grafana/pkg/services/searchV2/auth.go

package searchV2

import (
	"context"

	"github.com/grafana/grafana/pkg/infra/db"
	"github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/services/accesscontrol"
	"github.com/grafana/grafana/pkg/services/sqlstore/permissions"
	"github.com/grafana/grafana/pkg/services/sqlstore/searchstore"
	"github.com/grafana/grafana/pkg/services/user"
)

// ResourceFilter checks if a given a uid (resource identifier) check if we have the requested permission
type ResourceFilter func(uid string) bool

// FutureAuthService eventually implemented by the security service
type FutureAuthService interface {
	GetDashboardReadFilter(user *user.SignedInUser) (ResourceFilter, error)
}

var _ FutureAuthService = (*simpleSQLAuthService)(nil)

type simpleSQLAuthService struct {
	sql db.DB
	ac  accesscontrol.Service
}

type dashIdQueryResult struct {
	UID string `xorm:"uid"`
}

func (a *simpleSQLAuthService) getDashboardTableAuthFilter(user *user.SignedInUser) searchstore.FilterWhere {
	if a.ac.IsDisabled() {
		return permissions.DashboardPermissionFilter{
			OrgRole:         user.OrgRole,
			OrgId:           user.OrgID,
			Dialect:         a.sql.GetDialect(),
			UserId:          user.UserID,
			PermissionLevel: models.PERMISSION_VIEW,
		}
	}

	return permissions.NewAccessControlDashboardPermissionFilter(user, models.PERMISSION_VIEW, searchstore.TypeDashboard)
}

func (a *simpleSQLAuthService) GetDashboardReadFilter(user *user.SignedInUser) (ResourceFilter, error) {
	filter := a.getDashboardTableAuthFilter(user)
	rows := make([]*dashIdQueryResult, 0)

	err := a.sql.WithDbSession(context.Background(), func(sess *db.Session) error {
		sql, params := filter.Where()
		sess.Table("dashboard").
			Where(sql, params...).
			Where("org_id = ?", user.OrgID).
			Cols("uid")

		err := sess.Find(&rows)
		if err != nil {
			return err
		}

		return nil
	})

	if err != nil {
		return nil, err
	}

	uids := make(map[string]bool, len(rows)+1)
	for i := 0; i < len(rows); i++ {
		uids[rows[i].UID] = true
	}

	return func(uid string) bool {
		return uids[uid]
	}, err
}
Search: apply security in before returning results (#45430) Co-authored-by: Artur Wierzbicki <wierzbicki.artur.94@gmail.com> 2022-02-16 11:47:41 -06:00			`package searchV2`

			`import (`
			`"context"`

chore: remove sqlstore & mockstore dependencies from (most) packages (#57087) * chore: add alias for InitTestDB and Session Adds an alias for the sqlstore InitTestDB and Session, and updates tests using these to reduce dependencies on the sqlstore.Store. * next pass of removing sqlstore imports * last little bit * remove mockstore where possible 2022-10-19 08:02:15 -05:00			`"github.com/grafana/grafana/pkg/infra/db"`
Search: apply security in before returning results (#45430) Co-authored-by: Artur Wierzbicki <wierzbicki.artur.94@gmail.com> 2022-02-16 11:47:41 -06:00			`"github.com/grafana/grafana/pkg/models"`
Search: support auth filter based on access control/rbac (#48350) * #45498: add rbac support in searchv2 * to revert: fix dependency cycle * Revert "to revert: fix dependency cycle" This reverts commit 1ffbee73ec6e57561889981b69d229e0b649720e. * added a TODO for caching user permissions * add orgId to `getDashboardReadFilter` * use orgId from signedInUser * goimport 2022-04-28 13:16:23 -05:00			`"github.com/grafana/grafana/pkg/services/accesscontrol"`
Search: apply security in before returning results (#45430) Co-authored-by: Artur Wierzbicki <wierzbicki.artur.94@gmail.com> 2022-02-16 11:47:41 -06:00			`"github.com/grafana/grafana/pkg/services/sqlstore/permissions"`
Search: support auth filter based on access control/rbac (#48350) * #45498: add rbac support in searchv2 * to revert: fix dependency cycle * Revert "to revert: fix dependency cycle" This reverts commit 1ffbee73ec6e57561889981b69d229e0b649720e. * added a TODO for caching user permissions * add orgId to `getDashboardReadFilter` * use orgId from signedInUser * goimport 2022-04-28 13:16:23 -05:00			`"github.com/grafana/grafana/pkg/services/sqlstore/searchstore"`
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2 2022-08-10 04:56:48 -05:00			`"github.com/grafana/grafana/pkg/services/user"`
Search: apply security in before returning results (#45430) Co-authored-by: Artur Wierzbicki <wierzbicki.artur.94@gmail.com> 2022-02-16 11:47:41 -06:00			`)`

			`// ResourceFilter checks if a given a uid (resource identifier) check if we have the requested permission`
			`type ResourceFilter func(uid string) bool`

			`// FutureAuthService eventually implemented by the security service`
			`type FutureAuthService interface {`
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2 2022-08-10 04:56:48 -05:00			`GetDashboardReadFilter(user *user.SignedInUser) (ResourceFilter, error)`
Search: apply security in before returning results (#45430) Co-authored-by: Artur Wierzbicki <wierzbicki.artur.94@gmail.com> 2022-02-16 11:47:41 -06:00			`}`

Search: support auth filter based on access control/rbac (#48350) * #45498: add rbac support in searchv2 * to revert: fix dependency cycle * Revert "to revert: fix dependency cycle" This reverts commit 1ffbee73ec6e57561889981b69d229e0b649720e. * added a TODO for caching user permissions * add orgId to `getDashboardReadFilter` * use orgId from signedInUser * goimport 2022-04-28 13:16:23 -05:00			`var _ FutureAuthService = (*simpleSQLAuthService)(nil)`

Search: apply security in before returning results (#45430) Co-authored-by: Artur Wierzbicki <wierzbicki.artur.94@gmail.com> 2022-02-16 11:47:41 -06:00			`type simpleSQLAuthService struct {`
chore: remove sqlstore & mockstore dependencies from (most) packages (#57087) * chore: add alias for InitTestDB and Session Adds an alias for the sqlstore InitTestDB and Session, and updates tests using these to reduce dependencies on the sqlstore.Store. * next pass of removing sqlstore imports * last little bit * remove mockstore where possible 2022-10-19 08:02:15 -05:00			`sql db.DB`
RBAC: Split up service into several components (#54002) * RBAC: Rename interface to Store * RBAC: Move ranme scopeInjector * RBAC: Rename files to service * RBAC: Rename to service * RBAC: Split up accesscontrol into two components * RBAC: Add DeclareFixedRoles to AccessControl interface * Wire: Fix wire bindings * RBAC: Move resolvers to root * RBAC: Remove invalid test * RBAC: Inject access control service * RBAC: Implement the RoleRegistry interface in fake 2022-08-24 06:29:17 -05:00			`ac accesscontrol.Service`
Search: apply security in before returning results (#45430) Co-authored-by: Artur Wierzbicki <wierzbicki.artur.94@gmail.com> 2022-02-16 11:47:41 -06:00			`}`

			`type dashIdQueryResult struct {`
			UID string `xorm:"uid"`
			`}`

Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2 2022-08-10 04:56:48 -05:00			`func (a simpleSQLAuthService) getDashboardTableAuthFilter(user user.SignedInUser) searchstore.FilterWhere {`
Search: support auth filter based on access control/rbac (#48350) * #45498: add rbac support in searchv2 * to revert: fix dependency cycle * Revert "to revert: fix dependency cycle" This reverts commit 1ffbee73ec6e57561889981b69d229e0b649720e. * added a TODO for caching user permissions * add orgId to `getDashboardReadFilter` * use orgId from signedInUser * goimport 2022-04-28 13:16:23 -05:00			`if a.ac.IsDisabled() {`
			`return permissions.DashboardPermissionFilter{`
			`OrgRole: user.OrgRole,`
Chore: Add user service method SetUsingOrg and GetSignedInUserWithCacheCtx (#53343) * Chore: Add user service method SetUsingOrg * Chore: Add user service method GetSignedInUserWithCacheCtx * Use method GetSignedInUserWithCacheCtx from user service * Fix lint after rebase * Fix lint * Fix lint error * roll back some changes * Roll back changes in api and middleware * Add xorm tags to SignedInUser ID fields 2022-08-11 06:28:55 -05:00			`OrgId: user.OrgID,`
chore: remove sqlstore & mockstore dependencies from (most) packages (#57087) * chore: add alias for InitTestDB and Session Adds an alias for the sqlstore InitTestDB and Session, and updates tests using these to reduce dependencies on the sqlstore.Store. * next pass of removing sqlstore imports * last little bit * remove mockstore where possible 2022-10-19 08:02:15 -05:00			`Dialect: a.sql.GetDialect(),`
Chore: Add user service method SetUsingOrg and GetSignedInUserWithCacheCtx (#53343) * Chore: Add user service method SetUsingOrg * Chore: Add user service method GetSignedInUserWithCacheCtx * Use method GetSignedInUserWithCacheCtx from user service * Fix lint after rebase * Fix lint * Fix lint error * roll back some changes * Roll back changes in api and middleware * Add xorm tags to SignedInUser ID fields 2022-08-11 06:28:55 -05:00			`UserId: user.UserID,`
Search: support auth filter based on access control/rbac (#48350) * #45498: add rbac support in searchv2 * to revert: fix dependency cycle * Revert "to revert: fix dependency cycle" This reverts commit 1ffbee73ec6e57561889981b69d229e0b649720e. * added a TODO for caching user permissions * add orgId to `getDashboardReadFilter` * use orgId from signedInUser * goimport 2022-04-28 13:16:23 -05:00			`PermissionLevel: models.PERMISSION_VIEW,`
			`}`
Search: apply security in before returning results (#45430) Co-authored-by: Artur Wierzbicki <wierzbicki.artur.94@gmail.com> 2022-02-16 11:47:41 -06:00			`}`

Search: support auth filter based on access control/rbac (#48350) * #45498: add rbac support in searchv2 * to revert: fix dependency cycle * Revert "to revert: fix dependency cycle" This reverts commit 1ffbee73ec6e57561889981b69d229e0b649720e. * added a TODO for caching user permissions * add orgId to `getDashboardReadFilter` * use orgId from signedInUser * goimport 2022-04-28 13:16:23 -05:00			`return permissions.NewAccessControlDashboardPermissionFilter(user, models.PERMISSION_VIEW, searchstore.TypeDashboard)`
			`}`

Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2 2022-08-10 04:56:48 -05:00			`func (a simpleSQLAuthService) GetDashboardReadFilter(user user.SignedInUser) (ResourceFilter, error) {`
Search: support auth filter based on access control/rbac (#48350) * #45498: add rbac support in searchv2 * to revert: fix dependency cycle * Revert "to revert: fix dependency cycle" This reverts commit 1ffbee73ec6e57561889981b69d229e0b649720e. * added a TODO for caching user permissions * add orgId to `getDashboardReadFilter` * use orgId from signedInUser * goimport 2022-04-28 13:16:23 -05:00			`filter := a.getDashboardTableAuthFilter(user)`
Search: apply security in before returning results (#45430) Co-authored-by: Artur Wierzbicki <wierzbicki.artur.94@gmail.com> 2022-02-16 11:47:41 -06:00			`rows := make([]*dashIdQueryResult, 0)`

chore: remove sqlstore & mockstore dependencies from (most) packages (#57087) * chore: add alias for InitTestDB and Session Adds an alias for the sqlstore InitTestDB and Session, and updates tests using these to reduce dependencies on the sqlstore.Store. * next pass of removing sqlstore imports * last little bit * remove mockstore where possible 2022-10-19 08:02:15 -05:00			`err := a.sql.WithDbSession(context.Background(), func(sess *db.Session) error {`
Search: apply security in before returning results (#45430) Co-authored-by: Artur Wierzbicki <wierzbicki.artur.94@gmail.com> 2022-02-16 11:47:41 -06:00			`sql, params := filter.Where()`
			`sess.Table("dashboard").`
			`Where(sql, params...).`
Chore: Add user service method SetUsingOrg and GetSignedInUserWithCacheCtx (#53343) * Chore: Add user service method SetUsingOrg * Chore: Add user service method GetSignedInUserWithCacheCtx * Use method GetSignedInUserWithCacheCtx from user service * Fix lint after rebase * Fix lint * Fix lint error * roll back some changes * Roll back changes in api and middleware * Add xorm tags to SignedInUser ID fields 2022-08-11 06:28:55 -05:00			`Where("org_id = ?", user.OrgID).`
Search: apply security in before returning results (#45430) Co-authored-by: Artur Wierzbicki <wierzbicki.artur.94@gmail.com> 2022-02-16 11:47:41 -06:00			`Cols("uid")`

			`err := sess.Find(&rows)`
			`if err != nil {`
			`return err`
			`}`

			`return nil`
			`})`

			`if err != nil {`
			`return nil, err`
			`}`

			`uids := make(map[string]bool, len(rows)+1)`
			`for i := 0; i < len(rows); i++ {`
			`uids[rows[i].UID] = true`
			`}`

			`return func(uid string) bool {`
			`return uids[uid]`
			`}, err`
			`}`