Bump provisioning to admin-only in lieu of dedicated RBAC permissions (#50366)

2025-02-25 18:55:37 -06:00 · 2022-06-07 17:26:48 -05:00 · 2022-06-07 17:26:48 -05:00 · 28a47b56d2
commit 28a47b56d2
parent 0cde283505
2 changed files with 22 additions and 22 deletions
--- a/pkg/services/ngalert/api/authorization.go
+++ b/pkg/services/ngalert/api/authorization.go
@ -186,7 +186,7 @@ func (api *API) authorize(method, path string) web.Handler {
 		http.MethodGet + "/api/v1/provisioning/mute-timings",
 		http.MethodGet + "/api/v1/provisioning/mute-timings/{name}",
 		http.MethodGet + "/api/v1/provisioning/alert-rules/{UID}":
-		return middleware.ReqSignedIn
+		return middleware.ReqOrgAdmin
 	case http.MethodPut + "/api/v1/provisioning/policies",
 		http.MethodPost + "/api/v1/provisioning/contact-points",
@ -201,7 +201,7 @@ func (api *API) authorize(method, path string) web.Handler {
 		http.MethodPut + "/api/v1/provisioning/alert-rules/{UID}",
 		http.MethodDelete + "/api/v1/provisioning/alert-rules/{UID}",
 		http.MethodPut + "/api/v1/provisioning/folder/{FolderUID}/rule-groups/{Group}":
-		return middleware.ReqEditorRole
+		return middleware.ReqOrgAdmin
 	}
 	if eval != nil {
--- a/pkg/tests/api/alerting/api_provisioning_test.go
+++ b/pkg/tests/api/alerting/api_provisioning_test.go
@ -64,24 +64,24 @@ func TestProvisioning(t *testing.T) {
 			require.Equal(t, 401, resp.StatusCode)
 		})
-		t.Run("viewer GET should succeed", func(t *testing.T) {
+		t.Run("viewer GET should 403", func(t *testing.T) {
 			req := createTestRequest("GET", url, "viewer", "")
 			resp, err := http.DefaultClient.Do(req)
 			require.NoError(t, err)
 			require.NoError(t, resp.Body.Close())
-			require.Equal(t, 200, resp.StatusCode)
+			require.Equal(t, 403, resp.StatusCode)
 		})
-		t.Run("editor GET should succeed", func(t *testing.T) {
+		t.Run("editor GET should 403", func(t *testing.T) {
 			req := createTestRequest("GET", url, "editor", "")
 			resp, err := http.DefaultClient.Do(req)
 			require.NoError(t, err)
 			require.NoError(t, resp.Body.Close())
-			require.Equal(t, 200, resp.StatusCode)
+			require.Equal(t, 403, resp.StatusCode)
 		})
 		t.Run("admin GET should succeed", func(t *testing.T) {
@ -114,14 +114,14 @@ func TestProvisioning(t *testing.T) {
 			require.Equal(t, 403, resp.StatusCode)
 		})
-		t.Run("editor PUT should succeed", func(t *testing.T) {
+		t.Run("editor PUT should 403", func(t *testing.T) {
 			req := createTestRequest("PUT", url, "editor", body)
 			resp, err := http.DefaultClient.Do(req)
 			require.NoError(t, err)
 			require.NoError(t, resp.Body.Close())
-			require.Equal(t, 202, resp.StatusCode)
+			require.Equal(t, 403, resp.StatusCode)
 		})
 		t.Run("admin PUT should succeed", func(t *testing.T) {
@ -157,24 +157,24 @@ func TestProvisioning(t *testing.T) {
 			require.Equal(t, 401, resp.StatusCode)
 		})
-		t.Run("viewer GET should succeed", func(t *testing.T) {
+		t.Run("viewer GET should 403", func(t *testing.T) {
 			req := createTestRequest("GET", url, "viewer", "")
 			resp, err := http.DefaultClient.Do(req)
 			require.NoError(t, err)
 			require.NoError(t, resp.Body.Close())
-			require.Equal(t, 200, resp.StatusCode)
+			require.Equal(t, 403, resp.StatusCode)
 		})
-		t.Run("editor GET should succeed", func(t *testing.T) {
+		t.Run("editor GET should 403", func(t *testing.T) {
 			req := createTestRequest("GET", url, "editor", "")
 			resp, err := http.DefaultClient.Do(req)
 			require.NoError(t, err)
 			require.NoError(t, resp.Body.Close())
-			require.Equal(t, 200, resp.StatusCode)
+			require.Equal(t, 403, resp.StatusCode)
 		})
 		t.Run("admin GET should succeed", func(t *testing.T) {
@ -207,14 +207,14 @@ func TestProvisioning(t *testing.T) {
 			require.Equal(t, 403, resp.StatusCode)
 		})
-		t.Run("editor POST should succeed", func(t *testing.T) {
+		t.Run("editor POST should 403", func(t *testing.T) {
 			req := createTestRequest("POST", url, "editor", body)
 			resp, err := http.DefaultClient.Do(req)
 			require.NoError(t, err)
 			require.NoError(t, resp.Body.Close())
-			require.Equal(t, 202, resp.StatusCode)
+			require.Equal(t, 403, resp.StatusCode)
 		})
 		t.Run("admin POST should succeed", func(t *testing.T) {
@ -241,24 +241,24 @@ func TestProvisioning(t *testing.T) {
 			require.Equal(t, 401, resp.StatusCode)
 		})
-		t.Run("viewer GET should succeed", func(t *testing.T) {
+		t.Run("viewer GET should 403", func(t *testing.T) {
 			req := createTestRequest("GET", url, "viewer", "")
 			resp, err := http.DefaultClient.Do(req)
 			require.NoError(t, err)
 			require.NoError(t, resp.Body.Close())
-			require.Equal(t, 200, resp.StatusCode)
+			require.Equal(t, 403, resp.StatusCode)
 		})
-		t.Run("editor GET should succeed", func(t *testing.T) {
+		t.Run("editor GET should 403", func(t *testing.T) {
 			req := createTestRequest("GET", url, "editor", "")
 			resp, err := http.DefaultClient.Do(req)
 			require.NoError(t, err)
 			require.NoError(t, resp.Body.Close())
-			require.Equal(t, 200, resp.StatusCode)
+			require.Equal(t, 403, resp.StatusCode)
 		})
 		t.Run("admin GET should succeed", func(t *testing.T) {
@ -285,24 +285,24 @@ func TestProvisioning(t *testing.T) {
 			require.Equal(t, 401, resp.StatusCode)
 		})
-		t.Run("viewer GET should succeed", func(t *testing.T) {
+		t.Run("viewer GET should 403", func(t *testing.T) {
 			req := createTestRequest("GET", url, "viewer", "")
 			resp, err := http.DefaultClient.Do(req)
 			require.NoError(t, err)
 			require.NoError(t, resp.Body.Close())
-			require.Equal(t, 200, resp.StatusCode)
+			require.Equal(t, 403, resp.StatusCode)
 		})
-		t.Run("editor GET should succeed", func(t *testing.T) {
+		t.Run("editor GET should 403", func(t *testing.T) {
 			req := createTestRequest("GET", url, "editor", "")
 			resp, err := http.DefaultClient.Do(req)
 			require.NoError(t, err)
 			require.NoError(t, resp.Body.Close())
-			require.Equal(t, 200, resp.StatusCode)
+			require.Equal(t, 403, resp.StatusCode)
 		})
 		t.Run("admin GET should succeed", func(t *testing.T) {