IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
edf1775d4963d8f62a8c4ab2b2e56d40d0b2b804
grafana/pkg/services/oauthserver/external_service_test.go

211 lines
6.6 KiB
Go
Raw Normal View History

AuthN: Embed an OAuth2 server for external service authentication (#68086) * Moving POC files from #64283 to a new branch Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Adding missing permission definition Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Force the service instantiation while client isn't merged Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Merge conf with main Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Leave go-sqlite3 version unchanged Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * tidy Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * User SearchUserPermissions instead of SearchUsersPermissions * Replace DummyKeyService with signingkeys.Service * Use user:id:<id> as subject * Fix introspection endpoint issue * Add X-Grafana-Org-Id to get_resources.bash script * Regenerate toggles_gen.go * Fix basic.go * Add GetExternalService tests * Add GetPublicKeyScopes tests * Add GetScopesOnUser tests * Add GetScopes tests * Add ParsePublicKeyPem tests * Add database test for GetByName * re-add comments * client tests added * Add GetExternalServicePublicKey tests * Add other test case to GetExternalServicePublicKey * client_credentials grant test * Add test to jwtbearer grant * Test Comments * Add handleKeyOptions tests * Add RSA key generation test * Add ECDSA by default to EmbeddedSigningKeysService * Clean up org id scope and audiences * Add audiences to the DB * Fix check on Audience * Fix double import * Add AC Store mock and align oauthserver tests * Fix test after rebase * Adding missing store function to mock * Fix double import * Add CODEOWNER * Fix some linting errors * errors don't need type assertion * Typo codeowners * use mockery for oauthserver store * Add feature toggle check * Fix db tests to handle the feature flag * Adding call to DeleteExternalServiceRole * Fix flaky test * Re-organize routes comments and plan futur work * Add client_id check to Extended JWT client * Clean up * Fix * Remove background service registry instantiation of the OAuth server * Comment cleanup * Remove unused client function * Update go.mod to use the latest ory/fosite commit * Remove oauth2_server related configs from defaults.ini * Add audiences to DTO * Fix flaky test * Remove registration endpoint and demo scripts. Document code * Rename packages * Remove the OAuthService vs OAuthServer confusion * fix incorrect import ext_jwt_test * Comments and order * Comment basic auth * Remove unecessary todo * Clean api * Moving ParsePublicKeyPem to utils * re ordering functions in service.go * Fix comment * comment on the redirect uri * Add RBAC actions, not only scopes * Fix tests * re-import featuremgmt in migrations * Fix wire * Fix scopes in test * Fix flaky test * Remove todo, the intersection should always return the minimal set * Remove unecessary check from intersection code * Allow env overrides on settings * remove the term app name * Remove app keyword for client instead and use Name instead of ExternalServiceName * LogID remove ExternalService ref * Use Name instead of ExternalServiceName * Imports order * Inline * Using ExternalService and ExternalServiceDTO * Remove xorm tags * comment * Rename client files * client -> external service * comments * Move test to correct package * slimmer test * cachedUser -> cachedExternalService * Fix aggregate store test * PluginAuthSession -> AuthSession * Revert the nil cehcks * Remove unecessary extra * Removing custom session * fix typo in test * Use constants for tests * Simplify HandleToken tests * Refactor the HandleTokenRequest test * test message * Review test * Prevent flacky test on client as well * go imports * Revert changes from 526e48ad4550fed7e2b753b9d0a0cc6097155f58 * AuthN: Change the External Service registration form (#68649) * AuthN: change the External Service registration form * Gen default permissions * Change demo script registration form * Remove unecessary comment * Nit. * Reduce cyclomatic complexity * Remove demo_scripts * Handle case with no service account * Comments * Group key gen * Nit. * Check the SaveExternalService test * Rename cachedUser to cachedClient in test * One more test case to database test * Comments * Remove last org scope Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Update pkg/services/oauthserver/utils/utils_test.go * Update pkg/services/sqlstore/migrations/oauthserver/migrations.go Remove comment * Update pkg/setting/setting.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> --------- Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
2023-05-25 15:38:30 +02:00
package oauthserver
import (
"context"
"testing"
"github.com/stretchr/testify/require"
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/accesscontrol/acimpl"
"github.com/grafana/grafana/pkg/services/dashboards"
"github.com/grafana/grafana/pkg/services/user"
"github.com/grafana/grafana/pkg/setting"
)
func setupTestEnv(t *testing.T) *ExternalService {
t.Helper()
client := &ExternalService{
Name: "my-ext-service",
ClientID: "RANDOMID",
Secret: "RANDOMSECRET",
GrantTypes: "client_credentials,urn:ietf:params:oauth:grant-type:jwt-bearer",
ServiceAccountID: 2,
SelfPermissions: []ac.Permission{
{Action: ac.ActionUsersImpersonate, Scope: ac.ScopeUsersAll},
},
SignedInUser: &user.SignedInUser{
UserID: 2,
OrgID: 1,
},
}
return client
}
func TestExternalService_GetScopesOnUser(t *testing.T) {
testCases := []struct {
name string
impersonatePermissions []ac.Permission
initTestEnv func(*ExternalService)
expectedScopes []string
}{
{
name: "should return nil when the service account has no impersonate permissions",
expectedScopes: nil,
},
{
name: "should return the 'profile', 'email' and associated RBAC action",
initTestEnv: func(c *ExternalService) {
c.SignedInUser.Permissions = map[int64]map[string][]string{
1: {
ac.ActionUsersImpersonate: {ac.ScopeUsersAll},
},
}
c.ImpersonatePermissions = []ac.Permission{
{Action: ac.ActionUsersRead, Scope: ScopeGlobalUsersSelf},
}
},
expectedScopes: []string{"profile", "email", ac.ActionUsersRead},
},
{
name: "should return 'entitlements' and associated RBAC action scopes",
initTestEnv: func(c *ExternalService) {
c.SignedInUser.Permissions = map[int64]map[string][]string{
1: {
ac.ActionUsersImpersonate: {ac.ScopeUsersAll},
},
}
c.ImpersonatePermissions = []ac.Permission{
{Action: ac.ActionUsersPermissionsRead, Scope: ScopeUsersSelf},
}
},
expectedScopes: []string{"entitlements", ac.ActionUsersPermissionsRead},
},
{
name: "should return 'groups' and associated RBAC action scopes",
initTestEnv: func(c *ExternalService) {
c.SignedInUser.Permissions = map[int64]map[string][]string{
1: {
ac.ActionUsersImpersonate: {ac.ScopeUsersAll},
},
}
c.ImpersonatePermissions = []ac.Permission{
{Action: ac.ActionTeamsRead, Scope: ScopeTeamsSelf},
}
},
expectedScopes: []string{"groups", ac.ActionTeamsRead},
},
{
name: "should return all scopes",
initTestEnv: func(c *ExternalService) {
c.SignedInUser.Permissions = map[int64]map[string][]string{
1: {
ac.ActionUsersImpersonate: {ac.ScopeUsersAll},
},
}
c.ImpersonatePermissions = []ac.Permission{
{Action: ac.ActionUsersRead, Scope: ScopeGlobalUsersSelf},
{Action: ac.ActionUsersPermissionsRead, Scope: ScopeUsersSelf},
{Action: ac.ActionTeamsRead, Scope: ScopeTeamsSelf},
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeDashboardsAll},
}
},
expectedScopes: []string{"profile", "email", ac.ActionUsersRead,
"entitlements", ac.ActionUsersPermissionsRead,
"groups", ac.ActionTeamsRead,
"dashboards:read"},
},
{
name: "should return stored scopes when the client's impersonate scopes has already been set",
initTestEnv: func(c *ExternalService) {
c.SignedInUser.Permissions = map[int64]map[string][]string{
1: {
ac.ActionUsersImpersonate: {ac.ScopeUsersAll},
},
}
c.ImpersonateScopes = []string{"dashboard:create", "profile", "email", "entitlements", "groups"}
},
expectedScopes: []string{"profile", "email", "entitlements", "groups", "dashboard:create"},
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
c := setupTestEnv(t)
if tc.initTestEnv != nil {
tc.initTestEnv(c)
}
scopes := c.GetScopesOnUser(context.Background(), acimpl.ProvideAccessControl(setting.NewCfg()), 3)
require.ElementsMatch(t, tc.expectedScopes, scopes)
})
}
}
func TestExternalService_GetScopes(t *testing.T) {
testCases := []struct {
name string
impersonatePermissions []ac.Permission
initTestEnv func(*ExternalService)
expectedScopes []string
}{
{
name: "should return default scopes when the signed in user is nil",
initTestEnv: func(c *ExternalService) {
c.SignedInUser = nil
},
expectedScopes: []string{"profile", "email", "entitlements", "groups"},
},
{
name: "should return default scopes when the signed in user has no permissions",
initTestEnv: func(c *ExternalService) {
c.SignedInUser.Permissions = map[int64]map[string][]string{}
},
expectedScopes: []string{"profile", "email", "entitlements", "groups"},
},
{
name: "should return additional scopes from signed in user's permissions",
initTestEnv: func(c *ExternalService) {
c.SignedInUser.Permissions = map[int64]map[string][]string{
1: {
dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll},
},
}
},
expectedScopes: []string{"profile", "email", "entitlements", "groups", "dashboards:read"},
},
{
name: "should return stored scopes when the client's scopes has already been set",
initTestEnv: func(c *ExternalService) {
c.Scopes = []string{"profile", "email", "entitlements", "groups"}
},
expectedScopes: []string{"profile", "email", "entitlements", "groups"},
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
c := setupTestEnv(t)
if tc.initTestEnv != nil {
tc.initTestEnv(c)
}
scopes := c.GetScopes()
require.ElementsMatch(t, tc.expectedScopes, scopes)
})
}
}
func TestExternalService_ToDTO(t *testing.T) {
client := &ExternalService{
ID: 1,
Name: "my-ext-service",
ClientID: "test",
Secret: "testsecret",
RedirectURI: "http://localhost:3000",
GrantTypes: "client_credentials,urn:ietf:params:oauth:grant-type:jwt-bearer",
Audiences: "https://example.org,https://second.example.org",
PublicPem: []byte("pem_encoded_public_key"),
}
dto := client.ToDTO()
require.Equal(t, client.ClientID, dto.ID)
require.Equal(t, client.Name, dto.Name)
require.Equal(t, client.RedirectURI, dto.RedirectURI)
require.Equal(t, client.GrantTypes, dto.GrantTypes)
require.Equal(t, client.Audiences, dto.Audiences)
require.Equal(t, client.PublicPem, []byte(dto.KeyResult.PublicPem))
require.Empty(t, dto.KeyResult.PrivatePem)
require.Empty(t, dto.KeyResult.URL)
require.False(t, dto.KeyResult.Generated)
require.Equal(t, client.Secret, dto.Secret)
}
Reference in New Issue Copy Permalink