2021-11-11 23:10:24 +08:00
|
|
|
package api
|
|
|
|
|
|
|
|
|
|
import (
|
2022-02-17 20:19:58 +08:00
|
|
|
"bytes"
|
2021-11-11 23:10:24 +08:00
|
|
|
"context"
|
2022-01-19 17:23:46 +08:00
|
|
|
"encoding/json"
|
2021-11-11 23:10:24 +08:00
|
|
|
"fmt"
|
2022-02-17 20:19:58 +08:00
|
|
|
"io"
|
2021-11-11 23:10:24 +08:00
|
|
|
"net/http"
|
|
|
|
|
"net/http/httptest"
|
2022-07-08 17:53:18 +08:00
|
|
|
"strconv"
|
2021-11-11 23:10:24 +08:00
|
|
|
"testing"
|
|
|
|
|
|
|
|
|
|
"github.com/grafana/grafana/pkg/api/routing"
|
2022-06-15 20:59:40 +08:00
|
|
|
"github.com/grafana/grafana/pkg/infra/kvstore"
|
2021-11-11 23:10:24 +08:00
|
|
|
"github.com/grafana/grafana/pkg/infra/log"
|
|
|
|
|
"github.com/grafana/grafana/pkg/models"
|
|
|
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
|
|
|
|
accesscontrolmock "github.com/grafana/grafana/pkg/services/accesscontrol/mock"
|
2022-07-08 17:53:18 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol/ossaccesscontrol"
|
2022-08-03 20:13:05 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/apikey/apikeyimpl"
|
2022-05-21 00:45:18 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/contexthandler/ctxkey"
|
2022-07-08 17:53:18 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/licensing"
|
2022-08-10 17:56:48 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/org"
|
2022-09-23 17:59:07 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/org/orgimpl"
|
2021-11-11 23:10:24 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/serviceaccounts"
|
2022-02-18 18:43:33 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/serviceaccounts/database"
|
2021-11-11 23:10:24 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/serviceaccounts/tests"
|
|
|
|
|
"github.com/grafana/grafana/pkg/services/sqlstore"
|
2022-09-23 01:16:21 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/team/teamimpl"
|
2022-08-10 17:56:48 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/user"
|
2022-02-07 21:51:54 +08:00
|
|
|
"github.com/grafana/grafana/pkg/setting"
|
2021-12-13 22:56:14 +08:00
|
|
|
"github.com/grafana/grafana/pkg/web"
|
2022-02-17 20:19:58 +08:00
|
|
|
"github.com/stretchr/testify/assert"
|
2021-11-11 23:10:24 +08:00
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var (
|
2022-03-08 19:07:58 +08:00
|
|
|
serviceAccountPath = "/api/serviceaccounts/"
|
|
|
|
|
serviceAccountIDPath = serviceAccountPath + "%v"
|
2021-11-11 23:10:24 +08:00
|
|
|
)
|
|
|
|
|
|
2022-03-08 19:07:58 +08:00
|
|
|
func TestServiceAccountsAPI_CreateServiceAccount(t *testing.T) {
|
|
|
|
|
store := sqlstore.InitTestDB(t)
|
2022-08-03 20:13:05 +08:00
|
|
|
apiKeyService := apikeyimpl.ProvideService(store, store.Cfg)
|
2022-06-15 20:59:40 +08:00
|
|
|
kvStore := kvstore.ProvideService(store)
|
2022-09-23 17:59:07 +08:00
|
|
|
orgService := orgimpl.ProvideService(store, setting.NewCfg())
|
|
|
|
|
saStore := database.ProvideServiceAccountsStore(store, apiKeyService, kvStore, orgService)
|
2022-03-08 19:07:58 +08:00
|
|
|
svcmock := tests.ServiceAccountMock{}
|
|
|
|
|
|
2022-06-07 21:49:18 +08:00
|
|
|
autoAssignOrg := store.Cfg.AutoAssignOrg
|
|
|
|
|
store.Cfg.AutoAssignOrg = true
|
2022-03-08 19:07:58 +08:00
|
|
|
defer func() {
|
2022-06-07 21:49:18 +08:00
|
|
|
store.Cfg.AutoAssignOrg = autoAssignOrg
|
2022-03-08 19:07:58 +08:00
|
|
|
}()
|
|
|
|
|
|
|
|
|
|
orgCmd := &models.CreateOrgCommand{Name: "Some Test Org"}
|
2022-04-26 01:07:11 +08:00
|
|
|
err := store.CreateOrg(context.Background(), orgCmd)
|
2022-03-08 19:07:58 +08:00
|
|
|
require.Nil(t, err)
|
|
|
|
|
|
|
|
|
|
type testCreateSATestCase struct {
|
|
|
|
|
desc string
|
|
|
|
|
body map[string]interface{}
|
|
|
|
|
expectedCode int
|
|
|
|
|
wantID string
|
|
|
|
|
wantError string
|
|
|
|
|
acmock *accesscontrolmock.Mock
|
|
|
|
|
}
|
|
|
|
|
testCases := []testCreateSATestCase{
|
|
|
|
|
{
|
2022-07-08 00:32:56 +08:00
|
|
|
desc: "should be ok to create service account with permissions",
|
|
|
|
|
body: map[string]interface{}{"name": "New SA", "role": "Viewer", "is_disabled": "false"},
|
2022-03-08 19:07:58 +08:00
|
|
|
wantID: "sa-new-sa",
|
|
|
|
|
acmock: tests.SetupMockAccesscontrol(
|
|
|
|
|
t,
|
2022-08-10 17:56:48 +08:00
|
|
|
func(c context.Context, siu *user.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
|
2022-06-14 16:17:48 +08:00
|
|
|
return []accesscontrol.Permission{{Action: serviceaccounts.ActionCreate}}, nil
|
2022-03-08 19:07:58 +08:00
|
|
|
},
|
|
|
|
|
false,
|
|
|
|
|
),
|
|
|
|
|
expectedCode: http.StatusCreated,
|
|
|
|
|
},
|
2022-07-08 00:32:56 +08:00
|
|
|
{
|
|
|
|
|
desc: "should fail to create a service account with higher privilege",
|
|
|
|
|
body: map[string]interface{}{"name": "New SA HP", "role": "Admin"},
|
|
|
|
|
wantID: "sa-new-sa-hp",
|
|
|
|
|
acmock: tests.SetupMockAccesscontrol(
|
|
|
|
|
t,
|
2022-08-10 17:56:48 +08:00
|
|
|
func(c context.Context, siu *user.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
|
2022-07-08 00:32:56 +08:00
|
|
|
return []accesscontrol.Permission{{Action: serviceaccounts.ActionCreate}}, nil
|
|
|
|
|
},
|
|
|
|
|
false,
|
|
|
|
|
),
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
desc: "should fail to create a service account with invalid role",
|
|
|
|
|
body: map[string]interface{}{"name": "New SA", "role": "Random"},
|
|
|
|
|
wantID: "sa-new-sa",
|
|
|
|
|
wantError: "invalid role value: Random",
|
|
|
|
|
acmock: tests.SetupMockAccesscontrol(
|
|
|
|
|
t,
|
2022-08-10 17:56:48 +08:00
|
|
|
func(c context.Context, siu *user.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
|
2022-07-08 00:32:56 +08:00
|
|
|
return []accesscontrol.Permission{{Action: serviceaccounts.ActionCreate}}, nil
|
|
|
|
|
},
|
|
|
|
|
false,
|
|
|
|
|
),
|
|
|
|
|
expectedCode: http.StatusBadRequest,
|
|
|
|
|
},
|
2022-03-08 19:07:58 +08:00
|
|
|
{
|
|
|
|
|
desc: "not ok - duplicate name",
|
|
|
|
|
body: map[string]interface{}{"name": "New SA"},
|
2022-06-16 22:02:03 +08:00
|
|
|
wantError: "service account already exists",
|
2022-03-08 19:07:58 +08:00
|
|
|
acmock: tests.SetupMockAccesscontrol(
|
|
|
|
|
t,
|
2022-08-10 17:56:48 +08:00
|
|
|
func(c context.Context, siu *user.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
|
2022-06-14 16:17:48 +08:00
|
|
|
return []accesscontrol.Permission{{Action: serviceaccounts.ActionCreate}}, nil
|
2022-03-08 19:07:58 +08:00
|
|
|
},
|
|
|
|
|
false,
|
|
|
|
|
),
|
|
|
|
|
expectedCode: http.StatusBadRequest,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
desc: "not ok - missing name",
|
|
|
|
|
body: map[string]interface{}{},
|
|
|
|
|
wantError: "required value Name must not be empty",
|
|
|
|
|
acmock: tests.SetupMockAccesscontrol(
|
|
|
|
|
t,
|
2022-08-10 17:56:48 +08:00
|
|
|
func(c context.Context, siu *user.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
|
2022-06-14 16:17:48 +08:00
|
|
|
return []accesscontrol.Permission{{Action: serviceaccounts.ActionCreate}}, nil
|
2022-03-08 19:07:58 +08:00
|
|
|
},
|
|
|
|
|
false,
|
|
|
|
|
),
|
|
|
|
|
expectedCode: http.StatusBadRequest,
|
|
|
|
|
},
|
|
|
|
|
{
|
2022-07-08 00:32:56 +08:00
|
|
|
desc: "should be forbidden to create service account if no permissions",
|
2022-03-08 19:07:58 +08:00
|
|
|
body: map[string]interface{}{},
|
|
|
|
|
acmock: tests.SetupMockAccesscontrol(
|
|
|
|
|
t,
|
2022-08-10 17:56:48 +08:00
|
|
|
func(c context.Context, siu *user.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
|
2022-06-14 16:17:48 +08:00
|
|
|
return []accesscontrol.Permission{}, nil
|
2022-03-08 19:07:58 +08:00
|
|
|
},
|
|
|
|
|
false,
|
|
|
|
|
),
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var requestResponse = func(server *web.Mux, httpMethod, requestpath string, body io.Reader) *httptest.ResponseRecorder {
|
|
|
|
|
req, err := http.NewRequest(httpMethod, requestpath, body)
|
|
|
|
|
req.Header.Add("Content-Type", "application/json")
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
recorder := httptest.NewRecorder()
|
|
|
|
|
server.ServeHTTP(recorder, req)
|
|
|
|
|
return recorder
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
testUser := &tests.TestUser{}
|
|
|
|
|
for _, tc := range testCases {
|
|
|
|
|
t.Run(tc.desc, func(t *testing.T) {
|
2022-08-10 17:56:48 +08:00
|
|
|
serviceAccountRequestScenario(t, http.MethodPost, serviceAccountPath, testUser, func(httpmethod string, endpoint string, usr *tests.TestUser) {
|
2022-07-08 17:53:18 +08:00
|
|
|
server, api := setupTestServer(t, &svcmock, routing.NewRouteRegister(), tc.acmock, store, saStore)
|
2022-03-08 19:07:58 +08:00
|
|
|
marshalled, err := json.Marshal(tc.body)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
ioReader := bytes.NewReader(marshalled)
|
|
|
|
|
|
|
|
|
|
actual := requestResponse(server, httpmethod, endpoint, ioReader)
|
|
|
|
|
|
|
|
|
|
actualCode := actual.Code
|
|
|
|
|
actualBody := map[string]interface{}{}
|
|
|
|
|
|
|
|
|
|
err = json.Unmarshal(actual.Body.Bytes(), &actualBody)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
require.Equal(t, tc.expectedCode, actualCode, actualBody)
|
|
|
|
|
|
|
|
|
|
if actualCode == http.StatusCreated {
|
2022-07-08 17:53:18 +08:00
|
|
|
sa := serviceaccounts.ServiceAccountDTO{}
|
|
|
|
|
err = json.Unmarshal(actual.Body.Bytes(), &sa)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
assert.NotZero(t, sa.Id)
|
|
|
|
|
assert.Equal(t, tc.body["name"], sa.Name)
|
|
|
|
|
assert.Equal(t, tc.wantID, sa.Login)
|
2022-08-10 17:56:48 +08:00
|
|
|
tempUser := &user.SignedInUser{
|
2022-08-11 19:28:55 +08:00
|
|
|
OrgID: 1,
|
|
|
|
|
UserID: 1,
|
2022-07-08 17:53:18 +08:00
|
|
|
Permissions: map[int64]map[string][]string{
|
|
|
|
|
1: {
|
2022-07-26 16:43:29 +08:00
|
|
|
serviceaccounts.ActionRead: []string{serviceaccounts.ScopeAll},
|
|
|
|
|
accesscontrol.ActionOrgUsersRead: []string{accesscontrol.ScopeUsersAll},
|
2022-07-08 17:53:18 +08:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
perms, err := api.permissionService.GetPermissions(context.Background(), tempUser, strconv.FormatInt(sa.Id, 10))
|
|
|
|
|
assert.NoError(t, err)
|
|
|
|
|
assert.Equal(t, 1, len(perms), "should have added managed permissions for SA creator")
|
|
|
|
|
assert.Equal(t, int64(1), perms[0].ID)
|
|
|
|
|
assert.Equal(t, int64(1), perms[0].UserId)
|
2022-03-08 19:07:58 +08:00
|
|
|
} else if actualCode == http.StatusBadRequest {
|
|
|
|
|
assert.Contains(t, tc.wantError, actualBody["error"].(string))
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-11-11 23:10:24 +08:00
|
|
|
// test the accesscontrol endpoints
|
|
|
|
|
// with permissions and without permissions
|
|
|
|
|
func TestServiceAccountsAPI_DeleteServiceAccount(t *testing.T) {
|
|
|
|
|
store := sqlstore.InitTestDB(t)
|
2022-06-15 20:59:40 +08:00
|
|
|
kvStore := kvstore.ProvideService(store)
|
2022-08-03 20:13:05 +08:00
|
|
|
apiKeyService := apikeyimpl.ProvideService(store, store.Cfg)
|
2022-09-23 17:59:07 +08:00
|
|
|
saStore := database.ProvideServiceAccountsStore(store, apiKeyService, kvStore, nil)
|
2021-11-11 23:10:24 +08:00
|
|
|
svcmock := tests.ServiceAccountMock{}
|
|
|
|
|
|
2021-12-13 22:56:14 +08:00
|
|
|
var requestResponse = func(server *web.Mux, httpMethod, requestpath string) *httptest.ResponseRecorder {
|
2021-11-11 23:10:24 +08:00
|
|
|
req, err := http.NewRequest(httpMethod, requestpath, nil)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
recorder := httptest.NewRecorder()
|
|
|
|
|
server.ServeHTTP(recorder, req)
|
|
|
|
|
return recorder
|
|
|
|
|
}
|
|
|
|
|
t.Run("should be able to delete serviceaccount for with permissions", func(t *testing.T) {
|
|
|
|
|
testcase := struct {
|
|
|
|
|
user tests.TestUser
|
|
|
|
|
acmock *accesscontrolmock.Mock
|
|
|
|
|
expectedCode int
|
|
|
|
|
}{
|
|
|
|
|
|
|
|
|
|
user: tests.TestUser{Login: "servicetest1@admin", IsServiceAccount: true},
|
|
|
|
|
acmock: tests.SetupMockAccesscontrol(
|
|
|
|
|
t,
|
2022-08-10 17:56:48 +08:00
|
|
|
func(c context.Context, siu *user.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
|
2022-06-14 16:17:48 +08:00
|
|
|
return []accesscontrol.Permission{{Action: serviceaccounts.ActionDelete, Scope: serviceaccounts.ScopeAll}}, nil
|
2021-11-11 23:10:24 +08:00
|
|
|
},
|
|
|
|
|
false,
|
|
|
|
|
),
|
|
|
|
|
expectedCode: http.StatusOK,
|
|
|
|
|
}
|
2022-03-08 19:07:58 +08:00
|
|
|
serviceAccountRequestScenario(t, http.MethodDelete, serviceAccountIDPath, &testcase.user, func(httpmethod string, endpoint string, user *tests.TestUser) {
|
2021-11-11 23:10:24 +08:00
|
|
|
createduser := tests.SetupUserServiceAccount(t, store, testcase.user)
|
2022-06-15 20:59:40 +08:00
|
|
|
server, _ := setupTestServer(t, &svcmock, routing.NewRouteRegister(), testcase.acmock, store, saStore)
|
2022-06-28 20:32:25 +08:00
|
|
|
actual := requestResponse(server, httpmethod, fmt.Sprintf(endpoint, fmt.Sprint(createduser.ID))).Code
|
2021-11-11 23:10:24 +08:00
|
|
|
require.Equal(t, testcase.expectedCode, actual)
|
|
|
|
|
})
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
t.Run("should be forbidden to delete serviceaccount via accesscontrol on endpoint", func(t *testing.T) {
|
|
|
|
|
testcase := struct {
|
|
|
|
|
user tests.TestUser
|
|
|
|
|
acmock *accesscontrolmock.Mock
|
|
|
|
|
expectedCode int
|
|
|
|
|
}{
|
|
|
|
|
user: tests.TestUser{Login: "servicetest2@admin", IsServiceAccount: true},
|
|
|
|
|
acmock: tests.SetupMockAccesscontrol(
|
|
|
|
|
t,
|
2022-08-10 17:56:48 +08:00
|
|
|
func(c context.Context, siu *user.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
|
2022-06-14 16:17:48 +08:00
|
|
|
return []accesscontrol.Permission{}, nil
|
2021-11-11 23:10:24 +08:00
|
|
|
},
|
|
|
|
|
false,
|
|
|
|
|
),
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
}
|
2022-03-08 19:07:58 +08:00
|
|
|
serviceAccountRequestScenario(t, http.MethodDelete, serviceAccountIDPath, &testcase.user, func(httpmethod string, endpoint string, user *tests.TestUser) {
|
2021-11-11 23:10:24 +08:00
|
|
|
createduser := tests.SetupUserServiceAccount(t, store, testcase.user)
|
2022-06-15 20:59:40 +08:00
|
|
|
server, _ := setupTestServer(t, &svcmock, routing.NewRouteRegister(), testcase.acmock, store, saStore)
|
2022-06-28 20:32:25 +08:00
|
|
|
actual := requestResponse(server, httpmethod, fmt.Sprintf(endpoint, createduser.ID)).Code
|
2021-11-11 23:10:24 +08:00
|
|
|
require.Equal(t, testcase.expectedCode, actual)
|
|
|
|
|
})
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
2022-01-19 17:23:46 +08:00
|
|
|
func serviceAccountRequestScenario(t *testing.T, httpMethod string, endpoint string, user *tests.TestUser, fn func(httpmethod string, endpoint string, user *tests.TestUser)) {
|
2021-11-11 23:10:24 +08:00
|
|
|
t.Helper()
|
|
|
|
|
fn(httpMethod, endpoint, user)
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-18 18:43:33 +08:00
|
|
|
func setupTestServer(t *testing.T, svc *tests.ServiceAccountMock,
|
|
|
|
|
routerRegister routing.RouteRegister,
|
|
|
|
|
acmock *accesscontrolmock.Mock,
|
2022-03-15 01:24:07 +08:00
|
|
|
sqlStore *sqlstore.SQLStore, saStore serviceaccounts.Store) (*web.Mux, *ServiceAccountsAPI) {
|
2022-07-08 17:53:18 +08:00
|
|
|
cfg := setting.NewCfg()
|
2022-09-23 01:16:21 +08:00
|
|
|
teamSvc := teamimpl.ProvideService(sqlStore, cfg)
|
|
|
|
|
saPermissionService, err := ossaccesscontrol.ProvideServiceAccountPermissions(cfg, routing.NewRouteRegister(), sqlStore, acmock, &licensing.OSSLicensingService{}, saStore, acmock, teamSvc)
|
2022-07-08 17:53:18 +08:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
a := NewServiceAccountsAPI(cfg, svc, acmock, routerRegister, saStore, saPermissionService)
|
2022-06-27 16:22:49 +08:00
|
|
|
a.RegisterAPIEndpoints()
|
2021-11-11 23:10:24 +08:00
|
|
|
|
2022-02-07 21:51:54 +08:00
|
|
|
a.cfg.ApiKeyMaxSecondsToLive = -1 // disable api key expiration
|
|
|
|
|
|
2021-12-13 22:56:14 +08:00
|
|
|
m := web.New()
|
2022-08-10 17:56:48 +08:00
|
|
|
signedUser := &user.SignedInUser{
|
2022-08-11 19:28:55 +08:00
|
|
|
OrgID: 1,
|
|
|
|
|
UserID: 1,
|
2022-08-10 17:56:48 +08:00
|
|
|
OrgRole: org.RoleViewer,
|
2021-11-11 23:10:24 +08:00
|
|
|
}
|
|
|
|
|
|
2021-12-13 22:56:14 +08:00
|
|
|
m.Use(func(c *web.Context) {
|
2021-11-11 23:10:24 +08:00
|
|
|
ctx := &models.ReqContext{
|
|
|
|
|
Context: c,
|
|
|
|
|
IsSignedIn: true,
|
|
|
|
|
SignedInUser: signedUser,
|
|
|
|
|
Logger: log.New("serviceaccounts-test"),
|
|
|
|
|
}
|
2022-05-21 00:45:18 +08:00
|
|
|
c.Req = c.Req.WithContext(ctxkey.Set(c.Req.Context(), ctx))
|
2021-11-11 23:10:24 +08:00
|
|
|
})
|
|
|
|
|
a.RouterRegister.Register(m.Router)
|
2022-03-15 01:24:07 +08:00
|
|
|
return m, a
|
2021-11-11 23:10:24 +08:00
|
|
|
}
|
2022-01-19 17:23:46 +08:00
|
|
|
|
|
|
|
|
func TestServiceAccountsAPI_RetrieveServiceAccount(t *testing.T) {
|
|
|
|
|
store := sqlstore.InitTestDB(t)
|
2022-08-03 20:13:05 +08:00
|
|
|
apiKeyService := apikeyimpl.ProvideService(store, store.Cfg)
|
2022-06-15 20:59:40 +08:00
|
|
|
kvStore := kvstore.ProvideService(store)
|
2022-09-23 17:59:07 +08:00
|
|
|
saStore := database.ProvideServiceAccountsStore(store, apiKeyService, kvStore, nil)
|
2022-01-19 17:23:46 +08:00
|
|
|
svcmock := tests.ServiceAccountMock{}
|
|
|
|
|
type testRetrieveSATestCase struct {
|
|
|
|
|
desc string
|
|
|
|
|
user *tests.TestUser
|
|
|
|
|
expectedCode int
|
|
|
|
|
acmock *accesscontrolmock.Mock
|
2022-02-08 21:31:34 +08:00
|
|
|
Id int
|
2022-01-19 17:23:46 +08:00
|
|
|
}
|
|
|
|
|
testCases := []testRetrieveSATestCase{
|
|
|
|
|
{
|
|
|
|
|
desc: "should be ok to retrieve serviceaccount with permissions",
|
|
|
|
|
user: &tests.TestUser{Login: "servicetest1@admin", IsServiceAccount: true},
|
|
|
|
|
acmock: tests.SetupMockAccesscontrol(
|
|
|
|
|
t,
|
2022-08-10 17:56:48 +08:00
|
|
|
func(c context.Context, siu *user.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
|
2022-06-14 16:17:48 +08:00
|
|
|
return []accesscontrol.Permission{{Action: serviceaccounts.ActionRead, Scope: serviceaccounts.ScopeAll}}, nil
|
2022-01-19 17:23:46 +08:00
|
|
|
},
|
|
|
|
|
false,
|
|
|
|
|
),
|
|
|
|
|
expectedCode: http.StatusOK,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
desc: "should be forbidden to retrieve serviceaccount if no permissions",
|
|
|
|
|
user: &tests.TestUser{Login: "servicetest2@admin", IsServiceAccount: true},
|
|
|
|
|
acmock: tests.SetupMockAccesscontrol(
|
|
|
|
|
t,
|
2022-08-10 17:56:48 +08:00
|
|
|
func(c context.Context, siu *user.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
|
2022-06-14 16:17:48 +08:00
|
|
|
return []accesscontrol.Permission{}, nil
|
2022-01-19 17:23:46 +08:00
|
|
|
},
|
|
|
|
|
false,
|
|
|
|
|
),
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
},
|
|
|
|
|
{
|
2022-02-08 21:31:34 +08:00
|
|
|
desc: "should be not found when the user doesnt exist",
|
|
|
|
|
user: nil,
|
|
|
|
|
Id: 12,
|
2022-01-19 17:23:46 +08:00
|
|
|
acmock: tests.SetupMockAccesscontrol(
|
|
|
|
|
t,
|
2022-08-10 17:56:48 +08:00
|
|
|
func(c context.Context, siu *user.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
|
2022-06-14 16:17:48 +08:00
|
|
|
return []accesscontrol.Permission{{Action: serviceaccounts.ActionRead, Scope: serviceaccounts.ScopeAll}}, nil
|
2022-01-19 17:23:46 +08:00
|
|
|
},
|
|
|
|
|
false,
|
|
|
|
|
),
|
|
|
|
|
expectedCode: http.StatusNotFound,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var requestResponse = func(server *web.Mux, httpMethod, requestpath string) *httptest.ResponseRecorder {
|
|
|
|
|
req, err := http.NewRequest(httpMethod, requestpath, nil)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
recorder := httptest.NewRecorder()
|
|
|
|
|
server.ServeHTTP(recorder, req)
|
|
|
|
|
return recorder
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, tc := range testCases {
|
|
|
|
|
t.Run(tc.desc, func(t *testing.T) {
|
2022-03-08 19:07:58 +08:00
|
|
|
serviceAccountRequestScenario(t, http.MethodGet, serviceAccountIDPath, tc.user, func(httpmethod string, endpoint string, user *tests.TestUser) {
|
2022-02-08 21:31:34 +08:00
|
|
|
scopeID := tc.Id
|
2022-01-19 17:23:46 +08:00
|
|
|
if tc.user != nil {
|
|
|
|
|
createdUser := tests.SetupUserServiceAccount(t, store, *tc.user)
|
2022-06-28 20:32:25 +08:00
|
|
|
scopeID = int(createdUser.ID)
|
2022-01-19 17:23:46 +08:00
|
|
|
}
|
2022-06-15 20:59:40 +08:00
|
|
|
server, _ := setupTestServer(t, &svcmock, routing.NewRouteRegister(), tc.acmock, store, saStore)
|
2022-01-19 17:23:46 +08:00
|
|
|
|
|
|
|
|
actual := requestResponse(server, httpmethod, fmt.Sprintf(endpoint, scopeID))
|
|
|
|
|
|
|
|
|
|
actualCode := actual.Code
|
|
|
|
|
require.Equal(t, tc.expectedCode, actualCode)
|
|
|
|
|
|
|
|
|
|
if actualCode == http.StatusOK {
|
|
|
|
|
actualBody := map[string]interface{}{}
|
|
|
|
|
err := json.Unmarshal(actual.Body.Bytes(), &actualBody)
|
|
|
|
|
require.NoError(t, err)
|
2022-02-08 21:31:34 +08:00
|
|
|
require.Equal(t, scopeID, int(actualBody["id"].(float64)))
|
2022-01-19 17:23:46 +08:00
|
|
|
require.Equal(t, tc.user.Login, actualBody["login"].(string))
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-02-17 20:19:58 +08:00
|
|
|
|
|
|
|
|
func newString(s string) *string {
|
|
|
|
|
return &s
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestServiceAccountsAPI_UpdateServiceAccount(t *testing.T) {
|
|
|
|
|
store := sqlstore.InitTestDB(t)
|
2022-08-03 20:13:05 +08:00
|
|
|
apiKeyService := apikeyimpl.ProvideService(store, store.Cfg)
|
2022-06-15 20:59:40 +08:00
|
|
|
kvStore := kvstore.ProvideService(store)
|
2022-09-23 17:59:07 +08:00
|
|
|
saStore := database.ProvideServiceAccountsStore(store, apiKeyService, kvStore, nil)
|
2022-02-17 20:19:58 +08:00
|
|
|
svcmock := tests.ServiceAccountMock{}
|
|
|
|
|
type testUpdateSATestCase struct {
|
|
|
|
|
desc string
|
|
|
|
|
user *tests.TestUser
|
|
|
|
|
expectedCode int
|
|
|
|
|
acmock *accesscontrolmock.Mock
|
|
|
|
|
body *serviceaccounts.UpdateServiceAccountForm
|
|
|
|
|
Id int
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-10 17:56:48 +08:00
|
|
|
viewerRole := org.RoleViewer
|
|
|
|
|
editorRole := org.RoleEditor
|
|
|
|
|
var invalidRole org.RoleType = "InvalidRole"
|
2022-02-17 20:19:58 +08:00
|
|
|
testCases := []testUpdateSATestCase{
|
|
|
|
|
{
|
|
|
|
|
desc: "should be ok to update serviceaccount with permissions",
|
2022-04-14 00:11:03 +08:00
|
|
|
user: &tests.TestUser{Login: "servicetest1@admin", IsServiceAccount: true, Role: "Viewer", Name: "Unaltered"},
|
|
|
|
|
body: &serviceaccounts.UpdateServiceAccountForm{Name: newString("New Name"), Role: &viewerRole},
|
2022-02-17 20:19:58 +08:00
|
|
|
acmock: tests.SetupMockAccesscontrol(
|
|
|
|
|
t,
|
2022-08-10 17:56:48 +08:00
|
|
|
func(c context.Context, siu *user.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
|
2022-06-14 16:17:48 +08:00
|
|
|
return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
|
2022-02-17 20:19:58 +08:00
|
|
|
},
|
|
|
|
|
false,
|
|
|
|
|
),
|
|
|
|
|
expectedCode: http.StatusOK,
|
|
|
|
|
},
|
2022-04-14 00:11:03 +08:00
|
|
|
{
|
|
|
|
|
desc: "should be forbidden to set role higher than user's role",
|
|
|
|
|
user: &tests.TestUser{Login: "servicetest2@admin", IsServiceAccount: true, Role: "Viewer", Name: "Unaltered 2"},
|
|
|
|
|
body: &serviceaccounts.UpdateServiceAccountForm{Name: newString("New Name 2"), Role: &editorRole},
|
|
|
|
|
acmock: tests.SetupMockAccesscontrol(
|
|
|
|
|
t,
|
2022-08-10 17:56:48 +08:00
|
|
|
func(c context.Context, siu *user.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
|
2022-06-14 16:17:48 +08:00
|
|
|
return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
|
2022-04-14 00:11:03 +08:00
|
|
|
},
|
|
|
|
|
false,
|
|
|
|
|
),
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
},
|
2022-02-17 20:19:58 +08:00
|
|
|
{
|
|
|
|
|
desc: "bad request when invalid role",
|
|
|
|
|
user: &tests.TestUser{Login: "servicetest3@admin", IsServiceAccount: true, Role: "Invalid", Name: "Unaltered"},
|
|
|
|
|
body: &serviceaccounts.UpdateServiceAccountForm{Name: newString("NameB"), Role: &invalidRole},
|
|
|
|
|
acmock: tests.SetupMockAccesscontrol(
|
|
|
|
|
t,
|
2022-08-10 17:56:48 +08:00
|
|
|
func(c context.Context, siu *user.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
|
2022-06-14 16:17:48 +08:00
|
|
|
return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
|
2022-02-17 20:19:58 +08:00
|
|
|
},
|
|
|
|
|
false,
|
|
|
|
|
),
|
|
|
|
|
expectedCode: http.StatusBadRequest,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
desc: "should be forbidden to update serviceaccount if no permissions",
|
2022-04-14 00:11:03 +08:00
|
|
|
user: &tests.TestUser{Login: "servicetest4@admin", IsServiceAccount: true},
|
2022-02-17 20:19:58 +08:00
|
|
|
body: nil,
|
|
|
|
|
acmock: tests.SetupMockAccesscontrol(
|
|
|
|
|
t,
|
2022-08-10 17:56:48 +08:00
|
|
|
func(c context.Context, siu *user.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
|
2022-06-14 16:17:48 +08:00
|
|
|
return []accesscontrol.Permission{}, nil
|
2022-02-17 20:19:58 +08:00
|
|
|
},
|
|
|
|
|
false,
|
|
|
|
|
),
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
desc: "should be not found when the user doesnt exist",
|
|
|
|
|
user: nil,
|
|
|
|
|
body: nil,
|
|
|
|
|
Id: 12,
|
|
|
|
|
acmock: tests.SetupMockAccesscontrol(
|
|
|
|
|
t,
|
2022-08-10 17:56:48 +08:00
|
|
|
func(c context.Context, siu *user.SignedInUser, _ accesscontrol.Options) ([]accesscontrol.Permission, error) {
|
2022-06-14 16:17:48 +08:00
|
|
|
return []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll}}, nil
|
2022-02-17 20:19:58 +08:00
|
|
|
},
|
|
|
|
|
false,
|
|
|
|
|
),
|
|
|
|
|
expectedCode: http.StatusNotFound,
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var requestResponse = func(server *web.Mux, httpMethod, requestpath string, body io.Reader) *httptest.ResponseRecorder {
|
|
|
|
|
req, err := http.NewRequest(httpMethod, requestpath, body)
|
|
|
|
|
req.Header.Add("Content-Type", "application/json")
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
recorder := httptest.NewRecorder()
|
|
|
|
|
server.ServeHTTP(recorder, req)
|
|
|
|
|
return recorder
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, tc := range testCases {
|
|
|
|
|
t.Run(tc.desc, func(t *testing.T) {
|
2022-06-15 20:59:40 +08:00
|
|
|
server, saAPI := setupTestServer(t, &svcmock, routing.NewRouteRegister(), tc.acmock, store, saStore)
|
2022-03-15 01:24:07 +08:00
|
|
|
scopeID := tc.Id
|
|
|
|
|
if tc.user != nil {
|
|
|
|
|
createdUser := tests.SetupUserServiceAccount(t, store, *tc.user)
|
2022-06-28 20:32:25 +08:00
|
|
|
scopeID = int(createdUser.ID)
|
2022-03-15 01:24:07 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var rawBody io.Reader = http.NoBody
|
|
|
|
|
if tc.body != nil {
|
|
|
|
|
body, err := json.Marshal(tc.body)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
rawBody = bytes.NewReader(body)
|
|
|
|
|
}
|
2022-02-17 20:19:58 +08:00
|
|
|
|
2022-03-15 01:24:07 +08:00
|
|
|
actual := requestResponse(server, http.MethodPatch, fmt.Sprintf(serviceAccountIDPath, scopeID), rawBody)
|
2022-02-17 20:19:58 +08:00
|
|
|
|
2022-03-15 01:24:07 +08:00
|
|
|
actualCode := actual.Code
|
|
|
|
|
require.Equal(t, tc.expectedCode, actualCode)
|
2022-02-17 20:19:58 +08:00
|
|
|
|
2022-03-15 01:24:07 +08:00
|
|
|
if actualCode == http.StatusOK {
|
|
|
|
|
actualBody := map[string]interface{}{}
|
|
|
|
|
err := json.Unmarshal(actual.Body.Bytes(), &actualBody)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
assert.Equal(t, scopeID, int(actualBody["id"].(float64)))
|
|
|
|
|
assert.Equal(t, *tc.body.Name, actualBody["name"].(string))
|
2022-06-01 15:35:16 +08:00
|
|
|
serviceAccountData := actualBody["serviceaccount"].(map[string]interface{})
|
|
|
|
|
assert.Equal(t, string(*tc.body.Role), serviceAccountData["role"].(string))
|
|
|
|
|
assert.Equal(t, tc.user.Login, serviceAccountData["login"].(string))
|
2022-02-17 20:19:58 +08:00
|
|
|
|
2022-03-15 01:24:07 +08:00
|
|
|
// Ensure the user was updated in DB
|
|
|
|
|
sa, err := saAPI.store.RetrieveServiceAccount(context.Background(), 1, int64(scopeID))
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
require.Equal(t, *tc.body.Name, sa.Name)
|
|
|
|
|
require.Equal(t, string(*tc.body.Role), sa.Role)
|
|
|
|
|
}
|
2022-02-17 20:19:58 +08:00
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
