* Remove fully rolled out ft annotationPermissionUpdate * fix annot test and lint * fix frontend tests * fix integration test * fix flaky test
package api
import (
|
|
"context"
|
|
"io"
|
|
"net/http"
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/mock"
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol/acimpl"
|
|
"github.com/grafana/grafana/pkg/services/annotations"
|
|
"github.com/grafana/grafana/pkg/services/annotations/annotationstest"
|
|
"github.com/grafana/grafana/pkg/services/dashboards"
|
|
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
|
"github.com/grafana/grafana/pkg/services/folder"
|
|
"github.com/grafana/grafana/pkg/services/folder/foldertest"
|
|
"github.com/grafana/grafana/pkg/setting"
|
|
"github.com/grafana/grafana/pkg/web/webtest"
|
|
)
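// TestAPI_Annotations exercises the authorization decisions of the
// /api/annotations endpoints through the HTTP layer. Every case sends one
// request as a signed-in user holding exactly tt.permissions and asserts only
// on the response status code; the response body is not inspected.
//
// Fixture layout (see the SetupAPITestServer callback in the loop body):
//   - annotation 1 has no dashboard, so it is treated as an organization
//     annotation;
//   - annotation 2 belongs to a dashboard. The fake dashboard service answers
//     every GetDashboard call with the same dashboard (UID dashUID inside folder
//     folderUID), so dashboard-scoped cases never distinguish which dashboard
//     was looked up; they only check that a matching dashboard or folder UID
//     scope is required.
//
// The "old dashboard scope" cases pin that holding the legacy
// accesscontrol.ScopeAnnotationsTypeDashboard scope is no longer sufficient to
// read, write or delete a dashboard annotation: access must come through the
// dashboard UID scope or the folder UID scope.
func TestAPI_Annotations(t *testing.T) {
	dashUID := "test-dash"
	folderUID := "test-folder"

	type testCase struct {
		desc         string
		path         string
		method       string
		body         string // request body; sent as JSON when non-empty
		expectedCode int
		permissions  []accesscontrol.Permission
	}

	readAll := []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsRead, Scope: accesscontrol.ScopeAnnotationsAll}}
	noPermissions := []accesscontrol.Permission{}

	// scoped builds a single permission for action on the given scope.
	scoped := func(action, scope string) []accesscontrol.Permission {
		return []accesscontrol.Permission{{Action: action, Scope: scope}}
	}
	dashScope := dashboards.ScopeDashboardsProvider.GetResourceScopeUID(dashUID)
	folderScope := dashboards.ScopeFoldersProvider.GetResourceScopeUID(folderUID)

	tests := []testCase{
		{
			desc:         "should be able to fetch annotations with correct permission",
			path:         "/api/annotations",
			method:       http.MethodGet,
			expectedCode: http.StatusOK,
			permissions:  readAll,
		},
		{
			desc:         "should not be able to fetch annotations without correct permission",
			path:         "/api/annotations",
			method:       http.MethodGet,
			expectedCode: http.StatusForbidden,
			permissions:  noPermissions,
		},
		{
			desc:         "should be able to fetch annotation by id with correct permission",
			path:         "/api/annotations/1",
			method:       http.MethodGet,
			expectedCode: http.StatusOK,
			permissions:  readAll,
		},
		{
			desc:         "should not be able to fetch annotation by id without correct permission",
			path:         "/api/annotations/1",
			method:       http.MethodGet,
			expectedCode: http.StatusForbidden,
			permissions:  noPermissions,
		},
		{
			desc:         "should be able to fetch dashboard annotation by id with correct dashboard scope",
			path:         "/api/annotations/2",
			method:       http.MethodGet,
			expectedCode: http.StatusOK,
			permissions:  scoped(accesscontrol.ActionAnnotationsRead, dashScope),
		},
		{
			desc:         "should be able to fetch dashboard annotation by id with correct folder scope",
			path:         "/api/annotations/2",
			method:       http.MethodGet,
			expectedCode: http.StatusOK,
			permissions:  scoped(accesscontrol.ActionAnnotationsRead, folderScope),
		},
		{
			desc:         "should not be able to fetch dashboard annotation by id with the old dashboard scope",
			path:         "/api/annotations/2",
			method:       http.MethodGet,
			expectedCode: http.StatusForbidden,
			permissions:  scoped(accesscontrol.ActionAnnotationsRead, accesscontrol.ScopeAnnotationsTypeDashboard),
		},
		{
			desc:         "should be able to fetch annotation tags with correct permission",
			path:         "/api/annotations/tags",
			method:       http.MethodGet,
			expectedCode: http.StatusOK,
			// Tags are not scoped: the bare read action is enough.
			permissions: []accesscontrol.Permission{{Action: accesscontrol.ActionAnnotationsRead}},
		},
		{
			desc:         "should not be able to fetch annotation tags without correct permission",
			path:         "/api/annotations/tags",
			method:       http.MethodGet,
			expectedCode: http.StatusForbidden,
			permissions:  noPermissions,
		},
		{
			desc:         "should not be able to update dashboard annotation without correct permission",
			path:         "/api/annotations/2",
			method:       http.MethodPut,
			expectedCode: http.StatusForbidden,
			permissions:  noPermissions,
		},
		{
			desc:         "should be able to update dashboard annotation with correct dashboard scope",
			path:         "/api/annotations/2",
			method:       http.MethodPut,
			expectedCode: http.StatusOK,
			permissions:  scoped(accesscontrol.ActionAnnotationsWrite, dashScope),
		},
		{
			desc:         "should be able to update dashboard annotation with correct folder scope",
			path:         "/api/annotations/2",
			method:       http.MethodPut,
			expectedCode: http.StatusOK,
			permissions:  scoped(accesscontrol.ActionAnnotationsWrite, folderScope),
		},
		{
			desc:         "should not be able to update dashboard annotation with the old dashboard scope",
			path:         "/api/annotations/2",
			method:       http.MethodPut,
			expectedCode: http.StatusForbidden,
			permissions:  scoped(accesscontrol.ActionAnnotationsWrite, accesscontrol.ScopeAnnotationsTypeDashboard),
		},
		{
			desc:         "should be able to update organization annotation with correct permission",
			path:         "/api/annotations/1",
			method:       http.MethodPut,
			expectedCode: http.StatusOK,
			permissions:  scoped(accesscontrol.ActionAnnotationsWrite, accesscontrol.ScopeAnnotationsTypeOrganization),
		},
		{
			desc:         "should not be able to update organization annotation without correct permission",
			path:         "/api/annotations/1",
			method:       http.MethodPut,
			expectedCode: http.StatusForbidden,
			permissions:  scoped(accesscontrol.ActionAnnotationsWrite, accesscontrol.ScopeAnnotationsTypeDashboard),
		},
		{
			desc:         "should not be able to patch dashboard annotation without correct permission",
			path:         "/api/annotations/2",
			method:       http.MethodPatch,
			expectedCode: http.StatusForbidden,
			permissions:  noPermissions,
		},
		{
			desc:         "should be able to patch dashboard annotation with correct dashboard scope",
			path:         "/api/annotations/2",
			method:       http.MethodPatch,
			expectedCode: http.StatusOK,
			permissions:  scoped(accesscontrol.ActionAnnotationsWrite, dashScope),
		},
		{
			desc:         "should be able to patch dashboard annotation with correct folder scope",
			path:         "/api/annotations/2",
			method:       http.MethodPatch,
			expectedCode: http.StatusOK,
			permissions:  scoped(accesscontrol.ActionAnnotationsWrite, folderScope),
		},
		{
			desc:         "should not be able to patch dashboard annotation with the old dashboard scope",
			path:         "/api/annotations/2",
			method:       http.MethodPatch,
			expectedCode: http.StatusForbidden,
			permissions:  scoped(accesscontrol.ActionAnnotationsWrite, accesscontrol.ScopeAnnotationsTypeDashboard),
		},
		{
			desc:         "should be able to patch organization annotation with correct permission",
			path:         "/api/annotations/1",
			method:       http.MethodPatch,
			expectedCode: http.StatusOK,
			permissions:  scoped(accesscontrol.ActionAnnotationsWrite, accesscontrol.ScopeAnnotationsTypeOrganization),
		},
		{
			desc:         "should not be able to patch organization annotation without correct permission",
			path:         "/api/annotations/1",
			method:       http.MethodPatch,
			expectedCode: http.StatusForbidden,
			permissions:  scoped(accesscontrol.ActionAnnotationsWrite, accesscontrol.ScopeAnnotationsTypeDashboard),
		},
		{
			desc:         "should not be able to create dashboard annotation without correct permission",
			path:         "/api/annotations",
			method:       http.MethodPost,
			body:         `{"dashboardId": 2,"text": "test"}`,
			expectedCode: http.StatusForbidden,
			// An organization-level create permission must not extend to a dashboard annotation.
			permissions: scoped(accesscontrol.ActionAnnotationsCreate, accesscontrol.ScopeAnnotationsTypeOrganization),
		},
		{
			desc:         "should be able to create dashboard annotation with correct dashboard scope",
			path:         "/api/annotations",
			method:       http.MethodPost,
			body:         `{"dashboardId": 2,"text": "test"}`,
			expectedCode: http.StatusOK,
			permissions:  scoped(accesscontrol.ActionAnnotationsCreate, dashScope),
		},
		{
			desc:         "should be able to create dashboard annotation with correct folder scope",
			path:         "/api/annotations",
			method:       http.MethodPost,
			body:         `{"dashboardId": 2,"text": "test"}`,
			expectedCode: http.StatusOK,
			permissions:  scoped(accesscontrol.ActionAnnotationsCreate, folderScope),
		},
		{
			desc:         "should not be able to create dashboard annotation with the old dashboard scope",
			path:         "/api/annotations",
			method:       http.MethodPost,
			body:         `{"dashboardId": 2,"text": "test"}`,
			expectedCode: http.StatusForbidden,
			permissions:  scoped(accesscontrol.ActionAnnotationsCreate, accesscontrol.ScopeAnnotationsTypeDashboard),
		},
		{
			desc:         "should be able to create organization annotation with correct permission",
			path:         "/api/annotations",
			method:       http.MethodPost,
			body:         `{"text": "test"}`,
			expectedCode: http.StatusOK,
			permissions:  scoped(accesscontrol.ActionAnnotationsCreate, accesscontrol.ScopeAnnotationsTypeOrganization),
		},
		{
			desc:         "should not be able to create organization annotation without correct permission",
			path:         "/api/annotations",
			method:       http.MethodPost,
			body:         `{"text": "test"}`,
			expectedCode: http.StatusForbidden,
			permissions:  scoped(accesscontrol.ActionAnnotationsCreate, accesscontrol.ScopeAnnotationsTypeDashboard),
		},
		{
			desc:         "should not be able to delete dashboard annotation without correct permission",
			path:         "/api/annotations/2",
			method:       http.MethodDelete,
			expectedCode: http.StatusForbidden,
			permissions:  scoped(accesscontrol.ActionAnnotationsDelete, accesscontrol.ScopeAnnotationsTypeOrganization),
		},
		{
			desc:         "should be able to delete dashboard annotation with correct dashboard scope",
			path:         "/api/annotations/2",
			method:       http.MethodDelete,
			expectedCode: http.StatusOK,
			permissions:  scoped(accesscontrol.ActionAnnotationsDelete, dashScope),
		},
		{
			desc:         "should be able to delete dashboard annotation with correct folder scope",
			path:         "/api/annotations/2",
			method:       http.MethodDelete,
			expectedCode: http.StatusOK,
			permissions:  scoped(accesscontrol.ActionAnnotationsDelete, folderScope),
		},
		{
			desc:         "should not be able to delete dashboard annotation with the old dashboard scope",
			path:         "/api/annotations/2",
			method:       http.MethodDelete,
			expectedCode: http.StatusForbidden,
			permissions:  scoped(accesscontrol.ActionAnnotationsDelete, accesscontrol.ScopeAnnotationsTypeDashboard),
		},
		{
			desc:         "should be able to delete organization annotation with correct permission",
			path:         "/api/annotations/1",
			method:       http.MethodDelete,
			expectedCode: http.StatusOK,
			permissions:  scoped(accesscontrol.ActionAnnotationsDelete, accesscontrol.ScopeAnnotationsTypeOrganization),
		},
		{
			desc:         "should not be able to delete organization annotation without correct permission",
			path:         "/api/annotations/1",
			method:       http.MethodDelete,
			expectedCode: http.StatusForbidden,
			permissions:  scoped(accesscontrol.ActionAnnotationsDelete, accesscontrol.ScopeAnnotationsTypeDashboard),
		},
		{
			desc:         "should be able to create graphite annotation with correct permission",
			path:         "/api/annotations/graphite",
			body:         `{"what": "test", "tags": []}`,
			method:       http.MethodPost,
			expectedCode: http.StatusOK,
			permissions:  scoped(accesscontrol.ActionAnnotationsCreate, accesscontrol.ScopeAnnotationsTypeOrganization),
		},
		{
			desc:         "should not be able to create graphite annotation without correct permission",
			path:         "/api/annotations/graphite",
			method:       http.MethodPost,
			expectedCode: http.StatusForbidden,
			permissions:  scoped(accesscontrol.ActionAnnotationsCreate, accesscontrol.ScopeAnnotationsTypeDashboard),
		},
		{
			desc:         "should not be able to mass delete dashboard annotations without correct permission",
			path:         "/api/annotations/mass-delete",
			body:         `{"dashboardId": 2, "panelId": 1}`,
			method:       http.MethodPost,
			expectedCode: http.StatusForbidden,
			permissions:  scoped(accesscontrol.ActionAnnotationsDelete, accesscontrol.ScopeAnnotationsTypeOrganization),
		},
		{
			desc:         "should be able to mass delete dashboard annotation with correct dashboard scope",
			path:         "/api/annotations/mass-delete",
			body:         `{"dashboardId": 2, "panelId": 1}`,
			method:       http.MethodPost,
			expectedCode: http.StatusOK,
			permissions:  scoped(accesscontrol.ActionAnnotationsDelete, dashScope),
		},
		{
			desc:         "should be able to mass delete dashboard annotation with correct folder scope",
			path:         "/api/annotations/mass-delete",
			body:         `{"dashboardId": 2, "panelId": 1}`,
			method:       http.MethodPost,
			expectedCode: http.StatusOK,
			permissions:  scoped(accesscontrol.ActionAnnotationsDelete, folderScope),
		},
		{
			desc:         "should not be able to mass delete dashboard annotation with the old dashboard scope",
			path:         "/api/annotations/mass-delete",
			body:         `{"dashboardId": 2, "panelId": 1}`,
			method:       http.MethodPost,
			expectedCode: http.StatusForbidden,
			permissions:  scoped(accesscontrol.ActionAnnotationsDelete, accesscontrol.ScopeAnnotationsTypeDashboard),
		},
	}

	for _, tt := range tests {
		t.Run(tt.desc, func(t *testing.T) {
			server := SetupAPITestServer(t, func(hs *HTTPServer) {
				hs.Cfg = setting.NewCfg()

				// Seed the two fixture annotations. Seeding must not fail silently:
				// every case below depends on both items existing, and a missing
				// item would turn an authorization failure into a 404 that the
				// status assertion cannot tell apart from a genuine regression.
				repo := annotationstest.NewFakeAnnotationsRepo()
				require.NoError(t, repo.Save(context.Background(), &annotations.Item{ID: 1, DashboardID: 0, DashboardUID: ""}))
				require.NoError(t, repo.Save(context.Background(), &annotations.Item{ID: 2, DashboardID: 1, DashboardUID: "dashuid1"}))
				hs.annotationsRepo = repo
				hs.Features = featuremgmt.WithFeatures()

				// Any dashboard lookup resolves to dashUID in folderUID, regardless
				// of the UID/ID the handler asks for.
				dashService := &dashboards.FakeDashboardService{}
				dashService.On("GetDashboard", mock.Anything, mock.Anything).Return(&dashboards.Dashboard{UID: dashUID, FolderUID: folderUID, FolderID: 1}, nil)
				folderService := &foldertest.FakeService{}
				folderService.ExpectedFolder = &folder.Folder{UID: folderUID, ID: 1}
				hs.DashboardService = dashService
				hs.folderService = folderService

				// Both resolvers are needed: the first expands "annotations:id:N"
				// into dashboard/folder scopes, the second expands dashboard UID
				// scopes into their folder scope so folder-level grants apply.
				hs.AccessControl = acimpl.ProvideAccessControl(featuremgmt.WithFeatures())
				hs.AccessControl.RegisterScopeAttributeResolver(AnnotationTypeScopeResolver(hs.annotationsRepo, hs.Features, dashService, folderService))
				hs.AccessControl.RegisterScopeAttributeResolver(dashboards.NewDashboardUIDScopeResolver(dashService, folderService))
			})

			// A nil io.Reader yields a request without a body; only JSON cases set one.
			var body io.Reader
			if tt.body != "" {
				body = strings.NewReader(tt.body)
			}

			// authedUserWithPermissions is a package helper; its leading arguments are
			// presumably the org and user IDs — see its definition.
			req := webtest.RequestWithSignedInUser(server.NewRequest(tt.method, tt.path, body), authedUserWithPermissions(1, 1, tt.permissions))
			res, err := server.SendJSON(req)
			require.NoError(t, err)
			assert.Equal(t, tt.expectedCode, res.StatusCode)
			require.NoError(t, res.Body.Close())
		})
	}
}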
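// TestService_AnnotationTypeScopeResolver checks that the "annotations:id:"
// scope resolver expands an annotation ID into the set of scopes an
// access-control evaluation should match against:
//   - an annotation with no dashboard resolves to the organization scope;
//   - a dashboard annotation resolves to the dashboard's UID scope plus the
//     UID scope of its folder (the general folder for a root dashboard), which
//     is what lets folder-level grants cover annotations inside the folder;
//   - a non-numeric ID, or a scope missing the "id:" segment, is rejected with
//     accesscontrol.ErrInvalidScope rather than resolving to anything.
func TestService_AnnotationTypeScopeResolver(t *testing.T) {
	rootDashUID := "root-dashboard"
	folderDashUID := "folder-dashboard"
	folderUID := "folder"

	// The fake dashboard service is stubbed only for the two exact queries
	// registered here (UID + OrgID 1); nothing else is answered.
	dashSvc := &dashboards.FakeDashboardService{}
	rootDash := &dashboards.Dashboard{ID: 1, OrgID: 1, UID: rootDashUID}
	folderDash := &dashboards.Dashboard{ID: 2, OrgID: 1, UID: folderDashUID, FolderUID: folderUID}
	dashSvc.On("GetDashboard", mock.Anything, &dashboards.GetDashboardQuery{UID: rootDash.UID, OrgID: 1}).Return(rootDash, nil)
	dashSvc.On("GetDashboard", mock.Anything, &dashboards.GetDashboardQuery{UID: folderDash.UID, OrgID: 1}).Return(folderDash, nil)

	// Annotation IDs are deliberately not aligned with dashboard IDs so that a
	// resolver confusing the two would be caught.
	rootDashboardAnnotation := annotations.Item{ID: 1, DashboardID: rootDash.ID, DashboardUID: rootDash.UID}
	folderDashboardAnnotation := annotations.Item{ID: 3, DashboardID: folderDash.ID, DashboardUID: folderDash.UID}
	organizationAnnotation := annotations.Item{ID: 2}

	// Seeding must not fail silently: each case resolves one of these IDs.
	fakeAnnoRepo := annotationstest.NewFakeAnnotationsRepo()
	require.NoError(t, fakeAnnoRepo.Save(context.Background(), &rootDashboardAnnotation))
	require.NoError(t, fakeAnnoRepo.Save(context.Background(), &folderDashboardAnnotation))
	require.NoError(t, fakeAnnoRepo.Save(context.Background(), &organizationAnnotation))

	type testCaseResolver struct {
		desc    string
		given   string   // scope handed to the resolver
		want    []string // expected resolved scopes; ignored when wantErr is set
		wantErr error
	}

	testCases := []testCaseResolver{
		{
			desc:    "correctly resolves organization annotations",
			given:   "annotations:id:2",
			want:    []string{accesscontrol.ScopeAnnotationsTypeOrganization},
			wantErr: nil,
		},
		{
			desc:    "invalid annotation ID",
			given:   "annotations:id:123abc",
			want:    nil,
			wantErr: accesscontrol.ErrInvalidScope,
		},
		{
			desc:    "malformed scope",
			given:   "annotations:1",
			want:    nil,
			wantErr: accesscontrol.ErrInvalidScope,
		},
		{
			desc:  "correctly resolves annotations from root dashboard",
			given: "annotations:id:1",
			want: []string{
				dashboards.ScopeDashboardsProvider.GetResourceScopeUID(rootDashUID),
				dashboards.ScopeFoldersProvider.GetResourceScopeUID(accesscontrol.GeneralFolderUID),
			},
			wantErr: nil,
		},
		{
			desc:  "correctly resolves annotations from dashboard in a folder",
			given: "annotations:id:3",
			want: []string{
				dashboards.ScopeDashboardsProvider.GetResourceScopeUID(folderDashUID),
				dashboards.ScopeFoldersProvider.GetResourceScopeUID(folderUID),
			},
			wantErr: nil,
		},
	}

	for _, tc := range testCases {
		t.Run(tc.desc, func(t *testing.T) {
			features := featuremgmt.WithFeatures()
			prefix, resolver := AnnotationTypeScopeResolver(fakeAnnoRepo, features, dashSvc, &foldertest.FakeService{})
			require.Equal(t, "annotations:id:", prefix)

			// Resolve in org 1, matching the OrgID the dashboard stubs expect.
			resolved, err := resolver.Resolve(context.Background(), 1, tc.given)
			if tc.wantErr != nil {
				require.Error(t, err)
				require.Equal(t, tc.wantErr, err)
				return
			}
			require.NoError(t, err)
			require.Len(t, resolved, len(tc.want))
			require.Equal(t, tc.want, resolved)
		})
	}
}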