * Add other test case to GetExternalServicePublicKey * client_credentials grant test * Add test to jwtbearer grant * Test Comments * Add handleKeyOptions tests * Add RSA key generation test * Add ECDSA by default to EmbeddedSigningKeysService * Clean up org id scope and audiences * Add audiences to the DB * Fix check on Audience * Fix double import * Add AC Store mock and align oauthserver tests * Fix test after rebase * Adding missing store function to mock * Fix double import * Add CODEOWNER * Fix some linting errors * errors don't need type assertion * Typo codeowners * use mockery for oauthserver store * Add feature toggle check * Fix db tests to handle the feature flag * Adding call to DeleteExternalServiceRole * Fix flaky test * Re-organize routes comments and plan futur work * Add client_id check to Extended JWT client * Clean up * Fix * Remove background service registry instantiation of the OAuth server * Comment cleanup * Remove unused client function * Update go.mod to use the latest ory/fosite commit * Remove oauth2_server related configs from defaults.ini * Add audiences to DTO * Fix flaky test * Remove registration endpoint and demo scripts. Document code * Rename packages * Remove the OAuthService vs OAuthServer confusion * fix incorrect import ext_jwt_test * Comments and order * Comment basic auth * Remove unecessary todo * Clean api * Moving ParsePublicKeyPem to utils * re ordering functions in service.go * Fix comment * comment on the redirect uri * Add RBAC actions, not only scopes * Fix tests * re-import featuremgmt in migrations * Fix wire * Fix scopes in test * Fix flaky test * Remove todo, the intersection should always return the minimal set * Remove unecessary check from intersection code * Allow env overrides on settings * remove the term app name * Remove app keyword for client instead and use Name instead of ExternalServiceName * LogID remove ExternalService ref * Use Name instead of ExternalServiceName * Imports order * Inline * Using ExternalService and ExternalServiceDTO * Remove xorm tags * comment * Rename client files * client -> external service * comments * Move test to correct package * slimmer test * cachedUser -> cachedExternalService * Fix aggregate store test * PluginAuthSession -> AuthSession * Revert the nil cehcks * Remove unecessary extra * Removing custom session * fix typo in test * Use constants for tests * Simplify HandleToken tests * Refactor the HandleTokenRequest test * test message * Review test * Prevent flacky test on client as well * go imports * Revert changes from 526e48ad4550fed7e2b753b9d0a0cc6097155f58 * AuthN: Change the External Service registration form (#68649) * AuthN: change the External Service registration form * Gen default permissions * Change demo script registration form * Remove unecessary comment * Nit. * Reduce cyclomatic complexity * Remove demo_scripts * Handle case with no service account * Comments * Group key gen * Nit. * Check the SaveExternalService test * Rename cachedUser to cachedClient in test * One more test case to database test * Comments * Remove last org scope Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Update pkg/services/oauthserver/utils/utils_test.go * Update pkg/services/sqlstore/migrations/oauthserver/migrations.go Remove comment * Update pkg/setting/setting.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> --------- Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
2023-05-25 08:38:30 -05:00
func TestIntersect(t *testing.T) {
tests := []struct {
name string
p1 []Permission
p2 []Permission
want map[string][]string
}{
{
name: "no permission",
p1: []Permission{},
p2: []Permission{},
want: map[string][]string{},
},
{
name: "no intersection",
p1: []Permission{{Action: "orgs:read"}},
p2: []Permission{{Action: "orgs:write"}},
want: map[string][]string{},
},
{
name: "intersection no scopes",
p1: []Permission{{Action: "orgs:read"}},
p2: []Permission{{Action: "orgs:read"}},
want: map[string][]string{"orgs:read": {}},
},
{
name: "unbalanced intersection",
p1: []Permission{{Action: "teams:read", Scope: "teams:id:1"}},
p2: []Permission{{Action: "teams:read"}},
want: map[string][]string{"teams:read": {}},
},
{
name: "intersection",
p1: []Permission{
{Action: "teams:read", Scope: "teams:id:1"},
{Action: "teams:read", Scope: "teams:id:2"},
{Action: "teams:write", Scope: "teams:id:1"},
},
p2: []Permission{
{Action: "teams:read", Scope: "teams:id:1"},
{Action: "teams:read", Scope: "teams:id:3"},
{Action: "teams:write", Scope: "teams:id:1"},
},
want: map[string][]string{
"teams:read": {"teams:id:1"},
"teams:write": {"teams:id:1"},
},
},
{
name: "intersection with wildcards",
p1: []Permission{
{Action: "teams:read", Scope: "teams:id:1"},
{Action: "teams:read", Scope: "teams:id:2"},
{Action: "teams:write", Scope: "teams:id:1"},
},
p2: []Permission{
{Action: "teams:read", Scope: "*"},
{Action: "teams:write", Scope: "*"},
},
want: map[string][]string{
"teams:read": {"teams:id:1", "teams:id:2"},
"teams:write": {"teams:id:1"},
},
},
{
name: "intersection with wildcards on both sides",
p1: []Permission{
{Action: "dashboards:read", Scope: "dashboards:uid:1"},
{Action: "dashboards:read", Scope: "folders:uid:1"},
{Action: "dashboards:read", Scope: "dashboards:uid:*"},
{Action: "folders:read", Scope: "folders:uid:1"},
},
p2: []Permission{
{Action: "dashboards:read", Scope: "folders:uid:*"},
{Action: "dashboards:read", Scope: "dashboards:uid:*"},
{Action: "folders:read", Scope: "folders:uid:*"},
},
want: map[string][]string{
"dashboards:read": {"dashboards:uid:*", "folders:uid:1"},
"folders:read": {"folders:uid:1"},
},
},
{
name: "intersection with wildcards of different sizes",
p1: []Permission{
{Action: "dashboards:read", Scope: "folders:uid:1"},
{Action: "dashboards:read", Scope: "dashboards:*"},
{Action: "folders:read", Scope: "folders:*"},
{Action: "teams:read", Scope: "teams:id:1"},
},
p2: []Permission{
{Action: "dashboards:read", Scope: "folders:uid:*"},
{Action: "dashboards:read", Scope: "dashboards:uid:*"},
{Action: "folders:read", Scope: "folders:uid:*"},
{Action: "teams:read", Scope: "*"},
},
want: map[string][]string{
"dashboards:read": {"dashboards:uid:*", "folders:uid:1"},
"folders:read": {"folders:uid:*"},
"teams:read": {"teams:id:1"},
},
},
}
check := func(t *testing.T, want map[string][]string, p1, p2 []Permission) {
intersect := Intersect(p1, p2)
for action, scopes := range intersect {
want, ok := want[action]
require.True(t, ok)
require.ElementsMatch(t, scopes, want, fmt.Sprintf("scopes for %v differs from expected", action))
}
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Intersect is commutative
check(t, tt.want, tt.p1, tt.p2)
check(t, tt.want, tt.p2, tt.p1)
})
}
}
func Test_intersectScopes(t *testing.T) {
tests := []struct {
name string
s1 []string
s2 []string
want []string
}{
{
name: "no values",
s1: []string{},
s2: []string{},
want: []string{},
},
{
name: "no values on one side",
s1: []string{},
s2: []string{"teams:id:1"},
want: []string{},
},
{
name: "empty values on one side",
s1: []string{""},
s2: []string{"team:id:1"},
want: []string{},
},
{
name: "no intersection",
s1: []string{"teams:id:1"},
s2: []string{"teams:id:2"},
want: []string{},
},
{
name: "intersection",
s1: []string{"teams:id:1"},
s2: []string{"teams:id:1"},
want: []string{"teams:id:1"},
},
{
name: "intersection with wildcard",
s1: []string{"teams:id:1", "teams:id:2"},
s2: []string{"teams:id:*"},
want: []string{"teams:id:1", "teams:id:2"},
},
{
name: "intersection of wildcards",
s1: []string{"teams:id:*"},
s2: []string{"teams:id:*"},
want: []string{"teams:id:*"},
},
{
name: "intersection with a bigger wildcards",
s1: []string{"teams:id:*"},
s2: []string{"teams:*"},
want: []string{"teams:id:*"},
},
{
name: "intersection of different wildcards with a bigger one",
s1: []string{"dashboards:uid:*", "folders:uid:*"},
s2: []string{"*"},
want: []string{"dashboards:uid:*", "folders:uid:*"},
},
{
name: "intersection with wildcards and scopes on both sides",
s1: []string{"dashboards:uid:*", "folders:uid:1"},
s2: []string{"folders:uid:*", "dashboards:uid:1"},
want: []string{"dashboards:uid:1", "folders:uid:1"},
},
{
name: "intersection of non reduced list of scopes",
s1: []string{"dashboards:uid:*", "dashboards:*", "dashboards:uid:1"},
s2: []string{"dashboards:uid:*", "dashboards:*", "dashboards:uid:2"},
want: []string{"dashboards:uid:*", "dashboards:*", "dashboards:uid:1", "dashboards:uid:2"},
},
}
check := func(t *testing.T, want []string, s1, s2 []string) {
intersect := intersectScopes(s1, s2)
require.ElementsMatch(t, want, intersect)
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Intersect is commutative
check(t, tt.want, tt.s1, tt.s2)
check(t, tt.want, tt.s2, tt.s1)
})
}
}
Reference in New Issue Copy Permalink