Alexander Zobnin
5922015fec
* Zanzana: Setup GRPC authentication in client/server mode * don't use grpcutils * refactor Co-authored-by: Karl Persson <kalle.persson@grafana.com> * Add a namespace stub for in-proc mode Co-authored-by: Karl Persson <kalle.persson@grafana.com> * Read parameters from config * authorize server requests * add namespace to the tests context * use stack id from config * simplify authorize func * properly format namespace * return Unauthenticated if namespace is empty * use insecure cred only in dev env * check request namespace * Use CallCredentials API for client auth * provide config * fail if stack id is missing * improve error message * use insecure connection by default --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com>
194 lines
8.5 KiB
Go
194 lines
8.5 KiB
Go
package server
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"github.com/grafana/grafana/pkg/apimachinery/utils"
|
|
authzextv1 "github.com/grafana/grafana/pkg/services/authz/proto/v1"
|
|
"github.com/grafana/grafana/pkg/services/authz/zanzana/common"
|
|
)
|
|
|
|
func testBatchCheck(t *testing.T, server *Server) {
|
|
newReq := func(subject, verb, group, resource, subresource string, items []*authzextv1.BatchCheckItem) *authzextv1.BatchCheckRequest {
|
|
for i, item := range items {
|
|
items[i] = &authzextv1.BatchCheckItem{
|
|
Verb: verb,
|
|
Group: group,
|
|
Resource: resource,
|
|
Subresource: subresource,
|
|
Name: item.GetName(),
|
|
Folder: item.GetFolder(),
|
|
}
|
|
}
|
|
|
|
return &authzextv1.BatchCheckRequest{
|
|
Namespace: namespace,
|
|
Subject: subject,
|
|
Items: items,
|
|
}
|
|
}
|
|
|
|
t.Run("user:1 should only be able to read resource:dashboard.grafana.app/dashboards/1", func(t *testing.T) {
|
|
groupResource := common.FormatGroupResource(dashboardGroup, dashboardResource, "")
|
|
res, err := server.BatchCheck(newContextWithNamespace(), newReq("user:1", utils.VerbGet, dashboardGroup, dashboardResource, "", []*authzextv1.BatchCheckItem{
|
|
{Name: "1", Folder: "1"},
|
|
{Name: "2", Folder: "2"},
|
|
}))
|
|
require.NoError(t, err)
|
|
require.Len(t, res.Groups[groupResource].Items, 2)
|
|
|
|
assert.True(t, res.Groups[groupResource].Items["1"])
|
|
assert.False(t, res.Groups[groupResource].Items["2"])
|
|
})
|
|
|
|
t.Run("user:2 should be able to read resource:dashboard.grafana.app/dashboards/{1,2} through group_resource", func(t *testing.T) {
|
|
groupResource := common.FormatGroupResource(dashboardGroup, dashboardResource, "")
|
|
res, err := server.BatchCheck(newContextWithNamespace(), newReq("user:2", utils.VerbGet, dashboardGroup, dashboardResource, "", []*authzextv1.BatchCheckItem{
|
|
{Name: "1", Folder: "1"},
|
|
{Name: "2", Folder: "2"},
|
|
}))
|
|
require.NoError(t, err)
|
|
assert.Len(t, res.Groups[groupResource].Items, 2)
|
|
})
|
|
|
|
t.Run("user:3 should be able to read resource:dashboard.grafana.app/dashboards/1 with set relation", func(t *testing.T) {
|
|
groupResource := common.FormatGroupResource(dashboardGroup, dashboardResource, "")
|
|
res, err := server.BatchCheck(newContextWithNamespace(), newReq("user:3", utils.VerbGet, dashboardGroup, dashboardResource, "", []*authzextv1.BatchCheckItem{
|
|
{Name: "1", Folder: "1"},
|
|
{Name: "2", Folder: "2"},
|
|
}))
|
|
require.NoError(t, err)
|
|
require.Len(t, res.Groups[groupResource].Items, 2)
|
|
|
|
assert.True(t, res.Groups[groupResource].Items["1"])
|
|
assert.False(t, res.Groups[groupResource].Items["2"])
|
|
})
|
|
|
|
t.Run("user:4 should be able to read all dashboard.grafana.app/dashboards in folder 1 and 3", func(t *testing.T) {
|
|
groupResource := common.FormatGroupResource(dashboardGroup, dashboardResource, "")
|
|
res, err := server.BatchCheck(newContextWithNamespace(), newReq("user:4", utils.VerbGet, dashboardGroup, dashboardResource, "", []*authzextv1.BatchCheckItem{
|
|
{Name: "1", Folder: "1"},
|
|
{Name: "2", Folder: "3"},
|
|
{Name: "3", Folder: "2"},
|
|
}))
|
|
require.NoError(t, err)
|
|
require.Len(t, res.Groups[groupResource].Items, 3)
|
|
|
|
assert.True(t, res.Groups[groupResource].Items["1"])
|
|
assert.True(t, res.Groups[groupResource].Items["2"])
|
|
assert.False(t, res.Groups[groupResource].Items["3"])
|
|
})
|
|
|
|
t.Run("user:5 should be able to read resource:dashboard.grafana.app/dashboards/1 through folder with set relation", func(t *testing.T) {
|
|
groupResource := common.FormatGroupResource(dashboardGroup, dashboardResource, "")
|
|
res, err := server.BatchCheck(newContextWithNamespace(), newReq("user:5", utils.VerbGet, dashboardGroup, dashboardResource, "", []*authzextv1.BatchCheckItem{
|
|
{Name: "1", Folder: "1"},
|
|
{Name: "2", Folder: "2"},
|
|
}))
|
|
require.NoError(t, err)
|
|
require.Len(t, res.Groups[groupResource].Items, 2)
|
|
|
|
assert.True(t, res.Groups[groupResource].Items["1"])
|
|
assert.False(t, res.Groups[groupResource].Items["2"])
|
|
})
|
|
|
|
t.Run("user:6 should be able to read folder 1", func(t *testing.T) {
|
|
groupResource := common.FormatGroupResource(folderGroup, folderResource, "")
|
|
res, err := server.BatchCheck(newContextWithNamespace(), newReq("user:6", utils.VerbGet, folderGroup, folderResource, "", []*authzextv1.BatchCheckItem{
|
|
{Name: "1"},
|
|
{Name: "2"},
|
|
}))
|
|
require.NoError(t, err)
|
|
require.Len(t, res.Groups[groupResource].Items, 2)
|
|
|
|
assert.True(t, res.Groups[groupResource].Items["1"])
|
|
assert.False(t, res.Groups[groupResource].Items["2"])
|
|
})
|
|
|
|
t.Run("user:7 should be able to read folder {1,2} through group_resource access", func(t *testing.T) {
|
|
groupResource := common.FormatGroupResource(folderGroup, folderResource, "")
|
|
res, err := server.BatchCheck(newContextWithNamespace(), newReq("user:7", utils.VerbGet, folderGroup, folderResource, "", []*authzextv1.BatchCheckItem{
|
|
{Name: "1"},
|
|
{Name: "2"},
|
|
}))
|
|
require.NoError(t, err)
|
|
require.Len(t, res.Groups[groupResource].Items, 2)
|
|
require.True(t, res.Groups[groupResource].Items["1"])
|
|
require.True(t, res.Groups[groupResource].Items["2"])
|
|
})
|
|
|
|
t.Run("user:8 should be able to read all resoruce:dashboard.grafana.app/dashboards in folder 6 through folder 5", func(t *testing.T) {
|
|
groupResource := common.FormatGroupResource(dashboardGroup, dashboardResource, "")
|
|
res, err := server.BatchCheck(newContextWithNamespace(), newReq("user:8", utils.VerbGet, dashboardGroup, dashboardResource, "", []*authzextv1.BatchCheckItem{
|
|
{Name: "10", Folder: "6"},
|
|
{Name: "20", Folder: "6"},
|
|
}))
|
|
require.NoError(t, err)
|
|
require.Len(t, res.Groups[groupResource].Items, 2)
|
|
require.True(t, res.Groups[groupResource].Items["10"])
|
|
require.True(t, res.Groups[groupResource].Items["20"])
|
|
})
|
|
|
|
t.Run("user:9 should be able to create dashboards in folder 6 through folder 5", func(t *testing.T) {
|
|
groupResource := common.FormatGroupResource(dashboardGroup, dashboardResource, "")
|
|
res, err := server.BatchCheck(newContextWithNamespace(), newReq("user:9", utils.VerbCreate, dashboardGroup, dashboardResource, "", []*authzextv1.BatchCheckItem{
|
|
{Name: "10", Folder: "6"},
|
|
{Name: "20", Folder: "6"},
|
|
}))
|
|
require.NoError(t, err)
|
|
t.Log(res.Groups)
|
|
require.Len(t, res.Groups[groupResource].Items, 2)
|
|
require.True(t, res.Groups[groupResource].Items["10"])
|
|
require.True(t, res.Groups[groupResource].Items["20"])
|
|
})
|
|
|
|
t.Run("user:10 should be able to get dashboard status for 10 and 11", func(t *testing.T) {
|
|
groupResource := common.FormatGroupResource(dashboardGroup, dashboardResource, statusSubresource)
|
|
res, err := server.BatchCheck(newContextWithNamespace(), newReq("user:10", utils.VerbGet, dashboardGroup, dashboardResource, statusSubresource, []*authzextv1.BatchCheckItem{
|
|
{Name: "10", Folder: "6"},
|
|
{Name: "11", Folder: "6"},
|
|
{Name: "12", Folder: "6"},
|
|
}))
|
|
require.NoError(t, err)
|
|
t.Log(res.Groups)
|
|
require.Len(t, res.Groups[groupResource].Items, 3)
|
|
require.True(t, res.Groups[groupResource].Items["10"])
|
|
require.True(t, res.Groups[groupResource].Items["11"])
|
|
require.False(t, res.Groups[groupResource].Items["12"])
|
|
})
|
|
|
|
t.Run("user:11 should be able to get dashboard status for 10, 11 and 12 through group_resource", func(t *testing.T) {
|
|
groupResource := common.FormatGroupResource(dashboardGroup, dashboardResource, statusSubresource)
|
|
res, err := server.BatchCheck(newContextWithNamespace(), newReq("user:11", utils.VerbGet, dashboardGroup, dashboardResource, statusSubresource, []*authzextv1.BatchCheckItem{
|
|
{Name: "10", Folder: "6"},
|
|
{Name: "11", Folder: "6"},
|
|
{Name: "12", Folder: "6"},
|
|
}))
|
|
require.NoError(t, err)
|
|
t.Log(res.Groups)
|
|
require.Len(t, res.Groups[groupResource].Items, 3)
|
|
require.True(t, res.Groups[groupResource].Items["10"])
|
|
require.True(t, res.Groups[groupResource].Items["11"])
|
|
require.True(t, res.Groups[groupResource].Items["12"])
|
|
})
|
|
|
|
t.Run("user:12 should be able to get dashboard status in folder 5 and 6", func(t *testing.T) {
|
|
groupResource := common.FormatGroupResource(dashboardGroup, dashboardResource, statusSubresource)
|
|
res, err := server.BatchCheck(newContextWithNamespace(), newReq("user:12", utils.VerbGet, dashboardGroup, dashboardResource, statusSubresource, []*authzextv1.BatchCheckItem{
|
|
{Name: "10", Folder: "5"},
|
|
{Name: "11", Folder: "6"},
|
|
{Name: "12", Folder: "6"},
|
|
{Name: "13", Folder: "1"},
|
|
}))
|
|
require.NoError(t, err)
|
|
require.Len(t, res.Groups[groupResource].Items, 4)
|
|
require.True(t, res.Groups[groupResource].Items["10"])
|
|
require.True(t, res.Groups[groupResource].Items["11"])
|
|
require.True(t, res.Groups[groupResource].Items["12"])
|
|
require.False(t, res.Groups[groupResource].Items["13"])
|
|
})
|
|
}
|