opensource/grafana
1
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-07-30 00:42:27 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
grafana/pkg/services/accesscontrol/database/externalservices_test.go
Jeff Levin a21a232a8e Revert read replica POC (#93551) 
* Revert "chore: add replDB to team service (#91799)"

This reverts commit c6ae2d7999aa6fc797db39e9d66c6fea70278f83.

* Revert "experiment: use read replica for Get and Find Dashboards (#91706)"

This reverts commit 54177ca619dbb5ded2dcb158405802d8dbdbc982.

* Revert "QuotaService: refactor to use ReplDB for Get queries (#91333)"

This reverts commit 299c142f6a6e8c5673cfdea9f87b56ac304f9834.

* Revert "refactor replCfg to look more like plugins/plugin config (#91142)"

This reverts commit ac0b4bb34d495914cbe8daad85b7c75c31e8070d.

* Revert "chore (replstore): fix registration with multiple sql drivers, again (#90990)"

This reverts commit daedb358dded00d349d9fac6106aaaa6bf18322e.

* Revert "Chore (sqlstore): add validation and testing for repl config (#90683)"

This reverts commit af19f039b62d9945377292a8e679ee258fd56b3d.

* Revert "ReplStore: Add support for round robin load balancing between multiple read replicas (#90530)"

This reverts commit 27b52b1507f5218a7b38046b4d96bc004d949d46.

* Revert "DashboardStore: Use ReplDB and get dashboard quotas from the ReadReplica (#90235)"

This reverts commit 8a6107cd35f6444c0674ee4230d3d6bcfbbd4a58.

* Revert "accesscontrol service read replica (#89963)"

This reverts commit 77a4869fcadf13827d76d5767d4de74812d6dd6d.

* Revert "Fix: add mapping for the new mysqlRepl driver (#89551)"

This reverts commit ab5a079bcc5b0f0a6929f0a3742eb2859d4a3498.

* Revert "fix: sql instrumentation dual registration error (#89508)"

This reverts commit d988f5c3b064fade6e96511e0024190c22d48e50.

* Revert "Experimental Feature Toggle: databaseReadReplica (#89232)"

This reverts commit 50244ed4a1435cbf3e3c87d4af34fd7937f7c259.
2024-09-25 15:21:39 -08:00

247 lines
6.5 KiB
Go
Raw Blame History

package database
import (
"context"
// #nosec G505 Used only for generating a 160 bit hash, it's not used for security purposes
"errors"
"testing"
"github.com/grafana/grafana/pkg/infra/db"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/stretchr/testify/require"
)
func TestAccessControlStore_SaveExternalServiceRole(t *testing.T) {
type run struct {
cmd accesscontrol.SaveExternalServiceRoleCommand
wantErr bool
}
tests := []struct {
name string
runs []run
}{
{
name: "create app role",
runs: []run{
{
cmd: accesscontrol.SaveExternalServiceRoleCommand{
ExternalServiceID: "app1",
AssignmentOrgID: 1,
ServiceAccountID: 1,
Permissions: []accesscontrol.Permission{
{Action: "users:read", Scope: "users:id:1"},
{Action: "users:read", Scope: "users:id:2"},
},
},
wantErr: false,
},
},
},
{
name: "update app role",
runs: []run{
{
cmd: accesscontrol.SaveExternalServiceRoleCommand{
ExternalServiceID: "app1",
AssignmentOrgID: 1,
ServiceAccountID: 1,
Permissions: []accesscontrol.Permission{
{Action: "users:read", Scope: "users:id:1"},
{Action: "users:read", Scope: "users:id:2"},
},
},
},
{
cmd: accesscontrol.SaveExternalServiceRoleCommand{
ExternalServiceID: "app1",
AssignmentOrgID: 1,
ServiceAccountID: 1,
Permissions: []accesscontrol.Permission{
{Action: "users:write", Scope: "users:id:1"},
{Action: "users:write", Scope: "users:id:2"},
},
},
},
},
},
{
name: "edge case - remove all permissions",
runs: []run{
{
cmd: accesscontrol.SaveExternalServiceRoleCommand{
ExternalServiceID: "app1",
AssignmentOrgID: 1,
ServiceAccountID: 1,
Permissions: []accesscontrol.Permission{
{Action: "users:read", Scope: "users:id:1"},
{Action: "users:read", Scope: "users:id:2"},
},
},
},
{
cmd: accesscontrol.SaveExternalServiceRoleCommand{
ExternalServiceID: "app1",
AssignmentOrgID: 1,
ServiceAccountID: 1,
Permissions: []accesscontrol.Permission{},
},
},
},
},
{
name: "edge case - reassign to another service account",
runs: []run{
{
cmd: accesscontrol.SaveExternalServiceRoleCommand{
ExternalServiceID: "app1",
AssignmentOrgID: 1,
ServiceAccountID: 1,
},
},
{
cmd: accesscontrol.SaveExternalServiceRoleCommand{
ExternalServiceID: "app1",
AssignmentOrgID: 2,
ServiceAccountID: 2,
},
wantErr: false,
},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
ctx := context.Background()
s := &AccessControlStore{
sql: db.InitTestDB(t),
}
for i := range tt.runs {
err := s.SaveExternalServiceRole(ctx, tt.runs[i].cmd)
if tt.runs[i].wantErr {
require.Error(t, err)
continue
}
require.NoError(t, err)
errDBSession := s.sql.WithDbSession(ctx, func(sess *db.Session) error {
storedRole, err := getRoleByUID(ctx, sess, accesscontrol.PrefixedRoleUID(extServiceRoleName(tt.runs[i].cmd.ExternalServiceID)))
require.NoError(t, err)
require.NotNil(t, storedRole)
require.True(t, storedRole.Global(), "Incorrect global state of the role")
storedPerm, err := getRolePermissions(ctx, sess, storedRole.ID)
require.NoError(t, err)
for i := range storedPerm {
storedPerm[i] = accesscontrol.Permission{Action: storedPerm[i].Action, Scope: storedPerm[i].Scope}
}
require.ElementsMatch(t, tt.runs[i].cmd.Permissions, storedPerm)
var assignment accesscontrol.UserRole
has, err := sess.Where("role_id = ? AND user_id = ?", storedRole.ID, tt.runs[i].cmd.ServiceAccountID).Get(&assignment)
require.NoError(t, err)
require.True(t, has)
require.Equal(t, tt.runs[i].cmd.AssignmentOrgID, assignment.OrgID, "Incorrect OrgID for the role assignment")
return nil
})
require.NoError(t, errDBSession)
}
})
}
}
func TestAccessControlStore_DeleteExternalServiceRole(t *testing.T) {
extID := "app1"
tests := []struct {
name string
init func(t *testing.T, ctx context.Context, s *AccessControlStore)
id string
wantErr bool
}{
{
name: "delete no role",
id: extID,
wantErr: false,
},
{
name: "delete role",
init: func(t *testing.T, ctx context.Context, s *AccessControlStore) {
errSave := s.SaveExternalServiceRole(ctx, accesscontrol.SaveExternalServiceRoleCommand{
AssignmentOrgID: 2,
ExternalServiceID: extID,
ServiceAccountID: 3,
Permissions: []accesscontrol.Permission{
{Action: "users:read", Scope: "users:id:1"},
{Action: "users:write", Scope: "users:id:1"},
},
})
require.NoError(t, errSave)
},
id: extID,
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
ctx := context.Background()
s := &AccessControlStore{
sql: db.InitTestDB(t),
}
if tt.init != nil {
tt.init(t, ctx, s)
}
roleID := int64(-1)
err := s.sql.WithDbSession(ctx, func(sess *db.Session) error {
role, err := getRoleByUID(ctx, sess, accesscontrol.PrefixedRoleUID(extServiceRoleName(tt.id)))
if err != nil && !errors.Is(err, accesscontrol.ErrRoleNotFound) {
return err
}
if role != nil {
roleID = role.ID
}
return nil
})
require.NoError(t, err)
err = s.DeleteExternalServiceRole(ctx, tt.id)
if tt.wantErr {
require.Error(t, err)
return
}
require.NoError(t, err)
// Only check removal if the role existed before
if roleID == -1 {
return
}
// Assignments should be deleted
_ = s.sql.WithDbSession(ctx, func(sess *db.Session) error {
var assignment accesscontrol.UserRole
count, err := sess.Where("role_id = ?", roleID).Count(&assignment)
require.NoError(t, err)
require.Zero(t, count)
return nil
})
// Permissions should be deleted
_ = s.sql.WithDbSession(ctx, func(sess *db.Session) error {
var permission accesscontrol.Permission
count, err := sess.Where("role_id = ?", roleID).Count(&permission)
require.NoError(t, err)
require.Zero(t, count)
return nil
})
// Role should be deleted
_ = s.sql.WithDbSession(ctx, func(sess *db.Session) error {
storedRole, err := getRoleByUID(ctx, sess, accesscontrol.PrefixedRoleUID(extServiceRoleName(tt.id)))
require.ErrorIs(t, err, accesscontrol.ErrRoleNotFound)
require.Nil(t, storedRole)
return nil
})
})
}
}
Reference in New Issue View Git Blame Copy Permalink