grafana/pkg/services/accesscontrol/authorizer_test.go

package accesscontrol_test

import (
	"context"
	"testing"

	"github.com/stretchr/testify/assert"

	"github.com/grafana/authlib/authz"
	"github.com/grafana/grafana/pkg/apimachinery/identity"
	"github.com/grafana/grafana/pkg/services/accesscontrol"
	"github.com/grafana/grafana/pkg/services/accesscontrol/acimpl"
	"github.com/grafana/grafana/pkg/services/authz/zanzana"
	"github.com/grafana/grafana/pkg/services/featuremgmt"
)

func TestLegacyAccessClient_Check(t *testing.T) {
	ac := acimpl.ProvideAccessControl(featuremgmt.WithFeatures(), zanzana.NewNoopClient())

	t.Run("should reject when when no configuration for resource exist", func(t *testing.T) {
		a := accesscontrol.NewLegacyAccessClient(ac)

		res, err := a.Check(context.Background(), &identity.StaticRequester{}, authz.CheckRequest{
			Verb:      "get",
			Resource:  "dashboards",
			Namespace: "default",
			Name:      "1",
		})
		assert.NoError(t, err)
		assert.Equal(t, false, res.Allowed)
	})

	t.Run("should reject when user don't have correct scope", func(t *testing.T) {
		a := accesscontrol.NewLegacyAccessClient(ac, accesscontrol.ResourceAuthorizerOptions{
			Resource: "dashboards",
			Attr:     "uid",
			Mapping: map[string]string{
				"get": "dashboards:read",
			},
		})

		ident := newIdent(
			accesscontrol.Permission{Action: "dashboards:read", Scope: "dashboards:uid:2"},
		)

		res, err := a.Check(context.Background(), ident, authz.CheckRequest{
			Verb:      "get",
			Namespace: "default",
			Resource:  "dashboards",
			Name:      "1",
		})

		assert.NoError(t, err)
		assert.Equal(t, false, res.Allowed)
	})

	t.Run("should just check action for list requests", func(t *testing.T) {
		a := accesscontrol.NewLegacyAccessClient(ac, accesscontrol.ResourceAuthorizerOptions{
			Resource: "dashboards",
			Attr:     "uid",
			Mapping: map[string]string{
				"list": "dashboards:read",
			},
		})

		ident := newIdent(
			accesscontrol.Permission{Action: "dashboards:read"},
		)

		res, err := a.Check(context.Background(), ident, authz.CheckRequest{
			Verb:      "list",
			Namespace: "default",
			Resource:  "dashboards",
		})

		assert.NoError(t, err)
		assert.Equal(t, true, res.Allowed)
	})

	t.Run("should allow when user have correct scope", func(t *testing.T) {
		a := accesscontrol.NewLegacyAccessClient(ac, accesscontrol.ResourceAuthorizerOptions{
			Resource: "dashboards",
			Attr:     "uid",
			Mapping: map[string]string{
				"get": "dashboards:read",
			},
		})

		ident := newIdent(
			accesscontrol.Permission{Action: "dashboards:read", Scope: "dashboards:uid:1"},
		)

		res, err := a.Check(context.Background(), ident, authz.CheckRequest{
			Verb:      "get",
			Namespace: "default",
			Resource:  "dashboards",
			Name:      "1",
		})

		assert.NoError(t, err)
		assert.Equal(t, true, res.Allowed)
	})

	t.Run("should skip authorization for configured verb", func(t *testing.T) {
		a := accesscontrol.NewLegacyAccessClient(ac, accesscontrol.ResourceAuthorizerOptions{
			Resource: "dashboards",
			Attr:     "uid",
			Unchecked: map[string]bool{
				"get": true,
			},
			Mapping: map[string]string{
				"create": "dashboards:create",
			},
		})

		ident := newIdent(accesscontrol.Permission{})

		res, err := a.Check(context.Background(), ident, authz.CheckRequest{
			Verb:      "get",
			Namespace: "default",
			Resource:  "dashboards",
			Name:      "1",
		})

		assert.NoError(t, err)
		assert.Equal(t, true, res.Allowed)

		res, err = a.Check(context.Background(), ident, authz.CheckRequest{
			Verb:      "create",
			Namespace: "default",
			Resource:  "dashboards",
			Name:      "1",
		})

		assert.NoError(t, err)
		assert.Equal(t, false, res.Allowed)
	})
}

func newIdent(permissions ...accesscontrol.Permission) *identity.StaticRequester {
	pmap := map[string][]string{}
	for _, p := range permissions {
		pmap[p.Action] = append(pmap[p.Action], p.Scope)
	}

	return &identity.StaticRequester{
		OrgID:       1,
		Permissions: map[int64]map[string][]string{1: pmap},
	}
}