mirror of
https://github.com/grafana/grafana.git
synced 2025-08-02 11:13:11 +08:00
edf1775d49
* Moving POC files from #64283 to a new branch Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Adding missing permission definition Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Force the service instantiation while client isn't merged Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Merge conf with main Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Leave go-sqlite3 version unchanged Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * tidy Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * User SearchUserPermissions instead of SearchUsersPermissions * Replace DummyKeyService with signingkeys.Service * Use user🆔<id> as subject * Fix introspection endpoint issue * Add X-Grafana-Org-Id to get_resources.bash script * Regenerate toggles_gen.go * Fix basic.go * Add GetExternalService tests * Add GetPublicKeyScopes tests * Add GetScopesOnUser tests * Add GetScopes tests * Add ParsePublicKeyPem tests * Add database test for GetByName * re-add comments * client tests added * Add GetExternalServicePublicKey tests * Add other test case to GetExternalServicePublicKey * client_credentials grant test * Add test to jwtbearer grant * Test Comments * Add handleKeyOptions tests * Add RSA key generation test * Add ECDSA by default to EmbeddedSigningKeysService * Clean up org id scope and audiences * Add audiences to the DB * Fix check on Audience * Fix double import * Add AC Store mock and align oauthserver tests * Fix test after rebase * Adding missing store function to mock * Fix double import * Add CODEOWNER * Fix some linting errors * errors don't need type assertion * Typo codeowners * use mockery for oauthserver store * Add feature toggle check * Fix db tests to handle the feature flag * Adding call to DeleteExternalServiceRole * Fix flaky test * Re-organize routes comments and plan futur work * Add client_id check to Extended JWT client * Clean up * Fix * Remove background service registry instantiation of the OAuth server * Comment cleanup * Remove unused client function * Update go.mod to use the latest ory/fosite commit * Remove oauth2_server related configs from defaults.ini * Add audiences to DTO * Fix flaky test * Remove registration endpoint and demo scripts. Document code * Rename packages * Remove the OAuthService vs OAuthServer confusion * fix incorrect import ext_jwt_test * Comments and order * Comment basic auth * Remove unecessary todo * Clean api * Moving ParsePublicKeyPem to utils * re ordering functions in service.go * Fix comment * comment on the redirect uri * Add RBAC actions, not only scopes * Fix tests * re-import featuremgmt in migrations * Fix wire * Fix scopes in test * Fix flaky test * Remove todo, the intersection should always return the minimal set * Remove unecessary check from intersection code * Allow env overrides on settings * remove the term app name * Remove app keyword for client instead and use Name instead of ExternalServiceName * LogID remove ExternalService ref * Use Name instead of ExternalServiceName * Imports order * Inline * Using ExternalService and ExternalServiceDTO * Remove xorm tags * comment * Rename client files * client -> external service * comments * Move test to correct package * slimmer test * cachedUser -> cachedExternalService * Fix aggregate store test * PluginAuthSession -> AuthSession * Revert the nil cehcks * Remove unecessary extra * Removing custom session * fix typo in test * Use constants for tests * Simplify HandleToken tests * Refactor the HandleTokenRequest test * test message * Review test * Prevent flacky test on client as well * go imports * Revert changes from 526e48ad4550fed7e2b753b9d0a0cc6097155f58 * AuthN: Change the External Service registration form (#68649) * AuthN: change the External Service registration form * Gen default permissions * Change demo script registration form * Remove unecessary comment * Nit. * Reduce cyclomatic complexity * Remove demo_scripts * Handle case with no service account * Comments * Group key gen * Nit. * Check the SaveExternalService test * Rename cachedUser to cachedClient in test * One more test case to database test * Comments * Remove last org scope Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> * Update pkg/services/oauthserver/utils/utils_test.go * Update pkg/services/sqlstore/migrations/oauthserver/migrations.go Remove comment * Update pkg/setting/setting.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> --------- Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>
211 lines
6.6 KiB
Go
211 lines
6.6 KiB
Go
package oauthserver
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol/acimpl"
|
|
"github.com/grafana/grafana/pkg/services/dashboards"
|
|
"github.com/grafana/grafana/pkg/services/user"
|
|
"github.com/grafana/grafana/pkg/setting"
|
|
)
|
|
|
|
func setupTestEnv(t *testing.T) *ExternalService {
|
|
t.Helper()
|
|
|
|
client := &ExternalService{
|
|
Name: "my-ext-service",
|
|
ClientID: "RANDOMID",
|
|
Secret: "RANDOMSECRET",
|
|
GrantTypes: "client_credentials,urn:ietf:params:oauth:grant-type:jwt-bearer",
|
|
ServiceAccountID: 2,
|
|
SelfPermissions: []ac.Permission{
|
|
{Action: ac.ActionUsersImpersonate, Scope: ac.ScopeUsersAll},
|
|
},
|
|
SignedInUser: &user.SignedInUser{
|
|
UserID: 2,
|
|
OrgID: 1,
|
|
},
|
|
}
|
|
return client
|
|
}
|
|
|
|
func TestExternalService_GetScopesOnUser(t *testing.T) {
|
|
testCases := []struct {
|
|
name string
|
|
impersonatePermissions []ac.Permission
|
|
initTestEnv func(*ExternalService)
|
|
expectedScopes []string
|
|
}{
|
|
{
|
|
name: "should return nil when the service account has no impersonate permissions",
|
|
expectedScopes: nil,
|
|
},
|
|
{
|
|
name: "should return the 'profile', 'email' and associated RBAC action",
|
|
initTestEnv: func(c *ExternalService) {
|
|
c.SignedInUser.Permissions = map[int64]map[string][]string{
|
|
1: {
|
|
ac.ActionUsersImpersonate: {ac.ScopeUsersAll},
|
|
},
|
|
}
|
|
c.ImpersonatePermissions = []ac.Permission{
|
|
{Action: ac.ActionUsersRead, Scope: ScopeGlobalUsersSelf},
|
|
}
|
|
},
|
|
expectedScopes: []string{"profile", "email", ac.ActionUsersRead},
|
|
},
|
|
{
|
|
name: "should return 'entitlements' and associated RBAC action scopes",
|
|
initTestEnv: func(c *ExternalService) {
|
|
c.SignedInUser.Permissions = map[int64]map[string][]string{
|
|
1: {
|
|
ac.ActionUsersImpersonate: {ac.ScopeUsersAll},
|
|
},
|
|
}
|
|
c.ImpersonatePermissions = []ac.Permission{
|
|
{Action: ac.ActionUsersPermissionsRead, Scope: ScopeUsersSelf},
|
|
}
|
|
},
|
|
expectedScopes: []string{"entitlements", ac.ActionUsersPermissionsRead},
|
|
},
|
|
{
|
|
name: "should return 'groups' and associated RBAC action scopes",
|
|
initTestEnv: func(c *ExternalService) {
|
|
c.SignedInUser.Permissions = map[int64]map[string][]string{
|
|
1: {
|
|
ac.ActionUsersImpersonate: {ac.ScopeUsersAll},
|
|
},
|
|
}
|
|
c.ImpersonatePermissions = []ac.Permission{
|
|
{Action: ac.ActionTeamsRead, Scope: ScopeTeamsSelf},
|
|
}
|
|
},
|
|
expectedScopes: []string{"groups", ac.ActionTeamsRead},
|
|
},
|
|
{
|
|
name: "should return all scopes",
|
|
initTestEnv: func(c *ExternalService) {
|
|
c.SignedInUser.Permissions = map[int64]map[string][]string{
|
|
1: {
|
|
ac.ActionUsersImpersonate: {ac.ScopeUsersAll},
|
|
},
|
|
}
|
|
c.ImpersonatePermissions = []ac.Permission{
|
|
{Action: ac.ActionUsersRead, Scope: ScopeGlobalUsersSelf},
|
|
{Action: ac.ActionUsersPermissionsRead, Scope: ScopeUsersSelf},
|
|
{Action: ac.ActionTeamsRead, Scope: ScopeTeamsSelf},
|
|
{Action: dashboards.ActionDashboardsRead, Scope: dashboards.ScopeDashboardsAll},
|
|
}
|
|
},
|
|
expectedScopes: []string{"profile", "email", ac.ActionUsersRead,
|
|
"entitlements", ac.ActionUsersPermissionsRead,
|
|
"groups", ac.ActionTeamsRead,
|
|
"dashboards:read"},
|
|
},
|
|
{
|
|
name: "should return stored scopes when the client's impersonate scopes has already been set",
|
|
initTestEnv: func(c *ExternalService) {
|
|
c.SignedInUser.Permissions = map[int64]map[string][]string{
|
|
1: {
|
|
ac.ActionUsersImpersonate: {ac.ScopeUsersAll},
|
|
},
|
|
}
|
|
c.ImpersonateScopes = []string{"dashboard:create", "profile", "email", "entitlements", "groups"}
|
|
},
|
|
expectedScopes: []string{"profile", "email", "entitlements", "groups", "dashboard:create"},
|
|
},
|
|
}
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
c := setupTestEnv(t)
|
|
if tc.initTestEnv != nil {
|
|
tc.initTestEnv(c)
|
|
}
|
|
scopes := c.GetScopesOnUser(context.Background(), acimpl.ProvideAccessControl(setting.NewCfg()), 3)
|
|
require.ElementsMatch(t, tc.expectedScopes, scopes)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestExternalService_GetScopes(t *testing.T) {
|
|
testCases := []struct {
|
|
name string
|
|
impersonatePermissions []ac.Permission
|
|
initTestEnv func(*ExternalService)
|
|
expectedScopes []string
|
|
}{
|
|
{
|
|
name: "should return default scopes when the signed in user is nil",
|
|
initTestEnv: func(c *ExternalService) {
|
|
c.SignedInUser = nil
|
|
},
|
|
expectedScopes: []string{"profile", "email", "entitlements", "groups"},
|
|
},
|
|
{
|
|
name: "should return default scopes when the signed in user has no permissions",
|
|
initTestEnv: func(c *ExternalService) {
|
|
c.SignedInUser.Permissions = map[int64]map[string][]string{}
|
|
},
|
|
expectedScopes: []string{"profile", "email", "entitlements", "groups"},
|
|
},
|
|
{
|
|
name: "should return additional scopes from signed in user's permissions",
|
|
initTestEnv: func(c *ExternalService) {
|
|
c.SignedInUser.Permissions = map[int64]map[string][]string{
|
|
1: {
|
|
dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll},
|
|
},
|
|
}
|
|
},
|
|
expectedScopes: []string{"profile", "email", "entitlements", "groups", "dashboards:read"},
|
|
},
|
|
{
|
|
name: "should return stored scopes when the client's scopes has already been set",
|
|
initTestEnv: func(c *ExternalService) {
|
|
c.Scopes = []string{"profile", "email", "entitlements", "groups"}
|
|
},
|
|
expectedScopes: []string{"profile", "email", "entitlements", "groups"},
|
|
},
|
|
}
|
|
for _, tc := range testCases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
c := setupTestEnv(t)
|
|
if tc.initTestEnv != nil {
|
|
tc.initTestEnv(c)
|
|
}
|
|
scopes := c.GetScopes()
|
|
require.ElementsMatch(t, tc.expectedScopes, scopes)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestExternalService_ToDTO(t *testing.T) {
|
|
client := &ExternalService{
|
|
ID: 1,
|
|
Name: "my-ext-service",
|
|
ClientID: "test",
|
|
Secret: "testsecret",
|
|
RedirectURI: "http://localhost:3000",
|
|
GrantTypes: "client_credentials,urn:ietf:params:oauth:grant-type:jwt-bearer",
|
|
Audiences: "https://example.org,https://second.example.org",
|
|
PublicPem: []byte("pem_encoded_public_key"),
|
|
}
|
|
|
|
dto := client.ToDTO()
|
|
|
|
require.Equal(t, client.ClientID, dto.ID)
|
|
require.Equal(t, client.Name, dto.Name)
|
|
require.Equal(t, client.RedirectURI, dto.RedirectURI)
|
|
require.Equal(t, client.GrantTypes, dto.GrantTypes)
|
|
require.Equal(t, client.Audiences, dto.Audiences)
|
|
require.Equal(t, client.PublicPem, []byte(dto.KeyResult.PublicPem))
|
|
require.Empty(t, dto.KeyResult.PrivatePem)
|
|
require.Empty(t, dto.KeyResult.URL)
|
|
require.False(t, dto.KeyResult.Generated)
|
|
require.Equal(t, client.Secret, dto.Secret)
|
|
}
|