grafana/pkg/services/accesscontrol/resolvers_test.go

package accesscontrol_test

import (
	"context"
	"testing"

	"github.com/stretchr/testify/assert"

	"github.com/grafana/grafana/pkg/infra/log"
	"github.com/grafana/grafana/pkg/services/accesscontrol"
	"github.com/grafana/grafana/pkg/services/datasources"
)

func TestResolvers_AttributeScope(t *testing.T) {
	// Calls allow us to see how many times the fakeDataSourceResolution has been called
	calls := 0
	fakeDataSourceResolver := accesscontrol.ScopeAttributeResolverFunc(func(ctx context.Context, orgID int64, initialScope string) ([]string, error) {
		calls++
		if initialScope == "datasources:name:testds" {
			return []string{accesscontrol.Scope("datasources", "id", "1")}, nil
		} else if initialScope == "datasources:name:testds2" {
			return []string{accesscontrol.Scope("datasources", "id", "2")}, nil
		} else if initialScope == "datasources:name:test:ds4" {
			return []string{accesscontrol.Scope("datasources", "id", "4")}, nil
		} else if initialScope == "datasources:name:testds5*" {
			return []string{accesscontrol.Scope("datasources", "id", "5")}, nil
		} else {
			return nil, datasources.ErrDataSourceNotFound
		}
	})

	tests := []struct {
		name          string
		orgID         int64
		evaluator     accesscontrol.Evaluator
		wantEvaluator accesscontrol.Evaluator
		wantCalls     int
		wantErr       error
	}{
		{
			name:          "should work with scope less permissions",
			evaluator:     accesscontrol.EvalPermission("datasources:read"),
			wantEvaluator: accesscontrol.EvalPermission("datasources:read"),
			wantCalls:     0,
		},
		{
			name:      "should handle an error",
			orgID:     1,
			evaluator: accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "name", "testds3")),
			wantErr:   datasources.ErrDataSourceNotFound,
			wantCalls: 1,
		},
		{
			name:          "should resolve a scope",
			orgID:         1,
			evaluator:     accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "name", "testds")),
			wantEvaluator: accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "id", "1")),
			wantCalls:     1,
		},
		{
			name:  "should resolve nested scopes with cache",
			orgID: 1,
			evaluator: accesscontrol.EvalAll(
				accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "name", "testds")),
				accesscontrol.EvalAny(
					accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "name", "testds")),
					accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "name", "testds2")),
				),
			),
			wantEvaluator: accesscontrol.EvalAll(
				accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "id", "1")),
				accesscontrol.EvalAny(
					accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "id", "1")),
					accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "id", "2")),
				),
			),
			wantCalls: 2,
		},
		{
			name:          "should resolve name with colon",
			orgID:         1,
			evaluator:     accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "name", "test:ds4")),
			wantEvaluator: accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "id", "4")),
			wantCalls:     1,
		},
		{
			name:          "should resolve names with '*'",
			orgID:         1,
			evaluator:     accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "name", "testds5*")),
			wantEvaluator: accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "id", "5")),
			wantCalls:     1,
		},
		{
			name:          "should return error if no resolver is found for scope",
			orgID:         1,
			evaluator:     accesscontrol.EvalPermission("dashboards:read", "dashboards:id:1"),
			wantEvaluator: nil,
			wantCalls:     0,
			wantErr:       accesscontrol.ErrResolverNotFound,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			resolvers := accesscontrol.NewResolvers(log.NewNopLogger())

			// Reset calls counter
			calls = 0
			// Register a resolution method
			resolvers.AddScopeAttributeResolver("datasources:name:", fakeDataSourceResolver)

			// Test
			mutate := resolvers.GetScopeAttributeMutator(tt.orgID)
			resolvedEvaluator, err := tt.evaluator.MutateScopes(context.Background(), mutate)
			if tt.wantErr != nil {
				assert.ErrorAs(t, err, &tt.wantErr, "expected an error during the resolution of the scope")
				return
			}
			assert.NoError(t, err)
			assert.EqualValues(t, tt.wantEvaluator, resolvedEvaluator, "permission did not match expected resolution")
			assert.Equal(t, tt.wantCalls, calls, "cache has not been used")
		})
	}
}
backend/datasources: move datasources models into the datasources service package (#51267) * backend/datasources: move datasources models into the datasources service pkg 2022-06-28 00:23:15 +08:00			`package accesscontrol_test`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 15:29:30 +08:00
			`import (`
			`"context"`
			`"testing"`

Chore: Fix goimports grouping (#62426) fix goimports ordering 2023-01-30 16:34:18 +08:00			`"github.com/stretchr/testify/assert"`

RBAC: Split up service into several components (#54002) * RBAC: Rename interface to Store * RBAC: Move ranme scopeInjector * RBAC: Rename files to service * RBAC: Rename to service * RBAC: Split up accesscontrol into two components * RBAC: Add DeclareFixedRoles to AccessControl interface * Wire: Fix wire bindings * RBAC: Move resolvers to root * RBAC: Remove invalid test * RBAC: Inject access control service * RBAC: Implement the RoleRegistry interface in fake 2022-08-24 19:29:17 +08:00			`"github.com/grafana/grafana/pkg/infra/log"`
backend/datasources: move datasources models into the datasources service package (#51267) * backend/datasources: move datasources models into the datasources service pkg 2022-06-28 00:23:15 +08:00			`"github.com/grafana/grafana/pkg/services/accesscontrol"`
			`"github.com/grafana/grafana/pkg/services/datasources"`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 15:29:30 +08:00			`)`

RBAC: Split up service into several components (#54002) * RBAC: Rename interface to Store * RBAC: Move ranme scopeInjector * RBAC: Rename files to service * RBAC: Rename to service * RBAC: Split up accesscontrol into two components * RBAC: Add DeclareFixedRoles to AccessControl interface * Wire: Fix wire bindings * RBAC: Move resolvers to root * RBAC: Remove invalid test * RBAC: Inject access control service * RBAC: Implement the RoleRegistry interface in fake 2022-08-24 19:29:17 +08:00			`func TestResolvers_AttributeScope(t *testing.T) {`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 15:29:30 +08:00			`// Calls allow us to see how many times the fakeDataSourceResolution has been called`
			`calls := 0`
backend/datasources: move datasources models into the datasources service package (#51267) * backend/datasources: move datasources models into the datasources service pkg 2022-06-28 00:23:15 +08:00			`fakeDataSourceResolver := accesscontrol.ScopeAttributeResolverFunc(func(ctx context.Context, orgID int64, initialScope string) ([]string, error) {`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 15:29:30 +08:00			`calls++`
			`if initialScope == "datasources:name:testds" {`
backend/datasources: move datasources models into the datasources service package (#51267) * backend/datasources: move datasources models into the datasources service pkg 2022-06-28 00:23:15 +08:00			`return []string{accesscontrol.Scope("datasources", "id", "1")}, nil`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 15:29:30 +08:00			`} else if initialScope == "datasources:name:testds2" {`
backend/datasources: move datasources models into the datasources service package (#51267) * backend/datasources: move datasources models into the datasources service pkg 2022-06-28 00:23:15 +08:00			`return []string{accesscontrol.Scope("datasources", "id", "2")}, nil`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 15:29:30 +08:00			`} else if initialScope == "datasources:name:test:ds4" {`
backend/datasources: move datasources models into the datasources service package (#51267) * backend/datasources: move datasources models into the datasources service pkg 2022-06-28 00:23:15 +08:00			`return []string{accesscontrol.Scope("datasources", "id", "4")}, nil`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 15:29:30 +08:00			`} else if initialScope == "datasources:name:testds5*" {`
backend/datasources: move datasources models into the datasources service package (#51267) * backend/datasources: move datasources models into the datasources service pkg 2022-06-28 00:23:15 +08:00			`return []string{accesscontrol.Scope("datasources", "id", "5")}, nil`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 15:29:30 +08:00			`} else {`
backend/datasources: move datasources models into the datasources service package (#51267) * backend/datasources: move datasources models into the datasources service pkg 2022-06-28 00:23:15 +08:00			`return nil, datasources.ErrDataSourceNotFound`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 15:29:30 +08:00			`}`
			`})`

			`tests := []struct {`
			`name string`
			`orgID int64`
backend/datasources: move datasources models into the datasources service package (#51267) * backend/datasources: move datasources models into the datasources service pkg 2022-06-28 00:23:15 +08:00			`evaluator accesscontrol.Evaluator`
			`wantEvaluator accesscontrol.Evaluator`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 15:29:30 +08:00			`wantCalls int`
			`wantErr error`
			`}{`
			`{`
			`name: "should work with scope less permissions",`
backend/datasources: move datasources models into the datasources service package (#51267) * backend/datasources: move datasources models into the datasources service pkg 2022-06-28 00:23:15 +08:00			`evaluator: accesscontrol.EvalPermission("datasources:read"),`
			`wantEvaluator: accesscontrol.EvalPermission("datasources:read"),`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 15:29:30 +08:00			`wantCalls: 0,`
			`},`
			`{`
			`name: "should handle an error",`
			`orgID: 1,`
backend/datasources: move datasources models into the datasources service package (#51267) * backend/datasources: move datasources models into the datasources service pkg 2022-06-28 00:23:15 +08:00			`evaluator: accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "name", "testds3")),`
			`wantErr: datasources.ErrDataSourceNotFound,`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 15:29:30 +08:00			`wantCalls: 1,`
			`},`
			`{`
			`name: "should resolve a scope",`
			`orgID: 1,`
backend/datasources: move datasources models into the datasources service package (#51267) * backend/datasources: move datasources models into the datasources service pkg 2022-06-28 00:23:15 +08:00			`evaluator: accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "name", "testds")),`
			`wantEvaluator: accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "id", "1")),`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 15:29:30 +08:00			`wantCalls: 1,`
			`},`
			`{`
			`name: "should resolve nested scopes with cache",`
			`orgID: 1,`
backend/datasources: move datasources models into the datasources service package (#51267) * backend/datasources: move datasources models into the datasources service pkg 2022-06-28 00:23:15 +08:00			`evaluator: accesscontrol.EvalAll(`
			`accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "name", "testds")),`
			`accesscontrol.EvalAny(`
			`accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "name", "testds")),`
			`accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "name", "testds2")),`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 15:29:30 +08:00			`),`
			`),`
backend/datasources: move datasources models into the datasources service package (#51267) * backend/datasources: move datasources models into the datasources service pkg 2022-06-28 00:23:15 +08:00			`wantEvaluator: accesscontrol.EvalAll(`
			`accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "id", "1")),`
			`accesscontrol.EvalAny(`
			`accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "id", "1")),`
			`accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "id", "2")),`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 15:29:30 +08:00			`),`
			`),`
			`wantCalls: 2,`
			`},`
			`{`
			`name: "should resolve name with colon",`
			`orgID: 1,`
backend/datasources: move datasources models into the datasources service package (#51267) * backend/datasources: move datasources models into the datasources service pkg 2022-06-28 00:23:15 +08:00			`evaluator: accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "name", "test:ds4")),`
			`wantEvaluator: accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "id", "4")),`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 15:29:30 +08:00			`wantCalls: 1,`
			`},`
			`{`
			`name: "should resolve names with '*'",`
			`orgID: 1,`
backend/datasources: move datasources models into the datasources service package (#51267) * backend/datasources: move datasources models into the datasources service pkg 2022-06-28 00:23:15 +08:00			`evaluator: accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "name", "testds5*")),`
			`wantEvaluator: accesscontrol.EvalPermission("datasources:read", accesscontrol.Scope("datasources", "id", "5")),`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 15:29:30 +08:00			`wantCalls: 1,`
			`},`
RBAC: Fix resolver issue on wildcard resulting in wrong status code for endpoints (#54208) * RBAC: Test evaluation before attaching mutator * RBAC: Return error if no resolver is found for scope * RBAC: Sync changes to evaluation in mock * RBAC: Check for resolver not found error and just fail the evaluation in that case 2022-08-25 18:50:27 +08:00			`{`
			`name: "should return error if no resolver is found for scope",`
			`orgID: 1,`
			`evaluator: accesscontrol.EvalPermission("dashboards:read", "dashboards:id:1"),`
			`wantEvaluator: nil,`
			`wantCalls: 0,`
			`wantErr: accesscontrol.ErrResolverNotFound,`
			`},`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 15:29:30 +08:00			`}`
			`for _, tt := range tests {`
RBAC: Fix resolver issue on wildcard resulting in wrong status code for endpoints (#54208) * RBAC: Test evaluation before attaching mutator * RBAC: Return error if no resolver is found for scope * RBAC: Sync changes to evaluation in mock * RBAC: Check for resolver not found error and just fail the evaluation in that case 2022-08-25 18:50:27 +08:00			`t.Run(tt.name, func(t *testing.T) {`
			`resolvers := accesscontrol.NewResolvers(log.NewNopLogger())`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 15:29:30 +08:00
RBAC: Fix resolver issue on wildcard resulting in wrong status code for endpoints (#54208) * RBAC: Test evaluation before attaching mutator * RBAC: Return error if no resolver is found for scope * RBAC: Sync changes to evaluation in mock * RBAC: Check for resolver not found error and just fail the evaluation in that case 2022-08-25 18:50:27 +08:00			`// Reset calls counter`
			`calls = 0`
			`// Register a resolution method`
			`resolvers.AddScopeAttributeResolver("datasources:name:", fakeDataSourceResolver)`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 15:29:30 +08:00
RBAC: Fix resolver issue on wildcard resulting in wrong status code for endpoints (#54208) * RBAC: Test evaluation before attaching mutator * RBAC: Return error if no resolver is found for scope * RBAC: Sync changes to evaluation in mock * RBAC: Check for resolver not found error and just fail the evaluation in that case 2022-08-25 18:50:27 +08:00			`// Test`
			`mutate := resolvers.GetScopeAttributeMutator(tt.orgID)`
			`resolvedEvaluator, err := tt.evaluator.MutateScopes(context.Background(), mutate)`
			`if tt.wantErr != nil {`
			`assert.ErrorAs(t, err, &tt.wantErr, "expected an error during the resolution of the scope")`
			`return`
			`}`
			`assert.NoError(t, err)`
			`assert.EqualValues(t, tt.wantEvaluator, resolvedEvaluator, "permission did not match expected resolution")`
			`assert.Equal(t, tt.wantCalls, calls, "cache has not been used")`
			`})`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 15:29:30 +08:00			`}`
			`}`