2021-03-22 07:22:48 -05:00
|
|
|
package accesscontrol
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
2022-03-16 04:43:44 -05:00
|
|
|
"fmt"
|
2021-08-23 07:03:20 -05:00
|
|
|
"strings"
|
2021-03-22 07:22:48 -05:00
|
|
|
|
2022-04-28 04:06:49 -05:00
|
|
|
"github.com/grafana/grafana/pkg/registry"
|
2023-01-27 01:50:36 -06:00
|
|
|
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
|
2022-08-10 04:56:48 -05:00
|
|
|
"github.com/grafana/grafana/pkg/services/org"
|
|
|
|
|
"github.com/grafana/grafana/pkg/services/user"
|
2022-05-05 10:31:14 -05:00
|
|
|
"github.com/grafana/grafana/pkg/setting"
|
2021-03-22 07:22:48 -05:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type AccessControl interface {
|
2021-08-24 04:36:28 -05:00
|
|
|
// Evaluate evaluates access to the given resources.
|
2022-08-10 04:56:48 -05:00
|
|
|
Evaluate(ctx context.Context, user *user.SignedInUser, evaluator Evaluator) (bool, error)
|
2022-05-02 02:29:30 -05:00
|
|
|
// RegisterScopeAttributeResolver allows the caller to register a scope resolver for a
|
2022-01-18 10:34:35 -06:00
|
|
|
// specific scope prefix (ex: datasources:name:)
|
2022-08-24 06:29:17 -05:00
|
|
|
RegisterScopeAttributeResolver(prefix string, resolver ScopeAttributeResolver)
|
|
|
|
|
//IsDisabled returns if access control is enabled or not
|
|
|
|
|
IsDisabled() bool
|
|
|
|
|
}
|
2022-07-19 09:01:05 -05:00
|
|
|
|
2022-08-24 06:29:17 -05:00
|
|
|
type Service interface {
|
|
|
|
|
registry.ProvidesUsageStats
|
|
|
|
|
// GetUserPermissions returns user permissions with only action and scope fields set.
|
|
|
|
|
GetUserPermissions(ctx context.Context, user *user.SignedInUser, options Options) ([]Permission, error)
|
2022-11-30 08:38:49 -06:00
|
|
|
// SearchUsersPermissions returns all users' permissions filtered by an action prefix
|
|
|
|
|
SearchUsersPermissions(ctx context.Context, user *user.SignedInUser, orgID int64, options SearchOptions) (map[int64][]Permission, error)
|
2022-11-24 08:38:55 -06:00
|
|
|
// ClearUserPermissionCache removes the permission cache entry for the given user
|
|
|
|
|
ClearUserPermissionCache(user *user.SignedInUser)
|
2022-12-14 04:53:25 -06:00
|
|
|
// SearchUserPermissions returns single user's permissions filtered by an action prefix or an action
|
|
|
|
|
SearchUserPermissions(ctx context.Context, orgID int64, filterOptions SearchOptions) ([]Permission, error)
|
2022-08-17 09:32:02 -05:00
|
|
|
// DeleteUserPermissions removes all permissions user has in org and all permission to that user
|
|
|
|
|
// If orgID is set to 0 remove permissions from all orgs
|
|
|
|
|
DeleteUserPermissions(ctx context.Context, orgID, userID int64) error
|
2022-08-24 06:29:17 -05:00
|
|
|
// DeclareFixedRoles allows the caller to declare, to the service, fixed roles and their
|
|
|
|
|
// assignments to organization roles ("Viewer", "Editor", "Admin") or "Grafana Admin"
|
|
|
|
|
DeclareFixedRoles(registrations ...RoleRegistration) error
|
|
|
|
|
//IsDisabled returns if access control is enabled or not
|
|
|
|
|
IsDisabled() bool
|
2021-03-22 07:22:48 -05:00
|
|
|
}
|
2021-04-16 08:02:16 -05:00
|
|
|
|
2022-05-30 10:48:12 -05:00
|
|
|
type RoleRegistry interface {
|
|
|
|
|
// RegisterFixedRoles registers all roles declared to AccessControl
|
|
|
|
|
RegisterFixedRoles(ctx context.Context) error
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-24 06:29:17 -05:00
|
|
|
type Options struct {
|
|
|
|
|
ReloadCache bool
|
|
|
|
|
}
|
|
|
|
|
|
2022-11-30 08:38:49 -06:00
|
|
|
type SearchOptions struct {
|
|
|
|
|
ActionPrefix string // Needed for the PoC v1, it's probably going to be removed.
|
|
|
|
|
Action string
|
|
|
|
|
Scope string
|
2022-12-14 04:53:25 -06:00
|
|
|
UserID int64 // ID for the user for which to return information, if none is specified information is returned for all users.
|
2022-11-30 08:38:49 -06:00
|
|
|
}
|
|
|
|
|
|
2022-05-10 08:48:47 -05:00
|
|
|
type TeamPermissionsService interface {
|
2022-08-10 04:56:48 -05:00
|
|
|
GetPermissions(ctx context.Context, user *user.SignedInUser, resourceID string) ([]ResourcePermission, error)
|
2022-05-10 08:48:47 -05:00
|
|
|
SetUserPermission(ctx context.Context, orgID int64, user User, resourceID, permission string) (*ResourcePermission, error)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type FolderPermissionsService interface {
|
|
|
|
|
PermissionsService
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type DashboardPermissionsService interface {
|
|
|
|
|
PermissionsService
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type DatasourcePermissionsService interface {
|
|
|
|
|
PermissionsService
|
2022-02-17 07:03:45 -06:00
|
|
|
}
|
|
|
|
|
|
2022-07-08 04:53:18 -05:00
|
|
|
type ServiceAccountPermissionsService interface {
|
|
|
|
|
PermissionsService
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-17 07:03:45 -06:00
|
|
|
type PermissionsService interface {
|
2021-12-20 02:52:24 -06:00
|
|
|
// GetPermissions returns all permissions for given resourceID
|
2022-08-10 04:56:48 -05:00
|
|
|
GetPermissions(ctx context.Context, user *user.SignedInUser, resourceID string) ([]ResourcePermission, error)
|
2021-12-20 02:52:24 -06:00
|
|
|
// SetUserPermission sets permission on resource for a user
|
2022-02-03 09:27:05 -06:00
|
|
|
SetUserPermission(ctx context.Context, orgID int64, user User, resourceID, permission string) (*ResourcePermission, error)
|
2021-12-20 02:52:24 -06:00
|
|
|
// SetTeamPermission sets permission on resource for a team
|
2022-01-25 10:12:00 -06:00
|
|
|
SetTeamPermission(ctx context.Context, orgID, teamID int64, resourceID, permission string) (*ResourcePermission, error)
|
2021-12-20 02:52:24 -06:00
|
|
|
// SetBuiltInRolePermission sets permission on resource for a built-in role (Admin, Editor, Viewer)
|
2022-01-25 10:12:00 -06:00
|
|
|
SetBuiltInRolePermission(ctx context.Context, orgID int64, builtInRole string, resourceID string, permission string) (*ResourcePermission, error)
|
2022-02-07 10:04:32 -06:00
|
|
|
// SetPermissions sets several permissions on resource for either built-in role, team or user
|
|
|
|
|
SetPermissions(ctx context.Context, orgID int64, resourceID string, commands ...SetResourcePermissionCommand) ([]ResourcePermission, error)
|
2022-03-03 08:05:47 -06:00
|
|
|
// MapActions will map actions for a ResourcePermissions to it's "friendly" name configured in PermissionsToActions map.
|
|
|
|
|
MapActions(permission ResourcePermission) string
|
2021-11-11 07:02:53 -06:00
|
|
|
}
|
|
|
|
|
|
2022-02-03 09:27:05 -06:00
|
|
|
type User struct {
|
|
|
|
|
ID int64
|
|
|
|
|
IsExternal bool
|
|
|
|
|
}
|
|
|
|
|
|
2021-11-18 07:10:38 -06:00
|
|
|
// HasGlobalAccess checks user access with globally assigned permissions only
|
2023-01-27 01:50:36 -06:00
|
|
|
func HasGlobalAccess(ac AccessControl, service Service, c *contextmodel.ReqContext) func(fallback func(*contextmodel.ReqContext) bool, evaluator Evaluator) bool {
|
|
|
|
|
return func(fallback func(*contextmodel.ReqContext) bool, evaluator Evaluator) bool {
|
2021-11-18 07:10:38 -06:00
|
|
|
if ac.IsDisabled() {
|
|
|
|
|
return fallback(c)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
userCopy := *c.SignedInUser
|
2022-08-11 06:28:55 -05:00
|
|
|
userCopy.OrgID = GlobalOrgID
|
2021-11-18 07:10:38 -06:00
|
|
|
userCopy.OrgRole = ""
|
|
|
|
|
userCopy.OrgName = ""
|
2022-09-09 02:07:45 -05:00
|
|
|
if userCopy.Permissions[GlobalOrgID] == nil {
|
|
|
|
|
permissions, err := service.GetUserPermissions(c.Req.Context(), &userCopy, Options{})
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Logger.Error("failed fetching permissions for user", "userID", userCopy.UserID, "error", err)
|
|
|
|
|
}
|
|
|
|
|
userCopy.Permissions[GlobalOrgID] = GroupScopesByAction(permissions)
|
|
|
|
|
}
|
|
|
|
|
|
2021-11-18 07:10:38 -06:00
|
|
|
hasAccess, err := ac.Evaluate(c.Req.Context(), &userCopy, evaluator)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Logger.Error("Error from access control system", "error", err)
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-09 02:07:45 -05:00
|
|
|
// set on user so we don't fetch global permissions every time this is called
|
|
|
|
|
c.SignedInUser.Permissions[GlobalOrgID] = userCopy.Permissions[GlobalOrgID]
|
|
|
|
|
|
2021-11-18 07:10:38 -06:00
|
|
|
return hasAccess
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-27 01:50:36 -06:00
|
|
|
func HasAccess(ac AccessControl, c *contextmodel.ReqContext) func(fallback func(*contextmodel.ReqContext) bool, evaluator Evaluator) bool {
|
|
|
|
|
return func(fallback func(*contextmodel.ReqContext) bool, evaluator Evaluator) bool {
|
2021-04-19 04:23:29 -05:00
|
|
|
if ac.IsDisabled() {
|
|
|
|
|
return fallback(c)
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-24 04:36:28 -05:00
|
|
|
hasAccess, err := ac.Evaluate(c.Req.Context(), c.SignedInUser, evaluator)
|
2021-04-19 04:23:29 -05:00
|
|
|
if err != nil {
|
|
|
|
|
c.Logger.Error("Error from access control system", "error", err)
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return hasAccess
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-27 01:50:36 -06:00
|
|
|
var ReqSignedIn = func(c *contextmodel.ReqContext) bool {
|
2022-03-03 08:05:47 -06:00
|
|
|
return c.IsSignedIn
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-27 01:50:36 -06:00
|
|
|
var ReqGrafanaAdmin = func(c *contextmodel.ReqContext) bool {
|
2021-04-19 04:23:29 -05:00
|
|
|
return c.IsGrafanaAdmin
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-10 04:56:48 -05:00
|
|
|
// ReqViewer returns true if the current user has org.RoleViewer. Note: this can be anonymous user as well
|
2023-01-27 01:50:36 -06:00
|
|
|
var ReqViewer = func(c *contextmodel.ReqContext) bool {
|
2022-08-10 04:56:48 -05:00
|
|
|
return c.OrgRole.Includes(org.RoleViewer)
|
2022-05-19 08:22:26 -05:00
|
|
|
}
|
|
|
|
|
|
2023-01-27 01:50:36 -06:00
|
|
|
var ReqOrgAdmin = func(c *contextmodel.ReqContext) bool {
|
2022-08-10 04:56:48 -05:00
|
|
|
return c.OrgRole == org.RoleAdmin
|
2021-04-22 05:19:41 -05:00
|
|
|
}
|
|
|
|
|
|
2023-01-27 01:50:36 -06:00
|
|
|
var ReqOrgAdminOrEditor = func(c *contextmodel.ReqContext) bool {
|
2022-08-10 04:56:48 -05:00
|
|
|
return c.OrgRole == org.RoleAdmin || c.OrgRole == org.RoleEditor
|
2022-03-03 08:05:47 -06:00
|
|
|
}
|
|
|
|
|
|
2022-09-09 02:44:50 -05:00
|
|
|
// ReqHasRole generates a fallback to check whether the user has a role
|
|
|
|
|
// Note that while ReqOrgAdmin returns false for a Grafana Admin / Viewer, ReqHasRole(org.RoleAdmin) will return true
|
2023-01-27 01:50:36 -06:00
|
|
|
func ReqHasRole(role org.RoleType) func(c *contextmodel.ReqContext) bool {
|
|
|
|
|
return func(c *contextmodel.ReqContext) bool { return c.HasRole(role) }
|
2022-09-09 02:44:50 -05:00
|
|
|
}
|
|
|
|
|
|
2022-06-14 03:17:48 -05:00
|
|
|
func BuildPermissionsMap(permissions []Permission) map[string]bool {
|
2021-04-22 05:19:41 -05:00
|
|
|
permissionsMap := make(map[string]bool)
|
2021-04-16 08:02:16 -05:00
|
|
|
for _, p := range permissions {
|
2021-04-22 05:19:41 -05:00
|
|
|
permissionsMap[p.Action] = true
|
2021-04-16 08:02:16 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return permissionsMap
|
|
|
|
|
}
|
2021-08-23 07:03:20 -05:00
|
|
|
|
2021-08-24 04:36:28 -05:00
|
|
|
// GroupScopesByAction will group scopes on action
|
2022-06-14 03:17:48 -05:00
|
|
|
func GroupScopesByAction(permissions []Permission) map[string][]string {
|
2021-12-14 09:05:59 -06:00
|
|
|
m := make(map[string][]string)
|
2022-09-20 05:03:08 -05:00
|
|
|
for i := range permissions {
|
|
|
|
|
m[permissions[i].Action] = append(m[permissions[i].Action], permissions[i].Scope)
|
2021-08-24 04:36:28 -05:00
|
|
|
}
|
|
|
|
|
return m
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-05 10:32:13 -06:00
|
|
|
func Reduce(ps []Permission) map[string][]string {
|
|
|
|
|
reduced := make(map[string][]string)
|
|
|
|
|
scopesByAction := make(map[string]map[string]bool)
|
|
|
|
|
wildcardsByAction := make(map[string]map[string]bool)
|
|
|
|
|
|
|
|
|
|
// helpers
|
|
|
|
|
add := func(scopesByAction map[string]map[string]bool, action, scope string) {
|
|
|
|
|
if _, ok := scopesByAction[action]; !ok {
|
|
|
|
|
scopesByAction[action] = map[string]bool{scope: true}
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
scopesByAction[action][scope] = true
|
|
|
|
|
}
|
|
|
|
|
includes := func(wildcardsSet map[string]bool, scope string) bool {
|
|
|
|
|
for wildcard := range wildcardsSet {
|
|
|
|
|
if wildcard == "*" || strings.HasPrefix(scope, wildcard[:len(wildcard)-1]) {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Sort permissions (scopeless, wildcard, specific)
|
|
|
|
|
for i := range ps {
|
|
|
|
|
if ps[i].Scope == "" {
|
|
|
|
|
if _, ok := reduced[ps[i].Action]; !ok {
|
|
|
|
|
reduced[ps[i].Action] = nil
|
|
|
|
|
}
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
if isWildcard(ps[i].Scope) {
|
|
|
|
|
add(wildcardsByAction, ps[i].Action, ps[i].Scope)
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
add(scopesByAction, ps[i].Action, ps[i].Scope)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Reduce wildcards
|
|
|
|
|
for action, wildcards := range wildcardsByAction {
|
|
|
|
|
for wildcard := range wildcards {
|
|
|
|
|
if wildcard == "*" {
|
|
|
|
|
reduced[action] = []string{wildcard}
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
if includes(wildcards, wildcard[:len(wildcard)-2]) {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
reduced[action] = append(reduced[action], wildcard)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Reduce specific
|
|
|
|
|
for action, scopes := range scopesByAction {
|
|
|
|
|
for scope := range scopes {
|
|
|
|
|
if includes(wildcardsByAction[action], scope) {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
reduced[action] = append(reduced[action], scope)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return reduced
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-23 07:03:20 -05:00
|
|
|
func ValidateScope(scope string) bool {
|
|
|
|
|
prefix, last := scope[:len(scope)-1], scope[len(scope)-1]
|
|
|
|
|
// verify that last char is either ':' or '/' if last character of scope is '*'
|
|
|
|
|
if len(prefix) > 0 && last == '*' {
|
|
|
|
|
lastChar := prefix[len(prefix)-1]
|
|
|
|
|
if lastChar != ':' && lastChar != '/' {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return !strings.ContainsAny(prefix, "*?")
|
|
|
|
|
}
|
2021-12-15 05:08:15 -06:00
|
|
|
|
2022-03-16 04:43:44 -05:00
|
|
|
func ManagedUserRoleName(userID int64) string {
|
|
|
|
|
return fmt.Sprintf("managed:users:%d:permissions", userID)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func ManagedTeamRoleName(teamID int64) string {
|
|
|
|
|
return fmt.Sprintf("managed:teams:%d:permissions", teamID)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func ManagedBuiltInRoleName(builtInRole string) string {
|
|
|
|
|
return fmt.Sprintf("managed:builtins:%s:permissions", strings.ToLower(builtInRole))
|
|
|
|
|
}
|
2022-03-21 11:58:18 -05:00
|
|
|
|
2022-05-05 10:31:14 -05:00
|
|
|
func IsDisabled(cfg *setting.Cfg) bool {
|
2022-05-16 05:45:41 -05:00
|
|
|
return !cfg.RBACEnabled
|
2022-05-05 10:31:14 -05:00
|
|
|
}
|
2022-06-02 09:10:41 -05:00
|
|
|
|
|
|
|
|
// GetOrgRoles returns legacy org roles for a user
|
2022-08-18 05:25:37 -05:00
|
|
|
func GetOrgRoles(user *user.SignedInUser) []string {
|
2022-06-02 09:10:41 -05:00
|
|
|
roles := []string{string(user.OrgRole)}
|
|
|
|
|
|
|
|
|
|
if user.IsGrafanaAdmin {
|
|
|
|
|
roles = append(roles, RoleGrafanaAdmin)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return roles
|
|
|
|
|
}
|
2022-09-14 04:26:05 -05:00
|
|
|
|
|
|
|
|
func BackgroundUser(name string, orgID int64, role org.RoleType, permissions []Permission) *user.SignedInUser {
|
|
|
|
|
return &user.SignedInUser{
|
|
|
|
|
OrgID: orgID,
|
|
|
|
|
OrgRole: role,
|
|
|
|
|
Login: "grafana_" + name,
|
|
|
|
|
Permissions: map[int64]map[string][]string{
|
|
|
|
|
orgID: GroupScopesByAction(permissions),
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
}
|
