From 4a9872d10897406b4da236573dbf0932c09760b3 Mon Sep 17 00:00:00 2001
From: Yuriy Tseretyan <yuriy.tseretyan@grafana.com>
Date: Mon, 27 Jun 2022 09:31:49 -0400
Subject: [PATCH] reload permissions after create folder (#51288)

---
 .../api/alerting/api_alertmanager_test.go     |  5 -----
 .../alerting/api_notification_channel_test.go |  1 -
 pkg/tests/api/alerting/api_prometheus_test.go | 21 ++-----------------
 pkg/tests/api/alerting/api_ruler_test.go      | 10 ++-------
 pkg/tests/api/alerting/testing.go             | 17 ++++++++++++++-
 5 files changed, 20 insertions(+), 34 deletions(-)

diff --git a/pkg/tests/api/alerting/api_alertmanager_test.go b/pkg/tests/api/alerting/api_alertmanager_test.go
index abbe4721220..029c95ca171 100644
--- a/pkg/tests/api/alerting/api_alertmanager_test.go
+++ b/pkg/tests/api/alerting/api_alertmanager_test.go
@@ -479,7 +479,6 @@ func TestAlertAndGroupsQuery(t *testing.T) {
 	{
 		// Create the namespace we'll save our alerts to.
 		apiClient.CreateFolder(t, "default", "default")
-		reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
 	}
 
 	// Create an alert that will fire as quickly as possible
@@ -580,7 +579,6 @@ func TestRulerAccess(t *testing.T) {
 
 	// Create the namespace we'll save our alerts to.
 	client.CreateFolder(t, "default", "default")
-	reloadCachedPermissions(t, grafanaListedAddr, "editor", "editor")
 
 	// Now, let's test the access policies.
 	testCases := []struct {
@@ -691,7 +689,6 @@ func TestDeleteFolderWithRules(t *testing.T) {
 	// Create the namespace we'll save our alerts to.
 	namespaceUID := "default"
 	apiClient.CreateFolder(t, namespaceUID, namespaceUID)
-	reloadCachedPermissions(t, grafanaListedAddr, "editor", "editor")
 
 	createRule(t, apiClient, "default")
 
@@ -846,7 +843,6 @@ func TestAlertRuleCRUD(t *testing.T) {
 
 	// Create the namespace we'll save our alerts to.
 	apiClient.CreateFolder(t, "default", "default")
-	reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
 
 	interval, err := model.ParseDuration("1m")
 	require.NoError(t, err)
@@ -1886,7 +1882,6 @@ func TestQuota(t *testing.T) {
 	apiClient := newAlertingApiClient(grafanaListedAddr, "grafana", "password")
 	// Create the namespace we'll save our alerts to.
 	apiClient.CreateFolder(t, "default", "default")
-	reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
 
 	interval, err := model.ParseDuration("1m")
 	require.NoError(t, err)
diff --git a/pkg/tests/api/alerting/api_notification_channel_test.go b/pkg/tests/api/alerting/api_notification_channel_test.go
index be946a25a90..fda8edcc7af 100644
--- a/pkg/tests/api/alerting/api_notification_channel_test.go
+++ b/pkg/tests/api/alerting/api_notification_channel_test.go
@@ -758,7 +758,6 @@ func TestNotificationChannels(t *testing.T) {
 	{
 		// Create the namespace we'll save our alerts to.
 		apiClient.CreateFolder(t, "default", "default")
-		reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
 
 		// Post the alertmanager config.
 		u := fmt.Sprintf("http://grafana:password@%s/api/alertmanager/grafana/config/api/v1/alerts", grafanaListedAddr)
diff --git a/pkg/tests/api/alerting/api_prometheus_test.go b/pkg/tests/api/alerting/api_prometheus_test.go
index c4a3ff7c6f0..d8019c0d032 100644
--- a/pkg/tests/api/alerting/api_prometheus_test.go
+++ b/pkg/tests/api/alerting/api_prometheus_test.go
@@ -45,7 +45,6 @@ func TestPrometheusRules(t *testing.T) {
 
 	// Create the namespace we'll save our alerts to.
 	apiClient.CreateFolder(t, "default", "default")
-	reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
 
 	interval, err := model.ParseDuration("10s")
 	require.NoError(t, err)
@@ -340,7 +339,6 @@ func TestPrometheusRulesFilterByDashboard(t *testing.T) {
 	// Create the namespace we'll save our alerts to.
 	dashboardUID := "default"
 	apiClient.CreateFolder(t, dashboardUID, dashboardUID)
-	reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
 
 	interval, err := model.ParseDuration("10s")
 	require.NoError(t, err)
@@ -642,8 +640,6 @@ func TestPrometheusRulesPermissions(t *testing.T) {
 	// Create the namespace we'll save our alerts to.
 	apiClient.CreateFolder(t, "folder2", "folder2")
 
-	reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
-
 	// Create rule under folder1
 	createRule(t, apiClient, "folder1")
 
@@ -678,7 +674,7 @@ func TestPrometheusRulesPermissions(t *testing.T) {
 
 	// remove permissions from folder2
 	removeFolderPermission(t, permissionsStore, 1, userID, models.ROLE_EDITOR, "folder2")
-	reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
+	apiClient.ReloadCachedPermissions(t)
 
 	// make sure that folder2 is not included in the response
 	{
@@ -703,7 +699,7 @@ func TestPrometheusRulesPermissions(t *testing.T) {
 
 	// remove permissions from folder1
 	removeFolderPermission(t, permissionsStore, 1, userID, models.ROLE_EDITOR, "folder1")
-	reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
+	apiClient.ReloadCachedPermissions(t)
 
 	// make sure that no folders are included in the response
 	{
@@ -729,19 +725,6 @@ func TestPrometheusRulesPermissions(t *testing.T) {
 	}
 }
 
-func reloadCachedPermissions(t *testing.T, addr, login, password string) {
-	t.Helper()
-
-	u := fmt.Sprintf("http://%s:%s@%s/api/access-control/user/permissions?reloadcache=true", login, password, addr)
-	// nolint:gosec
-	resp, err := http.Get(u)
-	t.Cleanup(func() {
-		require.NoError(t, resp.Body.Close())
-	})
-	require.NoError(t, err)
-	require.Equal(t, http.StatusOK, resp.StatusCode)
-}
-
 func removeFolderPermission(t *testing.T, store *acdb.AccessControlStore, orgID, userID int64, role models.RoleType, uid string) {
 	t.Helper()
 	// remove user permissions on folder
diff --git a/pkg/tests/api/alerting/api_ruler_test.go b/pkg/tests/api/alerting/api_ruler_test.go
index 5a60b5c6e9f..46abe65a5e8 100644
--- a/pkg/tests/api/alerting/api_ruler_test.go
+++ b/pkg/tests/api/alerting/api_ruler_test.go
@@ -47,8 +47,6 @@ func TestAlertRulePermissions(t *testing.T) {
 	// Create the namespace we'll save our alerts to.
 	apiClient.CreateFolder(t, "folder2", "folder2")
 
-	reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
-
 	// Create rule under folder1
 	createRule(t, apiClient, "folder1")
 
@@ -178,7 +176,7 @@ func TestAlertRulePermissions(t *testing.T) {
 
 		// remove permissions from folder2
 		removeFolderPermission(t, permissionsStore, 1, userID, models.ROLE_EDITOR, "folder2")
-		reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
+		apiClient.ReloadCachedPermissions(t)
 
 		// make sure that folder2 is not included in the response
 		// nolint:gosec
@@ -252,7 +250,7 @@ func TestAlertRulePermissions(t *testing.T) {
 
 	// Remove permissions from folder1.
 	removeFolderPermission(t, permissionsStore, 1, userID, models.ROLE_EDITOR, "folder1")
-	reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
+	apiClient.ReloadCachedPermissions(t)
 	{
 		u := fmt.Sprintf("http://grafana:password@%s/api/ruler/grafana/api/v1/rules", grafanaListedAddr)
 		// nolint:gosec
@@ -405,8 +403,6 @@ func TestRulerRulesFilterByDashboard(t *testing.T) {
 	// Create the namespace under default organisation (orgID = 1) where we'll save our alerts to.
 	apiClient.CreateFolder(t, "default", "default")
 
-	reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
-
 	interval, err := model.ParseDuration("10s")
 	require.NoError(t, err)
 
@@ -742,8 +738,6 @@ func TestRuleGroupSequence(t *testing.T) {
 	folder1Title := "folder1"
 	client.CreateFolder(t, util.GenerateShortUID(), folder1Title)
 
-	reloadCachedPermissions(t, grafanaListedAddr, "grafana", "password")
-
 	group1 := generateAlertRuleGroup(5, alertRuleGen())
 	group2 := generateAlertRuleGroup(5, alertRuleGen())
 
diff --git a/pkg/tests/api/alerting/testing.go b/pkg/tests/api/alerting/testing.go
index a7910819160..8d56b9ac261 100644
--- a/pkg/tests/api/alerting/testing.go
+++ b/pkg/tests/api/alerting/testing.go
@@ -171,7 +171,21 @@ func newAlertingApiClient(host, user, pass string) apiClient {
 	return apiClient{url: fmt.Sprintf("http://%s:%s@%s", user, pass, host)}
 }
 
-// CreateFolder creates a folder for storing our alerts under.
+// ReloadCachedPermissions sends a request to access control API to refresh cached user permissions
+func (a apiClient) ReloadCachedPermissions(t *testing.T) {
+	t.Helper()
+
+	u := fmt.Sprintf("%s/api/access-control/user/permissions?reloadcache=true", a.url)
+	// nolint:gosec
+	resp, err := http.Get(u)
+	defer func() {
+		_ = resp.Body.Close()
+	}()
+	require.NoErrorf(t, err, "failed to reload permissions cache")
+	require.Equalf(t, http.StatusOK, resp.StatusCode, "failed to reload permissions cache")
+}
+
+// CreateFolder creates a folder for storing our alerts, and then refreshes the permission cache to make sure that following requests will be accepted
 func (a apiClient) CreateFolder(t *testing.T, uID string, title string) {
 	t.Helper()
 	payload := fmt.Sprintf(`{"uid": "%s","title": "%s"}`, uID, title)
@@ -184,6 +198,7 @@ func (a apiClient) CreateFolder(t *testing.T, uID string, title string) {
 	}()
 	require.NoError(t, err)
 	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	a.ReloadCachedPermissions(t)
 }
 
 func (a apiClient) PostRulesGroup(t *testing.T, folder string, group *apimodels.PostableRuleGroupConfig) (int, string) {