grafana/pkg/services/accesscontrol/checker.go

package accesscontrol

import (
	"github.com/grafana/grafana/pkg/services/user"
)

func Checker(user *user.SignedInUser, action string) func(scopes ...string) bool {
	if user.Permissions == nil || user.Permissions[user.OrgID] == nil {
		return func(scopes ...string) bool { return false }
	}

	userScopes, ok := user.Permissions[user.OrgID][action]
	if !ok {
		return func(scopes ...string) bool { return false }
	}

	lookup := make(map[string]bool, len(userScopes))
	for i := range userScopes {
		lookup[userScopes[i]] = true
	}

	var checkedWildcards bool
	var hasWildcard bool

	return func(scopes ...string) bool {
		if !checkedWildcards {
			wildcards := wildcardsFromScopes(scopes...)
			for _, w := range wildcards {
				if _, ok := lookup[w]; ok {
					hasWildcard = true
					break
				}
			}
			checkedWildcards = true
		}

		if hasWildcard {
			return true
		}

		for _, s := range scopes {
			if lookup[s] {
				return true
			}
		}
		return false
	}
}

func wildcardsFromScopes(scopes ...string) Wildcards {
	prefixes := make([]string, len(scopes))
	for _, scope := range scopes {
		prefixes = append(prefixes, ScopePrefix(scope))
	}

	return WildcardsFromPrefixes(prefixes)
}
RBAC: Permission check performance improvements for the new search (#60729) * Add checker and update the resource filter function for new search * Add tests for checker * small fixes * handle location for panels correctly * clean up checker code and extend the tests for it * more fixes, but tests don't quite work yet * a small change to return error * cleanup * more simplification * fix tests * correct wrong argument ordering & use constant * Apply suggestions from code review Co-authored-by: Artur Wierzbicki <artur.wierzbicki@grafana.com> * import * check general folder from permission checker function * handle root folder aka general folder properly * update tests * clean up * lint * add fix from main Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Artur Wierzbicki <artur.wierzbicki@grafana.com> 2023-01-27 06:12:30 -06:00			`package accesscontrol`

			`import (`
			`"github.com/grafana/grafana/pkg/services/user"`
			`)`

			`func Checker(user *user.SignedInUser, action string) func(scopes ...string) bool {`
			`if user.Permissions == nil \|\| user.Permissions[user.OrgID] == nil {`
			`return func(scopes ...string) bool { return false }`
			`}`

			`userScopes, ok := user.Permissions[user.OrgID][action]`
			`if !ok {`
			`return func(scopes ...string) bool { return false }`
			`}`

			`lookup := make(map[string]bool, len(userScopes))`
			`for i := range userScopes {`
			`lookup[userScopes[i]] = true`
			`}`

			`var checkedWildcards bool`
			`var hasWildcard bool`

			`return func(scopes ...string) bool {`
			`if !checkedWildcards {`
			`wildcards := wildcardsFromScopes(scopes...)`
			`for _, w := range wildcards {`
			`if _, ok := lookup[w]; ok {`
			`hasWildcard = true`
			`break`
			`}`
			`}`
			`checkedWildcards = true`
			`}`

			`if hasWildcard {`
			`return true`
			`}`

			`for _, s := range scopes {`
			`if lookup[s] {`
			`return true`
			`}`
			`}`
			`return false`
			`}`
			`}`

			`func wildcardsFromScopes(scopes ...string) Wildcards {`
			`prefixes := make([]string, len(scopes))`
			`for _, scope := range scopes {`
			`prefixes = append(prefixes, ScopePrefix(scope))`
			`}`

			`return WildcardsFromPrefixes(prefixes)`
			`}`