grafana/pkg/services/accesscontrol/resolvers.go

package accesscontrol

import (
	"context"
	"fmt"
	"time"

	"github.com/grafana/grafana/pkg/infra/localcache"
	"github.com/grafana/grafana/pkg/infra/log"
)

// ScopeAttributeResolver is used to resolve attributes in scopes to one or more scopes that are
// evaluated by logical or. E.g. "dashboards:id:1" -> "dashboards:uid:test-dashboard" or "folder:uid:test-folder"
type ScopeAttributeResolver interface {
	Resolve(ctx context.Context, orgID int64, scope string) ([]string, error)
}

type ActionResolver interface {
	// ExpandActionSets takes a set of permissions that might include some action set permissions, and returns a set of permissions with action sets expanded into underlying permissions
	ExpandActionSets(permissions []Permission) []Permission
	// ExpandActionSetsWithFilter works like ExpandActionSets, but it also takes a function for action filtering. When action sets are expanded into the underlying permissions,
	// only those permissions whose action is matched by actionMatcher are included.
	ExpandActionSetsWithFilter(permissions []Permission, actionMatcher func(action string) bool) []Permission
	// ResolveAction returns all action sets that include the given action
	ResolveAction(action string) []string
	// ResolveActionPrefix returns all action sets that include at least one action with the specified prefix
	ResolveActionPrefix(prefix string) []string
}

// ScopeAttributeResolverFunc is an adapter to allow functions to implement ScopeAttributeResolver interface
type ScopeAttributeResolverFunc func(ctx context.Context, orgID int64, scope string) ([]string, error)

func (f ScopeAttributeResolverFunc) Resolve(ctx context.Context, orgID int64, scope string) ([]string, error) {
	return f(ctx, orgID, scope)
}

type ScopeAttributeMutator func(context.Context, string) ([]string, error)

const (
	ttl           = 30 * time.Second
	cleanInterval = 2 * time.Minute
)

func NewResolvers(log log.Logger) Resolvers {
	return Resolvers{
		log:                log,
		cache:              localcache.New(ttl, cleanInterval),
		attributeResolvers: map[string]ScopeAttributeResolver{},
	}
}

type Resolvers struct {
	log                log.Logger
	cache              *localcache.CacheService
	attributeResolvers map[string]ScopeAttributeResolver
}

func (s *Resolvers) AddScopeAttributeResolver(prefix string, resolver ScopeAttributeResolver) {
	s.log.Debug("Adding scope attribute resolver", "prefix", prefix)
	s.attributeResolvers[prefix] = resolver
}

func (s *Resolvers) GetScopeAttributeMutator(orgID int64) ScopeAttributeMutator {
	return func(ctx context.Context, scope string) ([]string, error) {
		ctx, span := tracer.Start(ctx, "accesscontrol.GetScopeAttributeMutator")
		defer span.End()

		key := getScopeCacheKey(orgID, scope)
		// Check cache before computing the scope
		if cachedScope, ok := s.cache.Get(key); ok {
			scopes := cachedScope.([]string)
			s.log.Debug("Used cache to resolve scope", "scope", scope, "resolved_scopes", scopes)
			return scopes, nil
		}

		prefix := ScopePrefix(scope)
		if resolver, ok := s.attributeResolvers[prefix]; ok {
			scopes, err := resolver.Resolve(ctx, orgID, scope)
			if err != nil {
				return nil, fmt.Errorf("could not resolve %v: %w", scope, err)
			}
			// Cache result
			s.cache.Set(key, scopes, ttl)
			s.log.Debug("Resolved scope", "scope", scope, "resolved_scopes", scopes)
			return scopes, nil
		}
		return nil, ErrResolverNotFound
	}
}

// getScopeCacheKey creates an identifier to fetch and store resolution of scopes in the cache
func getScopeCacheKey(orgID int64, scope string) string {
	return fmt.Sprintf("%s-%v", scope, orgID)
}
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 02:29:30 -05:00			`package accesscontrol`

			`import (`
			`"context"`
			`"fmt"`
			`"time"`

			`"github.com/grafana/grafana/pkg/infra/localcache"`
			`"github.com/grafana/grafana/pkg/infra/log"`
			`)`

RBAC: Split up service into several components (#54002) * RBAC: Rename interface to Store * RBAC: Move ranme scopeInjector * RBAC: Rename files to service * RBAC: Rename to service * RBAC: Split up accesscontrol into two components * RBAC: Add DeclareFixedRoles to AccessControl interface * Wire: Fix wire bindings * RBAC: Move resolvers to root * RBAC: Remove invalid test * RBAC: Inject access control service * RBAC: Implement the RoleRegistry interface in fake 2022-08-24 06:29:17 -05:00			`// ScopeAttributeResolver is used to resolve attributes in scopes to one or more scopes that are`
			`// evaluated by logical or. E.g. "dashboards:id:1" -> "dashboards:uid:test-dashboard" or "folder:uid:test-folder"`
			`type ScopeAttributeResolver interface {`
			`Resolve(ctx context.Context, orgID int64, scope string) ([]string, error)`
			`}`

RBAC: Adding action set resolver for RBAC evaluation (#86801) * add action set resolver * rename variables * some fixes and some tests * more tests * more tests, and put action set storing behind a feature toggle * undo change from cfg to feature mgmt - will cover it in a separate PR due to the amount of test changes * fix dependency cycle, update some tests * add one more test * fix for feature toggle check not being set on test configs * linting fixes * check that action set name can be split nicely * clean up tests by turning GetActionSetNames into a function * undo accidental change * test fix * more test fixes 2024-05-09 04:18:03 -05:00			`type ActionResolver interface {`
RBAC: Add and resolve action sets when searching user's permissions (#88694) * include and resolve action sets when fetching user's permissions * expand both action and action prefix (returns an empty set for the one that isn't specified) Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * if action is specified, check for exact match; also extend tests 2024-06-12 03:20:19 -05:00			`// ExpandActionSets takes a set of permissions that might include some action set permissions, and returns a set of permissions with action sets expanded into underlying permissions`
RBAC: Expand action sets when fetching permissions (#87967) * logic to expand action set to the underlying actions when permissions are fetched from the DB * updates needed for dependency injection * clean up some code, also deduplicate scopes when grouping scopes and actions * expand on a comment * rename a method 2024-05-21 09:09:26 -05:00			`ExpandActionSets(permissions []Permission) []Permission`
RBAC: Add and resolve action sets when searching user's permissions (#88694) * include and resolve action sets when fetching user's permissions * expand both action and action prefix (returns an empty set for the one that isn't specified) Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * if action is specified, check for exact match; also extend tests 2024-06-12 03:20:19 -05:00			`// ExpandActionSetsWithFilter works like ExpandActionSets, but it also takes a function for action filtering. When action sets are expanded into the underlying permissions,`
			`// only those permissions whose action is matched by actionMatcher are included.`
			`ExpandActionSetsWithFilter(permissions []Permission, actionMatcher func(action string) bool) []Permission`
			`// ResolveAction returns all action sets that include the given action`
			`ResolveAction(action string) []string`
			`// ResolveActionPrefix returns all action sets that include at least one action with the specified prefix`
			`ResolveActionPrefix(prefix string) []string`
RBAC: Adding action set resolver for RBAC evaluation (#86801) * add action set resolver * rename variables * some fixes and some tests * more tests * more tests, and put action set storing behind a feature toggle * undo change from cfg to feature mgmt - will cover it in a separate PR due to the amount of test changes * fix dependency cycle, update some tests * add one more test * fix for feature toggle check not being set on test configs * linting fixes * check that action set name can be split nicely * clean up tests by turning GetActionSetNames into a function * undo accidental change * test fix * more test fixes 2024-05-09 04:18:03 -05:00			`}`

RBAC: Split up service into several components (#54002) * RBAC: Rename interface to Store * RBAC: Move ranme scopeInjector * RBAC: Rename files to service * RBAC: Rename to service * RBAC: Split up accesscontrol into two components * RBAC: Add DeclareFixedRoles to AccessControl interface * Wire: Fix wire bindings * RBAC: Move resolvers to root * RBAC: Remove invalid test * RBAC: Inject access control service * RBAC: Implement the RoleRegistry interface in fake 2022-08-24 06:29:17 -05:00			`// ScopeAttributeResolverFunc is an adapter to allow functions to implement ScopeAttributeResolver interface`
			`type ScopeAttributeResolverFunc func(ctx context.Context, orgID int64, scope string) ([]string, error)`

			`func (f ScopeAttributeResolverFunc) Resolve(ctx context.Context, orgID int64, scope string) ([]string, error) {`
			`return f(ctx, orgID, scope)`
			`}`

			`type ScopeAttributeMutator func(context.Context, string) ([]string, error)`

Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 02:29:30 -05:00			`const (`
			`ttl = 30 * time.Second`
			`cleanInterval = 2 * time.Minute`
			`)`

RBAC: Split up service into several components (#54002) * RBAC: Rename interface to Store * RBAC: Move ranme scopeInjector * RBAC: Rename files to service * RBAC: Rename to service * RBAC: Split up accesscontrol into two components * RBAC: Add DeclareFixedRoles to AccessControl interface * Wire: Fix wire bindings * RBAC: Move resolvers to root * RBAC: Remove invalid test * RBAC: Inject access control service * RBAC: Implement the RoleRegistry interface in fake 2022-08-24 06:29:17 -05:00			`func NewResolvers(log log.Logger) Resolvers {`
			`return Resolvers{`
			`log: log,`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 02:29:30 -05:00			`cache: localcache.New(ttl, cleanInterval),`
RBAC: Split up service into several components (#54002) * RBAC: Rename interface to Store * RBAC: Move ranme scopeInjector * RBAC: Rename files to service * RBAC: Rename to service * RBAC: Split up accesscontrol into two components * RBAC: Add DeclareFixedRoles to AccessControl interface * Wire: Fix wire bindings * RBAC: Move resolvers to root * RBAC: Remove invalid test * RBAC: Inject access control service * RBAC: Implement the RoleRegistry interface in fake 2022-08-24 06:29:17 -05:00			`attributeResolvers: map[string]ScopeAttributeResolver{},`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 02:29:30 -05:00			`}`
			`}`

RBAC: Split up service into several components (#54002) * RBAC: Rename interface to Store * RBAC: Move ranme scopeInjector * RBAC: Rename files to service * RBAC: Rename to service * RBAC: Split up accesscontrol into two components * RBAC: Add DeclareFixedRoles to AccessControl interface * Wire: Fix wire bindings * RBAC: Move resolvers to root * RBAC: Remove invalid test * RBAC: Inject access control service * RBAC: Implement the RoleRegistry interface in fake 2022-08-24 06:29:17 -05:00			`type Resolvers struct {`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 02:29:30 -05:00			`log log.Logger`
			`cache *localcache.CacheService`
			`attributeResolvers map[string]ScopeAttributeResolver`
			`}`

RBAC: Split up service into several components (#54002) * RBAC: Rename interface to Store * RBAC: Move ranme scopeInjector * RBAC: Rename files to service * RBAC: Rename to service * RBAC: Split up accesscontrol into two components * RBAC: Add DeclareFixedRoles to AccessControl interface * Wire: Fix wire bindings * RBAC: Move resolvers to root * RBAC: Remove invalid test * RBAC: Inject access control service * RBAC: Implement the RoleRegistry interface in fake 2022-08-24 06:29:17 -05:00			`func (s *Resolvers) AddScopeAttributeResolver(prefix string, resolver ScopeAttributeResolver) {`
Chore: capitalise log message for auth packages (#74332) 2023-09-04 11:49:47 -05:00			`s.log.Debug("Adding scope attribute resolver", "prefix", prefix)`
RBAC: Split up service into several components (#54002) * RBAC: Rename interface to Store * RBAC: Move ranme scopeInjector * RBAC: Rename files to service * RBAC: Rename to service * RBAC: Split up accesscontrol into two components * RBAC: Add DeclareFixedRoles to AccessControl interface * Wire: Fix wire bindings * RBAC: Move resolvers to root * RBAC: Remove invalid test * RBAC: Inject access control service * RBAC: Implement the RoleRegistry interface in fake 2022-08-24 06:29:17 -05:00			`s.attributeResolvers[prefix] = resolver`
			`}`

			`func (s *Resolvers) GetScopeAttributeMutator(orgID int64) ScopeAttributeMutator {`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 02:29:30 -05:00			`return func(ctx context.Context, scope string) ([]string, error) {`
Instrument tracing across accesscontrol (#91864) Instrument tracing across accesscontrol --------- Co-authored-by: Dave Henderson <dave.henderson@grafana.com> 2024-08-16 17:08:19 -05:00			`ctx, span := tracer.Start(ctx, "accesscontrol.GetScopeAttributeMutator")`
			`defer span.End()`

Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 02:29:30 -05:00			`key := getScopeCacheKey(orgID, scope)`
			`// Check cache before computing the scope`
			`if cachedScope, ok := s.cache.Get(key); ok {`
			`scopes := cachedScope.([]string)`
Chore: capitalise log message for auth packages (#74332) 2023-09-04 11:49:47 -05:00			`s.log.Debug("Used cache to resolve scope", "scope", scope, "resolved_scopes", scopes)`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 02:29:30 -05:00			`return scopes, nil`
			`}`

			`prefix := ScopePrefix(scope)`
			`if resolver, ok := s.attributeResolvers[prefix]; ok {`
			`scopes, err := resolver.Resolve(ctx, orgID, scope)`
			`if err != nil {`
			`return nil, fmt.Errorf("could not resolve %v: %w", scope, err)`
			`}`
			`// Cache result`
			`s.cache.Set(key, scopes, ttl)`
Chore: capitalise log message for auth packages (#74332) 2023-09-04 11:49:47 -05:00			`s.log.Debug("Resolved scope", "scope", scope, "resolved_scopes", scopes)`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 02:29:30 -05:00			`return scopes, nil`
			`}`
RBAC: Fix resolver issue on wildcard resulting in wrong status code for endpoints (#54208) * RBAC: Test evaluation before attaching mutator * RBAC: Return error if no resolver is found for scope * RBAC: Sync changes to evaluation in mock * RBAC: Check for resolver not found error and just fail the evaluation in that case 2022-08-25 05:50:27 -05:00			`return nil, ErrResolverNotFound`
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes 2022-05-02 02:29:30 -05:00			`}`
			`}`

			`// getScopeCacheKey creates an identifier to fetch and store resolution of scopes in the cache`
			`func getScopeCacheKey(orgID int64, scope string) string {`
			`return fmt.Sprintf("%s-%v", scope, orgID)`
			`}`