apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
33503 Commits
2179 Branches
608 Tags
1.9 GiB
 
 
 
 
 
 
Tag: Branch: Tree: 742a71abfa
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '742a71abfa'
${ noResults }
grafana/pkg/api/team_test.go

404 lines
17 KiB
Raw Blame History

package api
import (
"context"
"encoding/json"
"fmt"
"net/http"
"strings"
"testing"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/accesscontrol/resourcepermissions"
"github.com/grafana/grafana/pkg/services/sqlstore"
"github.com/grafana/grafana/pkg/services/sqlstore/mockstore"
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/web"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
type testLogger struct {
log.Logger
warnCalled bool
warnMessage string
}
func (stub *testLogger) Warn(testMessage string, ctx ...interface{}) {
stub.warnCalled = true
stub.warnMessage = testMessage
}
func TestTeamAPIEndpoint(t *testing.T) {
t.Run("Given two teams", func(t *testing.T) {
hs := setupSimpleHTTPServer(nil)
hs.Cfg.EditorsCanAdmin = true
store := sqlstore.InitTestDB(t)
store.Cfg = hs.Cfg
hs.SQLStore = store
mock := &mockstore.SQLStoreMock{}
loggedInUserScenario(t, "When calling GET on", "/api/teams/search", "/api/teams/search", func(sc *scenarioContext) {
_, err := hs.SQLStore.CreateTeam("team1", "", 1)
require.NoError(t, err)
_, err = hs.SQLStore.CreateTeam("team2", "", 1)
require.NoError(t, err)
sc.handlerFunc = hs.SearchTeams
sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
require.Equal(t, http.StatusOK, sc.resp.Code)
var resp models.SearchTeamQueryResult
err = json.Unmarshal(sc.resp.Body.Bytes(), &resp)
require.NoError(t, err)
assert.EqualValues(t, 2, resp.TotalCount)
assert.Equal(t, 2, len(resp.Teams))
}, mock)
loggedInUserScenario(t, "When calling GET on", "/api/teams/search", "/api/teams/search", func(sc *scenarioContext) {
_, err := hs.SQLStore.CreateTeam("team1", "", 1)
require.NoError(t, err)
_, err = hs.SQLStore.CreateTeam("team2", "", 1)
require.NoError(t, err)
sc.handlerFunc = hs.SearchTeams
sc.fakeReqWithParams("GET", sc.url, map[string]string{"perpage": "10", "page": "2"}).exec()
require.Equal(t, http.StatusOK, sc.resp.Code)
var resp models.SearchTeamQueryResult
err = json.Unmarshal(sc.resp.Body.Bytes(), &resp)
require.NoError(t, err)
assert.EqualValues(t, 2, resp.TotalCount)
assert.Equal(t, 0, len(resp.Teams))
}, mock)
})
t.Run("When creating team with API key", func(t *testing.T) {
hs := setupSimpleHTTPServer(nil)
hs.Cfg.EditorsCanAdmin = true
hs.SQLStore = mockstore.NewSQLStoreMock()
teamName := "team foo"
addTeamMemberCalled := 0
addOrUpdateTeamMember = func(ctx context.Context, resourcePermissionService *resourcepermissions.Service, userID, orgID, teamID int64,
permission string) error {
addTeamMemberCalled++
return nil
}
req, err := http.NewRequest("POST", "/api/teams", nil)
require.NoError(t, err)
t.Run("with no real signed in user", func(t *testing.T) {
stub := &testLogger{}
c := &models.ReqContext{
Context: &web.Context{Req: req},
SignedInUser: &models.SignedInUser{},
Logger: stub,
}
c.OrgRole = models.ROLE_EDITOR
c.Req.Body = mockRequestBody(models.CreateTeamCommand{Name: teamName})
c.Req.Header.Add("Content-Type", "application/json")
r := hs.CreateTeam(c)
assert.Equal(t, 200, r.Status())
assert.True(t, stub.warnCalled)
assert.Equal(t, stub.warnMessage, "Could not add creator to team because is not a real user")
})
t.Run("with real signed in user", func(t *testing.T) {
stub := &testLogger{}
c := &models.ReqContext{
Context: &web.Context{Req: req},
SignedInUser: &models.SignedInUser{UserId: 42},
Logger: stub,
}
c.OrgRole = models.ROLE_EDITOR
c.Req.Body = mockRequestBody(models.CreateTeamCommand{Name: teamName})
c.Req.Header.Add("Content-Type", "application/json")
r := hs.CreateTeam(c)
assert.Equal(t, 200, r.Status())
assert.False(t, stub.warnCalled)
})
})
}
const (
searchTeamsURL = "/api/teams/search"
createTeamURL = "/api/teams/"
detailTeamURL = "/api/teams/%d"
detailTeamPreferenceURL = "/api/teams/%d/preferences"
teamCmd = `{"name": "MyTestTeam%d"}`
teamPreferenceCmd = `{"theme": "dark"}`
teamPreferenceCmdLight = `{"theme": "light"}`
)
func TestTeamAPIEndpoint_CreateTeam_LegacyAccessControl(t *testing.T) {
sc := setupHTTPServer(t, true, false)
setInitCtxSignedInOrgAdmin(sc.initCtx)
input := strings.NewReader(fmt.Sprintf(teamCmd, 1))
t.Run("Organisation admin can create a team", func(t *testing.T) {
response := callAPI(sc.server, http.MethodPost, createTeamURL, input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
setInitCtxSignedInEditor(sc.initCtx)
sc.initCtx.IsGrafanaAdmin = true
input = strings.NewReader(fmt.Sprintf(teamCmd, 2))
t.Run("Org editor and server admin cannot create a team", func(t *testing.T) {
response := callAPI(sc.server, http.MethodPost, createTeamURL, strings.NewReader(teamCmd), t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
}
func TestTeamAPIEndpoint_CreateTeam_LegacyAccessControl_EditorsCanAdmin(t *testing.T) {
cfg := setting.NewCfg()
cfg.EditorsCanAdmin = true
sc := setupHTTPServerWithCfg(t, true, false, cfg)
setInitCtxSignedInEditor(sc.initCtx)
input := strings.NewReader(fmt.Sprintf(teamCmd, 1))
t.Run("Editors can create a team if editorsCanAdmin is set to true", func(t *testing.T) {
response := callAPI(sc.server, http.MethodPost, createTeamURL, input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
}
func TestTeamAPIEndpoint_CreateTeam_FGAC(t *testing.T) {
sc := setupHTTPServer(t, true, true)
setInitCtxSignedInViewer(sc.initCtx)
input := strings.NewReader(fmt.Sprintf(teamCmd, 1))
t.Run("Access control allows creating teams with the correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsCreate}}, 1)
response := callAPI(sc.server, http.MethodPost, createTeamURL, input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
input = strings.NewReader(fmt.Sprintf(teamCmd, 2))
t.Run("Access control prevents creating teams with the incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "teams:invalid"}}, accesscontrol.GlobalOrgID)
response := callAPI(sc.server, http.MethodPost, createTeamURL, input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
}
func TestTeamAPIEndpoint_SearchTeams_FGAC(t *testing.T) {
sc := setupHTTPServer(t, true, true)
sc.db = sqlstore.InitTestDB(t)
// Seed three teams
for i := 1; i <= 3; i++ {
_, err := sc.db.CreateTeam(fmt.Sprintf("team%d", i), fmt.Sprintf("team%d@example.org", i), 1)
require.NoError(t, err)
}
setInitCtxSignedInViewer(sc.initCtx)
t.Run("Access control prevents searching for teams with the incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:*"}}, 1)
response := callAPI(sc.server, http.MethodGet, searchTeamsURL, http.NoBody, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
t.Run("Access control allows searching for teams with the correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:*"}}, 1)
response := callAPI(sc.server, http.MethodGet, searchTeamsURL, http.NoBody, t)
assert.Equal(t, http.StatusOK, response.Code)
res := &models.SearchTeamQueryResult{}
err := json.Unmarshal(response.Body.Bytes(), res)
require.NoError(t, err)
require.Len(t, res.Teams, 3, "expected all teams to have been returned")
require.Equal(t, res.TotalCount, int64(3), "expected count to match teams length")
})
t.Run("Access control filters teams based on user permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"}, {Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:3"}}, 1)
response := callAPI(sc.server, http.MethodGet, searchTeamsURL, http.NoBody, t)
assert.Equal(t, http.StatusOK, response.Code)
res := &models.SearchTeamQueryResult{}
err := json.Unmarshal(response.Body.Bytes(), res)
require.NoError(t, err)
require.Len(t, res.Teams, 2, "expected a subset of teams to have been returned")
require.Equal(t, res.TotalCount, int64(2), "expected count to match teams length")
for _, team := range res.Teams {
require.NotEqual(t, team.Name, "team2", "expected team2 to have been filtered")
}
})
}
func TestTeamAPIEndpoint_GetTeamByID_FGAC(t *testing.T) {
sc := setupHTTPServer(t, true, true)
sc.db = sqlstore.InitTestDB(t)
_, err := sc.db.CreateTeam("team1", "team1@example.org", 1)
require.NoError(t, err)
setInitCtxSignedInViewer(sc.initCtx)
t.Run("Access control prevents getting a team with the incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:2"}}, 1)
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(detailTeamURL, 1), http.NoBody, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
t.Run("Access control allows getting a team with the correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"}}, 1)
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(detailTeamURL, 1), http.NoBody, t)
assert.Equal(t, http.StatusOK, response.Code)
res := &models.TeamDTO{}
err := json.Unmarshal(response.Body.Bytes(), res)
require.NoError(t, err)
assert.Equal(t, "team1", res.Name)
})
}
// Given a team with a user, when the user is granted X permission,
// Then the endpoint should return 200 if the user has accesscontrol.ActionTeamsWrite with teams:id:1 scope
// else return 403
func TestTeamAPIEndpoint_UpdateTeam_FGAC(t *testing.T) {
sc := setupHTTPServer(t, true, true)
sc.db = sqlstore.InitTestDB(t)
_, err := sc.db.CreateTeam("team1", "", 1)
require.NoError(t, err)
setInitCtxSignedInViewer(sc.initCtx)
input := strings.NewReader(fmt.Sprintf(teamCmd, 1))
t.Run("Access control allows updating teams with the correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:1"}}, 1)
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(detailTeamURL, 1), input, t)
assert.Equal(t, http.StatusOK, response.Code)
teamQuery := &models.GetTeamByIdQuery{OrgId: 1, SignedInUser: sc.initCtx.SignedInUser, Id: 1, Result: &models.TeamDTO{}}
err := sc.db.GetTeamById(context.Background(), teamQuery)
require.NoError(t, err)
assert.Equal(t, "MyTestTeam1", teamQuery.Result.Name)
})
input = strings.NewReader(fmt.Sprintf(teamCmd, 2))
t.Run("Access control allows updating teams with the correct global permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:*"}}, 1)
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(detailTeamURL, 1), input, t)
assert.Equal(t, http.StatusOK, response.Code)
teamQuery := &models.GetTeamByIdQuery{OrgId: 1, SignedInUser: sc.initCtx.SignedInUser, Id: 1, Result: &models.TeamDTO{}}
err := sc.db.GetTeamById(context.Background(), teamQuery)
require.NoError(t, err)
assert.Equal(t, "MyTestTeam2", teamQuery.Result.Name)
})
input = strings.NewReader(fmt.Sprintf(teamCmd, 3))
t.Run("Access control prevents updating teams with the incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:2"}}, 1)
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(detailTeamURL, 1), input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
teamQuery := &models.GetTeamByIdQuery{OrgId: 1, SignedInUser: sc.initCtx.SignedInUser, Id: 1, Result: &models.TeamDTO{}}
err := sc.db.GetTeamById(context.Background(), teamQuery)
assert.NoError(t, err)
assert.Equal(t, "MyTestTeam2", teamQuery.Result.Name)
})
}
// Given a team with a user, when the user is granted X permission,
// Then the endpoint should return 200 if the user has accesscontrol.ActionTeamsDelete with teams:id:1 scope
// else return 403
func TestTeamAPIEndpoint_DeleteTeam_FGAC(t *testing.T) {
sc := setupHTTPServer(t, true, true)
sc.db = sqlstore.InitTestDB(t)
_, err := sc.db.CreateTeam("team1", "", 1)
require.NoError(t, err)
setInitCtxSignedInViewer(sc.initCtx)
t.Run("Access control prevents deleting teams with the incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:7"}}, 1)
response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(detailTeamURL, 1), http.NoBody, t)
assert.Equal(t, http.StatusForbidden, response.Code)
teamQuery := &models.GetTeamByIdQuery{OrgId: 1, SignedInUser: sc.initCtx.SignedInUser, Id: 1, Result: &models.TeamDTO{}}
err := sc.db.GetTeamById(context.Background(), teamQuery)
require.NoError(t, err)
})
t.Run("Access control allows deleting teams with the correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:1"}}, 1)
response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(detailTeamURL, 1), http.NoBody, t)
assert.Equal(t, http.StatusOK, response.Code)
teamQuery := &models.GetTeamByIdQuery{OrgId: 1, SignedInUser: sc.initCtx.SignedInUser, Id: 1, Result: &models.TeamDTO{}}
err := sc.db.GetTeamById(context.Background(), teamQuery)
require.ErrorIs(t, err, models.ErrTeamNotFound)
})
}
// Given a team with a user, when the user is granted X permission,
// Then the endpoint should return 200 if the user has accesscontrol.ActionTeamsRead with teams:id:1 scope
// else return 403
func TestTeamAPIEndpoint_GetTeamPreferences_FGAC(t *testing.T) {
sc := setupHTTPServer(t, true, true)
sc.db = sqlstore.InitTestDB(t)
_, err := sc.db.CreateTeam("team1", "", 1)
require.NoError(t, err)
setInitCtxSignedInViewer(sc.initCtx)
t.Run("Access control allows getting team preferences with the correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock,
[]*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"}}, 1)
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(detailTeamPreferenceURL, 1), http.NoBody, t)
assert.Equal(t, http.StatusOK, response.Code)
})
t.Run("Access control prevents getting team preferences with the incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:2"}}, 1)
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(detailTeamPreferenceURL, 1), http.NoBody, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
}
// Given a team with a user, when the user is granted X permission,
// Then the endpoint should return 200 if the user has accesscontrol.ActionTeamsWrite with teams:id:1 scope
// else return 403
func TestTeamAPIEndpoint_UpdateTeamPreferences_FGAC(t *testing.T) {
sc := setupHTTPServer(t, true, true)
sc.db = sqlstore.InitTestDB(t)
_, err := sc.db.CreateTeam("team1", "", 1)
require.NoError(t, err)
setInitCtxSignedInViewer(sc.initCtx)
input := strings.NewReader(teamPreferenceCmd)
t.Run("Access control allows updating team preferences with the correct permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:1"}}, 1)
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(detailTeamPreferenceURL, 1), input, t)
assert.Equal(t, http.StatusOK, response.Code)
prefQuery := &models.GetPreferencesQuery{OrgId: 1, TeamId: 1, Result: &models.Preferences{}}
err := sc.db.GetPreferences(context.Background(), prefQuery)
require.NoError(t, err)
assert.Equal(t, "dark", prefQuery.Result.Theme)
})
input = strings.NewReader(teamPreferenceCmdLight)
t.Run("Access control prevents updating team preferences with the incorrect permissions", func(t *testing.T) {
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:2"}}, 1)
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(detailTeamPreferenceURL, 1), input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
prefQuery := &models.GetPreferencesQuery{OrgId: 1, TeamId: 1, Result: &models.Preferences{}}
err := sc.db.GetPreferences(context.Background(), prefQuery)
assert.NoError(t, err)
assert.Equal(t, "dark", prefQuery.Result.Theme)
})
}