2021-10-27 19:13:59 +08:00
|
|
|
package api
|
|
|
|
|
|
|
|
|
|
import (
|
2024-07-03 14:08:57 +08:00
|
|
|
"context"
|
2021-10-27 19:13:59 +08:00
|
|
|
"net/http"
|
|
|
|
|
"strings"
|
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
|
|
2025-01-21 17:06:55 +08:00
|
|
|
claims "github.com/grafana/authlib/types"
|
|
|
|
|
|
2021-10-27 19:13:59 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
2023-01-13 17:22:32 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol/actest"
|
2024-07-25 17:52:14 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/authn"
|
|
|
|
|
"github.com/grafana/grafana/pkg/services/authn/authntest"
|
2022-11-28 19:05:46 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/org"
|
2023-01-13 17:22:32 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/org/orgtest"
|
|
|
|
|
"github.com/grafana/grafana/pkg/services/user"
|
2022-09-27 19:58:49 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/user/usertest"
|
2021-10-27 19:13:59 +08:00
|
|
|
"github.com/grafana/grafana/pkg/setting"
|
2023-01-13 17:22:32 +08:00
|
|
|
"github.com/grafana/grafana/pkg/web/webtest"
|
2021-10-27 19:13:59 +08:00
|
|
|
)
|
|
|
|
|
|
2023-05-23 22:29:20 +08:00
|
|
|
func TestAPIEndpoint_GetCurrentOrg(t *testing.T) {
|
2023-01-13 17:22:32 +08:00
|
|
|
type testCase struct {
|
|
|
|
|
desc string
|
|
|
|
|
expectedCode int
|
|
|
|
|
permission []accesscontrol.Permission
|
|
|
|
|
}
|
2021-11-17 17:12:28 +08:00
|
|
|
|
2023-01-13 17:22:32 +08:00
|
|
|
tests := []testCase{
|
|
|
|
|
{
|
|
|
|
|
desc: "should be able to view current org with correct permission",
|
|
|
|
|
expectedCode: http.StatusOK,
|
|
|
|
|
permission: []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsRead}},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
desc: "should not be able to view current org without correct permission",
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
permission: []accesscontrol.Permission{},
|
|
|
|
|
},
|
|
|
|
|
}
|
2021-10-27 19:13:59 +08:00
|
|
|
|
2023-01-13 17:22:32 +08:00
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.desc, func(t *testing.T) {
|
|
|
|
|
server := SetupAPITestServer(t, func(hs *HTTPServer) {
|
|
|
|
|
hs.Cfg = setting.NewCfg()
|
|
|
|
|
hs.orgService = &orgtest.FakeOrgService{ExpectedOrg: &org.Org{}}
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
req := webtest.RequestWithSignedInUser(server.NewGetRequest("/api/org/"), userWithPermissions(1, tt.permission))
|
|
|
|
|
res, err := server.Send(req)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
assert.Equal(t, tt.expectedCode, res.StatusCode)
|
|
|
|
|
require.NoError(t, res.Body.Close())
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-11-17 17:12:28 +08:00
|
|
|
|
2023-05-23 22:29:20 +08:00
|
|
|
func TestAPIEndpoint_UpdateOrg(t *testing.T) {
|
2023-01-13 17:22:32 +08:00
|
|
|
type testCase struct {
|
|
|
|
|
desc string
|
|
|
|
|
path string
|
|
|
|
|
body string
|
|
|
|
|
targetOrgID int64
|
|
|
|
|
permission []accesscontrol.Permission
|
|
|
|
|
expectedCode int
|
|
|
|
|
}
|
2021-11-17 17:12:28 +08:00
|
|
|
|
2023-01-13 17:22:32 +08:00
|
|
|
tests := []testCase{
|
|
|
|
|
{
|
|
|
|
|
desc: "should be able to update current org with correct permissions",
|
|
|
|
|
path: "/api/org",
|
|
|
|
|
body: `{"name": "test"}`,
|
|
|
|
|
permission: []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsWrite}},
|
|
|
|
|
expectedCode: http.StatusOK,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
desc: "should not be able to update current org without correct permissions",
|
|
|
|
|
path: "/api/org",
|
|
|
|
|
body: `{"name": "test"}`,
|
|
|
|
|
permission: []accesscontrol.Permission{},
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
desc: "should be able to update address of current org with correct permissions",
|
|
|
|
|
path: "/api/org/address",
|
|
|
|
|
body: `{}`,
|
|
|
|
|
permission: []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsWrite}},
|
|
|
|
|
expectedCode: http.StatusOK,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
desc: "should not be able to update address of current org without correct permissions",
|
|
|
|
|
path: "/api/org/address",
|
|
|
|
|
body: `{}`,
|
|
|
|
|
permission: []accesscontrol.Permission{},
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
desc: "should be able to update target org with correct permissions",
|
|
|
|
|
path: "/api/orgs/1",
|
|
|
|
|
body: `{"name": "test"}`,
|
|
|
|
|
targetOrgID: 1,
|
|
|
|
|
permission: []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsWrite}},
|
|
|
|
|
expectedCode: http.StatusOK,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
desc: "should not be able to update target org without correct permissions",
|
|
|
|
|
path: "/api/orgs/2",
|
|
|
|
|
targetOrgID: 2,
|
|
|
|
|
body: `{"name": "test"}`,
|
|
|
|
|
permission: []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsWrite}},
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
desc: "should be able to update address of target org with correct permissions",
|
|
|
|
|
path: "/api/orgs/1/address",
|
|
|
|
|
body: `{}`,
|
|
|
|
|
targetOrgID: 1,
|
|
|
|
|
permission: []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsWrite}},
|
|
|
|
|
expectedCode: http.StatusOK,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
desc: "should not be able to update address of target org without correct permissions",
|
|
|
|
|
path: "/api/orgs/2/address",
|
|
|
|
|
body: `{}`,
|
|
|
|
|
targetOrgID: 2,
|
|
|
|
|
permission: []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsWrite}},
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
},
|
|
|
|
|
}
|
2021-11-17 17:12:28 +08:00
|
|
|
|
2023-01-13 17:22:32 +08:00
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.desc, func(t *testing.T) {
|
|
|
|
|
server := SetupAPITestServer(t, func(hs *HTTPServer) {
|
|
|
|
|
hs.Cfg = setting.NewCfg()
|
|
|
|
|
hs.orgService = &orgtest.FakeOrgService{ExpectedOrg: &org.Org{}}
|
|
|
|
|
hs.userService = &usertest.FakeUserService{
|
|
|
|
|
ExpectedSignedInUser: &user.SignedInUser{OrgID: tt.targetOrgID},
|
|
|
|
|
}
|
|
|
|
|
hs.accesscontrolService = actest.FakeService{}
|
2024-04-10 18:42:13 +08:00
|
|
|
hs.authnService = &authntest.FakeService{
|
|
|
|
|
ExpectedIdentity: &authn.Identity{
|
|
|
|
|
OrgID: tt.targetOrgID,
|
|
|
|
|
},
|
|
|
|
|
}
|
2023-01-13 17:22:32 +08:00
|
|
|
})
|
|
|
|
|
|
|
|
|
|
req := webtest.RequestWithSignedInUser(server.NewRequest(http.MethodPut, tt.path, strings.NewReader(tt.body)), userWithPermissions(1, tt.permission))
|
|
|
|
|
res, err := server.SendJSON(req)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
assert.Equal(t, tt.expectedCode, res.StatusCode)
|
|
|
|
|
require.NoError(t, res.Body.Close())
|
|
|
|
|
})
|
2021-11-17 17:12:28 +08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-23 22:29:20 +08:00
|
|
|
func TestAPIEndpoint_CreateOrgs(t *testing.T) {
|
2023-01-13 17:22:32 +08:00
|
|
|
type testCase struct {
|
|
|
|
|
desc string
|
|
|
|
|
permission []accesscontrol.Permission
|
|
|
|
|
expectedCode int
|
|
|
|
|
}
|
2021-10-27 19:13:59 +08:00
|
|
|
|
2023-01-13 17:22:32 +08:00
|
|
|
tests := []testCase{
|
|
|
|
|
{
|
|
|
|
|
desc: "should be able to create org with correct permission",
|
|
|
|
|
permission: []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsCreate}},
|
|
|
|
|
expectedCode: http.StatusOK,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
desc: "should not be able to create org without correct permission",
|
|
|
|
|
permission: []accesscontrol.Permission{},
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
},
|
|
|
|
|
}
|
2021-10-27 19:13:59 +08:00
|
|
|
|
2023-01-13 17:22:32 +08:00
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.desc, func(t *testing.T) {
|
|
|
|
|
server := SetupAPITestServer(t, func(hs *HTTPServer) {
|
|
|
|
|
hs.Cfg = setting.NewCfg()
|
|
|
|
|
hs.orgService = &orgtest.FakeOrgService{ExpectedOrg: &org.Org{}}
|
|
|
|
|
hs.accesscontrolService = actest.FakeService{}
|
|
|
|
|
hs.userService = &usertest.FakeUserService{
|
2023-08-28 16:42:24 +08:00
|
|
|
ExpectedSignedInUser: &user.SignedInUser{UserID: 1, OrgID: 0},
|
2023-01-13 17:22:32 +08:00
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
|
2023-08-28 16:42:24 +08:00
|
|
|
req := webtest.RequestWithSignedInUser(server.NewPostRequest("/api/orgs", strings.NewReader(`{"name": "test"}`)), authedUserWithPermissions(1, 0, tt.permission))
|
2023-01-13 17:22:32 +08:00
|
|
|
res, err := server.SendJSON(req)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
assert.Equal(t, tt.expectedCode, res.StatusCode)
|
|
|
|
|
require.NoError(t, res.Body.Close())
|
|
|
|
|
})
|
|
|
|
|
}
|
2021-10-27 19:13:59 +08:00
|
|
|
}
|
|
|
|
|
|
2023-05-23 22:29:20 +08:00
|
|
|
func TestAPIEndpoint_DeleteOrgs(t *testing.T) {
|
2023-01-13 17:22:32 +08:00
|
|
|
type testCase struct {
|
|
|
|
|
desc string
|
|
|
|
|
permission []accesscontrol.Permission
|
|
|
|
|
expectedCode int
|
|
|
|
|
}
|
2021-10-27 19:13:59 +08:00
|
|
|
|
2023-01-13 17:22:32 +08:00
|
|
|
tests := []testCase{
|
|
|
|
|
{
|
|
|
|
|
desc: "should be able to delete org with correct permission",
|
|
|
|
|
permission: []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsDelete}},
|
|
|
|
|
expectedCode: http.StatusOK,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
desc: "should not be able to delete org without correct permission",
|
|
|
|
|
permission: []accesscontrol.Permission{},
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
},
|
|
|
|
|
}
|
2021-10-27 19:13:59 +08:00
|
|
|
|
2023-01-13 17:22:32 +08:00
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.desc, func(t *testing.T) {
|
2024-04-10 18:42:13 +08:00
|
|
|
expectedIdentity := &authn.Identity{
|
|
|
|
|
OrgID: 1,
|
|
|
|
|
Permissions: map[int64]map[string][]string{
|
2024-07-03 14:08:57 +08:00
|
|
|
1: accesscontrol.GroupScopesByActionContext(context.Background(), tt.permission),
|
2024-04-10 18:42:13 +08:00
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-13 17:22:32 +08:00
|
|
|
server := SetupAPITestServer(t, func(hs *HTTPServer) {
|
|
|
|
|
hs.Cfg = setting.NewCfg()
|
|
|
|
|
hs.orgService = &orgtest.FakeOrgService{ExpectedOrg: &org.Org{}}
|
2025-01-07 01:05:22 +08:00
|
|
|
hs.orgDeletionService = &orgtest.FakeOrgDeletionService{}
|
2023-01-13 17:22:32 +08:00
|
|
|
hs.userService = &usertest.FakeUserService{ExpectedSignedInUser: &user.SignedInUser{OrgID: 1}}
|
|
|
|
|
hs.accesscontrolService = actest.FakeService{ExpectedPermissions: tt.permission}
|
2024-04-10 18:42:13 +08:00
|
|
|
hs.authnService = &authntest.FakeService{}
|
|
|
|
|
hs.authnService = &authntest.FakeService{
|
|
|
|
|
ExpectedIdentity: expectedIdentity,
|
|
|
|
|
}
|
2023-01-13 17:22:32 +08:00
|
|
|
})
|
|
|
|
|
|
|
|
|
|
req := webtest.RequestWithSignedInUser(server.NewRequest(http.MethodDelete, "/api/orgs/1", nil), userWithPermissions(2, nil))
|
|
|
|
|
res, err := server.Send(req)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
assert.Equal(t, tt.expectedCode, res.StatusCode)
|
|
|
|
|
require.NoError(t, res.Body.Close())
|
|
|
|
|
})
|
|
|
|
|
}
|
2021-10-27 19:13:59 +08:00
|
|
|
}
|
|
|
|
|
|
2023-05-23 22:29:20 +08:00
|
|
|
func TestAPIEndpoint_GetOrg(t *testing.T) {
|
2023-01-13 17:22:32 +08:00
|
|
|
type testCase struct {
|
|
|
|
|
desc string
|
|
|
|
|
permissions []accesscontrol.Permission
|
|
|
|
|
expectedCode int
|
|
|
|
|
}
|
2021-10-27 19:13:59 +08:00
|
|
|
|
2023-01-13 17:22:32 +08:00
|
|
|
tests := []testCase{
|
|
|
|
|
{
|
|
|
|
|
desc: "should be able to fetch org with correct permissions",
|
|
|
|
|
permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionOrgsRead}},
|
|
|
|
|
expectedCode: http.StatusOK,
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
desc: "should not be able to fetch org without correct permissions",
|
|
|
|
|
expectedCode: http.StatusForbidden,
|
|
|
|
|
},
|
|
|
|
|
}
|
2021-10-27 19:13:59 +08:00
|
|
|
|
2023-01-13 17:22:32 +08:00
|
|
|
for _, tt := range tests {
|
|
|
|
|
t.Run(tt.desc, func(t *testing.T) {
|
2024-04-10 18:42:13 +08:00
|
|
|
expectedIdentity := &authn.Identity{
|
2024-08-13 16:18:28 +08:00
|
|
|
ID: "1",
|
|
|
|
|
Type: claims.TypeUser,
|
2024-04-10 18:42:13 +08:00
|
|
|
OrgID: 1,
|
|
|
|
|
Permissions: map[int64]map[string][]string{
|
2024-07-03 14:08:57 +08:00
|
|
|
0: accesscontrol.GroupScopesByActionContext(context.Background(), tt.permissions),
|
|
|
|
|
1: accesscontrol.GroupScopesByActionContext(context.Background(), tt.permissions),
|
2024-04-10 18:42:13 +08:00
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-13 17:22:32 +08:00
|
|
|
server := SetupAPITestServer(t, func(hs *HTTPServer) {
|
|
|
|
|
hs.Cfg = setting.NewCfg()
|
|
|
|
|
hs.orgService = &orgtest.FakeOrgService{ExpectedOrg: &org.Org{}}
|
2023-10-14 02:01:47 +08:00
|
|
|
hs.userService = &usertest.FakeUserService{ExpectedSignedInUser: &user.SignedInUser{OrgID: 1}}
|
2023-01-13 17:22:32 +08:00
|
|
|
hs.accesscontrolService = &actest.FakeService{ExpectedPermissions: tt.permissions}
|
2024-04-10 18:42:13 +08:00
|
|
|
hs.authnService = &authntest.FakeService{
|
|
|
|
|
ExpectedIdentity: expectedIdentity,
|
|
|
|
|
}
|
2023-01-13 17:22:32 +08:00
|
|
|
})
|
|
|
|
|
verify := func(path string) {
|
2023-10-14 02:01:47 +08:00
|
|
|
req := webtest.RequestWithSignedInUser(server.NewGetRequest(path), authedUserWithPermissions(1, 1, tt.permissions))
|
2023-01-13 17:22:32 +08:00
|
|
|
res, err := server.Send(req)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
assert.Equal(t, tt.expectedCode, res.StatusCode)
|
|
|
|
|
if tt.expectedCode != res.StatusCode {
|
|
|
|
|
t.Log("Failed on path", path)
|
|
|
|
|
}
|
|
|
|
|
require.NoError(t, res.Body.Close())
|
|
|
|
|
}
|
|
|
|
|
// search orgs
|
|
|
|
|
verify("/api/orgs")
|
|
|
|
|
// fetch by id
|
|
|
|
|
verify("/api/orgs/1")
|
|
|
|
|
// fetch by name
|
|
|
|
|
verify("/api/orgs/name/test")
|
|
|
|
|
})
|
|
|
|
|
}
|
2021-10-27 19:13:59 +08:00
|
|
|
}
|
