fix: allow service account requests to access organization teams (#5326)

Related to grafana/oncall-private#2826
grafana · Dec 5, 2024 · cc0674e · cc0674e
1 parent 03b791e
commit cc0674e
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 0 deletions.
diff --git a/engine/apps/public_api/tests/test_escalation_chain.py b/engine/apps/public_api/tests/test_escalation_chain.py
@@ -1,8 +1,12 @@
+import httpretty
 import pytest
 from django.urls import reverse
 from rest_framework import status
 from rest_framework.test import APIClient
 
+from apps.api import permissions
+from apps.auth_token.tests.helpers import setup_service_account_api_mocks
+
 
 @pytest.mark.django_db
 def test_get_escalation_chains(make_organization_and_user_with_token):
@@ -54,6 +58,43 @@ def test_create_escalation_chain(make_organization_and_user_with_token):
     assert response.data == expected_data
 
 
+@pytest.mark.django_db
+@httpretty.activate(verbose=True, allow_net_connect=False)
+def test_create_escalation_chain_via_service_account(
+    make_organization,
+    make_service_account_for_organization,
+    make_token_for_service_account,
+    make_team,
+):
+    organization = make_organization(grafana_url="http://grafana.test")
+    team = make_team(organization=organization)
+    service_account = make_service_account_for_organization(organization)
+    token_string = "glsa_token"
+    make_token_for_service_account(service_account, token_string)
+
+    perms = {
+        permissions.RBACPermission.Permissions.ESCALATION_CHAINS_WRITE.value: ["*"],
+    }
+    setup_service_account_api_mocks(organization.grafana_url, perms)
+
+    client = APIClient()
+    url = reverse("api-public:escalation_chains-list")
+    data = {"name": "test", "team_id": team.public_primary_key}
+    response = client.post(
+        url,
+        data=data,
+        format="json",
+        HTTP_AUTHORIZATION=f"{token_string}",
+        HTTP_X_GRAFANA_URL=organization.grafana_url,
+    )
+    if not organization.is_rbac_permissions_enabled:
+        assert response.status_code == status.HTTP_403_FORBIDDEN
+    else:
+        assert response.status_code == status.HTTP_201_CREATED
+        escalation_chain = organization.escalation_chains.get(name="test")
+        assert escalation_chain.team == team
+
+
 @pytest.mark.django_db
 def test_change_name(make_organization_and_user_with_token):
     organization, user, token = make_organization_and_user_with_token()

diff --git a/engine/apps/user_management/models/service_account.py b/engine/apps/user_management/models/service_account.py
@@ -29,6 +29,10 @@ def pk(self):
     def current_team(self):
         return None
 
+    @property
+    def available_teams(self):
+        return self.organization.teams
+
     @property
     def organization_id(self):
         return self.organization.id