Authz: fix snapshot tests legacy guardian (#73823)
* Guardian: remove unused dependencies
* API: rewrite tests to use access control guardian
@@ -4,7 +4,6 @@ import (
|
||||
"context"
|
||||
"errors"
|
||||
|
||||
"github.com/grafana/grafana/pkg/infra/db"
|
||||
"github.com/grafana/grafana/pkg/infra/log"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/dashboards"
|
||||
@@ -18,10 +17,7 @@ var _ DashboardGuardian = new(accessControlDashboardGuardian)
|
||||
// NewAccessControlDashboardGuardianByDashboard creates a dashboard guardian by the provided dashboardId.
|
||||
func NewAccessControlDashboardGuardian(
|
||||
ctx context.Context, cfg *setting.Cfg, dashboardId int64, user *user.SignedInUser,
|
||||
store db.DB, ac accesscontrol.AccessControl,
|
||||
folderPermissionsService accesscontrol.FolderPermissionsService,
|
||||
dashboardPermissionsService accesscontrol.DashboardPermissionsService,
|
||||
dashboardService dashboards.DashboardService,
|
||||
ac accesscontrol.AccessControl, dashboardService dashboards.DashboardService,
|
||||
) (DashboardGuardian, error) {
|
||||
var dashboard *dashboards.Dashboard
|
||||
if dashboardId != 0 {
|
||||
@@ -47,12 +43,10 @@ func NewAccessControlDashboardGuardian(
|
||||
cfg: cfg,
|
||||
log: log.New("folder.permissions"),
|
||||
user: user,
|
||||
store: store,
|
||||
ac: ac,
|
||||
dashboardService: dashboardService,
|
||||
},
|
||||
folder: dashboards.FromDashboard(dashboard),
|
||||
folderPermissionsService: folderPermissionsService,
|
||||
folder: dashboards.FromDashboard(dashboard),
|
||||
}, nil
|
||||
}
|
||||
|
||||
@@ -62,22 +56,17 @@ func NewAccessControlDashboardGuardian(
|
||||
cfg: cfg,
|
||||
log: log.New("dashboard.permissions"),
|
||||
user: user,
|
||||
store: store,
|
||||
ac: ac,
|
||||
dashboardService: dashboardService,
|
||||
},
|
||||
dashboard: dashboard,
|
||||
dashboardPermissionsService: dashboardPermissionsService,
|
||||
dashboard: dashboard,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// NewAccessControlDashboardGuardianByDashboard creates a dashboard guardian by the provided dashboardUID.
|
||||
func NewAccessControlDashboardGuardianByUID(
|
||||
ctx context.Context, cfg *setting.Cfg, dashboardUID string, user *user.SignedInUser,
|
||||
store db.DB, ac accesscontrol.AccessControl,
|
||||
folderPermissionsService accesscontrol.FolderPermissionsService,
|
||||
dashboardPermissionsService accesscontrol.DashboardPermissionsService,
|
||||
dashboardService dashboards.DashboardService,
|
||||
ac accesscontrol.AccessControl, dashboardService dashboards.DashboardService,
|
||||
) (DashboardGuardian, error) {
|
||||
var dashboard *dashboards.Dashboard
|
||||
if dashboardUID != "" {
|
||||
@@ -103,12 +92,10 @@ func NewAccessControlDashboardGuardianByUID(
|
||||
cfg: cfg,
|
||||
log: log.New("folder.permissions"),
|
||||
user: user,
|
||||
store: store,
|
||||
ac: ac,
|
||||
dashboardService: dashboardService,
|
||||
},
|
||||
folder: dashboards.FromDashboard(dashboard),
|
||||
folderPermissionsService: folderPermissionsService,
|
||||
folder: dashboards.FromDashboard(dashboard),
|
||||
}, nil
|
||||
}
|
||||
|
||||
@@ -118,12 +105,10 @@ func NewAccessControlDashboardGuardianByUID(
|
||||
ctx: ctx,
|
||||
log: log.New("dashboard.permissions"),
|
||||
user: user,
|
||||
store: store,
|
||||
ac: ac,
|
||||
dashboardService: dashboardService,
|
||||
},
|
||||
dashboard: dashboard,
|
||||
dashboardPermissionsService: dashboardPermissionsService,
|
||||
dashboard: dashboard,
|
||||
}, nil
|
||||
}
|
||||
|
||||
@@ -132,10 +117,7 @@ func NewAccessControlDashboardGuardianByUID(
|
||||
// since it avoids querying the database for fetching the dashboard.
|
||||
func NewAccessControlDashboardGuardianByDashboard(
|
||||
ctx context.Context, cfg *setting.Cfg, dashboard *dashboards.Dashboard, user *user.SignedInUser,
|
||||
store db.DB, ac accesscontrol.AccessControl,
|
||||
folderPermissionsService accesscontrol.FolderPermissionsService,
|
||||
dashboardPermissionsService accesscontrol.DashboardPermissionsService,
|
||||
dashboardService dashboards.DashboardService,
|
||||
ac accesscontrol.AccessControl, dashboardService dashboards.DashboardService,
|
||||
) (DashboardGuardian, error) {
|
||||
if dashboard != nil && dashboard.IsFolder {
|
||||
return &accessControlFolderGuardian{
|
||||
@@ -144,12 +126,10 @@ func NewAccessControlDashboardGuardianByDashboard(
|
||||
cfg: cfg,
|
||||
log: log.New("folder.permissions"),
|
||||
user: user,
|
||||
store: store,
|
||||
ac: ac,
|
||||
dashboardService: dashboardService,
|
||||
},
|
||||
folder: dashboards.FromDashboard(dashboard),
|
||||
folderPermissionsService: folderPermissionsService,
|
||||
folder: dashboards.FromDashboard(dashboard),
|
||||
}, nil
|
||||
}
|
||||
|
||||
@@ -159,22 +139,17 @@ func NewAccessControlDashboardGuardianByDashboard(
|
||||
ctx: ctx,
|
||||
log: log.New("dashboard.permissions"),
|
||||
user: user,
|
||||
store: store,
|
||||
ac: ac,
|
||||
dashboardService: dashboardService,
|
||||
},
|
||||
dashboard: dashboard,
|
||||
dashboardPermissionsService: dashboardPermissionsService,
|
||||
dashboard: dashboard,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// NewAccessControlFolderGuardian creates a folder guardian by the provided folder.
|
||||
func NewAccessControlFolderGuardian(
|
||||
ctx context.Context, cfg *setting.Cfg, f *folder.Folder, user *user.SignedInUser,
|
||||
store db.DB, ac accesscontrol.AccessControl,
|
||||
folderPermissionsService accesscontrol.FolderPermissionsService,
|
||||
dashboardPermissionsService accesscontrol.DashboardPermissionsService,
|
||||
dashboardService dashboards.DashboardService,
|
||||
ac accesscontrol.AccessControl, dashboardService dashboards.DashboardService,
|
||||
) (DashboardGuardian, error) {
|
||||
return &accessControlFolderGuardian{
|
||||
accessControlBaseGuardian: accessControlBaseGuardian{
|
||||
@@ -182,12 +157,10 @@ func NewAccessControlFolderGuardian(
|
||||
cfg: cfg,
|
||||
log: log.New("folder.permissions"),
|
||||
user: user,
|
||||
store: store,
|
||||
ac: ac,
|
||||
dashboardService: dashboardService,
|
||||
},
|
||||
folder: f,
|
||||
folderPermissionsService: folderPermissionsService,
|
||||
folder: f,
|
||||
}, nil
|
||||
}
|
||||
|
||||
@@ -197,20 +170,17 @@ type accessControlBaseGuardian struct {
|
||||
log log.Logger
|
||||
user *user.SignedInUser
|
||||
ac accesscontrol.AccessControl
|
||||
store db.DB
|
||||
dashboardService dashboards.DashboardService
|
||||
}
|
||||
|
||||
type accessControlDashboardGuardian struct {
|
||||
accessControlBaseGuardian
|
||||
dashboard *dashboards.Dashboard
|
||||
dashboardPermissionsService accesscontrol.DashboardPermissionsService
|
||||
dashboard *dashboards.Dashboard
|
||||
}
|
||||
|
||||
type accessControlFolderGuardian struct {
|
||||
accessControlBaseGuardian
|
||||
folder *folder.Folder
|
||||
folderPermissionsService accesscontrol.FolderPermissionsService
|
||||
folder *folder.Folder
|
||||
}
|
||||
|
||||
func (a *accessControlDashboardGuardian) CanSave() (bool, error) {
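Review bot: The doc comments above `NewAccessControlDashboardGuardian` and `NewAccessControlDashboardGuardianByUID` both open with `NewAccessControlDashboardGuardianByDashboard`, so neither names the function it documents. Since this change rewrites both signatures, correct them to `// NewAccessControlDashboardGuardian creates a dashboard guardian by the provided dashboardId.` and `// NewAccessControlDashboardGuardianByUID creates a dashboard guardian by the provided dashboardUID.`. These constructors choose which guardian answers the permission checks, and the visible lines leave `dashboard` nil when `dashboardId` is 0 or `dashboardUID` is empty, so the comments should also state what a guardian built without a dashboard evaluates against. The bodies between the hunks are not shown, so that last point needs confirming against the full functions.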
|
||||
|
||||
@@ -9,23 +9,13 @@ import (
|
||||
"github.com/stretchr/testify/mock"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/grafana/grafana/pkg/api/routing"
|
||||
"github.com/grafana/grafana/pkg/infra/db"
|
||||
"github.com/grafana/grafana/pkg/infra/localcache"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol/acimpl"
|
||||
acdb "github.com/grafana/grafana/pkg/services/accesscontrol/database"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol/ossaccesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/dashboards"
|
||||
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
||||
"github.com/grafana/grafana/pkg/services/folder"
|
||||
"github.com/grafana/grafana/pkg/services/folder/foldertest"
|
||||
"github.com/grafana/grafana/pkg/services/licensing/licensingtest"
|
||||
"github.com/grafana/grafana/pkg/services/quota/quotatest"
|
||||
"github.com/grafana/grafana/pkg/services/supportbundles/supportbundlestest"
|
||||
"github.com/grafana/grafana/pkg/services/team/teamimpl"
|
||||
"github.com/grafana/grafana/pkg/services/user"
|
||||
"github.com/grafana/grafana/pkg/services/user/userimpl"
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
)
|
||||
|
||||
@@ -201,7 +191,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.desc, func(t *testing.T) {
|
||||
guardian := setupAccessControlGuardianTest(t, tt.dashboard, tt.permissions, nil, nil, nil)
|
||||
guardian := setupAccessControlGuardianTest(t, tt.dashboard, tt.permissions, nil)
|
||||
can, err := guardian.CanSave()
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, tt.expected, can)
|
||||
@@ -373,7 +363,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
|
||||
t.Run(tt.desc, func(t *testing.T) {
|
||||
cfg := setting.NewCfg()
|
||||
cfg.ViewersCanEdit = tt.viewersCanEdit
|
||||
guardian := setupAccessControlGuardianTest(t, tt.dashboard, tt.permissions, cfg, nil, nil)
|
||||
guardian := setupAccessControlGuardianTest(t, tt.dashboard, tt.permissions, cfg)
|
||||
|
||||
can, err := guardian.CanEdit()
|
||||
require.NoError(t, err)
|
||||
@@ -531,7 +521,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.desc, func(t *testing.T) {
|
||||
guardian := setupAccessControlGuardianTest(t, tt.dashboard, tt.permissions, nil, nil, nil)
|
||||
guardian := setupAccessControlGuardianTest(t, tt.dashboard, tt.permissions, nil)
|
||||
|
||||
can, err := guardian.CanView()
|
||||
require.NoError(t, err)
|
||||
@@ -784,7 +774,7 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.desc, func(t *testing.T) {
|
||||
guardian := setupAccessControlGuardianTest(t, tt.dashboard, tt.permissions, nil, nil, nil)
|
||||
guardian := setupAccessControlGuardianTest(t, tt.dashboard, tt.permissions, nil)
|
||||
|
||||
can, err := guardian.CanAdmin()
|
||||
require.NoError(t, err)
|
||||
@@ -942,7 +932,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.desc, func(t *testing.T) {
|
||||
guardian := setupAccessControlGuardianTest(t, tt.dashboard, tt.permissions, nil, nil, nil)
|
||||
guardian := setupAccessControlGuardianTest(t, tt.dashboard, tt.permissions, nil)
|
||||
|
||||
can, err := guardian.CanDelete()
|
||||
require.NoError(t, err)
|
||||
@@ -1006,7 +996,7 @@ func TestAccessControlDashboardGuardian_CanCreate(t *testing.T) {
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.desc, func(t *testing.T) {
|
||||
guardian := setupAccessControlGuardianTest(t, &dashboards.Dashboard{OrgID: orgID, UID: "0", IsFolder: tt.isFolder}, tt.permissions, nil, nil, nil)
|
||||
guardian := setupAccessControlGuardianTest(t, &dashboards.Dashboard{OrgID: orgID, UID: "0", IsFolder: tt.isFolder}, tt.permissions, nil)
|
||||
|
||||
can, err := guardian.CanCreate(tt.folderID, tt.isFolder)
|
||||
require.NoError(t, err)
|
||||
@@ -1015,12 +1005,11 @@ func TestAccessControlDashboardGuardian_CanCreate(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func setupAccessControlGuardianTest(t *testing.T, d *dashboards.Dashboard,
|
||||
permissions []accesscontrol.Permission,
|
||||
cfg *setting.Cfg,
|
||||
dashboardPermissions accesscontrol.DashboardPermissionsService, folderPermissions accesscontrol.FolderPermissionsService) DashboardGuardian {
|
||||
func setupAccessControlGuardianTest(
|
||||
t *testing.T, d *dashboards.Dashboard,
|
||||
permissions []accesscontrol.Permission, cfg *setting.Cfg,
|
||||
) DashboardGuardian {
|
||||
t.Helper()
|
||||
store := db.InitTestDB(t)
|
||||
|
||||
fakeDashboardService := dashboards.NewFakeDashboardService(t)
|
||||
fakeDashboardService.On("GetDashboard", mock.Anything, mock.AnythingOfType("*dashboards.GetDashboardQuery")).Maybe().Return(d, nil)
|
||||
@@ -1037,21 +1026,6 @@ func setupAccessControlGuardianTest(t *testing.T, d *dashboards.Dashboard,
|
||||
|
||||
license := licensingtest.NewFakeLicensing()
|
||||
license.On("FeatureEnabled", "accesscontrol.enforcement").Return(true).Maybe()
|
||||
teamSvc := teamimpl.ProvideService(store, store.Cfg)
|
||||
userSvc, err := userimpl.ProvideService(store, nil, store.Cfg, nil, nil, quotatest.New(false, nil), supportbundlestest.NewFakeBundleService())
|
||||
require.NoError(t, err)
|
||||
|
||||
acSvc := acimpl.ProvideOSSService(cfg, acdb.ProvideService(store), localcache.ProvideService(), featuremgmt.WithFeatures())
|
||||
if folderPermissions == nil {
|
||||
folderPermissions, err = ossaccesscontrol.ProvideFolderPermissions(
|
||||
featuremgmt.WithFeatures(), routing.NewRouteRegister(), store, ac, license, &dashboards.FakeDashboardStore{}, folderSvc, acSvc, teamSvc, userSvc)
|
||||
require.NoError(t, err)
|
||||
}
|
||||
if dashboardPermissions == nil {
|
||||
dashboardPermissions, err = ossaccesscontrol.ProvideDashboardPermissions(
|
||||
featuremgmt.WithFeatures(), routing.NewRouteRegister(), store, ac, license, &dashboards.FakeDashboardStore{}, folderSvc, acSvc, teamSvc, userSvc)
|
||||
require.NoError(t, err)
|
||||
}
|
||||
|
||||
userPermissions := map[int64]map[string][]string{}
|
||||
for _, p := range permissions {
|
||||
@@ -1061,7 +1035,7 @@ func setupAccessControlGuardianTest(t *testing.T, d *dashboards.Dashboard,
|
||||
userPermissions[orgID][p.Action] = append(userPermissions[orgID][p.Action], p.Scope)
|
||||
}
|
||||
|
||||
g, err := NewAccessControlDashboardGuardianByDashboard(context.Background(), cfg, d, &user.SignedInUser{OrgID: orgID, Permissions: userPermissions}, store, ac, folderPermissions, dashboardPermissions, fakeDashboardService)
|
||||
g, err := NewAccessControlDashboardGuardianByDashboard(context.Background(), cfg, d, &user.SignedInUser{OrgID: orgID, Permissions: userPermissions}, ac, fakeDashboardService)
|
||||
require.NoError(t, err)
|
||||
return g
|
||||
}
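Review bot: In `setupAccessControlGuardianTest`, the `license := licensingtest.NewFakeLicensing()` fake and its `license.On("FeatureEnabled", "accesscontrol.enforcement")` expectation look like dead setup after this change. Their only visible consumers were the removed `ProvideFolderPermissions` and `ProvideDashboardPermissions` calls. The counts of the `-1037,21 +1026,6` hunk suggest both lines are kept, and the new constructor call takes only `ac` and `fakeDashboardService`, so if nothing in the unshown part of the helper reads `license`, drop the two lines and the `licensingtest` import. Leaving an "enforcement enabled" stub in an authorization test helper suggests the license flag influences the result, which the visible code no longer supports.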
|
||||
|
||||
@@ -19,7 +19,6 @@ var (
|
||||
ErrGuardianPermissionExists = errors.New("permission already exists")
|
||||
ErrGuardianOverride = errors.New("you can only override a permission to be higher")
|
||||
ErrGuardianGetDashboardFailure = errutil.Internal("guardian.getDashboardFailure", errutil.WithPublicMessage("Failed to get dashboard"))
|
||||
ErrGuardianGetFolderFailure = errutil.Internal("guardian.getFolderFailure", errutil.WithPublicMessage("Failed to get folder"))
|
||||
ErrGuardianDashboardNotFound = errutil.NotFound("guardian.dashboardNotFound")
|
||||
ErrGuardianFolderNotFound = errutil.NotFound("guardian.folderNotFound")
|
||||
)
|
||||
|
||||
@@ -16,12 +16,11 @@ type Provider struct{}
|
||||
|
||||
func ProvideService(
|
||||
cfg *setting.Cfg, store db.DB, ac accesscontrol.AccessControl,
|
||||
folderPermissionsService accesscontrol.FolderPermissionsService, dashboardPermissionsService accesscontrol.DashboardPermissionsService,
|
||||
dashboardService dashboards.DashboardService, teamService team.Service,
|
||||
) *Provider {
|
||||
if !ac.IsDisabled() {
|
||||
// TODO: Fix this hack, see https://github.com/grafana/grafana-enterprise/issues/2935
|
||||
InitAccessControlGuardian(cfg, store, ac, folderPermissionsService, dashboardPermissionsService, dashboardService)
|
||||
InitAccessControlGuardian(cfg, ac, dashboardService)
|
||||
} else {
|
||||
InitLegacyGuardian(cfg, store, dashboardService, teamService)
|
||||
}
|
||||
@@ -47,22 +46,21 @@ func InitLegacyGuardian(cfg *setting.Cfg, store db.DB, dashSvc dashboards.Dashbo
|
||||
}
|
||||
|
||||
func InitAccessControlGuardian(
|
||||
cfg *setting.Cfg, store db.DB, ac accesscontrol.AccessControl, folderPermissionsService accesscontrol.FolderPermissionsService,
|
||||
dashboardPermissionsService accesscontrol.DashboardPermissionsService, dashboardService dashboards.DashboardService,
|
||||
cfg *setting.Cfg, ac accesscontrol.AccessControl, dashboardService dashboards.DashboardService,
|
||||
) {
|
||||
New = func(ctx context.Context, dashId int64, orgId int64, user *user.SignedInUser) (DashboardGuardian, error) {
|
||||
return NewAccessControlDashboardGuardian(ctx, cfg, dashId, user, store, ac, folderPermissionsService, dashboardPermissionsService, dashboardService)
|
||||
return NewAccessControlDashboardGuardian(ctx, cfg, dashId, user, ac, dashboardService)
|
||||
}
|
||||
|
||||
NewByUID = func(ctx context.Context, dashUID string, orgId int64, user *user.SignedInUser) (DashboardGuardian, error) {
|
||||
return NewAccessControlDashboardGuardianByUID(ctx, cfg, dashUID, user, store, ac, folderPermissionsService, dashboardPermissionsService, dashboardService)
|
||||
return NewAccessControlDashboardGuardianByUID(ctx, cfg, dashUID, user, ac, dashboardService)
|
||||
}
|
||||
|
||||
NewByDashboard = func(ctx context.Context, dash *dashboards.Dashboard, orgId int64, user *user.SignedInUser) (DashboardGuardian, error) {
|
||||
return NewAccessControlDashboardGuardianByDashboard(ctx, cfg, dash, user, store, ac, folderPermissionsService, dashboardPermissionsService, dashboardService)
|
||||
return NewAccessControlDashboardGuardianByDashboard(ctx, cfg, dash, user, ac, dashboardService)
|
||||
}
|
||||
|
||||
NewByFolder = func(ctx context.Context, f *folder.Folder, orgId int64, user *user.SignedInUser) (DashboardGuardian, error) {
|
||||
return NewAccessControlFolderGuardian(ctx, cfg, f, user, store, ac, folderPermissionsService, dashboardPermissionsService, dashboardService)
|
||||
return NewAccessControlFolderGuardian(ctx, cfg, f, user, ac, dashboardService)
|
||||
}
|
||||
}
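Review bot: The four closures assigned in `InitAccessControlGuardian` accept `orgId` but never forward it: each new call passes only `ctx, cfg, <id>, user, ac, dashboardService`, so the organisation a guardian checks against has to come from `user`. A caller that supplies an `orgId` different from the signed-in user's org gets no error and no sign that the argument was dropped. Document this on the function, for example `// InitAccessControlGuardian installs the access-control guardian constructors; their orgId argument is ignored and the org is taken from the signed-in user.`, assuming that is the intent, since the constructor bodies are only partly visible on this page.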
|
||||
|
||||