root
/
grafana
mirror of https://github.com/grafana/grafana.git
1
0
Fork 0
Code Issues Actions 197 Packages Projects Releases Wiki Activity
grafana/pkg/services/annotations/accesscontrol/accesscontrol_test.go

229 lines
8.9 KiB
Go
Raw Normal View History

Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2023-11-15 07:11:01 +08:00
package accesscontrol
import (
"context"
"fmt"
"testing"
Annotations: Improve query performance when using dashboard filter (#83112) * Annotations: Improve query performance when using dashboard filter * Add dashboard id filter
2024-02-21 17:30:26 +08:00
"github.com/stretchr/testify/require"
Annotations: Fix usage of dashboard table for permissions (#98774)
2025-01-10 22:35:38 +08:00
"github.com/grafana/grafana/pkg/bus"
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2023-11-15 07:11:01 +08:00
"github.com/grafana/grafana/pkg/components/simplejson"
"github.com/grafana/grafana/pkg/infra/db"
App platform: Add cleanup job for dashboards when going through /apis (kubectl) (#102506) * Add dashboard cleanup job Change log message Adjust logic to account for new head RV logic Don't update lastResourceVersion due to pagination Save improvements * Address review feedback * Update docs. * Remove docs * Rename config --------- Co-authored-by: Marco de Abreu <18629099+marcoabreu@users.noreply.github.com>
2025-03-23 06:47:27 +08:00
"github.com/grafana/grafana/pkg/infra/kvstore"
"github.com/grafana/grafana/pkg/infra/serverlock"
Annotations: Fix usage of dashboard table for permissions (#98774)
2025-01-10 22:35:38 +08:00
"github.com/grafana/grafana/pkg/infra/tracing"
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2023-11-15 07:11:01 +08:00
"github.com/grafana/grafana/pkg/services/accesscontrol"
RBAC: Remove dashboard guardians pt 1 (#102314) * replace the usage of dashboard guardians with calling AC evaluators or checking access in middleware * linting fixes * fix test * more test fixes * remove a todo comment
2025-03-21 01:38:09 +08:00
"github.com/grafana/grafana/pkg/services/accesscontrol/actest"
Annotations: Fix usage of dashboard table for permissions (#98774)
2025-01-10 22:35:38 +08:00
accesscontrolmock "github.com/grafana/grafana/pkg/services/accesscontrol/mock"
Annotations: Improve query performance when using dashboard filter (#83112) * Annotations: Improve query performance when using dashboard filter * Add dashboard id filter
2024-02-21 17:30:26 +08:00
"github.com/grafana/grafana/pkg/services/annotations"
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2023-11-15 07:11:01 +08:00
"github.com/grafana/grafana/pkg/services/annotations/testutil"
App Platform: Remove mutable globals (#102962) * App Platform: Remove mutable globals * chore: clarify why this exists * fix: support multi-tenant mode * refactor: call builder providers directly * CI: Force re-build
2025-03-27 22:46:09 +08:00
"github.com/grafana/grafana/pkg/services/apiserver"
K8s: Folders: Fix legacy search (#100393)
2025-02-12 03:14:25 +08:00
"github.com/grafana/grafana/pkg/services/apiserver/client"
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2023-11-15 07:11:01 +08:00
"github.com/grafana/grafana/pkg/services/dashboards"
Annotations: Fix usage of dashboard table for permissions (#98774)
2025-01-10 22:35:38 +08:00
"github.com/grafana/grafana/pkg/services/dashboards/database"
dashboardsservice "github.com/grafana/grafana/pkg/services/dashboards/service"
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2023-11-15 07:11:01 +08:00
"github.com/grafana/grafana/pkg/services/featuremgmt"
Annotations: Fix usage of dashboard table for permissions (#98774)
2025-01-10 22:35:38 +08:00
"github.com/grafana/grafana/pkg/services/folder/folderimpl"
"github.com/grafana/grafana/pkg/services/quota/quotatest"
K8s: Search fallback: Support all sort by methods (#100776)
2025-02-19 02:30:11 +08:00
"github.com/grafana/grafana/pkg/services/search/sort"
Annotations: Fix usage of dashboard table for permissions (#98774)
2025-01-10 22:35:38 +08:00
"github.com/grafana/grafana/pkg/services/supportbundles/supportbundlestest"
"github.com/grafana/grafana/pkg/services/tag/tagimpl"
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2023-11-15 07:11:01 +08:00
"github.com/grafana/grafana/pkg/services/user"
DualWriter: Support managed DualWriter (#100881)
2025-02-19 22:50:39 +08:00
"github.com/grafana/grafana/pkg/storage/legacysql/dualwrite"
Chore: Update test database initialization (#81673) * streamline initialization of test databases, support on-disk sqlite test db * clean up test databases * introduce testsuite helper * use testsuite everywhere we use a test db * update documentation * improve error handling * disable entity integration test until we can figure out locking error
2024-02-09 22:35:39 +08:00
"github.com/grafana/grafana/pkg/tests/testsuite"
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2023-11-15 07:11:01 +08:00
)
Chore: Update test database initialization (#81673) * streamline initialization of test databases, support on-disk sqlite test db * clean up test databases * introduce testsuite helper * use testsuite everywhere we use a test db * update documentation * improve error handling * disable entity integration test until we can figure out locking error
2024-02-09 22:35:39 +08:00
func TestMain(m *testing.M) {
testsuite.Run(m)
}
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2023-11-15 07:11:01 +08:00
func TestIntegrationAuthorize(t *testing.T) {
if testing.Short() {
t.Skip("skipping integration test")
}
Revert read replica POC (#93551) * Revert "chore: add replDB to team service (#91799)" This reverts commit c6ae2d7999aa6fc797db39e9d66c6fea70278f83. * Revert "experiment: use read replica for Get and Find Dashboards (#91706)" This reverts commit 54177ca619dbb5ded2dcb158405802d8dbdbc982. * Revert "QuotaService: refactor to use ReplDB for Get queries (#91333)" This reverts commit 299c142f6a6e8c5673cfdea9f87b56ac304f9834. * Revert "refactor replCfg to look more like plugins/plugin config (#91142)" This reverts commit ac0b4bb34d495914cbe8daad85b7c75c31e8070d. * Revert "chore (replstore): fix registration with multiple sql drivers, again (#90990)" This reverts commit daedb358dded00d349d9fac6106aaaa6bf18322e. * Revert "Chore (sqlstore): add validation and testing for repl config (#90683)" This reverts commit af19f039b62d9945377292a8e679ee258fd56b3d. * Revert "ReplStore: Add support for round robin load balancing between multiple read replicas (#90530)" This reverts commit 27b52b1507f5218a7b38046b4d96bc004d949d46. * Revert "DashboardStore: Use ReplDB and get dashboard quotas from the ReadReplica (#90235)" This reverts commit 8a6107cd35f6444c0674ee4230d3d6bcfbbd4a58. * Revert "accesscontrol service read replica (#89963)" This reverts commit 77a4869fcadf13827d76d5767d4de74812d6dd6d. * Revert "Fix: add mapping for the new mysqlRepl driver (#89551)" This reverts commit ab5a079bcc5b0f0a6929f0a3742eb2859d4a3498. * Revert "fix: sql instrumentation dual registration error (#89508)" This reverts commit d988f5c3b064fade6e96511e0024190c22d48e50. * Revert "Experimental Feature Toggle: databaseReadReplica (#89232)" This reverts commit 50244ed4a1435cbf3e3c87d4af34fd7937f7c259.
2024-09-26 07:21:39 +08:00
sql, cfg := db.InitTestDBWithCfg(t)
Annotations: Fix usage of dashboard table for permissions (#98774)
2025-01-10 22:35:38 +08:00
folderStore := folderimpl.ProvideDashboardFolderStore(sql)
fStore := folderimpl.ProvideStore(sql)
dashStore, err := database.ProvideDashboardStore(sql, cfg, featuremgmt.WithFeatures(), tagimpl.ProvideService(sql))
require.NoError(t, err)
RBAC: Remove dashboard guardians pt 1 (#102314) * replace the usage of dashboard guardians with calling AC evaluators or checking access in middleware * linting fixes * fix test * more test fixes * remove a todo comment
2025-03-21 01:38:09 +08:00
ac := actest.FakeAccessControl{ExpectedEvaluate: true}
Folders: Add user service to folder service implementation (#99518) Add user service to folder service implementation
2025-01-27 21:29:47 +08:00
folderSvc := folderimpl.ProvideService(
RBAC: Remove dashboard guardians pt 1 (#102314) * replace the usage of dashboard guardians with calling AC evaluators or checking access in middleware * linting fixes * fix test * more test fixes * remove a todo comment
2025-03-21 01:38:09 +08:00
fStore, ac, bus.ProvideBus(tracing.InitializeTracerForTest()), dashStore, folderStore,
App Platform: Remove mutable globals (#102962) * App Platform: Remove mutable globals * chore: clarify why this exists * fix: support multi-tenant mode * refactor: call builder providers directly * CI: Force re-build
2025-03-27 22:46:09 +08:00
nil, sql, featuremgmt.WithFeatures(), supportbundlestest.NewFakeBundleService(), nil, cfg, nil, tracing.InitializeTracerForTest(), nil, dualwrite.ProvideTestService(), sort.ProvideService(), apiserver.WithoutRestConfig)
Dashboards: Use dashboard service in access control (#99053)
2025-01-22 04:57:43 +08:00
dashSvc, err := dashboardsservice.ProvideDashboardServiceImpl(cfg, dashStore, folderStore, featuremgmt.WithFeatures(), accesscontrolmock.NewMockedPermissionsService(),
Access control: Make sure that user permission cache is cleared after new dashboard and folder creation (#104193) * make sure that user permission cache is cleared after new dashboard and folder creation * more test fixes * Update pkg/services/dashboards/service/dashboard_service.go * check identity type in SetDefaultPermissionsAfterCreate, set default permissions for service accounts * set SA permissions for folders as well * fix tests
2025-04-24 21:02:39 +08:00
ac, actest.FakeService{}, folderSvc, nil, client.MockTestRestConfig{}, nil, quotatest.New(false, nil), nil, nil, nil, dualwrite.ProvideTestService(), sort.ProvideService(),
App platform: Add cleanup job for dashboards when going through /apis (kubectl) (#102506) * Add dashboard cleanup job Change log message Adjust logic to account for new head RV logic Don't update lastResourceVersion due to pagination Save improvements * Address review feedback * Update docs. * Remove docs * Rename config --------- Co-authored-by: Marco de Abreu <18629099+marcoabreu@users.noreply.github.com>
2025-03-23 06:47:27 +08:00
serverlock.ProvideService(sql, tracing.InitializeTracerForTest()),
kvstore.NewFakeKVStore())
Annotations: Fix usage of dashboard table for permissions (#98774)
2025-01-10 22:35:38 +08:00
require.NoError(t, err)
Dashboards: Use dashboard service in access control (#99053)
2025-01-22 04:57:43 +08:00
dashSvc.RegisterDashboardPermissions(accesscontrolmock.NewMockedPermissionsService())
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2023-11-15 07:11:01 +08:00
u := &user.SignedInUser{
UserID: 1,
OrgID: 1,
}
Annotations: Fix usage of dashboard table for permissions (#98774)
2025-01-10 22:35:38 +08:00
dash1, err := dashSvc.SaveDashboard(context.Background(), &dashboards.SaveDashboardDTO{
User: u,
OrgID: 1,
Dashboard: &dashboards.Dashboard{
Title: "Dashboard 1",
Data: simplejson.New(),
},
}, false)
require.NoError(t, err)
dash2, err := dashSvc.SaveDashboard(context.Background(), &dashboards.SaveDashboardDTO{
User: u,
OrgID: 1,
Dashboard: &dashboards.Dashboard{
Title: "Dashboard 2",
Data: simplejson.New(),
},
}, false)
require.NoError(t, err)
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2023-11-15 07:11:01 +08:00
role := testutil.SetupRBACRole(t, sql, u)
type testCase struct {
name string
permissions map[string][]string
RBAC: Change annotation filter to use dashboard based annotation scopes (#78635) change annotation filter to use dash based annotation scopes
2023-11-29 18:34:44 +08:00
featureToggle string
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2023-11-15 07:11:01 +08:00
expectedResources *AccessResources
expectedErr error
}
testCases := []testCase{
{
name: "should have both scopes and all dashboards",
permissions: map[string][]string{
accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsAll},
dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll},
},
expectedResources: &AccessResources{
RBAC: Change annotation filter to use dashboard based annotation scopes (#78635) change annotation filter to use dash based annotation scopes
2023-11-29 18:34:44 +08:00
Dashboards: map[string]int64{dash1.UID: dash1.ID, dash2.UID: dash2.ID},
CanAccessOrgAnnotations: true,
CanAccessDashAnnotations: true,
},
},
{
name: "should have no dashboards if missing annotation read permission on dashboards and FlagAnnotationPermissionUpdate is enabled",
permissions: map[string][]string{
accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsAll},
dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll},
},
featureToggle: featuremgmt.FlagAnnotationPermissionUpdate,
expectedResources: &AccessResources{
Dashboards: nil,
CanAccessOrgAnnotations: true,
CanAccessDashAnnotations: true,
},
},
{
name: "should have dashboard and organization scope and all dashboards if FlagAnnotationPermissionUpdate is enabled",
permissions: map[string][]string{
accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsTypeOrganization, dashboards.ScopeDashboardsAll},
},
featureToggle: featuremgmt.FlagAnnotationPermissionUpdate,
expectedResources: &AccessResources{
Dashboards: map[string]int64{dash1.UID: dash1.ID, dash2.UID: dash2.ID},
CanAccessOrgAnnotations: true,
CanAccessDashAnnotations: true,
},
},
{
name: "should have dashboard and organization scope and all dashboards if FlagAnnotationPermissionUpdate is enabled and folder based scope is used",
permissions: map[string][]string{
accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsTypeOrganization, dashboards.ScopeFoldersAll},
},
featureToggle: featuremgmt.FlagAnnotationPermissionUpdate,
expectedResources: &AccessResources{
Dashboards: map[string]int64{dash1.UID: dash1.ID, dash2.UID: dash2.ID},
CanAccessOrgAnnotations: true,
CanAccessDashAnnotations: true,
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2023-11-15 07:11:01 +08:00
},
},
{
name: "should have only organization scope and no dashboards",
permissions: map[string][]string{
accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsTypeOrganization},
dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll},
},
expectedResources: &AccessResources{
RBAC: Change annotation filter to use dashboard based annotation scopes (#78635) change annotation filter to use dash based annotation scopes
2023-11-29 18:34:44 +08:00
Dashboards: nil,
CanAccessOrgAnnotations: true,
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2023-11-15 07:11:01 +08:00
},
},
{
name: "should have only dashboard scope and all dashboards",
permissions: map[string][]string{
accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsTypeDashboard},
dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll},
},
expectedResources: &AccessResources{
RBAC: Change annotation filter to use dashboard based annotation scopes (#78635) change annotation filter to use dash based annotation scopes
2023-11-29 18:34:44 +08:00
Dashboards: map[string]int64{dash1.UID: dash1.ID, dash2.UID: dash2.ID},
CanAccessDashAnnotations: true,
},
},
{
name: "should have only dashboard scope and all dashboards if FlagAnnotationPermissionUpdate is enabled",
permissions: map[string][]string{
accesscontrol.ActionAnnotationsRead: {dashboards.ScopeDashboardsAll},
},
featureToggle: featuremgmt.FlagAnnotationPermissionUpdate,
expectedResources: &AccessResources{
Dashboards: map[string]int64{dash1.UID: dash1.ID, dash2.UID: dash2.ID},
CanAccessOrgAnnotations: false,
CanAccessDashAnnotations: true,
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2023-11-15 07:11:01 +08:00
},
},
{
name: "should have only dashboard scope and only dashboard 1",
permissions: map[string][]string{
accesscontrol.ActionAnnotationsRead: {accesscontrol.ScopeAnnotationsTypeDashboard},
dashboards.ActionDashboardsRead: {fmt.Sprintf("dashboards:uid:%s", dash1.UID)},
},
expectedResources: &AccessResources{
RBAC: Change annotation filter to use dashboard based annotation scopes (#78635) change annotation filter to use dash based annotation scopes
2023-11-29 18:34:44 +08:00
Dashboards: map[string]int64{dash1.UID: dash1.ID},
CanAccessDashAnnotations: true,
},
},
{
name: "should have only dashboard scope and only dashboard 1 if FlagAnnotationPermissionUpdate is enabled",
permissions: map[string][]string{
accesscontrol.ActionAnnotationsRead: {dashboards.ScopeDashboardsProvider.GetResourceScopeUID(dash1.UID)},
},
featureToggle: featuremgmt.FlagAnnotationPermissionUpdate,
expectedResources: &AccessResources{
Dashboards: map[string]int64{dash1.UID: dash1.ID},
CanAccessOrgAnnotations: false,
CanAccessDashAnnotations: true,
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2023-11-15 07:11:01 +08:00
},
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
u.Permissions = map[int64]map[string][]string{1: tc.permissions}
testutil.SetupRBACPermission(t, sql, role, u)
Annotations: Fix usage of dashboard table for permissions (#98774)
2025-01-10 22:35:38 +08:00
authz := NewAuthService(sql, featuremgmt.WithFeatures(tc.featureToggle), dashSvc)
RBAC: Change annotation filter to use dashboard based annotation scopes (#78635) change annotation filter to use dash based annotation scopes
2023-11-29 18:34:44 +08:00
Annotations: Fix composite store read (#94158) * Annotations: Fix composite store read * Add test * check error
2024-10-03 15:14:06 +08:00
query := annotations.ItemQuery{SignedInUser: u, OrgID: 1}
Annotations: Optimize search by tags (#93547) * Annotations: Optimize search on large number of dashboards * refactor * fix batch size * Return early if no annotations found * revert go.mod * return nil in case of error * Move default limit to the API package * fix empty access control filter * Set default limit to 100 * optimize query when number of annotations is less than limit * Update pkg/services/annotations/annotationsimpl/annotations.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * remove limit from store since it's set in API * set default limit in Find method (do not break tests) * Only add limit to the query if it's set * use limit trick for all searches without dashboard filter * set default page if not provided --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2024-09-23 23:29:29 +08:00
resources, err := authz.Authorize(context.Background(), query)
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2023-11-15 07:11:01 +08:00
require.NoError(t, err)
if tc.expectedResources.Dashboards != nil {
require.Equal(t, tc.expectedResources.Dashboards, resources.Dashboards)
}
RBAC: Change annotation filter to use dashboard based annotation scopes (#78635) change annotation filter to use dash based annotation scopes
2023-11-29 18:34:44 +08:00
require.Equal(t, tc.expectedResources.CanAccessDashAnnotations, resources.CanAccessDashAnnotations)
require.Equal(t, tc.expectedResources.CanAccessOrgAnnotations, resources.CanAccessOrgAnnotations)
Annotations: Lift parts of RBAC from xorm store into auth service (#76967) * [WIP] Lift RBAC from xorm store * Cleanup RBAC, fix tests * Use the scope type map as a map * Remove dependency on dashboard service * Make dashboards a map for constant time lookups (useful later) --- * Lift RBAC tests into a new file to test at service level * Add necessary access resource structs to xorm store tests * Move authorization into separate service * Pass features to searchstore.Builder * Sort imports * Code cleanup * Remove useless scope type check * Lift permission check into `Authorize()` * Use clearer language when checking scope types * Include dashboard permissions in test to ensure they're ignored * Switch to errutil * Cleanup sql.Cfg refs
2023-11-15 07:11:01 +08:00
if tc.expectedErr != nil {
require.Equal(t, tc.expectedErr, err)
}
})
}
}