databricks-cli/bundle/permissions/workspace_path_permissions_...

package permissions

import (
	"testing"

	"github.com/databricks/cli/bundle/config/resources"
	"github.com/databricks/cli/libs/diag"
	"github.com/databricks/databricks-sdk-go/service/workspace"
	"github.com/stretchr/testify/require"
)

func TestWorkspacePathPermissionsCompare(t *testing.T) {
	testCases := []struct {
		perms    []resources.Permission
		acl      []workspace.WorkspaceObjectAccessControlResponse
		expected diag.Diagnostics
	}{
		{
			perms: []resources.Permission{
				{Level: CAN_MANAGE, UserName: "foo@bar.com"},
			},
			acl: []workspace.WorkspaceObjectAccessControlResponse{
				{
					UserName: "foo@bar.com",
					AllPermissions: []workspace.WorkspaceObjectPermission{
						{PermissionLevel: "CAN_MANAGE"},
					},
				},
			},
			expected: nil,
		},
		{
			perms: []resources.Permission{
				{Level: CAN_MANAGE, UserName: "foo@bar.com"},
			},
			acl: []workspace.WorkspaceObjectAccessControlResponse{
				{
					UserName: "foo@bar.com",
					AllPermissions: []workspace.WorkspaceObjectPermission{
						{PermissionLevel: "CAN_MANAGE"},
					},
				},
				{
					GroupName: "admins",
					AllPermissions: []workspace.WorkspaceObjectPermission{
						{PermissionLevel: "CAN_MANAGE"},
					},
				},
			},
			expected: nil,
		},
		{
			perms: []resources.Permission{
				{Level: CAN_VIEW, UserName: "foo@bar.com"},
				{Level: CAN_MANAGE, ServicePrincipalName: "sp.com"},
			},
			acl: []workspace.WorkspaceObjectAccessControlResponse{
				{
					UserName: "foo@bar.com",
					AllPermissions: []workspace.WorkspaceObjectPermission{
						{PermissionLevel: "CAN_READ"},
					},
				},
			},
			expected: nil,
		},
		{
			perms: []resources.Permission{
				{Level: CAN_MANAGE, UserName: "foo@bar.com"},
			},
			acl: []workspace.WorkspaceObjectAccessControlResponse{
				{
					UserName: "foo@bar.com",
					AllPermissions: []workspace.WorkspaceObjectPermission{
						{PermissionLevel: "CAN_MANAGE"},
					},
				},
				{
					GroupName: "foo",
					AllPermissions: []workspace.WorkspaceObjectPermission{
						{PermissionLevel: "CAN_MANAGE"},
					},
				},
			},
			expected: diag.Diagnostics{
				{
					Severity: diag.Warning,
					Summary:  "untracked permissions apply to target workspace path",
					Detail:   "The following permissions apply to the workspace folder at \"path\" but are not configured in the bundle:\n- level: CAN_MANAGE, group_name: foo\n",
				},
			},
		},
		{
			perms: []resources.Permission{
				{Level: CAN_MANAGE, UserName: "foo@bar.com"},
			},
			acl: []workspace.WorkspaceObjectAccessControlResponse{
				{
					UserName: "foo2@bar.com",
					AllPermissions: []workspace.WorkspaceObjectPermission{
						{PermissionLevel: "CAN_MANAGE"},
					},
				},
			},
			expected: diag.Diagnostics{
				{
					Severity: diag.Warning,
					Summary:  "untracked permissions apply to target workspace path",
					Detail:   "The following permissions apply to the workspace folder at \"path\" but are not configured in the bundle:\n- level: CAN_MANAGE, user_name: foo2@bar.com\n",
				},
			},
		},
	}

	for _, tc := range testCases {
		wp := ObjectAclToResourcePermissions("path", tc.acl)
		diags := wp.Compare(tc.perms)
		require.Equal(t, tc.expected, diags)
	}

}
Added validator for folder permissions (#1824) ## Changes This validator checks permissions defined in top-level bundle config and permissions set in workspace for the folders bundle is deployed to. It raises the warning if the permissions defined in the workspace are not defined in bundle. This validator is executed only during `bundle validate` command. ## Tests ``` Warning: untracked permissions apply to target workspace path The following permissions apply to the workspace folder at "/Workspace/Users/andrew.nester@databricks.com/.bundle/clusters/default" but are not configured in the bundle: - level: CAN_MANAGE, user_name: andrew.nester@databricks.com ``` --------- Co-authored-by: Pieter Noordhuis <pieter.noordhuis@databricks.com> 2024-10-24 12:36:17 +00:00			`package permissions`

			`import (`
			`"testing"`

			`"github.com/databricks/cli/bundle/config/resources"`
			`"github.com/databricks/cli/libs/diag"`
			`"github.com/databricks/databricks-sdk-go/service/workspace"`
			`"github.com/stretchr/testify/require"`
			`)`

			`func TestWorkspacePathPermissionsCompare(t *testing.T) {`
			`testCases := []struct {`
			`perms []resources.Permission`
			`acl []workspace.WorkspaceObjectAccessControlResponse`
			`expected diag.Diagnostics`
			`}{`
			`{`
			`perms: []resources.Permission{`
			`{Level: CAN_MANAGE, UserName: "foo@bar.com"},`
			`},`
			`acl: []workspace.WorkspaceObjectAccessControlResponse{`
			`{`
			`UserName: "foo@bar.com",`
			`AllPermissions: []workspace.WorkspaceObjectPermission{`
			`{PermissionLevel: "CAN_MANAGE"},`
			`},`
			`},`
			`},`
			`expected: nil,`
			`},`
			`{`
			`perms: []resources.Permission{`
			`{Level: CAN_MANAGE, UserName: "foo@bar.com"},`
			`},`
			`acl: []workspace.WorkspaceObjectAccessControlResponse{`
			`{`
			`UserName: "foo@bar.com",`
			`AllPermissions: []workspace.WorkspaceObjectPermission{`
			`{PermissionLevel: "CAN_MANAGE"},`
			`},`
			`},`
			`{`
			`GroupName: "admins",`
			`AllPermissions: []workspace.WorkspaceObjectPermission{`
			`{PermissionLevel: "CAN_MANAGE"},`
			`},`
			`},`
			`},`
			`expected: nil,`
			`},`
			`{`
			`perms: []resources.Permission{`
			`{Level: CAN_VIEW, UserName: "foo@bar.com"},`
			`{Level: CAN_MANAGE, ServicePrincipalName: "sp.com"},`
			`},`
			`acl: []workspace.WorkspaceObjectAccessControlResponse{`
			`{`
			`UserName: "foo@bar.com",`
			`AllPermissions: []workspace.WorkspaceObjectPermission{`
			`{PermissionLevel: "CAN_READ"},`
			`},`
			`},`
			`},`
			`expected: nil,`
			`},`
			`{`
			`perms: []resources.Permission{`
			`{Level: CAN_MANAGE, UserName: "foo@bar.com"},`
			`},`
			`acl: []workspace.WorkspaceObjectAccessControlResponse{`
			`{`
			`UserName: "foo@bar.com",`
			`AllPermissions: []workspace.WorkspaceObjectPermission{`
			`{PermissionLevel: "CAN_MANAGE"},`
			`},`
			`},`
			`{`
			`GroupName: "foo",`
			`AllPermissions: []workspace.WorkspaceObjectPermission{`
			`{PermissionLevel: "CAN_MANAGE"},`
			`},`
			`},`
			`},`
			`expected: diag.Diagnostics{`
			`{`
			`Severity: diag.Warning,`
			`Summary: "untracked permissions apply to target workspace path",`
			`Detail: "The following permissions apply to the workspace folder at \"path\" but are not configured in the bundle:\n- level: CAN_MANAGE, group_name: foo\n",`
			`},`
			`},`
			`},`
			`{`
			`perms: []resources.Permission{`
			`{Level: CAN_MANAGE, UserName: "foo@bar.com"},`
			`},`
			`acl: []workspace.WorkspaceObjectAccessControlResponse{`
			`{`
			`UserName: "foo2@bar.com",`
			`AllPermissions: []workspace.WorkspaceObjectPermission{`
			`{PermissionLevel: "CAN_MANAGE"},`
			`},`
			`},`
			`},`
			`expected: diag.Diagnostics{`
			`{`
			`Severity: diag.Warning,`
			`Summary: "untracked permissions apply to target workspace path",`
			`Detail: "The following permissions apply to the workspace folder at \"path\" but are not configured in the bundle:\n- level: CAN_MANAGE, user_name: foo2@bar.com\n",`
			`},`
			`},`
			`},`
			`}`

			`for _, tc := range testCases {`
			`wp := ObjectAclToResourcePermissions("path", tc.acl)`
			`diags := wp.Compare(tc.perms)`
			`require.Equal(t, tc.expected, diags)`
			`}`

			`}`