edcd113054
* remove API key roles * remove API key gen * remove frontend and doc mentions * restore legacy keygen * restore codeowners * prettier * update swagger * remove permissions including apikeys * add migrator for removing deprecated permissions * add tracing * update openapi3 * simplify migrator for now * accesscontrol/migrator: remove batching for deprecated permissions deletion
package migrator
import (
"context"
"fmt"
"strings"
"testing"
"time"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/grafana/grafana/pkg/infra/db"
"github.com/grafana/grafana/pkg/infra/log"
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/sqlstore"
"github.com/grafana/grafana/pkg/tests/testsuite"
"github.com/grafana/grafana/pkg/util/testutil"
)
// TestMain hands the package's test run over to testsuite.Run.
func TestMain(m *testing.M) {
	testsuite.Run(m)
}
// batchInsertPermissions writes permission fixtures for role 1 through
// sqlStore. Every row uses the action "action" and a scope of the form
// "resource:uid:<n>", where n is the one-based position of the row inside the
// range that batch passes to the callback. Chunking is delegated to batch with
// the package-level batchSize; whatever error batch reports is returned.
func batchInsertPermissions(cnt int, sqlStore db.DB) error {
	createdAt := time.Now()

	// insertChunk builds the rows for [start, end) and inserts them in one session.
	insertChunk := func(start, end int) error {
		rows := make([]ac.Permission, 0, end-start)
		for idx := start; idx < end; idx++ {
			rows = append(rows, ac.Permission{
				RoleID:  1,
				Action:  "action",
				Scope:   fmt.Sprintf("resource:uid:%v", idx+1),
				Created: createdAt,
				Updated: createdAt,
			})
		}

		return sqlStore.WithDbSession(context.Background(), func(sess *db.Session) error {
			_, insertErr := sess.Insert(rows)
			return insertErr
		})
	}

	return batch(cnt, batchSize, insertChunk)
}
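// TestIntegrationMigrateScopeSplitTruncation runs MigrateScopeSplit over a
// populated permission table and checks the truncation of split scope parts:
// a scope made of three 60-character parts must end up with Kind, Attribute
// and Identifier cut to 40 characters each.
func TestIntegrationMigrateScopeSplitTruncation(t *testing.T) {
	testutil.SkipIntegrationTestInShortMode(t)

	sqlStore := db.InitTestDB(t)
	logger := log.New("accesscontrol.migrator.test")

	// batchSize is package-level state shared with the other tests in this
	// file; restore it so they do not inherit the value chosen here.
	originalBatchSize := batchSize
	batchSize = 20
	defer func() { batchSize = originalBatchSize }()

	// Populate permissions
	require.NoError(t, batchInsertPermissions(3*batchSize, sqlStore), "could not insert permissions")

	// Insert a permission whose scope parts are 60 characters each, i.e. longer
	// than the 40 characters the assertions below expect after the split.
	longScope := strings.Repeat("a", 60) + ":" + strings.Repeat("b", 60) + ":" + strings.Repeat("c", 60)
	permission := ac.Permission{
		RoleID:  1,
		Action:  "action",
		Scope:   longScope,
		Created: time.Now(),
		Updated: time.Now(),
	}
	require.NoError(t, sqlStore.WithDbSession(context.Background(), func(sess *db.Session) error {
		_, err := sess.Insert(permission)
		return err
	}), "could not insert permission with long scope")

	// Migrate
	require.NoError(t, MigrateScopeSplit(sqlStore, logger))

	// Check migration result
	permissions := make([]ac.Permission, 0, 3*batchSize+1)
	errFind := sqlStore.WithDbSession(context.Background(), func(sess *sqlstore.DBSession) error {
		return sess.Find(&permissions)
	})
	require.NoError(t, errFind, "could not find permissions in store")

	// Track whether the long-scope row was seen at all: without this the
	// truncation assertions are skipped silently and the test passes vacuously
	// when the row is missing or its Scope column no longer matches.
	found := false
	for i := range permissions {
		if permissions[i].Scope != longScope {
			continue
		}
		found = true
		assert.Equal(t, strings.Repeat("a", 40), permissions[i].Kind)
		assert.Equal(t, strings.Repeat("b", 40), permissions[i].Attribute)
		assert.Equal(t, strings.Repeat("c", 40), permissions[i].Identifier)
	}
	assert.True(t, found, "permission with long scope not found after migration")
}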
// batchInsertTestPermissions writes permission fixtures for role 1 whose action
// is "<actionPrefix>:<verb>" (verb cycling through read, write, delete by row
// index) and whose scope is "<actionPrefix>:uid:<index+1>". Chunking is
// delegated to batch with the package-level batchSize.
func batchInsertTestPermissions(cnt int, sqlStore db.DB, actionPrefix string) error {
	createdAt := time.Now()
	verbs := []string{"read", "write", "delete"}

	// insertChunk builds the rows for [start, end) and inserts them in one session.
	insertChunk := func(start, end int) error {
		rows := make([]ac.Permission, 0, end-start)
		for idx := start; idx < end; idx++ {
			verb := verbs[idx%len(verbs)]
			rows = append(rows, ac.Permission{
				RoleID:  1,
				Action:  actionPrefix + ":" + verb,
				Scope:   fmt.Sprintf("%s:uid:%v", actionPrefix, idx+1),
				Created: createdAt,
				Updated: createdAt,
			})
		}

		return sqlStore.WithDbSession(context.Background(), func(sess *db.Session) error {
			_, insertErr := sess.Insert(rows)
			return insertErr
		})
	}

	return batch(cnt, batchSize, insertChunk)
}
// TestIntegrationMigrateRemoveDeprecatedPermissions checks that
// MigrateRemoveDeprecatedPermissions deletes the "apikeys" fixtures and leaves
// the "dashboards" fixtures in place.
func TestIntegrationMigrateRemoveDeprecatedPermissions(t *testing.T) {
	testutil.SkipIntegrationTestInShortMode(t)

	sqlStore := db.InitTestDB(t)
	logger := log.New("accesscontrol.migrator.test")

	// loadAll fetches the permission rows with an unconditioned Find.
	loadAll := func() ([]ac.Permission, error) {
		var rows []ac.Permission
		findErr := sqlStore.WithDbSession(context.Background(), func(sess *db.Session) error {
			return sess.Find(&rows)
		})
		return rows, findErr
	}

	// Test 1: basic functionality, deprecated permissions are removed.
	t.Run("removes deprecated permissions", func(t *testing.T) {
		// Five deprecated rows (apikeys prefix) plus three rows that must survive.
		// NOTE(review): the deprecated fixtures carry the apikeys prefix in both
		// Action and Scope, so this test cannot tell which column the migrator
		// matches on; a fixture with the prefix in only one of them would pin it down.
		require.NoError(t, batchInsertTestPermissions(5, sqlStore, "apikeys"), "could not insert deprecated permissions")
		require.NoError(t, batchInsertTestPermissions(3, sqlStore, "dashboards"), "could not insert non-deprecated permissions")

		// Baseline before the migration runs.
		before, err := loadAll()
		require.NoError(t, err, "could not count permissions before migration")
		assert.Equal(t, 8, len(before), "expected 8 permissions before migration")

		require.NoError(t, MigrateRemoveDeprecatedPermissions(sqlStore, logger))

		// State after the migration.
		after, err := loadAll()
		require.NoError(t, err, "could not count permissions after migration")
		assert.Equal(t, 3, len(after), "expected 3 permissions after migration")

		// None of the surviving actions may mention the deprecated prefix.
		for idx := range after {
			assert.NotContains(t, after[idx].Action, "apikeys:", "deprecated permission should have been removed")
		}
	})
}
// TestIntegrationMigrateRemoveDeprecatedPermissionsEmptyDB checks that
// MigrateRemoveDeprecatedPermissions returns no error when no permission
// fixtures were inserted, and that the table is still empty afterwards.
func TestIntegrationMigrateRemoveDeprecatedPermissionsEmptyDB(t *testing.T) {
	testutil.SkipIntegrationTestInShortMode(t)

	sqlStore := db.InitTestDB(t)
	logger := log.New("accesscontrol.migrator.test")

	// Nothing is inserted first: the migration runs against the freshly initialised test DB.
	migrateErr := MigrateRemoveDeprecatedPermissions(sqlStore, logger)
	require.NoError(t, migrateErr)

	// Read back whatever permissions exist; none are expected.
	var stored []ac.Permission
	findAll := func(sess *db.Session) error {
		return sess.Find(&stored)
	}
	err := sqlStore.WithDbSession(context.Background(), findAll)
	require.NoError(t, err, "could not query permissions")
	assert.Empty(t, stored, "expected no permissions in empty database")
}
// TestIntegrationMigrateRemoveDeprecatedPermissionsBatchProcessing runs the
// removal migration with batchSize lowered to 3 and more deprecated rows (10)
// than that, then checks that only the two "folders" rows survive.
func TestIntegrationMigrateRemoveDeprecatedPermissionsBatchProcessing(t *testing.T) {
	testutil.SkipIntegrationTestInShortMode(t)

	sqlStore := db.InitTestDB(t)
	logger := log.New("accesscontrol.migrator.test")

	// Shrink the package-level batch size for this test only; the deferred call
	// captures the current value now and puts it back on return.
	// NOTE(review): the commit summary on this page mentions removing batching from
	// the deprecated-permission deletion; if so, batchSize only shapes the insert
	// helper here. Confirm against MigrateRemoveDeprecatedPermissions.
	defer func(previous int) { batchSize = previous }(batchSize)
	batchSize = 3

	// loadAll fetches the permission rows with an unconditioned Find.
	loadAll := func() ([]ac.Permission, error) {
		var rows []ac.Permission
		findErr := sqlStore.WithDbSession(context.Background(), func(sess *db.Session) error {
			return sess.Find(&rows)
		})
		return rows, findErr
	}

	// Ten deprecated rows (more than one batch) and two rows that must survive.
	require.NoError(t, batchInsertTestPermissions(10, sqlStore, "apikeys"), "could not insert deprecated permissions")
	require.NoError(t, batchInsertTestPermissions(2, sqlStore, "folders"), "could not insert non-deprecated permissions")

	// Baseline before the migration runs.
	before, err := loadAll()
	require.NoError(t, err, "could not count permissions before migration")
	assert.Equal(t, 12, len(before), "expected 12 permissions before migration")

	require.NoError(t, MigrateRemoveDeprecatedPermissions(sqlStore, logger))

	// State after the migration.
	after, err := loadAll()
	require.NoError(t, err, "could not count permissions after migration")
	assert.Equal(t, 2, len(after), "expected 2 permissions after migration")

	// Every survivor must be a folders action and must not mention apikeys.
	for idx := range after {
		action := after[idx].Action
		assert.NotContains(t, action, "apikeys:", "deprecated permission should have been removed")
		assert.Contains(t, action, "folders:", "non-deprecated permission should remain")
	}
}
// TestIntegrationMigrateRemoveDeprecatedPermissionsNoDeprecated checks that the
// removal migration deletes nothing when only "users" fixtures are present.
func TestIntegrationMigrateRemoveDeprecatedPermissionsNoDeprecated(t *testing.T) {
	testutil.SkipIntegrationTestInShortMode(t)

	sqlStore := db.InitTestDB(t)
	logger := log.New("accesscontrol.migrator.test")

	// loadAll fetches the permission rows with an unconditioned Find.
	loadAll := func() ([]ac.Permission, error) {
		var rows []ac.Permission
		findErr := sqlStore.WithDbSession(context.Background(), func(sess *db.Session) error {
			return sess.Find(&rows)
		})
		return rows, findErr
	}

	// Only rows the migration is expected to keep.
	require.NoError(t, batchInsertTestPermissions(5, sqlStore, "users"), "could not insert non-deprecated permissions")

	// Baseline before the migration runs.
	before, err := loadAll()
	require.NoError(t, err, "could not count permissions before migration")
	assert.Equal(t, 5, len(before), "expected 5 permissions before migration")

	require.NoError(t, MigrateRemoveDeprecatedPermissions(sqlStore, logger))

	// State after the migration: the row count must be unchanged.
	after, err := loadAll()
	require.NoError(t, err, "could not count permissions after migration")
	assert.Equal(t, 5, len(after), "expected 5 permissions after migration (none should be removed)")

	// Every row is still a users action.
	for idx := range after {
		action := after[idx].Action
		assert.NotContains(t, action, "apikeys:", "no deprecated permissions should exist")
		assert.Contains(t, action, "users:", "non-deprecated permissions should remain")
	}
}
// TestIntegrationMigrateRemoveDeprecatedPermissionsMixedPatterns mixes three
// "apikeys" fixtures with "dashboards", "folders" and "datasources" fixtures
// and checks that the removal migration deletes only the former.
func TestIntegrationMigrateRemoveDeprecatedPermissionsMixedPatterns(t *testing.T) {
	testutil.SkipIntegrationTestInShortMode(t)

	sqlStore := db.InitTestDB(t)
	logger := log.New("accesscontrol.migrator.test")

	// loadAll fetches the permission rows with an unconditioned Find.
	loadAll := func() ([]ac.Permission, error) {
		var rows []ac.Permission
		findErr := sqlStore.WithDbSession(context.Background(), func(sess *db.Session) error {
			return sess.Find(&rows)
		})
		return rows, findErr
	}

	// Deprecated rows.
	require.NoError(t, batchInsertTestPermissions(3, sqlStore, "apikeys"), "could not insert deprecated permissions")

	// Rows from several other action families that must survive.
	require.NoError(t, batchInsertTestPermissions(2, sqlStore, "dashboards"), "could not insert dashboard permissions")
	require.NoError(t, batchInsertTestPermissions(2, sqlStore, "folders"), "could not insert folder permissions")
	require.NoError(t, batchInsertTestPermissions(2, sqlStore, "datasources"), "could not insert datasource permissions")

	// Baseline before the migration runs.
	before, err := loadAll()
	require.NoError(t, err, "could not count permissions before migration")
	assert.Equal(t, 9, len(before), "expected 9 permissions before migration")

	require.NoError(t, MigrateRemoveDeprecatedPermissions(sqlStore, logger))

	// State after the migration.
	after, err := loadAll()
	require.NoError(t, err, "could not count permissions after migration")
	assert.Equal(t, 6, len(after), "expected 6 permissions after migration")

	// Tally survivors by whether their action starts with the deprecated prefix.
	var deprecatedCount, validCount int
	for idx := range after {
		if strings.HasPrefix(after[idx].Action, "apikeys:") {
			deprecatedCount++
			continue
		}
		validCount++
	}
	assert.Equal(t, 0, deprecatedCount, "no deprecated permissions should remain")
	assert.Equal(t, 6, validCount, "expected 6 valid permissions to remain")
}