databricks-cli/bundle/permissions/permission_diagnostics_test.go

package permissions_test

import (
	"context"
	"testing"

	"github.com/databricks/cli/bundle"
	"github.com/databricks/cli/bundle/config"
	"github.com/databricks/cli/bundle/config/resources"
	"github.com/databricks/cli/bundle/permissions"
	"github.com/databricks/cli/libs/diag"
	"github.com/databricks/databricks-sdk-go/service/iam"
	"github.com/stretchr/testify/require"
)

func TestPermissionDiagnosticsApplySuccess(t *testing.T) {
	b := mockBundle([]resources.Permission{
		{Level: "CAN_MANAGE", UserName: "testuser@databricks.com"},
	})

	diags := bundle.Apply(context.Background(), b, permissions.PermissionDiagnostics())
	require.NoError(t, diags.Error())
}

func TestPermissionDiagnosticsEmpty(t *testing.T) {
	b := mockBundle(nil)

	diags := bundle.Apply(context.Background(), b, permissions.PermissionDiagnostics())
	require.NoError(t, diags.Error())
}

func TestPermissionDiagnosticsApplyFail(t *testing.T) {
	b := mockBundle([]resources.Permission{
		{Level: "CAN_VIEW", UserName: "testuser@databricks.com"},
	})

	diags := bundle.Apply(context.Background(), b, permissions.PermissionDiagnostics())
	require.Equal(t, diag.Recommendation, diags[0].Severity)

	expectedMsg := "permissions section should explicitly include the current deployment identity " +
		"'testuser@databricks.com' or one of its groups\n" +
		"If it is not included, CAN_MANAGE permissions are only applied if the present identity is used to deploy.\n\n" +
		"Consider using a adding a top-level permissions section such as the following:\n\n" +
		"  permissions:\n" +
		"    - user_name: testuser@databricks.com\n" +
		"      level: CAN_MANAGE\n\n" +
		"See https://docs.databricks.com/dev-tools/bundles/permissions.html to learn more about permission configuration."

	require.Contains(t, diags[0].Summary, expectedMsg)
}

func mockBundle(permissions []resources.Permission) *bundle.Bundle {
	return &bundle.Bundle{
		Config: config.Root{
			Workspace: config.Workspace{
				CurrentUser: &config.User{
					User: &iam.User{
						UserName:    "testuser@databricks.com",
						DisplayName: "Test User",
						Groups: []iam.ComplexValue{
							{Display: "testgroup"},
						},
					},
				},
			},
			Permissions: permissions,
		},
	}
}
Show actionable errors for collaborative deployment scenarios (#1386) ## Changes This adds diagnostics for collaborative (production) deployment scenarios, including: - Bob deploys a bundle that is normally deployed by Alice, but this fails because Bob can't write to `/Users/Alice/.bundle`. - Charlie deploys a bundle that is normally deployed by Alice, but this fails because he can't create a new pipeline where Alice would be the owner. - Alice deploys a bundle where she didn't list herself as one of the CAN_MANAGE users in permissions. That can work, but is probably a mistake. ## Tests Unit tests, manual testing. 2024-10-10 11:18:23 +00:00			`package permissions_test`

			`import (`
			`"context"`
			`"testing"`

			`"github.com/databricks/cli/bundle"`
			`"github.com/databricks/cli/bundle/config"`
			`"github.com/databricks/cli/bundle/config/resources"`
			`"github.com/databricks/cli/bundle/permissions"`
			`"github.com/databricks/cli/libs/diag"`
			`"github.com/databricks/databricks-sdk-go/service/iam"`
			`"github.com/stretchr/testify/require"`
			`)`

			`func TestPermissionDiagnosticsApplySuccess(t *testing.T) {`
			`b := mockBundle([]resources.Permission{`
			`{Level: "CAN_MANAGE", UserName: "testuser@databricks.com"},`
			`})`

Change warning about incomplete permissions section into a recommendation (#2043) ## Changes Changes the warning about an incomplete / implicit permissions section into a recommendation, and does a minor bit of cleanup. ## Tests New unit test. 2025-02-24 09:39:03 +00:00			`diags := bundle.Apply(context.Background(), b, permissions.PermissionDiagnostics())`
			`require.NoError(t, diags.Error())`
			`}`

			`func TestPermissionDiagnosticsEmpty(t *testing.T) {`
			`b := mockBundle(nil)`

			`diags := bundle.Apply(context.Background(), b, permissions.PermissionDiagnostics())`
Show actionable errors for collaborative deployment scenarios (#1386) ## Changes This adds diagnostics for collaborative (production) deployment scenarios, including: - Bob deploys a bundle that is normally deployed by Alice, but this fails because Bob can't write to `/Users/Alice/.bundle`. - Charlie deploys a bundle that is normally deployed by Alice, but this fails because he can't create a new pipeline where Alice would be the owner. - Alice deploys a bundle where she didn't list herself as one of the CAN_MANAGE users in permissions. That can work, but is probably a mistake. ## Tests Unit tests, manual testing. 2024-10-10 11:18:23 +00:00			`require.NoError(t, diags.Error())`
			`}`

			`func TestPermissionDiagnosticsApplyFail(t *testing.T) {`
			`b := mockBundle([]resources.Permission{`
			`{Level: "CAN_VIEW", UserName: "testuser@databricks.com"},`
			`})`

Change warning about incomplete permissions section into a recommendation (#2043) ## Changes Changes the warning about an incomplete / implicit permissions section into a recommendation, and does a minor bit of cleanup. ## Tests New unit test. 2025-02-24 09:39:03 +00:00			`diags := bundle.Apply(context.Background(), b, permissions.PermissionDiagnostics())`
			`require.Equal(t, diag.Recommendation, diags[0].Severity)`

			`expectedMsg := "permissions section should explicitly include the current deployment identity " +`
			`"'testuser@databricks.com' or one of its groups\n" +`
			`"If it is not included, CAN_MANAGE permissions are only applied if the present identity is used to deploy.\n\n" +`
			`"Consider using a adding a top-level permissions section such as the following:\n\n" +`
			`" permissions:\n" +`
			`" - user_name: testuser@databricks.com\n" +`
			`" level: CAN_MANAGE\n\n" +`
			`"See https://docs.databricks.com/dev-tools/bundles/permissions.html to learn more about permission configuration."`

			`require.Contains(t, diags[0].Summary, expectedMsg)`
Show actionable errors for collaborative deployment scenarios (#1386) ## Changes This adds diagnostics for collaborative (production) deployment scenarios, including: - Bob deploys a bundle that is normally deployed by Alice, but this fails because Bob can't write to `/Users/Alice/.bundle`. - Charlie deploys a bundle that is normally deployed by Alice, but this fails because he can't create a new pipeline where Alice would be the owner. - Alice deploys a bundle where she didn't list herself as one of the CAN_MANAGE users in permissions. That can work, but is probably a mistake. ## Tests Unit tests, manual testing. 2024-10-10 11:18:23 +00:00			`}`

			`func mockBundle(permissions []resources.Permission) *bundle.Bundle {`
			`return &bundle.Bundle{`
			`Config: config.Root{`
			`Workspace: config.Workspace{`
			`CurrentUser: &config.User{`
			`User: &iam.User{`
			`UserName: "testuser@databricks.com",`
			`DisplayName: "Test User",`
			`Groups: []iam.ComplexValue{`
			`{Display: "testgroup"},`
			`},`
			`},`
			`},`
			`},`
			`Permissions: permissions,`
			`},`
			`}`
			`}`