mirror of
https://github.com/grafana/grafana.git
synced 2025-02-25 18:55:37 -06:00
RBAC: Cleaup team api rbac tests (#57265)
* RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
This commit is contained in:
Karl Persson
GitHub
parent
0dd721d4ce
commit
764d5b9929
@ -46,6 +46,7 @@ import (
|
||||
"github.com/grafana/grafana/pkg/services/org/orgtest"
|
||||
"github.com/grafana/grafana/pkg/services/preference/preftest"
|
||||
"github.com/grafana/grafana/pkg/services/quota/quotaimpl"
|
||||
"github.com/grafana/grafana/pkg/services/quota/quotatest"
|
||||
"github.com/grafana/grafana/pkg/services/rendering"
|
||||
"github.com/grafana/grafana/pkg/services/search"
|
||||
"github.com/grafana/grafana/pkg/services/searchusers"
|
||||
@ -315,6 +316,10 @@ func setAccessControlPermissions(acmock *accesscontrolmock.Mock, perms []accessc
|
||||
}
|
||||
}
|
||||
|
||||
func userWithPermissions(orgID int64, permissions []accesscontrol.Permission) *user.SignedInUser {
|
||||
return &user.SignedInUser{OrgID: orgID, Permissions: map[int64]map[string][]string{orgID: accesscontrol.GroupScopesByAction(permissions)}}
|
||||
}
|
||||
|
||||
// setInitCtxSignedInUser sets a copy of the user in initCtx
|
||||
func setInitCtxSignedInUser(initCtx *models.ReqContext, user user.SignedInUser) {
|
||||
initCtx.IsSignedIn = true
|
||||
@ -348,7 +353,7 @@ func setupSimpleHTTPServer(features *featuremgmt.FeatureManager) *HTTPServer {
|
||||
Cfg: cfg,
|
||||
Features: features,
|
||||
License: &licensing.OSSLicensingService{},
|
||||
AccessControl: accesscontrolmock.New().WithDisabled(),
|
||||
AccessControl: acimpl.ProvideAccessControl(cfg),
|
||||
annotationsRepo: annotationstest.NewFakeAnnotationsRepo(),
|
||||
}
|
||||
}
|
||||
@ -367,7 +372,6 @@ func setupHTTPServerWithCfgDb(
|
||||
store sqlstore.Store, features *featuremgmt.FeatureManager, options ...APITestServerOption,
|
||||
) accessControlScenarioContext {
|
||||
t.Helper()
|
||||
|
||||
license := &licensing.OSSLicensingService{}
|
||||
routeRegister := routing.NewRouteRegister()
|
||||
teamService := teamimpl.ProvideService(db, cfg)
|
||||
@ -491,10 +495,9 @@ func SetupAPITestServer(t *testing.T, opts ...APITestServerOption) *webtest.Serv
|
||||
|
||||
hs := &HTTPServer{
|
||||
RouteRegister: routing.NewRouteRegister(),
|
||||
Cfg: setting.NewCfg(),
|
||||
License: &licensing.OSSLicensingService{},
|
||||
AccessControl: accesscontrolmock.New().WithDisabled(),
|
||||
Features: featuremgmt.WithFeatures(),
|
||||
QuotaService: quotatest.NewQuotaServiceFake(),
|
||||
searchUsersService: &searchusers.OSSService{},
|
||||
}
|
||||
|
||||
@ -502,6 +505,15 @@ func SetupAPITestServer(t *testing.T, opts ...APITestServerOption) *webtest.Serv
|
||||
opt(hs)
|
||||
}
|
||||
|
||||
if hs.Cfg == nil {
|
||||
hs.Cfg = setting.NewCfg()
|
||||
hs.Cfg.RBACEnabled = false
|
||||
}
|
||||
|
||||
if hs.AccessControl == nil {
|
||||
hs.AccessControl = acimpl.ProvideAccessControl(hs.Cfg)
|
||||
}
|
||||
|
||||
hs.registerRoutes()
|
||||
s := webtest.NewServer(t, hs.RouteRegister)
|
||||
return s
|
||||
|
||||
@ -24,6 +24,7 @@ import (
|
||||
"github.com/grafana/grafana/pkg/services/user"
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
"github.com/grafana/grafana/pkg/web"
|
||||
"github.com/grafana/grafana/pkg/web/webtest"
|
||||
)
|
||||
|
||||
func TestTeamAPIEndpoint(t *testing.T) {
|
||||
@ -163,127 +164,142 @@ const (
|
||||
)
|
||||
|
||||
func TestTeamAPIEndpoint_CreateTeam_LegacyAccessControl(t *testing.T) {
|
||||
cfg := setting.NewCfg()
|
||||
cfg.RBACEnabled = false
|
||||
sc := setupHTTPServerWithCfg(t, true, cfg)
|
||||
setInitCtxSignedInOrgAdmin(sc.initCtx)
|
||||
server := SetupAPITestServer(t, func(hs *HTTPServer) {
|
||||
hs.teamService = teamtest.NewFakeService()
|
||||
})
|
||||
|
||||
input := strings.NewReader(fmt.Sprintf(teamCmd, 1))
|
||||
t.Run("Organisation admin can create a team", func(t *testing.T) {
|
||||
response := callAPI(sc.server, http.MethodPost, createTeamURL, input, t)
|
||||
assert.Equal(t, http.StatusOK, response.Code)
|
||||
req := server.NewPostRequest(createTeamURL, input)
|
||||
req = webtest.RequestWithSignedInUser(req, &user.SignedInUser{OrgRole: org.RoleAdmin})
|
||||
res, err := server.SendJSON(req)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, http.StatusOK, res.StatusCode)
|
||||
require.NoError(t, res.Body.Close())
|
||||
})
|
||||
|
||||
setInitCtxSignedInEditor(sc.initCtx)
|
||||
sc.initCtx.IsGrafanaAdmin = true
|
||||
input = strings.NewReader(fmt.Sprintf(teamCmd, 2))
|
||||
t.Run("Org editor and server admin cannot create a team", func(t *testing.T) {
|
||||
response := callAPI(sc.server, http.MethodPost, createTeamURL, strings.NewReader(teamCmd), t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
req := server.NewPostRequest(createTeamURL, input)
|
||||
req = webtest.RequestWithSignedInUser(req, &user.SignedInUser{OrgRole: org.RoleEditor, IsGrafanaAdmin: true})
|
||||
res, err := server.SendJSON(req)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, http.StatusForbidden, res.StatusCode)
|
||||
require.NoError(t, res.Body.Close())
|
||||
})
|
||||
}
|
||||
|
||||
func TestTeamAPIEndpoint_CreateTeam_LegacyAccessControl_EditorsCanAdmin(t *testing.T) {
|
||||
cfg := setting.NewCfg()
|
||||
cfg.RBACEnabled = false
|
||||
cfg.EditorsCanAdmin = true
|
||||
sc := setupHTTPServerWithCfg(t, true, cfg)
|
||||
server := SetupAPITestServer(t, func(hs *HTTPServer) {
|
||||
cfg := setting.NewCfg()
|
||||
cfg.RBACEnabled = false
|
||||
cfg.EditorsCanAdmin = true
|
||||
hs.Cfg = cfg
|
||||
hs.teamService = teamtest.NewFakeService()
|
||||
})
|
||||
|
||||
setInitCtxSignedInEditor(sc.initCtx)
|
||||
input := strings.NewReader(fmt.Sprintf(teamCmd, 1))
|
||||
t.Run("Editors can create a team if editorsCanAdmin is set to true", func(t *testing.T) {
|
||||
response := callAPI(sc.server, http.MethodPost, createTeamURL, input, t)
|
||||
assert.Equal(t, http.StatusOK, response.Code)
|
||||
input := strings.NewReader(fmt.Sprintf(teamCmd, 1))
|
||||
req := server.NewPostRequest(createTeamURL, input)
|
||||
req = webtest.RequestWithSignedInUser(req, &user.SignedInUser{OrgRole: org.RoleAdmin})
|
||||
res, err := server.SendJSON(req)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, http.StatusOK, res.StatusCode)
|
||||
require.NoError(t, res.Body.Close())
|
||||
})
|
||||
}
|
||||
|
||||
func TestTeamAPIEndpoint_CreateTeam_RBAC(t *testing.T) {
|
||||
sc := setupHTTPServer(t, true)
|
||||
server := SetupAPITestServer(t, func(hs *HTTPServer) {
|
||||
hs.Cfg = setting.NewCfg()
|
||||
hs.teamService = teamtest.NewFakeService()
|
||||
})
|
||||
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
input := strings.NewReader(fmt.Sprintf(teamCmd, 1))
|
||||
t.Run("Access control allows creating teams with the correct permissions", func(t *testing.T) {
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsCreate}}, 1)
|
||||
response := callAPI(sc.server, http.MethodPost, createTeamURL, input, t)
|
||||
assert.Equal(t, http.StatusOK, response.Code)
|
||||
req := server.NewPostRequest(createTeamURL, input)
|
||||
req = webtest.RequestWithSignedInUser(req, userWithPermissions(1, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsCreate}}))
|
||||
res, err := server.SendJSON(req)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, http.StatusOK, res.StatusCode)
|
||||
require.NoError(t, res.Body.Close())
|
||||
})
|
||||
|
||||
input = strings.NewReader(fmt.Sprintf(teamCmd, 2))
|
||||
t.Run("Access control prevents creating teams with the incorrect permissions", func(t *testing.T) {
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "teams:invalid"}}, accesscontrol.GlobalOrgID)
|
||||
response := callAPI(sc.server, http.MethodPost, createTeamURL, input, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
req := server.NewPostRequest(createTeamURL, input)
|
||||
req = webtest.RequestWithSignedInUser(req, userWithPermissions(1, []accesscontrol.Permission{}))
|
||||
res, err := server.SendJSON(req)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, http.StatusForbidden, res.StatusCode)
|
||||
require.NoError(t, res.Body.Close())
|
||||
})
|
||||
}
|
||||
|
||||
func TestTeamAPIEndpoint_SearchTeams_RBAC(t *testing.T) {
|
||||
sc := setupHTTPServer(t, true)
|
||||
// Seed three teams
|
||||
for i := 1; i <= 3; i++ {
|
||||
_, err := sc.teamService.CreateTeam(fmt.Sprintf("team%d", i), fmt.Sprintf("team%d@example.org", i), 1)
|
||||
require.NoError(t, err)
|
||||
}
|
||||
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
server := SetupAPITestServer(t, func(hs *HTTPServer) {
|
||||
hs.Cfg = setting.NewCfg()
|
||||
hs.teamService = teamtest.NewFakeService()
|
||||
})
|
||||
|
||||
t.Run("Access control prevents searching for teams with the incorrect permissions", func(t *testing.T) {
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:*"}}, 1)
|
||||
response := callAPI(sc.server, http.MethodGet, searchTeamsURL, http.NoBody, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
req := server.NewGetRequest(searchTeamsURL)
|
||||
req = webtest.RequestWithSignedInUser(req, userWithPermissions(1, []accesscontrol.Permission{}))
|
||||
res, err := server.Send(req)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, http.StatusForbidden, res.StatusCode)
|
||||
require.NoError(t, res.Body.Close())
|
||||
})
|
||||
|
||||
t.Run("Access control allows searching for teams with the correct permissions", func(t *testing.T) {
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:*"}}, 1)
|
||||
response := callAPI(sc.server, http.MethodGet, searchTeamsURL, http.NoBody, t)
|
||||
assert.Equal(t, http.StatusOK, response.Code)
|
||||
|
||||
res := &models.SearchTeamQueryResult{}
|
||||
err := json.Unmarshal(response.Body.Bytes(), res)
|
||||
req := server.NewGetRequest(searchTeamsURL)
|
||||
req = webtest.RequestWithSignedInUser(req, userWithPermissions(1, []accesscontrol.Permission{
|
||||
{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
|
||||
}))
|
||||
res, err := server.Send(req)
|
||||
require.NoError(t, err)
|
||||
require.Len(t, res.Teams, 3, "expected all teams to have been returned")
|
||||
require.Equal(t, res.TotalCount, int64(3), "expected count to match teams length")
|
||||
})
|
||||
|
||||
t.Run("Access control filters teams based on user permissions", func(t *testing.T) {
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"}, {Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:3"}}, 1)
|
||||
response := callAPI(sc.server, http.MethodGet, searchTeamsURL, http.NoBody, t)
|
||||
assert.Equal(t, http.StatusOK, response.Code)
|
||||
|
||||
res := &models.SearchTeamQueryResult{}
|
||||
err := json.Unmarshal(response.Body.Bytes(), res)
|
||||
require.NoError(t, err)
|
||||
require.Len(t, res.Teams, 2, "expected a subset of teams to have been returned")
|
||||
require.Equal(t, res.TotalCount, int64(2), "expected count to match teams length")
|
||||
for _, team := range res.Teams {
|
||||
require.NotEqual(t, team.Name, "team2", "expected team2 to have been filtered")
|
||||
}
|
||||
assert.Equal(t, http.StatusOK, res.StatusCode)
|
||||
require.NoError(t, res.Body.Close())
|
||||
})
|
||||
}
|
||||
|
||||
func TestTeamAPIEndpoint_GetTeamByID_RBAC(t *testing.T) {
|
||||
sc := setupHTTPServer(t, true)
|
||||
sc.db = db.InitTestDB(t)
|
||||
server := SetupAPITestServer(t, func(hs *HTTPServer) {
|
||||
hs.Cfg = setting.NewCfg()
|
||||
hs.teamService = &teamtest.FakeService{ExpectedTeamDTO: &models.TeamDTO{}}
|
||||
})
|
||||
|
||||
_, err := sc.teamService.CreateTeam("team1", "team1@example.org", 1)
|
||||
require.NoError(t, err)
|
||||
url := fmt.Sprintf(detailTeamURL, 1)
|
||||
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
|
||||
t.Run("Access control prevents getting a team with the incorrect permissions", func(t *testing.T) {
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:2"}}, 1)
|
||||
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(detailTeamURL, 1), http.NoBody, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
t.Run("Access control prevents getting a team when missing permissions", func(t *testing.T) {
|
||||
req := server.NewGetRequest(url)
|
||||
req = webtest.RequestWithSignedInUser(req, userWithPermissions(1, []accesscontrol.Permission{}))
|
||||
res, err := server.Send(req)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, http.StatusForbidden, res.StatusCode)
|
||||
require.NoError(t, res.Body.Close())
|
||||
})
|
||||
|
||||
t.Run("Access control allows getting a team with the correct permissions", func(t *testing.T) {
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"}}, 1)
|
||||
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(detailTeamURL, 1), http.NoBody, t)
|
||||
assert.Equal(t, http.StatusOK, response.Code)
|
||||
|
||||
res := &models.TeamDTO{}
|
||||
err := json.Unmarshal(response.Body.Bytes(), res)
|
||||
req := server.NewGetRequest(url)
|
||||
req = webtest.RequestWithSignedInUser(req, userWithPermissions(1, []accesscontrol.Permission{
|
||||
{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"},
|
||||
}))
|
||||
res, err := server.Send(req)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, "team1", res.Name)
|
||||
assert.Equal(t, http.StatusOK, res.StatusCode)
|
||||
require.NoError(t, res.Body.Close())
|
||||
})
|
||||
|
||||
t.Run("Access control allows getting a team with wildcard scope", func(t *testing.T) {
|
||||
req := server.NewGetRequest(url)
|
||||
req = webtest.RequestWithSignedInUser(req, userWithPermissions(1, []accesscontrol.Permission{
|
||||
{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:*"},
|
||||
}))
|
||||
res, err := server.Send(req)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, http.StatusOK, res.StatusCode)
|
||||
require.NoError(t, res.Body.Close())
|
||||
})
|
||||
}
|
||||
|
||||
@ -291,48 +307,42 @@ func TestTeamAPIEndpoint_GetTeamByID_RBAC(t *testing.T) {
|
||||
// Then the endpoint should return 200 if the user has accesscontrol.ActionTeamsWrite with teams:id:1 scope
|
||||
// else return 403
|
||||
func TestTeamAPIEndpoint_UpdateTeam_RBAC(t *testing.T) {
|
||||
sc := setupHTTPServer(t, true)
|
||||
sc.db = db.InitTestDB(t)
|
||||
_, err := sc.teamService.CreateTeam("team1", "", 1)
|
||||
|
||||
require.NoError(t, err)
|
||||
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
|
||||
input := strings.NewReader(fmt.Sprintf(teamCmd, 1))
|
||||
t.Run("Access control allows updating teams with the correct permissions", func(t *testing.T) {
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:1"}}, 1)
|
||||
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(detailTeamURL, 1), input, t)
|
||||
assert.Equal(t, http.StatusOK, response.Code)
|
||||
|
||||
teamQuery := &models.GetTeamByIdQuery{OrgId: 1, SignedInUser: sc.initCtx.SignedInUser, Id: 1, Result: &models.TeamDTO{}}
|
||||
err := sc.teamService.GetTeamById(context.Background(), teamQuery)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, "MyTestTeam1", teamQuery.Result.Name)
|
||||
server := SetupAPITestServer(t, func(hs *HTTPServer) {
|
||||
hs.Cfg = setting.NewCfg()
|
||||
hs.teamService = &teamtest.FakeService{ExpectedTeamDTO: &models.TeamDTO{}}
|
||||
})
|
||||
|
||||
input = strings.NewReader(fmt.Sprintf(teamCmd, 2))
|
||||
t.Run("Access control allows updating teams with the correct global permissions", func(t *testing.T) {
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:*"}}, 1)
|
||||
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(detailTeamURL, 1), input, t)
|
||||
assert.Equal(t, http.StatusOK, response.Code)
|
||||
request := func(teamID int64, user *user.SignedInUser) (*http.Response, error) {
|
||||
req := server.NewRequest(http.MethodPut, fmt.Sprintf(detailTeamURL, teamID), strings.NewReader(teamCmd))
|
||||
req = webtest.RequestWithSignedInUser(req, user)
|
||||
return server.SendJSON(req)
|
||||
}
|
||||
|
||||
teamQuery := &models.GetTeamByIdQuery{OrgId: 1, SignedInUser: sc.initCtx.SignedInUser, Id: 1, Result: &models.TeamDTO{}}
|
||||
err := sc.teamService.GetTeamById(context.Background(), teamQuery)
|
||||
t.Run("Access control allows updating team with the correct permissions", func(t *testing.T) {
|
||||
res, err := request(1, userWithPermissions(1, []accesscontrol.Permission{
|
||||
{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:1"},
|
||||
}))
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, "MyTestTeam2", teamQuery.Result.Name)
|
||||
assert.Equal(t, http.StatusOK, res.StatusCode)
|
||||
require.NoError(t, res.Body.Close())
|
||||
})
|
||||
|
||||
input = strings.NewReader(fmt.Sprintf(teamCmd, 3))
|
||||
t.Run("Access control prevents updating teams with the incorrect permissions", func(t *testing.T) {
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:2"}}, 1)
|
||||
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(detailTeamURL, 1), input, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
t.Run("Access control allows updating teams with the wildcard scope", func(t *testing.T) {
|
||||
res, err := request(1, userWithPermissions(1, []accesscontrol.Permission{
|
||||
{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:*"},
|
||||
}))
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, http.StatusOK, res.StatusCode)
|
||||
require.NoError(t, res.Body.Close())
|
||||
})
|
||||
|
||||
teamQuery := &models.GetTeamByIdQuery{OrgId: 1, SignedInUser: sc.initCtx.SignedInUser, Id: 1, Result: &models.TeamDTO{}}
|
||||
err := sc.teamService.GetTeamById(context.Background(), teamQuery)
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, "MyTestTeam2", teamQuery.Result.Name)
|
||||
t.Run("Access control prevent updating a team with wrong scope", func(t *testing.T) {
|
||||
res, err := request(1, userWithPermissions(1, []accesscontrol.Permission{
|
||||
{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:2"},
|
||||
}))
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, http.StatusForbidden, res.StatusCode)
|
||||
require.NoError(t, res.Body.Close())
|
||||
})
|
||||
}
|
||||
|
||||
@ -340,31 +350,33 @@ func TestTeamAPIEndpoint_UpdateTeam_RBAC(t *testing.T) {
|
||||
// Then the endpoint should return 200 if the user has accesscontrol.ActionTeamsDelete with teams:id:1 scope
|
||||
// else return 403
|
||||
func TestTeamAPIEndpoint_DeleteTeam_RBAC(t *testing.T) {
|
||||
sc := setupHTTPServer(t, true)
|
||||
sc.db = db.InitTestDB(t)
|
||||
_, err := sc.teamService.CreateTeam("team1", "", 1)
|
||||
require.NoError(t, err)
|
||||
server := SetupAPITestServer(t, func(hs *HTTPServer) {
|
||||
hs.Cfg = setting.NewCfg()
|
||||
hs.teamService = &teamtest.FakeService{ExpectedTeamDTO: &models.TeamDTO{}}
|
||||
})
|
||||
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
request := func(teamID int64, user *user.SignedInUser) (*http.Response, error) {
|
||||
req := server.NewRequest(http.MethodDelete, fmt.Sprintf(detailTeamURL, teamID), http.NoBody)
|
||||
req = webtest.RequestWithSignedInUser(req, user)
|
||||
return server.Send(req)
|
||||
}
|
||||
|
||||
t.Run("Access control prevents deleting teams with the incorrect permissions", func(t *testing.T) {
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:7"}}, 1)
|
||||
response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(detailTeamURL, 1), http.NoBody, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
|
||||
teamQuery := &models.GetTeamByIdQuery{OrgId: 1, SignedInUser: sc.initCtx.SignedInUser, Id: 1, Result: &models.TeamDTO{}}
|
||||
err := sc.teamService.GetTeamById(context.Background(), teamQuery)
|
||||
res, err := request(1, userWithPermissions(1, []accesscontrol.Permission{
|
||||
{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:2"},
|
||||
}))
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, http.StatusForbidden, res.StatusCode)
|
||||
require.NoError(t, res.Body.Close())
|
||||
})
|
||||
|
||||
t.Run("Access control allows deleting teams with the correct permissions", func(t *testing.T) {
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:1"}}, 1)
|
||||
response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(detailTeamURL, 1), http.NoBody, t)
|
||||
assert.Equal(t, http.StatusOK, response.Code)
|
||||
|
||||
teamQuery := &models.GetTeamByIdQuery{OrgId: 1, SignedInUser: sc.initCtx.SignedInUser, Id: 1, Result: &models.TeamDTO{}}
|
||||
err := sc.teamService.GetTeamById(context.Background(), teamQuery)
|
||||
require.ErrorIs(t, err, models.ErrTeamNotFound)
|
||||
res, err := request(1, userWithPermissions(1, []accesscontrol.Permission{
|
||||
{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:1"},
|
||||
}))
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, http.StatusOK, res.StatusCode)
|
||||
require.NoError(t, res.Body.Close())
|
||||
})
|
||||
}
|
||||
|
||||
@ -372,32 +384,33 @@ func TestTeamAPIEndpoint_DeleteTeam_RBAC(t *testing.T) {
|
||||
// Then the endpoint should return 200 if the user has accesscontrol.ActionTeamsRead with teams:id:1 scope
|
||||
// else return 403
|
||||
func TestTeamAPIEndpoint_GetTeamPreferences_RBAC(t *testing.T) {
|
||||
sc := setupHTTPServer(t, true)
|
||||
sc.db = db.InitTestDB(t)
|
||||
_, err := sc.teamService.CreateTeam("team1", "", 1)
|
||||
server := SetupAPITestServer(t, func(hs *HTTPServer) {
|
||||
hs.Cfg = setting.NewCfg()
|
||||
hs.preferenceService = &preftest.FakePreferenceService{ExpectedPreference: &pref.Preference{}}
|
||||
})
|
||||
|
||||
sqlstore := mockstore.NewSQLStoreMock()
|
||||
sc.hs.SQLStore = sqlstore
|
||||
|
||||
prefService := preftest.NewPreferenceServiceFake()
|
||||
prefService.ExpectedPreference = &pref.Preference{}
|
||||
sc.hs.preferenceService = prefService
|
||||
|
||||
require.NoError(t, err)
|
||||
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
request := func(teamID int64, user *user.SignedInUser) (*http.Response, error) {
|
||||
req := server.NewGetRequest(fmt.Sprintf(detailTeamPreferenceURL, teamID))
|
||||
req = webtest.RequestWithSignedInUser(req, user)
|
||||
return server.Send(req)
|
||||
}
|
||||
|
||||
t.Run("Access control allows getting team preferences with the correct permissions", func(t *testing.T) {
|
||||
setAccessControlPermissions(sc.acmock,
|
||||
[]accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"}}, 1)
|
||||
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(detailTeamPreferenceURL, 1), http.NoBody, t)
|
||||
assert.Equal(t, http.StatusOK, response.Code)
|
||||
res, err := request(1, userWithPermissions(1, []accesscontrol.Permission{
|
||||
{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"},
|
||||
}))
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, http.StatusOK, res.StatusCode)
|
||||
require.NoError(t, res.Body.Close())
|
||||
})
|
||||
|
||||
t.Run("Access control prevents getting team preferences with the incorrect permissions", func(t *testing.T) {
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:2"}}, 1)
|
||||
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(detailTeamPreferenceURL, 1), http.NoBody, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
res, err := request(1, userWithPermissions(1, []accesscontrol.Permission{
|
||||
{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:2"},
|
||||
}))
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, http.StatusForbidden, res.StatusCode)
|
||||
require.NoError(t, res.Body.Close())
|
||||
})
|
||||
}
|
||||
|
||||
@ -405,41 +418,32 @@ func TestTeamAPIEndpoint_GetTeamPreferences_RBAC(t *testing.T) {
|
||||
// Then the endpoint should return 200 if the user has accesscontrol.ActionTeamsWrite with teams:id:1 scope
|
||||
// else return 403
|
||||
func TestTeamAPIEndpoint_UpdateTeamPreferences_RBAC(t *testing.T) {
|
||||
sc := setupHTTPServer(t, true)
|
||||
sqlStore := db.InitTestDB(t)
|
||||
sc.db = sqlStore
|
||||
|
||||
prefService := preftest.NewPreferenceServiceFake()
|
||||
prefService.ExpectedPreference = &pref.Preference{Theme: "dark"}
|
||||
sc.hs.preferenceService = prefService
|
||||
|
||||
_, err := sc.teamService.CreateTeam("team1", "", 1)
|
||||
|
||||
require.NoError(t, err)
|
||||
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
|
||||
input := strings.NewReader(teamPreferenceCmd)
|
||||
t.Run("Access control allows updating team preferences with the correct permissions", func(t *testing.T) {
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:1"}}, 1)
|
||||
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(detailTeamPreferenceURL, 1), input, t)
|
||||
assert.Equal(t, http.StatusOK, response.Code)
|
||||
|
||||
prefQuery := &pref.GetPreferenceQuery{OrgID: 1, TeamID: 1}
|
||||
preference, err := prefService.Get(context.Background(), prefQuery)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, "dark", preference.Theme)
|
||||
server := SetupAPITestServer(t, func(hs *HTTPServer) {
|
||||
hs.Cfg = setting.NewCfg()
|
||||
hs.preferenceService = &preftest.FakePreferenceService{ExpectedPreference: &pref.Preference{}}
|
||||
})
|
||||
|
||||
input = strings.NewReader(teamPreferenceCmdLight)
|
||||
t.Run("Access control prevents updating team preferences with the incorrect permissions", func(t *testing.T) {
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:2"}}, 1)
|
||||
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(detailTeamPreferenceURL, 1), input, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
request := func(teamID int64, user *user.SignedInUser) (*http.Response, error) {
|
||||
req := server.NewRequest(http.MethodPut, fmt.Sprintf(detailTeamPreferenceURL, teamID), strings.NewReader(teamPreferenceCmd))
|
||||
req = webtest.RequestWithSignedInUser(req, user)
|
||||
return server.SendJSON(req)
|
||||
}
|
||||
|
||||
prefQuery := &pref.GetPreferenceQuery{OrgID: 1, TeamID: 1}
|
||||
preference, err := prefService.Get(context.Background(), prefQuery)
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, "dark", preference.Theme)
|
||||
t.Run("Access control allows updating team preferences with the correct permissions", func(t *testing.T) {
|
||||
res, err := request(1, userWithPermissions(1, []accesscontrol.Permission{
|
||||
{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:1"},
|
||||
}))
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, http.StatusOK, res.StatusCode)
|
||||
require.NoError(t, res.Body.Close())
|
||||
})
|
||||
|
||||
t.Run("Access control prevents updating team preferences with the incorrect permissions", func(t *testing.T) {
|
||||
res, err := request(1, userWithPermissions(1, []accesscontrol.Permission{
|
||||
{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:2"},
|
||||
}))
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, http.StatusForbidden, res.StatusCode)
|
||||
require.NoError(t, res.Body.Close())
|
||||
})
|
||||
}
|
||||
|
||||
@ -53,6 +53,7 @@ type Mock struct {
|
||||
// Ensure the mock stays in line with the interface
|
||||
var _ fullAccessControl = New()
|
||||
|
||||
// Deprecated: use fake service and real access control evaluator instead
|
||||
func New() *Mock {
|
||||
mock := &Mock{
|
||||
Calls: Calls{},
|
||||
|
||||
@ -8,6 +8,7 @@ import (
|
||||
|
||||
type FakeService struct {
|
||||
ExpectedTeam models.Team
|
||||
ExpectedTeamDTO *models.TeamDTO
|
||||
ExpectedTeamsByUser []*models.TeamDTO
|
||||
ExpectedMembers []*models.TeamMemberDTO
|
||||
ExpectedError error
|
||||
@ -34,6 +35,7 @@ func (s *FakeService) SearchTeams(ctx context.Context, query *models.SearchTeams
|
||||
}
|
||||
|
||||
func (s *FakeService) GetTeamById(ctx context.Context, query *models.GetTeamByIdQuery) error {
|
||||
query.Result = s.ExpectedTeamDTO
|
||||
return s.ExpectedError
|
||||
}
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user