From 90c4868c8cc38cb7e68062ea82f1c791bff8bf2e Mon Sep 17 00:00:00 2001
From: Matheus Macabu
Date: Mon, 9 Jun 2025 09:49:46 +0200
Subject: [PATCH] CloudMigrations: Add test case for invalid permissions to fetch contact points (#106143)

---
 .../cloudmigrationimpl/cloudmigration_test.go | 8 ++--
 .../snapshot_mgmt_alerts_test.go | 45 ++++++++++++++++---
 2 files changed, 45 insertions(+), 8 deletions(-)

diff --git a/pkg/services/cloudmigration/cloudmigrationimpl/cloudmigration_test.go b/pkg/services/cloudmigration/cloudmigrationimpl/cloudmigration_test.go
index a8bf9c0466d..210c8c1540a 100644
--- a/pkg/services/cloudmigration/cloudmigrationimpl/cloudmigration_test.go
+++ b/pkg/services/cloudmigration/cloudmigrationimpl/cloudmigration_test.go
@@ -24,6 +24,7 @@ import (
 	"github.com/grafana/grafana/pkg/infra/kvstore"
 	"github.com/grafana/grafana/pkg/infra/tracing"
 	"github.com/grafana/grafana/pkg/plugins"
+	"github.com/grafana/grafana/pkg/services/accesscontrol/acimpl"
 	"github.com/grafana/grafana/pkg/services/accesscontrol/actest"
 	"github.com/grafana/grafana/pkg/services/annotations/annotationstest"
 	"github.com/grafana/grafana/pkg/services/cloudmigration"
@@ -918,19 +919,20 @@ func setUpServiceTest(t *testing.T, withDashboardMock bool, cfgOverrides ...conf
 	kvStore := kvstore.ProvideService(sqlStore)
 	bus := bus.ProvideBus(tracer)
-	fakeAccessControl := actest.FakeAccessControl{ExpectedEvaluate: true}
+
+	accessControl := acimpl.ProvideAccessControl(featureToggles)
 	fakeAccessControlService := actest.FakeService{}
 	alertMetrics := metrics.NewNGAlert(prometheus.NewRegistry())
 	cfg.UnifiedAlerting.DefaultRuleEvaluationInterval = time.Minute
 	cfg.UnifiedAlerting.BaseInterval = time.Minute
 	cfg.UnifiedAlerting.InitializationTimeout = 30 * time.Second
-	ruleStore, err := ngalertstore.ProvideDBStore(cfg, featureToggles, sqlStore, mockFolder, dashboardService, fakeAccessControl, bus)
+	ruleStore, err := ngalertstore.ProvideDBStore(cfg, featureToggles, sqlStore, mockFolder, dashboardService, accessControl, bus)
 	require.NoError(t, err)
 	ng, err := ngalert.ProvideService(
 		cfg, featureToggles, nil, nil, rr, sqlStore, kvStore, nil, nil, quotatest.New(false, nil),
-		secretsService, nil, alertMetrics, mockFolder, fakeAccessControl, dashboardService, nil, bus, fakeAccessControlService,
+		secretsService, nil, alertMetrics, mockFolder, accessControl, dashboardService, nil, bus, fakeAccessControlService,
 		annotationstest.NewFakeAnnotationsRepo(), &pluginstore.FakePluginStore{}, tracer, ruleStore, httpclient.NewProvider(), ngalertfakes.NewFakeReceiverPermissionsService(), usertest.NewUserServiceFake(),
 	)
diff --git a/pkg/services/cloudmigration/cloudmigrationimpl/snapshot_mgmt_alerts_test.go b/pkg/services/cloudmigration/cloudmigrationimpl/snapshot_mgmt_alerts_test.go
index c7a42105dd8..3ab80d6838e 100644
--- a/pkg/services/cloudmigration/cloudmigrationimpl/snapshot_mgmt_alerts_test.go
+++ b/pkg/services/cloudmigration/cloudmigrationimpl/snapshot_mgmt_alerts_test.go
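Review bot: The swap from `actest.FakeAccessControl{ExpectedEvaluate: true}` to `acimpl.ProvideAccessControl(featureToggles)` at the top of the hunk turns the harness from always-allow into real permission evaluation, but nothing at the call site says so, and `fakeAccessControlService := actest.FakeService{}` two lines later stays a fake. As far as the hunk shows, a test user's effective permissions are then only what is placed in `SignedInUser.Permissions[orgID]` — nothing is resolved from roles — so a `&user.SignedInUser{OrgID: 1}` with no permissions will presumably now be refused where it used to pass, which is exactly the kind of surprise the next test author will hit. I would add a comment on the new line: `// Real evaluator, not the always-allow fake: tests must grant what they need via SignedInUser.Permissions; the service side stays faked, so no role-derived permissions apply.` setUpServiceTest starts before the hunk and continues after it.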
@@ -4,15 +4,19 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"net/http"
 	"testing"
 	"time"
+	"github.com/grafana/alerting/definition"
 	"github.com/prometheus/alertmanager/pkg/labels"
 	"github.com/stretchr/testify/require"
-	"github.com/grafana/alerting/definition"
+	"github.com/grafana/grafana/pkg/apimachinery/errutil"
 	"github.com/grafana/grafana/pkg/components/simplejson"
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
+	"github.com/grafana/grafana/pkg/services/dashboards"
+	"github.com/grafana/grafana/pkg/services/datasources"
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
 	ac "github.com/grafana/grafana/pkg/services/ngalert/accesscontrol"
 	"github.com/grafana/grafana/pkg/services/ngalert/api/tooling/definitions"
@@ -21,6 +25,15 @@ import (
 	"github.com/grafana/grafana/pkg/setting"
 )
+// Read-only.
+var alertRulesPermissions = map[string][]string{
+	accesscontrol.ActionAlertingRuleRead: {"*"},
+	accesscontrol.ActionAlertingRuleCreate: {"*"},
+	accesscontrol.ActionAlertingRuleUpdate: {"*"},
+	dashboards.ActionFoldersRead: {"*"},
+	datasources.ActionQuery: {"*"},
+}
+
 func TestGetAlertMuteTimings(t *testing.T) {
 	t.Parallel()
@@ -98,6 +111,28 @@ func TestGetContactPoints(t *testing.T) {
 		require.NotNil(t, contactPoints)
 		require.Len(t, contactPoints, len(createdContactPoints)+defaultEmailContactPointCount)
 	})
+
+	t.Run("it returns an error when user lacks permission to read contact point secrets", func(t *testing.T) {
+		t.Parallel()
+
+		s := setUpServiceTest(t, false).(*Service)
+
+		user := &user.SignedInUser{
+			OrgID: 1,
+			Permissions: map[int64]map[string][]string{
+				1: {
+					accesscontrol.ActionAlertingNotificationsRead: nil,
+				},
+			},
+		}
+
+		contactPoints, err := s.getContactPoints(ctx, user)
+		require.Nil(t, contactPoints)
+
+		gfErr := errutil.Error{}
+		require.ErrorAs(t, err, &gfErr)
+		require.Equal(t, http.StatusForbidden, gfErr.Reason.Status().HTTPStatus())
+	})
 }
 func TestGetNotificationPolicies(t *testing.T) {
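Review bot: The `// Read-only.` comment above `alertRulesPermissions` is ambiguous, because the map itself grants `ActionAlertingRuleCreate` and `ActionAlertingRuleUpdate`, so a reader can take it to describe the permissions rather than the variable. The map is package-level and, in the callers elsewhere in this file, is placed into `SignedInUser.Permissions` as a map value — that is, shared by reference — by subtests that, like the one added in this file, run under `t.Parallel()`, so the property worth stating is that it must never be mutated and that `{"*"}` grants every scope for each action. I would replace the comment with `// alertRulesPermissions is the wildcard-scoped set a test user needs to create and read alert rules. It is shared by reference between parallel subtests; never mutate it — build a fresh map instead.`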
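Review bot: The negative test's user carries `accesscontrol.ActionAlertingNotificationsRead: nil` with no explanation, and a nil scope list is easy to misread as "no permission" — the subtest name says the user lacks permission to read secrets, yet the only entry given is the plain notifications read. What the case appears to pin is that read access alone is not enough to decrypt contact points, which is the security property worth naming; I would add above the literal `// Plain notifications read only and no *:secrets:read permission, so decryption must be refused.` and, if the evaluator treats a nil scope list as a scope-less grant (I cannot confirm that from here), say so too. The assertion on `gfErr.Reason.Status().HTTPStatus()` pins only the status, so if getContactPoints wraps a specific sentinel for the secrets check, a `require.ErrorIs` against it would keep a 403 raised for some other reason from passing. `ctx` comes from the enclosing TestGetContactPoints, which starts before the hunk.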
@@ -139,7 +174,7 @@ func TestGetAlertRules(t *testing.T) {
 		s := setUpServiceTest(t, false).(*Service)
-		user := &user.SignedInUser{OrgID: 1}
+		user := &user.SignedInUser{OrgID: 1, Permissions: map[int64]map[string][]string{1: alertRulesPermissions}}
 		alertRule := createAlertRule(t, ctx, s, user, false, "")
@@ -158,7 +193,7 @@ func TestGetAlertRules(t *testing.T) {
 		s := setUpServiceTest(t, false, alertRulesState).(*Service)
-		user := &user.SignedInUser{OrgID: 1}
+		user := &user.SignedInUser{OrgID: 1, Permissions: map[int64]map[string][]string{1: alertRulesPermissions}}
 		alertRulePaused := createAlertRule(t, ctx, s, user, true, "")
 		require.True(t, alertRulePaused.IsPaused)
@@ -185,7 +220,7 @@ func TestGetAlertRuleGroups(t *testing.T) {
 		s := setUpServiceTest(t, false).(*Service)
-		user := &user.SignedInUser{OrgID: 1}
+		user := &user.SignedInUser{OrgID: 1, Permissions: map[int64]map[string][]string{1: alertRulesPermissions}}
 		ruleGroupTitle := "ruleGroupTitle"
@@ -224,7 +259,7 @@ func TestGetAlertRuleGroups(t *testing.T) {
 		s := setUpServiceTest(t, false, alertRulesState).(*Service)
-		user := &user.SignedInUser{OrgID: 1}
+		user := &user.SignedInUser{OrgID: 1, Permissions: map[int64]map[string][]string{1: alertRulesPermissions}}
 		ruleGroupTitle := "ruleGroupTitle"
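Review bot: The new `user` line repeats the same literal, `&user.SignedInUser{OrgID: 1, Permissions: map[int64]map[string][]string{1: alertRulesPermissions}}`, in all four hunks, and each copy hands the package-level `alertRulesPermissions` map to a subtest by reference. A small helper in the test file, `func alertRulesUser() *user.SignedInUser { return &user.SignedInUser{OrgID: 1, Permissions: map[int64]map[string][]string{1: maps.Clone(alertRulesPermissions)}} }` (stdlib `maps` import), would reduce the four call sites to `user := alertRulesUser()` and give each subtest its own map; the clone is shallow, which is enough only as long as nothing writes into the scope slices. I cannot tell from the hunks whether anything downstream mutates `Permissions`, so this is a style point as much as a race-safety one. Each enclosing subtest starts before and ends after its hunk.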