mirror of
https://github.com/grafana/grafana.git
synced 2025-02-12 00:25:46 -06:00
5efc3386d3
* Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
160 lines
4.7 KiB
Go
160 lines
4.7 KiB
Go
package clients
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
"github.com/grafana/grafana/pkg/services/authn"
|
|
"github.com/grafana/grafana/pkg/services/ldap"
|
|
"github.com/grafana/grafana/pkg/services/ldap/multildap"
|
|
"github.com/grafana/grafana/pkg/services/ldap/service"
|
|
"github.com/grafana/grafana/pkg/services/login"
|
|
"github.com/grafana/grafana/pkg/services/org"
|
|
"github.com/grafana/grafana/pkg/setting"
|
|
)
|
|
|
|
func TestLDAP_AuthenticateProxy(t *testing.T) {
|
|
type testCase struct {
|
|
desc string
|
|
username string
|
|
expectedLDAPErr error
|
|
expectedLDAPInfo *login.ExternalUserInfo
|
|
expectedErr error
|
|
expectedIdentity *authn.Identity
|
|
}
|
|
|
|
tests := []testCase{
|
|
{
|
|
desc: "should return valid identity when found by ldap service",
|
|
username: "test",
|
|
expectedLDAPInfo: &login.ExternalUserInfo{
|
|
AuthModule: login.LDAPAuthModule,
|
|
AuthId: "123",
|
|
Email: "test@test.com",
|
|
Login: "test",
|
|
Name: "test test",
|
|
Groups: []string{"1", "2"},
|
|
OrgRoles: map[int64]org.RoleType{1: org.RoleViewer},
|
|
},
|
|
expectedIdentity: &authn.Identity{
|
|
OrgID: 1,
|
|
OrgRoles: map[int64]org.RoleType{1: org.RoleViewer},
|
|
Login: "test",
|
|
Name: "test test",
|
|
Email: "test@test.com",
|
|
AuthenticatedBy: login.LDAPAuthModule,
|
|
AuthID: "123",
|
|
Groups: []string{"1", "2"},
|
|
ClientParams: authn.ClientParams{
|
|
SyncUser: true,
|
|
SyncTeams: true,
|
|
EnableDisabledUsers: true,
|
|
FetchSyncedUser: true,
|
|
SyncOrgRoles: true,
|
|
SyncPermissions: true,
|
|
LookUpParams: login.UserLookupParams{
|
|
Email: strPtr("test@test.com"),
|
|
Login: strPtr("test"),
|
|
},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
desc: "should return error when user is not found",
|
|
username: "test",
|
|
expectedLDAPErr: multildap.ErrDidNotFindUser,
|
|
expectedErr: errIdentityNotFound,
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.desc, func(t *testing.T) {
|
|
c := &LDAP{cfg: setting.NewCfg(), service: &service.LDAPFakeService{ExpectedUser: tt.expectedLDAPInfo, ExpectedError: tt.expectedLDAPErr}}
|
|
identity, err := c.AuthenticateProxy(context.Background(), &authn.Request{OrgID: 1}, tt.username, nil)
|
|
assert.ErrorIs(t, err, tt.expectedErr)
|
|
assert.EqualValues(t, tt.expectedIdentity, identity)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestLDAP_AuthenticatePassword(t *testing.T) {
|
|
type testCase struct {
|
|
desc string
|
|
username string
|
|
password string
|
|
expectedErr error
|
|
expectedLDAPErr error
|
|
expectedLDAPInfo *login.ExternalUserInfo
|
|
expectedIdentity *authn.Identity
|
|
}
|
|
|
|
tests := []testCase{
|
|
{
|
|
desc: "should successfully authenticate with correct username and password",
|
|
username: "test",
|
|
password: "test123",
|
|
expectedLDAPInfo: &login.ExternalUserInfo{
|
|
AuthModule: login.LDAPAuthModule,
|
|
AuthId: "123",
|
|
Email: "test@test.com",
|
|
Login: "test",
|
|
Name: "test test",
|
|
Groups: []string{"1", "2"},
|
|
OrgRoles: map[int64]org.RoleType{1: org.RoleViewer},
|
|
},
|
|
expectedIdentity: &authn.Identity{
|
|
OrgID: 1,
|
|
OrgRoles: map[int64]org.RoleType{1: org.RoleViewer},
|
|
Login: "test",
|
|
Name: "test test",
|
|
Email: "test@test.com",
|
|
AuthenticatedBy: login.LDAPAuthModule,
|
|
AuthID: "123",
|
|
Groups: []string{"1", "2"},
|
|
ClientParams: authn.ClientParams{
|
|
SyncUser: true,
|
|
SyncTeams: true,
|
|
EnableDisabledUsers: true,
|
|
FetchSyncedUser: true,
|
|
SyncOrgRoles: true,
|
|
SyncPermissions: true,
|
|
LookUpParams: login.UserLookupParams{
|
|
Email: strPtr("test@test.com"),
|
|
Login: strPtr("test"),
|
|
},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
desc: "should fail if provided password was incorrect",
|
|
username: "test",
|
|
password: "wrong",
|
|
expectedErr: errInvalidPassword,
|
|
expectedLDAPErr: ldap.ErrInvalidCredentials,
|
|
},
|
|
{
|
|
desc: "should fail if not found",
|
|
username: "test",
|
|
password: "wrong",
|
|
expectedErr: errIdentityNotFound,
|
|
expectedLDAPErr: ldap.ErrCouldNotFindUser,
|
|
},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.desc, func(t *testing.T) {
|
|
c := &LDAP{cfg: setting.NewCfg(), service: &service.LDAPFakeService{ExpectedUser: tt.expectedLDAPInfo, ExpectedError: tt.expectedLDAPErr}}
|
|
|
|
identity, err := c.AuthenticatePassword(context.Background(), &authn.Request{OrgID: 1}, tt.username, tt.password)
|
|
assert.ErrorIs(t, err, tt.expectedErr)
|
|
assert.EqualValues(t, tt.expectedIdentity, identity)
|
|
})
|
|
}
|
|
}
|
|
|
|
func strPtr(s string) *string {
|
|
return &s
|
|
}
|