grafana/pkg/services/accesscontrol/errors.go

package accesscontrol

import (
	"errors"
	"fmt"

	"github.com/grafana/grafana/pkg/apimachinery/errutil"
)

const (
	invalidBuiltInRoleMessage       = `built-in role [{{ .Public.builtInRole }}] is not valid`
	assignmentEntityNotFoundMessage = `{{ .Public.assignment }} not found`
)

var (
	ErrInvalidBuiltinRole = errutil.BadRequest("accesscontrol.invalidBuiltInRole").
				MustTemplate(invalidBuiltInRoleMessage, errutil.WithPublic(invalidBuiltInRoleMessage))
	ErrNoneRoleAssignment       = errutil.BadRequest("accesscontrol.noneRoleAssignment", errutil.WithPublicMessage("none role cannot receive permissions"))
	ErrAssignmentEntityNotFound = errutil.BadRequest("accesscontrol.assignmentEntityNotFound").
					MustTemplate(assignmentEntityNotFoundMessage, errutil.WithPublic(assignmentEntityNotFoundMessage))

	// Note: these are intended to be replaced by equivalent errutil implementations.
	// Avoid creating new errors with errors.New and prefer errutil
	ErrInvalidRequestBody     = errors.New("invalid request body")
	ErrFixedRolePrefixMissing = errors.New("fixed role should be prefixed with '" + FixedRolePrefix + "'")
	ErrInvalidScope           = errors.New("invalid scope")
	ErrResolverNotFound       = errors.New("no resolver found")
	ErrPluginIDRequired       = errors.New("plugin ID is required")
	ErrRoleNotFound           = errors.New("role not found")
)

func ErrInvalidBuiltinRoleData(builtInRole string) errutil.TemplateData {
	return errutil.TemplateData{
		Public: map[string]any{
			"builtInRole": builtInRole,
		},
	}
}

func ErrAssignmentEntityNotFoundData(assignment string) errutil.TemplateData {
	return errutil.TemplateData{
		Public: map[string]any{
			"assignment": assignment,
		},
	}
}

type ErrorInvalidRole struct{}

func (e *ErrorInvalidRole) Error() string {
	return "role is invalid"
}

type ErrorRoleNameMissing struct{}

func (e *ErrorRoleNameMissing) Error() string {
	return "role has been defined without a name"
}

func (e *ErrorRoleNameMissing) Unwrap() error {
	return &ErrorInvalidRole{}
}

type ErrorRolePrefixMissing struct {
	Role     string
	Prefixes []string
}

func (e *ErrorRolePrefixMissing) Error() string {
	return fmt.Sprintf("expected role '%s' to be prefixed with any of '%v'", e.Role, e.Prefixes)
}

func (e *ErrorRolePrefixMissing) Unwrap() error {
	return &ErrorInvalidRole{}
}

type ErrorActionPrefixMissing struct {
	Action   string
	Prefixes []string
}

func (e *ErrorActionPrefixMissing) Error() string {
	return fmt.Sprintf("expected action '%s' to be prefixed with any of '%v'", e.Action, e.Prefixes)
}

func (e *ErrorActionPrefixMissing) Unwrap() error {
	return &ErrorInvalidRole{}
}

type ErrorScopeTarget struct {
	Action        string
	Scope         string
	ExpectedScope string
}

func (e *ErrorScopeTarget) Error() string {
	return fmt.Sprintf("expected action '%s' to be scoped with '%v', found '%v'", e.Action, e.ExpectedScope, e.Scope)
}

func (e *ErrorScopeTarget) Unwrap() error {
	return &ErrorInvalidRole{}
}
Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)" (#37535) This reverts commit 55efeb0c02ef5261eb8a75ea27adfdc6194de7ad. 2021-08-04 14:44:37 +02:00			`package accesscontrol`

RBAC: Allow role registration for plugins (#57387) * Picking role registration from OnCall POC branch * Fix test * Remove include actions from this PR * Removing unused permission * Adding test to DeclarePluginRoles * Add testcase to RegisterFixed role * Additional test case * Adding tests to validate plugins roles * Add test to plugin loader * Nit. * Scuemata validation * Changing the design to decouple accesscontrol from plugin management Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * Fixing tests Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Add missing files Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Remove feature toggle check from loader * Remove feature toggleimport * Feedback Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Fix test' * Make plugins.RoleRegistry interface typed * Remove comment question * No need for json tags anymore * Nit. log * Adding the schema validation * Remove group to take plugin Name instead * Revert sqlstore -> db * Nit. * Nit. on tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Update pkg/services/accesscontrol/plugins.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Log message Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Log message Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Remove unecessary method. Update test name. Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Fix linting * Update cue descriptions * Fix test Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: marefr <marcus.efraimsson@gmail.com> Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> 2022-11-07 11:30:45 +01:00			`import (`
			`"errors"`
			`"fmt"`
IAM - Fix error messages for resource permissions endpoints (#85773) * IAM: fix many error messages in access-related code to provide more information * Remove debug statement * Refactor resourcepermissions package to use errutil * Replace a few more errors with errutil and wrap errors found in users and teams services * Apply diff of openAPI spec 2024-04-17 08:53:28 -05:00
Chore: Move identity and errutil to apimachinery module (#89116) 2024-06-13 07:11:35 +03:00			`"github.com/grafana/grafana/pkg/apimachinery/errutil"`
IAM - Fix error messages for resource permissions endpoints (#85773) * IAM: fix many error messages in access-related code to provide more information * Remove debug statement * Refactor resourcepermissions package to use errutil * Replace a few more errors with errutil and wrap errors found in users and teams services * Apply diff of openAPI spec 2024-04-17 08:53:28 -05:00			`)`

			`const (`
			invalidBuiltInRoleMessage = `built-in role [{{ .Public.builtInRole }}] is not valid`
			assignmentEntityNotFoundMessage = `{{ .Public.assignment }} not found`
RBAC: Allow role registration for plugins (#57387) * Picking role registration from OnCall POC branch * Fix test * Remove include actions from this PR * Removing unused permission * Adding test to DeclarePluginRoles * Add testcase to RegisterFixed role * Additional test case * Adding tests to validate plugins roles * Add test to plugin loader * Nit. * Scuemata validation * Changing the design to decouple accesscontrol from plugin management Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * Fixing tests Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Add missing files Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Remove feature toggle check from loader * Remove feature toggleimport * Feedback Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Fix test' * Make plugins.RoleRegistry interface typed * Remove comment question * No need for json tags anymore * Nit. log * Adding the schema validation * Remove group to take plugin Name instead * Revert sqlstore -> db * Nit. * Nit. on tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Update pkg/services/accesscontrol/plugins.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Log message Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Log message Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Remove unecessary method. Update test name. Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Fix linting * Update cue descriptions * Fix test Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: marefr <marcus.efraimsson@gmail.com> Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> 2022-11-07 11:30:45 +01:00			`)`
Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)" (#37535) This reverts commit 55efeb0c02ef5261eb8a75ea27adfdc6194de7ad. 2021-08-04 14:44:37 +02:00
			`var (`
IAM - Fix error messages for resource permissions endpoints (#85773) * IAM: fix many error messages in access-related code to provide more information * Remove debug statement * Refactor resourcepermissions package to use errutil * Replace a few more errors with errutil and wrap errors found in users and teams services * Apply diff of openAPI spec 2024-04-17 08:53:28 -05:00			`ErrInvalidBuiltinRole = errutil.BadRequest("accesscontrol.invalidBuiltInRole").`
			`MustTemplate(invalidBuiltInRoleMessage, errutil.WithPublic(invalidBuiltInRoleMessage))`
			`ErrNoneRoleAssignment = errutil.BadRequest("accesscontrol.noneRoleAssignment", errutil.WithPublicMessage("none role cannot receive permissions"))`
			`ErrAssignmentEntityNotFound = errutil.BadRequest("accesscontrol.assignmentEntityNotFound").`
			`MustTemplate(assignmentEntityNotFoundMessage, errutil.WithPublic(assignmentEntityNotFoundMessage))`

			`// Note: these are intended to be replaced by equivalent errutil implementations.`
			`// Avoid creating new errors with errors.New and prefer errutil`
			`ErrInvalidRequestBody = errors.New("invalid request body")`
Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)" (#37535) This reverts commit 55efeb0c02ef5261eb8a75ea27adfdc6194de7ad. 2021-08-04 14:44:37 +02:00			`ErrFixedRolePrefixMissing = errors.New("fixed role should be prefixed with '" + FixedRolePrefix + "'")`
AccessControl: Resolve `attribute` based scopes to `id` based scopes (#40742) * AccessControl: POC scope attribute resolution Refactor based on ScopeMutators test errors and calls to cache Add comments to tests Rename logger Create keywordMutator only once * AccessControl: Add AttributeScopeResolver registration Co-authored-by: gamab <gabriel.mabille@grafana.com> * AccessControl: Add AttributeScopeResolver to datasources Co-authored-by: gamab <gabriel.mabille@grafana.com> * Test evaluation with translation * fix imports * AccessControl: Test attribute resolver * Fix trailing white space * Make ScopeResolver public for enterprise redefine * Handle wildcard Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-01-18 17:34:35 +01:00			`ErrInvalidScope = errors.New("invalid scope")`
RBAC: Fix resolver issue on wildcard resulting in wrong status code for endpoints (#54208) * RBAC: Test evaluation before attaching mutator * RBAC: Return error if no resolver is found for scope * RBAC: Sync changes to evaluation in mock * RBAC: Check for resolver not found error and just fail the evaluation in that case 2022-08-25 12:50:27 +02:00			`ErrResolverNotFound = errors.New("no resolver found")`
RBAC: Allow role registration for plugins (#57387) * Picking role registration from OnCall POC branch * Fix test * Remove include actions from this PR * Removing unused permission * Adding test to DeclarePluginRoles * Add testcase to RegisterFixed role * Additional test case * Adding tests to validate plugins roles * Add test to plugin loader * Nit. * Scuemata validation * Changing the design to decouple accesscontrol from plugin management Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * Fixing tests Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Add missing files Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Remove feature toggle check from loader * Remove feature toggleimport * Feedback Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Fix test' * Make plugins.RoleRegistry interface typed * Remove comment question * No need for json tags anymore * Nit. log * Adding the schema validation * Remove group to take plugin Name instead * Revert sqlstore -> db * Nit. * Nit. on tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Update pkg/services/accesscontrol/plugins.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Log message Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Log message Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Remove unecessary method. Update test name. Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Fix linting * Update cue descriptions * Fix test Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: marefr <marcus.efraimsson@gmail.com> Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> 2022-11-07 11:30:45 +01:00			`ErrPluginIDRequired = errors.New("plugin ID is required")`
RBAC: Add a function to save external service roles (#66299) * AuthN: Save external services RBAC roles * Add missing test * Placing roles in the same group * Split function to gen role and assignment * add test case and comments * Ensure we check external service roles are assigned once only * Update pkg/services/accesscontrol/models_test.go Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> 2023-05-09 13:19:38 +02:00			`ErrRoleNotFound = errors.New("role not found")`
Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)" (#37535) This reverts commit 55efeb0c02ef5261eb8a75ea27adfdc6194de7ad. 2021-08-04 14:44:37 +02:00			`)`
RBAC: Allow role registration for plugins (#57387) * Picking role registration from OnCall POC branch * Fix test * Remove include actions from this PR * Removing unused permission * Adding test to DeclarePluginRoles * Add testcase to RegisterFixed role * Additional test case * Adding tests to validate plugins roles * Add test to plugin loader * Nit. * Scuemata validation * Changing the design to decouple accesscontrol from plugin management Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * Fixing tests Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Add missing files Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Remove feature toggle check from loader * Remove feature toggleimport * Feedback Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Fix test' * Make plugins.RoleRegistry interface typed * Remove comment question * No need for json tags anymore * Nit. log * Adding the schema validation * Remove group to take plugin Name instead * Revert sqlstore -> db * Nit. * Nit. on tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Update pkg/services/accesscontrol/plugins.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Log message Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Log message Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Remove unecessary method. Update test name. Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Fix linting * Update cue descriptions * Fix test Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: marefr <marcus.efraimsson@gmail.com> Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> 2022-11-07 11:30:45 +01:00
IAM - Fix error messages for resource permissions endpoints (#85773) * IAM: fix many error messages in access-related code to provide more information * Remove debug statement * Refactor resourcepermissions package to use errutil * Replace a few more errors with errutil and wrap errors found in users and teams services * Apply diff of openAPI spec 2024-04-17 08:53:28 -05:00			`func ErrInvalidBuiltinRoleData(builtInRole string) errutil.TemplateData {`
			`return errutil.TemplateData{`
			`Public: map[string]any{`
			`"builtInRole": builtInRole,`
			`},`
			`}`
			`}`

			`func ErrAssignmentEntityNotFoundData(assignment string) errutil.TemplateData {`
			`return errutil.TemplateData{`
			`Public: map[string]any{`
			`"assignment": assignment,`
			`},`
			`}`
			`}`

RBAC: Allow role registration for plugins (#57387) * Picking role registration from OnCall POC branch * Fix test * Remove include actions from this PR * Removing unused permission * Adding test to DeclarePluginRoles * Add testcase to RegisterFixed role * Additional test case * Adding tests to validate plugins roles * Add test to plugin loader * Nit. * Scuemata validation * Changing the design to decouple accesscontrol from plugin management Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * Fixing tests Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Add missing files Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Remove feature toggle check from loader * Remove feature toggleimport * Feedback Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Fix test' * Make plugins.RoleRegistry interface typed * Remove comment question * No need for json tags anymore * Nit. log * Adding the schema validation * Remove group to take plugin Name instead * Revert sqlstore -> db * Nit. * Nit. on tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Update pkg/services/accesscontrol/plugins.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Log message Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Log message Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Remove unecessary method. Update test name. Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Fix linting * Update cue descriptions * Fix test Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: marefr <marcus.efraimsson@gmail.com> Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> 2022-11-07 11:30:45 +01:00			`type ErrorInvalidRole struct{}`

			`func (e *ErrorInvalidRole) Error() string {`
			`return "role is invalid"`
			`}`

RBAC: Reject plugin registrations without a name (#81719) * RBAC: Reject plugin registrations without a name * Lint' 2024-02-02 11:12:00 +01:00			`type ErrorRoleNameMissing struct{}`

			`func (e *ErrorRoleNameMissing) Error() string {`
			`return "role has been defined without a name"`
			`}`

			`func (e *ErrorRoleNameMissing) Unwrap() error {`
			`return &ErrorInvalidRole{}`
			`}`

RBAC: Allow role registration for plugins (#57387) * Picking role registration from OnCall POC branch * Fix test * Remove include actions from this PR * Removing unused permission * Adding test to DeclarePluginRoles * Add testcase to RegisterFixed role * Additional test case * Adding tests to validate plugins roles * Add test to plugin loader * Nit. * Scuemata validation * Changing the design to decouple accesscontrol from plugin management Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * Fixing tests Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Add missing files Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Remove feature toggle check from loader * Remove feature toggleimport * Feedback Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Fix test' * Make plugins.RoleRegistry interface typed * Remove comment question * No need for json tags anymore * Nit. log * Adding the schema validation * Remove group to take plugin Name instead * Revert sqlstore -> db * Nit. * Nit. on tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Update pkg/services/accesscontrol/plugins.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Log message Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Log message Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Remove unecessary method. Update test name. Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Fix linting * Update cue descriptions * Fix test Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: marefr <marcus.efraimsson@gmail.com> Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> 2022-11-07 11:30:45 +01:00			`type ErrorRolePrefixMissing struct {`
			`Role string`
			`Prefixes []string`
			`}`

			`func (e *ErrorRolePrefixMissing) Error() string {`
			`return fmt.Sprintf("expected role '%s' to be prefixed with any of '%v'", e.Role, e.Prefixes)`
			`}`

			`func (e *ErrorRolePrefixMissing) Unwrap() error {`
			`return &ErrorInvalidRole{}`
			`}`

			`type ErrorActionPrefixMissing struct {`
			`Action string`
			`Prefixes []string`
			`}`

			`func (e *ErrorActionPrefixMissing) Error() string {`
			`return fmt.Sprintf("expected action '%s' to be prefixed with any of '%v'", e.Action, e.Prefixes)`
			`}`

			`func (e *ErrorActionPrefixMissing) Unwrap() error {`
			`return &ErrorInvalidRole{}`
			`}`
RBAC: Validate plugin app access permission targets the plugin (#59468) * RBAC: Validate plugin app access permission targets the plugin * Fix service test 2022-11-30 13:55:07 +01:00
			`type ErrorScopeTarget struct {`
			`Action string`
			`Scope string`
			`ExpectedScope string`
			`}`

			`func (e *ErrorScopeTarget) Error() string {`
			`return fmt.Sprintf("expected action '%s' to be scoped with '%v', found '%v'", e.Action, e.ExpectedScope, e.Scope)`
			`}`

			`func (e *ErrorScopeTarget) Unwrap() error {`
			`return &ErrorInvalidRole{}`
			`}`