grafana/pkg/services/accesscontrol/scope.go

package accesscontrol

import (
	"fmt"
	"strconv"
	"strings"
)

const (
	maxPrefixParts = 2
)

func ParseScopeID(scope string) (int64, error) {
	id, err := strconv.ParseInt(ScopeSuffix(scope), 10, 64)
	if err != nil {
		return 0, ErrInvalidScope
	}
	return id, nil
}

func ParseScopeUID(scope string) (string, error) {
	uid := ScopeSuffix(scope)
	if len(uid) == 0 {
		return "", ErrInvalidScope
	}
	return uid, nil
}

func ScopeSuffix(scope string) string {
	return scope[len(ScopePrefix(scope)):]
}

func GetResourceScope(resource string, resourceID string) string {
	return Scope(resource, "id", resourceID)
}

func GetResourceScopeUID(resource string, resourceID string) string {
	return Scope(resource, "uid", resourceID)
}

func GetResourceScopeName(resource string, resourceID string) string {
	return Scope(resource, "name", resourceID)
}

func GetResourceScopeType(resource string, typeName string) string {
	return Scope(resource, "type", typeName)
}

func GetResourceAllScope(resource string) string {
	return Scope(resource, "*")
}

func GetResourceAllIDScope(resource string) string {
	return Scope(resource, "id", "*")
}

// Scope builds scope from parts
// e.g. Scope("users", "*") return "users:*"
func Scope(parts ...string) string {
	b := strings.Builder{}
	for i, c := range parts {
		if i != 0 {
			b.WriteRune(':')
		}
		b.WriteString(c)
	}
	return b.String()
}

// Parameter returns injectable scope part, based on URL parameters.
// e.g. Scope("users", Parameter(":id")) or "users:" + Parameter(":id")
func Parameter(key string) string {
	return fmt.Sprintf(`{{ index .URLParams "%s" }}`, key)
}

// Field returns an injectable scope part for selected fields from the request's context available in accesscontrol.ScopeParams.
// e.g. Scope("orgs", Parameter("OrgID")) or "orgs:" + Parameter("OrgID")
func Field(key string) string {
	return fmt.Sprintf(`{{ .%s }}`, key)
}

// ScopePrefix returns the prefix associated to a given scope
// we assume prefixes are all in the form <resource>:<attribute>:<value>
// ex: "datasources:name:test" returns "datasources:name:"
func ScopePrefix(scope string) string {
	parts := strings.Split(scope, ":")
	// We assume prefixes don't have more than maxPrefixParts parts
	if len(parts) > maxPrefixParts {
		parts = append(parts[:maxPrefixParts], "")
	}
	return strings.Join(parts, ":")
}

// ScopeProvider provides methods that construct scopes
type ScopeProvider interface {
	GetResourceScope(resourceID string) string
	GetResourceScopeUID(resourceID string) string
	GetResourceScopeName(resourceID string) string
	GetResourceScopeType(typeName string) string
	GetResourceAllScope() string
	GetResourceAllIDScope() string
}

type scopeProviderImpl struct {
	root string
}

// NewScopeProvider creates a new ScopeProvider that is configured with specific root scope
func NewScopeProvider(root string) ScopeProvider {
	return &scopeProviderImpl{
		root: root,
	}
}

// GetResourceScope returns scope that has the format "<rootScope>:id:<resourceID>"
func (s scopeProviderImpl) GetResourceScope(resourceID string) string {
	return GetResourceScope(s.root, resourceID)
}

// GetResourceScopeUID returns scope that has the format "<rootScope>:uid:<resourceID>"
func (s scopeProviderImpl) GetResourceScopeUID(resourceID string) string {
	return GetResourceScopeUID(s.root, resourceID)
}

// GetResourceScopeName returns scope that has the format "<rootScope>:name:<resourceID>"
func (s scopeProviderImpl) GetResourceScopeName(resourceID string) string {
	return GetResourceScopeName(s.root, resourceID)
}

// GetResourceScopeType returns scope that has the format "<rootScope>:type:<typeName>"
func (s scopeProviderImpl) GetResourceScopeType(typeName string) string {
	return GetResourceScopeType(s.root, typeName)
}

// GetResourceAllScope returns scope that has the format "<rootScope>:*"
func (s scopeProviderImpl) GetResourceAllScope() string {
	return GetResourceAllScope(s.root)
}

// GetResourceAllIDScope returns scope that has the format "<rootScope>:id:*"
func (s scopeProviderImpl) GetResourceAllIDScope() string {
	return GetResourceAllIDScope(s.root)
}

// WildcardsFromPrefix generates valid wildcards from prefix
// datasource:uid: => "*", "datasource:*", "datasource:uid:*"
func WildcardsFromPrefix(prefix string) Wildcards {
	var b strings.Builder
	wildcards := Wildcards{"*"}
	parts := strings.Split(prefix, ":")
	for _, p := range parts {
		if p == "" {
			continue
		}
		b.WriteString(p)
		b.WriteRune(':')
		wildcards = append(wildcards, b.String()+"*")
	}
	return wildcards
}

type Wildcards []string

// Contains check if wildcards contains scope
func (wildcards Wildcards) Contains(scope string) bool {
	for _, w := range wildcards {
		if scope == w {
			return true
		}
	}
	return false
}
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-08-24 04:36:28 -05:00			`package accesscontrol`

			`import (`
			`"fmt"`
RBAC: Add scope resolvers for dashboards (#50110) * Inject access control into dashboard service * Add function to parse id scopes * Add dashboard as return value * Update mock * Return only err to keep service interface * Add scope resolvers for dashboard id scopes * Add function to parse uid scopes * Add dashboard uid scope resolver * Register scope resolvers for dashboards Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> 2022-06-07 04:02:20 -05:00			`"strconv"`
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-08-24 04:36:28 -05:00			`"strings"`
			`)`

AccessControl: Resolve `attribute` based scopes to `id` based scopes (#40742) * AccessControl: POC scope attribute resolution Refactor based on ScopeMutators test errors and calls to cache Add comments to tests Rename logger Create keywordMutator only once * AccessControl: Add AttributeScopeResolver registration Co-authored-by: gamab <gabriel.mabille@grafana.com> * AccessControl: Add AttributeScopeResolver to datasources Co-authored-by: gamab <gabriel.mabille@grafana.com> * Test evaluation with translation * fix imports * AccessControl: Test attribute resolver * Fix trailing white space * Make ScopeResolver public for enterprise redefine * Handle wildcard Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-01-18 10:34:35 -06:00			`const (`
AccessControl: Handle ':' in attribute resolution (#46742) * AccessControl: Handle ':' in attribute resolution * Simplify based on assumption that prefixes will have maximum 2 parts 2022-03-23 02:48:32 -05:00			`maxPrefixParts = 2`
AccessControl: Resolve `attribute` based scopes to `id` based scopes (#40742) * AccessControl: POC scope attribute resolution Refactor based on ScopeMutators test errors and calls to cache Add comments to tests Rename logger Create keywordMutator only once * AccessControl: Add AttributeScopeResolver registration Co-authored-by: gamab <gabriel.mabille@grafana.com> * AccessControl: Add AttributeScopeResolver to datasources Co-authored-by: gamab <gabriel.mabille@grafana.com> * Test evaluation with translation * fix imports * AccessControl: Test attribute resolver * Fix trailing white space * Make ScopeResolver public for enterprise redefine * Handle wildcard Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-01-18 10:34:35 -06:00			`)`

RBAC: Add scope resolvers for dashboards (#50110) * Inject access control into dashboard service * Add function to parse id scopes * Add dashboard as return value * Update mock * Return only err to keep service interface * Add scope resolvers for dashboard id scopes * Add function to parse uid scopes * Add dashboard uid scope resolver * Register scope resolvers for dashboards Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> 2022-06-07 04:02:20 -05:00			`func ParseScopeID(scope string) (int64, error) {`
			`id, err := strconv.ParseInt(ScopeSuffix(scope), 10, 64)`
			`if err != nil {`
			`return 0, ErrInvalidScope`
			`}`
			`return id, nil`
			`}`

			`func ParseScopeUID(scope string) (string, error) {`
			`uid := ScopeSuffix(scope)`
			`if len(uid) == 0 {`
			`return "", ErrInvalidScope`
			`}`
			`return uid, nil`
			`}`

			`func ScopeSuffix(scope string) string {`
			`return scope[len(ScopePrefix(scope)):]`
			`}`

AccessControl: Add accesscontrol metadata to datasources DTOs (#42675) * AccessControl: Provide scope to frontend * Covering datasources with accesscontrol metadata * Write benchmark tests for GetResourcesMetadata * Add accesscontrol util and interface * Add the hasPermissionInMetadata function in the frontend access control code * Use IsDisabled rather that performing a feature toggle check Co-authored-by: Karl Persson <kalle.persson@grafana.com> 2021-12-15 05:08:15 -06:00			`func GetResourceScope(resource string, resourceID string) string {`
			`return Scope(resource, "id", resourceID)`
			`}`

Move datasource scopes and actions to access control package (#46334) * create scope provider * move datasource actions and scopes to datasource package + add provider * change usages to use datasource scopes and update data source name resolver to use provider * move folder permissions to dashboard package and update usages 2022-03-09 10:57:50 -06:00			`func GetResourceScopeUID(resource string, resourceID string) string {`
			`return Scope(resource, "uid", resourceID)`
			`}`

			`func GetResourceScopeName(resource string, resourceID string) string {`
			`return Scope(resource, "name", resourceID)`
			`}`

Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com> 2022-03-18 11:33:21 -05:00			`func GetResourceScopeType(resource string, typeName string) string {`
			`return Scope(resource, "type", typeName)`
			`}`

AccessControl: Add accesscontrol metadata to datasources DTOs (#42675) * AccessControl: Provide scope to frontend * Covering datasources with accesscontrol metadata * Write benchmark tests for GetResourcesMetadata * Add accesscontrol util and interface * Add the hasPermissionInMetadata function in the frontend access control code * Use IsDisabled rather that performing a feature toggle check Co-authored-by: Karl Persson <kalle.persson@grafana.com> 2021-12-15 05:08:15 -06:00			`func GetResourceAllScope(resource string) string {`
			`return Scope(resource, "*")`
			`}`

			`func GetResourceAllIDScope(resource string) string {`
			`return Scope(resource, "id", "*")`
			`}`

Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-08-24 04:36:28 -05:00			`// Scope builds scope from parts`
			`// e.g. Scope("users", "") return "users:"`
			`func Scope(parts ...string) string {`
			`b := strings.Builder{}`
			`for i, c := range parts {`
			`if i != 0 {`
			`b.WriteRune(':')`
			`}`
			`b.WriteString(c)`
			`}`
			`return b.String()`
			`}`

AccessControl: Extend scope parameters with extra params from context (#39722) * AccessControl: Extend scope parameters with extra params from context Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-10-06 06:15:09 -05:00			`// Parameter returns injectable scope part, based on URL parameters.`
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-08-24 04:36:28 -05:00			`// e.g. Scope("users", Parameter(":id")) or "users:" + Parameter(":id")`
			`func Parameter(key string) string {`
AccessControl: Extend scope parameters with extra params from context (#39722) * AccessControl: Extend scope parameters with extra params from context Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-10-06 06:15:09 -05:00			return fmt.Sprintf(`{{ index .URLParams "%s" }}`, key)
			`}`

			`// Field returns an injectable scope part for selected fields from the request's context available in accesscontrol.ScopeParams.`
			`// e.g. Scope("orgs", Parameter("OrgID")) or "orgs:" + Parameter("OrgID")`
			`func Field(key string) string {`
			return fmt.Sprintf(`{{ .%s }}`, key)
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-08-24 04:36:28 -05:00			`}`
AccessControl: tidy scope resolution (#40677) * AccessControl: tidy scope resolution 2021-10-20 10:11:22 -05:00
Dashboard/Folder permission fix session (#47174) * Fix inherited scopes for dashboard to use folder uid * Add inherited evaluators * Slight modification of the commments * Add test for inheritance * Nit. * extract shared function from tests * Nit. Extra line * Remove unused comment Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: gamab <gabi.mabs@gmail.com> 2022-04-05 07:28:23 -05:00			`// ScopePrefix returns the prefix associated to a given scope`
AccessControl: Handle ':' in attribute resolution (#46742) * AccessControl: Handle ':' in attribute resolution * Simplify based on assumption that prefixes will have maximum 2 parts 2022-03-23 02:48:32 -05:00			`// we assume prefixes are all in the form <resource>:<attribute>:<value>`
			`// ex: "datasources:name:test" returns "datasources:name:"`
Dashboard/Folder permission fix session (#47174) * Fix inherited scopes for dashboard to use folder uid * Add inherited evaluators * Slight modification of the commments * Add test for inheritance * Nit. * extract shared function from tests * Nit. Extra line * Remove unused comment Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: gamab <gabi.mabs@gmail.com> 2022-04-05 07:28:23 -05:00			`func ScopePrefix(scope string) string {`
AccessControl: Resolve `attribute` based scopes to `id` based scopes (#40742) * AccessControl: POC scope attribute resolution Refactor based on ScopeMutators test errors and calls to cache Add comments to tests Rename logger Create keywordMutator only once * AccessControl: Add AttributeScopeResolver registration Co-authored-by: gamab <gabriel.mabille@grafana.com> * AccessControl: Add AttributeScopeResolver to datasources Co-authored-by: gamab <gabriel.mabille@grafana.com> * Test evaluation with translation * fix imports * AccessControl: Test attribute resolver * Fix trailing white space * Make ScopeResolver public for enterprise redefine * Handle wildcard Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-01-18 10:34:35 -06:00			`parts := strings.Split(scope, ":")`
AccessControl: Handle ':' in attribute resolution (#46742) * AccessControl: Handle ':' in attribute resolution * Simplify based on assumption that prefixes will have maximum 2 parts 2022-03-23 02:48:32 -05:00			`// We assume prefixes don't have more than maxPrefixParts parts`
			`if len(parts) > maxPrefixParts {`
			`parts = append(parts[:maxPrefixParts], "")`
			`}`
AccessControl: Resolve `attribute` based scopes to `id` based scopes (#40742) * AccessControl: POC scope attribute resolution Refactor based on ScopeMutators test errors and calls to cache Add comments to tests Rename logger Create keywordMutator only once * AccessControl: Add AttributeScopeResolver registration Co-authored-by: gamab <gabriel.mabille@grafana.com> * AccessControl: Add AttributeScopeResolver to datasources Co-authored-by: gamab <gabriel.mabille@grafana.com> * Test evaluation with translation * fix imports * AccessControl: Test attribute resolver * Fix trailing white space * Make ScopeResolver public for enterprise redefine * Handle wildcard Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-01-18 10:34:35 -06:00			`return strings.Join(parts, ":")`
			`}`

Move datasource scopes and actions to access control package (#46334) * create scope provider * move datasource actions and scopes to datasource package + add provider * change usages to use datasource scopes and update data source name resolver to use provider * move folder permissions to dashboard package and update usages 2022-03-09 10:57:50 -06:00			`// ScopeProvider provides methods that construct scopes`
			`type ScopeProvider interface {`
			`GetResourceScope(resourceID string) string`
			`GetResourceScopeUID(resourceID string) string`
			`GetResourceScopeName(resourceID string) string`
Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com> 2022-03-18 11:33:21 -05:00			`GetResourceScopeType(typeName string) string`
Move datasource scopes and actions to access control package (#46334) * create scope provider * move datasource actions and scopes to datasource package + add provider * change usages to use datasource scopes and update data source name resolver to use provider * move folder permissions to dashboard package and update usages 2022-03-09 10:57:50 -06:00			`GetResourceAllScope() string`
			`GetResourceAllIDScope() string`
			`}`

			`type scopeProviderImpl struct {`
			`root string`
			`}`

			`// NewScopeProvider creates a new ScopeProvider that is configured with specific root scope`
			`func NewScopeProvider(root string) ScopeProvider {`
			`return &scopeProviderImpl{`
			`root: root,`
			`}`
			`}`

			`// GetResourceScope returns scope that has the format "<rootScope>:id:<resourceID>"`
			`func (s scopeProviderImpl) GetResourceScope(resourceID string) string {`
			`return GetResourceScope(s.root, resourceID)`
			`}`

			`// GetResourceScopeUID returns scope that has the format "<rootScope>:uid:<resourceID>"`
			`func (s scopeProviderImpl) GetResourceScopeUID(resourceID string) string {`
			`return GetResourceScopeUID(s.root, resourceID)`
			`}`

			`// GetResourceScopeName returns scope that has the format "<rootScope>:name:<resourceID>"`
			`func (s scopeProviderImpl) GetResourceScopeName(resourceID string) string {`
			`return GetResourceScopeName(s.root, resourceID)`
			`}`

Access control: FGAC for annotation updates (#46462) * proposal * PR feedback * fix canSave bug * update scope naming * linting * linting Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com> 2022-03-18 11:33:21 -05:00			`// GetResourceScopeType returns scope that has the format "<rootScope>:type:<typeName>"`
			`func (s scopeProviderImpl) GetResourceScopeType(typeName string) string {`
			`return GetResourceScopeType(s.root, typeName)`
			`}`

Move datasource scopes and actions to access control package (#46334) * create scope provider * move datasource actions and scopes to datasource package + add provider * change usages to use datasource scopes and update data source name resolver to use provider * move folder permissions to dashboard package and update usages 2022-03-09 10:57:50 -06:00			`// GetResourceAllScope returns scope that has the format "<rootScope>:*"`
			`func (s scopeProviderImpl) GetResourceAllScope() string {`
			`return GetResourceAllScope(s.root)`
			`}`

			`// GetResourceAllIDScope returns scope that has the format "<rootScope>:id:*"`
			`func (s scopeProviderImpl) GetResourceAllIDScope() string {`
			`return GetResourceAllIDScope(s.root)`
			`}`
RBAC: Add function to generate wildcards from prefix (#54275) * RBAC: Move metadata to own file * RBAC: Rename test files * RBAC: Add wildcard structure and helper function to generate wildcards from prefix * RBAC: Refactor filter to use WildcardsFromPrefix * RBAC: Refactor GetResourceMetadata to use WildcardsFromPrefix 2022-08-26 10:10:35 -05:00
			`// WildcardsFromPrefix generates valid wildcards from prefix`
			`// datasource:uid: => "", "datasource:", "datasource:uid:*"`
			`func WildcardsFromPrefix(prefix string) Wildcards {`
			`var b strings.Builder`
			`wildcards := Wildcards{"*"}`
			`parts := strings.Split(prefix, ":")`
			`for _, p := range parts {`
			`if p == "" {`
			`continue`
			`}`
			`b.WriteString(p)`
			`b.WriteRune(':')`
			`wildcards = append(wildcards, b.String()+"*")`
			`}`
			`return wildcards`
			`}`

			`type Wildcards []string`

			`// Contains check if wildcards contains scope`
			`func (wildcards Wildcards) Contains(scope string) bool {`
			`for _, w := range wildcards {`
			`if scope == w {`
			`return true`
			`}`
			`}`
			`return false`
			`}`