root
/
grafana
mirror of https://github.com/grafana/grafana.git
1
0
Fork 0
Code Issues Actions 249 Packages Projects Releases Wiki Activity
grafana/pkg/api/annotations_test.go

530 lines
24 KiB
Go
Raw Normal View History

dashfolders: permissions for saving annotations ref #10275 Use folder permissions instead of hard coded permissions on the annotations routes.
2017-12-21 07:52:21 +08:00
package api
import (
Replace AddHandler with AddHandlerCtx in tests (#42585)
2021-12-01 22:43:31 +08:00
"context"
Access control: adding FGAC to annotation GET endpoints and fixed roles (#45102) * Access control: adding FGAC to annotation GET endpoints and fixed roles Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-02-12 02:43:29 +08:00
"io"
"net/http"
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
"strings"
dashfolders: permissions for saving annotations ref #10275 Use folder permissions instead of hard coded permissions on the annotations routes.
2017-12-21 07:52:21 +08:00
"testing"
Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
2022-03-19 00:33:21 +08:00
"github.com/stretchr/testify/assert"
Annotations: Remove dashboard permission checks for annotations (#78352) remove checks for access to dashboard if FlagAnnotationPermissionUpdate is enabled
2023-11-23 18:47:37 +08:00
"github.com/stretchr/testify/mock"
Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
2022-03-19 00:33:21 +08:00
"github.com/stretchr/testify/require"
Access control: adding FGAC to annotation GET endpoints and fixed roles (#45102) * Access control: adding FGAC to annotation GET endpoints and fixed roles Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-02-12 02:43:29 +08:00
"github.com/grafana/grafana/pkg/services/accesscontrol"
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
"github.com/grafana/grafana/pkg/services/accesscontrol/acimpl"
dashfolders: permissions for saving annotations ref #10275 Use folder permissions instead of hard coded permissions on the annotations routes.
2017-12-21 07:52:21 +08:00
"github.com/grafana/grafana/pkg/services/annotations"
Chore: SQL store split for annotations (#55089) * Chore: SQL store split for annotations * Apply suggestion from code review
2022-09-19 15:54:37 +08:00
"github.com/grafana/grafana/pkg/services/annotations/annotationstest"
Annotations: Update annotation scope resolver to resolve annotation scopes to dash and folder scopes (#78222) * update annotation scope resolver to resolve dashboard annotation scopes to dash and folder scopes * Update annotations.go remove unwanted changes * remove unwanted change * use switch statement
2023-11-17 17:57:25 +08:00
"github.com/grafana/grafana/pkg/services/dashboards"
"github.com/grafana/grafana/pkg/services/featuremgmt"
Annotations: Remove dashboard permission checks for annotations (#78352) remove checks for access to dashboard if FlagAnnotationPermissionUpdate is enabled
2023-11-23 18:47:37 +08:00
"github.com/grafana/grafana/pkg/services/folder"
Annotations: Update annotation scope resolver to resolve annotation scopes to dash and folder scopes (#78222) * update annotation scope resolver to resolve dashboard annotation scopes to dash and folder scopes * Update annotations.go remove unwanted changes * remove unwanted change * use switch statement
2023-11-17 17:57:25 +08:00
"github.com/grafana/grafana/pkg/services/folder/foldertest"
Chore: Remove bus.Dispatch from guardian package (#46711) * replace bus in guardian with sqlstore * fix a couple of tests * replace bus in the rest of the tests * allow init guardian from other packages * make linter happy * init guardian in library elements * fix another test in libraryelements * fix more tests * move guardian mock one level deeper * fix more tests * rename init functions
2022-03-21 17:49:49 +08:00
"github.com/grafana/grafana/pkg/services/guardian"
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/web/webtest"
dashfolders: permissions for saving annotations ref #10275 Use folder permissions instead of hard coded permissions on the annotations routes.
2017-12-21 07:52:21 +08:00
)
RBAC: remove some `IsDisabled` checks (#69272) * remove some access contorl IsDisabled() checks * cleaning up tests * update tests * linting
2023-05-31 16:58:57 +08:00
func TestAPI_Annotations(t *testing.T) {
Annotations: Remove dashboard permission checks for annotations (#78352) remove checks for access to dashboard if FlagAnnotationPermissionUpdate is enabled
2023-11-23 18:47:37 +08:00
dashUID := "test-dash"
folderUID := "test-folder"
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
type testCase struct {
desc string
path string
method string
body string
expectedCode int
Annotations: Remove dashboard permission checks for annotations (#78352) remove checks for access to dashboard if FlagAnnotationPermissionUpdate is enabled
2023-11-23 18:47:37 +08:00
featureFlags []any
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
permissions []accesscontrol.Permission
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
}
Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
2022-03-19 00:33:21 +08:00
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
tests := []testCase{
{
desc: "should be able to fetch annotations with correct permission",
path: "/api/annotations",
method: http.MethodGet,
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsRead, Scope: accesscontrol.ScopeAnnotationsAll}},
},
Access control: adding FGAC to annotation GET endpoints and fixed roles (#45102) * Access control: adding FGAC to annotation GET endpoints and fixed roles Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-02-12 02:43:29 +08:00
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should not be able to fetch annotations without correct permission",
path: "/api/annotations",
method: http.MethodGet,
expectedCode: http.StatusForbidden,
permissions: []accesscontrol.Permission{},
Access control: adding FGAC to annotation GET endpoints and fixed roles (#45102) * Access control: adding FGAC to annotation GET endpoints and fixed roles Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-02-12 02:43:29 +08:00
},
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should be able to fetch annotation by id with correct permission",
path: "/api/annotations/1",
method: http.MethodGet,
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsRead, Scope: accesscontrol.ScopeAnnotationsAll}},
Access control: adding FGAC to annotation GET endpoints and fixed roles (#45102) * Access control: adding FGAC to annotation GET endpoints and fixed roles Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-02-12 02:43:29 +08:00
},
AnnotationsApi: GET /api/annotations/:annotationId (#47739)
2022-05-16 23:16:36 +08:00
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should not be able to fetch annotation by id without correct permission",
path: "/api/annotations/1",
method: http.MethodGet,
expectedCode: http.StatusForbidden,
permissions: []accesscontrol.Permission{},
AnnotationsApi: GET /api/annotations/:annotationId (#47739)
2022-05-16 23:16:36 +08:00
},
Annotations: Remove dashboard permission checks for annotations (#78352) remove checks for access to dashboard if FlagAnnotationPermissionUpdate is enabled
2023-11-23 18:47:37 +08:00
{
desc: "should be able to fetch dashboard annotation by id with correct dashboard scope with annotationPermissionUpdate enabled",
path: "/api/annotations/2",
featureFlags: []any{featuremgmt.FlagAnnotationPermissionUpdate},
method: http.MethodGet,
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsRead, Scope: dashboards.ScopeDashboardsProvider.GetResourceScopeUID(dashUID)}},
},
{
desc: "should be able to fetch dashboard annotation by id with correct folder scope with annotationPermissionUpdate enabled",
path: "/api/annotations/2",
featureFlags: []any{featuremgmt.FlagAnnotationPermissionUpdate},
method: http.MethodGet,
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsRead, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(folderUID)}},
},
{
desc: "should not be able to fetch dashboard annotation by id with the old dashboard scope when annotationPermissionUpdate enabled",
path: "/api/annotations/2",
featureFlags: []any{featuremgmt.FlagAnnotationPermissionUpdate},
method: http.MethodGet,
expectedCode: http.StatusForbidden,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsRead, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
},
AnnotationsApi: GET /api/annotations/:annotationId (#47739)
2022-05-16 23:16:36 +08:00
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should be able to fetch annotation tags with correct permission",
path: "/api/annotations/tags",
method: http.MethodGet,
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsRead}},
AnnotationsApi: GET /api/annotations/:annotationId (#47739)
2022-05-16 23:16:36 +08:00
},
Access control: adding FGAC to annotation GET endpoints and fixed roles (#45102) * Access control: adding FGAC to annotation GET endpoints and fixed roles Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-02-12 02:43:29 +08:00
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should not be able to fetch annotation tags without correct permission",
path: "/api/annotations/tags",
method: http.MethodGet,
expectedCode: http.StatusForbidden,
permissions: []accesscontrol.Permission{},
Access control: adding FGAC to annotation GET endpoints and fixed roles (#45102) * Access control: adding FGAC to annotation GET endpoints and fixed roles Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-02-12 02:43:29 +08:00
},
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should be able to update dashboard annotation with correct permission",
path: "/api/annotations/2",
method: http.MethodPut,
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
Access control: adding FGAC to annotation GET endpoints and fixed roles (#45102) * Access control: adding FGAC to annotation GET endpoints and fixed roles Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-02-12 02:43:29 +08:00
},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should not be able to update dashboard annotation without correct permission",
path: "/api/annotations/2",
method: http.MethodPut,
expectedCode: http.StatusForbidden,
permissions: []accesscontrol.Permission{},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
},
Annotations: Remove dashboard permission checks for annotations (#78352) remove checks for access to dashboard if FlagAnnotationPermissionUpdate is enabled
2023-11-23 18:47:37 +08:00
{
desc: "should be able to update dashboard annotation with correct dashboard scope with annotationPermissionUpdate enabled",
path: "/api/annotations/2",
featureFlags: []any{featuremgmt.FlagAnnotationPermissionUpdate},
method: http.MethodPut,
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsWrite, Scope: dashboards.ScopeDashboardsProvider.GetResourceScopeUID(dashUID)}},
},
{
desc: "should be able to update dashboard annotation with correct folder scope with annotationPermissionUpdate enabled",
path: "/api/annotations/2",
featureFlags: []any{featuremgmt.FlagAnnotationPermissionUpdate},
method: http.MethodPut,
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsWrite, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(folderUID)}},
},
{
desc: "should not be able to update dashboard annotation with the old dashboard scope when annotationPermissionUpdate enabled",
path: "/api/annotations/2",
featureFlags: []any{featuremgmt.FlagAnnotationPermissionUpdate},
method: http.MethodPut,
expectedCode: http.StatusForbidden,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should be able to update organization annotation with correct permission",
path: "/api/annotations/1",
method: http.MethodPut,
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
},
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should not be able to update organization annotation without correct permission",
path: "/api/annotations/1",
method: http.MethodPut,
expectedCode: http.StatusForbidden,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
},
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should be able to patch dashboard annotation with correct permission",
path: "/api/annotations/2",
method: http.MethodPatch,
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
},
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should not be able to patch dashboard annotation without correct permission",
path: "/api/annotations/2",
method: http.MethodPatch,
expectedCode: http.StatusForbidden,
permissions: []accesscontrol.Permission{},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
},
Annotations: Remove dashboard permission checks for annotations (#78352) remove checks for access to dashboard if FlagAnnotationPermissionUpdate is enabled
2023-11-23 18:47:37 +08:00
{
desc: "should be able to patch dashboard annotation with correct dashboard scope with annotationPermissionUpdate enabled",
path: "/api/annotations/2",
featureFlags: []any{featuremgmt.FlagAnnotationPermissionUpdate},
method: http.MethodPatch,
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsWrite, Scope: dashboards.ScopeDashboardsProvider.GetResourceScopeUID(dashUID)}},
},
{
desc: "should be able to patch dashboard annotation with correct folder scope with annotationPermissionUpdate enabled",
path: "/api/annotations/2",
featureFlags: []any{featuremgmt.FlagAnnotationPermissionUpdate},
method: http.MethodPatch,
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsWrite, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(folderUID)}},
},
{
desc: "should not be able to patch dashboard annotation with the old dashboard scope when annotationPermissionUpdate enabled",
path: "/api/annotations/2",
featureFlags: []any{featuremgmt.FlagAnnotationPermissionUpdate},
method: http.MethodPatch,
expectedCode: http.StatusForbidden,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should be able to patch organization annotation with correct permission",
path: "/api/annotations/1",
method: http.MethodPatch,
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
},
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should not be able to patch organization annotation without correct permission",
path: "/api/annotations/1",
method: http.MethodPatch,
expectedCode: http.StatusForbidden,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsWrite, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
},
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should be able to create dashboard annotation with correct permission",
path: "/api/annotations",
method: http.MethodPost,
body: "{\"dashboardId\": 2,\"text\": \"test\"}",
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
},
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should not be able to create dashboard annotation without correct permission",
path: "/api/annotations",
method: http.MethodPost,
body: "{\"dashboardId\": 2,\"text\": \"test\"}",
expectedCode: http.StatusForbidden,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
},
Annotations: Remove dashboard permission checks for annotations (#78352) remove checks for access to dashboard if FlagAnnotationPermissionUpdate is enabled
2023-11-23 18:47:37 +08:00
{
desc: "should be able to create dashboard annotation with correct dashboard scope with annotationPermissionUpdate enabled",
path: "/api/annotations",
method: http.MethodPost,
body: "{\"dashboardId\": 2,\"text\": \"test\"}",
featureFlags: []any{featuremgmt.FlagAnnotationPermissionUpdate},
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsCreate, Scope: dashboards.ScopeDashboardsProvider.GetResourceScopeUID(dashUID)}},
},
{
desc: "should be able to create dashboard annotation with correct folder scope with annotationPermissionUpdate enabled",
path: "/api/annotations",
method: http.MethodPost,
body: "{\"dashboardId\": 2,\"text\": \"test\"}",
featureFlags: []any{featuremgmt.FlagAnnotationPermissionUpdate},
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsCreate, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(folderUID)}},
},
{
desc: "should not be able to create dashboard annotation with the old dashboard scope when annotationPermissionUpdate enabled",
path: "/api/annotations",
method: http.MethodPost,
body: "{\"dashboardId\": 2,\"text\": \"test\"}",
featureFlags: []any{featuremgmt.FlagAnnotationPermissionUpdate},
expectedCode: http.StatusForbidden,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should be able to create organization annotation with correct permission",
path: "/api/annotations",
method: http.MethodPost,
body: "{\"text\": \"test\"}",
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
},
check that the user has RBAC permissions to save dashboard annotation (#47882)
2022-04-20 15:43:42 +08:00
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should not be able to create organization annotation without correct permission",
path: "/api/annotations",
method: http.MethodPost,
body: "{\"text\": \"test\"}",
expectedCode: http.StatusForbidden,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
check that the user has RBAC permissions to save dashboard annotation (#47882)
2022-04-20 15:43:42 +08:00
},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should be able to delete dashboard annotation with correct permission",
path: "/api/annotations/2",
method: http.MethodDelete,
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
},
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should not be able to delete dashboard annotation without correct permission",
path: "/api/annotations/2",
method: http.MethodDelete,
expectedCode: http.StatusForbidden,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
},
Annotations: Remove dashboard permission checks for annotations (#78352) remove checks for access to dashboard if FlagAnnotationPermissionUpdate is enabled
2023-11-23 18:47:37 +08:00
{
desc: "should be able to delete dashboard annotation with correct dashboard scope with annotationPermissionUpdate enabled",
path: "/api/annotations/2",
featureFlags: []any{featuremgmt.FlagAnnotationPermissionUpdate},
method: http.MethodDelete,
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: dashboards.ScopeDashboardsProvider.GetResourceScopeUID(dashUID)}},
},
{
desc: "should be able to delete dashboard annotation with correct folder scope with annotationPermissionUpdate enabled",
path: "/api/annotations/2",
featureFlags: []any{featuremgmt.FlagAnnotationPermissionUpdate},
method: http.MethodDelete,
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(folderUID)}},
},
{
desc: "should not be able to delete dashboard annotation with the old dashboard scope when annotationPermissionUpdate enabled",
path: "/api/annotations/2",
featureFlags: []any{featuremgmt.FlagAnnotationPermissionUpdate},
method: http.MethodDelete,
expectedCode: http.StatusForbidden,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should be able to delete organization annotation with correct permission",
path: "/api/annotations/1",
method: http.MethodDelete,
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
},
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should not be able to delete organization annotation without correct permission",
path: "/api/annotations/1",
method: http.MethodDelete,
expectedCode: http.StatusForbidden,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
},
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should be able to create graphite annotation with correct permission",
path: "/api/annotations/graphite",
body: "{\"what\": \"test\", \"tags\": []}",
method: http.MethodPost,
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
},
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should not be able to create graphite annotation without correct permission",
path: "/api/annotations/graphite",
method: http.MethodPost,
expectedCode: http.StatusForbidden,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsCreate, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
},
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should be able to mass delete dashboard annotations with correct permission",
path: "/api/annotations/mass-delete",
body: "{\"dashboardId\": 2, \"panelId\": 1}",
method: http.MethodPost,
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
},
{
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
desc: "should not be able to mass delete dashboard annotations without correct permission",
path: "/api/annotations/mass-delete",
body: "{\"dashboardId\": 2, \"panelId\": 1}",
method: http.MethodPost,
expectedCode: http.StatusForbidden,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeOrganization}},
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
},
Annotations: Remove dashboard permission checks for annotations (#78352) remove checks for access to dashboard if FlagAnnotationPermissionUpdate is enabled
2023-11-23 18:47:37 +08:00
{
desc: "should be able to mass delete dashboard annotation with correct dashboard scope with annotationPermissionUpdate enabled",
path: "/api/annotations/mass-delete",
body: "{\"dashboardId\": 2, \"panelId\": 1}",
method: http.MethodPost,
featureFlags: []any{featuremgmt.FlagAnnotationPermissionUpdate},
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: dashboards.ScopeDashboardsProvider.GetResourceScopeUID(dashUID)}},
},
{
desc: "should be able to mass delete dashboard annotation with correct folder scope with annotationPermissionUpdate enabled",
path: "/api/annotations/mass-delete",
body: "{\"dashboardId\": 2, \"panelId\": 1}",
method: http.MethodPost,
featureFlags: []any{featuremgmt.FlagAnnotationPermissionUpdate},
expectedCode: http.StatusOK,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID(folderUID)}},
},
{
desc: "should not be able to mass delete dashboard annotation with the old dashboard scope when annotationPermissionUpdate enabled",
path: "/api/annotations/mass-delete",
body: "{\"dashboardId\": 2, \"panelId\": 1}",
method: http.MethodPost,
featureFlags: []any{featuremgmt.FlagAnnotationPermissionUpdate},
expectedCode: http.StatusForbidden,
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsDelete, Scope: accesscontrol.ScopeAnnotationsTypeDashboard}},
},
Access control: adding FGAC to annotation GET endpoints and fixed roles (#45102) * Access control: adding FGAC to annotation GET endpoints and fixed roles Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-02-12 02:43:29 +08:00
}
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
Access control: adding FGAC to annotation GET endpoints and fixed roles (#45102) * Access control: adding FGAC to annotation GET endpoints and fixed roles Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-02-12 02:43:29 +08:00
for _, tt := range tests {
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
t.Run(tt.desc, func(t *testing.T) {
Annotations: Remove dashboard permission checks for annotations (#78352) remove checks for access to dashboard if FlagAnnotationPermissionUpdate is enabled
2023-11-23 18:47:37 +08:00
// Don't need access to dashboards if annotationPermissionUpdate is enabled
if len(tt.featureFlags) == 0 {
setUpRBACGuardian(t)
}
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
server := SetupAPITestServer(t, func(hs *HTTPServer) {
hs.Cfg = setting.NewCfg()
repo := annotationstest.NewFakeAnnotationsRepo()
Rename Id to ID for annotation models (#62886) * Rename Id to ID for annotation models * Add xorm tags * Rename Id to ID for API key models * Add xorm tags
2023-02-04 00:23:09 +08:00
_ = repo.Save(context.Background(), &annotations.Item{ID: 1, DashboardID: 0})
_ = repo.Save(context.Background(), &annotations.Item{ID: 2, DashboardID: 1})
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
hs.annotationsRepo = repo
Annotations: Remove dashboard permission checks for annotations (#78352) remove checks for access to dashboard if FlagAnnotationPermissionUpdate is enabled
2023-11-23 18:47:37 +08:00
hs.Features = featuremgmt.WithFeatures(tt.featureFlags...)
dashService := &dashboards.FakeDashboardService{}
dashService.On("GetDashboard", mock.Anything, mock.Anything).Return(&dashboards.Dashboard{UID: dashUID, FolderUID: folderUID, FolderID: 1}, nil)
folderService := &foldertest.FakeService{}
folderService.ExpectedFolder = &folder.Folder{UID: folderUID, ID: 1}
folderDB := &foldertest.FakeFolderStore{}
folderDB.On("GetFolderByID", mock.Anything, mock.Anything, mock.Anything).Return(&folder.Folder{UID: folderUID, ID: 1}, nil)
hs.DashboardService = dashService
hs.folderService = folderService
Zanzana: Remove usage from legacy access control (#98883) * Zanzana: Remove usage from legacy access control * remove unused * remove zanzana client from services where it's not used * remove unused metrics * fix linter
2025-01-14 17:26:15 +08:00
hs.AccessControl = acimpl.ProvideAccessControl(featuremgmt.WithFeatures())
Ensure all internal Services are using FolderService and not FolderStore (#98370) * Ensure all internal Services are using FolderService and not FolderStore Signed-off-by: Maicon Costa <maiconscosta@gmail.com> --------- Signed-off-by: Maicon Costa <maiconscosta@gmail.com>
2024-12-31 00:48:35 +08:00
hs.AccessControl.RegisterScopeAttributeResolver(AnnotationTypeScopeResolver(hs.annotationsRepo, hs.Features, dashService, folderService))
hs.AccessControl.RegisterScopeAttributeResolver(dashboards.NewDashboardIDScopeResolver(folderDB, dashService, folderService))
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
})
var body io.Reader
if tt.body != "" {
body = strings.NewReader(tt.body)
}
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
Identity: Unfurl UserID and Email in pkg/api to user identity.Requester (#76112) * Unfurl OrgRole in pkg/api to allow using identity.Requester interface * Unfurl Email in pkg/api to allow using identity.Requester interface * Update UserID in pkg/api to allow using identity.Requester interface * fix authed test * fix datasource tests * guard login * fix preferences anon testing * fix anonymous index rendering * do not error with user id 0
2023-10-09 22:07:28 +08:00
req := webtest.RequestWithSignedInUser(server.NewRequest(tt.method, tt.path, body), authedUserWithPermissions(1, 1, tt.permissions))
RBAC: Rewrite rbac annotations test (#61036) * API: Rewrite annotation rbac tests to not use mocked access control * API: rewrite mass deletion rbac tests
2023-01-09 16:59:14 +08:00
res, err := server.SendJSON(req)
require.NoError(t, err)
assert.Equal(t, tt.expectedCode, res.StatusCode)
require.NoError(t, res.Body.Close())
Access control: adding FGAC to annotation GET endpoints and fixed roles (#45102) * Access control: adding FGAC to annotation GET endpoints and fixed roles Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2022-02-12 02:43:29 +08:00
})
}
}
Annotations: Remove dashboard permission checks for annotations (#78352) remove checks for access to dashboard if FlagAnnotationPermissionUpdate is enabled
2023-11-23 18:47:37 +08:00
Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
2022-03-19 00:33:21 +08:00
func TestService_AnnotationTypeScopeResolver(t *testing.T) {
Annotations: Update annotation scope resolver to resolve annotation scopes to dash and folder scopes (#78222) * update annotation scope resolver to resolve dashboard annotation scopes to dash and folder scopes * Update annotations.go remove unwanted changes * remove unwanted change * use switch statement
2023-11-17 17:57:25 +08:00
rootDashUID := "root-dashboard"
folderDashUID := "folder-dashboard"
folderUID := "folder"
dashSvc := &dashboards.FakeDashboardService{}
rootDash := &dashboards.Dashboard{ID: 1, OrgID: 1, UID: rootDashUID}
folderDash := &dashboards.Dashboard{ID: 2, OrgID: 1, UID: folderDashUID, FolderUID: folderUID}
dashSvc.On("GetDashboard", context.Background(), &dashboards.GetDashboardQuery{ID: rootDash.ID, OrgID: 1}).Return(rootDash, nil)
dashSvc.On("GetDashboard", context.Background(), &dashboards.GetDashboardQuery{ID: folderDash.ID, OrgID: 1}).Return(folderDash, nil)
rootDashboardAnnotation := annotations.Item{ID: 1, DashboardID: rootDash.ID}
folderDashboardAnnotation := annotations.Item{ID: 3, DashboardID: folderDash.ID}
organizationAnnotation := annotations.Item{ID: 2}
fakeAnnoRepo := annotationstest.NewFakeAnnotationsRepo()
_ = fakeAnnoRepo.Save(context.Background(), &rootDashboardAnnotation)
_ = fakeAnnoRepo.Save(context.Background(), &folderDashboardAnnotation)
_ = fakeAnnoRepo.Save(context.Background(), &organizationAnnotation)
Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
2022-03-19 00:33:21 +08:00
type testCaseResolver struct {
Annotations: Update annotation scope resolver to resolve annotation scopes to dash and folder scopes (#78222) * update annotation scope resolver to resolve dashboard annotation scopes to dash and folder scopes * Update annotations.go remove unwanted changes * remove unwanted change * use switch statement
2023-11-17 17:57:25 +08:00
desc string
given string
featureToggles []any
want []string
wantErr error
Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
2022-03-19 00:33:21 +08:00
}
testCases := []testCaseResolver{
{
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
desc: "correctly resolves dashboard annotations",
Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
2022-03-19 00:33:21 +08:00
given: "annotations:id:1",
Annotations: Update annotation scope resolver to resolve annotation scopes to dash and folder scopes (#78222) * update annotation scope resolver to resolve dashboard annotation scopes to dash and folder scopes * Update annotations.go remove unwanted changes * remove unwanted change * use switch statement
2023-11-17 17:57:25 +08:00
want: []string{accesscontrol.ScopeAnnotationsTypeDashboard},
Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
2022-03-19 00:33:21 +08:00
wantErr: nil,
},
{
Adding FGAC annotations validation for creation and deletion (#46736) Access Control: Adding FGAC annotations validation for creation and deletion Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2022-03-22 01:28:39 +08:00
desc: "correctly resolves organization annotations",
Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
2022-03-19 00:33:21 +08:00
given: "annotations:id:2",
Annotations: Update annotation scope resolver to resolve annotation scopes to dash and folder scopes (#78222) * update annotation scope resolver to resolve dashboard annotation scopes to dash and folder scopes * Update annotations.go remove unwanted changes * remove unwanted change * use switch statement
2023-11-17 17:57:25 +08:00
want: []string{accesscontrol.ScopeAnnotationsTypeOrganization},
Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
2022-03-19 00:33:21 +08:00
wantErr: nil,
},
{
desc: "invalid annotation ID",
given: "annotations:id:123abc",
Annotations: Update annotation scope resolver to resolve annotation scopes to dash and folder scopes (#78222) * update annotation scope resolver to resolve dashboard annotation scopes to dash and folder scopes * Update annotations.go remove unwanted changes * remove unwanted change * use switch statement
2023-11-17 17:57:25 +08:00
want: []string{""},
Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
2022-03-19 00:33:21 +08:00
wantErr: accesscontrol.ErrInvalidScope,
},
{
desc: "malformed scope",
given: "annotations:1",
Annotations: Update annotation scope resolver to resolve annotation scopes to dash and folder scopes (#78222) * update annotation scope resolver to resolve dashboard annotation scopes to dash and folder scopes * Update annotations.go remove unwanted changes * remove unwanted change * use switch statement
2023-11-17 17:57:25 +08:00
want: []string{""},
Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
2022-03-19 00:33:21 +08:00
wantErr: accesscontrol.ErrInvalidScope,
},
Annotations: Update annotation scope resolver to resolve annotation scopes to dash and folder scopes (#78222) * update annotation scope resolver to resolve dashboard annotation scopes to dash and folder scopes * Update annotations.go remove unwanted changes * remove unwanted change * use switch statement
2023-11-17 17:57:25 +08:00
{
desc: "correctly resolves organization annotations with feature toggle",
given: "annotations:id:2",
featureToggles: []any{featuremgmt.FlagAnnotationPermissionUpdate},
want: []string{accesscontrol.ScopeAnnotationsTypeOrganization},
wantErr: nil,
},
{
desc: "correctly resolves annotations from root dashboard with feature toggle",
given: "annotations:id:1",
featureToggles: []any{featuremgmt.FlagAnnotationPermissionUpdate},
want: []string{
dashboards.ScopeDashboardsProvider.GetResourceScopeUID(rootDashUID),
dashboards.ScopeFoldersProvider.GetResourceScopeUID(accesscontrol.GeneralFolderUID),
},
wantErr: nil,
},
{
desc: "correctly resolves annotations from dashboard in a folder with feature toggle",
given: "annotations:id:3",
featureToggles: []any{featuremgmt.FlagAnnotationPermissionUpdate},
want: []string{
dashboards.ScopeDashboardsProvider.GetResourceScopeUID(folderDashUID),
dashboards.ScopeFoldersProvider.GetResourceScopeUID(folderUID),
},
wantErr: nil,
},
Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
2022-03-19 00:33:21 +08:00
}
for _, tc := range testCases {
t.Run(tc.desc, func(t *testing.T) {
Annotations: Update annotation scope resolver to resolve annotation scopes to dash and folder scopes (#78222) * update annotation scope resolver to resolve dashboard annotation scopes to dash and folder scopes * Update annotations.go remove unwanted changes * remove unwanted change * use switch statement
2023-11-17 17:57:25 +08:00
features := featuremgmt.WithFeatures(tc.featureToggles...)
Ensure all internal Services are using FolderService and not FolderStore (#98370) * Ensure all internal Services are using FolderService and not FolderStore Signed-off-by: Maicon Costa <maiconscosta@gmail.com> --------- Signed-off-by: Maicon Costa <maiconscosta@gmail.com>
2024-12-31 00:48:35 +08:00
prefix, resolver := AnnotationTypeScopeResolver(fakeAnnoRepo, features, dashSvc, &foldertest.FakeService{})
Annotations: Update annotation scope resolver to resolve annotation scopes to dash and folder scopes (#78222) * update annotation scope resolver to resolve dashboard annotation scopes to dash and folder scopes * Update annotations.go remove unwanted changes * remove unwanted change * use switch statement
2023-11-17 17:57:25 +08:00
require.Equal(t, "annotations:id:", prefix)
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 15:29:30 +08:00
resolved, err := resolver.Resolve(context.Background(), 1, tc.given)
Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
2022-03-19 00:33:21 +08:00
if tc.wantErr != nil {
require.Error(t, err)
require.Equal(t, tc.wantErr, err)
} else {
require.NoError(t, err)
Annotations: Update annotation scope resolver to resolve annotation scopes to dash and folder scopes (#78222) * update annotation scope resolver to resolve dashboard annotation scopes to dash and folder scopes * Update annotations.go remove unwanted changes * remove unwanted change * use switch statement
2023-11-17 17:57:25 +08:00
require.Len(t, resolved, len(tc.want))
require.Equal(t, tc.want, resolved)
Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
2022-03-19 00:33:21 +08:00
}
})
}
}
Rename FGAC to RBAC in the codebase (#48051)
2022-04-21 20:31:02 +08:00
func setUpRBACGuardian(t *testing.T) {
Access Control: adding FGAC validation to mass delete annotation endpoint (#46846) * Access Control: adding FGAC validation to mass delete annotation endpoint
2022-03-24 05:39:00 +08:00
origNewGuardian := guardian.New
t.Cleanup(func() {
guardian.New = origNewGuardian
})
Folders: Able to fetch folders available for user as "shared" folder (#77774) * Folders: Show folders user has access to at the root level * Refactor * Refactor * Hide parent folders user has no access to * Skip expensive computation if possible * Fix tests * Fix potential nil access * Fix duplicated folders * Fix linter error * Fix querying folders if no managed permissions set * Update benchmark * Add special shared with me folder and fetch available non-root folders on demand * Fix parents query * Improve db query for folders * Reset benchmark changes * Fix permissions for shared with me folder * Simplify dedup * Add option to include shared folder permission to user's permissions * Fix nil UID * Remove duplicated folders from shared list * Only left the base part * Apply suggestions from code review Co-authored-by: Sofia Papagiannaki <1632407+papagian@users.noreply.github.com> * Add tests * Fix linter errors --------- Co-authored-by: Sofia Papagiannaki <1632407+papagian@users.noreply.github.com>
2023-11-08 22:28:49 +08:00
guardian.MockDashboardGuardian(&guardian.FakeDashboardGuardian{CanEditValue: true, CanViewValue: true})
Access Control: adding FGAC validation to mass delete annotation endpoint (#46846) * Access Control: adding FGAC validation to mass delete annotation endpoint
2022-03-24 05:39:00 +08:00
}