root
/
grafana
mirror of https://github.com/grafana/grafana.git
1
0
Fork 0
Code Issues Actions 73 Packages Projects Releases Wiki Activity
grafana/pkg/api/org_test.go

538 lines
23 KiB
Go
Raw Normal View History

AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
package api
import (
"fmt"
"net/http"
"strings"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/grafana/grafana/pkg/services/accesscontrol"
Chore: Move updateorg out of sqlstore (#54111) * Chore: move updateorg out of sqlstore * fix api test
2022-08-24 01:26:21 +08:00
"github.com/grafana/grafana/pkg/services/org/orgimpl"
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
"github.com/grafana/grafana/pkg/services/sqlstore"
UserService: use the UserService instead of calling sqlstore directly (#55745) * UserService: update callers to use the UserService instead of calling sqlstore directly There is one major change hiding in this PR. UserService.Delete originally called a number of services to delete user-related records. I moved everything except the actual call to the user table, and moved those into the API. This was done to avoid dependencies cycles; many of our services depend on the user service, so the user service itself should have as few dependencies as possible.
2022-09-27 19:58:49 +08:00
"github.com/grafana/grafana/pkg/services/user/usertest"
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
"github.com/grafana/grafana/pkg/setting"
)
var (
searchOrgsURL = "/api/orgs/"
getCurrentOrgURL = "/api/org/"
getOrgsURL = "/api/orgs/%v"
getOrgsByNameURL = "/api/orgs/name/%v"
putCurrentOrgURL = "/api/org/"
putOrgsURL = "/api/orgs/%v"
putCurrentOrgAddressURL = "/api/org/address"
putOrgsAddressURL = "/api/orgs/%v/address"
testUpdateOrgNameForm = `{ "name": "TestOrgChanged" }`
testUpdateOrgAddressForm = `{ "address1": "1 test road",
"address2": "2 test road",
"city": "TestCity",
"ZipCode": "TESTZIPCODE",
"State": "TestState",
"Country": "TestCountry" }`
deleteOrgsURL = "/api/orgs/%v"
createOrgsURL = "/api/orgs/"
testCreateOrgCmd = `{ "name": "TestOrg%v"}`
)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
// `/api/org` endpoints test
func TestAPIEndpoint_GetCurrentOrg_LegacyAccessControl(t *testing.T) {
RBAC: Enable rbac when creating new settings (#53531) * Settings: Set RBACEnabled to true by default * Remove accessControlEnabledFlag and explicitly set to false when needed * Disable rbac for tests
2022-08-11 21:37:31 +08:00
cfg := setting.NewCfg()
cfg.RBACEnabled = false
sc := setupHTTPServerWithCfg(t, true, cfg)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
setInitCtxSignedInViewer(sc.initCtx)
_, err := sc.db.CreateOrgWithMember("TestOrg", testUserID)
require.NoError(t, err)
t.Run("Viewer can view CurrentOrg", func(t *testing.T) {
response := callAPI(sc.server, http.MethodGet, getCurrentOrgURL, nil, t)
assert.Equal(t, http.StatusOK, response.Code)
})
sc.initCtx.IsSignedIn = false
t.Run("Unsigned user cannot view CurrentOrg", func(t *testing.T) {
response := callAPI(sc.server, http.MethodGet, getCurrentOrgURL, nil, t)
assert.Equal(t, http.StatusUnauthorized, response.Code)
})
}
func TestAPIEndpoint_GetCurrentOrg_AccessControl(t *testing.T) {
RBAC: Enable rbac when creating new settings (#53531) * Settings: Set RBACEnabled to true by default * Remove accessControlEnabledFlag and explicitly set to false when needed * Disable rbac for tests
2022-08-11 21:37:31 +08:00
sc := setupHTTPServer(t, true)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
setInitCtxSignedInViewer(sc.initCtx)
_, err := sc.db.CreateOrgWithMember("TestOrg", testUserID)
require.NoError(t, err)
t.Run("AccessControl allows viewing CurrentOrg with correct permissions", func(t *testing.T) {
NavTree: Refactor out the navtree building from api/index.go and into it's own service (#55552)
2022-09-23 04:04:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsRead}}, sc.initCtx.OrgID)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
response := callAPI(sc.server, http.MethodGet, getCurrentOrgURL, nil, t)
assert.Equal(t, http.StatusOK, response.Code)
})
t.Run("AccessControl prevents viewing CurrentOrg with correct permissions in another org", func(t *testing.T) {
NavTree: Refactor out the navtree building from api/index.go and into it's own service (#55552)
2022-09-23 04:04:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsRead}}, 2)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
response := callAPI(sc.server, http.MethodGet, getCurrentOrgURL, nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
t.Run("AccessControl prevents viewing CurrentOrg with incorrect permissions", func(t *testing.T) {
Chore: Add user service method SetUsingOrg and GetSignedInUserWithCacheCtx (#53343) * Chore: Add user service method SetUsingOrg * Chore: Add user service method GetSignedInUserWithCacheCtx * Use method GetSignedInUserWithCacheCtx from user service * Fix lint after rebase * Fix lint * Fix lint error * roll back some changes * Roll back changes in api and middleware * Add xorm tags to SignedInUser ID fields
2022-08-11 19:28:55 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgID)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
response := callAPI(sc.server, http.MethodGet, getCurrentOrgURL, nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
}
func TestAPIEndpoint_PutCurrentOrg_LegacyAccessControl(t *testing.T) {
RBAC: Enable rbac when creating new settings (#53531) * Settings: Set RBACEnabled to true by default * Remove accessControlEnabledFlag and explicitly set to false when needed * Disable rbac for tests
2022-08-11 21:37:31 +08:00
cfg := setting.NewCfg()
cfg.RBACEnabled = false
sc := setupHTTPServerWithCfg(t, true, cfg)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
_, err := sc.db.CreateOrgWithMember("TestOrg", testUserID)
require.NoError(t, err)
input := strings.NewReader(testUpdateOrgNameForm)
setInitCtxSignedInViewer(sc.initCtx)
t.Run("Viewer cannot update current org", func(t *testing.T) {
response := callAPI(sc.server, http.MethodPut, putCurrentOrgURL, input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
setInitCtxSignedInOrgAdmin(sc.initCtx)
Chore: Move updateorg out of sqlstore (#54111) * Chore: move updateorg out of sqlstore * fix api test
2022-08-24 01:26:21 +08:00
sc.hs.orgService = orgimpl.ProvideService(sc.db, sc.cfg)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
t.Run("Admin can update current org", func(t *testing.T) {
response := callAPI(sc.server, http.MethodPut, putCurrentOrgURL, input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
}
func TestAPIEndpoint_PutCurrentOrg_AccessControl(t *testing.T) {
RBAC: Enable rbac when creating new settings (#53531) * Settings: Set RBACEnabled to true by default * Remove accessControlEnabledFlag and explicitly set to false when needed * Disable rbac for tests
2022-08-11 21:37:31 +08:00
sc := setupHTTPServer(t, true)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
setInitCtxSignedInViewer(sc.initCtx)
Chore: Add user service method SetUsingOrg and GetSignedInUserWithCacheCtx (#53343) * Chore: Add user service method SetUsingOrg * Chore: Add user service method GetSignedInUserWithCacheCtx * Use method GetSignedInUserWithCacheCtx from user service * Fix lint after rebase * Fix lint * Fix lint error * roll back some changes * Roll back changes in api and middleware * Add xorm tags to SignedInUser ID fields
2022-08-11 19:28:55 +08:00
_, err := sc.db.CreateOrgWithMember("TestOrg", sc.initCtx.UserID)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
require.NoError(t, err)
Chore: Move updateorg out of sqlstore (#54111) * Chore: move updateorg out of sqlstore * fix api test
2022-08-24 01:26:21 +08:00
sc.hs.orgService = orgimpl.ProvideService(sc.db, sc.cfg)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
input := strings.NewReader(testUpdateOrgNameForm)
t.Run("AccessControl allows updating current org with correct permissions", func(t *testing.T) {
NavTree: Refactor out the navtree building from api/index.go and into it's own service (#55552)
2022-09-23 04:04:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsWrite}}, sc.initCtx.OrgID)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
response := callAPI(sc.server, http.MethodPut, putCurrentOrgURL, input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
t.Run("AccessControl prevents updating current org with correct permissions in another org", func(t *testing.T) {
NavTree: Refactor out the navtree building from api/index.go and into it's own service (#55552)
2022-09-23 04:04:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsWrite}}, 2)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
response := callAPI(sc.server, http.MethodPut, putCurrentOrgURL, input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
t.Run("AccessControl prevents updating current org with incorrect permissions", func(t *testing.T) {
Chore: Add user service method SetUsingOrg and GetSignedInUserWithCacheCtx (#53343) * Chore: Add user service method SetUsingOrg * Chore: Add user service method GetSignedInUserWithCacheCtx * Use method GetSignedInUserWithCacheCtx from user service * Fix lint after rebase * Fix lint * Fix lint error * roll back some changes * Roll back changes in api and middleware * Add xorm tags to SignedInUser ID fields
2022-08-11 19:28:55 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgID)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
response := callAPI(sc.server, http.MethodPut, putCurrentOrgURL, input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
}
func TestAPIEndpoint_PutCurrentOrgAddress_LegacyAccessControl(t *testing.T) {
RBAC: Enable rbac when creating new settings (#53531) * Settings: Set RBACEnabled to true by default * Remove accessControlEnabledFlag and explicitly set to false when needed * Disable rbac for tests
2022-08-11 21:37:31 +08:00
cfg := setting.NewCfg()
cfg.RBACEnabled = false
sc := setupHTTPServerWithCfg(t, true, cfg)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
_, err := sc.db.CreateOrgWithMember("TestOrg", testUserID)
require.NoError(t, err)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
input := strings.NewReader(testUpdateOrgAddressForm)
setInitCtxSignedInViewer(sc.initCtx)
t.Run("Viewer cannot update current org address", func(t *testing.T) {
response := callAPI(sc.server, http.MethodPut, putCurrentOrgAddressURL, input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
setInitCtxSignedInOrgAdmin(sc.initCtx)
t.Run("Admin can update current org address", func(t *testing.T) {
response := callAPI(sc.server, http.MethodPut, putCurrentOrgAddressURL, input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
}
func TestAPIEndpoint_PutCurrentOrgAddress_AccessControl(t *testing.T) {
RBAC: Enable rbac when creating new settings (#53531) * Settings: Set RBACEnabled to true by default * Remove accessControlEnabledFlag and explicitly set to false when needed * Disable rbac for tests
2022-08-11 21:37:31 +08:00
sc := setupHTTPServer(t, true)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
setInitCtxSignedInViewer(sc.initCtx)
_, err := sc.db.CreateOrgWithMember("TestOrg", testUserID)
require.NoError(t, err)
input := strings.NewReader(testUpdateOrgAddressForm)
t.Run("AccessControl allows updating current org address with correct permissions", func(t *testing.T) {
NavTree: Refactor out the navtree building from api/index.go and into it's own service (#55552)
2022-09-23 04:04:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsWrite}}, sc.initCtx.OrgID)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
response := callAPI(sc.server, http.MethodPut, putCurrentOrgAddressURL, input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
input = strings.NewReader(testUpdateOrgAddressForm)
t.Run("AccessControl prevents updating current org address with correct permissions in another org", func(t *testing.T) {
NavTree: Refactor out the navtree building from api/index.go and into it's own service (#55552)
2022-09-23 04:04:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsWrite}}, 2)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
response := callAPI(sc.server, http.MethodPut, putCurrentOrgAddressURL, input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
t.Run("AccessControl prevents updating current org address with incorrect permissions", func(t *testing.T) {
Chore: Add user service method SetUsingOrg and GetSignedInUserWithCacheCtx (#53343) * Chore: Add user service method SetUsingOrg * Chore: Add user service method GetSignedInUserWithCacheCtx * Use method GetSignedInUserWithCacheCtx from user service * Fix lint after rebase * Fix lint * Fix lint error * roll back some changes * Roll back changes in api and middleware * Add xorm tags to SignedInUser ID fields
2022-08-11 19:28:55 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, sc.initCtx.OrgID)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
response := callAPI(sc.server, http.MethodPut, putCurrentOrgAddressURL, input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
}
// `/api/orgs/` endpoints test
Chore: Remove GetSignedInUserWithCacheCtx from store interface (#53734) * Remove delete suer from store interface * Remove get signed in user with cache ctx from store interface * Support options when setting up access control tests * Fix broken tests * Fix lint * Add user fake to middleware * Fix middleware tests, remove usertest being initialised twice Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2022-08-16 22:08:59 +08:00
// setupOrgsDBForAccessControlTests creates orgs up until orgID and fake user as member of org
Remove org methods from sqlstore interface (#56358) * Remove org methods from sqlstore interface * Remove some mocks * Fix some tests
2022-10-05 21:47:56 +08:00
func setupOrgsDBForAccessControlTests(t *testing.T, db *sqlstore.SQLStore, c accessControlScenarioContext, orgID int64) {
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
t.Helper()
Chore: Remove GetSignedInUserWithCacheCtx from store interface (#53734) * Remove delete suer from store interface * Remove get signed in user with cache ctx from store interface * Support options when setting up access control tests * Fix broken tests * Fix lint * Add user fake to middleware * Fix middleware tests, remove usertest being initialised twice Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2022-08-16 22:08:59 +08:00
setInitCtxSignedInViewer(c.initCtx)
u := *c.initCtx.SignedInUser
u.OrgID = orgID
UserService: use the UserService instead of calling sqlstore directly (#55745) * UserService: update callers to use the UserService instead of calling sqlstore directly There is one major change hiding in this PR. UserService.Delete originally called a number of services to delete user-related records. I moved everything except the actual call to the user table, and moved those into the API. This was done to avoid dependencies cycles; many of our services depend on the user service, so the user service itself should have as few dependencies as possible.
2022-09-27 19:58:49 +08:00
c.userService.(*usertest.FakeUserService).ExpectedSignedInUser = &u
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
// Create `orgsCount` orgs
Chore: Remove GetSignedInUserWithCacheCtx from store interface (#53734) * Remove delete suer from store interface * Remove get signed in user with cache ctx from store interface * Support options when setting up access control tests * Fix broken tests * Fix lint * Add user fake to middleware * Fix middleware tests, remove usertest being initialised twice Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2022-08-16 22:08:59 +08:00
for i := 1; i <= int(orgID); i++ {
_, err := db.CreateOrgWithMember(fmt.Sprintf("TestOrg%v", i), 0)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
require.NoError(t, err)
}
}
func TestAPIEndpoint_CreateOrgs_LegacyAccessControl(t *testing.T) {
RBAC: Enable rbac when creating new settings (#53531) * Settings: Set RBACEnabled to true by default * Remove accessControlEnabledFlag and explicitly set to false when needed * Disable rbac for tests
2022-08-11 21:37:31 +08:00
cfg := setting.NewCfg()
cfg.RBACEnabled = false
sc := setupHTTPServerWithCfg(t, true, cfg)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
setInitCtxSignedInViewer(sc.initCtx)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
setting.AllowUserOrgCreate = false
input := strings.NewReader(fmt.Sprintf(testCreateOrgCmd, 2))
t.Run("Viewer cannot create Orgs", func(t *testing.T) {
response := callAPI(sc.server, http.MethodPost, createOrgsURL, input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
sc.initCtx.SignedInUser.IsGrafanaAdmin = true
input = strings.NewReader(fmt.Sprintf(testCreateOrgCmd, 3))
t.Run("Grafana Admin viewer can create Orgs", func(t *testing.T) {
response := callAPI(sc.server, http.MethodPost, createOrgsURL, input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
sc.initCtx.SignedInUser.IsGrafanaAdmin = false
setting.AllowUserOrgCreate = true
input = strings.NewReader(fmt.Sprintf(testCreateOrgCmd, 4))
t.Run("User viewer can create Orgs when AllowUserOrgCreate setting is true", func(t *testing.T) {
response := callAPI(sc.server, http.MethodPost, createOrgsURL, input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
}
func TestAPIEndpoint_CreateOrgs_AccessControl(t *testing.T) {
RBAC: Enable rbac when creating new settings (#53531) * Settings: Set RBACEnabled to true by default * Remove accessControlEnabledFlag and explicitly set to false when needed * Disable rbac for tests
2022-08-11 21:37:31 +08:00
sc := setupHTTPServer(t, true)
Chore: Remove GetSignedInUserWithCacheCtx from store interface (#53734) * Remove delete suer from store interface * Remove get signed in user with cache ctx from store interface * Support options when setting up access control tests * Fix broken tests * Fix lint * Add user fake to middleware * Fix middleware tests, remove usertest being initialised twice Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2022-08-16 22:08:59 +08:00
setupOrgsDBForAccessControlTests(t, sc.db, sc, 0)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
input := strings.NewReader(fmt.Sprintf(testCreateOrgCmd, 2))
t.Run("AccessControl allows creating Orgs with correct permissions", func(t *testing.T) {
RBAC: Remove service dependency in Evaluator component (#54910) * RBAC: Remove service dependency for Evaluator component * RBAC: Add service and load permissions in target org if they are not there * RBAC: Use service if we need to load permissions for org * API: remove service injection into evaluator * API: set new user for each request in tests * PublicDashboards: Use fake service to provide permissions * RBAC: Set org id for dashboard provisioning user
2022-09-09 15:07:45 +08:00
setInitCtxSignedInViewer(sc.initCtx)
NavTree: Refactor out the navtree building from api/index.go and into it's own service (#55552)
2022-09-23 04:04:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsCreate}}, accesscontrol.GlobalOrgID)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
response := callAPI(sc.server, http.MethodPost, createOrgsURL, input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
input = strings.NewReader(fmt.Sprintf(testCreateOrgCmd, 3))
t.Run("AccessControl prevents creating Orgs with incorrect permissions", func(t *testing.T) {
RBAC: Remove service dependency in Evaluator component (#54910) * RBAC: Remove service dependency for Evaluator component * RBAC: Add service and load permissions in target org if they are not there * RBAC: Use service if we need to load permissions for org * API: remove service injection into evaluator * API: set new user for each request in tests * PublicDashboards: Use fake service to provide permissions * RBAC: Set org id for dashboard provisioning user
2022-09-09 15:07:45 +08:00
setInitCtxSignedInViewer(sc.initCtx)
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 16:17:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, accesscontrol.GlobalOrgID)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
response := callAPI(sc.server, http.MethodPost, createOrgsURL, input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
}
func TestAPIEndpoint_DeleteOrgs_LegacyAccessControl(t *testing.T) {
RBAC: Enable rbac when creating new settings (#53531) * Settings: Set RBACEnabled to true by default * Remove accessControlEnabledFlag and explicitly set to false when needed * Disable rbac for tests
2022-08-11 21:37:31 +08:00
cfg := setting.NewCfg()
cfg.RBACEnabled = false
sc := setupHTTPServerWithCfg(t, true, cfg)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
setInitCtxSignedInViewer(sc.initCtx)
Chore: Remove GetSignedInUserWithCacheCtx from store interface (#53734) * Remove delete suer from store interface * Remove get signed in user with cache ctx from store interface * Support options when setting up access control tests * Fix broken tests * Fix lint * Add user fake to middleware * Fix middleware tests, remove usertest being initialised twice Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2022-08-16 22:08:59 +08:00
setupOrgsDBForAccessControlTests(t, sc.db, sc, 2)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
t.Run("Viewer cannot delete Orgs", func(t *testing.T) {
response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(deleteOrgsURL, 2), nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
sc.initCtx.SignedInUser.IsGrafanaAdmin = true
t.Run("Grafana Admin viewer can delete Orgs", func(t *testing.T) {
response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(deleteOrgsURL, 2), nil, t)
assert.Equal(t, http.StatusOK, response.Code)
})
}
func TestAPIEndpoint_DeleteOrgs_AccessControl(t *testing.T) {
RBAC: Enable rbac when creating new settings (#53531) * Settings: Set RBACEnabled to true by default * Remove accessControlEnabledFlag and explicitly set to false when needed * Disable rbac for tests
2022-08-11 21:37:31 +08:00
sc := setupHTTPServer(t, true)
Chore: Remove GetSignedInUserWithCacheCtx from store interface (#53734) * Remove delete suer from store interface * Remove get signed in user with cache ctx from store interface * Support options when setting up access control tests * Fix broken tests * Fix lint * Add user fake to middleware * Fix middleware tests, remove usertest being initialised twice Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2022-08-16 22:08:59 +08:00
setupOrgsDBForAccessControlTests(t, sc.db, sc, 2)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
t.Run("AccessControl prevents deleting Orgs with incorrect permissions", func(t *testing.T) {
RBAC: Remove service dependency in Evaluator component (#54910) * RBAC: Remove service dependency for Evaluator component * RBAC: Add service and load permissions in target org if they are not there * RBAC: Use service if we need to load permissions for org * API: remove service injection into evaluator * API: set new user for each request in tests * PublicDashboards: Use fake service to provide permissions * RBAC: Set org id for dashboard provisioning user
2022-09-09 15:07:45 +08:00
setInitCtxSignedInViewer(sc.initCtx)
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 16:17:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(deleteOrgsURL, 2), nil, t)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
assert.Equal(t, http.StatusForbidden, response.Code)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
})
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
t.Run("AccessControl prevents deleting Orgs with correct permissions in another org", func(t *testing.T) {
RBAC: Remove service dependency in Evaluator component (#54910) * RBAC: Remove service dependency for Evaluator component * RBAC: Add service and load permissions in target org if they are not there * RBAC: Use service if we need to load permissions for org * API: remove service injection into evaluator * API: set new user for each request in tests * PublicDashboards: Use fake service to provide permissions * RBAC: Set org id for dashboard provisioning user
2022-09-09 15:07:45 +08:00
setInitCtxSignedInViewer(sc.initCtx)
NavTree: Refactor out the navtree building from api/index.go and into it's own service (#55552)
2022-09-23 04:04:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsDelete}}, 1)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(deleteOrgsURL, 2), nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
t.Run("AccessControl allows deleting Orgs with correct permissions", func(t *testing.T) {
RBAC: Remove service dependency in Evaluator component (#54910) * RBAC: Remove service dependency for Evaluator component * RBAC: Add service and load permissions in target org if they are not there * RBAC: Use service if we need to load permissions for org * API: remove service injection into evaluator * API: set new user for each request in tests * PublicDashboards: Use fake service to provide permissions * RBAC: Set org id for dashboard provisioning user
2022-09-09 15:07:45 +08:00
setInitCtxSignedInViewer(sc.initCtx)
NavTree: Refactor out the navtree building from api/index.go and into it's own service (#55552)
2022-09-23 04:04:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsDelete}}, 2)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(deleteOrgsURL, 2), nil, t)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
assert.Equal(t, http.StatusOK, response.Code)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
})
}
func TestAPIEndpoint_SearchOrgs_LegacyAccessControl(t *testing.T) {
RBAC: Enable rbac when creating new settings (#53531) * Settings: Set RBACEnabled to true by default * Remove accessControlEnabledFlag and explicitly set to false when needed * Disable rbac for tests
2022-08-11 21:37:31 +08:00
cfg := setting.NewCfg()
cfg.RBACEnabled = false
sc := setupHTTPServerWithCfg(t, true, cfg)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
setInitCtxSignedInViewer(sc.initCtx)
t.Run("Viewer cannot list Orgs", func(t *testing.T) {
response := callAPI(sc.server, http.MethodGet, searchOrgsURL, nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
sc.initCtx.SignedInUser.IsGrafanaAdmin = true
t.Run("Grafana Admin viewer can list Orgs", func(t *testing.T) {
response := callAPI(sc.server, http.MethodGet, searchOrgsURL, nil, t)
assert.Equal(t, http.StatusOK, response.Code)
})
}
func TestAPIEndpoint_SearchOrgs_AccessControl(t *testing.T) {
RBAC: Enable rbac when creating new settings (#53531) * Settings: Set RBACEnabled to true by default * Remove accessControlEnabledFlag and explicitly set to false when needed * Disable rbac for tests
2022-08-11 21:37:31 +08:00
sc := setupHTTPServer(t, true)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
t.Run("AccessControl allows listing Orgs with correct permissions", func(t *testing.T) {
RBAC: Remove service dependency in Evaluator component (#54910) * RBAC: Remove service dependency for Evaluator component * RBAC: Add service and load permissions in target org if they are not there * RBAC: Use service if we need to load permissions for org * API: remove service injection into evaluator * API: set new user for each request in tests * PublicDashboards: Use fake service to provide permissions * RBAC: Set org id for dashboard provisioning user
2022-09-09 15:07:45 +08:00
setInitCtxSignedInViewer(sc.initCtx)
NavTree: Refactor out the navtree building from api/index.go and into it's own service (#55552)
2022-09-23 04:04:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsRead}}, accesscontrol.GlobalOrgID)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
response := callAPI(sc.server, http.MethodGet, searchOrgsURL, nil, t)
assert.Equal(t, http.StatusOK, response.Code)
})
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
t.Run("AccessControl prevents listing Orgs with correct permissions not granted globally", func(t *testing.T) {
RBAC: Remove service dependency in Evaluator component (#54910) * RBAC: Remove service dependency for Evaluator component * RBAC: Add service and load permissions in target org if they are not there * RBAC: Use service if we need to load permissions for org * API: remove service injection into evaluator * API: set new user for each request in tests * PublicDashboards: Use fake service to provide permissions * RBAC: Set org id for dashboard provisioning user
2022-09-09 15:07:45 +08:00
setInitCtxSignedInViewer(sc.initCtx)
NavTree: Refactor out the navtree building from api/index.go and into it's own service (#55552)
2022-09-23 04:04:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsRead}}, 1)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
response := callAPI(sc.server, http.MethodGet, searchOrgsURL, nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
t.Run("AccessControl prevents listing Orgs with incorrect permissions", func(t *testing.T) {
RBAC: Remove service dependency in Evaluator component (#54910) * RBAC: Remove service dependency for Evaluator component * RBAC: Add service and load permissions in target org if they are not there * RBAC: Use service if we need to load permissions for org * API: remove service injection into evaluator * API: set new user for each request in tests * PublicDashboards: Use fake service to provide permissions * RBAC: Set org id for dashboard provisioning user
2022-09-09 15:07:45 +08:00
setInitCtxSignedInViewer(sc.initCtx)
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 16:17:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, accesscontrol.GlobalOrgID)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
response := callAPI(sc.server, http.MethodGet, searchOrgsURL, nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
}
func TestAPIEndpoint_GetOrg_LegacyAccessControl(t *testing.T) {
RBAC: Enable rbac when creating new settings (#53531) * Settings: Set RBACEnabled to true by default * Remove accessControlEnabledFlag and explicitly set to false when needed * Disable rbac for tests
2022-08-11 21:37:31 +08:00
cfg := setting.NewCfg()
cfg.RBACEnabled = false
sc := setupHTTPServerWithCfg(t, true, cfg)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
setInitCtxSignedInViewer(sc.initCtx)
// Create two orgs, to fetch another one than the logged in one
Chore: Remove GetSignedInUserWithCacheCtx from store interface (#53734) * Remove delete suer from store interface * Remove get signed in user with cache ctx from store interface * Support options when setting up access control tests * Fix broken tests * Fix lint * Add user fake to middleware * Fix middleware tests, remove usertest being initialised twice Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2022-08-16 22:08:59 +08:00
setupOrgsDBForAccessControlTests(t, sc.db, sc, 2)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
t.Run("Viewer cannot view another Org", func(t *testing.T) {
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsURL, 2), nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
sc.initCtx.SignedInUser.IsGrafanaAdmin = true
t.Run("Grafana admin viewer can view another Org", func(t *testing.T) {
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsURL, 2), nil, t)
assert.Equal(t, http.StatusOK, response.Code)
})
}
func TestAPIEndpoint_GetOrg_AccessControl(t *testing.T) {
RBAC: Enable rbac when creating new settings (#53531) * Settings: Set RBACEnabled to true by default * Remove accessControlEnabledFlag and explicitly set to false when needed * Disable rbac for tests
2022-08-11 21:37:31 +08:00
sc := setupHTTPServer(t, true)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
// Create two orgs, to fetch another one than the logged in one
Chore: Remove GetSignedInUserWithCacheCtx from store interface (#53734) * Remove delete suer from store interface * Remove get signed in user with cache ctx from store interface * Support options when setting up access control tests * Fix broken tests * Fix lint * Add user fake to middleware * Fix middleware tests, remove usertest being initialised twice Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2022-08-16 22:08:59 +08:00
setupOrgsDBForAccessControlTests(t, sc.db, sc, 2)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
t.Run("AccessControl allows viewing another org with correct permissions", func(t *testing.T) {
RBAC: Remove service dependency in Evaluator component (#54910) * RBAC: Remove service dependency for Evaluator component * RBAC: Add service and load permissions in target org if they are not there * RBAC: Use service if we need to load permissions for org * API: remove service injection into evaluator * API: set new user for each request in tests * PublicDashboards: Use fake service to provide permissions * RBAC: Set org id for dashboard provisioning user
2022-09-09 15:07:45 +08:00
setInitCtxSignedInViewer(sc.initCtx)
NavTree: Refactor out the navtree building from api/index.go and into it's own service (#55552)
2022-09-23 04:04:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsRead}}, 2)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsURL, 2), nil, t)
assert.Equal(t, http.StatusOK, response.Code)
})
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
t.Run("AccessControl prevents viewing another org with correct permissions in another org", func(t *testing.T) {
RBAC: Remove service dependency in Evaluator component (#54910) * RBAC: Remove service dependency for Evaluator component * RBAC: Add service and load permissions in target org if they are not there * RBAC: Use service if we need to load permissions for org * API: remove service injection into evaluator * API: set new user for each request in tests * PublicDashboards: Use fake service to provide permissions * RBAC: Set org id for dashboard provisioning user
2022-09-09 15:07:45 +08:00
setInitCtxSignedInViewer(sc.initCtx)
NavTree: Refactor out the navtree building from api/index.go and into it's own service (#55552)
2022-09-23 04:04:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsRead}}, 1)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsURL, 2), nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
t.Run("AccessControl prevents viewing another org with incorrect permissions", func(t *testing.T) {
RBAC: Remove service dependency in Evaluator component (#54910) * RBAC: Remove service dependency for Evaluator component * RBAC: Add service and load permissions in target org if they are not there * RBAC: Use service if we need to load permissions for org * API: remove service injection into evaluator * API: set new user for each request in tests * PublicDashboards: Use fake service to provide permissions * RBAC: Set org id for dashboard provisioning user
2022-09-09 15:07:45 +08:00
setInitCtxSignedInViewer(sc.initCtx)
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 16:17:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsURL, 2), nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
}
func TestAPIEndpoint_GetOrgByName_LegacyAccessControl(t *testing.T) {
RBAC: Enable rbac when creating new settings (#53531) * Settings: Set RBACEnabled to true by default * Remove accessControlEnabledFlag and explicitly set to false when needed * Disable rbac for tests
2022-08-11 21:37:31 +08:00
cfg := setting.NewCfg()
cfg.RBACEnabled = false
sc := setupHTTPServerWithCfg(t, true, cfg)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
setInitCtxSignedInViewer(sc.initCtx)
// Create two orgs, to fetch another one than the logged in one
Chore: Remove GetSignedInUserWithCacheCtx from store interface (#53734) * Remove delete suer from store interface * Remove get signed in user with cache ctx from store interface * Support options when setting up access control tests * Fix broken tests * Fix lint * Add user fake to middleware * Fix middleware tests, remove usertest being initialised twice Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2022-08-16 22:08:59 +08:00
setupOrgsDBForAccessControlTests(t, sc.db, sc, 2)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
t.Run("Viewer cannot view another Org", func(t *testing.T) {
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsByNameURL, "TestOrg2"), nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
sc.initCtx.SignedInUser.IsGrafanaAdmin = true
t.Run("Grafana admin viewer can view another Org", func(t *testing.T) {
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsByNameURL, "TestOrg2"), nil, t)
assert.Equal(t, http.StatusOK, response.Code)
})
}
func TestAPIEndpoint_GetOrgByName_AccessControl(t *testing.T) {
RBAC: Enable rbac when creating new settings (#53531) * Settings: Set RBACEnabled to true by default * Remove accessControlEnabledFlag and explicitly set to false when needed * Disable rbac for tests
2022-08-11 21:37:31 +08:00
sc := setupHTTPServer(t, true)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
// Create two orgs, to fetch another one than the logged in one
Chore: Remove GetSignedInUserWithCacheCtx from store interface (#53734) * Remove delete suer from store interface * Remove get signed in user with cache ctx from store interface * Support options when setting up access control tests * Fix broken tests * Fix lint * Add user fake to middleware * Fix middleware tests, remove usertest being initialised twice Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2022-08-16 22:08:59 +08:00
setupOrgsDBForAccessControlTests(t, sc.db, sc, 2)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
t.Run("AccessControl allows viewing another org with correct permissions", func(t *testing.T) {
RBAC: Remove service dependency in Evaluator component (#54910) * RBAC: Remove service dependency for Evaluator component * RBAC: Add service and load permissions in target org if they are not there * RBAC: Use service if we need to load permissions for org * API: remove service injection into evaluator * API: set new user for each request in tests * PublicDashboards: Use fake service to provide permissions * RBAC: Set org id for dashboard provisioning user
2022-09-09 15:07:45 +08:00
setInitCtxSignedInViewer(sc.initCtx)
NavTree: Refactor out the navtree building from api/index.go and into it's own service (#55552)
2022-09-23 04:04:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsRead}}, accesscontrol.GlobalOrgID)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsByNameURL, "TestOrg2"), nil, t)
assert.Equal(t, http.StatusOK, response.Code)
})
t.Run("AccessControl prevents viewing another org with incorrect permissions", func(t *testing.T) {
RBAC: Remove service dependency in Evaluator component (#54910) * RBAC: Remove service dependency for Evaluator component * RBAC: Add service and load permissions in target org if they are not there * RBAC: Use service if we need to load permissions for org * API: remove service injection into evaluator * API: set new user for each request in tests * PublicDashboards: Use fake service to provide permissions * RBAC: Set org id for dashboard provisioning user
2022-09-09 15:07:45 +08:00
setInitCtxSignedInViewer(sc.initCtx)
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 16:17:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, accesscontrol.GlobalOrgID)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsByNameURL, "TestOrg2"), nil, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
}
func TestAPIEndpoint_PutOrg_LegacyAccessControl(t *testing.T) {
RBAC: Enable rbac when creating new settings (#53531) * Settings: Set RBACEnabled to true by default * Remove accessControlEnabledFlag and explicitly set to false when needed * Disable rbac for tests
2022-08-11 21:37:31 +08:00
cfg := setting.NewCfg()
cfg.RBACEnabled = false
sc := setupHTTPServerWithCfg(t, true, cfg)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
setInitCtxSignedInViewer(sc.initCtx)
Chore: Move updateorg out of sqlstore (#54111) * Chore: move updateorg out of sqlstore * fix api test
2022-08-24 01:26:21 +08:00
sc.hs.orgService = orgimpl.ProvideService(sc.db, sc.cfg)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
// Create two orgs, to update another one than the logged in one
Chore: Remove GetSignedInUserWithCacheCtx from store interface (#53734) * Remove delete suer from store interface * Remove get signed in user with cache ctx from store interface * Support options when setting up access control tests * Fix broken tests * Fix lint * Add user fake to middleware * Fix middleware tests, remove usertest being initialised twice Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2022-08-16 22:08:59 +08:00
setupOrgsDBForAccessControlTests(t, sc.db, sc, 2)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
input := strings.NewReader(testUpdateOrgNameForm)
t.Run("Viewer cannot update another org", func(t *testing.T) {
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsURL, 2), input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
sc.initCtx.SignedInUser.IsGrafanaAdmin = true
t.Run("Grafana Admin can update another org", func(t *testing.T) {
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsURL, 2), input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
}
func TestAPIEndpoint_PutOrg_AccessControl(t *testing.T) {
RBAC: Enable rbac when creating new settings (#53531) * Settings: Set RBACEnabled to true by default * Remove accessControlEnabledFlag and explicitly set to false when needed * Disable rbac for tests
2022-08-11 21:37:31 +08:00
sc := setupHTTPServer(t, true)
Chore: Move updateorg out of sqlstore (#54111) * Chore: move updateorg out of sqlstore * fix api test
2022-08-24 01:26:21 +08:00
sc.hs.orgService = orgimpl.ProvideService(sc.db, sc.cfg)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
// Create two orgs, to update another one than the logged in one
Chore: Remove GetSignedInUserWithCacheCtx from store interface (#53734) * Remove delete suer from store interface * Remove get signed in user with cache ctx from store interface * Support options when setting up access control tests * Fix broken tests * Fix lint * Add user fake to middleware * Fix middleware tests, remove usertest being initialised twice Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2022-08-16 22:08:59 +08:00
setupOrgsDBForAccessControlTests(t, sc.db, sc, 2)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
input := strings.NewReader(testUpdateOrgNameForm)
t.Run("AccessControl allows updating another org with correct permissions", func(t *testing.T) {
RBAC: Remove service dependency in Evaluator component (#54910) * RBAC: Remove service dependency for Evaluator component * RBAC: Add service and load permissions in target org if they are not there * RBAC: Use service if we need to load permissions for org * API: remove service injection into evaluator * API: set new user for each request in tests * PublicDashboards: Use fake service to provide permissions * RBAC: Set org id for dashboard provisioning user
2022-09-09 15:07:45 +08:00
setInitCtxSignedInViewer(sc.initCtx)
NavTree: Refactor out the navtree building from api/index.go and into it's own service (#55552)
2022-09-23 04:04:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsWrite}}, 2)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsURL, 2), input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
t.Run("AccessControl prevents updating another org with correct permissions in another org", func(t *testing.T) {
RBAC: Remove service dependency in Evaluator component (#54910) * RBAC: Remove service dependency for Evaluator component * RBAC: Add service and load permissions in target org if they are not there * RBAC: Use service if we need to load permissions for org * API: remove service injection into evaluator * API: set new user for each request in tests * PublicDashboards: Use fake service to provide permissions * RBAC: Set org id for dashboard provisioning user
2022-09-09 15:07:45 +08:00
setInitCtxSignedInViewer(sc.initCtx)
NavTree: Refactor out the navtree building from api/index.go and into it's own service (#55552)
2022-09-23 04:04:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsWrite}}, 1)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsURL, 2), input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
t.Run("AccessControl prevents updating another org with incorrect permissions", func(t *testing.T) {
RBAC: Remove service dependency in Evaluator component (#54910) * RBAC: Remove service dependency for Evaluator component * RBAC: Add service and load permissions in target org if they are not there * RBAC: Use service if we need to load permissions for org * API: remove service injection into evaluator * API: set new user for each request in tests * PublicDashboards: Use fake service to provide permissions * RBAC: Set org id for dashboard provisioning user
2022-09-09 15:07:45 +08:00
setInitCtxSignedInViewer(sc.initCtx)
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 16:17:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsURL, 2), input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
}
func TestAPIEndpoint_PutOrgAddress_LegacyAccessControl(t *testing.T) {
RBAC: Enable rbac when creating new settings (#53531) * Settings: Set RBACEnabled to true by default * Remove accessControlEnabledFlag and explicitly set to false when needed * Disable rbac for tests
2022-08-11 21:37:31 +08:00
cfg := setting.NewCfg()
cfg.RBACEnabled = false
sc := setupHTTPServerWithCfg(t, true, cfg)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
setInitCtxSignedInViewer(sc.initCtx)
// Create two orgs, to update another one than the logged in one
Chore: Remove GetSignedInUserWithCacheCtx from store interface (#53734) * Remove delete suer from store interface * Remove get signed in user with cache ctx from store interface * Support options when setting up access control tests * Fix broken tests * Fix lint * Add user fake to middleware * Fix middleware tests, remove usertest being initialised twice Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2022-08-16 22:08:59 +08:00
setupOrgsDBForAccessControlTests(t, sc.db, sc, 2)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
input := strings.NewReader(testUpdateOrgAddressForm)
t.Run("Viewer cannot update another org address", func(t *testing.T) {
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsAddressURL, 2), input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
sc.initCtx.SignedInUser.IsGrafanaAdmin = true
t.Run("Grafana Admin can update another org address", func(t *testing.T) {
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsAddressURL, 2), input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
}
func TestAPIEndpoint_PutOrgAddress_AccessControl(t *testing.T) {
RBAC: Enable rbac when creating new settings (#53531) * Settings: Set RBACEnabled to true by default * Remove accessControlEnabledFlag and explicitly set to false when needed * Disable rbac for tests
2022-08-11 21:37:31 +08:00
sc := setupHTTPServer(t, true)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
// Create two orgs, to update another one than the logged in one
Chore: Remove GetSignedInUserWithCacheCtx from store interface (#53734) * Remove delete suer from store interface * Remove get signed in user with cache ctx from store interface * Support options when setting up access control tests * Fix broken tests * Fix lint * Add user fake to middleware * Fix middleware tests, remove usertest being initialised twice Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2022-08-16 22:08:59 +08:00
setupOrgsDBForAccessControlTests(t, sc.db, sc, 2)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
input := strings.NewReader(testUpdateOrgAddressForm)
t.Run("AccessControl allows updating another org address with correct permissions", func(t *testing.T) {
RBAC: Remove service dependency in Evaluator component (#54910) * RBAC: Remove service dependency for Evaluator component * RBAC: Add service and load permissions in target org if they are not there * RBAC: Use service if we need to load permissions for org * API: remove service injection into evaluator * API: set new user for each request in tests * PublicDashboards: Use fake service to provide permissions * RBAC: Set org id for dashboard provisioning user
2022-09-09 15:07:45 +08:00
setInitCtxSignedInViewer(sc.initCtx)
NavTree: Refactor out the navtree building from api/index.go and into it's own service (#55552)
2022-09-23 04:04:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsWrite}}, 2)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsAddressURL, 2), input, t)
assert.Equal(t, http.StatusOK, response.Code)
})
input = strings.NewReader(testUpdateOrgAddressForm)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
t.Run("AccessControl prevents updating another org address with correct permissions in the current org", func(t *testing.T) {
RBAC: Remove service dependency in Evaluator component (#54910) * RBAC: Remove service dependency for Evaluator component * RBAC: Add service and load permissions in target org if they are not there * RBAC: Use service if we need to load permissions for org * API: remove service injection into evaluator * API: set new user for each request in tests * PublicDashboards: Use fake service to provide permissions * RBAC: Set org id for dashboard provisioning user
2022-09-09 15:07:45 +08:00
setInitCtxSignedInViewer(sc.initCtx)
NavTree: Refactor out the navtree building from api/index.go and into it's own service (#55552)
2022-09-23 04:04:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsWrite}}, 1)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsAddressURL, 2), input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
t.Run("AccessControl prevents updating another org address with incorrect permissions", func(t *testing.T) {
RBAC: Remove service dependency in Evaluator component (#54910) * RBAC: Remove service dependency for Evaluator component * RBAC: Add service and load permissions in target org if they are not there * RBAC: Use service if we need to load permissions for org * API: remove service injection into evaluator * API: set new user for each request in tests * PublicDashboards: Use fake service to provide permissions * RBAC: Set org id for dashboard provisioning user
2022-09-09 15:07:45 +08:00
setInitCtxSignedInViewer(sc.initCtx)
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions
2022-06-14 16:17:48 +08:00
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-10-27 19:13:59 +08:00
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsAddressURL, 2), input, t)
assert.Equal(t, http.StatusForbidden, response.Code)
})
}