package api
import (
"testing"
"github.com/grafana/grafana/pkg/api/dtos"
"github.com/grafana/grafana/pkg/bus"
"github.com/grafana/grafana/pkg/components/simplejson"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/guardian"
. "github.com/smartystreets/goconvey/convey"
)
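// TestDashboardPermissionApiEndpoint exercises the dashboard permission (ACL)
// endpoints, GET and POST on /api/dashboards/id/:id/permissions, against a
// stubbed bus and a mocked dashboard guardian.
//
// Cases and expected status codes:
//   - dashboard lookup returns models.ErrDashboardNotFound: 404 for GET and POST
//   - guardian reports CanAdminValue false: 403 for GET and POST, and the ACL
//     update handler on the bus must not have been invoked
//   - guardian allows admin and the pre-update check passes: 200 for GET
//     (five ACL entries returned) and 200 for POST
//   - pre-update check fails with ErrGuardianPermissionExists or
//     ErrGuardianOverride: 400 for POST
//
// Every case that installs a guardian mock registers the Reset that restores
// guardian.New immediately after installing it, so the restore does not depend
// on the rest of the set-up running to completion. A permissive mock
// (CanAdminValue: true) left in place would let later tests in the package
// pass their permission checks for the wrong reason.
func TestDashboardPermissionApiEndpoint(t *testing.T) {
	Convey("Dashboard permissions test", t, func() {
		Convey("Given dashboard not exists", func() {
			bus.AddHandler("test", func(query *models.GetDashboardQuery) error {
				return models.ErrDashboardNotFound
			})

			loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/1/permissions", "/api/dashboards/id/:id/permissions", models.ROLE_EDITOR, func(sc *scenarioContext) {
				callGetDashboardPermissions(sc)
				So(sc.resp.Code, ShouldEqual, 404)
			})

			cmd := dtos.UpdateDashboardAclCommand{
				Items: []dtos.DashboardAclUpdateItem{
					{UserId: 1000, Permission: models.PERMISSION_ADMIN},
				},
			}

			updateDashboardPermissionScenario("When calling POST on", "/api/dashboards/id/1/permissions", "/api/dashboards/id/:id/permissions", cmd, func(sc *scenarioContext) {
				callUpdateDashboardPermissions(sc)
				So(sc.resp.Code, ShouldEqual, 404)
			})
		})

		Convey("Given user has no admin permissions", func() {
			origNewGuardian := guardian.New
			guardian.MockDashboardGuardian(&guardian.FakeDashboardGuardian{CanAdminValue: false})
			// Restore the real guardian constructor; registered right after the
			// mock is installed so it cannot be skipped by a failure below.
			Reset(func() {
				guardian.New = origNewGuardian
			})

			getDashboardQueryResult := models.NewDashboard("Dash")
			bus.AddHandler("test", func(query *models.GetDashboardQuery) error {
				query.Result = getDashboardQueryResult
				return nil
			})

			loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/1/permissions", "/api/dashboards/id/:id/permissions", models.ROLE_EDITOR, func(sc *scenarioContext) {
				callGetDashboardPermissions(sc)
				So(sc.resp.Code, ShouldEqual, 403)
			})

			cmd := dtos.UpdateDashboardAclCommand{
				Items: []dtos.DashboardAclUpdateItem{
					{UserId: 1000, Permission: models.PERMISSION_ADMIN},
				},
			}

			updateDashboardPermissionScenario("When calling POST on", "/api/dashboards/id/1/permissions", "/api/dashboards/id/:id/permissions", cmd, func(sc *scenarioContext) {
				// The update handler is registered here instead of through
				// callUpdateDashboardPermissions so the test can observe it.
				// A 403 status alone would not catch an endpoint that writes
				// the ACL first and rejects the caller afterwards.
				aclWritten := false
				bus.AddHandler("test", func(update *models.UpdateDashboardAclCommand) error {
					aclWritten = true
					return nil
				})
				sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()

				So(sc.resp.Code, ShouldEqual, 403)
				So(aclWritten, ShouldEqual, false)
			})
		})

		Convey("Given user has admin permissions and permissions to update", func() {
			origNewGuardian := guardian.New
			guardian.MockDashboardGuardian(&guardian.FakeDashboardGuardian{
				CanAdminValue:                    true,
				CheckPermissionBeforeUpdateValue: true,
				GetAclValue: []*models.DashboardAclInfoDTO{
					{OrgId: 1, DashboardId: 1, UserId: 2, Permission: models.PERMISSION_VIEW},
					{OrgId: 1, DashboardId: 1, UserId: 3, Permission: models.PERMISSION_EDIT},
					{OrgId: 1, DashboardId: 1, UserId: 4, Permission: models.PERMISSION_ADMIN},
					{OrgId: 1, DashboardId: 1, TeamId: 1, Permission: models.PERMISSION_VIEW},
					{OrgId: 1, DashboardId: 1, TeamId: 2, Permission: models.PERMISSION_ADMIN},
				},
			})
			// This mock grants admin; restoring guardian.New keeps that grant
			// from leaking into other tests.
			Reset(func() {
				guardian.New = origNewGuardian
			})

			getDashboardQueryResult := models.NewDashboard("Dash")
			bus.AddHandler("test", func(query *models.GetDashboardQuery) error {
				query.Result = getDashboardQueryResult
				return nil
			})

			loggedInUserScenarioWithRole("When calling GET on", "GET", "/api/dashboards/id/1/permissions", "/api/dashboards/id/:id/permissions", models.ROLE_ADMIN, func(sc *scenarioContext) {
				callGetDashboardPermissions(sc)
				So(sc.resp.Code, ShouldEqual, 200)

				respJSON, err := simplejson.NewJson(sc.resp.Body.Bytes())
				So(err, ShouldBeNil)
				// One response entry per ACL row returned by the mocked guardian.
				So(len(respJSON.MustArray()), ShouldEqual, 5)
				So(respJSON.GetIndex(0).Get("userId").MustInt(), ShouldEqual, 2)
				So(respJSON.GetIndex(0).Get("permission").MustInt(), ShouldEqual, models.PERMISSION_VIEW)
			})

			cmd := dtos.UpdateDashboardAclCommand{
				Items: []dtos.DashboardAclUpdateItem{
					{UserId: 1000, Permission: models.PERMISSION_ADMIN},
				},
			}

			updateDashboardPermissionScenario("When calling POST on", "/api/dashboards/id/1/permissions", "/api/dashboards/id/:id/permissions", cmd, func(sc *scenarioContext) {
				callUpdateDashboardPermissions(sc)
				So(sc.resp.Code, ShouldEqual, 200)
			})
		})

		Convey("When trying to update permissions with duplicate permissions", func() {
			origNewGuardian := guardian.New
			guardian.MockDashboardGuardian(&guardian.FakeDashboardGuardian{
				CanAdminValue:                    true,
				CheckPermissionBeforeUpdateValue: false,
				CheckPermissionBeforeUpdateError: guardian.ErrGuardianPermissionExists,
			})
			Reset(func() {
				guardian.New = origNewGuardian
			})

			getDashboardQueryResult := models.NewDashboard("Dash")
			bus.AddHandler("test", func(query *models.GetDashboardQuery) error {
				query.Result = getDashboardQueryResult
				return nil
			})

			cmd := dtos.UpdateDashboardAclCommand{
				Items: []dtos.DashboardAclUpdateItem{
					{UserId: 1000, Permission: models.PERMISSION_ADMIN},
				},
			}

			updateDashboardPermissionScenario("When calling POST on", "/api/dashboards/id/1/permissions", "/api/dashboards/id/:id/permissions", cmd, func(sc *scenarioContext) {
				callUpdateDashboardPermissions(sc)
				So(sc.resp.Code, ShouldEqual, 400)
			})
		})

		Convey("When trying to override inherited permissions with lower precedence", func() {
			origNewGuardian := guardian.New
			guardian.MockDashboardGuardian(&guardian.FakeDashboardGuardian{
				CanAdminValue:                    true,
				CheckPermissionBeforeUpdateValue: false,
				CheckPermissionBeforeUpdateError: guardian.ErrGuardianOverride,
			})
			Reset(func() {
				guardian.New = origNewGuardian
			})

			getDashboardQueryResult := models.NewDashboard("Dash")
			bus.AddHandler("test", func(query *models.GetDashboardQuery) error {
				query.Result = getDashboardQueryResult
				return nil
			})

			cmd := dtos.UpdateDashboardAclCommand{
				Items: []dtos.DashboardAclUpdateItem{
					{UserId: 1000, Permission: models.PERMISSION_ADMIN},
				},
			}

			updateDashboardPermissionScenario("When calling POST on", "/api/dashboards/id/1/permissions", "/api/dashboards/id/:id/permissions", cmd, func(sc *scenarioContext) {
				callUpdateDashboardPermissions(sc)
				So(sc.resp.Code, ShouldEqual, 400)
			})
		})
	})
}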
// callGetDashboardPermissions points the scenario at the
// GetDashboardPermissionList handler and issues a GET, without extra
// parameters, against the scenario URL. The response is left on sc for the
// caller to assert on.
func callGetDashboardPermissions(sc *scenarioContext) {
	sc.handlerFunc = GetDashboardPermissionList

	noParams := map[string]string{}
	sc.fakeReqWithParams("GET", sc.url, noParams).exec()
}
// callUpdateDashboardPermissions registers a bus handler for
// models.UpdateDashboardAclCommand that always reports success, then issues a
// POST, without extra parameters, against the scenario URL.
//
// The stub accepts every command without recording it, so a test using this
// helper can only judge the endpoint by its response and cannot tell whether
// an ACL update was dispatched.
func callUpdateDashboardPermissions(sc *scenarioContext) {
	acceptUpdate := func(cmd *models.UpdateDashboardAclCommand) error {
		return nil
	}
	bus.AddHandler("test", acceptUpdate)

	noParams := map[string]string{}
	sc.fakeReqWithParams("POST", sc.url, noParams).exec()
}
// updateDashboardPermissionScenario runs fn inside a Convey block named
// "<desc> <url>", with a scenario context whose POST route on routePattern
// calls UpdateDashboardPermissions with the supplied cmd.
//
// The request context is given TestOrgID and TestUserID before the endpoint is
// called. No other identity field is set here, so the outcome of permission
// checks in tests built on this helper comes from the guardian mock installed
// by the caller. Bus handlers are cleared when the Convey block returns.
func updateDashboardPermissionScenario(desc string, url string, routePattern string, cmd dtos.UpdateDashboardAclCommand, fn scenarioFunc) {
	scenarioName := desc + " " + url

	Convey(scenarioName, func() {
		defer bus.ClearBusHandlers()

		sc := setupScenarioContext(url)

		endpoint := func(c *models.ReqContext) Response {
			// Keep the request context on the scenario and stamp the fixed
			// test identity onto it before the endpoint runs.
			sc.context = c
			sc.context.OrgId = TestOrgID
			sc.context.UserId = TestUserID

			return UpdateDashboardPermissions(c, cmd)
		}
		sc.defaultHandler = Wrap(endpoint)

		sc.m.Post(routePattern, sc.defaultHandler)

		fn(sc)
	})
}