
* Use alert:create action for folder search with edit permissions. This matches the action that is used to query dashboards (the update will be addressed later) * Update rule store to use FindDashboards instead of folder service to list folders the user has access to view alerts. Folder service does not support query type and additional filters. * Do not check whether the user can save to folder if FGAC is enabled because it is checked on API level.
package permissions
import (
"fmt"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/dashboards"
"github.com/grafana/grafana/pkg/services/sqlstore/searchstore"
"github.com/grafana/grafana/pkg/util"
)
// TestNewAccessControlDashboardPermissionFilter pins the access-control actions
// that NewAccessControlDashboardPermissionFilter selects for each combination
// of legacy permission level and search query type.
//
// The table below is the authorization mapping under test. In it, VIEW maps to
// read actions only, while EDIT and ADMIN map to the same, larger action set
// for a given query type. Changing an expectation here changes which actions a
// search is filtered by, so review such edits as permission changes.
func TestNewAccessControlDashboardPermissionFilter(t *testing.T) {
	// A query type other than searchstore.TypeAlertFolder; the random suffix
	// keeps it from matching any specific type by accident.
	otherQueryType := "random_" + util.GenerateShortUID()

	type expectation struct {
		queryType     string
		permission    models.PermissionType
		wantDashboard []string
		wantFolder    []string
	}

	// Expected action sets, named once so the table reads as a matrix.
	alertFolderView := []string{
		dashboards.ActionFoldersRead,
		accesscontrol.ActionAlertingRuleRead,
	}
	alertFolderEdit := []string{
		dashboards.ActionFoldersRead,
		accesscontrol.ActionAlertingRuleRead,
		accesscontrol.ActionAlertingRuleCreate,
	}
	dashboardView := []string{accesscontrol.ActionDashboardsRead}
	dashboardEdit := []string{
		accesscontrol.ActionDashboardsRead,
		accesscontrol.ActionDashboardsWrite,
	}
	folderView := []string{dashboards.ActionFoldersRead}
	folderEdit := []string{
		dashboards.ActionFoldersRead,
		accesscontrol.ActionDashboardsCreate,
	}

	cases := []expectation{
		// Alert-folder searches: no dashboard actions are expected at all.
		{queryType: searchstore.TypeAlertFolder, permission: models.PERMISSION_ADMIN, wantDashboard: nil, wantFolder: alertFolderEdit},
		{queryType: searchstore.TypeAlertFolder, permission: models.PERMISSION_EDIT, wantDashboard: nil, wantFolder: alertFolderEdit},
		{queryType: searchstore.TypeAlertFolder, permission: models.PERMISSION_VIEW, wantDashboard: nil, wantFolder: alertFolderView},
		// Any other query type: dashboard and folder actions are both expected.
		{queryType: otherQueryType, permission: models.PERMISSION_ADMIN, wantDashboard: dashboardEdit, wantFolder: folderEdit},
		{queryType: otherQueryType, permission: models.PERMISSION_EDIT, wantDashboard: dashboardEdit, wantFolder: folderEdit},
		{queryType: otherQueryType, permission: models.PERMISSION_VIEW, wantDashboard: dashboardView, wantFolder: folderView},
	}

	for _, tc := range cases {
		name := fmt.Sprintf("query type %s, permissions %s", tc.queryType, tc.permission)
		t.Run(name, func(t *testing.T) {
			// A zero-value user is passed because only the stored action
			// lists are inspected below.
			got := NewAccessControlDashboardPermissionFilter(&models.SignedInUser{}, tc.permission, tc.queryType)

			require.Equal(t, tc.wantDashboard, got.dashboardActions)
			require.Equal(t, tc.wantFolder, got.folderActions)
		})
	}
}
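// TestAccessControlDashboardPermissionFilter_Where pins the SQL fragment that
// AccessControlDashboardPermissionFilter.Where returns for each combination of
// configured dashboard and folder actions.
//
// Every case uses a user whose Permissions map is empty. The expected
// fragments then contain only `1 = 0` predicates and no bind arguments, so a
// user without permissions matches no rows in the cases that configure
// actions.
func TestAccessControlDashboardPermissionFilter_Where(t *testing.T) {
	testCases := []struct {
		title            string
		dashboardActions []string
		folderActions    []string
		expectedResult   string
	}{
		{
			title:            "folder and dashboard actions are defined",
			dashboardActions: []string{"test"},
			folderActions:    []string{"test"},
			expectedResult:   "((( 1 = 0 OR dashboard.folder_id IN(SELECT id FROM dashboard WHERE 1 = 0)) AND NOT dashboard.is_folder) OR ( 1 = 0 AND dashboard.is_folder))",
		},
		{
			title:            "folder actions are defined but not dashboard actions",
			dashboardActions: nil,
			folderActions:    []string{"test"},
			expectedResult:   "(( 1 = 0 AND dashboard.is_folder))",
		},
		{
			title:            "dashboard actions are defined but not folder actions",
			dashboardActions: []string{"test"},
			folderActions:    nil,
			expectedResult:   "((( 1 = 0 OR dashboard.folder_id IN(SELECT id FROM dashboard WHERE 1 = 0)) AND NOT dashboard.is_folder))",
		},
		{
			// The original title duplicated the previous case, which
			// misdescribed these inputs and made `go test` report the
			// subtest with a "#01" suffix.
			title:            "neither dashboard nor folder actions are defined",
			dashboardActions: nil,
			folderActions:    nil,
			// NOTE(review): with no actions the fragment is an empty "()"
			// and carries no `1 = 0` predicate. How callers splice it into a
			// query is not visible here; confirm it cannot widen results.
			expectedResult: "()",
		},
	}

	for _, testCase := range testCases {
		t.Run(testCase.title, func(t *testing.T) {
			filter := AccessControlDashboardPermissionFilter{
				// Empty but non-nil permissions: the user holds no scopes
				// for any action.
				User:             &models.SignedInUser{Permissions: map[int64]map[string][]string{}},
				dashboardActions: testCase.dashboardActions,
				folderActions:    testCase.folderActions,
			}

			query, args := filter.Where()

			// None of the expected fragments carries bind arguments.
			assert.Empty(t, args)
			assert.Equal(t, testCase.expectedResult, query)
		})
	}
}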