apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
49746 Commits
5978 Branches
596 Tags
1.7 GiB
 
 
 
 
 
 
Tag: Branch: Tree: 33f9e8554d
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '33f9e8554d'
${ noResults }
grafana/pkg/api/user_token_test.go

371 lines
13 KiB
Raw Blame History

package api
import (
"context"
"fmt"
"net/http"
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/grafana/grafana/pkg/api/response"
"github.com/grafana/grafana/pkg/api/routing"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/services/auth"
"github.com/grafana/grafana/pkg/services/auth/authtest"
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
"github.com/grafana/grafana/pkg/services/org"
"github.com/grafana/grafana/pkg/services/user"
"github.com/grafana/grafana/pkg/services/user/usertest"
"github.com/grafana/grafana/pkg/setting"
)
func TestUserTokenAPIEndpoint(t *testing.T) {
userMock := usertest.NewUserServiceFake()
t.Run("When current user attempts to revoke an auth token for a non-existing user", func(t *testing.T) {
cmd := auth.RevokeAuthTokenCmd{AuthTokenId: 2}
userMock.ExpectedError = user.ErrUserNotFound
revokeUserAuthTokenScenario(t, "Should return not found when calling POST on", "/api/user/revoke-auth-token",
"/api/user/revoke-auth-token", cmd, 200, func(sc *scenarioContext) {
sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
assert.Equal(t, 404, sc.resp.Code)
}, userMock)
})
t.Run("When current user gets auth tokens for a non-existing user", func(t *testing.T) {
mockUser := &usertest.FakeUserService{
ExpectedUser: &user.User{ID: 200},
ExpectedError: user.ErrUserNotFound,
}
getUserAuthTokensScenario(t, "Should return not found when calling GET on", "/api/user/auth-tokens", "/api/user/auth-tokens", 200, func(sc *scenarioContext) {
sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
assert.Equal(t, 404, sc.resp.Code)
}, mockUser)
})
t.Run("When logging out an existing user from all devices", func(t *testing.T) {
userMock := &usertest.FakeUserService{
ExpectedUser: &user.User{ID: 200},
}
logoutUserFromAllDevicesInternalScenario(t, "Should be successful", 1, func(sc *scenarioContext) {
sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
assert.Equal(t, 200, sc.resp.Code)
}, userMock)
})
t.Run("When logout a non-existing user from all devices", func(t *testing.T) {
logoutUserFromAllDevicesInternalScenario(t, "Should return not found", testUserID, func(sc *scenarioContext) {
userMock.ExpectedError = user.ErrUserNotFound
sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
assert.Equal(t, 404, sc.resp.Code)
}, userMock)
})
t.Run("When revoke an auth token for a user", func(t *testing.T) {
cmd := auth.RevokeAuthTokenCmd{AuthTokenId: 2}
token := &auth.UserToken{Id: 1}
mockUser := &usertest.FakeUserService{
ExpectedUser: &user.User{ID: 200},
}
revokeUserAuthTokenInternalScenario(t, "Should be successful", cmd, 200, token, func(sc *scenarioContext) {
sc.userAuthTokenService.GetUserTokenProvider = func(ctx context.Context, userId, userTokenId int64) (*auth.UserToken, error) {
return &auth.UserToken{Id: 2}, nil
}
sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
assert.Equal(t, 200, sc.resp.Code)
}, mockUser)
})
t.Run("When revoke the active auth token used by himself", func(t *testing.T) {
cmd := auth.RevokeAuthTokenCmd{AuthTokenId: 2}
token := &auth.UserToken{Id: 2}
mockUser := usertest.NewUserServiceFake()
revokeUserAuthTokenInternalScenario(t, "Should not be successful", cmd, testUserID, token, func(sc *scenarioContext) {
sc.userAuthTokenService.GetUserTokenProvider = func(ctx context.Context, userId, userTokenId int64) (*auth.UserToken, error) {
return token, nil
}
sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
assert.Equal(t, 400, sc.resp.Code)
}, mockUser)
})
t.Run("When gets auth tokens for a user", func(t *testing.T) {
currentToken := &auth.UserToken{Id: 1}
mockUser := usertest.NewUserServiceFake()
getUserAuthTokensInternalScenario(t, "Should be successful", currentToken, func(sc *scenarioContext) {
tokens := []*auth.UserToken{
{
Id: 1,
ClientIp: "127.0.0.1",
UserAgent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36",
CreatedAt: time.Now().Unix(),
SeenAt: time.Now().Unix(),
},
{
Id: 2,
ClientIp: "127.0.0.2",
UserAgent: "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1",
CreatedAt: time.Now().Unix(),
SeenAt: 0,
},
}
sc.userAuthTokenService.GetUserTokensProvider = func(ctx context.Context, userId int64) ([]*auth.UserToken, error) {
return tokens, nil
}
sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
assert.Equal(t, 200, sc.resp.Code)
result := sc.ToJSON()
assert.Len(t, result.MustArray(), 2)
resultOne := result.GetIndex(0)
assert.Equal(t, tokens[0].Id, resultOne.Get("id").MustInt64())
assert.True(t, resultOne.Get("isActive").MustBool())
assert.Equal(t, "127.0.0.1", resultOne.Get("clientIp").MustString())
assert.Equal(t, time.Unix(tokens[0].CreatedAt, 0).Format(time.RFC3339), resultOne.Get("createdAt").MustString())
assert.Equal(t, time.Unix(tokens[0].SeenAt, 0).Format(time.RFC3339), resultOne.Get("seenAt").MustString())
assert.Equal(t, "Other", resultOne.Get("device").MustString())
assert.Equal(t, "Chrome", resultOne.Get("browser").MustString())
assert.Equal(t, "72.0", resultOne.Get("browserVersion").MustString())
assert.Equal(t, "Linux", resultOne.Get("os").MustString())
assert.Empty(t, resultOne.Get("osVersion").MustString())
resultTwo := result.GetIndex(1)
assert.Equal(t, tokens[1].Id, resultTwo.Get("id").MustInt64())
assert.False(t, resultTwo.Get("isActive").MustBool())
assert.Equal(t, "127.0.0.2", resultTwo.Get("clientIp").MustString())
assert.Equal(t, time.Unix(tokens[1].CreatedAt, 0).Format(time.RFC3339), resultTwo.Get("createdAt").MustString())
assert.Equal(t, time.Unix(tokens[1].CreatedAt, 0).Format(time.RFC3339), resultTwo.Get("seenAt").MustString())
assert.Equal(t, "iPhone", resultTwo.Get("device").MustString())
assert.Equal(t, "Mobile Safari", resultTwo.Get("browser").MustString())
assert.Equal(t, "11.0", resultTwo.Get("browserVersion").MustString())
assert.Equal(t, "iOS", resultTwo.Get("os").MustString())
assert.Equal(t, "11.0", resultTwo.Get("osVersion").MustString())
}, mockUser)
})
}
func TestHTTPServer_RotateUserAuthToken(t *testing.T) {
type testCase struct {
desc string
cookie *http.Cookie
rotatedToken *auth.UserToken
rotatedErr error
expectedStatus int
expectNewSession bool
expectSessionDeleted bool
}
tests := []testCase{
{
desc: "Should return 401 and delete cookie if the token is invalid",
cookie: &http.Cookie{Name: "grafana_session", Value: "123", Path: "/"},
rotatedErr: auth.ErrInvalidSessionToken,
expectSessionDeleted: true,
expectedStatus: http.StatusUnauthorized,
},
{
desc: "Should return 401 and when token not found",
cookie: &http.Cookie{Name: "grafana_session", Value: "123", Path: "/"},
rotatedErr: auth.ErrUserTokenNotFound,
expectedStatus: http.StatusUnauthorized,
},
{
desc: "Should return 200 and but not set new cookie if token was not rotated",
cookie: &http.Cookie{Name: "grafana_session", Value: "123", Path: "/"},
rotatedToken: &auth.UserToken{UnhashedToken: "123"},
expectedStatus: http.StatusOK,
},
{
desc: "Should return 200 and set new session and expiry cookies",
cookie: &http.Cookie{Name: "grafana_session", Value: "123", Path: "/"},
rotatedToken: &auth.UserToken{UnhashedToken: "new"},
expectNewSession: true,
expectedStatus: http.StatusOK,
},
}
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
server := SetupAPITestServer(t, func(hs *HTTPServer) {
cfg := setting.NewCfg()
cfg.LoginCookieName = "grafana_session"
cfg.LoginMaxLifetime = 10 * time.Hour
hs.Cfg = cfg
hs.log = log.New()
hs.Cfg.LoginCookieName = "grafana_session"
hs.AuthTokenService = &authtest.FakeUserAuthTokenService{
RotateTokenProvider: func(ctx context.Context, cmd auth.RotateCommand) (*auth.UserToken, error) {
return tt.rotatedToken, tt.rotatedErr
},
}
})
req := server.NewPostRequest("/api/user/auth-tokens/rotate", nil)
if tt.cookie != nil {
req.AddCookie(tt.cookie)
}
res, err := server.Send(req)
require.NoError(t, err)
assert.Equal(t, tt.expectedStatus, res.StatusCode)
if tt.expectedStatus != http.StatusOK {
if tt.expectSessionDeleted {
cookies := res.Header.Values("Set-Cookie")
require.Len(t, cookies, 2)
assert.Equal(t, "grafana_session=; Path=/; Max-Age=0; HttpOnly", cookies[0])
assert.Equal(t, "grafana_session_expiry=; Path=/; Max-Age=0", cookies[1])
} else {
assert.Empty(t, res.Header.Get("Set-Cookie"))
}
} else {
if tt.expectNewSession {
cookies := res.Header.Values("Set-Cookie")
require.Len(t, cookies, 2)
assert.Equal(t, "grafana_session=new; Path=/; Max-Age=36000; HttpOnly", cookies[0])
assert.Equal(t, "grafana_session_expiry=-5; Path=/; Max-Age=36000", cookies[1])
} else {
assert.Empty(t, res.Header.Get("Set-Cookie"))
}
}
require.NoError(t, res.Body.Close())
})
}
}
func revokeUserAuthTokenScenario(t *testing.T, desc string, url string, routePattern string, cmd auth.RevokeAuthTokenCmd,
userId int64, fn scenarioFunc, userService user.Service) {
t.Run(fmt.Sprintf("%s %s", desc, url), func(t *testing.T) {
fakeAuthTokenService := authtest.NewFakeUserAuthTokenService()
hs := HTTPServer{
AuthTokenService: fakeAuthTokenService,
userService: userService,
}
sc := setupScenarioContext(t, url)
sc.userAuthTokenService = fakeAuthTokenService
sc.defaultHandler = routing.Wrap(func(c *contextmodel.ReqContext) response.Response {
c.Req.Body = mockRequestBody(cmd)
sc.context = c
sc.context.UserID = userId
sc.context.OrgID = testOrgID
sc.context.OrgRole = org.RoleAdmin
return hs.RevokeUserAuthToken(c)
})
sc.m.Post(routePattern, sc.defaultHandler)
fn(sc)
})
}
func getUserAuthTokensScenario(t *testing.T, desc string, url string, routePattern string, userId int64, fn scenarioFunc, userService user.Service) {
t.Run(fmt.Sprintf("%s %s", desc, url), func(t *testing.T) {
fakeAuthTokenService := authtest.NewFakeUserAuthTokenService()
hs := HTTPServer{
AuthTokenService: fakeAuthTokenService,
userService: userService,
}
sc := setupScenarioContext(t, url)
sc.userAuthTokenService = fakeAuthTokenService
sc.defaultHandler = routing.Wrap(func(c *contextmodel.ReqContext) response.Response {
sc.context = c
sc.context.UserID = userId
sc.context.OrgID = testOrgID
sc.context.OrgRole = org.RoleAdmin
return hs.GetUserAuthTokens(c)
})
sc.m.Get(routePattern, sc.defaultHandler)
fn(sc)
})
}
func logoutUserFromAllDevicesInternalScenario(t *testing.T, desc string, userId int64, fn scenarioFunc, userService user.Service) {
t.Run(desc, func(t *testing.T) {
hs := HTTPServer{
AuthTokenService: authtest.NewFakeUserAuthTokenService(),
userService: userService,
}
sc := setupScenarioContext(t, "/")
sc.defaultHandler = routing.Wrap(func(c *contextmodel.ReqContext) response.Response {
sc.context = c
sc.context.UserID = testUserID
sc.context.OrgID = testOrgID
sc.context.OrgRole = org.RoleAdmin
return hs.logoutUserFromAllDevicesInternal(context.Background(), userId)
})
sc.m.Post("/", sc.defaultHandler)
fn(sc)
})
}
func revokeUserAuthTokenInternalScenario(t *testing.T, desc string, cmd auth.RevokeAuthTokenCmd, userId int64,
token *auth.UserToken, fn scenarioFunc, userService user.Service) {
t.Run(desc, func(t *testing.T) {
fakeAuthTokenService := authtest.NewFakeUserAuthTokenService()
hs := HTTPServer{
AuthTokenService: fakeAuthTokenService,
userService: userService,
}
sc := setupScenarioContext(t, "/")
sc.userAuthTokenService = fakeAuthTokenService
sc.defaultHandler = routing.Wrap(func(c *contextmodel.ReqContext) response.Response {
sc.context = c
sc.context.UserID = testUserID
sc.context.OrgID = testOrgID
sc.context.OrgRole = org.RoleAdmin
sc.context.UserToken = token
return hs.revokeUserAuthTokenInternal(c, userId, cmd)
})
sc.m.Post("/", sc.defaultHandler)
fn(sc)
})
}
func getUserAuthTokensInternalScenario(t *testing.T, desc string, token *auth.UserToken, fn scenarioFunc, userService user.Service) {
t.Run(desc, func(t *testing.T) {
fakeAuthTokenService := authtest.NewFakeUserAuthTokenService()
hs := HTTPServer{
AuthTokenService: fakeAuthTokenService,
userService: userService,
}
sc := setupScenarioContext(t, "/")
sc.userAuthTokenService = fakeAuthTokenService
sc.defaultHandler = routing.Wrap(func(c *contextmodel.ReqContext) response.Response {
sc.context = c
sc.context.UserID = testUserID
sc.context.OrgID = testOrgID
sc.context.OrgRole = org.RoleAdmin
sc.context.UserToken = token
return hs.getUserAuthTokensInternal(c, testUserID)
})
sc.m.Get("/", sc.defaultHandler)
fn(sc)
})
}