apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
47494 Commits
2179 Branches
608 Tags
1.9 GiB
Tag: Branch: Tree: 1caaa56de0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1caaa56de0'
${ noResults }
grafana/pkg/services/sqlstore/permissions/dashboard_test.go

930 lines
36 KiB
Raw Normal View History Unescape

RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
package permissions_test
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
import (
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
"context"
"strconv"
Search v1: Remove unnecessary subqueries (#72388) * Add feature flag * Introduce interface and dummy implementation * Add tests for the new filter * accessControlDashboardPermissionFilterNoFolderSubquery implementation * join only if it's necessary * force ordering for tests * Temporarily enable new query for benchmarks
2 years ago
"strings"
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
"testing"
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
"time"
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
chore: move dashboard_acl models into dashboard service (#62151)
2 years ago
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
"github.com/grafana/grafana/pkg/bus"
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
"github.com/grafana/grafana/pkg/components/simplejson"
"github.com/grafana/grafana/pkg/infra/db"
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
"github.com/grafana/grafana/pkg/infra/tracing"
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
"github.com/grafana/grafana/pkg/services/accesscontrol"
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
"github.com/grafana/grafana/pkg/services/accesscontrol/mock"
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
"github.com/grafana/grafana/pkg/services/dashboards"
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
"github.com/grafana/grafana/pkg/services/dashboards/dashboardaccess"
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
"github.com/grafana/grafana/pkg/services/dashboards/database"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/folder"
"github.com/grafana/grafana/pkg/services/folder/folderimpl"
"github.com/grafana/grafana/pkg/services/guardian"
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
"github.com/grafana/grafana/pkg/services/login"
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
"github.com/grafana/grafana/pkg/services/org"
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
"github.com/grafana/grafana/pkg/services/quota/quotatest"
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
"github.com/grafana/grafana/pkg/services/sqlstore"
"github.com/grafana/grafana/pkg/services/sqlstore/permissions"
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
"github.com/grafana/grafana/pkg/services/sqlstore/searchstore"
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
"github.com/grafana/grafana/pkg/services/tag/tagimpl"
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
3 years ago
"github.com/grafana/grafana/pkg/services/user"
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
)
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
func TestIntegration_DashboardPermissionFilter(t *testing.T) {
if testing.Short() {
t.Skip("skipping integration test")
}
type testCase struct {
desc string
queryType string
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission dashboardaccess.PermissionType
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
permissions []accesscontrol.Permission
expectedResult int
}
tests := []testCase{
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
{
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
desc: "Should be able to view all dashboards with wildcard scope",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeDashboardsAll},
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
},
RBAC: Allow scoping access to root level dashboards (#76987) * correctly check permissions to list dashboards on the root * correctly display the access inherited from general folder for dashboards * Update pkg/services/sqlstore/permissions/dashboard.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update dashboard_filter_no_subquery.go --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
expectedResult: 110,
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
},
{
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
desc: "Should be able to view all dashboards with folder wildcard scope",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersAll},
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
},
RBAC: Allow scoping access to root level dashboards (#76987) * correctly check permissions to list dashboards on the root * correctly display the access inherited from general folder for dashboards * Update pkg/services/sqlstore/permissions/dashboard.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update dashboard_filter_no_subquery.go --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
expectedResult: 110,
},
{
desc: "Should be able to view dashboards under the root with folders:uid:general scope",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
RBAC: Allow scoping access to root level dashboards (#76987) * correctly check permissions to list dashboards on the root * correctly display the access inherited from general folder for dashboards * Update pkg/services/sqlstore/permissions/dashboard.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update dashboard_filter_no_subquery.go --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(folder.GeneralFolderUID)},
},
expectedResult: 10,
},
{
desc: "Should not be able to view editable dashboards under the root with folders:uid:general scope if missing write action",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_EDIT,
RBAC: Allow scoping access to root level dashboards (#76987) * correctly check permissions to list dashboards on the root * correctly display the access inherited from general folder for dashboards * Update pkg/services/sqlstore/permissions/dashboard.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update dashboard_filter_no_subquery.go --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(folder.GeneralFolderUID)},
},
expectedResult: 0,
},
{
desc: "Should be able to view editable dashboards under the root with folders:uid:general scope if has write action",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_EDIT,
RBAC: Allow scoping access to root level dashboards (#76987) * correctly check permissions to list dashboards on the root * correctly display the access inherited from general folder for dashboards * Update pkg/services/sqlstore/permissions/dashboard.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update dashboard_filter_no_subquery.go --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(folder.GeneralFolderUID)},
{Action: dashboards.ActionDashboardsWrite, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(folder.GeneralFolderUID)},
},
expectedResult: 10,
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
},
{
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
desc: "Should be able to view a subset of dashboards with dashboard scopes",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:110"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:40"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:22"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:13"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:55"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:99"},
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
},
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
expectedResult: 6,
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
},
{
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
desc: "Should be able to view a subset of dashboards with dashboard action and folder scope",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:8"},
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:10"},
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
},
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
expectedResult: 20,
},
{
desc: "Should be able to view all folders with folder wildcard",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:*"},
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
},
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
expectedResult: 10,
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
},
{
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
desc: "Should be able to view a subset folders",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:3"},
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:6"},
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:9"},
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
},
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
expectedResult: 3,
},
{
desc: "Should return folders and dashboard with 'edit' permission",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_EDIT,
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:3"},
{Action: dashboards.ActionDashboardsCreate, Scope: "folders:uid:3"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:33"},
{Action: dashboards.ActionDashboardsWrite, Scope: "dashboards:uid:33"},
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
},
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
expectedResult: 2,
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
},
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
{
desc: "Should return the dashboards that the User has dashboards:write permission on in case of 'edit' permission",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_EDIT,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:3"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:31"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:32"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:33"},
{Action: dashboards.ActionDashboardsWrite, Scope: "dashboards:uid:33"},
},
expectedResult: 1,
},
{
desc: "Should return the folders that the User has dashboards:create permission on in case of 'edit' permission",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_EDIT,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:3"},
{Action: dashboards.ActionDashboardsCreate, Scope: "folders:uid:3"},
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:4"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:32"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:33"},
},
expectedResult: 1,
},
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
{
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
desc: "Should return folders that users can read alerts from",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
queryType: searchstore.TypeAlertFolder,
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:3"},
{Action: accesscontrol.ActionAlertingRuleRead, Scope: "folders:uid:3"},
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:8"},
{Action: accesscontrol.ActionAlertingRuleRead, Scope: "folders:uid:8"},
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
},
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
expectedResult: 2,
},
{
desc: "Should return folders that users can read alerts when user has read wildcard",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
queryType: searchstore.TypeAlertFolder,
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "*"},
{Action: accesscontrol.ActionAlertingRuleRead, Scope: "folders:uid:3"},
{Action: accesscontrol.ActionAlertingRuleRead, Scope: "folders:uid:8"},
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
},
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
expectedResult: 2,
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
},
}
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
for _, tt := range tests {
RBAC: Allow scoping access to root level dashboards (#76987) * correctly check permissions to list dashboards on the root * correctly display the access inherited from general folder for dashboards * Update pkg/services/sqlstore/permissions/dashboard.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update dashboard_filter_no_subquery.go --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
store := setupTest(t, 10, 110, tt.permissions)
Search v1: Remove unnecessary subqueries (#72388) * Add feature flag * Introduce interface and dummy implementation * Add tests for the new filter * accessControlDashboardPermissionFilterNoFolderSubquery implementation * join only if it's necessary * force ordering for tests * Temporarily enable new query for benchmarks
2 years ago
recursiveQueriesAreSupported, err := store.RecursiveQueriesAreSupported()
require.NoError(t, err)
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
Search v1: Remove unnecessary subqueries (#72388) * Add feature flag * Introduce interface and dummy implementation * Add tests for the new filter * accessControlDashboardPermissionFilterNoFolderSubquery implementation * join only if it's necessary * force ordering for tests * Temporarily enable new query for benchmarks
2 years ago
usr := &user.SignedInUser{OrgID: 1, OrgRole: org.RoleViewer, Permissions: map[int64]map[string][]string{1: accesscontrol.GroupScopesByAction(tt.permissions)}}
FeatureFlags: Use interface rather than manager (#80000)
1 year ago
for _, features := range []featuremgmt.FeatureToggles{featuremgmt.WithFeatures(), featuremgmt.WithFeatures(featuremgmt.FlagPermissionsFilterRemoveSubquery)} {
Search v1: Remove unnecessary subqueries (#72388) * Add feature flag * Introduce interface and dummy implementation * Add tests for the new filter * accessControlDashboardPermissionFilterNoFolderSubquery implementation * join only if it's necessary * force ordering for tests * Temporarily enable new query for benchmarks
2 years ago
m := features.GetEnabled(context.Background())
keys := make([]string, 0, len(m))
for k := range m {
keys = append(keys, k)
}
t.Run(tt.desc+" with features "+strings.Join(keys, ","), func(t *testing.T) {
filter := permissions.NewAccessControlDashboardPermissionFilter(usr, tt.permission, tt.queryType, features, recursiveQueriesAreSupported)
var result int
err = store.WithDbSession(context.Background(), func(sess *sqlstore.DBSession) error {
q, params := filter.Where()
recQry, recQryParams := filter.With()
params = append(recQryParams, params...)
leftJoin := filter.LeftJoin()
s := recQry + "\nSELECT COUNT(*) FROM dashboard WHERE " + q
if leftJoin != "" {
s = recQry + "\nSELECT COUNT(*) FROM dashboard LEFT OUTER JOIN " + leftJoin + " WHERE " + q
}
_, err := sess.SQL(s, params...).Get(&result)
return err
})
require.NoError(t, err)
assert.Equal(t, tt.expectedResult, result)
})
}
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
}
}
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
func TestIntegration_DashboardPermissionFilter_WithSelfContainedPermissions(t *testing.T) {
if testing.Short() {
t.Skip("skipping integration test")
}
type testCase struct {
desc string
queryType string
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission dashboardaccess.PermissionType
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
signedInUserPermissions []accesscontrol.Permission
expectedResult int
}
tests := []testCase{
{
desc: "Should be able to view all dashboards with wildcard scope",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeDashboardsAll},
},
RBAC: Allow scoping access to root level dashboards (#76987) * correctly check permissions to list dashboards on the root * correctly display the access inherited from general folder for dashboards * Update pkg/services/sqlstore/permissions/dashboard.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update dashboard_filter_no_subquery.go --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
expectedResult: 110,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
},
{
desc: "Should be able to view all dashboards with folder wildcard scope",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersAll},
},
RBAC: Allow scoping access to root level dashboards (#76987) * correctly check permissions to list dashboards on the root * correctly display the access inherited from general folder for dashboards * Update pkg/services/sqlstore/permissions/dashboard.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update dashboard_filter_no_subquery.go --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
expectedResult: 110,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
},
{
desc: "Should not be able to view any dashboards or folders without any permissions",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
signedInUserPermissions: []accesscontrol.Permission{},
expectedResult: 0,
},
{
desc: "Should be able to view a subset of dashboards with dashboard scopes",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:110"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:40"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:22"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:13"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:55"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:99"},
},
expectedResult: 6,
},
{
desc: "Should be able to view a subset of dashboards with dashboard action and folder scope",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:8"},
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:10"},
},
expectedResult: 20,
},
RBAC: Allow scoping access to root level dashboards (#76987) * correctly check permissions to list dashboards on the root * correctly display the access inherited from general folder for dashboards * Update pkg/services/sqlstore/permissions/dashboard.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update dashboard_filter_no_subquery.go --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
{
desc: "Should be able to view dashboards under the root with folders:uid:general scope",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
RBAC: Allow scoping access to root level dashboards (#76987) * correctly check permissions to list dashboards on the root * correctly display the access inherited from general folder for dashboards * Update pkg/services/sqlstore/permissions/dashboard.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update dashboard_filter_no_subquery.go --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(folder.GeneralFolderUID)},
},
expectedResult: 10,
},
{
desc: "Should not be able to view editable dashboards under the root with folders:uid:general scope if missing write action",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_EDIT,
RBAC: Allow scoping access to root level dashboards (#76987) * correctly check permissions to list dashboards on the root * correctly display the access inherited from general folder for dashboards * Update pkg/services/sqlstore/permissions/dashboard.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update dashboard_filter_no_subquery.go --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(folder.GeneralFolderUID)},
},
expectedResult: 0,
},
{
desc: "Should be able to view editable dashboards under the root with folders:uid:general scope if has write action",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_EDIT,
RBAC: Allow scoping access to root level dashboards (#76987) * correctly check permissions to list dashboards on the root * correctly display the access inherited from general folder for dashboards * Update pkg/services/sqlstore/permissions/dashboard.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update dashboard_filter_no_subquery.go --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(folder.GeneralFolderUID)},
{Action: dashboards.ActionDashboardsWrite, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(folder.GeneralFolderUID)},
},
expectedResult: 10,
},
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
{
desc: "Should be able to view all folders with folder wildcard",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:*"},
},
expectedResult: 10,
},
{
desc: "Should be able to view a subset folders",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:3"},
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:6"},
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:9"},
},
expectedResult: 3,
},
{
desc: "Should return folders and dashboard with 'edit' permission",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_EDIT,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:3"},
{Action: dashboards.ActionDashboardsCreate, Scope: "folders:uid:3"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:33"},
{Action: dashboards.ActionDashboardsWrite, Scope: "dashboards:uid:33"},
},
expectedResult: 2,
},
{
desc: "Should return the dashboards that the User has dashboards:write permission on in case of 'edit' permission",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_EDIT,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:3"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:31"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:32"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:33"},
{Action: dashboards.ActionDashboardsWrite, Scope: "dashboards:uid:33"},
},
expectedResult: 1,
},
{
desc: "Should return the folders that the User has dashboards:create permission on in case of 'edit' permission",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_EDIT,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:3"},
{Action: dashboards.ActionDashboardsCreate, Scope: "folders:uid:3"},
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:4"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:32"},
{Action: dashboards.ActionDashboardsRead, Scope: "dashboards:uid:33"},
},
expectedResult: 1,
},
{
desc: "Should return folders that users can read alerts from",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
queryType: searchstore.TypeAlertFolder,
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:3"},
{Action: accesscontrol.ActionAlertingRuleRead, Scope: "folders:uid:3"},
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:8"},
{Action: accesscontrol.ActionAlertingRuleRead, Scope: "folders:uid:8"},
},
expectedResult: 2,
},
{
desc: "Should return folders that users can read alerts when user has read wildcard",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
queryType: searchstore.TypeAlertFolder,
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "*"},
{Action: accesscontrol.ActionAlertingRuleRead, Scope: "folders:uid:3"},
{Action: accesscontrol.ActionAlertingRuleRead, Scope: "folders:uid:8"},
},
expectedResult: 2,
},
}
for _, tt := range tests {
RBAC: Allow scoping access to root level dashboards (#76987) * correctly check permissions to list dashboards on the root * correctly display the access inherited from general folder for dashboards * Update pkg/services/sqlstore/permissions/dashboard.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update dashboard_filter_no_subquery.go --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
store := setupTest(t, 10, 110, []accesscontrol.Permission{})
Search v1: Remove unnecessary subqueries (#72388) * Add feature flag * Introduce interface and dummy implementation * Add tests for the new filter * accessControlDashboardPermissionFilterNoFolderSubquery implementation * join only if it's necessary * force ordering for tests * Temporarily enable new query for benchmarks
2 years ago
recursiveQueriesAreSupported, err := store.RecursiveQueriesAreSupported()
require.NoError(t, err)
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
Search v1: Remove unnecessary subqueries (#72388) * Add feature flag * Introduce interface and dummy implementation * Add tests for the new filter * accessControlDashboardPermissionFilterNoFolderSubquery implementation * join only if it's necessary * force ordering for tests * Temporarily enable new query for benchmarks
2 years ago
usr := &user.SignedInUser{OrgID: 1, OrgRole: org.RoleViewer, AuthenticatedBy: login.ExtendedJWTModule, Permissions: map[int64]map[string][]string{1: accesscontrol.GroupScopesByAction(tt.signedInUserPermissions)}}
FeatureFlags: Use interface rather than manager (#80000)
1 year ago
for _, features := range []featuremgmt.FeatureToggles{featuremgmt.WithFeatures(), featuremgmt.WithFeatures(featuremgmt.FlagPermissionsFilterRemoveSubquery)} {
Search v1: Remove unnecessary subqueries (#72388) * Add feature flag * Introduce interface and dummy implementation * Add tests for the new filter * accessControlDashboardPermissionFilterNoFolderSubquery implementation * join only if it's necessary * force ordering for tests * Temporarily enable new query for benchmarks
2 years ago
m := features.GetEnabled(context.Background())
keys := make([]string, 0, len(m))
for k := range m {
keys = append(keys, k)
}
t.Run(tt.desc+" with features "+strings.Join(keys, ","), func(t *testing.T) {
filter := permissions.NewAccessControlDashboardPermissionFilter(usr, tt.permission, tt.queryType, features, recursiveQueriesAreSupported)
var result int
err = store.WithDbSession(context.Background(), func(sess *sqlstore.DBSession) error {
q, params := filter.Where()
recQry, recQryParams := filter.With()
params = append(recQryParams, params...)
s := recQry + "\nSELECT COUNT(*) FROM dashboard WHERE " + q
leftJoin := filter.LeftJoin()
if leftJoin != "" {
s = recQry + "\nSELECT COUNT(*) FROM dashboard LEFT OUTER JOIN " + leftJoin + " WHERE " + q
}
_, err := sess.SQL(s, params...).Get(&result)
return err
})
require.NoError(t, err)
assert.Equal(t, tt.expectedResult, result)
})
}
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
}
}
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
func TestIntegration_DashboardNestedPermissionFilter(t *testing.T) {
testCases := []struct {
desc string
queryType string
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission dashboardaccess.PermissionType
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
permissions []accesscontrol.Permission
expectedResult []string
Chore: use any rather than interface{} (#74066)
2 years ago
features []any
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
}{
Nested folders: Fix search query for empty self-contained permissions (#72727) * Add tests * Fix query for nested folders with zero self-contained permissions * Fix query behind permissionsFilterRemoveSubquery flag * Apply suggestion from code review
2 years ago
{
desc: "Should not be able to view dashboards under inherited folders with no permissions if nested folders are enabled",
queryType: searchstore.TypeDashboard,
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
Nested folders: Fix search query for empty self-contained permissions (#72727) * Add tests * Fix query for nested folders with zero self-contained permissions * Fix query behind permissionsFilterRemoveSubquery flag * Apply suggestion from code review
2 years ago
permissions: nil,
Chore: use any rather than interface{} (#74066)
2 years ago
features: []any{featuremgmt.FlagNestedFolders},
Nested folders: Fix search query for empty self-contained permissions (#72727) * Add tests * Fix query for nested folders with zero self-contained permissions * Fix query behind permissionsFilterRemoveSubquery flag * Apply suggestion from code review
2 years ago
expectedResult: nil,
},
{
desc: "Should not be able to view inherited folders with no permissions if nested folders are enabled",
queryType: searchstore.TypeFolder,
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
Nested folders: Fix search query for empty self-contained permissions (#72727) * Add tests * Fix query for nested folders with zero self-contained permissions * Fix query behind permissionsFilterRemoveSubquery flag * Apply suggestion from code review
2 years ago
permissions: nil,
Chore: use any rather than interface{} (#74066)
2 years ago
features: []any{featuremgmt.FlagNestedFolders},
Nested folders: Fix search query for empty self-contained permissions (#72727) * Add tests * Fix query for nested folders with zero self-contained permissions * Fix query behind permissionsFilterRemoveSubquery flag * Apply suggestion from code review
2 years ago
expectedResult: nil,
},
{
desc: "Should not be able to view inherited dashboards and folders with no permissions if nested folders are enabled",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
Nested folders: Fix search query for empty self-contained permissions (#72727) * Add tests * Fix query for nested folders with zero self-contained permissions * Fix query behind permissionsFilterRemoveSubquery flag * Apply suggestion from code review
2 years ago
permissions: nil,
Chore: use any rather than interface{} (#74066)
2 years ago
features: []any{featuremgmt.FlagNestedFolders},
Nested folders: Fix search query for empty self-contained permissions (#72727) * Add tests * Fix query for nested folders with zero self-contained permissions * Fix query behind permissionsFilterRemoveSubquery flag * Apply suggestion from code review
2 years ago
expectedResult: nil,
},
{
desc: "Should be able to view dashboards under inherited folders with wildcard scope if nested folders are enabled",
queryType: searchstore.TypeDashboard,
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
Nested folders: Fix search query for empty self-contained permissions (#72727) * Add tests * Fix query for nested folders with zero self-contained permissions * Fix query behind permissionsFilterRemoveSubquery flag * Apply suggestion from code review
2 years ago
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersAll},
},
Chore: use any rather than interface{} (#74066)
2 years ago
features: []any{featuremgmt.FlagNestedFolders},
Nested folders: Fix search query for empty self-contained permissions (#72727) * Add tests * Fix query for nested folders with zero self-contained permissions * Fix query behind permissionsFilterRemoveSubquery flag * Apply suggestion from code review
2 years ago
expectedResult: []string{"dashboard under parent folder", "dashboard under subfolder"},
},
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
{
desc: "Should be able to view dashboards under inherited folders if nested folders are enabled",
queryType: searchstore.TypeDashboard,
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:parent"},
},
Chore: use any rather than interface{} (#74066)
2 years ago
features: []any{featuremgmt.FlagNestedFolders},
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
expectedResult: []string{"dashboard under parent folder", "dashboard under subfolder"},
},
{
desc: "Should not be able to view dashboards under inherited folders if nested folders are not enabled",
queryType: searchstore.TypeDashboard,
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:parent"},
},
Chore: use any rather than interface{} (#74066)
2 years ago
features: []any{},
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
expectedResult: []string{"dashboard under parent folder"},
},
{
desc: "Should be able to view inherited folders if nested folders are enabled",
queryType: searchstore.TypeFolder,
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:parent"},
},
Chore: use any rather than interface{} (#74066)
2 years ago
features: []any{featuremgmt.FlagNestedFolders},
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
expectedResult: []string{"parent", "subfolder"},
},
{
desc: "Should not be able to view inherited folders if nested folders are not enabled",
queryType: searchstore.TypeFolder,
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:parent"},
},
Chore: use any rather than interface{} (#74066)
2 years ago
features: []any{},
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
expectedResult: []string{"parent"},
},
{
desc: "Should be able to view inherited dashboards and folders if nested folders are enabled",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:parent"},
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:parent"},
},
Chore: use any rather than interface{} (#74066)
2 years ago
features: []any{featuremgmt.FlagNestedFolders},
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
expectedResult: []string{"parent", "subfolder", "dashboard under parent folder", "dashboard under subfolder"},
},
{
desc: "Should not be able to view inherited dashboards and folders if nested folders are not enabled",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:parent"},
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:parent"},
},
Chore: use any rather than interface{} (#74066)
2 years ago
features: []any{},
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
expectedResult: []string{"parent", "dashboard under parent folder"},
},
}
origNewGuardian := guardian.New
guardian.MockDashboardGuardian(&guardian.FakeDashboardGuardian{CanViewValue: true, CanSaveValue: true})
t.Cleanup(func() {
guardian.New = origNewGuardian
})
var orgID int64 = 1
for _, tc := range testCases {
Search v1: Remove unnecessary subqueries (#72388) * Add feature flag * Introduce interface and dummy implementation * Add tests for the new filter * accessControlDashboardPermissionFilterNoFolderSubquery implementation * join only if it's necessary * force ordering for tests * Temporarily enable new query for benchmarks
2 years ago
tc.permissions = append(tc.permissions, accesscontrol.Permission{
Action: dashboards.ActionFoldersCreate,
}, accesscontrol.Permission{
Action: dashboards.ActionFoldersWrite,
Scope: dashboards.ScopeFoldersAll,
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
})
Search v1: Remove unnecessary subqueries (#72388) * Add feature flag * Introduce interface and dummy implementation * Add tests for the new filter * accessControlDashboardPermissionFilterNoFolderSubquery implementation * join only if it's necessary * force ordering for tests * Temporarily enable new query for benchmarks
2 years ago
usr := &user.SignedInUser{OrgID: orgID, OrgRole: org.RoleViewer, Permissions: map[int64]map[string][]string{orgID: accesscontrol.GroupScopesByAction(tc.permissions)}}
FeatureFlags: Use interface rather than manager (#80000)
1 year ago
for _, features := range []featuremgmt.FeatureToggles{featuremgmt.WithFeatures(tc.features...), featuremgmt.WithFeatures(append(tc.features, featuremgmt.FlagPermissionsFilterRemoveSubquery)...)} {
Search v1: Remove unnecessary subqueries (#72388) * Add feature flag * Introduce interface and dummy implementation * Add tests for the new filter * accessControlDashboardPermissionFilterNoFolderSubquery implementation * join only if it's necessary * force ordering for tests * Temporarily enable new query for benchmarks
2 years ago
m := features.GetEnabled(context.Background())
keys := make([]string, 0, len(m))
for k := range m {
keys = append(keys, k)
}
t.Run(tc.desc+" with features "+strings.Join(keys, ","), func(t *testing.T) {
db := setupNestedTest(t, usr, tc.permissions, orgID, features)
recursiveQueriesAreSupported, err := db.RecursiveQueriesAreSupported()
require.NoError(t, err)
filter := permissions.NewAccessControlDashboardPermissionFilter(usr, tc.permission, tc.queryType, features, recursiveQueriesAreSupported)
var result []string
err = db.WithDbSession(context.Background(), func(sess *sqlstore.DBSession) error {
q, params := filter.Where()
recQry, recQryParams := filter.With()
params = append(recQryParams, params...)
s := recQry + "\nSELECT dashboard.title FROM dashboard WHERE " + q
leftJoin := filter.LeftJoin()
if leftJoin != "" {
s = recQry + "\nSELECT dashboard.title FROM dashboard LEFT OUTER JOIN " + leftJoin + " WHERE " + q + "ORDER BY dashboard.id ASC"
}
err := sess.SQL(s, params...).Find(&result)
return err
})
require.NoError(t, err)
assert.Equal(t, tc.expectedResult, result)
})
}
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
}
}
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
func TestIntegration_DashboardNestedPermissionFilter_WithSelfContainedPermissions(t *testing.T) {
testCases := []struct {
desc string
queryType string
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission dashboardaccess.PermissionType
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
signedInUserPermissions []accesscontrol.Permission
expectedResult []string
Chore: use any rather than interface{} (#74066)
2 years ago
features []any
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
}{
Nested folders: Fix search query for empty self-contained permissions (#72727) * Add tests * Fix query for nested folders with zero self-contained permissions * Fix query behind permissionsFilterRemoveSubquery flag * Apply suggestion from code review
2 years ago
{
desc: "Should not be able to view dashboards under inherited folders with no permissions if nested folders are enabled",
queryType: searchstore.TypeDashboard,
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
Nested folders: Fix search query for empty self-contained permissions (#72727) * Add tests * Fix query for nested folders with zero self-contained permissions * Fix query behind permissionsFilterRemoveSubquery flag * Apply suggestion from code review
2 years ago
signedInUserPermissions: nil,
Chore: use any rather than interface{} (#74066)
2 years ago
features: []any{featuremgmt.FlagNestedFolders},
Nested folders: Fix search query for empty self-contained permissions (#72727) * Add tests * Fix query for nested folders with zero self-contained permissions * Fix query behind permissionsFilterRemoveSubquery flag * Apply suggestion from code review
2 years ago
expectedResult: nil,
},
{
desc: "Should not be able to view inherited folders with no permissions if nested folders are enabled",
queryType: searchstore.TypeFolder,
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
Nested folders: Fix search query for empty self-contained permissions (#72727) * Add tests * Fix query for nested folders with zero self-contained permissions * Fix query behind permissionsFilterRemoveSubquery flag * Apply suggestion from code review
2 years ago
signedInUserPermissions: nil,
Chore: use any rather than interface{} (#74066)
2 years ago
features: []any{featuremgmt.FlagNestedFolders},
Nested folders: Fix search query for empty self-contained permissions (#72727) * Add tests * Fix query for nested folders with zero self-contained permissions * Fix query behind permissionsFilterRemoveSubquery flag * Apply suggestion from code review
2 years ago
expectedResult: nil,
},
{
desc: "Should not be able to view inherited dashboards and folders with no permissions if nested folders are enabled",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
Nested folders: Fix search query for empty self-contained permissions (#72727) * Add tests * Fix query for nested folders with zero self-contained permissions * Fix query behind permissionsFilterRemoveSubquery flag * Apply suggestion from code review
2 years ago
signedInUserPermissions: nil,
Chore: use any rather than interface{} (#74066)
2 years ago
features: []any{featuremgmt.FlagNestedFolders},
Nested folders: Fix search query for empty self-contained permissions (#72727) * Add tests * Fix query for nested folders with zero self-contained permissions * Fix query behind permissionsFilterRemoveSubquery flag * Apply suggestion from code review
2 years ago
expectedResult: nil,
},
{
desc: "Should be able to view dashboards under inherited folders with wildcard scope if nested folders are enabled",
queryType: searchstore.TypeDashboard,
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
Nested folders: Fix search query for empty self-contained permissions (#72727) * Add tests * Fix query for nested folders with zero self-contained permissions * Fix query behind permissionsFilterRemoveSubquery flag * Apply suggestion from code review
2 years ago
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeFoldersAll},
},
Chore: use any rather than interface{} (#74066)
2 years ago
features: []any{featuremgmt.FlagNestedFolders},
Nested folders: Fix search query for empty self-contained permissions (#72727) * Add tests * Fix query for nested folders with zero self-contained permissions * Fix query behind permissionsFilterRemoveSubquery flag * Apply suggestion from code review
2 years ago
expectedResult: []string{"dashboard under parent folder", "dashboard under subfolder"},
},
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
{
desc: "Should be able to view dashboards under inherited folders if nested folders are enabled",
queryType: searchstore.TypeDashboard,
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:parent"},
},
Chore: use any rather than interface{} (#74066)
2 years ago
features: []any{featuremgmt.FlagNestedFolders},
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
expectedResult: []string{"dashboard under parent folder", "dashboard under subfolder"},
},
{
desc: "Should not be able to view dashboards under inherited folders if nested folders are not enabled",
queryType: searchstore.TypeDashboard,
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:parent"},
},
Chore: use any rather than interface{} (#74066)
2 years ago
features: []any{},
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
expectedResult: []string{"dashboard under parent folder"},
},
{
desc: "Should be able to view inherited folders if nested folders are enabled",
queryType: searchstore.TypeFolder,
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:parent"},
},
Chore: use any rather than interface{} (#74066)
2 years ago
features: []any{featuremgmt.FlagNestedFolders},
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
expectedResult: []string{"parent", "subfolder"},
},
{
desc: "Should not be able to view inherited folders if nested folders are not enabled",
queryType: searchstore.TypeFolder,
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:parent"},
},
Chore: use any rather than interface{} (#74066)
2 years ago
features: []any{},
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
expectedResult: []string{"parent"},
},
{
desc: "Should be able to view inherited dashboards and folders if nested folders are enabled",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:parent"},
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:parent"},
},
Chore: use any rather than interface{} (#74066)
2 years ago
features: []any{featuremgmt.FlagNestedFolders},
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
expectedResult: []string{"parent", "subfolder", "dashboard under parent folder", "dashboard under subfolder"},
},
{
desc: "Should not be able to view inherited dashboards and folders if nested folders are not enabled",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_VIEW,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:parent"},
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:parent"},
},
Chore: use any rather than interface{} (#74066)
2 years ago
features: []any{},
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
expectedResult: []string{"parent", "dashboard under parent folder"},
},
{
desc: "Should be able to edit inherited dashboards and folders if nested folders are enabled",
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2 years ago
permission: dashboardaccess.PERMISSION_EDIT,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
signedInUserPermissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: "folders:uid:subfolder"},
{Action: dashboards.ActionDashboardsCreate, Scope: "folders:uid:subfolder"},
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:subfolder"},
{Action: dashboards.ActionDashboardsWrite, Scope: "folders:uid:subfolder"},
{Action: dashboards.ActionDashboardsRead, Scope: "folders:uid:parent"},
{Action: dashboards.ActionDashboardsWrite, Scope: "folders:uid:parent"},
},
Chore: use any rather than interface{} (#74066)
2 years ago
features: []any{featuremgmt.FlagNestedFolders},
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
expectedResult: []string{"subfolder", "dashboard under parent folder", "dashboard under subfolder"},
},
}
origNewGuardian := guardian.New
guardian.MockDashboardGuardian(&guardian.FakeDashboardGuardian{CanViewValue: true, CanSaveValue: true})
t.Cleanup(func() {
guardian.New = origNewGuardian
})
var orgID int64 = 1
for _, tc := range testCases {
Search v1: Remove unnecessary subqueries (#72388) * Add feature flag * Introduce interface and dummy implementation * Add tests for the new filter * accessControlDashboardPermissionFilterNoFolderSubquery implementation * join only if it's necessary * force ordering for tests * Temporarily enable new query for benchmarks
2 years ago
helperUser := &user.SignedInUser{OrgID: orgID, OrgRole: org.RoleViewer, AuthenticatedBy: login.ExtendedJWTModule,
Permissions: map[int64]map[string][]string{orgID: accesscontrol.GroupScopesByAction([]accesscontrol.Permission{
{
Action: dashboards.ActionFoldersCreate,
},
{
Action: dashboards.ActionFoldersWrite,
Scope: dashboards.ScopeFoldersAll,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
},
Search v1: Remove unnecessary subqueries (#72388) * Add feature flag * Introduce interface and dummy implementation * Add tests for the new filter * accessControlDashboardPermissionFilterNoFolderSubquery implementation * join only if it's necessary * force ordering for tests * Temporarily enable new query for benchmarks
2 years ago
}),
},
}
FeatureFlags: Use interface rather than manager (#80000)
1 year ago
for _, features := range []featuremgmt.FeatureToggles{featuremgmt.WithFeatures(tc.features...), featuremgmt.WithFeatures(append(tc.features, featuremgmt.FlagPermissionsFilterRemoveSubquery)...)} {
Search v1: Remove unnecessary subqueries (#72388) * Add feature flag * Introduce interface and dummy implementation * Add tests for the new filter * accessControlDashboardPermissionFilterNoFolderSubquery implementation * join only if it's necessary * force ordering for tests * Temporarily enable new query for benchmarks
2 years ago
m := features.GetEnabled(context.Background())
keys := make([]string, 0, len(m))
for k := range m {
keys = append(keys, k)
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
}
Search v1: Remove unnecessary subqueries (#72388) * Add feature flag * Introduce interface and dummy implementation * Add tests for the new filter * accessControlDashboardPermissionFilterNoFolderSubquery implementation * join only if it's necessary * force ordering for tests * Temporarily enable new query for benchmarks
2 years ago
t.Run(tc.desc+" with features "+strings.Join(keys, ","), func(t *testing.T) {
usr := &user.SignedInUser{OrgID: orgID, OrgRole: org.RoleViewer, AuthenticatedBy: login.ExtendedJWTModule, Permissions: map[int64]map[string][]string{orgID: accesscontrol.GroupScopesByAction(tc.signedInUserPermissions)}}
db := setupNestedTest(t, helperUser, []accesscontrol.Permission{}, orgID, features)
recursiveQueriesAreSupported, err := db.RecursiveQueriesAreSupported()
require.NoError(t, err)
filter := permissions.NewAccessControlDashboardPermissionFilter(usr, tc.permission, tc.queryType, features, recursiveQueriesAreSupported)
var result []string
err = db.WithDbSession(context.Background(), func(sess *sqlstore.DBSession) error {
q, params := filter.Where()
recQry, recQryParams := filter.With()
params = append(recQryParams, params...)
s := recQry + "\nSELECT dashboard.title FROM dashboard WHERE " + q
leftJoin := filter.LeftJoin()
if leftJoin != "" {
s = recQry + "\nSELECT dashboard.title FROM dashboard LEFT OUTER JOIN " + leftJoin + " WHERE " + q + " ORDER BY dashboard.id ASC"
}
err := sess.SQL(s, params...).Find(&result)
return err
})
require.NoError(t, err)
assert.Equal(t, tc.expectedResult, result)
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
})
Search v1: Remove unnecessary subqueries (#72388) * Add feature flag * Introduce interface and dummy implementation * Add tests for the new filter * accessControlDashboardPermissionFilterNoFolderSubquery implementation * join only if it's necessary * force ordering for tests * Temporarily enable new query for benchmarks
2 years ago
}
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
}
}
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
func setupTest(t *testing.T, numFolders, numDashboards int, permissions []accesscontrol.Permission) db.DB {
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
t.Helper()
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
store := db.InitTestDB(t)
err := store.WithDbSession(context.Background(), func(sess *sqlstore.DBSession) error {
Chore: Remove dashboards from models pkg (#61578) * Copy dashboard models to dashboard pkg * Use some models from current pkg instead of models * Adjust api pkg * Adjust pkg services * Fix lint * Chore: Remove dashboards models * Remove dashboards from models pkg * Fix lint in tests * Fix lint in tests 2 * Fix for import in auth * Remove newline * Revert unused fix
2 years ago
dashes := make([]dashboards.Dashboard, 0, numFolders+numDashboards)
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
for i := 1; i <= numFolders; i++ {
str := strconv.Itoa(i)
Chore: Remove dashboards from models pkg (#61578) * Copy dashboard models to dashboard pkg * Use some models from current pkg instead of models * Adjust api pkg * Adjust pkg services * Fix lint * Chore: Remove dashboards models * Remove dashboards from models pkg * Fix lint in tests * Fix lint in tests 2 * Fix for import in auth * Remove newline * Revert unused fix
2 years ago
dashes = append(dashes, dashboards.Dashboard{
OrgID: 1,
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
Slug: str,
Chore: Remove dashboards from models pkg (#61578) * Copy dashboard models to dashboard pkg * Use some models from current pkg instead of models * Adjust api pkg * Adjust pkg services * Fix lint * Chore: Remove dashboards models * Remove dashboards from models pkg * Fix lint in tests * Fix lint in tests 2 * Fix for import in auth * Remove newline * Revert unused fix
2 years ago
UID: str,
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
Title: str,
IsFolder: true,
Data: simplejson.New(),
Created: time.Now(),
Updated: time.Now(),
})
}
RBAC: Allow scoping access to root level dashboards (#76987) * correctly check permissions to list dashboards on the root * correctly display the access inherited from general folder for dashboards * Update pkg/services/sqlstore/permissions/dashboard.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update dashboard_filter_no_subquery.go --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
// Seed dashboards
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
for i := numFolders + 1; i <= numFolders+numDashboards; i++ {
str := strconv.Itoa(i)
RBAC: Allow scoping access to root level dashboards (#76987) * correctly check permissions to list dashboards on the root * correctly display the access inherited from general folder for dashboards * Update pkg/services/sqlstore/permissions/dashboard.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update dashboard_filter_no_subquery.go --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
folderID := 0
if i%(numFolders+1) != 0 {
folderID = i % (numFolders + 1)
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
}
Chore: Remove dashboards from models pkg (#61578) * Copy dashboard models to dashboard pkg * Use some models from current pkg instead of models * Adjust api pkg * Adjust pkg services * Fix lint * Chore: Remove dashboards models * Remove dashboards from models pkg * Fix lint in tests * Fix lint in tests 2 * Fix for import in auth * Remove newline * Revert unused fix
2 years ago
dashes = append(dashes, dashboards.Dashboard{
OrgID: 1,
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
IsFolder: false,
Chore: Deprecate FolderID from Dashboard (#77823) * Chore: Deprecate FolderID from Dashboard * chore: add two missing nolint comments
2 years ago
FolderID: int64(folderID), // nolint:staticcheck
Chore: Remove dashboards from models pkg (#61578) * Copy dashboard models to dashboard pkg * Use some models from current pkg instead of models * Adjust api pkg * Adjust pkg services * Fix lint * Chore: Remove dashboards models * Remove dashboards from models pkg * Fix lint in tests * Fix lint in tests 2 * Fix for import in auth * Remove newline * Revert unused fix
2 years ago
UID: str,
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
Slug: str,
Title: str,
Data: simplejson.New(),
Created: time.Now(),
Updated: time.Now(),
})
}
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
_, err := sess.InsertMulti(&dashes)
if err != nil {
return err
}
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
role := &accesscontrol.Role{
OrgID: 0,
UID: "basic_viewer",
Name: "basic:viewer",
Updated: time.Now(),
Created: time.Now(),
}
_, err = sess.Insert(role)
if err != nil {
return err
}
_, err = sess.Insert(accesscontrol.BuiltinRole{
OrgID: 0,
RoleID: role.ID,
Role: "Viewer",
Created: time.Now(),
Updated: time.Now(),
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
})
RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
3 years ago
if err != nil {
return err
}
for i := range permissions {
permissions[i].RoleID = role.ID
permissions[i].Created = time.Now()
permissions[i].Updated = time.Now()
}
if len(permissions) > 0 {
_, err = sess.InsertMulti(&permissions)
if err != nil {
return err
}
}
return nil
})
require.NoError(t, err)
return store
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
}
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
func setupNestedTest(t *testing.T, usr *user.SignedInUser, perms []accesscontrol.Permission, orgID int64, features featuremgmt.FeatureToggles) db.DB {
t.Helper()
db := sqlstore.InitTestDB(t)
// dashboard store commands that should be called.
FeatureFlags: Cleanup usage of cfg.IsFeatureToggleEnabled (#78014)
2 years ago
dashStore, err := database.ProvideDashboardStore(db, db.Cfg, features, tagimpl.ProvideService(db), quotatest.New(false, nil))
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
require.NoError(t, err)
Folders: Show dashboards and folders with directly assigned permissions in "Shared" folder (#78465) * Folders: Show folders user has access to at the root level * Refactor * Refactor * Hide parent folders user has no access to * Skip expensive computation if possible * Fix tests * Fix potential nil access * Fix duplicated folders * Fix linter error * Fix querying folders if no managed permissions set * Update benchmark * Add special shared with me folder and fetch available non-root folders on demand * Fix parents query * Improve db query for folders * Reset benchmark changes * Fix permissions for shared with me folder * Simplify dedup * Add option to include shared folder permission to user's permissions * Fix nil UID * Remove duplicated folders from shared list * Folders: Fix fetching empty folder * Nested folders: Show dashboards with directly assigned permissions * Fix slow dashboards fetch * Refactor * Fix cycle dependencies * Move shared folder to models * Fix shared folder links * Refactor * Use feature flag for permissions * Use feature flag * Review comments * Expose shared folder UID through frontend settings * Add frontend type for sharedWithMeFolderUID option * Refactor: apply review suggestions * Fix parent uid for shared folder * Fix listing shared dashboards for users with access to all folders * Prevent creating folder with "shared" UID * Add tests for shared folders * Add test for shared dashboards * Fix linter * Add metrics for shared with me folder * Add metrics for shared with me dashboards * Fix tests * Tests: add metrics as a dependency * Fix access control metadata for shared with me folder * Use constant for shared with me * Optimize parent folders access check, fetch all folders in one query. * Use labels for metrics
2 years ago
folderSvc := folderimpl.ProvideService(mock.New(), bus.ProvideBus(tracing.InitializeTracerForTest()), db.Cfg, dashStore, folderimpl.ProvideDashboardFolderStore(db), db, features, nil)
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
// create parent folder
parent, err := folderSvc.Create(context.Background(), &folder.CreateFolderCommand{
UID: "parent",
OrgID: orgID,
Title: "parent",
SignedInUser: usr,
})
require.NoError(t, err)
// create subfolder
subfolder, err := folderSvc.Create(context.Background(), &folder.CreateFolderCommand{
UID: "subfolder",
ParentUID: "parent",
OrgID: orgID,
Title: "subfolder",
SignedInUser: usr,
})
require.NoError(t, err)
// create dashboard under parent folder
_, err = dashStore.SaveDashboard(context.Background(), dashboards.SaveDashboardCommand{
Search: Fix empty folder details for nested folder items (#76504) * Introduce dashboard.folder_uid column * Add data migration * Search: Fix empty folder details for nested folders * Set `dashboard.folder_uid` and update tests * Add unique index * lint Ignore cyclomatic complexity of func `(*DashboardServiceImpl).BuildSaveDashboardCommand * Fix search by folder UID
2 years ago
OrgID: orgID,
Chore: Deprecate FolderID from SaveDashboardCommand (#77813)
2 years ago
FolderID: parent.ID, // nolint:staticcheck
Search: Fix empty folder details for nested folder items (#76504) * Introduce dashboard.folder_uid column * Add data migration * Search: Fix empty folder details for nested folders * Set `dashboard.folder_uid` and update tests * Add unique index * lint Ignore cyclomatic complexity of func `(*DashboardServiceImpl).BuildSaveDashboardCommand * Fix search by folder UID
2 years ago
FolderUID: parent.UID,
Chore: use any rather than interface{} (#74066)
2 years ago
Dashboard: simplejson.NewFromAny(map[string]any{
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
"title": "dashboard under parent folder",
}),
})
require.NoError(t, err)
// create dashboard under subfolder
_, err = dashStore.SaveDashboard(context.Background(), dashboards.SaveDashboardCommand{
Search: Fix empty folder details for nested folder items (#76504) * Introduce dashboard.folder_uid column * Add data migration * Search: Fix empty folder details for nested folders * Set `dashboard.folder_uid` and update tests * Add unique index * lint Ignore cyclomatic complexity of func `(*DashboardServiceImpl).BuildSaveDashboardCommand * Fix search by folder UID
2 years ago
OrgID: orgID,
Chore: Deprecate FolderID from SaveDashboardCommand (#77813)
2 years ago
FolderID: subfolder.ID, // nolint:staticcheck
Search: Fix empty folder details for nested folder items (#76504) * Introduce dashboard.folder_uid column * Add data migration * Search: Fix empty folder details for nested folders * Set `dashboard.folder_uid` and update tests * Add unique index * lint Ignore cyclomatic complexity of func `(*DashboardServiceImpl).BuildSaveDashboardCommand * Fix search by folder UID
2 years ago
FolderUID: subfolder.UID,
Chore: use any rather than interface{} (#74066)
2 years ago
Dashboard: simplejson.NewFromAny(map[string]any{
Search v1: Add support for inherited folder permissions if nested folders are enabled (#63275) * Add features dependency to SQLBuilder * Add features dependency to AccessControlDashboardPermissionFilter * Add test for folder inheritance * Dashboard permissions: Return recursive query * Recursive query for inherited folders * Modify search builder * Adjust db.SQLBuilder * Pass flag to SQLbuilder if CTEs are supported * Add support for mysql < 8.0 * Add benchmarking for search with nested folders * Set features to AlertStore * Update pkg/infra/db/sqlbuilder.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Set features to LibraryElementService * SQLBuilder tests with nested folder flag set * Apply suggestion from code review Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2 years ago
"title": "dashboard under subfolder",
}),
})
require.NoError(t, err)
err = db.WithDbSession(context.Background(), func(sess *sqlstore.DBSession) error {
role := &accesscontrol.Role{
OrgID: 0,
UID: "basic_viewer",
Name: "basic:viewer",
Updated: time.Now(),
Created: time.Now(),
}
_, err = sess.Insert(role)
if err != nil {
return err
}
_, err = sess.Insert(accesscontrol.BuiltinRole{
OrgID: 0,
RoleID: role.ID,
Role: "Viewer",
Created: time.Now(),
Updated: time.Now(),
})
if err != nil {
return err
}
for i := range perms {
perms[i].RoleID = role.ID
perms[i].Created = time.Now()
perms[i].Updated = time.Now()
}
if len(perms) > 0 {
_, err = sess.InsertMulti(&perms)
if err != nil {
return err
}
}
return nil
})
require.NoError(t, err)
return db
}