grafana/pkg/services/accesscontrol/evaluator/evaluator.go

package evaluator

import (
	"context"

	"github.com/gobwas/glob"

	"github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/services/accesscontrol"
)

const roleGrafanaAdmin = "Grafana Admin"

// Evaluate evaluates access to the given resource, using provided AccessControl instance
func Evaluate(ctx context.Context, ac accesscontrol.AccessControl, user *models.SignedInUser, permission string, scope ...string) (bool, error) {
	roles := []string{string(user.OrgRole)}
	for _, role := range user.OrgRole.Children() {
		roles = append(roles, string(role))
	}
	if user.IsGrafanaAdmin {
		roles = append(roles, roleGrafanaAdmin)
	}

	res, err := ac.GetUserPermissions(ctx, user, roles)
	if err != nil {
		return false, err
	}

	ok, dbScopes := extractPermission(res, permission)
	if !ok {
		return false, nil
	}

	for _, s := range scope {
		var match bool
		for dbScope := range dbScopes {
			rule, err := glob.Compile(dbScope, ':', '/')
			if err != nil {
				return false, err
			}

			match = rule.Match(s)
			if match {
				break
			}
		}

		if !match {
			return false, nil
		}
	}

	return true, nil
}

func extractPermission(permissions []*accesscontrol.Permission, permission string) (bool, map[string]struct{}) {
	scopes := map[string]struct{}{}
	ok := false

	for _, p := range permissions {
		if p == nil {
			continue
		}
		if p.Permission == permission {
			ok = true
			scopes[p.Scope] = struct{}{}
		}
	}

	return ok, scopes
}
Access Control: move features to Enterprise (#32640) * Move db package WIP * Implement OSS access control * Register OSS access control * Fix linter error in tests * Fix linter error in evaluator * Simplify OSS tests * Optimize builtin roles * Chore: add comments to the exported functions * Remove init from ossaccesscontrol package (moved to ext) * Add access control as a dependency for http server * Modify middleware to receive fallback function * Middleware: refactor fallback function call * Move unused models to enterprise * Simplify AccessControl type * Chore: use bool IsDisabled() method instead of CanBeDisabled interface 2021-04-06 08:49:09 -05:00			`package evaluator`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com> 2021-03-22 07:22:48 -05:00
			`import (`
			`"context"`

			`"github.com/gobwas/glob"`

			`"github.com/grafana/grafana/pkg/models"`
			`"github.com/grafana/grafana/pkg/services/accesscontrol"`
			`)`

			`const roleGrafanaAdmin = "Grafana Admin"`

Access Control: move features to Enterprise (#32640) * Move db package WIP * Implement OSS access control * Register OSS access control * Fix linter error in tests * Fix linter error in evaluator * Simplify OSS tests * Optimize builtin roles * Chore: add comments to the exported functions * Remove init from ossaccesscontrol package (moved to ext) * Add access control as a dependency for http server * Modify middleware to receive fallback function * Middleware: refactor fallback function call * Move unused models to enterprise * Simplify AccessControl type * Chore: use bool IsDisabled() method instead of CanBeDisabled interface 2021-04-06 08:49:09 -05:00			`// Evaluate evaluates access to the given resource, using provided AccessControl instance`
			`func Evaluate(ctx context.Context, ac accesscontrol.AccessControl, user *models.SignedInUser, permission string, scope ...string) (bool, error) {`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com> 2021-03-22 07:22:48 -05:00			`roles := []string{string(user.OrgRole)}`
			`for _, role := range user.OrgRole.Children() {`
			`roles = append(roles, string(role))`
			`}`
			`if user.IsGrafanaAdmin {`
			`roles = append(roles, roleGrafanaAdmin)`
			`}`

Access Control: move features to Enterprise (#32640) * Move db package WIP * Implement OSS access control * Register OSS access control * Fix linter error in tests * Fix linter error in evaluator * Simplify OSS tests * Optimize builtin roles * Chore: add comments to the exported functions * Remove init from ossaccesscontrol package (moved to ext) * Add access control as a dependency for http server * Modify middleware to receive fallback function * Middleware: refactor fallback function call * Move unused models to enterprise * Simplify AccessControl type * Chore: use bool IsDisabled() method instead of CanBeDisabled interface 2021-04-06 08:49:09 -05:00			`res, err := ac.GetUserPermissions(ctx, user, roles)`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com> 2021-03-22 07:22:48 -05:00			`if err != nil {`
			`return false, err`
			`}`

			`ok, dbScopes := extractPermission(res, permission)`
			`if !ok {`
			`return false, nil`
			`}`

			`for _, s := range scope {`
			`var match bool`
			`for dbScope := range dbScopes {`
			`rule, err := glob.Compile(dbScope, ':', '/')`
			`if err != nil {`
			`return false, err`
			`}`

			`match = rule.Match(s)`
			`if match {`
			`break`
			`}`
			`}`

			`if !match {`
			`return false, nil`
			`}`
			`}`

			`return true, nil`
			`}`

			`func extractPermission(permissions []*accesscontrol.Permission, permission string) (bool, map[string]struct{}) {`
			`scopes := map[string]struct{}{}`
			`ok := false`

			`for _, p := range permissions {`
			`if p == nil {`
			`continue`
			`}`
			`if p.Permission == permission {`
			`ok = true`
			`scopes[p.Scope] = struct{}{}`
			`}`
			`}`

			`return ok, scopes`
			`}`