grafana/pkg/services/sqlstore/permissions/dashboard_test.go

package permissions

import (
	"fmt"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/services/accesscontrol"
	"github.com/grafana/grafana/pkg/services/dashboards"
	"github.com/grafana/grafana/pkg/services/sqlstore/searchstore"
	"github.com/grafana/grafana/pkg/services/user"
	"github.com/grafana/grafana/pkg/util"
)

func TestNewAccessControlDashboardPermissionFilter(t *testing.T) {
	randomType := "random_" + util.GenerateShortUID()
	testCases := []struct {
		permission               models.PermissionType
		queryType                string
		expectedDashboardActions []string
		expectedFolderActions    []string
	}{
		{
			queryType:                searchstore.TypeAlertFolder,
			permission:               models.PERMISSION_ADMIN,
			expectedDashboardActions: nil,
			expectedFolderActions: []string{
				dashboards.ActionFoldersRead,
				accesscontrol.ActionAlertingRuleRead,
				accesscontrol.ActionAlertingRuleCreate,
			},
		},
		{
			queryType:                searchstore.TypeAlertFolder,
			permission:               models.PERMISSION_EDIT,
			expectedDashboardActions: nil,
			expectedFolderActions: []string{
				dashboards.ActionFoldersRead,
				accesscontrol.ActionAlertingRuleRead,
				accesscontrol.ActionAlertingRuleCreate,
			},
		},
		{
			queryType:                searchstore.TypeAlertFolder,
			permission:               models.PERMISSION_VIEW,
			expectedDashboardActions: nil,
			expectedFolderActions: []string{
				dashboards.ActionFoldersRead,
				accesscontrol.ActionAlertingRuleRead,
			},
		},
		{
			queryType:  randomType,
			permission: models.PERMISSION_ADMIN,
			expectedDashboardActions: []string{
				dashboards.ActionDashboardsRead,
				dashboards.ActionDashboardsWrite,
			},
			expectedFolderActions: []string{
				dashboards.ActionFoldersRead,
				dashboards.ActionDashboardsCreate,
			},
		},
		{
			queryType:  randomType,
			permission: models.PERMISSION_EDIT,
			expectedDashboardActions: []string{
				dashboards.ActionDashboardsRead,
				dashboards.ActionDashboardsWrite,
			},
			expectedFolderActions: []string{
				dashboards.ActionFoldersRead,
				dashboards.ActionDashboardsCreate,
			},
		},
		{
			queryType:  randomType,
			permission: models.PERMISSION_VIEW,
			expectedDashboardActions: []string{
				dashboards.ActionDashboardsRead,
			},
			expectedFolderActions: []string{
				dashboards.ActionFoldersRead,
			},
		},
	}

	for _, testCase := range testCases {
		t.Run(fmt.Sprintf("query type %s, permissions %s", testCase.queryType, testCase.permission), func(t *testing.T) {
			filters := NewAccessControlDashboardPermissionFilter(&user.SignedInUser{}, testCase.permission, testCase.queryType)

			require.Equal(t, testCase.expectedDashboardActions, filters.dashboardActions)
			require.Equal(t, testCase.expectedFolderActions, filters.folderActions)
		})
	}
}

func TestAccessControlDashboardPermissionFilter_Where(t *testing.T) {
	testCases := []struct {
		title            string
		dashboardActions []string
		folderActions    []string
		expectedResult   string
	}{
		{
			title:            "folder and dashboard actions are defined",
			dashboardActions: []string{"test"},
			folderActions:    []string{"test"},
			expectedResult:   "((( 1 = 0 OR dashboard.folder_id IN(SELECT id FROM dashboard WHERE  1 = 0)) AND NOT dashboard.is_folder) OR ( 1 = 0 AND dashboard.is_folder))",
		},
		{
			title:            "folder actions are defined but not dashboard actions",
			dashboardActions: nil,
			folderActions:    []string{"test"},
			expectedResult:   "(( 1 = 0 AND dashboard.is_folder))",
		},
		{
			title:            "dashboard actions are defined but not folder actions",
			dashboardActions: []string{"test"},
			folderActions:    nil,
			expectedResult:   "((( 1 = 0 OR dashboard.folder_id IN(SELECT id FROM dashboard WHERE  1 = 0)) AND NOT dashboard.is_folder))",
		},
		{
			title:            "dashboard actions are defined but not folder actions",
			dashboardActions: nil,
			folderActions:    nil,
			expectedResult:   "()",
		},
	}

	for _, testCase := range testCases {
		t.Run(testCase.title, func(t *testing.T) {
			filter := AccessControlDashboardPermissionFilter{
				User:             &user.SignedInUser{Permissions: map[int64]map[string][]string{}},
				dashboardActions: testCase.dashboardActions,
				folderActions:    testCase.folderActions,
			}

			query, args := filter.Where()

			assert.Empty(t, args)
			assert.Equal(t, testCase.expectedResult, query)
		})
	}
}
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules 2022-03-16 22:07:04 +08:00			`package permissions`

			`import (`
			`"fmt"`
			`"testing"`

			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`

			`"github.com/grafana/grafana/pkg/models"`
			`"github.com/grafana/grafana/pkg/services/accesscontrol"`
			`"github.com/grafana/grafana/pkg/services/dashboards"`
			`"github.com/grafana/grafana/pkg/services/sqlstore/searchstore"`
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2 2022-08-10 17:56:48 +08:00			`"github.com/grafana/grafana/pkg/services/user"`
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules 2022-03-16 22:07:04 +08:00			`"github.com/grafana/grafana/pkg/util"`
			`)`

			`func TestNewAccessControlDashboardPermissionFilter(t *testing.T) {`
			`randomType := "random_" + util.GenerateShortUID()`
			`testCases := []struct {`
			`permission models.PermissionType`
			`queryType string`
			`expectedDashboardActions []string`
			`expectedFolderActions []string`
			`}{`
			`{`
			`queryType: searchstore.TypeAlertFolder,`
			`permission: models.PERMISSION_ADMIN,`
			`expectedDashboardActions: nil,`
			`expectedFolderActions: []string{`
			`dashboards.ActionFoldersRead,`
			`accesscontrol.ActionAlertingRuleRead,`
Alerting: handle folder permissions when fine-grained access enabled (#47035) * Use alert:create action for folder search with edit permissions. This matches the action that is used to query dashboards (the update will be addressed later) * Update rule store to use FindDashboards instead of folder service to list folders the user has access to view alerts. Folder service does not support query type and additional filters. * Do not check whether the user can save to folder if FGAC is enabled because it is checked on API level. 2022-04-02 07:33:26 +08:00			`accesscontrol.ActionAlertingRuleCreate,`
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules 2022-03-16 22:07:04 +08:00			`},`
			`},`
			`{`
			`queryType: searchstore.TypeAlertFolder,`
			`permission: models.PERMISSION_EDIT,`
			`expectedDashboardActions: nil,`
			`expectedFolderActions: []string{`
			`dashboards.ActionFoldersRead,`
			`accesscontrol.ActionAlertingRuleRead,`
Alerting: handle folder permissions when fine-grained access enabled (#47035) * Use alert:create action for folder search with edit permissions. This matches the action that is used to query dashboards (the update will be addressed later) * Update rule store to use FindDashboards instead of folder service to list folders the user has access to view alerts. Folder service does not support query type and additional filters. * Do not check whether the user can save to folder if FGAC is enabled because it is checked on API level. 2022-04-02 07:33:26 +08:00			`accesscontrol.ActionAlertingRuleCreate,`
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules 2022-03-16 22:07:04 +08:00			`},`
			`},`
			`{`
			`queryType: searchstore.TypeAlertFolder,`
			`permission: models.PERMISSION_VIEW,`
			`expectedDashboardActions: nil,`
			`expectedFolderActions: []string{`
			`dashboards.ActionFoldersRead,`
			`accesscontrol.ActionAlertingRuleRead,`
			`},`
			`},`
			`{`
			`queryType: randomType,`
			`permission: models.PERMISSION_ADMIN,`
			`expectedDashboardActions: []string{`
Access Control: Move dashboard actions and create scope provider (#48618) * Move dashboard actions and create scope provider 2022-05-04 22:12:09 +08:00			`dashboards.ActionDashboardsRead,`
			`dashboards.ActionDashboardsWrite,`
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules 2022-03-16 22:07:04 +08:00			`},`
			`expectedFolderActions: []string{`
			`dashboards.ActionFoldersRead,`
Access Control: Move dashboard actions and create scope provider (#48618) * Move dashboard actions and create scope provider 2022-05-04 22:12:09 +08:00			`dashboards.ActionDashboardsCreate,`
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules 2022-03-16 22:07:04 +08:00			`},`
			`},`
			`{`
			`queryType: randomType,`
			`permission: models.PERMISSION_EDIT,`
			`expectedDashboardActions: []string{`
Access Control: Move dashboard actions and create scope provider (#48618) * Move dashboard actions and create scope provider 2022-05-04 22:12:09 +08:00			`dashboards.ActionDashboardsRead,`
			`dashboards.ActionDashboardsWrite,`
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules 2022-03-16 22:07:04 +08:00			`},`
			`expectedFolderActions: []string{`
			`dashboards.ActionFoldersRead,`
Access Control: Move dashboard actions and create scope provider (#48618) * Move dashboard actions and create scope provider 2022-05-04 22:12:09 +08:00			`dashboards.ActionDashboardsCreate,`
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules 2022-03-16 22:07:04 +08:00			`},`
			`},`
			`{`
			`queryType: randomType,`
			`permission: models.PERMISSION_VIEW,`
			`expectedDashboardActions: []string{`
Access Control: Move dashboard actions and create scope provider (#48618) * Move dashboard actions and create scope provider 2022-05-04 22:12:09 +08:00			`dashboards.ActionDashboardsRead,`
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules 2022-03-16 22:07:04 +08:00			`},`
			`expectedFolderActions: []string{`
			`dashboards.ActionFoldersRead,`
			`},`
			`},`
			`}`

			`for _, testCase := range testCases {`
			`t.Run(fmt.Sprintf("query type %s, permissions %s", testCase.queryType, testCase.permission), func(t *testing.T) {`
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2 2022-08-10 17:56:48 +08:00			`filters := NewAccessControlDashboardPermissionFilter(&user.SignedInUser{}, testCase.permission, testCase.queryType)`
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules 2022-03-16 22:07:04 +08:00
			`require.Equal(t, testCase.expectedDashboardActions, filters.dashboardActions)`
			`require.Equal(t, testCase.expectedFolderActions, filters.folderActions)`
			`})`
			`}`
			`}`

			`func TestAccessControlDashboardPermissionFilter_Where(t *testing.T) {`
			`testCases := []struct {`
			`title string`
			`dashboardActions []string`
			`folderActions []string`
			`expectedResult string`
			`}{`
			`{`
			`title: "folder and dashboard actions are defined",`
			`dashboardActions: []string{"test"},`
			`folderActions: []string{"test"},`
Access control: use uid for dashboard and folder scopes (#46807) * use uid:s for folder and dashboard permissions * evaluate folder and dashboard permissions based on uids * add dashboard.uid to accept list * Check for exact suffix * Check parent folder on create * update test * drop dashboard:create actions with dashboard scope * fix typo * AccessControl: test id 0 scope conversion * AccessControl: store only parent folder UID * AccessControl: extract general as a constant * FolderServices: Prevent creation of a folder uid'd general * FolderServices: Test folder creation prevention * Update pkg/services/guardian/accesscontrol_guardian.go * FolderServices: fix mock call expect * FolderServices: remove uneeded mocks Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-03-30 21:14:26 +08:00			`expectedResult: "((( 1 = 0 OR dashboard.folder_id IN(SELECT id FROM dashboard WHERE 1 = 0)) AND NOT dashboard.is_folder) OR ( 1 = 0 AND dashboard.is_folder))",`
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules 2022-03-16 22:07:04 +08:00			`},`
			`{`
			`title: "folder actions are defined but not dashboard actions",`
			`dashboardActions: nil,`
			`folderActions: []string{"test"},`
			`expectedResult: "(( 1 = 0 AND dashboard.is_folder))",`
			`},`
			`{`
			`title: "dashboard actions are defined but not folder actions",`
			`dashboardActions: []string{"test"},`
			`folderActions: nil,`
Access control: use uid for dashboard and folder scopes (#46807) * use uid:s for folder and dashboard permissions * evaluate folder and dashboard permissions based on uids * add dashboard.uid to accept list * Check for exact suffix * Check parent folder on create * update test * drop dashboard:create actions with dashboard scope * fix typo * AccessControl: test id 0 scope conversion * AccessControl: store only parent folder UID * AccessControl: extract general as a constant * FolderServices: Prevent creation of a folder uid'd general * FolderServices: Test folder creation prevention * Update pkg/services/guardian/accesscontrol_guardian.go * FolderServices: fix mock call expect * FolderServices: remove uneeded mocks Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-03-30 21:14:26 +08:00			`expectedResult: "((( 1 = 0 OR dashboard.folder_id IN(SELECT id FROM dashboard WHERE 1 = 0)) AND NOT dashboard.is_folder))",`
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules 2022-03-16 22:07:04 +08:00			`},`
			`{`
			`title: "dashboard actions are defined but not folder actions",`
			`dashboardActions: nil,`
			`folderActions: nil,`
			`expectedResult: "()",`
			`},`
			`}`

			`for _, testCase := range testCases {`
			`t.Run(testCase.title, func(t *testing.T) {`
			`filter := AccessControlDashboardPermissionFilter{`
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2 2022-08-10 17:56:48 +08:00			`User: &user.SignedInUser{Permissions: map[int64]map[string][]string{}},`
Search Service to support search for folders available for alerting (#46483) * support new query type "alert-folder" * move action calculation to the constructor of the filter * update filter to support query type `dash-folder-alerting` and empty dashboard actions * require folders:read to access alert rules 2022-03-16 22:07:04 +08:00			`dashboardActions: testCase.dashboardActions,`
			`folderActions: testCase.folderActions,`
			`}`

			`query, args := filter.Where()`

			`assert.Empty(t, args)`
			`assert.Equal(t, testCase.expectedResult, query)`
			`})`
			`}`
			`}`