IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-01-27 00:37:04 -06:00
Code Issues Packages Projects Releases Wiki Activity

AccessControl: Enable RBAC by default (#48813)

Browse Source 
* Add RBAC section to settings

* Default to RBAC enabled settings to true

* Update tests to respect RBAC

Co-authored-by: Karl Persson <kalle.persson@grafana.com>
This commit is contained in:
Ieva 2022-05-16 03:45:41 -07:00 committed by GitHub
parent 3106af9eec
commit f256f625d8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
40 changed files with 540 additions and 282 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
conf/defaults.ini
View File

@ -643,6 +643,10 @@ managed_identity_enabled = false
# Should be set for user-assigned identity and should be empty for system-assigned identity
managed_identity_client_id =
#################################### Role-based Access Control ###########
[rbac]
enabled = true
#################################### SMTP / Emailing #####################
[smtp]
enabled = false

4
conf/sample.ini
View File

@ -623,6 +623,10 @@
# Should be set for user-assigned identity and should be empty for system-assigned identity
;managed_identity_client_id =
#################################### Role-based Access Control ###########
[rbac]
;enabled = true
#################################### SMTP / Emailing ##########################
[smtp]
;enabled = false

1
packages/grafana-data/src/types/config.ts
View File

@ -162,6 +162,7 @@ export interface GrafanaConfig {
autoAssignOrg: boolean;
verifyEmailEnabled: boolean;
oauth: OAuthSettings;
rbacEnabled: boolean;
disableUserSignUp: boolean;
loginHint: string;
passwordHint: string;

1
packages/grafana-data/src/types/featureToggles.gen.ts
View File

@ -32,7 +32,6 @@ export interface FeatureToggles {
tempoBackendSearch?: boolean;
tempoServiceGraph?: boolean;
lokiBackendMode?: boolean;
accesscontrol?: boolean;
['accesscontrol-builtins']?: boolean;
prometheus_azure_auth?: boolean;
influxdbBackendMigration?: boolean;

1
packages/grafana-runtime/src/config.ts
View File

@ -57,6 +57,7 @@ export class GrafanaBootConfig implements GrafanaConfig {
autoAssignOrg = true;
verifyEmailEnabled = false;
oauth: OAuthSettings = {};
rbacEnabled = true;
disableUserSignUp = false;
loginHint = '';
passwordHint = '';

19
pkg/api/common_test.go
View File

@ -340,20 +340,21 @@ func setupHTTPServerWithMockDb(t *testing.T, useFakeAccessControl bool, enableAc
}
func setupHTTPServerWithCfg(t *testing.T, useFakeAccessControl, enableAccessControl bool, cfg *setting.Cfg) accessControlScenarioContext {
var db *sqlstore.SQLStore
if useFakeAccessControl && enableAccessControl {
db = sqlstore.InitTestDB(t, sqlstore.InitTestDBOpt{FeatureFlags: []string{featuremgmt.FlagAccesscontrol}})
} else {
db = sqlstore.InitTestDB(t, sqlstore.InitTestDBOpt{})
}
db := sqlstore.InitTestDB(t, sqlstore.InitTestDBOpt{})
return setupHTTPServerWithCfgDb(t, useFakeAccessControl, enableAccessControl, cfg, db, db)
}
func setupHTTPServerWithCfgDb(t *testing.T, useFakeAccessControl, enableAccessControl bool, cfg *setting.Cfg, db *sqlstore.SQLStore, store sqlstore.Store) accessControlScenarioContext {
t.Helper()
features := featuremgmt.WithFeatures(featuremgmt.FlagAccesscontrol, enableAccessControl)
cfg.IsFeatureToggleEnabled = features.IsEnabled
if enableAccessControl {
cfg.RBACEnabled = true
db.Cfg.RBACEnabled = true
} else {
cfg.RBACEnabled = false
db.Cfg.RBACEnabled = false
}
features := featuremgmt.WithFeatures()
var acmock *accesscontrolmock.Mock
@ -388,7 +389,7 @@ func setupHTTPServerWithCfgDb(t *testing.T, useFakeAccessControl, enableAccessCo
require.NoError(t, err)
hs.teamPermissionsService = teamPermissionService
} else {
ac, errInitAc := ossaccesscontrol.ProvideService(hs.Features, database.ProvideService(db), routing.NewRouteRegister())
ac, errInitAc := ossaccesscontrol.ProvideService(hs.Features, hs.Cfg, database.ProvideService(db), routing.NewRouteRegister())
require.NoError(t, errInitAc)
hs.AccessControl = ac
// Perform role registration

1
pkg/api/frontendsettings.go
View File

@ -105,6 +105,7 @@ func (hs *HTTPServer) getFrontendSettingsMap(c *models.ReqContext) (map[string]i
"autoAssignOrg": setting.AutoAssignOrg,
"verifyEmailEnabled": setting.VerifyEmailEnabled,
"sigV4AuthEnabled": setting.SigV4AuthEnabled,
"rbacEnabled": hs.Cfg.RBACEnabled,
"exploreEnabled": setting.ExploreEnabled,
"helpEnabled": setting.HelpEnabled,
"profileEnabled": setting.ProfileEnabled,

3
pkg/services/accesscontrol/accesscontrol.go
View File

@ -7,7 +7,6 @@ import (
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/registry"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/setting"
)
@ -237,5 +236,5 @@ func extractPrefixes(prefix string) (string, string, bool) {
}
func IsDisabled(cfg *setting.Cfg) bool {
return !cfg.IsFeatureToggleEnabled(featuremgmt.FlagAccesscontrol)
return !cfg.RBACEnabled
}

13
pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go
View File

@ -11,13 +11,14 @@ import (
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/accesscontrol/api"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/setting"
"github.com/prometheus/client_golang/prometheus"
)
func ProvideService(features featuremgmt.FeatureToggles,
func ProvideService(features featuremgmt.FeatureToggles, cfg *setting.Cfg,
provider accesscontrol.PermissionsProvider, routeRegister routing.RouteRegister) (*OSSAccessControlService, error) {
var errDeclareRoles error
s := ProvideOSSAccessControl(features, provider)
s := ProvideOSSAccessControl(features, cfg, provider)
if !s.IsDisabled() {
api := api.AccessControlAPI{
RouteRegister: routeRegister,
@ -31,9 +32,10 @@ func ProvideService(features featuremgmt.FeatureToggles,
return s, errDeclareRoles
}
func ProvideOSSAccessControl(features featuremgmt.FeatureToggles, provider accesscontrol.PermissionsProvider) *OSSAccessControlService {
func ProvideOSSAccessControl(features featuremgmt.FeatureToggles, cfg *setting.Cfg, provider accesscontrol.PermissionsProvider) *OSSAccessControlService {
s := &OSSAccessControlService{
features: features,
cfg: cfg,
provider: provider,
log: log.New("accesscontrol"),
scopeResolvers: accesscontrol.NewScopeResolvers(),
@ -47,6 +49,7 @@ func ProvideOSSAccessControl(features featuremgmt.FeatureToggles, provider acces
type OSSAccessControlService struct {
log log.Logger
features featuremgmt.FeatureToggles
cfg *setting.Cfg
scopeResolvers accesscontrol.ScopeResolvers
provider accesscontrol.PermissionsProvider
registrations accesscontrol.RegistrationList
@ -54,10 +57,10 @@ type OSSAccessControlService struct {
}
func (ac *OSSAccessControlService) IsDisabled() bool {
if ac.features == nil {
if ac.cfg == nil {
return true
}
return !ac.features.IsEnabled(featuremgmt.FlagAccesscontrol)
return !ac.cfg.RBACEnabled
}
func (ac *OSSAccessControlService) GetUsageStats(_ context.Context) map[string]interface{} {

13
pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol_test.go
View File

@ -14,13 +14,17 @@ import (
"github.com/grafana/grafana/pkg/services/accesscontrol/database"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/sqlstore"
"github.com/grafana/grafana/pkg/setting"
)
func setupTestEnv(t testing.TB) *OSSAccessControlService {
t.Helper()
cfg := setting.NewCfg()
cfg.RBACEnabled = true
ac := &OSSAccessControlService{
features: featuremgmt.WithFeatures(featuremgmt.FlagAccesscontrol),
cfg: cfg,
features: featuremgmt.WithFeatures(),
log: log.New("accesscontrol"),
registrations: accesscontrol.RegistrationList{},
scopeResolvers: accesscontrol.NewScopeResolvers(),
@ -133,8 +137,13 @@ func TestUsageMetrics(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
cfg := setting.NewCfg()
if tt.enabled {
cfg.RBACEnabled = true
}
s, errInitAc := ProvideService(
featuremgmt.WithFeatures("accesscontrol", tt.enabled),
featuremgmt.WithFeatures(),
cfg,
database.ProvideService(sqlstore.InitTestDB(t)),
routing.NewRouteRegister(),
)

149
pkg/services/dashboards/database/database_dashboard_test.go
View File

@ -16,6 +16,7 @@ import (
"github.com/grafana/grafana/pkg/components/simplejson"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/dashboards"
"github.com/grafana/grafana/pkg/services/sqlstore"
"github.com/grafana/grafana/pkg/services/sqlstore/searchstore"
"github.com/grafana/grafana/pkg/setting"
@ -278,9 +279,15 @@ func TestDashboardDataAccess(t *testing.T) {
t.Run("Should be able to search for dashboard folder", func(t *testing.T) {
setup()
query := models.FindPersistedDashboardsQuery{
Title: "1 test dash folder",
OrgId: 1,
SignedInUser: &models.SignedInUser{OrgId: 1, OrgRole: models.ROLE_EDITOR},
Title: "1 test dash folder",
OrgId: 1,
SignedInUser: &models.SignedInUser{
OrgId: 1,
OrgRole: models.ROLE_EDITOR,
Permissions: map[int64]map[string][]string{
1: {dashboards.ActionFoldersRead: []string{dashboards.ScopeFoldersAll}},
},
},
}
err := sqlStore.SearchDashboards(context.Background(), &query)
@ -296,9 +303,15 @@ func TestDashboardDataAccess(t *testing.T) {
t.Run("Should be able to limit search", func(t *testing.T) {
setup()
query := models.FindPersistedDashboardsQuery{
OrgId: 1,
Limit: 1,
SignedInUser: &models.SignedInUser{OrgId: 1, OrgRole: models.ROLE_EDITOR},
OrgId: 1,
Limit: 1,
SignedInUser: &models.SignedInUser{
OrgId: 1,
OrgRole: models.ROLE_EDITOR,
Permissions: map[int64]map[string][]string{
1: {dashboards.ActionFoldersRead: []string{dashboards.ScopeFoldersAll}},
},
},
}
err := sqlStore.SearchDashboards(context.Background(), &query)
@ -311,10 +324,19 @@ func TestDashboardDataAccess(t *testing.T) {
t.Run("Should be able to search beyond limit using paging", func(t *testing.T) {
setup()
query := models.FindPersistedDashboardsQuery{
OrgId: 1,
Limit: 1,
Page: 2,
SignedInUser: &models.SignedInUser{OrgId: 1, OrgRole: models.ROLE_EDITOR},
OrgId: 1,
Limit: 1,
Page: 2,
SignedInUser: &models.SignedInUser{
OrgId: 1,
OrgRole: models.ROLE_EDITOR,
Permissions: map[int64]map[string][]string{
1: {
dashboards.ActionDashboardsRead: []string{dashboards.ScopeDashboardsAll},
dashboards.ActionFoldersRead: []string{dashboards.ScopeFoldersAll},
},
},
},
}
err := sqlStore.SearchDashboards(context.Background(), &query)
@ -327,10 +349,16 @@ func TestDashboardDataAccess(t *testing.T) {
t.Run("Should be able to filter by tag and type", func(t *testing.T) {
setup()
query := models.FindPersistedDashboardsQuery{
OrgId: 1,
Type: "dash-db",
Tags: []string{"prod"},
SignedInUser: &models.SignedInUser{OrgId: 1, OrgRole: models.ROLE_EDITOR},
OrgId: 1,
Type: "dash-db",
Tags: []string{"prod"},
SignedInUser: &models.SignedInUser{
OrgId: 1,
OrgRole: models.ROLE_EDITOR,
Permissions: map[int64]map[string][]string{
1: {dashboards.ActionDashboardsRead: []string{dashboards.ScopeDashboardsAll}},
},
},
}
err := sqlStore.SearchDashboards(context.Background(), &query)
@ -343,9 +371,15 @@ func TestDashboardDataAccess(t *testing.T) {
t.Run("Should be able to search for a dashboard folder's children", func(t *testing.T) {
setup()
query := models.FindPersistedDashboardsQuery{
OrgId: 1,
FolderIds: []int64{savedFolder.Id},
SignedInUser: &models.SignedInUser{OrgId: 1, OrgRole: models.ROLE_EDITOR},
OrgId: 1,
FolderIds: []int64{savedFolder.Id},
SignedInUser: &models.SignedInUser{
OrgId: 1,
OrgRole: models.ROLE_EDITOR,
Permissions: map[int64]map[string][]string{
1: {dashboards.ActionDashboardsRead: []string{dashboards.ScopeDashboardsAll}},
},
},
}
err := sqlStore.SearchDashboards(context.Background(), &query)
@ -365,7 +399,13 @@ func TestDashboardDataAccess(t *testing.T) {
setup()
query := models.FindPersistedDashboardsQuery{
DashboardIds: []int64{savedDash.Id, savedDash2.Id},
SignedInUser: &models.SignedInUser{OrgId: 1, OrgRole: models.ROLE_EDITOR},
SignedInUser: &models.SignedInUser{
OrgId: 1,
OrgRole: models.ROLE_EDITOR,
Permissions: map[int64]map[string][]string{
1: {dashboards.ActionDashboardsRead: []string{dashboards.ScopeDashboardsAll}},
},
},
}
err := sqlStore.SearchDashboards(context.Background(), &query)
@ -396,8 +436,15 @@ func TestDashboardDataAccess(t *testing.T) {
require.NoError(t, err)
query := models.FindPersistedDashboardsQuery{
SignedInUser: &models.SignedInUser{UserId: 10, OrgId: 1, OrgRole: models.ROLE_EDITOR},
IsStarred: true,
SignedInUser: &models.SignedInUser{
UserId: 10,
OrgId: 1,
OrgRole: models.ROLE_EDITOR,
Permissions: map[int64]map[string][]string{
1: {dashboards.ActionDashboardsRead: []string{dashboards.ScopeDashboardsAll}},
},
},
IsStarred: true,
}
err = sqlStore.SearchDashboards(context.Background(), &query)
@ -435,27 +482,41 @@ func TestDashboard_SortingOptions(t *testing.T) {
assert.NotZero(t, dashA.Id)
assert.Less(t, dashB.Id, dashA.Id)
qNoSort := &models.FindPersistedDashboardsQuery{
SignedInUser: &models.SignedInUser{OrgId: 1, UserId: 1, OrgRole: models.ROLE_ADMIN},
SignedInUser: &models.SignedInUser{
OrgId: 1,
UserId: 1,
OrgRole: models.ROLE_ADMIN,
Permissions: map[int64]map[string][]string{
1: {dashboards.ActionDashboardsRead: []string{dashboards.ScopeDashboardsAll}},
},
},
}
dashboards, err := sqlStore.FindDashboards(context.Background(), qNoSort)
results, err := sqlStore.FindDashboards(context.Background(), qNoSort)
require.NoError(t, err)
require.Len(t, dashboards, 2)
assert.Equal(t, dashA.Id, dashboards[0].ID)
assert.Equal(t, dashB.Id, dashboards[1].ID)
require.Len(t, results, 2)
assert.Equal(t, dashA.Id, results[0].ID)
assert.Equal(t, dashB.Id, results[1].ID)
qSort := &models.FindPersistedDashboardsQuery{
SignedInUser: &models.SignedInUser{OrgId: 1, UserId: 1, OrgRole: models.ROLE_ADMIN},
SignedInUser: &models.SignedInUser{
OrgId: 1,
UserId: 1,
OrgRole: models.ROLE_ADMIN,
Permissions: map[int64]map[string][]string{
1: {dashboards.ActionDashboardsRead: []string{dashboards.ScopeDashboardsAll}},
},
},
Sort: models.SortOption{
Filter: []models.SortOptionFilter{
searchstore.TitleSorter{Descending: true},
},
},
}
dashboards, err = sqlStore.FindDashboards(context.Background(), qSort)
results, err = sqlStore.FindDashboards(context.Background(), qSort)
require.NoError(t, err)
require.Len(t, dashboards, 2)
assert.Equal(t, dashB.Id, dashboards[0].ID)
assert.Equal(t, dashA.Id, dashboards[1].ID)
require.Len(t, results, 2)
assert.Equal(t, dashB.Id, results[0].ID)
assert.Equal(t, dashA.Id, results[1].ID)
}
@ -465,14 +526,28 @@ func TestDashboard_Filter(t *testing.T) {
insertTestDashboard(t, dashboardStore, "Alfa", 1, 0, false)
dashB := insertTestDashboard(t, dashboardStore, "Beta", 1, 0, false)
qNoFilter := &models.FindPersistedDashboardsQuery{
SignedInUser: &models.SignedInUser{OrgId: 1, UserId: 1, OrgRole: models.ROLE_ADMIN},
SignedInUser: &models.SignedInUser{
OrgId: 1,
UserId: 1,
OrgRole: models.ROLE_ADMIN,
Permissions: map[int64]map[string][]string{
1: {dashboards.ActionDashboardsRead: []string{dashboards.ScopeDashboardsAll}},
},
},
}
dashboards, err := sqlStore.FindDashboards(context.Background(), qNoFilter)
results, err := sqlStore.FindDashboards(context.Background(), qNoFilter)
require.NoError(t, err)
require.Len(t, dashboards, 2)
require.Len(t, results, 2)
qFilter := &models.FindPersistedDashboardsQuery{
SignedInUser: &models.SignedInUser{OrgId: 1, UserId: 1, OrgRole: models.ROLE_ADMIN},
SignedInUser: &models.SignedInUser{
OrgId: 1,
UserId: 1,
OrgRole: models.ROLE_ADMIN,
Permissions: map[int64]map[string][]string{
1: {dashboards.ActionDashboardsRead: []string{dashboards.ScopeDashboardsAll}},
},
},
Filters: []interface{}{
searchstore.TitleFilter{
Dialect: sqlStore.Dialect,
@ -480,10 +555,10 @@ func TestDashboard_Filter(t *testing.T) {
},
},
}
dashboards, err = sqlStore.FindDashboards(context.Background(), qFilter)
results, err = sqlStore.FindDashboards(context.Background(), qFilter)
require.NoError(t, err)
require.Len(t, dashboards, 1)
assert.Equal(t, dashB.Id, dashboards[0].ID)
require.Len(t, results, 1)
assert.Equal(t, dashB.Id, results[0].ID)
}

1
pkg/services/dashboards/database/database_folder_test.go
View File

@ -23,6 +23,7 @@ func TestDashboardFolderDataAccess(t *testing.T) {
setup := func() {
sqlStore = sqlstore.InitTestDB(t)
sqlStore.Cfg.RBACEnabled = false
dashboardStore = ProvideDashboardStore(sqlStore)
folder = insertTestDashboard(t, dashboardStore, "1 test dash folder", 1, 0, true, "prod", "webapp")
dashInRoot = insertTestDashboard(t, dashboardStore, "test dash 67", 1, 0, false, "prod", "webapp")

5
pkg/services/featuremgmt/registry.go
View File

@ -94,11 +94,6 @@ var (
State: FeatureStateAlpha,
FrontendOnly: true,
},
{
Name: "accesscontrol",
Description: "Support robust access control",
State: FeatureStateBeta,
},
{
Name: "accesscontrol-builtins",
Description: "Simplify access control builtin roles",

4
pkg/services/featuremgmt/toggles_gen.go
View File

@ -71,10 +71,6 @@ const (
// Loki datasource works as backend datasource
FlagLokiBackendMode = "lokiBackendMode"
// FlagAccesscontrol
// Support robust access control
FlagAccesscontrol = "accesscontrol"
// FlagAccesscontrolBuiltins
// Simplify access control builtin roles
FlagAccesscontrolBuiltins = "accesscontrol-builtins"

146
pkg/services/sqlstore/annotation_test.go
View File

@ -17,7 +17,6 @@ import (
"github.com/grafana/grafana/pkg/services/annotations"
"github.com/grafana/grafana/pkg/services/dashboards"
dashboardstore "github.com/grafana/grafana/pkg/services/dashboards/database"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/sqlstore"
)
@ -25,6 +24,16 @@ func TestAnnotations(t *testing.T) {
sql := sqlstore.InitTestDB(t)
repo := sqlstore.NewSQLAnnotationRepo(sql)
testUser := &models.SignedInUser{
OrgId: 1,
Permissions: map[int64]map[string][]string{
1: {
accesscontrol.ActionAnnotationsRead: []string{accesscontrol.ScopeAnnotationsAll},
dashboards.ActionDashboardsRead: []string{dashboards.ScopeDashboardsAll},
},
},
}
t.Run("Testing annotation create, read, update and delete", func(t *testing.T) {
t.Cleanup(func() {
err := sql.WithDbSession(context.Background(), func(dbSession *sqlstore.DBSession) error {
@ -38,16 +47,38 @@ func TestAnnotations(t *testing.T) {
assert.NoError(t, err)
})
dashboardStore := dashboardstore.ProvideDashboardStore(sql)
testDashboard1 := models.SaveDashboardCommand{
UserId: 1,
OrgId: 1,
Dashboard: simplejson.NewFromAny(map[string]interface{}{
"title": "Dashboard 1",
}),
}
dashboard, err := dashboardStore.SaveDashboard(testDashboard1)
require.NoError(t, err)
testDashboard2 := models.SaveDashboardCommand{
UserId: 1,
OrgId: 1,
Dashboard: simplejson.NewFromAny(map[string]interface{}{
"title": "Dashboard 2",
}),
}
dashboard2, err := dashboardStore.SaveDashboard(testDashboard2)
require.NoError(t, err)
annotation := &annotations.Item{
OrgId: 1,
UserId: 1,
DashboardId: 1,
DashboardId: dashboard.Id,
Text: "hello",
Type: "alert",
Epoch: 10,
Tags: []string{"outage", "error", "type:outage", "server:server-1"},
}
err := repo.Save(annotation)
err = repo.Save(annotation)
require.NoError(t, err)
assert.Greater(t, annotation.Id, int64(0))
assert.Equal(t, annotation.Epoch, annotation.EpochEnd)
@ -55,7 +86,7 @@ func TestAnnotations(t *testing.T) {
annotation2 := &annotations.Item{
OrgId: 1,
UserId: 1,
DashboardId: 2,
DashboardId: dashboard2.Id,
Text: "hello",
Type: "alert",
Epoch: 21, // Should swap epoch & epochEnd
@ -93,10 +124,11 @@ func TestAnnotations(t *testing.T) {
assert.Greater(t, globalAnnotation2.Id, int64(0))
t.Run("Can query for annotation by dashboard id", func(t *testing.T) {
items, err := repo.Find(context.Background(), &annotations.ItemQuery{
OrgId: 1,
DashboardId: 1,
From: 0,
To: 15,
OrgId: 1,
DashboardId: dashboard.Id,
From: 0,
To: 15,
SignedInUser: testUser,
})
require.NoError(t, err)
@ -113,6 +145,7 @@ func TestAnnotations(t *testing.T) {
items, err := repo.Find(context.Background(), &annotations.ItemQuery{
OrgId: 1,
AnnotationId: annotation2.Id,
SignedInUser: testUser,
})
require.NoError(t, err)
assert.Len(t, items, 1)
@ -121,10 +154,11 @@ func TestAnnotations(t *testing.T) {
t.Run("Should not find any when item is outside time range", func(t *testing.T) {
items, err := repo.Find(context.Background(), &annotations.ItemQuery{
OrgId: 1,
DashboardId: 1,
From: 12,
To: 15,
OrgId: 1,
DashboardId: 1,
From: 12,
To: 15,
SignedInUser: testUser,
})
require.NoError(t, err)
assert.Empty(t, items)
@ -132,11 +166,12 @@ func TestAnnotations(t *testing.T) {
t.Run("Should not find one when tag filter does not match", func(t *testing.T) {
items, err := repo.Find(context.Background(), &annotations.ItemQuery{
OrgId: 1,
DashboardId: 1,
From: 1,
To: 15,
Tags: []string{"asd"},
OrgId: 1,
DashboardId: 1,
From: 1,
To: 15,
Tags: []string{"asd"},
SignedInUser: testUser,
})
require.NoError(t, err)
assert.Empty(t, items)
@ -144,11 +179,12 @@ func TestAnnotations(t *testing.T) {
t.Run("Should not find one when type filter does not match", func(t *testing.T) {
items, err := repo.Find(context.Background(), &annotations.ItemQuery{
OrgId: 1,
DashboardId: 1,
From: 1,
To: 15,
Type: "alert",
OrgId: 1,
DashboardId: 1,
From: 1,
To: 15,
Type: "alert",
SignedInUser: testUser,
})
require.NoError(t, err)
assert.Empty(t, items)
@ -156,11 +192,12 @@ func TestAnnotations(t *testing.T) {
t.Run("Should find one when all tag filters does match", func(t *testing.T) {
items, err := repo.Find(context.Background(), &annotations.ItemQuery{
OrgId: 1,
DashboardId: 1,
From: 1,
To: 15, // this will exclude the second test annotation
Tags: []string{"outage", "error"},
OrgId: 1,
DashboardId: 1,
From: 1,
To: 15, // this will exclude the second test annotation
Tags: []string{"outage", "error"},
SignedInUser: testUser,
})
require.NoError(t, err)
assert.Len(t, items, 1)
@ -168,11 +205,12 @@ func TestAnnotations(t *testing.T) {
t.Run("Should find two annotations using partial match", func(t *testing.T) {
items, err := repo.Find(context.Background(), &annotations.ItemQuery{
OrgId: 1,
From: 1,
To: 25,
MatchAny: true,
Tags: []string{"rollback", "deploy"},
OrgId: 1,
From: 1,
To: 25,
MatchAny: true,
Tags: []string{"rollback", "deploy"},
SignedInUser: testUser,
})
require.NoError(t, err)
assert.Len(t, items, 2)
@ -180,11 +218,12 @@ func TestAnnotations(t *testing.T) {
t.Run("Should find one when all key value tag filters does match", func(t *testing.T) {
items, err := repo.Find(context.Background(), &annotations.ItemQuery{
OrgId: 1,
DashboardId: 1,
From: 1,
To: 15,
Tags: []string{"type:outage", "server:server-1"},
OrgId: 1,
DashboardId: 1,
From: 1,
To: 15,
Tags: []string{"type:outage", "server:server-1"},
SignedInUser: testUser,
})
require.NoError(t, err)
assert.Len(t, items, 1)
@ -192,10 +231,11 @@ func TestAnnotations(t *testing.T) {
t.Run("Can update annotation and remove all tags", func(t *testing.T) {
query := &annotations.ItemQuery{
OrgId: 1,
DashboardId: 1,
From: 0,
To: 15,
OrgId: 1,
DashboardId: 1,
From: 0,
To: 15,
SignedInUser: testUser,
}
items, err := repo.Find(context.Background(), query)
require.NoError(t, err)
@ -219,10 +259,11 @@ func TestAnnotations(t *testing.T) {
t.Run("Can update annotation with new tags", func(t *testing.T) {
query := &annotations.ItemQuery{
OrgId: 1,
DashboardId: 1,
From: 0,
To: 15,
OrgId: 1,
DashboardId: 1,
From: 0,
To: 15,
SignedInUser: testUser,
}
items, err := repo.Find(context.Background(), query)
require.NoError(t, err)
@ -247,10 +288,11 @@ func TestAnnotations(t *testing.T) {
t.Run("Can delete annotation", func(t *testing.T) {
query := &annotations.ItemQuery{
OrgId: 1,
DashboardId: 1,
From: 0,
To: 15,
OrgId: 1,
DashboardId: 1,
From: 0,
To: 15,
SignedInUser: testUser,
}
items, err := repo.Find(context.Background(), query)
require.NoError(t, err)
@ -268,11 +310,12 @@ func TestAnnotations(t *testing.T) {
annotation3 := &annotations.Item{
OrgId: 1,
UserId: 1,
DashboardId: 3,
DashboardId: dashboard2.Id,
Text: "toBeDeletedWithPanelId",
Type: "alert",
Epoch: 11,
Tags: []string{"test"},
PanelId: 20,
}
err = repo.Save(annotation3)
require.NoError(t, err)
@ -280,6 +323,7 @@ func TestAnnotations(t *testing.T) {
query := &annotations.ItemQuery{
OrgId: 1,
AnnotationId: annotation3.Id,
SignedInUser: testUser,
}
items, err := repo.Find(context.Background(), query)
require.NoError(t, err)
@ -339,7 +383,7 @@ func TestAnnotations(t *testing.T) {
}
func TestAnnotationListingWithRBAC(t *testing.T) {
sql := sqlstore.InitTestDB(t, sqlstore.InitTestDBOpt{FeatureFlags: []string{featuremgmt.FlagAccesscontrol}})
sql := sqlstore.InitTestDB(t, sqlstore.InitTestDBOpt{})
repo := sqlstore.NewSQLAnnotationRepo(sql)
dashboardStore := dashboardstore.ProvideDashboardStore(sql)

16
pkg/services/sqlstore/apikey_test.go
View File

@ -9,11 +9,11 @@ import (
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/stretchr/testify/assert"
"github.com/grafana/grafana/pkg/services/accesscontrol"
)
func TestApiKeyDataAccess(t *testing.T) {
@ -99,7 +99,13 @@ func TestApiKeyDataAccess(t *testing.T) {
// advance mocked getTime by 1s
timeNow()
query := models.GetApiKeysQuery{OrgId: 1, IncludeExpired: false}
testUser := &models.SignedInUser{
OrgId: 1,
Permissions: map[int64]map[string][]string{
1: {accesscontrol.ActionAPIKeyRead: []string{accesscontrol.ScopeAPIKeysAll}},
},
}
query := models.GetApiKeysQuery{OrgId: 1, IncludeExpired: false, User: testUser}
err = ss.GetAPIKeys(context.Background(), &query)
assert.Nil(t, err)
@ -109,7 +115,7 @@ func TestApiKeyDataAccess(t *testing.T) {
}
}
query = models.GetApiKeysQuery{OrgId: 1, IncludeExpired: true}
query = models.GetApiKeysQuery{OrgId: 1, IncludeExpired: true, User: testUser}
err = ss.GetAPIKeys(context.Background(), &query)
assert.Nil(t, err)
@ -187,7 +193,7 @@ func TestSQLStore_GetAPIKeys(t *testing.T) {
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
store := InitTestDB(t, InitTestDBOpt{FeatureFlags: []string{featuremgmt.FlagAccesscontrol}})
store := InitTestDB(t, InitTestDBOpt{})
seedApiKeys(t, store, 10)
query := &models.GetApiKeysQuery{OrgId: 1, User: tt.user}

2
pkg/services/sqlstore/migrations/migrations.go
View File

@ -77,7 +77,7 @@ func (*OSSMigrations) AddMigration(mg *Migrator) {
addQueryHistoryMigrations(mg)
if mg.Cfg != nil && mg.Cfg.IsFeatureToggleEnabled != nil {
if mg.Cfg.IsFeatureToggleEnabled(featuremgmt.FlagAccesscontrol) {
if mg.Cfg.RBACEnabled {
accesscontrol.AddTeamMembershipMigrations(mg)
accesscontrol.AddDashboardPermissionsMigrator(mg)
}

16
pkg/services/sqlstore/org_test.go
View File

@ -11,6 +11,7 @@ import (
"github.com/grafana/grafana/pkg/components/simplejson"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/util"
"github.com/stretchr/testify/require"
@ -19,6 +20,11 @@ import (
func TestAccountDataAccess(t *testing.T) {
t.Run("Testing Account DB Access", func(t *testing.T) {
sqlStore := InitTestDB(t)
testUser := &models.SignedInUser{
Permissions: map[int64]map[string][]string{
1: {accesscontrol.ActionOrgUsersRead: []string{accesscontrol.ScopeUsersAll}},
},
}
t.Run("Given we have organizations, we can query them by IDs", func(t *testing.T) {
var err error
@ -109,6 +115,7 @@ func TestAccountDataAccess(t *testing.T) {
ac2cmd := models.CreateUserCommand{Login: "ac2", Email: "ac2@test.com", Name: "ac2 name"}
ac1, err := sqlStore.CreateUser(context.Background(), ac1cmd)
testUser.OrgId = ac1.OrgId
require.NoError(t, err)
_, err = sqlStore.CreateUser(context.Background(), ac2cmd)
require.NoError(t, err)
@ -117,6 +124,7 @@ func TestAccountDataAccess(t *testing.T) {
query := models.SearchOrgUsersQuery{
OrgID: ac1.OrgId,
Page: 1,
User: testUser,
}
err = sqlStore.SearchOrgUsers(context.Background(), &query)
@ -129,6 +137,7 @@ func TestAccountDataAccess(t *testing.T) {
OrgID: ac1.OrgId,
Limit: 1,
Page: 1,
User: testUser,
}
err = sqlStore.SearchOrgUsers(context.Background(), &query)
@ -163,7 +172,12 @@ func TestAccountDataAccess(t *testing.T) {
})
t.Run("Can search users", func(t *testing.T) {
query := models.SearchUsersQuery{Query: ""}
query := models.SearchUsersQuery{Query: "", SignedInUser: &models.SignedInUser{
OrgId: 1,
Permissions: map[int64]map[string][]string{
1: {accesscontrol.ActionUsersRead: {accesscontrol.ScopeGlobalUsersAll}},
},
}}
err := sqlStore.SearchUsers(context.Background(), &query)
require.NoError(t, err)

5
pkg/services/sqlstore/org_users_test.go
View File

@ -11,7 +11,6 @@ import (
"github.com/grafana/grafana/pkg/models"
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/featuremgmt"
)
type getOrgUsersTestCase struct {
@ -61,7 +60,7 @@ func TestSQLStore_GetOrgUsers(t *testing.T) {
},
}
store := InitTestDB(t, InitTestDBOpt{FeatureFlags: []string{featuremgmt.FlagAccesscontrol}})
store := InitTestDB(t, InitTestDBOpt{})
store.Cfg.IsEnterprise = true
defer func() {
store.Cfg.IsEnterprise = false
@ -130,7 +129,7 @@ func TestSQLStore_SearchOrgUsers(t *testing.T) {
},
}
store := InitTestDB(t, InitTestDBOpt{FeatureFlags: []string{featuremgmt.FlagAccesscontrol}})
store := InitTestDB(t, InitTestDBOpt{})
seedOrgUsers(t, store, 10)
for _, tt := range tests {

1
pkg/services/sqlstore/sqlstore.go
View File

@ -487,6 +487,7 @@ func initTestDB(migration registry.DatabaseMigrator, opts ...InitTestDBOpt) (*SQ
// set test db config
cfg := setting.NewCfg()
cfg.RBACEnabled = true
cfg.IsFeatureToggleEnabled = func(key string) bool {
for _, enabledFeature := range features {
if enabledFeature == key {

51
pkg/services/sqlstore/team_test.go
View File

@ -13,12 +13,20 @@ import (
"github.com/grafana/grafana/pkg/models"
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/featuremgmt"
)
func TestTeamCommandsAndQueries(t *testing.T) {
t.Run("Testing Team commands & queries", func(t *testing.T) {
sqlStore := InitTestDB(t)
testUser := &models.SignedInUser{
OrgId: 1,
Permissions: map[int64]map[string][]string{
1: {
ac.ActionTeamsRead: []string{ac.ScopeTeamsAll},
ac.ActionOrgUsersRead: []string{ac.ScopeUsersAll},
},
},
}
t.Run("Given saved users and two teams", func(t *testing.T) {
var userIds []int64
@ -47,7 +55,7 @@ func TestTeamCommandsAndQueries(t *testing.T) {
setup()
t.Run("Should be able to create teams and add users", func(t *testing.T) {
query := &models.SearchTeamsQuery{OrgId: testOrgID, Name: "group1 name", Page: 1, Limit: 10}
query := &models.SearchTeamsQuery{OrgId: testOrgID, Name: "group1 name", Page: 1, Limit: 10, SignedInUser: testUser}
err = sqlStore.SearchTeams(context.Background(), query)
require.NoError(t, err)
require.Equal(t, query.Page, 1)
@ -63,7 +71,7 @@ func TestTeamCommandsAndQueries(t *testing.T) {
err = sqlStore.AddTeamMember(userIds[1], testOrgID, team1.Id, true, 0)
require.NoError(t, err)
q1 := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team1.Id}
q1 := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team1.Id, SignedInUser: testUser}
err = sqlStore.GetTeamMembers(context.Background(), q1)
require.NoError(t, err)
require.Equal(t, len(q1.Result), 2)
@ -75,7 +83,7 @@ func TestTeamCommandsAndQueries(t *testing.T) {
require.Equal(t, q1.Result[1].OrgId, testOrgID)
require.Equal(t, q1.Result[1].External, true)
q2 := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team1.Id, External: true}
q2 := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team1.Id, External: true, SignedInUser: testUser}
err = sqlStore.GetTeamMembers(context.Background(), q2)
require.NoError(t, err)
require.Equal(t, len(q2.Result), 1)
@ -89,7 +97,7 @@ func TestTeamCommandsAndQueries(t *testing.T) {
team1 = query.Result.Teams[0]
require.EqualValues(t, team1.MemberCount, 2)
getTeamQuery := &models.GetTeamByIdQuery{OrgId: testOrgID, Id: team1.Id}
getTeamQuery := &models.GetTeamByIdQuery{OrgId: testOrgID, Id: team1.Id, SignedInUser: testUser}
err = sqlStore.GetTeamById(context.Background(), getTeamQuery)
require.NoError(t, err)
team1 = getTeamQuery.Result
@ -104,7 +112,7 @@ func TestTeamCommandsAndQueries(t *testing.T) {
setup()
userId := userIds[1]
teamQuery := &models.SearchTeamsQuery{OrgId: testOrgID, Name: "group1 name", Page: 1, Limit: 10}
teamQuery := &models.SearchTeamsQuery{OrgId: testOrgID, Name: "group1 name", Page: 1, Limit: 10, SignedInUser: testUser}
err = sqlStore.SearchTeams(context.Background(), teamQuery)
require.NoError(t, err)
require.Equal(t, teamQuery.Page, 1)
@ -114,7 +122,7 @@ func TestTeamCommandsAndQueries(t *testing.T) {
err = sqlStore.AddTeamMember(userId, testOrgID, team1.Id, true, 0)
require.NoError(t, err)
memberQuery := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team1.Id, External: true}
memberQuery := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team1.Id, External: true, SignedInUser: testUser}
err = sqlStore.GetTeamMembers(context.Background(), memberQuery)
require.NoError(t, err)
require.Equal(t, len(memberQuery.Result), 1)
@ -130,7 +138,7 @@ func TestTeamCommandsAndQueries(t *testing.T) {
err = sqlStore.AddTeamMember(userId, testOrgID, team.Id, false, 0)
require.NoError(t, err)
qBeforeUpdate := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team.Id}
qBeforeUpdate := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team.Id, SignedInUser: testUser}
err = sqlStore.GetTeamMembers(context.Background(), qBeforeUpdate)
require.NoError(t, err)
require.EqualValues(t, qBeforeUpdate.Result[0].Permission, 0)
@ -144,7 +152,7 @@ func TestTeamCommandsAndQueries(t *testing.T) {
require.NoError(t, err)
qAfterUpdate := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team.Id}
qAfterUpdate := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team.Id, SignedInUser: testUser}
err = sqlStore.GetTeamMembers(context.Background(), qAfterUpdate)
require.NoError(t, err)
require.Equal(t, qAfterUpdate.Result[0].Permission, models.PERMISSION_ADMIN)
@ -158,7 +166,7 @@ func TestTeamCommandsAndQueries(t *testing.T) {
err = sqlStore.AddTeamMember(userID, testOrgID, team.Id, false, 0)
require.NoError(t, err)
qBeforeUpdate := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team.Id}
qBeforeUpdate := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team.Id, SignedInUser: testUser}
err = sqlStore.GetTeamMembers(context.Background(), qBeforeUpdate)
require.NoError(t, err)
require.EqualValues(t, qBeforeUpdate.Result[0].Permission, 0)
@ -173,7 +181,7 @@ func TestTeamCommandsAndQueries(t *testing.T) {
require.NoError(t, err)
qAfterUpdate := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team.Id}
qAfterUpdate := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team.Id, SignedInUser: testUser}
err = sqlStore.GetTeamMembers(context.Background(), qAfterUpdate)
require.NoError(t, err)
require.EqualValues(t, qAfterUpdate.Result[0].Permission, 0)
@ -193,13 +201,13 @@ func TestTeamCommandsAndQueries(t *testing.T) {
})
t.Run("Should be able to search for teams", func(t *testing.T) {
query := &models.SearchTeamsQuery{OrgId: testOrgID, Query: "group", Page: 1}
query := &models.SearchTeamsQuery{OrgId: testOrgID, Query: "group", Page: 1, SignedInUser: testUser}
err = sqlStore.SearchTeams(context.Background(), query)
require.NoError(t, err)
require.Equal(t, len(query.Result.Teams), 2)
require.EqualValues(t, query.Result.TotalCount, 2)
query2 := &models.SearchTeamsQuery{OrgId: testOrgID, Query: ""}
query2 := &models.SearchTeamsQuery{OrgId: testOrgID, Query: "", SignedInUser: testUser}
err = sqlStore.SearchTeams(context.Background(), query2)
require.NoError(t, err)
require.Equal(t, len(query2.Result.Teams), 2)
@ -227,7 +235,7 @@ func TestTeamCommandsAndQueries(t *testing.T) {
err = sqlStore.RemoveTeamMember(context.Background(), &models.RemoveTeamMemberCommand{OrgId: testOrgID, TeamId: team1.Id, UserId: userIds[0]})
require.NoError(t, err)
q2 := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team1.Id}
q2 := &models.GetTeamMembersQuery{OrgId: testOrgID, TeamId: team1.Id, SignedInUser: testUser}
err = sqlStore.GetTeamMembers(context.Background(), q2)
require.NoError(t, err)
require.Equal(t, len(q2.Result), 0)
@ -315,7 +323,16 @@ func TestTeamCommandsAndQueries(t *testing.T) {
t.Run("Should not return hidden users in team member count", func(t *testing.T) {
sqlStore = InitTestDB(t)
setup()
signedInUser := &models.SignedInUser{Login: "loginuser0"}
signedInUser := &models.SignedInUser{
Login: "loginuser0",
OrgId: testOrgID,
Permissions: map[int64]map[string][]string{
testOrgID: {
ac.ActionTeamsRead: []string{ac.ScopeTeamsAll},
ac.ActionOrgUsersRead: []string{ac.ScopeUsersAll},
},
},
}
hiddenUsers := map[string]struct{}{"loginuser0": {}, "loginuser1": {}}
teamId := team1.Id
@ -396,7 +413,7 @@ func TestSQLStore_SearchTeams(t *testing.T) {
},
}
store := InitTestDB(t, InitTestDBOpt{FeatureFlags: []string{featuremgmt.FlagAccesscontrol}})
store := InitTestDB(t, InitTestDBOpt{})
// Seed 10 teams
for i := 1; i <= 10; i++ {
@ -455,7 +472,7 @@ func TestSQLStore_GetTeamMembers_ACFilter(t *testing.T) {
require.NoError(t, errAddMember)
}
store := InitTestDB(t, InitTestDBOpt{FeatureFlags: []string{featuremgmt.FlagAccesscontrol}})
store := InitTestDB(t, InitTestDBOpt{})
setup(store)
type getTeamMembersTestCase struct {

33
pkg/services/sqlstore/user_test.go
View File

@ -9,7 +9,6 @@ import (
"testing"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/setting"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
@ -18,6 +17,10 @@ import (
func TestUserDataAccess(t *testing.T) {
ss := InitTestDB(t)
user := &models.SignedInUser{
OrgId: 1,
Permissions: map[int64]map[string][]string{1: {"users:read": {"global.users:*"}}},
}
t.Run("Testing DB - creates and loads user", func(t *testing.T) {
cmd := models.CreateUserCommand{
@ -131,7 +134,7 @@ func TestUserDataAccess(t *testing.T) {
})
// Return the first page of users and a total count
query := models.SearchUsersQuery{Query: "", Page: 1, Limit: 3}
query := models.SearchUsersQuery{Query: "", Page: 1, Limit: 3, SignedInUser: user}
err := ss.SearchUsers(context.Background(), &query)
require.Nil(t, err)
@ -139,7 +142,7 @@ func TestUserDataAccess(t *testing.T) {
require.EqualValues(t, query.Result.TotalCount, 5)
// Return the second page of users and a total count
query = models.SearchUsersQuery{Query: "", Page: 2, Limit: 3}
query = models.SearchUsersQuery{Query: "", Page: 2, Limit: 3, SignedInUser: user}
err = ss.SearchUsers(context.Background(), &query)
require.Nil(t, err)
@ -147,28 +150,28 @@ func TestUserDataAccess(t *testing.T) {
require.EqualValues(t, query.Result.TotalCount, 5)
// Return list of users matching query on user name
query = models.SearchUsersQuery{Query: "use", Page: 1, Limit: 3}
query = models.SearchUsersQuery{Query: "use", Page: 1, Limit: 3, SignedInUser: user}
err = ss.SearchUsers(context.Background(), &query)
require.Nil(t, err)
require.Len(t, query.Result.Users, 3)
require.EqualValues(t, query.Result.TotalCount, 5)
query = models.SearchUsersQuery{Query: "ser1", Page: 1, Limit: 3}
query = models.SearchUsersQuery{Query: "ser1", Page: 1, Limit: 3, SignedInUser: user}
err = ss.SearchUsers(context.Background(), &query)
require.Nil(t, err)
require.Len(t, query.Result.Users, 1)
require.EqualValues(t, query.Result.TotalCount, 1)
query = models.SearchUsersQuery{Query: "USER1", Page: 1, Limit: 3}
query = models.SearchUsersQuery{Query: "USER1", Page: 1, Limit: 3, SignedInUser: user}
err = ss.SearchUsers(context.Background(), &query)
require.Nil(t, err)
require.Len(t, query.Result.Users, 1)
require.EqualValues(t, query.Result.TotalCount, 1)
query = models.SearchUsersQuery{Query: "idontexist", Page: 1, Limit: 3}
query = models.SearchUsersQuery{Query: "idontexist", Page: 1, Limit: 3, SignedInUser: user}
err = ss.SearchUsers(context.Background(), &query)
require.Nil(t, err)
@ -176,7 +179,7 @@ func TestUserDataAccess(t *testing.T) {
require.EqualValues(t, query.Result.TotalCount, 0)
// Return list of users matching query on email
query = models.SearchUsersQuery{Query: "ser1@test.com", Page: 1, Limit: 3}
query = models.SearchUsersQuery{Query: "ser1@test.com", Page: 1, Limit: 3, SignedInUser: user}
err = ss.SearchUsers(context.Background(), &query)
require.Nil(t, err)
@ -184,7 +187,7 @@ func TestUserDataAccess(t *testing.T) {
require.EqualValues(t, query.Result.TotalCount, 1)
// Return list of users matching query on login name
query = models.SearchUsersQuery{Query: "loginuser1", Page: 1, Limit: 3}
query = models.SearchUsersQuery{Query: "loginuser1", Page: 1, Limit: 3, SignedInUser: user}
err = ss.SearchUsers(context.Background(), &query)
require.Nil(t, err)
@ -204,7 +207,7 @@ func TestUserDataAccess(t *testing.T) {
})
isDisabled := false
query := models.SearchUsersQuery{IsDisabled: &isDisabled}
query := models.SearchUsersQuery{IsDisabled: &isDisabled, SignedInUser: user}
err := ss.SearchUsers(context.Background(), &query)
require.Nil(t, err)
@ -251,7 +254,7 @@ func TestUserDataAccess(t *testing.T) {
err = ss.DeleteUser(context.Background(), &models.DeleteUserCommand{UserId: users[1].Id})
require.Nil(t, err)
query1 := &models.GetOrgUsersQuery{OrgId: users[0].OrgId}
query1 := &models.GetOrgUsersQuery{OrgId: users[0].OrgId, User: user}
err = ss.GetOrgUsersForTest(context.Background(), query1)
require.Nil(t, err)
@ -314,7 +317,7 @@ func TestUserDataAccess(t *testing.T) {
require.Nil(t, err)
isDisabled = true
query5 := &models.SearchUsersQuery{IsDisabled: &isDisabled}
query5 := &models.SearchUsersQuery{IsDisabled: &isDisabled, SignedInUser: user}
err = ss.SearchUsers(context.Background(), query5)
require.Nil(t, err)
@ -339,7 +342,7 @@ func TestUserDataAccess(t *testing.T) {
})
t.Run("Testing DB - return list of users that the SignedInUser has permission to read", func(t *testing.T) {
ss := InitTestDB(t, InitTestDBOpt{FeatureFlags: []string{featuremgmt.FlagAccesscontrol}})
ss := InitTestDB(t)
createFiveTestUsers(t, ss, func(i int) *models.CreateUserCommand {
return &models.CreateUserCommand{
Email: fmt.Sprint("user", i, "@test.com"),
@ -380,7 +383,7 @@ func TestUserDataAccess(t *testing.T) {
require.Nil(t, err)
isDisabled := false
query := &models.SearchUsersQuery{IsDisabled: &isDisabled}
query := &models.SearchUsersQuery{IsDisabled: &isDisabled, SignedInUser: user}
err = ss.SearchUsers(context.Background(), query)
require.Nil(t, err)
@ -411,7 +414,7 @@ func TestUserDataAccess(t *testing.T) {
err := ss.BatchDisableUsers(context.Background(), &disableCmd)
require.Nil(t, err)
query := models.SearchUsersQuery{}
query := models.SearchUsersQuery{SignedInUser: user}
err = ss.SearchUsers(context.Background(), &query)
require.Nil(t, err)

9
pkg/setting/setting.go
View File

@ -443,6 +443,9 @@ type Cfg struct {
QueryHistoryEnabled bool
DashboardPreviews DashboardPreviewsSettings
// Access Control
RBACEnabled bool
}
type CommandLineArgs struct {
@ -925,6 +928,7 @@ func (cfg *Cfg) Load(args CommandLineArgs) error {
if err := readAuthSettings(iniFile, cfg); err != nil {
return err
}
readAccessControlSettings(iniFile, cfg)
if err := cfg.readRenderingSettings(iniFile); err != nil {
return err
}
@ -1351,6 +1355,11 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
return nil
}
func readAccessControlSettings(iniFile *ini.File, cfg *Cfg) {
rbac := iniFile.Section("rbac")
cfg.RBACEnabled = rbac.Key("enabled").MustBool(true)
}
func readUserSettings(iniFile *ini.File, cfg *Cfg) error {
users := iniFile.Section("users")
AllowUserSignUp = users.Key("allow_sign_up").MustBool(true)

4
pkg/tests/api/alerting/api_admin_configuration_test.go
View File

@ -152,8 +152,8 @@ func TestAdminConfiguration_SendingToExternalAlertmanagers(t *testing.T) {
// Now, let's set an alert that should fire as quickly as possible.
{
// create the namespace we'll save our alerts to
_, err := createFolder(t, s, 0, "default")
// Create the namespace we'll save our alerts to
err := createFolder(t, "default", grafanaListedAddr, "grafana", "password")
require.NoError(t, err)
interval, err := model.ParseDuration("10s")
require.NoError(t, err)

152
pkg/tests/api/alerting/api_alertmanager_test.go
View File

@ -16,10 +16,8 @@ import (
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/grafana/grafana/pkg/components/simplejson"
"github.com/grafana/grafana/pkg/infra/tracing"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/dashboards/database"
apimodels "github.com/grafana/grafana/pkg/services/ngalert/api/tooling/definitions"
ngmodels "github.com/grafana/grafana/pkg/services/ngalert/models"
ngstore "github.com/grafana/grafana/pkg/services/ngalert/store"
@ -97,13 +95,13 @@ func TestAMConfigAccess(t *testing.T) {
desc: "un-authenticated request should fail",
url: "http://%s/api/alertmanager/grafana/config/api/v1/alerts",
expStatus: http.StatusUnauthorized,
expBody: `{"message": "Unauthorized"}`,
expBody: `{"message":"Unauthorized"}`,
},
{
desc: "viewer request should fail",
url: "http://viewer:viewer@%s/api/alertmanager/grafana/config/api/v1/alerts",
expStatus: http.StatusForbidden,
expBody: `{"message": "Permission denied"}`,
expBody: `"title":"Access denied"`,
},
{
desc: "editor request should succeed",
@ -132,7 +130,7 @@ func TestAMConfigAccess(t *testing.T) {
require.Equal(t, tc.expStatus, resp.StatusCode)
b, err := ioutil.ReadAll(resp.Body)
require.NoError(t, err)
require.JSONEq(t, tc.expBody, string(b))
require.Contains(t, string(b), tc.expBody)
})
}
})
@ -170,10 +168,10 @@ func TestAMConfigAccess(t *testing.T) {
expBody: `{"message": "Unauthorized"}`,
},
{
desc: "viewer request should fail",
desc: "viewer request should succeed",
url: "http://viewer:viewer@%s/api/alertmanager/grafana/config/api/v1/alerts",
expStatus: http.StatusForbidden,
expBody: `{"message": "Permission denied"}`,
expStatus: http.StatusOK,
expBody: cfgBody,
},
{
desc: "editor request should succeed",
@ -230,25 +228,25 @@ func TestAMConfigAccess(t *testing.T) {
desc: "un-authenticated request should fail",
url: "http://%s/api/alertmanager/grafana/config/api/v2/silences",
expStatus: http.StatusUnauthorized,
expBody: `{"message": "Unauthorized"}`,
expBody: `{"message":"Unauthorized"}`,
},
{
desc: "viewer request should fail",
url: "http://viewer:viewer@%s/api/alertmanager/grafana/api/v2/silences",
expStatus: http.StatusForbidden,
expBody: `{"message": "Permission denied"}`,
expBody: `"title":"Access denied"`,
},
{
desc: "editor request should succeed",
url: "http://editor:editor@%s/api/alertmanager/grafana/api/v2/silences",
expStatus: http.StatusAccepted,
expBody: `{"id": "0", "message":"silence created"}`,
expBody: `{"id":"0","message":"silence created"}`,
},
{
desc: "admin request should succeed",
url: "http://admin:admin@%s/api/alertmanager/grafana/api/v2/silences",
expStatus: http.StatusAccepted,
expBody: `{"id": "0", "message":"silence created"}`,
expBody: `{"id":"0","message":"silence created"}`,
},
}
@ -269,7 +267,7 @@ func TestAMConfigAccess(t *testing.T) {
re := regexp.MustCompile(`"id":"([\w|-]+)"`)
b = re.ReplaceAll(b, []byte(`"id":"0"`))
}
require.JSONEq(t, tc.expBody, string(b))
require.Contains(t, string(b), tc.expBody)
})
}
})
@ -336,25 +334,25 @@ func TestAMConfigAccess(t *testing.T) {
desc: "un-authenticated request should fail",
url: "http://%s/api/alertmanager/grafana/api/v2/silence/%s",
expStatus: http.StatusUnauthorized,
expBody: `{"message": "Unauthorized"}`,
expBody: `{"message":"Unauthorized"}`,
},
{
desc: "viewer request should fail",
url: "http://viewer:viewer@%s/api/alertmanager/grafana/api/v2/silence/%s",
expStatus: http.StatusForbidden,
expBody: `{"message": "Permission denied"}`,
expBody: `"title":"Access denied"`,
},
{
desc: "editor request should succeed",
url: "http://editor:editor@%s/api/alertmanager/grafana/api/v2/silence/%s",
expStatus: http.StatusOK,
expBody: `{"message": "silence deleted"}`,
expBody: `{"message":"silence deleted"}`,
},
{
desc: "admin request should succeed",
url: "http://admin:admin@%s/api/alertmanager/grafana/api/v2/silence/%s",
expStatus: http.StatusOK,
expBody: `{"message": "silence deleted"}`,
expBody: `{"message":"silence deleted"}`,
},
}
@ -387,7 +385,7 @@ func TestAMConfigAccess(t *testing.T) {
if tc.expStatus == http.StatusOK {
unconsumedSilenceIdx++
}
require.JSONEq(t, tc.expBody, string(b))
require.Contains(t, string(b), tc.expBody)
})
}
})
@ -484,7 +482,8 @@ func TestAlertAndGroupsQuery(t *testing.T) {
// Now, let's test the endpoint with some alerts.
{
// Create the namespace we'll save our alerts to.
_, err := createFolder(t, store, 0, "default")
err := createFolder(t, "default", grafanaListedAddr, "grafana", "password")
reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
require.NoError(t, err)
}
@ -578,10 +577,6 @@ func TestRulerAccess(t *testing.T) {
grafanaListedAddr, store := testinfra.StartGrafana(t, dir, path)
// Create the namespace we'll save our alerts to.
_, err = createFolder(t, store, 0, "default")
require.NoError(t, err)
// Create a users to make authenticated requests
createUser(t, store, models.CreateUserCommand{
DefaultOrgRole: string(models.ROLE_VIEWER),
@ -599,36 +594,41 @@ func TestRulerAccess(t *testing.T) {
Login: "admin",
})
// Create the namespace we'll save our alerts to.
err = createFolder(t, "default", grafanaListedAddr, "editor", "editor")
reloadCachedPermissions(t, grafanaListedAddr, "editor", "editor")
require.NoError(t, err)
// Now, let's test the access policies.
testCases := []struct {
desc string
url string
expStatus int
expectedResponse string
desc string
url string
expStatus int
expectedMessage string
}{
{
desc: "un-authenticated request should fail",
url: "http://%s/api/ruler/grafana/api/v1/rules/default",
expStatus: http.StatusUnauthorized,
expectedResponse: `{"message": "Unauthorized"}`,
desc: "un-authenticated request should fail",
url: "http://%s/api/ruler/grafana/api/v1/rules/default",
expStatus: http.StatusUnauthorized,
expectedMessage: `Unauthorized`,
},
{
desc: "viewer request should fail",
url: "http://viewer:viewer@%s/api/ruler/grafana/api/v1/rules/default",
expStatus: http.StatusForbidden,
expectedResponse: `{"message": "Permission denied"}`,
desc: "viewer request should fail",
url: "http://viewer:viewer@%s/api/ruler/grafana/api/v1/rules/default",
expStatus: http.StatusForbidden,
expectedMessage: `You'll need additional permissions to perform this action. Permissions needed: any of alert.rules:update, alert.rules:create, alert.rules:delete`,
},
{
desc: "editor request should succeed",
url: "http://editor:editor@%s/api/ruler/grafana/api/v1/rules/default",
expStatus: http.StatusAccepted,
expectedResponse: `{"message":"rule group updated successfully"}`,
desc: "editor request should succeed",
url: "http://editor:editor@%s/api/ruler/grafana/api/v1/rules/default",
expStatus: http.StatusAccepted,
expectedMessage: `rule group updated successfully`,
},
{
desc: "admin request should succeed",
url: "http://admin:admin@%s/api/ruler/grafana/api/v1/rules/default",
expStatus: http.StatusAccepted,
expectedResponse: `{"message":"rule group updated successfully"}`,
desc: "admin request should succeed",
url: "http://admin:admin@%s/api/ruler/grafana/api/v1/rules/default",
expStatus: http.StatusAccepted,
expectedMessage: `rule group updated successfully`,
},
}
@ -686,7 +686,10 @@ func TestRulerAccess(t *testing.T) {
require.NoError(t, err)
assert.Equal(t, tc.expStatus, resp.StatusCode)
require.JSONEq(t, tc.expectedResponse, string(b))
res := &Response{}
err = json.Unmarshal(b, &res)
require.NoError(t, err)
require.Equal(t, tc.expectedMessage, res.Message)
})
}
}
@ -706,10 +709,6 @@ func TestDeleteFolderWithRules(t *testing.T) {
grafanaListedAddr, store := testinfra.StartGrafana(t, dir, path)
// Create the namespace we'll save our alerts to.
namespaceUID, err := createFolder(t, store, 0, "default")
require.NoError(t, err)
createUser(t, store, models.CreateUserCommand{
DefaultOrgRole: string(models.ROLE_VIEWER),
Password: "viewer",
@ -721,6 +720,12 @@ func TestDeleteFolderWithRules(t *testing.T) {
Login: "editor",
})
// Create the namespace we'll save our alerts to.
namespaceUID := "default"
err = createFolder(t, namespaceUID, grafanaListedAddr, "editor", "editor")
reloadCachedPermissions(t, grafanaListedAddr, "editor", "editor")
require.NoError(t, err)
createRule(t, grafanaListedAddr, "default", "editor", "editor")
// First, let's have an editor create a rule within the folder/namespace.
@ -873,8 +878,9 @@ func TestAlertRuleCRUD(t *testing.T) {
})
// Create the namespace we'll save our alerts to.
_, err = createFolder(t, store, 0, "default")
err = createFolder(t, "default", grafanaListedAddr, "grafana", "password")
require.NoError(t, err)
reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
interval, err := model.ParseDuration("1m")
require.NoError(t, err)
@ -2011,10 +2017,6 @@ func TestQuota(t *testing.T) {
grafanaListedAddr, store := testinfra.StartGrafana(t, dir, path)
// Create the namespace we'll save our alerts to.
_, err = createFolder(t, store, 0, "default")
require.NoError(t, err)
// Create a user to make authenticated requests
createUser(t, store, models.CreateUserCommand{
DefaultOrgRole: string(models.ROLE_EDITOR),
@ -2022,6 +2024,11 @@ func TestQuota(t *testing.T) {
Login: "grafana",
})
// Create the namespace we'll save our alerts to.
err = createFolder(t, "default", grafanaListedAddr, "grafana", "password")
require.NoError(t, err)
reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
interval, err := model.ParseDuration("1m")
require.NoError(t, err)
@ -2265,7 +2272,7 @@ func TestEval(t *testing.T) {
})
// Create the namespace we'll save our alerts to.
_, err = createFolder(t, store, 0, "default")
err = createFolder(t, "default", grafanaListedAddr, "grafana", "password")
require.NoError(t, err)
// test eval conditions
@ -2447,8 +2454,8 @@ func TestEval(t *testing.T) {
}
}
`,
expectedStatusCode: http.StatusBadRequest,
expectedMessage: "invalid condition: invalid query A: data source not found: unknown",
expectedStatusCode: http.StatusUnauthorized,
expectedMessage: "user is not authorized to query one or many data sources used by the rule",
},
}
@ -2613,8 +2620,8 @@ func TestEval(t *testing.T) {
"now": "2021-04-11T14:38:14Z"
}
`,
expectedStatusCode: http.StatusBadRequest,
expectedMessage: "invalid queries or expressions: invalid query A: data source not found: unknown",
expectedStatusCode: http.StatusUnauthorized,
expectedMessage: "user is not authorized to query one or many data sources used by the rule",
},
}
@ -2650,25 +2657,20 @@ func TestEval(t *testing.T) {
// createFolder creates a folder for storing our alerts under. Grafana uses folders as a replacement for alert namespaces to match its permission model.
// We use the dashboard command using IsFolder = true to tell it's a folder, it takes the dashboard as the name of the folder.
func createFolder(t *testing.T, store *sqlstore.SQLStore, folderID int64, folderName string) (string, error) {
func createFolder(t *testing.T, folderUID, grafanaListedAddr, login, password string) error {
t.Helper()
cmd := models.SaveDashboardCommand{
OrgId: 1, // default organisation
FolderId: folderID,
IsFolder: true,
Dashboard: simplejson.NewFromAny(map[string]interface{}{
"title": folderName,
}),
}
dashboardsStore := database.ProvideDashboardStore(store)
f, err := dashboardsStore.SaveDashboard(cmd)
if err != nil {
return "", err
}
return f.Uid, nil
payload := fmt.Sprintf(`{"uid": "%s","title": "%s"}`, folderUID, folderUID)
u := fmt.Sprintf("http://%s:%s@%s/api/folders", login, password, grafanaListedAddr)
r := strings.NewReader(payload)
// nolint:gosec
resp, err := http.Post(u, "application/json", r)
t.Cleanup(func() {
require.NoError(t, resp.Body.Close())
})
require.NoError(t, err)
assert.Equal(t, http.StatusOK, resp.StatusCode)
return err
}
// rulesNamespaceWithoutVariableValues takes a apimodels.NamespaceConfigResponse JSON-based input and makes the dynamic fields static e.g. uid, dates, etc.

3
pkg/tests/api/alerting/api_notification_channel_test.go
View File

@ -775,8 +775,9 @@ func TestNotificationChannels(t *testing.T) {
{
// Create the namespace we'll save our alerts to.
_, err := createFolder(t, env.SQLStore, 0, "default")
err = createFolder(t, "default", grafanaListedAddr, "grafana", "password")
require.NoError(t, err)
reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
// Post the alertmanager config.
u := fmt.Sprintf("http://grafana:password@%s/api/alertmanager/grafana/config/api/v1/alerts", grafanaListedAddr)

86
pkg/tests/api/alerting/api_prometheus_test.go
View File

@ -16,7 +16,9 @@ import (
"github.com/grafana/grafana/pkg/infra/tracing"
"github.com/grafana/grafana/pkg/models"
dashboardsstore "github.com/grafana/grafana/pkg/services/dashboards/database"
"github.com/grafana/grafana/pkg/services/accesscontrol"
acdb "github.com/grafana/grafana/pkg/services/accesscontrol/database"
"github.com/grafana/grafana/pkg/services/accesscontrol/resourcepermissions/types"
apimodels "github.com/grafana/grafana/pkg/services/ngalert/api/tooling/definitions"
ngmodels "github.com/grafana/grafana/pkg/services/ngalert/models"
"github.com/grafana/grafana/pkg/tests/testinfra"
@ -35,10 +37,6 @@ func TestPrometheusRules(t *testing.T) {
grafanaListedAddr, store := testinfra.StartGrafana(t, dir, path)
// Create the namespace under default organisation (orgID = 1) where we'll save our alerts to.
_, err = createFolder(t, store, 0, "default")
require.NoError(t, err)
// Create a user to make authenticated requests
createUser(t, store, models.CreateUserCommand{
DefaultOrgRole: string(models.ROLE_EDITOR),
@ -46,6 +44,11 @@ func TestPrometheusRules(t *testing.T) {
Login: "grafana",
})
// Create the namespace we'll save our alerts to.
err = createFolder(t, "default", grafanaListedAddr, "grafana", "password")
require.NoError(t, err)
reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
interval, err := model.ParseDuration("10s")
require.NoError(t, err)
@ -330,10 +333,6 @@ func TestPrometheusRulesFilterByDashboard(t *testing.T) {
grafanaListedAddr, store := testinfra.StartGrafana(t, dir, path)
// Create the namespace under default organisation (orgID = 1) where we'll save our alerts to.
dashboardUID, err := createFolder(t, store, 0, "default")
require.NoError(t, err)
// Create a user to make authenticated requests
createUser(t, store, models.CreateUserCommand{
DefaultOrgRole: string(models.ROLE_EDITOR),
@ -341,6 +340,12 @@ func TestPrometheusRulesFilterByDashboard(t *testing.T) {
Login: "grafana",
})
// Create the namespace we'll save our alerts to.
dashboardUID := "default"
err = createFolder(t, dashboardUID, grafanaListedAddr, "grafana", "password")
require.NoError(t, err)
reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
interval, err := model.ParseDuration("10s")
require.NoError(t, err)
@ -625,23 +630,27 @@ func TestPrometheusRulesPermissions(t *testing.T) {
})
grafanaListedAddr, store := testinfra.StartGrafana(t, dir, path)
dashboardsStore := dashboardsstore.ProvideDashboardStore(store)
// Create a user to make authenticated requests
createUser(t, store, models.CreateUserCommand{
userID := createUser(t, store, models.CreateUserCommand{
DefaultOrgRole: string(models.ROLE_EDITOR),
Password: "password",
Login: "grafana",
})
// Create a namespace under default organisation (orgID = 1) where we'll save some alerts.
_, err = createFolder(t, store, 0, "folder1")
// access control permissions store
permissionsStore := acdb.ProvideService(store)
// Create the namespace we'll save our alerts to.
err = createFolder(t, "folder1", grafanaListedAddr, "grafana", "password")
require.NoError(t, err)
// Create another namespace under default organisation (orgID = 1) where we'll save some alerts.
_, err = createFolder(t, store, 0, "folder2")
// Create the namespace we'll save our alerts to.
err = createFolder(t, "folder2", grafanaListedAddr, "grafana", "password")
require.NoError(t, err)
reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
// Create rule under folder1
createRule(t, grafanaListedAddr, "folder1", "grafana", "password")
@ -717,7 +726,8 @@ func TestPrometheusRulesPermissions(t *testing.T) {
}
// remove permissions from folder2
require.NoError(t, dashboardsStore.UpdateDashboardACL(context.Background(), 2, nil))
removeFolderPermission(t, permissionsStore, 1, userID, models.ROLE_EDITOR, "folder2")
reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
// make sure that folder2 is not included in the response
{
@ -764,8 +774,9 @@ func TestPrometheusRulesPermissions(t *testing.T) {
}`, string(b))
}
// remove permissions from _ALL_ folders
require.NoError(t, dashboardsStore.UpdateDashboardACL(context.Background(), 1, nil))
// remove permissions from folder1
removeFolderPermission(t, permissionsStore, 1, userID, models.ROLE_EDITOR, "folder1")
reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
// make sure that no folders are included in the response
{
@ -790,3 +801,42 @@ func TestPrometheusRulesPermissions(t *testing.T) {
}`, string(b))
}
}
func reloadCachedPermissions(t *testing.T, addr, login, password string) {
t.Helper()
u := fmt.Sprintf("http://%s:%s@%s/api/access-control/user/permissions?reloadcache=true", login, password, addr)
// nolint:gosec
resp, err := http.Get(u)
t.Cleanup(func() {
require.NoError(t, resp.Body.Close())
})
require.NoError(t, err)
require.Equal(t, http.StatusOK, resp.StatusCode)
}
func removeFolderPermission(t *testing.T, store *acdb.AccessControlStore, orgID, userID int64, role models.RoleType, uid string) {
t.Helper()
// remove user permissions on folder
_, _ = store.SetUserResourcePermission(context.Background(), orgID, accesscontrol.User{ID: userID}, types.SetResourcePermissionCommand{
Resource: "folders",
ResourceID: uid,
ResourceAttribute: "uid",
}, nil)
// remove org role permissions from folder
_, _ = store.SetBuiltInResourcePermission(context.Background(), orgID, string(role), types.SetResourcePermissionCommand{
Resource: "folders",
ResourceID: uid,
ResourceAttribute: "uid",
}, nil)
// remove org role children permissions from folder
for _, c := range role.Children() {
_, _ = store.SetBuiltInResourcePermission(context.Background(), orgID, string(c), types.SetResourcePermissionCommand{
Resource: "folders",
ResourceID: uid,
ResourceAttribute: "uid",
}, nil)
}
}

44
pkg/tests/api/alerting/api_ruler_test.go
View File

@ -2,7 +2,6 @@ package alerting
import (
"bytes"
"context"
"encoding/json"
"fmt"
"io/ioutil"
@ -16,7 +15,7 @@ import (
"github.com/grafana/grafana/pkg/infra/tracing"
"github.com/grafana/grafana/pkg/models"
dashboardsstore "github.com/grafana/grafana/pkg/services/dashboards/database"
acdb "github.com/grafana/grafana/pkg/services/accesscontrol/database"
apimodels "github.com/grafana/grafana/pkg/services/ngalert/api/tooling/definitions"
ngmodels "github.com/grafana/grafana/pkg/services/ngalert/models"
"github.com/grafana/grafana/pkg/tests/testinfra"
@ -35,23 +34,25 @@ func TestAlertRulePermissions(t *testing.T) {
})
grafanaListedAddr, store := testinfra.StartGrafana(t, dir, path)
dashboardsStore := dashboardsstore.ProvideDashboardStore(store)
permissionsStore := acdb.ProvideService(store)
// Create a user to make authenticated requests
createUser(t, store, models.CreateUserCommand{
userID := createUser(t, store, models.CreateUserCommand{
DefaultOrgRole: string(models.ROLE_EDITOR),
Password: "password",
Login: "grafana",
})
// Create the namespace we'll save our alerts to.
_, err = createFolder(t, store, 0, "folder1")
err = createFolder(t, "folder1", grafanaListedAddr, "grafana", "password")
require.NoError(t, err)
_, err = createFolder(t, store, 0, "folder2")
err = createFolder(t, "folder2", grafanaListedAddr, "grafana", "password")
// Create the namespace we'll save our alerts to.
require.NoError(t, err)
reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
// Create rule under folder1
createRule(t, grafanaListedAddr, "folder1", "grafana", "password")
@ -180,7 +181,8 @@ func TestAlertRulePermissions(t *testing.T) {
assert.JSONEq(t, expectedGetNamespaceResponseBody, body)
// remove permissions from folder2
require.NoError(t, dashboardsStore.UpdateDashboardACL(context.Background(), 2, nil))
removeFolderPermission(t, permissionsStore, 1, userID, models.ROLE_EDITOR, "folder2")
reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
// make sure that folder2 is not included in the response
// nolint:gosec
@ -252,8 +254,9 @@ func TestAlertRulePermissions(t *testing.T) {
assert.JSONEq(t, expectedGetNamespaceResponseBody, body)
}
// Remove permissions from ALL folders.
require.NoError(t, dashboardsStore.UpdateDashboardACL(context.Background(), 1, nil))
// Remove permissions from folder1.
removeFolderPermission(t, permissionsStore, 1, userID, models.ROLE_EDITOR, "folder1")
reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
{
u := fmt.Sprintf("http://grafana:password@%s/api/ruler/grafana/api/v1/rules", grafanaListedAddr)
// nolint:gosec
@ -343,12 +346,6 @@ func TestAlertRuleConflictingTitle(t *testing.T) {
grafanaListedAddr, store := testinfra.StartGrafana(t, dir, path)
// Create the namespace we'll save our alerts to.
_, err = createFolder(t, store, 0, "folder1")
require.NoError(t, err)
_, err = createFolder(t, store, 0, "folder2")
require.NoError(t, err)
// Create user
createUser(t, store, models.CreateUserCommand{
DefaultOrgRole: string(models.ROLE_ADMIN),
@ -356,6 +353,13 @@ func TestAlertRuleConflictingTitle(t *testing.T) {
Login: "admin",
})
// Create the namespace we'll save our alerts to.
err = createFolder(t, "folder1", grafanaListedAddr, "admin", "admin")
require.NoError(t, err)
// Create the namespace we'll save our alerts to.
err = createFolder(t, "folder2", grafanaListedAddr, "admin", "admin")
require.NoError(t, err)
rules := newTestingRuleConfig(t)
buf := bytes.Buffer{}
@ -479,10 +483,6 @@ func TestRulerRulesFilterByDashboard(t *testing.T) {
grafanaListedAddr, store := testinfra.StartGrafana(t, dir, path)
// Create the namespace under default organisation (orgID = 1) where we'll save our alerts to.
dashboardUID, err := createFolder(t, store, 0, "default")
require.NoError(t, err)
// Create a user to make authenticated requests
createUser(t, store, models.CreateUserCommand{
DefaultOrgRole: string(models.ROLE_EDITOR),
@ -490,6 +490,12 @@ func TestRulerRulesFilterByDashboard(t *testing.T) {
Login: "grafana",
})
dashboardUID := "default"
// Create the namespace under default organisation (orgID = 1) where we'll save our alerts to.
err = createFolder(t, "default", grafanaListedAddr, "grafana", "password")
require.NoError(t, err)
reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
interval, err := model.ParseDuration("10s")
require.NoError(t, err)

6
public/app/core/services/context_srv.ts
View File

@ -109,7 +109,7 @@ export class ContextSrv {
}
accessControlEnabled(): boolean {
return Boolean(config.featureToggles['accesscontrol']);
return config.rbacEnabled;
}
accessControlBuiltinRefactorEnabled(): boolean {
@ -117,7 +117,7 @@ export class ContextSrv {
}
licensedAccessControlEnabled(): boolean {
return featureEnabled('accesscontrol') && Boolean(config.featureToggles['accesscontrol']);
return featureEnabled('accesscontrol') && config.rbacEnabled;
}
// Checks whether user has required permission
@ -174,7 +174,7 @@ export class ContextSrv {
}
hasAccessInMetadata(action: string, object: WithAccessControlMetadata, fallBack: boolean) {
if (!config.featureToggles['accesscontrol']) {
if (!config.rbacEnabled) {
return fallBack;
}
return this.hasPermissionInMetadata(action, object);

2
public/app/core/utils/accessControl.ts
View File

@ -2,7 +2,7 @@ import config from '../../core/config';
// accessControlQueryParam adds an additional accesscontrol=true param to params when accesscontrol is enabled
export function accessControlQueryParam(params = {}) {
if (!config.featureToggles.accesscontrol) {
if (!config.rbacEnabled) {
return params;
}
return { ...params, accesscontrol: true };

3
public/app/features/alerting/unified/MuteTimings.test.tsx
View File

@ -11,7 +11,7 @@ import { configureStore } from 'app/store/configureStore';
import MuteTimings from './MuteTimings';
import { fetchAlertManagerConfig, updateAlertManagerConfig } from './api/alertmanager';
import { mockDataSource, MockDataSourceSrv } from './mocks';
import { disableRBAC, mockDataSource, MockDataSourceSrv } from './mocks';
import { DataSourceType } from './utils/datasource';
jest.mock('./api/alertmanager');
@ -113,6 +113,7 @@ describe('Mute timings', () => {
});
it('creates a new mute timing', async () => {
disableRBAC();
await renderMuteTimings();
await waitFor(() => expect(mocks.api.fetchAlertManagerConfig).toHaveBeenCalled());

2
public/app/features/alerting/unified/PanelAlertTabContent.test.tsx
View File

@ -17,6 +17,7 @@ import { PanelAlertTabContent } from './PanelAlertTabContent';
import { fetchRules } from './api/prometheus';
import { fetchRulerRules } from './api/ruler';
import {
disableRBAC,
mockDataSource,
MockDataSourceSrv,
mockPromAlertingRule,
@ -184,6 +185,7 @@ describe('PanelAlertTabContent', () => {
any
>;
setDataSourceSrv(dsService);
disableRBAC();
});
it('Will take into account panel maxDataPoints', async () => {

4
public/app/features/alerting/unified/RuleEditor.test.tsx
View File

@ -19,7 +19,7 @@ import RuleEditor from './RuleEditor';
import { fetchBuildInfo } from './api/buildInfo';
import { fetchRulerRules, fetchRulerRulesGroup, fetchRulerRulesNamespace, setRulerRuleGroup } from './api/ruler';
import { ExpressionEditorProps } from './components/rule-editor/ExpressionEditor';
import { mockDataSource, MockDataSourceSrv } from './mocks';
import { disableRBAC, mockDataSource, MockDataSourceSrv } from './mocks';
import { getAllDataSources } from './utils/config';
import { DataSourceType, GRAFANA_RULES_SOURCE_NAME } from './utils/datasource';
import { getDefaultQueries } from './utils/rule-form';
@ -100,6 +100,8 @@ describe('RuleEditor', () => {
contextSrv.isEditor = true;
});
disableRBAC();
it('can create a new cloud alert', async () => {
const dataSources = {
default: mockDataSource(

2
public/app/features/alerting/unified/RuleList.test.tsx
View File

@ -16,6 +16,7 @@ import { fetchBuildInfo } from './api/buildInfo';
import { fetchRules } from './api/prometheus';
import { deleteNamespace, deleteRulerRulesGroup, fetchRulerRules, setRulerRuleGroup } from './api/ruler';
import {
disableRBAC,
enableRBAC,
grantUserPermissions,
mockDataSource,
@ -121,6 +122,7 @@ describe('RuleList', () => {
});
it('load & show rule groups from multiple cloud data sources', async () => {
disableRBAC();
mocks.getAllDataSourcesMock.mockReturnValue(Object.values(dataSources));
setDataSourceSrv(new MockDataSourceSrv(dataSources));

2
public/app/features/alerting/unified/components/admin/AlertmanagerConfig.test.tsx
View File

@ -22,6 +22,7 @@ import {
fetchStatus,
} from '../../api/alertmanager';
import {
disableRBAC,
mockDataSource,
MockDataSourceSrv,
someCloudAlertManagerConfig,
@ -94,6 +95,7 @@ describe('Admin config', () => {
setDataSourceSrv(new MockDataSourceSrv(dataSources));
contextSrv.isGrafanaAdmin = true;
store.delete(ALERTMANAGER_NAME_LOCAL_STORAGE_KEY);
disableRBAC();
});
it('Reset alertmanager config', async () => {

4
public/app/features/alerting/unified/components/rules/RulesGroup.test.tsx
View File

@ -7,7 +7,7 @@ import { byTestId, byText } from 'testing-library-selector';
import { configureStore } from 'app/store/configureStore';
import { CombinedRuleGroup, CombinedRuleNamespace } from 'app/types/unified-alerting';
import { mockCombinedRule, mockDataSource } from '../../mocks';
import { disableRBAC, mockCombinedRule, mockDataSource } from '../../mocks';
import { RulesGroup } from './RulesGroup';
@ -72,6 +72,8 @@ describe('Rules group tests', () => {
groups: [group],
};
disableRBAC();
it('When ruler enabled should display delete and edit group buttons', () => {
// Arrange
hasRulerMock.mockReturnValue(true);

4
public/app/features/alerting/unified/mocks.ts
View File

@ -471,6 +471,10 @@ export const enableRBAC = () => {
jest.spyOn(contextSrv, 'accessControlEnabled').mockReturnValue(true);
};
export const disableRBAC = () => {
jest.spyOn(contextSrv, 'accessControlEnabled').mockReturnValue(false);
};
export const grantUserPermissions = (permissions: AccessControlAction[]) => {
jest
.spyOn(contextSrv, 'hasPermission')

2
public/app/features/dashboard/components/DashboardSettings/DashboardSettings.tsx
View File

@ -117,7 +117,7 @@ export function DashboardSettings({ dashboard, editview }: Props) {
}
if (dashboard.id && dashboard.meta.canAdmin) {
if (!config.featureToggles['accesscontrol']) {
if (!config.rbacEnabled) {
pages.push({
title: 'Permissions',
id: 'permissions',

2
public/app/plugins/panel/graph/specs/graph.test.ts
View File

@ -1297,6 +1297,7 @@ describe('grafanaGraph', () => {
describe('when called and user can edit the dashboard', () => {
it('then the correct menu items should be returned', () => {
const element = getGraphElement({ canEdit: true, canMakeEditable: false });
jest.spyOn(element.dashboard, 'canAddAnnotations').mockReturnValue(true);
const result = element.getContextMenuItemsSupplier({ x: 1, y: 1 })();
@ -1311,6 +1312,7 @@ describe('grafanaGraph', () => {
describe('when called and user can make the dashboard editable', () => {
it('then the correct menu items should be returned', () => {
const element = getGraphElement({ canEdit: false, canMakeEditable: true });
jest.spyOn(element.dashboard, 'canAddAnnotations').mockReturnValue(true);
const result = element.getContextMenuItemsSupplier({ x: 1, y: 1 })();

2
public/app/routes/routes.tsx
View File

@ -128,7 +128,7 @@ export function getAppRoutes(): RouteDescriptor[] {
{
path: '/dashboards/f/:uid/:slug/permissions',
component:
config.featureToggles['accesscontrol'] && contextSrv.hasPermission(AccessControlAction.FoldersPermissionsRead)
config.rbacEnabled && contextSrv.hasPermission(AccessControlAction.FoldersPermissionsRead)
? SafeDynamicImport(
() =>
import(/* webpackChunkName: "FolderPermissions"*/ 'app/features/folders/AccessControlFolderPermissions')