grafana/pkg/api/quota_test.go

package api

import (
	"fmt"
	"net/http"
	"strings"
	"testing"

	"github.com/grafana/grafana/pkg/services/authn"
	"github.com/grafana/grafana/pkg/services/authn/authntest"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"github.com/grafana/grafana/pkg/services/accesscontrol"
	"github.com/grafana/grafana/pkg/services/accesscontrol/actest"
	"github.com/grafana/grafana/pkg/services/user"
	"github.com/grafana/grafana/pkg/services/user/usertest"
	"github.com/grafana/grafana/pkg/setting"
	"github.com/grafana/grafana/pkg/web/webtest"
)

var (
	getCurrentOrgQuotasURL = "/api/org/quotas"
	getOrgsQuotasURL       = "/api/orgs/%v/quotas"
	putOrgsQuotasURL       = "/api/orgs/%v/quotas/%v"

	testUpdateOrgQuotaCmd = `{ "limit": 20 }`
)

func TestAPIEndpoint_GetCurrentOrgQuotas(t *testing.T) {
	cfg := setting.NewCfg()
	cfg.Quota.Enabled = true
	server := SetupAPITestServer(t, func(hs *HTTPServer) {
		hs.Cfg = cfg
	})

	t.Run("AccessControl allows viewing CurrentOrgQuotas with correct permissions", func(t *testing.T) {
		req := webtest.RequestWithSignedInUser(server.NewGetRequest(getCurrentOrgQuotasURL), userWithPermissions(1, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsQuotasRead}}))
		res, err := server.Send(req)
		require.NoError(t, err)
		assert.Equal(t, http.StatusOK, res.StatusCode)
		require.NoError(t, res.Body.Close())
	})
	t.Run("AccessControl prevents viewing CurrentOrgQuotas with correct permissions in another org", func(t *testing.T) {
		// Set permissions in org 2, but set current org to org 1
		user := userWithPermissions(2, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsQuotasRead}})
		user.OrgID = 1
		req := webtest.RequestWithSignedInUser(server.NewGetRequest(getCurrentOrgQuotasURL), user)
		res, err := server.Send(req)
		require.NoError(t, err)
		assert.Equal(t, http.StatusForbidden, res.StatusCode)
		require.NoError(t, res.Body.Close())
	})
	t.Run("AccessControl prevents viewing CurrentOrgQuotas with incorrect permissions", func(t *testing.T) {
		req := webtest.RequestWithSignedInUser(server.NewGetRequest(getCurrentOrgQuotasURL), userWithPermissions(1, []accesscontrol.Permission{{Action: "orgs:invalid"}}))
		res, err := server.Send(req)
		require.NoError(t, err)
		assert.Equal(t, http.StatusForbidden, res.StatusCode)
		require.NoError(t, res.Body.Close())
	})
}

func TestAPIEndpoint_GetOrgQuotas(t *testing.T) {
	cfg := setting.NewCfg()
	cfg.Quota.Enabled = true
	server := SetupAPITestServer(t, func(hs *HTTPServer) {
		hs.Cfg = cfg
		hs.accesscontrolService = &actest.FakeService{ExpectedPermissions: []accesscontrol.Permission{}}
		hs.userService = &usertest.FakeUserService{
			ExpectedSignedInUser: &user.SignedInUser{OrgID: 2},
		}
		hs.authnService = &authntest.FakeService{
			ExpectedIdentity: &authn.Identity{OrgID: 1},
		}
	})

	t.Run("AccessControl allows viewing another org quotas with correct permissions", func(t *testing.T) {
		req := webtest.RequestWithSignedInUser(server.NewGetRequest(fmt.Sprintf(getOrgsQuotasURL, 2)), userWithPermissions(2, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsQuotasRead}}))
		res, err := server.Send(req)
		require.NoError(t, err)
		assert.Equal(t, http.StatusOK, res.StatusCode)
		require.NoError(t, res.Body.Close())
	})
	t.Run("AccessControl prevents viewing another org quotas with correct permissions in another org", func(t *testing.T) {
		// Set correct permissions in org 1 and empty permissions in org 2
		user := userWithPermissions(1, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsQuotasRead}})
		user.Permissions[2] = nil
		req := webtest.RequestWithSignedInUser(server.NewGetRequest(fmt.Sprintf(getOrgsQuotasURL, 2)), user)
		res, err := server.Send(req)
		require.NoError(t, err)
		assert.Equal(t, http.StatusForbidden, res.StatusCode)
		require.NoError(t, res.Body.Close())
	})
	t.Run("AccessControl prevents viewing another org quotas with incorrect permissions", func(t *testing.T) {
		req := webtest.RequestWithSignedInUser(server.NewGetRequest(fmt.Sprintf(getOrgsQuotasURL, 2)), userWithPermissions(2, []accesscontrol.Permission{{Action: "orgs:invalid"}}))
		res, err := server.Send(req)
		require.NoError(t, err)
		assert.Equal(t, http.StatusForbidden, res.StatusCode)
		require.NoError(t, res.Body.Close())
	})
}

func TestAPIEndpoint_PutOrgQuotas(t *testing.T) {
	type testCase struct {
		desc         string
		userOrg      int64
		targetOrg    int64
		permissions  map[int64][]accesscontrol.Permission
		expectedCode int
	}

	tests := []testCase{
		{
			desc:         "AccessControl allows updating another org quotas with correct permissions",
			userOrg:      1,
			targetOrg:    2,
			permissions:  map[int64][]accesscontrol.Permission{2: {{Action: accesscontrol.ActionOrgsQuotasWrite}}},
			expectedCode: http.StatusOK,
		},
		{
			desc:         "AccessControl prevents updating another org quotas with correct permissions in another org",
			userOrg:      1,
			targetOrg:    2,
			permissions:  map[int64][]accesscontrol.Permission{1: {{Action: accesscontrol.ActionOrgsQuotasWrite}}},
			expectedCode: http.StatusForbidden,
		},
		{
			desc:         "AccessControl prevents updating another org quotas with incorrect permissions",
			userOrg:      2,
			targetOrg:    2,
			permissions:  map[int64][]accesscontrol.Permission{2: {{Action: "orgs:invalid"}}},
			expectedCode: http.StatusForbidden,
		},
	}

	for _, tt := range tests {
		t.Run(tt.desc, func(t *testing.T) {
			cfg := setting.NewCfg()
			cfg.Quota = setting.QuotaSettings{
				Enabled: true,
				Global: setting.GlobalQuota{
					Org: 5,
				},
				Org: setting.OrgQuota{
					User: 5,
				},
				User: setting.UserQuota{
					Org: 5,
				},
			}
			fakeACService := &actest.FakeService{}
			input := strings.NewReader(testUpdateOrgQuotaCmd)
			expectedIdentity := &authn.Identity{
				OrgID:       tt.userOrg,
				Permissions: map[int64]map[string][]string{},
			}
			for orgID, permissions := range tt.permissions {
				expectedIdentity.Permissions[orgID] = accesscontrol.GroupScopesByAction(permissions)
			}

			server := SetupAPITestServer(t, func(hs *HTTPServer) {
				hs.Cfg = cfg
				hs.accesscontrolService = fakeACService
				hs.userService = &usertest.FakeUserService{
					ExpectedSignedInUser: &user.SignedInUser{OrgID: tt.userOrg},
				}
				hs.authnService = &authntest.FakeService{
					ExpectedIdentity: expectedIdentity,
				}
			})

			user := userWithPermissions(tt.userOrg, getFirstOrgPermissions(tt.permissions))
			fakeACService.ExpectedPermissions = []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsQuotasWrite}}
			req := webtest.RequestWithSignedInUser(server.NewRequest(http.MethodPut, fmt.Sprintf(putOrgsQuotasURL, tt.targetOrg, "org_user"), input), user)
			response, err := server.SendJSON(req)
			require.NoError(t, err)
			assert.Equal(t, tt.expectedCode, response.StatusCode)
			require.NoError(t, response.Body.Close())
		})
	}
}

func getFirstOrgPermissions(p map[int64][]accesscontrol.Permission) []accesscontrol.Permission {
	for _, permissions := range p {
		return permissions
	}
	return []accesscontrol.Permission{}
}
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2021-10-27 19:13:59 +08:00			`package api`

			`import (`
			`"fmt"`
			`"net/http"`
			`"strings"`
			`"testing"`

Access control: Use ResolveIdentity() for authorizing in org (#85549) * Access control: Use ResolveIdentity() for authorizing in org * Fix tests * Fix middleware tests * Use ResolveIdentity in HasGlobalAccess() function * remove makeTmpUser * Cleanup * Fix linter errors * Fix test build * Remove GetUserPermissionsInOrg() 2024-04-10 18:42:13 +08:00			`"github.com/grafana/grafana/pkg/services/authn"`
			`"github.com/grafana/grafana/pkg/services/authn/authntest"`

AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2021-10-27 19:13:59 +08:00			`"github.com/stretchr/testify/assert"`
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line 2023-01-17 18:33:01 +08:00			`"github.com/stretchr/testify/require"`
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2021-10-27 19:13:59 +08:00
			`"github.com/grafana/grafana/pkg/services/accesscontrol"`
MESA: Allow using synced permissions (#71377) * wip * cover authorize in org behavior * revert export * fix org tests * change permissions nit 2023-07-12 18:28:04 +08:00			`"github.com/grafana/grafana/pkg/services/accesscontrol/actest"`
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line 2023-01-17 18:33:01 +08:00			`"github.com/grafana/grafana/pkg/services/user"`
			`"github.com/grafana/grafana/pkg/services/user/usertest"`
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2021-10-27 19:13:59 +08:00			`"github.com/grafana/grafana/pkg/setting"`
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line 2023-01-17 18:33:01 +08:00			`"github.com/grafana/grafana/pkg/web/webtest"`
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2021-10-27 19:13:59 +08:00			`)`

			`var (`
			`getCurrentOrgQuotasURL = "/api/org/quotas"`
			`getOrgsQuotasURL = "/api/orgs/%v/quotas"`
			`putOrgsQuotasURL = "/api/orgs/%v/quotas/%v"`

			testUpdateOrgQuotaCmd = `{ "limit": 20 }`
			`)`

Chore: remove tests for legacy AC, update other tests to work with RBAC (#68895) * remove tests for legacy AC, update other tests to work with RBAC * update usage stat tests to use RBAC 2023-05-23 22:29:20 +08:00			`func TestAPIEndpoint_GetCurrentOrgQuotas(t *testing.T) {`
Chore: Refactor quota service (#58643) Chore: Refactor quota service (#57586) * Chore: refactore quota service * Apply suggestions from code review 2022-11-15 03:08:10 +08:00			`cfg := setting.NewCfg()`
			`cfg.Quota.Enabled = true`
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line 2023-01-17 18:33:01 +08:00			`server := SetupAPITestServer(t, func(hs *HTTPServer) {`
			`hs.Cfg = cfg`
			`})`
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2021-10-27 19:13:59 +08:00
			`t.Run("AccessControl allows viewing CurrentOrgQuotas with correct permissions", func(t *testing.T) {`
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line 2023-01-17 18:33:01 +08:00			`req := webtest.RequestWithSignedInUser(server.NewGetRequest(getCurrentOrgQuotasURL), userWithPermissions(1, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsQuotasRead}}))`
			`res, err := server.Send(req)`
			`require.NoError(t, err)`
			`assert.Equal(t, http.StatusOK, res.StatusCode)`
			`require.NoError(t, res.Body.Close())`
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2021-10-27 19:13:59 +08:00			`})`
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva 2021-11-17 17:12:28 +08:00			`t.Run("AccessControl prevents viewing CurrentOrgQuotas with correct permissions in another org", func(t *testing.T) {`
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line 2023-01-17 18:33:01 +08:00			`// Set permissions in org 2, but set current org to org 1`
			`user := userWithPermissions(2, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsQuotasRead}})`
			`user.OrgID = 1`
			`req := webtest.RequestWithSignedInUser(server.NewGetRequest(getCurrentOrgQuotasURL), user)`
			`res, err := server.Send(req)`
			`require.NoError(t, err)`
			`assert.Equal(t, http.StatusForbidden, res.StatusCode)`
			`require.NoError(t, res.Body.Close())`
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2021-10-27 19:13:59 +08:00			`})`
			`t.Run("AccessControl prevents viewing CurrentOrgQuotas with incorrect permissions", func(t *testing.T) {`
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line 2023-01-17 18:33:01 +08:00			`req := webtest.RequestWithSignedInUser(server.NewGetRequest(getCurrentOrgQuotasURL), userWithPermissions(1, []accesscontrol.Permission{{Action: "orgs:invalid"}}))`
			`res, err := server.Send(req)`
			`require.NoError(t, err)`
			`assert.Equal(t, http.StatusForbidden, res.StatusCode)`
			`require.NoError(t, res.Body.Close())`
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2021-10-27 19:13:59 +08:00			`})`
			`}`

Chore: remove tests for legacy AC, update other tests to work with RBAC (#68895) * remove tests for legacy AC, update other tests to work with RBAC * update usage stat tests to use RBAC 2023-05-23 22:29:20 +08:00			`func TestAPIEndpoint_GetOrgQuotas(t *testing.T) {`
Chore: Refactor quota service (#58643) Chore: Refactor quota service (#57586) * Chore: refactore quota service * Apply suggestions from code review 2022-11-15 03:08:10 +08:00			`cfg := setting.NewCfg()`
			`cfg.Quota.Enabled = true`
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line 2023-01-17 18:33:01 +08:00			`server := SetupAPITestServer(t, func(hs *HTTPServer) {`
			`hs.Cfg = cfg`
MESA: Allow using synced permissions (#71377) * wip * cover authorize in org behavior * revert export * fix org tests * change permissions nit 2023-07-12 18:28:04 +08:00			`hs.accesscontrolService = &actest.FakeService{ExpectedPermissions: []accesscontrol.Permission{}}`
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line 2023-01-17 18:33:01 +08:00			`hs.userService = &usertest.FakeUserService{`
			`ExpectedSignedInUser: &user.SignedInUser{OrgID: 2},`
			`}`
Access control: Use ResolveIdentity() for authorizing in org (#85549) * Access control: Use ResolveIdentity() for authorizing in org * Fix tests * Fix middleware tests * Use ResolveIdentity in HasGlobalAccess() function * remove makeTmpUser * Cleanup * Fix linter errors * Fix test build * Remove GetUserPermissionsInOrg() 2024-04-10 18:42:13 +08:00			`hs.authnService = &authntest.FakeService{`
			`ExpectedIdentity: &authn.Identity{OrgID: 1},`
			`}`
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line 2023-01-17 18:33:01 +08:00			`})`
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2021-10-27 19:13:59 +08:00
			`t.Run("AccessControl allows viewing another org quotas with correct permissions", func(t *testing.T) {`
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line 2023-01-17 18:33:01 +08:00			`req := webtest.RequestWithSignedInUser(server.NewGetRequest(fmt.Sprintf(getOrgsQuotasURL, 2)), userWithPermissions(2, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsQuotasRead}}))`
			`res, err := server.Send(req)`
			`require.NoError(t, err)`
			`assert.Equal(t, http.StatusOK, res.StatusCode)`
			`require.NoError(t, res.Body.Close())`
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2021-10-27 19:13:59 +08:00			`})`
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva 2021-11-17 17:12:28 +08:00			`t.Run("AccessControl prevents viewing another org quotas with correct permissions in another org", func(t *testing.T) {`
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line 2023-01-17 18:33:01 +08:00			`// Set correct permissions in org 1 and empty permissions in org 2`
			`user := userWithPermissions(1, []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsQuotasRead}})`
MESA: Allow using synced permissions (#71377) * wip * cover authorize in org behavior * revert export * fix org tests * change permissions nit 2023-07-12 18:28:04 +08:00			`user.Permissions[2] = nil`
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line 2023-01-17 18:33:01 +08:00			`req := webtest.RequestWithSignedInUser(server.NewGetRequest(fmt.Sprintf(getOrgsQuotasURL, 2)), user)`
			`res, err := server.Send(req)`
			`require.NoError(t, err)`
			`assert.Equal(t, http.StatusForbidden, res.StatusCode)`
			`require.NoError(t, res.Body.Close())`
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2021-10-27 19:13:59 +08:00			`})`
			`t.Run("AccessControl prevents viewing another org quotas with incorrect permissions", func(t *testing.T) {`
RBAC: remove access control mock from org quota tests (#61574) * remove ac mock from org quota tests * fix incorrect expected status code and swap tests to make setup easier * remove empty line 2023-01-17 18:33:01 +08:00			`req := webtest.RequestWithSignedInUser(server.NewGetRequest(fmt.Sprintf(getOrgsQuotasURL, 2)), userWithPermissions(2, []accesscontrol.Permission{{Action: "orgs:invalid"}}))`
			`res, err := server.Send(req)`
			`require.NoError(t, err)`
			`assert.Equal(t, http.StatusForbidden, res.StatusCode)`
			`require.NoError(t, res.Body.Close())`
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2021-10-27 19:13:59 +08:00			`})`
			`}`

Chore: remove tests for legacy AC, update other tests to work with RBAC (#68895) * remove tests for legacy AC, update other tests to work with RBAC * update usage stat tests to use RBAC 2023-05-23 22:29:20 +08:00			`func TestAPIEndpoint_PutOrgQuotas(t *testing.T) {`
Access control: Use ResolveIdentity() for authorizing in org (#85549) * Access control: Use ResolveIdentity() for authorizing in org * Fix tests * Fix middleware tests * Use ResolveIdentity in HasGlobalAccess() function * remove makeTmpUser * Cleanup * Fix linter errors * Fix test build * Remove GetUserPermissionsInOrg() 2024-04-10 18:42:13 +08:00			`type testCase struct {`
			`desc string`
			`userOrg int64`
			`targetOrg int64`
			`permissions map[int64][]accesscontrol.Permission`
			`expectedCode int`
			`}`

			`tests := []testCase{`
			`{`
			`desc: "AccessControl allows updating another org quotas with correct permissions",`
			`userOrg: 1,`
			`targetOrg: 2,`
			`permissions: map[int64][]accesscontrol.Permission{2: {{Action: accesscontrol.ActionOrgsQuotasWrite}}},`
			`expectedCode: http.StatusOK,`
Chore: Refactor quota service (#58643) Chore: Refactor quota service (#57586) * Chore: refactore quota service * Apply suggestions from code review 2022-11-15 03:08:10 +08:00			`},`
Access control: Use ResolveIdentity() for authorizing in org (#85549) * Access control: Use ResolveIdentity() for authorizing in org * Fix tests * Fix middleware tests * Use ResolveIdentity in HasGlobalAccess() function * remove makeTmpUser * Cleanup * Fix linter errors * Fix test build * Remove GetUserPermissionsInOrg() 2024-04-10 18:42:13 +08:00			`{`
			`desc: "AccessControl prevents updating another org quotas with correct permissions in another org",`
			`userOrg: 1,`
			`targetOrg: 2,`
			`permissions: map[int64][]accesscontrol.Permission{1: {{Action: accesscontrol.ActionOrgsQuotasWrite}}},`
			`expectedCode: http.StatusForbidden,`
Chore: Refactor quota service (#58643) Chore: Refactor quota service (#57586) * Chore: refactore quota service * Apply suggestions from code review 2022-11-15 03:08:10 +08:00			`},`
Access control: Use ResolveIdentity() for authorizing in org (#85549) * Access control: Use ResolveIdentity() for authorizing in org * Fix tests * Fix middleware tests * Use ResolveIdentity in HasGlobalAccess() function * remove makeTmpUser * Cleanup * Fix linter errors * Fix test build * Remove GetUserPermissionsInOrg() 2024-04-10 18:42:13 +08:00			`{`
			`desc: "AccessControl prevents updating another org quotas with incorrect permissions",`
			`userOrg: 2,`
			`targetOrg: 2,`
			`permissions: map[int64][]accesscontrol.Permission{2: {{Action: "orgs:invalid"}}},`
			`expectedCode: http.StatusForbidden,`
Chore: Refactor quota service (#58643) Chore: Refactor quota service (#57586) * Chore: refactore quota service * Apply suggestions from code review 2022-11-15 03:08:10 +08:00			`},`
			`}`
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2021-10-27 19:13:59 +08:00
Access control: Use ResolveIdentity() for authorizing in org (#85549) * Access control: Use ResolveIdentity() for authorizing in org * Fix tests * Fix middleware tests * Use ResolveIdentity in HasGlobalAccess() function * remove makeTmpUser * Cleanup * Fix linter errors * Fix test build * Remove GetUserPermissionsInOrg() 2024-04-10 18:42:13 +08:00			`for _, tt := range tests {`
			`t.Run(tt.desc, func(t *testing.T) {`
			`cfg := setting.NewCfg()`
			`cfg.Quota = setting.QuotaSettings{`
			`Enabled: true,`
			`Global: setting.GlobalQuota{`
			`Org: 5,`
			`},`
			`Org: setting.OrgQuota{`
			`User: 5,`
			`},`
			`User: setting.UserQuota{`
			`Org: 5,`
			`},`
			`}`
			`fakeACService := &actest.FakeService{}`
			`input := strings.NewReader(testUpdateOrgQuotaCmd)`
			`expectedIdentity := &authn.Identity{`
			`OrgID: tt.userOrg,`
			`Permissions: map[int64]map[string][]string{},`
			`}`
			`for orgID, permissions := range tt.permissions {`
			`expectedIdentity.Permissions[orgID] = accesscontrol.GroupScopesByAction(permissions)`
			`}`
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2021-10-27 19:13:59 +08:00
Access control: Use ResolveIdentity() for authorizing in org (#85549) * Access control: Use ResolveIdentity() for authorizing in org * Fix tests * Fix middleware tests * Use ResolveIdentity in HasGlobalAccess() function * remove makeTmpUser * Cleanup * Fix linter errors * Fix test build * Remove GetUserPermissionsInOrg() 2024-04-10 18:42:13 +08:00			`server := SetupAPITestServer(t, func(hs *HTTPServer) {`
			`hs.Cfg = cfg`
			`hs.accesscontrolService = fakeACService`
			`hs.userService = &usertest.FakeUserService{`
			`ExpectedSignedInUser: &user.SignedInUser{OrgID: tt.userOrg},`
			`}`
			`hs.authnService = &authntest.FakeService{`
			`ExpectedIdentity: expectedIdentity,`
			`}`
			`})`
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2021-10-27 19:13:59 +08:00
Access control: Use ResolveIdentity() for authorizing in org (#85549) * Access control: Use ResolveIdentity() for authorizing in org * Fix tests * Fix middleware tests * Use ResolveIdentity in HasGlobalAccess() function * remove makeTmpUser * Cleanup * Fix linter errors * Fix test build * Remove GetUserPermissionsInOrg() 2024-04-10 18:42:13 +08:00			`user := userWithPermissions(tt.userOrg, getFirstOrgPermissions(tt.permissions))`
			`fakeACService.ExpectedPermissions = []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsQuotasWrite}}`
			`req := webtest.RequestWithSignedInUser(server.NewRequest(http.MethodPut, fmt.Sprintf(putOrgsQuotasURL, tt.targetOrg, "org_user"), input), user)`
			`response, err := server.SendJSON(req)`
			`require.NoError(t, err)`
			`assert.Equal(t, tt.expectedCode, response.StatusCode)`
			`require.NoError(t, response.Body.Close())`
			`})`
			`}`
			`}`

			`func getFirstOrgPermissions(p map[int64][]accesscontrol.Permission) []accesscontrol.Permission {`
			`for _, permissions := range p {`
			`return permissions`
			`}`
			`return []accesscontrol.Permission{}`
AccessControl: Add FGAC to orgs endpoints (#39579) * AccessControl: Add FGAC to orgs endpoints Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2021-10-27 19:13:59 +08:00			`}`