apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
56159 Commits
1680 Branches
645 Tags
2.2 GiB
Tag: Branch: Tree: 86e8147df3
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '86e8147df3'
${ noResults }
grafana/pkg/services/annotations/accesscontrol/accesscontrol_test.go

195 lines
6.7 KiB
Raw Normal View History Unescape

Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2 years ago
package accesscontrol
import (
"context"
"fmt"
"testing"
Annotations: Improve query performance when using dashboard filter (#83112) * Annotations: Improve query performance when using dashboard filter * Add dashboard id filter
2 years ago
"github.com/stretchr/testify/require"
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2 years ago
"github.com/grafana/grafana/pkg/components/simplejson"
"github.com/grafana/grafana/pkg/infra/db"
"github.com/grafana/grafana/pkg/services/accesscontrol"
Annotations: Improve query performance when using dashboard filter (#83112) * Annotations: Improve query performance when using dashboard filter * Add dashboard id filter
2 years ago
"github.com/grafana/grafana/pkg/services/annotations"
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2 years ago
"github.com/grafana/grafana/pkg/services/annotations/testutil"
"github.com/grafana/grafana/pkg/services/dashboards"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/user"
Chore: Update test database initialization (#81673) * streamline initialization of test databases, support on-disk sqlite test db * clean up test databases * introduce testsuite helper * use testsuite everywhere we use a test db * update documentation * improve error handling * disable entity integration test until we can figure out locking error
2 years ago
"github.com/grafana/grafana/pkg/tests/testsuite"
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2 years ago
)
Chore: Update test database initialization (#81673) * streamline initialization of test databases, support on-disk sqlite test db * clean up test databases * introduce testsuite helper * use testsuite everywhere we use a test db * update documentation * improve error handling * disable entity integration test until we can figure out locking error
2 years ago
func TestMain(m *testing.M) {
testsuite.Run(m)
}
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2 years ago
func TestIntegrationAuthorize(t *testing.T) {
if testing.Short() {
t.Skip("skipping integration test")
}
Revert read replica POC (#93551) * Revert "chore: add replDB to team service (#91799)" This reverts commit c6ae2d7999aa6fc797db39e9d66c6fea70278f83. * Revert "experiment: use read replica for Get and Find Dashboards (#91706)" This reverts commit 54177ca619dbb5ded2dcb158405802d8dbdbc982. * Revert "QuotaService: refactor to use ReplDB for Get queries (#91333)" This reverts commit 299c142f6a6e8c5673cfdea9f87b56ac304f9834. * Revert "refactor replCfg to look more like plugins/plugin config (#91142)" This reverts commit ac0b4bb34d495914cbe8daad85b7c75c31e8070d. * Revert "chore (replstore): fix registration with multiple sql drivers, again (#90990)" This reverts commit daedb358dded00d349d9fac6106aaaa6bf18322e. * Revert "Chore (sqlstore): add validation and testing for repl config (#90683)" This reverts commit af19f039b62d9945377292a8e679ee258fd56b3d. * Revert "ReplStore: Add support for round robin load balancing between multiple read replicas (#90530)" This reverts commit 27b52b1507f5218a7b38046b4d96bc004d949d46. * Revert "DashboardStore: Use ReplDB and get dashboard quotas from the ReadReplica (#90235)" This reverts commit 8a6107cd35f6444c0674ee4230d3d6bcfbbd4a58. * Revert "accesscontrol service read replica (#89963)" This reverts commit 77a4869fcadf13827d76d5767d4de74812d6dd6d. * Revert "Fix: add mapping for the new mysqlRepl driver (#89551)" This reverts commit ab5a079bcc5b0f0a6929f0a3742eb2859d4a3498. * Revert "fix: sql instrumentation dual registration error (#89508)" This reverts commit d988f5c3b064fade6e96511e0024190c22d48e50. * Revert "Experimental Feature Toggle: databaseReadReplica (#89232)" This reverts commit 50244ed4a1435cbf3e3c87d4af34fd7937f7c259.
1 year ago
sql, cfg := db.InitTestDBWithCfg(t)
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2 years ago
Chore: Replace sqlstore with db interface (#85366) * replace sqlstore with db interface in a few packages * remove from stats * remove sqlstore in admin test * remove sqlstore from api plugin tests * fix another createUser * remove sqlstore in publicdashboards * remove sqlstore from orgs * clean up orguser test * more clean up in sso * clean up service accounts * further cleanup * more cleanup in accesscontrol * last cleanup in accesscontrol * clean up teams * more removals * split cfg from db in testenv * few remaining fixes * fix test with bus * pass cfg for testing inside db as an option * set query retries when no opts provided * revert golden test data * rebase and rollback
2 years ago
dash1 := testutil.CreateDashboard(t, sql, cfg, featuremgmt.WithFeatures(), dashboards.SaveDashboardCommand{
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2 years ago
UserID: 1,
OrgID: 1,
Dashboard: simplejson.NewFromAny(map[string]any{
"title": "Dashboard 1",
}),
})
Chore: Replace sqlstore with db interface (#85366) * replace sqlstore with db interface in a few packages * remove from stats * remove sqlstore in admin test * remove sqlstore from api plugin tests * fix another createUser * remove sqlstore in publicdashboards * remove sqlstore from orgs * clean up orguser test * more clean up in sso * clean up service accounts * further cleanup * more cleanup in accesscontrol * last cleanup in accesscontrol * clean up teams * more removals * split cfg from db in testenv * few remaining fixes * fix test with bus * pass cfg for testing inside db as an option * set query retries when no opts provided * revert golden test data * rebase and rollback
2 years ago
dash2 := testutil.CreateDashboard(t, sql, cfg, featuremgmt.WithFeatures(), dashboards.SaveDashboardCommand{
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2 years ago
UserID: 1,
OrgID: 1,
Dashboard: simplejson.NewFromAny(map[string]any{
"title": "Dashboard 2",
}),
})
u := &user.SignedInUser{
UserID: 1,
OrgID: 1,
}
role := testutil.SetupRBACRole(t, sql, u)
type testCase struct {
name string
permissions map[string][]string
RBAC: Change annotation filter to use dashboard based annotation scopes (#78635) change annotation filter to use dash based annotation scopes
2 years ago
featureToggle string
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2 years ago
expectedResources *AccessResources
expectedErr error
}
testCases := []testCase{
{
name: "should have both scopes and all dashboards",
permissions: map[string][]string{
accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsAll},
dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll},
},
expectedResources: &AccessResources{
RBAC: Change annotation filter to use dashboard based annotation scopes (#78635) change annotation filter to use dash based annotation scopes
2 years ago
Dashboards: map[string]int64{dash1.UID: dash1.ID, dash2.UID: dash2.ID},
CanAccessOrgAnnotations: true,
CanAccessDashAnnotations: true,
},
},
{
name: "should have no dashboards if missing annotation read permission on dashboards and FlagAnnotationPermissionUpdate is enabled",
permissions: map[string][]string{
accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsAll},
dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll},
},
featureToggle: featuremgmt.FlagAnnotationPermissionUpdate,
expectedResources: &AccessResources{
Dashboards: nil,
CanAccessOrgAnnotations: true,
CanAccessDashAnnotations: true,
},
},
{
name: "should have dashboard and organization scope and all dashboards if FlagAnnotationPermissionUpdate is enabled",
permissions: map[string][]string{
accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsTypeOrganization, dashboards.ScopeDashboardsAll},
},
featureToggle: featuremgmt.FlagAnnotationPermissionUpdate,
expectedResources: &AccessResources{
Dashboards: map[string]int64{dash1.UID: dash1.ID, dash2.UID: dash2.ID},
CanAccessOrgAnnotations: true,
CanAccessDashAnnotations: true,
},
},
{
name: "should have dashboard and organization scope and all dashboards if FlagAnnotationPermissionUpdate is enabled and folder based scope is used",
permissions: map[string][]string{
accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsTypeOrganization, dashboards.ScopeFoldersAll},
},
featureToggle: featuremgmt.FlagAnnotationPermissionUpdate,
expectedResources: &AccessResources{
Dashboards: map[string]int64{dash1.UID: dash1.ID, dash2.UID: dash2.ID},
CanAccessOrgAnnotations: true,
CanAccessDashAnnotations: true,
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2 years ago
},
},
{
name: "should have only organization scope and no dashboards",
permissions: map[string][]string{
accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsTypeOrganization},
dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll},
},
expectedResources: &AccessResources{
RBAC: Change annotation filter to use dashboard based annotation scopes (#78635) change annotation filter to use dash based annotation scopes
2 years ago
Dashboards: nil,
CanAccessOrgAnnotations: true,
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2 years ago
},
},
{
name: "should have only dashboard scope and all dashboards",
permissions: map[string][]string{
accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsTypeDashboard},
dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll},
},
expectedResources: &AccessResources{
RBAC: Change annotation filter to use dashboard based annotation scopes (#78635) change annotation filter to use dash based annotation scopes
2 years ago
Dashboards: map[string]int64{dash1.UID: dash1.ID, dash2.UID: dash2.ID},
CanAccessDashAnnotations: true,
},
},
{
name: "should have only dashboard scope and all dashboards if FlagAnnotationPermissionUpdate is enabled",
permissions: map[string][]string{
accesscontrol.ActionAnnotationsRead: {dashboards.ScopeDashboardsAll},
},
featureToggle: featuremgmt.FlagAnnotationPermissionUpdate,
expectedResources: &AccessResources{
Dashboards: map[string]int64{dash1.UID: dash1.ID, dash2.UID: dash2.ID},
CanAccessOrgAnnotations: false,
CanAccessDashAnnotations: true,
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2 years ago
},
},
{
name: "should have only dashboard scope and only dashboard 1",
permissions: map[string][]string{
accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsTypeDashboard},
dashboards.ActionDashboardsRead: {fmt.Sprintf("dashboards:uid:%s", dash1.UID)},
},
expectedResources: &AccessResources{
RBAC: Change annotation filter to use dashboard based annotation scopes (#78635) change annotation filter to use dash based annotation scopes
2 years ago
Dashboards: map[string]int64{dash1.UID: dash1.ID},
CanAccessDashAnnotations: true,
},
},
{
name: "should have only dashboard scope and only dashboard 1 if FlagAnnotationPermissionUpdate is enabled",
permissions: map[string][]string{
accesscontrol.ActionAnnotationsRead: {dashboards.ScopeDashboardsProvider.GetResourceScopeUID(dash1.UID)},
},
featureToggle: featuremgmt.FlagAnnotationPermissionUpdate,
expectedResources: &AccessResources{
Dashboards: map[string]int64{dash1.UID: dash1.ID},
CanAccessOrgAnnotations: false,
CanAccessDashAnnotations: true,
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2 years ago
},
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
u.Permissions = map[int64]map[string][]string{1: tc.permissions}
testutil.SetupRBACPermission(t, sql, role, u)
RBAC: Change annotation filter to use dashboard based annotation scopes (#78635) change annotation filter to use dash based annotation scopes
2 years ago
authz := NewAuthService(sql, featuremgmt.WithFeatures(tc.featureToggle))
Annotations: Fix composite store read (#94158) * Annotations: Fix composite store read * Add test * check error
1 year ago
query := annotations.ItemQuery{SignedInUser: u, OrgID: 1}
Annotations: Optimize search by tags (#93547) * Annotations: Optimize search on large number of dashboards * refactor * fix batch size * Return early if no annotations found * revert go.mod * return nil in case of error * Move default limit to the API package * fix empty access control filter * Set default limit to 100 * optimize query when number of annotations is less than limit * Update pkg/services/annotations/annotationsimpl/annotations.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * remove limit from store since it's set in API * set default limit in Find method (do not break tests) * Only add limit to the query if it's set * use limit trick for all searches without dashboard filter * set default page if not provided --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
1 year ago
resources, err := authz.Authorize(context.Background(), query)
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2 years ago
require.NoError(t, err)
if tc.expectedResources.Dashboards != nil {
require.Equal(t, tc.expectedResources.Dashboards, resources.Dashboards)
}
RBAC: Change annotation filter to use dashboard based annotation scopes (#78635) change annotation filter to use dash based annotation scopes
2 years ago
require.Equal(t, tc.expectedResources.CanAccessDashAnnotations, resources.CanAccessDashAnnotations)
require.Equal(t, tc.expectedResources.CanAccessOrgAnnotations, resources.CanAccessOrgAnnotations)
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2 years ago
if tc.expectedErr != nil {
require.Equal(t, tc.expectedErr, err)
}
})
}
}