package acimpl_test
import (
"context"
"testing"
"github.com/stretchr/testify/assert"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/accesscontrol/acimpl"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/user"
)
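// TestAccessControl_Evaluate exercises AccessControl.Evaluate on the paths that
// matter for authorization: a permission stored on the user grants access, a
// missing permission denies it, a permission that is only held in a different
// org must not leak into the user's current org, and a registered scope
// attribute resolver can translate the evaluator's scope into one the user
// actually holds.
func TestAccessControl_Evaluate(t *testing.T) {
	type testCase struct {
		desc string
		// user under test. Permissions is keyed by org ID, so only the entry
		// matching user.OrgID is expected to count towards the decision.
		user           user.SignedInUser
		evaluator      accesscontrol.Evaluator
		resolverPrefix string
		expected       bool
		// expectedErr is matched with errors.Is semantics; nil means Evaluate
		// must not return an error at all.
		expectedErr   error
		scopeResolver accesscontrol.ScopeAttributeResolver
	}
	tests := []testCase{
		{
			desc: "expect user to have access when correct permission is stored on user",
			user: user.SignedInUser{
				OrgID: 1,
				Permissions: map[int64]map[string][]string{
					1: {accesscontrol.ActionTeamsWrite: {"teams:*"}},
				},
			},
			evaluator: accesscontrol.EvalPermission(accesscontrol.ActionTeamsWrite, "teams:id:1"),
			expected:  true,
		},
		{
			desc: "expect user to not have access without required permissions",
			user: user.SignedInUser{
				OrgID: 1,
				Permissions: map[int64]map[string][]string{
					1: {accesscontrol.ActionTeamsWrite: {"teams:*"}},
				},
			},
			evaluator: accesscontrol.EvalPermission(accesscontrol.ActionOrgUsersWrite, "users:id:1"),
			expected:  false,
		},
		{
			// Org isolation: the permission exists, but only under org 2, while
			// the user is acting in org 1. Evaluate must fail closed here.
			desc: "expect user to not have access when permission is only held in another org",
			user: user.SignedInUser{
				OrgID: 1,
				Permissions: map[int64]map[string][]string{
					2: {accesscontrol.ActionTeamsWrite: {"teams:*"}},
				},
			},
			evaluator: accesscontrol.EvalPermission(accesscontrol.ActionTeamsWrite, "teams:id:1"),
			expected:  false,
		},
		{
			desc: "expect user to have access when resolver translate scope",
			user: user.SignedInUser{
				OrgID: 1,
				Permissions: map[int64]map[string][]string{
					1: {accesscontrol.ActionTeamsWrite: {"another:scope"}},
				},
			},
			evaluator:      accesscontrol.EvalPermission(accesscontrol.ActionTeamsWrite, "teams:id:1"),
			resolverPrefix: "teams:id:",
			// The resolver ignores its input and always maps onto the scope the
			// user holds, so the translated evaluator should match.
			scopeResolver: accesscontrol.ScopeAttributeResolverFunc(func(ctx context.Context, orgID int64, scope string) ([]string, error) {
				return []string{"another:scope"}, nil
			}),
			expected: true,
		},
		// NOTE(review): no case sets expectedErr, so the error branch below is
		// never exercised. A resolver that returns an error would cover it —
		// confirm that Evaluate surfaces the error (and denies access) before
		// adding that case.
	}
	for _, tt := range tests {
		t.Run(tt.desc, func(t *testing.T) {
			// A fresh AccessControl per case so a resolver registered by one
			// case cannot influence another.
			ac := acimpl.ProvideAccessControl(featuremgmt.WithFeatures(featuremgmt.FlagAccessActionSets))
			if tt.scopeResolver != nil {
				ac.RegisterScopeAttributeResolver(tt.resolverPrefix, tt.scopeResolver)
			}
			hasAccess, err := ac.Evaluate(context.Background(), &tt.user, tt.evaluator)
			assert.Equal(t, tt.expected, hasAccess)
			if tt.expectedErr != nil {
				// ErrorIs rather than Equal so a wrapped error still matches.
				assert.ErrorIs(t, err, tt.expectedErr)
			} else {
				assert.NoError(t, err)
			}
		})
	}
}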