package accesscontrol_test
import (
"context"
"testing"
"github.com/stretchr/testify/assert"
authlib "github.com/grafana/authlib/types"
"github.com/grafana/grafana/pkg/apimachinery/identity"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/accesscontrol/acimpl"
"github.com/grafana/grafana/pkg/services/featuremgmt"
)
// TestLegacyAccessClient_Check exercises the decisions the legacy access
// client makes for a dashboards request: denial when no resource is
// configured, scope matching on the configured attribute, an action-only
// check for list requests, and the Unchecked bypass for a configured verb.
func TestLegacyAccessClient_Check(t *testing.T) {
	ac := acimpl.ProvideAccessControl(featuremgmt.WithFeatures())

	// dashboardsOpts returns the options shared by the scope-matching cases:
	// the dashboards resource keyed on its uid attribute with the given
	// verb -> action mapping.
	dashboardsOpts := func(mapping map[string]string) accesscontrol.ResourceAuthorizerOptions {
		return accesscontrol.ResourceAuthorizerOptions{
			Resource: "dashboards",
			Attr:     "uid",
			Mapping:  mapping,
		}
	}

	// dashboardsReq builds a request against the dashboards resource in the
	// default namespace; an empty name leaves Name at its zero value, which is
	// what the list case sends.
	dashboardsReq := func(verb, name string) authlib.CheckRequest {
		return authlib.CheckRequest{
			Verb:      verb,
			Namespace: "default",
			Resource:  "dashboards",
			Name:      name,
		}
	}

	t.Run("should reject when when no configuration for resource exist", func(t *testing.T) {
		// No ResourceAuthorizerOptions at all: the client must not allow the
		// request just because nothing was configured for the resource.
		client := accesscontrol.NewLegacyAccessClient(ac)

		res, err := client.Check(context.Background(), &identity.StaticRequester{}, dashboardsReq("get", "1"))
		assert.NoError(t, err)
		assert.False(t, res.Allowed)
	})

	t.Run("should reject when user don't have correct scope", func(t *testing.T) {
		client := accesscontrol.NewLegacyAccessClient(ac, dashboardsOpts(map[string]string{
			"get": "dashboards:read",
		}))

		// The action matches but the scope names uid 2 while the request is for uid 1.
		requester := newIdent(
			accesscontrol.Permission{Action: "dashboards:read", Scope: "dashboards:uid:2"},
		)

		res, err := client.Check(context.Background(), requester, dashboardsReq("get", "1"))
		assert.NoError(t, err)
		assert.False(t, res.Allowed)
	})

	t.Run("should just check action for list requests", func(t *testing.T) {
		client := accesscontrol.NewLegacyAccessClient(ac, dashboardsOpts(map[string]string{
			"list": "dashboards:read",
		}))

		// A permission with the mapped action and no scope is enough for list.
		requester := newIdent(
			accesscontrol.Permission{Action: "dashboards:read"},
		)

		res, err := client.Check(context.Background(), requester, dashboardsReq("list", ""))
		assert.NoError(t, err)
		assert.True(t, res.Allowed)
	})

	t.Run("should allow when user have correct scope", func(t *testing.T) {
		client := accesscontrol.NewLegacyAccessClient(ac, dashboardsOpts(map[string]string{
			"get": "dashboards:read",
		}))

		// Action and scope both match the requested dashboard uid.
		requester := newIdent(
			accesscontrol.Permission{Action: "dashboards:read", Scope: "dashboards:uid:1"},
		)

		res, err := client.Check(context.Background(), requester, dashboardsReq("get", "1"))
		assert.NoError(t, err)
		assert.True(t, res.Allowed)
	})

	t.Run("should skip authorization for configured verb", func(t *testing.T) {
		client := accesscontrol.NewLegacyAccessClient(ac, accesscontrol.ResourceAuthorizerOptions{
			Resource: "dashboards",
			Attr:     "uid",
			// "get" is listed as Unchecked, so it is allowed without any
			// permission; "create" is still mapped and must be checked.
			Unchecked: map[string]bool{
				"get": true,
			},
			Mapping: map[string]string{
				"create": "dashboards:create",
			},
		})

		// A requester holding only an empty permission.
		requester := newIdent(accesscontrol.Permission{})

		res, err := client.Check(context.Background(), requester, dashboardsReq("get", "1"))
		assert.NoError(t, err)
		assert.True(t, res.Allowed)

		res, err = client.Check(context.Background(), requester, dashboardsReq("create", "1"))
		assert.NoError(t, err)
		assert.False(t, res.Allowed)
	})
}
// newIdent builds a StaticRequester for org 1 whose permissions are grouped
// by action: every Permission's Scope is appended under its Action, so a
// Permission with an empty Scope still contributes an empty-string entry.
func newIdent(permissions ...accesscontrol.Permission) *identity.StaticRequester {
	const orgID int64 = 1

	scopesByAction := make(map[string][]string, len(permissions))
	for i := range permissions {
		action, scope := permissions[i].Action, permissions[i].Scope
		scopesByAction[action] = append(scopesByAction[action], scope)
	}

	return &identity.StaticRequester{
		OrgID:       orgID,
		Permissions: map[int64]map[string][]string{orgID: scopesByAction},
	}
}