grafana/pkg/api/admin_test.go

package api

import (
	"io"
	"net/http"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"github.com/grafana/grafana/pkg/infra/db/dbtest"
	"github.com/grafana/grafana/pkg/services/accesscontrol"
	"github.com/grafana/grafana/pkg/services/stats/statstest"
	"github.com/grafana/grafana/pkg/setting"
	"github.com/grafana/grafana/pkg/web/webtest"
)

func TestAPI_AdminGetSettings(t *testing.T) {
	type testCase struct {
		desc         string
		expectedCode int
		expectedBody string
		permissions  []accesscontrol.Permission
	}
	tests := []testCase{
		{
			desc:         "should return all settings",
			expectedCode: http.StatusOK,
			expectedBody: `{"auth.proxy":{"enable_login_token":"false","enabled":"false"},"auth.saml":{"allow_idp_initiated":"false","enabled":"true"}}`,
			permissions: []accesscontrol.Permission{
				{
					Action: accesscontrol.ActionSettingsRead,
					Scope:  accesscontrol.ScopeSettingsAll,
				},
			},
		},
		{
			desc:         "should only return auth.saml settings",
			expectedCode: http.StatusOK,
			expectedBody: `{"auth.saml":{"allow_idp_initiated":"false","enabled":"true"}}`,
			permissions: []accesscontrol.Permission{
				{
					Action: accesscontrol.ActionSettingsRead,
					Scope:  "settings:auth.saml:*",
				},
			},
		},
		{
			desc:         "should only partial properties from auth.saml and auth.proxy settings",
			expectedCode: http.StatusOK,
			expectedBody: `{"auth.proxy":{"enable_login_token":"false"},"auth.saml":{"enabled":"true"}}`,
			permissions: []accesscontrol.Permission{
				{
					Action: accesscontrol.ActionSettingsRead,
					Scope:  "settings:auth.saml:enabled",
				},
				{
					Action: accesscontrol.ActionSettingsRead,
					Scope:  "settings:auth.proxy:enable_login_token",
				},
			},
		},
	}

	cfg := setting.NewCfg()
	//seed sections and keys
	cfg.Raw.DeleteSection("DEFAULT")
	saml, err := cfg.Raw.NewSection("auth.saml")
	assert.NoError(t, err)
	_, err = saml.NewKey("enabled", "true")
	assert.NoError(t, err)
	_, err = saml.NewKey("allow_idp_initiated", "false")
	assert.NoError(t, err)

	proxy, err := cfg.Raw.NewSection("auth.proxy")
	assert.NoError(t, err)
	_, err = proxy.NewKey("enabled", "false")
	assert.NoError(t, err)
	_, err = proxy.NewKey("enable_login_token", "false")
	assert.NoError(t, err)

	for _, tt := range tests {
		t.Run(tt.desc, func(t *testing.T) {
			server := SetupAPITestServer(t, func(hs *HTTPServer) {
				hs.Cfg = cfg
				hs.SettingsProvider = setting.ProvideProvider(hs.Cfg)
			})

			res, err := server.Send(webtest.RequestWithSignedInUser(server.NewGetRequest("/api/admin/settings"), userWithPermissions(1, tt.permissions)))
			require.NoError(t, err)
			assert.Equal(t, tt.expectedCode, res.StatusCode)
			body, err := io.ReadAll(res.Body)
			require.NoError(t, err)
			assert.Equal(t, tt.expectedBody, string(body))
			require.NoError(t, res.Body.Close())
		})
	}
}

func TestAdmin_AccessControl(t *testing.T) {
	type testCase struct {
		desc         string
		url          string
		permissions  []accesscontrol.Permission
		expectedCode int
	}

	tests := []testCase{
		{
			expectedCode: http.StatusOK,
			desc:         "AdminGetStats should return 200 for user with correct permissions",
			url:          "/api/admin/stats",
			permissions: []accesscontrol.Permission{
				{
					Action: accesscontrol.ActionServerStatsRead,
				},
			},
		},
		{
			expectedCode: http.StatusForbidden,
			desc:         "AdminGetStats should return 403 for user without required permissions",
			url:          "/api/admin/stats",
			permissions: []accesscontrol.Permission{
				{
					Action: "wrong",
				},
			},
		},
		{
			expectedCode: http.StatusOK,
			desc:         "AdminGetSettings should return 200 for user with correct permissions",
			url:          "/api/admin/settings",
			permissions: []accesscontrol.Permission{
				{
					Action: accesscontrol.ActionSettingsRead,
				},
			},
		},
		{
			expectedCode: http.StatusForbidden,
			desc:         "AdminGetSettings should return 403 for user without required permissions",
			url:          "/api/admin/settings",
			permissions: []accesscontrol.Permission{
				{
					Action: "wrong",
				},
			},
		},
	}

	for _, tt := range tests {
		t.Run(tt.desc, func(t *testing.T) {
			server := SetupAPITestServer(t, func(hs *HTTPServer) {
				hs.Cfg = setting.NewCfg()
				hs.SQLStore = dbtest.NewFakeDB()
				hs.SettingsProvider = &setting.OSSImpl{Cfg: hs.Cfg}
				hs.statsService = statstest.NewFakeService()
			})

			res, err := server.Send(webtest.RequestWithSignedInUser(server.NewGetRequest(tt.url), userWithPermissions(1, tt.permissions)))
			require.NoError(t, err)
			assert.Equal(t, tt.expectedCode, res.StatusCode)
			require.NoError(t, res.Body.Close())
		})
	}
}
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 23:36:48 +08:00			`package api`

			`import (`
RBAC: Rewrite admin api test setup to not use mocked access control (#61741) * RBAC: Rewrite admin api test setup to not use mocked access control 2023-01-19 18:36:44 +08:00			`"io"`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 23:36:48 +08:00			`"net/http"`
			`"testing"`

RBAC: Rewrite admin api test setup to not use mocked access control (#61741) * RBAC: Rewrite admin api test setup to not use mocked access control 2023-01-19 18:36:44 +08:00			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`

Chore: Fix goimports grouping in pkg/api (#62419) * fix goimports * fix goimports order 2023-01-30 16:18:26 +08:00			`"github.com/grafana/grafana/pkg/infra/db/dbtest"`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 23:36:48 +08:00			`"github.com/grafana/grafana/pkg/services/accesscontrol"`
RBAC: Rewrite admin api test setup to not use mocked access control (#61741) * RBAC: Rewrite admin api test setup to not use mocked access control 2023-01-19 18:36:44 +08:00			`"github.com/grafana/grafana/pkg/services/stats/statstest"`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 23:36:48 +08:00			`"github.com/grafana/grafana/pkg/setting"`
RBAC: Rewrite admin api test setup to not use mocked access control (#61741) * RBAC: Rewrite admin api test setup to not use mocked access control 2023-01-19 18:36:44 +08:00			`"github.com/grafana/grafana/pkg/web/webtest"`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 23:36:48 +08:00			`)`

			`func TestAPI_AdminGetSettings(t *testing.T) {`
RBAC: Rewrite admin api test setup to not use mocked access control (#61741) * RBAC: Rewrite admin api test setup to not use mocked access control 2023-01-19 18:36:44 +08:00			`type testCase struct {`
			`desc string`
			`expectedCode int`
			`expectedBody string`
			`permissions []accesscontrol.Permission`
			`}`
			`tests := []testCase{`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 23:36:48 +08:00			`{`
			`desc: "should return all settings",`
			`expectedCode: http.StatusOK,`
			expectedBody: `{"auth.proxy":{"enable_login_token":"false","enabled":"false"},"auth.saml":{"allow_idp_initiated":"false","enabled":"true"}}`,
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions 2022-06-14 16:17:48 +08:00			`permissions: []accesscontrol.Permission{`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 23:36:48 +08:00			`{`
			`Action: accesscontrol.ActionSettingsRead,`
			`Scope: accesscontrol.ScopeSettingsAll,`
			`},`
			`},`
			`},`
			`{`
			`desc: "should only return auth.saml settings",`
			`expectedCode: http.StatusOK,`
			expectedBody: `{"auth.saml":{"allow_idp_initiated":"false","enabled":"true"}}`,
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions 2022-06-14 16:17:48 +08:00			`permissions: []accesscontrol.Permission{`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 23:36:48 +08:00			`{`
			`Action: accesscontrol.ActionSettingsRead,`
			`Scope: "settings:auth.saml:*",`
			`},`
			`},`
			`},`
			`{`
			`desc: "should only partial properties from auth.saml and auth.proxy settings",`
			`expectedCode: http.StatusOK,`
			expectedBody: `{"auth.proxy":{"enable_login_token":"false"},"auth.saml":{"enabled":"true"}}`,
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions 2022-06-14 16:17:48 +08:00			`permissions: []accesscontrol.Permission{`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 23:36:48 +08:00			`{`
			`Action: accesscontrol.ActionSettingsRead,`
			`Scope: "settings:auth.saml:enabled",`
			`},`
			`{`
			`Action: accesscontrol.ActionSettingsRead,`
			`Scope: "settings:auth.proxy:enable_login_token",`
			`},`
			`},`
			`},`
			`}`

			`cfg := setting.NewCfg()`
			`//seed sections and keys`
			`cfg.Raw.DeleteSection("DEFAULT")`
			`saml, err := cfg.Raw.NewSection("auth.saml")`
			`assert.NoError(t, err)`
			`_, err = saml.NewKey("enabled", "true")`
			`assert.NoError(t, err)`
			`_, err = saml.NewKey("allow_idp_initiated", "false")`
			`assert.NoError(t, err)`

			`proxy, err := cfg.Raw.NewSection("auth.proxy")`
			`assert.NoError(t, err)`
			`_, err = proxy.NewKey("enabled", "false")`
			`assert.NoError(t, err)`
			`_, err = proxy.NewKey("enable_login_token", "false")`
			`assert.NoError(t, err)`

RBAC: Rewrite admin api test setup to not use mocked access control (#61741) * RBAC: Rewrite admin api test setup to not use mocked access control 2023-01-19 18:36:44 +08:00			`for _, tt := range tests {`
			`t.Run(tt.desc, func(t *testing.T) {`
			`server := SetupAPITestServer(t, func(hs *HTTPServer) {`
			`hs.Cfg = cfg`
			`hs.SettingsProvider = setting.ProvideProvider(hs.Cfg)`
			`})`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 23:36:48 +08:00
RBAC: Rewrite admin api test setup to not use mocked access control (#61741) * RBAC: Rewrite admin api test setup to not use mocked access control 2023-01-19 18:36:44 +08:00			`res, err := server.Send(webtest.RequestWithSignedInUser(server.NewGetRequest("/api/admin/settings"), userWithPermissions(1, tt.permissions)))`
			`require.NoError(t, err)`
			`assert.Equal(t, tt.expectedCode, res.StatusCode)`
			`body, err := io.ReadAll(res.Body)`
			`require.NoError(t, err)`
			`assert.Equal(t, tt.expectedBody, string(body))`
			`require.NoError(t, res.Body.Close())`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 23:36:48 +08:00			`})`
			`}`
			`}`

			`func TestAdmin_AccessControl(t *testing.T) {`
RBAC: Rewrite admin api test setup to not use mocked access control (#61741) * RBAC: Rewrite admin api test setup to not use mocked access control 2023-01-19 18:36:44 +08:00			`type testCase struct {`
			`desc string`
			`url string`
			`permissions []accesscontrol.Permission`
			`expectedCode int`
			`}`

			`tests := []testCase{`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 23:36:48 +08:00			`{`
			`expectedCode: http.StatusOK,`
			`desc: "AdminGetStats should return 200 for user with correct permissions",`
			`url: "/api/admin/stats",`
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions 2022-06-14 16:17:48 +08:00			`permissions: []accesscontrol.Permission{`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 23:36:48 +08:00			`{`
			`Action: accesscontrol.ActionServerStatsRead,`
			`},`
			`},`
			`},`
			`{`
			`expectedCode: http.StatusForbidden,`
			`desc: "AdminGetStats should return 403 for user without required permissions",`
			`url: "/api/admin/stats",`
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions 2022-06-14 16:17:48 +08:00			`permissions: []accesscontrol.Permission{`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 23:36:48 +08:00			`{`
			`Action: "wrong",`
			`},`
			`},`
			`},`
			`{`
			`expectedCode: http.StatusOK,`
			`desc: "AdminGetSettings should return 200 for user with correct permissions",`
			`url: "/api/admin/settings",`
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions 2022-06-14 16:17:48 +08:00			`permissions: []accesscontrol.Permission{`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 23:36:48 +08:00			`{`
			`Action: accesscontrol.ActionSettingsRead,`
			`},`
			`},`
			`},`
			`{`
			`expectedCode: http.StatusForbidden,`
			`desc: "AdminGetSettings should return 403 for user without required permissions",`
			`url: "/api/admin/settings",`
RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions 2022-06-14 16:17:48 +08:00			`permissions: []accesscontrol.Permission{`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 23:36:48 +08:00			`{`
			`Action: "wrong",`
			`},`
			`},`
			`},`
			`}`

RBAC: Rewrite admin api test setup to not use mocked access control (#61741) * RBAC: Rewrite admin api test setup to not use mocked access control 2023-01-19 18:36:44 +08:00			`for _, tt := range tests {`
			`t.Run(tt.desc, func(t *testing.T) {`
			`server := SetupAPITestServer(t, func(hs *HTTPServer) {`
			`hs.Cfg = setting.NewCfg()`
			`hs.SQLStore = dbtest.NewFakeDB()`
			`hs.SettingsProvider = &setting.OSSImpl{Cfg: hs.Cfg}`
			`hs.statsService = statstest.NewFakeService()`
			`})`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 23:36:48 +08:00
RBAC: Rewrite admin api test setup to not use mocked access control (#61741) * RBAC: Rewrite admin api test setup to not use mocked access control 2023-01-19 18:36:44 +08:00			`res, err := server.Send(webtest.RequestWithSignedInUser(server.NewGetRequest(tt.url), userWithPermissions(1, tt.permissions)))`
			`require.NoError(t, err)`
			`assert.Equal(t, tt.expectedCode, res.StatusCode)`
			`require.NoError(t, res.Body.Close())`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 23:36:48 +08:00			`})`
			`}`
			`}`