grafana/pkg/api/org_invite_test.go

package api

import (
	"net/http"
	"strings"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"github.com/grafana/grafana/pkg/services/accesscontrol"
	"github.com/grafana/grafana/pkg/services/org/orgtest"
	"github.com/grafana/grafana/pkg/services/user"
	"github.com/grafana/grafana/pkg/services/user/usertest"
	"github.com/grafana/grafana/pkg/setting"
	"github.com/grafana/grafana/pkg/web/webtest"
)

func TestOrgInvitesAPIEndpoint_RBAC(t *testing.T) {
	type testCase struct {
		desc         string
		body         string
		permissions  []accesscontrol.Permission
		expectedCode int
	}

	tests := []testCase{
		{
			desc: "should be able to invite user to org with correct permissions",
			body: `{"loginOrEmail": "new user", "role": "Viewer"}`,
			permissions: []accesscontrol.Permission{
				{Action: accesscontrol.ActionOrgUsersAdd, Scope: "users:id:1"},
			},
			expectedCode: http.StatusOK,
		},
		{
			desc:         "should not be able to invite user to org without correct permissions",
			body:         `{"loginOrEmail": "new user", "role": "Viewer"}`,
			permissions:  []accesscontrol.Permission{},
			expectedCode: http.StatusForbidden,
		},
		{
			desc: "should not be able to invite user to org with wrong scope",
			body: `{"loginOrEmail": "new user", "role": "Viewer"}`,
			permissions: []accesscontrol.Permission{
				{Action: accesscontrol.ActionOrgUsersAdd, Scope: "users:id:2"},
			},
			expectedCode: http.StatusForbidden,
		},
		{
			desc: "should not be able to invite user to org with higher role then requester",
			body: `{"loginOrEmail": "new user", "role": "Admin"}`,
			permissions: []accesscontrol.Permission{
				{Action: accesscontrol.ActionOrgUsersAdd, Scope: "users:id:1"},
			},
			expectedCode: http.StatusForbidden,
		},
	}

	for _, tt := range tests {
		t.Run(tt.desc, func(t *testing.T) {
			server := SetupAPITestServer(t, func(hs *HTTPServer) {
				hs.Cfg = setting.NewCfg()
				hs.orgService = orgtest.NewOrgServiceFake()
				hs.userService = &usertest.FakeUserService{
					ExpectedUser: &user.User{ID: 1},
				}
			})

			req := webtest.RequestWithSignedInUser(server.NewPostRequest("/api/org/invites", strings.NewReader(tt.body)), userWithPermissions(1, tt.permissions))
			res, err := server.SendJSON(req)
			require.NoError(t, err)
			assert.Equal(t, tt.expectedCode, res.StatusCode)
			require.NoError(t, res.Body.Close())
		})
	}
}
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 19:07:00 +08:00			`package api`

			`import (`
			`"net/http"`
			`"strings"`
			`"testing"`

			`"github.com/stretchr/testify/assert"`
RBAC: Update org invite rbac tests to not used mocked access control (#61141) 2023-01-09 19:23:24 +08:00			`"github.com/stretchr/testify/require"`
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 19:07:00 +08:00
			`"github.com/grafana/grafana/pkg/services/accesscontrol"`
Chore: Fix goimports grouping in pkg/api (#62419) * fix goimports * fix goimports order 2023-01-30 16:18:26 +08:00			`"github.com/grafana/grafana/pkg/services/org/orgtest"`
Chore: Add user service method GetByLogin (#53204) * Add wrapper around sqlstore method GetUserByLogin * Use new method from user service * Fix lint * Fix lint 2 * fix middleware basic auth test * Fix grafana login returning a user by login * Remove GetUserByLogin from store interface * Merge commit 2022-08-04 19:22:43 +08:00			`"github.com/grafana/grafana/pkg/services/user"`
			`"github.com/grafana/grafana/pkg/services/user/usertest"`
Chore: Fix goimports grouping in pkg/api (#62419) * fix goimports * fix goimports order 2023-01-30 16:18:26 +08:00			`"github.com/grafana/grafana/pkg/setting"`
			`"github.com/grafana/grafana/pkg/web/webtest"`
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 19:07:00 +08:00			`)`

RBAC: Update org invite rbac tests to not used mocked access control (#61141) 2023-01-09 19:23:24 +08:00			`func TestOrgInvitesAPIEndpoint_RBAC(t *testing.T) {`
			`type testCase struct {`
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 19:07:00 +08:00			`desc string`
RBAC: Update org invite rbac tests to not used mocked access control (#61141) 2023-01-09 19:23:24 +08:00			`body string`
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 19:07:00 +08:00			`permissions []accesscontrol.Permission`
RBAC: Update org invite rbac tests to not used mocked access control (#61141) 2023-01-09 19:23:24 +08:00			`expectedCode int`
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 19:07:00 +08:00			`}`
RBAC: Update org invite rbac tests to not used mocked access control (#61141) 2023-01-09 19:23:24 +08:00
			`tests := []testCase{`
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 19:07:00 +08:00			`{`
RBAC: Update org invite rbac tests to not used mocked access control (#61141) 2023-01-09 19:23:24 +08:00			`desc: "should be able to invite user to org with correct permissions",`
			body: `{"loginOrEmail": "new user", "role": "Viewer"}`,
			`permissions: []accesscontrol.Permission{`
			`{Action: accesscontrol.ActionOrgUsersAdd, Scope: "users:id:1"},`
			`},`
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 19:07:00 +08:00			`expectedCode: http.StatusOK,`
			`},`
			`{`
RBAC: Update org invite rbac tests to not used mocked access control (#61141) 2023-01-09 19:23:24 +08:00			`desc: "should not be able to invite user to org without correct permissions",`
			body: `{"loginOrEmail": "new user", "role": "Viewer"}`,
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 19:07:00 +08:00			`permissions: []accesscontrol.Permission{},`
			`expectedCode: http.StatusForbidden,`
			`},`
			`{`
RBAC: Update org invite rbac tests to not used mocked access control (#61141) 2023-01-09 19:23:24 +08:00			`desc: "should not be able to invite user to org with wrong scope",`
			body: `{"loginOrEmail": "new user", "role": "Viewer"}`,
			`permissions: []accesscontrol.Permission{`
			`{Action: accesscontrol.ActionOrgUsersAdd, Scope: "users:id:2"},`
			`},`
			`expectedCode: http.StatusForbidden,`
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 19:07:00 +08:00			`},`
			`{`
RBAC: Update org invite rbac tests to not used mocked access control (#61141) 2023-01-09 19:23:24 +08:00			`desc: "should not be able to invite user to org with higher role then requester",`
			body: `{"loginOrEmail": "new user", "role": "Admin"}`,
			`permissions: []accesscontrol.Permission{`
			`{Action: accesscontrol.ActionOrgUsersAdd, Scope: "users:id:1"},`
			`},`
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 19:07:00 +08:00			`expectedCode: http.StatusForbidden,`
			`},`
			`}`

RBAC: Update org invite rbac tests to not used mocked access control (#61141) 2023-01-09 19:23:24 +08:00			`for _, tt := range tests {`
			`t.Run(tt.desc, func(t *testing.T) {`
			`server := SetupAPITestServer(t, func(hs *HTTPServer) {`
			`hs.Cfg = setting.NewCfg()`
			`hs.orgService = orgtest.NewOrgServiceFake()`
			`hs.userService = &usertest.FakeUserService{`
			`ExpectedUser: &user.User{ID: 1},`
			`}`
			`})`
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 19:07:00 +08:00
RBAC: Update org invite rbac tests to not used mocked access control (#61141) 2023-01-09 19:23:24 +08:00			`req := webtest.RequestWithSignedInUser(server.NewPostRequest("/api/org/invites", strings.NewReader(tt.body)), userWithPermissions(1, tt.permissions))`
			`res, err := server.SendJSON(req)`
			`require.NoError(t, err)`
			`assert.Equal(t, tt.expectedCode, res.StatusCode)`
			`require.NoError(t, res.Body.Close())`
Access control: Allow organisation admins to add existing users to org (#51668) * check users with user add permission to access the invite endpoint * undo unneeded changes * tests and cleanup * linting * linting * betterer * betterer again * fix prettier issue Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-07-08 19:07:00 +08:00			`})`
			`}`
			`}`