apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
37460 Commits
5948 Branches
591 Tags
1.7 GiB
 
 
 
 
 
 
Tag: Branch: Tree: bcd7afd1f5
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'bcd7afd1f5'
${ noResults }
grafana/pkg/services/accesscontrol/acimpl/accesscontrol_test.go

81 lines
2.2 KiB
Raw Blame History

package acimpl
import (
"context"
"testing"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/user"
"github.com/grafana/grafana/pkg/setting"
"github.com/stretchr/testify/assert"
)
func TestAccessControl_Evaluate(t *testing.T) {
type testCase struct {
desc string
user user.SignedInUser
evaluator accesscontrol.Evaluator
resolverPrefix string
expected bool
expectedErr error
resolver accesscontrol.ScopeAttributeResolver
}
tests := []testCase{
{
desc: "expect user to have access when correct permission is stored on user",
user: user.SignedInUser{
OrgID: 1,
Permissions: map[int64]map[string][]string{
1: {accesscontrol.ActionTeamsWrite: {"teams:*"}},
},
},
evaluator: accesscontrol.EvalPermission(accesscontrol.ActionTeamsWrite, "teams:id:1"),
expected: true,
},
{
desc: "expect user to not have access without required permissions",
user: user.SignedInUser{
OrgID: 1,
Permissions: map[int64]map[string][]string{
1: {accesscontrol.ActionTeamsWrite: {"teams:*"}},
},
},
evaluator: accesscontrol.EvalPermission(accesscontrol.ActionOrgUsersWrite, "users:id:1"),
expected: false,
},
{
desc: "expect user to have access when resolver translate scope",
user: user.SignedInUser{
OrgID: 1,
Permissions: map[int64]map[string][]string{
1: {accesscontrol.ActionTeamsWrite: {"another:scope"}},
},
},
evaluator: accesscontrol.EvalPermission(accesscontrol.ActionTeamsWrite, "teams:id:1"),
resolverPrefix: "teams:id:",
resolver: accesscontrol.ScopeAttributeResolverFunc(func(ctx context.Context, orgID int64, scope string) ([]string, error) {
return []string{"another:scope"}, nil
}),
expected: true,
},
}
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
ac := ProvideAccessControl(setting.NewCfg())
if tt.resolver != nil {
ac.RegisterScopeAttributeResolver(tt.resolverPrefix, tt.resolver)
}
hasAccess, err := ac.Evaluate(context.Background(), &tt.user, tt.evaluator)
assert.Equal(t, tt.expected, hasAccess)
if tt.expectedErr != nil {
assert.Equal(t, tt.expectedErr, err)
} else {
assert.NoError(t, err)
}
})
}
}