grafana/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol_test.go

package ossaccesscontrol

import (
	"context"
	"testing"

	"github.com/grafana/grafana/pkg/infra/log"
	"github.com/grafana/grafana/pkg/infra/usagestats"
	"github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/registry"
	"github.com/grafana/grafana/pkg/services/accesscontrol"
	"github.com/grafana/grafana/pkg/setting"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

func setupTestEnv(t testing.TB) *OSSAccessControlService {
	t.Helper()

	cfg := setting.NewCfg()
	cfg.FeatureToggles = map[string]bool{"accesscontrol": true}

	ac := OSSAccessControlService{
		Cfg:        cfg,
		UsageStats: &usageStatsMock{metricsFuncs: make([]usagestats.MetricsFunc, 0)},
		Log:        log.New("accesscontrol-test"),
	}

	err := ac.Init()
	require.NoError(t, err)
	return &ac
}

type usageStatsMock struct {
	t            *testing.T
	metricsFuncs []usagestats.MetricsFunc
}

func (usm *usageStatsMock) RegisterMetricsFunc(fn usagestats.MetricsFunc) {
	usm.metricsFuncs = append(usm.metricsFuncs, fn)
}

func (usm *usageStatsMock) GetUsageReport(_ context.Context) (usagestats.UsageReport, error) {
	all := make(map[string]interface{})
	for _, fn := range usm.metricsFuncs {
		fnMetrics, err := fn()
		require.NoError(usm.t, err)

		for name, value := range fnMetrics {
			all[name] = value
		}
	}
	return usagestats.UsageReport{Metrics: all}, nil
}

func (usm *usageStatsMock) ShouldBeReported(_ string) bool {
	return true
}

type evaluatingPermissionsTestCase struct {
	desc       string
	user       userTestCase
	endpoints  []endpointTestCase
	evalResult bool
}

type userTestCase struct {
	name           string
	orgRole        models.RoleType
	isGrafanaAdmin bool
}

type endpointTestCase struct {
	permission string
	scope      []string
}

func TestEvaluatingPermissions(t *testing.T) {
	testCases := []evaluatingPermissionsTestCase{
		{
			desc: "should successfully evaluate access to the endpoint",
			user: userTestCase{
				name:           "testuser",
				orgRole:        "Grafana Admin",
				isGrafanaAdmin: false,
			},
			endpoints: []endpointTestCase{
				{permission: accesscontrol.ActionUsersDisable, scope: []string{accesscontrol.ScopeGlobalUsersAll}},
				{permission: accesscontrol.ActionUsersEnable, scope: []string{accesscontrol.ScopeGlobalUsersAll}},
			},
			evalResult: true,
		},
		{
			desc: "should restrict access to the unauthorized endpoints",
			user: userTestCase{
				name:           "testuser",
				orgRole:        models.ROLE_VIEWER,
				isGrafanaAdmin: false,
			},
			endpoints: []endpointTestCase{
				{permission: accesscontrol.ActionUsersCreate, scope: []string{accesscontrol.ScopeGlobalUsersAll}},
			},
			evalResult: false,
		},
	}
	for _, tc := range testCases {
		t.Run(tc.desc, func(t *testing.T) {
			ac := setupTestEnv(t)
			t.Cleanup(registry.ClearOverrides)

			user := &models.SignedInUser{
				UserId:         1,
				OrgId:          1,
				Name:           tc.user.name,
				OrgRole:        tc.user.orgRole,
				IsGrafanaAdmin: tc.user.isGrafanaAdmin,
			}

			for _, endpoint := range tc.endpoints {
				result, err := ac.Evaluate(context.Background(), user, endpoint.permission, endpoint.scope...)
				require.NoError(t, err)
				assert.Equal(t, tc.evalResult, result)
			}
		})
	}
}

func TestUsageMetrics(t *testing.T) {
	tests := []struct {
		name          string
		enabled       bool
		expectedValue int
	}{
		{
			name:          "Expecting metric with value 0",
			enabled:       false,
			expectedValue: 0,
		},
		{
			name:          "Expecting metric with value 1",
			enabled:       true,
			expectedValue: 1,
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			cfg := setting.NewCfg()
			if tt.enabled {
				cfg.FeatureToggles = map[string]bool{"accesscontrol": true}
			}

			s := &OSSAccessControlService{
				Cfg:        cfg,
				UsageStats: &usageStatsMock{t: t, metricsFuncs: make([]usagestats.MetricsFunc, 0)},
				Log:        log.New("accesscontrol-test"),
			}

			err := s.Init()
			assert.Nil(t, err)

			report, err := s.UsageStats.GetUsageReport(context.Background())
			assert.Nil(t, err)

			assert.Equal(t, tt.expectedValue, report.Metrics["stats.oss.accesscontrol.enabled.count"])
		})
	}
}
Access Control: move features to Enterprise (#32640) * Move db package WIP * Implement OSS access control * Register OSS access control * Fix linter error in tests * Fix linter error in evaluator * Simplify OSS tests * Optimize builtin roles * Chore: add comments to the exported functions * Remove init from ossaccesscontrol package (moved to ext) * Add access control as a dependency for http server * Modify middleware to receive fallback function * Middleware: refactor fallback function call * Move unused models to enterprise * Simplify AccessControl type * Chore: use bool IsDisabled() method instead of CanBeDisabled interface 2021-04-06 21:49:09 +08:00			`package ossaccesscontrol`

			`import (`
			`"context"`
			`"testing"`

			`"github.com/grafana/grafana/pkg/infra/log"`
Access control: Add phone-home metrics to check if fine-grained access control is enabled or not (#34107) * Access control: Add phone-home metrics to check if fine-grained access control is enabled or not * Apply suggestions from code review 2021-05-17 22:33:38 +08:00			`"github.com/grafana/grafana/pkg/infra/usagestats"`
Access Control: move features to Enterprise (#32640) * Move db package WIP * Implement OSS access control * Register OSS access control * Fix linter error in tests * Fix linter error in evaluator * Simplify OSS tests * Optimize builtin roles * Chore: add comments to the exported functions * Remove init from ossaccesscontrol package (moved to ext) * Add access control as a dependency for http server * Modify middleware to receive fallback function * Middleware: refactor fallback function call * Move unused models to enterprise * Simplify AccessControl type * Chore: use bool IsDisabled() method instead of CanBeDisabled interface 2021-04-06 21:49:09 +08:00			`"github.com/grafana/grafana/pkg/models"`
			`"github.com/grafana/grafana/pkg/registry"`
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-04-14 22:31:27 +08:00			`"github.com/grafana/grafana/pkg/services/accesscontrol"`
Access Control: move features to Enterprise (#32640) * Move db package WIP * Implement OSS access control * Register OSS access control * Fix linter error in tests * Fix linter error in evaluator * Simplify OSS tests * Optimize builtin roles * Chore: add comments to the exported functions * Remove init from ossaccesscontrol package (moved to ext) * Add access control as a dependency for http server * Modify middleware to receive fallback function * Middleware: refactor fallback function call * Move unused models to enterprise * Simplify AccessControl type * Chore: use bool IsDisabled() method instead of CanBeDisabled interface 2021-04-06 21:49:09 +08:00			`"github.com/grafana/grafana/pkg/setting"`
Usage Stats: Make the UsageStatsService extension point more flexible (#34778) * Usage Stats: Rename service to use a more idiomatic name * Usage Stats: Update MetricsFunc definition and implementations * Revert "Usage Stats: Rename service to use a more idiomatic name" This reverts commit 910ecce3e8881ad51f7eddd82b8459de3711fdf8. * Usage Stats: Update MetricsFunc definition and implementations 2021-05-27 16:53:10 +08:00			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`
Access Control: move features to Enterprise (#32640) * Move db package WIP * Implement OSS access control * Register OSS access control * Fix linter error in tests * Fix linter error in evaluator * Simplify OSS tests * Optimize builtin roles * Chore: add comments to the exported functions * Remove init from ossaccesscontrol package (moved to ext) * Add access control as a dependency for http server * Modify middleware to receive fallback function * Middleware: refactor fallback function call * Move unused models to enterprise * Simplify AccessControl type * Chore: use bool IsDisabled() method instead of CanBeDisabled interface 2021-04-06 21:49:09 +08:00			`)`

			`func setupTestEnv(t testing.TB) *OSSAccessControlService {`
			`t.Helper()`

			`cfg := setting.NewCfg()`
			`cfg.FeatureToggles = map[string]bool{"accesscontrol": true}`

			`ac := OSSAccessControlService{`
Access control: Add phone-home metrics to check if fine-grained access control is enabled or not (#34107) * Access control: Add phone-home metrics to check if fine-grained access control is enabled or not * Apply suggestions from code review 2021-05-17 22:33:38 +08:00			`Cfg: cfg,`
Usage Stats: Make the UsageStatsService extension point more flexible (#34778) * Usage Stats: Rename service to use a more idiomatic name * Usage Stats: Update MetricsFunc definition and implementations * Revert "Usage Stats: Rename service to use a more idiomatic name" This reverts commit 910ecce3e8881ad51f7eddd82b8459de3711fdf8. * Usage Stats: Update MetricsFunc definition and implementations 2021-05-27 16:53:10 +08:00			`UsageStats: &usageStatsMock{metricsFuncs: make([]usagestats.MetricsFunc, 0)},`
Access control: Add phone-home metrics to check if fine-grained access control is enabled or not (#34107) * Access control: Add phone-home metrics to check if fine-grained access control is enabled or not * Apply suggestions from code review 2021-05-17 22:33:38 +08:00			`Log: log.New("accesscontrol-test"),`
Access Control: move features to Enterprise (#32640) * Move db package WIP * Implement OSS access control * Register OSS access control * Fix linter error in tests * Fix linter error in evaluator * Simplify OSS tests * Optimize builtin roles * Chore: add comments to the exported functions * Remove init from ossaccesscontrol package (moved to ext) * Add access control as a dependency for http server * Modify middleware to receive fallback function * Middleware: refactor fallback function call * Move unused models to enterprise * Simplify AccessControl type * Chore: use bool IsDisabled() method instead of CanBeDisabled interface 2021-04-06 21:49:09 +08:00			`}`

			`err := ac.Init()`
			`require.NoError(t, err)`
			`return &ac`
			`}`

Access control: Add phone-home metrics to check if fine-grained access control is enabled or not (#34107) * Access control: Add phone-home metrics to check if fine-grained access control is enabled or not * Apply suggestions from code review 2021-05-17 22:33:38 +08:00			`type usageStatsMock struct {`
Usage Stats: Make the UsageStatsService extension point more flexible (#34778) * Usage Stats: Rename service to use a more idiomatic name * Usage Stats: Update MetricsFunc definition and implementations * Revert "Usage Stats: Rename service to use a more idiomatic name" This reverts commit 910ecce3e8881ad51f7eddd82b8459de3711fdf8. * Usage Stats: Update MetricsFunc definition and implementations 2021-05-27 16:53:10 +08:00			`t *testing.T`
			`metricsFuncs []usagestats.MetricsFunc`
Access control: Add phone-home metrics to check if fine-grained access control is enabled or not (#34107) * Access control: Add phone-home metrics to check if fine-grained access control is enabled or not * Apply suggestions from code review 2021-05-17 22:33:38 +08:00			`}`

Usage Stats: Make the UsageStatsService extension point more flexible (#34778) * Usage Stats: Rename service to use a more idiomatic name * Usage Stats: Update MetricsFunc definition and implementations * Revert "Usage Stats: Rename service to use a more idiomatic name" This reverts commit 910ecce3e8881ad51f7eddd82b8459de3711fdf8. * Usage Stats: Update MetricsFunc definition and implementations 2021-05-27 16:53:10 +08:00			`func (usm *usageStatsMock) RegisterMetricsFunc(fn usagestats.MetricsFunc) {`
			`usm.metricsFuncs = append(usm.metricsFuncs, fn)`
Access control: Add phone-home metrics to check if fine-grained access control is enabled or not (#34107) * Access control: Add phone-home metrics to check if fine-grained access control is enabled or not * Apply suggestions from code review 2021-05-17 22:33:38 +08:00			`}`

			`func (usm *usageStatsMock) GetUsageReport(_ context.Context) (usagestats.UsageReport, error) {`
Usage Stats: Make the UsageStatsService extension point more flexible (#34778) * Usage Stats: Rename service to use a more idiomatic name * Usage Stats: Update MetricsFunc definition and implementations * Revert "Usage Stats: Rename service to use a more idiomatic name" This reverts commit 910ecce3e8881ad51f7eddd82b8459de3711fdf8. * Usage Stats: Update MetricsFunc definition and implementations 2021-05-27 16:53:10 +08:00			`all := make(map[string]interface{})`
			`for _, fn := range usm.metricsFuncs {`
			`fnMetrics, err := fn()`
Access control: Add phone-home metrics to check if fine-grained access control is enabled or not (#34107) * Access control: Add phone-home metrics to check if fine-grained access control is enabled or not * Apply suggestions from code review 2021-05-17 22:33:38 +08:00			`require.NoError(usm.t, err)`
Usage Stats: Make the UsageStatsService extension point more flexible (#34778) * Usage Stats: Rename service to use a more idiomatic name * Usage Stats: Update MetricsFunc definition and implementations * Revert "Usage Stats: Rename service to use a more idiomatic name" This reverts commit 910ecce3e8881ad51f7eddd82b8459de3711fdf8. * Usage Stats: Update MetricsFunc definition and implementations 2021-05-27 16:53:10 +08:00
			`for name, value := range fnMetrics {`
			`all[name] = value`
			`}`
Access control: Add phone-home metrics to check if fine-grained access control is enabled or not (#34107) * Access control: Add phone-home metrics to check if fine-grained access control is enabled or not * Apply suggestions from code review 2021-05-17 22:33:38 +08:00			`}`
Usage Stats: Make the UsageStatsService extension point more flexible (#34778) * Usage Stats: Rename service to use a more idiomatic name * Usage Stats: Update MetricsFunc definition and implementations * Revert "Usage Stats: Rename service to use a more idiomatic name" This reverts commit 910ecce3e8881ad51f7eddd82b8459de3711fdf8. * Usage Stats: Update MetricsFunc definition and implementations 2021-05-27 16:53:10 +08:00			`return usagestats.UsageReport{Metrics: all}, nil`
Access control: Add phone-home metrics to check if fine-grained access control is enabled or not (#34107) * Access control: Add phone-home metrics to check if fine-grained access control is enabled or not * Apply suggestions from code review 2021-05-17 22:33:38 +08:00			`}`

UsageStats: Expose what ds types should be reported (#35916) 2021-07-08 05:12:00 +08:00			`func (usm *usageStatsMock) ShouldBeReported(_ string) bool {`
			`return true`
			`}`

Access Control: move features to Enterprise (#32640) * Move db package WIP * Implement OSS access control * Register OSS access control * Fix linter error in tests * Fix linter error in evaluator * Simplify OSS tests * Optimize builtin roles * Chore: add comments to the exported functions * Remove init from ossaccesscontrol package (moved to ext) * Add access control as a dependency for http server * Modify middleware to receive fallback function * Middleware: refactor fallback function call * Move unused models to enterprise * Simplify AccessControl type * Chore: use bool IsDisabled() method instead of CanBeDisabled interface 2021-04-06 21:49:09 +08:00			`type evaluatingPermissionsTestCase struct {`
			`desc string`
			`user userTestCase`
			`endpoints []endpointTestCase`
			`evalResult bool`
			`}`

			`type userTestCase struct {`
			`name string`
			`orgRole models.RoleType`
			`isGrafanaAdmin bool`
			`}`

			`type endpointTestCase struct {`
			`permission string`
			`scope []string`
			`}`

			`func TestEvaluatingPermissions(t *testing.T) {`
			`testCases := []evaluatingPermissionsTestCase{`
			`{`
			`desc: "should successfully evaluate access to the endpoint",`
			`user: userTestCase{`
			`name: "testuser",`
Access control: Add access control based permissions to admins/users (#32409) Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-04-14 22:31:27 +08:00			`orgRole: "Grafana Admin",`
Access Control: move features to Enterprise (#32640) * Move db package WIP * Implement OSS access control * Register OSS access control * Fix linter error in tests * Fix linter error in evaluator * Simplify OSS tests * Optimize builtin roles * Chore: add comments to the exported functions * Remove init from ossaccesscontrol package (moved to ext) * Add access control as a dependency for http server * Modify middleware to receive fallback function * Middleware: refactor fallback function call * Move unused models to enterprise * Simplify AccessControl type * Chore: use bool IsDisabled() method instead of CanBeDisabled interface 2021-04-06 21:49:09 +08:00			`isGrafanaAdmin: false,`
			`},`
			`endpoints: []endpointTestCase{`
Access control: Clean up users scopes (#33532) Following discussion in grafana/grafana-enterprise#1292, removing org-scoped users scopes to make it clear that the local organization is the default and the alternative to that is a global scope (for a select few endpoints) 2021-05-03 16:27:12 +08:00			`{permission: accesscontrol.ActionUsersDisable, scope: []string{accesscontrol.ScopeGlobalUsersAll}},`
			`{permission: accesscontrol.ActionUsersEnable, scope: []string{accesscontrol.ScopeGlobalUsersAll}},`
Access Control: move features to Enterprise (#32640) * Move db package WIP * Implement OSS access control * Register OSS access control * Fix linter error in tests * Fix linter error in evaluator * Simplify OSS tests * Optimize builtin roles * Chore: add comments to the exported functions * Remove init from ossaccesscontrol package (moved to ext) * Add access control as a dependency for http server * Modify middleware to receive fallback function * Middleware: refactor fallback function call * Move unused models to enterprise * Simplify AccessControl type * Chore: use bool IsDisabled() method instead of CanBeDisabled interface 2021-04-06 21:49:09 +08:00			`},`
			`evalResult: true,`
			`},`
			`{`
			`desc: "should restrict access to the unauthorized endpoints",`
			`user: userTestCase{`
			`name: "testuser",`
			`orgRole: models.ROLE_VIEWER,`
			`isGrafanaAdmin: false,`
			`},`
			`endpoints: []endpointTestCase{`
Access control: Clean up users scopes (#33532) Following discussion in grafana/grafana-enterprise#1292, removing org-scoped users scopes to make it clear that the local organization is the default and the alternative to that is a global scope (for a select few endpoints) 2021-05-03 16:27:12 +08:00			`{permission: accesscontrol.ActionUsersCreate, scope: []string{accesscontrol.ScopeGlobalUsersAll}},`
Access Control: move features to Enterprise (#32640) * Move db package WIP * Implement OSS access control * Register OSS access control * Fix linter error in tests * Fix linter error in evaluator * Simplify OSS tests * Optimize builtin roles * Chore: add comments to the exported functions * Remove init from ossaccesscontrol package (moved to ext) * Add access control as a dependency for http server * Modify middleware to receive fallback function * Middleware: refactor fallback function call * Move unused models to enterprise * Simplify AccessControl type * Chore: use bool IsDisabled() method instead of CanBeDisabled interface 2021-04-06 21:49:09 +08:00			`},`
			`evalResult: false,`
			`},`
			`}`
			`for _, tc := range testCases {`
			`t.Run(tc.desc, func(t *testing.T) {`
			`ac := setupTestEnv(t)`
			`t.Cleanup(registry.ClearOverrides)`

			`user := &models.SignedInUser{`
			`UserId: 1,`
			`OrgId: 1,`
			`Name: tc.user.name,`
			`OrgRole: tc.user.orgRole,`
			`IsGrafanaAdmin: tc.user.isGrafanaAdmin,`
			`}`

			`for _, endpoint := range tc.endpoints {`
			`result, err := ac.Evaluate(context.Background(), user, endpoint.permission, endpoint.scope...)`
			`require.NoError(t, err)`
			`assert.Equal(t, tc.evalResult, result)`
			`}`
			`})`
			`}`
			`}`
Access control: Add phone-home metrics to check if fine-grained access control is enabled or not (#34107) * Access control: Add phone-home metrics to check if fine-grained access control is enabled or not * Apply suggestions from code review 2021-05-17 22:33:38 +08:00
			`func TestUsageMetrics(t *testing.T) {`
			`tests := []struct {`
			`name string`
			`enabled bool`
			`expectedValue int`
			`}{`
			`{`
			`name: "Expecting metric with value 0",`
			`enabled: false,`
			`expectedValue: 0,`
			`},`
			`{`
			`name: "Expecting metric with value 1",`
			`enabled: true,`
			`expectedValue: 1,`
			`},`
			`}`

			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`cfg := setting.NewCfg()`
			`if tt.enabled {`
			`cfg.FeatureToggles = map[string]bool{"accesscontrol": true}`
			`}`

			`s := &OSSAccessControlService{`
			`Cfg: cfg,`
Usage Stats: Make the UsageStatsService extension point more flexible (#34778) * Usage Stats: Rename service to use a more idiomatic name * Usage Stats: Update MetricsFunc definition and implementations * Revert "Usage Stats: Rename service to use a more idiomatic name" This reverts commit 910ecce3e8881ad51f7eddd82b8459de3711fdf8. * Usage Stats: Update MetricsFunc definition and implementations 2021-05-27 16:53:10 +08:00			`UsageStats: &usageStatsMock{t: t, metricsFuncs: make([]usagestats.MetricsFunc, 0)},`
Access control: Add phone-home metrics to check if fine-grained access control is enabled or not (#34107) * Access control: Add phone-home metrics to check if fine-grained access control is enabled or not * Apply suggestions from code review 2021-05-17 22:33:38 +08:00			`Log: log.New("accesscontrol-test"),`
			`}`

			`err := s.Init()`
			`assert.Nil(t, err)`

			`report, err := s.UsageStats.GetUsageReport(context.Background())`
			`assert.Nil(t, err)`

			`assert.Equal(t, tt.expectedValue, report.Metrics["stats.oss.accesscontrol.enabled.count"])`
			`})`
			`}`
			`}`