grafana/pkg/services/accesscontrol/models_test.go

package accesscontrol

import (
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

func TestSaveExternalServiceRoleCommand_Validate(t *testing.T) {
	tests := []struct {
		name            string
		cmd             SaveExternalServiceRoleCommand
		wantID          string
		wantPermissions []Permission
		wantErr         bool
	}{
		{
			name: "invalid no permissions",
			cmd: SaveExternalServiceRoleCommand{
				AssignmentOrgID:   1,
				ExternalServiceID: "app 1",
				ServiceAccountID:  2,
				Permissions:       []Permission{},
			},
			wantErr: true,
		},
		{
			name: "invalid service account id",
			cmd: SaveExternalServiceRoleCommand{
				AssignmentOrgID:   1,
				ExternalServiceID: "app 1",
				ServiceAccountID:  -1,
				Permissions:       []Permission{{Action: "users:read", Scope: "users:id:1"}},
			},
			wantErr: true,
		},
		{
			name: "invalid no Ext Service ID",
			cmd: SaveExternalServiceRoleCommand{
				AssignmentOrgID:  1,
				ServiceAccountID: 2,
				Permissions:      []Permission{{Action: "users:read", Scope: "users:id:1"}},
			},
			wantErr: true,
		},
		{
			name: "slugify the external service ID correctly",
			cmd: SaveExternalServiceRoleCommand{
				ExternalServiceID: "ThisIs a Very Strange ___ App Name?",
				AssignmentOrgID:   1,
				ServiceAccountID:  2,
				Permissions:       []Permission{{Action: "users:read", Scope: "users:id:1"}},
			},
			wantErr: false,
			wantID:  "thisis-a-very-strange-app-name",
		},
		{
			name: "invalid empty Action",
			cmd: SaveExternalServiceRoleCommand{
				AssignmentOrgID:   1,
				ExternalServiceID: "app 1",
				ServiceAccountID:  2,
				Permissions:       []Permission{{Action: "", Scope: "users:id:1"}},
			},
			wantID:  "app-1",
			wantErr: true,
		},
		{
			name: "permission deduplication",
			cmd: SaveExternalServiceRoleCommand{
				AssignmentOrgID:   1,
				ExternalServiceID: "app 1",
				ServiceAccountID:  2,
				Permissions: []Permission{
					{Action: "users:read", Scope: "users:id:1"},
					{Action: "users:read", Scope: "users:id:1"},
				},
			},
			wantErr:         false,
			wantID:          "app-1",
			wantPermissions: []Permission{{Action: "users:read", Scope: "users:id:1"}},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			err := tt.cmd.Validate()
			if tt.wantErr {
				require.Error(t, err)
				return
			}
			require.NoError(t, err)

			require.Equal(t, tt.wantID, tt.cmd.ExternalServiceID)
			if tt.wantPermissions != nil {
				require.ElementsMatch(t, tt.wantPermissions, tt.cmd.Permissions)
			}
		})
	}
}

func TestPermission_ScopeSplit(t *testing.T) {
	type testCase struct {
		desc       string
		scope      string
		kind       string
		attribute  string
		identifier string
	}

	tests := []testCase{
		{desc: "all fields should be empty for empty scope", scope: "", kind: "", attribute: "", identifier: ""},
		{desc: "all fields should be set to * for wildcard", scope: "*", kind: "*", attribute: "*", identifier: "*"},
		{desc: "kind should be specified and attribute and identifier should be * for a wildcard with kind prefix", scope: "dashboards:*", kind: "dashboards", attribute: "*", identifier: "*"},
		{desc: "all fields should be set correctly", scope: "dashboards:uid:123", kind: "dashboards", attribute: "uid", identifier: "123"},
		{desc: "can handle a case with : in the uid", scope: "datasources:uid:weird:name", kind: "datasources", attribute: "uid", identifier: "weird:name"},
	}

	for _, tt := range tests {
		t.Run(tt.desc, func(t *testing.T) {
			p := Permission{Scope: tt.scope}

			kind, attribute, identifier := p.SplitScope()
			assert.Equal(t, tt.kind, kind)
			assert.Equal(t, tt.attribute, attribute)
			assert.Equal(t, tt.identifier, identifier)
		})
	}
}
RBAC: Add a function to save external service roles (#66299) * AuthN: Save external services RBAC roles * Add missing test * Placing roles in the same group * Split function to gen role and assignment * add test case and comments * Ensure we check external service roles are assigned once only * Update pkg/services/accesscontrol/models_test.go Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> 2023-05-09 06:19:38 -05:00			`package accesscontrol`

			`import (`
			`"testing"`

RBAC: Split non-empty scopes into `kind`, `attribute` and `identifier` fields for better search performance (#71933) * add a feature toggle * add the fields for attribute, kind and identifier to permission Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * set the new fields when new permissions are stored * add migrations Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * remove comments * Update pkg/services/accesscontrol/migrator/migrator.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * feedback: put column migrations behind the feature toggle, added an index, changed how wildcard scopes are split * PR feedback: add a comment and revert an accidentally changed file * PR feedback: handle the case with : in resource identifier * switch from checking feature toggle through cfg to checking it through featuremgmt * don't put the column migrations behind a feature toggle after all - this breaks permission queries from db --------- Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> 2023-07-21 09:23:01 -05:00			`"github.com/stretchr/testify/assert"`
RBAC: Add a function to save external service roles (#66299) * AuthN: Save external services RBAC roles * Add missing test * Placing roles in the same group * Split function to gen role and assignment * add test case and comments * Ensure we check external service roles are assigned once only * Update pkg/services/accesscontrol/models_test.go Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> 2023-05-09 06:19:38 -05:00			`"github.com/stretchr/testify/require"`
			`)`

			`func TestSaveExternalServiceRoleCommand_Validate(t *testing.T) {`
			`tests := []struct {`
RBAC: Refine validation of external services permissions (#68633) * RBAC: Refine validation of external services permissions * Forgot to log the ext-id 2023-05-17 09:28:14 -05:00			`name string`
			`cmd SaveExternalServiceRoleCommand`
			`wantID string`
			`wantPermissions []Permission`
			`wantErr bool`
RBAC: Add a function to save external service roles (#66299) * AuthN: Save external services RBAC roles * Add missing test * Placing roles in the same group * Split function to gen role and assignment * add test case and comments * Ensure we check external service roles are assigned once only * Update pkg/services/accesscontrol/models_test.go Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> 2023-05-09 06:19:38 -05:00			`}{`
			`{`
			`name: "invalid no permissions",`
			`cmd: SaveExternalServiceRoleCommand{`
ExtSvcAuth: Assign roles locally (#78669) * ExtSvcAuth: Assign roles locally * Fix test * HandlePluginStateChanged in the OrgID * Remove Global from command * Use AssignmentOrgID instead of OrgID * Remove unecessary test case 2023-11-29 05:12:30 -06:00			`AssignmentOrgID: 1,`
RBAC: Add a function to save external service roles (#66299) * AuthN: Save external services RBAC roles * Add missing test * Placing roles in the same group * Split function to gen role and assignment * add test case and comments * Ensure we check external service roles are assigned once only * Update pkg/services/accesscontrol/models_test.go Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> 2023-05-09 06:19:38 -05:00			`ExternalServiceID: "app 1",`
			`ServiceAccountID: 2,`
			`Permissions: []Permission{},`
			`},`
			`wantErr: true,`
			`},`
			`{`
			`name: "invalid service account id",`
			`cmd: SaveExternalServiceRoleCommand{`
ExtSvcAuth: Assign roles locally (#78669) * ExtSvcAuth: Assign roles locally * Fix test * HandlePluginStateChanged in the OrgID * Remove Global from command * Use AssignmentOrgID instead of OrgID * Remove unecessary test case 2023-11-29 05:12:30 -06:00			`AssignmentOrgID: 1,`
RBAC: Add a function to save external service roles (#66299) * AuthN: Save external services RBAC roles * Add missing test * Placing roles in the same group * Split function to gen role and assignment * add test case and comments * Ensure we check external service roles are assigned once only * Update pkg/services/accesscontrol/models_test.go Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> 2023-05-09 06:19:38 -05:00			`ExternalServiceID: "app 1",`
			`ServiceAccountID: -1,`
			`Permissions: []Permission{{Action: "users:read", Scope: "users:id:1"}},`
			`},`
			`wantErr: true,`
			`},`
			`{`
			`name: "invalid no Ext Service ID",`
			`cmd: SaveExternalServiceRoleCommand{`
ExtSvcAuth: Assign roles locally (#78669) * ExtSvcAuth: Assign roles locally * Fix test * HandlePluginStateChanged in the OrgID * Remove Global from command * Use AssignmentOrgID instead of OrgID * Remove unecessary test case 2023-11-29 05:12:30 -06:00			`AssignmentOrgID: 1,`
RBAC: Add a function to save external service roles (#66299) * AuthN: Save external services RBAC roles * Add missing test * Placing roles in the same group * Split function to gen role and assignment * add test case and comments * Ensure we check external service roles are assigned once only * Update pkg/services/accesscontrol/models_test.go Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> 2023-05-09 06:19:38 -05:00			`ServiceAccountID: 2,`
			`Permissions: []Permission{{Action: "users:read", Scope: "users:id:1"}},`
			`},`
			`wantErr: true,`
			`},`
			`{`
			`name: "slugify the external service ID correctly",`
			`cmd: SaveExternalServiceRoleCommand{`
			`ExternalServiceID: "ThisIs a Very Strange ___ App Name?",`
ExtSvcAuth: Assign roles locally (#78669) * ExtSvcAuth: Assign roles locally * Fix test * HandlePluginStateChanged in the OrgID * Remove Global from command * Use AssignmentOrgID instead of OrgID * Remove unecessary test case 2023-11-29 05:12:30 -06:00			`AssignmentOrgID: 1,`
RBAC: Add a function to save external service roles (#66299) * AuthN: Save external services RBAC roles * Add missing test * Placing roles in the same group * Split function to gen role and assignment * add test case and comments * Ensure we check external service roles are assigned once only * Update pkg/services/accesscontrol/models_test.go Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> 2023-05-09 06:19:38 -05:00			`ServiceAccountID: 2,`
			`Permissions: []Permission{{Action: "users:read", Scope: "users:id:1"}},`
			`},`
			`wantErr: false,`
Slug: Combine various slugify fixes for special character handling (#73164) * combine various slugify fixes for special character handling * a couple more test cases * update more tests * goimports 2023-08-10 15:12:50 -05:00			`wantID: "thisis-a-very-strange-app-name",`
RBAC: Add a function to save external service roles (#66299) * AuthN: Save external services RBAC roles * Add missing test * Placing roles in the same group * Split function to gen role and assignment * add test case and comments * Ensure we check external service roles are assigned once only * Update pkg/services/accesscontrol/models_test.go Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> 2023-05-09 06:19:38 -05:00			`},`
RBAC: Refine validation of external services permissions (#68633) * RBAC: Refine validation of external services permissions * Forgot to log the ext-id 2023-05-17 09:28:14 -05:00			`{`
			`name: "invalid empty Action",`
			`cmd: SaveExternalServiceRoleCommand{`
ExtSvcAuth: Assign roles locally (#78669) * ExtSvcAuth: Assign roles locally * Fix test * HandlePluginStateChanged in the OrgID * Remove Global from command * Use AssignmentOrgID instead of OrgID * Remove unecessary test case 2023-11-29 05:12:30 -06:00			`AssignmentOrgID: 1,`
RBAC: Refine validation of external services permissions (#68633) * RBAC: Refine validation of external services permissions * Forgot to log the ext-id 2023-05-17 09:28:14 -05:00			`ExternalServiceID: "app 1",`
			`ServiceAccountID: 2,`
			`Permissions: []Permission{{Action: "", Scope: "users:id:1"}},`
			`},`
			`wantID: "app-1",`
			`wantErr: true,`
			`},`
			`{`
			`name: "permission deduplication",`
			`cmd: SaveExternalServiceRoleCommand{`
ExtSvcAuth: Assign roles locally (#78669) * ExtSvcAuth: Assign roles locally * Fix test * HandlePluginStateChanged in the OrgID * Remove Global from command * Use AssignmentOrgID instead of OrgID * Remove unecessary test case 2023-11-29 05:12:30 -06:00			`AssignmentOrgID: 1,`
RBAC: Refine validation of external services permissions (#68633) * RBAC: Refine validation of external services permissions * Forgot to log the ext-id 2023-05-17 09:28:14 -05:00			`ExternalServiceID: "app 1",`
			`ServiceAccountID: 2,`
			`Permissions: []Permission{`
			`{Action: "users:read", Scope: "users:id:1"},`
			`{Action: "users:read", Scope: "users:id:1"},`
			`},`
			`},`
			`wantErr: false,`
			`wantID: "app-1",`
			`wantPermissions: []Permission{{Action: "users:read", Scope: "users:id:1"}},`
			`},`
RBAC: Add a function to save external service roles (#66299) * AuthN: Save external services RBAC roles * Add missing test * Placing roles in the same group * Split function to gen role and assignment * add test case and comments * Ensure we check external service roles are assigned once only * Update pkg/services/accesscontrol/models_test.go Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> 2023-05-09 06:19:38 -05:00			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`err := tt.cmd.Validate()`
			`if tt.wantErr {`
			`require.Error(t, err)`
			`return`
			`}`
			`require.NoError(t, err)`

			`require.Equal(t, tt.wantID, tt.cmd.ExternalServiceID)`
RBAC: Refine validation of external services permissions (#68633) * RBAC: Refine validation of external services permissions * Forgot to log the ext-id 2023-05-17 09:28:14 -05:00			`if tt.wantPermissions != nil {`
			`require.ElementsMatch(t, tt.wantPermissions, tt.cmd.Permissions)`
			`}`
RBAC: Add a function to save external service roles (#66299) * AuthN: Save external services RBAC roles * Add missing test * Placing roles in the same group * Split function to gen role and assignment * add test case and comments * Ensure we check external service roles are assigned once only * Update pkg/services/accesscontrol/models_test.go Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> 2023-05-09 06:19:38 -05:00			`})`
			`}`
			`}`
RBAC: Split non-empty scopes into `kind`, `attribute` and `identifier` fields for better search performance (#71933) * add a feature toggle * add the fields for attribute, kind and identifier to permission Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * set the new fields when new permissions are stored * add migrations Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * remove comments * Update pkg/services/accesscontrol/migrator/migrator.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * feedback: put column migrations behind the feature toggle, added an index, changed how wildcard scopes are split * PR feedback: add a comment and revert an accidentally changed file * PR feedback: handle the case with : in resource identifier * switch from checking feature toggle through cfg to checking it through featuremgmt * don't put the column migrations behind a feature toggle after all - this breaks permission queries from db --------- Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> 2023-07-21 09:23:01 -05:00
			`func TestPermission_ScopeSplit(t *testing.T) {`
			`type testCase struct {`
			`desc string`
			`scope string`
			`kind string`
			`attribute string`
			`identifier string`
			`}`

			`tests := []testCase{`
			`{desc: "all fields should be empty for empty scope", scope: "", kind: "", attribute: "", identifier: ""},`
			`{desc: "all fields should be set to * for wildcard", scope: "", kind: "", attribute: "", identifier: ""},`
			`{desc: "kind should be specified and attribute and identifier should be * for a wildcard with kind prefix", scope: "dashboards:", kind: "dashboards", attribute: "", identifier: "*"},`
			`{desc: "all fields should be set correctly", scope: "dashboards:uid:123", kind: "dashboards", attribute: "uid", identifier: "123"},`
			`{desc: "can handle a case with : in the uid", scope: "datasources:uid:weird:name", kind: "datasources", attribute: "uid", identifier: "weird:name"},`
			`}`

			`for _, tt := range tests {`
			`t.Run(tt.desc, func(t *testing.T) {`
			`p := Permission{Scope: tt.scope}`

			`kind, attribute, identifier := p.SplitScope()`
			`assert.Equal(t, tt.kind, kind)`
			`assert.Equal(t, tt.attribute, attribute)`
			`assert.Equal(t, tt.identifier, identifier)`
			`})`
			`}`
			`}`