
* Picking role registration from OnCall POC branch * Fix test * Remove include actions from this PR * Removing unused permission * Adding test to DeclarePluginRoles * Add testcase to RegisterFixed role * Additional test case * Adding tests to validate plugins roles * Add test to plugin loader * Nit. * Scuemata validation * Changing the design to decouple accesscontrol from plugin management Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * Fixing tests Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Add missing files Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Remove feature toggle check from loader * Remove feature toggleimport * Feedback Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Fix test' * Make plugins.RoleRegistry interface typed * Remove comment question * No need for json tags anymore * Nit. log * Adding the schema validation * Remove group to take plugin Name instead * Revert sqlstore -> db * Nit. * Nit. on tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Update pkg/services/accesscontrol/plugins.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Log message Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Log message Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Remove unecessary method. Update test name. Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Fix linting * Update cue descriptions * Fix test Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: marefr <marcus.efraimsson@gmail.com> Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
package pluginutils
import (
"testing"
"github.com/grafana/grafana/pkg/plugins"
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/stretchr/testify/require"
)
// TestToRegistrations checks that ToRegistrations turns the role registrations
// declared by a plugin into access-control role registrations.
//
// The expected values pin what the conversion adds on top of the plugin's own
// declaration: Version 1, the plugin name (first argument) as Group, and
// ac.GlobalOrgID as OrgID. Name, DisplayName, Description, Permissions and
// Grants are expected to carry over as declared.
func TestToRegistrations(t *testing.T) {
	const pluginName = "PluginName"

	type testCase struct {
		name string
		regs []plugins.RoleRegistration
		want []ac.RoleRegistration
	}

	cases := []testCase{
		{
			// require.Equal falls back to reflect.DeepEqual here, so a nil
			// input is expected to yield a non-nil, empty slice.
			name: "no registration",
			regs: nil,
			want: []ac.RoleRegistration{},
		},
		{
			name: "registration gets converted successfully",
			regs: []plugins.RoleRegistration{
				{
					// Fully populated role with default grants.
					Role: plugins.Role{
						Name:        "test:name",
						DisplayName: "Test",
						Description: "Test",
						Permissions: []plugins.Permission{
							{Action: "test:action"},
							{Action: "test:action", Scope: "test:scope"},
						},
					},
					Grants: []string{"Admin", "Editor"},
				},
				{
					// Minimal role: no permissions, and no Grants declared.
					Role: plugins.Role{
						Name:        "test:name",
						Permissions: []plugins.Permission{},
					},
				},
			},
			want: []ac.RoleRegistration{
				{
					Role: ac.RoleDTO{
						Version:     1,
						Name:        "test:name",
						DisplayName: "Test",
						Description: "Test",
						Group:       pluginName,
						Permissions: []ac.Permission{
							{Action: "test:action"},
							{Action: "test:action", Scope: "test:scope"},
						},
						OrgID: ac.GlobalOrgID,
					},
					Grants: []string{"Admin", "Editor"},
				},
				{
					// Grants is left unset: the role is expected to come out
					// with a nil Grants slice.
					Role: ac.RoleDTO{
						Version:     1,
						Name:        "test:name",
						Group:       pluginName,
						Permissions: []ac.Permission{},
						OrgID:       ac.GlobalOrgID,
					},
				},
			},
		},
	}

	for i := range cases {
		tc := cases[i]
		t.Run(tc.name, func(t *testing.T) {
			require.Equal(t, tc.want, ToRegistrations(pluginName, tc.regs))
		})
	}
}
// TestValidatePluginRole exercises ValidatePluginRole, which decides whether a
// role declared by a plugin may be registered for that plugin ID.
//
// The table pins these outcomes:
//   - an empty plugin ID is rejected with ac.ErrPluginIDRequired;
//   - a role name that does not start with "plugins:<pluginID>:" is rejected,
//     including a name carrying a different plugin's ID;
//   - the action "invalidtest-app:read" is rejected for plugin "test-app";
//   - the actions "plugins.app:access", "test-app:read" and
//     "test-app.resources:read" are accepted for plugin "test-app".
//
// These checks are what keep a plugin from declaring roles or permission
// actions outside its own namespace.
//
// NOTE(review): matching a freshly allocated &ac.ErrorInvalidRole{} through
// require.ErrorIs depends on how that type is defined in the accesscontrol
// package, which is not visible here; confirm.
//
// NOTE(review): no case covers an action in a different plugin's namespace
// that shares this plugin's ID as a prefix (constructed example:
// "test-app2:read" for plugin "test-app"); consider adding one once the
// expected result is confirmed.
func TestValidatePluginRole(t *testing.T) {
	type testCase struct {
		name     string
		pluginID string
		role     ac.RoleDTO
		wantErr  error // nil means the role must validate cleanly
	}

	cases := []testCase{
		{
			name:     "empty",
			pluginID: "",
			role:     ac.RoleDTO{Name: "plugins::"},
			wantErr:  ac.ErrPluginIDRequired,
		},
		{
			// Missing the "plugins:" prefix.
			name:     "invalid name",
			pluginID: "test-app",
			role:     ac.RoleDTO{Name: "test-app:reader"},
			wantErr:  &ac.ErrorInvalidRole{},
		},
		{
			// Correct prefix, but the ID segment names another plugin.
			name:     "invalid id in name",
			pluginID: "test-app",
			role:     ac.RoleDTO{Name: "plugins:test-app2:reader"},
			wantErr:  &ac.ErrorInvalidRole{},
		},
		{
			name:     "valid name",
			pluginID: "test-app",
			role:     ac.RoleDTO{Name: "plugins:test-app:reader"},
		},
		{
			// The action merely contains the plugin ID; it does not start
			// with it.
			name:     "invalid permission",
			pluginID: "test-app",
			role: ac.RoleDTO{
				Name:        "plugins:test-app:reader",
				Permissions: []ac.Permission{{Action: "invalidtest-app:read"}},
			},
			wantErr: &ac.ErrorInvalidRole{},
		},
		{
			name:     "valid permissions",
			pluginID: "test-app",
			role: ac.RoleDTO{
				Name: "plugins:test-app:reader",
				Permissions: []ac.Permission{
					{Action: "plugins.app:access"},
					{Action: "test-app:read"},
					{Action: "test-app.resources:read"},
				},
			},
		},
	}

	for i := range cases {
		tc := cases[i]
		t.Run(tc.name, func(t *testing.T) {
			err := ValidatePluginRole(tc.pluginID, tc.role)
			if tc.wantErr == nil {
				require.NoError(t, err)
				return
			}
			require.ErrorIs(t, err, tc.wantErr)
		})
	}
}