grafana/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol_test.go

package ossaccesscontrol

import (
	"context"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"github.com/grafana/grafana/pkg/infra/log"
	"github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/registry"
	"github.com/grafana/grafana/pkg/setting"
)

func setupTestEnv(t testing.TB) *OSSAccessControlService {
	t.Helper()

	cfg := setting.NewCfg()
	cfg.FeatureToggles = map[string]bool{"accesscontrol": true}

	ac := OSSAccessControlService{
		Cfg: cfg,
		Log: log.New("accesscontrol-test"),
	}

	err := ac.Init()
	require.NoError(t, err)
	return &ac
}

type evaluatingPermissionsTestCase struct {
	desc       string
	user       userTestCase
	endpoints  []endpointTestCase
	evalResult bool
}

type userTestCase struct {
	name           string
	orgRole        models.RoleType
	isGrafanaAdmin bool
}

type endpointTestCase struct {
	permission string
	scope      []string
}

func TestEvaluatingPermissions(t *testing.T) {
	testCases := []evaluatingPermissionsTestCase{
		{
			desc: "should successfully evaluate access to the endpoint",
			user: userTestCase{
				name:           "testuser",
				orgRole:        models.ROLE_EDITOR,
				isGrafanaAdmin: false,
			},
			endpoints: []endpointTestCase{
				{permission: "users.teams:read", scope: []string{"users:self"}},
				{permission: "users:read", scope: []string{"users:self"}},
			},
			evalResult: true,
		},
		{
			desc: "should restrict access to the unauthorized endpoints",
			user: userTestCase{
				name:           "testuser",
				orgRole:        models.ROLE_VIEWER,
				isGrafanaAdmin: false,
			},
			endpoints: []endpointTestCase{
				{permission: "users:create", scope: []string{"users"}},
			},
			evalResult: false,
		},
	}
	for _, tc := range testCases {
		t.Run(tc.desc, func(t *testing.T) {
			ac := setupTestEnv(t)
			t.Cleanup(registry.ClearOverrides)

			user := &models.SignedInUser{
				UserId:         1,
				OrgId:          1,
				Name:           tc.user.name,
				OrgRole:        tc.user.orgRole,
				IsGrafanaAdmin: tc.user.isGrafanaAdmin,
			}

			for _, endpoint := range tc.endpoints {
				result, err := ac.Evaluate(context.Background(), user, endpoint.permission, endpoint.scope...)
				require.NoError(t, err)
				assert.Equal(t, tc.evalResult, result)
			}
		})
	}
}
Access Control: move features to Enterprise (#32640) * Move db package WIP * Implement OSS access control * Register OSS access control * Fix linter error in tests * Fix linter error in evaluator * Simplify OSS tests * Optimize builtin roles * Chore: add comments to the exported functions * Remove init from ossaccesscontrol package (moved to ext) * Add access control as a dependency for http server * Modify middleware to receive fallback function * Middleware: refactor fallback function call * Move unused models to enterprise * Simplify AccessControl type * Chore: use bool IsDisabled() method instead of CanBeDisabled interface 2021-04-06 21:49:09 +08:00			`package ossaccesscontrol`

			`import (`
			`"context"`
			`"testing"`

			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`

			`"github.com/grafana/grafana/pkg/infra/log"`
			`"github.com/grafana/grafana/pkg/models"`
			`"github.com/grafana/grafana/pkg/registry"`
			`"github.com/grafana/grafana/pkg/setting"`
			`)`

			`func setupTestEnv(t testing.TB) *OSSAccessControlService {`
			`t.Helper()`

			`cfg := setting.NewCfg()`
			`cfg.FeatureToggles = map[string]bool{"accesscontrol": true}`

			`ac := OSSAccessControlService{`
			`Cfg: cfg,`
			`Log: log.New("accesscontrol-test"),`
			`}`

			`err := ac.Init()`
			`require.NoError(t, err)`
			`return &ac`
			`}`

			`type evaluatingPermissionsTestCase struct {`
			`desc string`
			`user userTestCase`
			`endpoints []endpointTestCase`
			`evalResult bool`
			`}`

			`type userTestCase struct {`
			`name string`
			`orgRole models.RoleType`
			`isGrafanaAdmin bool`
			`}`

			`type endpointTestCase struct {`
			`permission string`
			`scope []string`
			`}`

			`func TestEvaluatingPermissions(t *testing.T) {`
			`testCases := []evaluatingPermissionsTestCase{`
			`{`
			`desc: "should successfully evaluate access to the endpoint",`
			`user: userTestCase{`
			`name: "testuser",`
			`orgRole: models.ROLE_EDITOR,`
			`isGrafanaAdmin: false,`
			`},`
			`endpoints: []endpointTestCase{`
			`{permission: "users.teams:read", scope: []string{"users:self"}},`
			`{permission: "users:read", scope: []string{"users:self"}},`
			`},`
			`evalResult: true,`
			`},`
			`{`
			`desc: "should restrict access to the unauthorized endpoints",`
			`user: userTestCase{`
			`name: "testuser",`
			`orgRole: models.ROLE_VIEWER,`
			`isGrafanaAdmin: false,`
			`},`
			`endpoints: []endpointTestCase{`
			`{permission: "users:create", scope: []string{"users"}},`
			`},`
			`evalResult: false,`
			`},`
			`}`
			`for _, tc := range testCases {`
			`t.Run(tc.desc, func(t *testing.T) {`
			`ac := setupTestEnv(t)`
			`t.Cleanup(registry.ClearOverrides)`

			`user := &models.SignedInUser{`
			`UserId: 1,`
			`OrgId: 1,`
			`Name: tc.user.name,`
			`OrgRole: tc.user.orgRole,`
			`IsGrafanaAdmin: tc.user.isGrafanaAdmin,`
			`}`

			`for _, endpoint := range tc.endpoints {`
			`result, err := ac.Evaluate(context.Background(), user, endpoint.permission, endpoint.scope...)`
			`require.NoError(t, err)`
			`assert.Equal(t, tc.evalResult, result)`
			`}`
			`})`
			`}`
			`}`