root
/
grafana
mirror of https://github.com/grafana/grafana.git
1
0
Fork 0
Code Issues Actions 254 Packages Projects Releases Wiki Activity
grafana/pkg/api/quota_test.go

191 lines
7.0 KiB
Go
Raw Normal View History

AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
package api
import (
Add auth spans and remove deduplication code for scopes (#89804) Adds more spans for timing in accesscontrol and remove permission deduplicating code after benchmarking --------- Signed-off-by: Dave Henderson <dave.henderson@grafana.com> Co-authored-by: Dave Henderson <dave.henderson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2024-07-03 14:08:57 +08:00
"context"
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
"fmt"
"net/http"
"strings"
"testing"
Access control: Use ResolveIdentity() for authorizing in org (#85549) * Access control: Use ResolveIdentity() for authorizing in org * Fix tests * Fix middleware tests * Use ResolveIdentity in HasGlobalAccess() function * remove makeTmpUser * Cleanup * Fix linter errors * Fix test build * Remove GetUserPermissionsInOrg()
2024-04-10 18:42:13 +08:00
"github.com/grafana/grafana/pkg/services/authn"
"github.com/grafana/grafana/pkg/services/authn/authntest"
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
"github.com/stretchr/testify/assert"
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line
2023-01-17 18:33:01 +08:00
"github.com/stretchr/testify/require"
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
"github.com/grafana/grafana/pkg/services/accesscontrol"
MESA: Allow using synced permissions (#71377) * wip * cover authorize in org behavior * revert export * fix org tests * change permissions nit
2023-07-12 18:28:04 +08:00
"github.com/grafana/grafana/pkg/services/accesscontrol/actest"
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line
2023-01-17 18:33:01 +08:00
"github.com/grafana/grafana/pkg/services/user"
"github.com/grafana/grafana/pkg/services/user/usertest"
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
"github.com/grafana/grafana/pkg/setting"
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line
2023-01-17 18:33:01 +08:00
"github.com/grafana/grafana/pkg/web/webtest"
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
)
var (
getCurrentOrgQuotasURL = "/api/org/quotas"
getOrgsQuotasURL = "/api/orgs/%v/quotas"
putOrgsQuotasURL = "/api/orgs/%v/quotas/%v"
testUpdateOrgQuotaCmd = `{ "limit": 20 }`
)
Chore: remove tests for legacy AC, update other tests to work with RBAC (#68895) * remove tests for legacy AC, update other tests to work with RBAC * update usage stat tests to use RBAC
2023-05-23 22:29:20 +08:00
func TestAPIEndpoint_GetCurrentOrgQuotas(t *testing.T) {
Chore: Refactor quota service (#58643) Chore: Refactor quota service (#57586) * Chore: refactore quota service * Apply suggestions from code review
2022-11-15 03:08:10 +08:00
cfg := setting.NewCfg()
cfg.Quota.Enabled = true
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line
2023-01-17 18:33:01 +08:00
server := SetupAPITestServer(t, func(hs *HTTPServer) {
hs.Cfg = cfg
})
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
t.Run("AccessControl allows viewing CurrentOrgQuotas with correct permissions", func(t *testing.T) {
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line
2023-01-17 18:33:01 +08:00
req := webtest.RequestWithSignedInUser(server.NewGetRequest(getCurrentOrgQuotasURL), userWithPermissions(1, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsQuotasRead}}))
res, err := server.Send(req)
require.NoError(t, err)
assert.Equal(t, http.StatusOK, res.StatusCode)
require.NoError(t, res.Body.Close())
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
})
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
t.Run("AccessControl prevents viewing CurrentOrgQuotas with correct permissions in another org", func(t *testing.T) {
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line
2023-01-17 18:33:01 +08:00
// Set permissions in org 2, but set current org to org 1
user := userWithPermissions(2, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsQuotasRead}})
user.OrgID = 1
req := webtest.RequestWithSignedInUser(server.NewGetRequest(getCurrentOrgQuotasURL), user)
res, err := server.Send(req)
require.NoError(t, err)
assert.Equal(t, http.StatusForbidden, res.StatusCode)
require.NoError(t, res.Body.Close())
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
})
t.Run("AccessControl prevents viewing CurrentOrgQuotas with incorrect permissions", func(t *testing.T) {
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line
2023-01-17 18:33:01 +08:00
req := webtest.RequestWithSignedInUser(server.NewGetRequest(getCurrentOrgQuotasURL), userWithPermissions(1, []accesscontrol.Permission{{Action: "orgs:invalid"}}))
res, err := server.Send(req)
require.NoError(t, err)
assert.Equal(t, http.StatusForbidden, res.StatusCode)
require.NoError(t, res.Body.Close())
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
})
}
Chore: remove tests for legacy AC, update other tests to work with RBAC (#68895) * remove tests for legacy AC, update other tests to work with RBAC * update usage stat tests to use RBAC
2023-05-23 22:29:20 +08:00
func TestAPIEndpoint_GetOrgQuotas(t *testing.T) {
Chore: Refactor quota service (#58643) Chore: Refactor quota service (#57586) * Chore: refactore quota service * Apply suggestions from code review
2022-11-15 03:08:10 +08:00
cfg := setting.NewCfg()
cfg.Quota.Enabled = true
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line
2023-01-17 18:33:01 +08:00
server := SetupAPITestServer(t, func(hs *HTTPServer) {
hs.Cfg = cfg
MESA: Allow using synced permissions (#71377) * wip * cover authorize in org behavior * revert export * fix org tests * change permissions nit
2023-07-12 18:28:04 +08:00
hs.accesscontrolService = &actest.FakeService{ExpectedPermissions: []accesscontrol.Permission{}}
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line
2023-01-17 18:33:01 +08:00
hs.userService = &usertest.FakeUserService{
ExpectedSignedInUser: &user.SignedInUser{OrgID: 2},
}
Access control: Use ResolveIdentity() for authorizing in org (#85549) * Access control: Use ResolveIdentity() for authorizing in org * Fix tests * Fix middleware tests * Use ResolveIdentity in HasGlobalAccess() function * remove makeTmpUser * Cleanup * Fix linter errors * Fix test build * Remove GetUserPermissionsInOrg()
2024-04-10 18:42:13 +08:00
hs.authnService = &authntest.FakeService{
ExpectedIdentity: &authn.Identity{OrgID: 1},
}
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line
2023-01-17 18:33:01 +08:00
})
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
t.Run("AccessControl allows viewing another org quotas with correct permissions", func(t *testing.T) {
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line
2023-01-17 18:33:01 +08:00
req := webtest.RequestWithSignedInUser(server.NewGetRequest(fmt.Sprintf(getOrgsQuotasURL, 2)), userWithPermissions(2, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsQuotasRead}}))
res, err := server.Send(req)
require.NoError(t, err)
assert.Equal(t, http.StatusOK, res.StatusCode)
require.NoError(t, res.Body.Close())
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
})
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
t.Run("AccessControl prevents viewing another org quotas with correct permissions in another org", func(t *testing.T) {
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line
2023-01-17 18:33:01 +08:00
// Set correct permissions in org 1 and empty permissions in org 2
user := userWithPermissions(1, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsQuotasRead}})
MESA: Allow using synced permissions (#71377) * wip * cover authorize in org behavior * revert export * fix org tests * change permissions nit
2023-07-12 18:28:04 +08:00
user.Permissions[2] = nil
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line
2023-01-17 18:33:01 +08:00
req := webtest.RequestWithSignedInUser(server.NewGetRequest(fmt.Sprintf(getOrgsQuotasURL, 2)), user)
res, err := server.Send(req)
require.NoError(t, err)
assert.Equal(t, http.StatusForbidden, res.StatusCode)
require.NoError(t, res.Body.Close())
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
})
t.Run("AccessControl prevents viewing another org quotas with incorrect permissions", func(t *testing.T) {
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line
2023-01-17 18:33:01 +08:00
req := webtest.RequestWithSignedInUser(server.NewGetRequest(fmt.Sprintf(getOrgsQuotasURL, 2)), userWithPermissions(2, []accesscontrol.Permission{{Action: "orgs:invalid"}}))
res, err := server.Send(req)
require.NoError(t, err)
assert.Equal(t, http.StatusForbidden, res.StatusCode)
require.NoError(t, res.Body.Close())
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
})
}
Chore: remove tests for legacy AC, update other tests to work with RBAC (#68895) * remove tests for legacy AC, update other tests to work with RBAC * update usage stat tests to use RBAC
2023-05-23 22:29:20 +08:00
func TestAPIEndpoint_PutOrgQuotas(t *testing.T) {
Access control: Use ResolveIdentity() for authorizing in org (#85549) * Access control: Use ResolveIdentity() for authorizing in org * Fix tests * Fix middleware tests * Use ResolveIdentity in HasGlobalAccess() function * remove makeTmpUser * Cleanup * Fix linter errors * Fix test build * Remove GetUserPermissionsInOrg()
2024-04-10 18:42:13 +08:00
type testCase struct {
desc string
userOrg int64
targetOrg int64
permissions map[int64][]accesscontrol.Permission
expectedCode int
}
tests := []testCase{
{
desc: "AccessControl allows updating another org quotas with correct permissions",
userOrg: 1,
targetOrg: 2,
permissions: map[int64][]accesscontrol.Permission{2: {{Action: accesscontrol.ActionOrgsQuotasWrite}}},
expectedCode: http.StatusOK,
Chore: Refactor quota service (#58643) Chore: Refactor quota service (#57586) * Chore: refactore quota service * Apply suggestions from code review
2022-11-15 03:08:10 +08:00
},
Access control: Use ResolveIdentity() for authorizing in org (#85549) * Access control: Use ResolveIdentity() for authorizing in org * Fix tests * Fix middleware tests * Use ResolveIdentity in HasGlobalAccess() function * remove makeTmpUser * Cleanup * Fix linter errors * Fix test build * Remove GetUserPermissionsInOrg()
2024-04-10 18:42:13 +08:00
{
desc: "AccessControl prevents updating another org quotas with correct permissions in another org",
userOrg: 1,
targetOrg: 2,
permissions: map[int64][]accesscontrol.Permission{1: {{Action: accesscontrol.ActionOrgsQuotasWrite}}},
expectedCode: http.StatusForbidden,
Chore: Refactor quota service (#58643) Chore: Refactor quota service (#57586) * Chore: refactore quota service * Apply suggestions from code review
2022-11-15 03:08:10 +08:00
},
Access control: Use ResolveIdentity() for authorizing in org (#85549) * Access control: Use ResolveIdentity() for authorizing in org * Fix tests * Fix middleware tests * Use ResolveIdentity in HasGlobalAccess() function * remove makeTmpUser * Cleanup * Fix linter errors * Fix test build * Remove GetUserPermissionsInOrg()
2024-04-10 18:42:13 +08:00
{
desc: "AccessControl prevents updating another org quotas with incorrect permissions",
userOrg: 2,
targetOrg: 2,
permissions: map[int64][]accesscontrol.Permission{2: {{Action: "orgs:invalid"}}},
expectedCode: http.StatusForbidden,
Chore: Refactor quota service (#58643) Chore: Refactor quota service (#57586) * Chore: refactore quota service * Apply suggestions from code review
2022-11-15 03:08:10 +08:00
},
}
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
Access control: Use ResolveIdentity() for authorizing in org (#85549) * Access control: Use ResolveIdentity() for authorizing in org * Fix tests * Fix middleware tests * Use ResolveIdentity in HasGlobalAccess() function * remove makeTmpUser * Cleanup * Fix linter errors * Fix test build * Remove GetUserPermissionsInOrg()
2024-04-10 18:42:13 +08:00
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
cfg := setting.NewCfg()
cfg.Quota = setting.QuotaSettings{
Enabled: true,
Global: setting.GlobalQuota{
Org: 5,
},
Org: setting.OrgQuota{
User: 5,
},
User: setting.UserQuota{
Org: 5,
},
}
fakeACService := &actest.FakeService{}
input := strings.NewReader(testUpdateOrgQuotaCmd)
expectedIdentity := &authn.Identity{
OrgID: tt.userOrg,
Permissions: map[int64]map[string][]string{},
}
for orgID, permissions := range tt.permissions {
Add auth spans and remove deduplication code for scopes (#89804) Adds more spans for timing in accesscontrol and remove permission deduplicating code after benchmarking --------- Signed-off-by: Dave Henderson <dave.henderson@grafana.com> Co-authored-by: Dave Henderson <dave.henderson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2024-07-03 14:08:57 +08:00
expectedIdentity.Permissions[orgID] = accesscontrol.GroupScopesByActionContext(context.Background(), permissions)
Access control: Use ResolveIdentity() for authorizing in org (#85549) * Access control: Use ResolveIdentity() for authorizing in org * Fix tests * Fix middleware tests * Use ResolveIdentity in HasGlobalAccess() function * remove makeTmpUser * Cleanup * Fix linter errors * Fix test build * Remove GetUserPermissionsInOrg()
2024-04-10 18:42:13 +08:00
}
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
Access control: Use ResolveIdentity() for authorizing in org (#85549) * Access control: Use ResolveIdentity() for authorizing in org * Fix tests * Fix middleware tests * Use ResolveIdentity in HasGlobalAccess() function * remove makeTmpUser * Cleanup * Fix linter errors * Fix test build * Remove GetUserPermissionsInOrg()
2024-04-10 18:42:13 +08:00
server := SetupAPITestServer(t, func(hs *HTTPServer) {
hs.Cfg = cfg
hs.accesscontrolService = fakeACService
hs.userService = &usertest.FakeUserService{
ExpectedSignedInUser: &user.SignedInUser{OrgID: tt.userOrg},
}
hs.authnService = &authntest.FakeService{
ExpectedIdentity: expectedIdentity,
}
})
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
Access control: Use ResolveIdentity() for authorizing in org (#85549) * Access control: Use ResolveIdentity() for authorizing in org * Fix tests * Fix middleware tests * Use ResolveIdentity in HasGlobalAccess() function * remove makeTmpUser * Cleanup * Fix linter errors * Fix test build * Remove GetUserPermissionsInOrg()
2024-04-10 18:42:13 +08:00
user := userWithPermissions(tt.userOrg, getFirstOrgPermissions(tt.permissions))
fakeACService.ExpectedPermissions = []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsQuotasWrite}}
req := webtest.RequestWithSignedInUser(server.NewRequest(http.MethodPut, fmt.Sprintf(putOrgsQuotasURL, tt.targetOrg, "org_user"), input), user)
response, err := server.SendJSON(req)
require.NoError(t, err)
assert.Equal(t, tt.expectedCode, response.StatusCode)
require.NoError(t, response.Body.Close())
})
}
}
func getFirstOrgPermissions(p map[int64][]accesscontrol.Permission) []accesscontrol.Permission {
for _, permissions := range p {
return permissions
}
return []accesscontrol.Permission{}
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
}