apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683)

Browse Source 
* Return slice of permissions instead of slice of pointers for permissions
pull/47504/head^2
Karl Persson 4 years ago committed by GitHub
parent 5aab95885f
commit 44ffbfd6aa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
29 changed files with 311 additions and 315 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 14
      pkg/api/admin_provisioning_test.go
  2. 16
      pkg/api/admin_test.go
  3. 70
      pkg/api/annotations_test.go
  4. 8
      pkg/api/common_test.go
  5. 44
      pkg/api/datasources_test.go
  6. 16
      pkg/api/ldap_debug_test.go
  7. 56
      pkg/api/org_test.go
  8. 4
      pkg/api/org_users_test.go
  9. 12
      pkg/api/preferences_test.go
  10. 18
      pkg/api/quota_test.go
  11. 4
      pkg/api/search_test.go
  12. 24
      pkg/api/team_members_test.go
  13. 32
      pkg/api/team_test.go
  14. 8
      pkg/services/accesscontrol/accesscontrol.go
  15. 4
      pkg/services/accesscontrol/database/database.go
  16. 6
      pkg/services/accesscontrol/filter_bench_test.go
  17. 4
      pkg/services/accesscontrol/middleware_test.go
  18. 10
      pkg/services/accesscontrol/mock/mock.go
  19. 18
      pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go
  20. 10
      pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol_test.go
  21. 44
      pkg/services/accesscontrol/resourcepermissions/api_test.go
  22. 10
      pkg/services/accesscontrol/resourcepermissions/service_test.go
  23. 78
      pkg/services/guardian/accesscontrol_guardian_test.go
  24. 4
      pkg/services/ngalert/api/api_alertmanager_test.go
  25. 6
      pkg/services/ngalert/api/api_ruler_test.go
  26. 8
      pkg/services/ngalert/api/api_testing_test.go
  27. 56
      pkg/services/serviceaccounts/api/api_test.go
  28. 40
      pkg/services/serviceaccounts/api/token_test.go
  29. 2
      pkg/services/serviceaccounts/tests/common.go

14
pkg/api/admin_provisioning_test.go
Unescape View File

@ -17,7 +17,7 @@ type reloadProvisioningTestCase struct {
url string
expectedCode int
expectedBody string
permissions []*accesscontrol.Permission
permissions []accesscontrol.Permission
exit bool
checkCall func(mock provisioning.ProvisioningServiceMock)
}
@ -28,7 +28,7 @@ func TestAPI_AdminProvisioningReload_AccessControl(t *testing.T) {
desc: "should work for dashboards with specific scope",
expectedCode: http.StatusOK,
expectedBody: `{"message":"Dashboards config reloaded"}`,
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: ActionProvisioningReload,
Scope: ScopeProvisionersDashboards,
@ -43,7 +43,7 @@ func TestAPI_AdminProvisioningReload_AccessControl(t *testing.T) {
desc: "should work for dashboards with broader scope",
expectedCode: http.StatusOK,
expectedBody: `{"message":"Dashboards config reloaded"}`,
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: ActionProvisioningReload,
Scope: ScopeProvisionersAll,
@ -57,7 +57,7 @@ func TestAPI_AdminProvisioningReload_AccessControl(t *testing.T) {
{
desc: "should fail for dashboard with wrong scope",
expectedCode: http.StatusForbidden,
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: ActionProvisioningReload,
Scope: "services:noservice",
@ -76,7 +76,7 @@ func TestAPI_AdminProvisioningReload_AccessControl(t *testing.T) {
desc: "should work for notifications with specific scope",
expectedCode: http.StatusOK,
expectedBody: `{"message":"Notifications config reloaded"}`,
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: ActionProvisioningReload,
Scope: ScopeProvisionersNotifications,
@ -97,7 +97,7 @@ func TestAPI_AdminProvisioningReload_AccessControl(t *testing.T) {
desc: "should work for datasources with specific scope",
expectedCode: http.StatusOK,
expectedBody: `{"message":"Datasources config reloaded"}`,
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: ActionProvisioningReload,
Scope: ScopeProvisionersDatasources,
@ -118,7 +118,7 @@ func TestAPI_AdminProvisioningReload_AccessControl(t *testing.T) {
desc: "should work for plugins with specific scope",
expectedCode: http.StatusOK,
expectedBody: `{"message":"Plugins config reloaded"}`,
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: ActionProvisioningReload,
Scope: ScopeProvisionersPlugins,

16
pkg/api/admin_test.go
Unescape View File

@ -15,7 +15,7 @@ type getSettingsTestCase struct {
desc string
expectedCode int
expectedBody string
permissions []*accesscontrol.Permission
permissions []accesscontrol.Permission
}
func TestAPI_AdminGetSettings(t *testing.T) {
@ -24,7 +24,7 @@ func TestAPI_AdminGetSettings(t *testing.T) {
desc: "should return all settings",
expectedCode: http.StatusOK,
expectedBody: `{"auth.proxy":{"enable_login_token":"false","enabled":"false"},"auth.saml":{"allow_idp_initiated":"false","enabled":"true"}}`,
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: accesscontrol.ActionSettingsRead,
Scope: accesscontrol.ScopeSettingsAll,
@ -35,7 +35,7 @@ func TestAPI_AdminGetSettings(t *testing.T) {
desc: "should only return auth.saml settings",
expectedCode: http.StatusOK,
expectedBody: `{"auth.saml":{"allow_idp_initiated":"false","enabled":"true"}}`,
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: accesscontrol.ActionSettingsRead,
Scope: "settings:auth.saml:*",
@ -46,7 +46,7 @@ func TestAPI_AdminGetSettings(t *testing.T) {
desc: "should only partial properties from auth.saml and auth.proxy settings",
expectedCode: http.StatusOK,
expectedBody: `{"auth.proxy":{"enable_login_token":"false"},"auth.saml":{"enabled":"true"}}`,
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: accesscontrol.ActionSettingsRead,
Scope: "settings:auth.saml:enabled",
@ -101,7 +101,7 @@ func TestAdmin_AccessControl(t *testing.T) {
desc: "AdminGetStats should return 200 for user with correct permissions",
url: "/api/admin/stats",
method: http.MethodGet,
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: accesscontrol.ActionServerStatsRead,
},
@ -112,7 +112,7 @@ func TestAdmin_AccessControl(t *testing.T) {
desc: "AdminGetStats should return 403 for user without required permissions",
url: "/api/admin/stats",
method: http.MethodGet,
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: "wrong",
},
@ -123,7 +123,7 @@ func TestAdmin_AccessControl(t *testing.T) {
desc: "AdminGetSettings should return 200 for user with correct permissions",
url: "/api/admin/settings",
method: http.MethodGet,
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: accesscontrol.ActionSettingsRead,
},
@ -134,7 +134,7 @@ func TestAdmin_AccessControl(t *testing.T) {
desc: "AdminGetSettings should return 403 for user without required permissions",
url: "/api/admin/settings",
method: http.MethodGet,
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: "wrong",
},

70
pkg/api/annotations_test.go
Unescape View File

@ -501,7 +501,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
}
type args struct {
permissions []*accesscontrol.Permission
permissions []accesscontrol.Permission
url string
body io.Reader
method string
@ -515,7 +515,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl getting annotations with correct permissions is allowed",
args: args{
permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsRead, Scope: accesscontrol.ScopeAnnotationsAll}},
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsRead, Scope: accesscontrol.ScopeAnnotationsAll}},
url: "/api/annotations",
method: http.MethodGet,
},
@ -524,7 +524,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl getting annotations without permissions is forbidden",
args: args{
permissions: []*accesscontrol.Permission{},
permissions: []accesscontrol.Permission{},
url: "/api/annotations",
method: http.MethodGet,
},
@ -533,7 +533,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl getting annotation by ID with correct permissions is allowed",
args: args{
permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsRead, Scope: accesscontrol.ScopeAnnotationsAll}},
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsRead, Scope: accesscontrol.ScopeAnnotationsAll}},
url: "/api/annotations/1",
method: http.MethodGet,
},
@ -542,7 +542,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl getting annotation by ID without permissions is forbidden",
args: args{
permissions: []*accesscontrol.Permission{},
permissions: []accesscontrol.Permission{},
url: "/api/annotations",
method: http.MethodGet,
},
@ -551,7 +551,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl getting tags for annotations with correct permissions is allowed",
args: args{
permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsRead}},
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsRead}},
url: "/api/annotations/tags",
method: http.MethodGet,
},
@ -560,7 +560,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl getting tags for annotations without correct permissions is forbidden",
args: args{
permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsWrite}},
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsWrite}},
url: "/api/annotations/tags",
method: http.MethodGet,
},
@ -569,7 +569,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl update dashboard annotation with permissions is allowed",
args: args{
permissions: []*accesscontrol.Permission{{
permissions: []accesscontrol.Permission{{
Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsTypeDashboard,
}},
url: "/api/annotations/1",
@ -581,7 +581,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl update dashboard annotation without permissions is forbidden",
args: args{
permissions: []*accesscontrol.Permission{},
permissions: []accesscontrol.Permission{},
url: "/api/annotations/1",
method: http.MethodPut,
body: mockRequestBody(updateCmd),
@ -591,7 +591,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl update organization annotation with permissions is allowed",
args: args{
permissions: []*accesscontrol.Permission{{
permissions: []accesscontrol.Permission{{
Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsAll,
}},
url: "/api/annotations/2",
@ -603,7 +603,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl update organization annotation without permissions is forbidden",
args: args{
permissions: []*accesscontrol.Permission{{
permissions: []accesscontrol.Permission{{
Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsTypeDashboard,
}},
url: "/api/annotations/2",
@ -615,7 +615,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl patch dashboard annotation with permissions is allowed",
args: args{
permissions: []*accesscontrol.Permission{{
permissions: []accesscontrol.Permission{{
Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsTypeDashboard,
}},
url: "/api/annotations/1",
@ -627,7 +627,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl patch dashboard annotation without permissions is forbidden",
args: args{
permissions: []*accesscontrol.Permission{},
permissions: []accesscontrol.Permission{},
url: "/api/annotations/1",
method: http.MethodPatch,
body: mockRequestBody(patchCmd),
@ -637,7 +637,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl patch organization annotation with permissions is allowed",
args: args{
permissions: []*accesscontrol.Permission{{
permissions: []accesscontrol.Permission{{
Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsAll,
}},
url: "/api/annotations/2",
@ -649,7 +649,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl patch organization annotation without permissions is forbidden",
args: args{
permissions: []*accesscontrol.Permission{{
permissions: []accesscontrol.Permission{{
Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsTypeDashboard,
}},
url: "/api/annotations/2",
@ -661,7 +661,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl create dashboard annotation with permissions is allowed",
args: args{
permissions: []*accesscontrol.Permission{{
permissions: []accesscontrol.Permission{{
Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsTypeDashboard,
}},
url: "/api/annotations",
@ -673,7 +673,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl create dashboard annotation without permissions is forbidden",
args: args{
permissions: []*accesscontrol.Permission{},
permissions: []accesscontrol.Permission{},
url: "/api/annotations",
method: http.MethodPost,
body: mockRequestBody(postDashboardCmd),
@ -683,7 +683,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl create dashboard annotation with incorrect permissions is forbidden",
args: args{
permissions: []*accesscontrol.Permission{{
permissions: []accesscontrol.Permission{{
Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsTypeOrganization,
}},
url: "/api/annotations",
@ -695,7 +695,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl create organization annotation with permissions is allowed",
args: args{
permissions: []*accesscontrol.Permission{{
permissions: []accesscontrol.Permission{{
Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsAll,
}},
url: "/api/annotations",
@ -707,7 +707,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl create organization annotation without permissions is forbidden",
args: args{
permissions: []*accesscontrol.Permission{{
permissions: []accesscontrol.Permission{{
Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsTypeDashboard,
}},
url: "/api/annotations",
@ -719,7 +719,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl delete dashboard annotation with permissions is allowed",
args: args{
permissions: []*accesscontrol.Permission{{
permissions: []accesscontrol.Permission{{
Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard,
}},
url: "/api/annotations/1",
@ -730,7 +730,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl delete dashboard annotation without permissions is forbidden",
args: args{
permissions: []*accesscontrol.Permission{},
permissions: []accesscontrol.Permission{},
url: "/api/annotations/1",
method: http.MethodDelete,
},
@ -739,7 +739,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl delete organization annotation with permissions is allowed",
args: args{
permissions: []*accesscontrol.Permission{{
permissions: []accesscontrol.Permission{{
Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsAll,
}},
url: "/api/annotations/2",
@ -750,7 +750,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl delete organization annotation without permissions is forbidden",
args: args{
permissions: []*accesscontrol.Permission{{
permissions: []accesscontrol.Permission{{
Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard,
}},
url: "/api/annotations/2",
@ -761,7 +761,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl create graphite annotation with permissions is allowed",
args: args{
permissions: []*accesscontrol.Permission{{
permissions: []accesscontrol.Permission{{
Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsAll,
}},
url: "/api/annotations/graphite",
@ -773,7 +773,7 @@ func TestAPI_Annotations_AccessControl(t *testing.T) {
{
name: "AccessControl create organization annotation without permissions is forbidden",
args: args{
permissions: []*accesscontrol.Permission{{
permissions: []accesscontrol.Permission{{
Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsTypeDashboard,
}},
url: "/api/annotations/graphite",
@ -865,7 +865,7 @@ func TestAPI_MassDeleteAnnotations_AccessControl(t *testing.T) {
require.NoError(t, err)
type args struct {
permissions []*accesscontrol.Permission
permissions []accesscontrol.Permission
url string
body io.Reader
method string
@ -879,7 +879,7 @@ func TestAPI_MassDeleteAnnotations_AccessControl(t *testing.T) {
{
name: "Mass delete dashboard annotations without dashboardId is not allowed",
args: args{
permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
url: "/api/annotations/mass-delete",
method: http.MethodPost,
body: mockRequestBody(dtos.MassDeleteAnnotationsCmd{
@ -892,7 +892,7 @@ func TestAPI_MassDeleteAnnotations_AccessControl(t *testing.T) {
{
name: "Mass delete dashboard annotations without panelId is not allowed",
args: args{
permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
url: "/api/annotations/mass-delete",
method: http.MethodPost,
body: mockRequestBody(dtos.MassDeleteAnnotationsCmd{
@ -905,7 +905,7 @@ func TestAPI_MassDeleteAnnotations_AccessControl(t *testing.T) {
{
name: "AccessControl mass delete dashboard annotations with correct dashboardId and panelId as input is allowed",
args: args{
permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
url: "/api/annotations/mass-delete",
method: http.MethodPost,
body: mockRequestBody(dtos.MassDeleteAnnotationsCmd{
@ -918,7 +918,7 @@ func TestAPI_MassDeleteAnnotations_AccessControl(t *testing.T) {
{
name: "Mass delete organization annotations without input to delete all organization annotations is allowed",
args: args{
permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
url: "/api/annotations/mass-delete",
method: http.MethodPost,
body: mockRequestBody(dtos.MassDeleteAnnotationsCmd{
@ -931,7 +931,7 @@ func TestAPI_MassDeleteAnnotations_AccessControl(t *testing.T) {
{
name: "Mass delete organization annotations without permissions is forbidden",
args: args{
permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
url: "/api/annotations/mass-delete",
method: http.MethodPost,
body: mockRequestBody(dtos.MassDeleteAnnotationsCmd{
@ -944,7 +944,7 @@ func TestAPI_MassDeleteAnnotations_AccessControl(t *testing.T) {
{
name: "AccessControl mass delete dashboard annotations with correct annotationId as input is allowed",
args: args{
permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
url: "/api/annotations/mass-delete",
method: http.MethodPost,
body: mockRequestBody(dtos.MassDeleteAnnotationsCmd{
@ -956,7 +956,7 @@ func TestAPI_MassDeleteAnnotations_AccessControl(t *testing.T) {
{
name: "AccessControl mass delete annotation without access to dashboard annotations is forbidden",
args: args{
permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
url: "/api/annotations/mass-delete",
method: http.MethodPost,
body: mockRequestBody(dtos.MassDeleteAnnotationsCmd{
@ -968,7 +968,7 @@ func TestAPI_MassDeleteAnnotations_AccessControl(t *testing.T) {
{
name: "AccessControl mass delete annotation without access to organization annotations is forbidden",
args: args{
permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
url: "/api/annotations/mass-delete",
method: http.MethodPost,
body: mockRequestBody(dtos.MassDeleteAnnotationsCmd{

8
pkg/api/common_test.go
Unescape View File

@ -231,7 +231,7 @@ func (s *fakeRenderService) Init() error {
return nil
}
func setupAccessControlScenarioContext(t *testing.T, cfg *setting.Cfg, url string, permissions []*accesscontrol.Permission) (*scenarioContext, *HTTPServer) {
func setupAccessControlScenarioContext(t *testing.T, cfg *setting.Cfg, url string, permissions []accesscontrol.Permission) (*scenarioContext, *HTTPServer) {
cfg.Quota.Enabled = false
store := sqlstore.InitTestDB(t)
@ -260,7 +260,7 @@ type accessControlTestCase struct {
desc string
url string
method string
permissions []*accesscontrol.Permission
permissions []accesscontrol.Permission
}
// accessControlScenarioContext contains the setups for accesscontrol tests
@ -287,9 +287,9 @@ type accessControlScenarioContext struct {
dashboardsStore dashboards.Store
}
func setAccessControlPermissions(acmock *accesscontrolmock.Mock, perms []*accesscontrol.Permission, org int64) {
func setAccessControlPermissions(acmock *accesscontrolmock.Mock, perms []accesscontrol.Permission, org int64) {
acmock.GetUserPermissionsFunc =
func(_ context.Context, u *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
func(_ context.Context, u *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
if u.OrgId == org {
return perms, nil
}

44
pkg/api/datasources_test.go
Unescape View File

@ -239,7 +239,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesPut should return 404 if datasource not found",
url: fmt.Sprintf("/api/datasources/%v", "12345678"),
method: http.MethodPut,
permissions: []*ac.Permission{
permissions: []ac.Permission{
{
Action: datasources.ActionWrite,
Scope: datasources.ScopeAll,
@ -254,7 +254,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesGet should return 200 for user with correct permissions",
url: "/api/datasources/",
method: http.MethodGet,
permissions: []*ac.Permission{{Action: datasources.ActionRead, Scope: datasources.ScopeAll}},
permissions: []ac.Permission{{Action: datasources.ActionRead, Scope: datasources.ScopeAll}},
},
},
{
@ -263,7 +263,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesGet should return 403 for user without required permissions",
url: "/api/datasources/",
method: http.MethodGet,
permissions: []*ac.Permission{{Action: "wrong"}},
permissions: []ac.Permission{{Action: "wrong"}},
},
},
{
@ -273,7 +273,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesPost should return 200 for user with correct permissions",
url: "/api/datasources/",
method: http.MethodPost,
permissions: []*ac.Permission{{Action: datasources.ActionCreate}},
permissions: []ac.Permission{{Action: datasources.ActionCreate}},
},
expectedDS: &testDatasource,
},
@ -283,7 +283,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesPost should return 403 for user without required permissions",
url: "/api/datasources/",
method: http.MethodPost,
permissions: []*ac.Permission{{Action: "wrong"}},
permissions: []ac.Permission{{Action: "wrong"}},
},
},
{
@ -293,7 +293,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesPut should return 200 for user with correct permissions",
url: fmt.Sprintf("/api/datasources/%v", testDatasource.Id),
method: http.MethodPut,
permissions: []*ac.Permission{
permissions: []ac.Permission{
{
Action: datasources.ActionWrite,
Scope: fmt.Sprintf("datasources:id:%v", testDatasource.Id),
@ -308,7 +308,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesPut should return 403 for user without required permissions",
url: fmt.Sprintf("/api/datasources/%v", testDatasource.Id),
method: http.MethodPut,
permissions: []*ac.Permission{{Action: "wrong"}},
permissions: []ac.Permission{{Action: "wrong"}},
},
},
{
@ -318,7 +318,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesPut should return 403 for read only datasource",
url: fmt.Sprintf("/api/datasources/%v", testDatasourceReadOnly.Id),
method: http.MethodPut,
permissions: []*ac.Permission{
permissions: []ac.Permission{
{
Action: datasources.ActionWrite,
Scope: fmt.Sprintf("datasources:id:%v", testDatasourceReadOnly.Id),
@ -333,7 +333,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesDeleteByID should return 200 for user with correct permissions",
url: fmt.Sprintf("/api/datasources/%v", testDatasource.Id),
method: http.MethodDelete,
permissions: []*ac.Permission{
permissions: []ac.Permission{
{
Action: datasources.ActionDelete,
Scope: fmt.Sprintf("datasources:id:%v", testDatasource.Id),
@ -348,7 +348,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesDeleteByID should return 403 for user without required permissions",
url: fmt.Sprintf("/api/datasources/%v", testDatasource.Id),
method: http.MethodDelete,
permissions: []*ac.Permission{{Action: "wrong"}},
permissions: []ac.Permission{{Action: "wrong"}},
},
},
{
@ -357,7 +357,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesDeleteByUID should return 200 for user with correct permissions",
url: fmt.Sprintf("/api/datasources/uid/%v", testDatasource.Uid),
method: http.MethodDelete,
permissions: []*ac.Permission{
permissions: []ac.Permission{
{
Action: datasources.ActionDelete,
Scope: fmt.Sprintf("datasources:uid:%v", testDatasource.Uid),
@ -372,7 +372,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesDeleteByUID should return 403 for user without required permissions",
url: fmt.Sprintf("/api/datasources/uid/%v", testDatasource.Uid),
method: http.MethodDelete,
permissions: []*ac.Permission{{Action: "wrong"}},
permissions: []ac.Permission{{Action: "wrong"}},
},
},
{
@ -381,7 +381,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesDeleteByName should return 200 for user with correct permissions",
url: fmt.Sprintf("/api/datasources/name/%v", testDatasource.Name),
method: http.MethodDelete,
permissions: []*ac.Permission{
permissions: []ac.Permission{
{
Action: datasources.ActionDelete,
Scope: fmt.Sprintf("datasources:name:%v", testDatasource.Name),
@ -396,7 +396,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesDeleteByName should return 403 for user without required permissions",
url: fmt.Sprintf("/api/datasources/name/%v", testDatasource.Name),
method: http.MethodDelete,
permissions: []*ac.Permission{{Action: "wrong"}},
permissions: []ac.Permission{{Action: "wrong"}},
},
},
{
@ -405,7 +405,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesGetByID should return 200 for user with correct permissions",
url: fmt.Sprintf("/api/datasources/%v", testDatasource.Id),
method: http.MethodGet,
permissions: []*ac.Permission{
permissions: []ac.Permission{
{
Action: datasources.ActionRead,
Scope: fmt.Sprintf("datasources:id:%v", testDatasource.Id),
@ -420,7 +420,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesGetByID should return 403 for user without required permissions",
url: fmt.Sprintf("/api/datasources/%v", testDatasource.Id),
method: http.MethodGet,
permissions: []*ac.Permission{{Action: "wrong"}},
permissions: []ac.Permission{{Action: "wrong"}},
},
},
{
@ -429,7 +429,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesGetByUID should return 200 for user with correct permissions",
url: fmt.Sprintf("/api/datasources/uid/%v", testDatasource.Uid),
method: http.MethodGet,
permissions: []*ac.Permission{
permissions: []ac.Permission{
{
Action: datasources.ActionRead,
Scope: fmt.Sprintf("datasources:uid:%v", testDatasource.Uid),
@ -444,7 +444,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesGetByUID should return 403 for user without required permissions",
url: fmt.Sprintf("/api/datasources/uid/%v", testDatasource.Uid),
method: http.MethodGet,
permissions: []*ac.Permission{{Action: "wrong"}},
permissions: []ac.Permission{{Action: "wrong"}},
},
},
{
@ -453,7 +453,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesGetByName should return 200 for user with correct permissions",
url: fmt.Sprintf("/api/datasources/name/%v", testDatasource.Name),
method: http.MethodGet,
permissions: []*ac.Permission{
permissions: []ac.Permission{
{
Action: datasources.ActionRead,
Scope: fmt.Sprintf("datasources:name:%v", testDatasource.Name),
@ -468,7 +468,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesGetByName should return 403 for user without required permissions",
url: fmt.Sprintf("/api/datasources/name/%v", testDatasource.Name),
method: http.MethodGet,
permissions: []*ac.Permission{{Action: "wrong"}},
permissions: []ac.Permission{{Action: "wrong"}},
},
expectedDS: &testDatasource,
},
@ -478,7 +478,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesGetIdByName should return 200 for user with correct permissions",
url: fmt.Sprintf("/api/datasources/id/%v", testDatasource.Name),
method: http.MethodGet,
permissions: []*ac.Permission{
permissions: []ac.Permission{
{
Action: datasources.ActionIDRead,
Scope: fmt.Sprintf("datasources:name:%v", testDatasource.Name),
@ -493,7 +493,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesGetIdByName should return 403 for user without required permissions",
url: fmt.Sprintf("/api/datasources/id/%v", testDatasource.Name),
method: http.MethodGet,
permissions: []*ac.Permission{{Action: "wrong"}},
permissions: []ac.Permission{{Action: "wrong"}},
},
expectedDS: &testDatasource,
},

16
pkg/api/ldap_debug_test.go
Unescape View File

@ -514,7 +514,7 @@ func TestLDAP_AccessControl(t *testing.T) {
method: http.MethodPost,
desc: "ReloadLDAPCfg should return 200 for user with correct permissions",
expectedCode: http.StatusOK,
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: accesscontrol.ActionLDAPConfigReload},
},
},
@ -523,7 +523,7 @@ func TestLDAP_AccessControl(t *testing.T) {
method: http.MethodPost,
desc: "ReloadLDAPCfg should return 403 for user without required permissions",
expectedCode: http.StatusForbidden,
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: "wrong"},
},
},
@ -532,7 +532,7 @@ func TestLDAP_AccessControl(t *testing.T) {
method: http.MethodGet,
desc: "GetLDAPStatus should return 200 for user without required permissions",
expectedCode: http.StatusOK,
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: accesscontrol.ActionLDAPStatusRead},
},
},
@ -541,7 +541,7 @@ func TestLDAP_AccessControl(t *testing.T) {
method: http.MethodGet,
desc: "GetLDAPStatus should return 200 for user without required permissions",
expectedCode: http.StatusForbidden,
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: "wrong"},
},
},
@ -550,7 +550,7 @@ func TestLDAP_AccessControl(t *testing.T) {
method: http.MethodGet,
desc: "GetUserFromLDAP should return 200 for user with required permissions",
expectedCode: http.StatusOK,
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: accesscontrol.ActionLDAPUsersRead},
},
},
@ -559,7 +559,7 @@ func TestLDAP_AccessControl(t *testing.T) {
method: http.MethodGet,
desc: "GetUserFromLDAP should return 403 for user without required permissions",
expectedCode: http.StatusForbidden,
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: "wrong"},
},
},
@ -568,7 +568,7 @@ func TestLDAP_AccessControl(t *testing.T) {
method: http.MethodPost,
desc: "PostSyncUserWithLDAP should return 200 for user without required permissions",
expectedCode: http.StatusOK,
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: accesscontrol.ActionLDAPUsersSync},
},
},
@ -577,7 +577,7 @@ func TestLDAP_AccessControl(t *testing.T) {
method: http.MethodPost,
desc: "PostSyncUserWithLDAP should return 200 for user without required permissions",
expectedCode: http.StatusForbidden,
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: "wrong"},
},
},

56
pkg/api/org_test.go
Unescape View File

@ -69,17 +69,17 @@ func TestAPIEndpoint_GetCurrentOrg_AccessControl(t *testing.T) {
require.NoError(t, err)
t.Run("AccessControl allows viewing CurrentOrg with correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsRead}}, sc.initCtx.OrgId)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsRead}}, sc.initCtx.OrgId)
response := callAPI(sc.server, http.MethodGet, getCurrentOrgURL, nil, t)
assert.Equal(t, http.StatusOK, response.Code)
})
t.Run("AccessControl prevents viewing CurrentOrg with correct permissions in another org", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsRead}}, 2)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsRead}}, 2)
response := callAPI(sc.server, http.MethodGet, getCurrentOrgURL, nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
t.Run("AccessControl prevents viewing CurrentOrg with incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgId)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgId)
response := callAPI(sc.server, http.MethodGet, getCurrentOrgURL, nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
@ -115,19 +115,19 @@ func TestAPIEndpoint_PutCurrentOrg_AccessControl(t *testing.T) {
input := strings.NewReader(testUpdateOrgNameForm)
t.Run("AccessControl allows updating current org with correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsWrite}}, sc.initCtx.OrgId)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsWrite}}, sc.initCtx.OrgId)
response := callAPI(sc.server, http.MethodPut, putCurrentOrgURL, input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
t.Run("AccessControl prevents updating current org with correct permissions in another org", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsWrite}}, 2)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsWrite}}, 2)
response := callAPI(sc.server, http.MethodPut, putCurrentOrgURL, input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
t.Run("AccessControl prevents updating current org with incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgId)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgId)
response := callAPI(sc.server, http.MethodPut, putCurrentOrgURL, input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
@ -163,20 +163,20 @@ func TestAPIEndpoint_PutCurrentOrgAddress_AccessControl(t *testing.T) {
input := strings.NewReader(testUpdateOrgAddressForm)
t.Run("AccessControl allows updating current org address with correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsWrite}}, sc.initCtx.OrgId)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsWrite}}, sc.initCtx.OrgId)
response := callAPI(sc.server, http.MethodPut, putCurrentOrgAddressURL, input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
input = strings.NewReader(testUpdateOrgAddressForm)
t.Run("AccessControl prevents updating current org address with correct permissions in another org", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsWrite}}, 2)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsWrite}}, 2)
response := callAPI(sc.server, http.MethodPut, putCurrentOrgAddressURL, input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
t.Run("AccessControl prevents updating current org address with incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgId)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgId)
response := callAPI(sc.server, http.MethodPut, putCurrentOrgAddressURL, input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
@ -235,14 +235,14 @@ func TestAPIEndpoint_CreateOrgs_AccessControl(t *testing.T) {
input := strings.NewReader(fmt.Sprintf(testCreateOrgCmd, 2))
t.Run("AccessControl allows creating Orgs with correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsCreate}}, accesscontrol.GlobalOrgID)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsCreate}}, accesscontrol.GlobalOrgID)
response := callAPI(sc.server, http.MethodPost, createOrgsURL, input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
input = strings.NewReader(fmt.Sprintf(testCreateOrgCmd, 3))
t.Run("AccessControl prevents creating Orgs with incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, accesscontrol.GlobalOrgID)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, accesscontrol.GlobalOrgID)
response := callAPI(sc.server, http.MethodPost, createOrgsURL, input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
@ -273,17 +273,17 @@ func TestAPIEndpoint_DeleteOrgs_AccessControl(t *testing.T) {
setupOrgsDBForAccessControlTests(t, sc.db, *sc.initCtx.SignedInUser, 2)
t.Run("AccessControl prevents deleting Orgs with incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(deleteOrgsURL, 2), nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
t.Run("AccessControl prevents deleting Orgs with correct permissions in another org", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsDelete}}, 1)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsDelete}}, 1)
response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(deleteOrgsURL, 2), nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
t.Run("AccessControl allows deleting Orgs with correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsDelete}}, 2)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsDelete}}, 2)
response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(deleteOrgsURL, 2), nil, t)
assert.Equal(t, http.StatusOK, response.Code)
})
@ -310,17 +310,17 @@ func TestAPIEndpoint_SearchOrgs_AccessControl(t *testing.T) {
setInitCtxSignedInViewer(sc.initCtx)
t.Run("AccessControl allows listing Orgs with correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsRead}}, accesscontrol.GlobalOrgID)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsRead}}, accesscontrol.GlobalOrgID)
response := callAPI(sc.server, http.MethodGet, searchOrgsURL, nil, t)
assert.Equal(t, http.StatusOK, response.Code)
})
t.Run("AccessControl prevents listing Orgs with correct permissions not granted globally", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsRead}}, 1)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsRead}}, 1)
response := callAPI(sc.server, http.MethodGet, searchOrgsURL, nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
t.Run("AccessControl prevents listing Orgs with incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, accesscontrol.GlobalOrgID)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, accesscontrol.GlobalOrgID)
response := callAPI(sc.server, http.MethodGet, searchOrgsURL, nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
@ -353,17 +353,17 @@ func TestAPIEndpoint_GetOrg_AccessControl(t *testing.T) {
setupOrgsDBForAccessControlTests(t, sc.db, *sc.initCtx.SignedInUser, 2)
t.Run("AccessControl allows viewing another org with correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsRead}}, 2)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsRead}}, 2)
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsURL, 2), nil, t)
assert.Equal(t, http.StatusOK, response.Code)
})
t.Run("AccessControl prevents viewing another org with correct permissions in another org", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsRead}}, 1)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsRead}}, 1)
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsURL, 2), nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
t.Run("AccessControl prevents viewing another org with incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsURL, 2), nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
@ -396,12 +396,12 @@ func TestAPIEndpoint_GetOrgByName_AccessControl(t *testing.T) {
setupOrgsDBForAccessControlTests(t, sc.db, *sc.initCtx.SignedInUser, 2)
t.Run("AccessControl allows viewing another org with correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsRead}}, accesscontrol.GlobalOrgID)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsRead}}, accesscontrol.GlobalOrgID)
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsByNameURL, "TestOrg2"), nil, t)
assert.Equal(t, http.StatusOK, response.Code)
})
t.Run("AccessControl prevents viewing another org with incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, accesscontrol.GlobalOrgID)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, accesscontrol.GlobalOrgID)
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsByNameURL, "TestOrg2"), nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
@ -437,19 +437,19 @@ func TestAPIEndpoint_PutOrg_AccessControl(t *testing.T) {
input := strings.NewReader(testUpdateOrgNameForm)
t.Run("AccessControl allows updating another org with correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsWrite}}, 2)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsWrite}}, 2)
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsURL, 2), input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
t.Run("AccessControl prevents updating another org with correct permissions in another org", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsWrite}}, 1)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsWrite}}, 1)
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsURL, 2), input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
t.Run("AccessControl prevents updating another org with incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsURL, 2), input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
@ -485,20 +485,20 @@ func TestAPIEndpoint_PutOrgAddress_AccessControl(t *testing.T) {
input := strings.NewReader(testUpdateOrgAddressForm)
t.Run("AccessControl allows updating another org address with correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsWrite}}, 2)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsWrite}}, 2)
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsAddressURL, 2), input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
input = strings.NewReader(testUpdateOrgAddressForm)
t.Run("AccessControl prevents updating another org address with correct permissions in the current org", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsWrite}}, 1)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsWrite}}, 1)
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsAddressURL, 2), input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
t.Run("AccessControl prevents updating another org address with incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsAddressURL, 2), input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})

4
pkg/api/org_users_test.go
Unescape View File

@ -208,14 +208,14 @@ func TestOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
desc: "UsersLookupGet should return 200 for user with correct permissions",
url: "/api/org/users/lookup",
method: http.MethodGet,
permissions: []*accesscontrol.Permission{{Action: accesscontrol.ActionOrgUsersRead, Scope: accesscontrol.ScopeUsersAll}},
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionOrgUsersRead, Scope: accesscontrol.ScopeUsersAll}},
},
{
expectedCode: http.StatusForbidden,
desc: "UsersLookupGet should return 403 for user without required permissions",
url: "/api/org/users/lookup",
method: http.MethodGet,
permissions: []*accesscontrol.Permission{{Action: "wrong"}},
permissions: []accesscontrol.Permission{{Action: "wrong"}},
},
}

12
pkg/api/preferences_test.go
Unescape View File

@ -79,17 +79,17 @@ func TestAPIEndpoint_GetCurrentOrgPreferences_AccessControl(t *testing.T) {
require.NoError(t, err)
t.Run("AccessControl allows getting org preferences with correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsPreferencesRead}}, sc.initCtx.OrgId)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsPreferencesRead}}, sc.initCtx.OrgId)
response := callAPI(sc.server, http.MethodGet, getOrgPreferencesURL, nil, t)
assert.Equal(t, http.StatusOK, response.Code)
})
t.Run("AccessControl prevents getting org preferences with correct permissions in another org", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsPreferencesRead}}, 2)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsPreferencesRead}}, 2)
response := callAPI(sc.server, http.MethodGet, getOrgPreferencesURL, nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
t.Run("AccessControl prevents getting org preferences with incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgId)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgId)
response := callAPI(sc.server, http.MethodGet, getOrgPreferencesURL, nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
@ -125,21 +125,21 @@ func TestAPIEndpoint_PutCurrentOrgPreferences_AccessControl(t *testing.T) {
input := strings.NewReader(testUpdateOrgPreferencesCmd)
t.Run("AccessControl allows updating org preferences with correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsPreferencesWrite}}, sc.initCtx.OrgId)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsPreferencesWrite}}, sc.initCtx.OrgId)
response := callAPI(sc.server, http.MethodPut, putOrgPreferencesURL, input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
input = strings.NewReader(testUpdateOrgPreferencesCmd)
t.Run("AccessControl prevents updating org preferences with correct permissions in another org", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsPreferencesWrite}}, 2)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsPreferencesWrite}}, 2)
response := callAPI(sc.server, http.MethodPut, putOrgPreferencesURL, input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
input = strings.NewReader(testUpdateOrgPreferencesCmd)
t.Run("AccessControl prevents updating org preferences with incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgId)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgId)
response := callAPI(sc.server, http.MethodPut, putOrgPreferencesURL, input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})

18
pkg/api/quota_test.go
Unescape View File

@ -66,17 +66,17 @@ func TestAPIEndpoint_GetCurrentOrgQuotas_AccessControl(t *testing.T) {
setupDBAndSettingsForAccessControlQuotaTests(t, sc)
t.Run("AccessControl allows viewing CurrentOrgQuotas with correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsQuotasRead}}, sc.initCtx.OrgId)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsQuotasRead}}, sc.initCtx.OrgId)
response := callAPI(sc.server, http.MethodGet, getCurrentOrgQuotasURL, nil, t)
assert.Equal(t, http.StatusOK, response.Code)
})
t.Run("AccessControl prevents viewing CurrentOrgQuotas with correct permissions in another org", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsQuotasRead}}, 2)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsQuotasRead}}, 2)
response := callAPI(sc.server, http.MethodGet, getCurrentOrgQuotasURL, nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
t.Run("AccessControl prevents viewing CurrentOrgQuotas with incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgId)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgId)
response := callAPI(sc.server, http.MethodGet, getCurrentOrgQuotasURL, nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
@ -107,17 +107,17 @@ func TestAPIEndpoint_GetOrgQuotas_AccessControl(t *testing.T) {
setupDBAndSettingsForAccessControlQuotaTests(t, sc)
t.Run("AccessControl allows viewing another org quotas with correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsQuotasRead}}, 2)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsQuotasRead}}, 2)
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsQuotasURL, 2), nil, t)
assert.Equal(t, http.StatusOK, response.Code)
})
t.Run("AccessControl prevents viewing another org quotas with correct permissions in another org", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsQuotasRead}}, 1)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsQuotasRead}}, 1)
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsQuotasURL, 2), nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
t.Run("AccessControl prevents viewing another org quotas with incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsQuotasURL, 2), nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
@ -151,21 +151,21 @@ func TestAPIEndpoint_PutOrgQuotas_AccessControl(t *testing.T) {
input := strings.NewReader(testUpdateOrgQuotaCmd)
t.Run("AccessControl allows updating another org quotas with correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsQuotasWrite}}, 2)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsQuotasWrite}}, 2)
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsQuotasURL, 2, "org_user"), input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
input = strings.NewReader(testUpdateOrgQuotaCmd)
t.Run("AccessControl prevents updating another org quotas with correct permissions in another org", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: ActionOrgsQuotasWrite}}, 1)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsQuotasWrite}}, 1)
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsQuotasURL, 2, "org_user"), input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
input = strings.NewReader(testUpdateOrgQuotaCmd)
t.Run("AccessControl prevents updating another org quotas with incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsQuotasURL, 2, "org_user"), input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})

4
pkg/api/search_test.go
Unescape View File

@ -27,8 +27,8 @@ func TestHTTPServer_Search(t *testing.T) {
},
}
sc.acmock.GetUserPermissionsFunc = func(ctx context.Context, user *models.SignedInUser, options accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{
sc.acmock.GetUserPermissionsFunc = func(ctx context.Context, user *models.SignedInUser, options accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{
{Action: "folders:read", Scope: "folders:*"},
{Action: "folders:write", Scope: "folders:uid:folder2"},
{Action: "dashboards:read", Scope: "dashboards:*"},

24
pkg/api/team_members_test.go
Unescape View File

@ -202,7 +202,7 @@ func TestGetTeamMembersAPIEndpoint_RBAC(t *testing.T) {
setInitCtxSignedInViewer(sc.initCtx)
t.Run("Access control allows getting a team members with the right permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock,
[]*ac.Permission{
[]ac.Permission{
{Action: ac.ActionTeamsPermissionsRead, Scope: ac.Scope("teams", "id", "1")},
{Action: ac.ActionOrgUsersRead, Scope: ac.ScopeUsersAll},
},
@ -220,7 +220,7 @@ func TestGetTeamMembersAPIEndpoint_RBAC(t *testing.T) {
setInitCtxSignedInOrgAdmin(sc.initCtx)
t.Run("Access control filters team members based on user permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock,
[]*ac.Permission{
[]ac.Permission{
{Action: ac.ActionTeamsPermissionsRead, Scope: ac.Scope("teams", "id", "1")},
{Action: ac.ActionOrgUsersRead, Scope: ac.Scope("users", "id", "2")},
{Action: ac.ActionOrgUsersRead, Scope: ac.Scope("users", "id", "3")},
@ -238,7 +238,7 @@ func TestGetTeamMembersAPIEndpoint_RBAC(t *testing.T) {
setInitCtxSignedInViewer(sc.initCtx)
t.Run("Access control prevents getting a team member with incorrect scope", func(t *testing.T) {
setAccessControlPermissions(sc.acmock,
[]*ac.Permission{{Action: ac.ActionTeamsPermissionsRead, Scope: ac.Scope("teams", "id", "2")}},
[]ac.Permission{{Action: ac.ActionTeamsPermissionsRead, Scope: ac.Scope("teams", "id", "2")}},
testOrgId)
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(teamMemberGetRoute, "1"), nil, t)
require.Equal(t, http.StatusForbidden, response.Code)
@ -256,7 +256,7 @@ func TestAddTeamMembersAPIEndpoint_RBAC(t *testing.T) {
newUserId := createUser(sc.db, testOrgId, t)
input := strings.NewReader(fmt.Sprintf(createTeamMemberCmd, newUserId))
t.Run("Access control allows adding a team member with the right permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*ac.Permission{{Action: ac.ActionTeamsPermissionsWrite, Scope: "teams:id:1"}}, 1)
setAccessControlPermissions(sc.acmock, []ac.Permission{{Action: ac.ActionTeamsPermissionsWrite, Scope: "teams:id:1"}}, 1)
response := callAPI(sc.server, http.MethodPost, fmt.Sprintf(teamMemberAddRoute, "1"), input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
@ -265,14 +265,14 @@ func TestAddTeamMembersAPIEndpoint_RBAC(t *testing.T) {
newUserId = createUser(sc.db, testOrgId, t)
input = strings.NewReader(fmt.Sprintf(teamCmd, newUserId))
t.Run("Access control prevents from adding a team member with the wrong permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*ac.Permission{{Action: ac.ActionTeamsPermissionsRead, Scope: "teams:id:1"}}, 1)
setAccessControlPermissions(sc.acmock, []ac.Permission{{Action: ac.ActionTeamsPermissionsRead, Scope: "teams:id:1"}}, 1)
response := callAPI(sc.server, http.MethodPost, fmt.Sprintf(teamMemberAddRoute, "1"), input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
setInitCtxSignedInViewer(sc.initCtx)
t.Run("Access control prevents adding a team member with incorrect scope", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*ac.Permission{{Action: ac.ActionTeamsPermissionsWrite, Scope: "teams:id:2"}}, 1)
setAccessControlPermissions(sc.acmock, []ac.Permission{{Action: ac.ActionTeamsPermissionsWrite, Scope: "teams:id:2"}}, 1)
response := callAPI(sc.server, http.MethodPost, fmt.Sprintf(teamMemberAddRoute, "1"), input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
@ -335,7 +335,7 @@ func TestUpdateTeamMembersAPIEndpoint_RBAC(t *testing.T) {
setInitCtxSignedInViewer(sc.initCtx)
input := strings.NewReader(fmt.Sprintf(updateTeamMemberCmd, models.PERMISSION_ADMIN))
t.Run("Access control allows updating a team member with the right permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*ac.Permission{{Action: ac.ActionTeamsPermissionsWrite, Scope: "teams:id:1"}}, 1)
setAccessControlPermissions(sc.acmock, []ac.Permission{{Action: ac.ActionTeamsPermissionsWrite, Scope: "teams:id:1"}}, 1)
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(teamMemberUpdateRoute, "1", "2"), input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
@ -343,14 +343,14 @@ func TestUpdateTeamMembersAPIEndpoint_RBAC(t *testing.T) {
setInitCtxSignedInOrgAdmin(sc.initCtx)
input = strings.NewReader(fmt.Sprintf(updateTeamMemberCmd, models.PERMISSION_ADMIN))
t.Run("Access control prevents updating a team member with the wrong permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*ac.Permission{{Action: ac.ActionTeamsPermissionsRead, Scope: "teams:id:1"}}, 1)
setAccessControlPermissions(sc.acmock, []ac.Permission{{Action: ac.ActionTeamsPermissionsRead, Scope: "teams:id:1"}}, 1)
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(teamMemberUpdateRoute, "1", "2"), input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
setInitCtxSignedInViewer(sc.initCtx)
t.Run("Access control prevents updating a team member with incorrect scope", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*ac.Permission{{Action: ac.ActionTeamsPermissionsWrite, Scope: "teams:id:2"}}, 1)
setAccessControlPermissions(sc.acmock, []ac.Permission{{Action: ac.ActionTeamsPermissionsWrite, Scope: "teams:id:2"}}, 1)
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(teamMemberUpdateRoute, "1", "2"), input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
@ -408,21 +408,21 @@ func TestDeleteTeamMembersAPIEndpoint_RBAC(t *testing.T) {
setInitCtxSignedInViewer(sc.initCtx)
t.Run("Access control allows removing a team member with the right permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*ac.Permission{{Action: ac.ActionTeamsPermissionsWrite, Scope: "teams:id:1"}}, 1)
setAccessControlPermissions(sc.acmock, []ac.Permission{{Action: ac.ActionTeamsPermissionsWrite, Scope: "teams:id:1"}}, 1)
response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(teamMemberDeleteRoute, "1", "2"), nil, t)
assert.Equal(t, http.StatusOK, response.Code)
})
setInitCtxSignedInOrgAdmin(sc.initCtx)
t.Run("Access control prevents removing a team member with the wrong permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*ac.Permission{{Action: ac.ActionTeamsPermissionsRead, Scope: "teams:id:1"}}, 1)
setAccessControlPermissions(sc.acmock, []ac.Permission{{Action: ac.ActionTeamsPermissionsRead, Scope: "teams:id:1"}}, 1)
response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(teamMemberDeleteRoute, "1", "3"), nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
setInitCtxSignedInViewer(sc.initCtx)
t.Run("Access control prevents removing a team member with incorrect scope", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*ac.Permission{{Action: ac.ActionTeamsPermissionsWrite, Scope: "teams:id:2"}}, 1)
setAccessControlPermissions(sc.acmock, []ac.Permission{{Action: ac.ActionTeamsPermissionsWrite, Scope: "teams:id:2"}}, 1)
response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(teamMemberDeleteRoute, "1", "3"), nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})

32
pkg/api/team_test.go
Unescape View File

@ -195,14 +195,14 @@ func TestTeamAPIEndpoint_CreateTeam_RBAC(t *testing.T) {
setInitCtxSignedInViewer(sc.initCtx)
input := strings.NewReader(fmt.Sprintf(teamCmd, 1))
t.Run("Access control allows creating teams with the correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsCreate}}, 1)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsCreate}}, 1)
response := callAPI(sc.server, http.MethodPost, createTeamURL, input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
input = strings.NewReader(fmt.Sprintf(teamCmd, 2))
t.Run("Access control prevents creating teams with the incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "teams:invalid"}}, accesscontrol.GlobalOrgID)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "teams:invalid"}}, accesscontrol.GlobalOrgID)
response := callAPI(sc.server, http.MethodPost, createTeamURL, input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
@ -219,13 +219,13 @@ func TestTeamAPIEndpoint_SearchTeams_RBAC(t *testing.T) {
setInitCtxSignedInViewer(sc.initCtx)
t.Run("Access control prevents searching for teams with the incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:*"}}, 1)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:*"}}, 1)
response := callAPI(sc.server, http.MethodGet, searchTeamsURL, http.NoBody, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
t.Run("Access control allows searching for teams with the correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:*"}}, 1)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:*"}}, 1)
response := callAPI(sc.server, http.MethodGet, searchTeamsURL, http.NoBody, t)
assert.Equal(t, http.StatusOK, response.Code)
@ -237,7 +237,7 @@ func TestTeamAPIEndpoint_SearchTeams_RBAC(t *testing.T) {
})
t.Run("Access control filters teams based on user permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"}, {Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:3"}}, 1)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"}, {Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:3"}}, 1)
response := callAPI(sc.server, http.MethodGet, searchTeamsURL, http.NoBody, t)
assert.Equal(t, http.StatusOK, response.Code)
@ -262,13 +262,13 @@ func TestTeamAPIEndpoint_GetTeamByID_RBAC(t *testing.T) {
setInitCtxSignedInViewer(sc.initCtx)
t.Run("Access control prevents getting a team with the incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:2"}}, 1)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:2"}}, 1)
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(detailTeamURL, 1), http.NoBody, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
t.Run("Access control allows getting a team with the correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"}}, 1)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"}}, 1)
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(detailTeamURL, 1), http.NoBody, t)
assert.Equal(t, http.StatusOK, response.Code)
@ -293,7 +293,7 @@ func TestTeamAPIEndpoint_UpdateTeam_RBAC(t *testing.T) {
input := strings.NewReader(fmt.Sprintf(teamCmd, 1))
t.Run("Access control allows updating teams with the correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:1"}}, 1)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:1"}}, 1)
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(detailTeamURL, 1), input, t)
assert.Equal(t, http.StatusOK, response.Code)
@ -305,7 +305,7 @@ func TestTeamAPIEndpoint_UpdateTeam_RBAC(t *testing.T) {
input = strings.NewReader(fmt.Sprintf(teamCmd, 2))
t.Run("Access control allows updating teams with the correct global permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:*"}}, 1)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:*"}}, 1)
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(detailTeamURL, 1), input, t)
assert.Equal(t, http.StatusOK, response.Code)
@ -317,7 +317,7 @@ func TestTeamAPIEndpoint_UpdateTeam_RBAC(t *testing.T) {
input = strings.NewReader(fmt.Sprintf(teamCmd, 3))
t.Run("Access control prevents updating teams with the incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:2"}}, 1)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:2"}}, 1)
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(detailTeamURL, 1), input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
@ -340,7 +340,7 @@ func TestTeamAPIEndpoint_DeleteTeam_RBAC(t *testing.T) {
setInitCtxSignedInViewer(sc.initCtx)
t.Run("Access control prevents deleting teams with the incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:7"}}, 1)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:7"}}, 1)
response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(detailTeamURL, 1), http.NoBody, t)
assert.Equal(t, http.StatusForbidden, response.Code)
@ -350,7 +350,7 @@ func TestTeamAPIEndpoint_DeleteTeam_RBAC(t *testing.T) {
})
t.Run("Access control allows deleting teams with the correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:1"}}, 1)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:1"}}, 1)
response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(detailTeamURL, 1), http.NoBody, t)
assert.Equal(t, http.StatusOK, response.Code)
@ -381,13 +381,13 @@ func TestTeamAPIEndpoint_GetTeamPreferences_RBAC(t *testing.T) {
t.Run("Access control allows getting team preferences with the correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock,
[]*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"}}, 1)
[]accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"}}, 1)
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(detailTeamPreferenceURL, 1), http.NoBody, t)
assert.Equal(t, http.StatusOK, response.Code)
})
t.Run("Access control prevents getting team preferences with the incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:2"}}, 1)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:2"}}, 1)
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(detailTeamPreferenceURL, 1), http.NoBody, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
@ -413,7 +413,7 @@ func TestTeamAPIEndpoint_UpdateTeamPreferences_RBAC(t *testing.T) {
input := strings.NewReader(teamPreferenceCmd)
t.Run("Access control allows updating team preferences with the correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:1"}}, 1)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:1"}}, 1)
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(detailTeamPreferenceURL, 1), input, t)
assert.Equal(t, http.StatusOK, response.Code)
@ -425,7 +425,7 @@ func TestTeamAPIEndpoint_UpdateTeamPreferences_RBAC(t *testing.T) {
input = strings.NewReader(teamPreferenceCmdLight)
t.Run("Access control prevents updating team preferences with the incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:2"}}, 1)
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:2"}}, 1)
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(detailTeamPreferenceURL, 1), input, t)
assert.Equal(t, http.StatusForbidden, response.Code)

8
pkg/services/accesscontrol/accesscontrol.go
Unescape View File

@ -21,7 +21,7 @@ type AccessControl interface {
Evaluate(ctx context.Context, user *models.SignedInUser, evaluator Evaluator) (bool, error)
// GetUserPermissions returns user permissions with only action and scope fields set.
GetUserPermissions(ctx context.Context, user *models.SignedInUser, options Options) ([]*Permission, error)
GetUserPermissions(ctx context.Context, user *models.SignedInUser, options Options) ([]Permission, error)
//IsDisabled returns if access control is enabled or not
IsDisabled() bool
@ -42,7 +42,7 @@ type RoleRegistry interface {
type PermissionsStore interface {
// GetUserPermissions returns user permissions with only action and scope fields set.
GetUserPermissions(ctx context.Context, query GetUserPermissionsQuery) ([]*Permission, error)
GetUserPermissions(ctx context.Context, query GetUserPermissionsQuery) ([]Permission, error)
}
type TeamPermissionsService interface {
@ -144,7 +144,7 @@ var ReqOrgAdminOrEditor = func(c *models.ReqContext) bool {
return c.OrgRole == models.ROLE_ADMIN || c.OrgRole == models.ROLE_EDITOR
}
func BuildPermissionsMap(permissions []*Permission) map[string]bool {
func BuildPermissionsMap(permissions []Permission) map[string]bool {
permissionsMap := make(map[string]bool)
for _, p := range permissions {
permissionsMap[p.Action] = true
@ -154,7 +154,7 @@ func BuildPermissionsMap(permissions []*Permission) map[string]bool {
}
// GroupScopesByAction will group scopes on action
func GroupScopesByAction(permissions []*Permission) map[string][]string {
func GroupScopesByAction(permissions []Permission) map[string][]string {
m := make(map[string][]string)
for _, p := range permissions {
m[p.Action] = append(m[p.Action], p.Scope)

4
pkg/services/accesscontrol/database/database.go
Unescape View File

@ -20,8 +20,8 @@ type AccessControlStore struct {
sql *sqlstore.SQLStore
}
func (s *AccessControlStore) GetUserPermissions(ctx context.Context, query accesscontrol.GetUserPermissionsQuery) ([]*accesscontrol.Permission, error) {
result := make([]*accesscontrol.Permission, 0)
func (s *AccessControlStore) GetUserPermissions(ctx context.Context, query accesscontrol.GetUserPermissionsQuery) ([]accesscontrol.Permission, error) {
result := make([]accesscontrol.Permission, 0)
err := s.sql.WithDbSession(ctx, func(sess *sqlstore.DBSession) error {
filter, params := userRolesFilter(query.OrgID, query.UserID, query.Roles)

6
pkg/services/accesscontrol/filter_bench_test.go
Unescape View File

@ -48,7 +48,7 @@ func benchmarkFilter(b *testing.B, numDs, numPermissions int) {
}
}
func setupFilterBenchmark(b *testing.B, numDs, numPermissions int) (*sqlstore.SQLStore, []*accesscontrol.Permission) {
func setupFilterBenchmark(b *testing.B, numDs, numPermissions int) (*sqlstore.SQLStore, []accesscontrol.Permission) {
b.Helper()
store := sqlstore.InitTestDB(b)
@ -64,9 +64,9 @@ func setupFilterBenchmark(b *testing.B, numDs, numPermissions int) (*sqlstore.SQ
numPermissions = numDs
}
permissions := make([]*accesscontrol.Permission, 0, numPermissions)
permissions := make([]accesscontrol.Permission, 0, numPermissions)
for i := 1; i <= numPermissions; i++ {
permissions = append(permissions, &accesscontrol.Permission{
permissions = append(permissions, accesscontrol.Permission{
Action: "datasources:read",
Scope: accesscontrol.Scope("datasources", "id", strconv.Itoa(i)),
})

4
pkg/services/accesscontrol/middleware_test.go
Unescape View File

@ -34,7 +34,7 @@ func TestMiddleware(t *testing.T) {
{
desc: "should pass middleware for correct permissions",
ac: mock.New().WithPermissions(
[]*accesscontrol.Permission{{Action: "users:read", Scope: "users:*"}},
[]accesscontrol.Permission{{Action: "users:read", Scope: "users:*"}},
),
evaluator: accesscontrol.EvalPermission("users:read", "users:*"),
expectFallback: false,
@ -43,7 +43,7 @@ func TestMiddleware(t *testing.T) {
{
desc: "should not reach endpoint when missing permissions",
ac: mock.New().WithPermissions(
[]*accesscontrol.Permission{{Action: "users:read", Scope: "users:1"}},
[]accesscontrol.Permission{{Action: "users:read", Scope: "users:1"}},
),
evaluator: accesscontrol.EvalPermission("users:read", "users:*"),
expectFallback: false,

10
pkg/services/accesscontrol/mock/mock.go
Unescape View File

@ -25,7 +25,7 @@ type Calls struct {
type Mock struct {
// Unless an override is provided, permissions will be returned by GetUserPermissions
permissions []*accesscontrol.Permission
permissions []accesscontrol.Permission
// Unless an override is provided, disabled will be returned by IsDisabled
disabled bool
// Unless an override is provided, builtInRoles will be returned by GetUserBuiltInRoles
@ -36,7 +36,7 @@ type Mock struct {
// Override functions
EvaluateFunc func(context.Context, *models.SignedInUser, accesscontrol.Evaluator) (bool, error)
GetUserPermissionsFunc func(context.Context, *models.SignedInUser, accesscontrol.Options) ([]*accesscontrol.Permission, error)
GetUserPermissionsFunc func(context.Context, *models.SignedInUser, accesscontrol.Options) ([]accesscontrol.Permission, error)
IsDisabledFunc func() bool
DeclareFixedRolesFunc func(...accesscontrol.RoleRegistration) error
GetUserBuiltInRolesFunc func(user *models.SignedInUser) []string
@ -53,7 +53,7 @@ func New() *Mock {
mock := &Mock{
Calls: Calls{},
disabled: false,
permissions: []*accesscontrol.Permission{},
permissions: []accesscontrol.Permission{},
builtInRoles: []string{},
scopeResolvers: accesscontrol.NewScopeResolvers(),
}
@ -65,7 +65,7 @@ func (m Mock) GetUsageStats(ctx context.Context) map[string]interface{} {
return make(map[string]interface{})
}
func (m Mock) WithPermissions(permissions []*accesscontrol.Permission) *Mock {
func (m Mock) WithPermissions(permissions []accesscontrol.Permission) *Mock {
m.permissions = permissions
return &m
}
@ -104,7 +104,7 @@ func (m *Mock) Evaluate(ctx context.Context, user *models.SignedInUser, evaluato
// GetUserPermissions returns user permissions.
// This mock return m.permissions unless an override is provided.
func (m *Mock) GetUserPermissions(ctx context.Context, user *models.SignedInUser, opts accesscontrol.Options) ([]*accesscontrol.Permission, error) {
func (m *Mock) GetUserPermissions(ctx context.Context, user *models.SignedInUser, opts accesscontrol.Options) ([]accesscontrol.Permission, error) {
m.Calls.GetUserPermissions = append(m.Calls.GetUserPermissions, []interface{}{ctx, user, opts})
// Use override if provided
if m.GetUserPermissionsFunc != nil {

18
pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go
Unescape View File

@ -103,7 +103,7 @@ func (ac *OSSAccessControlService) Evaluate(ctx context.Context, user *models.Si
}
// GetUserPermissions returns user permissions based on built-in roles
func (ac *OSSAccessControlService) GetUserPermissions(ctx context.Context, user *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
func (ac *OSSAccessControlService) GetUserPermissions(ctx context.Context, user *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
timer := prometheus.NewTimer(metrics.MAccessPermissionsSummary)
defer timer.ObserveDuration()
@ -120,28 +120,24 @@ func (ac *OSSAccessControlService) GetUserPermissions(ctx context.Context, user
}
permissions = append(permissions, dbPermissions...)
resolved := make([]*accesscontrol.Permission, 0, len(permissions))
keywordMutator := ac.scopeResolvers.GetScopeKeywordMutator(user)
for _, p := range permissions {
for i := range permissions {
// if the permission has a keyword in its scope it will be resolved
p.Scope, err = keywordMutator(ctx, p.Scope)
permissions[i].Scope, err = keywordMutator(ctx, permissions[i].Scope)
if err != nil {
return nil, err
}
resolved = append(resolved, p)
}
return resolved, nil
return permissions, nil
}
func (ac *OSSAccessControlService) getFixedPermissions(ctx context.Context, user *models.SignedInUser) []*accesscontrol.Permission {
permissions := make([]*accesscontrol.Permission, 0)
func (ac *OSSAccessControlService) getFixedPermissions(ctx context.Context, user *models.SignedInUser) []accesscontrol.Permission {
permissions := make([]accesscontrol.Permission, 0)
for _, builtin := range accesscontrol.GetOrgRoles(ac.cfg, user) {
if basicRole, ok := ac.roles[builtin]; ok {
for i := range basicRole.Permissions {
permissions = append(permissions, &basicRole.Permissions[i])
}
permissions = append(permissions, basicRole.Permissions...)
}
}

10
pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol_test.go
Unescape View File

@ -35,10 +35,10 @@ func setupTestEnv(t testing.TB) *OSSAccessControlService {
}
// extractRawPermissionsHelper extracts action and scope fields only from a permission slice
func extractRawPermissionsHelper(perms []*accesscontrol.Permission) []*accesscontrol.Permission {
res := make([]*accesscontrol.Permission, len(perms))
func extractRawPermissionsHelper(perms []accesscontrol.Permission) []accesscontrol.Permission {
res := make([]accesscontrol.Permission, len(perms))
for i, p := range perms {
res[i] = &accesscontrol.Permission{Action: p.Action, Scope: p.Scope}
res[i] = accesscontrol.Permission{Action: p.Action, Scope: p.Scope}
}
return res
}
@ -421,8 +421,8 @@ func TestOSSAccessControlService_GetUserPermissions(t *testing.T) {
rawUserPerms := extractRawPermissionsHelper(userPerms)
assert.Contains(t, rawUserPerms, &tt.wantPerm, "Expected resolution of raw permission")
assert.NotContains(t, rawUserPerms, &tt.rawPerm, "Expected raw permission to have been resolved")
assert.Contains(t, rawUserPerms, tt.wantPerm, "Expected resolution of raw permission")
assert.NotContains(t, rawUserPerms, tt.rawPerm, "Expected raw permission to have been resolved")
})
}
}

44
pkg/services/accesscontrol/resourcepermissions/api_test.go
Unescape View File

@ -26,7 +26,7 @@ import (
type getDescriptionTestCase struct {
desc string
options Options
permissions []*accesscontrol.Permission
permissions []accesscontrol.Permission
expected Description
expectedStatus int
}
@ -49,7 +49,7 @@ func TestApi_getDescription(t *testing.T) {
"Admin": {"dashboards:read", "dashboards:write", "dashboards:delete", "dashboards.permissions:read", "dashboards:permissions:write"},
},
},
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: "dashboards.permissions:read"},
},
expected: Description{
@ -76,7 +76,7 @@ func TestApi_getDescription(t *testing.T) {
"View": {"dashboards:read"},
},
},
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: "dashboards.permissions:read"},
},
expected: Description{
@ -103,7 +103,7 @@ func TestApi_getDescription(t *testing.T) {
"View": {"dashboards:read"},
},
},
permissions: []*accesscontrol.Permission{},
permissions: []accesscontrol.Permission{},
expected: Description{},
expectedStatus: http.StatusForbidden,
},
@ -132,7 +132,7 @@ func TestApi_getDescription(t *testing.T) {
type getPermissionsTestCase struct {
desc string
resourceID string
permissions []*accesscontrol.Permission
permissions []accesscontrol.Permission
expectedStatus int
}
@ -141,7 +141,7 @@ func TestApi_getPermissions(t *testing.T) {
{
desc: "expect permissions for resource with id 1",
resourceID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
{Action: accesscontrol.ActionOrgUsersRead, Scope: accesscontrol.ScopeUsersAll},
@ -151,7 +151,7 @@ func TestApi_getPermissions(t *testing.T) {
{
desc: "expect http status 403 when missing permission",
resourceID: "1",
permissions: []*accesscontrol.Permission{},
permissions: []accesscontrol.Permission{},
expectedStatus: 403,
},
}
@ -179,7 +179,7 @@ type setBuiltinPermissionTestCase struct {
builtInRole string
expectedStatus int
permission string
permissions []*accesscontrol.Permission
permissions []accesscontrol.Permission
}
func TestApi_setBuiltinRolePermission(t *testing.T) {
@ -190,7 +190,7 @@ func TestApi_setBuiltinRolePermission(t *testing.T) {
builtInRole: "Viewer",
expectedStatus: 200,
permission: "Edit",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
@ -203,7 +203,7 @@ func TestApi_setBuiltinRolePermission(t *testing.T) {
builtInRole: "Admin",
expectedStatus: 200,
permission: "View",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
@ -216,7 +216,7 @@ func TestApi_setBuiltinRolePermission(t *testing.T) {
builtInRole: "Invalid",
expectedStatus: http.StatusBadRequest,
permission: "View",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
},
@ -227,7 +227,7 @@ func TestApi_setBuiltinRolePermission(t *testing.T) {
builtInRole: "Invalid",
expectedStatus: http.StatusForbidden,
permission: "View",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
},
},
@ -257,7 +257,7 @@ type setTeamPermissionTestCase struct {
resourceID string
expectedStatus int
permission string
permissions []*accesscontrol.Permission
permissions []accesscontrol.Permission
}
func TestApi_setTeamPermission(t *testing.T) {
@ -268,7 +268,7 @@ func TestApi_setTeamPermission(t *testing.T) {
resourceID: "1",
expectedStatus: 200,
permission: "Edit",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
@ -281,7 +281,7 @@ func TestApi_setTeamPermission(t *testing.T) {
resourceID: "1",
expectedStatus: 200,
permission: "View",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
@ -294,7 +294,7 @@ func TestApi_setTeamPermission(t *testing.T) {
resourceID: "1",
expectedStatus: http.StatusBadRequest,
permission: "View",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
},
@ -305,7 +305,7 @@ func TestApi_setTeamPermission(t *testing.T) {
resourceID: "1",
expectedStatus: http.StatusForbidden,
permission: "View",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
},
},
@ -340,7 +340,7 @@ type setUserPermissionTestCase struct {
resourceID string
expectedStatus int
permission string
permissions []*accesscontrol.Permission
permissions []accesscontrol.Permission
}
func TestApi_setUserPermission(t *testing.T) {
@ -351,7 +351,7 @@ func TestApi_setUserPermission(t *testing.T) {
resourceID: "1",
expectedStatus: 200,
permission: "Edit",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
@ -364,7 +364,7 @@ func TestApi_setUserPermission(t *testing.T) {
resourceID: "1",
expectedStatus: 200,
permission: "View",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
@ -377,7 +377,7 @@ func TestApi_setUserPermission(t *testing.T) {
resourceID: "1",
expectedStatus: http.StatusBadRequest,
permission: "View",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
{Action: "dashboards.permissions:write", Scope: "dashboards:id:1"},
},
@ -388,7 +388,7 @@ func TestApi_setUserPermission(t *testing.T) {
resourceID: "1",
expectedStatus: http.StatusForbidden,
permission: "View",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"},
},
},

10
pkg/services/accesscontrol/resourcepermissions/service_test.go
Unescape View File

@ -36,7 +36,7 @@ func TestService_SetUserPermission(t *testing.T) {
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
service, sql := setupTestEnvironment(t, []*accesscontrol.Permission{}, Options{
service, sql := setupTestEnvironment(t, []accesscontrol.Permission{}, Options{
Resource: "dashboards",
Assignments: Assignments{Users: true},
PermissionsToActions: nil,
@ -80,7 +80,7 @@ func TestService_SetTeamPermission(t *testing.T) {
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
service, sql := setupTestEnvironment(t, []*accesscontrol.Permission{}, Options{
service, sql := setupTestEnvironment(t, []accesscontrol.Permission{}, Options{
Resource: "dashboards",
Assignments: Assignments{Teams: true},
PermissionsToActions: nil,
@ -124,7 +124,7 @@ func TestService_SetBuiltInRolePermission(t *testing.T) {
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
service, _ := setupTestEnvironment(t, []*accesscontrol.Permission{}, Options{
service, _ := setupTestEnvironment(t, []accesscontrol.Permission{}, Options{
Resource: "dashboards",
Assignments: Assignments{BuiltInRoles: true},
PermissionsToActions: nil,
@ -197,7 +197,7 @@ func TestService_SetPermissions(t *testing.T) {
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
service, sql := setupTestEnvironment(t, []*accesscontrol.Permission{}, tt.options)
service, sql := setupTestEnvironment(t, []accesscontrol.Permission{}, tt.options)
// seed user
_, err := sql.CreateUser(context.Background(), models.CreateUserCommand{Login: "user", OrgId: 1})
@ -216,7 +216,7 @@ func TestService_SetPermissions(t *testing.T) {
}
}
func setupTestEnvironment(t *testing.T, permissions []*accesscontrol.Permission, ops Options) (*Service, *sqlstore.SQLStore) {
func setupTestEnvironment(t *testing.T, permissions []accesscontrol.Permission, ops Options) (*Service, *sqlstore.SQLStore) {
t.Helper()
sql := sqlstore.InitTestDB(t)

78
pkg/services/guardian/accesscontrol_guardian_test.go
Unescape View File

@ -25,7 +25,7 @@ import (
type accessControlGuardianTestCase struct {
desc string
dashUID string
permissions []*accesscontrol.Permission
permissions []accesscontrol.Permission
viewersCanEdit bool
expected bool
}
@ -35,7 +35,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
{
desc: "should be able to save with dashboard wildcard scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsWrite,
Scope: "dashboards:*",
@ -46,7 +46,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
{
desc: "should be able to save with folder wildcard scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsWrite,
Scope: "folders:*",
@ -57,7 +57,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
{
desc: "should be able to save with dashboard scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsWrite,
Scope: "dashboards:uid:1",
@ -68,7 +68,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
{
desc: "should be able to save with folder scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsWrite,
Scope: "folders:uid:general",
@ -79,7 +79,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
{
desc: "should not be able to save with incorrect dashboard scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsWrite,
Scope: "dashboards:uid:10",
@ -90,7 +90,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
{
desc: "should not be able to save with incorrect folder scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsWrite,
Scope: "folders:uid:100",
@ -114,7 +114,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
{
desc: "should be able to edit with dashboard wildcard scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsWrite,
Scope: "dashboards:*",
@ -125,7 +125,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
{
desc: "should be able to edit with folder wildcard scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsWrite,
Scope: "folders:*",
@ -136,7 +136,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
{
desc: "should be able to edit with dashboard scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsWrite,
Scope: "dashboards:uid:1",
@ -147,7 +147,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
{
desc: "should be able to edit with folder scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsWrite,
Scope: "folders:uid:general",
@ -158,7 +158,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
{
desc: "should not be able to edit with incorrect dashboard scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsWrite,
Scope: "dashboards:uid:10",
@ -169,7 +169,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
{
desc: "should not be able to edit with incorrect folder scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsWrite,
Scope: "folders:uid:10",
@ -180,7 +180,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
{
desc: "should be able to edit with read action when viewer_can_edit is true",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsRead,
Scope: "dashboards:uid:1",
@ -210,7 +210,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
{
desc: "should be able to view with dashboard wildcard scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsRead,
Scope: "dashboards:*",
@ -221,7 +221,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
{
desc: "should be able to view with folder wildcard scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsRead,
Scope: "folders:*",
@ -232,7 +232,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
{
desc: "should be able to view with dashboard scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsRead,
Scope: "dashboards:uid:1",
@ -243,7 +243,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
{
desc: "should be able to view with folder scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsRead,
Scope: "folders:uid:general",
@ -254,7 +254,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
{
desc: "should not be able to view with incorrect dashboard scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsRead,
Scope: "dashboards:uid:10",
@ -265,7 +265,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
{
desc: "should not be able to view with incorrect folder scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsRead,
Scope: "folders:uid:10",
@ -290,7 +290,7 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
{
desc: "should be able to admin with dashboard wildcard scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsPermissionsRead,
Scope: "dashboards:*",
@ -305,7 +305,7 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
{
desc: "should be able to admin with folder wildcard scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsPermissionsRead,
Scope: "folders:*",
@ -320,7 +320,7 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
{
desc: "should be able to admin with dashboard scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsPermissionsRead,
Scope: "dashboards:uid:1",
@ -335,7 +335,7 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
{
desc: "should be able to admin with folder scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsPermissionsRead,
Scope: "folders:uid:general",
@ -350,7 +350,7 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
{
desc: "should not be able to admin with incorrect dashboard scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsPermissionsRead,
Scope: "dashboards:uid:10",
@ -365,7 +365,7 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
{
desc: "should not be able to admin with incorrect folder scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsPermissionsRead,
Scope: "folders:uid:10",
@ -394,7 +394,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
{
desc: "should be able to delete with dashboard wildcard scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsDelete,
Scope: "dashboards:*",
@ -405,7 +405,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
{
desc: "should be able to delete with folder wildcard scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsDelete,
Scope: "folders:*",
@ -416,7 +416,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
{
desc: "should be able to delete with dashboard scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsDelete,
Scope: "dashboards:uid:1",
@ -427,7 +427,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
{
desc: "should be able to delete with folder scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsDelete,
Scope: "folders:uid:general",
@ -438,7 +438,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
{
desc: "should not be able to delete with incorrect dashboard scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsDelete,
Scope: "dashboards:uid:10",
@ -449,7 +449,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
{
desc: "should not be able to delete with incorrect folder scope",
dashUID: "1",
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{
Action: dashboards.ActionDashboardsDelete,
Scope: "folders:uid:10",
@ -474,7 +474,7 @@ type accessControlGuardianCanCreateTestCase struct {
desc string
isFolder bool
folderID int64
permissions []*accesscontrol.Permission
permissions []accesscontrol.Permission
expected bool
}
@ -484,7 +484,7 @@ func TestAccessControlDashboardGuardian_CanCreate(t *testing.T) {
desc: "should be able to create dashboard in general folder",
isFolder: false,
folderID: 0,
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsCreate, Scope: "folders:uid:general"},
},
expected: true,
@ -493,7 +493,7 @@ func TestAccessControlDashboardGuardian_CanCreate(t *testing.T) {
desc: "should be able to create dashboard in any folder",
isFolder: false,
folderID: 0,
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionDashboardsCreate, Scope: "folders:*"},
},
expected: true,
@ -502,14 +502,14 @@ func TestAccessControlDashboardGuardian_CanCreate(t *testing.T) {
desc: "should not be able to create dashboard without permissions",
isFolder: false,
folderID: 0,
permissions: []*accesscontrol.Permission{},
permissions: []accesscontrol.Permission{},
expected: false,
},
{
desc: "should be able to create folder with correct permissions",
isFolder: true,
folderID: 0,
permissions: []*accesscontrol.Permission{
permissions: []accesscontrol.Permission{
{Action: dashboards.ActionFoldersCreate},
},
expected: true,
@ -518,7 +518,7 @@ func TestAccessControlDashboardGuardian_CanCreate(t *testing.T) {
desc: "should not be able to create folders without permissions",
isFolder: true,
folderID: 0,
permissions: []*accesscontrol.Permission{},
permissions: []accesscontrol.Permission{},
expected: false,
},
}
@ -579,7 +579,7 @@ func TestAccessControlDashboardGuardian_GetHiddenACL(t *testing.T) {
}
}
func setupAccessControlGuardianTest(t *testing.T, uid string, permissions []*accesscontrol.Permission, dashboardSvc dashboards.DashboardService) (*AccessControlDashboardGuardian, *models.Dashboard) {
func setupAccessControlGuardianTest(t *testing.T, uid string, permissions []accesscontrol.Permission, dashboardSvc dashboards.DashboardService) (*AccessControlDashboardGuardian, *models.Dashboard) {
t.Helper()
store := sqlstore.InitTestDB(t)

4
pkg/services/ngalert/api/api_alertmanager_test.go
Unescape View File

@ -368,7 +368,7 @@ func TestRouteCreateSilence(t *testing.T) {
name: "new silence, role-based access control is enabled, authorized",
silence: silenceGen(withEmptyID),
accessControl: func() accesscontrol.AccessControl {
return acMock.New().WithPermissions([]*accesscontrol.Permission{
return acMock.New().WithPermissions([]accesscontrol.Permission{
{Action: accesscontrol.ActionAlertingInstanceCreate},
})
},
@ -413,7 +413,7 @@ func TestRouteCreateSilence(t *testing.T) {
name: "update silence, role-based access control is enabled, authorized",
silence: silenceGen(),
accessControl: func() accesscontrol.AccessControl {
return acMock.New().WithPermissions([]*accesscontrol.Permission{
return acMock.New().WithPermissions([]accesscontrol.Permission{
{Action: accesscontrol.ActionAlertingInstanceUpdate},
})
},

6
pkg/services/ngalert/api/api_ruler_test.go
Unescape View File

@ -687,11 +687,11 @@ func createRequestContext(orgID int64, role models2.RoleType, params map[string]
}
}
func createPermissionsForRules(rules []*models.AlertRule) []*accesscontrol.Permission {
var permissions []*accesscontrol.Permission
func createPermissionsForRules(rules []*models.AlertRule) []accesscontrol.Permission {
var permissions []accesscontrol.Permission
for _, rule := range rules {
for _, query := range rule.Data {
permissions = append(permissions, &accesscontrol.Permission{
permissions = append(permissions, accesscontrol.Permission{
Action: datasources.ActionQuery, Scope: datasources.ScopeProvider.GetResourceScopeUID(query.DatasourceUID),
})
}

8
pkg/services/ngalert/api/api_testing_test.go
Unescape View File

@ -35,7 +35,7 @@ func TestRouteTestGrafanaRuleConfig(t *testing.T) {
data1 := models.GenerateAlertQuery()
data2 := models.GenerateAlertQuery()
ac := acMock.New().WithPermissions([]*accesscontrol.Permission{
ac := acMock.New().WithPermissions([]accesscontrol.Permission{
{Action: datasources.ActionQuery, Scope: datasources.ScopeProvider.GetResourceScopeUID(data1.DatasourceUID)},
})
@ -57,7 +57,7 @@ func TestRouteTestGrafanaRuleConfig(t *testing.T) {
data1 := models.GenerateAlertQuery()
data2 := models.GenerateAlertQuery()
ac := acMock.New().WithPermissions([]*accesscontrol.Permission{
ac := acMock.New().WithPermissions([]accesscontrol.Permission{
{Action: datasources.ActionQuery, Scope: datasources.ScopeProvider.GetResourceScopeUID(data1.DatasourceUID)},
{Action: datasources.ActionQuery, Scope: datasources.ScopeProvider.GetResourceScopeUID(data2.DatasourceUID)},
})
@ -158,7 +158,7 @@ func TestRouteEvalQueries(t *testing.T) {
data1 := models.GenerateAlertQuery()
data2 := models.GenerateAlertQuery()
ac := acMock.New().WithPermissions([]*accesscontrol.Permission{
ac := acMock.New().WithPermissions([]accesscontrol.Permission{
{Action: datasources.ActionQuery, Scope: datasources.ScopeProvider.GetResourceScopeUID(data1.DatasourceUID)},
})
@ -178,7 +178,7 @@ func TestRouteEvalQueries(t *testing.T) {
data1 := models.GenerateAlertQuery()
data2 := models.GenerateAlertQuery()
ac := acMock.New().WithPermissions([]*accesscontrol.Permission{
ac := acMock.New().WithPermissions([]accesscontrol.Permission{
{Action: datasources.ActionQuery, Scope: datasources.ScopeProvider.GetResourceScopeUID(data1.DatasourceUID)},
{Action: datasources.ActionQuery, Scope: datasources.ScopeProvider.GetResourceScopeUID(data2.DatasourceUID)},
})

56
pkg/services/serviceaccounts/api/api_test.go
Unescape View File

@ -61,8 +61,8 @@ func TestServiceAccountsAPI_CreateServiceAccount(t *testing.T) {
wantID: "sa-new-sa",
acmock: tests.SetupMockAccesscontrol(
t,
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{{Action: serviceaccounts.ActionCreate}}, nil
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{{Action: serviceaccounts.ActionCreate}}, nil
},
false,
),
@ -74,8 +74,8 @@ func TestServiceAccountsAPI_CreateServiceAccount(t *testing.T) {
wantError: "service account name already in use",
acmock: tests.SetupMockAccesscontrol(
t,
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{{Action: serviceaccounts.ActionCreate}}, nil
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{{Action: serviceaccounts.ActionCreate}}, nil
},
false,
),
@ -87,8 +87,8 @@ func TestServiceAccountsAPI_CreateServiceAccount(t *testing.T) {
wantError: "required value Name must not be empty",
acmock: tests.SetupMockAccesscontrol(
t,
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{{Action: serviceaccounts.ActionCreate}}, nil
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{{Action: serviceaccounts.ActionCreate}}, nil
},
false,
),
@ -99,8 +99,8 @@ func TestServiceAccountsAPI_CreateServiceAccount(t *testing.T) {
body: map[string]interface{}{},
acmock: tests.SetupMockAccesscontrol(
t,
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{}, nil
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{}, nil
},
false,
),
@ -171,8 +171,8 @@ func TestServiceAccountsAPI_DeleteServiceAccount(t *testing.T) {
user: tests.TestUser{Login: "servicetest1@admin", IsServiceAccount: true},
acmock: tests.SetupMockAccesscontrol(
t,
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{{Action: serviceaccounts.ActionDelete, Scope: serviceaccounts.ScopeAll}}, nil
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{{Action: serviceaccounts.ActionDelete, Scope: serviceaccounts.ScopeAll}}, nil
},
false,
),
@ -195,8 +195,8 @@ func TestServiceAccountsAPI_DeleteServiceAccount(t *testing.T) {
user: tests.TestUser{Login: "servicetest2@admin", IsServiceAccount: true},
acmock: tests.SetupMockAccesscontrol(
t,
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{}, nil
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{}, nil
},
false,
),
@ -260,8 +260,8 @@ func TestServiceAccountsAPI_RetrieveServiceAccount(t *testing.T) {
user: &tests.TestUser{Login: "servicetest1@admin", IsServiceAccount: true},
acmock: tests.SetupMockAccesscontrol(
t,
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{{Action: serviceaccounts.ActionRead, Scope: serviceaccounts.ScopeAll}}, nil
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{{Action: serviceaccounts.ActionRead, Scope: serviceaccounts.ScopeAll}}, nil
},
false,
),
@ -272,8 +272,8 @@ func TestServiceAccountsAPI_RetrieveServiceAccount(t *testing.T) {
user: &tests.TestUser{Login: "servicetest2@admin", IsServiceAccount: true},
acmock: tests.SetupMockAccesscontrol(
t,
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{}, nil
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{}, nil
},
false,
),
@ -285,8 +285,8 @@ func TestServiceAccountsAPI_RetrieveServiceAccount(t *testing.T) {
Id: 12,
acmock: tests.SetupMockAccesscontrol(
t,
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{{Action: serviceaccounts.ActionRead, Scope: serviceaccounts.ScopeAll}}, nil
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{{Action: serviceaccounts.ActionRead, Scope: serviceaccounts.ScopeAll}}, nil
},
false,
),
@ -355,8 +355,8 @@ func TestServiceAccountsAPI_UpdateServiceAccount(t *testing.T) {
body: &serviceaccounts.UpdateServiceAccountForm{Name: newString("New Name"), Role: &viewerRole},
acmock: tests.SetupMockAccesscontrol(
t,
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
},
false,
),
@ -368,8 +368,8 @@ func TestServiceAccountsAPI_UpdateServiceAccount(t *testing.T) {
body: &serviceaccounts.UpdateServiceAccountForm{Name: newString("New Name 2"), Role: &editorRole},
acmock: tests.SetupMockAccesscontrol(
t,
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
},
false,
),
@ -381,8 +381,8 @@ func TestServiceAccountsAPI_UpdateServiceAccount(t *testing.T) {
body: &serviceaccounts.UpdateServiceAccountForm{Name: newString("NameB"), Role: &invalidRole},
acmock: tests.SetupMockAccesscontrol(
t,
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
},
false,
),
@ -394,8 +394,8 @@ func TestServiceAccountsAPI_UpdateServiceAccount(t *testing.T) {
body: nil,
acmock: tests.SetupMockAccesscontrol(
t,
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{}, nil
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{}, nil
},
false,
),
@ -408,8 +408,8 @@ func TestServiceAccountsAPI_UpdateServiceAccount(t *testing.T) {
Id: 12,
acmock: tests.SetupMockAccesscontrol(
t,
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
},
false,
),

40
pkg/services/serviceaccounts/api/token_test.go
Unescape View File

@ -65,8 +65,8 @@ func TestServiceAccountsAPI_CreateToken(t *testing.T) {
desc: "should be ok to create serviceaccount token with scope all permissions",
acmock: tests.SetupMockAccesscontrol(
t,
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
},
false,
),
@ -77,8 +77,8 @@ func TestServiceAccountsAPI_CreateToken(t *testing.T) {
desc: "serviceaccount token should match SA orgID and SA provided in parameters even if specified in body",
acmock: tests.SetupMockAccesscontrol(
t,
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
},
false,
),
@ -89,8 +89,8 @@ func TestServiceAccountsAPI_CreateToken(t *testing.T) {
desc: "should be ok to create serviceaccount token with scope id permissions",
acmock: tests.SetupMockAccesscontrol(
t,
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: "serviceaccounts:id:1"}}, nil
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: "serviceaccounts:id:1"}}, nil
},
false,
),
@ -101,8 +101,8 @@ func TestServiceAccountsAPI_CreateToken(t *testing.T) {
desc: "should be forbidden to create serviceaccount token if wrong scoped",
acmock: tests.SetupMockAccesscontrol(
t,
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: "serviceaccounts:id:2"}}, nil
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: "serviceaccounts:id:2"}}, nil
},
false,
),
@ -181,8 +181,8 @@ func TestServiceAccountsAPI_DeleteToken(t *testing.T) {
keyName: "Test1",
acmock: tests.SetupMockAccesscontrol(
t,
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: "serviceaccounts:id:1"}}, nil
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: "serviceaccounts:id:1"}}, nil
},
false,
),
@ -193,8 +193,8 @@ func TestServiceAccountsAPI_DeleteToken(t *testing.T) {
keyName: "Test2",
acmock: tests.SetupMockAccesscontrol(
t,
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
},
false,
),
@ -205,8 +205,8 @@ func TestServiceAccountsAPI_DeleteToken(t *testing.T) {
keyName: "Test3",
acmock: tests.SetupMockAccesscontrol(
t,
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: "serviceaccounts:id:10"}}, nil
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: "serviceaccounts:id:10"}}, nil
},
false,
),
@ -288,8 +288,8 @@ func TestServiceAccountsAPI_ListTokens(t *testing.T) {
}},
acmock: tests.SetupMockAccesscontrol(
t,
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{{Action: serviceaccounts.ActionRead, Scope: "serviceaccounts:id:1"}}, nil
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{{Action: serviceaccounts.ActionRead, Scope: "serviceaccounts:id:1"}}, nil
},
false,
),
@ -308,8 +308,8 @@ func TestServiceAccountsAPI_ListTokens(t *testing.T) {
}},
acmock: tests.SetupMockAccesscontrol(
t,
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{{Action: serviceaccounts.ActionRead, Scope: "serviceaccounts:id:1"}}, nil
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{{Action: serviceaccounts.ActionRead, Scope: "serviceaccounts:id:1"}}, nil
},
false,
),
@ -328,8 +328,8 @@ func TestServiceAccountsAPI_ListTokens(t *testing.T) {
}},
acmock: tests.SetupMockAccesscontrol(
t,
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]*accesscontrol.Permission, error) {
return []*accesscontrol.Permission{{Action: serviceaccounts.ActionRead, Scope: "serviceaccounts:id:1"}}, nil
func(c context.Context, siu *models.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
return []accesscontrol.Permission{{Action: serviceaccounts.ActionRead, Scope: "serviceaccounts:id:1"}}, nil
},
false,
),

2
pkg/services/serviceaccounts/tests/common.go
Unescape View File

@ -55,7 +55,7 @@ func (s *ServiceAccountMock) Migrated(ctx context.Context, orgID int64) bool {
}
func SetupMockAccesscontrol(t *testing.T,
userpermissionsfunc func(c context.Context, siu *models.SignedInUser, opt accesscontrol.Options) ([]*accesscontrol.Permission, error),
userpermissionsfunc func(c context.Context, siu *models.SignedInUser, opt accesscontrol.Options) ([]accesscontrol.Permission, error),
disableAccessControl bool) *accesscontrolmock.Mock {
t.Helper()
acmock := accesscontrolmock.New()

Write Preview
Loading…
Cancel
Save