mirror of
https://github.com/grafana/grafana.git
synced 2025-08-02 13:32:15 +08:00
605d056136
* * Teams: Appropriately apply user id filter in /api/teams/:id and /api/teams/search * Teams: Ensure that users searching for teams are only able see teams they have access to * Teams: Require teamGuardian admin privileges to list team members * Teams: Prevent org viewers from administering teams * Teams: Add org_id condition to team count query * Teams: clarify permission requirements in teams api docs * Teams: expand scenarios for team search tests * Teams: mock teamGuardian in tests Co-authored-by: Dan Cech <dcech@grafana.com> * remove duplicate WHERE statement * Fix for CVE-2022-21702 (cherry picked from commit 202d7c190082c094bc1dc13f7fe9464746c37f9e) * Lint and test fixes (cherry picked from commit 3e6b67d5504abf4a1d7b8d621f04d062c048e981) * check content type properly (cherry picked from commit 70b4458892bf2f776302720c10d24c9ff34edd98) * basic csrf origin check (cherry picked from commit 3adaa5ff39832364f6390881fb5b42ad47df92e1) * compare origin to host (cherry picked from commit 5443892699e8ed42836bb2b9a44744ff3e970f42) * simplify url parsing (cherry picked from commit b2ffbc9513fed75468628370a48b929d30af2b1d) * check csrf for GET requests, only compare origin (cherry picked from commit 8b81dc12d8f8a1f07852809c5b4d44f0f0b1d709) * parse content type properly (cherry picked from commit 16f76f4902e6f2188bea9606c68b551af186bdc0) * mentioned get in the comment (cherry picked from commit a7e61811ef8ae558ce721e2e3fed04ce7a5a5345) * add content-type: application/json to test HTTP requests * fix pluginproxy test * Fix linter when comparing errors Co-authored-by: Kevin Minehart <kmineh0151@gmail.com> Co-authored-by: Dan Cech <dcech@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Serge Zaitsev <serge.zaitsev@grafana.com> Co-authored-by: Vardan Torosyan <vardants@gmail.com>
421 lines
13 KiB
Go
421 lines
13 KiB
Go
package api
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"github.com/grafana/grafana/pkg/api/dtos"
|
|
"github.com/grafana/grafana/pkg/api/response"
|
|
"github.com/grafana/grafana/pkg/api/routing"
|
|
"github.com/grafana/grafana/pkg/bus"
|
|
dashboardifaces "github.com/grafana/grafana/pkg/dashboards"
|
|
"github.com/grafana/grafana/pkg/models"
|
|
"github.com/grafana/grafana/pkg/services/dashboards"
|
|
"github.com/grafana/grafana/pkg/services/guardian"
|
|
"github.com/grafana/grafana/pkg/services/sqlstore/mockstore"
|
|
"github.com/grafana/grafana/pkg/setting"
|
|
)
|
|
|
|
func TestFolderPermissionAPIEndpoint(t *testing.T) {
|
|
settings := setting.NewCfg()
|
|
hs := &HTTPServer{Cfg: settings}
|
|
|
|
t.Run("Given folder not exists", func(t *testing.T) {
|
|
mock := &fakeFolderService{
|
|
GetFolderByUIDError: models.ErrFolderNotFound,
|
|
}
|
|
|
|
origNewFolderService := dashboards.NewFolderService
|
|
t.Cleanup(func() {
|
|
dashboards.NewFolderService = origNewFolderService
|
|
})
|
|
mockFolderService(mock)
|
|
mockSQLStore := mockstore.NewSQLStoreMock()
|
|
loggedInUserScenarioWithRole(t, "When calling GET on", "GET", "/api/folders/uid/permissions", "/api/folders/:uid/permissions", models.ROLE_EDITOR, func(sc *scenarioContext) {
|
|
callGetFolderPermissions(sc, hs)
|
|
assert.Equal(t, 404, sc.resp.Code)
|
|
}, mockSQLStore)
|
|
|
|
cmd := dtos.UpdateDashboardAclCommand{
|
|
Items: []dtos.DashboardAclUpdateItem{
|
|
{UserID: 1000, Permission: models.PERMISSION_ADMIN},
|
|
},
|
|
}
|
|
|
|
updateFolderPermissionScenario(t, updatePermissionContext{
|
|
desc: "When calling POST on",
|
|
url: "/api/folders/uid/permissions",
|
|
routePattern: "/api/folders/:uid/permissions",
|
|
cmd: cmd,
|
|
fn: func(sc *scenarioContext) {
|
|
callUpdateFolderPermissions(t, sc)
|
|
assert.Equal(t, 404, sc.resp.Code)
|
|
},
|
|
}, hs)
|
|
})
|
|
|
|
t.Run("Given user has no admin permissions", func(t *testing.T) {
|
|
origNewGuardian := guardian.New
|
|
origNewFolderService := dashboards.NewFolderService
|
|
t.Cleanup(func() {
|
|
guardian.New = origNewGuardian
|
|
dashboards.NewFolderService = origNewFolderService
|
|
})
|
|
|
|
guardian.MockDashboardGuardian(&guardian.FakeDashboardGuardian{CanAdminValue: false})
|
|
|
|
mock := &fakeFolderService{
|
|
GetFolderByUIDResult: &models.Folder{
|
|
Id: 1,
|
|
Uid: "uid",
|
|
Title: "Folder",
|
|
},
|
|
}
|
|
|
|
mockFolderService(mock)
|
|
mockSQLStore := mockstore.NewSQLStoreMock()
|
|
loggedInUserScenarioWithRole(t, "When calling GET on", "GET", "/api/folders/uid/permissions", "/api/folders/:uid/permissions", models.ROLE_EDITOR, func(sc *scenarioContext) {
|
|
callGetFolderPermissions(sc, hs)
|
|
assert.Equal(t, 403, sc.resp.Code)
|
|
}, mockSQLStore)
|
|
|
|
cmd := dtos.UpdateDashboardAclCommand{
|
|
Items: []dtos.DashboardAclUpdateItem{
|
|
{UserID: 1000, Permission: models.PERMISSION_ADMIN},
|
|
},
|
|
}
|
|
|
|
updateFolderPermissionScenario(t, updatePermissionContext{
|
|
desc: "When calling POST on",
|
|
url: "/api/folders/uid/permissions",
|
|
routePattern: "/api/folders/:uid/permissions",
|
|
cmd: cmd,
|
|
fn: func(sc *scenarioContext) {
|
|
callUpdateFolderPermissions(t, sc)
|
|
assert.Equal(t, 403, sc.resp.Code)
|
|
},
|
|
}, hs)
|
|
})
|
|
|
|
t.Run("Given user has admin permissions and permissions to update", func(t *testing.T) {
|
|
origNewGuardian := guardian.New
|
|
origNewFolderService := dashboards.NewFolderService
|
|
t.Cleanup(func() {
|
|
guardian.New = origNewGuardian
|
|
dashboards.NewFolderService = origNewFolderService
|
|
})
|
|
|
|
guardian.MockDashboardGuardian(&guardian.FakeDashboardGuardian{
|
|
CanAdminValue: true,
|
|
CheckPermissionBeforeUpdateValue: true,
|
|
GetAclValue: []*models.DashboardAclInfoDTO{
|
|
{OrgId: 1, DashboardId: 1, UserId: 2, Permission: models.PERMISSION_VIEW},
|
|
{OrgId: 1, DashboardId: 1, UserId: 3, Permission: models.PERMISSION_EDIT},
|
|
{OrgId: 1, DashboardId: 1, UserId: 4, Permission: models.PERMISSION_ADMIN},
|
|
{OrgId: 1, DashboardId: 1, TeamId: 1, Permission: models.PERMISSION_VIEW},
|
|
{OrgId: 1, DashboardId: 1, TeamId: 2, Permission: models.PERMISSION_ADMIN},
|
|
},
|
|
})
|
|
|
|
mock := &fakeFolderService{
|
|
GetFolderByUIDResult: &models.Folder{
|
|
Id: 1,
|
|
Uid: "uid",
|
|
Title: "Folder",
|
|
},
|
|
}
|
|
|
|
mockFolderService(mock)
|
|
mockSQLStore := mockstore.NewSQLStoreMock()
|
|
loggedInUserScenarioWithRole(t, "When calling GET on", "GET", "/api/folders/uid/permissions", "/api/folders/:uid/permissions", models.ROLE_ADMIN, func(sc *scenarioContext) {
|
|
callGetFolderPermissions(sc, hs)
|
|
assert.Equal(t, 200, sc.resp.Code)
|
|
|
|
var resp []*models.DashboardAclInfoDTO
|
|
err := json.Unmarshal(sc.resp.Body.Bytes(), &resp)
|
|
require.NoError(t, err)
|
|
|
|
assert.Len(t, resp, 5)
|
|
assert.Equal(t, int64(2), resp[0].UserId)
|
|
assert.Equal(t, models.PERMISSION_VIEW, resp[0].Permission)
|
|
}, mockSQLStore)
|
|
|
|
cmd := dtos.UpdateDashboardAclCommand{
|
|
Items: []dtos.DashboardAclUpdateItem{
|
|
{UserID: 1000, Permission: models.PERMISSION_ADMIN},
|
|
},
|
|
}
|
|
|
|
updateFolderPermissionScenario(t, updatePermissionContext{
|
|
desc: "When calling POST on",
|
|
url: "/api/folders/uid/permissions",
|
|
routePattern: "/api/folders/:uid/permissions",
|
|
cmd: cmd,
|
|
fn: func(sc *scenarioContext) {
|
|
callUpdateFolderPermissions(t, sc)
|
|
assert.Equal(t, 200, sc.resp.Code)
|
|
|
|
var resp struct {
|
|
ID int64
|
|
Title string
|
|
}
|
|
err := json.Unmarshal(sc.resp.Body.Bytes(), &resp)
|
|
require.NoError(t, err)
|
|
|
|
assert.Equal(t, int64(1), resp.ID)
|
|
assert.Equal(t, "Folder", resp.Title)
|
|
},
|
|
}, hs)
|
|
})
|
|
|
|
t.Run("When trying to update permissions with duplicate permissions", func(t *testing.T) {
|
|
origNewGuardian := guardian.New
|
|
origNewFolderService := dashboards.NewFolderService
|
|
t.Cleanup(func() {
|
|
guardian.New = origNewGuardian
|
|
dashboards.NewFolderService = origNewFolderService
|
|
})
|
|
|
|
guardian.MockDashboardGuardian(&guardian.FakeDashboardGuardian{
|
|
CanAdminValue: true,
|
|
CheckPermissionBeforeUpdateValue: false,
|
|
CheckPermissionBeforeUpdateError: guardian.ErrGuardianPermissionExists,
|
|
})
|
|
|
|
mock := &fakeFolderService{
|
|
GetFolderByUIDResult: &models.Folder{
|
|
Id: 1,
|
|
Uid: "uid",
|
|
Title: "Folder",
|
|
},
|
|
}
|
|
|
|
mockFolderService(mock)
|
|
|
|
cmd := dtos.UpdateDashboardAclCommand{
|
|
Items: []dtos.DashboardAclUpdateItem{
|
|
{UserID: 1000, Permission: models.PERMISSION_ADMIN},
|
|
},
|
|
}
|
|
|
|
updateFolderPermissionScenario(t, updatePermissionContext{
|
|
desc: "When calling POST on",
|
|
url: "/api/folders/uid/permissions",
|
|
routePattern: "/api/folders/:uid/permissions",
|
|
cmd: cmd,
|
|
fn: func(sc *scenarioContext) {
|
|
callUpdateFolderPermissions(t, sc)
|
|
assert.Equal(t, 400, sc.resp.Code)
|
|
},
|
|
}, hs)
|
|
})
|
|
|
|
t.Run("When trying to update team or user permissions with a role", func(t *testing.T) {
|
|
role := models.ROLE_ADMIN
|
|
cmds := []dtos.UpdateDashboardAclCommand{
|
|
{
|
|
Items: []dtos.DashboardAclUpdateItem{
|
|
{UserID: 1000, Permission: models.PERMISSION_ADMIN, Role: &role},
|
|
},
|
|
},
|
|
{
|
|
Items: []dtos.DashboardAclUpdateItem{
|
|
{TeamID: 1000, Permission: models.PERMISSION_ADMIN, Role: &role},
|
|
},
|
|
},
|
|
}
|
|
|
|
for _, cmd := range cmds {
|
|
updateFolderPermissionScenario(t, updatePermissionContext{
|
|
desc: "When calling POST on",
|
|
url: "/api/folders/uid/permissions",
|
|
routePattern: "/api/folders/:uid/permissions",
|
|
cmd: cmd,
|
|
fn: func(sc *scenarioContext) {
|
|
callUpdateFolderPermissions(t, sc)
|
|
assert.Equal(t, 400, sc.resp.Code)
|
|
respJSON, err := jsonMap(sc.resp.Body.Bytes())
|
|
require.NoError(t, err)
|
|
assert.Equal(t, models.ErrPermissionsWithRoleNotAllowed.Error(), respJSON["error"])
|
|
},
|
|
}, hs)
|
|
}
|
|
})
|
|
|
|
t.Run("When trying to override inherited permissions with lower precedence", func(t *testing.T) {
|
|
origNewGuardian := guardian.New
|
|
origNewFolderService := dashboards.NewFolderService
|
|
t.Cleanup(func() {
|
|
guardian.New = origNewGuardian
|
|
dashboards.NewFolderService = origNewFolderService
|
|
})
|
|
|
|
guardian.MockDashboardGuardian(&guardian.FakeDashboardGuardian{
|
|
CanAdminValue: true,
|
|
CheckPermissionBeforeUpdateValue: false,
|
|
CheckPermissionBeforeUpdateError: guardian.ErrGuardianOverride},
|
|
)
|
|
|
|
mock := &fakeFolderService{
|
|
GetFolderByUIDResult: &models.Folder{
|
|
Id: 1,
|
|
Uid: "uid",
|
|
Title: "Folder",
|
|
},
|
|
}
|
|
|
|
mockFolderService(mock)
|
|
|
|
cmd := dtos.UpdateDashboardAclCommand{
|
|
Items: []dtos.DashboardAclUpdateItem{
|
|
{UserID: 1000, Permission: models.PERMISSION_ADMIN},
|
|
},
|
|
}
|
|
|
|
updateFolderPermissionScenario(t, updatePermissionContext{
|
|
desc: "When calling POST on",
|
|
url: "/api/folders/uid/permissions",
|
|
routePattern: "/api/folders/:uid/permissions",
|
|
cmd: cmd,
|
|
fn: func(sc *scenarioContext) {
|
|
callUpdateFolderPermissions(t, sc)
|
|
assert.Equal(t, 400, sc.resp.Code)
|
|
},
|
|
}, hs)
|
|
})
|
|
|
|
t.Run("Getting and updating folder permissions with hidden users", func(t *testing.T) {
|
|
origNewGuardian := guardian.New
|
|
origNewFolderService := dashboards.NewFolderService
|
|
settings.HiddenUsers = map[string]struct{}{
|
|
"hiddenUser": {},
|
|
testUserLogin: {},
|
|
}
|
|
t.Cleanup(func() {
|
|
guardian.New = origNewGuardian
|
|
dashboards.NewFolderService = origNewFolderService
|
|
settings.HiddenUsers = make(map[string]struct{})
|
|
})
|
|
|
|
guardian.MockDashboardGuardian(&guardian.FakeDashboardGuardian{
|
|
CanAdminValue: true,
|
|
CheckPermissionBeforeUpdateValue: true,
|
|
GetAclValue: []*models.DashboardAclInfoDTO{
|
|
{OrgId: 1, DashboardId: 1, UserId: 2, UserLogin: "hiddenUser", Permission: models.PERMISSION_VIEW},
|
|
{OrgId: 1, DashboardId: 1, UserId: 3, UserLogin: testUserLogin, Permission: models.PERMISSION_EDIT},
|
|
{OrgId: 1, DashboardId: 1, UserId: 4, UserLogin: "user_1", Permission: models.PERMISSION_ADMIN},
|
|
},
|
|
GetHiddenAclValue: []*models.DashboardAcl{
|
|
{OrgID: 1, DashboardID: 1, UserID: 2, Permission: models.PERMISSION_VIEW},
|
|
},
|
|
})
|
|
|
|
mock := &fakeFolderService{
|
|
GetFolderByUIDResult: &models.Folder{
|
|
Id: 1,
|
|
Uid: "uid",
|
|
Title: "Folder",
|
|
},
|
|
}
|
|
|
|
mockFolderService(mock)
|
|
|
|
var resp []*models.DashboardAclInfoDTO
|
|
mockSQLStore := mockstore.NewSQLStoreMock()
|
|
loggedInUserScenarioWithRole(t, "When calling GET on", "GET", "/api/folders/uid/permissions", "/api/folders/:uid/permissions", models.ROLE_ADMIN, func(sc *scenarioContext) {
|
|
callGetFolderPermissions(sc, hs)
|
|
assert.Equal(t, 200, sc.resp.Code)
|
|
|
|
err := json.Unmarshal(sc.resp.Body.Bytes(), &resp)
|
|
require.NoError(t, err)
|
|
|
|
assert.Len(t, resp, 2)
|
|
assert.Equal(t, int64(3), resp[0].UserId)
|
|
assert.Equal(t, models.PERMISSION_EDIT, resp[0].Permission)
|
|
assert.Equal(t, int64(4), resp[1].UserId)
|
|
assert.Equal(t, models.PERMISSION_ADMIN, resp[1].Permission)
|
|
}, mockSQLStore)
|
|
|
|
cmd := dtos.UpdateDashboardAclCommand{
|
|
Items: []dtos.DashboardAclUpdateItem{
|
|
{UserID: 1000, Permission: models.PERMISSION_ADMIN},
|
|
},
|
|
}
|
|
for _, acl := range resp {
|
|
cmd.Items = append(cmd.Items, dtos.DashboardAclUpdateItem{
|
|
UserID: acl.UserId,
|
|
Permission: acl.Permission,
|
|
})
|
|
}
|
|
assert.Len(t, cmd.Items, 3)
|
|
|
|
updateFolderPermissionScenario(t, updatePermissionContext{
|
|
desc: "When calling POST on",
|
|
url: "/api/folders/uid/permissions",
|
|
routePattern: "/api/folders/:uid/permissions",
|
|
cmd: cmd,
|
|
fn: func(sc *scenarioContext) {
|
|
origUpdateDashboardACL := updateDashboardACL
|
|
t.Cleanup(func() {
|
|
updateDashboardACL = origUpdateDashboardACL
|
|
})
|
|
var gotItems []*models.DashboardAcl
|
|
updateDashboardACL = func(_ context.Context, _ dashboardifaces.Store, _ int64, items []*models.DashboardAcl) error {
|
|
gotItems = items
|
|
return nil
|
|
}
|
|
|
|
sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
|
|
assert.Equal(t, 200, sc.resp.Code)
|
|
assert.Len(t, gotItems, 4)
|
|
},
|
|
}, hs)
|
|
})
|
|
}
|
|
|
|
func callGetFolderPermissions(sc *scenarioContext, hs *HTTPServer) {
|
|
sc.handlerFunc = hs.GetFolderPermissionList
|
|
sc.fakeReqWithParams("GET", sc.url, map[string]string{}).exec()
|
|
}
|
|
|
|
func callUpdateFolderPermissions(t *testing.T, sc *scenarioContext) {
|
|
t.Helper()
|
|
|
|
origUpdateDashboardACL := updateDashboardACL
|
|
t.Cleanup(func() {
|
|
updateDashboardACL = origUpdateDashboardACL
|
|
})
|
|
updateDashboardACL = func(_ context.Context, _ dashboardifaces.Store, dashID int64, items []*models.DashboardAcl) error {
|
|
return nil
|
|
}
|
|
|
|
sc.fakeReqWithParams("POST", sc.url, map[string]string{}).exec()
|
|
}
|
|
|
|
func updateFolderPermissionScenario(t *testing.T, ctx updatePermissionContext, hs *HTTPServer) {
|
|
t.Run(fmt.Sprintf("%s %s", ctx.desc, ctx.url), func(t *testing.T) {
|
|
defer bus.ClearBusHandlers()
|
|
|
|
sc := setupScenarioContext(t, ctx.url)
|
|
|
|
sc.defaultHandler = routing.Wrap(func(c *models.ReqContext) response.Response {
|
|
c.Req.Body = mockRequestBody(ctx.cmd)
|
|
c.Req.Header.Add("Content-Type", "application/json")
|
|
sc.context = c
|
|
sc.context.OrgId = testOrgID
|
|
sc.context.UserId = testUserID
|
|
|
|
return hs.UpdateFolderPermissions(c)
|
|
})
|
|
|
|
sc.m.Post(ctx.routePattern, sc.defaultHandler)
|
|
|
|
ctx.fn(sc)
|
|
})
|
|
}
|