mirror of
https://github.com/grafana/grafana.git
synced 2024-12-01 21:19:28 -06:00
edae5fc791
Fix for username assertion - Allow setting username assertion in INI - Correctly set the azsettings value - Update tests
330 lines
10 KiB
Go
330 lines
10 KiB
Go
package setting
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/grafana/grafana-azure-sdk-go/v2/azsettings"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestAzureSettings(t *testing.T) {
|
|
t.Run("cloud name", func(t *testing.T) {
|
|
testCases := []struct {
|
|
name string
|
|
configuredValue string
|
|
resolvedValue string
|
|
}{
|
|
{
|
|
name: "should be Public if not set",
|
|
configuredValue: "",
|
|
resolvedValue: azsettings.AzurePublic,
|
|
},
|
|
{
|
|
name: "should be Public if set to Public",
|
|
configuredValue: azsettings.AzurePublic,
|
|
resolvedValue: azsettings.AzurePublic,
|
|
},
|
|
{
|
|
name: "should be Public if set to Public using alternative name",
|
|
configuredValue: "AzurePublicCloud",
|
|
resolvedValue: azsettings.AzurePublic,
|
|
},
|
|
{
|
|
name: "should be China if set to China",
|
|
configuredValue: azsettings.AzureChina,
|
|
resolvedValue: azsettings.AzureChina,
|
|
},
|
|
{
|
|
name: "should be US Government if set to US Government using alternative name",
|
|
configuredValue: "usgov",
|
|
resolvedValue: azsettings.AzureUSGovernment,
|
|
},
|
|
{
|
|
name: "should be same as set if not known",
|
|
configuredValue: "Custom123",
|
|
resolvedValue: "Custom123",
|
|
},
|
|
}
|
|
|
|
for _, c := range testCases {
|
|
t.Run(c.name, func(t *testing.T) {
|
|
cfg := NewCfg()
|
|
|
|
azureSection, err := cfg.Raw.NewSection("azure")
|
|
require.NoError(t, err)
|
|
_, err = azureSection.NewKey("cloud", c.configuredValue)
|
|
require.NoError(t, err)
|
|
|
|
cfg.readAzureSettings()
|
|
require.NotNil(t, cfg.Azure)
|
|
|
|
assert.Equal(t, c.resolvedValue, cfg.Azure.Cloud)
|
|
})
|
|
}
|
|
})
|
|
|
|
t.Run("prometheus", func(t *testing.T) {
|
|
t.Run("should enable azure auth", func(t *testing.T) {
|
|
cfg := NewCfg()
|
|
|
|
authSection, err := cfg.Raw.NewSection("auth")
|
|
require.NoError(t, err)
|
|
_, err = authSection.NewKey("azure_auth_enabled", "true")
|
|
require.NoError(t, err)
|
|
|
|
cfg.readAzureSettings()
|
|
require.NotNil(t, cfg.Azure.AzureAuthEnabled)
|
|
assert.True(t, cfg.Azure.AzureAuthEnabled)
|
|
})
|
|
t.Run("should default to disabled", func(t *testing.T) {
|
|
cfg := NewCfg()
|
|
|
|
cfg.readAzureSettings()
|
|
require.NotNil(t, cfg.Azure.AzureAuthEnabled)
|
|
assert.False(t, cfg.Azure.AzureAuthEnabled)
|
|
})
|
|
})
|
|
t.Run("User Identity", func(t *testing.T) {
|
|
t.Run("should be disabled by default", func(t *testing.T) {
|
|
cfg := NewCfg()
|
|
|
|
cfg.readAzureSettings()
|
|
require.NotNil(t, cfg.Azure)
|
|
|
|
assert.False(t, cfg.Azure.UserIdentityEnabled)
|
|
})
|
|
|
|
t.Run("should be enabled", func(t *testing.T) {
|
|
cfg := NewCfg()
|
|
|
|
azureSection, err := cfg.Raw.NewSection("azure")
|
|
require.NoError(t, err)
|
|
_, err = azureSection.NewKey("user_identity_enabled", "true")
|
|
require.NoError(t, err)
|
|
|
|
cfg.readAzureSettings()
|
|
require.NotNil(t, cfg.Azure)
|
|
require.NotNil(t, cfg.Azure.UserIdentityTokenEndpoint)
|
|
|
|
assert.True(t, cfg.Azure.UserIdentityEnabled)
|
|
})
|
|
t.Run("enables service credentials by default", func(t *testing.T) {
|
|
cfg := NewCfg()
|
|
|
|
azureSection, err := cfg.Raw.NewSection("azure")
|
|
require.NoError(t, err)
|
|
_, err = azureSection.NewKey("user_identity_enabled", "true")
|
|
require.NoError(t, err)
|
|
|
|
cfg.readAzureSettings()
|
|
|
|
assert.True(t, cfg.Azure.UserIdentityFallbackCredentialsEnabled)
|
|
})
|
|
t.Run("disables service credentials", func(t *testing.T) {
|
|
cfg := NewCfg()
|
|
|
|
azureSection, err := cfg.Raw.NewSection("azure")
|
|
require.NoError(t, err)
|
|
_, err = azureSection.NewKey("user_identity_enabled", "true")
|
|
require.NoError(t, err)
|
|
_, err = azureSection.NewKey("user_identity_fallback_credentials_enabled", "false")
|
|
require.NoError(t, err)
|
|
|
|
cfg.readAzureSettings()
|
|
|
|
assert.False(t, cfg.Azure.UserIdentityFallbackCredentialsEnabled)
|
|
})
|
|
|
|
t.Run("should use token endpoint from Azure AD if enabled", func(t *testing.T) {
|
|
cfg := NewCfg()
|
|
|
|
azureAdSection, err := cfg.Raw.NewSection("auth.azuread")
|
|
require.NoError(t, err)
|
|
_, err = azureAdSection.NewKey("enabled", "true")
|
|
require.NoError(t, err)
|
|
_, err = azureAdSection.NewKey("token_url", "URL_1")
|
|
require.NoError(t, err)
|
|
_, err = azureAdSection.NewKey("client_id", "ID_1")
|
|
require.NoError(t, err)
|
|
_, err = azureAdSection.NewKey("client_secret", "SECRET_1")
|
|
require.NoError(t, err)
|
|
|
|
azureSection, err := cfg.Raw.NewSection("azure")
|
|
require.NoError(t, err)
|
|
_, err = azureSection.NewKey("user_identity_enabled", "true")
|
|
require.NoError(t, err)
|
|
|
|
cfg.readAzureSettings()
|
|
require.NotNil(t, cfg.Azure)
|
|
require.NotNil(t, cfg.Azure.UserIdentityTokenEndpoint)
|
|
|
|
assert.True(t, cfg.Azure.UserIdentityEnabled)
|
|
assert.Equal(t, "URL_1", cfg.Azure.UserIdentityTokenEndpoint.TokenUrl)
|
|
assert.Equal(t, "ID_1", cfg.Azure.UserIdentityTokenEndpoint.ClientId)
|
|
assert.Equal(t, "SECRET_1", cfg.Azure.UserIdentityTokenEndpoint.ClientSecret)
|
|
})
|
|
|
|
t.Run("should not use token endpoint from Azure AD if not enabled", func(t *testing.T) {
|
|
cfg := NewCfg()
|
|
|
|
azureAdSection, err := cfg.Raw.NewSection("auth.azuread")
|
|
require.NoError(t, err)
|
|
_, err = azureAdSection.NewKey("enabled", "false")
|
|
require.NoError(t, err)
|
|
_, err = azureAdSection.NewKey("token_url", "URL_1")
|
|
require.NoError(t, err)
|
|
_, err = azureAdSection.NewKey("client_id", "ID_1")
|
|
require.NoError(t, err)
|
|
_, err = azureAdSection.NewKey("client_secret", "SECRET_1")
|
|
require.NoError(t, err)
|
|
|
|
azureSection, err := cfg.Raw.NewSection("azure")
|
|
require.NoError(t, err)
|
|
_, err = azureSection.NewKey("user_identity_enabled", "true")
|
|
require.NoError(t, err)
|
|
|
|
cfg.readAzureSettings()
|
|
require.NotNil(t, cfg.Azure)
|
|
require.NotNil(t, cfg.Azure.UserIdentityTokenEndpoint)
|
|
|
|
assert.True(t, cfg.Azure.UserIdentityEnabled)
|
|
assert.Empty(t, cfg.Azure.UserIdentityTokenEndpoint.TokenUrl)
|
|
assert.Empty(t, cfg.Azure.UserIdentityTokenEndpoint.ClientId)
|
|
assert.Empty(t, cfg.Azure.UserIdentityTokenEndpoint.ClientSecret)
|
|
})
|
|
|
|
t.Run("should override Azure AD settings", func(t *testing.T) {
|
|
cfg := NewCfg()
|
|
|
|
azureAdSection, err := cfg.Raw.NewSection("auth.azuread")
|
|
require.NoError(t, err)
|
|
_, err = azureAdSection.NewKey("enabled", "true")
|
|
require.NoError(t, err)
|
|
_, err = azureAdSection.NewKey("token_url", "URL_1")
|
|
require.NoError(t, err)
|
|
_, err = azureAdSection.NewKey("client_id", "ID_1")
|
|
require.NoError(t, err)
|
|
_, err = azureAdSection.NewKey("client_secret", "SECRET_1")
|
|
require.NoError(t, err)
|
|
|
|
azureSection, err := cfg.Raw.NewSection("azure")
|
|
require.NoError(t, err)
|
|
_, err = azureSection.NewKey("user_identity_enabled", "true")
|
|
require.NoError(t, err)
|
|
_, err = azureSection.NewKey("user_identity_token_url", "URL_2")
|
|
require.NoError(t, err)
|
|
_, err = azureSection.NewKey("user_identity_client_id", "ID_2")
|
|
require.NoError(t, err)
|
|
_, err = azureSection.NewKey("user_identity_client_secret", "SECRET_2")
|
|
require.NoError(t, err)
|
|
|
|
cfg.readAzureSettings()
|
|
require.NotNil(t, cfg.Azure)
|
|
require.NotNil(t, cfg.Azure.UserIdentityTokenEndpoint)
|
|
|
|
assert.True(t, cfg.Azure.UserIdentityEnabled)
|
|
assert.Equal(t, "URL_2", cfg.Azure.UserIdentityTokenEndpoint.TokenUrl)
|
|
assert.Equal(t, "ID_2", cfg.Azure.UserIdentityTokenEndpoint.ClientId)
|
|
assert.Equal(t, "SECRET_2", cfg.Azure.UserIdentityTokenEndpoint.ClientSecret)
|
|
})
|
|
|
|
t.Run("should not use secret from Azure AD if client ID overridden", func(t *testing.T) {
|
|
cfg := NewCfg()
|
|
|
|
azureAdSection, err := cfg.Raw.NewSection("auth.azuread")
|
|
require.NoError(t, err)
|
|
_, err = azureAdSection.NewKey("enabled", "true")
|
|
require.NoError(t, err)
|
|
_, err = azureAdSection.NewKey("token_url", "URL_1")
|
|
require.NoError(t, err)
|
|
_, err = azureAdSection.NewKey("client_id", "ID_1")
|
|
require.NoError(t, err)
|
|
_, err = azureAdSection.NewKey("client_secret", "SECRET_1")
|
|
require.NoError(t, err)
|
|
|
|
azureSection, err := cfg.Raw.NewSection("azure")
|
|
require.NoError(t, err)
|
|
_, err = azureSection.NewKey("user_identity_enabled", "true")
|
|
require.NoError(t, err)
|
|
_, err = azureSection.NewKey("user_identity_token_url", "URL_2")
|
|
require.NoError(t, err)
|
|
_, err = azureSection.NewKey("user_identity_client_id", "ID_2")
|
|
require.NoError(t, err)
|
|
|
|
cfg.readAzureSettings()
|
|
require.NotNil(t, cfg.Azure)
|
|
require.NotNil(t, cfg.Azure.UserIdentityTokenEndpoint)
|
|
|
|
assert.True(t, cfg.Azure.UserIdentityEnabled)
|
|
assert.Equal(t, "URL_2", cfg.Azure.UserIdentityTokenEndpoint.TokenUrl)
|
|
assert.Equal(t, "ID_2", cfg.Azure.UserIdentityTokenEndpoint.ClientId)
|
|
assert.Empty(t, cfg.Azure.UserIdentityTokenEndpoint.ClientSecret)
|
|
})
|
|
|
|
t.Run("does not enable username assertion by default", func(t *testing.T) {
|
|
cfg := NewCfg()
|
|
|
|
azureSection, err := cfg.Raw.NewSection("azure")
|
|
require.NoError(t, err)
|
|
_, err = azureSection.NewKey("user_identity_enabled", "true")
|
|
require.NoError(t, err)
|
|
|
|
cfg.readAzureSettings()
|
|
require.NotNil(t, cfg.Azure)
|
|
require.NotNil(t, cfg.Azure.UserIdentityTokenEndpoint)
|
|
|
|
assert.True(t, cfg.Azure.UserIdentityEnabled)
|
|
assert.False(t, cfg.Azure.UserIdentityTokenEndpoint.UsernameAssertion)
|
|
})
|
|
|
|
t.Run("should appropriately set username assertion", func(t *testing.T) {
|
|
cfg := NewCfg()
|
|
|
|
azureSection, err := cfg.Raw.NewSection("azure")
|
|
require.NoError(t, err)
|
|
_, err = azureSection.NewKey("user_identity_enabled", "true")
|
|
require.NoError(t, err)
|
|
_, err = azureSection.NewKey("username_assertion", "username")
|
|
require.NoError(t, err)
|
|
|
|
cfg.readAzureSettings()
|
|
require.NotNil(t, cfg.Azure)
|
|
require.NotNil(t, cfg.Azure.UserIdentityTokenEndpoint)
|
|
|
|
assert.True(t, cfg.Azure.UserIdentityEnabled)
|
|
assert.True(t, cfg.Azure.UserIdentityTokenEndpoint.UsernameAssertion)
|
|
})
|
|
})
|
|
|
|
t.Run("forward settings to plugins", func(t *testing.T) {
|
|
testCases := []struct {
|
|
name string
|
|
configuredValue string
|
|
resolvedValue []string
|
|
}{
|
|
{
|
|
name: "should be set to user plugins if set",
|
|
configuredValue: "test-datasource",
|
|
resolvedValue: []string{"test-datasource"},
|
|
},
|
|
}
|
|
|
|
for _, c := range testCases {
|
|
t.Run(c.name, func(t *testing.T) {
|
|
cfg := NewCfg()
|
|
|
|
azureSection, err := cfg.Raw.NewSection("azure")
|
|
require.NoError(t, err)
|
|
_, err = azureSection.NewKey("forward_settings_to_plugins", c.configuredValue)
|
|
require.NoError(t, err)
|
|
|
|
cfg.readAzureSettings()
|
|
require.NotNil(t, cfg.Azure)
|
|
|
|
assert.Equal(t, c.resolvedValue, cfg.Azure.ForwardSettingsPlugins)
|
|
})
|
|
}
|
|
})
|
|
}
|