apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
38517 Commits
2186 Branches
608 Tags
1.9 GiB
Tag: Branch: Tree: d2a70bc42d
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'd2a70bc42d'
${ noResults }
grafana/pkg/services/sqlstore/permissions/dashboard_test.go

149 lines
4.5 KiB
Raw Normal View History Unescape

Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
package permissions
import (
"fmt"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/dashboards"
"github.com/grafana/grafana/pkg/services/sqlstore/searchstore"
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
3 years ago
"github.com/grafana/grafana/pkg/services/user"
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
"github.com/grafana/grafana/pkg/util"
)
func TestNewAccessControlDashboardPermissionFilter(t *testing.T) {
randomType := "random_" + util.GenerateShortUID()
testCases := []struct {
permission models.PermissionType
queryType string
expectedDashboardActions []string
expectedFolderActions []string
}{
{
queryType: searchstore.TypeAlertFolder,
permission: models.PERMISSION_ADMIN,
expectedDashboardActions: nil,
expectedFolderActions: []string{
dashboards.ActionFoldersRead,
accesscontrol.ActionAlertingRuleRead,
Alerting: handle folder permissions when fine-grained access enabled (#47035) * Use alert:create action for folder search with edit permissions. This matches the action that is used to query dashboards (the update will be addressed later) * Update rule store to use FindDashboards instead of folder service to list folders the user has access to view alerts. Folder service does not support query type and additional filters. * Do not check whether the user can save to folder if FGAC is enabled because it is checked on API level.
3 years ago
accesscontrol.ActionAlertingRuleCreate,
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
},
},
{
queryType: searchstore.TypeAlertFolder,
permission: models.PERMISSION_EDIT,
expectedDashboardActions: nil,
expectedFolderActions: []string{
dashboards.ActionFoldersRead,
accesscontrol.ActionAlertingRuleRead,
Alerting: handle folder permissions when fine-grained access enabled (#47035) * Use alert:create action for folder search with edit permissions. This matches the action that is used to query dashboards (the update will be addressed later) * Update rule store to use FindDashboards instead of folder service to list folders the user has access to view alerts. Folder service does not support query type and additional filters. * Do not check whether the user can save to folder if FGAC is enabled because it is checked on API level.
3 years ago
accesscontrol.ActionAlertingRuleCreate,
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
},
},
{
queryType: searchstore.TypeAlertFolder,
permission: models.PERMISSION_VIEW,
expectedDashboardActions: nil,
expectedFolderActions: []string{
dashboards.ActionFoldersRead,
accesscontrol.ActionAlertingRuleRead,
},
},
{
queryType: randomType,
permission: models.PERMISSION_ADMIN,
expectedDashboardActions: []string{
Access Control: Move dashboard actions and create scope provider (#48618) * Move dashboard actions and create scope provider
3 years ago
dashboards.ActionDashboardsRead,
dashboards.ActionDashboardsWrite,
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
},
expectedFolderActions: []string{
dashboards.ActionFoldersRead,
Access Control: Move dashboard actions and create scope provider (#48618) * Move dashboard actions and create scope provider
3 years ago
dashboards.ActionDashboardsCreate,
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
},
},
{
queryType: randomType,
permission: models.PERMISSION_EDIT,
expectedDashboardActions: []string{
Access Control: Move dashboard actions and create scope provider (#48618) * Move dashboard actions and create scope provider
3 years ago
dashboards.ActionDashboardsRead,
dashboards.ActionDashboardsWrite,
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
},
expectedFolderActions: []string{
dashboards.ActionFoldersRead,
Access Control: Move dashboard actions and create scope provider (#48618) * Move dashboard actions and create scope provider
3 years ago
dashboards.ActionDashboardsCreate,
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
},
},
{
queryType: randomType,
permission: models.PERMISSION_VIEW,
expectedDashboardActions: []string{
Access Control: Move dashboard actions and create scope provider (#48618) * Move dashboard actions and create scope provider
3 years ago
dashboards.ActionDashboardsRead,
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
},
expectedFolderActions: []string{
dashboards.ActionFoldersRead,
},
},
}
for _, testCase := range testCases {
t.Run(fmt.Sprintf("query type %s, permissions %s", testCase.queryType, testCase.permission), func(t *testing.T) {
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
3 years ago
filters := NewAccessControlDashboardPermissionFilter(&user.SignedInUser{}, testCase.permission, testCase.queryType)
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
require.Equal(t, testCase.expectedDashboardActions, filters.dashboardActions)
require.Equal(t, testCase.expectedFolderActions, filters.folderActions)
})
}
}
func TestAccessControlDashboardPermissionFilter_Where(t *testing.T) {
testCases := []struct {
title string
dashboardActions []string
folderActions []string
expectedResult string
}{
{
title: "folder and dashboard actions are defined",
dashboardActions: []string{"test"},
folderActions: []string{"test"},
Access control: use uid for dashboard and folder scopes (#46807) * use uid:s for folder and dashboard permissions * evaluate folder and dashboard permissions based on uids * add dashboard.uid to accept list * Check for exact suffix * Check parent folder on create * update test * drop dashboard:create actions with dashboard scope * fix typo * AccessControl: test id 0 scope conversion * AccessControl: store only parent folder UID * AccessControl: extract general as a constant * FolderServices: Prevent creation of a folder uid'd general * FolderServices: Test folder creation prevention * Update pkg/services/guardian/accesscontrol_guardian.go * FolderServices: fix mock call expect * FolderServices: remove uneeded mocks Co-authored-by: jguer <joao.guerreiro@grafana.com>
3 years ago
expectedResult: "((( 1 = 0 OR dashboard.folder_id IN(SELECT id FROM dashboard WHERE 1 = 0)) AND NOT dashboard.is_folder) OR ( 1 = 0 AND dashboard.is_folder))",
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
},
{
title: "folder actions are defined but not dashboard actions",
dashboardActions: nil,
folderActions: []string{"test"},
expectedResult: "(( 1 = 0 AND dashboard.is_folder))",
},
{
title: "dashboard actions are defined but not folder actions",
dashboardActions: []string{"test"},
folderActions: nil,
Access control: use uid for dashboard and folder scopes (#46807) * use uid:s for folder and dashboard permissions * evaluate folder and dashboard permissions based on uids * add dashboard.uid to accept list * Check for exact suffix * Check parent folder on create * update test * drop dashboard:create actions with dashboard scope * fix typo * AccessControl: test id 0 scope conversion * AccessControl: store only parent folder UID * AccessControl: extract general as a constant * FolderServices: Prevent creation of a folder uid'd general * FolderServices: Test folder creation prevention * Update pkg/services/guardian/accesscontrol_guardian.go * FolderServices: fix mock call expect * FolderServices: remove uneeded mocks Co-authored-by: jguer <joao.guerreiro@grafana.com>
3 years ago
expectedResult: "((( 1 = 0 OR dashboard.folder_id IN(SELECT id FROM dashboard WHERE 1 = 0)) AND NOT dashboard.is_folder))",
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
},
{
title: "dashboard actions are defined but not folder actions",
dashboardActions: nil,
folderActions: nil,
expectedResult: "()",
},
}
for _, testCase := range testCases {
t.Run(testCase.title, func(t *testing.T) {
filter := AccessControlDashboardPermissionFilter{
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
3 years ago
User: &user.SignedInUser{Permissions: map[int64]map[string][]string{}},
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules
3 years ago
dashboardActions: testCase.dashboardActions,
folderActions: testCase.folderActions,
}
query, args := filter.Where()
assert.Empty(t, args)
assert.Equal(t, testCase.expectedResult, query)
})
}
}