Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-05-23 00:49:03 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 143
fleet/server/service/global_policies_test.go
Scott Gress fca1e1ab42
Add GitOps for policy labels (#27781) 
For #27301 

# Checklist for submitter

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [X] Added/updated automated tests
- [X] A detailed QA plan exists on the associated ticket (if it isn't
there, work with the product group's QA engineer to add it)
- [X] Manual QA for all new/changed functionality

# Details

This PR adds the ability to set/unset labels on policies via GitOps. It
builds on https://github.com/fleetdm/fleet/pull/27575 (back end for
policy labels) and updates the `PolicySpec` type and `ApplyPolicySpecs`
methods to update the `policy_labels` table where needed.

## Testing

1. Create a few labels in the UI
1. Create a global policy "foo" in the UI without labels
2. Create a global policy "bar" in the UI with labels
2. Create a global policy "baz" in the UI with labels
4. Use `fleetctl gitops` with a global .yml file, and under `policies:`
add "foo", "bar", "baz" and "boop".
  * Add labels to "foo" with `labels_include_any:`
  * Don't add `labels_include_any:` to "bar"
* Add labels to "baz" with `labels_include_any:`, but different labels
than what you added in the UI
  * Add labels to "boop" with `labels_include_any:`

The expected outcome when viewing the queries in the UI (on the "edit
query" screen)
* Foo, Baz and Boop should have the labels specified in gitops
* Bar should have no labels

Repeat testing with _excluded_ labels.

---------

Co-authored-by: dantecatalfamo <dante.catalfamo@gmail.com>
Co-authored-by: Dante Catalfamo <43040593+dantecatalfamo@users.noreply.github.com>
2025-04-04 09:46:51 -05:00

322 lines
8.3 KiB
Go
Raw Blame History

package service
import (
"context"
"testing"
"time"
"github.com/fleetdm/fleet/v4/server/contexts/viewer"
"github.com/fleetdm/fleet/v4/server/fleet"
"github.com/fleetdm/fleet/v4/server/mock"
"github.com/fleetdm/fleet/v4/server/ptr"
"github.com/stretchr/testify/require"
)
func TestCheckPolicySpecAuthorization(t *testing.T) {
t.Run("when team not found", func(t *testing.T) {
ds := new(mock.Store)
ds.TeamByNameFunc = func(ctx context.Context, name string) (*fleet.Team, error) {
return nil, &notFoundError{}
}
svc, ctx := newTestService(t, ds, nil, nil)
req := []*fleet.PolicySpec{
{
Team: "some_team",
},
}
user := &fleet.User{GlobalRole: ptr.String(fleet.RoleAdmin)}
ctx = viewer.NewContext(ctx, viewer.Viewer{User: user})
actual := svc.ApplyPolicySpecs(ctx, req)
var expected fleet.NotFoundError
require.ErrorAs(t, actual, &expected)
})
}
func TestGlobalPoliciesAuth(t *testing.T) {
ds := new(mock.Store)
svc, ctx := newTestService(t, ds, nil, nil)
ds.NewGlobalPolicyFunc = func(ctx context.Context, authorID *uint, args fleet.PolicyPayload) (*fleet.Policy, error) {
return &fleet.Policy{}, nil
}
ds.ListGlobalPoliciesFunc = func(ctx context.Context, opts fleet.ListOptions) ([]*fleet.Policy, error) {
return nil, nil
}
ds.PoliciesByIDFunc = func(ctx context.Context, ids []uint) (map[uint]*fleet.Policy, error) {
return nil, nil
}
ds.PolicyFunc = func(ctx context.Context, id uint) (*fleet.Policy, error) {
return &fleet.Policy{
PolicyData: fleet.PolicyData{
ID: id,
},
}, nil
}
ds.DeleteGlobalPoliciesFunc = func(ctx context.Context, ids []uint) ([]uint, error) {
return nil, nil
}
ds.TeamByNameFunc = func(ctx context.Context, name string) (*fleet.Team, error) {
return &fleet.Team{ID: 1}, nil
}
ds.ApplyPolicySpecsFunc = func(ctx context.Context, authorID uint, specs []*fleet.PolicySpec) error {
return nil
}
ds.NewActivityFunc = func(
ctx context.Context, user *fleet.User, activity fleet.ActivityDetails, details []byte, createdAt time.Time,
) error {
return nil
}
ds.SavePolicyFunc = func(ctx context.Context, p *fleet.Policy, shouldDeleteAll bool, removePolicyStats bool) error {
return nil
}
ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {
return &fleet.AppConfig{
WebhookSettings: fleet.WebhookSettings{
FailingPoliciesWebhook: fleet.FailingPoliciesWebhookSettings{
Enable: false,
},
},
}, nil
}
testCases := []struct {
name string
user *fleet.User
shouldFailWrite bool
shouldFailRead bool
}{
{
"global admin",
&fleet.User{GlobalRole: ptr.String(fleet.RoleAdmin)},
false,
false,
},
{
"global maintainer",
&fleet.User{GlobalRole: ptr.String(fleet.RoleMaintainer)},
false,
false,
},
{
"global observer",
&fleet.User{GlobalRole: ptr.String(fleet.RoleObserver)},
true,
false,
},
{
"team admin",
&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 1}, Role: fleet.RoleAdmin}}},
true,
false,
},
{
"team maintainer",
&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 1}, Role: fleet.RoleMaintainer}}},
true,
false,
},
{
"team observer",
&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 1}, Role: fleet.RoleObserver}}},
true,
false,
},
}
for _, tt := range testCases {
t.Run(tt.name, func(t *testing.T) {
ctx := viewer.NewContext(ctx, viewer.Viewer{User: tt.user})
_, err := svc.NewGlobalPolicy(ctx, fleet.PolicyPayload{
Name: "query1",
Query: "select 1;",
})
checkAuthErr(t, tt.shouldFailWrite, err)
_, err = svc.ListGlobalPolicies(ctx, fleet.ListOptions{})
checkAuthErr(t, tt.shouldFailRead, err)
_, err = svc.GetPolicyByIDQueries(ctx, 1)
checkAuthErr(t, tt.shouldFailRead, err)
_, err = svc.ModifyGlobalPolicy(ctx, 1, fleet.ModifyPolicyPayload{})
checkAuthErr(t, tt.shouldFailWrite, err)
_, err = svc.DeleteGlobalPolicies(ctx, []uint{1})
checkAuthErr(t, tt.shouldFailWrite, err)
err = svc.ApplyPolicySpecs(ctx, []*fleet.PolicySpec{
{
Name: "query2",
Query: "select 1;",
},
})
checkAuthErr(t, tt.shouldFailWrite, err)
})
}
}
func TestRemoveGlobalPoliciesFromWebhookConfig(t *testing.T) {
ds := new(mock.Store)
svc := &Service{ds: ds}
var storedAppConfig fleet.AppConfig
ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {
return &storedAppConfig, nil
}
ds.SaveAppConfigFunc = func(ctx context.Context, info *fleet.AppConfig) error {
storedAppConfig = *info
return nil
}
for _, tc := range []struct {
name string
currCfg []uint
toDelete []uint
expCfg []uint
}{
{
name: "delete-one",
currCfg: []uint{1},
toDelete: []uint{1},
expCfg: []uint{},
},
{
name: "delete-all-2",
currCfg: []uint{1, 2, 3},
toDelete: []uint{1, 2, 3},
expCfg: []uint{},
},
{
name: "basic",
currCfg: []uint{1, 2, 3},
toDelete: []uint{1, 2},
expCfg: []uint{3},
},
{
name: "empty-cfg",
currCfg: []uint{},
toDelete: []uint{1},
expCfg: []uint{},
},
{
name: "no-deletion-cfg",
currCfg: []uint{1},
toDelete: []uint{2, 3, 4},
expCfg: []uint{1},
},
{
name: "no-deletion-cfg-2",
currCfg: []uint{1},
toDelete: []uint{},
expCfg: []uint{1},
},
} {
t.Run(tc.name, func(t *testing.T) {
storedAppConfig.WebhookSettings.FailingPoliciesWebhook.PolicyIDs = tc.currCfg
err := svc.removeGlobalPoliciesFromWebhookConfig(context.Background(), tc.toDelete)
require.NoError(t, err)
require.Equal(t, tc.expCfg, storedAppConfig.WebhookSettings.FailingPoliciesWebhook.PolicyIDs)
})
}
}
// test ApplyPolicySpecsReturnsErrorOnDuplicatePolicyNamesInSpecs
func TestApplyPolicySpecsReturnsErrorOnDuplicatePolicyNamesInSpecs(t *testing.T) {
ds := new(mock.Store)
ds.TeamByNameFunc = func(ctx context.Context, name string) (*fleet.Team, error) {
return nil, &notFoundError{}
}
svc, ctx := newTestService(t, ds, nil, nil)
req := []*fleet.PolicySpec{
{
Name: "query1",
Query: "select 1;",
Platform: "windows",
},
{
Name: "query1",
Query: "select 1;",
Platform: "windows",
},
}
user := &fleet.User{GlobalRole: ptr.String(fleet.RoleAdmin)}
ctx = viewer.NewContext(ctx, viewer.Viewer{User: user})
err := svc.ApplyPolicySpecs(ctx, req)
badRequestError := &fleet.BadRequestError{}
require.ErrorAs(t, err, &badRequestError)
require.Equal(t, "duplicate policy names not allowed", badRequestError.Message)
}
func TestApplyPolicySpecsLabelsValidation(t *testing.T) {
ds := new(mock.Store)
ds.NewGlobalPolicyFunc = func(ctx context.Context, authorID *uint, args fleet.PolicyPayload) (*fleet.Policy, error) {
return &fleet.Policy{}, nil
}
ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {
return &fleet.AppConfig{}, nil
}
ds.NewActivityFunc = func(
ctx context.Context, user *fleet.User, activity fleet.ActivityDetails, details []byte, createdAt time.Time,
) error {
return nil
}
ds.ApplyPolicySpecsFunc = func(ctx context.Context, authorID uint, specs []*fleet.PolicySpec) error {
return nil
}
ds.LabelsByNameFunc = func(ctx context.Context, names []string) (map[string]*fleet.Label, error) {
labels := make(map[string]*fleet.Label, len(names))
for _, name := range names {
if name == "foo" {
labels["foo"] = &fleet.Label{
Name: "foo",
ID: 1,
}
}
}
return labels, nil
}
svc, ctx := newTestService(t, ds, nil, nil)
testAdmin := fleet.User{
ID: 1,
Teams: []fleet.UserTeam{},
GlobalRole: ptr.String(fleet.RoleAdmin),
}
viewerCtx := viewer.NewContext(ctx, viewer.Viewer{User: &testAdmin})
// Test that a query spec with a label that exists doesn't return an error
err := svc.ApplyPolicySpecs(viewerCtx, []*fleet.PolicySpec{
{
Name: "test query",
Query: "select 1",
LabelsIncludeAny: []string{"foo"},
Platform: "darwin,windows",
},
})
// Check that no error is returned
require.NoError(t, err)
// Test that a query spec with a label that doesn't exist returns an error.
err = svc.ApplyPolicySpecs(viewerCtx, []*fleet.PolicySpec{
{
Name: "test query",
Query: "select 1",
LabelsIncludeAny: []string{"nope"},
Platform: "darwin,windows",
},
})
require.Error(t, err)
}
Reference in a new issue View git blame Copy permalink