grafana/pkg/services/accesscontrol/accesscontrol.go

package accesscontrol

import (
	"context"
	"strings"

	"github.com/grafana/grafana/pkg/models"
)

type AccessControl interface {
	// Evaluate evaluates access to the given resource.
	Evaluate(ctx context.Context, user *models.SignedInUser, permission string, scope ...string) (bool, error)

	// GetUserPermissions returns user permissions.
	GetUserPermissions(ctx context.Context, user *models.SignedInUser) ([]*Permission, error)

	// Middleware checks if service disabled or not to switch to fallback authorization.
	IsDisabled() bool

	// DeclareFixedRoles allow the caller to declare, to the service, fixed roles and their
	// assignments to organization roles ("Viewer", "Editor", "Admin") or "Grafana Admin"
	DeclareFixedRoles(...RoleRegistration) error
}

func HasAccess(ac AccessControl, c *models.ReqContext) func(fallback func(*models.ReqContext) bool, permission string, scopes ...string) bool {
	return func(fallback func(*models.ReqContext) bool, permission string, scopes ...string) bool {
		if ac.IsDisabled() {
			return fallback(c)
		}

		hasAccess, err := ac.Evaluate(c.Req.Context(), c.SignedInUser, permission, scopes...)
		if err != nil {
			c.Logger.Error("Error from access control system", "error", err)
			return false
		}

		return hasAccess
	}
}

var ReqGrafanaAdmin = func(c *models.ReqContext) bool {
	return c.IsGrafanaAdmin
}

var ReqOrgAdmin = func(c *models.ReqContext) bool {
	return c.OrgRole == models.ROLE_ADMIN
}

func BuildPermissionsMap(permissions []*Permission) map[string]bool {
	permissionsMap := make(map[string]bool)
	for _, p := range permissions {
		permissionsMap[p.Action] = true
	}

	return permissionsMap
}

func ValidateScope(scope string) bool {
	prefix, last := scope[:len(scope)-1], scope[len(scope)-1]
	// verify that last char is either ':' or '/' if last character of scope is '*'
	if len(prefix) > 0 && last == '*' {
		lastChar := prefix[len(prefix)-1]
		if lastChar != ':' && lastChar != '/' {
			return false
		}
	}
	return !strings.ContainsAny(prefix, "*?")
}
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com> 2021-03-22 07:22:48 -05:00			`package accesscontrol`

			`import (`
			`"context"`
Access Control: Make the evaluator prefix match only (#38025) * Make the evaluator prefix match only * Handle empty scopes * Bump version of settings read role Co-authored-by: Karl Persson <kalle.persson@grafana.com> 2021-08-23 07:03:20 -05:00			`"strings"`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com> 2021-03-22 07:22:48 -05:00
			`"github.com/grafana/grafana/pkg/models"`
			`)`

			`type AccessControl interface {`
Access Control: move features to Enterprise (#32640) * Move db package WIP * Implement OSS access control * Register OSS access control * Fix linter error in tests * Fix linter error in evaluator * Simplify OSS tests * Optimize builtin roles * Chore: add comments to the exported functions * Remove init from ossaccesscontrol package (moved to ext) * Add access control as a dependency for http server * Modify middleware to receive fallback function * Middleware: refactor fallback function call * Move unused models to enterprise * Simplify AccessControl type * Chore: use bool IsDisabled() method instead of CanBeDisabled interface 2021-04-06 08:49:09 -05:00			`// Evaluate evaluates access to the given resource.`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com> 2021-03-22 07:22:48 -05:00			`Evaluate(ctx context.Context, user *models.SignedInUser, permission string, scope ...string) (bool, error)`

Access Control: move features to Enterprise (#32640) * Move db package WIP * Implement OSS access control * Register OSS access control * Fix linter error in tests * Fix linter error in evaluator * Simplify OSS tests * Optimize builtin roles * Chore: add comments to the exported functions * Remove init from ossaccesscontrol package (moved to ext) * Add access control as a dependency for http server * Modify middleware to receive fallback function * Middleware: refactor fallback function call * Move unused models to enterprise * Simplify AccessControl type * Chore: use bool IsDisabled() method instead of CanBeDisabled interface 2021-04-06 08:49:09 -05:00			`// GetUserPermissions returns user permissions.`
Access Control: Move database-related models to enterprise (#32907) * Move database-related models to enterprise * Chore: use GetUserBuiltInRoles() method * Rename permission to action 2021-04-13 08:28:11 -05:00			`GetUserPermissions(ctx context.Context, user models.SignedInUser) ([]Permission, error)`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com> 2021-03-22 07:22:48 -05:00
Access Control: move features to Enterprise (#32640) * Move db package WIP * Implement OSS access control * Register OSS access control * Fix linter error in tests * Fix linter error in evaluator * Simplify OSS tests * Optimize builtin roles * Chore: add comments to the exported functions * Remove init from ossaccesscontrol package (moved to ext) * Add access control as a dependency for http server * Modify middleware to receive fallback function * Middleware: refactor fallback function call * Move unused models to enterprise * Simplify AccessControl type * Chore: use bool IsDisabled() method instead of CanBeDisabled interface 2021-04-06 08:49:09 -05:00			`// Middleware checks if service disabled or not to switch to fallback authorization.`
			`IsDisabled() bool`
Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)" (#37535) This reverts commit 55efeb0c02ef5261eb8a75ea27adfdc6194de7ad. 2021-08-04 07:44:37 -05:00
			`// DeclareFixedRoles allow the caller to declare, to the service, fixed roles and their`
			`// assignments to organization roles ("Viewer", "Editor", "Admin") or "Grafana Admin"`
			`DeclareFixedRoles(...RoleRegistration) error`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com> 2021-03-22 07:22:48 -05:00			`}`
Access control: expose permissions to the frontend (#32954) * Expose user permissions to the frontend * Do not include empty scope * Extend ContextSrv with hasPermission() method * Add access control types * Fix type error (make permissions optional) * Fallback if access control disabled * Move UserPermission to types * Simplify hasPermission() 2021-04-16 08:02:16 -05:00
Access control: Build navigation links with access control (#33024) * Build nav links with access control * Break up getNavTree (reduce cyclomatic complexity) * Fix tests * Use only ActionUsersRead permissions * Remove unused permissions definitions * Chore: remove unused fallbacks * Fix linter error 2021-04-19 04:23:29 -05:00			`func HasAccess(ac AccessControl, c models.ReqContext) func(fallback func(models.ReqContext) bool, permission string, scopes ...string) bool {`
			`return func(fallback func(*models.ReqContext) bool, permission string, scopes ...string) bool {`
			`if ac.IsDisabled() {`
			`return fallback(c)`
			`}`

			`hasAccess, err := ac.Evaluate(c.Req.Context(), c.SignedInUser, permission, scopes...)`
			`if err != nil {`
			`c.Logger.Error("Error from access control system", "error", err)`
			`return false`
			`}`

			`return hasAccess`
			`}`
			`}`

			`var ReqGrafanaAdmin = func(c *models.ReqContext) bool {`
			`return c.IsGrafanaAdmin`
			`}`

Access control: Make Admin/Users UI working with the permissions (#33176) * API: authorize admin/users views * Render admin/users components based on user's permissions * Add LDAP permissions (required by admin/user page) * Extend default admin role by LDAP permissions * Show/hide LDAP debug views * Render LDAP debug page if user has access * Authorize LDAP debug view * fix permissions definitions * Add LDAP page permissions * remove ambiguous permissions check * Hide logout buttons in sessions table * Add org/users permissions * Use org permissions for managing user roles in orgs * Apply permissions to org/users * Apply suggestions from review * Fix tests * remove scopes from the frontend * Tweaks according to review * Handle /invites endpoints 2021-04-22 05:19:41 -05:00			`var ReqOrgAdmin = func(c *models.ReqContext) bool {`
			`return c.OrgRole == models.ROLE_ADMIN`
			`}`

			`func BuildPermissionsMap(permissions []*Permission) map[string]bool {`
			`permissionsMap := make(map[string]bool)`
Access control: expose permissions to the frontend (#32954) * Expose user permissions to the frontend * Do not include empty scope * Extend ContextSrv with hasPermission() method * Add access control types * Fix type error (make permissions optional) * Fallback if access control disabled * Move UserPermission to types * Simplify hasPermission() 2021-04-16 08:02:16 -05:00			`for _, p := range permissions {`
Access control: Make Admin/Users UI working with the permissions (#33176) * API: authorize admin/users views * Render admin/users components based on user's permissions * Add LDAP permissions (required by admin/user page) * Extend default admin role by LDAP permissions * Show/hide LDAP debug views * Render LDAP debug page if user has access * Authorize LDAP debug view * fix permissions definitions * Add LDAP page permissions * remove ambiguous permissions check * Hide logout buttons in sessions table * Add org/users permissions * Use org permissions for managing user roles in orgs * Apply permissions to org/users * Apply suggestions from review * Fix tests * remove scopes from the frontend * Tweaks according to review * Handle /invites endpoints 2021-04-22 05:19:41 -05:00			`permissionsMap[p.Action] = true`
Access control: expose permissions to the frontend (#32954) * Expose user permissions to the frontend * Do not include empty scope * Extend ContextSrv with hasPermission() method * Add access control types * Fix type error (make permissions optional) * Fallback if access control disabled * Move UserPermission to types * Simplify hasPermission() 2021-04-16 08:02:16 -05:00			`}`

			`return permissionsMap`
			`}`
Access Control: Make the evaluator prefix match only (#38025) * Make the evaluator prefix match only * Handle empty scopes * Bump version of settings read role Co-authored-by: Karl Persson <kalle.persson@grafana.com> 2021-08-23 07:03:20 -05:00
			`func ValidateScope(scope string) bool {`
			`prefix, last := scope[:len(scope)-1], scope[len(scope)-1]`
			`// verify that last char is either ':' or '/' if last character of scope is '*'`
			`if len(prefix) > 0 && last == '*' {`
			`lastChar := prefix[len(prefix)-1]`
			`if lastChar != ':' && lastChar != '/' {`
			`return false`
			`}`
			`}`
			`return !strings.ContainsAny(prefix, "*?")`
			`}`