IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity
64aa5465ac
grafana/pkg/services/accesscontrol/middleware_test.go

132 lines
3.6 KiB
Go
Raw Normal View History

Access Control: Move access control middlewares to domain package (#48322) * Move access control middleware to domain package
2022-04-28 03:46:18 -05:00
package accesscontrol_test
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 04:36:28 -05:00
import (
"net/http"
"net/http/httptest"
"testing"
"github.com/stretchr/testify/assert"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/services/accesscontrol"
AccessControl: Add a mock (#38515)
2021-08-24 13:12:48 -05:00
"github.com/grafana/grafana/pkg/services/accesscontrol/mock"
pkg/web: restrict handler types (#48495) Makes `pkg/web` only accept handles from the following set: ```go handlerStd = func(http.ResponseWriter, *http.Request) handlerStdCtx = func(http.ResponseWriter, *http.Request, *web.Context) handlerStdReqCtx = func(http.ResponseWriter, *http.Request, *models.ReqContext) handlerReqCtx = func(*models.ReqContext) handlerReqCtxRes = func(*models.ReqContext) Response handlerCtx = func(*web.Context) ``` This is a first step to reducing above set to only `http.Handler`. --- Due to a cyclic import situation between `pkg/models` and `pkg/web`, parts of this PR were put into `pkg/api/response`, even though they definitely do not belong there. This however is _temporary_ until we untangle `models.ReqContext`.
2022-05-20 11:45:18 -05:00
"github.com/grafana/grafana/pkg/services/contexthandler/ctxkey"
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 01:50:36 -06:00
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 04:56:48 -05:00
"github.com/grafana/grafana/pkg/services/user"
Access Control: Move access control middlewares to domain package (#48322) * Move access control middleware to domain package
2022-04-28 03:46:18 -05:00
"github.com/grafana/grafana/pkg/web"
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 04:36:28 -05:00
)
type middlewareTestCase struct {
desc string
expectEndpoint bool
evaluator accesscontrol.Evaluator
ac accesscontrol.AccessControl
}
func TestMiddleware(t *testing.T) {
tests := []middlewareTestCase{
{
desc: "should pass middleware for correct permissions",
AccessControl: Add a mock (#38515)
2021-08-24 13:12:48 -05:00
ac: mock.New().WithPermissions(
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 03:17:48 -05:00
[]accesscontrol.Permission{{Action: "users:read", Scope: "users:*"}},
AccessControl: Add a mock (#38515)
2021-08-24 13:12:48 -05:00
),
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 04:36:28 -05:00
evaluator: accesscontrol.EvalPermission("users:read", "users:*"),
expectEndpoint: true,
},
{
desc: "should not reach endpoint when missing permissions",
AccessControl: Add a mock (#38515)
2021-08-24 13:12:48 -05:00
ac: mock.New().WithPermissions(
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 03:17:48 -05:00
[]accesscontrol.Permission{{Action: "users:read", Scope: "users:1"}},
AccessControl: Add a mock (#38515)
2021-08-24 13:12:48 -05:00
),
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 04:36:28 -05:00
evaluator: accesscontrol.EvalPermission("users:read", "users:*"),
expectEndpoint: false,
},
}
for _, test := range tests {
t.Run(test.desc, func(t *testing.T) {
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go
2021-10-11 07:30:59 -05:00
server := web.New()
server.UseMiddleware(web.Renderer("../../public/views", "[[", "]]"))
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 04:36:28 -05:00
server.Use(contextProvider())
RBAC: Remove legacy ac from authorization middleware (#68898) remove legacy AC fallback from RBAC middleware, and some unused auth logic
2023-05-24 03:49:42 -05:00
server.Use(accesscontrol.Middleware(test.ac)(test.evaluator))
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 04:36:28 -05:00
endpointCalled := false
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 01:50:36 -06:00
server.Get("/", func(c *contextmodel.ReqContext) {
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 04:36:28 -05:00
endpointCalled = true
pkg/web: closure-style middlewares (#51238) * pkg/web: closure-style middlewares Switches the middleware execution model from web.Handlers in a slice to web.Middleware. Middlewares are temporarily kept in a slice to preserve ordering, but prior to execution they are applied, forming a giant call-stack, giving granular control over the execution flow. * pkg/middleware: adapt to web.Middleware * pkg/middleware/recovery: use c.Req over req c.Req gets updated by future handlers, while req stays static. The current recovery implementation needs this newer information * pkg/web: correct middleware ordering * pkg/webtest: adapt middleware * pkg/web/hack: set w and r onto web.Context By adopting std middlewares, it may happen they invoke next(w,r) without putting their modified w,r into the web.Context, leading old-style handlers to operate on outdated fields. pkg/web now takes care of this * pkg/middleware: selectively use future context * pkg/web: accept closure-style on Use() * webtest: Middleware testing adds a utility function to web/webtest to obtain a http.ResponseWriter, http.Request and http.Handler the same as a middleware that runs would receive * *: cleanup * pkg/web: don't wrap Middleware from Router * pkg/web: require chain to write response * *: remove temp files * webtest: don't require chain write * *: cleanup
2022-08-09 07:58:50 -05:00
c.Resp.WriteHeader(http.StatusOK)
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 04:36:28 -05:00
})
request, err := http.NewRequest(http.MethodGet, "/", nil)
assert.NoError(t, err)
recorder := httptest.NewRecorder()
server.ServeHTTP(recorder, request)
assert.Equal(t, test.expectEndpoint, endpointCalled)
})
}
}
RBAC: Redirect to /login when forceLogin is set (#56469)
2022-10-07 01:18:56 -05:00
func TestMiddleware_forceLogin(t *testing.T) {
tests := []struct {
url string
redirectToLogin bool
}{
{url: "/endpoint?forceLogin=true", redirectToLogin: true},
{url: "/endpoint?forceLogin=false"},
{url: "/endpoint"},
}
for _, tc := range tests {
var endpointCalled bool
server := web.New()
server.UseMiddleware(web.Renderer("../../public/views", "[[", "]]"))
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 01:50:36 -06:00
server.Get("/endpoint", func(c *contextmodel.ReqContext) {
RBAC: Redirect to /login when forceLogin is set (#56469)
2022-10-07 01:18:56 -05:00
endpointCalled = true
c.Resp.WriteHeader(http.StatusOK)
})
ac := mock.New().WithPermissions([]accesscontrol.Permission{{Action: "endpoint:read", Scope: "endpoint:1"}})
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 01:50:36 -06:00
server.Use(contextProvider(func(c *contextmodel.ReqContext) {
RBAC: Redirect to /login when forceLogin is set (#56469)
2022-10-07 01:18:56 -05:00
c.AllowAnonymous = true
c.SignedInUser.IsAnonymous = true
c.IsSignedIn = false
}))
server.Use(
RBAC: Remove legacy ac from authorization middleware (#68898) remove legacy AC fallback from RBAC middleware, and some unused auth logic
2023-05-24 03:49:42 -05:00
accesscontrol.Middleware(ac)(accesscontrol.EvalPermission("endpoint:read", "endpoint:1")),
RBAC: Redirect to /login when forceLogin is set (#56469)
2022-10-07 01:18:56 -05:00
)
request, err := http.NewRequest(http.MethodGet, tc.url, nil)
assert.NoError(t, err)
recorder := httptest.NewRecorder()
server.ServeHTTP(recorder, request)
expectedCode := http.StatusOK
if tc.redirectToLogin {
expectedCode = http.StatusFound
}
assert.Equal(t, expectedCode, recorder.Code)
assert.Equal(t, !tc.redirectToLogin, endpointCalled, "/endpoint should be called?")
}
}
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 01:50:36 -06:00
func contextProvider(modifiers ...func(c *contextmodel.ReqContext)) web.Handler {
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go
2021-10-11 07:30:59 -05:00
return func(c *web.Context) {
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 01:50:36 -06:00
reqCtx := &contextmodel.ReqContext{
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 04:36:28 -05:00
Context: c,
Logger: log.New(""),
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 04:56:48 -05:00
SignedInUser: &user.SignedInUser{},
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 04:36:28 -05:00
IsSignedIn: true,
Caching: Refactor enterprise query caching middleware to a wire service (#65616) * define initial service and add to wire * update caching service interface * add skipQueryCache header handler and update metrics query function to use it * add caching service as a dependency to query service * working caching impl * propagate cache status to frontend in response * beginning of improvements suggested by Lean - separate caching logic from query logic. * more changes to simplify query function * Decided to revert renaming of function * Remove error status from cache request * add extra documentation * Move query caching duration metric to query package * add a little bit of documentation * wip: convert resource caching * Change return type of query service QueryData to a QueryDataResponse with Headers * update codeowners * change X-Cache value to const * use resource caching in endpoint handlers * write resource headers to response even if it's not a cache hit * fix panic caused by lack of nil check * update unit test * remove NONE header - shouldn't show up in OSS * Convert everything to use the plugin middleware * revert a few more things * clean up unused vars * start reverting resource caching, start to implement in plugin middleware * revert more, fix typo * Update caching interfaces - resource caching now has a separate cache method * continue wiring up new resource caching conventions - still in progress * add more safety to implementation * remove some unused objects * remove some code that I left in by accident * add some comments, fix codeowners, fix duplicate registration * fix source of panic in resource middleware * Update client decorator test to provide an empty response object * create tests for caching middleware * fix unit test * Update pkg/services/caching/service.go Co-authored-by: Arati R. <33031346+suntala@users.noreply.github.com> * improve error message in error log * quick docs update * Remove use of mockery. Update return signature to return an explicit hit/miss bool * create unit test for empty request context * rename caching metrics to make it clear they pertain to caching * Update pkg/services/pluginsintegration/clientmiddleware/caching_middleware.go Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Add clarifying comments to cache skip middleware func * Add comment pointing to the resource cache update call * fix unit tests (missing dependency) * try to fix mystery syntax error * fix a panic * Caching: Introduce feature toggle to caching service refactor (#66323) * introduce new feature toggle * hide calls to new service behind a feature flag * remove licensing flag from toggle (misunderstood what it was for) * fix unit tests * rerun toggle gen --------- Co-authored-by: Arati R. <33031346+suntala@users.noreply.github.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
2023-04-12 11:30:33 -05:00
SkipDSCache: true,
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 04:36:28 -05:00
}
RBAC: Redirect to /login when forceLogin is set (#56469)
2022-10-07 01:18:56 -05:00
for _, modifier := range modifiers {
modifier(reqCtx)
}
pkg/web: restrict handler types (#48495) Makes `pkg/web` only accept handles from the following set: ```go handlerStd = func(http.ResponseWriter, *http.Request) handlerStdCtx = func(http.ResponseWriter, *http.Request, *web.Context) handlerStdReqCtx = func(http.ResponseWriter, *http.Request, *models.ReqContext) handlerReqCtx = func(*models.ReqContext) handlerReqCtxRes = func(*models.ReqContext) Response handlerCtx = func(*web.Context) ``` This is a first step to reducing above set to only `http.Handler`. --- Due to a cyclic import situation between `pkg/models` and `pkg/web`, parts of this PR were put into `pkg/api/response`, even though they definitely do not belong there. This however is _temporary_ until we untangle `models.ReqContext`.
2022-05-20 11:45:18 -05:00
c.Req = c.Req.WithContext(ctxkey.Set(c.Req.Context(), reqCtx))
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 04:36:28 -05:00
}
}
Reference in New Issue Copy Permalink