grafana/apps/advisor/pkg/app/authorizer_test.go

package app

import (
	"context"
	"testing"

	"github.com/grafana/grafana/pkg/apimachinery/identity"
	"github.com/stretchr/testify/assert"
	"k8s.io/apiserver/pkg/authorization/authorizer"
)

func TestGetAuthorizer(t *testing.T) {
	tests := []struct {
		name             string
		ctx              context.Context
		attr             authorizer.Attributes
		expectedDecision authorizer.Decision
		expectedReason   string
		expectedErr      error
	}{
		{
			name:             "non-resource request",
			ctx:              context.TODO(),
			attr:             &mockAttributes{resourceRequest: false},
			expectedDecision: authorizer.DecisionNoOpinion,
			expectedReason:   "",
			expectedErr:      nil,
		},
		{
			name:             "user is admin",
			ctx:              identity.WithRequester(context.TODO(), &mockUser{isGrafanaAdmin: true}),
			attr:             &mockAttributes{resourceRequest: true},
			expectedDecision: authorizer.DecisionAllow,
			expectedReason:   "",
			expectedErr:      nil,
		},
		{
			name:             "user is not admin",
			ctx:              identity.WithRequester(context.TODO(), &mockUser{isGrafanaAdmin: false}),
			attr:             &mockAttributes{resourceRequest: true},
			expectedDecision: authorizer.DecisionDeny,
			expectedReason:   "forbidden",
			expectedErr:      nil,
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			auth := GetAuthorizer()
			decision, reason, err := auth.Authorize(tt.ctx, tt.attr)
			assert.Equal(t, tt.expectedDecision, decision)
			assert.Equal(t, tt.expectedReason, reason)
			assert.Equal(t, tt.expectedErr, err)
		})
	}
}

type mockAttributes struct {
	authorizer.Attributes
	resourceRequest bool
}

func (m *mockAttributes) IsResourceRequest() bool {
	return m.resourceRequest
}

// Implement other methods of authorizer.Attributes as needed

type mockUser struct {
	identity.Requester
	isGrafanaAdmin bool
}

func (m *mockUser) GetIsGrafanaAdmin() bool {
	return m.isGrafanaAdmin
}

func (m *mockUser) HasRole(role identity.RoleType) bool {
	return role == identity.RoleAdmin && m.isGrafanaAdmin
}

// Implement other methods of identity.Requester as needed
Advisor: Implement authorizer (#99440) 2025-01-24 00:00:02 +08:00			`package app`

			`import (`
			`"context"`
			`"testing"`

			`"github.com/grafana/grafana/pkg/apimachinery/identity"`
			`"github.com/stretchr/testify/assert"`
			`"k8s.io/apiserver/pkg/authorization/authorizer"`
			`)`

			`func TestGetAuthorizer(t *testing.T) {`
			`tests := []struct {`
			`name string`
			`ctx context.Context`
			`attr authorizer.Attributes`
			`expectedDecision authorizer.Decision`
			`expectedReason string`
			`expectedErr error`
			`}{`
			`{`
			`name: "non-resource request",`
			`ctx: context.TODO(),`
			`attr: &mockAttributes{resourceRequest: false},`
			`expectedDecision: authorizer.DecisionNoOpinion,`
			`expectedReason: "",`
			`expectedErr: nil,`
			`},`
			`{`
			`name: "user is admin",`
			`ctx: identity.WithRequester(context.TODO(), &mockUser{isGrafanaAdmin: true}),`
			`attr: &mockAttributes{resourceRequest: true},`
			`expectedDecision: authorizer.DecisionAllow,`
			`expectedReason: "",`
			`expectedErr: nil,`
			`},`
			`{`
			`name: "user is not admin",`
			`ctx: identity.WithRequester(context.TODO(), &mockUser{isGrafanaAdmin: false}),`
			`attr: &mockAttributes{resourceRequest: true},`
			`expectedDecision: authorizer.DecisionDeny,`
			`expectedReason: "forbidden",`
			`expectedErr: nil,`
			`},`
			`}`

			`for _, tt := range tests {`
			`t.Run(tt.name, func(t *testing.T) {`
			`auth := GetAuthorizer()`
			`decision, reason, err := auth.Authorize(tt.ctx, tt.attr)`
			`assert.Equal(t, tt.expectedDecision, decision)`
			`assert.Equal(t, tt.expectedReason, reason)`
			`assert.Equal(t, tt.expectedErr, err)`
			`})`
			`}`
			`}`

			`type mockAttributes struct {`
			`authorizer.Attributes`
			`resourceRequest bool`
			`}`

			`func (m *mockAttributes) IsResourceRequest() bool {`
			`return m.resourceRequest`
			`}`

			`// Implement other methods of authorizer.Attributes as needed`

			`type mockUser struct {`
			`identity.Requester`
			`isGrafanaAdmin bool`
			`}`

			`func (m *mockUser) GetIsGrafanaAdmin() bool {`
			`return m.isGrafanaAdmin`
			`}`

Advisor: Cloud fixes (#101136) 2025-02-25 18:41:44 +08:00			`func (m *mockUser) HasRole(role identity.RoleType) bool {`
			`return role == identity.RoleAdmin && m.isGrafanaAdmin`
			`}`

Advisor: Implement authorizer (#99440) 2025-01-24 00:00:02 +08:00			`// Implement other methods of identity.Requester as needed`