grafana/pkg/services/accesscontrol/middleware/middleware.go

package middleware

import (
	"bytes"
	"net/http"
	"text/template"

	macaron "gopkg.in/macaron.v1"

	"github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/services/accesscontrol"
)

func Middleware(ac accesscontrol.AccessControl) func(string, ...string) macaron.Handler {
	return func(permission string, scopes ...string) macaron.Handler {
		return func(c *models.ReqContext) {
			for i, scope := range scopes {
				var buf bytes.Buffer

				tmpl, err := template.New("scope").Parse(scope)
				if err != nil {
					c.JsonApiErr(http.StatusInternalServerError, "Internal server error", err)
					return
				}
				err = tmpl.Execute(&buf, c.AllParams())
				if err != nil {
					c.JsonApiErr(http.StatusInternalServerError, "Internal server error", err)
					return
				}
				scopes[i] = buf.String()
			}

			hasAccess, err := ac.Evaluate(c.Req.Context(), c.SignedInUser, permission, scopes...)
			if err != nil {
				c.Logger.Error("Error from access control system", "error", err)
				c.JsonApiErr(http.StatusForbidden, "Forbidden", nil)
				return
			}
			if !hasAccess {
				c.Logger.Info("Access denied", "error", err, "userID", c.UserId, "permission", permission, "scopes", scopes)
				c.JsonApiErr(http.StatusForbidden, "Forbidden", nil)
				return
			}
		}
	}
}
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com> 2021-03-22 07:22:48 -05:00			`package middleware`

			`import (`
			`"bytes"`
			`"net/http"`
			`"text/template"`

			`macaron "gopkg.in/macaron.v1"`

			`"github.com/grafana/grafana/pkg/models"`
			`"github.com/grafana/grafana/pkg/services/accesscontrol"`
			`)`

			`func Middleware(ac accesscontrol.AccessControl) func(string, ...string) macaron.Handler {`
			`return func(permission string, scopes ...string) macaron.Handler {`
			`return func(c *models.ReqContext) {`
			`for i, scope := range scopes {`
			`var buf bytes.Buffer`

			`tmpl, err := template.New("scope").Parse(scope)`
			`if err != nil {`
			`c.JsonApiErr(http.StatusInternalServerError, "Internal server error", err)`
			`return`
			`}`
			`err = tmpl.Execute(&buf, c.AllParams())`
			`if err != nil {`
			`c.JsonApiErr(http.StatusInternalServerError, "Internal server error", err)`
			`return`
			`}`
			`scopes[i] = buf.String()`
			`}`

			`hasAccess, err := ac.Evaluate(c.Req.Context(), c.SignedInUser, permission, scopes...)`
			`if err != nil {`
			`c.Logger.Error("Error from access control system", "error", err)`
			`c.JsonApiErr(http.StatusForbidden, "Forbidden", nil)`
			`return`
			`}`
			`if !hasAccess {`
			`c.Logger.Info("Access denied", "error", err, "userID", c.UserId, "permission", permission, "scopes", scopes)`
			`c.JsonApiErr(http.StatusForbidden, "Forbidden", nil)`
			`return`
			`}`
			`}`
			`}`
			`}`