mirror of
https://github.com/grafana/grafana.git
synced 2025-02-16 18:34:52 -06:00
605d056136
* * Teams: Appropriately apply user id filter in /api/teams/:id and /api/teams/search * Teams: Ensure that users searching for teams are only able see teams they have access to * Teams: Require teamGuardian admin privileges to list team members * Teams: Prevent org viewers from administering teams * Teams: Add org_id condition to team count query * Teams: clarify permission requirements in teams api docs * Teams: expand scenarios for team search tests * Teams: mock teamGuardian in tests Co-authored-by: Dan Cech <dcech@grafana.com> * remove duplicate WHERE statement * Fix for CVE-2022-21702 (cherry picked from commit 202d7c190082c094bc1dc13f7fe9464746c37f9e) * Lint and test fixes (cherry picked from commit 3e6b67d5504abf4a1d7b8d621f04d062c048e981) * check content type properly (cherry picked from commit 70b4458892bf2f776302720c10d24c9ff34edd98) * basic csrf origin check (cherry picked from commit 3adaa5ff39832364f6390881fb5b42ad47df92e1) * compare origin to host (cherry picked from commit 5443892699e8ed42836bb2b9a44744ff3e970f42) * simplify url parsing (cherry picked from commit b2ffbc9513fed75468628370a48b929d30af2b1d) * check csrf for GET requests, only compare origin (cherry picked from commit 8b81dc12d8f8a1f07852809c5b4d44f0f0b1d709) * parse content type properly (cherry picked from commit 16f76f4902e6f2188bea9606c68b551af186bdc0) * mentioned get in the comment (cherry picked from commit a7e61811ef8ae558ce721e2e3fed04ce7a5a5345) * add content-type: application/json to test HTTP requests * fix pluginproxy test * Fix linter when comparing errors Co-authored-by: Kevin Minehart <kmineh0151@gmail.com> Co-authored-by: Dan Cech <dcech@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Serge Zaitsev <serge.zaitsev@grafana.com> Co-authored-by: Vardan Torosyan <vardants@gmail.com>
376 lines
13 KiB
Go
376 lines
13 KiB
Go
package api
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"testing"
|
|
|
|
"github.com/grafana/grafana/pkg/api/dtos"
|
|
"github.com/grafana/grafana/pkg/api/response"
|
|
"github.com/grafana/grafana/pkg/api/routing"
|
|
"github.com/grafana/grafana/pkg/bus"
|
|
"github.com/grafana/grafana/pkg/models"
|
|
"github.com/grafana/grafana/pkg/services/annotations"
|
|
"github.com/grafana/grafana/pkg/services/sqlstore/mockstore"
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func TestAnnotationsAPIEndpoint(t *testing.T) {
|
|
t.Run("Given an annotation without a dashboard ID", func(t *testing.T) {
|
|
cmd := dtos.PostAnnotationsCmd{
|
|
Time: 1000,
|
|
Text: "annotation text",
|
|
Tags: []string{"tag1", "tag2"},
|
|
}
|
|
|
|
updateCmd := dtos.UpdateAnnotationsCmd{
|
|
Time: 1000,
|
|
Text: "annotation text",
|
|
Tags: []string{"tag1", "tag2"},
|
|
}
|
|
|
|
patchCmd := dtos.PatchAnnotationsCmd{
|
|
Time: 1000,
|
|
Text: "annotation text",
|
|
Tags: []string{"tag1", "tag2"},
|
|
}
|
|
|
|
t.Run("When user is an Org Viewer", func(t *testing.T) {
|
|
role := models.ROLE_VIEWER
|
|
t.Run("Should not be allowed to save an annotation", func(t *testing.T) {
|
|
postAnnotationScenario(t, "When calling POST on", "/api/annotations", "/api/annotations", role,
|
|
cmd, func(sc *scenarioContext) {
|
|
sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
|
|
assert.Equal(t, 403, sc.resp.Code)
|
|
})
|
|
|
|
putAnnotationScenario(t, "When calling PUT on", "/api/annotations/1", "/api/annotations/:annotationId",
|
|
role, updateCmd, func(sc *scenarioContext) {
|
|
sc.fakeReqWithParams("PUT", sc.url, map[string]string{}).exec()
|
|
assert.Equal(t, 403, sc.resp.Code)
|
|
})
|
|
|
|
patchAnnotationScenario(t, "When calling PATCH on", "/api/annotations/1",
|
|
"/api/annotations/:annotationId", role, patchCmd, func(sc *scenarioContext) {
|
|
sc.fakeReqWithParams("PATCH", sc.url, map[string]string{}).exec()
|
|
assert.Equal(t, 403, sc.resp.Code)
|
|
})
|
|
|
|
mock := mockstore.NewSQLStoreMock()
|
|
loggedInUserScenarioWithRole(t, "When calling DELETE on", "DELETE", "/api/annotations/1",
|
|
"/api/annotations/:annotationId", role, func(sc *scenarioContext) {
|
|
fakeAnnoRepo = &fakeAnnotationsRepo{}
|
|
annotations.SetRepository(fakeAnnoRepo)
|
|
sc.handlerFunc = DeleteAnnotationByID
|
|
sc.fakeReqWithParams("DELETE", sc.url, map[string]string{}).exec()
|
|
assert.Equal(t, 403, sc.resp.Code)
|
|
}, mock)
|
|
})
|
|
})
|
|
|
|
t.Run("When user is an Org Editor", func(t *testing.T) {
|
|
role := models.ROLE_EDITOR
|
|
t.Run("Should be able to save an annotation", func(t *testing.T) {
|
|
postAnnotationScenario(t, "When calling POST on", "/api/annotations", "/api/annotations", role,
|
|
cmd, func(sc *scenarioContext) {
|
|
sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
|
|
assert.Equal(t, 200, sc.resp.Code)
|
|
})
|
|
|
|
putAnnotationScenario(t, "When calling PUT on", "/api/annotations/1", "/api/annotations/:annotationId", role, updateCmd, func(sc *scenarioContext) {
|
|
sc.fakeReqWithParams("PUT", sc.url, map[string]string{}).exec()
|
|
assert.Equal(t, 200, sc.resp.Code)
|
|
})
|
|
|
|
patchAnnotationScenario(t, "When calling PATCH on", "/api/annotations/1", "/api/annotations/:annotationId", role, patchCmd, func(sc *scenarioContext) {
|
|
sc.fakeReqWithParams("PATCH", sc.url, map[string]string{}).exec()
|
|
assert.Equal(t, 200, sc.resp.Code)
|
|
})
|
|
mock := mockstore.NewSQLStoreMock()
|
|
loggedInUserScenarioWithRole(t, "When calling DELETE on", "DELETE", "/api/annotations/1",
|
|
"/api/annotations/:annotationId", role, func(sc *scenarioContext) {
|
|
fakeAnnoRepo = &fakeAnnotationsRepo{}
|
|
annotations.SetRepository(fakeAnnoRepo)
|
|
sc.handlerFunc = DeleteAnnotationByID
|
|
sc.fakeReqWithParams("DELETE", sc.url, map[string]string{}).exec()
|
|
assert.Equal(t, 200, sc.resp.Code)
|
|
}, mock)
|
|
})
|
|
})
|
|
})
|
|
|
|
t.Run("Given an annotation with a dashboard ID and the dashboard does not have an ACL", func(t *testing.T) {
|
|
cmd := dtos.PostAnnotationsCmd{
|
|
Time: 1000,
|
|
Text: "annotation text",
|
|
Tags: []string{"tag1", "tag2"},
|
|
DashboardId: 1,
|
|
PanelId: 1,
|
|
}
|
|
|
|
updateCmd := dtos.UpdateAnnotationsCmd{
|
|
Time: 1000,
|
|
Text: "annotation text",
|
|
Tags: []string{"tag1", "tag2"},
|
|
Id: 1,
|
|
}
|
|
|
|
patchCmd := dtos.PatchAnnotationsCmd{
|
|
Time: 8000,
|
|
Text: "annotation text 50",
|
|
Tags: []string{"foo", "bar"},
|
|
Id: 1,
|
|
}
|
|
|
|
deleteCmd := dtos.DeleteAnnotationsCmd{
|
|
DashboardId: 1,
|
|
PanelId: 1,
|
|
}
|
|
|
|
viewerRole := models.ROLE_VIEWER
|
|
editorRole := models.ROLE_EDITOR
|
|
|
|
aclMockResp := []*models.DashboardAclInfoDTO{
|
|
{Role: &viewerRole, Permission: models.PERMISSION_VIEW},
|
|
{Role: &editorRole, Permission: models.PERMISSION_EDIT},
|
|
}
|
|
|
|
setUp := func() {
|
|
bus.AddHandler("test", func(ctx context.Context, query *models.GetDashboardAclInfoListQuery) error {
|
|
query.Result = aclMockResp
|
|
return nil
|
|
})
|
|
|
|
bus.AddHandler("test", func(ctx context.Context, query *models.GetTeamsByUserQuery) error {
|
|
query.Result = []*models.TeamDTO{}
|
|
return nil
|
|
})
|
|
}
|
|
|
|
t.Run("When user is an Org Viewer", func(t *testing.T) {
|
|
role := models.ROLE_VIEWER
|
|
t.Run("Should not be allowed to save an annotation", func(t *testing.T) {
|
|
postAnnotationScenario(t, "When calling POST on", "/api/annotations", "/api/annotations", role, cmd, func(sc *scenarioContext) {
|
|
setUp()
|
|
sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
|
|
assert.Equal(t, 403, sc.resp.Code)
|
|
})
|
|
|
|
putAnnotationScenario(t, "When calling PUT on", "/api/annotations/1", "/api/annotations/:annotationId", role, updateCmd, func(sc *scenarioContext) {
|
|
setUp()
|
|
sc.fakeReqWithParams("PUT", sc.url, map[string]string{}).exec()
|
|
assert.Equal(t, 403, sc.resp.Code)
|
|
})
|
|
|
|
patchAnnotationScenario(t, "When calling PATCH on", "/api/annotations/1", "/api/annotations/:annotationId", role, patchCmd, func(sc *scenarioContext) {
|
|
setUp()
|
|
sc.fakeReqWithParams("PATCH", sc.url, map[string]string{}).exec()
|
|
assert.Equal(t, 403, sc.resp.Code)
|
|
})
|
|
mock := mockstore.NewSQLStoreMock()
|
|
loggedInUserScenarioWithRole(t, "When calling DELETE on", "DELETE", "/api/annotations/1",
|
|
"/api/annotations/:annotationId", role, func(sc *scenarioContext) {
|
|
setUp()
|
|
fakeAnnoRepo = &fakeAnnotationsRepo{}
|
|
annotations.SetRepository(fakeAnnoRepo)
|
|
sc.handlerFunc = DeleteAnnotationByID
|
|
sc.fakeReqWithParams("DELETE", sc.url, map[string]string{}).exec()
|
|
assert.Equal(t, 403, sc.resp.Code)
|
|
}, mock)
|
|
})
|
|
})
|
|
|
|
t.Run("When user is an Org Editor", func(t *testing.T) {
|
|
role := models.ROLE_EDITOR
|
|
t.Run("Should be able to save an annotation", func(t *testing.T) {
|
|
postAnnotationScenario(t, "When calling POST on", "/api/annotations", "/api/annotations", role, cmd, func(sc *scenarioContext) {
|
|
setUp()
|
|
sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
|
|
assert.Equal(t, 200, sc.resp.Code)
|
|
})
|
|
|
|
putAnnotationScenario(t, "When calling PUT on", "/api/annotations/1", "/api/annotations/:annotationId", role, updateCmd, func(sc *scenarioContext) {
|
|
setUp()
|
|
sc.fakeReqWithParams("PUT", sc.url, map[string]string{}).exec()
|
|
assert.Equal(t, 200, sc.resp.Code)
|
|
})
|
|
|
|
patchAnnotationScenario(t, "When calling PATCH on", "/api/annotations/1", "/api/annotations/:annotationId", role, patchCmd, func(sc *scenarioContext) {
|
|
setUp()
|
|
sc.fakeReqWithParams("PATCH", sc.url, map[string]string{}).exec()
|
|
assert.Equal(t, 200, sc.resp.Code)
|
|
})
|
|
mock := mockstore.NewSQLStoreMock()
|
|
loggedInUserScenarioWithRole(t, "When calling DELETE on", "DELETE", "/api/annotations/1",
|
|
"/api/annotations/:annotationId", role, func(sc *scenarioContext) {
|
|
setUp()
|
|
fakeAnnoRepo = &fakeAnnotationsRepo{}
|
|
annotations.SetRepository(fakeAnnoRepo)
|
|
sc.handlerFunc = DeleteAnnotationByID
|
|
sc.fakeReqWithParams("DELETE", sc.url, map[string]string{}).exec()
|
|
assert.Equal(t, 200, sc.resp.Code)
|
|
}, mock)
|
|
})
|
|
})
|
|
|
|
t.Run("When user is an Admin", func(t *testing.T) {
|
|
role := models.ROLE_ADMIN
|
|
t.Run("Should be able to do anything", func(t *testing.T) {
|
|
postAnnotationScenario(t, "When calling POST on", "/api/annotations", "/api/annotations", role, cmd, func(sc *scenarioContext) {
|
|
setUp()
|
|
sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
|
|
assert.Equal(t, 200, sc.resp.Code)
|
|
})
|
|
|
|
putAnnotationScenario(t, "When calling PUT on", "/api/annotations/1", "/api/annotations/:annotationId", role, updateCmd, func(sc *scenarioContext) {
|
|
setUp()
|
|
sc.fakeReqWithParams("PUT", sc.url, map[string]string{}).exec()
|
|
assert.Equal(t, 200, sc.resp.Code)
|
|
})
|
|
|
|
patchAnnotationScenario(t, "When calling PATCH on", "/api/annotations/1", "/api/annotations/:annotationId", role, patchCmd, func(sc *scenarioContext) {
|
|
setUp()
|
|
sc.fakeReqWithParams("PATCH", sc.url, map[string]string{}).exec()
|
|
assert.Equal(t, 200, sc.resp.Code)
|
|
})
|
|
|
|
deleteAnnotationsScenario(t, "When calling POST on", "/api/annotations/mass-delete",
|
|
"/api/annotations/mass-delete", role, deleteCmd, func(sc *scenarioContext) {
|
|
setUp()
|
|
sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
|
|
assert.Equal(t, 200, sc.resp.Code)
|
|
})
|
|
})
|
|
})
|
|
})
|
|
}
|
|
|
|
type fakeAnnotationsRepo struct {
|
|
}
|
|
|
|
func (repo *fakeAnnotationsRepo) Delete(params *annotations.DeleteParams) error {
|
|
return nil
|
|
}
|
|
func (repo *fakeAnnotationsRepo) Save(item *annotations.Item) error {
|
|
item.Id = 1
|
|
return nil
|
|
}
|
|
func (repo *fakeAnnotationsRepo) Update(item *annotations.Item) error {
|
|
return nil
|
|
}
|
|
func (repo *fakeAnnotationsRepo) Find(query *annotations.ItemQuery) ([]*annotations.ItemDTO, error) {
|
|
annotations := []*annotations.ItemDTO{{Id: 1}}
|
|
return annotations, nil
|
|
}
|
|
func (repo *fakeAnnotationsRepo) FindTags(query *annotations.TagsQuery) (annotations.FindTagsResult, error) {
|
|
result := annotations.FindTagsResult{
|
|
Tags: []*annotations.TagsDTO{},
|
|
}
|
|
return result, nil
|
|
}
|
|
|
|
var fakeAnnoRepo *fakeAnnotationsRepo
|
|
|
|
func postAnnotationScenario(t *testing.T, desc string, url string, routePattern string, role models.RoleType,
|
|
cmd dtos.PostAnnotationsCmd, fn scenarioFunc) {
|
|
t.Run(fmt.Sprintf("%s %s", desc, url), func(t *testing.T) {
|
|
t.Cleanup(bus.ClearBusHandlers)
|
|
|
|
sc := setupScenarioContext(t, url)
|
|
sc.defaultHandler = routing.Wrap(func(c *models.ReqContext) response.Response {
|
|
c.Req.Body = mockRequestBody(cmd)
|
|
c.Req.Header.Add("Content-Type", "application/json")
|
|
sc.context = c
|
|
sc.context.UserId = testUserID
|
|
sc.context.OrgId = testOrgID
|
|
sc.context.OrgRole = role
|
|
|
|
return PostAnnotation(c)
|
|
})
|
|
|
|
fakeAnnoRepo = &fakeAnnotationsRepo{}
|
|
annotations.SetRepository(fakeAnnoRepo)
|
|
|
|
sc.m.Post(routePattern, sc.defaultHandler)
|
|
|
|
fn(sc)
|
|
})
|
|
}
|
|
|
|
func putAnnotationScenario(t *testing.T, desc string, url string, routePattern string, role models.RoleType,
|
|
cmd dtos.UpdateAnnotationsCmd, fn scenarioFunc) {
|
|
t.Run(fmt.Sprintf("%s %s", desc, url), func(t *testing.T) {
|
|
t.Cleanup(bus.ClearBusHandlers)
|
|
|
|
sc := setupScenarioContext(t, url)
|
|
sc.defaultHandler = routing.Wrap(func(c *models.ReqContext) response.Response {
|
|
c.Req.Body = mockRequestBody(cmd)
|
|
c.Req.Header.Add("Content-Type", "application/json")
|
|
sc.context = c
|
|
sc.context.UserId = testUserID
|
|
sc.context.OrgId = testOrgID
|
|
sc.context.OrgRole = role
|
|
|
|
return UpdateAnnotation(c)
|
|
})
|
|
|
|
fakeAnnoRepo = &fakeAnnotationsRepo{}
|
|
annotations.SetRepository(fakeAnnoRepo)
|
|
|
|
sc.m.Put(routePattern, sc.defaultHandler)
|
|
|
|
fn(sc)
|
|
})
|
|
}
|
|
|
|
func patchAnnotationScenario(t *testing.T, desc string, url string, routePattern string, role models.RoleType, cmd dtos.PatchAnnotationsCmd, fn scenarioFunc) {
|
|
t.Run(fmt.Sprintf("%s %s", desc, url), func(t *testing.T) {
|
|
defer bus.ClearBusHandlers()
|
|
|
|
sc := setupScenarioContext(t, url)
|
|
sc.defaultHandler = routing.Wrap(func(c *models.ReqContext) response.Response {
|
|
c.Req.Body = mockRequestBody(cmd)
|
|
c.Req.Header.Add("Content-Type", "application/json")
|
|
sc.context = c
|
|
sc.context.UserId = testUserID
|
|
sc.context.OrgId = testOrgID
|
|
sc.context.OrgRole = role
|
|
|
|
return PatchAnnotation(c)
|
|
})
|
|
|
|
fakeAnnoRepo = &fakeAnnotationsRepo{}
|
|
annotations.SetRepository(fakeAnnoRepo)
|
|
|
|
sc.m.Patch(routePattern, sc.defaultHandler)
|
|
|
|
fn(sc)
|
|
})
|
|
}
|
|
|
|
func deleteAnnotationsScenario(t *testing.T, desc string, url string, routePattern string, role models.RoleType,
|
|
cmd dtos.DeleteAnnotationsCmd, fn scenarioFunc) {
|
|
t.Run(fmt.Sprintf("%s %s", desc, url), func(t *testing.T) {
|
|
defer bus.ClearBusHandlers()
|
|
|
|
sc := setupScenarioContext(t, url)
|
|
sc.defaultHandler = routing.Wrap(func(c *models.ReqContext) response.Response {
|
|
c.Req.Body = mockRequestBody(cmd)
|
|
c.Req.Header.Add("Content-Type", "application/json")
|
|
sc.context = c
|
|
sc.context.UserId = testUserID
|
|
sc.context.OrgId = testOrgID
|
|
sc.context.OrgRole = role
|
|
|
|
return DeleteAnnotations(c)
|
|
})
|
|
|
|
fakeAnnoRepo = &fakeAnnotationsRepo{}
|
|
annotations.SetRepository(fakeAnnoRepo)
|
|
|
|
sc.m.Post(routePattern, sc.defaultHandler)
|
|
|
|
fn(sc)
|
|
})
|
|
}
|