grafana/pkg/api/admin.go

package api

import (
	"context"
	"net/http"

	"github.com/grafana/grafana/pkg/api/response"
	"github.com/grafana/grafana/pkg/models"
	ac "github.com/grafana/grafana/pkg/services/accesscontrol"
	"github.com/grafana/grafana/pkg/services/user"
	"github.com/grafana/grafana/pkg/setting"
)

// swagger:route GET /admin/settings admin adminGetSettings
//
// Fetch settings.
//
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `settings:read` and scopes: `settings:*`, `settings:auth.saml:` and `settings:auth.saml:enabled` (property level).
//
// Security:
// - basic:
//
// Responses:
// 200: adminGetSettingsResponse
// 401: unauthorisedError
// 403: forbiddenError
func (hs *HTTPServer) AdminGetSettings(c *models.ReqContext) response.Response {
	settings, err := hs.getAuthorizedSettings(c.Req.Context(), c.SignedInUser, hs.SettingsProvider.Current())
	if err != nil {
		return response.Error(http.StatusForbidden, "Failed to authorize settings", err)
	}
	return response.JSON(http.StatusOK, settings)
}

// swagger:route GET /admin/stats admin adminGetStats
//
// Fetch Grafana Stats.
//
// Only works with Basic Authentication (username and password). See introduction for an explanation.
// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `server:stats:read`.
//
// Responses:
// 200: adminGetStatsResponse
// 401: unauthorisedError
// 403: forbiddenError
// 500: internalServerError
func (hs *HTTPServer) AdminGetStats(c *models.ReqContext) response.Response {
	statsQuery := models.GetAdminStatsQuery{}

	if err := hs.statsService.GetAdminStats(c.Req.Context(), &statsQuery); err != nil {
		return response.Error(500, "Failed to get admin stats from database", err)
	}

	return response.JSON(http.StatusOK, statsQuery.Result)
}

func (hs *HTTPServer) getAuthorizedSettings(ctx context.Context, user *user.SignedInUser, bag setting.SettingsBag) (setting.SettingsBag, error) {
	if hs.AccessControl.IsDisabled() {
		return bag, nil
	}

	eval := func(scope string) (bool, error) {
		return hs.AccessControl.Evaluate(ctx, user, ac.EvalPermission(ac.ActionSettingsRead, scope))
	}

	ok, err := eval(ac.ScopeSettingsAll)
	if err != nil {
		return nil, err
	}
	if ok {
		return bag, nil
	}

	authorizedBag := make(setting.SettingsBag)

	for section, keys := range bag {
		ok, err := eval(ac.Scope("settings", section, "*"))
		if err != nil {
			return nil, err
		}
		if ok {
			authorizedBag[section] = keys
			continue
		}

		for key := range keys {
			ok, err := eval(ac.Scope("settings", section, key))
			if err != nil {
				return nil, err
			}
			if ok {
				if _, exists := authorizedBag[section]; !exists {
					authorizedBag[section] = make(map[string]string)
				}
				authorizedBag[section][key] = bag[section][key]
			}
		}
	}
	return authorizedBag, nil
}

// swagger:response adminGetSettingsResponse
type GetSettingsResponse struct {
	// in:body
	Body setting.SettingsBag `json:"body"`
}

// swagger:response adminGetStatsResponse
type GetStatsResponse struct {
	// in:body
	Body models.AdminStats `json:"body"`
}
added an inital admin settings view, very basic right now only displays all config options in grafana.ini 2015-02-12 08:46:14 -06:00			`package api`

			`import (`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 10:36:48 -05:00			`"context"`
			`"net/http"`

Chore: Moves common and response into separate packages (#30298) * Chore: moves common and response into separate packages * Chore: moves common and response into separate packages * Update pkg/api/utils/common.go Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Chore: changes after PR comments * Chore: move wrap to routing package * Chore: move functions in common to response package * Chore: move functions in common to response package * Chore: formats imports Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> 2021-01-15 07:43:20 -06:00			`"github.com/grafana/grafana/pkg/api/response"`
Chore: Avoid aliasing importing models in api package (#22492) 2020-03-04 05:57:20 -06:00			`"github.com/grafana/grafana/pkg/models"`
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-08-24 04:36:28 -05:00			`ac "github.com/grafana/grafana/pkg/services/accesscontrol"`
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2 2022-08-10 04:56:48 -05:00			`"github.com/grafana/grafana/pkg/services/user"`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 10:36:48 -05:00			`"github.com/grafana/grafana/pkg/setting"`
added an inital admin settings view, very basic right now only displays all config options in grafana.ini 2015-02-12 08:46:14 -06:00			`)`

Chore: Move swagger definitions to the handlers (#52643) 2022-07-27 08:54:37 -05:00			`// swagger:route GET /admin/settings admin adminGetSettings`
			`//`
			`// Fetch settings.`
			`//`
			// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `settings:read` and scopes: `settings:*`, `settings:auth.saml:` and `settings:auth.saml:enabled` (property level).
			`//`
			`// Security:`
			`// - basic:`
			`//`
			`// Responses:`
			`// 200: adminGetSettingsResponse`
			`// 401: unauthorisedError`
			`// 403: forbiddenError`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 10:36:48 -05:00			`func (hs HTTPServer) AdminGetSettings(c models.ReqContext) response.Response {`
			`settings, err := hs.getAuthorizedSettings(c.Req.Context(), c.SignedInUser, hs.SettingsProvider.Current())`
			`if err != nil {`
			`return response.Error(http.StatusForbidden, "Failed to authorize settings", err)`
			`}`
			`return response.JSON(http.StatusOK, settings)`
added an inital admin settings view, very basic right now only displays all config options in grafana.ini 2015-02-12 08:46:14 -06:00			`}`
Added backend API for stats 2016-01-24 13:01:33 -06:00
Chore: Move swagger definitions to the handlers (#52643) 2022-07-27 08:54:37 -05:00			`// swagger:route GET /admin/stats admin adminGetStats`
			`//`
			`// Fetch Grafana Stats.`
			`//`
			`// Only works with Basic Authentication (username and password). See introduction for an explanation.`
			// If you are running Grafana Enterprise and have Fine-grained access control enabled, you need to have a permission with action `server:stats:read`.
			`//`
			`// Responses:`
			`// 200: adminGetStatsResponse`
			`// 401: unauthorisedError`
			`// 403: forbiddenError`
			`// 500: internalServerError`
Chore: Remove bus from admin (#44920) * Chore: Remove bus from admin * fix test Co-authored-by: Ying WANG <ying.wang@grafana.com> 2022-02-04 10:53:58 -06:00			`func (hs HTTPServer) AdminGetStats(c models.ReqContext) response.Response {`
Chore: Avoid aliasing importing models in api package (#22492) 2020-03-04 05:57:20 -06:00			`statsQuery := models.GetAdminStatsQuery{}`
Added backend API for stats 2016-01-24 13:01:33 -06:00
Chore: Move stats service into a standalone packge from sqlstore (#59574) * move original stats service into a separate package * add stats service to wire * move GetAdminStats * switch to using stats.Service * add missing package * fix api tests 2022-11-30 11:11:07 -06:00			`if err := hs.statsService.GetAdminStats(c.Req.Context(), &statsQuery); err != nil {`
Chore: Moves common and response into separate packages (#30298) * Chore: moves common and response into separate packages * Chore: moves common and response into separate packages * Update pkg/api/utils/common.go Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Chore: changes after PR comments * Chore: move wrap to routing package * Chore: move functions in common to response package * Chore: move functions in common to response package * Chore: formats imports Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> 2021-01-15 07:43:20 -06:00			`return response.Error(500, "Failed to get admin stats from database", err)`
Fixed api bugs, stats endpoint working 2016-01-24 23:18:17 -06:00			`}`

fix status code 200 (#47818) 2022-04-15 07:01:58 -05:00			`return response.JSON(http.StatusOK, statsQuery.Result)`
Added backend API for stats 2016-01-24 13:01:33 -06:00			`}`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 10:36:48 -05:00
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2 2022-08-10 04:56:48 -05:00			`func (hs HTTPServer) getAuthorizedSettings(ctx context.Context, user user.SignedInUser, bag setting.SettingsBag) (setting.SettingsBag, error) {`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 10:36:48 -05:00			`if hs.AccessControl.IsDisabled() {`
			`return bag, nil`
			`}`

Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-08-24 04:36:28 -05:00			`eval := func(scope string) (bool, error) {`
			`return hs.AccessControl.Evaluate(ctx, user, ac.EvalPermission(ac.ActionSettingsRead, scope))`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 10:36:48 -05:00			`}`

Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-08-24 04:36:28 -05:00			`ok, err := eval(ac.ScopeSettingsAll)`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 10:36:48 -05:00			`if err != nil {`
			`return nil, err`
			`}`
			`if ok {`
			`return bag, nil`
			`}`

			`authorizedBag := make(setting.SettingsBag)`

			`for section, keys := range bag {`
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-08-24 04:36:28 -05:00			`ok, err := eval(ac.Scope("settings", section, "*"))`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 10:36:48 -05:00			`if err != nil {`
			`return nil, err`
			`}`
			`if ok {`
			`authorizedBag[section] = keys`
			`continue`
			`}`

			`for key := range keys {`
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-08-24 04:36:28 -05:00			`ok, err := eval(ac.Scope("settings", section, key))`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 10:36:48 -05:00			`if err != nil {`
			`return nil, err`
			`}`
			`if ok {`
			`if _, exists := authorizedBag[section]; !exists {`
			`authorizedBag[section] = make(map[string]string)`
			`}`
			`authorizedBag[section][key] = bag[section][key]`
			`}`
			`}`
			`}`
			`return authorizedBag, nil`
			`}`
Chore: Move swagger definitions to the handlers (#52643) 2022-07-27 08:54:37 -05:00
			`// swagger:response adminGetSettingsResponse`
			`type GetSettingsResponse struct {`
			`// in:body`
			Body setting.SettingsBag `json:"body"`
			`}`

			`// swagger:response adminGetStatsResponse`
			`type GetStatsResponse struct {`
			`// in:body`
			Body models.AdminStats `json:"body"`
			`}`