root
/
grafana
mirror of https://github.com/grafana/grafana.git
1
0
Fork 0
Code Issues Actions 266 Packages Projects Releases Wiki Activity
grafana/pkg/api/team_test.go

455 lines
18 KiB
Go
Raw Normal View History

WIP: add user group search
2017-04-10 07:24:16 +08:00
package api
import (
AccessControl: Implement teams resource service (#43951) * AccessControl: cover team permissions Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Add background service as a consumer to resource_services Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Define actions in roles.go Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Remove action from accesscontrol model Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * As suggested by kalle * move some changes from branch to the skeleton PR * Add background service as a consumer to resource_services Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * moving resourceservice to the main wire file pt2 * move team related actions so that they can be reused * PR feedback * fix * typo * Access Control: adding hooks for team member endpoints (#43991) * AccessControl: cover team permissions Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Add background service as a consumer to resource_services Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Define actions in roles.go Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Remove action from accesscontrol model Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * As suggested by kalle * add access control to list and add team member endpoint, and hooks for adding team members * member permission type is 0 * add ID scope for team permission checks * add more team actions, use Member for member permission name * protect team member update endpoint with FGAC permissions * update SQL functions for teams and the corresponding tests * also protect team member removal endpoint with FGAC permissions and add a hook to permission service * a few small fixes, provide team permission service to test setup * AccessControl: cover team permissions Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Add background service as a consumer to resource_services Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Define actions in roles.go Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Remove action from accesscontrol model Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * As suggested by kalle * move some changes from branch to the skeleton PR * remove resource services from wireexts * remove unneeded actions * linting fix * remove comments * feedback fixes * feedback * simplifying * remove team member within the same transaction * fix a mistake with the error * call the correct sql fction * linting * Access control: tests for team member endpoints (#44177) * tests for team member endpoints * clean up and fix the tests * fixing tests take 2 * don't import enterprise test license * don't import enterprise test license * remove unused variable Co-authored-by: gamab <gabi.mabs@gmail.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
2022-01-26 22:48:41 +08:00
"context"
Chore: Remove bus from team (#44218) * Remove bus from team * Fix api team test * Remove bus from team members
2022-01-24 18:52:35 +08:00
"encoding/json"
Access control: permissions for team creation (#43506) * FGAC for team creation * tests * fix snapshot for UI tests * linting * update snapshots * Remove unecessary class and update tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Make the condition slightly easier Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-01-11 01:05:53 +08:00
"fmt"
"net/http"
"strings"
WIP: add user group search
2017-04-10 07:24:16 +08:00
"testing"
Logging: Unify logging fakes (#48822)
2022-05-06 23:44:22 +08:00
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
chore: remove sqlstore & mockstore dependencies from (most) packages (#57087) * chore: add alias for InitTestDB and Session Adds an alias for the sqlstore InitTestDB and Session, and updates tests using these to reduce dependencies on the sqlstore.Store. * next pass of removing sqlstore imports * last little bit * remove mockstore where possible
2022-10-19 21:02:15 +08:00
"github.com/grafana/grafana/pkg/infra/db"
Chore: Remove mockstore and use dbtest instead (#61629) * remove mockstore and use dbtest instead * fix wire * remove unused expected fields * fix more tests in alerting * fix api tests
2023-01-18 23:01:25 +08:00
"github.com/grafana/grafana/pkg/infra/db/dbtest"
RBAC: Enable rbac when creating new settings (#53531) * Settings: Set RBACEnabled to true by default * Remove accessControlEnabledFlag and explicitly set to false when needed * Disable rbac for tests
2022-08-11 21:37:31 +08:00
"github.com/grafana/grafana/pkg/infra/log/logtest"
Access control: permissions for team creation (#43506) * FGAC for team creation * tests * fix snapshot for UI tests * linting * update snapshots * Remove unecessary class and update tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Make the condition slightly easier Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-01-11 01:05:53 +08:00
"github.com/grafana/grafana/pkg/services/accesscontrol"
Access Control: Clear user's permission cache after resource creation (#59101) * refresh user's permission cache after resource creation * clear the cache instead of reloading the permissions * don't error if can't clear cache * fix tests * fix tests again
2022-11-24 22:38:55 +08:00
"github.com/grafana/grafana/pkg/services/accesscontrol/acimpl"
"github.com/grafana/grafana/pkg/services/accesscontrol/actest"
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
"github.com/grafana/grafana/pkg/services/org"
Implement preference service (#47870) * Implement preference service * Adjust wire.go * Fix integration test user * Fix api pref tests * Fix a11y error Co-authored-by: Alexandra Vargas <alexa1866@gmail.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2022-04-21 21:03:17 +08:00
pref "github.com/grafana/grafana/pkg/services/preference"
"github.com/grafana/grafana/pkg/services/preference/preftest"
Chore: Move team models to models pkg (#61262) * Chore: Move team models to models pkg * Fix ACL tests * More ACL tests * Change Id to ID in conflict user command test * Remove team from models * Fix ac test lint
2023-01-11 21:20:09 +08:00
"github.com/grafana/grafana/pkg/services/team"
Chore: Switch over to team.Service instead of sqlstore (#55497) * switch to using team service * trying to fix tests * more tests to fix * add missing teamtest package
2022-09-21 00:58:04 +08:00
"github.com/grafana/grafana/pkg/services/team/teamimpl"
"github.com/grafana/grafana/pkg/services/team/teamtest"
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
"github.com/grafana/grafana/pkg/services/user"
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go
2021-10-11 20:30:59 +08:00
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/web"
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
"github.com/grafana/grafana/pkg/web/webtest"
WIP: add user group search
2017-04-10 07:24:16 +08:00
)
Chore: Convert API tests to standard Go lib (#29009) * Chore: Convert tests to standard Go lib Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
2020-11-13 16:52:38 +08:00
func TestTeamAPIEndpoint(t *testing.T) {
t.Run("Given two teams", func(t *testing.T) {
FeatureFlags: define features outside settings.Cfg (take 3) (#44443)
2022-01-27 01:44:20 +08:00
hs := setupSimpleHTTPServer(nil)
Security: Sync security changes on main (#45083) * * Teams: Appropriately apply user id filter in /api/teams/:id and /api/teams/search * Teams: Ensure that users searching for teams are only able see teams they have access to * Teams: Require teamGuardian admin privileges to list team members * Teams: Prevent org viewers from administering teams * Teams: Add org_id condition to team count query * Teams: clarify permission requirements in teams api docs * Teams: expand scenarios for team search tests * Teams: mock teamGuardian in tests Co-authored-by: Dan Cech <dcech@grafana.com> * remove duplicate WHERE statement * Fix for CVE-2022-21702 (cherry picked from commit 202d7c190082c094bc1dc13f7fe9464746c37f9e) * Lint and test fixes (cherry picked from commit 3e6b67d5504abf4a1d7b8d621f04d062c048e981) * check content type properly (cherry picked from commit 70b4458892bf2f776302720c10d24c9ff34edd98) * basic csrf origin check (cherry picked from commit 3adaa5ff39832364f6390881fb5b42ad47df92e1) * compare origin to host (cherry picked from commit 5443892699e8ed42836bb2b9a44744ff3e970f42) * simplify url parsing (cherry picked from commit b2ffbc9513fed75468628370a48b929d30af2b1d) * check csrf for GET requests, only compare origin (cherry picked from commit 8b81dc12d8f8a1f07852809c5b4d44f0f0b1d709) * parse content type properly (cherry picked from commit 16f76f4902e6f2188bea9606c68b551af186bdc0) * mentioned get in the comment (cherry picked from commit a7e61811ef8ae558ce721e2e3fed04ce7a5a5345) * add content-type: application/json to test HTTP requests * fix pluginproxy test * Fix linter when comparing errors Co-authored-by: Kevin Minehart <kmineh0151@gmail.com> Co-authored-by: Dan Cech <dcech@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Serge Zaitsev <serge.zaitsev@grafana.com> Co-authored-by: Vardan Torosyan <vardants@gmail.com>
2022-02-09 20:44:38 +08:00
hs.Cfg.EditorsCanAdmin = true
chore: remove sqlstore & mockstore dependencies from (most) packages (#57087) * chore: add alias for InitTestDB and Session Adds an alias for the sqlstore InitTestDB and Session, and updates tests using these to reduce dependencies on the sqlstore.Store. * next pass of removing sqlstore imports * last little bit * remove mockstore where possible
2022-10-19 21:02:15 +08:00
store := db.InitTestDB(t)
AccessControl: SQL filters for team search (#44557) * AccessControl: SQL filters for team search Set test config * Remove userIdFilter when FGAC is on
2022-02-09 23:17:31 +08:00
store.Cfg = hs.Cfg
Chore: Move team store implementation to a separate package (#55514) * Chore: move team store implementation to a separate package * trying to fix more tests * fix tests in service accounts and access control * fix common tests * restore commented out test * add todos
2022-09-23 01:16:21 +08:00
hs.teamService = teamimpl.ProvideService(store, hs.Cfg)
AccessControl: SQL filters for team search (#44557) * AccessControl: SQL filters for team search Set test config * Remove userIdFilter when FGAC is on
2022-02-09 23:17:31 +08:00
hs.SQLStore = store
Chore: Remove mockstore and use dbtest instead (#61629) * remove mockstore and use dbtest instead * fix wire * remove unused expected fields * fix more tests in alerting * fix api tests
2023-01-18 23:01:25 +08:00
mock := dbtest.NewFakeDB()
AccessControl: SQL filters for team search (#44557) * AccessControl: SQL filters for team search Set test config * Remove userIdFilter when FGAC is on
2022-02-09 23:17:31 +08:00
Team access changes for editors when editorsCanAdmin is enabled (#45405) * filter teams for editors to only show the teams that they are members of * frontend changes to only allow clicking on teams that the user can edit * update frontend test snapshots * extend docs * reword * remove the comment for now * Update backend tests * reword the warning, and add it back in * docs feedback Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-02-16 01:09:03 +08:00
loggedInUserScenarioWithRole(t, "When admin is calling GET on", "GET", "/api/teams/search", "/api/teams/search",
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
org.RoleAdmin, func(sc *scenarioContext) {
Chore: Switch over to team.Service instead of sqlstore (#55497) * switch to using team service * trying to fix tests * more tests to fix * add missing teamtest package
2022-09-21 00:58:04 +08:00
_, err := hs.teamService.CreateTeam("team1", "", 1)
Team access changes for editors when editorsCanAdmin is enabled (#45405) * filter teams for editors to only show the teams that they are members of * frontend changes to only allow clicking on teams that the user can edit * update frontend test snapshots * extend docs * reword * remove the comment for now * Update backend tests * reword the warning, and add it back in * docs feedback Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-02-16 01:09:03 +08:00
require.NoError(t, err)
Chore: Switch over to team.Service instead of sqlstore (#55497) * switch to using team service * trying to fix tests * more tests to fix * add missing teamtest package
2022-09-21 00:58:04 +08:00
_, err = hs.teamService.CreateTeam("team2", "", 1)
Team access changes for editors when editorsCanAdmin is enabled (#45405) * filter teams for editors to only show the teams that they are members of * frontend changes to only allow clicking on teams that the user can edit * update frontend test snapshots * extend docs * reword * remove the comment for now * Update backend tests * reword the warning, and add it back in * docs feedback Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-02-16 01:09:03 +08:00
require.NoError(t, err)
sc.handlerFunc = hs.SearchTeams
sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
require.Equal(t, http.StatusOK, sc.resp.Code)
Chore: Move team models to models pkg (#61262) * Chore: Move team models to models pkg * Fix ACL tests * More ACL tests * Change Id to ID in conflict user command test * Remove team from models * Fix ac test lint
2023-01-11 21:20:09 +08:00
var resp team.SearchTeamQueryResult
Team access changes for editors when editorsCanAdmin is enabled (#45405) * filter teams for editors to only show the teams that they are members of * frontend changes to only allow clicking on teams that the user can edit * update frontend test snapshots * extend docs * reword * remove the comment for now * Update backend tests * reword the warning, and add it back in * docs feedback Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-02-16 01:09:03 +08:00
err = json.Unmarshal(sc.resp.Body.Bytes(), &resp)
require.NoError(t, err)
assert.EqualValues(t, 2, resp.TotalCount)
assert.Equal(t, 2, len(resp.Teams))
}, mock)
loggedInUserScenario(t, "When editor (with editors_can_admin) is calling GET on", "/api/teams/search",
"/api/teams/search", func(sc *scenarioContext) {
Chore: Switch over to team.Service instead of sqlstore (#55497) * switch to using team service * trying to fix tests * more tests to fix * add missing teamtest package
2022-09-21 00:58:04 +08:00
team1, err := hs.teamService.CreateTeam("team1", "", 1)
Team access changes for editors when editorsCanAdmin is enabled (#45405) * filter teams for editors to only show the teams that they are members of * frontend changes to only allow clicking on teams that the user can edit * update frontend test snapshots * extend docs * reword * remove the comment for now * Update backend tests * reword the warning, and add it back in * docs feedback Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-02-16 01:09:03 +08:00
require.NoError(t, err)
Chore: Switch over to team.Service instead of sqlstore (#55497) * switch to using team service * trying to fix tests * more tests to fix * add missing teamtest package
2022-09-21 00:58:04 +08:00
_, err = hs.teamService.CreateTeam("team2", "", 1)
Team access changes for editors when editorsCanAdmin is enabled (#45405) * filter teams for editors to only show the teams that they are members of * frontend changes to only allow clicking on teams that the user can edit * update frontend test snapshots * extend docs * reword * remove the comment for now * Update backend tests * reword the warning, and add it back in * docs feedback Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-02-16 01:09:03 +08:00
require.NoError(t, err)
// Adding the test user to the teams in order for him to list them
Chore: Move team models to models pkg (#61262) * Chore: Move team models to models pkg * Fix ACL tests * More ACL tests * Change Id to ID in conflict user command test * Remove team from models * Fix ac test lint
2023-01-11 21:20:09 +08:00
err = hs.teamService.AddTeamMember(testUserID, testOrgID, team1.ID, false, 0)
Team access changes for editors when editorsCanAdmin is enabled (#45405) * filter teams for editors to only show the teams that they are members of * frontend changes to only allow clicking on teams that the user can edit * update frontend test snapshots * extend docs * reword * remove the comment for now * Update backend tests * reword the warning, and add it back in * docs feedback Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-02-16 01:09:03 +08:00
require.NoError(t, err)
sc.handlerFunc = hs.SearchTeams
sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
require.Equal(t, http.StatusOK, sc.resp.Code)
Chore: Move team models to models pkg (#61262) * Chore: Move team models to models pkg * Fix ACL tests * More ACL tests * Change Id to ID in conflict user command test * Remove team from models * Fix ac test lint
2023-01-11 21:20:09 +08:00
var resp team.SearchTeamQueryResult
Team access changes for editors when editorsCanAdmin is enabled (#45405) * filter teams for editors to only show the teams that they are members of * frontend changes to only allow clicking on teams that the user can edit * update frontend test snapshots * extend docs * reword * remove the comment for now * Update backend tests * reword the warning, and add it back in * docs feedback Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-02-16 01:09:03 +08:00
err = json.Unmarshal(sc.resp.Body.Bytes(), &resp)
require.NoError(t, err)
assert.EqualValues(t, 1, resp.TotalCount)
assert.Equal(t, 1, len(resp.Teams))
}, mock)
loggedInUserScenario(t, "When editor (with editors_can_admin) calling GET with pagination on",
"/api/teams/search", "/api/teams/search", func(sc *scenarioContext) {
Chore: Switch over to team.Service instead of sqlstore (#55497) * switch to using team service * trying to fix tests * more tests to fix * add missing teamtest package
2022-09-21 00:58:04 +08:00
team1, err := hs.teamService.CreateTeam("team1", "", 1)
Team access changes for editors when editorsCanAdmin is enabled (#45405) * filter teams for editors to only show the teams that they are members of * frontend changes to only allow clicking on teams that the user can edit * update frontend test snapshots * extend docs * reword * remove the comment for now * Update backend tests * reword the warning, and add it back in * docs feedback Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-02-16 01:09:03 +08:00
require.NoError(t, err)
Chore: Switch over to team.Service instead of sqlstore (#55497) * switch to using team service * trying to fix tests * more tests to fix * add missing teamtest package
2022-09-21 00:58:04 +08:00
team2, err := hs.teamService.CreateTeam("team2", "", 1)
Team access changes for editors when editorsCanAdmin is enabled (#45405) * filter teams for editors to only show the teams that they are members of * frontend changes to only allow clicking on teams that the user can edit * update frontend test snapshots * extend docs * reword * remove the comment for now * Update backend tests * reword the warning, and add it back in * docs feedback Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-02-16 01:09:03 +08:00
require.NoError(t, err)
// Adding the test user to the teams in order for him to list them
Chore: Move team models to models pkg (#61262) * Chore: Move team models to models pkg * Fix ACL tests * More ACL tests * Change Id to ID in conflict user command test * Remove team from models * Fix ac test lint
2023-01-11 21:20:09 +08:00
err = hs.teamService.AddTeamMember(testUserID, testOrgID, team1.ID, false, 0)
Team access changes for editors when editorsCanAdmin is enabled (#45405) * filter teams for editors to only show the teams that they are members of * frontend changes to only allow clicking on teams that the user can edit * update frontend test snapshots * extend docs * reword * remove the comment for now * Update backend tests * reword the warning, and add it back in * docs feedback Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-02-16 01:09:03 +08:00
require.NoError(t, err)
Chore: Move team models to models pkg (#61262) * Chore: Move team models to models pkg * Fix ACL tests * More ACL tests * Change Id to ID in conflict user command test * Remove team from models * Fix ac test lint
2023-01-11 21:20:09 +08:00
err = hs.teamService.AddTeamMember(testUserID, testOrgID, team2.ID, false, 0)
Team access changes for editors when editorsCanAdmin is enabled (#45405) * filter teams for editors to only show the teams that they are members of * frontend changes to only allow clicking on teams that the user can edit * update frontend test snapshots * extend docs * reword * remove the comment for now * Update backend tests * reword the warning, and add it back in * docs feedback Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-02-16 01:09:03 +08:00
require.NoError(t, err)
sc.handlerFunc = hs.SearchTeams
sc.fakeReqWithParams("GET", sc.url, map[string]string{"perpage": "10", "page": "2"}).exec()
require.Equal(t, http.StatusOK, sc.resp.Code)
Chore: Move team models to models pkg (#61262) * Chore: Move team models to models pkg * Fix ACL tests * More ACL tests * Change Id to ID in conflict user command test * Remove team from models * Fix ac test lint
2023-01-11 21:20:09 +08:00
var resp team.SearchTeamQueryResult
Team access changes for editors when editorsCanAdmin is enabled (#45405) * filter teams for editors to only show the teams that they are members of * frontend changes to only allow clicking on teams that the user can edit * update frontend test snapshots * extend docs * reword * remove the comment for now * Update backend tests * reword the warning, and add it back in * docs feedback Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-02-16 01:09:03 +08:00
err = json.Unmarshal(sc.resp.Body.Bytes(), &resp)
require.NoError(t, err)
assert.EqualValues(t, 2, resp.TotalCount)
assert.Equal(t, 0, len(resp.Teams))
}, mock)
WIP: add user group search
2017-04-10 07:24:16 +08:00
})
API: Minor fix for team creation endpoint when using API key (#18252) * Fix CreateTeam api endpoint No team member should be created for requests authenticated by API tokens. * Update middleware test Assert that `isAnonymous` is set for `SignedInUser` authenticated via API key. * Add test for team creation Assert that no team member is created if the signed in user is anomymous. * Revert "Fix CreateTeam api endpoint" This reverts commit 9fcc4e67f589008d7c44097f5cf08438c09c3c05. * Revert "Update middleware test" This reverts commit 75f767e58d212e21a351efea14bed79bbf881d2e. * Fix CreateTeam api endpoint No team member should be created for requests authenticated by API tokens. * Update team test * Change error to warning and update tests
2019-08-08 16:27:47 +08:00
Chore: Convert API tests to standard Go lib (#29009) * Chore: Convert tests to standard Go lib Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
2020-11-13 16:52:38 +08:00
t.Run("When creating team with API key", func(t *testing.T) {
FeatureFlags: define features outside settings.Cfg (take 3) (#44443)
2022-01-27 01:44:20 +08:00
hs := setupSimpleHTTPServer(nil)
API: Minor fix for team creation endpoint when using API key (#18252) * Fix CreateTeam api endpoint No team member should be created for requests authenticated by API tokens. * Update middleware test Assert that `isAnonymous` is set for `SignedInUser` authenticated via API key. * Add test for team creation Assert that no team member is created if the signed in user is anomymous. * Revert "Fix CreateTeam api endpoint" This reverts commit 9fcc4e67f589008d7c44097f5cf08438c09c3c05. * Revert "Update middleware test" This reverts commit 75f767e58d212e21a351efea14bed79bbf881d2e. * Fix CreateTeam api endpoint No team member should be created for requests authenticated by API tokens. * Update team test * Change error to warning and update tests
2019-08-08 16:27:47 +08:00
hs.Cfg.EditorsCanAdmin = true
Chore: Remove mockstore and use dbtest instead (#61629) * remove mockstore and use dbtest instead * fix wire * remove unused expected fields * fix more tests in alerting * fix api tests
2023-01-18 23:01:25 +08:00
hs.SQLStore = dbtest.NewFakeDB()
Chore: Switch over to team.Service instead of sqlstore (#55497) * switch to using team service * trying to fix tests * more tests to fix * add missing teamtest package
2022-09-21 00:58:04 +08:00
hs.teamService = &teamtest.FakeService{}
API: Minor fix for team creation endpoint when using API key (#18252) * Fix CreateTeam api endpoint No team member should be created for requests authenticated by API tokens. * Update middleware test Assert that `isAnonymous` is set for `SignedInUser` authenticated via API key. * Add test for team creation Assert that no team member is created if the signed in user is anomymous. * Revert "Fix CreateTeam api endpoint" This reverts commit 9fcc4e67f589008d7c44097f5cf08438c09c3c05. * Revert "Update middleware test" This reverts commit 75f767e58d212e21a351efea14bed79bbf881d2e. * Fix CreateTeam api endpoint No team member should be created for requests authenticated by API tokens. * Update team test * Change error to warning and update tests
2019-08-08 16:27:47 +08:00
teamName := "team foo"
addTeamMemberCalled := 0
AccessControl: Create own interface and impl for each permission service (#48871) * Create own interfaces for team, folder, dashboard and data source permissions services * Remove service container and inject them individually
2022-05-10 21:48:47 +08:00
addOrUpdateTeamMember = func(ctx context.Context, resourcePermissionService accesscontrol.TeamPermissionsService, userID, orgID, teamID int64,
AccessControl: Implement teams resource service (#43951) * AccessControl: cover team permissions Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Add background service as a consumer to resource_services Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Define actions in roles.go Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Remove action from accesscontrol model Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * As suggested by kalle * move some changes from branch to the skeleton PR * Add background service as a consumer to resource_services Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * moving resourceservice to the main wire file pt2 * move team related actions so that they can be reused * PR feedback * fix * typo * Access Control: adding hooks for team member endpoints (#43991) * AccessControl: cover team permissions Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Add background service as a consumer to resource_services Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Define actions in roles.go Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Remove action from accesscontrol model Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * As suggested by kalle * add access control to list and add team member endpoint, and hooks for adding team members * member permission type is 0 * add ID scope for team permission checks * add more team actions, use Member for member permission name * protect team member update endpoint with FGAC permissions * update SQL functions for teams and the corresponding tests * also protect team member removal endpoint with FGAC permissions and add a hook to permission service * a few small fixes, provide team permission service to test setup * AccessControl: cover team permissions Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Add background service as a consumer to resource_services Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Define actions in roles.go Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Remove action from accesscontrol model Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * As suggested by kalle * move some changes from branch to the skeleton PR * remove resource services from wireexts * remove unneeded actions * linting fix * remove comments * feedback fixes * feedback * simplifying * remove team member within the same transaction * fix a mistake with the error * call the correct sql fction * linting * Access control: tests for team member endpoints (#44177) * tests for team member endpoints * clean up and fix the tests * fixing tests take 2 * don't import enterprise test license * don't import enterprise test license * remove unused variable Co-authored-by: gamab <gabi.mabs@gmail.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
2022-01-26 22:48:41 +08:00
permission string) error {
PluginManager: Make Plugins, Renderer and DataSources non-global (#31866) * PluginManager: Make Plugins and DataSources non-global Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix integration tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Replace outdated command Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * DashboardService: Ensure it gets constructed with necessary parameters Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix build Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * DashboardService: Ensure it gets constructed with necessary parameters Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Remove dead code Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix test Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix test Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Remove FocusConvey Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix test Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Remove dead code Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Undo interface changes Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Backend: Move tsdbifaces.RequestHandler to plugins.DataRequestHandler Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Rename to DataSourceCount Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Consolidate dashboard interfaces into one Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix test Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix dashboard integration tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-03-17 23:06:10 +08:00
addTeamMemberCalled++
API: Minor fix for team creation endpoint when using API key (#18252) * Fix CreateTeam api endpoint No team member should be created for requests authenticated by API tokens. * Update middleware test Assert that `isAnonymous` is set for `SignedInUser` authenticated via API key. * Add test for team creation Assert that no team member is created if the signed in user is anomymous. * Revert "Fix CreateTeam api endpoint" This reverts commit 9fcc4e67f589008d7c44097f5cf08438c09c3c05. * Revert "Update middleware test" This reverts commit 75f767e58d212e21a351efea14bed79bbf881d2e. * Fix CreateTeam api endpoint No team member should be created for requests authenticated by API tokens. * Update team test * Change error to warning and update tests
2019-08-08 16:27:47 +08:00
return nil
PluginManager: Make Plugins, Renderer and DataSources non-global (#31866) * PluginManager: Make Plugins and DataSources non-global Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix integration tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Replace outdated command Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * DashboardService: Ensure it gets constructed with necessary parameters Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix build Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * DashboardService: Ensure it gets constructed with necessary parameters Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Remove dead code Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix test Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix test Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Remove FocusConvey Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix test Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Remove dead code Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Undo interface changes Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Backend: Move tsdbifaces.RequestHandler to plugins.DataRequestHandler Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Rename to DataSourceCount Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Consolidate dashboard interfaces into one Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix test Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix dashboard integration tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-03-17 23:06:10 +08:00
}
API: Minor fix for team creation endpoint when using API key (#18252) * Fix CreateTeam api endpoint No team member should be created for requests authenticated by API tokens. * Update middleware test Assert that `isAnonymous` is set for `SignedInUser` authenticated via API key. * Add test for team creation Assert that no team member is created if the signed in user is anomymous. * Revert "Fix CreateTeam api endpoint" This reverts commit 9fcc4e67f589008d7c44097f5cf08438c09c3c05. * Revert "Update middleware test" This reverts commit 75f767e58d212e21a351efea14bed79bbf881d2e. * Fix CreateTeam api endpoint No team member should be created for requests authenticated by API tokens. * Update team test * Change error to warning and update tests
2019-08-08 16:27:47 +08:00
PluginManager: Make Plugins, Renderer and DataSources non-global (#31866) * PluginManager: Make Plugins and DataSources non-global Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix integration tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Replace outdated command Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * DashboardService: Ensure it gets constructed with necessary parameters Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix build Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * DashboardService: Ensure it gets constructed with necessary parameters Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Remove dead code Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix test Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix test Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Remove FocusConvey Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix test Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Remove dead code Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Undo interface changes Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Backend: Move tsdbifaces.RequestHandler to plugins.DataRequestHandler Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Rename to DataSourceCount Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Consolidate dashboard interfaces into one Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix test Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix dashboard integration tests Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-03-17 23:06:10 +08:00
req, err := http.NewRequest("POST", "/api/teams", nil)
require.NoError(t, err)
API: Minor fix for team creation endpoint when using API key (#18252) * Fix CreateTeam api endpoint No team member should be created for requests authenticated by API tokens. * Update middleware test Assert that `isAnonymous` is set for `SignedInUser` authenticated via API key. * Add test for team creation Assert that no team member is created if the signed in user is anomymous. * Revert "Fix CreateTeam api endpoint" This reverts commit 9fcc4e67f589008d7c44097f5cf08438c09c3c05. * Revert "Update middleware test" This reverts commit 75f767e58d212e21a351efea14bed79bbf881d2e. * Fix CreateTeam api endpoint No team member should be created for requests authenticated by API tokens. * Update team test * Change error to warning and update tests
2019-08-08 16:27:47 +08:00
t.Run("with no real signed in user", func(t *testing.T) {
Logging: Unify logging fakes (#48822)
2022-05-06 23:44:22 +08:00
logger := &logtest.Fake{}
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
c := &contextmodel.ReqContext{
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go
2021-10-11 20:30:59 +08:00
Context: &web.Context{Req: req},
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
SignedInUser: &user.SignedInUser{},
Logging: Unify logging fakes (#48822)
2022-05-06 23:44:22 +08:00
Logger: logger,
API: Minor fix for team creation endpoint when using API key (#18252) * Fix CreateTeam api endpoint No team member should be created for requests authenticated by API tokens. * Update middleware test Assert that `isAnonymous` is set for `SignedInUser` authenticated via API key. * Add test for team creation Assert that no team member is created if the signed in user is anomymous. * Revert "Fix CreateTeam api endpoint" This reverts commit 9fcc4e67f589008d7c44097f5cf08438c09c3c05. * Revert "Update middleware test" This reverts commit 75f767e58d212e21a351efea14bed79bbf881d2e. * Fix CreateTeam api endpoint No team member should be created for requests authenticated by API tokens. * Update team test * Change error to warning and update tests
2019-08-08 16:27:47 +08:00
}
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
c.OrgRole = org.RoleEditor
Chore: Move team models to models pkg (#61262) * Chore: Move team models to models pkg * Fix ACL tests * More ACL tests * Change Id to ID in conflict user command test * Remove team from models * Fix ac test lint
2023-01-11 21:20:09 +08:00
c.Req.Body = mockRequestBody(team.CreateTeamCommand{Name: teamName})
Security: Sync security changes on main (#45083) * * Teams: Appropriately apply user id filter in /api/teams/:id and /api/teams/search * Teams: Ensure that users searching for teams are only able see teams they have access to * Teams: Require teamGuardian admin privileges to list team members * Teams: Prevent org viewers from administering teams * Teams: Add org_id condition to team count query * Teams: clarify permission requirements in teams api docs * Teams: expand scenarios for team search tests * Teams: mock teamGuardian in tests Co-authored-by: Dan Cech <dcech@grafana.com> * remove duplicate WHERE statement * Fix for CVE-2022-21702 (cherry picked from commit 202d7c190082c094bc1dc13f7fe9464746c37f9e) * Lint and test fixes (cherry picked from commit 3e6b67d5504abf4a1d7b8d621f04d062c048e981) * check content type properly (cherry picked from commit 70b4458892bf2f776302720c10d24c9ff34edd98) * basic csrf origin check (cherry picked from commit 3adaa5ff39832364f6390881fb5b42ad47df92e1) * compare origin to host (cherry picked from commit 5443892699e8ed42836bb2b9a44744ff3e970f42) * simplify url parsing (cherry picked from commit b2ffbc9513fed75468628370a48b929d30af2b1d) * check csrf for GET requests, only compare origin (cherry picked from commit 8b81dc12d8f8a1f07852809c5b4d44f0f0b1d709) * parse content type properly (cherry picked from commit 16f76f4902e6f2188bea9606c68b551af186bdc0) * mentioned get in the comment (cherry picked from commit a7e61811ef8ae558ce721e2e3fed04ce7a5a5345) * add content-type: application/json to test HTTP requests * fix pluginproxy test * Fix linter when comparing errors Co-authored-by: Kevin Minehart <kmineh0151@gmail.com> Co-authored-by: Dan Cech <dcech@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Serge Zaitsev <serge.zaitsev@grafana.com> Co-authored-by: Vardan Torosyan <vardants@gmail.com>
2022-02-09 20:44:38 +08:00
c.Req.Header.Add("Content-Type", "application/json")
Remove bus from quota, preferences, plugins, user_token (#44762) * Remove bus from quota, preferences, plugins, user_token * Bind sqlstore.Store to *sqlstore.SQLStore * Fix test * Fix sqlstore wire injection, dependency
2022-02-03 16:20:20 +08:00
r := hs.CreateTeam(c)
assert.Equal(t, 200, r.Status())
Logging: Unify logging fakes (#48822)
2022-05-06 23:44:22 +08:00
assert.NotZero(t, logger.WarnLogs.Calls)
assert.Equal(t, "Could not add creator to team because is not a real user", logger.WarnLogs.Message)
API: Minor fix for team creation endpoint when using API key (#18252) * Fix CreateTeam api endpoint No team member should be created for requests authenticated by API tokens. * Update middleware test Assert that `isAnonymous` is set for `SignedInUser` authenticated via API key. * Add test for team creation Assert that no team member is created if the signed in user is anomymous. * Revert "Fix CreateTeam api endpoint" This reverts commit 9fcc4e67f589008d7c44097f5cf08438c09c3c05. * Revert "Update middleware test" This reverts commit 75f767e58d212e21a351efea14bed79bbf881d2e. * Fix CreateTeam api endpoint No team member should be created for requests authenticated by API tokens. * Update team test * Change error to warning and update tests
2019-08-08 16:27:47 +08:00
})
t.Run("with real signed in user", func(t *testing.T) {
Logging: Unify logging fakes (#48822)
2022-05-06 23:44:22 +08:00
logger := &logtest.Fake{}
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
c := &contextmodel.ReqContext{
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go
2021-10-11 20:30:59 +08:00
Context: &web.Context{Req: req},
Chore: Add user service method SetUsingOrg and GetSignedInUserWithCacheCtx (#53343) * Chore: Add user service method SetUsingOrg * Chore: Add user service method GetSignedInUserWithCacheCtx * Use method GetSignedInUserWithCacheCtx from user service * Fix lint after rebase * Fix lint * Fix lint error * roll back some changes * Roll back changes in api and middleware * Add xorm tags to SignedInUser ID fields
2022-08-11 19:28:55 +08:00
SignedInUser: &user.SignedInUser{UserID: 42},
Logging: Unify logging fakes (#48822)
2022-05-06 23:44:22 +08:00
Logger: logger,
API: Minor fix for team creation endpoint when using API key (#18252) * Fix CreateTeam api endpoint No team member should be created for requests authenticated by API tokens. * Update middleware test Assert that `isAnonymous` is set for `SignedInUser` authenticated via API key. * Add test for team creation Assert that no team member is created if the signed in user is anomymous. * Revert "Fix CreateTeam api endpoint" This reverts commit 9fcc4e67f589008d7c44097f5cf08438c09c3c05. * Revert "Update middleware test" This reverts commit 75f767e58d212e21a351efea14bed79bbf881d2e. * Fix CreateTeam api endpoint No team member should be created for requests authenticated by API tokens. * Update team test * Change error to warning and update tests
2019-08-08 16:27:47 +08:00
}
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
c.OrgRole = org.RoleEditor
Chore: Move team models to models pkg (#61262) * Chore: Move team models to models pkg * Fix ACL tests * More ACL tests * Change Id to ID in conflict user command test * Remove team from models * Fix ac test lint
2023-01-11 21:20:09 +08:00
c.Req.Body = mockRequestBody(team.CreateTeamCommand{Name: teamName})
Security: Sync security changes on main (#45083) * * Teams: Appropriately apply user id filter in /api/teams/:id and /api/teams/search * Teams: Ensure that users searching for teams are only able see teams they have access to * Teams: Require teamGuardian admin privileges to list team members * Teams: Prevent org viewers from administering teams * Teams: Add org_id condition to team count query * Teams: clarify permission requirements in teams api docs * Teams: expand scenarios for team search tests * Teams: mock teamGuardian in tests Co-authored-by: Dan Cech <dcech@grafana.com> * remove duplicate WHERE statement * Fix for CVE-2022-21702 (cherry picked from commit 202d7c190082c094bc1dc13f7fe9464746c37f9e) * Lint and test fixes (cherry picked from commit 3e6b67d5504abf4a1d7b8d621f04d062c048e981) * check content type properly (cherry picked from commit 70b4458892bf2f776302720c10d24c9ff34edd98) * basic csrf origin check (cherry picked from commit 3adaa5ff39832364f6390881fb5b42ad47df92e1) * compare origin to host (cherry picked from commit 5443892699e8ed42836bb2b9a44744ff3e970f42) * simplify url parsing (cherry picked from commit b2ffbc9513fed75468628370a48b929d30af2b1d) * check csrf for GET requests, only compare origin (cherry picked from commit 8b81dc12d8f8a1f07852809c5b4d44f0f0b1d709) * parse content type properly (cherry picked from commit 16f76f4902e6f2188bea9606c68b551af186bdc0) * mentioned get in the comment (cherry picked from commit a7e61811ef8ae558ce721e2e3fed04ce7a5a5345) * add content-type: application/json to test HTTP requests * fix pluginproxy test * Fix linter when comparing errors Co-authored-by: Kevin Minehart <kmineh0151@gmail.com> Co-authored-by: Dan Cech <dcech@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Serge Zaitsev <serge.zaitsev@grafana.com> Co-authored-by: Vardan Torosyan <vardants@gmail.com>
2022-02-09 20:44:38 +08:00
c.Req.Header.Add("Content-Type", "application/json")
Remove bus from quota, preferences, plugins, user_token (#44762) * Remove bus from quota, preferences, plugins, user_token * Bind sqlstore.Store to *sqlstore.SQLStore * Fix test * Fix sqlstore wire injection, dependency
2022-02-03 16:20:20 +08:00
r := hs.CreateTeam(c)
assert.Equal(t, 200, r.Status())
Logging: Unify logging fakes (#48822)
2022-05-06 23:44:22 +08:00
assert.Zero(t, logger.WarnLogs.Calls)
API: Minor fix for team creation endpoint when using API key (#18252) * Fix CreateTeam api endpoint No team member should be created for requests authenticated by API tokens. * Update middleware test Assert that `isAnonymous` is set for `SignedInUser` authenticated via API key. * Add test for team creation Assert that no team member is created if the signed in user is anomymous. * Revert "Fix CreateTeam api endpoint" This reverts commit 9fcc4e67f589008d7c44097f5cf08438c09c3c05. * Revert "Update middleware test" This reverts commit 75f767e58d212e21a351efea14bed79bbf881d2e. * Fix CreateTeam api endpoint No team member should be created for requests authenticated by API tokens. * Update team test * Change error to warning and update tests
2019-08-08 16:27:47 +08:00
})
})
WIP: add user group search
2017-04-10 07:24:16 +08:00
}
Access control: permissions for team creation (#43506) * FGAC for team creation * tests * fix snapshot for UI tests * linting * update snapshots * Remove unecessary class and update tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Make the condition slightly easier Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-01-11 01:05:53 +08:00
AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2022-01-27 23:16:44 +08:00
const (
AccessControl: SQL filters for team search (#44557) * AccessControl: SQL filters for team search Set test config * Remove userIdFilter when FGAC is on
2022-02-09 23:17:31 +08:00
searchTeamsURL = "/api/teams/search"
AccessControl: Add AC to team preferences (#44554) * AccessControl: Add AC to team preferences * Apply suggestions from code review Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-01-28 19:17:54 +08:00
createTeamURL = "/api/teams/"
detailTeamURL = "/api/teams/%d"
detailTeamPreferenceURL = "/api/teams/%d/preferences"
teamCmd = `{"name": "MyTestTeam%d"}`
teamPreferenceCmd = `{"theme": "dark"}`
teamPreferenceCmdLight = `{"theme": "light"}`
Access control: permissions for team creation (#43506) * FGAC for team creation * tests * fix snapshot for UI tests * linting * update snapshots * Remove unecessary class and update tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Make the condition slightly easier Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-01-11 01:05:53 +08:00
)
func TestTeamAPIEndpoint_CreateTeam_LegacyAccessControl(t *testing.T) {
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
server := SetupAPITestServer(t, func(hs *HTTPServer) {
hs.teamService = teamtest.NewFakeService()
})
Access control: permissions for team creation (#43506) * FGAC for team creation * tests * fix snapshot for UI tests * linting * update snapshots * Remove unecessary class and update tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Make the condition slightly easier Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-01-11 01:05:53 +08:00
AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2022-01-27 23:16:44 +08:00
input := strings.NewReader(fmt.Sprintf(teamCmd, 1))
Access control: permissions for team creation (#43506) * FGAC for team creation * tests * fix snapshot for UI tests * linting * update snapshots * Remove unecessary class and update tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Make the condition slightly easier Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-01-11 01:05:53 +08:00
t.Run("Organisation admin can create a team", func(t *testing.T) {
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
req := server.NewPostRequest(createTeamURL, input)
req = webtest.RequestWithSignedInUser(req, &user.SignedInUser{OrgRole: org.RoleAdmin})
res, err := server.SendJSON(req)
require.NoError(t, err)
assert.Equal(t, http.StatusOK, res.StatusCode)
require.NoError(t, res.Body.Close())
Access control: permissions for team creation (#43506) * FGAC for team creation * tests * fix snapshot for UI tests * linting * update snapshots * Remove unecessary class and update tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Make the condition slightly easier Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-01-11 01:05:53 +08:00
})
AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2022-01-27 23:16:44 +08:00
input = strings.NewReader(fmt.Sprintf(teamCmd, 2))
Access control: permissions for team creation (#43506) * FGAC for team creation * tests * fix snapshot for UI tests * linting * update snapshots * Remove unecessary class and update tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Make the condition slightly easier Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-01-11 01:05:53 +08:00
t.Run("Org editor and server admin cannot create a team", func(t *testing.T) {
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
req := server.NewPostRequest(createTeamURL, input)
req = webtest.RequestWithSignedInUser(req, &user.SignedInUser{OrgRole: org.RoleEditor, IsGrafanaAdmin: true})
res, err := server.SendJSON(req)
require.NoError(t, err)
assert.Equal(t, http.StatusForbidden, res.StatusCode)
require.NoError(t, res.Body.Close())
Access control: permissions for team creation (#43506) * FGAC for team creation * tests * fix snapshot for UI tests * linting * update snapshots * Remove unecessary class and update tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Make the condition slightly easier Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-01-11 01:05:53 +08:00
})
}
func TestTeamAPIEndpoint_CreateTeam_LegacyAccessControl_EditorsCanAdmin(t *testing.T) {
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
server := SetupAPITestServer(t, func(hs *HTTPServer) {
cfg := setting.NewCfg()
cfg.RBACEnabled = false
cfg.EditorsCanAdmin = true
hs.Cfg = cfg
hs.teamService = teamtest.NewFakeService()
})
Access control: permissions for team creation (#43506) * FGAC for team creation * tests * fix snapshot for UI tests * linting * update snapshots * Remove unecessary class and update tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Make the condition slightly easier Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-01-11 01:05:53 +08:00
t.Run("Editors can create a team if editorsCanAdmin is set to true", func(t *testing.T) {
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
input := strings.NewReader(fmt.Sprintf(teamCmd, 1))
req := server.NewPostRequest(createTeamURL, input)
req = webtest.RequestWithSignedInUser(req, &user.SignedInUser{OrgRole: org.RoleAdmin})
res, err := server.SendJSON(req)
require.NoError(t, err)
assert.Equal(t, http.StatusOK, res.StatusCode)
require.NoError(t, res.Body.Close())
Access control: permissions for team creation (#43506) * FGAC for team creation * tests * fix snapshot for UI tests * linting * update snapshots * Remove unecessary class and update tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Make the condition slightly easier Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-01-11 01:05:53 +08:00
})
}
Rename FGAC to RBAC in the codebase (#48051)
2022-04-21 20:31:02 +08:00
func TestTeamAPIEndpoint_CreateTeam_RBAC(t *testing.T) {
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
server := SetupAPITestServer(t, func(hs *HTTPServer) {
hs.Cfg = setting.NewCfg()
hs.teamService = teamtest.NewFakeService()
Access Control: Clear user's permission cache after resource creation (#59101) * refresh user's permission cache after resource creation * clear the cache instead of reloading the permissions * don't error if can't clear cache * fix tests * fix tests again
2022-11-24 22:38:55 +08:00
hs.AccessControl = acimpl.ProvideAccessControl(setting.NewCfg())
hs.accesscontrolService = actest.FakeService{}
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
})
Access control: permissions for team creation (#43506) * FGAC for team creation * tests * fix snapshot for UI tests * linting * update snapshots * Remove unecessary class and update tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Make the condition slightly easier Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-01-11 01:05:53 +08:00
AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2022-01-27 23:16:44 +08:00
input := strings.NewReader(fmt.Sprintf(teamCmd, 1))
Access control: permissions for team creation (#43506) * FGAC for team creation * tests * fix snapshot for UI tests * linting * update snapshots * Remove unecessary class and update tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Make the condition slightly easier Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-01-11 01:05:53 +08:00
t.Run("Access control allows creating teams with the correct permissions", func(t *testing.T) {
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
req := server.NewPostRequest(createTeamURL, input)
req = webtest.RequestWithSignedInUser(req, userWithPermissions(1, []accesscontrol.Permission{{Action: accesscontrol.ActionTeamsCreate}}))
res, err := server.SendJSON(req)
require.NoError(t, err)
assert.Equal(t, http.StatusOK, res.StatusCode)
require.NoError(t, res.Body.Close())
Access control: permissions for team creation (#43506) * FGAC for team creation * tests * fix snapshot for UI tests * linting * update snapshots * Remove unecessary class and update tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Make the condition slightly easier Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-01-11 01:05:53 +08:00
})
AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2022-01-27 23:16:44 +08:00
input = strings.NewReader(fmt.Sprintf(teamCmd, 2))
Access control: permissions for team creation (#43506) * FGAC for team creation * tests * fix snapshot for UI tests * linting * update snapshots * Remove unecessary class and update tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Make the condition slightly easier Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-01-11 01:05:53 +08:00
t.Run("Access control prevents creating teams with the incorrect permissions", func(t *testing.T) {
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
req := server.NewPostRequest(createTeamURL, input)
req = webtest.RequestWithSignedInUser(req, userWithPermissions(1, []accesscontrol.Permission{}))
res, err := server.SendJSON(req)
require.NoError(t, err)
assert.Equal(t, http.StatusForbidden, res.StatusCode)
require.NoError(t, res.Body.Close())
Access control: permissions for team creation (#43506) * FGAC for team creation * tests * fix snapshot for UI tests * linting * update snapshots * Remove unecessary class and update tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Make the condition slightly easier Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
2022-01-11 01:05:53 +08:00
})
}
AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2022-01-27 23:16:44 +08:00
Rename FGAC to RBAC in the codebase (#48051)
2022-04-21 20:31:02 +08:00
func TestTeamAPIEndpoint_SearchTeams_RBAC(t *testing.T) {
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
server := SetupAPITestServer(t, func(hs *HTTPServer) {
hs.Cfg = setting.NewCfg()
hs.teamService = teamtest.NewFakeService()
AccessControl: SQL filters for team search (#44557) * AccessControl: SQL filters for team search Set test config * Remove userIdFilter when FGAC is on
2022-02-09 23:17:31 +08:00
})
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
t.Run("Access control prevents searching for teams with the incorrect permissions", func(t *testing.T) {
req := server.NewGetRequest(searchTeamsURL)
req = webtest.RequestWithSignedInUser(req, userWithPermissions(1, []accesscontrol.Permission{}))
res, err := server.Send(req)
AccessControl: SQL filters for team search (#44557) * AccessControl: SQL filters for team search Set test config * Remove userIdFilter when FGAC is on
2022-02-09 23:17:31 +08:00
require.NoError(t, err)
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
assert.Equal(t, http.StatusForbidden, res.StatusCode)
require.NoError(t, res.Body.Close())
AccessControl: SQL filters for team search (#44557) * AccessControl: SQL filters for team search Set test config * Remove userIdFilter when FGAC is on
2022-02-09 23:17:31 +08:00
})
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
t.Run("Access control allows searching for teams with the correct permissions", func(t *testing.T) {
req := server.NewGetRequest(searchTeamsURL)
req = webtest.RequestWithSignedInUser(req, userWithPermissions(1, []accesscontrol.Permission{
{Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll},
}))
res, err := server.Send(req)
AccessControl: SQL filters for team search (#44557) * AccessControl: SQL filters for team search Set test config * Remove userIdFilter when FGAC is on
2022-02-09 23:17:31 +08:00
require.NoError(t, err)
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
assert.Equal(t, http.StatusOK, res.StatusCode)
require.NoError(t, res.Body.Close())
AccessControl: SQL filters for team search (#44557) * AccessControl: SQL filters for team search Set test config * Remove userIdFilter when FGAC is on
2022-02-09 23:17:31 +08:00
})
}
Rename FGAC to RBAC in the codebase (#48051)
2022-04-21 20:31:02 +08:00
func TestTeamAPIEndpoint_GetTeamByID_RBAC(t *testing.T) {
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
server := SetupAPITestServer(t, func(hs *HTTPServer) {
hs.Cfg = setting.NewCfg()
Chore: Move team models to models pkg (#61262) * Chore: Move team models to models pkg * Fix ACL tests * More ACL tests * Change Id to ID in conflict user command test * Remove team from models * Fix ac test lint
2023-01-11 21:20:09 +08:00
hs.teamService = &teamtest.FakeService{ExpectedTeamDTO: &team.TeamDTO{}}
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
})
AccessControl: SQL filters for team search (#44557) * AccessControl: SQL filters for team search Set test config * Remove userIdFilter when FGAC is on
2022-02-09 23:17:31 +08:00
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
url := fmt.Sprintf(detailTeamURL, 1)
AccessControl: SQL filters for team search (#44557) * AccessControl: SQL filters for team search Set test config * Remove userIdFilter when FGAC is on
2022-02-09 23:17:31 +08:00
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
t.Run("Access control prevents getting a team when missing permissions", func(t *testing.T) {
req := server.NewGetRequest(url)
req = webtest.RequestWithSignedInUser(req, userWithPermissions(1, []accesscontrol.Permission{}))
res, err := server.Send(req)
require.NoError(t, err)
assert.Equal(t, http.StatusForbidden, res.StatusCode)
require.NoError(t, res.Body.Close())
AccessControl: SQL filters for team search (#44557) * AccessControl: SQL filters for team search Set test config * Remove userIdFilter when FGAC is on
2022-02-09 23:17:31 +08:00
})
t.Run("Access control allows getting a team with the correct permissions", func(t *testing.T) {
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
req := server.NewGetRequest(url)
req = webtest.RequestWithSignedInUser(req, userWithPermissions(1, []accesscontrol.Permission{
{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"},
}))
res, err := server.Send(req)
require.NoError(t, err)
assert.Equal(t, http.StatusOK, res.StatusCode)
require.NoError(t, res.Body.Close())
})
AccessControl: SQL filters for team search (#44557) * AccessControl: SQL filters for team search Set test config * Remove userIdFilter when FGAC is on
2022-02-09 23:17:31 +08:00
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
t.Run("Access control allows getting a team with wildcard scope", func(t *testing.T) {
req := server.NewGetRequest(url)
req = webtest.RequestWithSignedInUser(req, userWithPermissions(1, []accesscontrol.Permission{
{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:*"},
}))
res, err := server.Send(req)
AccessControl: SQL filters for team search (#44557) * AccessControl: SQL filters for team search Set test config * Remove userIdFilter when FGAC is on
2022-02-09 23:17:31 +08:00
require.NoError(t, err)
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
assert.Equal(t, http.StatusOK, res.StatusCode)
require.NoError(t, res.Body.Close())
AccessControl: SQL filters for team search (#44557) * AccessControl: SQL filters for team search Set test config * Remove userIdFilter when FGAC is on
2022-02-09 23:17:31 +08:00
})
}
AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2022-01-27 23:16:44 +08:00
// Given a team with a user, when the user is granted X permission,
// Then the endpoint should return 200 if the user has accesscontrol.ActionTeamsWrite with teams:id:1 scope
// else return 403
Rename FGAC to RBAC in the codebase (#48051)
2022-04-21 20:31:02 +08:00
func TestTeamAPIEndpoint_UpdateTeam_RBAC(t *testing.T) {
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
server := SetupAPITestServer(t, func(hs *HTTPServer) {
hs.Cfg = setting.NewCfg()
Chore: Move team models to models pkg (#61262) * Chore: Move team models to models pkg * Fix ACL tests * More ACL tests * Change Id to ID in conflict user command test * Remove team from models * Fix ac test lint
2023-01-11 21:20:09 +08:00
hs.teamService = &teamtest.FakeService{ExpectedTeamDTO: &team.TeamDTO{}}
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
})
AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2022-01-27 23:16:44 +08:00
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
request := func(teamID int64, user *user.SignedInUser) (*http.Response, error) {
req := server.NewRequest(http.MethodPut, fmt.Sprintf(detailTeamURL, teamID), strings.NewReader(teamCmd))
req = webtest.RequestWithSignedInUser(req, user)
return server.SendJSON(req)
}
AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2022-01-27 23:16:44 +08:00
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
t.Run("Access control allows updating team with the correct permissions", func(t *testing.T) {
res, err := request(1, userWithPermissions(1, []accesscontrol.Permission{
{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:1"},
}))
AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2022-01-27 23:16:44 +08:00
require.NoError(t, err)
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
assert.Equal(t, http.StatusOK, res.StatusCode)
require.NoError(t, res.Body.Close())
AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2022-01-27 23:16:44 +08:00
})
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
t.Run("Access control allows updating teams with the wildcard scope", func(t *testing.T) {
res, err := request(1, userWithPermissions(1, []accesscontrol.Permission{
{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:*"},
}))
AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2022-01-27 23:16:44 +08:00
require.NoError(t, err)
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
assert.Equal(t, http.StatusOK, res.StatusCode)
require.NoError(t, res.Body.Close())
AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2022-01-27 23:16:44 +08:00
})
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
t.Run("Access control prevent updating a team with wrong scope", func(t *testing.T) {
res, err := request(1, userWithPermissions(1, []accesscontrol.Permission{
{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:2"},
}))
require.NoError(t, err)
assert.Equal(t, http.StatusForbidden, res.StatusCode)
require.NoError(t, res.Body.Close())
AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2022-01-27 23:16:44 +08:00
})
}
// Given a team with a user, when the user is granted X permission,
// Then the endpoint should return 200 if the user has accesscontrol.ActionTeamsDelete with teams:id:1 scope
// else return 403
Rename FGAC to RBAC in the codebase (#48051)
2022-04-21 20:31:02 +08:00
func TestTeamAPIEndpoint_DeleteTeam_RBAC(t *testing.T) {
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
server := SetupAPITestServer(t, func(hs *HTTPServer) {
hs.Cfg = setting.NewCfg()
Chore: Move team models to models pkg (#61262) * Chore: Move team models to models pkg * Fix ACL tests * More ACL tests * Change Id to ID in conflict user command test * Remove team from models * Fix ac test lint
2023-01-11 21:20:09 +08:00
hs.teamService = &teamtest.FakeService{ExpectedTeamDTO: &team.TeamDTO{}}
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
})
AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2022-01-27 23:16:44 +08:00
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
request := func(teamID int64, user *user.SignedInUser) (*http.Response, error) {
req := server.NewRequest(http.MethodDelete, fmt.Sprintf(detailTeamURL, teamID), http.NoBody)
req = webtest.RequestWithSignedInUser(req, user)
return server.Send(req)
}
AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2022-01-27 23:16:44 +08:00
t.Run("Access control prevents deleting teams with the incorrect permissions", func(t *testing.T) {
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
res, err := request(1, userWithPermissions(1, []accesscontrol.Permission{
{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:2"},
}))
AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2022-01-27 23:16:44 +08:00
require.NoError(t, err)
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
assert.Equal(t, http.StatusForbidden, res.StatusCode)
require.NoError(t, res.Body.Close())
AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2022-01-27 23:16:44 +08:00
})
t.Run("Access control allows deleting teams with the correct permissions", func(t *testing.T) {
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
res, err := request(1, userWithPermissions(1, []accesscontrol.Permission{
{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:1"},
}))
require.NoError(t, err)
assert.Equal(t, http.StatusOK, res.StatusCode)
require.NoError(t, res.Body.Close())
AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2022-01-27 23:16:44 +08:00
})
}
AccessControl: Add AC to team preferences (#44554) * AccessControl: Add AC to team preferences * Apply suggestions from code review Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-01-28 19:17:54 +08:00
// Given a team with a user, when the user is granted X permission,
// Then the endpoint should return 200 if the user has accesscontrol.ActionTeamsRead with teams:id:1 scope
// else return 403
Rename FGAC to RBAC in the codebase (#48051)
2022-04-21 20:31:02 +08:00
func TestTeamAPIEndpoint_GetTeamPreferences_RBAC(t *testing.T) {
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
server := SetupAPITestServer(t, func(hs *HTTPServer) {
hs.Cfg = setting.NewCfg()
hs.preferenceService = &preftest.FakePreferenceService{ExpectedPreference: &pref.Preference{}}
})
AccessControl: Add AC to team preferences (#44554) * AccessControl: Add AC to team preferences * Apply suggestions from code review Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-01-28 19:17:54 +08:00
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
request := func(teamID int64, user *user.SignedInUser) (*http.Response, error) {
req := server.NewGetRequest(fmt.Sprintf(detailTeamPreferenceURL, teamID))
req = webtest.RequestWithSignedInUser(req, user)
return server.Send(req)
}
AccessControl: Add AC to team preferences (#44554) * AccessControl: Add AC to team preferences * Apply suggestions from code review Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-01-28 19:17:54 +08:00
t.Run("Access control allows getting team preferences with the correct permissions", func(t *testing.T) {
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
res, err := request(1, userWithPermissions(1, []accesscontrol.Permission{
{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"},
}))
require.NoError(t, err)
assert.Equal(t, http.StatusOK, res.StatusCode)
require.NoError(t, res.Body.Close())
AccessControl: Add AC to team preferences (#44554) * AccessControl: Add AC to team preferences * Apply suggestions from code review Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-01-28 19:17:54 +08:00
})
t.Run("Access control prevents getting team preferences with the incorrect permissions", func(t *testing.T) {
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
res, err := request(1, userWithPermissions(1, []accesscontrol.Permission{
{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:2"},
}))
require.NoError(t, err)
assert.Equal(t, http.StatusForbidden, res.StatusCode)
require.NoError(t, res.Body.Close())
AccessControl: Add AC to team preferences (#44554) * AccessControl: Add AC to team preferences * Apply suggestions from code review Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-01-28 19:17:54 +08:00
})
}
// Given a team with a user, when the user is granted X permission,
// Then the endpoint should return 200 if the user has accesscontrol.ActionTeamsWrite with teams:id:1 scope
// else return 403
Rename FGAC to RBAC in the codebase (#48051)
2022-04-21 20:31:02 +08:00
func TestTeamAPIEndpoint_UpdateTeamPreferences_RBAC(t *testing.T) {
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
server := SetupAPITestServer(t, func(hs *HTTPServer) {
hs.Cfg = setting.NewCfg()
hs.preferenceService = &preftest.FakePreferenceService{ExpectedPreference: &pref.Preference{}}
})
AccessControl: Add AC to team preferences (#44554) * AccessControl: Add AC to team preferences * Apply suggestions from code review Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-01-28 19:17:54 +08:00
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
request := func(teamID int64, user *user.SignedInUser) (*http.Response, error) {
req := server.NewRequest(http.MethodPut, fmt.Sprintf(detailTeamPreferenceURL, teamID), strings.NewReader(teamPreferenceCmd))
req = webtest.RequestWithSignedInUser(req, user)
return server.SendJSON(req)
}
AccessControl: Add AC to team preferences (#44554) * AccessControl: Add AC to team preferences * Apply suggestions from code review Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-01-28 19:17:54 +08:00
t.Run("Access control allows updating team preferences with the correct permissions", func(t *testing.T) {
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
res, err := request(1, userWithPermissions(1, []accesscontrol.Permission{
{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:1"},
}))
AccessControl: Add AC to team preferences (#44554) * AccessControl: Add AC to team preferences * Apply suggestions from code review Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-01-28 19:17:54 +08:00
require.NoError(t, err)
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
assert.Equal(t, http.StatusOK, res.StatusCode)
require.NoError(t, res.Body.Close())
AccessControl: Add AC to team preferences (#44554) * AccessControl: Add AC to team preferences * Apply suggestions from code review Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-01-28 19:17:54 +08:00
})
t.Run("Access control prevents updating team preferences with the incorrect permissions", func(t *testing.T) {
RBAC: Cleaup team api rbac tests (#57265) * RBAC: Remove the access control evaluator fake * API: Change to use access control implementation instead of mocks with rbac disabled in tests * Tests: Set cfg and access control defaults after applying options * Tests: Rewrite team legacy access control tests * Tests: Add helper function to create user with permissions * Tests: set fake quota service as default * Team: Add ExpectedTeamDTO and set in query result * RBAC: Revert change * RBAC: Add deprecation notice to mock
2022-10-20 15:11:47 +08:00
res, err := request(1, userWithPermissions(1, []accesscontrol.Permission{
{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:2"},
}))
require.NoError(t, err)
assert.Equal(t, http.StatusForbidden, res.StatusCode)
require.NoError(t, res.Body.Close())
AccessControl: Add AC to team preferences (#44554) * AccessControl: Add AC to team preferences * Apply suggestions from code review Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-01-28 19:17:54 +08:00
})
}