AccessControl: Add access control actions and scopes to team update and delete

* AccessControl: Add access control actions and scopes to team update and delete * AccessControl: Add tests for AC guards in update/delete * AccessControl: add fixed role for team writer * AccessControl: ensure team related AC is deleted with team * Update pkg/api/team_test.go
2025-09-26 04:34:28 +08:00 · 2022-01-27 15:16:44 +00:00
parent 1a9c293984
commit cb6e5ae8ce
7 changed files with 132 additions and 20 deletions
--- a/pkg/api/team_test.go
+++ b/pkg/api/team_test.go
@ -134,16 +134,17 @@ func TestTeamAPIEndpoint(t *testing.T) {
 	})
 }

-var (
+const (
 	createTeamURL = "/api/teams/"
-	createTeamCmd = `{"name": "MyTestTeam%d"}`
+	detailTeamURL = "/api/teams/%d"
+	teamCmd       = `{"name": "MyTestTeam%d"}`
 )

 func TestTeamAPIEndpoint_CreateTeam_LegacyAccessControl(t *testing.T) {
 	sc := setupHTTPServer(t, true, false)
 	setInitCtxSignedInOrgAdmin(sc.initCtx)

-	input := strings.NewReader(fmt.Sprintf(createTeamCmd, 1))
+	input := strings.NewReader(fmt.Sprintf(teamCmd, 1))
 	t.Run("Organisation admin can create a team", func(t *testing.T) {
 		response := callAPI(sc.server, http.MethodPost, createTeamURL, input, t)
 		assert.Equal(t, http.StatusOK, response.Code)
@ -151,9 +152,9 @@ func TestTeamAPIEndpoint_CreateTeam_LegacyAccessControl(t *testing.T) {

 	setInitCtxSignedInEditor(sc.initCtx)
 	sc.initCtx.IsGrafanaAdmin = true
-	input = strings.NewReader(fmt.Sprintf(createTeamCmd, 2))
+	input = strings.NewReader(fmt.Sprintf(teamCmd, 2))
 	t.Run("Org editor and server admin cannot create a team", func(t *testing.T) {
-		response := callAPI(sc.server, http.MethodPost, createTeamURL, strings.NewReader(createTeamCmd), t)
+		response := callAPI(sc.server, http.MethodPost, createTeamURL, strings.NewReader(teamCmd), t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
 }
@ -164,7 +165,7 @@ func TestTeamAPIEndpoint_CreateTeam_LegacyAccessControl_EditorsCanAdmin(t *testi
 	sc := setupHTTPServerWithCfg(t, true, false, cfg)

 	setInitCtxSignedInEditor(sc.initCtx)
-	input := strings.NewReader(fmt.Sprintf(createTeamCmd, 1))
+	input := strings.NewReader(fmt.Sprintf(teamCmd, 1))
 	t.Run("Editors can create a team if editorsCanAdmin is set to true", func(t *testing.T) {
 		response := callAPI(sc.server, http.MethodPost, createTeamURL, input, t)
 		assert.Equal(t, http.StatusOK, response.Code)
@ -175,17 +176,98 @@ func TestTeamAPIEndpoint_CreateTeam_FGAC(t *testing.T) {
 	sc := setupHTTPServer(t, true, true)

 	setInitCtxSignedInViewer(sc.initCtx)
-	input := strings.NewReader(fmt.Sprintf(createTeamCmd, 1))
+	input := strings.NewReader(fmt.Sprintf(teamCmd, 1))
 	t.Run("Access control allows creating teams with the correct permissions", func(t *testing.T) {
 		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsCreate}}, 1)
 		response := callAPI(sc.server, http.MethodPost, createTeamURL, input, t)
 		assert.Equal(t, http.StatusOK, response.Code)
 	})

-	input = strings.NewReader(fmt.Sprintf(createTeamCmd, 2))
+	input = strings.NewReader(fmt.Sprintf(teamCmd, 2))
 	t.Run("Access control prevents creating teams with the incorrect permissions", func(t *testing.T) {
 		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: "teams:invalid"}}, accesscontrol.GlobalOrgID)
 		response := callAPI(sc.server, http.MethodPost, createTeamURL, input, t)
 		assert.Equal(t, http.StatusForbidden, response.Code)
 	})
 }
+
+// Given a team with a user, when the user is granted X permission,
+// Then the endpoint should return 200 if the user has accesscontrol.ActionTeamsWrite with teams:id:1 scope
+// else return 403
+func TestTeamAPIEndpoint_UpdateTeam_FGAC(t *testing.T) {
+	sc := setupHTTPServer(t, true, true)
+	sc.db = sqlstore.InitTestDB(t)
+	_, err := sc.db.CreateTeam("team1", "", 1)
+
+	require.NoError(t, err)
+
+	setInitCtxSignedInViewer(sc.initCtx)
+
+	input := strings.NewReader(fmt.Sprintf(teamCmd, 1))
+	t.Run("Access control allows updating teams with the correct permissions", func(t *testing.T) {
+		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:1"}}, 1)
+		response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(detailTeamURL, 1), input, t)
+		assert.Equal(t, http.StatusOK, response.Code)
+
+		teamQuery := &models.GetTeamByIdQuery{OrgId: 1, SignedInUser: sc.initCtx.SignedInUser, Id: 1, Result: &models.TeamDTO{}}
+		err := sc.db.GetTeamById(context.Background(), teamQuery)
+		require.NoError(t, err)
+		assert.Equal(t, "MyTestTeam1", teamQuery.Result.Name)
+	})
+
+	input = strings.NewReader(fmt.Sprintf(teamCmd, 2))
+	t.Run("Access control allows updating teams with the correct global permissions", func(t *testing.T) {
+		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:*"}}, 1)
+		response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(detailTeamURL, 1), input, t)
+		assert.Equal(t, http.StatusOK, response.Code)
+
+		teamQuery := &models.GetTeamByIdQuery{OrgId: 1, SignedInUser: sc.initCtx.SignedInUser, Id: 1, Result: &models.TeamDTO{}}
+		err := sc.db.GetTeamById(context.Background(), teamQuery)
+		require.NoError(t, err)
+		assert.Equal(t, "MyTestTeam2", teamQuery.Result.Name)
+	})
+
+	input = strings.NewReader(fmt.Sprintf(teamCmd, 3))
+	t.Run("Access control prevents updating teams with the incorrect permissions", func(t *testing.T) {
+		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsWrite, Scope: "teams:id:2"}}, 1)
+		response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(detailTeamURL, 1), input, t)
+		assert.Equal(t, http.StatusForbidden, response.Code)
+
+		teamQuery := &models.GetTeamByIdQuery{OrgId: 1, SignedInUser: sc.initCtx.SignedInUser, Id: 1, Result: &models.TeamDTO{}}
+		err := sc.db.GetTeamById(context.Background(), teamQuery)
+		assert.NoError(t, err)
+		assert.Equal(t, "MyTestTeam2", teamQuery.Result.Name)
+	})
+}
+
+// Given a team with a user, when the user is granted X permission,
+// Then the endpoint should return 200 if the user has accesscontrol.ActionTeamsDelete with teams:id:1 scope
+// else return 403
+func TestTeamAPIEndpoint_DeleteTeam_FGAC(t *testing.T) {
+	sc := setupHTTPServer(t, true, true)
+	sc.db = sqlstore.InitTestDB(t)
+	_, err := sc.db.CreateTeam("team1", "", 1)
+	require.NoError(t, err)
+
+	setInitCtxSignedInViewer(sc.initCtx)
+
+	t.Run("Access control prevents deleting teams with the incorrect permissions", func(t *testing.T) {
+		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:7"}}, 1)
+		response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(detailTeamURL, 1), http.NoBody, t)
+		assert.Equal(t, http.StatusForbidden, response.Code)
+
+		teamQuery := &models.GetTeamByIdQuery{OrgId: 1, SignedInUser: sc.initCtx.SignedInUser, Id: 1, Result: &models.TeamDTO{}}
+		err := sc.db.GetTeamById(context.Background(), teamQuery)
+		require.NoError(t, err)
+	})
+
+	t.Run("Access control allows deleting teams with the correct permissions", func(t *testing.T) {
+		setAccessControlPermissions(sc.acmock, []*accesscontrol.Permission{{Action: accesscontrol.ActionTeamsDelete, Scope: "teams:id:1"}}, 1)
+		response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(detailTeamURL, 1), http.NoBody, t)
+		assert.Equal(t, http.StatusOK, response.Code)
+
+		teamQuery := &models.GetTeamByIdQuery{OrgId: 1, SignedInUser: sc.initCtx.SignedInUser, Id: 1, Result: &models.TeamDTO{}}
+		err := sc.db.GetTeamById(context.Background(), teamQuery)
+		require.ErrorIs(t, err, models.ErrTeamNotFound)
+	})
+}