IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-20 11:48:34 -06:00
Code Issues Packages Projects Releases Wiki Activity
857649e30b
grafana/pkg/services/accesscontrol/resourcepermissions/api_test.go

530 lines
18 KiB
Go
Raw Normal View History

Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
package resourcepermissions
import (
"context"
"encoding/json"
"fmt"
"net/http"
"net/http/httptest"
"path"
"strconv"
"strings"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/accesscontrol"
pkg/web: restrict handler types (#48495) Makes `pkg/web` only accept handles from the following set: ```go handlerStd = func(http.ResponseWriter, *http.Request) handlerStdCtx = func(http.ResponseWriter, *http.Request, *web.Context) handlerStdReqCtx = func(http.ResponseWriter, *http.Request, *models.ReqContext) handlerReqCtx = func(*models.ReqContext) handlerReqCtxRes = func(*models.ReqContext) Response handlerCtx = func(*web.Context) ``` This is a first step to reducing above set to only `http.Handler`. --- Due to a cyclic import situation between `pkg/models` and `pkg/web`, parts of this PR were put into `pkg/api/response`, even though they definitely do not belong there. This however is _temporary_ until we untangle `models.ReqContext`.
2022-05-20 11:45:18 -05:00
"github.com/grafana/grafana/pkg/services/contexthandler/ctxkey"
chore: remove CreateUser from sqlstore & replace with userService.CreateUserForTests (#59910)
2022-12-07 10:03:22 -06:00
"github.com/grafana/grafana/pkg/services/org/orgimpl"
"github.com/grafana/grafana/pkg/services/quota/quotatest"
Access control: Support uids for resource permissions (#45226) * add middleware to solve uid -> id for requests
2022-02-10 10:47:48 -06:00
"github.com/grafana/grafana/pkg/services/sqlstore"
Chore: Move team store implementation to a separate package (#55514) * Chore: move team store implementation to a separate package * trying to fix more tests * fix tests in service accounts and access control * fix common tests * restore commented out test * add todos
2022-09-22 12:16:21 -05:00
"github.com/grafana/grafana/pkg/services/team/teamimpl"
Split Create User (#50502) * Split Create User * Use new create user and User from package user * Add service to wire * Making create user work * Replace user from user pkg * One more * Move Insert to orguser Service/Store * Remove unnecessary conversion * Cleaunp * Fix Get User and add fakes * Fixing get org id for user logic, adding fakes and other adjustments * Add some tests for ourguser service and store * Fix insert org logic * Add comment about deprecation * Fix after merge with main * Move orguser service/store to org service/store * Remove orguser from wire * Unimplement new Create user and use User from pkg user * Fix wire generation * Fix lint * Fix lint - use only User and CrateUserCommand from user pkg * Remove User and CreateUserCommand from models * Fix lint 2
2022-06-28 07:32:25 -05:00
"github.com/grafana/grafana/pkg/services/user"
chore: remove CreateUser from sqlstore & replace with userService.CreateUserForTests (#59910)
2022-12-07 10:03:22 -06:00
"github.com/grafana/grafana/pkg/services/user/userimpl"
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/web"
)
type getDescriptionTestCase struct {
desc string
options Options
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 03:17:48 -05:00
permissions []accesscontrol.Permission
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
expected Description
expectedStatus int
}
func TestApi_getDescription(t *testing.T) {
tests := []getDescriptionTestCase{
{
desc: "should return description",
options: Options{
Access Control: Support other attributes than id for resource permissions (#46727) * Add option to set ResourceAttribute for a permissions service * Use prefix in access control sql filter to parse scopes * Use prefix in access control metadata to check access
2022-03-21 11:58:18 -05:00
Resource: "dashboards",
ResourceAttribute: "uid",
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
Assignments: Assignments{
Users: true,
Teams: true,
BuiltInRoles: true,
},
PermissionsToActions: map[string][]string{
"View": {"dashboards:read"},
"Edit": {"dashboards:read", "dashboards:write", "dashboards:delete"},
"Admin": {"dashboards:read", "dashboards:write", "dashboards:delete", "dashboards.permissions:read", "dashboards:permissions:write"},
},
},
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 03:17:48 -05:00
permissions: []accesscontrol.Permission{
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
{Action: "dashboards.permissions:read"},
},
expected: Description{
Assignments: Assignments{
Users: true,
Teams: true,
BuiltInRoles: true,
},
Permissions: []string{"View", "Edit", "Admin"},
},
expectedStatus: http.StatusOK,
},
{
desc: "should only return user assignment",
options: Options{
Access Control: Support other attributes than id for resource permissions (#46727) * Add option to set ResourceAttribute for a permissions service * Use prefix in access control sql filter to parse scopes * Use prefix in access control metadata to check access
2022-03-21 11:58:18 -05:00
Resource: "dashboards",
ResourceAttribute: "uid",
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
Assignments: Assignments{
Users: true,
Teams: false,
BuiltInRoles: false,
},
PermissionsToActions: map[string][]string{
"View": {"dashboards:read"},
},
},
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 03:17:48 -05:00
permissions: []accesscontrol.Permission{
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
{Action: "dashboards.permissions:read"},
},
expected: Description{
Assignments: Assignments{
Users: true,
Teams: false,
BuiltInRoles: false,
},
Permissions: []string{"View"},
},
expectedStatus: http.StatusOK,
},
{
desc: "should return 403 when missing read permission",
options: Options{
Access Control: Support other attributes than id for resource permissions (#46727) * Add option to set ResourceAttribute for a permissions service * Use prefix in access control sql filter to parse scopes * Use prefix in access control metadata to check access
2022-03-21 11:58:18 -05:00
Resource: "dashboards",
ResourceAttribute: "uid",
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
Assignments: Assignments{
Users: true,
Teams: false,
BuiltInRoles: false,
},
PermissionsToActions: map[string][]string{
"View": {"dashboards:read"},
},
},
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 03:17:48 -05:00
permissions: []accesscontrol.Permission{},
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
expected: Description{},
expectedStatus: http.StatusForbidden,
},
}
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
Chore: Move team store implementation to a separate package (#55514) * Chore: move team store implementation to a separate package * trying to fix more tests * fix tests in service accounts and access control * fix common tests * restore commented out test * add todos
2022-09-22 12:16:21 -05:00
service, _, _ := setupTestEnvironment(t, tt.permissions, tt.options)
Chore: Add user service method SetUsingOrg and GetSignedInUserWithCacheCtx (#53343) * Chore: Add user service method SetUsingOrg * Chore: Add user service method GetSignedInUserWithCacheCtx * Use method GetSignedInUserWithCacheCtx from user service * Fix lint after rebase * Fix lint * Fix lint error * roll back some changes * Roll back changes in api and middleware * Add xorm tags to SignedInUser ID fields
2022-08-11 06:28:55 -05:00
server := setupTestServer(t, &user.SignedInUser{OrgID: 1}, service)
Access control: Add optional hooks (#43372) * Add optional OnSet hooks
2021-12-23 03:10:06 -06:00
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("/api/access-control/%s/description", tt.options.Resource), nil)
require.NoError(t, err)
recorder := httptest.NewRecorder()
server.ServeHTTP(recorder, req)
got := Description{}
require.NoError(t, json.NewDecoder(recorder.Body).Decode(&got))
assert.Equal(t, tt.expected, got)
if tt.expectedStatus == http.StatusOK {
assert.Equal(t, tt.expectedStatus, recorder.Code)
}
})
}
}
type getPermissionsTestCase struct {
desc string
resourceID string
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 03:17:48 -05:00
permissions []accesscontrol.Permission
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
expectedStatus int
}
func TestApi_getPermissions(t *testing.T) {
tests := []getPermissionsTestCase{
{
Access control: Filter users and teams by read permissions (#45968) * pass signed in user and filter based on permissions
2022-03-01 03:58:41 -06:00
desc: "expect permissions for resource with id 1",
resourceID: "1",
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 03:17:48 -05:00
permissions: []accesscontrol.Permission{
Access control: Filter users and teams by read permissions (#45968) * pass signed in user and filter based on permissions
2022-03-01 03:58:41 -06:00
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
{Action: accesscontrol.ActionOrgUsersRead, Scope: accesscontrol.ScopeUsersAll},
},
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
expectedStatus: 200,
},
{
desc: "expect http status 403 when missing permission",
resourceID: "1",
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 03:17:48 -05:00
permissions: []accesscontrol.Permission{},
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
expectedStatus: 403,
},
}
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
Chore: Move team store implementation to a separate package (#55514) * Chore: move team store implementation to a separate package * trying to fix more tests * fix tests in service accounts and access control * fix common tests * restore commented out test * add todos
2022-09-22 12:16:21 -05:00
service, sql, _ := setupTestEnvironment(t, tt.permissions, testOptions)
Chore: Add user service method SetUsingOrg and GetSignedInUserWithCacheCtx (#53343) * Chore: Add user service method SetUsingOrg * Chore: Add user service method GetSignedInUserWithCacheCtx * Use method GetSignedInUserWithCacheCtx from user service * Fix lint after rebase * Fix lint * Fix lint error * roll back some changes * Roll back changes in api and middleware * Add xorm tags to SignedInUser ID fields
2022-08-11 06:28:55 -05:00
server := setupTestServer(t, &user.SignedInUser{OrgID: 1, Permissions: map[int64]map[string][]string{1: accesscontrol.GroupScopesByAction(tt.permissions)}}, service)
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
Access control: Support uids for resource permissions (#45226) * add middleware to solve uid -> id for requests
2022-02-10 10:47:48 -06:00
seedPermissions(t, tt.resourceID, sql, service)
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
Revert "Service accounts: Add service account to teams" (#52710) * Revert "Service accounts: Add service account to teams (#51536)" This reverts commit 0f919671e79f5130f8d63a52361beef4b0ae3609. * remove unneeded line * fix test
2022-07-26 03:43:29 -05:00
permissions, recorder := getPermission(t, server, testOptions.Resource, tt.resourceID)
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
assert.Equal(t, tt.expectedStatus, recorder.Code)
if tt.expectedStatus == http.StatusOK {
Dashboard/Folder permission fix session (#47174) * Fix inherited scopes for dashboard to use folder uid * Add inherited evaluators * Slight modification of the commments * Add test for inheritance * Nit. * extract shared function from tests * Nit. Extra line * Remove unused comment Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-04-05 07:28:23 -05:00
checkSeededPermissions(t, permissions)
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
}
})
}
}
type setBuiltinPermissionTestCase struct {
desc string
resourceID string
builtInRole string
expectedStatus int
permission string
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 03:17:48 -05:00
permissions []accesscontrol.Permission
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
}
func TestApi_setBuiltinRolePermission(t *testing.T) {
tests := []setBuiltinPermissionTestCase{
{
desc: "should set Edit permission for Viewer",
resourceID: "1",
builtInRole: "Viewer",
expectedStatus: 200,
permission: "Edit",
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 03:17:48 -05:00
permissions: []accesscontrol.Permission{
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
Access control: Filter users and teams by read permissions (#45968) * pass signed in user and filter based on permissions
2022-03-01 03:58:41 -06:00
{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
{Action: accesscontrol.ActionOrgUsersRead, Scope: accesscontrol.ScopeUsersAll},
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
},
},
{
desc: "should set View permission for Admin",
resourceID: "1",
builtInRole: "Admin",
expectedStatus: 200,
permission: "View",
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 03:17:48 -05:00
permissions: []accesscontrol.Permission{
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
Access control: Filter users and teams by read permissions (#45968) * pass signed in user and filter based on permissions
2022-03-01 03:58:41 -06:00
{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
{Action: accesscontrol.ActionOrgUsersRead, Scope: accesscontrol.ScopeUsersAll},
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
},
},
{
desc: "should return http 400 for invalid built in role",
resourceID: "1",
builtInRole: "Invalid",
expectedStatus: http.StatusBadRequest,
permission: "View",
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 03:17:48 -05:00
permissions: []accesscontrol.Permission{
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
},
},
{
desc: "should set return http 403 when missing permissions",
resourceID: "1",
builtInRole: "Invalid",
expectedStatus: http.StatusForbidden,
permission: "View",
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 03:17:48 -05:00
permissions: []accesscontrol.Permission{
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
},
},
}
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
Chore: Move team store implementation to a separate package (#55514) * Chore: move team store implementation to a separate package * trying to fix more tests * fix tests in service accounts and access control * fix common tests * restore commented out test * add todos
2022-09-22 12:16:21 -05:00
service, _, _ := setupTestEnvironment(t, tt.permissions, testOptions)
Chore: Add user service method SetUsingOrg and GetSignedInUserWithCacheCtx (#53343) * Chore: Add user service method SetUsingOrg * Chore: Add user service method GetSignedInUserWithCacheCtx * Use method GetSignedInUserWithCacheCtx from user service * Fix lint after rebase * Fix lint * Fix lint error * roll back some changes * Roll back changes in api and middleware * Add xorm tags to SignedInUser ID fields
2022-08-11 06:28:55 -05:00
server := setupTestServer(t, &user.SignedInUser{OrgID: 1, Permissions: map[int64]map[string][]string{1: accesscontrol.GroupScopesByAction(tt.permissions)}}, service)
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
Revert "Service accounts: Add service account to teams" (#52710) * Revert "Service accounts: Add service account to teams (#51536)" This reverts commit 0f919671e79f5130f8d63a52361beef4b0ae3609. * remove unneeded line * fix test
2022-07-26 03:43:29 -05:00
recorder := setPermission(t, server, testOptions.Resource, tt.resourceID, tt.permission, "builtInRoles", tt.builtInRole)
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
assert.Equal(t, tt.expectedStatus, recorder.Code)
if tt.expectedStatus == http.StatusOK {
Revert "Service accounts: Add service account to teams" (#52710) * Revert "Service accounts: Add service account to teams (#51536)" This reverts commit 0f919671e79f5130f8d63a52361beef4b0ae3609. * remove unneeded line * fix test
2022-07-26 03:43:29 -05:00
permissions, _ := getPermission(t, server, testOptions.Resource, tt.resourceID)
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
require.Len(t, permissions, 1)
assert.Equal(t, tt.permission, permissions[0].Permission)
assert.Equal(t, tt.builtInRole, permissions[0].BuiltInRole)
}
})
}
}
type setTeamPermissionTestCase struct {
desc string
teamID int64
resourceID string
expectedStatus int
permission string
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 03:17:48 -05:00
permissions []accesscontrol.Permission
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
}
func TestApi_setTeamPermission(t *testing.T) {
tests := []setTeamPermissionTestCase{
{
desc: "should set Edit permission for team 1",
teamID: 1,
resourceID: "1",
expectedStatus: 200,
permission: "Edit",
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 03:17:48 -05:00
permissions: []accesscontrol.Permission{
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
Access control: Filter users and teams by read permissions (#45968) * pass signed in user and filter based on permissions
2022-03-01 03:58:41 -06:00
{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
{Action: accesscontrol.ActionOrgUsersRead, Scope: accesscontrol.ScopeUsersAll},
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
},
},
{
desc: "should set View permission for team 1",
teamID: 1,
resourceID: "1",
expectedStatus: 200,
permission: "View",
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 03:17:48 -05:00
permissions: []accesscontrol.Permission{
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
Access control: Filter users and teams by read permissions (#45968) * pass signed in user and filter based on permissions
2022-03-01 03:58:41 -06:00
{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
{Action: accesscontrol.ActionOrgUsersRead, Scope: accesscontrol.ScopeUsersAll},
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
},
},
{
desc: "should set return http 400 when team does not exist",
teamID: 2,
resourceID: "1",
expectedStatus: http.StatusBadRequest,
permission: "View",
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 03:17:48 -05:00
permissions: []accesscontrol.Permission{
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
},
},
{
desc: "should set return http 403 when missing permissions",
teamID: 2,
resourceID: "1",
expectedStatus: http.StatusForbidden,
permission: "View",
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 03:17:48 -05:00
permissions: []accesscontrol.Permission{
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
},
},
}
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
Chore: Move team store implementation to a separate package (#55514) * Chore: move team store implementation to a separate package * trying to fix more tests * fix tests in service accounts and access control * fix common tests * restore commented out test * add todos
2022-09-22 12:16:21 -05:00
service, _, teamSvc := setupTestEnvironment(t, tt.permissions, testOptions)
Chore: Add user service method SetUsingOrg and GetSignedInUserWithCacheCtx (#53343) * Chore: Add user service method SetUsingOrg * Chore: Add user service method GetSignedInUserWithCacheCtx * Use method GetSignedInUserWithCacheCtx from user service * Fix lint after rebase * Fix lint * Fix lint error * roll back some changes * Roll back changes in api and middleware * Add xorm tags to SignedInUser ID fields
2022-08-11 06:28:55 -05:00
server := setupTestServer(t, &user.SignedInUser{OrgID: 1, Permissions: map[int64]map[string][]string{1: accesscontrol.GroupScopesByAction(tt.permissions)}}, service)
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
// seed team
Chore: Move team store implementation to a separate package (#55514) * Chore: move team store implementation to a separate package * trying to fix more tests * fix tests in service accounts and access control * fix common tests * restore commented out test * add todos
2022-09-22 12:16:21 -05:00
_, err := teamSvc.CreateTeam("test", "test@test.com", 1)
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
require.NoError(t, err)
Revert "Service accounts: Add service account to teams" (#52710) * Revert "Service accounts: Add service account to teams (#51536)" This reverts commit 0f919671e79f5130f8d63a52361beef4b0ae3609. * remove unneeded line * fix test
2022-07-26 03:43:29 -05:00
recorder := setPermission(t, server, testOptions.Resource, tt.resourceID, tt.permission, "teams", strconv.Itoa(int(tt.teamID)))
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
assert.Equal(t, tt.expectedStatus, recorder.Code)
assert.Equal(t, tt.expectedStatus, recorder.Code)
if tt.expectedStatus == http.StatusOK {
Revert "Service accounts: Add service account to teams" (#52710) * Revert "Service accounts: Add service account to teams (#51536)" This reverts commit 0f919671e79f5130f8d63a52361beef4b0ae3609. * remove unneeded line * fix test
2022-07-26 03:43:29 -05:00
permissions, _ := getPermission(t, server, testOptions.Resource, tt.resourceID)
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
require.Len(t, permissions, 1)
assert.Equal(t, tt.permission, permissions[0].Permission)
assert.Equal(t, tt.teamID, permissions[0].TeamID)
}
})
}
}
type setUserPermissionTestCase struct {
desc string
userID int64
resourceID string
expectedStatus int
permission string
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 03:17:48 -05:00
permissions []accesscontrol.Permission
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
}
func TestApi_setUserPermission(t *testing.T) {
tests := []setUserPermissionTestCase{
{
desc: "should set Edit permission for user 1",
userID: 1,
resourceID: "1",
expectedStatus: 200,
permission: "Edit",
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 03:17:48 -05:00
permissions: []accesscontrol.Permission{
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
Access control: Filter users and teams by read permissions (#45968) * pass signed in user and filter based on permissions
2022-03-01 03:58:41 -06:00
{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
{Action: accesscontrol.ActionOrgUsersRead, Scope: accesscontrol.ScopeUsersAll},
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
},
},
{
desc: "should set View permission for user 1",
userID: 1,
resourceID: "1",
expectedStatus: 200,
permission: "View",
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 03:17:48 -05:00
permissions: []accesscontrol.Permission{
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
Access control: Filter users and teams by read permissions (#45968) * pass signed in user and filter based on permissions
2022-03-01 03:58:41 -06:00
{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
{Action: accesscontrol.ActionOrgUsersRead, Scope: accesscontrol.ScopeUsersAll},
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
},
},
{
desc: "should set return http 400 when user does not exist",
userID: 2,
resourceID: "1",
expectedStatus: http.StatusBadRequest,
permission: "View",
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 03:17:48 -05:00
permissions: []accesscontrol.Permission{
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
},
},
{
desc: "should set return http 403 when missing permissions",
userID: 2,
resourceID: "1",
expectedStatus: http.StatusForbidden,
permission: "View",
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 03:17:48 -05:00
permissions: []accesscontrol.Permission{
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
},
},
}
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
Chore: Move team store implementation to a separate package (#55514) * Chore: move team store implementation to a separate package * trying to fix more tests * fix tests in service accounts and access control * fix common tests * restore commented out test * add todos
2022-09-22 12:16:21 -05:00
service, sql, _ := setupTestEnvironment(t, tt.permissions, testOptions)
chore: remove CreateUser from sqlstore & replace with userService.CreateUserForTests (#59910)
2022-12-07 10:03:22 -06:00
server := setupTestServer(t, &user.SignedInUser{
OrgID: 1,
Permissions: map[int64]map[string][]string{1: accesscontrol.GroupScopesByAction(tt.permissions)},
}, service)
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
Access control: Add optional hooks (#43372) * Add optional OnSet hooks
2021-12-23 03:10:06 -06:00
// seed user
chore: remove CreateUser from sqlstore & replace with userService.CreateUserForTests (#59910)
2022-12-07 10:03:22 -06:00
orgSvc, err := orgimpl.ProvideService(sql, sql.Cfg, quotatest.New(false, nil))
require.NoError(t, err)
usrSvc, err := userimpl.ProvideService(sql, orgSvc, sql.Cfg, nil, nil, &quotatest.FakeQuotaService{})
require.NoError(t, err)
_, err = usrSvc.Create(context.Background(), &user.CreateUserCommand{Login: "test", OrgID: 1})
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
require.NoError(t, err)
Revert "Service accounts: Add service account to teams" (#52710) * Revert "Service accounts: Add service account to teams (#51536)" This reverts commit 0f919671e79f5130f8d63a52361beef4b0ae3609. * remove unneeded line * fix test
2022-07-26 03:43:29 -05:00
recorder := setPermission(t, server, testOptions.Resource, tt.resourceID, tt.permission, "users", strconv.Itoa(int(tt.userID)))
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
assert.Equal(t, tt.expectedStatus, recorder.Code)
Service accounts: Add service account to teams (#51536) * Revert "Serviceaccounts: #48995 Do not display service accounts assigned to team (#48995)" This reverts commit cbf71fbd7fc444cf298ff39e5777ba24fe5a4210. * fix: test to not include more actions than necessary * adding service accounts to teams - backend and frontend changes * also support SA addition through the old team membership endpoints * fix tests * tests * serviceaccounts permission tests * serviceaccounts permission service tests run * added back test that was removed by accident * lint * refactor: add testoptionsTeams * fix a bug * service account picker change * explicitly set SA managed permissions to false for dash and folders * lint * allow team creator to list service accounts Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-07-06 04:34:36 -05:00
assert.Equal(t, tt.expectedStatus, recorder.Code)
if tt.expectedStatus == http.StatusOK {
Revert "Service accounts: Add service account to teams" (#52710) * Revert "Service accounts: Add service account to teams (#51536)" This reverts commit 0f919671e79f5130f8d63a52361beef4b0ae3609. * remove unneeded line * fix test
2022-07-26 03:43:29 -05:00
permissions, _ := getPermission(t, server, testOptions.Resource, tt.resourceID)
Service accounts: Add service account to teams (#51536) * Revert "Serviceaccounts: #48995 Do not display service accounts assigned to team (#48995)" This reverts commit cbf71fbd7fc444cf298ff39e5777ba24fe5a4210. * fix: test to not include more actions than necessary * adding service accounts to teams - backend and frontend changes * also support SA addition through the old team membership endpoints * fix tests * tests * serviceaccounts permission tests * serviceaccounts permission service tests run * added back test that was removed by accident * lint * refactor: add testoptionsTeams * fix a bug * service account picker change * explicitly set SA managed permissions to false for dash and folders * lint * allow team creator to list service accounts Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-07-06 04:34:36 -05:00
require.Len(t, permissions, 1)
assert.Equal(t, tt.permission, permissions[0].Permission)
Revert "Service accounts: Add service account to teams" (#52710) * Revert "Service accounts: Add service account to teams (#51536)" This reverts commit 0f919671e79f5130f8d63a52361beef4b0ae3609. * remove unneeded line * fix test
2022-07-26 03:43:29 -05:00
assert.Equal(t, tt.userID, permissions[0].UserID)
Service accounts: Add service account to teams (#51536) * Revert "Serviceaccounts: #48995 Do not display service accounts assigned to team (#48995)" This reverts commit cbf71fbd7fc444cf298ff39e5777ba24fe5a4210. * fix: test to not include more actions than necessary * adding service accounts to teams - backend and frontend changes * also support SA addition through the old team membership endpoints * fix tests * tests * serviceaccounts permission tests * serviceaccounts permission service tests run * added back test that was removed by accident * lint * refactor: add testoptionsTeams * fix a bug * service account picker change * explicitly set SA managed permissions to false for dash and folders * lint * allow team creator to list service accounts Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-07-06 04:34:36 -05:00
}
})
}
}
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 04:56:48 -05:00
func setupTestServer(t *testing.T, user *user.SignedInUser, service *Service) *web.Mux {
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
server := web.New()
server.UseMiddleware(web.Renderer(path.Join(setting.StaticRootPath, "views"), "[[", "]]"))
server.Use(contextProvider(&testContext{user}))
service.api.router.Register(server)
Access control: Add optional hooks (#43372) * Add optional OnSet hooks
2021-12-23 03:10:06 -06:00
return server
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
}
type testContext struct {
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 04:56:48 -05:00
user *user.SignedInUser
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
}
func contextProvider(tc *testContext) web.Handler {
return func(c *web.Context) {
signedIn := tc.user != nil
reqCtx := &models.ReqContext{
Context: c,
SignedInUser: tc.user,
IsSignedIn: signedIn,
SkipCache: true,
Logger: log.New("test"),
}
pkg/web: restrict handler types (#48495) Makes `pkg/web` only accept handles from the following set: ```go handlerStd = func(http.ResponseWriter, *http.Request) handlerStdCtx = func(http.ResponseWriter, *http.Request, *web.Context) handlerStdReqCtx = func(http.ResponseWriter, *http.Request, *models.ReqContext) handlerReqCtx = func(*models.ReqContext) handlerReqCtxRes = func(*models.ReqContext) Response handlerCtx = func(*web.Context) ``` This is a first step to reducing above set to only `http.Handler`. --- Due to a cyclic import situation between `pkg/models` and `pkg/web`, parts of this PR were put into `pkg/api/response`, even though they definitely do not belong there. This however is _temporary_ until we untangle `models.ReqContext`.
2022-05-20 11:45:18 -05:00
c.Req = c.Req.WithContext(ctxkey.Set(c.Req.Context(), reqCtx))
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
}
}
Revert "Service accounts: Add service account to teams" (#52710) * Revert "Service accounts: Add service account to teams (#51536)" This reverts commit 0f919671e79f5130f8d63a52361beef4b0ae3609. * remove unneeded line * fix test
2022-07-26 03:43:29 -05:00
var testOptions = Options{
Access Control: Support other attributes than id for resource permissions (#46727) * Add option to set ResourceAttribute for a permissions service * Use prefix in access control sql filter to parse scopes * Use prefix in access control metadata to check access
2022-03-21 11:58:18 -05:00
Resource: "dashboards",
ResourceAttribute: "id",
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
Assignments: Assignments{
Revert "Service accounts: Add service account to teams" (#52710) * Revert "Service accounts: Add service account to teams (#51536)" This reverts commit 0f919671e79f5130f8d63a52361beef4b0ae3609. * remove unneeded line * fix test
2022-07-26 03:43:29 -05:00
Users: true,
Teams: true,
BuiltInRoles: true,
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 02:52:24 -06:00
},
PermissionsToActions: map[string][]string{
"View": {"dashboards:read"},
"Edit": {"dashboards:read", "dashboards:write", "dashboards:delete"},
},
}
func getPermission(t *testing.T, server *web.Mux, resource, resourceID string) ([]resourcePermissionDTO, *httptest.ResponseRecorder) {
req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("/api/access-control/%s/%s", resource, resourceID), nil)
require.NoError(t, err)
recorder := httptest.NewRecorder()
server.ServeHTTP(recorder, req)
var permissions []resourcePermissionDTO
if recorder.Code == http.StatusOK {
require.NoError(t, json.NewDecoder(recorder.Body).Decode(&permissions))
}
return permissions, recorder
}
func setPermission(t *testing.T, server *web.Mux, resource, resourceID, permission, assignment, assignTo string) *httptest.ResponseRecorder {
body := strings.NewReader(fmt.Sprintf(`{"permission": "%s"}`, permission))
req, err := http.NewRequest(http.MethodPost, fmt.Sprintf("/api/access-control/%s/%s/%s/%s", resource, resourceID, assignment, assignTo), body)
require.NoError(t, err)
req.Header.Set("Content-Type", "application/json")
recorder := httptest.NewRecorder()
server.ServeHTTP(recorder, req)
return recorder
}
Access control: Support uids for resource permissions (#45226) * add middleware to solve uid -> id for requests
2022-02-10 10:47:48 -06:00
Dashboard/Folder permission fix session (#47174) * Fix inherited scopes for dashboard to use folder uid * Add inherited evaluators * Slight modification of the commments * Add test for inheritance * Nit. * extract shared function from tests * Nit. Extra line * Remove unused comment Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-04-05 07:28:23 -05:00
func checkSeededPermissions(t *testing.T, permissions []resourcePermissionDTO) {
assert.Len(t, permissions, 3, "expected three assignments: user, team, builtin")
for _, p := range permissions {
if p.UserID != 0 {
assert.Equal(t, "View", p.Permission)
} else if p.TeamID != 0 {
assert.Equal(t, "Edit", p.Permission)
} else {
assert.Equal(t, "Edit", p.Permission)
}
}
}
Access control: Support uids for resource permissions (#45226) * add middleware to solve uid -> id for requests
2022-02-10 10:47:48 -06:00
func seedPermissions(t *testing.T, resourceID string, sql *sqlstore.SQLStore, service *Service) {
t.Helper()
// seed team 1 with "Edit" permission on dashboard 1
Chore: Move team store implementation to a separate package (#55514) * Chore: move team store implementation to a separate package * trying to fix more tests * fix tests in service accounts and access control * fix common tests * restore commented out test * add todos
2022-09-22 12:16:21 -05:00
teamSvc := teamimpl.ProvideService(sql, sql.Cfg)
team, err := teamSvc.CreateTeam("test", "test@test.com", 1)
Access control: Support uids for resource permissions (#45226) * add middleware to solve uid -> id for requests
2022-02-10 10:47:48 -06:00
require.NoError(t, err)
Chore: Move team models to models pkg (#61262) * Chore: Move team models to models pkg * Fix ACL tests * More ACL tests * Change Id to ID in conflict user command test * Remove team from models * Fix ac test lint
2023-01-11 07:20:09 -06:00
_, err = service.SetTeamPermission(context.Background(), team.OrgID, team.ID, resourceID, "Edit")
Access control: Support uids for resource permissions (#45226) * add middleware to solve uid -> id for requests
2022-02-10 10:47:48 -06:00
require.NoError(t, err)
// seed user 1 with "View" permission on dashboard 1
chore: remove CreateUser from sqlstore & replace with userService.CreateUserForTests (#59910)
2022-12-07 10:03:22 -06:00
orgSvc, err := orgimpl.ProvideService(sql, sql.Cfg, quotatest.New(false, nil))
require.NoError(t, err)
usrSvc, err := userimpl.ProvideService(sql, orgSvc, sql.Cfg, nil, nil, &quotatest.FakeQuotaService{})
require.NoError(t, err)
u, err := usrSvc.Create(context.Background(), &user.CreateUserCommand{Login: "test", OrgID: 1})
Access control: Support uids for resource permissions (#45226) * add middleware to solve uid -> id for requests
2022-02-10 10:47:48 -06:00
require.NoError(t, err)
Split Create User (#50502) * Split Create User * Use new create user and User from package user * Add service to wire * Making create user work * Replace user from user pkg * One more * Move Insert to orguser Service/Store * Remove unnecessary conversion * Cleaunp * Fix Get User and add fakes * Fixing get org id for user logic, adding fakes and other adjustments * Add some tests for ourguser service and store * Fix insert org logic * Add comment about deprecation * Fix after merge with main * Move orguser service/store to org service/store * Remove orguser from wire * Unimplement new Create user and use User from pkg user * Fix wire generation * Fix lint * Fix lint - use only User and CrateUserCommand from user pkg * Remove User and CreateUserCommand from models * Fix lint 2
2022-06-28 07:32:25 -05:00
_, err = service.SetUserPermission(context.Background(), u.OrgID, accesscontrol.User{ID: u.ID}, resourceID, "View")
Access control: Support uids for resource permissions (#45226) * add middleware to solve uid -> id for requests
2022-02-10 10:47:48 -06:00
require.NoError(t, err)
// seed built in role Admin with "Edit" permission on dashboard 1
_, err = service.SetBuiltInRolePermission(context.Background(), 1, "Admin", resourceID, "Edit")
require.NoError(t, err)
}
Reference in New Issue Copy Permalink