mirror of
https://github.com/grafana/grafana.git
synced 2025-02-15 01:53:33 -06:00
edf1775d49
* Moving POC files from #64283 to a new branch
Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
* Adding missing permission definition
Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
* Force the service instantiation while client isn't merged
Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
* Merge conf with main
Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
* Leave go-sqlite3 version unchanged
Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
* tidy
Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
* User SearchUserPermissions instead of SearchUsersPermissions
* Replace DummyKeyService with signingkeys.Service
* Use user🆔<id> as subject
* Fix introspection endpoint issue
* Add X-Grafana-Org-Id to get_resources.bash script
* Regenerate toggles_gen.go
* Fix basic.go
* Add GetExternalService tests
* Add GetPublicKeyScopes tests
* Add GetScopesOnUser tests
* Add GetScopes tests
* Add ParsePublicKeyPem tests
* Add database test for GetByName
* re-add comments
* client tests added
* Add GetExternalServicePublicKey tests
* Add other test case to GetExternalServicePublicKey
* client_credentials grant test
* Add test to jwtbearer grant
* Test Comments
* Add handleKeyOptions tests
* Add RSA key generation test
* Add ECDSA by default to EmbeddedSigningKeysService
* Clean up org id scope and audiences
* Add audiences to the DB
* Fix check on Audience
* Fix double import
* Add AC Store mock and align oauthserver tests
* Fix test after rebase
* Adding missing store function to mock
* Fix double import
* Add CODEOWNER
* Fix some linting errors
* errors don't need type assertion
* Typo codeowners
* use mockery for oauthserver store
* Add feature toggle check
* Fix db tests to handle the feature flag
* Adding call to DeleteExternalServiceRole
* Fix flaky test
* Re-organize routes comments and plan futur work
* Add client_id check to Extended JWT client
* Clean up
* Fix
* Remove background service registry instantiation of the OAuth server
* Comment cleanup
* Remove unused client function
* Update go.mod to use the latest ory/fosite commit
* Remove oauth2_server related configs from defaults.ini
* Add audiences to DTO
* Fix flaky test
* Remove registration endpoint and demo scripts. Document code
* Rename packages
* Remove the OAuthService vs OAuthServer confusion
* fix incorrect import ext_jwt_test
* Comments and order
* Comment basic auth
* Remove unecessary todo
* Clean api
* Moving ParsePublicKeyPem to utils
* re ordering functions in service.go
* Fix comment
* comment on the redirect uri
* Add RBAC actions, not only scopes
* Fix tests
* re-import featuremgmt in migrations
* Fix wire
* Fix scopes in test
* Fix flaky test
* Remove todo, the intersection should always return the minimal set
* Remove unecessary check from intersection code
* Allow env overrides on settings
* remove the term app name
* Remove app keyword for client instead and use Name instead of ExternalServiceName
* LogID remove ExternalService ref
* Use Name instead of ExternalServiceName
* Imports order
* Inline
* Using ExternalService and ExternalServiceDTO
* Remove xorm tags
* comment
* Rename client files
* client -> external service
* comments
* Move test to correct package
* slimmer test
* cachedUser -> cachedExternalService
* Fix aggregate store test
* PluginAuthSession -> AuthSession
* Revert the nil cehcks
* Remove unecessary extra
* Removing custom session
* fix typo in test
* Use constants for tests
* Simplify HandleToken tests
* Refactor the HandleTokenRequest test
* test message
* Review test
* Prevent flacky test on client as well
* go imports
* Revert changes from 526e48ad45
* AuthN: Change the External Service registration form (#68649)
* AuthN: change the External Service registration form
* Gen default permissions
* Change demo script registration form
* Remove unecessary comment
* Nit.
* Reduce cyclomatic complexity
* Remove demo_scripts
* Handle case with no service account
* Comments
* Group key gen
* Nit.
* Check the SaveExternalService test
* Rename cachedUser to cachedClient in test
* One more test case to database test
* Comments
* Remove last org scope
Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
* Update pkg/services/oauthserver/utils/utils_test.go
* Update pkg/services/sqlstore/migrations/oauthserver/migrations.go
Remove comment
* Update pkg/setting/setting.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
---------
Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
211 lines
6.6 KiB
Go
211 lines
6.6 KiB
Go
package oauthserver
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol/acimpl"
|
|
"github.com/grafana/grafana/pkg/services/dashboards"
|
|
"github.com/grafana/grafana/pkg/services/user"
|
|
"github.com/grafana/grafana/pkg/setting"
|
|
)
|
|
|
|
func setupTestEnv(t *testing.T) *ExternalService {
|
|
t.Helper()
|
|
|
|
client := &ExternalService{
|
|
Name: "my-ext-service",
|
|
ClientID: "RANDOMID",
|
|
Secret: "RANDOMSECRET",
|
|
GrantTypes: "client_credentials,urn:ietf:params:oauth:grant-type:jwt-bearer",
|
|
ServiceAccountID: 2,
|
|
SelfPermissions: []ac.Permission{
|
|
{Action: ac.ActionUsersImpersonate, Scope: ac.ScopeUsersAll},
|
|
},
|
|
SignedInUser: &user.SignedInUser{
|
|
UserID: 2,
|
|
OrgID: 1,
|
|
},
|
|
}
|
|
return client
|
|
}
|
|
|
|
func TestExternalService_GetScopesOnUser(t *testing.T) {
|
|
testCases := []struct {
|
|
name string
|
|
impersonatePermissions []ac.Permission
|
|
initTestEnv func(*ExternalService)
|
|
expectedScopes []string
|
|
}{
|
|
{
|
|
name: "should return nil when the service account has no impersonate permissions",
|
|
expectedScopes: nil,
|
|
},
|
|
{
|
|
name: "should return the 'profile', 'email' and associated RBAC action",
|
|
initTestEnv: func(c *ExternalService) {
|
|
c.SignedInUser.Permissions = map[int64]map[string][]string{
|
|
1: {
|
|
ac.ActionUsersImpersonate: {ac.ScopeUsersAll},
|
|
},
|
|
}
|
|
c.ImpersonatePermissions = []ac.Permission{
|
|
{Action: ac.ActionUsersRead, Scope: ScopeGlobalUsersSelf},
|
|
}
|
|
},
|
|
expectedScopes: []string{"profile", "email", ac.ActionUsersRead},
|
|
},
|
|
{
|
|
name: "should return 'entitlements' and associated RBAC action scopes",
|
|
initTestEnv: func(c *ExternalService) {
|
|
c.SignedInUser.Permissions = map[int64]map[string][]string{
|
|
1: {
|
|
ac.ActionUsersImpersonate: {ac.ScopeUsersAll},
|
|
},
|
|
}
|
|
c.ImpersonatePermissions = []ac.Permission{
|
|
{Action: ac.ActionUsersPermissionsRead, Scope: ScopeUsersSelf},
|
|
}
|
|
},
|
|
expectedScopes: []string{"entitlements", ac.ActionUsersPermissionsRead},
|
|
},
|
|
{
|
|
name: "should return 'groups' and associated RBAC action scopes",
|
|
initTestEnv: func(c *ExternalService) {
|
|
c.SignedInUser.Permissions = map[int64]map[string][]string{
|
|
1: {
|
|
ac.ActionUsersImpersonate: {ac.ScopeUsersAll},
|
|
},
|
|
}
|
|
c.ImpersonatePermissions = []ac.Permission{
|
|
{Action: ac.ActionTeamsRead, Scope: ScopeTeamsSelf},
|
|
}
|
|
},
|
|
expectedScopes: []string{"groups", ac.ActionTeamsRead},
|
|
},
|
|
{
|
|
name: "should return all scopes",
|
|
initTestEnv: func(c *ExternalService) {
|
|
c.SignedInUser.Permissions = map[int64]map[string][]string{
|
|
1: {
|
|
ac.ActionUsersImpersonate: {ac.ScopeUsersAll},
|
|
},
|
|
}
|
|
c.ImpersonatePermissions = []ac.Permission{
|
|
{Action: ac.ActionUsersRead, Scope: ScopeGlobalUsersSelf},
|
|
{Action: ac.ActionUsersPermissionsRead, Scope: ScopeUsersSelf},
|
|
{Action: ac.ActionTeamsRead, Scope: ScopeTeamsSelf},
|
|
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeDashboardsAll},
|
|
}
|
|
},
|
|
expectedScopes: []string{"profile", "email", ac.ActionUsersRead,
|
|
"entitlements", ac.ActionUsersPermissionsRead,
|
|
"groups", ac.ActionTeamsRead,
|
|
"dashboards:read"},
|
|
},
|
|
{
|
|
name: "should return stored scopes when the client's impersonate scopes has already been set",
|
|
initTestEnv: func(c *ExternalService) {
|
|
c.SignedInUser.Permissions = map[int64]map[string][]string{
|
|
1: {
|
|
ac.ActionUsersImpersonate: {ac.ScopeUsersAll},
|
|
},
|
|
}
|
|
c.ImpersonateScopes = []string{"dashboard:create", "profile", "email", "entitlements", "groups"}
|
|
},
|
|
expectedScopes: []string{"profile", "email", "entitlements", "groups", "dashboard:create"},
|
|
},
|
|
}
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
c := setupTestEnv(t)
|
|
if tc.initTestEnv != nil {
|
|
tc.initTestEnv(c)
|
|
}
|
|
scopes := c.GetScopesOnUser(context.Background(), acimpl.ProvideAccessControl(setting.NewCfg()), 3)
|
|
require.ElementsMatch(t, tc.expectedScopes, scopes)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestExternalService_GetScopes(t *testing.T) {
|
|
testCases := []struct {
|
|
name string
|
|
impersonatePermissions []ac.Permission
|
|
initTestEnv func(*ExternalService)
|
|
expectedScopes []string
|
|
}{
|
|
{
|
|
name: "should return default scopes when the signed in user is nil",
|
|
initTestEnv: func(c *ExternalService) {
|
|
c.SignedInUser = nil
|
|
},
|
|
expectedScopes: []string{"profile", "email", "entitlements", "groups"},
|
|
},
|
|
{
|
|
name: "should return default scopes when the signed in user has no permissions",
|
|
initTestEnv: func(c *ExternalService) {
|
|
c.SignedInUser.Permissions = map[int64]map[string][]string{}
|
|
},
|
|
expectedScopes: []string{"profile", "email", "entitlements", "groups"},
|
|
},
|
|
{
|
|
name: "should return additional scopes from signed in user's permissions",
|
|
initTestEnv: func(c *ExternalService) {
|
|
c.SignedInUser.Permissions = map[int64]map[string][]string{
|
|
1: {
|
|
dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll},
|
|
},
|
|
}
|
|
},
|
|
expectedScopes: []string{"profile", "email", "entitlements", "groups", "dashboards:read"},
|
|
},
|
|
{
|
|
name: "should return stored scopes when the client's scopes has already been set",
|
|
initTestEnv: func(c *ExternalService) {
|
|
c.Scopes = []string{"profile", "email", "entitlements", "groups"}
|
|
},
|
|
expectedScopes: []string{"profile", "email", "entitlements", "groups"},
|
|
},
|
|
}
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
c := setupTestEnv(t)
|
|
if tc.initTestEnv != nil {
|
|
tc.initTestEnv(c)
|
|
}
|
|
scopes := c.GetScopes()
|
|
require.ElementsMatch(t, tc.expectedScopes, scopes)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestExternalService_ToDTO(t *testing.T) {
|
|
client := &ExternalService{
|
|
ID: 1,
|
|
Name: "my-ext-service",
|
|
ClientID: "test",
|
|
Secret: "testsecret",
|
|
RedirectURI: "http://localhost:3000",
|
|
GrantTypes: "client_credentials,urn:ietf:params:oauth:grant-type:jwt-bearer",
|
|
Audiences: "https://example.org,https://second.example.org",
|
|
PublicPem: []byte("pem_encoded_public_key"),
|
|
}
|
|
|
|
dto := client.ToDTO()
|
|
|
|
require.Equal(t, client.ClientID, dto.ID)
|
|
require.Equal(t, client.Name, dto.Name)
|
|
require.Equal(t, client.RedirectURI, dto.RedirectURI)
|
|
require.Equal(t, client.GrantTypes, dto.GrantTypes)
|
|
require.Equal(t, client.Audiences, dto.Audiences)
|
|
require.Equal(t, client.PublicPem, []byte(dto.KeyResult.PublicPem))
|
|
require.Empty(t, dto.KeyResult.PrivatePem)
|
|
require.Empty(t, dto.KeyResult.URL)
|
|
require.False(t, dto.KeyResult.Generated)
|
|
require.Equal(t, client.Secret, dto.Secret)
|
|
}
|