IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

RBAC: Add tests on AddAppLinks (#58843)

Browse Source 
* RBAC: Add tests on AddAppLinks
This commit is contained in:
Gabriel MABILLE 2022-11-16 17:44:33 +01:00 committed by GitHub
parent f4d238cdbd
commit 8756c4d91f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 120 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

120
pkg/services/navtree/navtreeimpl/applinks_test.go
View File

@ -6,8 +6,10 @@ import (
"github.com/grafana/grafana/pkg/infra/log" "github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/models" "github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/models/roletype"
"github.com/grafana/grafana/pkg/plugins" "github.com/grafana/grafana/pkg/plugins"
ac "github.com/grafana/grafana/pkg/services/accesscontrol" ac "github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/accesscontrol/acimpl"
accesscontrolmock "github.com/grafana/grafana/pkg/services/accesscontrol/mock" accesscontrolmock "github.com/grafana/grafana/pkg/services/accesscontrol/mock"
"github.com/grafana/grafana/pkg/services/featuremgmt" "github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/navtree" "github.com/grafana/grafana/pkg/services/navtree"
@ -349,3 +351,121 @@ func TestReadingNavigationSettings(t *testing.T) {
require.Equal(t, int64(30), service.navigationAppPathConfig["/a/grafana-k8s-app/foo"].SortWeight) require.Equal(t, int64(30), service.navigationAppPathConfig["/a/grafana-k8s-app/foo"].SortWeight)
}) })
} }
func TestAddAppLinksAccessControl(t *testing.T) {
httpReq, _ := http.NewRequest(http.MethodGet, "", nil)
user := &user.SignedInUser{OrgID: 1}
reqCtx := &models.ReqContext{SignedInUser: user, Context: &web.Context{Req: httpReq}}
catalogReadAction := "test-app1.catalog:read"
testApp1 := plugins.PluginDTO{
JSONData: plugins.JSONData{
ID: "test-app1", Name: "Test app1 name", Type: plugins.App,
Includes: []*plugins.Includes{
{
Name: "Catalog",
Path: "/a/test-app1/catalog",
Type: "page",
AddToNav: true,
DefaultNav: true,
Role: roletype.RoleEditor,
Action: catalogReadAction,
},
{
Name: "Page2",
Path: "/a/test-app1/page2",
Type: "page",
AddToNav: true,
Role: roletype.RoleViewer,
},
},
},
}
pluginSettings := pluginsettings.FakePluginSettings{Plugins: map[string]*pluginsettings.DTO{
testApp1.ID: {ID: 0, OrgID: 1, PluginID: testApp1.ID, PluginVersion: "1.0.0", Enabled: true},
}}
cfg := setting.NewCfg()
service := ServiceImpl{
log: log.New("navtree"),
cfg: cfg,
accessControl: acimpl.ProvideAccessControl(cfg),
pluginSettings: &pluginSettings,
features: featuremgmt.WithFeatures(),
pluginStore: plugins.FakePluginStore{
PluginList: []plugins.PluginDTO{testApp1},
},
}
t.Run("Should not add app links when the user cannot access app plugins", func(t *testing.T) {
treeRoot := navtree.NavTreeRoot{}
user.Permissions = map[int64]map[string][]string{}
user.OrgRole = roletype.RoleAdmin
err := service.addAppLinks(&treeRoot, reqCtx)
require.NoError(t, err)
require.Len(t, treeRoot.Children, 0)
})
t.Run("Should add both includes when the user is an editor", func(t *testing.T) {
treeRoot := navtree.NavTreeRoot{}
user.Permissions = map[int64]map[string][]string{
1: {plugins.ActionAppAccess: []string{"*"}},
}
user.OrgRole = roletype.RoleEditor
err := service.addAppLinks(&treeRoot, reqCtx)
require.NoError(t, err)
require.Len(t, treeRoot.Children, 1)
require.Equal(t, "Test app1 name", treeRoot.Children[0].Text)
require.Len(t, treeRoot.Children[0].Children, 2)
require.Equal(t, "/a/test-app1/catalog", treeRoot.Children[0].Children[0].Url)
require.Equal(t, "/a/test-app1/page2", treeRoot.Children[0].Children[1].Url)
})
t.Run("Should add one include when the user is a viewer", func(t *testing.T) {
treeRoot := navtree.NavTreeRoot{}
user.Permissions = map[int64]map[string][]string{
1: {plugins.ActionAppAccess: []string{"*"}},
}
user.OrgRole = roletype.RoleViewer
err := service.addAppLinks(&treeRoot, reqCtx)
require.NoError(t, err)
require.Len(t, treeRoot.Children, 1)
require.Equal(t, "Test app1 name", treeRoot.Children[0].Text)
require.Len(t, treeRoot.Children[0].Children, 1)
require.Equal(t, "/a/test-app1/page2", treeRoot.Children[0].Children[0].Url)
})
t.Run("Should add both includes when the user is a viewer with catalog read", func(t *testing.T) {
treeRoot := navtree.NavTreeRoot{}
user.Permissions = map[int64]map[string][]string{
1: {plugins.ActionAppAccess: []string{"*"}, catalogReadAction: []string{}},
}
user.OrgRole = roletype.RoleViewer
service.features = featuremgmt.WithFeatures(featuremgmt.FlagAccessControlOnCall)
err := service.addAppLinks(&treeRoot, reqCtx)
require.NoError(t, err)
require.Len(t, treeRoot.Children, 1)
require.Equal(t, "Test app1 name", treeRoot.Children[0].Text)
require.Len(t, treeRoot.Children[0].Children, 2)
require.Equal(t, "/a/test-app1/catalog", treeRoot.Children[0].Children[0].Url)
require.Equal(t, "/a/test-app1/page2", treeRoot.Children[0].Children[1].Url)
})
t.Run("Should add one include when the user is an editor without catalog read", func(t *testing.T) {
treeRoot := navtree.NavTreeRoot{}
user.Permissions = map[int64]map[string][]string{
1: {plugins.ActionAppAccess: []string{"*"}},
}
user.OrgRole = roletype.RoleEditor
service.features = featuremgmt.WithFeatures(featuremgmt.FlagAccessControlOnCall)
err := service.addAppLinks(&treeRoot, reqCtx)
require.NoError(t, err)
require.Len(t, treeRoot.Children, 1)
require.Equal(t, "Test app1 name", treeRoot.Children[0].Text)
require.Len(t, treeRoot.Children[0].Children, 1)
require.Equal(t, "/a/test-app1/page2", treeRoot.Children[0].Children[0].Url)
})
}