mirror of
https://github.com/grafana/grafana.git
synced 2025-02-20 11:48:34 -06:00
6da850a2f2
* RBAC: Add function to reduce permissions * Make names readable Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Remove copy pasted comment * Nit. Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>
104 lines
2.6 KiB
Go
104 lines
2.6 KiB
Go
package accesscontrol
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestReduce(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
ps []Permission
|
|
want map[string][]string
|
|
}{
|
|
{
|
|
name: "no permission",
|
|
ps: []Permission{},
|
|
want: map[string][]string{},
|
|
},
|
|
{
|
|
name: "scopeless permissions",
|
|
ps: []Permission{{Action: "orgs:read"}},
|
|
want: map[string][]string{"orgs:read": nil},
|
|
},
|
|
{ // edge case that should not exist
|
|
name: "mixed scope and scopeless permissions",
|
|
ps: []Permission{
|
|
{Action: "resources:read", Scope: "resources:id:1"},
|
|
{Action: "resources:read"},
|
|
},
|
|
want: map[string][]string{"resources:read": {"resources:id:1"}},
|
|
},
|
|
{
|
|
name: "specific permission",
|
|
ps: []Permission{
|
|
{Action: "teams:read", Scope: "teams:id:1"},
|
|
{Action: "teams:read", Scope: "teams:id:2"},
|
|
{Action: "teams:write", Scope: "teams:id:1"},
|
|
},
|
|
want: map[string][]string{
|
|
"teams:read": {"teams:id:1", "teams:id:2"},
|
|
"teams:write": {"teams:id:1"},
|
|
},
|
|
},
|
|
{
|
|
name: "wildcard permission",
|
|
ps: []Permission{
|
|
{Action: "teams:read", Scope: "teams:id:1"},
|
|
{Action: "teams:read", Scope: "teams:id:2"},
|
|
{Action: "teams:read", Scope: "teams:id:*"},
|
|
{Action: "teams:write", Scope: "teams:id:1"},
|
|
},
|
|
want: map[string][]string{
|
|
"teams:read": {"teams:id:*"},
|
|
"teams:write": {"teams:id:1"},
|
|
},
|
|
},
|
|
{
|
|
name: "mixed wildcard and scoped permission",
|
|
ps: []Permission{
|
|
{Action: "dashboards:read", Scope: "dashboards:*"},
|
|
{Action: "dashboards:read", Scope: "folders:uid:1"},
|
|
},
|
|
want: map[string][]string{
|
|
"dashboards:read": {"dashboards:*", "folders:uid:1"},
|
|
},
|
|
},
|
|
{
|
|
name: "different wildcard permission",
|
|
ps: []Permission{
|
|
{Action: "dashboards:read", Scope: "dashboards:uid:*"},
|
|
{Action: "dashboards:read", Scope: "dashboards:*"},
|
|
{Action: "dashboards:read", Scope: "folders:uid:*"},
|
|
{Action: "dashboards:read", Scope: "folders:*"},
|
|
},
|
|
want: map[string][]string{
|
|
"dashboards:read": {"dashboards:*", "folders:*"},
|
|
},
|
|
},
|
|
{
|
|
name: "root wildcard permission",
|
|
ps: []Permission{
|
|
{Action: "dashboards:read", Scope: "*"},
|
|
{Action: "dashboards:read", Scope: "dashboards:*"},
|
|
{Action: "dashboards:read", Scope: "folders:*"},
|
|
},
|
|
want: map[string][]string{
|
|
"dashboards:read": {"*"},
|
|
},
|
|
},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
got := Reduce(tt.ps)
|
|
require.Len(t, got, len(tt.want))
|
|
for action, scopes := range got {
|
|
want, ok := tt.want[action]
|
|
require.True(t, ok)
|
|
require.ElementsMatch(t, scopes, want)
|
|
}
|
|
})
|
|
}
|
|
}
|