grafana/pkg/services/comments/commentmodel/permissions.go

package commentmodel

import (
	"context"
	"strconv"

	"github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/services/accesscontrol"
	"github.com/grafana/grafana/pkg/services/annotations"
	"github.com/grafana/grafana/pkg/services/dashboards"
	"github.com/grafana/grafana/pkg/services/featuremgmt"
	"github.com/grafana/grafana/pkg/services/guardian"
	"github.com/grafana/grafana/pkg/services/sqlstore"
)

type PermissionChecker struct {
	sqlStore         *sqlstore.SQLStore
	features         featuremgmt.FeatureToggles
	accessControl    accesscontrol.AccessControl
	dashboardService dashboards.DashboardService
}

func NewPermissionChecker(sqlStore *sqlstore.SQLStore, features featuremgmt.FeatureToggles,
	accessControl accesscontrol.AccessControl, dashboardService dashboards.DashboardService,
) *PermissionChecker {
	return &PermissionChecker{sqlStore: sqlStore, features: features, accessControl: accessControl}
}

func (c *PermissionChecker) getDashboardByUid(ctx context.Context, orgID int64, uid string) (*models.Dashboard, error) {
	query := models.GetDashboardQuery{Uid: uid, OrgId: orgID}
	if err := c.dashboardService.GetDashboard(ctx, &query); err != nil {
		return nil, err
	}
	return query.Result, nil
}

func (c *PermissionChecker) getDashboardById(ctx context.Context, orgID int64, id int64) (*models.Dashboard, error) {
	query := models.GetDashboardQuery{Id: id, OrgId: orgID}
	if err := c.dashboardService.GetDashboard(ctx, &query); err != nil {
		return nil, err
	}
	return query.Result, nil
}

func (c *PermissionChecker) CheckReadPermissions(ctx context.Context, orgId int64, signedInUser *models.SignedInUser, objectType string, objectID string) (bool, error) {
	switch objectType {
	case ObjectTypeOrg:
		return false, nil
	case ObjectTypeDashboard:
		if !c.features.IsEnabled(featuremgmt.FlagDashboardComments) {
			return false, nil
		}
		dash, err := c.getDashboardByUid(ctx, orgId, objectID)
		if err != nil {
			return false, err
		}
		guard := guardian.New(ctx, dash.Id, orgId, signedInUser)
		if ok, err := guard.CanView(); err != nil || !ok {
			return false, nil
		}
	case ObjectTypeAnnotation:
		if !c.features.IsEnabled(featuremgmt.FlagAnnotationComments) {
			return false, nil
		}
		repo := annotations.GetRepository()
		annotationID, err := strconv.ParseInt(objectID, 10, 64)
		if err != nil {
			return false, nil
		}
		items, err := repo.Find(ctx, &annotations.ItemQuery{AnnotationId: annotationID, OrgId: orgId, SignedInUser: signedInUser})
		if err != nil || len(items) != 1 {
			return false, nil
		}
		dashboardID := items[0].DashboardId
		if dashboardID == 0 {
			return false, nil
		}
		dash, err := c.getDashboardById(ctx, orgId, dashboardID)
		if err != nil {
			return false, err
		}
		guard := guardian.New(ctx, dash.Id, orgId, signedInUser)
		if ok, err := guard.CanView(); err != nil || !ok {
			return false, nil
		}
	default:
		return false, nil
	}
	return true, nil
}

func (c *PermissionChecker) CheckWritePermissions(ctx context.Context, orgId int64, signedInUser *models.SignedInUser, objectType string, objectID string) (bool, error) {
	switch objectType {
	case ObjectTypeOrg:
		return false, nil
	case ObjectTypeDashboard:
		if !c.features.IsEnabled(featuremgmt.FlagDashboardComments) {
			return false, nil
		}
		dash, err := c.getDashboardByUid(ctx, orgId, objectID)
		if err != nil {
			return false, err
		}
		guard := guardian.New(ctx, dash.Id, orgId, signedInUser)
		if ok, err := guard.CanEdit(); err != nil || !ok {
			return false, nil
		}
	case ObjectTypeAnnotation:
		if !c.features.IsEnabled(featuremgmt.FlagAnnotationComments) {
			return false, nil
		}
		if !c.accessControl.IsDisabled() {
			evaluator := accesscontrol.EvalPermission(accesscontrol.ActionAnnotationsWrite, accesscontrol.ScopeAnnotationsTypeDashboard)
			if canEdit, err := c.accessControl.Evaluate(ctx, signedInUser, evaluator); err != nil || !canEdit {
				return canEdit, err
			}
		}
		repo := annotations.GetRepository()
		annotationID, err := strconv.ParseInt(objectID, 10, 64)
		if err != nil {
			return false, nil
		}
		items, err := repo.Find(ctx, &annotations.ItemQuery{AnnotationId: annotationID, OrgId: orgId, SignedInUser: signedInUser})
		if err != nil || len(items) != 1 {
			return false, nil
		}
		dashboardID := items[0].DashboardId
		if dashboardID == 0 {
			return false, nil
		}
		dash, err := c.getDashboardById(ctx, orgId, dashboardID)
		if err != nil {
			return false, nil
		}
		guard := guardian.New(ctx, dash.Id, orgId, signedInUser)
		if ok, err := guard.CanEdit(); err != nil || !ok {
			return false, nil
		}
	default:
		return false, nil
	}
	return true, nil
}
Comments: support live comments in dashboards and annotations (#44980) 2022-02-22 01:47:42 -06:00			`package commentmodel`

			`import (`
			`"context"`
			`"strconv"`

			`"github.com/grafana/grafana/pkg/models"`
Annotation FGAC checks for comments (#47468) * typo * remove unwanted change * remove unwanted change 2022-04-12 11:30:50 -05:00			`"github.com/grafana/grafana/pkg/services/accesscontrol"`
Comments: support live comments in dashboards and annotations (#44980) 2022-02-22 01:47:42 -06:00			`"github.com/grafana/grafana/pkg/services/annotations"`
backend/services: Move GetDashboard from sqlstore to dashboard service (#48971) * rename folder to match package name * backend/sqlstore: move GetDashboard into DashboardService This is a stepping-stone commit which copies the GetDashboard function - which lets us remove the sqlstore from the interfaces in dashboards - without changing any other callers. * checkpoint: moving GetDashboard calls into dashboard service * finish refactoring api tests for dashboardService.GetDashboard 2022-05-17 13:52:22 -05:00			`"github.com/grafana/grafana/pkg/services/dashboards"`
Comments: support live comments in dashboards and annotations (#44980) 2022-02-22 01:47:42 -06:00			`"github.com/grafana/grafana/pkg/services/featuremgmt"`
			`"github.com/grafana/grafana/pkg/services/guardian"`
Annotation FGAC checks for comments (#47468) * typo * remove unwanted change * remove unwanted change 2022-04-12 11:30:50 -05:00			`"github.com/grafana/grafana/pkg/services/sqlstore"`
Comments: support live comments in dashboards and annotations (#44980) 2022-02-22 01:47:42 -06:00			`)`

			`type PermissionChecker struct {`
backend/services: Move GetDashboard from sqlstore to dashboard service (#48971) * rename folder to match package name * backend/sqlstore: move GetDashboard into DashboardService This is a stepping-stone commit which copies the GetDashboard function - which lets us remove the sqlstore from the interfaces in dashboards - without changing any other callers. * checkpoint: moving GetDashboard calls into dashboard service * finish refactoring api tests for dashboardService.GetDashboard 2022-05-17 13:52:22 -05:00			`sqlStore *sqlstore.SQLStore`
			`features featuremgmt.FeatureToggles`
			`accessControl accesscontrol.AccessControl`
			`dashboardService dashboards.DashboardService`
Comments: support live comments in dashboards and annotations (#44980) 2022-02-22 01:47:42 -06:00			`}`

backend/services: Move GetDashboard from sqlstore to dashboard service (#48971) * rename folder to match package name * backend/sqlstore: move GetDashboard into DashboardService This is a stepping-stone commit which copies the GetDashboard function - which lets us remove the sqlstore from the interfaces in dashboards - without changing any other callers. * checkpoint: moving GetDashboard calls into dashboard service * finish refactoring api tests for dashboardService.GetDashboard 2022-05-17 13:52:22 -05:00			`func NewPermissionChecker(sqlStore *sqlstore.SQLStore, features featuremgmt.FeatureToggles,`
			`accessControl accesscontrol.AccessControl, dashboardService dashboards.DashboardService,`
			`) *PermissionChecker {`
Annotation FGAC checks for comments (#47468) * typo * remove unwanted change * remove unwanted change 2022-04-12 11:30:50 -05:00			`return &PermissionChecker{sqlStore: sqlStore, features: features, accessControl: accessControl}`
Comments: support live comments in dashboards and annotations (#44980) 2022-02-22 01:47:42 -06:00			`}`

			`func (c PermissionChecker) getDashboardByUid(ctx context.Context, orgID int64, uid string) (models.Dashboard, error) {`
			`query := models.GetDashboardQuery{Uid: uid, OrgId: orgID}`
backend/services: Move GetDashboard from sqlstore to dashboard service (#48971) * rename folder to match package name * backend/sqlstore: move GetDashboard into DashboardService This is a stepping-stone commit which copies the GetDashboard function - which lets us remove the sqlstore from the interfaces in dashboards - without changing any other callers. * checkpoint: moving GetDashboard calls into dashboard service * finish refactoring api tests for dashboardService.GetDashboard 2022-05-17 13:52:22 -05:00			`if err := c.dashboardService.GetDashboard(ctx, &query); err != nil {`
Comments: support live comments in dashboards and annotations (#44980) 2022-02-22 01:47:42 -06:00			`return nil, err`
			`}`
			`return query.Result, nil`
			`}`

			`func (c PermissionChecker) getDashboardById(ctx context.Context, orgID int64, id int64) (models.Dashboard, error) {`
			`query := models.GetDashboardQuery{Id: id, OrgId: orgID}`
backend/services: Move GetDashboard from sqlstore to dashboard service (#48971) * rename folder to match package name * backend/sqlstore: move GetDashboard into DashboardService This is a stepping-stone commit which copies the GetDashboard function - which lets us remove the sqlstore from the interfaces in dashboards - without changing any other callers. * checkpoint: moving GetDashboard calls into dashboard service * finish refactoring api tests for dashboardService.GetDashboard 2022-05-17 13:52:22 -05:00			`if err := c.dashboardService.GetDashboard(ctx, &query); err != nil {`
Comments: support live comments in dashboards and annotations (#44980) 2022-02-22 01:47:42 -06:00			`return nil, err`
			`}`
			`return query.Result, nil`
			`}`

			`func (c PermissionChecker) CheckReadPermissions(ctx context.Context, orgId int64, signedInUser models.SignedInUser, objectType string, objectID string) (bool, error) {`
			`switch objectType {`
			`case ObjectTypeOrg:`
			`return false, nil`
			`case ObjectTypeDashboard:`
			`if !c.features.IsEnabled(featuremgmt.FlagDashboardComments) {`
			`return false, nil`
			`}`
			`dash, err := c.getDashboardByUid(ctx, orgId, objectID)`
			`if err != nil {`
			`return false, err`
			`}`
			`guard := guardian.New(ctx, dash.Id, orgId, signedInUser)`
			`if ok, err := guard.CanView(); err != nil \|\| !ok {`
			`return false, nil`
			`}`
			`case ObjectTypeAnnotation:`
			`if !c.features.IsEnabled(featuremgmt.FlagAnnotationComments) {`
			`return false, nil`
			`}`
			`repo := annotations.GetRepository()`
			`annotationID, err := strconv.ParseInt(objectID, 10, 64)`
			`if err != nil {`
			`return false, nil`
			`}`
Access control: SQL filtering for annotation listing (#47467) * pass in user to attribute scope resolver * add SQL filter to annotation listing * check annotation FGAC permissions before exposing them for commenting * remove the requirement to be able to list all annotations from annotation listing endpoint * adding tests for annotation listing * remove changes that got moved to a different PR * unused var * Update pkg/services/sqlstore/annotation.go Co-authored-by: Ezequiel Victorero <evictorero@gmail.com> * remove unneeded check * remove unneeded check * undo accidental change * undo accidental change * doc update * move tests * redo the approach for passing the user in for scope resolution * accidental change * cleanup * error handling Co-authored-by: Ezequiel Victorero <evictorero@gmail.com> 2022-04-11 07:18:38 -05:00			`items, err := repo.Find(ctx, &annotations.ItemQuery{AnnotationId: annotationID, OrgId: orgId, SignedInUser: signedInUser})`
Comments: support live comments in dashboards and annotations (#44980) 2022-02-22 01:47:42 -06:00			`if err != nil \|\| len(items) != 1 {`
			`return false, nil`
			`}`
			`dashboardID := items[0].DashboardId`
			`if dashboardID == 0 {`
			`return false, nil`
			`}`
			`dash, err := c.getDashboardById(ctx, orgId, dashboardID)`
			`if err != nil {`
			`return false, err`
			`}`
			`guard := guardian.New(ctx, dash.Id, orgId, signedInUser)`
			`if ok, err := guard.CanView(); err != nil \|\| !ok {`
			`return false, nil`
			`}`
			`default:`
			`return false, nil`
			`}`
			`return true, nil`
			`}`

			`func (c PermissionChecker) CheckWritePermissions(ctx context.Context, orgId int64, signedInUser models.SignedInUser, objectType string, objectID string) (bool, error) {`
			`switch objectType {`
			`case ObjectTypeOrg:`
			`return false, nil`
			`case ObjectTypeDashboard:`
			`if !c.features.IsEnabled(featuremgmt.FlagDashboardComments) {`
			`return false, nil`
			`}`
			`dash, err := c.getDashboardByUid(ctx, orgId, objectID)`
			`if err != nil {`
			`return false, err`
			`}`
			`guard := guardian.New(ctx, dash.Id, orgId, signedInUser)`
			`if ok, err := guard.CanEdit(); err != nil \|\| !ok {`
			`return false, nil`
			`}`
			`case ObjectTypeAnnotation:`
			`if !c.features.IsEnabled(featuremgmt.FlagAnnotationComments) {`
			`return false, nil`
			`}`
Access control: refactor RBAC checks (#48107) * refactor RBAC checks * fix a test * another test fix * and another 2022-04-25 03:42:09 -05:00			`if !c.accessControl.IsDisabled() {`
Annotation FGAC checks for comments (#47468) * typo * remove unwanted change * remove unwanted change 2022-04-12 11:30:50 -05:00			`evaluator := accesscontrol.EvalPermission(accesscontrol.ActionAnnotationsWrite, accesscontrol.ScopeAnnotationsTypeDashboard)`
			`if canEdit, err := c.accessControl.Evaluate(ctx, signedInUser, evaluator); err != nil \|\| !canEdit {`
			`return canEdit, err`
			`}`
			`}`
Comments: support live comments in dashboards and annotations (#44980) 2022-02-22 01:47:42 -06:00			`repo := annotations.GetRepository()`
			`annotationID, err := strconv.ParseInt(objectID, 10, 64)`
			`if err != nil {`
			`return false, nil`
			`}`
Access control: SQL filtering for annotation listing (#47467) * pass in user to attribute scope resolver * add SQL filter to annotation listing * check annotation FGAC permissions before exposing them for commenting * remove the requirement to be able to list all annotations from annotation listing endpoint * adding tests for annotation listing * remove changes that got moved to a different PR * unused var * Update pkg/services/sqlstore/annotation.go Co-authored-by: Ezequiel Victorero <evictorero@gmail.com> * remove unneeded check * remove unneeded check * undo accidental change * undo accidental change * doc update * move tests * redo the approach for passing the user in for scope resolution * accidental change * cleanup * error handling Co-authored-by: Ezequiel Victorero <evictorero@gmail.com> 2022-04-11 07:18:38 -05:00			`items, err := repo.Find(ctx, &annotations.ItemQuery{AnnotationId: annotationID, OrgId: orgId, SignedInUser: signedInUser})`
Comments: support live comments in dashboards and annotations (#44980) 2022-02-22 01:47:42 -06:00			`if err != nil \|\| len(items) != 1 {`
			`return false, nil`
			`}`
			`dashboardID := items[0].DashboardId`
			`if dashboardID == 0 {`
			`return false, nil`
			`}`
			`dash, err := c.getDashboardById(ctx, orgId, dashboardID)`
			`if err != nil {`
			`return false, nil`
			`}`
			`guard := guardian.New(ctx, dash.Id, orgId, signedInUser)`
			`if ok, err := guard.CanEdit(); err != nil \|\| !ok {`
			`return false, nil`
			`}`
			`default:`
			`return false, nil`
			`}`
			`return true, nil`
			`}`