databricks-cli/bundle/config/validate/folder_permissions_test.go

package validate

import (
	"context"
	"testing"

	"github.com/databricks/cli/bundle"
	"github.com/databricks/cli/bundle/config"
	"github.com/databricks/cli/bundle/config/resources"
	"github.com/databricks/cli/bundle/permissions"
	"github.com/databricks/cli/libs/diag"
	"github.com/databricks/databricks-sdk-go/apierr"
	"github.com/databricks/databricks-sdk-go/experimental/mocks"
	"github.com/databricks/databricks-sdk-go/service/workspace"
	"github.com/stretchr/testify/mock"
	"github.com/stretchr/testify/require"
)

func TestFolderPermissionsInheritedWhenRootPathDoesNotExist(t *testing.T) {
	b := &bundle.Bundle{
		Config: config.Root{
			Workspace: config.Workspace{
				RootPath:     "/Workspace/Users/foo@bar.com",
				ArtifactPath: "/Workspace/Users/otherfoo@bar.com/artifacts",
				FilePath:     "/Workspace/Users/foo@bar.com/files",
				StatePath:    "/Workspace/Users/foo@bar.com/state",
				ResourcePath: "/Workspace/Users/foo@bar.com/resources",
			},
			Permissions: []resources.Permission{
				{Level: permissions.CAN_MANAGE, UserName: "foo@bar.com"},
			},
		},
	}
	m := mocks.NewMockWorkspaceClient(t)
	api := m.GetMockWorkspaceAPI()
	api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Users/otherfoo@bar.com/artifacts").Return(nil, &apierr.APIError{
		StatusCode: 404,
		ErrorCode:  "RESOURCE_DOES_NOT_EXIST",
	})
	api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Users/otherfoo@bar.com").Return(nil, &apierr.APIError{
		StatusCode: 404,
		ErrorCode:  "RESOURCE_DOES_NOT_EXIST",
	})
	api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Users/foo@bar.com").Return(nil, &apierr.APIError{
		StatusCode: 404,
		ErrorCode:  "RESOURCE_DOES_NOT_EXIST",
	})
	api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Users").Return(nil, &apierr.APIError{
		StatusCode: 404,
		ErrorCode:  "RESOURCE_DOES_NOT_EXIST",
	})
	api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace").Return(&workspace.ObjectInfo{
		ObjectId: 1234,
	}, nil)

	api.EXPECT().GetPermissions(mock.Anything, workspace.GetWorkspaceObjectPermissionsRequest{
		WorkspaceObjectId:   "1234",
		WorkspaceObjectType: "directories",
	}).Return(&workspace.WorkspaceObjectPermissions{
		ObjectId: "1234",
		AccessControlList: []workspace.WorkspaceObjectAccessControlResponse{
			{
				UserName: "foo@bar.com",
				AllPermissions: []workspace.WorkspaceObjectPermission{
					{PermissionLevel: "CAN_MANAGE"},
				},
			},
		},
	}, nil)

	b.SetWorkpaceClient(m.WorkspaceClient)
	rb := bundle.ReadOnly(b)

	diags := bundle.ApplyReadOnly(context.Background(), rb, ValidateFolderPermissions())
	require.Empty(t, diags)
}

func TestValidateFolderPermissionsFailsOnMissingBundlePermission(t *testing.T) {
	b := &bundle.Bundle{
		Config: config.Root{
			Workspace: config.Workspace{
				RootPath:     "/Workspace/Users/foo@bar.com",
				ArtifactPath: "/Workspace/Users/foo@bar.com/artifacts",
				FilePath:     "/Workspace/Users/foo@bar.com/files",
				StatePath:    "/Workspace/Users/foo@bar.com/state",
				ResourcePath: "/Workspace/Users/foo@bar.com/resources",
			},
			Permissions: []resources.Permission{
				{Level: permissions.CAN_MANAGE, UserName: "foo@bar.com"},
			},
		},
	}
	m := mocks.NewMockWorkspaceClient(t)
	api := m.GetMockWorkspaceAPI()
	api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Users/foo@bar.com").Return(&workspace.ObjectInfo{
		ObjectId: 1234,
	}, nil)

	api.EXPECT().GetPermissions(mock.Anything, workspace.GetWorkspaceObjectPermissionsRequest{
		WorkspaceObjectId:   "1234",
		WorkspaceObjectType: "directories",
	}).Return(&workspace.WorkspaceObjectPermissions{
		ObjectId: "1234",
		AccessControlList: []workspace.WorkspaceObjectAccessControlResponse{
			{
				UserName: "foo@bar.com",
				AllPermissions: []workspace.WorkspaceObjectPermission{
					{PermissionLevel: "CAN_MANAGE"},
				},
			},
			{
				UserName: "foo2@bar.com",
				AllPermissions: []workspace.WorkspaceObjectPermission{
					{PermissionLevel: "CAN_MANAGE"},
				},
			},
		},
	}, nil)

	b.SetWorkpaceClient(m.WorkspaceClient)
	rb := bundle.ReadOnly(b)

	diags := bundle.ApplyReadOnly(context.Background(), rb, ValidateFolderPermissions())
	require.Len(t, diags, 1)
	require.Equal(t, "untracked permissions apply to target workspace path", diags[0].Summary)
	require.Equal(t, diag.Warning, diags[0].Severity)
	require.Equal(t, "The following permissions apply to the workspace folder at \"/Workspace/Users/foo@bar.com\" but are not configured in the bundle:\n- level: CAN_MANAGE, user_name: foo2@bar.com\n", diags[0].Detail)
}

func TestValidateFolderPermissionsFailsOnPermissionMismatch(t *testing.T) {
	b := &bundle.Bundle{
		Config: config.Root{
			Workspace: config.Workspace{
				RootPath:     "/Workspace/Users/foo@bar.com",
				ArtifactPath: "/Workspace/Users/foo@bar.com/artifacts",
				FilePath:     "/Workspace/Users/foo@bar.com/files",
				StatePath:    "/Workspace/Users/foo@bar.com/state",
				ResourcePath: "/Workspace/Users/foo@bar.com/resources",
			},
			Permissions: []resources.Permission{
				{Level: permissions.CAN_MANAGE, UserName: "foo@bar.com"},
			},
		},
	}
	m := mocks.NewMockWorkspaceClient(t)
	api := m.GetMockWorkspaceAPI()
	api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Users/foo@bar.com").Return(&workspace.ObjectInfo{
		ObjectId: 1234,
	}, nil)

	api.EXPECT().GetPermissions(mock.Anything, workspace.GetWorkspaceObjectPermissionsRequest{
		WorkspaceObjectId:   "1234",
		WorkspaceObjectType: "directories",
	}).Return(&workspace.WorkspaceObjectPermissions{
		ObjectId: "1234",
		AccessControlList: []workspace.WorkspaceObjectAccessControlResponse{
			{
				UserName: "foo2@bar.com",
				AllPermissions: []workspace.WorkspaceObjectPermission{
					{PermissionLevel: "CAN_MANAGE"},
				},
			},
		},
	}, nil)

	b.SetWorkpaceClient(m.WorkspaceClient)
	rb := bundle.ReadOnly(b)

	diags := bundle.ApplyReadOnly(context.Background(), rb, ValidateFolderPermissions())
	require.Len(t, diags, 1)
	require.Equal(t, "untracked permissions apply to target workspace path", diags[0].Summary)
	require.Equal(t, diag.Warning, diags[0].Severity)
}

func TestValidateFolderPermissionsFailsOnNoRootFolder(t *testing.T) {
	b := &bundle.Bundle{
		Config: config.Root{
			Workspace: config.Workspace{
				RootPath:     "/NotExisting",
				ArtifactPath: "/NotExisting/artifacts",
				FilePath:     "/NotExisting/files",
				StatePath:    "/NotExisting/state",
				ResourcePath: "/NotExisting/resources",
			},
			Permissions: []resources.Permission{
				{Level: permissions.CAN_MANAGE, UserName: "foo@bar.com"},
			},
		},
	}
	m := mocks.NewMockWorkspaceClient(t)
	api := m.GetMockWorkspaceAPI()
	api.EXPECT().GetStatusByPath(mock.Anything, "/NotExisting").Return(nil, &apierr.APIError{
		StatusCode: 404,
		ErrorCode:  "RESOURCE_DOES_NOT_EXIST",
	})
	api.EXPECT().GetStatusByPath(mock.Anything, "/").Return(nil, &apierr.APIError{
		StatusCode: 404,
		ErrorCode:  "RESOURCE_DOES_NOT_EXIST",
	})

	b.SetWorkpaceClient(m.WorkspaceClient)
	rb := bundle.ReadOnly(b)

	diags := bundle.ApplyReadOnly(context.Background(), rb, ValidateFolderPermissions())
	require.Len(t, diags, 1)
	require.Equal(t, "folder / and its parent folders do not exist", diags[0].Summary)
	require.Equal(t, diag.Error, diags[0].Severity)
}
Added validator for folder permissions (#1824) ## Changes This validator checks permissions defined in top-level bundle config and permissions set in workspace for the folders bundle is deployed to. It raises the warning if the permissions defined in the workspace are not defined in bundle. This validator is executed only during `bundle validate` command. ## Tests ``` Warning: untracked permissions apply to target workspace path The following permissions apply to the workspace folder at "/Workspace/Users/andrew.nester@databricks.com/.bundle/clusters/default" but are not configured in the bundle: - level: CAN_MANAGE, user_name: andrew.nester@databricks.com ``` --------- Co-authored-by: Pieter Noordhuis <pieter.noordhuis@databricks.com> 2024-10-24 12:36:17 +00:00			`package validate`

			`import (`
			`"context"`
			`"testing"`

			`"github.com/databricks/cli/bundle"`
			`"github.com/databricks/cli/bundle/config"`
			`"github.com/databricks/cli/bundle/config/resources"`
			`"github.com/databricks/cli/bundle/permissions"`
			`"github.com/databricks/cli/libs/diag"`
			`"github.com/databricks/databricks-sdk-go/apierr"`
			`"github.com/databricks/databricks-sdk-go/experimental/mocks"`
			`"github.com/databricks/databricks-sdk-go/service/workspace"`
			`"github.com/stretchr/testify/mock"`
			`"github.com/stretchr/testify/require"`
			`)`

			`func TestFolderPermissionsInheritedWhenRootPathDoesNotExist(t *testing.T) {`
			`b := &bundle.Bundle{`
			`Config: config.Root{`
			`Workspace: config.Workspace{`
			`RootPath: "/Workspace/Users/foo@bar.com",`
			`ArtifactPath: "/Workspace/Users/otherfoo@bar.com/artifacts",`
			`FilePath: "/Workspace/Users/foo@bar.com/files",`
			`StatePath: "/Workspace/Users/foo@bar.com/state",`
			`ResourcePath: "/Workspace/Users/foo@bar.com/resources",`
			`},`
			`Permissions: []resources.Permission{`
			`{Level: permissions.CAN_MANAGE, UserName: "foo@bar.com"},`
			`},`
			`},`
			`}`
			`m := mocks.NewMockWorkspaceClient(t)`
			`api := m.GetMockWorkspaceAPI()`
			`api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Users/otherfoo@bar.com/artifacts").Return(nil, &apierr.APIError{`
			`StatusCode: 404,`
			`ErrorCode: "RESOURCE_DOES_NOT_EXIST",`
			`})`
			`api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Users/otherfoo@bar.com").Return(nil, &apierr.APIError{`
			`StatusCode: 404,`
			`ErrorCode: "RESOURCE_DOES_NOT_EXIST",`
			`})`
			`api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Users/foo@bar.com").Return(nil, &apierr.APIError{`
			`StatusCode: 404,`
			`ErrorCode: "RESOURCE_DOES_NOT_EXIST",`
			`})`
			`api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Users").Return(nil, &apierr.APIError{`
			`StatusCode: 404,`
			`ErrorCode: "RESOURCE_DOES_NOT_EXIST",`
			`})`
			`api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace").Return(&workspace.ObjectInfo{`
			`ObjectId: 1234,`
			`}, nil)`

			`api.EXPECT().GetPermissions(mock.Anything, workspace.GetWorkspaceObjectPermissionsRequest{`
			`WorkspaceObjectId: "1234",`
			`WorkspaceObjectType: "directories",`
			`}).Return(&workspace.WorkspaceObjectPermissions{`
			`ObjectId: "1234",`
			`AccessControlList: []workspace.WorkspaceObjectAccessControlResponse{`
			`{`
			`UserName: "foo@bar.com",`
			`AllPermissions: []workspace.WorkspaceObjectPermission{`
			`{PermissionLevel: "CAN_MANAGE"},`
			`},`
			`},`
			`},`
			`}, nil)`

			`b.SetWorkpaceClient(m.WorkspaceClient)`
			`rb := bundle.ReadOnly(b)`

			`diags := bundle.ApplyReadOnly(context.Background(), rb, ValidateFolderPermissions())`
			`require.Empty(t, diags)`
			`}`

			`func TestValidateFolderPermissionsFailsOnMissingBundlePermission(t *testing.T) {`
			`b := &bundle.Bundle{`
			`Config: config.Root{`
			`Workspace: config.Workspace{`
			`RootPath: "/Workspace/Users/foo@bar.com",`
			`ArtifactPath: "/Workspace/Users/foo@bar.com/artifacts",`
			`FilePath: "/Workspace/Users/foo@bar.com/files",`
			`StatePath: "/Workspace/Users/foo@bar.com/state",`
			`ResourcePath: "/Workspace/Users/foo@bar.com/resources",`
			`},`
			`Permissions: []resources.Permission{`
			`{Level: permissions.CAN_MANAGE, UserName: "foo@bar.com"},`
			`},`
			`},`
			`}`
			`m := mocks.NewMockWorkspaceClient(t)`
			`api := m.GetMockWorkspaceAPI()`
			`api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Users/foo@bar.com").Return(&workspace.ObjectInfo{`
			`ObjectId: 1234,`
			`}, nil)`

			`api.EXPECT().GetPermissions(mock.Anything, workspace.GetWorkspaceObjectPermissionsRequest{`
			`WorkspaceObjectId: "1234",`
			`WorkspaceObjectType: "directories",`
			`}).Return(&workspace.WorkspaceObjectPermissions{`
			`ObjectId: "1234",`
			`AccessControlList: []workspace.WorkspaceObjectAccessControlResponse{`
			`{`
			`UserName: "foo@bar.com",`
			`AllPermissions: []workspace.WorkspaceObjectPermission{`
			`{PermissionLevel: "CAN_MANAGE"},`
			`},`
			`},`
			`{`
			`UserName: "foo2@bar.com",`
			`AllPermissions: []workspace.WorkspaceObjectPermission{`
			`{PermissionLevel: "CAN_MANAGE"},`
			`},`
			`},`
			`},`
			`}, nil)`

			`b.SetWorkpaceClient(m.WorkspaceClient)`
			`rb := bundle.ReadOnly(b)`

			`diags := bundle.ApplyReadOnly(context.Background(), rb, ValidateFolderPermissions())`
			`require.Len(t, diags, 1)`
			`require.Equal(t, "untracked permissions apply to target workspace path", diags[0].Summary)`
			`require.Equal(t, diag.Warning, diags[0].Severity)`
			`require.Equal(t, "The following permissions apply to the workspace folder at \"/Workspace/Users/foo@bar.com\" but are not configured in the bundle:\n- level: CAN_MANAGE, user_name: foo2@bar.com\n", diags[0].Detail)`
			`}`

			`func TestValidateFolderPermissionsFailsOnPermissionMismatch(t *testing.T) {`
			`b := &bundle.Bundle{`
			`Config: config.Root{`
			`Workspace: config.Workspace{`
			`RootPath: "/Workspace/Users/foo@bar.com",`
			`ArtifactPath: "/Workspace/Users/foo@bar.com/artifacts",`
			`FilePath: "/Workspace/Users/foo@bar.com/files",`
			`StatePath: "/Workspace/Users/foo@bar.com/state",`
			`ResourcePath: "/Workspace/Users/foo@bar.com/resources",`
			`},`
			`Permissions: []resources.Permission{`
			`{Level: permissions.CAN_MANAGE, UserName: "foo@bar.com"},`
			`},`
			`},`
			`}`
			`m := mocks.NewMockWorkspaceClient(t)`
			`api := m.GetMockWorkspaceAPI()`
			`api.EXPECT().GetStatusByPath(mock.Anything, "/Workspace/Users/foo@bar.com").Return(&workspace.ObjectInfo{`
			`ObjectId: 1234,`
			`}, nil)`

			`api.EXPECT().GetPermissions(mock.Anything, workspace.GetWorkspaceObjectPermissionsRequest{`
			`WorkspaceObjectId: "1234",`
			`WorkspaceObjectType: "directories",`
			`}).Return(&workspace.WorkspaceObjectPermissions{`
			`ObjectId: "1234",`
			`AccessControlList: []workspace.WorkspaceObjectAccessControlResponse{`
			`{`
			`UserName: "foo2@bar.com",`
			`AllPermissions: []workspace.WorkspaceObjectPermission{`
			`{PermissionLevel: "CAN_MANAGE"},`
			`},`
			`},`
			`},`
			`}, nil)`

			`b.SetWorkpaceClient(m.WorkspaceClient)`
			`rb := bundle.ReadOnly(b)`

			`diags := bundle.ApplyReadOnly(context.Background(), rb, ValidateFolderPermissions())`
			`require.Len(t, diags, 1)`
			`require.Equal(t, "untracked permissions apply to target workspace path", diags[0].Summary)`
			`require.Equal(t, diag.Warning, diags[0].Severity)`
			`}`

			`func TestValidateFolderPermissionsFailsOnNoRootFolder(t *testing.T) {`
			`b := &bundle.Bundle{`
			`Config: config.Root{`
			`Workspace: config.Workspace{`
			`RootPath: "/NotExisting",`
			`ArtifactPath: "/NotExisting/artifacts",`
			`FilePath: "/NotExisting/files",`
			`StatePath: "/NotExisting/state",`
			`ResourcePath: "/NotExisting/resources",`
			`},`
			`Permissions: []resources.Permission{`
			`{Level: permissions.CAN_MANAGE, UserName: "foo@bar.com"},`
			`},`
			`},`
			`}`
			`m := mocks.NewMockWorkspaceClient(t)`
			`api := m.GetMockWorkspaceAPI()`
			`api.EXPECT().GetStatusByPath(mock.Anything, "/NotExisting").Return(nil, &apierr.APIError{`
			`StatusCode: 404,`
			`ErrorCode: "RESOURCE_DOES_NOT_EXIST",`
			`})`
			`api.EXPECT().GetStatusByPath(mock.Anything, "/").Return(nil, &apierr.APIError{`
			`StatusCode: 404,`
			`ErrorCode: "RESOURCE_DOES_NOT_EXIST",`
			`})`

			`b.SetWorkpaceClient(m.WorkspaceClient)`
			`rb := bundle.ReadOnly(b)`

			`diags := bundle.ApplyReadOnly(context.Background(), rb, ValidateFolderPermissions())`
			`require.Len(t, diags, 1)`
			`require.Equal(t, "folder / and its parent folders do not exist", diags[0].Summary)`
			`require.Equal(t, diag.Error, diags[0].Severity)`
			`}`