api_test.go 32 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921
  1. package api
  2. import (
  3. "context"
  4. "net/http"
  5. "net/http/httptest"
  6. "path"
  7. "testing"
  8. "time"
  9. "connectrpc.com/connect"
  10. "github.com/google/uuid"
  11. log "github.com/sirupsen/logrus"
  12. "github.com/stretchr/testify/assert"
  13. "github.com/stretchr/testify/require"
  14. apiv1 "github.com/OliveTin/OliveTin/gen/olivetin/api/v1"
  15. apiv1connect "github.com/OliveTin/OliveTin/gen/olivetin/api/v1/apiv1connect"
  16. authpublic "github.com/OliveTin/OliveTin/internal/auth/authpublic"
  17. config "github.com/OliveTin/OliveTin/internal/config"
  18. "github.com/OliveTin/OliveTin/internal/entities"
  19. "github.com/OliveTin/OliveTin/internal/executor"
  20. )
  21. func getNewTestServerAndClient(injectedConfig *config.Config) (*httptest.Server, apiv1connect.OliveTinApiServiceClient) {
  22. ex := executor.DefaultExecutor(injectedConfig)
  23. ex.RebuildActionMap()
  24. return getNewTestServerAndClientWithExecutor(injectedConfig, ex)
  25. }
  26. func getNewTestServerAndClientWithExecutor(injectedConfig *config.Config, ex *executor.Executor) (*httptest.Server, apiv1connect.OliveTinApiServiceClient) {
  27. apiPath, apiHandler := GetNewHandler(ex)
  28. mux := http.NewServeMux()
  29. mux.Handle("/api/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
  30. log.Infof("HTTP Request: %s %s", r.Method, r.URL.Path)
  31. // Translate /api/<service>/<method> to <service>/<method>
  32. fn := path.Base(r.URL.Path)
  33. r.URL.Path = apiPath + fn
  34. apiHandler.ServeHTTP(w, r)
  35. }))
  36. log.Infof("API path is %s", apiPath)
  37. httpclient := &http.Client{}
  38. ts := httptest.NewServer(mux)
  39. client := apiv1connect.NewOliveTinApiServiceClient(httpclient, ts.URL+"/api")
  40. log.Infof("Test server URL is %s", ts.URL+"/api"+apiPath)
  41. return ts, client
  42. }
  43. func TestApplyActionExecTriggersIncludesWebhookHeaderAndQueryMatches(t *testing.T) {
  44. cfg := &config.Action{
  45. ExecOnWebhook: []config.WebhookConfig{
  46. {
  47. MatchHeaders: map[string]string{"X-GitHub-Event": "push"},
  48. MatchQuery: map[string]string{"source": "github"},
  49. },
  50. },
  51. }
  52. pb := &apiv1.Action{}
  53. applyActionExecTriggers(pb, cfg)
  54. require.Len(t, pb.ExecOnWebhooks, 1)
  55. assert.Equal(t, cfg.ExecOnWebhook[0].MatchHeaders, pb.ExecOnWebhooks[0].MatchHeaders)
  56. assert.Equal(t, cfg.ExecOnWebhook[0].MatchQuery, pb.ExecOnWebhooks[0].MatchQuery)
  57. }
  58. func TestGetActionsAndStart(t *testing.T) {
  59. cfg := config.DefaultConfig()
  60. btn1 := &config.Action{}
  61. btn1.Title = "blat"
  62. btn1.ID = "blat"
  63. btn1.Shell = "echo 'test'"
  64. cfg.Actions = append(cfg.Actions, btn1)
  65. ex := executor.DefaultExecutor(cfg)
  66. ex.RebuildActionMap()
  67. conn, client := getNewTestServerAndClient(cfg)
  68. respInit, errInit := client.Init(context.Background(), connect.NewRequest(&apiv1.InitRequest{}))
  69. respGetReady, errReady := client.GetReadyz(context.Background(), connect.NewRequest(&apiv1.GetReadyzRequest{}))
  70. if errInit != nil {
  71. t.Errorf("Init request failed: %v", errInit)
  72. return
  73. }
  74. if errReady != nil {
  75. t.Errorf("GetReadyz request failed: %v", errReady)
  76. return
  77. }
  78. log.Infof("GetReadyz response: %v", respGetReady.Msg)
  79. assert.Equal(t, true, true, "sayHello Failed")
  80. // assert.Equal(t, 1, len(respGb.Msg.Actions), "Got 1 action button back")
  81. log.Printf("Response: %+v", respInit)
  82. respSa, err := client.StartAction(context.Background(), connect.NewRequest(&apiv1.StartActionRequest{
  83. // ActionId: "blat"
  84. }))
  85. assert.NotNil(t, err, "Error 404 after start action")
  86. assert.Nil(t, respSa, "Nil response for non existing action")
  87. defer conn.Close()
  88. }
  89. func TestGetEntities(t *testing.T) {
  90. cfg := config.DefaultConfig()
  91. ts, client := getNewTestServerAndClient(cfg)
  92. defer ts.Close()
  93. setupTestEntities()
  94. resp, err := client.GetEntities(context.Background(), connect.NewRequest(&apiv1.GetEntitiesRequest{}))
  95. assert.NoError(t, err, "GetEntities should not return an error")
  96. assert.NotNil(t, resp, "GetEntities response should not be nil")
  97. assert.NotNil(t, resp.Msg, "GetEntities response message should not be nil")
  98. entityDefinitions := resp.Msg.EntityDefinitions
  99. assert.Equal(t, 3, len(entityDefinitions), "Should return 3 entity definitions")
  100. validateEntityOrderAndStructure(t, entityDefinitions)
  101. validateNoDuplicates(t, entityDefinitions)
  102. validateConsistency(t, client, entityDefinitions)
  103. }
  104. func setupTestEntities() {
  105. entities.ClearEntitiesOfType("server")
  106. entities.ClearEntitiesOfType("database")
  107. entities.ClearEntitiesOfType("application")
  108. entities.AddEntity("server", "zebra", map[string]any{"title": "Server Zebra", "hostname": "zebra.example.com"})
  109. entities.AddEntity("server", "alpha", map[string]any{"title": "Server Alpha", "hostname": "alpha.example.com"})
  110. entities.AddEntity("server", "beta", map[string]any{"title": "Server Beta", "hostname": "beta.example.com"})
  111. entities.AddEntity("database", "mysql", map[string]any{"title": "MySQL Database", "type": "mysql"})
  112. entities.AddEntity("database", "postgres", map[string]any{"title": "PostgreSQL Database", "type": "postgres"})
  113. entities.AddEntity("application", "webapp", map[string]any{"title": "Web Application", "port": 8080})
  114. }
  115. func validateEntityOrderAndStructure(t *testing.T, entityDefinitions []*apiv1.EntityDefinition) {
  116. assert.Equal(t, "application", entityDefinitions[0].Title, "First entity should be 'application' (alphabetically first)")
  117. assert.Equal(t, 1, len(entityDefinitions[0].Instances), "Application should have 1 instance")
  118. assert.Equal(t, "webapp", entityDefinitions[0].Instances[0].UniqueKey, "Application instance should be 'webapp'")
  119. assert.Equal(t, "database", entityDefinitions[1].Title, "Second entity should be 'database' (alphabetically second)")
  120. assert.Equal(t, 2, len(entityDefinitions[1].Instances), "Database should have 2 instances")
  121. assert.Equal(t, "mysql", entityDefinitions[1].Instances[0].UniqueKey, "First database instance should be 'mysql' (alphabetically first)")
  122. assert.Equal(t, "postgres", entityDefinitions[1].Instances[1].UniqueKey, "Second database instance should be 'postgres' (alphabetically second)")
  123. assert.Equal(t, "server", entityDefinitions[2].Title, "Third entity should be 'server' (alphabetically third)")
  124. assert.Equal(t, 3, len(entityDefinitions[2].Instances), "Server should have 3 instances")
  125. assert.Equal(t, "alpha", entityDefinitions[2].Instances[0].UniqueKey, "First server instance should be 'alpha' (alphabetically first)")
  126. assert.Equal(t, "beta", entityDefinitions[2].Instances[1].UniqueKey, "Second server instance should be 'beta' (alphabetically second)")
  127. assert.Equal(t, "zebra", entityDefinitions[2].Instances[2].UniqueKey, "Third server instance should be 'zebra' (alphabetically third)")
  128. }
  129. func validateNoDuplicates(t *testing.T, entityDefinitions []*apiv1.EntityDefinition) {
  130. instanceKeys := make(map[string]map[string]bool)
  131. for _, def := range entityDefinitions {
  132. instanceKeys[def.Title] = make(map[string]bool)
  133. for _, inst := range def.Instances {
  134. assert.False(t, instanceKeys[def.Title][inst.UniqueKey], "Instance key %s should not be duplicated in entity %s", inst.UniqueKey, def.Title)
  135. instanceKeys[def.Title][inst.UniqueKey] = true
  136. }
  137. }
  138. }
  139. func validateConsistency(t *testing.T, client apiv1connect.OliveTinApiServiceClient, entityDefinitions []*apiv1.EntityDefinition) {
  140. resp2, err2 := client.GetEntities(context.Background(), connect.NewRequest(&apiv1.GetEntitiesRequest{}))
  141. assert.NoError(t, err2, "Second GetEntities call should not return an error")
  142. assert.Equal(t, len(entityDefinitions), len(resp2.Msg.EntityDefinitions), "Second call should return same number of entity definitions")
  143. for i, def := range entityDefinitions {
  144. assert.Equal(t, def.Title, resp2.Msg.EntityDefinitions[i].Title, "Entity order should be consistent across calls")
  145. assert.Equal(t, len(def.Instances), len(resp2.Msg.EntityDefinitions[i].Instances), "Instance count should be consistent")
  146. for j, inst := range def.Instances {
  147. assert.Equal(t, inst.UniqueKey, resp2.Msg.EntityDefinitions[i].Instances[j].UniqueKey, "Instance order should be consistent across calls")
  148. }
  149. }
  150. }
  151. func TestEvaluateEnabledExpression(t *testing.T) {
  152. tests := []struct {
  153. name string
  154. expression string
  155. entity *entities.Entity
  156. expectedResult bool
  157. }{
  158. {
  159. name: "empty expression returns true",
  160. expression: "",
  161. entity: nil,
  162. expectedResult: true,
  163. },
  164. {
  165. name: "literal true returns true",
  166. expression: "true",
  167. entity: nil,
  168. expectedResult: true,
  169. },
  170. {
  171. name: "literal True returns true (case insensitive)",
  172. expression: "True",
  173. entity: nil,
  174. expectedResult: true,
  175. },
  176. {
  177. name: "literal 1 returns true",
  178. expression: "1",
  179. entity: nil,
  180. expectedResult: true,
  181. },
  182. {
  183. name: "literal false returns false",
  184. expression: "false",
  185. entity: nil,
  186. expectedResult: false,
  187. },
  188. {
  189. name: "literal 0 returns false",
  190. expression: "0",
  191. entity: nil,
  192. expectedResult: false,
  193. },
  194. {
  195. name: "empty result returns false",
  196. expression: "{{ .NonExistent }}",
  197. entity: nil,
  198. expectedResult: false,
  199. },
  200. {
  201. name: "expression with CurrentEntity true",
  202. expression: "{{ eq .CurrentEntity.powered_on true }}",
  203. entity: &entities.Entity{Data: map[string]any{"powered_on": true}},
  204. expectedResult: true,
  205. },
  206. {
  207. name: "expression with CurrentEntity false",
  208. expression: "{{ eq .CurrentEntity.powered_on true }}",
  209. entity: &entities.Entity{Data: map[string]any{"powered_on": false}},
  210. expectedResult: false,
  211. },
  212. {
  213. name: "expression with CurrentEntity integer 1",
  214. expression: "{{ .CurrentEntity.status }}",
  215. entity: &entities.Entity{Data: map[string]any{"status": 1}},
  216. expectedResult: true,
  217. },
  218. {
  219. name: "expression with CurrentEntity integer 0",
  220. expression: "{{ .CurrentEntity.status }}",
  221. entity: &entities.Entity{Data: map[string]any{"status": 0}},
  222. expectedResult: false,
  223. },
  224. {
  225. name: "template parse error returns false",
  226. expression: "{{ invalid syntax }}",
  227. entity: nil,
  228. expectedResult: false,
  229. },
  230. {
  231. name: "template exec error returns false",
  232. expression: "{{ .CurrentEntity.nonexistent }}",
  233. entity: nil,
  234. expectedResult: false,
  235. },
  236. }
  237. for _, tt := range tests {
  238. t.Run(tt.name, func(t *testing.T) {
  239. action := &config.Action{
  240. EnabledExpression: tt.expression,
  241. }
  242. result := evaluateEnabledExpression(action, tt.entity)
  243. assert.Equal(t, tt.expectedResult, result, "evaluateEnabledExpression should return expected result")
  244. })
  245. }
  246. }
  247. func TestBuildActionWithEnabledExpression(t *testing.T) {
  248. cfg := config.DefaultConfig()
  249. cfg.DefaultPermissions.Exec = true
  250. action := &config.Action{
  251. Title: "Test Action",
  252. Shell: "echo test",
  253. EnabledExpression: "{{ eq .CurrentEntity.enabled true }}",
  254. }
  255. cfg.Actions = append(cfg.Actions, action)
  256. ex := executor.DefaultExecutor(cfg)
  257. ex.RebuildActionMap()
  258. binding := findBindingByTitle(ex, "Test Action")
  259. assert.NotNil(t, binding, "Binding should be found")
  260. rr := &DashboardRenderRequest{
  261. AuthenticatedUser: &authpublic.AuthenticatedUser{Username: "testuser"},
  262. cfg: cfg,
  263. ex: ex,
  264. }
  265. testWithEntity(t, binding, rr, true, true, "Action should be executable when entity.enabled is true")
  266. testWithEntity(t, binding, rr, false, false, "Action should not be executable when entity.enabled is false")
  267. bindingNoExpr := findBindingByTitle(ex, "Test Action No Expression")
  268. if bindingNoExpr == nil {
  269. actionNoExpression := &config.Action{
  270. Title: "Test Action No Expression",
  271. Shell: "echo test",
  272. }
  273. cfg.Actions = append(cfg.Actions, actionNoExpression)
  274. ex.RebuildActionMap()
  275. bindingNoExpr = findBindingByTitle(ex, "Test Action No Expression")
  276. }
  277. actionResult := buildAction(bindingNoExpr, rr)
  278. assert.True(t, actionResult.CanExec, "Action without enabledExpression should be executable")
  279. }
  280. func findBindingByTitle(ex *executor.Executor, title string) *executor.ActionBinding {
  281. ex.MapActionBindingsLock.RLock()
  282. defer ex.MapActionBindingsLock.RUnlock()
  283. for _, b := range ex.MapActionBindings {
  284. if b.Action.Title == title {
  285. return b
  286. }
  287. }
  288. return nil
  289. }
  290. func testWithEntity(t *testing.T, binding *executor.ActionBinding, rr *DashboardRenderRequest, enabled bool, expectedCanExec bool, message string) {
  291. binding.Entity = &entities.Entity{
  292. UniqueKey: "test-entity",
  293. Data: map[string]any{"enabled": enabled},
  294. }
  295. actionResult := buildAction(binding, rr)
  296. assert.Equal(t, expectedCanExec, actionResult.CanExec, message)
  297. }
  298. // buildViewPermissionTestConfig returns config and users for GHSA view-permission tests:
  299. // one action "secret_action", ACL "restricted" (view:false, logs:false) for user "low", ACL "full" (view:true, logs:true) for user "admin".
  300. func buildViewPermissionTestConfig(t *testing.T) (*config.Config, *authpublic.AuthenticatedUser, *authpublic.AuthenticatedUser) {
  301. t.Helper()
  302. cfg := config.DefaultConfig()
  303. cfg.DefaultPermissions.View = false
  304. cfg.DefaultPermissions.Exec = false
  305. cfg.DefaultPermissions.Logs = false
  306. cfg.Actions = append(cfg.Actions, &config.Action{
  307. ID: "secret_action",
  308. Title: "Secret Action",
  309. Shell: "echo sensitive",
  310. Icon: "🔒",
  311. })
  312. cfg.AccessControlLists = append(cfg.AccessControlLists,
  313. &config.AccessControlList{
  314. Name: "restricted",
  315. MatchUsernames: []string{"low"},
  316. AddToEveryAction: true,
  317. Permissions: config.PermissionsList{View: false, Exec: false, Logs: false, Kill: false},
  318. },
  319. &config.AccessControlList{
  320. Name: "full",
  321. MatchUsernames: []string{"admin"},
  322. AddToEveryAction: true,
  323. Permissions: config.PermissionsList{View: true, Exec: true, Logs: true, Kill: true},
  324. },
  325. )
  326. lowUser := &authpublic.AuthenticatedUser{Username: "low"}
  327. lowUser.BuildUserAcls(cfg)
  328. adminUser := &authpublic.AuthenticatedUser{Username: "admin"}
  329. adminUser.BuildUserAcls(cfg)
  330. return cfg, lowUser, adminUser
  331. }
  332. // TestViewPermissionExcludedFromDashboard (GHSA: view permission) asserts that when a user has view: false,
  333. // the default dashboard must not include that action. Covers GetDashboard not leaking action metadata.
  334. func TestViewPermissionExcludedFromDashboard(t *testing.T) {
  335. cfg, lowUser, _ := buildViewPermissionTestConfig(t)
  336. ex := executor.DefaultExecutor(cfg)
  337. ex.RebuildActionMap()
  338. rr := &DashboardRenderRequest{
  339. AuthenticatedUser: lowUser,
  340. cfg: cfg,
  341. ex: ex,
  342. }
  343. db := buildDefaultDashboard(rr)
  344. bindingIdsInDashboard := bindingIdsInDashboardContents(db.Contents)
  345. assert.NotContains(t, bindingIdsInDashboard, "secret_action",
  346. "user with view:false must not see action in dashboard; got bindingIds: %v", bindingIdsInDashboard)
  347. }
  348. // TestGetActionBindingDeniedWhenNoViewPermission (GHSA: view permission) asserts that GetActionBinding
  349. // returns permission denied for a user with view: false. Covers GetActionBinding not exposing action details.
  350. func TestGetActionBindingDeniedWhenNoViewPermission(t *testing.T) {
  351. cfg, lowUser, _ := buildViewPermissionTestConfig(t)
  352. ex := executor.DefaultExecutor(cfg)
  353. ex.RebuildActionMap()
  354. api := newServer(ex)
  355. _, err := api.getActionBindingResponse(lowUser, "secret_action")
  356. require.Error(t, err)
  357. assert.Equal(t, connect.CodePermissionDenied, connect.CodeOf(err),
  358. "user with view:false must get permission denied from GetActionBinding")
  359. }
  360. // TestValidateArgumentTypeDeniesGuestsWhenLoginRequired (GHSA-f637-w7p2-m7fx) asserts that when
  361. // guests must log in, ValidateArgumentType does not bypass dashboard access controls.
  362. func TestValidateArgumentTypeDeniesGuestsWhenLoginRequired(t *testing.T) {
  363. cfg := config.DefaultConfig()
  364. cfg.AuthRequireGuestsToLogin = true
  365. cfg.Actions = append(cfg.Actions, &config.Action{
  366. ID: "a1",
  367. Title: "Probe",
  368. Shell: "echo",
  369. Arguments: []config.ActionArgument{
  370. {Name: "x", Type: "ascii"},
  371. },
  372. })
  373. ex := executor.DefaultExecutor(cfg)
  374. ex.RebuildActionMap()
  375. ts, client := getNewTestServerAndClient(cfg)
  376. defer ts.Close()
  377. _, err := client.ValidateArgumentType(context.Background(), connect.NewRequest(&apiv1.ValidateArgumentTypeRequest{
  378. BindingId: "a1",
  379. ArgumentName: "x",
  380. Value: "v",
  381. Type: "ascii",
  382. }))
  383. require.Error(t, err)
  384. assert.Equal(t, connect.CodePermissionDenied, connect.CodeOf(err),
  385. "guest must not call ValidateArgumentType when AuthRequireGuestsToLogin is true")
  386. }
  387. // TestValidateArgumentTypeDeniedWithoutViewPermission (GHSA-f637-w7p2-m7fx) asserts ValidateArgumentType
  388. // respects the same view ACL as GetActionBinding so the RPC cannot enumerate restricted actions.
  389. func TestValidateArgumentTypeDeniedWithoutViewPermission(t *testing.T) {
  390. cfg, _, _ := buildViewPermissionTestConfig(t)
  391. cfg.AuthHttpHeaderUsername = "X-Ot-User"
  392. for i := range cfg.Actions {
  393. if cfg.Actions[i].ID == "secret_action" {
  394. cfg.Actions[i].Arguments = []config.ActionArgument{{Name: "target", Type: "ascii"}}
  395. break
  396. }
  397. }
  398. ex := executor.DefaultExecutor(cfg)
  399. ex.RebuildActionMap()
  400. ts, client := getNewTestServerAndClient(cfg)
  401. defer ts.Close()
  402. req := connect.NewRequest(&apiv1.ValidateArgumentTypeRequest{
  403. BindingId: "secret_action",
  404. ArgumentName: "target",
  405. Value: "ok",
  406. Type: "ascii",
  407. })
  408. req.Header().Set("X-Ot-User", "low")
  409. _, err := client.ValidateArgumentType(context.Background(), req)
  410. require.Error(t, err)
  411. assert.Equal(t, connect.CodePermissionDenied, connect.CodeOf(err),
  412. "user with view:false must get permission denied from ValidateArgumentType")
  413. }
  414. // TestValidateArgumentTypeAllowedWithViewPermission (GHSA-f637-w7p2-m7fx) asserts authenticated users
  415. // with view access can still use ValidateArgumentType for argument validation.
  416. func TestValidateArgumentTypeAllowedWithViewPermission(t *testing.T) {
  417. cfg, _, _ := buildViewPermissionTestConfig(t)
  418. cfg.AuthHttpHeaderUsername = "X-Ot-User"
  419. for i := range cfg.Actions {
  420. if cfg.Actions[i].ID == "secret_action" {
  421. cfg.Actions[i].Arguments = []config.ActionArgument{{Name: "target", Type: "ascii"}}
  422. break
  423. }
  424. }
  425. ex := executor.DefaultExecutor(cfg)
  426. ex.RebuildActionMap()
  427. ts, client := getNewTestServerAndClient(cfg)
  428. defer ts.Close()
  429. req := connect.NewRequest(&apiv1.ValidateArgumentTypeRequest{
  430. BindingId: "secret_action",
  431. ArgumentName: "target",
  432. Value: "ok",
  433. Type: "ascii",
  434. })
  435. req.Header().Set("X-Ot-User", "admin")
  436. resp, err := client.ValidateArgumentType(context.Background(), req)
  437. require.NoError(t, err)
  438. require.NotNil(t, resp)
  439. require.NotNil(t, resp.Msg)
  440. assert.True(t, resp.Msg.Valid, "admin with view:true should get successful validation for a valid ascii value")
  441. }
  442. // TestViewPermissionAllowedSeesAction (GHSA: view permission) asserts that a user with view: true
  443. // still sees the action in the dashboard and can fetch it via GetActionBinding.
  444. func TestViewPermissionAllowedSeesAction(t *testing.T) {
  445. cfg, _, adminUser := buildViewPermissionTestConfig(t)
  446. ex := executor.DefaultExecutor(cfg)
  447. ex.RebuildActionMap()
  448. api := newServer(ex)
  449. rr := &DashboardRenderRequest{
  450. AuthenticatedUser: adminUser,
  451. cfg: cfg,
  452. ex: ex,
  453. }
  454. db := buildDefaultDashboard(rr)
  455. bindingIdsInDashboard := bindingIdsInDashboardContents(db.Contents)
  456. assert.Contains(t, bindingIdsInDashboard, "secret_action",
  457. "user with view:true must see action in dashboard; got bindingIds: %v", bindingIdsInDashboard)
  458. resp, err := api.getActionBindingResponse(adminUser, "secret_action")
  459. require.NoError(t, err)
  460. require.NotNil(t, resp)
  461. require.NotNil(t, resp.Action)
  462. assert.Equal(t, "secret_action", resp.Action.BindingId)
  463. }
  464. // TestViewPermissionExcludedFromCustomDashboard (issue #921) asserts that when a custom dashboard
  465. // lists an action by title, users without view permission do not see that action (title or icon).
  466. func TestViewPermissionExcludedFromCustomDashboard(t *testing.T) {
  467. cfg, lowUser, _ := buildViewPermissionTestConfig(t)
  468. cfg.Dashboards = []*config.DashboardComponent{
  469. {
  470. Title: "Custom",
  471. Contents: []*config.DashboardComponent{
  472. {Title: "Secret Action"},
  473. },
  474. },
  475. }
  476. ex := executor.DefaultExecutor(cfg)
  477. ex.RebuildActionMap()
  478. rr := &DashboardRenderRequest{
  479. AuthenticatedUser: lowUser,
  480. cfg: cfg,
  481. ex: ex,
  482. }
  483. dashboard := findDashboardByTitle(rr, "Custom")
  484. require.NotNil(t, dashboard)
  485. db := buildDashboardFromConfig(dashboard, rr)
  486. require.NotNil(t, db)
  487. bindingIdsInDashboard := bindingIdsInDashboardContents(db.Contents)
  488. assert.NotContains(t, bindingIdsInDashboard, "secret_action",
  489. "user with view:false must not see action on custom dashboard; got bindingIds: %v", bindingIdsInDashboard)
  490. assert.False(t, dashboardContentsContainForbiddenComponent(db.Contents, "Secret Action", "🔒"),
  491. "user with view:false must not see Secret Action title or lock icon in custom dashboard")
  492. }
  493. // TestViewPermissionExcludedFromEntityDashboard (GHSA: view permission) asserts that when a dashboard
  494. // has an entity fieldset listing an action, users without view permission do not see that action.
  495. func TestViewPermissionExcludedFromEntityDashboard(t *testing.T) {
  496. entities.ClearEntitiesOfType("vp_entity_test")
  497. defer entities.ClearEntitiesOfType("vp_entity_test")
  498. entities.AddEntity("vp_entity_test", "1", map[string]any{"title": "Test Entity"})
  499. cfg, lowUser, _ := buildViewPermissionTestConfig(t)
  500. cfg.Dashboards = []*config.DashboardComponent{
  501. {
  502. Title: "WithEntity",
  503. Contents: []*config.DashboardComponent{
  504. {
  505. Title: "Servers", Type: "fieldset", Entity: "vp_entity_test",
  506. Contents: []*config.DashboardComponent{{Title: "Secret Action"}},
  507. },
  508. },
  509. },
  510. }
  511. ex := executor.DefaultExecutor(cfg)
  512. ex.RebuildActionMap()
  513. rr := &DashboardRenderRequest{
  514. AuthenticatedUser: lowUser,
  515. cfg: cfg,
  516. ex: ex,
  517. }
  518. dashboard := findDashboardByTitle(rr, "WithEntity")
  519. require.NotNil(t, dashboard)
  520. db := buildDashboardFromConfig(dashboard, rr)
  521. require.NotNil(t, db)
  522. bindingIdsInDashboard := bindingIdsInDashboardContents(db.Contents)
  523. assert.NotContains(t, bindingIdsInDashboard, "secret_action",
  524. "user with view:false must not see action in entity fieldset; got bindingIds: %v", bindingIdsInDashboard)
  525. assert.False(t, dashboardContentsContainForbiddenComponent(db.Contents, "Secret Action", "🔒"),
  526. "user with view:false must not see Secret Action title or lock icon in entity dashboard")
  527. }
  528. func bindingIdsInDashboardContents(contents []*apiv1.DashboardComponent) []string {
  529. var ids []string
  530. for _, c := range contents {
  531. ids = append(ids, bindingIdsFromComponent(c)...)
  532. }
  533. return ids
  534. }
  535. func bindingIdsFromComponent(c *apiv1.DashboardComponent) []string {
  536. if c == nil {
  537. return nil
  538. }
  539. var ids []string
  540. if c.Action != nil && c.Action.BindingId != "" {
  541. ids = append(ids, c.Action.BindingId)
  542. }
  543. return append(ids, bindingIdsInDashboardContents(c.Contents)...)
  544. }
  545. func componentHasForbiddenTitleOrIcon(c *apiv1.DashboardComponent, forbiddenTitle, forbiddenIcon string) bool {
  546. return c != nil && (c.Title == forbiddenTitle || c.Icon == forbiddenIcon)
  547. }
  548. func componentOrDescendantsContainForbidden(c *apiv1.DashboardComponent, forbiddenTitle, forbiddenIcon string) bool {
  549. if c == nil {
  550. return false
  551. }
  552. if componentHasForbiddenTitleOrIcon(c, forbiddenTitle, forbiddenIcon) {
  553. return true
  554. }
  555. return dashboardContentsContainForbiddenComponent(c.Contents, forbiddenTitle, forbiddenIcon)
  556. }
  557. // dashboardContentsContainForbiddenComponent recursively walks contents and returns true if any
  558. // component has Title == forbiddenTitle or Icon == forbiddenIcon.
  559. func dashboardContentsContainForbiddenComponent(contents []*apiv1.DashboardComponent, forbiddenTitle, forbiddenIcon string) bool {
  560. for _, c := range contents {
  561. if componentOrDescendantsContainForbidden(c, forbiddenTitle, forbiddenIcon) {
  562. return true
  563. }
  564. }
  565. return false
  566. }
  567. func TestOrderTopLevelDashboardComponents_RegularFieldsetsPreserveConfigOrder(t *testing.T) {
  568. zebra := &apiv1.DashboardComponent{Title: "Zebra", Type: "fieldset", EntityType: ""}
  569. alpha := &apiv1.DashboardComponent{Title: "Alpha", Type: "fieldset", EntityType: ""}
  570. root := &apiv1.DashboardComponent{Title: "Actions", Type: "fieldset", EntityType: ""}
  571. components := []*apiv1.DashboardComponent{zebra, alpha, root}
  572. out := orderTopLevelDashboardComponents(components, root)
  573. require.Len(t, out, 3)
  574. assert.Same(t, zebra, out[0], "first must be Zebra (config order)")
  575. assert.Same(t, alpha, out[1], "second must be Alpha (config order)")
  576. assert.Same(t, root, out[2], "third must be root Actions fieldset")
  577. }
  578. func TestOrderTopLevelDashboardComponents_SortablesSorted(t *testing.T) {
  579. entityBeta := &apiv1.DashboardComponent{Title: "Beta", Type: "fieldset", EntityType: "server"}
  580. entityAlpha := &apiv1.DashboardComponent{Title: "Alpha", Type: "fieldset", EntityType: "server"}
  581. components := []*apiv1.DashboardComponent{entityBeta, entityAlpha}
  582. out := orderTopLevelDashboardComponents(components, nil)
  583. require.Len(t, out, 2)
  584. assert.Equal(t, "Alpha", out[0].Title, "sortables ordered by title")
  585. assert.Equal(t, "Beta", out[1].Title)
  586. }
  587. // TestEventStreamACLNoLeakToUnauthorizedUser (GHSA-228v-wc5r-j8m7) asserts that EventStream
  588. // does not send execution events or output chunks to users who are not allowed to view that action's logs.
  589. func TestEventStreamACLNoLeakToUnauthorizedUser(t *testing.T) {
  590. cfg, lowUser, adminUser := buildViewPermissionTestConfig(t)
  591. ex := executor.DefaultExecutor(cfg)
  592. ex.RebuildActionMap()
  593. api := newServer(ex)
  594. binding := ex.FindBindingByID("secret_action")
  595. require.NotNil(t, binding, "secret_action binding must exist")
  596. clientLow, clientAdmin := addEventStreamTestClients(t, api, lowUser, adminUser)
  597. defer removeEventStreamTestClients(api, clientLow, clientAdmin)
  598. runEventStreamTestExecution(t, ex, cfg, binding, adminUser)
  599. adminEvents := drainEventStreamUntilFinished(clientAdmin.channel, 2*time.Second)
  600. lowEvents := drainEventStreamWithTimeout(clientLow.channel, 50*time.Millisecond)
  601. assertEventStreamLowUserReceivesNothing(t, lowEvents)
  602. assertEventStreamAdminReceivesSecretActionEvents(t, adminEvents)
  603. }
  604. func addEventStreamTestClients(t *testing.T, api *oliveTinAPI, lowUser, adminUser *authpublic.AuthenticatedUser) (*streamingClient, *streamingClient) {
  605. t.Helper()
  606. clientLow := &streamingClient{
  607. channel: make(chan *apiv1.EventStreamResponse, 20),
  608. AuthenticatedUser: lowUser,
  609. }
  610. clientAdmin := &streamingClient{
  611. channel: make(chan *apiv1.EventStreamResponse, 20),
  612. AuthenticatedUser: adminUser,
  613. }
  614. api.streamingClientsMutex.Lock()
  615. api.streamingClients[clientLow] = struct{}{}
  616. api.streamingClients[clientAdmin] = struct{}{}
  617. api.streamingClientsMutex.Unlock()
  618. return clientLow, clientAdmin
  619. }
  620. func removeEventStreamTestClients(api *oliveTinAPI, clientLow, clientAdmin *streamingClient) {
  621. api.streamingClientsMutex.Lock()
  622. delete(api.streamingClients, clientLow)
  623. delete(api.streamingClients, clientAdmin)
  624. api.streamingClientsMutex.Unlock()
  625. close(clientLow.channel)
  626. close(clientAdmin.channel)
  627. }
  628. func runEventStreamTestExecution(t *testing.T, ex *executor.Executor, cfg *config.Config, binding *executor.ActionBinding, adminUser *authpublic.AuthenticatedUser) {
  629. t.Helper()
  630. execReq := &executor.ExecutionRequest{
  631. Binding: binding,
  632. Arguments: map[string]string{},
  633. TrackingID: uuid.NewString(),
  634. Cfg: cfg,
  635. AuthenticatedUser: adminUser,
  636. }
  637. wg, _ := ex.ExecRequest(execReq)
  638. wg.Wait()
  639. }
  640. func drainEventStreamUntilFinished(ch <-chan *apiv1.EventStreamResponse, timeout time.Duration) []*apiv1.EventStreamResponse {
  641. var out []*apiv1.EventStreamResponse
  642. deadline := time.Now().Add(timeout)
  643. for time.Now().Before(deadline) {
  644. ev, finished := recvEventStreamOne(ch, 50*time.Millisecond)
  645. if ev != nil {
  646. out = append(out, ev)
  647. }
  648. if finished {
  649. return out
  650. }
  651. }
  652. return out
  653. }
  654. func recvEventStreamOne(ch <-chan *apiv1.EventStreamResponse, timeout time.Duration) (*apiv1.EventStreamResponse, bool) {
  655. select {
  656. case ev, ok := <-ch:
  657. if !ok {
  658. return nil, true
  659. }
  660. return ev, ev.GetExecutionFinished() != nil
  661. case <-time.After(timeout):
  662. return nil, true
  663. }
  664. }
  665. func eventStreamRecvResult(ev *apiv1.EventStreamResponse, ok bool) (*apiv1.EventStreamResponse, bool) {
  666. if !ok {
  667. return nil, true
  668. }
  669. return ev, false
  670. }
  671. func recvEventStreamWithTimeoutOne(ch <-chan *apiv1.EventStreamResponse, timeout time.Duration) (*apiv1.EventStreamResponse, bool) {
  672. select {
  673. case ev, ok := <-ch:
  674. return eventStreamRecvResult(ev, ok)
  675. case <-time.After(timeout):
  676. return nil, true
  677. }
  678. }
  679. func drainEventStreamWithTimeout(ch <-chan *apiv1.EventStreamResponse, timeout time.Duration) []*apiv1.EventStreamResponse {
  680. var out []*apiv1.EventStreamResponse
  681. for {
  682. ev, done := recvEventStreamWithTimeoutOne(ch, timeout)
  683. if done {
  684. return out
  685. }
  686. out = append(out, ev)
  687. }
  688. }
  689. func assertEventStreamLowUserReceivesNothing(t *testing.T, lowEvents []*apiv1.EventStreamResponse) {
  690. t.Helper()
  691. for _, ev := range lowEvents {
  692. assert.Nil(t, ev.GetExecutionStarted(), "low-privilege user must not receive ExecutionStarted")
  693. assert.Nil(t, ev.GetExecutionFinished(), "low-privilege user must not receive ExecutionFinished")
  694. assert.Nil(t, ev.GetOutputChunk(), "low-privilege user must not receive OutputChunk")
  695. }
  696. assert.Empty(t, lowEvents, "low-privilege user with Logs:false must not receive any execution events")
  697. }
  698. func assertEventStreamAdminReceivesSecretActionEvents(t *testing.T, adminEvents []*apiv1.EventStreamResponse) {
  699. t.Helper()
  700. var gotStarted, gotFinished bool
  701. for _, ev := range adminEvents {
  702. if ev.GetExecutionStarted() != nil {
  703. gotStarted = true
  704. assert.Equal(t, "secret_action", ev.GetExecutionStarted().LogEntry.GetBindingId())
  705. }
  706. if ev.GetExecutionFinished() != nil {
  707. gotFinished = true
  708. assert.Equal(t, "secret_action", ev.GetExecutionFinished().LogEntry.GetBindingId())
  709. }
  710. }
  711. assert.True(t, gotStarted, "admin must receive ExecutionStarted for secret_action")
  712. assert.True(t, gotFinished, "admin must receive ExecutionFinished for secret_action")
  713. }
  714. func TestExecutionStatusReturnsBackToDashboards(t *testing.T) {
  715. cfg := config.DefaultConfig()
  716. cfg.Actions = []*config.Action{
  717. {Title: "Dashboard Action", Shell: "echo ok"},
  718. }
  719. cfg.Dashboards = []*config.DashboardComponent{
  720. {
  721. Title: "Ops",
  722. Contents: []*config.DashboardComponent{
  723. {Title: "Dashboard Action"},
  724. },
  725. },
  726. }
  727. ex := executor.DefaultExecutor(cfg)
  728. ex.RebuildActionMap()
  729. binding := ex.FindBindingWithNoEntity(cfg.Actions[0])
  730. require.NotNil(t, binding)
  731. _, client := getNewTestServerAndClientWithExecutor(cfg, ex)
  732. startResp, err := client.StartAction(context.Background(), connect.NewRequest(&apiv1.StartActionRequest{
  733. BindingId: binding.ID,
  734. }))
  735. require.NoError(t, err)
  736. statusResp, err := client.ExecutionStatus(context.Background(), connect.NewRequest(&apiv1.ExecutionStatusRequest{
  737. ExecutionTrackingId: startResp.Msg.ExecutionTrackingId,
  738. }))
  739. require.NoError(t, err)
  740. require.NotNil(t, statusResp.Msg)
  741. require.Len(t, statusResp.Msg.BackToDashboards, 1)
  742. assert.Equal(t, "Ops", statusResp.Msg.BackToDashboards[0].Title)
  743. assert.Equal(t, "/dashboards/Ops", statusResp.Msg.BackToDashboards[0].Path)
  744. }
  745. func TestGetActionBindingReturnsBackToDashboards(t *testing.T) {
  746. cfg := config.DefaultConfig()
  747. cfg.Actions = []*config.Action{
  748. {Title: "Dashboard Action", Shell: "echo ok"},
  749. }
  750. cfg.Dashboards = []*config.DashboardComponent{
  751. {
  752. Title: "Ops",
  753. Contents: []*config.DashboardComponent{
  754. {Title: "Dashboard Action"},
  755. },
  756. },
  757. }
  758. ex := executor.DefaultExecutor(cfg)
  759. ex.RebuildActionMap()
  760. binding := ex.FindBindingWithNoEntity(cfg.Actions[0])
  761. require.NotNil(t, binding)
  762. _, client := getNewTestServerAndClientWithExecutor(cfg, ex)
  763. resp, err := client.GetActionBinding(context.Background(), connect.NewRequest(&apiv1.GetActionBindingRequest{
  764. BindingId: binding.ID,
  765. }))
  766. require.NoError(t, err)
  767. require.NotNil(t, resp.Msg)
  768. require.Len(t, resp.Msg.BackToDashboards, 1)
  769. assert.Equal(t, "Ops", resp.Msg.BackToDashboards[0].Title)
  770. assert.Equal(t, "/dashboards/Ops", resp.Msg.BackToDashboards[0].Path)
  771. }
  772. func TestBuildActionIncludesGroups(t *testing.T) {
  773. cfg := config.DefaultConfig()
  774. cfg.ActionGroups = map[string]*config.ActionGroup{
  775. "con2queue10": {MaxConcurrent: 2, QueueSize: 10},
  776. }
  777. cfg.Actions = []*config.Action{
  778. {Title: "Long running action", Shell: "sleep 1", Groups: []string{"con2queue10", "missing"}},
  779. }
  780. cfg.Sanitize()
  781. ex := executor.DefaultExecutor(cfg)
  782. ex.RebuildActionMap()
  783. binding := ex.FindBindingWithNoEntity(cfg.Actions[0])
  784. require.NotNil(t, binding)
  785. rr := &DashboardRenderRequest{cfg: cfg, ex: ex}
  786. actionResult := buildAction(binding, rr)
  787. require.Len(t, actionResult.Groups, 2)
  788. assert.Equal(t, "con2queue10", actionResult.Groups[0].Name)
  789. assert.Equal(t, int32(2), actionResult.Groups[0].MaxConcurrent)
  790. assert.Equal(t, int32(10), actionResult.Groups[0].QueueSize)
  791. assert.Equal(t, "missing", actionResult.Groups[1].Name)
  792. assert.Equal(t, int32(0), actionResult.Groups[1].MaxConcurrent)
  793. }