2018-02-21 01:11:50 +08:00
|
|
|
package api
|
|
|
|
|
|
|
|
|
|
import (
|
2020-11-24 19:10:32 +08:00
|
|
|
"encoding/json"
|
2023-08-24 21:37:54 +08:00
|
|
|
"net/http"
|
|
|
|
|
"strings"
|
2018-02-21 01:11:50 +08:00
|
|
|
"testing"
|
|
|
|
|
|
2021-09-23 23:43:32 +08:00
|
|
|
"github.com/stretchr/testify/assert"
|
2022-05-10 21:48:47 +08:00
|
|
|
"github.com/stretchr/testify/require"
|
2022-03-11 01:19:50 +08:00
|
|
|
|
2023-07-18 00:21:01 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
2023-08-24 21:37:54 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol/actest"
|
2018-02-21 01:11:50 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/dashboards"
|
2022-11-10 17:41:03 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/folder"
|
2022-10-11 03:47:53 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/folder/foldertest"
|
2020-11-24 19:10:32 +08:00
|
|
|
"github.com/grafana/grafana/pkg/setting"
|
2023-08-24 21:37:54 +08:00
|
|
|
"github.com/grafana/grafana/pkg/web/webtest"
|
2018-02-21 01:11:50 +08:00
|
|
|
)
|
|
|
|
|
|
2023-08-24 21:37:54 +08:00
|
|
|
func TestHTTPServer_GetFolderPermissionList(t *testing.T) {
|
|
|
|
|
t.Run("should not be able to list acl when user does not have permission to do so", func(t *testing.T) {
|
|
|
|
|
server := SetupAPITestServer(t, func(hs *HTTPServer) {})
|
2022-03-03 22:05:47 +08:00
|
|
|
|
2023-08-24 21:37:54 +08:00
|
|
|
res, err := server.Send(webtest.RequestWithSignedInUser(server.NewGetRequest("/api/folders/1/permissions"), userWithPermissions(1, nil)))
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
assert.Equal(t, http.StatusForbidden, res.StatusCode)
|
|
|
|
|
require.NoError(t, res.Body.Close())
|
2020-11-13 16:52:38 +08:00
|
|
|
})
|
|
|
|
|
|
2023-08-24 21:37:54 +08:00
|
|
|
t.Run("should be able to list acl with correct permission", func(t *testing.T) {
|
|
|
|
|
server := SetupAPITestServer(t, func(hs *HTTPServer) {
|
2023-12-20 22:12:05 +08:00
|
|
|
hs.folderService = &foldertest.FakeService{ExpectedFolder: &folder.Folder{UID: "1"}}
|
2023-08-24 21:37:54 +08:00
|
|
|
hs.folderPermissionsService = &actest.FakePermissionsService{
|
|
|
|
|
ExpectedPermissions: []accesscontrol.ResourcePermission{},
|
|
|
|
|
}
|
2020-11-13 16:52:38 +08:00
|
|
|
})
|
|
|
|
|
|
2023-08-24 21:37:54 +08:00
|
|
|
res, err := server.Send(webtest.RequestWithSignedInUser(server.NewGetRequest("/api/folders/1/permissions"), userWithPermissions(1, []accesscontrol.Permission{
|
|
|
|
|
{Action: dashboards.ActionFoldersPermissionsRead, Scope: "folders:uid:1"},
|
|
|
|
|
})))
|
2020-11-13 16:52:38 +08:00
|
|
|
|
2023-08-24 21:37:54 +08:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
assert.Equal(t, http.StatusOK, res.StatusCode)
|
|
|
|
|
require.NoError(t, res.Body.Close())
|
2020-11-13 16:52:38 +08:00
|
|
|
})
|
|
|
|
|
|
2023-08-24 21:37:54 +08:00
|
|
|
t.Run("should filter out hidden users from acl", func(t *testing.T) {
|
|
|
|
|
server := SetupAPITestServer(t, func(hs *HTTPServer) {
|
|
|
|
|
cfg := setting.NewCfg()
|
|
|
|
|
cfg.HiddenUsers = map[string]struct{}{"hidden": {}}
|
|
|
|
|
hs.Cfg = cfg
|
2023-12-20 22:12:05 +08:00
|
|
|
hs.folderService = &foldertest.FakeService{ExpectedFolder: &folder.Folder{UID: "1"}}
|
2023-08-24 21:37:54 +08:00
|
|
|
|
|
|
|
|
hs.folderPermissionsService = &actest.FakePermissionsService{
|
|
|
|
|
ExpectedPermissions: []accesscontrol.ResourcePermission{
|
|
|
|
|
{UserId: 1, UserLogin: "regular", IsManaged: true},
|
|
|
|
|
{UserId: 2, UserLogin: "hidden", IsManaged: true},
|
|
|
|
|
},
|
|
|
|
|
}
|
2020-11-13 16:52:38 +08:00
|
|
|
})
|
|
|
|
|
|
2023-08-24 21:37:54 +08:00
|
|
|
res, err := server.Send(webtest.RequestWithSignedInUser(server.NewGetRequest("/api/folders/1/permissions"), userWithPermissions(1, []accesscontrol.Permission{
|
|
|
|
|
{Action: dashboards.ActionFoldersPermissionsRead, Scope: "folders:uid:1"},
|
|
|
|
|
})))
|
2020-11-24 19:10:32 +08:00
|
|
|
|
2023-08-24 21:37:54 +08:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
assert.Equal(t, http.StatusOK, res.StatusCode)
|
2020-11-24 19:10:32 +08:00
|
|
|
|
2023-08-24 21:37:54 +08:00
|
|
|
var result []dashboards.DashboardACLInfoDTO
|
|
|
|
|
require.NoError(t, json.NewDecoder(res.Body).Decode(&result))
|
2020-11-13 16:52:38 +08:00
|
|
|
|
2023-08-24 21:37:54 +08:00
|
|
|
assert.Len(t, result, 1)
|
|
|
|
|
assert.Equal(t, result[0].UserLogin, "regular")
|
|
|
|
|
require.NoError(t, res.Body.Close())
|
|
|
|
|
})
|
|
|
|
|
}
|
2020-11-24 19:10:32 +08:00
|
|
|
|
2023-08-24 21:37:54 +08:00
|
|
|
func TestHTTPServer_UpdateFolderPermissions(t *testing.T) {
|
|
|
|
|
t.Run("should not be able to update acl when user does not have permission to do so", func(t *testing.T) {
|
|
|
|
|
server := SetupAPITestServer(t, func(hs *HTTPServer) {})
|
2020-11-24 19:10:32 +08:00
|
|
|
|
2023-08-24 21:37:54 +08:00
|
|
|
res, err := server.Send(webtest.RequestWithSignedInUser(server.NewPostRequest("/api/folders/1/permissions", nil), userWithPermissions(1, nil)))
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
assert.Equal(t, http.StatusForbidden, res.StatusCode)
|
|
|
|
|
require.NoError(t, res.Body.Close())
|
2020-11-13 16:52:38 +08:00
|
|
|
})
|
|
|
|
|
|
2023-08-24 21:37:54 +08:00
|
|
|
t.Run("should be able to update acl with correct permissions", func(t *testing.T) {
|
|
|
|
|
server := SetupAPITestServer(t, func(hs *HTTPServer) {
|
2023-12-20 22:12:05 +08:00
|
|
|
hs.folderService = &foldertest.FakeService{ExpectedFolder: &folder.Folder{UID: "1"}}
|
2023-08-24 21:37:54 +08:00
|
|
|
hs.folderPermissionsService = &actest.FakePermissionsService{}
|
2020-11-13 16:52:38 +08:00
|
|
|
})
|
|
|
|
|
|
2023-08-24 21:37:54 +08:00
|
|
|
body := `{"items": []}`
|
|
|
|
|
res, err := server.SendJSON(webtest.RequestWithSignedInUser(server.NewPostRequest("/api/folders/1/permissions", strings.NewReader(body)), userWithPermissions(1, []accesscontrol.Permission{
|
|
|
|
|
{Action: dashboards.ActionFoldersPermissionsWrite, Scope: "folders:uid:1"},
|
|
|
|
|
})))
|
2020-11-13 16:52:38 +08:00
|
|
|
|
2023-08-24 21:37:54 +08:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
assert.Equal(t, http.StatusOK, res.StatusCode)
|
|
|
|
|
require.NoError(t, res.Body.Close())
|
2020-11-18 22:36:41 +08:00
|
|
|
})
|
|
|
|
|
|
2023-08-24 21:37:54 +08:00
|
|
|
t.Run("should not be able to specify team and user in same acl", func(t *testing.T) {
|
|
|
|
|
server := SetupAPITestServer(t, func(hs *HTTPServer) {
|
2023-12-20 22:12:05 +08:00
|
|
|
hs.folderService = &foldertest.FakeService{ExpectedFolder: &folder.Folder{UID: "1"}}
|
2023-08-24 21:37:54 +08:00
|
|
|
hs.folderPermissionsService = &actest.FakePermissionsService{}
|
2020-11-13 16:52:38 +08:00
|
|
|
})
|
|
|
|
|
|
2023-08-24 21:37:54 +08:00
|
|
|
body := `{"items": [{ userId:1, teamId: 2 }]}`
|
|
|
|
|
res, err := server.SendJSON(webtest.RequestWithSignedInUser(server.NewPostRequest("/api/folders/1/permissions", strings.NewReader(body)), userWithPermissions(1, []accesscontrol.Permission{
|
|
|
|
|
{Action: dashboards.ActionFoldersPermissionsWrite, Scope: "folders:uid:1"},
|
|
|
|
|
})))
|
2020-11-13 16:52:38 +08:00
|
|
|
|
2023-08-24 21:37:54 +08:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
assert.Equal(t, http.StatusBadRequest, res.StatusCode)
|
|
|
|
|
require.NoError(t, res.Body.Close())
|
2020-11-24 19:10:32 +08:00
|
|
|
})
|
|
|
|
|
|
2023-08-24 21:37:54 +08:00
|
|
|
t.Run("should not be able to specify team and role in same acl", func(t *testing.T) {
|
|
|
|
|
server := SetupAPITestServer(t, func(hs *HTTPServer) {
|
2023-12-20 22:12:05 +08:00
|
|
|
hs.folderService = &foldertest.FakeService{ExpectedFolder: &folder.Folder{UID: "1"}}
|
2023-08-24 21:37:54 +08:00
|
|
|
hs.folderPermissionsService = &actest.FakePermissionsService{}
|
2018-02-27 03:14:21 +08:00
|
|
|
})
|
2020-11-24 19:10:32 +08:00
|
|
|
|
2023-08-24 21:37:54 +08:00
|
|
|
body := `{"items": [{ teamId:1, role: "Admin" }]}`
|
|
|
|
|
res, err := server.SendJSON(webtest.RequestWithSignedInUser(server.NewPostRequest("/api/folders/1/permissions", strings.NewReader(body)), userWithPermissions(1, []accesscontrol.Permission{
|
|
|
|
|
{Action: dashboards.ActionFoldersPermissionsWrite, Scope: "folders:uid:1"},
|
|
|
|
|
})))
|
2020-11-24 19:10:32 +08:00
|
|
|
|
2023-08-24 21:37:54 +08:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
assert.Equal(t, http.StatusBadRequest, res.StatusCode)
|
|
|
|
|
require.NoError(t, res.Body.Close())
|
2018-02-21 01:11:50 +08:00
|
|
|
})
|
|
|
|
|
|
2023-08-24 21:37:54 +08:00
|
|
|
t.Run("should not be able to specify user and role in same acl", func(t *testing.T) {
|
|
|
|
|
server := SetupAPITestServer(t, func(hs *HTTPServer) {
|
2023-12-20 22:12:05 +08:00
|
|
|
hs.folderService = &foldertest.FakeService{ExpectedFolder: &folder.Folder{UID: "1"}}
|
2023-08-24 21:37:54 +08:00
|
|
|
hs.folderPermissionsService = &actest.FakePermissionsService{}
|
2018-02-21 01:11:50 +08:00
|
|
|
})
|
|
|
|
|
|
2023-08-24 21:37:54 +08:00
|
|
|
body := `{"items": [{ userId:1, role: "Admin" }]}`
|
|
|
|
|
res, err := server.SendJSON(webtest.RequestWithSignedInUser(server.NewPostRequest("/api/folders/1/permissions", strings.NewReader(body)), userWithPermissions(1, []accesscontrol.Permission{
|
|
|
|
|
{Action: dashboards.ActionFoldersPermissionsWrite, Scope: "folders:uid:1"},
|
|
|
|
|
})))
|
2018-02-21 01:11:50 +08:00
|
|
|
|
2023-08-24 21:37:54 +08:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
assert.Equal(t, http.StatusBadRequest, res.StatusCode)
|
|
|
|
|
require.NoError(t, res.Body.Close())
|
2018-02-21 01:11:50 +08:00
|
|
|
})
|
|
|
|
|
}
|
