root
/
grafana
mirror of https://github.com/grafana/grafana.git
1
0
Fork 0
Code Issues Actions 84 Packages Projects Releases Wiki Activity
grafana/pkg/middleware/auth_test.go

440 lines
14 KiB
Go
Raw Normal View History

Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921
2015-05-02 18:06:58 +08:00
package middleware
import (
Auth: Use authn.Service for all tests (#72921) * Dashboards: Fix tests when authn broker is enabled. StarService was not configured for tests, the call was guarded by !c.IsSignedIn * Change default to be anon user to match expectations from tests * OAuth: rewrite tests to work with authn.Service * Setup template renderer by default * Extract cookie options from cfg instead of relying on global variables * Fix test to work with authn service * Middleware: rewrite auth tests * Remvoe session cookie if we cannot refresh access token
2023-08-09 14:54:52 +08:00
"errors"
Dashboard: Fixes kiosk state after being redirected to login page and back (#29273) * Login: Fixes issue where url parameters where modified by golang url code * Add tests * Fix test cases * Update pkg/middleware/auth_test.go Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com> * fixed formatting Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
2020-11-21 02:30:37 +08:00
"fmt"
Auth: Use authn.Service for all tests (#72921) * Dashboards: Fix tests when authn broker is enabled. StarService was not configured for tests, the call was guarded by !c.IsSignedIn * Change default to be anon user to match expectations from tests * OAuth: rewrite tests to work with authn.Service * Setup template renderer by default * Extract cookie options from cfg instead of relying on global variables * Fix test to work with authn service * Middleware: rewrite auth tests * Remvoe session cookie if we cannot refresh access token
2023-08-09 14:54:52 +08:00
"net/http"
"net/http/httptest"
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921
2015-05-02 18:06:58 +08:00
"testing"
chore: remove sqlstore & mockstore dependencies from (most) packages (#57087) * chore: add alias for InitTestDB and Session Adds an alias for the sqlstore InitTestDB and Session, and updates tests using these to reduce dependencies on the sqlstore.Store. * next pass of removing sqlstore imports * last little bit * remove mockstore where possible
2022-10-19 21:02:15 +08:00
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
Authlib: Use types package rather than claims (#99243)
2025-01-21 17:06:55 +08:00
authlib "github.com/grafana/authlib/types"
RBAC: Check forceLogin inside CanAdminPlugins (#93449)
2024-09-20 21:35:58 +08:00
"github.com/grafana/grafana/pkg/infra/log"
Plugins: Add backend check for app page role access (#78269) * add backend check for roles * tidy * fix tests * incorporate rbac * fix linter * apply PR feedback * add tests * fix logic * add comment * apply PR feedback
2023-12-18 23:12:46 +08:00
"github.com/grafana/grafana/pkg/infra/log/logtest"
"github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/services/accesscontrol/actest"
Auth: Use authn.Service for all tests (#72921) * Dashboards: Fix tests when authn broker is enabled. StarService was not configured for tests, the call was guarded by !c.IsSignedIn * Change default to be anon user to match expectations from tests * OAuth: rewrite tests to work with authn.Service * Setup template renderer by default * Extract cookie options from cfg instead of relying on global variables * Fix test to work with authn service * Middleware: rewrite auth tests * Remvoe session cookie if we cannot refresh access token
2023-08-09 14:54:52 +08:00
"github.com/grafana/grafana/pkg/services/authn"
"github.com/grafana/grafana/pkg/services/authn/authntest"
"github.com/grafana/grafana/pkg/services/contexthandler"
RBAC: Check forceLogin inside CanAdminPlugins (#93449)
2024-09-20 21:35:58 +08:00
"github.com/grafana/grafana/pkg/services/contexthandler/ctxkey"
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
Contexthandler: Remove code that is no longer used (#73101) * Contexthandler: remove dead code * Contexthandler: Add tests * Update pkg/tests/api/alerting/api_alertmanager_test.go Co-authored-by: Jo <joao.guerreiro@grafana.com> --------- Co-authored-by: Jo <joao.guerreiro@grafana.com>
2023-08-09 21:17:59 +08:00
"github.com/grafana/grafana/pkg/services/featuremgmt"
Plugins: Add backend check for app page role access (#78269) * add backend check for roles * tidy * fix tests * incorporate rbac * fix linter * apply PR feedback * add tests * fix logic * add comment * apply PR feedback
2023-12-18 23:12:46 +08:00
"github.com/grafana/grafana/pkg/services/org"
"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginstore"
RBAC: Check forceLogin inside CanAdminPlugins (#93449)
2024-09-20 21:35:58 +08:00
"github.com/grafana/grafana/pkg/services/user"
Snapshot: Fix http api (#18830) (cherry picked from commit be2e2330f5c1f92082841d7eb13c5583143963a4)
2019-09-02 21:15:46 +08:00
"github.com/grafana/grafana/pkg/setting"
Auth: Use authn.Service for all tests (#72921) * Dashboards: Fix tests when authn broker is enabled. StarService was not configured for tests, the call was guarded by !c.IsSignedIn * Change default to be anon user to match expectations from tests * OAuth: rewrite tests to work with authn.Service * Setup template renderer by default * Extract cookie options from cfg instead of relying on global variables * Fix test to work with authn service * Middleware: rewrite auth tests * Remvoe session cookie if we cannot refresh access token
2023-08-09 14:54:52 +08:00
"github.com/grafana/grafana/pkg/web"
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921
2015-05-02 18:06:58 +08:00
)
Auth: Use authn.Service for all tests (#72921) * Dashboards: Fix tests when authn broker is enabled. StarService was not configured for tests, the call was guarded by !c.IsSignedIn * Change default to be anon user to match expectations from tests * OAuth: rewrite tests to work with authn.Service * Setup template renderer by default * Extract cookie options from cfg instead of relying on global variables * Fix test to work with authn service * Middleware: rewrite auth tests * Remvoe session cookie if we cannot refresh access token
2023-08-09 14:54:52 +08:00
func setupAuthMiddlewareTest(t *testing.T, identity *authn.Identity, authErr error) *contexthandler.ContextHandler {
K8s: refactor build handler chain func to allow easier injection from enterprise (#100777)
2025-02-15 10:08:00 +08:00
return contexthandler.ProvideService(setting.NewCfg(), &authntest.FakeService{
Auth: Use authn.Service for all tests (#72921) * Dashboards: Fix tests when authn broker is enabled. StarService was not configured for tests, the call was guarded by !c.IsSignedIn * Change default to be anon user to match expectations from tests * OAuth: rewrite tests to work with authn.Service * Setup template renderer by default * Extract cookie options from cfg instead of relying on global variables * Fix test to work with authn service * Middleware: rewrite auth tests * Remvoe session cookie if we cannot refresh access token
2023-08-09 14:54:52 +08:00
ExpectedErr: authErr,
ExpectedIdentity: identity,
Auth: Use sessionStorage instead of cookie for automatic redirection (#92759) * WIP: working as expected, has to be tested * Rename query param, small changes * Remove unused code * Address feedback * Cleanup * Use the feature toggle to control the behaviour * Use the toggle on the FE too * Prevent the extra redirect/reload Co-authored-by: Josh Hunt <joshhunt@users.noreply.github.com> * Return to login if user is not authenticated * Add tracking issue * Align BE redirect constructor to locationSvc
2024-09-25 00:38:09 +08:00
}, featuremgmt.WithFeatures())
Auth: Use authn.Service for all tests (#72921) * Dashboards: Fix tests when authn broker is enabled. StarService was not configured for tests, the call was guarded by !c.IsSignedIn * Change default to be anon user to match expectations from tests * OAuth: rewrite tests to work with authn.Service * Setup template renderer by default * Extract cookie options from cfg instead of relying on global variables * Fix test to work with authn service * Middleware: rewrite auth tests * Remvoe session cookie if we cannot refresh access token
2023-08-09 14:54:52 +08:00
}
Auth: Should redirect to login when anonymous enabled and URL with different org than anonymous specified (#28158) If anonymous access is enabled for an org and there are multiple orgs. When requesting a page that requires user to be logged in and orgId query string is set in the request url to an org not equal the anonymous org, if the user is not logged in should be redirected to the login page. Fixes #26120 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
2020-10-23 22:34:35 +08:00
Auth: Use authn.Service for all tests (#72921) * Dashboards: Fix tests when authn broker is enabled. StarService was not configured for tests, the call was guarded by !c.IsSignedIn * Change default to be anon user to match expectations from tests * OAuth: rewrite tests to work with authn.Service * Setup template renderer by default * Extract cookie options from cfg instead of relying on global variables * Fix test to work with authn service * Middleware: rewrite auth tests * Remvoe session cookie if we cannot refresh access token
2023-08-09 14:54:52 +08:00
func TestAuth_Middleware(t *testing.T) {
Snapshots: Add RBAC roles for creating and deleting (#96126)
2024-11-26 20:13:17 +08:00
ac := &actest.FakeAccessControl{}
Auth: Use authn.Service for all tests (#72921) * Dashboards: Fix tests when authn broker is enabled. StarService was not configured for tests, the call was guarded by !c.IsSignedIn * Change default to be anon user to match expectations from tests * OAuth: rewrite tests to work with authn.Service * Setup template renderer by default * Extract cookie options from cfg instead of relying on global variables * Fix test to work with authn service * Middleware: rewrite auth tests * Remvoe session cookie if we cannot refresh access token
2023-08-09 14:54:52 +08:00
type testCase struct {
desc string
identity *authn.Identity
path string
authErr error
authMiddleware web.Handler
expecedReached bool
expectedCode int
}
Snapshot: Fix http api (#18830) (cherry picked from commit be2e2330f5c1f92082841d7eb13c5583143963a4)
2019-09-02 21:15:46 +08:00
Auth: Use authn.Service for all tests (#72921) * Dashboards: Fix tests when authn broker is enabled. StarService was not configured for tests, the call was guarded by !c.IsSignedIn * Change default to be anon user to match expectations from tests * OAuth: rewrite tests to work with authn.Service * Setup template renderer by default * Extract cookie options from cfg instead of relying on global variables * Fix test to work with authn service * Middleware: rewrite auth tests * Remvoe session cookie if we cannot refresh access token
2023-08-09 14:54:52 +08:00
tests := []testCase{
{
desc: "ReqSignedIn should redirect unauthenticated request to secure endpoint",
path: "/secure",
authMiddleware: ReqSignedIn,
authErr: errors.New("no auth"),
expectedCode: http.StatusFound,
},
{
desc: "ReqSignedIn should return 401 for api endpint",
path: "/api/secure",
authMiddleware: ReqSignedIn,
authErr: errors.New("no auth"),
expectedCode: http.StatusUnauthorized,
},
{
desc: "ReqSignedIn should return 200 for anonymous user",
path: "/api/secure",
authMiddleware: ReqSignedIn,
Authlib: Use types package rather than claims (#99243)
2025-01-21 17:06:55 +08:00
identity: &authn.Identity{Type: authlib.TypeAnonymous},
Auth: Use authn.Service for all tests (#72921) * Dashboards: Fix tests when authn broker is enabled. StarService was not configured for tests, the call was guarded by !c.IsSignedIn * Change default to be anon user to match expectations from tests * OAuth: rewrite tests to work with authn.Service * Setup template renderer by default * Extract cookie options from cfg instead of relying on global variables * Fix test to work with authn service * Middleware: rewrite auth tests * Remvoe session cookie if we cannot refresh access token
2023-08-09 14:54:52 +08:00
expecedReached: true,
expectedCode: http.StatusOK,
},
{
desc: "ReqSignedIn should return redirect anonymous user with forceLogin query string",
path: "/secure?forceLogin=true",
authMiddleware: ReqSignedIn,
Authlib: Use types package rather than claims (#99243)
2025-01-21 17:06:55 +08:00
identity: &authn.Identity{Type: authlib.TypeAnonymous},
Auth: Use authn.Service for all tests (#72921) * Dashboards: Fix tests when authn broker is enabled. StarService was not configured for tests, the call was guarded by !c.IsSignedIn * Change default to be anon user to match expectations from tests * OAuth: rewrite tests to work with authn.Service * Setup template renderer by default * Extract cookie options from cfg instead of relying on global variables * Fix test to work with authn service * Middleware: rewrite auth tests * Remvoe session cookie if we cannot refresh access token
2023-08-09 14:54:52 +08:00
expecedReached: false,
expectedCode: http.StatusFound,
},
{
desc: "ReqSignedIn should return redirect anonymous user when orgId in query string is different from currently used",
path: "/secure?orgId=2",
authMiddleware: ReqSignedIn,
Authlib: Use types package rather than claims (#99243)
2025-01-21 17:06:55 +08:00
identity: &authn.Identity{Type: authlib.TypeAnonymous},
Auth: Use authn.Service for all tests (#72921) * Dashboards: Fix tests when authn broker is enabled. StarService was not configured for tests, the call was guarded by !c.IsSignedIn * Change default to be anon user to match expectations from tests * OAuth: rewrite tests to work with authn.Service * Setup template renderer by default * Extract cookie options from cfg instead of relying on global variables * Fix test to work with authn service * Middleware: rewrite auth tests * Remvoe session cookie if we cannot refresh access token
2023-08-09 14:54:52 +08:00
expecedReached: false,
expectedCode: http.StatusFound,
},
{
desc: "ReqSignedInNoAnonymous should return 401 for anonymous user",
path: "/api/secure",
authMiddleware: ReqSignedInNoAnonymous,
Authlib: Use types package rather than claims (#99243)
2025-01-21 17:06:55 +08:00
identity: &authn.Identity{Type: authlib.TypeAnonymous},
Auth: Use authn.Service for all tests (#72921) * Dashboards: Fix tests when authn broker is enabled. StarService was not configured for tests, the call was guarded by !c.IsSignedIn * Change default to be anon user to match expectations from tests * OAuth: rewrite tests to work with authn.Service * Setup template renderer by default * Extract cookie options from cfg instead of relying on global variables * Fix test to work with authn service * Middleware: rewrite auth tests * Remvoe session cookie if we cannot refresh access token
2023-08-09 14:54:52 +08:00
expecedReached: false,
expectedCode: http.StatusUnauthorized,
},
{
desc: "ReqSignedInNoAnonymous should return 200 for authenticated user",
path: "/api/secure",
authMiddleware: ReqSignedInNoAnonymous,
Authlib: Use types package rather than claims (#99243)
2025-01-21 17:06:55 +08:00
identity: &authn.Identity{ID: "1", Type: authlib.TypeUser},
Auth: Use authn.Service for all tests (#72921) * Dashboards: Fix tests when authn broker is enabled. StarService was not configured for tests, the call was guarded by !c.IsSignedIn * Change default to be anon user to match expectations from tests * OAuth: rewrite tests to work with authn.Service * Setup template renderer by default * Extract cookie options from cfg instead of relying on global variables * Fix test to work with authn service * Middleware: rewrite auth tests * Remvoe session cookie if we cannot refresh access token
2023-08-09 14:54:52 +08:00
expecedReached: true,
expectedCode: http.StatusOK,
},
{
desc: "snapshot public mode disabled should return 200 for authenticated user",
path: "/api/secure",
Snapshots: Add RBAC roles for creating and deleting (#96126)
2024-11-26 20:13:17 +08:00
authMiddleware: SnapshotPublicModeOrCreate(&setting.Cfg{SnapshotPublicMode: false}, ac),
Authlib: Use types package rather than claims (#99243)
2025-01-21 17:06:55 +08:00
identity: &authn.Identity{ID: "1", Type: authlib.TypeUser},
Auth: Use authn.Service for all tests (#72921) * Dashboards: Fix tests when authn broker is enabled. StarService was not configured for tests, the call was guarded by !c.IsSignedIn * Change default to be anon user to match expectations from tests * OAuth: rewrite tests to work with authn.Service * Setup template renderer by default * Extract cookie options from cfg instead of relying on global variables * Fix test to work with authn service * Middleware: rewrite auth tests * Remvoe session cookie if we cannot refresh access token
2023-08-09 14:54:52 +08:00
expecedReached: true,
expectedCode: http.StatusOK,
},
{
desc: "snapshot public mode disabled should return 401 for unauthenticated request",
path: "/api/secure",
Snapshots: Add RBAC roles for creating and deleting (#96126)
2024-11-26 20:13:17 +08:00
authMiddleware: SnapshotPublicModeOrCreate(&setting.Cfg{SnapshotPublicMode: false}, ac),
Auth: Use authn.Service for all tests (#72921) * Dashboards: Fix tests when authn broker is enabled. StarService was not configured for tests, the call was guarded by !c.IsSignedIn * Change default to be anon user to match expectations from tests * OAuth: rewrite tests to work with authn.Service * Setup template renderer by default * Extract cookie options from cfg instead of relying on global variables * Fix test to work with authn service * Middleware: rewrite auth tests * Remvoe session cookie if we cannot refresh access token
2023-08-09 14:54:52 +08:00
authErr: errors.New("no auth"),
expecedReached: false,
expectedCode: http.StatusUnauthorized,
},
{
desc: "snapshot public mode enabled should return 200 for unauthenticated request",
path: "/api/secure",
Snapshots: Add RBAC roles for creating and deleting (#96126)
2024-11-26 20:13:17 +08:00
authMiddleware: SnapshotPublicModeOrCreate(&setting.Cfg{SnapshotPublicMode: true}, ac),
Auth: Use authn.Service for all tests (#72921) * Dashboards: Fix tests when authn broker is enabled. StarService was not configured for tests, the call was guarded by !c.IsSignedIn * Change default to be anon user to match expectations from tests * OAuth: rewrite tests to work with authn.Service * Setup template renderer by default * Extract cookie options from cfg instead of relying on global variables * Fix test to work with authn service * Middleware: rewrite auth tests * Remvoe session cookie if we cannot refresh access token
2023-08-09 14:54:52 +08:00
authErr: errors.New("no auth"),
expecedReached: true,
expectedCode: http.StatusOK,
},
}
Snapshots: Disallow anonymous user to create snapshots (#31263)
2021-02-17 16:51:50 +08:00
Auth: Use authn.Service for all tests (#72921) * Dashboards: Fix tests when authn broker is enabled. StarService was not configured for tests, the call was guarded by !c.IsSignedIn * Change default to be anon user to match expectations from tests * OAuth: rewrite tests to work with authn.Service * Setup template renderer by default * Extract cookie options from cfg instead of relying on global variables * Fix test to work with authn service * Middleware: rewrite auth tests * Remvoe session cookie if we cannot refresh access token
2023-08-09 14:54:52 +08:00
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
ctxHandler := setupAuthMiddlewareTest(t, tt.identity, tt.authErr)
server := web.New()
server.Use(ctxHandler.Middleware)
server.Use(tt.authMiddleware)
var reached bool
server.Get("/secure", func(c *contextmodel.ReqContext) {
reached = true
c.Resp.WriteHeader(http.StatusOK)
})
server.Get("/api/secure", func(c *contextmodel.ReqContext) {
reached = true
c.Resp.WriteHeader(http.StatusOK)
})
req, err := http.NewRequest(http.MethodGet, tt.path, nil)
require.NoError(t, err)
recorder := httptest.NewRecorder()
server.ServeHTTP(recorder, req)
res := recorder.Result()
assert.Equal(t, tt.expecedReached, reached)
assert.Equal(t, tt.expectedCode, res.StatusCode)
require.NoError(t, res.Body.Close())
})
}
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921
2015-05-02 18:06:58 +08:00
}
Dashboard: Fixes kiosk state after being redirected to login page and back (#29273) * Login: Fixes issue where url parameters where modified by golang url code * Add tests * Fix test cases * Update pkg/middleware/auth_test.go Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com> * fixed formatting Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
2020-11-21 02:30:37 +08:00
Plugins: Add backend check for app page role access (#78269) * add backend check for roles * tidy * fix tests * incorporate rbac * fix linter * apply PR feedback * add tests * fix logic * add comment * apply PR feedback
2023-12-18 23:12:46 +08:00
func TestRoleAppPluginAuth(t *testing.T) {
t.Run("Verify user's role when requesting app route which requires role", func(t *testing.T) {
appSubURL := setting.AppSubUrl
setting.AppSubUrl = "/grafana/"
t.Cleanup(func() {
setting.AppSubUrl = appSubURL
})
tcs := []struct {
roleRequired org.RoleType
role org.RoleType
expStatus int
expBody string
expLocation string
}{
{roleRequired: org.RoleViewer, role: org.RoleAdmin, expStatus: http.StatusOK, expBody: ""},
{roleRequired: org.RoleAdmin, role: org.RoleAdmin, expStatus: http.StatusOK, expBody: ""},
{roleRequired: org.RoleAdmin, role: org.RoleViewer, expStatus: http.StatusFound, expBody: "<a href=\"/grafana/\">Found</a>.\n\n", expLocation: "/grafana/"},
{roleRequired: "", role: org.RoleViewer, expStatus: http.StatusOK, expBody: ""},
{roleRequired: org.RoleEditor, role: "", expStatus: http.StatusFound, expBody: "<a href=\"/grafana/\">Found</a>.\n\n", expLocation: "/grafana/"},
}
const path = "/a/test-app/test"
for i, tc := range tcs {
t.Run(fmt.Sprintf("testcase %d", i), func(t *testing.T) {
ps := pluginstore.NewFakePluginStore(pluginstore.Plugin{
JSONData: plugins.JSONData{
ID: "test-app",
Includes: []*plugins.Includes{
{
Type: "page",
Role: tc.roleRequired,
Path: path,
},
},
},
})
middlewareScenario(t, t.Name(), func(t *testing.T, sc *scenarioContext) {
sc.withIdentity(&authn.Identity{
OrgRoles: map[int64]org.RoleType{
0: tc.role,
},
})
logger := &logtest.Fake{}
ac := &actest.FakeAccessControl{}
RBAC: Remove accessControlOnCall feature toggle (#101222) * RBAC: Remove accessControlOnCall feature toggle * Leave the other one in place * Tests * frontend * Readd empty ft to frontend test * Remove legacy RBAC check * Fix test * no need for context * Remove unused variable * Remove unecessary param * remove unecessary param from tests * More tests :D
2025-02-25 20:44:40 +08:00
sc.m.Get("/a/:id/*", RoleAppPluginAuth(ac, ps, logger), func(c *contextmodel.ReqContext) {
Plugins: Add backend check for app page role access (#78269) * add backend check for roles * tidy * fix tests * incorporate rbac * fix linter * apply PR feedback * add tests * fix logic * add comment * apply PR feedback
2023-12-18 23:12:46 +08:00
c.JSON(http.StatusOK, map[string]interface{}{})
})
sc.fakeReq("GET", path).exec()
assert.Equal(t, tc.expStatus, sc.resp.Code)
assert.Equal(t, tc.expBody, sc.resp.Body.String())
assert.Equal(t, tc.expLocation, sc.resp.Header().Get("Location"))
})
})
}
})
// We return success in this case because the frontend takes care of rendering the 404 page
middlewareScenario(t, "Plugin is not found returns success", func(t *testing.T, sc *scenarioContext) {
sc.withIdentity(&authn.Identity{
OrgRoles: map[int64]org.RoleType{
0: org.RoleViewer,
},
})
logger := &logtest.Fake{}
ac := &actest.FakeAccessControl{}
RBAC: Remove accessControlOnCall feature toggle (#101222) * RBAC: Remove accessControlOnCall feature toggle * Leave the other one in place * Tests * frontend * Readd empty ft to frontend test * Remove legacy RBAC check * Fix test * no need for context * Remove unused variable * Remove unecessary param * remove unecessary param from tests * More tests :D
2025-02-25 20:44:40 +08:00
sc.m.Get("/a/:id/*", RoleAppPluginAuth(ac, &pluginstore.FakePluginStore{}, logger), func(c *contextmodel.ReqContext) {
Plugins: Add backend check for app page role access (#78269) * add backend check for roles * tidy * fix tests * incorporate rbac * fix linter * apply PR feedback * add tests * fix logic * add comment * apply PR feedback
2023-12-18 23:12:46 +08:00
c.JSON(http.StatusOK, map[string]interface{}{})
})
sc.fakeReq("GET", "/a/test-app/test").exec()
assert.Equal(t, 200, sc.resp.Code)
assert.Equal(t, "", sc.resp.Body.String())
})
// We return success in this case because the frontend takes care of rendering the right page based on its router
middlewareScenario(t, "Plugin page not found returns success", func(t *testing.T, sc *scenarioContext) {
sc.withIdentity(&authn.Identity{
OrgRoles: map[int64]org.RoleType{
0: org.RoleViewer,
},
})
logger := &logtest.Fake{}
ac := &actest.FakeAccessControl{}
sc.m.Get("/a/:id/*", RoleAppPluginAuth(ac, pluginstore.NewFakePluginStore(pluginstore.Plugin{
JSONData: plugins.JSONData{
ID: "test-app",
Includes: []*plugins.Includes{
{
Type: "page",
Role: org.RoleViewer,
Path: "/a/test-app/test",
},
},
},
RBAC: Remove accessControlOnCall feature toggle (#101222) * RBAC: Remove accessControlOnCall feature toggle * Leave the other one in place * Tests * frontend * Readd empty ft to frontend test * Remove legacy RBAC check * Fix test * no need for context * Remove unused variable * Remove unecessary param * remove unecessary param from tests * More tests :D
2025-02-25 20:44:40 +08:00
}), logger), func(c *contextmodel.ReqContext) {
Plugins: Add backend check for app page role access (#78269) * add backend check for roles * tidy * fix tests * incorporate rbac * fix linter * apply PR feedback * add tests * fix logic * add comment * apply PR feedback
2023-12-18 23:12:46 +08:00
c.JSON(http.StatusOK, map[string]interface{}{})
})
sc.fakeReq("GET", "/a/test-app/notExistingPath").exec()
assert.Equal(t, 200, sc.resp.Code)
assert.Equal(t, "", sc.resp.Body.String())
})
t.Run("Plugin include with RBAC", func(t *testing.T) {
tcs := []struct {
name string
evalResult bool
evalErr error
expStatus int
expBody string
expLocation string
}{
{
name: "Unsuccessful RBAC eval will result in a redirect",
evalResult: false,
expStatus: 302,
expBody: "<a href=\"/\">Found</a>.\n\n",
expLocation: "/",
},
{
name: "An RBAC eval error will result in a redirect",
evalErr: errors.New("eval error"),
expStatus: 302,
expBody: "<a href=\"/\">Found</a>.\n\n",
expLocation: "/",
},
{
name: "Successful RBAC eval will result in a successful request",
evalResult: true,
expStatus: 200,
expBody: "",
expLocation: "",
},
}
for _, tc := range tcs {
middlewareScenario(t, "Plugin include with RBAC", func(t *testing.T, sc *scenarioContext) {
sc.withIdentity(&authn.Identity{
OrgRoles: map[int64]org.RoleType{
0: org.RoleViewer,
},
})
logger := &logtest.Fake{}
ac := &actest.FakeAccessControl{
ExpectedEvaluate: tc.evalResult,
ExpectedErr: tc.evalErr,
}
path := "/a/test-app/test"
ps := pluginstore.NewFakePluginStore(pluginstore.Plugin{
JSONData: plugins.JSONData{
ID: "test-app",
Includes: []*plugins.Includes{
{
Type: "page",
Role: org.RoleViewer,
Path: path,
Action: "test-app.test:read",
},
},
},
})
RBAC: Remove accessControlOnCall feature toggle (#101222) * RBAC: Remove accessControlOnCall feature toggle * Leave the other one in place * Tests * frontend * Readd empty ft to frontend test * Remove legacy RBAC check * Fix test * no need for context * Remove unused variable * Remove unecessary param * remove unecessary param from tests * More tests :D
2025-02-25 20:44:40 +08:00
sc.m.Get("/a/:id/*", RoleAppPluginAuth(ac, ps, logger), func(c *contextmodel.ReqContext) {
Plugins: Add backend check for app page role access (#78269) * add backend check for roles * tidy * fix tests * incorporate rbac * fix linter * apply PR feedback * add tests * fix logic * add comment * apply PR feedback
2023-12-18 23:12:46 +08:00
c.JSON(http.StatusOK, map[string]interface{}{})
})
sc.fakeReq("GET", path).exec()
assert.Equal(t, tc.expStatus, sc.resp.Code)
assert.Equal(t, tc.expBody, sc.resp.Body.String())
assert.Equal(t, tc.expLocation, sc.resp.Header().Get("Location"))
})
}
})
}
Dashboard: Fixes kiosk state after being redirected to login page and back (#29273) * Login: Fixes issue where url parameters where modified by golang url code * Add tests * Fix test cases * Update pkg/middleware/auth_test.go Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com> * fixed formatting Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
2020-11-21 02:30:37 +08:00
func TestRemoveForceLoginparams(t *testing.T) {
tcs := []struct {
inp string
exp string
}{
{inp: "/?forceLogin=true", exp: "/?"},
{inp: "/d/dash/dash-title?ordId=1&forceLogin=true", exp: "/d/dash/dash-title?ordId=1"},
{inp: "/?kiosk&forceLogin=true", exp: "/?kiosk"},
{inp: "/d/dash/dash-title?ordId=1&kiosk&forceLogin=true", exp: "/d/dash/dash-title?ordId=1&kiosk"},
{inp: "/d/dash/dash-title?ordId=1&forceLogin=true&kiosk", exp: "/d/dash/dash-title?ordId=1&kiosk"},
{inp: "/d/dash/dash-title?forceLogin=true&kiosk", exp: "/d/dash/dash-title?&kiosk"},
}
for i, tc := range tcs {
t.Run(fmt.Sprintf("testcase %d", i), func(t *testing.T) {
Auth: Fix redirection when auto_login is enabled (#94311) * Fix for SAML auto login * Fix for OAuth auto login
2024-10-07 20:59:00 +08:00
require.Equal(t, tc.exp, RemoveForceLoginParams(tc.inp))
Dashboard: Fixes kiosk state after being redirected to login page and back (#29273) * Login: Fixes issue where url parameters where modified by golang url code * Add tests * Fix test cases * Update pkg/middleware/auth_test.go Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com> * fixed formatting Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
2020-11-21 02:30:37 +08:00
})
}
}
RBAC: Check forceLogin inside CanAdminPlugins (#93449)
2024-09-20 21:35:58 +08:00
func TestCanAdminPlugin(t *testing.T) {
type testCase struct {
desc string
url string
isSignedIn bool
orgRole org.RoleType
expCode int
expReached bool
}
ac := &actest.FakeAccessControl{}
tests := []testCase{
{
desc: "CanAdminPlugins should redirect to login when anonymous is enabled, no user signed in, and forceLogin is present in the query param",
url: "/plugins/test-plugin?forceLogin=true",
isSignedIn: false,
orgRole: org.RoleAdmin,
expCode: http.StatusFound,
expReached: false,
},
{
desc: "CanAdminPlugins should bypass when user is signed in",
url: "/plugins/test-plugin",
expCode: http.StatusOK,
orgRole: org.RoleAdmin,
isSignedIn: true,
expReached: true,
},
{
desc: "CanAdminPlugins should return forbidden error when role is not present",
url: "/plugins/test",
isSignedIn: true,
orgRole: org.RoleViewer,
expCode: http.StatusFound, // it redirects to Home not 403 page.
expReached: false,
},
}
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
var reached bool
server := web.New()
server.UseMiddleware(web.Renderer("../../public/views", "[[", "]]"))
server.Use(contextProvider(func(c *contextmodel.ReqContext) {
c.IsSignedIn = tt.isSignedIn
c.OrgRole = tt.orgRole
c.AllowAnonymous = true
}))
server.Use(CanAdminPlugins(&setting.Cfg{PluginAdminEnabled: true}, ac))
server.Get("/plugins/:id", func(c *contextmodel.ReqContext) {
reached = true
c.Resp.WriteHeader(http.StatusOK)
})
request, err := http.NewRequest(http.MethodGet, tt.url, nil)
assert.NoError(t, err)
recorder := httptest.NewRecorder()
server.ServeHTTP(recorder, request)
res := recorder.Result()
assert.Equal(t, tt.expCode, res.StatusCode)
assert.Equal(t, tt.expReached, reached)
require.NoError(t, res.Body.Close())
})
}
}
func contextProvider(modifiers ...func(c *contextmodel.ReqContext)) web.Handler {
return func(c *web.Context) {
reqCtx := &contextmodel.ReqContext{
Context: c,
Logger: log.New(""),
SignedInUser: &user.SignedInUser{},
IsSignedIn: false,
SkipDSCache: true,
}
for _, modifier := range modifiers {
modifier(reqCtx)
}
c.Req = c.Req.WithContext(ctxkey.Set(c.Req.Context(), reqCtx))
}
}