grafana/pkg/services/sqlstore/org_users_test.go

package sqlstore

import (
	"context"
	"fmt"
	"strings"
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"github.com/grafana/grafana/pkg/models"
	ac "github.com/grafana/grafana/pkg/services/accesscontrol"
	"github.com/grafana/grafana/pkg/services/featuremgmt"
)

type getOrgUsersTestCase struct {
	desc             string
	query            *models.GetOrgUsersQuery
	expectedNumUsers int
}

func TestSQLStore_GetOrgUsers(t *testing.T) {
	tests := []getOrgUsersTestCase{
		{
			desc: "should return all users",
			query: &models.GetOrgUsersQuery{
				OrgId: 1,
				User: &models.SignedInUser{
					OrgId:       1,
					Permissions: map[int64]map[string][]string{1: {ac.ActionOrgUsersRead: {ac.ScopeUsersAll}}},
				},
			},
			expectedNumUsers: 10,
		},
		{
			desc: "should return no users",
			query: &models.GetOrgUsersQuery{
				OrgId: 1,
				User: &models.SignedInUser{
					OrgId:       1,
					Permissions: map[int64]map[string][]string{1: {ac.ActionOrgUsersRead: {""}}},
				},
			},
			expectedNumUsers: 0,
		},
		{
			desc: "should return some users",
			query: &models.GetOrgUsersQuery{
				OrgId: 1,
				User: &models.SignedInUser{
					OrgId: 1,
					Permissions: map[int64]map[string][]string{1: {ac.ActionOrgUsersRead: {
						"users:id:1",
						"users:id:5",
						"users:id:9",
					}}},
				},
			},
			expectedNumUsers: 3,
		},
	}

	store := InitTestDB(t, InitTestDBOpt{FeatureFlags: []string{featuremgmt.FlagAccesscontrol}})
	seedOrgUsers(t, store, 10)

	for _, tt := range tests {
		t.Run(tt.desc, func(t *testing.T) {
			err := store.GetOrgUsers(context.Background(), tt.query)
			require.NoError(t, err)
			require.Len(t, tt.query.Result, tt.expectedNumUsers)

			if !hasWildcardScope(tt.query.User, ac.ActionOrgUsersRead) {
				for _, u := range tt.query.Result {
					assert.Contains(t, tt.query.User.Permissions[tt.query.User.OrgId][ac.ActionOrgUsersRead], fmt.Sprintf("users:id:%d", u.UserId))
				}
			}
		})
	}
}

type searchOrgUsersTestCase struct {
	desc             string
	query            *models.SearchOrgUsersQuery
	expectedNumUsers int
}

func TestSQLStore_SearchOrgUsers(t *testing.T) {
	tests := []searchOrgUsersTestCase{
		{
			desc: "should return all users",
			query: &models.SearchOrgUsersQuery{
				OrgID: 1,
				User: &models.SignedInUser{
					OrgId:       1,
					Permissions: map[int64]map[string][]string{1: {ac.ActionOrgUsersRead: {ac.ScopeUsersAll}}},
				},
			},
			expectedNumUsers: 10,
		},
		{
			desc: "should return no users",
			query: &models.SearchOrgUsersQuery{
				OrgID: 1,
				User: &models.SignedInUser{
					OrgId:       1,
					Permissions: map[int64]map[string][]string{1: {ac.ActionOrgUsersRead: {""}}},
				},
			},
			expectedNumUsers: 0,
		},
		{
			desc: "should return some users",
			query: &models.SearchOrgUsersQuery{
				OrgID: 1,
				User: &models.SignedInUser{
					OrgId: 1,
					Permissions: map[int64]map[string][]string{1: {ac.ActionOrgUsersRead: {
						"users:id:1",
						"users:id:5",
						"users:id:9",
					}}},
				},
			},
			expectedNumUsers: 3,
		},
	}

	store := InitTestDB(t, InitTestDBOpt{FeatureFlags: []string{featuremgmt.FlagAccesscontrol}})
	seedOrgUsers(t, store, 10)

	for _, tt := range tests {
		t.Run(tt.desc, func(t *testing.T) {
			err := store.SearchOrgUsers(context.Background(), tt.query)
			require.NoError(t, err)
			assert.Len(t, tt.query.Result.OrgUsers, tt.expectedNumUsers)

			if !hasWildcardScope(tt.query.User, ac.ActionOrgUsersRead) {
				for _, u := range tt.query.Result.OrgUsers {
					assert.Contains(t, tt.query.User.Permissions[tt.query.User.OrgId][ac.ActionOrgUsersRead], fmt.Sprintf("users:id:%d", u.UserId))
				}
			}
		})
	}
}

func seedOrgUsers(t *testing.T, store *SQLStore, numUsers int) {
	t.Helper()
	// Seed users
	for i := 1; i <= numUsers; i++ {
		user, err := store.CreateUser(context.Background(), models.CreateUserCommand{
			Login: fmt.Sprintf("user-%d", i),
			OrgId: 1,
		})
		require.NoError(t, err)

		if i != 1 {
			err = store.AddOrgUser(context.Background(), &models.AddOrgUserCommand{
				Role:   "Viewer",
				OrgId:  1,
				UserId: user.Id,
			})
			require.NoError(t, err)
		}
	}
}

func hasWildcardScope(user *models.SignedInUser, action string) bool {
	for _, scope := range user.Permissions[user.OrgId][action] {
		if strings.HasSuffix(scope, ":*") {
			return true
		}
	}
	return false
}
Access control: Add access control sql filter to org user queries (#43961) * Add access control SQL filter to org user queries 2022-01-13 21:40:32 +08:00			`package sqlstore`

			`import (`
			`"context"`
			`"fmt"`
			`"strings"`
			`"testing"`

			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`

			`"github.com/grafana/grafana/pkg/models"`
			`ac "github.com/grafana/grafana/pkg/services/accesscontrol"`
FeatureFlags: define features outside settings.Cfg (take 3) (#44443) 2022-01-27 01:44:20 +08:00			`"github.com/grafana/grafana/pkg/services/featuremgmt"`
Access control: Add access control sql filter to org user queries (#43961) * Add access control SQL filter to org user queries 2022-01-13 21:40:32 +08:00			`)`

			`type getOrgUsersTestCase struct {`
			`desc string`
			`query *models.GetOrgUsersQuery`
			`expectedNumUsers int`
			`}`

			`func TestSQLStore_GetOrgUsers(t *testing.T) {`
			`tests := []getOrgUsersTestCase{`
			`{`
			`desc: "should return all users",`
			`query: &models.GetOrgUsersQuery{`
			`OrgId: 1,`
			`User: &models.SignedInUser{`
			`OrgId: 1,`
			`Permissions: map[int64]map[string][]string{1: {ac.ActionOrgUsersRead: {ac.ScopeUsersAll}}},`
			`},`
			`},`
			`expectedNumUsers: 10,`
			`},`
			`{`
			`desc: "should return no users",`
			`query: &models.GetOrgUsersQuery{`
			`OrgId: 1,`
			`User: &models.SignedInUser{`
			`OrgId: 1,`
			`Permissions: map[int64]map[string][]string{1: {ac.ActionOrgUsersRead: {""}}},`
			`},`
			`},`
			`expectedNumUsers: 0,`
			`},`
			`{`
			`desc: "should return some users",`
			`query: &models.GetOrgUsersQuery{`
			`OrgId: 1,`
			`User: &models.SignedInUser{`
			`OrgId: 1,`
			`Permissions: map[int64]map[string][]string{1: {ac.ActionOrgUsersRead: {`
			`"users:id:1",`
			`"users:id:5",`
			`"users:id:9",`
			`}}},`
			`},`
			`},`
			`expectedNumUsers: 3,`
			`},`
			`}`

Access Control: Add test flag to enable access control (#46780) * Add feature flags options to test db 2022-03-23 03:48:32 +08:00			`store := InitTestDB(t, InitTestDBOpt{FeatureFlags: []string{featuremgmt.FlagAccesscontrol}})`
Access control: Add access control sql filter to org user queries (#43961) * Add access control SQL filter to org user queries 2022-01-13 21:40:32 +08:00			`seedOrgUsers(t, store, 10)`

			`for _, tt := range tests {`
			`t.Run(tt.desc, func(t *testing.T) {`
			`err := store.GetOrgUsers(context.Background(), tt.query)`
			`require.NoError(t, err)`
			`require.Len(t, tt.query.Result, tt.expectedNumUsers)`

			`if !hasWildcardScope(tt.query.User, ac.ActionOrgUsersRead) {`
			`for _, u := range tt.query.Result {`
			`assert.Contains(t, tt.query.User.Permissions[tt.query.User.OrgId][ac.ActionOrgUsersRead], fmt.Sprintf("users:id:%d", u.UserId))`
			`}`
			`}`
			`})`
			`}`
			`}`

			`type searchOrgUsersTestCase struct {`
			`desc string`
			`query *models.SearchOrgUsersQuery`
			`expectedNumUsers int`
			`}`

			`func TestSQLStore_SearchOrgUsers(t *testing.T) {`
			`tests := []searchOrgUsersTestCase{`
			`{`
			`desc: "should return all users",`
			`query: &models.SearchOrgUsersQuery{`
			`OrgID: 1,`
			`User: &models.SignedInUser{`
			`OrgId: 1,`
			`Permissions: map[int64]map[string][]string{1: {ac.ActionOrgUsersRead: {ac.ScopeUsersAll}}},`
			`},`
			`},`
			`expectedNumUsers: 10,`
			`},`
			`{`
			`desc: "should return no users",`
			`query: &models.SearchOrgUsersQuery{`
			`OrgID: 1,`
			`User: &models.SignedInUser{`
			`OrgId: 1,`
			`Permissions: map[int64]map[string][]string{1: {ac.ActionOrgUsersRead: {""}}},`
			`},`
			`},`
			`expectedNumUsers: 0,`
			`},`
			`{`
			`desc: "should return some users",`
			`query: &models.SearchOrgUsersQuery{`
			`OrgID: 1,`
			`User: &models.SignedInUser{`
			`OrgId: 1,`
			`Permissions: map[int64]map[string][]string{1: {ac.ActionOrgUsersRead: {`
			`"users:id:1",`
			`"users:id:5",`
			`"users:id:9",`
			`}}},`
			`},`
			`},`
			`expectedNumUsers: 3,`
			`},`
			`}`

Access Control: Add test flag to enable access control (#46780) * Add feature flags options to test db 2022-03-23 03:48:32 +08:00			`store := InitTestDB(t, InitTestDBOpt{FeatureFlags: []string{featuremgmt.FlagAccesscontrol}})`
Access control: Add access control sql filter to org user queries (#43961) * Add access control SQL filter to org user queries 2022-01-13 21:40:32 +08:00			`seedOrgUsers(t, store, 10)`

			`for _, tt := range tests {`
			`t.Run(tt.desc, func(t *testing.T) {`
			`err := store.SearchOrgUsers(context.Background(), tt.query)`
			`require.NoError(t, err)`
			`assert.Len(t, tt.query.Result.OrgUsers, tt.expectedNumUsers)`

			`if !hasWildcardScope(tt.query.User, ac.ActionOrgUsersRead) {`
			`for _, u := range tt.query.Result.OrgUsers {`
			`assert.Contains(t, tt.query.User.Permissions[tt.query.User.OrgId][ac.ActionOrgUsersRead], fmt.Sprintf("users:id:%d", u.UserId))`
			`}`
			`}`
			`})`
			`}`
			`}`

			`func seedOrgUsers(t testing.T, store SQLStore, numUsers int) {`
			`t.Helper()`
			`// Seed users`
			`for i := 1; i <= numUsers; i++ {`
			`user, err := store.CreateUser(context.Background(), models.CreateUserCommand{`
			`Login: fmt.Sprintf("user-%d", i),`
			`OrgId: 1,`
			`})`
			`require.NoError(t, err)`

			`if i != 1 {`
			`err = store.AddOrgUser(context.Background(), &models.AddOrgUserCommand{`
			`Role: "Viewer",`
			`OrgId: 1,`
			`UserId: user.Id,`
			`})`
			`require.NoError(t, err)`
			`}`
			`}`
			`}`

			`func hasWildcardScope(user *models.SignedInUser, action string) bool {`
			`for _, scope := range user.Permissions[user.OrgId][action] {`
			`if strings.HasSuffix(scope, ":*") {`
			`return true`
			`}`
			`}`
			`return false`
			`}`