Karl Persson
2e38329026
* Unexport store and create new constructor function * Add ResourceAuthorizer and LegacyAccessClient * Configure checks for user store * List with checks if AccessClient is configured * Allow system user service account to read all users --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
119 lines
3.1 KiB
Go
119 lines
3.1 KiB
Go
package accesscontrol_test
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
"github.com/grafana/authlib/claims"
|
|
"github.com/grafana/grafana/pkg/apimachinery/identity"
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol/acimpl"
|
|
"github.com/grafana/grafana/pkg/services/authz/zanzana"
|
|
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
|
)
|
|
|
|
func TestResourceAuthorizer_HasAccess(t *testing.T) {
|
|
ac := acimpl.ProvideAccessControl(featuremgmt.WithFeatures(), zanzana.NewNoopClient())
|
|
|
|
t.Run("should have no opinion for non resource requests", func(t *testing.T) {
|
|
a := accesscontrol.NewLegacyAccessClient(ac, accesscontrol.ResourceAuthorizerOptions{
|
|
Resource: "dashboards",
|
|
Attr: "uid",
|
|
})
|
|
|
|
ok, err := a.HasAccess(context.Background(), &identity.StaticRequester{}, claims.AccessRequest{
|
|
Verb: "get",
|
|
Resource: "dashboards",
|
|
Namespace: "default",
|
|
Name: "1",
|
|
})
|
|
assert.Error(t, err)
|
|
assert.Equal(t, false, ok)
|
|
})
|
|
|
|
t.Run("should reject when user don't have correct scope", func(t *testing.T) {
|
|
a := accesscontrol.NewLegacyAccessClient(ac, accesscontrol.ResourceAuthorizerOptions{
|
|
Resource: "dashboards",
|
|
Attr: "uid",
|
|
Mapping: map[string]string{
|
|
"get": "dashboards:read",
|
|
},
|
|
})
|
|
|
|
ident := newIdent(
|
|
accesscontrol.Permission{Action: "dashboards:read", Scope: "dashboards:uid:2"},
|
|
)
|
|
|
|
ok, err := a.HasAccess(context.Background(), ident, claims.AccessRequest{
|
|
Verb: "get",
|
|
Namespace: "default",
|
|
Resource: "dashboards",
|
|
Name: "1",
|
|
})
|
|
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, false, ok)
|
|
})
|
|
|
|
t.Run("should just check action for list requests", func(t *testing.T) {
|
|
a := accesscontrol.NewLegacyAccessClient(ac, accesscontrol.ResourceAuthorizerOptions{
|
|
Resource: "dashboards",
|
|
Attr: "uid",
|
|
Mapping: map[string]string{
|
|
"list": "dashboards:read",
|
|
},
|
|
})
|
|
|
|
ident := newIdent(
|
|
accesscontrol.Permission{Action: "dashboards:read"},
|
|
)
|
|
|
|
ok, err := a.HasAccess(context.Background(), ident, claims.AccessRequest{
|
|
Verb: "list",
|
|
Namespace: "default",
|
|
Resource: "dashboards",
|
|
})
|
|
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, true, ok)
|
|
})
|
|
|
|
t.Run("should allow when user have correct scope", func(t *testing.T) {
|
|
a := accesscontrol.NewLegacyAccessClient(ac, accesscontrol.ResourceAuthorizerOptions{
|
|
Resource: "dashboards",
|
|
Attr: "uid",
|
|
Mapping: map[string]string{
|
|
"get": "dashboards:read",
|
|
},
|
|
})
|
|
|
|
ident := newIdent(
|
|
accesscontrol.Permission{Action: "dashboards:read", Scope: "dashboards:uid:1"},
|
|
)
|
|
|
|
ok, err := a.HasAccess(context.Background(), ident, claims.AccessRequest{
|
|
Verb: "get",
|
|
Namespace: "default",
|
|
Resource: "dashboards",
|
|
Name: "1",
|
|
})
|
|
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, true, ok)
|
|
})
|
|
}
|
|
|
|
func newIdent(permissions ...accesscontrol.Permission) *identity.StaticRequester {
|
|
pmap := map[string][]string{}
|
|
for _, p := range permissions {
|
|
pmap[p.Action] = append(pmap[p.Action], p.Scope)
|
|
}
|
|
|
|
return &identity.StaticRequester{
|
|
OrgID: 1,
|
|
Permissions: map[int64]map[string][]string{1: pmap},
|
|
}
|
|
}
|