apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
45149 Commits
5979 Branches
596 Tags
1.7 GiB
Tag: Branch: Tree: 322fde1f5b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '322fde1f5b'
${ noResults }
grafana/pkg/services/accesscontrol/middleware_test.go

146 lines
4.0 KiB
Raw Normal View History Unescape

Access Control: Move access control middlewares to domain package (#48322) * Move access control middleware to domain package
3 years ago
package accesscontrol_test
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
import (
"net/http"
"net/http/httptest"
"testing"
"github.com/stretchr/testify/assert"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/services/accesscontrol"
AccessControl: Remove acmock.New from accesscontrol service tests (#71942) * remove mock ac provider from service accounts * remove mock ac provider from accesscontrol tests * remove mock ac from ac service tests
2 years ago
"github.com/grafana/grafana/pkg/services/accesscontrol/acimpl"
pkg/web: restrict handler types (#48495) Makes `pkg/web` only accept handles from the following set: ```go handlerStd = func(http.ResponseWriter, *http.Request) handlerStdCtx = func(http.ResponseWriter, *http.Request, *web.Context) handlerStdReqCtx = func(http.ResponseWriter, *http.Request, *models.ReqContext) handlerReqCtx = func(*models.ReqContext) handlerReqCtxRes = func(*models.ReqContext) Response handlerCtx = func(*web.Context) ``` This is a first step to reducing above set to only `http.Handler`. --- Due to a cyclic import situation between `pkg/models` and `pkg/web`, parts of this PR were put into `pkg/api/response`, even though they definitely do not belong there. This however is _temporary_ until we untangle `models.ReqContext`.
3 years ago
"github.com/grafana/grafana/pkg/services/contexthandler/ctxkey"
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2 years ago
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
3 years ago
"github.com/grafana/grafana/pkg/services/user"
AccessControl: Remove acmock.New from accesscontrol service tests (#71942) * remove mock ac provider from service accounts * remove mock ac provider from accesscontrol tests * remove mock ac from ac service tests
2 years ago
"github.com/grafana/grafana/pkg/setting"
Access Control: Move access control middlewares to domain package (#48322) * Move access control middleware to domain package
3 years ago
"github.com/grafana/grafana/pkg/web"
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
)
type middlewareTestCase struct {
AccessControl: Remove acmock.New from accesscontrol service tests (#71942) * remove mock ac provider from service accounts * remove mock ac provider from accesscontrol tests * remove mock ac from ac service tests
2 years ago
desc string
expectEndpoint bool
evaluator accesscontrol.Evaluator
ctxSignedInUser *user.SignedInUser
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
}
func TestMiddleware(t *testing.T) {
AccessControl: Remove acmock.New from accesscontrol service tests (#71942) * remove mock ac provider from service accounts * remove mock ac provider from accesscontrol tests * remove mock ac from ac service tests
2 years ago
cfg := setting.NewCfg()
ac := acimpl.ProvideAccessControl(cfg)
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
tests := []middlewareTestCase{
{
AccessControl: Remove acmock.New from accesscontrol service tests (#71942) * remove mock ac provider from service accounts * remove mock ac provider from accesscontrol tests * remove mock ac from ac service tests
2 years ago
desc: "should pass middleware for correct permissions",
evaluator: accesscontrol.EvalPermission("users:read", "users:*"),
ctxSignedInUser: &user.SignedInUser{UserID: 1, OrgID: 1, Permissions: map[int64]map[string][]string{1: {"users:read": {"users:*"}}}},
expectEndpoint: true,
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
},
{
AccessControl: Remove acmock.New from accesscontrol service tests (#71942) * remove mock ac provider from service accounts * remove mock ac provider from accesscontrol tests * remove mock ac from ac service tests
2 years ago
desc: "should not reach endpoint when missing permissions",
ctxSignedInUser: &user.SignedInUser{UserID: 1, OrgID: 1, Permissions: map[int64]map[string][]string{1: {"users:read": {"users:1"}}}},
evaluator: accesscontrol.EvalPermission("users:read", "users:*"),
expectEndpoint: false,
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
},
}
for _, test := range tests {
t.Run(test.desc, func(t *testing.T) {
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go
4 years ago
server := web.New()
server.UseMiddleware(web.Renderer("../../public/views", "[[", "]]"))
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
AccessControl: Remove acmock.New from accesscontrol service tests (#71942) * remove mock ac provider from service accounts * remove mock ac provider from accesscontrol tests * remove mock ac from ac service tests
2 years ago
server.Use(contextProvider(
func(c *contextmodel.ReqContext) {
c.SignedInUser = test.ctxSignedInUser
},
))
server.Use(accesscontrol.Middleware(ac)(test.evaluator))
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
endpointCalled := false
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2 years ago
server.Get("/", func(c *contextmodel.ReqContext) {
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
endpointCalled = true
pkg/web: closure-style middlewares (#51238) * pkg/web: closure-style middlewares Switches the middleware execution model from web.Handlers in a slice to web.Middleware. Middlewares are temporarily kept in a slice to preserve ordering, but prior to execution they are applied, forming a giant call-stack, giving granular control over the execution flow. * pkg/middleware: adapt to web.Middleware * pkg/middleware/recovery: use c.Req over req c.Req gets updated by future handlers, while req stays static. The current recovery implementation needs this newer information * pkg/web: correct middleware ordering * pkg/webtest: adapt middleware * pkg/web/hack: set w and r onto web.Context By adopting std middlewares, it may happen they invoke next(w,r) without putting their modified w,r into the web.Context, leading old-style handlers to operate on outdated fields. pkg/web now takes care of this * pkg/middleware: selectively use future context * pkg/web: accept closure-style on Use() * webtest: Middleware testing adds a utility function to web/webtest to obtain a http.ResponseWriter, http.Request and http.Handler the same as a middleware that runs would receive * *: cleanup * pkg/web: don't wrap Middleware from Router * pkg/web: require chain to write response * *: remove temp files * webtest: don't require chain write * *: cleanup
3 years ago
c.Resp.WriteHeader(http.StatusOK)
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
})
request, err := http.NewRequest(http.MethodGet, "/", nil)
assert.NoError(t, err)
recorder := httptest.NewRecorder()
server.ServeHTTP(recorder, request)
assert.Equal(t, test.expectEndpoint, endpointCalled)
})
}
}
RBAC: Redirect to /login when forceLogin is set (#56469)
3 years ago
func TestMiddleware_forceLogin(t *testing.T) {
tests := []struct {
url string
redirectToLogin bool
}{
{url: "/endpoint?forceLogin=true", redirectToLogin: true},
{url: "/endpoint?forceLogin=false"},
{url: "/endpoint"},
}
AccessControl: Remove acmock.New from accesscontrol service tests (#71942) * remove mock ac provider from service accounts * remove mock ac provider from accesscontrol tests * remove mock ac from ac service tests
2 years ago
cfg := setting.NewCfg()
ac := acimpl.ProvideAccessControl(cfg)
RBAC: Redirect to /login when forceLogin is set (#56469)
3 years ago
for _, tc := range tests {
AccessControl: Remove acmock.New from accesscontrol service tests (#71942) * remove mock ac provider from service accounts * remove mock ac provider from accesscontrol tests * remove mock ac from ac service tests
2 years ago
t.Run(tc.url, func(t *testing.T) {
var endpointCalled bool
RBAC: Redirect to /login when forceLogin is set (#56469)
3 years ago
AccessControl: Remove acmock.New from accesscontrol service tests (#71942) * remove mock ac provider from service accounts * remove mock ac provider from accesscontrol tests * remove mock ac from ac service tests
2 years ago
server := web.New()
server.UseMiddleware(web.Renderer("../../public/views", "[[", "]]"))
RBAC: Redirect to /login when forceLogin is set (#56469)
3 years ago
AccessControl: Remove acmock.New from accesscontrol service tests (#71942) * remove mock ac provider from service accounts * remove mock ac provider from accesscontrol tests * remove mock ac from ac service tests
2 years ago
server.Get("/endpoint", func(c *contextmodel.ReqContext) {
endpointCalled = true
c.Resp.WriteHeader(http.StatusOK)
})
RBAC: Redirect to /login when forceLogin is set (#56469)
3 years ago
AccessControl: Remove acmock.New from accesscontrol service tests (#71942) * remove mock ac provider from service accounts * remove mock ac provider from accesscontrol tests * remove mock ac from ac service tests
2 years ago
user := &user.SignedInUser{UserID: 1,
OrgID: 1,
IsAnonymous: true,
Permissions: map[int64]map[string][]string{1: {"endpoint:read": {"endpoint:1"}}}}
server.Use(contextProvider(func(c *contextmodel.ReqContext) {
c.AllowAnonymous = true
c.SignedInUser = user
c.IsSignedIn = false
}))
server.Use(
accesscontrol.Middleware(ac)(accesscontrol.EvalPermission("endpoint:read", "endpoint:1")),
)
request, err := http.NewRequest(http.MethodGet, tc.url, nil)
assert.NoError(t, err)
recorder := httptest.NewRecorder()
server.ServeHTTP(recorder, request)
expectedCode := http.StatusOK
if tc.redirectToLogin {
expectedCode = http.StatusFound
}
assert.Equal(t, expectedCode, recorder.Code)
assert.Equal(t, !tc.redirectToLogin, endpointCalled, "/endpoint should be called")
})
RBAC: Redirect to /login when forceLogin is set (#56469)
3 years ago
}
}
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2 years ago
func contextProvider(modifiers ...func(c *contextmodel.ReqContext)) web.Handler {
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go
4 years ago
return func(c *web.Context) {
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2 years ago
reqCtx := &contextmodel.ReqContext{
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
Context: c,
Logger: log.New(""),
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
3 years ago
SignedInUser: &user.SignedInUser{},
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
IsSignedIn: true,
Caching: Refactor enterprise query caching middleware to a wire service (#65616) * define initial service and add to wire * update caching service interface * add skipQueryCache header handler and update metrics query function to use it * add caching service as a dependency to query service * working caching impl * propagate cache status to frontend in response * beginning of improvements suggested by Lean - separate caching logic from query logic. * more changes to simplify query function * Decided to revert renaming of function * Remove error status from cache request * add extra documentation * Move query caching duration metric to query package * add a little bit of documentation * wip: convert resource caching * Change return type of query service QueryData to a QueryDataResponse with Headers * update codeowners * change X-Cache value to const * use resource caching in endpoint handlers * write resource headers to response even if it's not a cache hit * fix panic caused by lack of nil check * update unit test * remove NONE header - shouldn't show up in OSS * Convert everything to use the plugin middleware * revert a few more things * clean up unused vars * start reverting resource caching, start to implement in plugin middleware * revert more, fix typo * Update caching interfaces - resource caching now has a separate cache method * continue wiring up new resource caching conventions - still in progress * add more safety to implementation * remove some unused objects * remove some code that I left in by accident * add some comments, fix codeowners, fix duplicate registration * fix source of panic in resource middleware * Update client decorator test to provide an empty response object * create tests for caching middleware * fix unit test * Update pkg/services/caching/service.go Co-authored-by: Arati R. <33031346+suntala@users.noreply.github.com> * improve error message in error log * quick docs update * Remove use of mockery. Update return signature to return an explicit hit/miss bool * create unit test for empty request context * rename caching metrics to make it clear they pertain to caching * Update pkg/services/pluginsintegration/clientmiddleware/caching_middleware.go Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Add clarifying comments to cache skip middleware func * Add comment pointing to the resource cache update call * fix unit tests (missing dependency) * try to fix mystery syntax error * fix a panic * Caching: Introduce feature toggle to caching service refactor (#66323) * introduce new feature toggle * hide calls to new service behind a feature flag * remove licensing flag from toggle (misunderstood what it was for) * fix unit tests * rerun toggle gen --------- Co-authored-by: Arati R. <33031346+suntala@users.noreply.github.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
2 years ago
SkipDSCache: true,
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
}
RBAC: Redirect to /login when forceLogin is set (#56469)
3 years ago
for _, modifier := range modifiers {
modifier(reqCtx)
}
pkg/web: restrict handler types (#48495) Makes `pkg/web` only accept handles from the following set: ```go handlerStd = func(http.ResponseWriter, *http.Request) handlerStdCtx = func(http.ResponseWriter, *http.Request, *web.Context) handlerStdReqCtx = func(http.ResponseWriter, *http.Request, *models.ReqContext) handlerReqCtx = func(*models.ReqContext) handlerReqCtxRes = func(*models.ReqContext) Response handlerCtx = func(*web.Context) ``` This is a first step to reducing above set to only `http.Handler`. --- Due to a cyclic import situation between `pkg/models` and `pkg/web`, parts of this PR were put into `pkg/api/response`, even though they definitely do not belong there. This however is _temporary_ until we untangle `models.ReqContext`.
3 years ago
c.Req = c.Req.WithContext(ctxkey.Set(c.Req.Context(), reqCtx))
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
}
}