AccessControl: SQL filters for team search (#44557)
* AccessControl: SQL filters for team search
* Set test config
* Remove userIdFilter when FGAC is on
@ -198,8 +198,8 @@ func (hs *HTTPServer) registerRoutes() {
|
||||
|
||||
// team without requirement of user to be org admin
|
||||
apiRoute.Group("/teams", func(teamsRoute routing.RouteRegister) {
|
||||
teamsRoute.Get("/:teamId", routing.Wrap(hs.GetTeamByID))
|
||||
teamsRoute.Get("/search", routing.Wrap(hs.SearchTeams))
|
||||
teamsRoute.Get("/:teamId", authorize(reqSignedIn, ac.EvalPermission(ac.ActionTeamsRead, ac.ScopeTeamsID)), routing.Wrap(hs.GetTeamByID))
|
||||
teamsRoute.Get("/search", authorize(reqSignedIn, ac.EvalPermission(ac.ActionTeamsRead)), routing.Wrap(hs.SearchTeams))
|
||||
})
|
||||
|
||||
// org information available to all users.
|
||||
|
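Review bot: The new `/search` registration authorizes with `ac.EvalPermission(ac.ActionTeamsRead)` and no scope, so the middleware only establishes that the caller holds teams:read on something; which teams are returned then rests entirely on the store filtering by `c.SignedInUser`, unlike the sibling `/:teamId` route whose `ac.ScopeTeamsID` check decides access up front. That asymmetry is intentional per the handler comments but is invisible here, so a one-line comment would help the next reader, e.g. `// search is not scoped here: the SQL store filters results to the teams the caller can read`. registerRoutes continues outside the hunk.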
@ -130,11 +130,17 @@ func (hs *HTTPServer) SearchTeams(c *models.ReqContext) response.Response {
|
||||
page = 1
|
||||
}
|
||||
|
||||
// Using accesscontrol the filtering is done based on user permissions
|
||||
userIdFilter := models.FilterIgnoreUser
|
||||
if !hs.Features.IsEnabled(featuremgmt.FlagAccesscontrol) {
|
||||
userIdFilter = userFilter(hs.Cfg.EditorsCanAdmin, c)
|
||||
}
|
||||
|
||||
query := models.SearchTeamsQuery{
|
||||
OrgId: c.OrgId,
|
||||
Query: c.Query("query"),
|
||||
Name: c.Query("name"),
|
||||
UserIdFilter: userFilter(hs.Cfg.EditorsCanAdmin, c),
|
||||
UserIdFilter: userIdFilter,
|
||||
Page: page,
|
||||
Limit: perPage,
|
||||
SignedInUser: c.SignedInUser,
|
||||
@ -201,12 +207,18 @@ func (hs *HTTPServer) GetTeamByID(c *models.ReqContext) response.Response {
|
||||
return response.Error(http.StatusBadRequest, "teamId is invalid", err)
|
||||
}
|
||||
|
||||
// Using accesscontrol the filtering has already been performed at middleware layer
|
||||
userIdFilter := models.FilterIgnoreUser
|
||||
if !hs.Features.IsEnabled(featuremgmt.FlagAccesscontrol) {
|
||||
userIdFilter = userFilter(hs.Cfg.EditorsCanAdmin, c)
|
||||
}
|
||||
|
||||
query := models.GetTeamByIdQuery{
|
||||
OrgId: c.OrgId,
|
||||
Id: teamId,
|
||||
SignedInUser: c.SignedInUser,
|
||||
HiddenUsers: hs.Cfg.HiddenUsers,
|
||||
UserIdFilter: userFilter(hs.Cfg.EditorsCanAdmin, c),
|
||||
UserIdFilter: userIdFilter,
|
||||
}
|
||||
|
||||
if err := hs.SQLStore.GetTeamById(c.Req.Context(), &query); err != nil {
|
||||
|
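Review bot: The three-line `userIdFilter` preamble in SearchTeams is duplicated verbatim in GetTeamByID in the following hunk; a small `HTTPServer` helper that returns `models.FilterIgnoreUser` when `featuremgmt.FlagAccesscontrol` is enabled and `userFilter(hs.Cfg.EditorsCanAdmin, c)` otherwise, called as `userIdFilter := hs.teamUserFilter(c)` in both handlers, would keep the two from drifting as more team endpoints move to access control. Note that the flag-on branch widens the query to `FilterIgnoreUser`, so correctness depends on the store applying the permission filter for `SignedInUser` in the search case and on the scoped middleware check in the get-by-id case; the search comment could state the first part explicitly, e.g. `// With access control enabled the store filters on SignedInUser's permissions instead of a user id`. Both handler bodies start and end outside the hunks.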
@ -34,9 +34,12 @@ func (stub *testLogger) Warn(testMessage string, ctx ...interface{}) {
|
||||
func TestTeamAPIEndpoint(t *testing.T) {
|
||||
t.Run("Given two teams", func(t *testing.T) {
|
||||
hs := setupSimpleHTTPServer(nil)
|
||||
hs.SQLStore = sqlstore.InitTestDB(t)
|
||||
mock := &mockstore.SQLStoreMock{}
|
||||
hs.Cfg.EditorsCanAdmin = true
|
||||
store := sqlstore.InitTestDB(t)
|
||||
store.Cfg = hs.Cfg
|
||||
hs.SQLStore = store
|
||||
mock := &mockstore.SQLStoreMock{}
|
||||
|
||||
loggedInUserScenario(t, "When calling GET on", "/api/teams/search", "/api/teams/search", func(sc *scenarioContext) {
|
||||
_, err := hs.SQLStore.CreateTeam("team1", "", 1)
|
||||
require.NoError(t, err)
|
||||
@ -123,6 +126,7 @@ func TestTeamAPIEndpoint(t *testing.T) {
|
||||
}
|
||||
|
||||
const (
|
||||
searchTeamsURL = "/api/teams/search"
|
||||
createTeamURL = "/api/teams/"
|
||||
detailTeamURL = "/api/teams/%d"
|
||||
detailTeamPreferenceURL = "/api/teams/%d/preferences"
|
||||
@ -182,6 +186,79 @@ func TestTeamAPIEndpoint_CreateTeam_FGAC(t *testing.T) {
|
||||
})
|
||||
}
|
||||
|
||||
func TestTeamAPIEndpoint_SearchTeams_FGAC(t *testing.T) {
|
||||
sc := setupHTTPServer(t, true, true)
|
||||
sc.db = sqlstore.InitTestDB(t)
|
||||
|
||||
// Seed three teams
|
||||
for i := 1; i <= 3; i++ {
|
||||
_, err := sc.db.CreateTeam(fmt.Sprintf("team%d", i), fmt.Sprintf("team%d@example.org", i), 1)
|
||||
require.NoError(t, err)
|
||||
}
|
||||
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
|
||||
t.Run("Access control prevents searching for teams with the incorrect permissions", func(t *testing.T) {
|
||||
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:*"}}, 1)
|
||||
response := callAPI(sc.server, http.MethodGet, searchTeamsURL, http.NoBody, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
})
|
||||
|
||||
t.Run("Access control allows searching for teams with the correct permissions", func(t *testing.T) {
|
||||
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:*"}}, 1)
|
||||
response := callAPI(sc.server, http.MethodGet, searchTeamsURL, http.NoBody, t)
|
||||
assert.Equal(t, http.StatusOK, response.Code)
|
||||
|
||||
res := &models.SearchTeamQueryResult{}
|
||||
err := json.Unmarshal(response.Body.Bytes(), res)
|
||||
require.NoError(t, err)
|
||||
require.Len(t, res.Teams, 3, "expected all teams to have been returned")
|
||||
require.Equal(t, res.TotalCount, int64(3), "expected count to match teams length")
|
||||
})
|
||||
|
||||
t.Run("Access control filters teams based on user permissions", func(t *testing.T) {
|
||||
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"}, {Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:3"}}, 1)
|
||||
response := callAPI(sc.server, http.MethodGet, searchTeamsURL, http.NoBody, t)
|
||||
assert.Equal(t, http.StatusOK, response.Code)
|
||||
|
||||
res := &models.SearchTeamQueryResult{}
|
||||
err := json.Unmarshal(response.Body.Bytes(), res)
|
||||
require.NoError(t, err)
|
||||
require.Len(t, res.Teams, 2, "expected a subset of teams to have been returned")
|
||||
require.Equal(t, res.TotalCount, int64(2), "expected count to match teams length")
|
||||
for _, team := range res.Teams {
|
||||
require.NotEqual(t, team.Name, "team2", "expected team2 to have been filtered")
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
func TestTeamAPIEndpoint_GetTeamByID_FGAC(t *testing.T) {
|
||||
sc := setupHTTPServer(t, true, true)
|
||||
sc.db = sqlstore.InitTestDB(t)
|
||||
|
||||
_, err := sc.db.CreateTeam("team1", "team1@example.org", 1)
|
||||
require.NoError(t, err)
|
||||
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
|
||||
t.Run("Access control prevents getting a team with the incorrect permissions", func(t *testing.T) {
|
||||
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:2"}}, 1)
|
||||
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(detailTeamURL, 1), http.NoBody, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
})
|
||||
|
||||
t.Run("Access control allows getting a team with the correct permissions", func(t *testing.T) {
|
||||
setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"}}, 1)
|
||||
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(detailTeamURL, 1), http.NoBody, t)
|
||||
assert.Equal(t, http.StatusOK, response.Code)
|
||||
|
||||
res := &models.TeamDTO{}
|
||||
err := json.Unmarshal(response.Body.Bytes(), res)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, "team1", res.Name)
|
||||
})
|
||||
}
|
||||
|
||||
// Given a team with a user, when the user is granted X permission,
|
||||
// Then the endpoint should return 200 if the user has accesscontrol.ActionTeamsWrite with teams:id:1 scope
|
||||
// else return 403
|
||||
|
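Review bot: `require.Equal(t, res.TotalCount, int64(3), ...)` and `require.Equal(t, res.TotalCount, int64(2), ...)` in the new SearchTeams test pass the actual value in the expected slot, so a failure message shows the two reversed; testify's order is (expected, actual): `require.Equal(t, int64(3), res.TotalCount, ...)` and `require.Equal(t, int64(2), res.TotalCount, ...)`. Because the `/search` middleware checks only the action, a further subtest for a caller whose sole teams:read scope matches none of the seeded teams (for example `teams:id:4`) would pin that the SQL filter returns an empty list with `TotalCount` 0 rather than falling back to every team. The scope strings are literals here while the routes use `ac.ScopeTeamsID`; building them from the accesscontrol package's scope helpers would keep the tests tracking the constant. The trailing "Given a team with a user" comment belongs to the next test, which lies outside the hunk.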