Serviceaccounts: Do not display service accounts assigned to team (#48995)

* Add IsServiceAccount to query * test for excluding service accounts in query * align test * test update * added logging * should fix tests * moved test to bottom * add back setup function * Remove IsServiceAccount from query Instead use false for is_service_account and when the time comes to implement service accounts for team. we deal with it * missed teamtest * formatting
2025-02-25 18:55:37 -06:00 · 2022-05-24 16:52:39 +10:00 · 2022-05-24 16:52:39 +10:00 · cbf71fbd7f
commit cbf71fbd7f
parent 69e2ab3d0f
2 changed files with 40 additions and 2 deletions
--- a/pkg/services/sqlstore/team.go
+++ b/pkg/services/sqlstore/team.go
@ -535,6 +535,9 @@ func (ss *SQLStore) getTeamMembers(ctx context.Context, query *models.GetTeamMem
 			fmt.Sprintf("team_member.user_id=%s.%s", ss.Dialect.Quote("user"), ss.Dialect.Quote("id")),
 		)

+		// explicitly check for serviceaccounts
+		sess.Where(fmt.Sprintf("%s.is_service_account=?", ss.Dialect.Quote("user")), ss.Dialect.BooleanStr(false))
+
 		if acUserFilter != nil {
 			sess.Where(acUserFilter.Where, acUserFilter.Args...)
 		}
--- a/pkg/services/sqlstore/team_test.go
+++ b/pkg/services/sqlstore/team_test.go
@ -13,6 +13,7 @@ import (

 	"github.com/grafana/grafana/pkg/models"
 	ac "github.com/grafana/grafana/pkg/services/accesscontrol"
+	"github.com/grafana/grafana/pkg/services/serviceaccounts"
 )

 func TestTeamCommandsAndQueries(t *testing.T) {
@ -22,8 +23,9 @@ func TestTeamCommandsAndQueries(t *testing.T) {
 			OrgId: 1,
 			Permissions: map[int64]map[string][]string{
 				1: {
-					ac.ActionTeamsRead:    []string{ac.ScopeTeamsAll},
-					ac.ActionOrgUsersRead: []string{ac.ScopeUsersAll},
+					ac.ActionTeamsRead:         []string{ac.ScopeTeamsAll},
+					ac.ActionOrgUsersRead:      []string{ac.ScopeUsersAll},
+					serviceaccounts.ActionRead: []string{serviceaccounts.ScopeAll},
 				},
 			},
 		}
@ -362,6 +364,39 @@ func TestTeamCommandsAndQueries(t *testing.T) {
 				require.NoError(t, err)
 				require.EqualValues(t, getTeamQuery.Result.MemberCount, 2)
 			})
+
+			t.Run("Should be able to exclude service accounts from teamembers", func(t *testing.T) {
+				sqlStore = InitTestDB(t)
+				setup()
+				userCmd = models.CreateUserCommand{
+					Email:            fmt.Sprint("sa", 1, "@test.com"),
+					Name:             fmt.Sprint("sa", 1),
+					Login:            fmt.Sprint("login-sa", 1),
+					IsServiceAccount: true,
+				}
+				serviceAccount, err := sqlStore.CreateUser(context.Background(), userCmd)
+				require.NoError(t, err)
+
+				groupId := team2.Id
+				// add service account to team
+				err = sqlStore.AddTeamMember(serviceAccount.Id, testOrgID, groupId, false, 0)
+				require.NoError(t, err)
+
+				// add user to team
+				err = sqlStore.AddTeamMember(userIds[0], testOrgID, groupId, false, 0)
+				require.NoError(t, err)
+
+				teamMembersQuery := &models.GetTeamMembersQuery{
+					OrgId:        testOrgID,
+					SignedInUser: testUser,
+					TeamId:       groupId,
+				}
+				err = sqlStore.GetTeamMembers(context.Background(), teamMembersQuery)
+				require.NoError(t, err)
+				// should not receive service account from query
+				require.Equal(t, len(teamMembersQuery.Result), 1)
+			})
+
 		})
 	})
 }