mirror of
https://github.com/grafana/grafana.git
synced 2025-02-25 18:55:37 -06:00
120 lines
3.7 KiB
Go
120 lines
3.7 KiB
Go
package oasimpl
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/stretchr/testify/mock"
|
|
"github.com/stretchr/testify/require"
|
|
|
|
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
|
|
"github.com/grafana/grafana/pkg/services/extsvcauth/oauthserver"
|
|
"github.com/grafana/grafana/pkg/services/user"
|
|
)
|
|
|
|
var cachedExternalService = func() *oauthserver.OAuthExternalService {
|
|
return &oauthserver.OAuthExternalService{
|
|
Name: "my-ext-service",
|
|
ClientID: "RANDOMID",
|
|
Secret: "RANDOMSECRET",
|
|
GrantTypes: "client_credentials",
|
|
PublicPem: []byte("-----BEGIN PUBLIC KEY-----"),
|
|
ServiceAccountID: 1,
|
|
SelfPermissions: []ac.Permission{{Action: "users:impersonate", Scope: "users:*"}},
|
|
SignedInUser: &user.SignedInUser{
|
|
UserID: 2,
|
|
OrgID: 1,
|
|
Permissions: map[int64]map[string][]string{
|
|
1: {
|
|
"users:impersonate": {"users:*"},
|
|
},
|
|
},
|
|
},
|
|
}
|
|
}
|
|
|
|
func TestOAuth2ServiceImpl_GetPublicKeyScopes(t *testing.T) {
|
|
testCases := []struct {
|
|
name string
|
|
initTestEnv func(*TestEnv)
|
|
impersonatePermissions []ac.Permission
|
|
userID string
|
|
expectedScopes []string
|
|
wantErr bool
|
|
}{
|
|
{
|
|
name: "should error out when GetExternalService returns error",
|
|
initTestEnv: func(env *TestEnv) {
|
|
env.OAuthStore.On("GetExternalService", mock.Anything, mock.Anything).Return(nil, oauthserver.ErrClientNotFoundFn("my-ext-service"))
|
|
},
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "should error out when the user id cannot be parsed",
|
|
initTestEnv: func(env *TestEnv) {
|
|
env.S.cache.Set("my-ext-service", *cachedExternalService(), time.Minute)
|
|
},
|
|
userID: "user:3",
|
|
wantErr: true,
|
|
},
|
|
{
|
|
name: "should return no scope when the external service is not allowed to impersonate the user",
|
|
initTestEnv: func(env *TestEnv) {
|
|
client := cachedExternalService()
|
|
client.SignedInUser.Permissions = map[int64]map[string][]string{}
|
|
env.S.cache.Set("my-ext-service", *client, time.Minute)
|
|
},
|
|
userID: "user:id:3",
|
|
expectedScopes: nil,
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "should return no scope when the external service has an no impersonate permission",
|
|
initTestEnv: func(env *TestEnv) {
|
|
client := cachedExternalService()
|
|
client.ImpersonatePermissions = []ac.Permission{}
|
|
env.S.cache.Set("my-ext-service", *client, time.Minute)
|
|
},
|
|
userID: "user:id:3",
|
|
expectedScopes: []string{},
|
|
wantErr: false,
|
|
},
|
|
{
|
|
name: "should return the scopes when the external service has impersonate permissions",
|
|
initTestEnv: func(env *TestEnv) {
|
|
env.S.cache.Set("my-ext-service", *cachedExternalService(), time.Minute)
|
|
client := cachedExternalService()
|
|
client.ImpersonatePermissions = []ac.Permission{
|
|
{Action: ac.ActionUsersImpersonate, Scope: ac.ScopeUsersAll},
|
|
{Action: ac.ActionUsersRead, Scope: oauthserver.ScopeGlobalUsersSelf},
|
|
{Action: ac.ActionUsersPermissionsRead, Scope: oauthserver.ScopeUsersSelf},
|
|
{Action: ac.ActionTeamsRead, Scope: oauthserver.ScopeTeamsSelf}}
|
|
env.S.cache.Set("my-ext-service", *client, time.Minute)
|
|
},
|
|
userID: "user:id:3",
|
|
expectedScopes: []string{"users:impersonate",
|
|
"profile", "email", ac.ActionUsersRead,
|
|
"entitlements", ac.ActionUsersPermissionsRead,
|
|
"groups", ac.ActionTeamsRead},
|
|
wantErr: false,
|
|
},
|
|
}
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
env := setupTestEnv(t)
|
|
if tc.initTestEnv != nil {
|
|
tc.initTestEnv(env)
|
|
}
|
|
|
|
scopes, err := env.S.GetPublicKeyScopes(context.Background(), "my-ext-service", tc.userID, "")
|
|
if tc.wantErr {
|
|
require.Error(t, err)
|
|
return
|
|
}
|
|
|
|
require.ElementsMatch(t, tc.expectedScopes, scopes)
|
|
})
|
|
}
|
|
}
|