| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921 |
- package api
- import (
- "context"
- "net/http"
- "net/http/httptest"
- "path"
- "testing"
- "time"
- "connectrpc.com/connect"
- "github.com/google/uuid"
- log "github.com/sirupsen/logrus"
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
- apiv1 "github.com/OliveTin/OliveTin/gen/olivetin/api/v1"
- apiv1connect "github.com/OliveTin/OliveTin/gen/olivetin/api/v1/apiv1connect"
- authpublic "github.com/OliveTin/OliveTin/internal/auth/authpublic"
- config "github.com/OliveTin/OliveTin/internal/config"
- "github.com/OliveTin/OliveTin/internal/entities"
- "github.com/OliveTin/OliveTin/internal/executor"
- )
- func getNewTestServerAndClient(injectedConfig *config.Config) (*httptest.Server, apiv1connect.OliveTinApiServiceClient) {
- ex := executor.DefaultExecutor(injectedConfig)
- ex.RebuildActionMap()
- return getNewTestServerAndClientWithExecutor(injectedConfig, ex)
- }
- func getNewTestServerAndClientWithExecutor(injectedConfig *config.Config, ex *executor.Executor) (*httptest.Server, apiv1connect.OliveTinApiServiceClient) {
- apiPath, apiHandler := GetNewHandler(ex)
- mux := http.NewServeMux()
- mux.Handle("/api/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- log.Infof("HTTP Request: %s %s", r.Method, r.URL.Path)
- // Translate /api/<service>/<method> to <service>/<method>
- fn := path.Base(r.URL.Path)
- r.URL.Path = apiPath + fn
- apiHandler.ServeHTTP(w, r)
- }))
- log.Infof("API path is %s", apiPath)
- httpclient := &http.Client{}
- ts := httptest.NewServer(mux)
- client := apiv1connect.NewOliveTinApiServiceClient(httpclient, ts.URL+"/api")
- log.Infof("Test server URL is %s", ts.URL+"/api"+apiPath)
- return ts, client
- }
- func TestApplyActionExecTriggersIncludesWebhookHeaderAndQueryMatches(t *testing.T) {
- cfg := &config.Action{
- ExecOnWebhook: []config.WebhookConfig{
- {
- MatchHeaders: map[string]string{"X-GitHub-Event": "push"},
- MatchQuery: map[string]string{"source": "github"},
- },
- },
- }
- pb := &apiv1.Action{}
- applyActionExecTriggers(pb, cfg)
- require.Len(t, pb.ExecOnWebhooks, 1)
- assert.Equal(t, cfg.ExecOnWebhook[0].MatchHeaders, pb.ExecOnWebhooks[0].MatchHeaders)
- assert.Equal(t, cfg.ExecOnWebhook[0].MatchQuery, pb.ExecOnWebhooks[0].MatchQuery)
- }
- func TestGetActionsAndStart(t *testing.T) {
- cfg := config.DefaultConfig()
- btn1 := &config.Action{}
- btn1.Title = "blat"
- btn1.ID = "blat"
- btn1.Shell = "echo 'test'"
- cfg.Actions = append(cfg.Actions, btn1)
- ex := executor.DefaultExecutor(cfg)
- ex.RebuildActionMap()
- conn, client := getNewTestServerAndClient(cfg)
- respInit, errInit := client.Init(context.Background(), connect.NewRequest(&apiv1.InitRequest{}))
- respGetReady, errReady := client.GetReadyz(context.Background(), connect.NewRequest(&apiv1.GetReadyzRequest{}))
- if errInit != nil {
- t.Errorf("Init request failed: %v", errInit)
- return
- }
- if errReady != nil {
- t.Errorf("GetReadyz request failed: %v", errReady)
- return
- }
- log.Infof("GetReadyz response: %v", respGetReady.Msg)
- assert.Equal(t, true, true, "sayHello Failed")
- // assert.Equal(t, 1, len(respGb.Msg.Actions), "Got 1 action button back")
- log.Printf("Response: %+v", respInit)
- respSa, err := client.StartAction(context.Background(), connect.NewRequest(&apiv1.StartActionRequest{
- // ActionId: "blat"
- }))
- assert.NotNil(t, err, "Error 404 after start action")
- assert.Nil(t, respSa, "Nil response for non existing action")
- defer conn.Close()
- }
- func TestGetEntities(t *testing.T) {
- cfg := config.DefaultConfig()
- ts, client := getNewTestServerAndClient(cfg)
- defer ts.Close()
- setupTestEntities()
- resp, err := client.GetEntities(context.Background(), connect.NewRequest(&apiv1.GetEntitiesRequest{}))
- assert.NoError(t, err, "GetEntities should not return an error")
- assert.NotNil(t, resp, "GetEntities response should not be nil")
- assert.NotNil(t, resp.Msg, "GetEntities response message should not be nil")
- entityDefinitions := resp.Msg.EntityDefinitions
- assert.Equal(t, 3, len(entityDefinitions), "Should return 3 entity definitions")
- validateEntityOrderAndStructure(t, entityDefinitions)
- validateNoDuplicates(t, entityDefinitions)
- validateConsistency(t, client, entityDefinitions)
- }
- func setupTestEntities() {
- entities.ClearEntitiesOfType("server")
- entities.ClearEntitiesOfType("database")
- entities.ClearEntitiesOfType("application")
- entities.AddEntity("server", "zebra", map[string]any{"title": "Server Zebra", "hostname": "zebra.example.com"})
- entities.AddEntity("server", "alpha", map[string]any{"title": "Server Alpha", "hostname": "alpha.example.com"})
- entities.AddEntity("server", "beta", map[string]any{"title": "Server Beta", "hostname": "beta.example.com"})
- entities.AddEntity("database", "mysql", map[string]any{"title": "MySQL Database", "type": "mysql"})
- entities.AddEntity("database", "postgres", map[string]any{"title": "PostgreSQL Database", "type": "postgres"})
- entities.AddEntity("application", "webapp", map[string]any{"title": "Web Application", "port": 8080})
- }
- func validateEntityOrderAndStructure(t *testing.T, entityDefinitions []*apiv1.EntityDefinition) {
- assert.Equal(t, "application", entityDefinitions[0].Title, "First entity should be 'application' (alphabetically first)")
- assert.Equal(t, 1, len(entityDefinitions[0].Instances), "Application should have 1 instance")
- assert.Equal(t, "webapp", entityDefinitions[0].Instances[0].UniqueKey, "Application instance should be 'webapp'")
- assert.Equal(t, "database", entityDefinitions[1].Title, "Second entity should be 'database' (alphabetically second)")
- assert.Equal(t, 2, len(entityDefinitions[1].Instances), "Database should have 2 instances")
- assert.Equal(t, "mysql", entityDefinitions[1].Instances[0].UniqueKey, "First database instance should be 'mysql' (alphabetically first)")
- assert.Equal(t, "postgres", entityDefinitions[1].Instances[1].UniqueKey, "Second database instance should be 'postgres' (alphabetically second)")
- assert.Equal(t, "server", entityDefinitions[2].Title, "Third entity should be 'server' (alphabetically third)")
- assert.Equal(t, 3, len(entityDefinitions[2].Instances), "Server should have 3 instances")
- assert.Equal(t, "alpha", entityDefinitions[2].Instances[0].UniqueKey, "First server instance should be 'alpha' (alphabetically first)")
- assert.Equal(t, "beta", entityDefinitions[2].Instances[1].UniqueKey, "Second server instance should be 'beta' (alphabetically second)")
- assert.Equal(t, "zebra", entityDefinitions[2].Instances[2].UniqueKey, "Third server instance should be 'zebra' (alphabetically third)")
- }
- func validateNoDuplicates(t *testing.T, entityDefinitions []*apiv1.EntityDefinition) {
- instanceKeys := make(map[string]map[string]bool)
- for _, def := range entityDefinitions {
- instanceKeys[def.Title] = make(map[string]bool)
- for _, inst := range def.Instances {
- assert.False(t, instanceKeys[def.Title][inst.UniqueKey], "Instance key %s should not be duplicated in entity %s", inst.UniqueKey, def.Title)
- instanceKeys[def.Title][inst.UniqueKey] = true
- }
- }
- }
- func validateConsistency(t *testing.T, client apiv1connect.OliveTinApiServiceClient, entityDefinitions []*apiv1.EntityDefinition) {
- resp2, err2 := client.GetEntities(context.Background(), connect.NewRequest(&apiv1.GetEntitiesRequest{}))
- assert.NoError(t, err2, "Second GetEntities call should not return an error")
- assert.Equal(t, len(entityDefinitions), len(resp2.Msg.EntityDefinitions), "Second call should return same number of entity definitions")
- for i, def := range entityDefinitions {
- assert.Equal(t, def.Title, resp2.Msg.EntityDefinitions[i].Title, "Entity order should be consistent across calls")
- assert.Equal(t, len(def.Instances), len(resp2.Msg.EntityDefinitions[i].Instances), "Instance count should be consistent")
- for j, inst := range def.Instances {
- assert.Equal(t, inst.UniqueKey, resp2.Msg.EntityDefinitions[i].Instances[j].UniqueKey, "Instance order should be consistent across calls")
- }
- }
- }
- func TestEvaluateEnabledExpression(t *testing.T) {
- tests := []struct {
- name string
- expression string
- entity *entities.Entity
- expectedResult bool
- }{
- {
- name: "empty expression returns true",
- expression: "",
- entity: nil,
- expectedResult: true,
- },
- {
- name: "literal true returns true",
- expression: "true",
- entity: nil,
- expectedResult: true,
- },
- {
- name: "literal True returns true (case insensitive)",
- expression: "True",
- entity: nil,
- expectedResult: true,
- },
- {
- name: "literal 1 returns true",
- expression: "1",
- entity: nil,
- expectedResult: true,
- },
- {
- name: "literal false returns false",
- expression: "false",
- entity: nil,
- expectedResult: false,
- },
- {
- name: "literal 0 returns false",
- expression: "0",
- entity: nil,
- expectedResult: false,
- },
- {
- name: "empty result returns false",
- expression: "{{ .NonExistent }}",
- entity: nil,
- expectedResult: false,
- },
- {
- name: "expression with CurrentEntity true",
- expression: "{{ eq .CurrentEntity.powered_on true }}",
- entity: &entities.Entity{Data: map[string]any{"powered_on": true}},
- expectedResult: true,
- },
- {
- name: "expression with CurrentEntity false",
- expression: "{{ eq .CurrentEntity.powered_on true }}",
- entity: &entities.Entity{Data: map[string]any{"powered_on": false}},
- expectedResult: false,
- },
- {
- name: "expression with CurrentEntity integer 1",
- expression: "{{ .CurrentEntity.status }}",
- entity: &entities.Entity{Data: map[string]any{"status": 1}},
- expectedResult: true,
- },
- {
- name: "expression with CurrentEntity integer 0",
- expression: "{{ .CurrentEntity.status }}",
- entity: &entities.Entity{Data: map[string]any{"status": 0}},
- expectedResult: false,
- },
- {
- name: "template parse error returns false",
- expression: "{{ invalid syntax }}",
- entity: nil,
- expectedResult: false,
- },
- {
- name: "template exec error returns false",
- expression: "{{ .CurrentEntity.nonexistent }}",
- entity: nil,
- expectedResult: false,
- },
- }
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- action := &config.Action{
- EnabledExpression: tt.expression,
- }
- result := evaluateEnabledExpression(action, tt.entity)
- assert.Equal(t, tt.expectedResult, result, "evaluateEnabledExpression should return expected result")
- })
- }
- }
- func TestBuildActionWithEnabledExpression(t *testing.T) {
- cfg := config.DefaultConfig()
- cfg.DefaultPermissions.Exec = true
- action := &config.Action{
- Title: "Test Action",
- Shell: "echo test",
- EnabledExpression: "{{ eq .CurrentEntity.enabled true }}",
- }
- cfg.Actions = append(cfg.Actions, action)
- ex := executor.DefaultExecutor(cfg)
- ex.RebuildActionMap()
- binding := findBindingByTitle(ex, "Test Action")
- assert.NotNil(t, binding, "Binding should be found")
- rr := &DashboardRenderRequest{
- AuthenticatedUser: &authpublic.AuthenticatedUser{Username: "testuser"},
- cfg: cfg,
- ex: ex,
- }
- testWithEntity(t, binding, rr, true, true, "Action should be executable when entity.enabled is true")
- testWithEntity(t, binding, rr, false, false, "Action should not be executable when entity.enabled is false")
- bindingNoExpr := findBindingByTitle(ex, "Test Action No Expression")
- if bindingNoExpr == nil {
- actionNoExpression := &config.Action{
- Title: "Test Action No Expression",
- Shell: "echo test",
- }
- cfg.Actions = append(cfg.Actions, actionNoExpression)
- ex.RebuildActionMap()
- bindingNoExpr = findBindingByTitle(ex, "Test Action No Expression")
- }
- actionResult := buildAction(bindingNoExpr, rr)
- assert.True(t, actionResult.CanExec, "Action without enabledExpression should be executable")
- }
- func findBindingByTitle(ex *executor.Executor, title string) *executor.ActionBinding {
- ex.MapActionBindingsLock.RLock()
- defer ex.MapActionBindingsLock.RUnlock()
- for _, b := range ex.MapActionBindings {
- if b.Action.Title == title {
- return b
- }
- }
- return nil
- }
- func testWithEntity(t *testing.T, binding *executor.ActionBinding, rr *DashboardRenderRequest, enabled bool, expectedCanExec bool, message string) {
- binding.Entity = &entities.Entity{
- UniqueKey: "test-entity",
- Data: map[string]any{"enabled": enabled},
- }
- actionResult := buildAction(binding, rr)
- assert.Equal(t, expectedCanExec, actionResult.CanExec, message)
- }
- // buildViewPermissionTestConfig returns config and users for GHSA view-permission tests:
- // one action "secret_action", ACL "restricted" (view:false, logs:false) for user "low", ACL "full" (view:true, logs:true) for user "admin".
- func buildViewPermissionTestConfig(t *testing.T) (*config.Config, *authpublic.AuthenticatedUser, *authpublic.AuthenticatedUser) {
- t.Helper()
- cfg := config.DefaultConfig()
- cfg.DefaultPermissions.View = false
- cfg.DefaultPermissions.Exec = false
- cfg.DefaultPermissions.Logs = false
- cfg.Actions = append(cfg.Actions, &config.Action{
- ID: "secret_action",
- Title: "Secret Action",
- Shell: "echo sensitive",
- Icon: "🔒",
- })
- cfg.AccessControlLists = append(cfg.AccessControlLists,
- &config.AccessControlList{
- Name: "restricted",
- MatchUsernames: []string{"low"},
- AddToEveryAction: true,
- Permissions: config.PermissionsList{View: false, Exec: false, Logs: false, Kill: false},
- },
- &config.AccessControlList{
- Name: "full",
- MatchUsernames: []string{"admin"},
- AddToEveryAction: true,
- Permissions: config.PermissionsList{View: true, Exec: true, Logs: true, Kill: true},
- },
- )
- lowUser := &authpublic.AuthenticatedUser{Username: "low"}
- lowUser.BuildUserAcls(cfg)
- adminUser := &authpublic.AuthenticatedUser{Username: "admin"}
- adminUser.BuildUserAcls(cfg)
- return cfg, lowUser, adminUser
- }
- // TestViewPermissionExcludedFromDashboard (GHSA: view permission) asserts that when a user has view: false,
- // the default dashboard must not include that action. Covers GetDashboard not leaking action metadata.
- func TestViewPermissionExcludedFromDashboard(t *testing.T) {
- cfg, lowUser, _ := buildViewPermissionTestConfig(t)
- ex := executor.DefaultExecutor(cfg)
- ex.RebuildActionMap()
- rr := &DashboardRenderRequest{
- AuthenticatedUser: lowUser,
- cfg: cfg,
- ex: ex,
- }
- db := buildDefaultDashboard(rr)
- bindingIdsInDashboard := bindingIdsInDashboardContents(db.Contents)
- assert.NotContains(t, bindingIdsInDashboard, "secret_action",
- "user with view:false must not see action in dashboard; got bindingIds: %v", bindingIdsInDashboard)
- }
- // TestGetActionBindingDeniedWhenNoViewPermission (GHSA: view permission) asserts that GetActionBinding
- // returns permission denied for a user with view: false. Covers GetActionBinding not exposing action details.
- func TestGetActionBindingDeniedWhenNoViewPermission(t *testing.T) {
- cfg, lowUser, _ := buildViewPermissionTestConfig(t)
- ex := executor.DefaultExecutor(cfg)
- ex.RebuildActionMap()
- api := newServer(ex)
- _, err := api.getActionBindingResponse(lowUser, "secret_action")
- require.Error(t, err)
- assert.Equal(t, connect.CodePermissionDenied, connect.CodeOf(err),
- "user with view:false must get permission denied from GetActionBinding")
- }
- // TestValidateArgumentTypeDeniesGuestsWhenLoginRequired (GHSA-f637-w7p2-m7fx) asserts that when
- // guests must log in, ValidateArgumentType does not bypass dashboard access controls.
- func TestValidateArgumentTypeDeniesGuestsWhenLoginRequired(t *testing.T) {
- cfg := config.DefaultConfig()
- cfg.AuthRequireGuestsToLogin = true
- cfg.Actions = append(cfg.Actions, &config.Action{
- ID: "a1",
- Title: "Probe",
- Shell: "echo",
- Arguments: []config.ActionArgument{
- {Name: "x", Type: "ascii"},
- },
- })
- ex := executor.DefaultExecutor(cfg)
- ex.RebuildActionMap()
- ts, client := getNewTestServerAndClient(cfg)
- defer ts.Close()
- _, err := client.ValidateArgumentType(context.Background(), connect.NewRequest(&apiv1.ValidateArgumentTypeRequest{
- BindingId: "a1",
- ArgumentName: "x",
- Value: "v",
- Type: "ascii",
- }))
- require.Error(t, err)
- assert.Equal(t, connect.CodePermissionDenied, connect.CodeOf(err),
- "guest must not call ValidateArgumentType when AuthRequireGuestsToLogin is true")
- }
- // TestValidateArgumentTypeDeniedWithoutViewPermission (GHSA-f637-w7p2-m7fx) asserts ValidateArgumentType
- // respects the same view ACL as GetActionBinding so the RPC cannot enumerate restricted actions.
- func TestValidateArgumentTypeDeniedWithoutViewPermission(t *testing.T) {
- cfg, _, _ := buildViewPermissionTestConfig(t)
- cfg.AuthHttpHeaderUsername = "X-Ot-User"
- for i := range cfg.Actions {
- if cfg.Actions[i].ID == "secret_action" {
- cfg.Actions[i].Arguments = []config.ActionArgument{{Name: "target", Type: "ascii"}}
- break
- }
- }
- ex := executor.DefaultExecutor(cfg)
- ex.RebuildActionMap()
- ts, client := getNewTestServerAndClient(cfg)
- defer ts.Close()
- req := connect.NewRequest(&apiv1.ValidateArgumentTypeRequest{
- BindingId: "secret_action",
- ArgumentName: "target",
- Value: "ok",
- Type: "ascii",
- })
- req.Header().Set("X-Ot-User", "low")
- _, err := client.ValidateArgumentType(context.Background(), req)
- require.Error(t, err)
- assert.Equal(t, connect.CodePermissionDenied, connect.CodeOf(err),
- "user with view:false must get permission denied from ValidateArgumentType")
- }
- // TestValidateArgumentTypeAllowedWithViewPermission (GHSA-f637-w7p2-m7fx) asserts authenticated users
- // with view access can still use ValidateArgumentType for argument validation.
- func TestValidateArgumentTypeAllowedWithViewPermission(t *testing.T) {
- cfg, _, _ := buildViewPermissionTestConfig(t)
- cfg.AuthHttpHeaderUsername = "X-Ot-User"
- for i := range cfg.Actions {
- if cfg.Actions[i].ID == "secret_action" {
- cfg.Actions[i].Arguments = []config.ActionArgument{{Name: "target", Type: "ascii"}}
- break
- }
- }
- ex := executor.DefaultExecutor(cfg)
- ex.RebuildActionMap()
- ts, client := getNewTestServerAndClient(cfg)
- defer ts.Close()
- req := connect.NewRequest(&apiv1.ValidateArgumentTypeRequest{
- BindingId: "secret_action",
- ArgumentName: "target",
- Value: "ok",
- Type: "ascii",
- })
- req.Header().Set("X-Ot-User", "admin")
- resp, err := client.ValidateArgumentType(context.Background(), req)
- require.NoError(t, err)
- require.NotNil(t, resp)
- require.NotNil(t, resp.Msg)
- assert.True(t, resp.Msg.Valid, "admin with view:true should get successful validation for a valid ascii value")
- }
- // TestViewPermissionAllowedSeesAction (GHSA: view permission) asserts that a user with view: true
- // still sees the action in the dashboard and can fetch it via GetActionBinding.
- func TestViewPermissionAllowedSeesAction(t *testing.T) {
- cfg, _, adminUser := buildViewPermissionTestConfig(t)
- ex := executor.DefaultExecutor(cfg)
- ex.RebuildActionMap()
- api := newServer(ex)
- rr := &DashboardRenderRequest{
- AuthenticatedUser: adminUser,
- cfg: cfg,
- ex: ex,
- }
- db := buildDefaultDashboard(rr)
- bindingIdsInDashboard := bindingIdsInDashboardContents(db.Contents)
- assert.Contains(t, bindingIdsInDashboard, "secret_action",
- "user with view:true must see action in dashboard; got bindingIds: %v", bindingIdsInDashboard)
- resp, err := api.getActionBindingResponse(adminUser, "secret_action")
- require.NoError(t, err)
- require.NotNil(t, resp)
- require.NotNil(t, resp.Action)
- assert.Equal(t, "secret_action", resp.Action.BindingId)
- }
- // TestViewPermissionExcludedFromCustomDashboard (issue #921) asserts that when a custom dashboard
- // lists an action by title, users without view permission do not see that action (title or icon).
- func TestViewPermissionExcludedFromCustomDashboard(t *testing.T) {
- cfg, lowUser, _ := buildViewPermissionTestConfig(t)
- cfg.Dashboards = []*config.DashboardComponent{
- {
- Title: "Custom",
- Contents: []*config.DashboardComponent{
- {Title: "Secret Action"},
- },
- },
- }
- ex := executor.DefaultExecutor(cfg)
- ex.RebuildActionMap()
- rr := &DashboardRenderRequest{
- AuthenticatedUser: lowUser,
- cfg: cfg,
- ex: ex,
- }
- dashboard := findDashboardByTitle(rr, "Custom")
- require.NotNil(t, dashboard)
- db := buildDashboardFromConfig(dashboard, rr)
- require.NotNil(t, db)
- bindingIdsInDashboard := bindingIdsInDashboardContents(db.Contents)
- assert.NotContains(t, bindingIdsInDashboard, "secret_action",
- "user with view:false must not see action on custom dashboard; got bindingIds: %v", bindingIdsInDashboard)
- assert.False(t, dashboardContentsContainForbiddenComponent(db.Contents, "Secret Action", "🔒"),
- "user with view:false must not see Secret Action title or lock icon in custom dashboard")
- }
- // TestViewPermissionExcludedFromEntityDashboard (GHSA: view permission) asserts that when a dashboard
- // has an entity fieldset listing an action, users without view permission do not see that action.
- func TestViewPermissionExcludedFromEntityDashboard(t *testing.T) {
- entities.ClearEntitiesOfType("vp_entity_test")
- defer entities.ClearEntitiesOfType("vp_entity_test")
- entities.AddEntity("vp_entity_test", "1", map[string]any{"title": "Test Entity"})
- cfg, lowUser, _ := buildViewPermissionTestConfig(t)
- cfg.Dashboards = []*config.DashboardComponent{
- {
- Title: "WithEntity",
- Contents: []*config.DashboardComponent{
- {
- Title: "Servers", Type: "fieldset", Entity: "vp_entity_test",
- Contents: []*config.DashboardComponent{{Title: "Secret Action"}},
- },
- },
- },
- }
- ex := executor.DefaultExecutor(cfg)
- ex.RebuildActionMap()
- rr := &DashboardRenderRequest{
- AuthenticatedUser: lowUser,
- cfg: cfg,
- ex: ex,
- }
- dashboard := findDashboardByTitle(rr, "WithEntity")
- require.NotNil(t, dashboard)
- db := buildDashboardFromConfig(dashboard, rr)
- require.NotNil(t, db)
- bindingIdsInDashboard := bindingIdsInDashboardContents(db.Contents)
- assert.NotContains(t, bindingIdsInDashboard, "secret_action",
- "user with view:false must not see action in entity fieldset; got bindingIds: %v", bindingIdsInDashboard)
- assert.False(t, dashboardContentsContainForbiddenComponent(db.Contents, "Secret Action", "🔒"),
- "user with view:false must not see Secret Action title or lock icon in entity dashboard")
- }
- func bindingIdsInDashboardContents(contents []*apiv1.DashboardComponent) []string {
- var ids []string
- for _, c := range contents {
- ids = append(ids, bindingIdsFromComponent(c)...)
- }
- return ids
- }
- func bindingIdsFromComponent(c *apiv1.DashboardComponent) []string {
- if c == nil {
- return nil
- }
- var ids []string
- if c.Action != nil && c.Action.BindingId != "" {
- ids = append(ids, c.Action.BindingId)
- }
- return append(ids, bindingIdsInDashboardContents(c.Contents)...)
- }
- func componentHasForbiddenTitleOrIcon(c *apiv1.DashboardComponent, forbiddenTitle, forbiddenIcon string) bool {
- return c != nil && (c.Title == forbiddenTitle || c.Icon == forbiddenIcon)
- }
- func componentOrDescendantsContainForbidden(c *apiv1.DashboardComponent, forbiddenTitle, forbiddenIcon string) bool {
- if c == nil {
- return false
- }
- if componentHasForbiddenTitleOrIcon(c, forbiddenTitle, forbiddenIcon) {
- return true
- }
- return dashboardContentsContainForbiddenComponent(c.Contents, forbiddenTitle, forbiddenIcon)
- }
- // dashboardContentsContainForbiddenComponent recursively walks contents and returns true if any
- // component has Title == forbiddenTitle or Icon == forbiddenIcon.
- func dashboardContentsContainForbiddenComponent(contents []*apiv1.DashboardComponent, forbiddenTitle, forbiddenIcon string) bool {
- for _, c := range contents {
- if componentOrDescendantsContainForbidden(c, forbiddenTitle, forbiddenIcon) {
- return true
- }
- }
- return false
- }
- func TestOrderTopLevelDashboardComponents_RegularFieldsetsPreserveConfigOrder(t *testing.T) {
- zebra := &apiv1.DashboardComponent{Title: "Zebra", Type: "fieldset", EntityType: ""}
- alpha := &apiv1.DashboardComponent{Title: "Alpha", Type: "fieldset", EntityType: ""}
- root := &apiv1.DashboardComponent{Title: "Actions", Type: "fieldset", EntityType: ""}
- components := []*apiv1.DashboardComponent{zebra, alpha, root}
- out := orderTopLevelDashboardComponents(components, root)
- require.Len(t, out, 3)
- assert.Same(t, zebra, out[0], "first must be Zebra (config order)")
- assert.Same(t, alpha, out[1], "second must be Alpha (config order)")
- assert.Same(t, root, out[2], "third must be root Actions fieldset")
- }
- func TestOrderTopLevelDashboardComponents_SortablesSorted(t *testing.T) {
- entityBeta := &apiv1.DashboardComponent{Title: "Beta", Type: "fieldset", EntityType: "server"}
- entityAlpha := &apiv1.DashboardComponent{Title: "Alpha", Type: "fieldset", EntityType: "server"}
- components := []*apiv1.DashboardComponent{entityBeta, entityAlpha}
- out := orderTopLevelDashboardComponents(components, nil)
- require.Len(t, out, 2)
- assert.Equal(t, "Alpha", out[0].Title, "sortables ordered by title")
- assert.Equal(t, "Beta", out[1].Title)
- }
- // TestEventStreamACLNoLeakToUnauthorizedUser (GHSA-228v-wc5r-j8m7) asserts that EventStream
- // does not send execution events or output chunks to users who are not allowed to view that action's logs.
- func TestEventStreamACLNoLeakToUnauthorizedUser(t *testing.T) {
- cfg, lowUser, adminUser := buildViewPermissionTestConfig(t)
- ex := executor.DefaultExecutor(cfg)
- ex.RebuildActionMap()
- api := newServer(ex)
- binding := ex.FindBindingByID("secret_action")
- require.NotNil(t, binding, "secret_action binding must exist")
- clientLow, clientAdmin := addEventStreamTestClients(t, api, lowUser, adminUser)
- defer removeEventStreamTestClients(api, clientLow, clientAdmin)
- runEventStreamTestExecution(t, ex, cfg, binding, adminUser)
- adminEvents := drainEventStreamUntilFinished(clientAdmin.channel, 2*time.Second)
- lowEvents := drainEventStreamWithTimeout(clientLow.channel, 50*time.Millisecond)
- assertEventStreamLowUserReceivesNothing(t, lowEvents)
- assertEventStreamAdminReceivesSecretActionEvents(t, adminEvents)
- }
- func addEventStreamTestClients(t *testing.T, api *oliveTinAPI, lowUser, adminUser *authpublic.AuthenticatedUser) (*streamingClient, *streamingClient) {
- t.Helper()
- clientLow := &streamingClient{
- channel: make(chan *apiv1.EventStreamResponse, 20),
- AuthenticatedUser: lowUser,
- }
- clientAdmin := &streamingClient{
- channel: make(chan *apiv1.EventStreamResponse, 20),
- AuthenticatedUser: adminUser,
- }
- api.streamingClientsMutex.Lock()
- api.streamingClients[clientLow] = struct{}{}
- api.streamingClients[clientAdmin] = struct{}{}
- api.streamingClientsMutex.Unlock()
- return clientLow, clientAdmin
- }
- func removeEventStreamTestClients(api *oliveTinAPI, clientLow, clientAdmin *streamingClient) {
- api.streamingClientsMutex.Lock()
- delete(api.streamingClients, clientLow)
- delete(api.streamingClients, clientAdmin)
- api.streamingClientsMutex.Unlock()
- close(clientLow.channel)
- close(clientAdmin.channel)
- }
- func runEventStreamTestExecution(t *testing.T, ex *executor.Executor, cfg *config.Config, binding *executor.ActionBinding, adminUser *authpublic.AuthenticatedUser) {
- t.Helper()
- execReq := &executor.ExecutionRequest{
- Binding: binding,
- Arguments: map[string]string{},
- TrackingID: uuid.NewString(),
- Cfg: cfg,
- AuthenticatedUser: adminUser,
- }
- wg, _ := ex.ExecRequest(execReq)
- wg.Wait()
- }
- func drainEventStreamUntilFinished(ch <-chan *apiv1.EventStreamResponse, timeout time.Duration) []*apiv1.EventStreamResponse {
- var out []*apiv1.EventStreamResponse
- deadline := time.Now().Add(timeout)
- for time.Now().Before(deadline) {
- ev, finished := recvEventStreamOne(ch, 50*time.Millisecond)
- if ev != nil {
- out = append(out, ev)
- }
- if finished {
- return out
- }
- }
- return out
- }
- func recvEventStreamOne(ch <-chan *apiv1.EventStreamResponse, timeout time.Duration) (*apiv1.EventStreamResponse, bool) {
- select {
- case ev, ok := <-ch:
- if !ok {
- return nil, true
- }
- return ev, ev.GetExecutionFinished() != nil
- case <-time.After(timeout):
- return nil, true
- }
- }
- func eventStreamRecvResult(ev *apiv1.EventStreamResponse, ok bool) (*apiv1.EventStreamResponse, bool) {
- if !ok {
- return nil, true
- }
- return ev, false
- }
- func recvEventStreamWithTimeoutOne(ch <-chan *apiv1.EventStreamResponse, timeout time.Duration) (*apiv1.EventStreamResponse, bool) {
- select {
- case ev, ok := <-ch:
- return eventStreamRecvResult(ev, ok)
- case <-time.After(timeout):
- return nil, true
- }
- }
- func drainEventStreamWithTimeout(ch <-chan *apiv1.EventStreamResponse, timeout time.Duration) []*apiv1.EventStreamResponse {
- var out []*apiv1.EventStreamResponse
- for {
- ev, done := recvEventStreamWithTimeoutOne(ch, timeout)
- if done {
- return out
- }
- out = append(out, ev)
- }
- }
- func assertEventStreamLowUserReceivesNothing(t *testing.T, lowEvents []*apiv1.EventStreamResponse) {
- t.Helper()
- for _, ev := range lowEvents {
- assert.Nil(t, ev.GetExecutionStarted(), "low-privilege user must not receive ExecutionStarted")
- assert.Nil(t, ev.GetExecutionFinished(), "low-privilege user must not receive ExecutionFinished")
- assert.Nil(t, ev.GetOutputChunk(), "low-privilege user must not receive OutputChunk")
- }
- assert.Empty(t, lowEvents, "low-privilege user with Logs:false must not receive any execution events")
- }
- func assertEventStreamAdminReceivesSecretActionEvents(t *testing.T, adminEvents []*apiv1.EventStreamResponse) {
- t.Helper()
- var gotStarted, gotFinished bool
- for _, ev := range adminEvents {
- if ev.GetExecutionStarted() != nil {
- gotStarted = true
- assert.Equal(t, "secret_action", ev.GetExecutionStarted().LogEntry.GetBindingId())
- }
- if ev.GetExecutionFinished() != nil {
- gotFinished = true
- assert.Equal(t, "secret_action", ev.GetExecutionFinished().LogEntry.GetBindingId())
- }
- }
- assert.True(t, gotStarted, "admin must receive ExecutionStarted for secret_action")
- assert.True(t, gotFinished, "admin must receive ExecutionFinished for secret_action")
- }
- func TestExecutionStatusReturnsBackToDashboards(t *testing.T) {
- cfg := config.DefaultConfig()
- cfg.Actions = []*config.Action{
- {Title: "Dashboard Action", Shell: "echo ok"},
- }
- cfg.Dashboards = []*config.DashboardComponent{
- {
- Title: "Ops",
- Contents: []*config.DashboardComponent{
- {Title: "Dashboard Action"},
- },
- },
- }
- ex := executor.DefaultExecutor(cfg)
- ex.RebuildActionMap()
- binding := ex.FindBindingWithNoEntity(cfg.Actions[0])
- require.NotNil(t, binding)
- _, client := getNewTestServerAndClientWithExecutor(cfg, ex)
- startResp, err := client.StartAction(context.Background(), connect.NewRequest(&apiv1.StartActionRequest{
- BindingId: binding.ID,
- }))
- require.NoError(t, err)
- statusResp, err := client.ExecutionStatus(context.Background(), connect.NewRequest(&apiv1.ExecutionStatusRequest{
- ExecutionTrackingId: startResp.Msg.ExecutionTrackingId,
- }))
- require.NoError(t, err)
- require.NotNil(t, statusResp.Msg)
- require.Len(t, statusResp.Msg.BackToDashboards, 1)
- assert.Equal(t, "Ops", statusResp.Msg.BackToDashboards[0].Title)
- assert.Equal(t, "/dashboards/Ops", statusResp.Msg.BackToDashboards[0].Path)
- }
- func TestGetActionBindingReturnsBackToDashboards(t *testing.T) {
- cfg := config.DefaultConfig()
- cfg.Actions = []*config.Action{
- {Title: "Dashboard Action", Shell: "echo ok"},
- }
- cfg.Dashboards = []*config.DashboardComponent{
- {
- Title: "Ops",
- Contents: []*config.DashboardComponent{
- {Title: "Dashboard Action"},
- },
- },
- }
- ex := executor.DefaultExecutor(cfg)
- ex.RebuildActionMap()
- binding := ex.FindBindingWithNoEntity(cfg.Actions[0])
- require.NotNil(t, binding)
- _, client := getNewTestServerAndClientWithExecutor(cfg, ex)
- resp, err := client.GetActionBinding(context.Background(), connect.NewRequest(&apiv1.GetActionBindingRequest{
- BindingId: binding.ID,
- }))
- require.NoError(t, err)
- require.NotNil(t, resp.Msg)
- require.Len(t, resp.Msg.BackToDashboards, 1)
- assert.Equal(t, "Ops", resp.Msg.BackToDashboards[0].Title)
- assert.Equal(t, "/dashboards/Ops", resp.Msg.BackToDashboards[0].Path)
- }
- func TestBuildActionIncludesGroups(t *testing.T) {
- cfg := config.DefaultConfig()
- cfg.ActionGroups = map[string]*config.ActionGroup{
- "con2queue10": {MaxConcurrent: 2, QueueSize: 10},
- }
- cfg.Actions = []*config.Action{
- {Title: "Long running action", Shell: "sleep 1", Groups: []string{"con2queue10", "missing"}},
- }
- cfg.Sanitize()
- ex := executor.DefaultExecutor(cfg)
- ex.RebuildActionMap()
- binding := ex.FindBindingWithNoEntity(cfg.Actions[0])
- require.NotNil(t, binding)
- rr := &DashboardRenderRequest{cfg: cfg, ex: ex}
- actionResult := buildAction(binding, rr)
- require.Len(t, actionResult.Groups, 2)
- assert.Equal(t, "con2queue10", actionResult.Groups[0].Name)
- assert.Equal(t, int32(2), actionResult.Groups[0].MaxConcurrent)
- assert.Equal(t, int32(10), actionResult.Groups[0].QueueSize)
- assert.Equal(t, "missing", actionResult.Groups[1].Name)
- assert.Equal(t, int32(0), actionResult.Groups[1].MaxConcurrent)
- }
|