grafana/pkg/services/accesscontrol/roles_test.go

package accesscontrol

import (
	"sort"
	"strings"
	"testing"

	"github.com/stretchr/testify/assert"
)

func TestPredefinedRoles(t *testing.T) {
	for name, role := range FixedRoles {
		assert.Truef(t,
			strings.HasPrefix(name, "fixed:"),
			"expected all fixed roles to be prefixed by 'fixed:', found role '%s'", name,
		)
		assert.Equal(t, name, role.Name)
		assert.NotZero(t, role.Version)
	}
}

func TestPredefinedRoleGrants(t *testing.T) {
	for _, grants := range FixedRoleGrants {
		// Check grants list is sorted
		assert.True(t,
			sort.SliceIsSorted(grants, func(i, j int) bool {
				return grants[i] < grants[j]
			}),
			"require role grant lists to be sorted",
		)

		// Check all granted roles have been registered
		for _, r := range grants {
			assert.Contains(t, FixedRoles, r)
		}
	}
}

func TestConcatPermissions(t *testing.T) {
	perms1 := []Permission{
		{
			Action: "test",
			Scope:  "test:*",
		},
		{
			Action: "test1",
			Scope:  "test1:*",
		},
	}
	perms2 := []Permission{
		{
			Action: "test1",
			Scope:  "*",
		},
	}

	expected := []Permission{
		{
			Action: "test",
			Scope:  "test:*",
		},
		{
			Action: "test1",
			Scope:  "test1:*",
		},
		{
			Action: "test1",
			Scope:  "*",
		},
	}

	perms := ConcatPermissions(perms1, perms2)
	assert.ElementsMatch(t, perms, expected)
}
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-04-14 09:31:27 -05:00			`package accesscontrol`

			`import (`
			`"sort"`
			`"strings"`
			`"testing"`

			`"github.com/stretchr/testify/assert"`
			`)`

			`func TestPredefinedRoles(t *testing.T) {`
AccessControl: Implement a way to register fixed roles (#35641) * AccessControl: Implement a way to register fixed roles * Add context to register func * Use FixedRoleGrantsMap instead of FixedRoleGrants * Removed FixedRoles map to sync.map * Wrote test for accesscontrol and provisioning * Use mutexes+map instead of sync maps * Create a sync map struct out of a Map and a Mutex * Create a sync map struct for grants as well * Validate builtin roles * Make validation public to access control * Handle errors consistently with what seeder does * Keep errors consistant amongst accesscontrol impl * Handle registration error * Reverse the registration direction thanks to a RoleRegistrant interface * Removed sync map in favor for simple maps since registration now happens during init * Work on the Registrant interface * Remove the Register Role from the interface to have services returning their registrations instead * Adding context to RegisterRegistrantsRoles and update descriptions * little bit of cosmetics * Making sure provisioning is ran after role registration * test for role registration * Change the accesscontrol interface to use a variadic * check if accesscontrol is enabled * Add a new test for RegisterFixedRoles and fix assign which was buggy * Moved RegistrationList def to roles.go * Change provisioning role's description * Better comment on RegisterFixedRoles * Correct comment on ValidateFixedRole * Simplify helper func to removeRoleHelper * Add log to saveFixedRole and assignFixedRole Co-authored-by: Vardan Torosyan <vardants@gmail.com> Co-authored-by: Jeremy Price <Jeremy.price@grafana.com> 2021-07-30 02:52:09 -05:00			`for name, role := range FixedRoles {`
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-04-14 09:31:27 -05:00			`assert.Truef(t,`
Access control: Rename predefined roles to fixed roles (code) (#34469) * s/grafana:roles:/fixed:/ * Update free text references to predefined roles 2021-05-25 08:36:01 -05:00			`strings.HasPrefix(name, "fixed:"),`
			`"expected all fixed roles to be prefixed by 'fixed:', found role '%s'", name,`
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-04-14 09:31:27 -05:00			`)`
AccessControl: Implement a way to register fixed roles (#35641) * AccessControl: Implement a way to register fixed roles * Add context to register func * Use FixedRoleGrantsMap instead of FixedRoleGrants * Removed FixedRoles map to sync.map * Wrote test for accesscontrol and provisioning * Use mutexes+map instead of sync maps * Create a sync map struct out of a Map and a Mutex * Create a sync map struct for grants as well * Validate builtin roles * Make validation public to access control * Handle errors consistently with what seeder does * Keep errors consistant amongst accesscontrol impl * Handle registration error * Reverse the registration direction thanks to a RoleRegistrant interface * Removed sync map in favor for simple maps since registration now happens during init * Work on the Registrant interface * Remove the Register Role from the interface to have services returning their registrations instead * Adding context to RegisterRegistrantsRoles and update descriptions * little bit of cosmetics * Making sure provisioning is ran after role registration * test for role registration * Change the accesscontrol interface to use a variadic * check if accesscontrol is enabled * Add a new test for RegisterFixedRoles and fix assign which was buggy * Moved RegistrationList def to roles.go * Change provisioning role's description * Better comment on RegisterFixedRoles * Correct comment on ValidateFixedRole * Simplify helper func to removeRoleHelper * Add log to saveFixedRole and assignFixedRole Co-authored-by: Vardan Torosyan <vardants@gmail.com> Co-authored-by: Jeremy Price <Jeremy.price@grafana.com> 2021-07-30 02:52:09 -05:00			`assert.Equal(t, name, role.Name)`
			`assert.NotZero(t, role.Version)`
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-04-14 09:31:27 -05:00			`}`
			`}`

			`func TestPredefinedRoleGrants(t *testing.T) {`
AccessControl: Implement a way to register fixed roles (#35641) * AccessControl: Implement a way to register fixed roles * Add context to register func * Use FixedRoleGrantsMap instead of FixedRoleGrants * Removed FixedRoles map to sync.map * Wrote test for accesscontrol and provisioning * Use mutexes+map instead of sync maps * Create a sync map struct out of a Map and a Mutex * Create a sync map struct for grants as well * Validate builtin roles * Make validation public to access control * Handle errors consistently with what seeder does * Keep errors consistant amongst accesscontrol impl * Handle registration error * Reverse the registration direction thanks to a RoleRegistrant interface * Removed sync map in favor for simple maps since registration now happens during init * Work on the Registrant interface * Remove the Register Role from the interface to have services returning their registrations instead * Adding context to RegisterRegistrantsRoles and update descriptions * little bit of cosmetics * Making sure provisioning is ran after role registration * test for role registration * Change the accesscontrol interface to use a variadic * check if accesscontrol is enabled * Add a new test for RegisterFixedRoles and fix assign which was buggy * Moved RegistrationList def to roles.go * Change provisioning role's description * Better comment on RegisterFixedRoles * Correct comment on ValidateFixedRole * Simplify helper func to removeRoleHelper * Add log to saveFixedRole and assignFixedRole Co-authored-by: Vardan Torosyan <vardants@gmail.com> Co-authored-by: Jeremy Price <Jeremy.price@grafana.com> 2021-07-30 02:52:09 -05:00			`for _, grants := range FixedRoleGrants {`
			`// Check grants list is sorted`
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-04-14 09:31:27 -05:00			`assert.True(t,`
AccessControl: Implement a way to register fixed roles (#35641) * AccessControl: Implement a way to register fixed roles * Add context to register func * Use FixedRoleGrantsMap instead of FixedRoleGrants * Removed FixedRoles map to sync.map * Wrote test for accesscontrol and provisioning * Use mutexes+map instead of sync maps * Create a sync map struct out of a Map and a Mutex * Create a sync map struct for grants as well * Validate builtin roles * Make validation public to access control * Handle errors consistently with what seeder does * Keep errors consistant amongst accesscontrol impl * Handle registration error * Reverse the registration direction thanks to a RoleRegistrant interface * Removed sync map in favor for simple maps since registration now happens during init * Work on the Registrant interface * Remove the Register Role from the interface to have services returning their registrations instead * Adding context to RegisterRegistrantsRoles and update descriptions * little bit of cosmetics * Making sure provisioning is ran after role registration * test for role registration * Change the accesscontrol interface to use a variadic * check if accesscontrol is enabled * Add a new test for RegisterFixedRoles and fix assign which was buggy * Moved RegistrationList def to roles.go * Change provisioning role's description * Better comment on RegisterFixedRoles * Correct comment on ValidateFixedRole * Simplify helper func to removeRoleHelper * Add log to saveFixedRole and assignFixedRole Co-authored-by: Vardan Torosyan <vardants@gmail.com> Co-authored-by: Jeremy Price <Jeremy.price@grafana.com> 2021-07-30 02:52:09 -05:00			`sort.SliceIsSorted(grants, func(i, j int) bool {`
			`return grants[i] < grants[j]`
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-04-14 09:31:27 -05:00			`}),`
			`"require role grant lists to be sorted",`
			`)`
AccessControl: Implement a way to register fixed roles (#35641) * AccessControl: Implement a way to register fixed roles * Add context to register func * Use FixedRoleGrantsMap instead of FixedRoleGrants * Removed FixedRoles map to sync.map * Wrote test for accesscontrol and provisioning * Use mutexes+map instead of sync maps * Create a sync map struct out of a Map and a Mutex * Create a sync map struct for grants as well * Validate builtin roles * Make validation public to access control * Handle errors consistently with what seeder does * Keep errors consistant amongst accesscontrol impl * Handle registration error * Reverse the registration direction thanks to a RoleRegistrant interface * Removed sync map in favor for simple maps since registration now happens during init * Work on the Registrant interface * Remove the Register Role from the interface to have services returning their registrations instead * Adding context to RegisterRegistrantsRoles and update descriptions * little bit of cosmetics * Making sure provisioning is ran after role registration * test for role registration * Change the accesscontrol interface to use a variadic * check if accesscontrol is enabled * Add a new test for RegisterFixedRoles and fix assign which was buggy * Moved RegistrationList def to roles.go * Change provisioning role's description * Better comment on RegisterFixedRoles * Correct comment on ValidateFixedRole * Simplify helper func to removeRoleHelper * Add log to saveFixedRole and assignFixedRole Co-authored-by: Vardan Torosyan <vardants@gmail.com> Co-authored-by: Jeremy Price <Jeremy.price@grafana.com> 2021-07-30 02:52:09 -05:00
			`// Check all granted roles have been registered`
			`for _, r := range grants {`
Access control: Rename predefined roles to fixed roles (code) (#34469) * s/grafana:roles:/fixed:/ * Update free text references to predefined roles 2021-05-25 08:36:01 -05:00			`assert.Contains(t, FixedRoles, r)`
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-04-14 09:31:27 -05:00			`}`
			`}`
			`}`
Access control: Combine permissions through predefined roles (#33275) * Access control: Combine permissions through predefined roles When certain permission is required for built-in role, instead of adding those permissions to the existing predefined roles, we need to have granular predefined roles with those permissions. * Better copy... * Adding and fixing tests * Remove duplicated permission 2021-04-23 08:44:42 -05:00
Access control: Update evaluator to authorize when at least one of the scopes is a match (#33393) 2021-04-27 11:22:18 -05:00			`func TestConcatPermissions(t *testing.T) {`
Access control: Combine permissions through predefined roles (#33275) * Access control: Combine permissions through predefined roles When certain permission is required for built-in role, instead of adding those permissions to the existing predefined roles, we need to have granular predefined roles with those permissions. * Better copy... * Adding and fixing tests * Remove duplicated permission 2021-04-23 08:44:42 -05:00			`perms1 := []Permission{`
			`{`
			`Action: "test",`
			`Scope: "test:*",`
			`},`
			`{`
			`Action: "test1",`
			`Scope: "test1:*",`
			`},`
			`}`
			`perms2 := []Permission{`
			`{`
			`Action: "test1",`
			`Scope: "*",`
			`},`
			`}`

			`expected := []Permission{`
			`{`
			`Action: "test",`
			`Scope: "test:*",`
			`},`
			`{`
			`Action: "test1",`
			`Scope: "test1:*",`
			`},`
			`{`
			`Action: "test1",`
			`Scope: "*",`
			`},`
			`}`

Access control: Update evaluator to authorize when at least one of the scopes is a match (#33393) 2021-04-27 11:22:18 -05:00			`perms := ConcatPermissions(perms1, perms2)`
Access control: Combine permissions through predefined roles (#33275) * Access control: Combine permissions through predefined roles When certain permission is required for built-in role, instead of adding those permissions to the existing predefined roles, we need to have granular predefined roles with those permissions. * Better copy... * Adding and fixing tests * Remove duplicated permission 2021-04-23 08:44:42 -05:00			`assert.ElementsMatch(t, perms, expected)`
			`}`