grafana/pkg/services/guardian/accesscontrol_guardian.go

package guardian

import (
	"context"
	"strconv"

	"github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/services/accesscontrol"
	"github.com/grafana/grafana/pkg/services/sqlstore"
	"github.com/grafana/grafana/pkg/setting"
)

var permissionMap = map[string]models.PermissionType{
	"View":  models.PERMISSION_VIEW,
	"Edit":  models.PERMISSION_EDIT,
	"Admin": models.PERMISSION_ADMIN,
}

var _ DashboardGuardian = new(AccessControlDashboardGuardian)

func NewAccessControlDashboardGuardian(
	ctx context.Context, dashboardId int64, user *models.SignedInUser,
	store *sqlstore.SQLStore, ac accesscontrol.AccessControl, permissionsServices accesscontrol.PermissionsServices,
) *AccessControlDashboardGuardian {
	return &AccessControlDashboardGuardian{
		ctx:                ctx,
		dashboardID:        dashboardId,
		user:               user,
		store:              store,
		ac:                 ac,
		permissionServices: permissionsServices,
	}
}

type AccessControlDashboardGuardian struct {
	ctx                context.Context
	dashboardID        int64
	dashboard          *models.Dashboard
	user               *models.SignedInUser
	store              *sqlstore.SQLStore
	ac                 accesscontrol.AccessControl
	permissionServices accesscontrol.PermissionsServices
}

func (a *AccessControlDashboardGuardian) CanSave() (bool, error) {
	if err := a.loadDashboard(); err != nil {
		return false, err
	}

	if a.dashboard.IsFolder {
		return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalPermission(accesscontrol.ActionFoldersWrite, folderScope(a.dashboardID)))
	}

	return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalAny(
		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, dashboardScope(a.dashboard.Id)),
		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, folderScope(a.dashboard.FolderId)),
	))
}

func (a *AccessControlDashboardGuardian) CanEdit() (bool, error) {
	if err := a.loadDashboard(); err != nil {
		return false, err
	}

	if setting.ViewersCanEdit {
		return a.CanView()
	}

	if a.dashboard.IsFolder {
		return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalPermission(accesscontrol.ActionFoldersWrite, folderScope(a.dashboardID)))
	}

	return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalAny(
		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, dashboardScope(a.dashboard.Id)),
		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, folderScope(a.dashboard.FolderId)),
	))
}

func (a *AccessControlDashboardGuardian) CanView() (bool, error) {
	if err := a.loadDashboard(); err != nil {
		return false, err
	}

	if a.dashboard.IsFolder {
		return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalPermission(accesscontrol.ActionFoldersRead, folderScope(a.dashboardID)))
	}

	return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalAny(
		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsRead, dashboardScope(a.dashboard.Id)),
		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsRead, folderScope(a.dashboard.FolderId)),
	))
}

func (a *AccessControlDashboardGuardian) CanAdmin() (bool, error) {
	if err := a.loadDashboard(); err != nil {
		return false, err
	}

	if a.dashboard.IsFolder {
		return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalAll(
			accesscontrol.EvalPermission(accesscontrol.ActionFoldersPermissionsRead, folderScope(a.dashboard.Id)),
			accesscontrol.EvalPermission(accesscontrol.ActionFoldersPermissionsWrite, folderScope(a.dashboard.Id)),
		))
	}

	return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalAny(
		accesscontrol.EvalAll(
			accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsRead, dashboardScope(a.dashboard.Id)),
			accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsWrite, dashboardScope(a.dashboard.Id)),
		),
		accesscontrol.EvalAll(
			accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsRead, folderScope(a.dashboard.FolderId)),
			accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsWrite, folderScope(a.dashboard.FolderId)),
		),
	))
}

func (a *AccessControlDashboardGuardian) CanDelete() (bool, error) {
	if err := a.loadDashboard(); err != nil {
		return false, err
	}

	if a.dashboard.IsFolder {
		return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalPermission(accesscontrol.ActionFoldersDelete, folderScope(a.dashboard.Id)))
	}

	return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalAny(
		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsDelete, dashboardScope(a.dashboard.Id)),
		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsDelete, folderScope(a.dashboard.FolderId)),
	))
}

func (a *AccessControlDashboardGuardian) CanCreate(folderID int64, isFolder bool) (bool, error) {
	if isFolder {
		return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalPermission(accesscontrol.ActionFoldersCreate))
	}

	return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalPermission(accesscontrol.ActionDashboardsCreate, folderScope(folderID)))
}

func (a *AccessControlDashboardGuardian) CheckPermissionBeforeUpdate(permission models.PermissionType, updatePermissions []*models.DashboardAcl) (bool, error) {
	// always true for access control
	return true, nil
}

// GetAcl translate access control permissions to dashboard acl info
func (a *AccessControlDashboardGuardian) GetAcl() ([]*models.DashboardAclInfoDTO, error) {
	if err := a.loadDashboard(); err != nil {
		return nil, err
	}

	svc := a.permissionServices.GetDashboardService()
	if a.dashboard.IsFolder {
		svc = a.permissionServices.GetFolderService()
	}

	permissions, err := svc.GetPermissions(a.ctx, a.user, strconv.FormatInt(a.dashboard.Id, 10))
	if err != nil {
		return nil, err
	}

	acl := make([]*models.DashboardAclInfoDTO, 0, len(permissions))
	for _, p := range permissions {
		if !p.IsManaged() {
			continue
		}

		var role *models.RoleType
		if p.BuiltInRole != "" {
			tmp := models.RoleType(p.BuiltInRole)
			role = &tmp
		}

		acl = append(acl, &models.DashboardAclInfoDTO{
			OrgId:          a.dashboard.OrgId,
			DashboardId:    a.dashboard.Id,
			FolderId:       a.dashboard.FolderId,
			Created:        p.Created,
			Updated:        p.Updated,
			UserId:         p.UserId,
			UserLogin:      p.UserLogin,
			UserEmail:      p.UserEmail,
			TeamId:         p.TeamId,
			TeamEmail:      p.TeamEmail,
			Team:           p.Team,
			Role:           role,
			Permission:     permissionMap[svc.MapActions(p)],
			PermissionName: permissionMap[svc.MapActions(p)].String(),
			Uid:            a.dashboard.Uid,
			Title:          a.dashboard.Title,
			Slug:           a.dashboard.Slug,
			IsFolder:       a.dashboard.IsFolder,
			Url:            a.dashboard.GetUrl(),
			Inherited:      false,
		})
	}

	return acl, nil
}

func (a *AccessControlDashboardGuardian) GetACLWithoutDuplicates() ([]*models.DashboardAclInfoDTO, error) {
	return a.GetAcl()
}

func (a *AccessControlDashboardGuardian) GetHiddenACL(cfg *setting.Cfg) ([]*models.DashboardAcl, error) {
	// not used with access control
	return nil, nil
}

func (a *AccessControlDashboardGuardian) loadDashboard() error {
	if a.dashboard == nil {
		query := &models.GetDashboardQuery{Id: a.dashboardID, OrgId: a.user.OrgId}
		if err := a.store.GetDashboard(a.ctx, query); err != nil {
			return err
		}
		a.dashboard = query.Result
	}
	return nil
}

func dashboardScope(dashboardID int64) string {
	return accesscontrol.Scope("dashboards", "id", strconv.FormatInt(dashboardID, 10))
}

func folderScope(folderID int64) string {
	return accesscontrol.Scope("folders", "id", strconv.FormatInt(folderID, 10))
}
Access control: Use access control for dashboard and folder (#44702) * Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2022-03-03 08:05:47 -06:00			`package guardian`

			`import (`
			`"context"`
			`"strconv"`

			`"github.com/grafana/grafana/pkg/models"`
			`"github.com/grafana/grafana/pkg/services/accesscontrol"`
			`"github.com/grafana/grafana/pkg/services/sqlstore"`
			`"github.com/grafana/grafana/pkg/setting"`
			`)`

			`var permissionMap = map[string]models.PermissionType{`
			`"View": models.PERMISSION_VIEW,`
			`"Edit": models.PERMISSION_EDIT,`
			`"Admin": models.PERMISSION_ADMIN,`
			`}`

			`var _ DashboardGuardian = new(AccessControlDashboardGuardian)`

			`func NewAccessControlDashboardGuardian(`
			`ctx context.Context, dashboardId int64, user *models.SignedInUser,`
			`store *sqlstore.SQLStore, ac accesscontrol.AccessControl, permissionsServices accesscontrol.PermissionsServices,`
			`) *AccessControlDashboardGuardian {`
			`return &AccessControlDashboardGuardian{`
			`ctx: ctx,`
			`dashboardID: dashboardId,`
			`user: user,`
			`store: store,`
			`ac: ac,`
			`permissionServices: permissionsServices,`
			`}`
			`}`

			`type AccessControlDashboardGuardian struct {`
			`ctx context.Context`
			`dashboardID int64`
			`dashboard *models.Dashboard`
			`user *models.SignedInUser`
			`store *sqlstore.SQLStore`
			`ac accesscontrol.AccessControl`
			`permissionServices accesscontrol.PermissionsServices`
			`}`

			`func (a *AccessControlDashboardGuardian) CanSave() (bool, error) {`
			`if err := a.loadDashboard(); err != nil {`
			`return false, err`
			`}`

			`if a.dashboard.IsFolder {`
			`return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalPermission(accesscontrol.ActionFoldersWrite, folderScope(a.dashboardID)))`
			`}`

			`return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalAny(`
			`accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, dashboardScope(a.dashboard.Id)),`
			`accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, folderScope(a.dashboard.FolderId)),`
			`))`
			`}`

			`func (a *AccessControlDashboardGuardian) CanEdit() (bool, error) {`
			`if err := a.loadDashboard(); err != nil {`
			`return false, err`
			`}`

			`if setting.ViewersCanEdit {`
			`return a.CanView()`
			`}`

			`if a.dashboard.IsFolder {`
			`return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalPermission(accesscontrol.ActionFoldersWrite, folderScope(a.dashboardID)))`
			`}`

			`return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalAny(`
			`accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, dashboardScope(a.dashboard.Id)),`
			`accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, folderScope(a.dashboard.FolderId)),`
			`))`
			`}`

			`func (a *AccessControlDashboardGuardian) CanView() (bool, error) {`
			`if err := a.loadDashboard(); err != nil {`
			`return false, err`
			`}`

			`if a.dashboard.IsFolder {`
			`return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalPermission(accesscontrol.ActionFoldersRead, folderScope(a.dashboardID)))`
			`}`

			`return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalAny(`
			`accesscontrol.EvalPermission(accesscontrol.ActionDashboardsRead, dashboardScope(a.dashboard.Id)),`
			`accesscontrol.EvalPermission(accesscontrol.ActionDashboardsRead, folderScope(a.dashboard.FolderId)),`
			`))`
			`}`

			`func (a *AccessControlDashboardGuardian) CanAdmin() (bool, error) {`
			`if err := a.loadDashboard(); err != nil {`
			`return false, err`
			`}`

			`if a.dashboard.IsFolder {`
			`return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalAll(`
			`accesscontrol.EvalPermission(accesscontrol.ActionFoldersPermissionsRead, folderScope(a.dashboard.Id)),`
			`accesscontrol.EvalPermission(accesscontrol.ActionFoldersPermissionsWrite, folderScope(a.dashboard.Id)),`
			`))`
			`}`

			`return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalAny(`
			`accesscontrol.EvalAll(`
			`accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsRead, dashboardScope(a.dashboard.Id)),`
			`accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsWrite, dashboardScope(a.dashboard.Id)),`
			`),`
			`accesscontrol.EvalAll(`
			`accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsRead, folderScope(a.dashboard.FolderId)),`
			`accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsWrite, folderScope(a.dashboard.FolderId)),`
			`),`
			`))`
			`}`

			`func (a *AccessControlDashboardGuardian) CanDelete() (bool, error) {`
			`if err := a.loadDashboard(); err != nil {`
			`return false, err`
			`}`

			`if a.dashboard.IsFolder {`
			`return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalPermission(accesscontrol.ActionFoldersDelete, folderScope(a.dashboard.Id)))`
			`}`

			`return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalAny(`
			`accesscontrol.EvalPermission(accesscontrol.ActionDashboardsDelete, dashboardScope(a.dashboard.Id)),`
			`accesscontrol.EvalPermission(accesscontrol.ActionDashboardsDelete, folderScope(a.dashboard.FolderId)),`
			`))`
			`}`

			`func (a *AccessControlDashboardGuardian) CanCreate(folderID int64, isFolder bool) (bool, error) {`
			`if isFolder {`
			`return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalPermission(accesscontrol.ActionFoldersCreate))`
			`}`

			`return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalPermission(accesscontrol.ActionDashboardsCreate, folderScope(folderID)))`
			`}`

			`func (a AccessControlDashboardGuardian) CheckPermissionBeforeUpdate(permission models.PermissionType, updatePermissions []models.DashboardAcl) (bool, error) {`
			`// always true for access control`
			`return true, nil`
			`}`

			`// GetAcl translate access control permissions to dashboard acl info`
			`func (a AccessControlDashboardGuardian) GetAcl() ([]models.DashboardAclInfoDTO, error) {`
			`if err := a.loadDashboard(); err != nil {`
			`return nil, err`
			`}`

			`svc := a.permissionServices.GetDashboardService()`
			`if a.dashboard.IsFolder {`
			`svc = a.permissionServices.GetFolderService()`
			`}`

			`permissions, err := svc.GetPermissions(a.ctx, a.user, strconv.FormatInt(a.dashboard.Id, 10))`
			`if err != nil {`
			`return nil, err`
			`}`

			`acl := make([]*models.DashboardAclInfoDTO, 0, len(permissions))`
			`for _, p := range permissions {`
			`if !p.IsManaged() {`
			`continue`
			`}`

			`var role *models.RoleType`
			`if p.BuiltInRole != "" {`
			`tmp := models.RoleType(p.BuiltInRole)`
			`role = &tmp`
			`}`

			`acl = append(acl, &models.DashboardAclInfoDTO{`
			`OrgId: a.dashboard.OrgId,`
			`DashboardId: a.dashboard.Id,`
			`FolderId: a.dashboard.FolderId,`
			`Created: p.Created,`
			`Updated: p.Updated,`
			`UserId: p.UserId,`
			`UserLogin: p.UserLogin,`
			`UserEmail: p.UserEmail,`
			`TeamId: p.TeamId,`
			`TeamEmail: p.TeamEmail,`
			`Team: p.Team,`
			`Role: role,`
			`Permission: permissionMap[svc.MapActions(p)],`
			`PermissionName: permissionMap[svc.MapActions(p)].String(),`
			`Uid: a.dashboard.Uid,`
			`Title: a.dashboard.Title,`
			`Slug: a.dashboard.Slug,`
			`IsFolder: a.dashboard.IsFolder,`
			`Url: a.dashboard.GetUrl(),`
			`Inherited: false,`
			`})`
			`}`

			`return acl, nil`
			`}`

			`func (a AccessControlDashboardGuardian) GetACLWithoutDuplicates() ([]models.DashboardAclInfoDTO, error) {`
			`return a.GetAcl()`
			`}`

			`func (a AccessControlDashboardGuardian) GetHiddenACL(cfg setting.Cfg) ([]*models.DashboardAcl, error) {`
			`// not used with access control`
			`return nil, nil`
			`}`

			`func (a *AccessControlDashboardGuardian) loadDashboard() error {`
			`if a.dashboard == nil {`
			`query := &models.GetDashboardQuery{Id: a.dashboardID, OrgId: a.user.OrgId}`
			`if err := a.store.GetDashboard(a.ctx, query); err != nil {`
			`return err`
			`}`
			`a.dashboard = query.Result`
			`}`
			`return nil`
			`}`

			`func dashboardScope(dashboardID int64) string {`
			`return accesscontrol.Scope("dashboards", "id", strconv.FormatInt(dashboardID, 10))`
			`}`

			`func folderScope(folderID int64) string {`
			`return accesscontrol.Scope("folders", "id", strconv.FormatInt(folderID, 10))`
			`}`