grafana/pkg/services/accesscontrol/acimpl/basic_role_db_seed_test.go

package acimpl

import (
	"context"
	"testing"
	"time"

	"github.com/stretchr/testify/require"

	"github.com/grafana/grafana/pkg/infra/db"
	"github.com/grafana/grafana/pkg/infra/localcache"
	"github.com/grafana/grafana/pkg/infra/tracing"
	"github.com/grafana/grafana/pkg/services/accesscontrol"
	"github.com/grafana/grafana/pkg/services/accesscontrol/database"
	"github.com/grafana/grafana/pkg/services/accesscontrol/permreg"
	"github.com/grafana/grafana/pkg/services/accesscontrol/resourcepermissions"
	"github.com/grafana/grafana/pkg/services/featuremgmt"
	"github.com/grafana/grafana/pkg/services/org"
	"github.com/grafana/grafana/pkg/setting"
	"github.com/grafana/grafana/pkg/util/testutil"
)

func TestIntegration_OSSBasicRolePermissions_PersistAndRefreshOnRegisterFixedRoles(t *testing.T) {
	testutil.SkipIntegrationTestInShortMode(t)

	ctx := context.Background()
	sql := db.InitTestDB(t)
	store := database.ProvideService(sql)

	svc := ProvideOSSService(
		setting.NewCfg(),
		store,
		&resourcepermissions.FakeActionSetSvc{},
		localcache.ProvideService(),
		featuremgmt.WithFeatures(),
		tracing.InitializeTracerForTest(),
		sql,
		permreg.ProvidePermissionRegistry(),
		nil,
	)

	require.NoError(t, svc.DeclareFixedRoles(accesscontrol.RoleRegistration{
		Role: accesscontrol.RoleDTO{
			Name: "fixed:test:role",
			Permissions: []accesscontrol.Permission{
				{Action: "test:read", Scope: ""},
			},
		},
		Grants: []string{string(org.RoleViewer)},
	}))

	require.NoError(t, svc.RegisterFixedRoles(ctx))

	// verify permission is persisted to DB for basic:viewer
	require.NoError(t, sql.WithDbSession(ctx, func(sess *db.Session) error {
		var role accesscontrol.Role
		ok, err := sess.Table("role").Where("uid = ?", accesscontrol.BasicRoleUIDPrefix+"viewer").Get(&role)
		require.NoError(t, err)
		require.True(t, ok)

		var count int64
		count, err = sess.Table("permission").Where("role_id = ? AND action = ? AND scope = ?", role.ID, "test:read", "").Count()
		require.NoError(t, err)
		require.Equal(t, int64(1), count)
		return nil
	}))

	// ensure RegisterFixedRoles refreshes it back to defaults
	require.NoError(t, sql.WithDbSession(ctx, func(sess *db.Session) error {
		ts := time.Now()
		var role accesscontrol.Role
		ok, err := sess.Table("role").Where("uid = ?", accesscontrol.BasicRoleUIDPrefix+"viewer").Get(&role)
		require.NoError(t, err)
		require.True(t, ok)

		_, err = sess.Exec("DELETE FROM permission WHERE role_id = ?", role.ID)
		require.NoError(t, err)
		p := accesscontrol.Permission{
			RoleID:  role.ID,
			Action:  "custom:keep",
			Scope:   "",
			Created: ts,
			Updated: ts,
		}
		p.Kind, p.Attribute, p.Identifier = accesscontrol.SplitScope(p.Scope)
		_, err = sess.Table("permission").Insert(&p)
		return err
	}))

	svc2 := ProvideOSSService(
		setting.NewCfg(),
		store,
		&resourcepermissions.FakeActionSetSvc{},
		localcache.ProvideService(),
		featuremgmt.WithFeatures(),
		tracing.InitializeTracerForTest(),
		sql,
		permreg.ProvidePermissionRegistry(),
		nil,
	)
	require.NoError(t, svc2.DeclareFixedRoles(accesscontrol.RoleRegistration{
		Role: accesscontrol.RoleDTO{
			Name: "fixed:test:role",
			Permissions: []accesscontrol.Permission{
				{Action: "test:read", Scope: ""},
			},
		},
		Grants: []string{string(org.RoleViewer)},
	}))
	require.NoError(t, svc2.RegisterFixedRoles(ctx))

	require.NoError(t, sql.WithDbSession(ctx, func(sess *db.Session) error {
		var role accesscontrol.Role
		ok, err := sess.Table("role").Where("uid = ?", accesscontrol.BasicRoleUIDPrefix+"viewer").Get(&role)
		require.NoError(t, err)
		require.True(t, ok)

		var count int64
		count, err = sess.Table("permission").Where("role_id = ? AND action = ? AND scope = ?", role.ID, "test:read", "").Count()
		require.NoError(t, err)
		require.Equal(t, int64(1), count)

		count, err = sess.Table("permission").Where("role_id = ? AND action = ?", role.ID, "custom:keep").Count()
		require.NoError(t, err)
		require.Equal(t, int64(0), count)
		return nil
	}))
}