Alexander Zobnin
823f0bc460
* Move db package WIP * Implement OSS access control * Register OSS access control * Fix linter error in tests * Fix linter error in evaluator * Simplify OSS tests * Optimize builtin roles * Chore: add comments to the exported functions * Remove init from ossaccesscontrol package (moved to ext) * Add access control as a dependency for http server * Modify middleware to receive fallback function * Middleware: refactor fallback function call * Move unused models to enterprise * Simplify AccessControl type * Chore: use bool IsDisabled() method instead of CanBeDisabled interface
99 lines
2.3 KiB
Go
99 lines
2.3 KiB
Go
package ossaccesscontrol
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"github.com/grafana/grafana/pkg/infra/log"
|
|
"github.com/grafana/grafana/pkg/models"
|
|
"github.com/grafana/grafana/pkg/registry"
|
|
"github.com/grafana/grafana/pkg/setting"
|
|
)
|
|
|
|
func setupTestEnv(t testing.TB) *OSSAccessControlService {
|
|
t.Helper()
|
|
|
|
cfg := setting.NewCfg()
|
|
cfg.FeatureToggles = map[string]bool{"accesscontrol": true}
|
|
|
|
ac := OSSAccessControlService{
|
|
Cfg: cfg,
|
|
Log: log.New("accesscontrol-test"),
|
|
}
|
|
|
|
err := ac.Init()
|
|
require.NoError(t, err)
|
|
return &ac
|
|
}
|
|
|
|
type evaluatingPermissionsTestCase struct {
|
|
desc string
|
|
user userTestCase
|
|
endpoints []endpointTestCase
|
|
evalResult bool
|
|
}
|
|
|
|
type userTestCase struct {
|
|
name string
|
|
orgRole models.RoleType
|
|
isGrafanaAdmin bool
|
|
}
|
|
|
|
type endpointTestCase struct {
|
|
permission string
|
|
scope []string
|
|
}
|
|
|
|
func TestEvaluatingPermissions(t *testing.T) {
|
|
testCases := []evaluatingPermissionsTestCase{
|
|
{
|
|
desc: "should successfully evaluate access to the endpoint",
|
|
user: userTestCase{
|
|
name: "testuser",
|
|
orgRole: models.ROLE_EDITOR,
|
|
isGrafanaAdmin: false,
|
|
},
|
|
endpoints: []endpointTestCase{
|
|
{permission: "users.teams:read", scope: []string{"users:self"}},
|
|
{permission: "users:read", scope: []string{"users:self"}},
|
|
},
|
|
evalResult: true,
|
|
},
|
|
{
|
|
desc: "should restrict access to the unauthorized endpoints",
|
|
user: userTestCase{
|
|
name: "testuser",
|
|
orgRole: models.ROLE_VIEWER,
|
|
isGrafanaAdmin: false,
|
|
},
|
|
endpoints: []endpointTestCase{
|
|
{permission: "users:create", scope: []string{"users"}},
|
|
},
|
|
evalResult: false,
|
|
},
|
|
}
|
|
for _, tc := range testCases {
|
|
t.Run(tc.desc, func(t *testing.T) {
|
|
ac := setupTestEnv(t)
|
|
t.Cleanup(registry.ClearOverrides)
|
|
|
|
user := &models.SignedInUser{
|
|
UserId: 1,
|
|
OrgId: 1,
|
|
Name: tc.user.name,
|
|
OrgRole: tc.user.orgRole,
|
|
IsGrafanaAdmin: tc.user.isGrafanaAdmin,
|
|
}
|
|
|
|
for _, endpoint := range tc.endpoints {
|
|
result, err := ac.Evaluate(context.Background(), user, endpoint.permission, endpoint.scope...)
|
|
require.NoError(t, err)
|
|
assert.Equal(t, tc.evalResult, result)
|
|
}
|
|
})
|
|
}
|
|
}
|