IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity
2c47d246fc
grafana/pkg/services/accesscontrol/cacheutils_test.go
Alexander Zobnin 88259da745
RBAC: Optimize permissions caching (#92673) 
* Access control: Use composite cache key for team permissions

* use composite key for teams

* use cache for hotpath (getCachedUserPermissions)

* don't cache empty teams set

* don't pass permissions as argument

* early return if no teams found

* reload cache correctly

* optimize allocations

* Clear user's teams cache

* remove composite cache for teams

* fix linter

* don't clear teams permissions

* pre-allocate memory for basic roles permissions
2024-09-03 15:46:56 +02:00

146 lines
3.5 KiB
Go
Raw Blame History

package accesscontrol
import (
"testing"
"github.com/stretchr/testify/assert"
"github.com/grafana/authlib/claims"
"github.com/grafana/grafana/pkg/services/org"
"github.com/grafana/grafana/pkg/services/user"
)
func TestPermissionCacheKey(t *testing.T) {
testcases := []struct {
name string
signedInUser *user.SignedInUser
expected string
}{
{
name: "should return correct key for user",
signedInUser: &user.SignedInUser{
OrgID: 1,
UserID: 1,
FallbackType: claims.TypeUser,
},
expected: "rbac-permissions-1-user-1",
},
{
name: "should return correct key for api key",
signedInUser: &user.SignedInUser{
OrgID: 1,
ApiKeyID: 1,
IsServiceAccount: false,
FallbackType: claims.TypeUser,
},
expected: "rbac-permissions-1-api-key-1",
},
{
name: "should return correct key for service account",
signedInUser: &user.SignedInUser{
OrgID: 1,
UserID: 1,
IsServiceAccount: true,
FallbackType: claims.TypeUser,
},
expected: "rbac-permissions-1-service-account-1",
},
{
name: "should return correct key for matching a service account with userId -1",
signedInUser: &user.SignedInUser{
OrgID: 1,
UserID: -1,
IsServiceAccount: true,
FallbackType: claims.TypeUser, // NOTE, this is still a service account!
},
expected: "rbac-permissions-1-service-account--1",
},
{
name: "should use org role if no unique id",
signedInUser: &user.SignedInUser{
OrgID: 1,
OrgRole: org.RoleNone,
FallbackType: claims.TypeUser,
},
expected: "rbac-permissions-1-user-None",
},
}
for _, tc := range testcases {
t.Run(tc.name, func(t *testing.T) {
assert.Equal(t, tc.expected, GetUserPermissionCacheKey(tc.signedInUser))
})
}
}
func TestGetSearchPermissionCacheKey(t *testing.T) {
testcases := []struct {
name string
signedInUser *user.SignedInUser
searchOptions SearchOptions
expected string
}{
{
name: "should return correct key for user with no options",
signedInUser: &user.SignedInUser{
OrgID: 1,
UserID: 1,
},
searchOptions: SearchOptions{},
expected: "rbac-permissions-1-user-1",
},
{
name: "should return correct key for user with action",
signedInUser: &user.SignedInUser{
OrgID: 1,
UserID: 1,
},
searchOptions: SearchOptions{
Action: "datasources:read",
},
expected: "rbac-permissions-1-user-1-datasources:read",
},
{
name: "should return correct key for user with scope",
signedInUser: &user.SignedInUser{
OrgID: 1,
UserID: 1,
},
searchOptions: SearchOptions{
Scope: "datasources:*",
},
expected: "rbac-permissions-1-user-1-datasources:*",
},
{
name: "should return correct key for user with action and scope",
signedInUser: &user.SignedInUser{
OrgID: 1,
UserID: 1,
},
searchOptions: SearchOptions{
Action: "datasources:read",
Scope: "datasources:*",
},
expected: "rbac-permissions-1-user-1-datasources:read-datasources:*",
},
{
name: "should return correct key for user with role prefixes",
signedInUser: &user.SignedInUser{
OrgID: 1,
UserID: 1,
},
searchOptions: SearchOptions{
RolePrefixes: []string{"foo", "bar"},
},
expected: "rbac-permissions-1-user-1-foo-bar",
},
}
for _, tc := range testcases {
t.Run(tc.name, func(t *testing.T) {
assert.Equal(t, tc.expected, GetSearchPermissionCacheKey(tc.signedInUser, tc.searchOptions))
})
}
}
Reference in New Issue View Git Blame Copy Permalink