databricks-cli/bundle/config/validate/folder_permissions_test.go

package validate

import (
	"context"
	"testing"

	"github.com/databricks/cli/bundle"
	"github.com/databricks/cli/bundle/config"
	"github.com/databricks/cli/bundle/config/resources"
	"github.com/databricks/cli/bundle/permissions"
	"github.com/databricks/cli/libs/diag"
	"github.com/databricks/databricks-sdk-go/apierr"
	"github.com/databricks/databricks-sdk-go/experimental/mocks"
	"github.com/databricks/databricks-sdk-go/service/workspace"
	"github.com/stretchr/testify/mock"
	"github.com/stretchr/testify/require"
)

func TestFolderPermissionsInheritedWhenRootPathDoesNotExist(t *testing.T) {
	b := &bundle.Bundle{
		Config: config.Root{
			Workspace: config.Workspace{
				RootPath:     "/Workspace/Users/foo@bar.com",
				ArtifactPath: "/Workspace/Users/otherfoo@bar.com/artifacts",
				FilePath:     "/Workspace/Users/foo@bar.com/files",
				StatePath:    "/Workspace/Users/foo@bar.com/state",
				ResourcePath: "/Workspace/Users/foo@bar.com/resources",
			},
			Permissions: []resources.Permission{
				{Level: permissions.CAN_MANAGE, UserName: "foo@bar.com"},
			},
		},
	}
	m := mocks.NewMockWorkspaceClient(t)
	api := m.GetMockWorkspaceAPI()
	api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Users/otherfoo@bar.com/artifacts").Return(nil, &apierr.APIError{
		StatusCode: 404,
		ErrorCode:  "RESOURCE_DOES_NOT_EXIST",
	})
	api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Users/otherfoo@bar.com").Return(nil, &apierr.APIError{
		StatusCode: 404,
		ErrorCode:  "RESOURCE_DOES_NOT_EXIST",
	})
	api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Users/foo@bar.com").Return(nil, &apierr.APIError{
		StatusCode: 404,
		ErrorCode:  "RESOURCE_DOES_NOT_EXIST",
	})
	api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Users").Return(nil, &apierr.APIError{
		StatusCode: 404,
		ErrorCode:  "RESOURCE_DOES_NOT_EXIST",
	})
	api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace").Return(&workspace.ObjectInfo{
		ObjectId: 1234,
	}, nil)

	api.EXPECT().GetPermissions(mock.Anything, workspace.GetWorkspaceObjectPermissionsRequest{
		WorkspaceObjectId:   "1234",
		WorkspaceObjectType: "directories",
	}).Return(&workspace.WorkspaceObjectPermissions{
		ObjectId: "1234",
		AccessControlList: []workspace.WorkspaceObjectAccessControlResponse{
			{
				UserName: "foo@bar.com",
				AllPermissions: []workspace.WorkspaceObjectPermission{
					{PermissionLevel: "CAN_MANAGE"},
				},
			},
		},
	}, nil)

	b.SetWorkpaceClient(m.WorkspaceClient)
	rb := bundle.ReadOnly(b)

	diags := bundle.ApplyReadOnly(context.Background(), rb, ValidateFolderPermissions())
	require.Empty(t, diags)
}

func TestValidateFolderPermissionsFailsOnMissingBundlePermission(t *testing.T) {
	b := &bundle.Bundle{
		SyncRootPath: t.TempDir(),
		Config: config.Root{
			Workspace: config.Workspace{
				RootPath:     "/Workspace/Users/foo@bar.com",
				ArtifactPath: "/Workspace/Users/foo@bar.com/artifacts",
				FilePath:     "/Workspace/Users/foo@bar.com/files",
				StatePath:    "/Workspace/Users/foo@bar.com/state",
				ResourcePath: "/Workspace/Users/foo@bar.com/resources",
			},
			Permissions: []resources.Permission{
				{Level: permissions.CAN_MANAGE, UserName: "foo@bar.com"},
			},
		},
	}
	m := mocks.NewMockWorkspaceClient(t)
	api := m.GetMockWorkspaceAPI()
	api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Users/foo@bar.com").Return(&workspace.ObjectInfo{
		ObjectId: 1234,
	}, nil)

	api.EXPECT().GetPermissions(mock.Anything, workspace.GetWorkspaceObjectPermissionsRequest{
		WorkspaceObjectId:   "1234",
		WorkspaceObjectType: "directories",
	}).Return(&workspace.WorkspaceObjectPermissions{
		ObjectId: "1234",
		AccessControlList: []workspace.WorkspaceObjectAccessControlResponse{
			{
				UserName: "foo@bar.com",
				AllPermissions: []workspace.WorkspaceObjectPermission{
					{PermissionLevel: "CAN_MANAGE"},
				},
			},
			{
				UserName: "foo2@bar.com",
				AllPermissions: []workspace.WorkspaceObjectPermission{
					{PermissionLevel: "CAN_MANAGE"},
				},
			},
		},
	}, nil)

	b.SetWorkpaceClient(m.WorkspaceClient)
	rb := bundle.ReadOnly(b)

	diags := bundle.ApplyReadOnly(context.Background(), rb, ValidateFolderPermissions())
	require.Len(t, diags, 1)
	require.Equal(t, "untracked permissions apply to target workspace path", diags[0].Summary)
	require.Equal(t, diag.Warning, diags[0].Severity)
	require.Equal(t, "The following permissions apply to the workspace folder at \"/Workspace/Users/foo@bar.com\" but are not configured in the bundle:\n- level: CAN_MANAGE, user_name: foo2@bar.com\n", diags[0].Detail)
}

func TestValidateFolderPermissionsFailsOnPermissionMismatch(t *testing.T) {
	b := &bundle.Bundle{
		SyncRootPath: t.TempDir(),
		Config: config.Root{
			Workspace: config.Workspace{
				RootPath:     "/Workspace/Users/foo@bar.com",
				ArtifactPath: "/Workspace/Users/foo@bar.com/artifacts",
				FilePath:     "/Workspace/Users/foo@bar.com/files",
				StatePath:    "/Workspace/Users/foo@bar.com/state",
				ResourcePath: "/Workspace/Users/foo@bar.com/resources",
			},
			Permissions: []resources.Permission{
				{Level: permissions.CAN_MANAGE, UserName: "foo@bar.com"},
			},
		},
	}
	m := mocks.NewMockWorkspaceClient(t)
	api := m.GetMockWorkspaceAPI()
	api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Users/foo@bar.com").Return(&workspace.ObjectInfo{
		ObjectId: 1234,
	}, nil)

	api.EXPECT().GetPermissions(mock.Anything, workspace.GetWorkspaceObjectPermissionsRequest{
		WorkspaceObjectId:   "1234",
		WorkspaceObjectType: "directories",
	}).Return(&workspace.WorkspaceObjectPermissions{
		ObjectId: "1234",
		AccessControlList: []workspace.WorkspaceObjectAccessControlResponse{
			{
				UserName: "foo2@bar.com",
				AllPermissions: []workspace.WorkspaceObjectPermission{
					{PermissionLevel: "CAN_MANAGE"},
				},
			},
		},
	}, nil)

	b.SetWorkpaceClient(m.WorkspaceClient)
	rb := bundle.ReadOnly(b)

	diags := bundle.ApplyReadOnly(context.Background(), rb, ValidateFolderPermissions())
	require.Len(t, diags, 1)
	require.Equal(t, "untracked permissions apply to target workspace path", diags[0].Summary)
	require.Equal(t, diag.Warning, diags[0].Severity)
}

func TestValidateFolderPermissionsFailsOnNoRootFolder(t *testing.T) {
	b := &bundle.Bundle{
		SyncRootPath: t.TempDir(),
		Config: config.Root{
			Workspace: config.Workspace{
				RootPath:     "/NotExisting",
				ArtifactPath: "/NotExisting/artifacts",
				FilePath:     "/NotExisting/files",
				StatePath:    "/NotExisting/state",
				ResourcePath: "/NotExisting/resources",
			},
			Permissions: []resources.Permission{
				{Level: permissions.CAN_MANAGE, UserName: "foo@bar.com"},
			},
		},
	}
	m := mocks.NewMockWorkspaceClient(t)
	api := m.GetMockWorkspaceAPI()
	api.EXPECT().GetStatusByPath(mock.Anything, "/NotExisting").Return(nil, &apierr.APIError{
		StatusCode: 404,
		ErrorCode:  "RESOURCE_DOES_NOT_EXIST",
	})
	api.EXPECT().GetStatusByPath(mock.Anything, "/").Return(nil, &apierr.APIError{
		StatusCode: 404,
		ErrorCode:  "RESOURCE_DOES_NOT_EXIST",
	})

	b.SetWorkpaceClient(m.WorkspaceClient)
	rb := bundle.ReadOnly(b)

	diags := bundle.ApplyReadOnly(context.Background(), rb, ValidateFolderPermissions())
	require.Len(t, diags, 1)
	require.Equal(t, "folder / and its parent folders do not exist", diags[0].Summary)
	require.Equal(t, diag.Error, diags[0].Severity)
}
Added validator for folder permissions (#1824) ## Changes This validator checks permissions defined in top-level bundle config and permissions set in workspace for the folders bundle is deployed to. It raises the warning if the permissions defined in the workspace are not defined in bundle. This validator is executed only during `bundle validate` command. ## Tests ``` Warning: untracked permissions apply to target workspace path The following permissions apply to the workspace folder at "/Workspace/Users/andrew.nester@databricks.com/.bundle/clusters/default" but are not configured in the bundle: - level: CAN_MANAGE, user_name: andrew.nester@databricks.com ``` --------- Co-authored-by: Pieter Noordhuis <pieter.noordhuis@databricks.com> 2024-10-24 12:36:17 +00:00			`package validate`

			`import (`
			`"context"`
			`"testing"`

			`"github.com/databricks/cli/bundle"`
			`"github.com/databricks/cli/bundle/config"`
			`"github.com/databricks/cli/bundle/config/resources"`
			`"github.com/databricks/cli/bundle/permissions"`
			`"github.com/databricks/cli/libs/diag"`
			`"github.com/databricks/databricks-sdk-go/apierr"`
			`"github.com/databricks/databricks-sdk-go/experimental/mocks"`
			`"github.com/databricks/databricks-sdk-go/service/workspace"`
			`"github.com/stretchr/testify/mock"`
			`"github.com/stretchr/testify/require"`
			`)`

			`func TestFolderPermissionsInheritedWhenRootPathDoesNotExist(t *testing.T) {`
			`b := &bundle.Bundle{`
			`Config: config.Root{`
			`Workspace: config.Workspace{`
			`RootPath: "/Workspace/Users/foo@bar.com",`
			`ArtifactPath: "/Workspace/Users/otherfoo@bar.com/artifacts",`
			`FilePath: "/Workspace/Users/foo@bar.com/files",`
			`StatePath: "/Workspace/Users/foo@bar.com/state",`
			`ResourcePath: "/Workspace/Users/foo@bar.com/resources",`
			`},`
			`Permissions: []resources.Permission{`
			`{Level: permissions.CAN_MANAGE, UserName: "foo@bar.com"},`
			`},`
			`},`
			`}`
			`m := mocks.NewMockWorkspaceClient(t)`
			`api := m.GetMockWorkspaceAPI()`
			`api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Users/otherfoo@bar.com/artifacts").Return(nil, &apierr.APIError{`
			`StatusCode: 404,`
			`ErrorCode: "RESOURCE_DOES_NOT_EXIST",`
			`})`
			`api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Users/otherfoo@bar.com").Return(nil, &apierr.APIError{`
			`StatusCode: 404,`
			`ErrorCode: "RESOURCE_DOES_NOT_EXIST",`
			`})`
			`api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Users/foo@bar.com").Return(nil, &apierr.APIError{`
			`StatusCode: 404,`
			`ErrorCode: "RESOURCE_DOES_NOT_EXIST",`
			`})`
			`api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Users").Return(nil, &apierr.APIError{`
			`StatusCode: 404,`
			`ErrorCode: "RESOURCE_DOES_NOT_EXIST",`
			`})`
			`api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace").Return(&workspace.ObjectInfo{`
			`ObjectId: 1234,`
			`}, nil)`

			`api.EXPECT().GetPermissions(mock.Anything, workspace.GetWorkspaceObjectPermissionsRequest{`
			`WorkspaceObjectId: "1234",`
			`WorkspaceObjectType: "directories",`
			`}).Return(&workspace.WorkspaceObjectPermissions{`
			`ObjectId: "1234",`
			`AccessControlList: []workspace.WorkspaceObjectAccessControlResponse{`
			`{`
			`UserName: "foo@bar.com",`
			`AllPermissions: []workspace.WorkspaceObjectPermission{`
			`{PermissionLevel: "CAN_MANAGE"},`
			`},`
			`},`
			`},`
			`}, nil)`

			`b.SetWorkpaceClient(m.WorkspaceClient)`
			`rb := bundle.ReadOnly(b)`

			`diags := bundle.ApplyReadOnly(context.Background(), rb, ValidateFolderPermissions())`
			`require.Empty(t, diags)`
			`}`

			`func TestValidateFolderPermissionsFailsOnMissingBundlePermission(t *testing.T) {`
			`b := &bundle.Bundle{`
fix: Skip permissions set and check for in-place 2024-11-18 15:05:21 +00:00			`SyncRootPath: t.TempDir(),`
Added validator for folder permissions (#1824) ## Changes This validator checks permissions defined in top-level bundle config and permissions set in workspace for the folders bundle is deployed to. It raises the warning if the permissions defined in the workspace are not defined in bundle. This validator is executed only during `bundle validate` command. ## Tests ``` Warning: untracked permissions apply to target workspace path The following permissions apply to the workspace folder at "/Workspace/Users/andrew.nester@databricks.com/.bundle/clusters/default" but are not configured in the bundle: - level: CAN_MANAGE, user_name: andrew.nester@databricks.com ``` --------- Co-authored-by: Pieter Noordhuis <pieter.noordhuis@databricks.com> 2024-10-24 12:36:17 +00:00			`Config: config.Root{`
			`Workspace: config.Workspace{`
			`RootPath: "/Workspace/Users/foo@bar.com",`
			`ArtifactPath: "/Workspace/Users/foo@bar.com/artifacts",`
			`FilePath: "/Workspace/Users/foo@bar.com/files",`
			`StatePath: "/Workspace/Users/foo@bar.com/state",`
			`ResourcePath: "/Workspace/Users/foo@bar.com/resources",`
			`},`
			`Permissions: []resources.Permission{`
			`{Level: permissions.CAN_MANAGE, UserName: "foo@bar.com"},`
			`},`
			`},`
			`}`
			`m := mocks.NewMockWorkspaceClient(t)`
			`api := m.GetMockWorkspaceAPI()`
			`api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Users/foo@bar.com").Return(&workspace.ObjectInfo{`
			`ObjectId: 1234,`
			`}, nil)`

			`api.EXPECT().GetPermissions(mock.Anything, workspace.GetWorkspaceObjectPermissionsRequest{`
			`WorkspaceObjectId: "1234",`
			`WorkspaceObjectType: "directories",`
			`}).Return(&workspace.WorkspaceObjectPermissions{`
			`ObjectId: "1234",`
			`AccessControlList: []workspace.WorkspaceObjectAccessControlResponse{`
			`{`
			`UserName: "foo@bar.com",`
			`AllPermissions: []workspace.WorkspaceObjectPermission{`
			`{PermissionLevel: "CAN_MANAGE"},`
			`},`
			`},`
			`{`
			`UserName: "foo2@bar.com",`
			`AllPermissions: []workspace.WorkspaceObjectPermission{`
			`{PermissionLevel: "CAN_MANAGE"},`
			`},`
			`},`
			`},`
			`}, nil)`

			`b.SetWorkpaceClient(m.WorkspaceClient)`
			`rb := bundle.ReadOnly(b)`

			`diags := bundle.ApplyReadOnly(context.Background(), rb, ValidateFolderPermissions())`
			`require.Len(t, diags, 1)`
			`require.Equal(t, "untracked permissions apply to target workspace path", diags[0].Summary)`
			`require.Equal(t, diag.Warning, diags[0].Severity)`
			`require.Equal(t, "The following permissions apply to the workspace folder at \"/Workspace/Users/foo@bar.com\" but are not configured in the bundle:\n- level: CAN_MANAGE, user_name: foo2@bar.com\n", diags[0].Detail)`
			`}`

			`func TestValidateFolderPermissionsFailsOnPermissionMismatch(t *testing.T) {`
			`b := &bundle.Bundle{`
fix: Skip permissions set and check for in-place 2024-11-18 15:05:21 +00:00			`SyncRootPath: t.TempDir(),`
Added validator for folder permissions (#1824) ## Changes This validator checks permissions defined in top-level bundle config and permissions set in workspace for the folders bundle is deployed to. It raises the warning if the permissions defined in the workspace are not defined in bundle. This validator is executed only during `bundle validate` command. ## Tests ``` Warning: untracked permissions apply to target workspace path The following permissions apply to the workspace folder at "/Workspace/Users/andrew.nester@databricks.com/.bundle/clusters/default" but are not configured in the bundle: - level: CAN_MANAGE, user_name: andrew.nester@databricks.com ``` --------- Co-authored-by: Pieter Noordhuis <pieter.noordhuis@databricks.com> 2024-10-24 12:36:17 +00:00			`Config: config.Root{`
			`Workspace: config.Workspace{`
			`RootPath: "/Workspace/Users/foo@bar.com",`
			`ArtifactPath: "/Workspace/Users/foo@bar.com/artifacts",`
			`FilePath: "/Workspace/Users/foo@bar.com/files",`
			`StatePath: "/Workspace/Users/foo@bar.com/state",`
			`ResourcePath: "/Workspace/Users/foo@bar.com/resources",`
			`},`
			`Permissions: []resources.Permission{`
			`{Level: permissions.CAN_MANAGE, UserName: "foo@bar.com"},`
			`},`
			`},`
			`}`
			`m := mocks.NewMockWorkspaceClient(t)`
			`api := m.GetMockWorkspaceAPI()`
			`api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Users/foo@bar.com").Return(&workspace.ObjectInfo{`
			`ObjectId: 1234,`
			`}, nil)`

			`api.EXPECT().GetPermissions(mock.Anything, workspace.GetWorkspaceObjectPermissionsRequest{`
			`WorkspaceObjectId: "1234",`
			`WorkspaceObjectType: "directories",`
			`}).Return(&workspace.WorkspaceObjectPermissions{`
			`ObjectId: "1234",`
			`AccessControlList: []workspace.WorkspaceObjectAccessControlResponse{`
			`{`
			`UserName: "foo2@bar.com",`
			`AllPermissions: []workspace.WorkspaceObjectPermission{`
			`{PermissionLevel: "CAN_MANAGE"},`
			`},`
			`},`
			`},`
			`}, nil)`

			`b.SetWorkpaceClient(m.WorkspaceClient)`
			`rb := bundle.ReadOnly(b)`

			`diags := bundle.ApplyReadOnly(context.Background(), rb, ValidateFolderPermissions())`
			`require.Len(t, diags, 1)`
			`require.Equal(t, "untracked permissions apply to target workspace path", diags[0].Summary)`
			`require.Equal(t, diag.Warning, diags[0].Severity)`
			`}`

			`func TestValidateFolderPermissionsFailsOnNoRootFolder(t *testing.T) {`
			`b := &bundle.Bundle{`
fix: Skip permissions set and check for in-place 2024-11-18 15:05:21 +00:00			`SyncRootPath: t.TempDir(),`
Added validator for folder permissions (#1824) ## Changes This validator checks permissions defined in top-level bundle config and permissions set in workspace for the folders bundle is deployed to. It raises the warning if the permissions defined in the workspace are not defined in bundle. This validator is executed only during `bundle validate` command. ## Tests ``` Warning: untracked permissions apply to target workspace path The following permissions apply to the workspace folder at "/Workspace/Users/andrew.nester@databricks.com/.bundle/clusters/default" but are not configured in the bundle: - level: CAN_MANAGE, user_name: andrew.nester@databricks.com ``` --------- Co-authored-by: Pieter Noordhuis <pieter.noordhuis@databricks.com> 2024-10-24 12:36:17 +00:00			`Config: config.Root{`
			`Workspace: config.Workspace{`
			`RootPath: "/NotExisting",`
			`ArtifactPath: "/NotExisting/artifacts",`
			`FilePath: "/NotExisting/files",`
			`StatePath: "/NotExisting/state",`
			`ResourcePath: "/NotExisting/resources",`
			`},`
			`Permissions: []resources.Permission{`
			`{Level: permissions.CAN_MANAGE, UserName: "foo@bar.com"},`
			`},`
			`},`
			`}`
			`m := mocks.NewMockWorkspaceClient(t)`
			`api := m.GetMockWorkspaceAPI()`
			`api.EXPECT().GetStatusByPath(mock.Anything, "/NotExisting").Return(nil, &apierr.APIError{`
			`StatusCode: 404,`
			`ErrorCode: "RESOURCE_DOES_NOT_EXIST",`
			`})`
			`api.EXPECT().GetStatusByPath(mock.Anything, "/").Return(nil, &apierr.APIError{`
			`StatusCode: 404,`
			`ErrorCode: "RESOURCE_DOES_NOT_EXIST",`
			`})`

			`b.SetWorkpaceClient(m.WorkspaceClient)`
			`rb := bundle.ReadOnly(b)`

			`diags := bundle.ApplyReadOnly(context.Background(), rb, ValidateFolderPermissions())`
			`require.Len(t, diags, 1)`
			`require.Equal(t, "folder / and its parent folders do not exist", diags[0].Summary)`
			`require.Equal(t, diag.Error, diags[0].Severity)`
			`}`