IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
f8cf67347f069310b8cc6a2d9ff83345a81e3247
grafana/pkg/services/accesscontrol/database/externalservices_test.go
Gabriel MABILLE 8c6b5a4319 RBAC: Add a function to save external service roles (#66299) 
* AuthN: Save external services RBAC roles

* Add missing test

* Placing roles in the same group

* Split function to gen role and assignment

* add test case and comments

* Ensure we check external service roles are assigned once only

* Update pkg/services/accesscontrol/models_test.go

Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>

---------

Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>
2023-05-09 13:19:38 +02:00

192 lines
5.2 KiB
Go
Raw Blame History

package database
import (
"context"
"fmt"
"testing"
"github.com/grafana/grafana/pkg/infra/db"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/stretchr/testify/require"
)
func TestAccessControlStore_SaveExternalServiceRole(t *testing.T) {
type run struct {
cmd accesscontrol.SaveExternalServiceRoleCommand
wantErr bool
}
tests := []struct {
name string
runs []run
}{
{
name: "create app role",
runs: []run{
{
cmd: accesscontrol.SaveExternalServiceRoleCommand{
ExternalServiceID: "app1",
Global: true,
ServiceAccountID: 1,
Permissions: []accesscontrol.Permission{
{Action: "users:read", Scope: "users:id:1"},
{Action: "users:read", Scope: "users:id:2"},
},
},
wantErr: false,
},
},
},
{
name: "update app role",
runs: []run{
{
cmd: accesscontrol.SaveExternalServiceRoleCommand{
ExternalServiceID: "app1",
Global: true,
ServiceAccountID: 1,
Permissions: []accesscontrol.Permission{
{Action: "users:read", Scope: "users:id:1"},
{Action: "users:read", Scope: "users:id:2"},
},
},
},
{
cmd: accesscontrol.SaveExternalServiceRoleCommand{
ExternalServiceID: "app1",
Global: true,
ServiceAccountID: 1,
Permissions: []accesscontrol.Permission{
{Action: "users:write", Scope: "users:id:1"},
{Action: "users:write", Scope: "users:id:2"},
},
},
},
},
},
{
name: "allow switching role from local to global and back",
runs: []run{
{
cmd: accesscontrol.SaveExternalServiceRoleCommand{
ExternalServiceID: "app1",
OrgID: 1,
ServiceAccountID: 1,
Permissions: []accesscontrol.Permission{
{Action: "users:read", Scope: "users:id:1"},
{Action: "users:read", Scope: "users:id:2"},
},
},
},
{
cmd: accesscontrol.SaveExternalServiceRoleCommand{
ExternalServiceID: "app1",
Global: true,
ServiceAccountID: 1,
Permissions: []accesscontrol.Permission{
{Action: "users:read", Scope: "users:id:1"},
{Action: "users:read", Scope: "users:id:2"},
},
},
},
{
cmd: accesscontrol.SaveExternalServiceRoleCommand{
ExternalServiceID: "app1",
OrgID: 1,
ServiceAccountID: 1,
Permissions: []accesscontrol.Permission{
{Action: "users:read", Scope: "users:id:1"},
{Action: "users:read", Scope: "users:id:2"},
},
},
},
},
},
{
name: "edge case - remove all permissions",
runs: []run{
{
cmd: accesscontrol.SaveExternalServiceRoleCommand{
ExternalServiceID: "app1",
Global: true,
ServiceAccountID: 1,
Permissions: []accesscontrol.Permission{
{Action: "users:read", Scope: "users:id:1"},
{Action: "users:read", Scope: "users:id:2"},
},
},
},
{
cmd: accesscontrol.SaveExternalServiceRoleCommand{
ExternalServiceID: "app1",
Global: true,
ServiceAccountID: 1,
Permissions: []accesscontrol.Permission{},
},
},
},
},
{
name: "edge case - reassign to another service account",
runs: []run{
{
cmd: accesscontrol.SaveExternalServiceRoleCommand{
ExternalServiceID: "app1",
Global: true,
ServiceAccountID: 1,
},
},
{
cmd: accesscontrol.SaveExternalServiceRoleCommand{
ExternalServiceID: "app1",
Global: true,
ServiceAccountID: 2,
},
wantErr: true,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
ctx := context.Background()
s := &AccessControlStore{
sql: db.InitTestDB(t),
}
for i := range tt.runs {
err := s.SaveExternalServiceRole(ctx, tt.runs[i].cmd)
if tt.runs[i].wantErr {
require.Error(t, err)
continue
}
require.NoError(t, err)
errDBSession := s.sql.WithDbSession(ctx, func(sess *db.Session) error {
storedRole, err := getRoleByUID(ctx, sess, fmt.Sprintf("externalservice_%s_permissions", tt.runs[i].cmd.ExternalServiceID))
require.NoError(t, err)
require.NotNil(t, storedRole)
require.Equal(t, tt.runs[i].cmd.Global, storedRole.Global(), "Incorrect global state of the role")
require.Equal(t, tt.runs[i].cmd.OrgID, storedRole.OrgID, "Incorrect OrgID of the role")
storedPerm, err := getRolePermissions(ctx, sess, storedRole.ID)
require.NoError(t, err)
for i := range storedPerm {
storedPerm[i] = accesscontrol.Permission{Action: storedPerm[i].Action, Scope: storedPerm[i].Scope}
}
require.ElementsMatch(t, tt.runs[i].cmd.Permissions, storedPerm)
var assignment accesscontrol.UserRole
has, err := sess.Where("role_id = ? AND user_id = ?", storedRole.ID, tt.runs[i].cmd.ServiceAccountID).Get(&assignment)
require.NoError(t, err)
require.True(t, has)
require.Equal(t, tt.runs[i].cmd.Global, assignment.OrgID == accesscontrol.GlobalOrgID, "Incorrect global state of the assignment")
require.Equal(t, tt.runs[i].cmd.OrgID, assignment.OrgID, "Incorrect OrgID for the role assignment")
return nil
})
require.NoError(t, errDBSession)
}
})
}
}
Reference in New Issue View Git Blame Copy Permalink