Authz: fix snapshot tests legacy guardian (#73823)
* Guardian: remove unused dependencies * API: rewrite tests to use access control guardian
This commit is contained in:
Karl Persson
GitHub
+129
-163
@@ -9,6 +9,10 @@ import (
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol/acimpl"
|
||||
"github.com/grafana/grafana/pkg/services/user"
|
||||
"github.com/grafana/grafana/pkg/web/webtest"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/mock"
|
||||
"github.com/stretchr/testify/require"
|
||||
@@ -19,11 +23,106 @@ import (
|
||||
"github.com/grafana/grafana/pkg/services/dashboardsnapshots"
|
||||
"github.com/grafana/grafana/pkg/services/guardian"
|
||||
"github.com/grafana/grafana/pkg/services/org"
|
||||
"github.com/grafana/grafana/pkg/services/team/teamtest"
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
"github.com/grafana/grafana/pkg/util/errutil"
|
||||
)
|
||||
|
||||
func TestHTTPServer_DeleteDashboardSnapshot(t *testing.T) {
|
||||
setup := func(t *testing.T, svc dashboards.DashboardService, userID int64, deleteURL string) *webtest.Server {
|
||||
t.Helper()
|
||||
|
||||
return SetupAPITestServer(t, func(hs *HTTPServer) {
|
||||
cfg := setting.NewCfg()
|
||||
cfg.SnapshotEnabled = true
|
||||
hs.Cfg = cfg
|
||||
hs.dashboardsnapshotsService = setUpSnapshotTest(t, userID, deleteURL)
|
||||
|
||||
hs.DashboardService = svc
|
||||
|
||||
hs.AccessControl = acimpl.ProvideAccessControl(hs.Cfg)
|
||||
guardian.InitAccessControlGuardian(hs.Cfg, hs.AccessControl, hs.DashboardService)
|
||||
})
|
||||
}
|
||||
|
||||
allowedUser := userWithPermissions(1, []accesscontrol.Permission{
|
||||
{Action: dashboards.ActionDashboardsWrite, Scope: "dashboards:uid:1"},
|
||||
})
|
||||
|
||||
t.Run("User should not be able to delete snapshot without permissions", func(t *testing.T) {
|
||||
svc := dashboards.NewFakeDashboardService(t)
|
||||
svc.On("GetDashboard", mock.Anything, mock.Anything).Return(&dashboards.Dashboard{UID: "1"}, nil)
|
||||
server := setup(t, svc, 0, "")
|
||||
|
||||
res, err := server.Send(webtest.RequestWithSignedInUser(
|
||||
server.NewRequest(http.MethodDelete, "/api/snapshots/12345", nil),
|
||||
&user.SignedInUser{UserID: 1, OrgID: 1},
|
||||
))
|
||||
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, http.StatusForbidden, res.StatusCode)
|
||||
require.NoError(t, res.Body.Close())
|
||||
})
|
||||
|
||||
t.Run("User should be able to delete snapshot with correct permissions", func(t *testing.T) {
|
||||
svc := dashboards.NewFakeDashboardService(t)
|
||||
svc.On("GetDashboard", mock.Anything, mock.Anything).Return(&dashboards.Dashboard{UID: "1"}, nil)
|
||||
|
||||
server := setup(t, svc, 0, "")
|
||||
res, err := server.Send(webtest.RequestWithSignedInUser(
|
||||
server.NewRequest(http.MethodDelete, "/api/snapshots/12345", nil),
|
||||
allowedUser,
|
||||
))
|
||||
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, http.StatusOK, res.StatusCode)
|
||||
require.NoError(t, res.Body.Close())
|
||||
})
|
||||
|
||||
t.Run("User should not be able to delete snapshot if fetching dashboard fails", func(t *testing.T) {
|
||||
svc := dashboards.NewFakeDashboardService(t)
|
||||
svc.On("GetDashboard", mock.Anything, mock.Anything).Return(nil, errors.New("some-error"))
|
||||
|
||||
server := setup(t, svc, 0, "")
|
||||
res, err := server.Send(webtest.RequestWithSignedInUser(
|
||||
server.NewRequest(http.MethodDelete, "/api/snapshots/12345", nil),
|
||||
allowedUser,
|
||||
))
|
||||
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, http.StatusInternalServerError, res.StatusCode)
|
||||
require.NoError(t, res.Body.Close())
|
||||
})
|
||||
|
||||
t.Run("User should be able to delete snapshot if connected dashboard no longer exists", func(t *testing.T) {
|
||||
svc := dashboards.NewFakeDashboardService(t)
|
||||
svc.On("GetDashboard", mock.Anything, mock.Anything).Return(nil, dashboards.ErrDashboardNotFound)
|
||||
|
||||
server := setup(t, svc, 0, "")
|
||||
res, err := server.Send(webtest.RequestWithSignedInUser(
|
||||
server.NewRequest(http.MethodDelete, "/api/snapshots/12345", nil),
|
||||
allowedUser,
|
||||
))
|
||||
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, http.StatusOK, res.StatusCode)
|
||||
require.NoError(t, res.Body.Close())
|
||||
})
|
||||
|
||||
t.Run("User should be able to delete when user is creator but does not have permissions to edit dashboard", func(t *testing.T) {
|
||||
svc := dashboards.NewFakeDashboardService(t)
|
||||
svc.On("GetDashboard", mock.Anything, mock.Anything).Return(&dashboards.Dashboard{UID: "1"}, nil)
|
||||
|
||||
server := setup(t, svc, 1, "")
|
||||
res, err := server.Send(webtest.RequestWithSignedInUser(
|
||||
server.NewRequest(http.MethodDelete, "/api/snapshots/12345", nil),
|
||||
&user.SignedInUser{UserID: 1, OrgID: 1},
|
||||
))
|
||||
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, http.StatusOK, res.StatusCode)
|
||||
require.NoError(t, res.Body.Close())
|
||||
})
|
||||
}
|
||||
|
||||
func TestDashboardSnapshotAPIEndpoint_singleSnapshot(t *testing.T) {
|
||||
setupRemoteServer := func(fn func(http.ResponseWriter, *http.Request)) *httptest.Server {
|
||||
s := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
||||
@@ -34,60 +133,6 @@ func TestDashboardSnapshotAPIEndpoint_singleSnapshot(t *testing.T) {
|
||||
}
|
||||
|
||||
sqlmock := dbtest.NewFakeDB()
|
||||
jsonModel, err := simplejson.NewJson([]byte(`{"id":100}`))
|
||||
require.NoError(t, err)
|
||||
|
||||
setUpSnapshotTest := func(t *testing.T, userId int64, deleteUrl string) dashboardsnapshots.Service {
|
||||
t.Helper()
|
||||
|
||||
dashSnapSvc := dashboardsnapshots.NewMockService(t)
|
||||
dashSnapSvc.On("DeleteDashboardSnapshot", mock.Anything, mock.AnythingOfType("*dashboardsnapshots.DeleteDashboardSnapshotCommand")).Return(nil).Maybe()
|
||||
res := &dashboardsnapshots.DashboardSnapshot{
|
||||
ID: 1,
|
||||
Key: "12345",
|
||||
DeleteKey: "54321",
|
||||
Dashboard: jsonModel,
|
||||
Expires: time.Now().Add(time.Duration(1000) * time.Second),
|
||||
UserID: 999999,
|
||||
}
|
||||
if userId != 0 {
|
||||
res.UserID = userId
|
||||
}
|
||||
if deleteUrl != "" {
|
||||
res.External = true
|
||||
res.ExternalDeleteURL = deleteUrl
|
||||
}
|
||||
dashSnapSvc.On("GetDashboardSnapshot", mock.Anything, mock.AnythingOfType("*dashboardsnapshots.GetDashboardSnapshotQuery")).Return(res, nil)
|
||||
dashSnapSvc.On("DeleteDashboardSnapshot", mock.Anything, mock.AnythingOfType("*dashboardsnapshots.DeleteDashboardSnapshotCommand")).Return(nil).Maybe()
|
||||
return dashSnapSvc
|
||||
}
|
||||
|
||||
t.Run("When user has editor role and is not in the ACL", func(t *testing.T) {
|
||||
loggedInUserScenarioWithRole(t, "Should not be able to delete snapshot when calling DELETE on",
|
||||
"DELETE", "/api/snapshots/12345", "/api/snapshots/:key", org.RoleEditor, func(sc *scenarioContext) {
|
||||
d := setUpSnapshotTest(t, 0, "")
|
||||
hs := buildHttpServer(d, true)
|
||||
sc.handlerFunc = hs.DeleteDashboardSnapshot
|
||||
|
||||
teamSvc := &teamtest.FakeService{}
|
||||
dashSvc := dashboards.NewFakeDashboardService(t)
|
||||
var qResult *dashboards.Dashboard
|
||||
dashSvc.On("GetDashboard", mock.Anything, mock.AnythingOfType("*dashboards.GetDashboardQuery")).Run(func(args mock.Arguments) {
|
||||
q := args.Get(1).(*dashboards.GetDashboardQuery)
|
||||
qResult = &dashboards.Dashboard{
|
||||
ID: q.ID,
|
||||
UID: q.UID,
|
||||
}
|
||||
}).Return(qResult, nil).Maybe()
|
||||
dashSvc.On("GetDashboardACLInfoList", mock.Anything, mock.AnythingOfType("*dashboards.GetDashboardACLInfoListQuery")).Return(nil, nil).Maybe()
|
||||
hs.DashboardService = dashSvc
|
||||
|
||||
guardian.InitLegacyGuardian(setting.NewCfg(), sc.sqlStore, dashSvc, teamSvc)
|
||||
sc.fakeReqWithParams("DELETE", sc.url, map[string]string{"key": "12345"}).exec()
|
||||
|
||||
assert.Equal(t, 403, sc.resp.Code)
|
||||
}, sqlmock)
|
||||
})
|
||||
|
||||
t.Run("When user is anonymous", func(t *testing.T) {
|
||||
anonymousUserScenario(t, "Should be able to delete a snapshot when calling GET on", "GET",
|
||||
@@ -116,113 +161,6 @@ func TestDashboardSnapshotAPIEndpoint_singleSnapshot(t *testing.T) {
|
||||
})
|
||||
})
|
||||
|
||||
t.Run("When user is editor and dashboard has default ACL", func(t *testing.T) {
|
||||
teamSvc := &teamtest.FakeService{}
|
||||
dashSvc := &dashboards.FakeDashboardService{}
|
||||
qResult := []*dashboards.DashboardACLInfoDTO{
|
||||
{Role: &viewerRole, Permission: dashboards.PERMISSION_VIEW},
|
||||
{Role: &editorRole, Permission: dashboards.PERMISSION_EDIT},
|
||||
}
|
||||
dashSvc.On("GetDashboardACLInfoList", mock.Anything, mock.AnythingOfType("*dashboards.GetDashboardACLInfoListQuery")).Return(qResult, nil)
|
||||
|
||||
loggedInUserScenarioWithRole(t, "Should not be able to delete a snapshot when fetching guardian fails during calling DELETE on", "DELETE",
|
||||
"/api/snapshots/12345", "/api/snapshots/:key", org.RoleEditor, func(sc *scenarioContext) {
|
||||
ts := setupRemoteServer(func(rw http.ResponseWriter, req *http.Request) {
|
||||
rw.WriteHeader(200)
|
||||
})
|
||||
dashSvc := dashboards.NewFakeDashboardService(t)
|
||||
dashSvc.On("GetDashboard", mock.Anything, mock.AnythingOfType("*dashboards.GetDashboardQuery")).Return(nil, errutil.Error{PublicMessage: "some error"}).Maybe()
|
||||
|
||||
guardian.InitLegacyGuardian(sc.cfg, sc.sqlStore, dashSvc, teamSvc)
|
||||
d := setUpSnapshotTest(t, 0, ts.URL)
|
||||
hs := buildHttpServer(d, true)
|
||||
hs.DashboardService = dashSvc
|
||||
sc.handlerFunc = hs.DeleteDashboardSnapshot
|
||||
sc.fakeReqWithParams("DELETE", sc.url, map[string]string{"key": "12345"}).exec()
|
||||
|
||||
assert.Equal(t, http.StatusInternalServerError, sc.resp.Code)
|
||||
}, sqlmock)
|
||||
|
||||
loggedInUserScenarioWithRole(t, "Should be able to delete a snapshot from a deleted dashboard when calling DELETE on", "DELETE",
|
||||
"/api/snapshots/12345", "/api/snapshots/:key", org.RoleEditor, func(sc *scenarioContext) {
|
||||
var externalRequest *http.Request
|
||||
ts := setupRemoteServer(func(rw http.ResponseWriter, req *http.Request) {
|
||||
rw.WriteHeader(200)
|
||||
externalRequest = req
|
||||
})
|
||||
dashSvc := dashboards.NewFakeDashboardService(t)
|
||||
dashSvc.On("GetDashboard", mock.Anything, mock.AnythingOfType("*dashboards.GetDashboardQuery")).Return(nil, dashboards.ErrDashboardNotFound).Maybe()
|
||||
|
||||
guardian.InitLegacyGuardian(sc.cfg, sc.sqlStore, dashSvc, teamSvc)
|
||||
d := setUpSnapshotTest(t, 0, ts.URL)
|
||||
hs := buildHttpServer(d, true)
|
||||
hs.DashboardService = dashSvc
|
||||
sc.handlerFunc = hs.DeleteDashboardSnapshot
|
||||
sc.fakeReqWithParams("DELETE", sc.url, map[string]string{"key": "12345"}).exec()
|
||||
|
||||
assert.Equal(t, 200, sc.resp.Code)
|
||||
respJSON, err := simplejson.NewJson(sc.resp.Body.Bytes())
|
||||
require.NoError(t, err)
|
||||
|
||||
assert.True(t, strings.HasPrefix(respJSON.Get("message").MustString(), "Snapshot deleted"))
|
||||
assert.Equal(t, 1, respJSON.Get("id").MustInt())
|
||||
assert.Equal(t, ts.URL, fmt.Sprintf("http://%s", externalRequest.Host))
|
||||
assert.Equal(t, "/", externalRequest.URL.EscapedPath())
|
||||
}, sqlmock)
|
||||
|
||||
loggedInUserScenarioWithRole(t, "Should be able to delete a snapshot when calling DELETE on", "DELETE",
|
||||
"/api/snapshots/12345", "/api/snapshots/:key", org.RoleEditor, func(sc *scenarioContext) {
|
||||
var externalRequest *http.Request
|
||||
ts := setupRemoteServer(func(rw http.ResponseWriter, req *http.Request) {
|
||||
rw.WriteHeader(200)
|
||||
externalRequest = req
|
||||
})
|
||||
dashSvc := dashboards.NewFakeDashboardService(t)
|
||||
qResult := &dashboards.Dashboard{}
|
||||
dashSvc.On("GetDashboard", mock.Anything, mock.AnythingOfType("*dashboards.GetDashboardQuery")).Return(qResult, nil).Maybe()
|
||||
qResultACL := []*dashboards.DashboardACLInfoDTO{
|
||||
{Role: &viewerRole, Permission: dashboards.PERMISSION_VIEW},
|
||||
{Role: &editorRole, Permission: dashboards.PERMISSION_EDIT},
|
||||
}
|
||||
dashSvc.On("GetDashboardACLInfoList", mock.Anything, mock.AnythingOfType("*dashboards.GetDashboardACLInfoListQuery")).Return(qResultACL, nil)
|
||||
guardian.InitLegacyGuardian(sc.cfg, sc.sqlStore, dashSvc, teamSvc)
|
||||
d := setUpSnapshotTest(t, 0, ts.URL)
|
||||
hs := buildHttpServer(d, true)
|
||||
hs.DashboardService = dashSvc
|
||||
sc.handlerFunc = hs.DeleteDashboardSnapshot
|
||||
sc.fakeReqWithParams("DELETE", sc.url, map[string]string{"key": "12345"}).exec()
|
||||
|
||||
assert.Equal(t, 200, sc.resp.Code)
|
||||
respJSON, err := simplejson.NewJson(sc.resp.Body.Bytes())
|
||||
require.NoError(t, err)
|
||||
|
||||
assert.True(t, strings.HasPrefix(respJSON.Get("message").MustString(), "Snapshot deleted"))
|
||||
assert.Equal(t, 1, respJSON.Get("id").MustInt())
|
||||
assert.Equal(t, ts.URL, fmt.Sprintf("http://%s", externalRequest.Host))
|
||||
assert.Equal(t, "/", externalRequest.URL.EscapedPath())
|
||||
}, sqlmock)
|
||||
})
|
||||
|
||||
t.Run("When user is editor and creator of the snapshot", func(t *testing.T) {
|
||||
loggedInUserScenarioWithRole(t, "Should be able to delete a snapshot when calling DELETE on",
|
||||
"DELETE", "/api/snapshots/12345", "/api/snapshots/:key", org.RoleEditor, func(sc *scenarioContext) {
|
||||
d := setUpSnapshotTest(t, testUserID, "")
|
||||
|
||||
dashSvc := dashboards.NewFakeDashboardService(t)
|
||||
hs := buildHttpServer(d, true)
|
||||
hs.DashboardService = dashSvc
|
||||
sc.handlerFunc = hs.DeleteDashboardSnapshot
|
||||
sc.fakeReqWithParams("DELETE", sc.url, map[string]string{"key": "12345"}).exec()
|
||||
|
||||
assert.Equal(t, 200, sc.resp.Code)
|
||||
respJSON, err := simplejson.NewJson(sc.resp.Body.Bytes())
|
||||
require.NoError(t, err)
|
||||
|
||||
assert.True(t, strings.HasPrefix(respJSON.Get("message").MustString(), "Snapshot deleted"))
|
||||
assert.Equal(t, 1, respJSON.Get("id").MustInt())
|
||||
}, sqlmock)
|
||||
})
|
||||
|
||||
t.Run("When deleting an external snapshot", func(t *testing.T) {
|
||||
loggedInUserScenarioWithRole(t,
|
||||
"Should gracefully delete local snapshot when remote snapshot has already been removed when calling DELETE on",
|
||||
@@ -442,3 +380,31 @@ func buildHttpServer(d dashboardsnapshots.Service, snapshotEnabled bool) *HTTPSe
|
||||
}
|
||||
return hs
|
||||
}
|
||||
func setUpSnapshotTest(t *testing.T, userId int64, deleteUrl string) dashboardsnapshots.Service {
|
||||
t.Helper()
|
||||
|
||||
dashSnapSvc := dashboardsnapshots.NewMockService(t)
|
||||
dashSnapSvc.On("DeleteDashboardSnapshot", mock.Anything, mock.AnythingOfType("*dashboardsnapshots.DeleteDashboardSnapshotCommand")).Return(nil).Maybe()
|
||||
|
||||
jsonModel, err := simplejson.NewJson([]byte(`{"id":100}`))
|
||||
require.NoError(t, err)
|
||||
|
||||
res := &dashboardsnapshots.DashboardSnapshot{
|
||||
ID: 1,
|
||||
Key: "12345",
|
||||
DeleteKey: "54321",
|
||||
Dashboard: jsonModel,
|
||||
Expires: time.Now().Add(time.Duration(1000) * time.Second),
|
||||
UserID: 999999,
|
||||
}
|
||||
if userId != 0 {
|
||||
res.UserID = userId
|
||||
}
|
||||
if deleteUrl != "" {
|
||||
res.External = true
|
||||
res.ExternalDeleteURL = deleteUrl
|
||||
}
|
||||
dashSnapSvc.On("GetDashboardSnapshot", mock.Anything, mock.AnythingOfType("*dashboardsnapshots.GetDashboardSnapshotQuery")).Return(res, nil)
|
||||
dashSnapSvc.On("DeleteDashboardSnapshot", mock.Anything, mock.AnythingOfType("*dashboardsnapshots.DeleteDashboardSnapshotCommand")).Return(nil).Maybe()
|
||||
return dashSnapSvc
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user