ff8e53a347
* Security: Sync security changes on main (#45083)
* * Teams: Appropriately apply user id filter in /api/teams/:id and /api/teams/search
* Teams: Ensure that users searching for teams are only able see teams they have access to
* Teams: Require teamGuardian admin privileges to list team members
* Teams: Prevent org viewers from administering teams
* Teams: Add org_id condition to team count query
* Teams: clarify permission requirements in teams api docs
* Teams: expand scenarios for team search tests
* Teams: mock teamGuardian in tests
Co-authored-by: Dan Cech <dcech@grafana.com>
* remove duplicate WHERE statement
* Fix for CVE-2022-21702
(cherry picked from commit 202d7c190082c094bc1dc13f7fe9464746c37f9e)
* Lint and test fixes
(cherry picked from commit 3e6b67d5504abf4a1d7b8d621f04d062c048e981)
* check content type properly
(cherry picked from commit 70b4458892bf2f776302720c10d24c9ff34edd98)
* basic csrf origin check
(cherry picked from commit 3adaa5ff39832364f6390881fb5b42ad47df92e1)
* compare origin to host
(cherry picked from commit 5443892699e8ed42836bb2b9a44744ff3e970f42)
* simplify url parsing
(cherry picked from commit b2ffbc9513fed75468628370a48b929d30af2b1d)
* check csrf for GET requests, only compare origin
(cherry picked from commit 8b81dc12d8f8a1f07852809c5b4d44f0f0b1d709)
* parse content type properly
(cherry picked from commit 16f76f4902e6f2188bea9606c68b551af186bdc0)
* mentioned get in the comment
(cherry picked from commit a7e61811ef8ae558ce721e2e3fed04ce7a5a5345)
* add content-type: application/json to test HTTP requests
* fix pluginproxy test
* Fix linter when comparing errors
Co-authored-by: Kevin Minehart <kmineh0151@gmail.com>
Co-authored-by: Dan Cech <dcech@grafana.com>
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Co-authored-by: Serge Zaitsev <serge.zaitsev@grafana.com>
Co-authored-by: Vardan Torosyan <vardants@gmail.com>
(cherry picked from commit 605d056136)
* Apply suggestions from code review
* remove uneeded test fix from patch
Co-authored-by: Dimitris Sotirakis <sotirakis.dim@gmail.com>
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Co-authored-by: jguer <joao.guerreiro@grafana.com>
185 lines
5.4 KiB
Go
185 lines
5.4 KiB
Go
package api
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"testing"
|
|
|
|
"github.com/grafana/grafana/pkg/api/routing"
|
|
|
|
"github.com/grafana/grafana/pkg/api/dtos"
|
|
"github.com/grafana/grafana/pkg/api/response"
|
|
"github.com/grafana/grafana/pkg/bus"
|
|
"github.com/grafana/grafana/pkg/models"
|
|
"github.com/grafana/grafana/pkg/services/search"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
type setUpConf struct {
|
|
aclMockResp []*models.DashboardAclInfoDTO
|
|
}
|
|
|
|
func TestAlertingAPIEndpoint(t *testing.T) {
|
|
singleAlert := &models.Alert{Id: 1, DashboardId: 1, Name: "singlealert"}
|
|
viewerRole := models.ROLE_VIEWER
|
|
editorRole := models.ROLE_EDITOR
|
|
|
|
setUp := func(confs ...setUpConf) {
|
|
bus.AddHandler("test", func(ctx context.Context, query *models.GetAlertByIdQuery) error {
|
|
query.Result = singleAlert
|
|
return nil
|
|
})
|
|
|
|
aclMockResp := []*models.DashboardAclInfoDTO{}
|
|
for _, c := range confs {
|
|
if c.aclMockResp != nil {
|
|
aclMockResp = c.aclMockResp
|
|
}
|
|
}
|
|
bus.AddHandler("test", func(ctx context.Context, query *models.GetDashboardAclInfoListQuery) error {
|
|
query.Result = aclMockResp
|
|
return nil
|
|
})
|
|
|
|
bus.AddHandler("test", func(ctx context.Context, query *models.GetTeamsByUserQuery) error {
|
|
query.Result = []*models.TeamDTO{}
|
|
return nil
|
|
})
|
|
}
|
|
|
|
t.Run("When user is editor and not in the ACL", func(t *testing.T) {
|
|
cmd := dtos.PauseAlertCommand{
|
|
AlertId: 1,
|
|
Paused: true,
|
|
}
|
|
postAlertScenario(t, "When calling POST on", "/api/alerts/1/pause", "/api/alerts/:alertId/pause",
|
|
models.ROLE_EDITOR, cmd, func(sc *scenarioContext) {
|
|
setUp()
|
|
|
|
callPauseAlert(sc)
|
|
assert.Equal(t, 403, sc.resp.Code)
|
|
})
|
|
})
|
|
|
|
t.Run("When user is editor and dashboard has default ACL", func(t *testing.T) {
|
|
cmd := dtos.PauseAlertCommand{
|
|
AlertId: 1,
|
|
Paused: true,
|
|
}
|
|
postAlertScenario(t, "When calling POST on", "/api/alerts/1/pause", "/api/alerts/:alertId/pause",
|
|
models.ROLE_EDITOR, cmd, func(sc *scenarioContext) {
|
|
setUp(setUpConf{
|
|
aclMockResp: []*models.DashboardAclInfoDTO{
|
|
{Role: &viewerRole, Permission: models.PERMISSION_VIEW},
|
|
{Role: &editorRole, Permission: models.PERMISSION_EDIT},
|
|
},
|
|
})
|
|
|
|
callPauseAlert(sc)
|
|
assert.Equal(t, 200, sc.resp.Code)
|
|
})
|
|
})
|
|
|
|
loggedInUserScenarioWithRole(t, "When calling GET on", "GET", "/api/alerts?dashboardId=1", "/api/alerts",
|
|
models.ROLE_EDITOR, func(sc *scenarioContext) {
|
|
setUp()
|
|
|
|
var searchQuery *search.Query
|
|
bus.AddHandler("test", func(ctx context.Context, query *search.Query) error {
|
|
searchQuery = query
|
|
return nil
|
|
})
|
|
|
|
var getAlertsQuery *models.GetAlertsQuery
|
|
bus.AddHandler("test", func(ctx context.Context, query *models.GetAlertsQuery) error {
|
|
getAlertsQuery = query
|
|
return nil
|
|
})
|
|
|
|
sc.handlerFunc = GetAlerts
|
|
sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
|
|
|
|
require.Nil(t, searchQuery)
|
|
assert.NotNil(t, getAlertsQuery)
|
|
})
|
|
|
|
loggedInUserScenarioWithRole(t, "When calling GET on", "GET",
|
|
"/api/alerts?dashboardId=1&dashboardId=2&folderId=3&dashboardTag=abc&dashboardQuery=dbQuery&limit=5&query=alertQuery",
|
|
"/api/alerts", models.ROLE_EDITOR, func(sc *scenarioContext) {
|
|
setUp()
|
|
|
|
var searchQuery *search.Query
|
|
bus.AddHandler("test", func(ctx context.Context, query *search.Query) error {
|
|
searchQuery = query
|
|
query.Result = search.HitList{
|
|
&search.Hit{ID: 1},
|
|
&search.Hit{ID: 2},
|
|
}
|
|
return nil
|
|
})
|
|
|
|
var getAlertsQuery *models.GetAlertsQuery
|
|
bus.AddHandler("test", func(ctx context.Context, query *models.GetAlertsQuery) error {
|
|
getAlertsQuery = query
|
|
return nil
|
|
})
|
|
|
|
sc.handlerFunc = GetAlerts
|
|
sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
|
|
|
|
require.NotNil(t, searchQuery)
|
|
assert.Equal(t, int64(1), searchQuery.DashboardIds[0])
|
|
assert.Equal(t, int64(2), searchQuery.DashboardIds[1])
|
|
assert.Equal(t, int64(3), searchQuery.FolderIds[0])
|
|
assert.Equal(t, "abc", searchQuery.Tags[0])
|
|
assert.Equal(t, "dbQuery", searchQuery.Title)
|
|
|
|
require.NotNil(t, getAlertsQuery)
|
|
assert.Equal(t, int64(1), getAlertsQuery.DashboardIDs[0])
|
|
assert.Equal(t, int64(2), getAlertsQuery.DashboardIDs[1])
|
|
assert.Equal(t, int64(5), getAlertsQuery.Limit)
|
|
assert.Equal(t, "alertQuery", getAlertsQuery.Query)
|
|
})
|
|
|
|
loggedInUserScenarioWithRole(t, "When calling GET on", "GET", "/api/alert-notifications/1",
|
|
"/alert-notifications/:notificationId", models.ROLE_ADMIN, func(sc *scenarioContext) {
|
|
setUp()
|
|
|
|
sc.handlerFunc = GetAlertNotificationByID
|
|
sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
|
|
assert.Equal(t, 404, sc.resp.Code)
|
|
})
|
|
}
|
|
|
|
func callPauseAlert(sc *scenarioContext) {
|
|
bus.AddHandler("test", func(ctx context.Context, cmd *models.PauseAlertCommand) error {
|
|
return nil
|
|
})
|
|
|
|
sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
|
|
}
|
|
|
|
func postAlertScenario(t *testing.T, desc string, url string, routePattern string, role models.RoleType,
|
|
cmd dtos.PauseAlertCommand, fn scenarioFunc) {
|
|
t.Run(fmt.Sprintf("%s %s", desc, url), func(t *testing.T) {
|
|
defer bus.ClearBusHandlers()
|
|
|
|
sc := setupScenarioContext(t, url)
|
|
sc.defaultHandler = routing.Wrap(func(c *models.ReqContext) response.Response {
|
|
c.Req.Body = mockRequestBody(cmd)
|
|
c.Req.Header.Add("Content-Type", "application/json")
|
|
sc.context = c
|
|
sc.context.UserId = testUserID
|
|
sc.context.OrgId = testOrgID
|
|
sc.context.OrgRole = role
|
|
|
|
return PauseAlert(c)
|
|
})
|
|
|
|
sc.m.Post(routePattern, sc.defaultHandler)
|
|
|
|
fn(sc)
|
|
})
|
|
}
|