api_test.go 19 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545
  1. package api
  2. import (
  3. "context"
  4. "testing"
  5. "connectrpc.com/connect"
  6. "github.com/stretchr/testify/assert"
  7. "github.com/stretchr/testify/require"
  8. log "github.com/sirupsen/logrus"
  9. apiv1 "github.com/OliveTin/OliveTin/gen/olivetin/api/v1"
  10. apiv1connect "github.com/OliveTin/OliveTin/gen/olivetin/api/v1/apiv1connect"
  11. authpublic "github.com/OliveTin/OliveTin/internal/auth/authpublic"
  12. config "github.com/OliveTin/OliveTin/internal/config"
  13. "github.com/OliveTin/OliveTin/internal/entities"
  14. "github.com/OliveTin/OliveTin/internal/executor"
  15. "net/http"
  16. "net/http/httptest"
  17. "path"
  18. )
  19. func getNewTestServerAndClient(injectedConfig *config.Config) (*httptest.Server, apiv1connect.OliveTinApiServiceClient) {
  20. ex := executor.DefaultExecutor(injectedConfig)
  21. ex.RebuildActionMap()
  22. apiPath, apiHandler := GetNewHandler(ex)
  23. mux := http.NewServeMux()
  24. mux.Handle("/api/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
  25. log.Infof("HTTP Request: %s %s", r.Method, r.URL.Path)
  26. // Translate /api/<service>/<method> to <service>/<method>
  27. fn := path.Base(r.URL.Path)
  28. r.URL.Path = apiPath + fn
  29. apiHandler.ServeHTTP(w, r)
  30. }))
  31. log.Infof("API path is %s", apiPath)
  32. httpclient := &http.Client{}
  33. ts := httptest.NewServer(mux)
  34. client := apiv1connect.NewOliveTinApiServiceClient(httpclient, ts.URL+"/api")
  35. log.Infof("Test server URL is %s", ts.URL+"/api"+apiPath)
  36. return ts, client
  37. }
  38. func TestGetActionsAndStart(t *testing.T) {
  39. cfg := config.DefaultConfig()
  40. btn1 := &config.Action{}
  41. btn1.Title = "blat"
  42. btn1.ID = "blat"
  43. btn1.Shell = "echo 'test'"
  44. cfg.Actions = append(cfg.Actions, btn1)
  45. ex := executor.DefaultExecutor(cfg)
  46. ex.RebuildActionMap()
  47. conn, client := getNewTestServerAndClient(cfg)
  48. respInit, errInit := client.Init(context.Background(), connect.NewRequest(&apiv1.InitRequest{}))
  49. respGetReady, errReady := client.GetReadyz(context.Background(), connect.NewRequest(&apiv1.GetReadyzRequest{}))
  50. if errInit != nil {
  51. t.Errorf("Init request failed: %v", errInit)
  52. return
  53. }
  54. if errReady != nil {
  55. t.Errorf("GetReadyz request failed: %v", errReady)
  56. return
  57. }
  58. log.Infof("GetReadyz response: %v", respGetReady.Msg)
  59. assert.Equal(t, true, true, "sayHello Failed")
  60. // assert.Equal(t, 1, len(respGb.Msg.Actions), "Got 1 action button back")
  61. log.Printf("Response: %+v", respInit)
  62. respSa, err := client.StartAction(context.Background(), connect.NewRequest(&apiv1.StartActionRequest{
  63. // ActionId: "blat"
  64. }))
  65. assert.NotNil(t, err, "Error 404 after start action")
  66. assert.Nil(t, respSa, "Nil response for non existing action")
  67. defer conn.Close()
  68. }
  69. func TestGetEntities(t *testing.T) {
  70. cfg := config.DefaultConfig()
  71. ts, client := getNewTestServerAndClient(cfg)
  72. defer ts.Close()
  73. setupTestEntities()
  74. resp, err := client.GetEntities(context.Background(), connect.NewRequest(&apiv1.GetEntitiesRequest{}))
  75. assert.NoError(t, err, "GetEntities should not return an error")
  76. assert.NotNil(t, resp, "GetEntities response should not be nil")
  77. assert.NotNil(t, resp.Msg, "GetEntities response message should not be nil")
  78. entityDefinitions := resp.Msg.EntityDefinitions
  79. assert.Equal(t, 3, len(entityDefinitions), "Should return 3 entity definitions")
  80. validateEntityOrderAndStructure(t, entityDefinitions)
  81. validateNoDuplicates(t, entityDefinitions)
  82. validateConsistency(t, client, entityDefinitions)
  83. }
  84. func setupTestEntities() {
  85. entities.ClearEntitiesOfType("server")
  86. entities.ClearEntitiesOfType("database")
  87. entities.ClearEntitiesOfType("application")
  88. entities.AddEntity("server", "zebra", map[string]any{"title": "Server Zebra", "hostname": "zebra.example.com"})
  89. entities.AddEntity("server", "alpha", map[string]any{"title": "Server Alpha", "hostname": "alpha.example.com"})
  90. entities.AddEntity("server", "beta", map[string]any{"title": "Server Beta", "hostname": "beta.example.com"})
  91. entities.AddEntity("database", "mysql", map[string]any{"title": "MySQL Database", "type": "mysql"})
  92. entities.AddEntity("database", "postgres", map[string]any{"title": "PostgreSQL Database", "type": "postgres"})
  93. entities.AddEntity("application", "webapp", map[string]any{"title": "Web Application", "port": 8080})
  94. }
  95. func validateEntityOrderAndStructure(t *testing.T, entityDefinitions []*apiv1.EntityDefinition) {
  96. assert.Equal(t, "application", entityDefinitions[0].Title, "First entity should be 'application' (alphabetically first)")
  97. assert.Equal(t, 1, len(entityDefinitions[0].Instances), "Application should have 1 instance")
  98. assert.Equal(t, "webapp", entityDefinitions[0].Instances[0].UniqueKey, "Application instance should be 'webapp'")
  99. assert.Equal(t, "database", entityDefinitions[1].Title, "Second entity should be 'database' (alphabetically second)")
  100. assert.Equal(t, 2, len(entityDefinitions[1].Instances), "Database should have 2 instances")
  101. assert.Equal(t, "mysql", entityDefinitions[1].Instances[0].UniqueKey, "First database instance should be 'mysql' (alphabetically first)")
  102. assert.Equal(t, "postgres", entityDefinitions[1].Instances[1].UniqueKey, "Second database instance should be 'postgres' (alphabetically second)")
  103. assert.Equal(t, "server", entityDefinitions[2].Title, "Third entity should be 'server' (alphabetically third)")
  104. assert.Equal(t, 3, len(entityDefinitions[2].Instances), "Server should have 3 instances")
  105. assert.Equal(t, "alpha", entityDefinitions[2].Instances[0].UniqueKey, "First server instance should be 'alpha' (alphabetically first)")
  106. assert.Equal(t, "beta", entityDefinitions[2].Instances[1].UniqueKey, "Second server instance should be 'beta' (alphabetically second)")
  107. assert.Equal(t, "zebra", entityDefinitions[2].Instances[2].UniqueKey, "Third server instance should be 'zebra' (alphabetically third)")
  108. }
  109. func validateNoDuplicates(t *testing.T, entityDefinitions []*apiv1.EntityDefinition) {
  110. instanceKeys := make(map[string]map[string]bool)
  111. for _, def := range entityDefinitions {
  112. instanceKeys[def.Title] = make(map[string]bool)
  113. for _, inst := range def.Instances {
  114. assert.False(t, instanceKeys[def.Title][inst.UniqueKey], "Instance key %s should not be duplicated in entity %s", inst.UniqueKey, def.Title)
  115. instanceKeys[def.Title][inst.UniqueKey] = true
  116. }
  117. }
  118. }
  119. func validateConsistency(t *testing.T, client apiv1connect.OliveTinApiServiceClient, entityDefinitions []*apiv1.EntityDefinition) {
  120. resp2, err2 := client.GetEntities(context.Background(), connect.NewRequest(&apiv1.GetEntitiesRequest{}))
  121. assert.NoError(t, err2, "Second GetEntities call should not return an error")
  122. assert.Equal(t, len(entityDefinitions), len(resp2.Msg.EntityDefinitions), "Second call should return same number of entity definitions")
  123. for i, def := range entityDefinitions {
  124. assert.Equal(t, def.Title, resp2.Msg.EntityDefinitions[i].Title, "Entity order should be consistent across calls")
  125. assert.Equal(t, len(def.Instances), len(resp2.Msg.EntityDefinitions[i].Instances), "Instance count should be consistent")
  126. for j, inst := range def.Instances {
  127. assert.Equal(t, inst.UniqueKey, resp2.Msg.EntityDefinitions[i].Instances[j].UniqueKey, "Instance order should be consistent across calls")
  128. }
  129. }
  130. }
  131. func TestEvaluateEnabledExpression(t *testing.T) {
  132. tests := []struct {
  133. name string
  134. expression string
  135. entity *entities.Entity
  136. expectedResult bool
  137. }{
  138. {
  139. name: "empty expression returns true",
  140. expression: "",
  141. entity: nil,
  142. expectedResult: true,
  143. },
  144. {
  145. name: "literal true returns true",
  146. expression: "true",
  147. entity: nil,
  148. expectedResult: true,
  149. },
  150. {
  151. name: "literal True returns true (case insensitive)",
  152. expression: "True",
  153. entity: nil,
  154. expectedResult: true,
  155. },
  156. {
  157. name: "literal 1 returns true",
  158. expression: "1",
  159. entity: nil,
  160. expectedResult: true,
  161. },
  162. {
  163. name: "literal false returns false",
  164. expression: "false",
  165. entity: nil,
  166. expectedResult: false,
  167. },
  168. {
  169. name: "literal 0 returns false",
  170. expression: "0",
  171. entity: nil,
  172. expectedResult: false,
  173. },
  174. {
  175. name: "empty result returns false",
  176. expression: "{{ .NonExistent }}",
  177. entity: nil,
  178. expectedResult: false,
  179. },
  180. {
  181. name: "expression with CurrentEntity true",
  182. expression: "{{ eq .CurrentEntity.powered_on true }}",
  183. entity: &entities.Entity{Data: map[string]any{"powered_on": true}},
  184. expectedResult: true,
  185. },
  186. {
  187. name: "expression with CurrentEntity false",
  188. expression: "{{ eq .CurrentEntity.powered_on true }}",
  189. entity: &entities.Entity{Data: map[string]any{"powered_on": false}},
  190. expectedResult: false,
  191. },
  192. {
  193. name: "expression with CurrentEntity integer 1",
  194. expression: "{{ .CurrentEntity.status }}",
  195. entity: &entities.Entity{Data: map[string]any{"status": 1}},
  196. expectedResult: true,
  197. },
  198. {
  199. name: "expression with CurrentEntity integer 0",
  200. expression: "{{ .CurrentEntity.status }}",
  201. entity: &entities.Entity{Data: map[string]any{"status": 0}},
  202. expectedResult: false,
  203. },
  204. {
  205. name: "template parse error returns false",
  206. expression: "{{ invalid syntax }}",
  207. entity: nil,
  208. expectedResult: false,
  209. },
  210. {
  211. name: "template exec error returns false",
  212. expression: "{{ .CurrentEntity.nonexistent }}",
  213. entity: nil,
  214. expectedResult: false,
  215. },
  216. }
  217. for _, tt := range tests {
  218. t.Run(tt.name, func(t *testing.T) {
  219. action := &config.Action{
  220. EnabledExpression: tt.expression,
  221. }
  222. result := evaluateEnabledExpression(action, tt.entity)
  223. assert.Equal(t, tt.expectedResult, result, "evaluateEnabledExpression should return expected result")
  224. })
  225. }
  226. }
  227. func TestBuildActionWithEnabledExpression(t *testing.T) {
  228. cfg := config.DefaultConfig()
  229. cfg.DefaultPermissions.Exec = true
  230. action := &config.Action{
  231. Title: "Test Action",
  232. Shell: "echo test",
  233. EnabledExpression: "{{ eq .CurrentEntity.enabled true }}",
  234. }
  235. cfg.Actions = append(cfg.Actions, action)
  236. ex := executor.DefaultExecutor(cfg)
  237. ex.RebuildActionMap()
  238. binding := findBindingByTitle(ex, "Test Action")
  239. assert.NotNil(t, binding, "Binding should be found")
  240. rr := &DashboardRenderRequest{
  241. AuthenticatedUser: &authpublic.AuthenticatedUser{Username: "testuser"},
  242. cfg: cfg,
  243. ex: ex,
  244. }
  245. testWithEntity(t, binding, rr, true, true, "Action should be executable when entity.enabled is true")
  246. testWithEntity(t, binding, rr, false, false, "Action should not be executable when entity.enabled is false")
  247. bindingNoExpr := findBindingByTitle(ex, "Test Action No Expression")
  248. if bindingNoExpr == nil {
  249. actionNoExpression := &config.Action{
  250. Title: "Test Action No Expression",
  251. Shell: "echo test",
  252. }
  253. cfg.Actions = append(cfg.Actions, actionNoExpression)
  254. ex.RebuildActionMap()
  255. bindingNoExpr = findBindingByTitle(ex, "Test Action No Expression")
  256. }
  257. actionResult := buildAction(bindingNoExpr, rr)
  258. assert.True(t, actionResult.CanExec, "Action without enabledExpression should be executable")
  259. }
  260. func findBindingByTitle(ex *executor.Executor, title string) *executor.ActionBinding {
  261. ex.MapActionBindingsLock.RLock()
  262. defer ex.MapActionBindingsLock.RUnlock()
  263. for _, b := range ex.MapActionBindings {
  264. if b.Action.Title == title {
  265. return b
  266. }
  267. }
  268. return nil
  269. }
  270. func testWithEntity(t *testing.T, binding *executor.ActionBinding, rr *DashboardRenderRequest, enabled bool, expectedCanExec bool, message string) {
  271. binding.Entity = &entities.Entity{
  272. UniqueKey: "test-entity",
  273. Data: map[string]any{"enabled": enabled},
  274. }
  275. actionResult := buildAction(binding, rr)
  276. assert.Equal(t, expectedCanExec, actionResult.CanExec, message)
  277. }
  278. // buildViewPermissionTestConfig returns config and users for GHSA view-permission tests:
  279. // one action "secret_action", ACL "restricted" (view:false) for user "low", ACL "full" (view:true) for user "admin".
  280. func buildViewPermissionTestConfig(t *testing.T) (*config.Config, *authpublic.AuthenticatedUser, *authpublic.AuthenticatedUser) {
  281. t.Helper()
  282. cfg := config.DefaultConfig()
  283. cfg.DefaultPermissions.View = false
  284. cfg.DefaultPermissions.Exec = false
  285. cfg.Actions = append(cfg.Actions, &config.Action{
  286. ID: "secret_action",
  287. Title: "Secret Action",
  288. Shell: "echo sensitive",
  289. Icon: "🔒",
  290. })
  291. cfg.AccessControlLists = append(cfg.AccessControlLists,
  292. &config.AccessControlList{
  293. Name: "restricted",
  294. MatchUsernames: []string{"low"},
  295. AddToEveryAction: true,
  296. Permissions: config.PermissionsList{View: false, Exec: false, Logs: false, Kill: false},
  297. },
  298. &config.AccessControlList{
  299. Name: "full",
  300. MatchUsernames: []string{"admin"},
  301. AddToEveryAction: true,
  302. Permissions: config.PermissionsList{View: true, Exec: true, Logs: true, Kill: true},
  303. },
  304. )
  305. lowUser := &authpublic.AuthenticatedUser{Username: "low"}
  306. lowUser.BuildUserAcls(cfg)
  307. adminUser := &authpublic.AuthenticatedUser{Username: "admin"}
  308. adminUser.BuildUserAcls(cfg)
  309. return cfg, lowUser, adminUser
  310. }
  311. // TestViewPermissionExcludedFromDashboard (GHSA: view permission) asserts that when a user has view: false,
  312. // the default dashboard must not include that action. Covers GetDashboard not leaking action metadata.
  313. func TestViewPermissionExcludedFromDashboard(t *testing.T) {
  314. cfg, lowUser, _ := buildViewPermissionTestConfig(t)
  315. ex := executor.DefaultExecutor(cfg)
  316. ex.RebuildActionMap()
  317. rr := &DashboardRenderRequest{
  318. AuthenticatedUser: lowUser,
  319. cfg: cfg,
  320. ex: ex,
  321. }
  322. db := buildDefaultDashboard(rr)
  323. bindingIdsInDashboard := bindingIdsInDashboardContents(db.Contents)
  324. assert.NotContains(t, bindingIdsInDashboard, "secret_action",
  325. "user with view:false must not see action in dashboard; got bindingIds: %v", bindingIdsInDashboard)
  326. }
  327. // TestGetActionBindingDeniedWhenNoViewPermission (GHSA: view permission) asserts that GetActionBinding
  328. // returns permission denied for a user with view: false. Covers GetActionBinding not exposing action details.
  329. func TestGetActionBindingDeniedWhenNoViewPermission(t *testing.T) {
  330. cfg, lowUser, _ := buildViewPermissionTestConfig(t)
  331. ex := executor.DefaultExecutor(cfg)
  332. ex.RebuildActionMap()
  333. api := newServer(ex)
  334. _, err := api.getActionBindingResponse(lowUser, "secret_action")
  335. require.Error(t, err)
  336. assert.Equal(t, connect.CodePermissionDenied, connect.CodeOf(err),
  337. "user with view:false must get permission denied from GetActionBinding")
  338. }
  339. // TestViewPermissionAllowedSeesAction (GHSA: view permission) asserts that a user with view: true
  340. // still sees the action in the dashboard and can fetch it via GetActionBinding.
  341. func TestViewPermissionAllowedSeesAction(t *testing.T) {
  342. cfg, _, adminUser := buildViewPermissionTestConfig(t)
  343. ex := executor.DefaultExecutor(cfg)
  344. ex.RebuildActionMap()
  345. api := newServer(ex)
  346. rr := &DashboardRenderRequest{
  347. AuthenticatedUser: adminUser,
  348. cfg: cfg,
  349. ex: ex,
  350. }
  351. db := buildDefaultDashboard(rr)
  352. bindingIdsInDashboard := bindingIdsInDashboardContents(db.Contents)
  353. assert.Contains(t, bindingIdsInDashboard, "secret_action",
  354. "user with view:true must see action in dashboard; got bindingIds: %v", bindingIdsInDashboard)
  355. resp, err := api.getActionBindingResponse(adminUser, "secret_action")
  356. require.NoError(t, err)
  357. require.NotNil(t, resp)
  358. require.NotNil(t, resp.Action)
  359. assert.Equal(t, "secret_action", resp.Action.BindingId)
  360. }
  361. // TestViewPermissionExcludedFromCustomDashboard (issue #921) asserts that when a custom dashboard
  362. // lists an action by title, users without view permission do not see that action (title or icon).
  363. func TestViewPermissionExcludedFromCustomDashboard(t *testing.T) {
  364. cfg, lowUser, _ := buildViewPermissionTestConfig(t)
  365. cfg.Dashboards = []*config.DashboardComponent{
  366. {
  367. Title: "Custom",
  368. Contents: []*config.DashboardComponent{
  369. {Title: "Secret Action"},
  370. },
  371. },
  372. }
  373. ex := executor.DefaultExecutor(cfg)
  374. ex.RebuildActionMap()
  375. rr := &DashboardRenderRequest{
  376. AuthenticatedUser: lowUser,
  377. cfg: cfg,
  378. ex: ex,
  379. }
  380. dashboard := findDashboardByTitle(rr, "Custom")
  381. require.NotNil(t, dashboard)
  382. db := buildDashboardFromConfig(dashboard, rr)
  383. require.NotNil(t, db)
  384. bindingIdsInDashboard := bindingIdsInDashboardContents(db.Contents)
  385. assert.NotContains(t, bindingIdsInDashboard, "secret_action",
  386. "user with view:false must not see action on custom dashboard; got bindingIds: %v", bindingIdsInDashboard)
  387. }
  388. // TestViewPermissionExcludedFromEntityDashboard (GHSA: view permission) asserts that when a dashboard
  389. // has an entity fieldset listing an action, users without view permission do not see that action.
  390. func TestViewPermissionExcludedFromEntityDashboard(t *testing.T) {
  391. entities.ClearEntitiesOfType("vp_entity_test")
  392. defer entities.ClearEntitiesOfType("vp_entity_test")
  393. entities.AddEntity("vp_entity_test", "1", map[string]any{"title": "Test Entity"})
  394. cfg, lowUser, _ := buildViewPermissionTestConfig(t)
  395. cfg.Dashboards = []*config.DashboardComponent{
  396. {
  397. Title: "WithEntity",
  398. Contents: []*config.DashboardComponent{
  399. {
  400. Title: "Servers", Type: "fieldset", Entity: "vp_entity_test",
  401. Contents: []*config.DashboardComponent{{Title: "Secret Action"}},
  402. },
  403. },
  404. },
  405. }
  406. ex := executor.DefaultExecutor(cfg)
  407. ex.RebuildActionMap()
  408. rr := &DashboardRenderRequest{
  409. AuthenticatedUser: lowUser,
  410. cfg: cfg,
  411. ex: ex,
  412. }
  413. dashboard := findDashboardByTitle(rr, "WithEntity")
  414. require.NotNil(t, dashboard)
  415. db := buildDashboardFromConfig(dashboard, rr)
  416. require.NotNil(t, db)
  417. bindingIdsInDashboard := bindingIdsInDashboardContents(db.Contents)
  418. assert.NotContains(t, bindingIdsInDashboard, "secret_action",
  419. "user with view:false must not see action in entity fieldset; got bindingIds: %v", bindingIdsInDashboard)
  420. }
  421. func bindingIdsInDashboardContents(contents []*apiv1.DashboardComponent) []string {
  422. var ids []string
  423. for _, c := range contents {
  424. ids = append(ids, bindingIdsFromComponent(c)...)
  425. }
  426. return ids
  427. }
  428. func bindingIdsFromComponent(c *apiv1.DashboardComponent) []string {
  429. if c == nil {
  430. return nil
  431. }
  432. var ids []string
  433. if c.Action != nil && c.Action.BindingId != "" {
  434. ids = append(ids, c.Action.BindingId)
  435. }
  436. return append(ids, bindingIdsInDashboardContents(c.Contents)...)
  437. }
  438. func TestOrderTopLevelDashboardComponents_RegularFieldsetsPreserveConfigOrder(t *testing.T) {
  439. zebra := &apiv1.DashboardComponent{Title: "Zebra", Type: "fieldset", EntityType: ""}
  440. alpha := &apiv1.DashboardComponent{Title: "Alpha", Type: "fieldset", EntityType: ""}
  441. root := &apiv1.DashboardComponent{Title: "Actions", Type: "fieldset", EntityType: ""}
  442. components := []*apiv1.DashboardComponent{zebra, alpha, root}
  443. out := orderTopLevelDashboardComponents(components)
  444. require.Len(t, out, 3)
  445. assert.Same(t, zebra, out[0], "first must be Zebra (config order)")
  446. assert.Same(t, alpha, out[1], "second must be Alpha (config order)")
  447. assert.Same(t, root, out[2], "third must be root Actions fieldset")
  448. }
  449. func TestOrderTopLevelDashboardComponents_SortablesSorted(t *testing.T) {
  450. entityBeta := &apiv1.DashboardComponent{Title: "Beta", Type: "fieldset", EntityType: "server"}
  451. entityAlpha := &apiv1.DashboardComponent{Title: "Alpha", Type: "fieldset", EntityType: "server"}
  452. components := []*apiv1.DashboardComponent{entityBeta, entityAlpha}
  453. out := orderTopLevelDashboardComponents(components)
  454. require.Len(t, out, 2)
  455. assert.Equal(t, "Alpha", out[0].Title, "sortables ordered by title")
  456. assert.Equal(t, "Beta", out[1].Title)
  457. }