grafana/pkg/services/accesscontrol/scope_test.go

package accesscontrol

import (
	"context"
	"testing"

	"github.com/grafana/grafana/pkg/models"
	"github.com/stretchr/testify/assert"
)

var testUser = &models.SignedInUser{
	UserId:  2,
	OrgId:   3,
	OrgName: "TestOrg",
	OrgRole: models.ROLE_VIEWER,
	Login:   "testUser",
	Name:    "Test User",
	Email:   "testuser@example.org",
}

func TestResolveKeywordedScope(t *testing.T) {
	tests := []struct {
		name       string
		user       *models.SignedInUser
		permission Permission
		want       Permission
		wantErr    bool
	}{
		{
			name:       "no scope",
			user:       testUser,
			permission: Permission{Action: "users:read"},
			want:       Permission{Action: "users:read"},
			wantErr:    false,
		},
		{
			name:       "user if resolution",
			user:       testUser,
			permission: Permission{Action: "users:read", Scope: "users:self"},
			want:       Permission{Action: "users:read", Scope: "users:id:2"},
			wantErr:    false,
		},
	}
	for _, tt := range tests {
		var err error
		t.Run(tt.name, func(t *testing.T) {
			resolver := NewScopeResolver()
			scopeModifier := resolver.GetResolveKeywordScopeMutator(tt.user)
			tt.permission.Scope, err = scopeModifier(context.TODO(), tt.permission.Scope)
			if tt.wantErr {
				assert.Error(t, err, "expected an error during the resolution of the scope")
				return
			}
			assert.NoError(t, err)
			assert.EqualValues(t, tt.want, tt.permission, "permission did not match expected resolution")
		})
	}
}

func TestScopeResolver_ResolveAttribute(t *testing.T) {
	// Calls allow us to see how many times the fakeDataSourceResolution has been called
	calls := 0
	fakeDataSourceResolution := func(ctx context.Context, orgID int64, initialScope string) (string, error) {
		calls++
		if initialScope == "datasources:name:testds" {
			return Scope("datasources", "id", "1"), nil
		} else if initialScope == "datasources:name:testds2" {
			return Scope("datasources", "id", "2"), nil
		} else if initialScope == "datasources:name:test:ds4" {
			return Scope("datasources", "id", "4"), nil
		} else if initialScope == "datasources:name:testds5*" {
			return Scope("datasources", "id", "5"), nil
		} else {
			return "", models.ErrDataSourceNotFound
		}
	}

	tests := []struct {
		name          string
		orgID         int64
		evaluator     Evaluator
		wantEvaluator Evaluator
		wantCalls     int
		wantErr       error
	}{
		{
			name:          "should work with scope less permissions",
			evaluator:     EvalPermission("datasources:read"),
			wantEvaluator: EvalPermission("datasources:read"),
			wantCalls:     0,
		},
		{
			name:      "should handle an error",
			orgID:     1,
			evaluator: EvalPermission("datasources:read", Scope("datasources", "name", "testds3")),
			wantErr:   models.ErrDataSourceNotFound,
			wantCalls: 1,
		},
		{
			name:          "should resolve a scope",
			orgID:         1,
			evaluator:     EvalPermission("datasources:read", Scope("datasources", "name", "testds")),
			wantEvaluator: EvalPermission("datasources:read", Scope("datasources", "id", "1")),
			wantCalls:     1,
		},
		{
			name:  "should resolve nested scopes with cache",
			orgID: 1,
			evaluator: EvalAll(
				EvalPermission("datasources:read", Scope("datasources", "name", "testds")),
				EvalAny(
					EvalPermission("datasources:read", Scope("datasources", "name", "testds")),
					EvalPermission("datasources:read", Scope("datasources", "name", "testds2")),
				),
			),
			wantEvaluator: EvalAll(
				EvalPermission("datasources:read", Scope("datasources", "id", "1")),
				EvalAny(
					EvalPermission("datasources:read", Scope("datasources", "id", "1")),
					EvalPermission("datasources:read", Scope("datasources", "id", "2")),
				),
			),
			wantCalls: 2,
		},
		{
			name:          "should resolve name with colon",
			orgID:         1,
			evaluator:     EvalPermission("datasources:read", Scope("datasources", "name", "test:ds4")),
			wantEvaluator: EvalPermission("datasources:read", Scope("datasources", "id", "4")),
			wantCalls:     1,
		},
		{
			name:          "should resolve names with '*'",
			orgID:         1,
			evaluator:     EvalPermission("datasources:read", Scope("datasources", "name", "testds5*")),
			wantEvaluator: EvalPermission("datasources:read", Scope("datasources", "id", "5")),
			wantCalls:     1,
		},
	}
	for _, tt := range tests {
		resolver := NewScopeResolver()

		// Reset calls counter
		calls = 0
		// Register a resolution method
		resolver.AddAttributeResolver("datasources:name:", fakeDataSourceResolution)

		// Test
		scopeModifier := resolver.GetResolveAttributeScopeMutator(tt.orgID)
		resolvedEvaluator, err := tt.evaluator.MutateScopes(context.TODO(), scopeModifier)
		if tt.wantErr != nil {
			assert.ErrorAs(t, err, &tt.wantErr, "expected an error during the resolution of the scope")
			return
		}
		assert.NoError(t, err)
		assert.EqualValues(t, tt.wantEvaluator, resolvedEvaluator, "permission did not match expected resolution")

		assert.Equal(t, tt.wantCalls, calls, "cache has not been used")
	}
}

func Test_scopePrefix(t *testing.T) {
	tests := []struct {
		name  string
		scope string
		want  string
	}{
		{
			name:  "empty",
			scope: "",
			want:  "",
		},
		{
			name:  "minimal",
			scope: ":",
			want:  ":",
		},
		{
			name:  "datasources",
			scope: "datasources:",
			want:  "datasources:",
		},
		{
			name:  "datasources name",
			scope: "datasources:name:testds",
			want:  "datasources:name:",
		},
		{
			name:  "datasources with colons in name",
			scope: "datasources:name:test:a::ds",
			want:  "datasources:name:",
		},
		{
			name:  "prefix",
			scope: "datasources:name:",
			want:  "datasources:name:",
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			prefix := ScopePrefix(tt.scope)

			assert.Equal(t, tt.want, prefix)
		})
	}
}
AccessControl: keyword scope resolution (#40229) 2021-10-19 07:40:21 -05:00			`package accesscontrol`

			`import (`
AccessControl: Resolve `attribute` based scopes to `id` based scopes (#40742) * AccessControl: POC scope attribute resolution Refactor based on ScopeMutators test errors and calls to cache Add comments to tests Rename logger Create keywordMutator only once * AccessControl: Add AttributeScopeResolver registration Co-authored-by: gamab <gabriel.mabille@grafana.com> * AccessControl: Add AttributeScopeResolver to datasources Co-authored-by: gamab <gabriel.mabille@grafana.com> * Test evaluation with translation * fix imports * AccessControl: Test attribute resolver * Fix trailing white space * Make ScopeResolver public for enterprise redefine * Handle wildcard Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-01-18 10:34:35 -06:00			`"context"`
AccessControl: keyword scope resolution (#40229) 2021-10-19 07:40:21 -05:00			`"testing"`

			`"github.com/grafana/grafana/pkg/models"`
			`"github.com/stretchr/testify/assert"`
			`)`

			`var testUser = &models.SignedInUser{`
			`UserId: 2,`
			`OrgId: 3,`
			`OrgName: "TestOrg",`
			`OrgRole: models.ROLE_VIEWER,`
			`Login: "testUser",`
			`Name: "Test User",`
			`Email: "testuser@example.org",`
			`}`

			`func TestResolveKeywordedScope(t *testing.T) {`
			`tests := []struct {`
			`name string`
			`user *models.SignedInUser`
			`permission Permission`
AccessControl: Resolve `attribute` based scopes to `id` based scopes (#40742) * AccessControl: POC scope attribute resolution Refactor based on ScopeMutators test errors and calls to cache Add comments to tests Rename logger Create keywordMutator only once * AccessControl: Add AttributeScopeResolver registration Co-authored-by: gamab <gabriel.mabille@grafana.com> * AccessControl: Add AttributeScopeResolver to datasources Co-authored-by: gamab <gabriel.mabille@grafana.com> * Test evaluation with translation * fix imports * AccessControl: Test attribute resolver * Fix trailing white space * Make ScopeResolver public for enterprise redefine * Handle wildcard Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-01-18 10:34:35 -06:00			`want Permission`
AccessControl: keyword scope resolution (#40229) 2021-10-19 07:40:21 -05:00			`wantErr bool`
			`}{`
			`{`
			`name: "no scope",`
			`user: testUser,`
			`permission: Permission{Action: "users:read"},`
AccessControl: Resolve `attribute` based scopes to `id` based scopes (#40742) * AccessControl: POC scope attribute resolution Refactor based on ScopeMutators test errors and calls to cache Add comments to tests Rename logger Create keywordMutator only once * AccessControl: Add AttributeScopeResolver registration Co-authored-by: gamab <gabriel.mabille@grafana.com> * AccessControl: Add AttributeScopeResolver to datasources Co-authored-by: gamab <gabriel.mabille@grafana.com> * Test evaluation with translation * fix imports * AccessControl: Test attribute resolver * Fix trailing white space * Make ScopeResolver public for enterprise redefine * Handle wildcard Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-01-18 10:34:35 -06:00			`want: Permission{Action: "users:read"},`
AccessControl: keyword scope resolution (#40229) 2021-10-19 07:40:21 -05:00			`wantErr: false,`
			`},`
			`{`
			`name: "user if resolution",`
			`user: testUser,`
			`permission: Permission{Action: "users:read", Scope: "users:self"},`
AccessControl: Resolve `attribute` based scopes to `id` based scopes (#40742) * AccessControl: POC scope attribute resolution Refactor based on ScopeMutators test errors and calls to cache Add comments to tests Rename logger Create keywordMutator only once * AccessControl: Add AttributeScopeResolver registration Co-authored-by: gamab <gabriel.mabille@grafana.com> * AccessControl: Add AttributeScopeResolver to datasources Co-authored-by: gamab <gabriel.mabille@grafana.com> * Test evaluation with translation * fix imports * AccessControl: Test attribute resolver * Fix trailing white space * Make ScopeResolver public for enterprise redefine * Handle wildcard Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-01-18 10:34:35 -06:00			`want: Permission{Action: "users:read", Scope: "users:id:2"},`
AccessControl: keyword scope resolution (#40229) 2021-10-19 07:40:21 -05:00			`wantErr: false,`
			`},`
			`}`
			`for _, tt := range tests {`
AccessControl: Resolve `attribute` based scopes to `id` based scopes (#40742) * AccessControl: POC scope attribute resolution Refactor based on ScopeMutators test errors and calls to cache Add comments to tests Rename logger Create keywordMutator only once * AccessControl: Add AttributeScopeResolver registration Co-authored-by: gamab <gabriel.mabille@grafana.com> * AccessControl: Add AttributeScopeResolver to datasources Co-authored-by: gamab <gabriel.mabille@grafana.com> * Test evaluation with translation * fix imports * AccessControl: Test attribute resolver * Fix trailing white space * Make ScopeResolver public for enterprise redefine * Handle wildcard Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-01-18 10:34:35 -06:00			`var err error`
AccessControl: keyword scope resolution (#40229) 2021-10-19 07:40:21 -05:00			`t.Run(tt.name, func(t *testing.T) {`
			`resolver := NewScopeResolver()`
AccessControl: Resolve `attribute` based scopes to `id` based scopes (#40742) * AccessControl: POC scope attribute resolution Refactor based on ScopeMutators test errors and calls to cache Add comments to tests Rename logger Create keywordMutator only once * AccessControl: Add AttributeScopeResolver registration Co-authored-by: gamab <gabriel.mabille@grafana.com> * AccessControl: Add AttributeScopeResolver to datasources Co-authored-by: gamab <gabriel.mabille@grafana.com> * Test evaluation with translation * fix imports * AccessControl: Test attribute resolver * Fix trailing white space * Make ScopeResolver public for enterprise redefine * Handle wildcard Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-01-18 10:34:35 -06:00			`scopeModifier := resolver.GetResolveKeywordScopeMutator(tt.user)`
			`tt.permission.Scope, err = scopeModifier(context.TODO(), tt.permission.Scope)`
AccessControl: keyword scope resolution (#40229) 2021-10-19 07:40:21 -05:00			`if tt.wantErr {`
			`assert.Error(t, err, "expected an error during the resolution of the scope")`
			`return`
			`}`
			`assert.NoError(t, err)`
AccessControl: Resolve `attribute` based scopes to `id` based scopes (#40742) * AccessControl: POC scope attribute resolution Refactor based on ScopeMutators test errors and calls to cache Add comments to tests Rename logger Create keywordMutator only once * AccessControl: Add AttributeScopeResolver registration Co-authored-by: gamab <gabriel.mabille@grafana.com> * AccessControl: Add AttributeScopeResolver to datasources Co-authored-by: gamab <gabriel.mabille@grafana.com> * Test evaluation with translation * fix imports * AccessControl: Test attribute resolver * Fix trailing white space * Make ScopeResolver public for enterprise redefine * Handle wildcard Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-01-18 10:34:35 -06:00			`assert.EqualValues(t, tt.want, tt.permission, "permission did not match expected resolution")`
			`})`
			`}`
			`}`

			`func TestScopeResolver_ResolveAttribute(t *testing.T) {`
			`// Calls allow us to see how many times the fakeDataSourceResolution has been called`
			`calls := 0`
			`fakeDataSourceResolution := func(ctx context.Context, orgID int64, initialScope string) (string, error) {`
			`calls++`
			`if initialScope == "datasources:name:testds" {`
			`return Scope("datasources", "id", "1"), nil`
			`} else if initialScope == "datasources:name:testds2" {`
			`return Scope("datasources", "id", "2"), nil`
AccessControl: Handle ':' in attribute resolution (#46742) * AccessControl: Handle ':' in attribute resolution * Simplify based on assumption that prefixes will have maximum 2 parts 2022-03-23 02:48:32 -05:00			`} else if initialScope == "datasources:name:test:ds4" {`
			`return Scope("datasources", "id", "4"), nil`
			`} else if initialScope == "datasources:name:testds5*" {`
			`return Scope("datasources", "id", "5"), nil`
AccessControl: Resolve `attribute` based scopes to `id` based scopes (#40742) * AccessControl: POC scope attribute resolution Refactor based on ScopeMutators test errors and calls to cache Add comments to tests Rename logger Create keywordMutator only once * AccessControl: Add AttributeScopeResolver registration Co-authored-by: gamab <gabriel.mabille@grafana.com> * AccessControl: Add AttributeScopeResolver to datasources Co-authored-by: gamab <gabriel.mabille@grafana.com> * Test evaluation with translation * fix imports * AccessControl: Test attribute resolver * Fix trailing white space * Make ScopeResolver public for enterprise redefine * Handle wildcard Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-01-18 10:34:35 -06:00			`} else {`
			`return "", models.ErrDataSourceNotFound`
			`}`
			`}`

			`tests := []struct {`
			`name string`
			`orgID int64`
			`evaluator Evaluator`
			`wantEvaluator Evaluator`
			`wantCalls int`
			`wantErr error`
			`}{`
			`{`
			`name: "should work with scope less permissions",`
			`evaluator: EvalPermission("datasources:read"),`
			`wantEvaluator: EvalPermission("datasources:read"),`
			`wantCalls: 0,`
			`},`
			`{`
			`name: "should handle an error",`
			`orgID: 1,`
			`evaluator: EvalPermission("datasources:read", Scope("datasources", "name", "testds3")),`
			`wantErr: models.ErrDataSourceNotFound,`
			`wantCalls: 1,`
			`},`
			`{`
			`name: "should resolve a scope",`
			`orgID: 1,`
			`evaluator: EvalPermission("datasources:read", Scope("datasources", "name", "testds")),`
			`wantEvaluator: EvalPermission("datasources:read", Scope("datasources", "id", "1")),`
			`wantCalls: 1,`
			`},`
			`{`
			`name: "should resolve nested scopes with cache",`
			`orgID: 1,`
			`evaluator: EvalAll(`
			`EvalPermission("datasources:read", Scope("datasources", "name", "testds")),`
			`EvalAny(`
			`EvalPermission("datasources:read", Scope("datasources", "name", "testds")),`
			`EvalPermission("datasources:read", Scope("datasources", "name", "testds2")),`
			`),`
			`),`
			`wantEvaluator: EvalAll(`
			`EvalPermission("datasources:read", Scope("datasources", "id", "1")),`
			`EvalAny(`
			`EvalPermission("datasources:read", Scope("datasources", "id", "1")),`
			`EvalPermission("datasources:read", Scope("datasources", "id", "2")),`
			`),`
			`),`
			`wantCalls: 2,`
			`},`
AccessControl: Handle ':' in attribute resolution (#46742) * AccessControl: Handle ':' in attribute resolution * Simplify based on assumption that prefixes will have maximum 2 parts 2022-03-23 02:48:32 -05:00			`{`
			`name: "should resolve name with colon",`
			`orgID: 1,`
			`evaluator: EvalPermission("datasources:read", Scope("datasources", "name", "test:ds4")),`
			`wantEvaluator: EvalPermission("datasources:read", Scope("datasources", "id", "4")),`
			`wantCalls: 1,`
			`},`
			`{`
			`name: "should resolve names with '*'",`
			`orgID: 1,`
			`evaluator: EvalPermission("datasources:read", Scope("datasources", "name", "testds5*")),`
			`wantEvaluator: EvalPermission("datasources:read", Scope("datasources", "id", "5")),`
			`wantCalls: 1,`
			`},`
AccessControl: Resolve `attribute` based scopes to `id` based scopes (#40742) * AccessControl: POC scope attribute resolution Refactor based on ScopeMutators test errors and calls to cache Add comments to tests Rename logger Create keywordMutator only once * AccessControl: Add AttributeScopeResolver registration Co-authored-by: gamab <gabriel.mabille@grafana.com> * AccessControl: Add AttributeScopeResolver to datasources Co-authored-by: gamab <gabriel.mabille@grafana.com> * Test evaluation with translation * fix imports * AccessControl: Test attribute resolver * Fix trailing white space * Make ScopeResolver public for enterprise redefine * Handle wildcard Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-01-18 10:34:35 -06:00			`}`
			`for _, tt := range tests {`
			`resolver := NewScopeResolver()`

			`// Reset calls counter`
			`calls = 0`
			`// Register a resolution method`
			`resolver.AddAttributeResolver("datasources:name:", fakeDataSourceResolution)`

			`// Test`
			`scopeModifier := resolver.GetResolveAttributeScopeMutator(tt.orgID)`
			`resolvedEvaluator, err := tt.evaluator.MutateScopes(context.TODO(), scopeModifier)`
			`if tt.wantErr != nil {`
			`assert.ErrorAs(t, err, &tt.wantErr, "expected an error during the resolution of the scope")`
			`return`
			`}`
			`assert.NoError(t, err)`
			`assert.EqualValues(t, tt.wantEvaluator, resolvedEvaluator, "permission did not match expected resolution")`

			`assert.Equal(t, tt.wantCalls, calls, "cache has not been used")`
			`}`
			`}`

			`func Test_scopePrefix(t *testing.T) {`
			`tests := []struct {`
			`name string`
			`scope string`
			`want string`
			`}{`
			`{`
			`name: "empty",`
			`scope: "",`
			`want: "",`
			`},`
			`{`
			`name: "minimal",`
			`scope: ":",`
			`want: ":",`
			`},`
			`{`
			`name: "datasources",`
			`scope: "datasources:",`
			`want: "datasources:",`
			`},`
			`{`
			`name: "datasources name",`
			`scope: "datasources:name:testds",`
			`want: "datasources:name:",`
			`},`
AccessControl: Handle ':' in attribute resolution (#46742) * AccessControl: Handle ':' in attribute resolution * Simplify based on assumption that prefixes will have maximum 2 parts 2022-03-23 02:48:32 -05:00			`{`
			`name: "datasources with colons in name",`
			`scope: "datasources:name:test:a::ds",`
			`want: "datasources:name:",`
			`},`
			`{`
			`name: "prefix",`
			`scope: "datasources:name:",`
			`want: "datasources:name:",`
			`},`
AccessControl: Resolve `attribute` based scopes to `id` based scopes (#40742) * AccessControl: POC scope attribute resolution Refactor based on ScopeMutators test errors and calls to cache Add comments to tests Rename logger Create keywordMutator only once * AccessControl: Add AttributeScopeResolver registration Co-authored-by: gamab <gabriel.mabille@grafana.com> * AccessControl: Add AttributeScopeResolver to datasources Co-authored-by: gamab <gabriel.mabille@grafana.com> * Test evaluation with translation * fix imports * AccessControl: Test attribute resolver * Fix trailing white space * Make ScopeResolver public for enterprise redefine * Handle wildcard Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-01-18 10:34:35 -06:00			`}`
			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
Dashboard/Folder permission fix session (#47174) * Fix inherited scopes for dashboard to use folder uid * Add inherited evaluators * Slight modification of the commments * Add test for inheritance * Nit. * extract shared function from tests * Nit. Extra line * Remove unused comment Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: gamab <gabi.mabs@gmail.com> 2022-04-05 07:28:23 -05:00			`prefix := ScopePrefix(tt.scope)`
AccessControl: Resolve `attribute` based scopes to `id` based scopes (#40742) * AccessControl: POC scope attribute resolution Refactor based on ScopeMutators test errors and calls to cache Add comments to tests Rename logger Create keywordMutator only once * AccessControl: Add AttributeScopeResolver registration Co-authored-by: gamab <gabriel.mabille@grafana.com> * AccessControl: Add AttributeScopeResolver to datasources Co-authored-by: gamab <gabriel.mabille@grafana.com> * Test evaluation with translation * fix imports * AccessControl: Test attribute resolver * Fix trailing white space * Make ScopeResolver public for enterprise redefine * Handle wildcard Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-01-18 10:34:35 -06:00
			`assert.Equal(t, tt.want, prefix)`
AccessControl: keyword scope resolution (#40229) 2021-10-19 07:40:21 -05:00			`})`
			`}`
			`}`