apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
58853 Commits
2186 Branches
608 Tags
1.9 GiB
Tag: Branch: Tree: 94ee07eebf
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '94ee07eebf'
${ noResults }
grafana/pkg/services/authn/authnimpl/sync/user_sync_test.go

1050 lines
30 KiB
Raw Normal View History Unescape

AuthN: Add post auth hook for oauth token refresh (#61608) * AuthN: rename package to sync * AuthN: rename sync files * Ouath: Add mock for OauthTokenService * AuthN: Implement access token refresh hook * AuthN: remove feature check from hook * AuthN: register post auth hook for oauth token refresh
2 years ago
package sync
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
import (
"context"
SCIM: Add access control for non provisioned users (#103596) * Add hook to validate access for users based on provisioning logic * Wire the hook * Add tests * declare new variables for errors * rework the authorization flow for provisioned users * Add scim feature to testinfra opts * Grant access if the identity doesn't have associated a user * skip external uid check for subsequent calls * Update tests
3 months ago
"errors"
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
"testing"
AuthN: Extract enable disabled users logic to its own hook (#63628)
2 years ago
"github.com/stretchr/testify/assert"
AuthN: Refetch user on "ErrUserAlreadyExists" (#100346) * AuthN: Refetch user on "ErrUserAlreadyExists"
5 months ago
"github.com/stretchr/testify/mock"
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2 years ago
"github.com/stretchr/testify/require"
Authlib: Use types package rather than claims (#99243)
5 months ago
claims "github.com/grafana/authlib/types"
SCIM: Add access control for non provisioned users (#103596) * Add hook to validate access for users based on provisioning logic * Wire the hook * Add tests * declare new variables for errors * rework the authorization flow for provisioned users * Add scim feature to testinfra opts * Grant access if the identity doesn't have associated a user * skip external uid check for subsequent calls * Update tests
3 months ago
"github.com/grafana/grafana/pkg/infra/log"
Add auth spans and remove deduplication code for scopes (#89804) Adds more spans for timing in accesscontrol and remove permission deduplicating code after benchmarking --------- Signed-off-by: Dave Henderson <dave.henderson@grafana.com> Co-authored-by: Dave Henderson <dave.henderson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
1 year ago
"github.com/grafana/grafana/pkg/infra/tracing"
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
"github.com/grafana/grafana/pkg/services/authn"
OAuth: Use the attached external session data in OAuthToken and OAuthTokenSync (#96655) * wip * wip + tests * wip * wip opt2 * Use authn.Identity struct's SessionToken * Merge fixes * Handle disabling the feature flag correctly * Fix test * Cleanup * Remove HasOAuthEntry from the OAuthTokenService interface * Remove unused function
7 months ago
"github.com/grafana/grafana/pkg/services/featuremgmt"
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
"github.com/grafana/grafana/pkg/services/login"
Login: refactor auth info package (#78459) * Remove unused stats and metrics * No longer collect metrics * Remove unused dependency * Move database from sub package
2 years ago
"github.com/grafana/grafana/pkg/services/login/authinfoimpl"
"github.com/grafana/grafana/pkg/services/login/authinfotest"
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
"github.com/grafana/grafana/pkg/services/quota"
"github.com/grafana/grafana/pkg/services/quota/quotatest"
"github.com/grafana/grafana/pkg/services/user"
"github.com/grafana/grafana/pkg/services/user/usertest"
SCIM: Add access control for non provisioned users (#103596) * Add hook to validate access for users based on provisioning logic * Wire the hook * Add tests * declare new variables for errors * rework the authorization flow for provisioned users * Add scim feature to testinfra opts * Grant access if the identity doesn't have associated a user * skip external uid check for subsequent calls * Update tests
3 months ago
"github.com/grafana/grafana/pkg/setting"
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
)
func ptrString(s string) *string {
return &s
}
func ptrBool(b bool) *bool {
return &b
}
AuthN: Cleanup authn package (#63456) * AuthN: Update comments for ClientParams * AuthN: Update flag name from SyncTeamMembers to SyncTeams * UserSync: rename function and fix order of parameters so it is correct * UserSync: Fix so we skip check if no authModule or authID is passed * UserSync: move quota check to create user function * UserSync: Move FetchSyncedUserHook to UserSync * UserSync: Move last seen user hook to user sync service * ApiKey: Implement last seen hook as a client hook instead
2 years ago
func TestUserSync_SyncUserHook(t *testing.T) {
Login: refactor auth info package (#78459) * Remove unused stats and metrics * No longer collect metrics * Remove unused dependency * Move database from sub package
2 years ago
userProtection := &authinfoimpl.OSSUserProtectionImpl{}
AuthN: Readd user protection service to user sync (#61534) * add user protection service to user sync * fix tests
2 years ago
Login: refactor auth info package (#78459) * Remove unused stats and metrics * No longer collect metrics * Remove unused dependency * Move database from sub package
2 years ago
authFakeNil := &authinfotest.FakeService{
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
ExpectedError: user.ErrUserNotFound,
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2 years ago
SetAuthInfoFn: func(ctx context.Context, cmd *login.SetAuthInfoCommand) error {
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
return nil
},
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2 years ago
UpdateAuthInfoFn: func(ctx context.Context, cmd *login.UpdateAuthInfoCommand) error {
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
return nil
},
}
Login: refactor auth info package (#78459) * Remove unused stats and metrics * No longer collect metrics * Remove unused dependency * Move database from sub package
2 years ago
authFakeUserID := &authinfotest.FakeService{
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
ExpectedError: nil,
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2 years ago
ExpectedUserAuth: &login.UserAuth{
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
AuthModule: "oauth",
AuthId: "2032",
UserId: 1,
OAuth: Use the attached external session data in OAuthToken and OAuthTokenSync (#96655) * wip * wip + tests * wip * wip opt2 * Use authn.Identity struct's SessionToken * Merge fixes * Handle disabling the feature flag correctly * Fix test * Cleanup * Remove HasOAuthEntry from the OAuthTokenService interface * Remove unused function
7 months ago
Id: 1,
},
}
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
userService := &usertest.FakeUserService{ExpectedUser: &user.User{
ID: 1,
AuthN: Set uid during authentication (#87797) * Identity: Remove GetNamespacedUID and use GetUID instead * Authn: Set uid for users and service accounts
1 year ago
UID: "1",
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
Login: "test",
Name: "test",
Email: "test",
}}
userServiceMod := &usertest.FakeUserService{ExpectedUser: &user.User{
ID: 3,
AuthN: Set uid during authentication (#87797) * Identity: Remove GetNamespacedUID and use GetUID instead * Authn: Set uid for users and service accounts
1 year ago
UID: "3",
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
Login: "test",
Name: "test",
Email: "test",
IsDisabled: true,
IsAdmin: false,
}}
AuthN: reset email verified on email change (#85643) * AuthN: reset email verified on email change Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>
1 year ago
userServiceEmailMod := &usertest.FakeUserService{ExpectedUser: &user.User{
ID: 3,
AuthN: Set uid during authentication (#87797) * Identity: Remove GetNamespacedUID and use GetUID instead * Authn: Set uid for users and service accounts
1 year ago
UID: "3",
AuthN: reset email verified on email change (#85643) * AuthN: reset email verified on email change Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>
1 year ago
Login: "test",
Name: "test",
Email: "test@test.com",
EmailVerified: true,
IsDisabled: true,
IsAdmin: false,
}}
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
userServiceNil := &usertest.FakeUserService{
ExpectedError: user.ErrUserNotFound,
CreateFn: func(ctx context.Context, cmd *user.CreateUserCommand) (*user.User, error) {
return &user.User{
ID: 2,
AuthN: Set uid during authentication (#87797) * Identity: Remove GetNamespacedUID and use GetUID instead * Authn: Set uid for users and service accounts
1 year ago
UID: "2",
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
Login: cmd.Login,
Name: cmd.Name,
Email: cmd.Email,
IsAdmin: cmd.IsAdmin,
}, nil
},
}
type fields struct {
userService user.Service
authInfoService login.AuthInfoService
quotaService quota.Service
}
type args struct {
AuthN: Make client params part of the identity (#61050) * AuthN: Change client params to be a return value of authenticate * AuthN: move client params to be part of the identity
3 years ago
ctx context.Context
id *authn.Identity
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
}
tests := []struct {
name string
fields fields
args args
wantErr bool
wantID *authn.Identity
}{
{
name: "no sync",
fields: fields{
userService: userService,
authInfoService: authFakeNil,
quotaService: &quotatest.FakeQuotaService{},
},
args: args{
ctx: context.Background(),
id: &authn.Identity{
Login: "test",
Name: "test",
Email: "test",
Authn: JWT client (#61157) * add jwt client * alias JWT verifier * debug implementation * add tests for jwt client * add constant for JWT module * Feedback Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
3 years ago
ClientParams: authn.ClientParams{
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2 years ago
LookUpParams: login.UserLookupParams{
User: Fix GetByID (#86282) * Auth: Remove unused lookup param * Remove case sensitive lookup for GetByID
1 year ago
Email: ptrString("test"),
Login: nil,
Authn: JWT client (#61157) * add jwt client * alias JWT verifier * debug implementation * add tests for jwt client * add constant for JWT module * Feedback Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
3 years ago
},
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
},
},
},
wantErr: false,
wantID: &authn.Identity{
Login: "test",
Name: "test",
Email: "test",
Authn: JWT client (#61157) * add jwt client * alias JWT verifier * debug implementation * add tests for jwt client * add constant for JWT module * Feedback Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
3 years ago
ClientParams: authn.ClientParams{
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2 years ago
LookUpParams: login.UserLookupParams{
User: Fix GetByID (#86282) * Auth: Remove unused lookup param * Remove case sensitive lookup for GetByID
1 year ago
Email: ptrString("test"),
Login: nil,
Authn: JWT client (#61157) * add jwt client * alias JWT verifier * debug implementation * add tests for jwt client * add constant for JWT module * Feedback Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
3 years ago
},
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
},
},
},
{
name: "sync - user found in DB - by email",
fields: fields{
userService: userService,
authInfoService: authFakeNil,
quotaService: &quotatest.FakeQuotaService{},
},
args: args{
ctx: context.Background(),
id: &authn.Identity{
Login: "test",
Name: "test",
Email: "test",
AuthN: Make client params part of the identity (#61050) * AuthN: Change client params to be a return value of authenticate * AuthN: move client params to be part of the identity
3 years ago
ClientParams: authn.ClientParams{
SyncUser: true,
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2 years ago
LookUpParams: login.UserLookupParams{
User: Fix GetByID (#86282) * Auth: Remove unused lookup param * Remove case sensitive lookup for GetByID
1 year ago
Email: ptrString("test"),
Login: nil,
Authn: JWT client (#61157) * add jwt client * alias JWT verifier * debug implementation * add tests for jwt client * add constant for JWT module * Feedback Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
3 years ago
},
AuthN: Make client params part of the identity (#61050) * AuthN: Change client params to be a return value of authenticate * AuthN: move client params to be part of the identity
3 years ago
},
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
},
},
wantErr: false,
wantID: &authn.Identity{
Identity: Remove typed id (#91801) * Refactor identity struct to store type in separate field * Update ResolveIdentity to take string representation of typedID * Add IsIdentityType to requester interface * Use IsIdentityType from interface * Remove usage of TypedID * Remote typedID struct * fix GetInternalID
11 months ago
ID: "1",
UID: "1",
Type: claims.TypeUser,
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
Login: "test",
Name: "test",
Email: "test",
IsGrafanaAdmin: ptrBool(false),
AuthN: Make client params part of the identity (#61050) * AuthN: Change client params to be a return value of authenticate * AuthN: move client params to be part of the identity
3 years ago
ClientParams: authn.ClientParams{
SyncUser: true,
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2 years ago
LookUpParams: login.UserLookupParams{
User: Fix GetByID (#86282) * Auth: Remove unused lookup param * Remove case sensitive lookup for GetByID
1 year ago
Email: ptrString("test"),
Login: nil,
Authn: JWT client (#61157) * add jwt client * alias JWT verifier * debug implementation * add tests for jwt client * add constant for JWT module * Feedback Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
3 years ago
},
AuthN: Make client params part of the identity (#61050) * AuthN: Change client params to be a return value of authenticate * AuthN: move client params to be part of the identity
3 years ago
},
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
},
},
{
name: "sync - user found in DB - by login",
fields: fields{
userService: userService,
authInfoService: authFakeNil,
quotaService: &quotatest.FakeQuotaService{},
},
args: args{
ctx: context.Background(),
id: &authn.Identity{
Login: "test",
Name: "test",
Email: "test",
AuthN: Make client params part of the identity (#61050) * AuthN: Change client params to be a return value of authenticate * AuthN: move client params to be part of the identity
3 years ago
ClientParams: authn.ClientParams{
SyncUser: true,
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2 years ago
LookUpParams: login.UserLookupParams{
User: Fix GetByID (#86282) * Auth: Remove unused lookup param * Remove case sensitive lookup for GetByID
1 year ago
Email: nil,
Login: ptrString("test"),
Authn: JWT client (#61157) * add jwt client * alias JWT verifier * debug implementation * add tests for jwt client * add constant for JWT module * Feedback Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
3 years ago
},
AuthN: Make client params part of the identity (#61050) * AuthN: Change client params to be a return value of authenticate * AuthN: move client params to be part of the identity
3 years ago
},
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
},
},
wantErr: false,
wantID: &authn.Identity{
Identity: Remove typed id (#91801) * Refactor identity struct to store type in separate field * Update ResolveIdentity to take string representation of typedID * Add IsIdentityType to requester interface * Use IsIdentityType from interface * Remove usage of TypedID * Remote typedID struct * fix GetInternalID
11 months ago
ID: "1",
UID: "1",
Type: claims.TypeUser,
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
Login: "test",
Name: "test",
Email: "test",
IsGrafanaAdmin: ptrBool(false),
AuthN: Make client params part of the identity (#61050) * AuthN: Change client params to be a return value of authenticate * AuthN: move client params to be part of the identity
3 years ago
ClientParams: authn.ClientParams{
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2 years ago
LookUpParams: login.UserLookupParams{
User: Fix GetByID (#86282) * Auth: Remove unused lookup param * Remove case sensitive lookup for GetByID
1 year ago
Email: nil,
Login: ptrString("test"),
AuthN: Make client params part of the identity (#61050) * AuthN: Change client params to be a return value of authenticate * AuthN: move client params to be part of the identity
3 years ago
},
SyncUser: true,
},
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
},
},
{
name: "sync - user found in authInfo",
fields: fields{
userService: userService,
authInfoService: authFakeUserID,
quotaService: &quotatest.FakeQuotaService{},
},
args: args{
ctx: context.Background(),
id: &authn.Identity{
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
AuthID: "2032",
AuthenticatedBy: "oauth",
Login: "test",
Name: "test",
Email: "test",
AuthN: Make client params part of the identity (#61050) * AuthN: Change client params to be a return value of authenticate * AuthN: move client params to be part of the identity
3 years ago
ClientParams: authn.ClientParams{
SyncUser: true,
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2 years ago
LookUpParams: login.UserLookupParams{
User: Fix GetByID (#86282) * Auth: Remove unused lookup param * Remove case sensitive lookup for GetByID
1 year ago
Email: nil,
Login: nil,
Authn: JWT client (#61157) * add jwt client * alias JWT verifier * debug implementation * add tests for jwt client * add constant for JWT module * Feedback Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
3 years ago
},
AuthN: Make client params part of the identity (#61050) * AuthN: Change client params to be a return value of authenticate * AuthN: move client params to be part of the identity
3 years ago
},
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
},
},
wantErr: false,
wantID: &authn.Identity{
Identity: Remove typed id (#91801) * Refactor identity struct to store type in separate field * Update ResolveIdentity to take string representation of typedID * Add IsIdentityType to requester interface * Use IsIdentityType from interface * Remove usage of TypedID * Remote typedID struct * fix GetInternalID
11 months ago
ID: "1",
UID: "1",
Type: claims.TypeUser,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
AuthID: "2032",
AuthenticatedBy: "oauth",
Login: "test",
Name: "test",
Email: "test",
IsGrafanaAdmin: ptrBool(false),
AuthN: Make client params part of the identity (#61050) * AuthN: Change client params to be a return value of authenticate * AuthN: move client params to be part of the identity
3 years ago
ClientParams: authn.ClientParams{
SyncUser: true,
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2 years ago
LookUpParams: login.UserLookupParams{
User: Fix GetByID (#86282) * Auth: Remove unused lookup param * Remove case sensitive lookup for GetByID
1 year ago
Email: nil,
Login: nil,
Authn: JWT client (#61157) * add jwt client * alias JWT verifier * debug implementation * add tests for jwt client * add constant for JWT module * Feedback Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
3 years ago
},
AuthN: Make client params part of the identity (#61050) * AuthN: Change client params to be a return value of authenticate * AuthN: move client params to be part of the identity
3 years ago
},
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
},
},
{
name: "sync - user needs to be created - disabled signup",
fields: fields{
userService: userService,
authInfoService: authFakeNil,
quotaService: &quotatest.FakeQuotaService{},
},
args: args{
ctx: context.Background(),
id: &authn.Identity{
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
Login: "test",
Name: "test",
Email: "test",
AuthenticatedBy: "oauth",
AuthID: "2032",
AuthN: Make client params part of the identity (#61050) * AuthN: Change client params to be a return value of authenticate * AuthN: move client params to be part of the identity
3 years ago
ClientParams: authn.ClientParams{
SyncUser: true,
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2 years ago
LookUpParams: login.UserLookupParams{
User: Fix GetByID (#86282) * Auth: Remove unused lookup param * Remove case sensitive lookup for GetByID
1 year ago
Email: nil,
Login: nil,
Authn: JWT client (#61157) * add jwt client * alias JWT verifier * debug implementation * add tests for jwt client * add constant for JWT module * Feedback Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
3 years ago
},
AuthN: Make client params part of the identity (#61050) * AuthN: Change client params to be a return value of authenticate * AuthN: move client params to be part of the identity
3 years ago
},
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
},
},
wantErr: true,
},
{
name: "sync - user needs to be created - enabled signup",
fields: fields{
userService: userServiceNil,
authInfoService: authFakeNil,
quotaService: &quotatest.FakeQuotaService{},
},
args: args{
ctx: context.Background(),
id: &authn.Identity{
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
Login: "test_create",
Name: "test_create",
IsGrafanaAdmin: ptrBool(true),
Email: "test_create",
AuthenticatedBy: "oauth",
AuthID: "2032",
AuthN: Make client params part of the identity (#61050) * AuthN: Change client params to be a return value of authenticate * AuthN: move client params to be part of the identity
3 years ago
ClientParams: authn.ClientParams{
AuthN: Change EnableDisabledUserHook to EnableUserHook (#75248) * Replace the enable disable user hook by a hook that systematically enable users * Fix tests * Remove the skip test
2 years ago
SyncUser: true,
AllowSignUp: true,
EnableUser: true,
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2 years ago
LookUpParams: login.UserLookupParams{
User: Fix GetByID (#86282) * Auth: Remove unused lookup param * Remove case sensitive lookup for GetByID
1 year ago
Email: ptrString("test_create"),
Login: nil,
Authn: JWT client (#61157) * add jwt client * alias JWT verifier * debug implementation * add tests for jwt client * add constant for JWT module * Feedback Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
3 years ago
},
AuthN: Make client params part of the identity (#61050) * AuthN: Change client params to be a return value of authenticate * AuthN: move client params to be part of the identity
3 years ago
},
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
},
},
wantErr: false,
wantID: &authn.Identity{
Identity: Remove typed id (#91801) * Refactor identity struct to store type in separate field * Update ResolveIdentity to take string representation of typedID * Add IsIdentityType to requester interface * Use IsIdentityType from interface * Remove usage of TypedID * Remote typedID struct * fix GetInternalID
11 months ago
ID: "2",
UID: "2",
Type: claims.TypeUser,
AuthZ: Extend /api/search to work with self-contained permissions (#70749) * Search sql filter draft, unfinished * Search works for empty roles * Add current AuthModule to SignedInUser * clean up, changes to the search * Use constant prefixes * Change AuthModule to AuthenticatedBy * Add tests for using the permissions from the SignedInUser * Refactor and simplify code * Fix sql generation for pg and mysql * Fixes, clean up * Add test for empty permission list * Fix * Fix any vs all in case of edit permission * Update pkg/services/authn/authn.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/sqlstore/permissions/dashboard_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Fixes, changes based on the review --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
Login: "test_create",
Name: "test_create",
Email: "test_create",
AuthenticatedBy: "oauth",
AuthID: "2032",
IsGrafanaAdmin: ptrBool(true),
AuthN: Make client params part of the identity (#61050) * AuthN: Change client params to be a return value of authenticate * AuthN: move client params to be part of the identity
3 years ago
ClientParams: authn.ClientParams{
AuthN: Change EnableDisabledUserHook to EnableUserHook (#75248) * Replace the enable disable user hook by a hook that systematically enable users * Fix tests * Remove the skip test
2 years ago
SyncUser: true,
AllowSignUp: true,
EnableUser: true,
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2 years ago
LookUpParams: login.UserLookupParams{
User: Fix GetByID (#86282) * Auth: Remove unused lookup param * Remove case sensitive lookup for GetByID
1 year ago
Email: ptrString("test_create"),
Login: nil,
Authn: JWT client (#61157) * add jwt client * alias JWT verifier * debug implementation * add tests for jwt client * add constant for JWT module * Feedback Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
3 years ago
},
AuthN: Make client params part of the identity (#61050) * AuthN: Change client params to be a return value of authenticate * AuthN: move client params to be part of the identity
3 years ago
},
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
},
},
{
name: "sync - needs full update",
fields: fields{
userService: userServiceMod,
authInfoService: authFakeNil,
quotaService: &quotatest.FakeQuotaService{},
},
args: args{
ctx: context.Background(),
id: &authn.Identity{
Login: "test_mod",
Name: "test_mod",
Email: "test_mod",
IsDisabled: false,
IsGrafanaAdmin: ptrBool(true),
AuthN: Make client params part of the identity (#61050) * AuthN: Change client params to be a return value of authenticate * AuthN: move client params to be part of the identity
3 years ago
ClientParams: authn.ClientParams{
AuthN: Change EnableDisabledUserHook to EnableUserHook (#75248) * Replace the enable disable user hook by a hook that systematically enable users * Fix tests * Remove the skip test
2 years ago
SyncUser: true,
EnableUser: true,
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2 years ago
LookUpParams: login.UserLookupParams{
User: Fix GetByID (#86282) * Auth: Remove unused lookup param * Remove case sensitive lookup for GetByID
1 year ago
Email: nil,
Login: ptrString("test"),
Authn: JWT client (#61157) * add jwt client * alias JWT verifier * debug implementation * add tests for jwt client * add constant for JWT module * Feedback Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
3 years ago
},
AuthN: Make client params part of the identity (#61050) * AuthN: Change client params to be a return value of authenticate * AuthN: move client params to be part of the identity
3 years ago
},
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
},
},
wantErr: false,
wantID: &authn.Identity{
Identity: Remove typed id (#91801) * Refactor identity struct to store type in separate field * Update ResolveIdentity to take string representation of typedID * Add IsIdentityType to requester interface * Use IsIdentityType from interface * Remove usage of TypedID * Remote typedID struct * fix GetInternalID
11 months ago
ID: "3",
UID: "3",
Type: claims.TypeUser,
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
Login: "test_mod",
Name: "test_mod",
Email: "test_mod",
IsDisabled: false,
IsGrafanaAdmin: ptrBool(true),
AuthN: Make client params part of the identity (#61050) * AuthN: Change client params to be a return value of authenticate * AuthN: move client params to be part of the identity
3 years ago
ClientParams: authn.ClientParams{
AuthN: Change EnableDisabledUserHook to EnableUserHook (#75248) * Replace the enable disable user hook by a hook that systematically enable users * Fix tests * Remove the skip test
2 years ago
SyncUser: true,
EnableUser: true,
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service
2 years ago
LookUpParams: login.UserLookupParams{
User: Fix GetByID (#86282) * Auth: Remove unused lookup param * Remove case sensitive lookup for GetByID
1 year ago
Email: nil,
Login: ptrString("test"),
Authn: JWT client (#61157) * add jwt client * alias JWT verifier * debug implementation * add tests for jwt client * add constant for JWT module * Feedback Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
3 years ago
},
AuthN: Make client params part of the identity (#61050) * AuthN: Change client params to be a return value of authenticate * AuthN: move client params to be part of the identity
3 years ago
},
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
},
},
AuthN: reset email verified on email change (#85643) * AuthN: reset email verified on email change Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>
1 year ago
{
name: "sync - reset email verified on email change",
fields: fields{
userService: userServiceEmailMod,
authInfoService: authFakeNil,
quotaService: &quotatest.FakeQuotaService{},
},
args: args{
ctx: context.Background(),
id: &authn.Identity{
Login: "test",
Name: "test",
Email: "test_mod@test.com",
EmailVerified: true,
IsDisabled: false,
IsGrafanaAdmin: ptrBool(true),
ClientParams: authn.ClientParams{
SyncUser: true,
EnableUser: true,
LookUpParams: login.UserLookupParams{
User: Fix GetByID (#86282) * Auth: Remove unused lookup param * Remove case sensitive lookup for GetByID
1 year ago
Email: nil,
Login: ptrString("test"),
AuthN: reset email verified on email change (#85643) * AuthN: reset email verified on email change Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>
1 year ago
},
},
},
},
wantErr: false,
wantID: &authn.Identity{
Identity: Remove typed id (#91801) * Refactor identity struct to store type in separate field * Update ResolveIdentity to take string representation of typedID * Add IsIdentityType to requester interface * Use IsIdentityType from interface * Remove usage of TypedID * Remote typedID struct * fix GetInternalID
11 months ago
ID: "3",
UID: "3",
Type: claims.TypeUser,
AuthN: reset email verified on email change (#85643) * AuthN: reset email verified on email change Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>
1 year ago
Name: "test",
AuthN: Set uid during authentication (#87797) * Identity: Remove GetNamespacedUID and use GetUID instead * Authn: Set uid for users and service accounts
1 year ago
Login: "test",
AuthN: reset email verified on email change (#85643) * AuthN: reset email verified on email change Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>
1 year ago
Email: "test_mod@test.com",
IsDisabled: false,
EmailVerified: false,
IsGrafanaAdmin: ptrBool(true),
ClientParams: authn.ClientParams{
SyncUser: true,
EnableUser: true,
LookUpParams: login.UserLookupParams{
User: Fix GetByID (#86282) * Auth: Remove unused lookup param * Remove case sensitive lookup for GetByID
1 year ago
Email: nil,
Login: ptrString("test"),
AuthN: reset email verified on email change (#85643) * AuthN: reset email verified on email change Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>
1 year ago
},
},
},
},
Backport 105046 to 12.0.1 (#105337)
2 months ago
{
name: "SyncUserHook: Provisioned user, Incoming ExternalUID is empty, DB ExternalUID non-empty - expect errEmptyExternalUID",
fields: fields{
userService: &usertest.FakeUserService{ExpectedUser: &user.User{ID: 1, IsProvisioned: true}},
authInfoService: &authinfotest.FakeService{ExpectedUserAuth: &login.UserAuth{UserId: 1, AuthModule: login.SAMLAuthModule, ExternalUID: "db-uid"}},
quotaService: &quotatest.FakeQuotaService{},
},
args: args{
ctx: context.Background(),
id: &authn.Identity{
AuthID: "1",
AuthenticatedBy: login.SAMLAuthModule,
ExternalUID: "",
ClientParams: authn.ClientParams{SyncUser: true},
},
},
wantErr: true, // Expecting errEmptyExternalUID
},
{
name: "SyncUserHook: Provisioned user, Incoming ExternalUID is empty, DB ExternalUID also empty - expect errEmptyExternalUID",
fields: fields{
userService: &usertest.FakeUserService{ExpectedUser: &user.User{ID: 1, IsProvisioned: true}},
authInfoService: &authinfotest.FakeService{ExpectedUserAuth: &login.UserAuth{UserId: 1, AuthModule: login.SAMLAuthModule, ExternalUID: ""}}, // DB empty
quotaService: &quotatest.FakeQuotaService{},
},
args: args{
ctx: context.Background(),
id: &authn.Identity{
AuthID: "1",
AuthenticatedBy: login.SAMLAuthModule,
ExternalUID: "",
ClientParams: authn.ClientParams{SyncUser: true},
},
},
wantErr: true, // Expecting errEmptyExternalUID
},
{
name: "SyncUserHook: Provisioned user, Incoming and DB ExternalUIDs non-empty and mismatch - expect errMismatchedExternalUID",
fields: fields{
userService: &usertest.FakeUserService{ExpectedUser: &user.User{ID: 1, IsProvisioned: true}},
authInfoService: &authinfotest.FakeService{ExpectedUserAuth: &login.UserAuth{UserId: 1, AuthModule: login.SAMLAuthModule, ExternalUID: "db-uid"}},
quotaService: &quotatest.FakeQuotaService{},
},
args: args{
ctx: context.Background(),
id: &authn.Identity{
AuthID: "1",
AuthenticatedBy: login.SAMLAuthModule,
ExternalUID: "incoming-uid",
ClientParams: authn.ClientParams{SyncUser: true},
},
},
wantErr: true, // Expecting errMismatchedExternalUID
},
{
name: "SyncUserHook: Provisioned user, Incoming and DB ExternalUIDs non-empty and match - expect success",
fields: fields{
userService: &usertest.FakeUserService{ExpectedUser: &user.User{ID: 1, Login: "user1", Email: "user1@test.com", Name: "User One", IsProvisioned: true}},
authInfoService: &authinfotest.FakeService{ExpectedUserAuth: &login.UserAuth{UserId: 1, AuthModule: login.SAMLAuthModule, AuthId: "1", ExternalUID: "matching-uid"}},
quotaService: &quotatest.FakeQuotaService{},
},
args: args{
ctx: context.Background(),
id: &authn.Identity{
AuthID: "1",
AuthenticatedBy: login.SAMLAuthModule,
Login: "user1",
Email: "user1@test.com",
Name: "User One",
ExternalUID: "matching-uid",
ClientParams: authn.ClientParams{SyncUser: true},
},
},
wantErr: false,
wantID: &authn.Identity{
ID: "1",
UID: "",
Type: claims.TypeUser,
AuthID: "1",
AuthenticatedBy: login.SAMLAuthModule,
Login: "user1",
Email: "user1@test.com",
Name: "User One",
ExternalUID: "matching-uid",
IsGrafanaAdmin: ptrBool(false),
ClientParams: authn.ClientParams{SyncUser: true},
},
},
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
SCIM: Add access control for non provisioned users (#103596) * Add hook to validate access for users based on provisioning logic * Wire the hook * Add tests * declare new variables for errors * rework the authorization flow for provisioned users * Add scim feature to testinfra opts * Grant access if the identity doesn't have associated a user * skip external uid check for subsequent calls * Update tests
3 months ago
s := ProvideUserSync(tt.fields.userService, userProtection, tt.fields.authInfoService, tt.fields.quotaService, tracing.InitializeTracerForTest(), featuremgmt.WithFeatures(), setting.NewCfg())
AuthN: Cleanup authn package (#63456) * AuthN: Update comments for ClientParams * AuthN: Update flag name from SyncTeamMembers to SyncTeams * UserSync: rename function and fix order of parameters so it is correct * UserSync: Fix so we skip check if no authModule or authID is passed * UserSync: move quota check to create user function * UserSync: Move FetchSyncedUserHook to UserSync * UserSync: Move last seen user hook to user sync service * ApiKey: Implement last seen hook as a client hook instead
2 years ago
err := s.SyncUserHook(tt.args.ctx, tt.args.id, nil)
Authn: Refactor user sync and org sync as post auth hooks (#60504) * add user sync * add org user sync * add client params * merge remaining conflicts * remove change to report.go * update comments * add basic tests for user ID population * add tests for auth ID find * add tests for user sync create and update * add tests for orgsync * satisfy lint * add userID guards
3 years ago
if tt.wantErr {
require.Error(t, err)
return
}
require.NoError(t, err)
require.EqualValues(t, tt.wantID, tt.args.id)
})
}
}
AuthN: Cleanup authn package (#63456) * AuthN: Update comments for ClientParams * AuthN: Update flag name from SyncTeamMembers to SyncTeams * UserSync: rename function and fix order of parameters so it is correct * UserSync: Fix so we skip check if no authModule or authID is passed * UserSync: move quota check to create user function * UserSync: Move FetchSyncedUserHook to UserSync * UserSync: Move last seen user hook to user sync service * ApiKey: Implement last seen hook as a client hook instead
2 years ago
AuthN: Refetch user on "ErrUserAlreadyExists" (#100346) * AuthN: Refetch user on "ErrUserAlreadyExists"
5 months ago
func TestUserSync_SyncUserRetryFetch(t *testing.T) {
userSrv := usertest.NewMockService(t)
userSrv.On("GetByEmail", mock.Anything, mock.Anything).Return(nil, user.ErrUserNotFound).Once()
userSrv.On("Create", mock.Anything, mock.Anything).Return(nil, user.ErrUserAlreadyExists).Once()
userSrv.On("GetByEmail", mock.Anything, mock.Anything).Return(&user.User{ID: 1}, nil).Once()
s := ProvideUserSync(
userSrv,
authinfoimpl.ProvideOSSUserProtectionService(),
&authinfotest.FakeService{},
&quotatest.FakeQuotaService{},
tracing.NewNoopTracerService(),
featuremgmt.WithFeatures(),
SCIM: Add access control for non provisioned users (#103596) * Add hook to validate access for users based on provisioning logic * Wire the hook * Add tests * declare new variables for errors * rework the authorization flow for provisioned users * Add scim feature to testinfra opts * Grant access if the identity doesn't have associated a user * skip external uid check for subsequent calls * Update tests
3 months ago
setting.NewCfg(),
AuthN: Refetch user on "ErrUserAlreadyExists" (#100346) * AuthN: Refetch user on "ErrUserAlreadyExists"
5 months ago
)
email := "test@test.com"
err := s.SyncUserHook(context.Background(), &authn.Identity{
ClientParams: authn.ClientParams{
SyncUser: true,
AllowSignUp: true,
LookUpParams: login.UserLookupParams{
Email: &email,
},
},
}, nil)
require.NoError(t, err)
}
AuthN: Cleanup authn package (#63456) * AuthN: Update comments for ClientParams * AuthN: Update flag name from SyncTeamMembers to SyncTeams * UserSync: rename function and fix order of parameters so it is correct * UserSync: Fix so we skip check if no authModule or authID is passed * UserSync: move quota check to create user function * UserSync: Move FetchSyncedUserHook to UserSync * UserSync: Move last seen user hook to user sync service * ApiKey: Implement last seen hook as a client hook instead
2 years ago
func TestUserSync_FetchSyncedUserHook(t *testing.T) {
type testCase struct {
desc string
req *authn.Request
identity *authn.Identity
expectedErr error
}
tests := []testCase{
{
desc: "should skip hook when flag is not enabled",
req: &authn.Request{},
identity: &authn.Identity{ClientParams: authn.ClientParams{FetchSyncedUser: false}},
},
{
desc: "should skip hook when identity is not a user",
req: &authn.Request{},
Identity: Remove typed id (#91801) * Refactor identity struct to store type in separate field * Update ResolveIdentity to take string representation of typedID * Add IsIdentityType to requester interface * Use IsIdentityType from interface * Remove usage of TypedID * Remote typedID struct * fix GetInternalID
11 months ago
identity: &authn.Identity{ID: "1", Type: claims.TypeAPIKey, ClientParams: authn.ClientParams{FetchSyncedUser: true}},
AuthN: Cleanup authn package (#63456) * AuthN: Update comments for ClientParams * AuthN: Update flag name from SyncTeamMembers to SyncTeams * UserSync: rename function and fix order of parameters so it is correct * UserSync: Fix so we skip check if no authModule or authID is passed * UserSync: move quota check to create user function * UserSync: Move FetchSyncedUserHook to UserSync * UserSync: Move last seen user hook to user sync service * ApiKey: Implement last seen hook as a client hook instead
2 years ago
},
}
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
Add auth spans and remove deduplication code for scopes (#89804) Adds more spans for timing in accesscontrol and remove permission deduplicating code after benchmarking --------- Signed-off-by: Dave Henderson <dave.henderson@grafana.com> Co-authored-by: Dave Henderson <dave.henderson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
1 year ago
s := UserSync{
tracer: tracing.InitializeTracerForTest(),
}
AuthN: Cleanup authn package (#63456) * AuthN: Update comments for ClientParams * AuthN: Update flag name from SyncTeamMembers to SyncTeams * UserSync: rename function and fix order of parameters so it is correct * UserSync: Fix so we skip check if no authModule or authID is passed * UserSync: move quota check to create user function * UserSync: Move FetchSyncedUserHook to UserSync * UserSync: Move last seen user hook to user sync service * ApiKey: Implement last seen hook as a client hook instead
2 years ago
err := s.FetchSyncedUserHook(context.Background(), tt.identity, tt.req)
require.ErrorIs(t, err, tt.expectedErr)
})
}
}
AuthN: Extract enable disabled users logic to its own hook (#63628)
2 years ago
func TestUserSync_EnableDisabledUserHook(t *testing.T) {
type testCase struct {
desc string
identity *authn.Identity
enableUser bool
}
tests := []testCase{
{
desc: "should skip if correct flag is not set",
identity: &authn.Identity{
Identity: Remove typed id (#91801) * Refactor identity struct to store type in separate field * Update ResolveIdentity to take string representation of typedID * Add IsIdentityType to requester interface * Use IsIdentityType from interface * Remove usage of TypedID * Remote typedID struct * fix GetInternalID
11 months ago
ID: "1",
Type: claims.TypeUser,
AuthN: Extract enable disabled users logic to its own hook (#63628)
2 years ago
IsDisabled: true,
AuthN: Change EnableDisabledUserHook to EnableUserHook (#75248) * Replace the enable disable user hook by a hook that systematically enable users * Fix tests * Remove the skip test
2 years ago
ClientParams: authn.ClientParams{EnableUser: false},
AuthN: Extract enable disabled users logic to its own hook (#63628)
2 years ago
},
enableUser: false,
},
{
desc: "should skip if identity is not a user",
identity: &authn.Identity{
Identity: Remove typed id (#91801) * Refactor identity struct to store type in separate field * Update ResolveIdentity to take string representation of typedID * Add IsIdentityType to requester interface * Use IsIdentityType from interface * Remove usage of TypedID * Remote typedID struct * fix GetInternalID
11 months ago
ID: "1",
Type: claims.TypeAPIKey,
AuthN: Extract enable disabled users logic to its own hook (#63628)
2 years ago
IsDisabled: true,
AuthN: Change EnableDisabledUserHook to EnableUserHook (#75248) * Replace the enable disable user hook by a hook that systematically enable users * Fix tests * Remove the skip test
2 years ago
ClientParams: authn.ClientParams{EnableUser: true},
AuthN: Extract enable disabled users logic to its own hook (#63628)
2 years ago
},
enableUser: false,
},
{
desc: "should enabled disabled user",
identity: &authn.Identity{
Identity: Remove typed id (#91801) * Refactor identity struct to store type in separate field * Update ResolveIdentity to take string representation of typedID * Add IsIdentityType to requester interface * Use IsIdentityType from interface * Remove usage of TypedID * Remote typedID struct * fix GetInternalID
11 months ago
ID: "1",
Type: claims.TypeUser,
AuthN: Extract enable disabled users logic to its own hook (#63628)
2 years ago
IsDisabled: true,
AuthN: Change EnableDisabledUserHook to EnableUserHook (#75248) * Replace the enable disable user hook by a hook that systematically enable users * Fix tests * Remove the skip test
2 years ago
ClientParams: authn.ClientParams{EnableUser: true},
AuthN: Extract enable disabled users logic to its own hook (#63628)
2 years ago
},
enableUser: true,
},
}
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
userSvc := usertest.NewUserServiceFake()
called := false
User: Clean up update functions (#86341) * User: remove unused function * User: Remove UpdatePermissions and support IsGrafanaAdmin flag in Update function instead * User: Remove Disable function and use Update instead
1 year ago
userSvc.UpdateFn = func(ctx context.Context, cmd *user.UpdateUserCommand) error {
AuthN: Extract enable disabled users logic to its own hook (#63628)
2 years ago
called = true
return nil
}
Add auth spans and remove deduplication code for scopes (#89804) Adds more spans for timing in accesscontrol and remove permission deduplicating code after benchmarking --------- Signed-off-by: Dave Henderson <dave.henderson@grafana.com> Co-authored-by: Dave Henderson <dave.henderson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
1 year ago
s := UserSync{userService: userSvc, tracer: tracing.InitializeTracerForTest()}
AuthN: Change EnableDisabledUserHook to EnableUserHook (#75248) * Replace the enable disable user hook by a hook that systematically enable users * Fix tests * Remove the skip test
2 years ago
err := s.EnableUserHook(context.Background(), tt.identity, nil)
AuthN: Extract enable disabled users logic to its own hook (#63628)
2 years ago
require.NoError(t, err)
assert.Equal(t, tt.enableUser, called)
})
}
}
SCIM: Add access control for non provisioned users (#103596) * Add hook to validate access for users based on provisioning logic * Wire the hook * Add tests * declare new variables for errors * rework the authorization flow for provisioned users * Add scim feature to testinfra opts * Grant access if the identity doesn't have associated a user * skip external uid check for subsequent calls * Update tests
3 months ago
func initUserSyncService() *UserSync {
userSvc := usertest.NewUserServiceFake()
log := log.New("test")
authInfoSvc := &authinfotest.FakeService{
ExpectedUserAuth: &login.UserAuth{
UserId: 1,
AuthModule: login.SAMLAuthModule,
AuthId: "1",
},
}
quotaSvc := &quotatest.FakeQuotaService{}
return &UserSync{
userService: userSvc,
authInfoService: authInfoSvc,
quotaService: quotaSvc,
tracer: tracing.InitializeTracerForTest(),
log: log,
}
}
func TestUserSync_ValidateUserProvisioningHook(t *testing.T) {
type testCase struct {
desc string
identity *authn.Identity
userSyncServiceSetup func() *UserSync
expectedErr error
}
tests := []testCase{
[release-12.0.2] SCIM: Change SCIM hook registration (#106255) SCIM: Change SCIM hook registration (#106200) * Add function to skip provisioning hook * Rework provisioning hook to PostLoginHook * Revert back to PostAuthHook and remove unused tests * Fix tests (cherry picked from commit 374bd5bec7244866c6447f8355a12de03ca75e65) Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
4 weeks ago
{
desc: "it should skip validation if the user identity is not syncying a user",
userSyncServiceSetup: func() *UserSync {
userSyncService := initUserSyncService()
userSyncService.isUserProvisioningEnabled = true
return userSyncService
},
identity: &authn.Identity{
ID: "1",
Type: claims.TypeAPIKey,
ClientParams: authn.ClientParams{
SyncUser: false,
},
},
},
SCIM: Add access control for non provisioned users (#103596) * Add hook to validate access for users based on provisioning logic * Wire the hook * Add tests * declare new variables for errors * rework the authorization flow for provisioned users * Add scim feature to testinfra opts * Grant access if the identity doesn't have associated a user * skip external uid check for subsequent calls * Update tests
3 months ago
{
desc: "it should skip validation if the user provisioning is disabled",
userSyncServiceSetup: func() *UserSync {
userSyncService := initUserSyncService()
userSyncService.isUserProvisioningEnabled = false
return userSyncService
},
identity: &authn.Identity{
AuthenticatedBy: login.GenericOAuthModule,
AuthID: "1",
[release-12.0.2] SCIM: Change SCIM hook registration (#106255) SCIM: Change SCIM hook registration (#106200) * Add function to skip provisioning hook * Rework provisioning hook to PostLoginHook * Revert back to PostAuthHook and remove unused tests * Fix tests (cherry picked from commit 374bd5bec7244866c6447f8355a12de03ca75e65) Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
4 weeks ago
ClientParams: authn.ClientParams{
SyncUser: true,
},
SCIM: Add access control for non provisioned users (#103596) * Add hook to validate access for users based on provisioning logic * Wire the hook * Add tests * declare new variables for errors * rework the authorization flow for provisioned users * Add scim feature to testinfra opts * Grant access if the identity doesn't have associated a user * skip external uid check for subsequent calls * Update tests
3 months ago
},
},
{
desc: "it should skip validation if allowedNonProvisionedUsers is enabled",
userSyncServiceSetup: func() *UserSync {
userSyncService := initUserSyncService()
userSyncService.allowNonProvisionedUsers = true
userSyncService.isUserProvisioningEnabled = true
return userSyncService
},
identity: &authn.Identity{
AuthenticatedBy: login.GenericOAuthModule,
AuthID: "1",
[release-12.0.2] SCIM: Change SCIM hook registration (#106255) SCIM: Change SCIM hook registration (#106200) * Add function to skip provisioning hook * Rework provisioning hook to PostLoginHook * Revert back to PostAuthHook and remove unused tests * Fix tests (cherry picked from commit 374bd5bec7244866c6447f8355a12de03ca75e65) Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
4 weeks ago
ClientParams: authn.ClientParams{
SyncUser: true,
},
SCIM: Add access control for non provisioned users (#103596) * Add hook to validate access for users based on provisioning logic * Wire the hook * Add tests * declare new variables for errors * rework the authorization flow for provisioned users * Add scim feature to testinfra opts * Grant access if the identity doesn't have associated a user * skip external uid check for subsequent calls * Update tests
3 months ago
},
},
{
desc: "it should skip validation if the user is authenticated via GrafanaComAuthModule",
userSyncServiceSetup: func() *UserSync {
userSyncService := initUserSyncService()
userSyncService.allowNonProvisionedUsers = false
userSyncService.isUserProvisioningEnabled = true
return userSyncService
},
identity: &authn.Identity{
AuthenticatedBy: login.GrafanaComAuthModule,
AuthID: "1",
[release-12.0.2] SCIM: Change SCIM hook registration (#106255) SCIM: Change SCIM hook registration (#106200) * Add function to skip provisioning hook * Rework provisioning hook to PostLoginHook * Revert back to PostAuthHook and remove unused tests * Fix tests (cherry picked from commit 374bd5bec7244866c6447f8355a12de03ca75e65) Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
4 weeks ago
ClientParams: authn.ClientParams{
SyncUser: true,
},
SCIM: Add access control for non provisioned users (#103596) * Add hook to validate access for users based on provisioning logic * Wire the hook * Add tests * declare new variables for errors * rework the authorization flow for provisioned users * Add scim feature to testinfra opts * Grant access if the identity doesn't have associated a user * skip external uid check for subsequent calls * Update tests
3 months ago
},
},
{
desc: "it should fail to validate the identity with the provisioned user, unexpected error",
userSyncServiceSetup: func() *UserSync {
userSyncService := initUserSyncService()
userSyncService.allowNonProvisionedUsers = false
userSyncService.isUserProvisioningEnabled = true
userSyncService.userService = &usertest.FakeUserService{
ExpectedError: errors.New("random error"),
}
return userSyncService
},
identity: &authn.Identity{
AuthenticatedBy: login.SAMLAuthModule,
AuthID: "1",
ExternalUID: "random-external-uid",
[release-12.0.2] SCIM: Change SCIM hook registration (#106255) SCIM: Change SCIM hook registration (#106200) * Add function to skip provisioning hook * Rework provisioning hook to PostLoginHook * Revert back to PostAuthHook and remove unused tests * Fix tests (cherry picked from commit 374bd5bec7244866c6447f8355a12de03ca75e65) Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
4 weeks ago
ClientParams: authn.ClientParams{
SyncUser: true,
},
SCIM: Add access control for non provisioned users (#103596) * Add hook to validate access for users based on provisioning logic * Wire the hook * Add tests * declare new variables for errors * rework the authorization flow for provisioned users * Add scim feature to testinfra opts * Grant access if the identity doesn't have associated a user * skip external uid check for subsequent calls * Update tests
3 months ago
},
expectedErr: errUnableToRetrieveUserOrAuthInfo.Errorf("unable to retrieve user or authInfo for validation"),
},
{
desc: "it should fail to validate the identity with the provisioned user, no user found",
userSyncServiceSetup: func() *UserSync {
userSyncService := initUserSyncService()
userSyncService.allowNonProvisionedUsers = false
userSyncService.isUserProvisioningEnabled = true
userSyncService.userService = &usertest.FakeUserService{}
return userSyncService
},
identity: &authn.Identity{
AuthenticatedBy: login.SAMLAuthModule,
AuthID: "1",
ExternalUID: "random-external-uid",
[release-12.0.2] SCIM: Change SCIM hook registration (#106255) SCIM: Change SCIM hook registration (#106200) * Add function to skip provisioning hook * Rework provisioning hook to PostLoginHook * Revert back to PostAuthHook and remove unused tests * Fix tests (cherry picked from commit 374bd5bec7244866c6447f8355a12de03ca75e65) Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
4 weeks ago
ClientParams: authn.ClientParams{
SyncUser: true,
},
SCIM: Add access control for non provisioned users (#103596) * Add hook to validate access for users based on provisioning logic * Wire the hook * Add tests * declare new variables for errors * rework the authorization flow for provisioned users * Add scim feature to testinfra opts * Grant access if the identity doesn't have associated a user * skip external uid check for subsequent calls * Update tests
3 months ago
},
expectedErr: errUnableToRetrieveUser.Errorf("unable to retrieve user for validation"),
},
{
desc: "it should fail to validate the provisioned user.ExternalUID with the identity.ExternalUID - empty ExternalUID",
userSyncServiceSetup: func() *UserSync {
userSyncService := initUserSyncService()
userSyncService.allowNonProvisionedUsers = false
userSyncService.isUserProvisioningEnabled = true
userSyncService.userService = &usertest.FakeUserService{
ExpectedUser: &user.User{
ID: 1,
IsProvisioned: true,
},
}
userSyncService.authInfoService = &authinfotest.FakeService{
ExpectedUserAuth: &login.UserAuth{
UserId: 1,
AuthModule: login.SAMLAuthModule,
AuthId: "1",
},
}
return userSyncService
},
identity: &authn.Identity{
AuthenticatedBy: login.SAMLAuthModule,
AuthID: "1",
ExternalUID: "random-external-uid",
[release-12.0.2] SCIM: Change SCIM hook registration (#106255) SCIM: Change SCIM hook registration (#106200) * Add function to skip provisioning hook * Rework provisioning hook to PostLoginHook * Revert back to PostAuthHook and remove unused tests * Fix tests (cherry picked from commit 374bd5bec7244866c6447f8355a12de03ca75e65) Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
4 weeks ago
ClientParams: authn.ClientParams{
SyncUser: true,
},
SCIM: Add access control for non provisioned users (#103596) * Add hook to validate access for users based on provisioning logic * Wire the hook * Add tests * declare new variables for errors * rework the authorization flow for provisioned users * Add scim feature to testinfra opts * Grant access if the identity doesn't have associated a user * skip external uid check for subsequent calls * Update tests
3 months ago
},
expectedErr: errUserExternalUIDMismatch.Errorf("the provisioned user.ExternalUID does not match the authinfo.ExternalUID"),
},
{
desc: "it should fail to validate the provisioned user.ExternalUID with the identity.ExternalUID - different ExternalUID",
userSyncServiceSetup: func() *UserSync {
userSyncService := initUserSyncService()
userSyncService.allowNonProvisionedUsers = false
userSyncService.isUserProvisioningEnabled = true
userSyncService.userService = &usertest.FakeUserService{
ExpectedUser: &user.User{
ID: 1,
IsProvisioned: true,
},
}
userSyncService.authInfoService = &authinfotest.FakeService{
ExpectedUserAuth: &login.UserAuth{
UserId: 1,
AuthModule: login.SAMLAuthModule,
AuthId: "1",
ExternalUID: "different-external-uid",
},
}
return userSyncService
},
identity: &authn.Identity{
AuthenticatedBy: login.SAMLAuthModule,
AuthID: "1",
ExternalUID: "random-external-uid",
[release-12.0.2] SCIM: Change SCIM hook registration (#106255) SCIM: Change SCIM hook registration (#106200) * Add function to skip provisioning hook * Rework provisioning hook to PostLoginHook * Revert back to PostAuthHook and remove unused tests * Fix tests (cherry picked from commit 374bd5bec7244866c6447f8355a12de03ca75e65) Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
4 weeks ago
ClientParams: authn.ClientParams{
SyncUser: true,
},
SCIM: Add access control for non provisioned users (#103596) * Add hook to validate access for users based on provisioning logic * Wire the hook * Add tests * declare new variables for errors * rework the authorization flow for provisioned users * Add scim feature to testinfra opts * Grant access if the identity doesn't have associated a user * skip external uid check for subsequent calls * Update tests
3 months ago
},
expectedErr: errUserExternalUIDMismatch.Errorf("the provisioned user.ExternalUID does not match the authinfo.ExternalUID"),
},
{
desc: "it should successfully validate the provisioned user.ExternalUID with the identity.ExternalUID",
userSyncServiceSetup: func() *UserSync {
userSyncService := initUserSyncService()
userSyncService.allowNonProvisionedUsers = false
userSyncService.isUserProvisioningEnabled = true
userSyncService.userService = &usertest.FakeUserService{
ExpectedUser: &user.User{
ID: 1,
IsProvisioned: true,
},
}
userSyncService.authInfoService = &authinfotest.FakeService{
ExpectedUserAuth: &login.UserAuth{
UserId: 1,
AuthModule: login.SAMLAuthModule,
AuthId: "1",
ExternalUID: "random-external-uid",
},
}
return userSyncService
},
identity: &authn.Identity{
AuthenticatedBy: login.SAMLAuthModule,
AuthID: "1",
ExternalUID: "random-external-uid",
[release-12.0.2] SCIM: Change SCIM hook registration (#106255) SCIM: Change SCIM hook registration (#106200) * Add function to skip provisioning hook * Rework provisioning hook to PostLoginHook * Revert back to PostAuthHook and remove unused tests * Fix tests (cherry picked from commit 374bd5bec7244866c6447f8355a12de03ca75e65) Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
4 weeks ago
ClientParams: authn.ClientParams{
SyncUser: true,
},
SCIM: Add access control for non provisioned users (#103596) * Add hook to validate access for users based on provisioning logic * Wire the hook * Add tests * declare new variables for errors * rework the authorization flow for provisioned users * Add scim feature to testinfra opts * Grant access if the identity doesn't have associated a user * skip external uid check for subsequent calls * Update tests
3 months ago
},
},
{
desc: "it should failed to validate a non provisioned user when retrieved from the database",
userSyncServiceSetup: func() *UserSync {
userSyncService := initUserSyncService()
userSyncService.allowNonProvisionedUsers = false
userSyncService.isUserProvisioningEnabled = true
userSyncService.userService = &usertest.FakeUserService{
ExpectedUser: &user.User{
ID: 1,
IsProvisioned: false,
},
}
userSyncService.authInfoService = &authinfotest.FakeService{
ExpectedUserAuth: &login.UserAuth{
UserId: 1,
AuthModule: login.SAMLAuthModule,
AuthId: "1",
ExternalUID: "random-external-uid",
},
}
return userSyncService
},
identity: &authn.Identity{
AuthenticatedBy: login.SAMLAuthModule,
AuthID: "1",
ExternalUID: "random-external-uid",
[release-12.0.2] SCIM: Change SCIM hook registration (#106255) SCIM: Change SCIM hook registration (#106200) * Add function to skip provisioning hook * Rework provisioning hook to PostLoginHook * Revert back to PostAuthHook and remove unused tests * Fix tests (cherry picked from commit 374bd5bec7244866c6447f8355a12de03ca75e65) Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
4 weeks ago
ClientParams: authn.ClientParams{
SyncUser: true,
},
SCIM: Add access control for non provisioned users (#103596) * Add hook to validate access for users based on provisioning logic * Wire the hook * Add tests * declare new variables for errors * rework the authorization flow for provisioned users * Add scim feature to testinfra opts * Grant access if the identity doesn't have associated a user * skip external uid check for subsequent calls * Update tests
3 months ago
},
expectedErr: errUserNotProvisioned.Errorf("user is not provisioned"),
},
Backport 105046 to 12.0.1 (#105337)
2 months ago
{
desc: "ValidateProvisioning: DB ExternalUID is empty, Incoming ExternalUID is empty - expect mismatch (stricter logic)",
userSyncServiceSetup: func() *UserSync {
userSyncService := initUserSyncService()
userSyncService.isUserProvisioningEnabled = true
userSyncService.userService = &usertest.FakeUserService{ExpectedUser: &user.User{ID: 1, IsProvisioned: true}}
userSyncService.authInfoService = &authinfotest.FakeService{ExpectedUserAuth: &login.UserAuth{UserId: 1, AuthModule: login.SAMLAuthModule, ExternalUID: ""}}
return userSyncService
},
[release-12.0.2] SCIM: Change SCIM hook registration (#106255) SCIM: Change SCIM hook registration (#106200) * Add function to skip provisioning hook * Rework provisioning hook to PostLoginHook * Revert back to PostAuthHook and remove unused tests * Fix tests (cherry picked from commit 374bd5bec7244866c6447f8355a12de03ca75e65) Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
4 weeks ago
identity: &authn.Identity{
AuthenticatedBy: login.SAMLAuthModule,
AuthID: "1",
ClientParams: authn.ClientParams{
SyncUser: true,
},
ExternalUID: "",
Backport 105046 to 12.0.1 (#105337)
2 months ago
},
expectedErr: errUserExternalUIDMismatch,
},
{
desc: "ValidateProvisioning: DB ExternalUID is empty, Incoming ExternalUID non-empty - expect mismatch (stricter logic)",
userSyncServiceSetup: func() *UserSync {
userSyncService := initUserSyncService()
userSyncService.isUserProvisioningEnabled = true
userSyncService.userService = &usertest.FakeUserService{ExpectedUser: &user.User{ID: 1, IsProvisioned: true}}
userSyncService.authInfoService = &authinfotest.FakeService{ExpectedUserAuth: &login.UserAuth{UserId: 1, AuthModule: login.SAMLAuthModule, ExternalUID: ""}}
return userSyncService
},
[release-12.0.2] SCIM: Change SCIM hook registration (#106255) SCIM: Change SCIM hook registration (#106200) * Add function to skip provisioning hook * Rework provisioning hook to PostLoginHook * Revert back to PostAuthHook and remove unused tests * Fix tests (cherry picked from commit 374bd5bec7244866c6447f8355a12de03ca75e65) Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
4 weeks ago
identity: &authn.Identity{
AuthenticatedBy: login.SAMLAuthModule,
AuthID: "1",
ClientParams: authn.ClientParams{
SyncUser: true,
},
ExternalUID: "valid-uid",
},
Backport 105046 to 12.0.1 (#105337)
2 months ago
expectedErr: errUserExternalUIDMismatch,
},
{
desc: "ValidateProvisioning: DB and Incoming ExternalUIDs non-empty and mismatch - expect mismatch",
userSyncServiceSetup: func() *UserSync {
userSyncService := initUserSyncService()
userSyncService.isUserProvisioningEnabled = true
userSyncService.userService = &usertest.FakeUserService{ExpectedUser: &user.User{ID: 1, IsProvisioned: true}}
userSyncService.authInfoService = &authinfotest.FakeService{ExpectedUserAuth: &login.UserAuth{UserId: 1, AuthModule: login.SAMLAuthModule, ExternalUID: "db-uid"}}
return userSyncService
},
[release-12.0.2] SCIM: Change SCIM hook registration (#106255) SCIM: Change SCIM hook registration (#106200) * Add function to skip provisioning hook * Rework provisioning hook to PostLoginHook * Revert back to PostAuthHook and remove unused tests * Fix tests (cherry picked from commit 374bd5bec7244866c6447f8355a12de03ca75e65) Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
4 weeks ago
identity: &authn.Identity{
AuthenticatedBy: login.SAMLAuthModule,
AuthID: "1",
ClientParams: authn.ClientParams{
SyncUser: true,
},
ExternalUID: "incoming-uid",
},
Backport 105046 to 12.0.1 (#105337)
2 months ago
expectedErr: errUserExternalUIDMismatch,
},
{
desc: "it should skip ExternalUID validation for a SAML-provisioned user accessed by a non-SAML method with an empty incoming ExternalUID",
userSyncServiceSetup: func() *UserSync {
userSyncService := initUserSyncService()
userSyncService.allowNonProvisionedUsers = false
userSyncService.isUserProvisioningEnabled = true
userSyncService.userService = &usertest.FakeUserService{
ExpectedUser: &user.User{
ID: 1,
IsProvisioned: true,
},
}
userSyncService.authInfoService = &authinfotest.FakeService{
ExpectedUserAuth: &login.UserAuth{
UserId: 1,
AuthModule: login.SAMLAuthModule,
AuthId: "1",
ExternalUID: "saml-originated-uid",
},
}
return userSyncService
},
identity: &authn.Identity{
AuthenticatedBy: login.GenericOAuthModule,
SCIM: Add access control for non provisioned users (#103596) * Add hook to validate access for users based on provisioning logic * Wire the hook * Add tests * declare new variables for errors * rework the authorization flow for provisioned users * Add scim feature to testinfra opts * Grant access if the identity doesn't have associated a user * skip external uid check for subsequent calls * Update tests
3 months ago
AuthID: "1",
ExternalUID: "",
},
expectedErr: nil,
},
Backport 105046 to 12.0.1 (#105337)
2 months ago
{
desc: "it should fail validation when a provisioned user is accessed by SAML with an empty incoming ExternalUID",
userSyncServiceSetup: func() *UserSync {
userSyncService := initUserSyncService()
userSyncService.allowNonProvisionedUsers = false
userSyncService.isUserProvisioningEnabled = true
userSyncService.userService = &usertest.FakeUserService{
ExpectedUser: &user.User{
ID: 1,
IsProvisioned: true,
},
}
userSyncService.authInfoService = &authinfotest.FakeService{
ExpectedUserAuth: &login.UserAuth{
UserId: 1,
AuthModule: login.SAMLAuthModule,
AuthId: "1",
ExternalUID: "saml-originated-uid",
},
}
return userSyncService
},
identity: &authn.Identity{
AuthenticatedBy: login.SAMLAuthModule,
AuthID: "1",
ExternalUID: "",
[release-12.0.2] SCIM: Change SCIM hook registration (#106255) SCIM: Change SCIM hook registration (#106200) * Add function to skip provisioning hook * Rework provisioning hook to PostLoginHook * Revert back to PostAuthHook and remove unused tests * Fix tests (cherry picked from commit 374bd5bec7244866c6447f8355a12de03ca75e65) Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
4 weeks ago
ClientParams: authn.ClientParams{
SyncUser: true,
},
Backport 105046 to 12.0.1 (#105337)
2 months ago
},
expectedErr: errUserExternalUIDMismatch.Errorf("the provisioned user.ExternalUID does not match the authinfo.ExternalUID"),
},
SCIM: Add access control for non provisioned users (#103596) * Add hook to validate access for users based on provisioning logic * Wire the hook * Add tests * declare new variables for errors * rework the authorization flow for provisioned users * Add scim feature to testinfra opts * Grant access if the identity doesn't have associated a user * skip external uid check for subsequent calls * Update tests
3 months ago
}
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
userSyncService := tt.userSyncServiceSetup()
err := userSyncService.ValidateUserProvisioningHook(context.Background(), tt.identity, nil)
require.ErrorIs(t, err, tt.expectedErr)
})
}
}