IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity
de50f39c12
grafana/pkg/services/dashboards/accesscontrol.go

75 lines
2.3 KiB
Go
Raw Normal View History

Move datasource scopes and actions to access control package (#46334) * create scope provider * move datasource actions and scopes to datasource package + add provider * change usages to use datasource scopes and update data source name resolver to use provider * move folder permissions to dashboard package and update usages
2022-03-09 10:57:50 -06:00
package dashboards
Folder name scope resolver (#46380) * move dashboard store mock to parent package to avoid cycle of dependencies * add scope resolver for folders that resolves names to id
2022-03-10 11:19:50 -06:00
import (
"context"
"strconv"
"strings"
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
)
Move datasource scopes and actions to access control package (#46334) * create scope provider * move datasource actions and scopes to datasource package + add provider * change usages to use datasource scopes and update data source name resolver to use provider * move folder permissions to dashboard package and update usages
2022-03-09 10:57:50 -06:00
const (
Access control: use uid for dashboard and folder scopes (#46807) * use uid:s for folder and dashboard permissions * evaluate folder and dashboard permissions based on uids * add dashboard.uid to accept list * Check for exact suffix * Check parent folder on create * update test * drop dashboard:create actions with dashboard scope * fix typo * AccessControl: test id 0 scope conversion * AccessControl: store only parent folder UID * AccessControl: extract general as a constant * FolderServices: Prevent creation of a folder uid'd general * FolderServices: Test folder creation prevention * Update pkg/services/guardian/accesscontrol_guardian.go * FolderServices: fix mock call expect * FolderServices: remove uneeded mocks Co-authored-by: jguer <joao.guerreiro@grafana.com>
2022-03-30 08:14:26 -05:00
ScopeFoldersRoot = "folders"
ScopeFoldersPrefix = "folders:uid:"
Move datasource scopes and actions to access control package (#46334) * create scope provider * move datasource actions and scopes to datasource package + add provider * change usages to use datasource scopes and update data source name resolver to use provider * move folder permissions to dashboard package and update usages
2022-03-09 10:57:50 -06:00
ActionFoldersCreate = "folders:create"
ActionFoldersRead = "folders:read"
ActionFoldersWrite = "folders:write"
ActionFoldersDelete = "folders:delete"
ActionFoldersPermissionsRead = "folders.permissions:read"
ActionFoldersPermissionsWrite = "folders.permissions:write"
Access control: use uid for dashboard and folder scopes (#46807) * use uid:s for folder and dashboard permissions * evaluate folder and dashboard permissions based on uids * add dashboard.uid to accept list * Check for exact suffix * Check parent folder on create * update test * drop dashboard:create actions with dashboard scope * fix typo * AccessControl: test id 0 scope conversion * AccessControl: store only parent folder UID * AccessControl: extract general as a constant * FolderServices: Prevent creation of a folder uid'd general * FolderServices: Test folder creation prevention * Update pkg/services/guardian/accesscontrol_guardian.go * FolderServices: fix mock call expect * FolderServices: remove uneeded mocks Co-authored-by: jguer <joao.guerreiro@grafana.com>
2022-03-30 08:14:26 -05:00
ScopeDashboardsRoot = "dashboards"
ScopeDashboardsPrefix = "dashboards:uid:"
Move datasource scopes and actions to access control package (#46334) * create scope provider * move datasource actions and scopes to datasource package + add provider * change usages to use datasource scopes and update data source name resolver to use provider * move folder permissions to dashboard package and update usages
2022-03-09 10:57:50 -06:00
)
var (
Folder name scope resolver (#46380) * move dashboard store mock to parent package to avoid cycle of dependencies * add scope resolver for folders that resolves names to id
2022-03-10 11:19:50 -06:00
ScopeFoldersAll = ac.GetResourceAllScope(ScopeFoldersRoot)
ScopeFoldersProvider = ac.NewScopeProvider(ScopeFoldersRoot)
Move datasource scopes and actions to access control package (#46334) * create scope provider * move datasource actions and scopes to datasource package + add provider * change usages to use datasource scopes and update data source name resolver to use provider * move folder permissions to dashboard package and update usages
2022-03-09 10:57:50 -06:00
)
Folder name scope resolver (#46380) * move dashboard store mock to parent package to avoid cycle of dependencies * add scope resolver for folders that resolves names to id
2022-03-10 11:19:50 -06:00
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
// NewFolderNameScopeResolver provides an ScopeAttributeResolver that is able to convert a scope prefixed with "folders:name:" into an uid based scope.
func NewFolderNameScopeResolver(db Store) (string, ac.ScopeAttributeResolver) {
Folder name scope resolver (#46380) * move dashboard store mock to parent package to avoid cycle of dependencies * add scope resolver for folders that resolves names to id
2022-03-10 11:19:50 -06:00
prefix := ScopeFoldersProvider.GetResourceScopeName("")
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
return prefix, ac.ScopeAttributeResolverFunc(func(ctx context.Context, orgID int64, scope string) ([]string, error) {
Folder name scope resolver (#46380) * move dashboard store mock to parent package to avoid cycle of dependencies * add scope resolver for folders that resolves names to id
2022-03-10 11:19:50 -06:00
if !strings.HasPrefix(scope, prefix) {
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
return nil, ac.ErrInvalidScope
Folder name scope resolver (#46380) * move dashboard store mock to parent package to avoid cycle of dependencies * add scope resolver for folders that resolves names to id
2022-03-10 11:19:50 -06:00
}
nsName := scope[len(prefix):]
if len(nsName) == 0 {
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
return nil, ac.ErrInvalidScope
Folder name scope resolver (#46380) * move dashboard store mock to parent package to avoid cycle of dependencies * add scope resolver for folders that resolves names to id
2022-03-10 11:19:50 -06:00
}
Folder store (#46431) * create FolderStore * update usages to provide context * implement methods to get folder by ID and UID * update folder service to use store methods
2022-03-14 10:21:42 -05:00
folder, err := db.GetFolderByTitle(ctx, orgID, nsName)
Folder name scope resolver (#46380) * move dashboard store mock to parent package to avoid cycle of dependencies * add scope resolver for folders that resolves names to id
2022-03-10 11:19:50 -06:00
if err != nil {
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
return nil, err
Folder name scope resolver (#46380) * move dashboard store mock to parent package to avoid cycle of dependencies * add scope resolver for folders that resolves names to id
2022-03-10 11:19:50 -06:00
}
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
return []string{ScopeFoldersProvider.GetResourceScopeUID(folder.Uid)}, nil
})
Folder name scope resolver (#46380) * move dashboard store mock to parent package to avoid cycle of dependencies * add scope resolver for folders that resolves names to id
2022-03-10 11:19:50 -06:00
}
Folder UID scope resolver (#46426)
2022-03-15 09:37:16 -05:00
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
// NewFolderIDScopeResolver provides an ScopeAttributeResolver that is able to convert a scope prefixed with "folders:id:" into an uid based scope.
func NewFolderIDScopeResolver(db Store) (string, ac.ScopeAttributeResolver) {
Access control: use uid for dashboard and folder scopes (#46807) * use uid:s for folder and dashboard permissions * evaluate folder and dashboard permissions based on uids * add dashboard.uid to accept list * Check for exact suffix * Check parent folder on create * update test * drop dashboard:create actions with dashboard scope * fix typo * AccessControl: test id 0 scope conversion * AccessControl: store only parent folder UID * AccessControl: extract general as a constant * FolderServices: Prevent creation of a folder uid'd general * FolderServices: Test folder creation prevention * Update pkg/services/guardian/accesscontrol_guardian.go * FolderServices: fix mock call expect * FolderServices: remove uneeded mocks Co-authored-by: jguer <joao.guerreiro@grafana.com>
2022-03-30 08:14:26 -05:00
prefix := ScopeFoldersProvider.GetResourceScope("")
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
return prefix, ac.ScopeAttributeResolverFunc(func(ctx context.Context, orgID int64, scope string) ([]string, error) {
Folder UID scope resolver (#46426)
2022-03-15 09:37:16 -05:00
if !strings.HasPrefix(scope, prefix) {
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
return nil, ac.ErrInvalidScope
Folder UID scope resolver (#46426)
2022-03-15 09:37:16 -05:00
}
Access control: use uid for dashboard and folder scopes (#46807) * use uid:s for folder and dashboard permissions * evaluate folder and dashboard permissions based on uids * add dashboard.uid to accept list * Check for exact suffix * Check parent folder on create * update test * drop dashboard:create actions with dashboard scope * fix typo * AccessControl: test id 0 scope conversion * AccessControl: store only parent folder UID * AccessControl: extract general as a constant * FolderServices: Prevent creation of a folder uid'd general * FolderServices: Test folder creation prevention * Update pkg/services/guardian/accesscontrol_guardian.go * FolderServices: fix mock call expect * FolderServices: remove uneeded mocks Co-authored-by: jguer <joao.guerreiro@grafana.com>
2022-03-30 08:14:26 -05:00
id, err := strconv.ParseInt(scope[len(prefix):], 10, 64)
if err != nil {
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
return nil, ac.ErrInvalidScope
Folder UID scope resolver (#46426)
2022-03-15 09:37:16 -05:00
}
Access control: use uid for dashboard and folder scopes (#46807) * use uid:s for folder and dashboard permissions * evaluate folder and dashboard permissions based on uids * add dashboard.uid to accept list * Check for exact suffix * Check parent folder on create * update test * drop dashboard:create actions with dashboard scope * fix typo * AccessControl: test id 0 scope conversion * AccessControl: store only parent folder UID * AccessControl: extract general as a constant * FolderServices: Prevent creation of a folder uid'd general * FolderServices: Test folder creation prevention * Update pkg/services/guardian/accesscontrol_guardian.go * FolderServices: fix mock call expect * FolderServices: remove uneeded mocks Co-authored-by: jguer <joao.guerreiro@grafana.com>
2022-03-30 08:14:26 -05:00
if id == 0 {
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
return []string{ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)}, nil
Access control: use uid for dashboard and folder scopes (#46807) * use uid:s for folder and dashboard permissions * evaluate folder and dashboard permissions based on uids * add dashboard.uid to accept list * Check for exact suffix * Check parent folder on create * update test * drop dashboard:create actions with dashboard scope * fix typo * AccessControl: test id 0 scope conversion * AccessControl: store only parent folder UID * AccessControl: extract general as a constant * FolderServices: Prevent creation of a folder uid'd general * FolderServices: Test folder creation prevention * Update pkg/services/guardian/accesscontrol_guardian.go * FolderServices: fix mock call expect * FolderServices: remove uneeded mocks Co-authored-by: jguer <joao.guerreiro@grafana.com>
2022-03-30 08:14:26 -05:00
}
folder, err := db.GetFolderByID(ctx, orgID, id)
Folder UID scope resolver (#46426)
2022-03-15 09:37:16 -05:00
if err != nil {
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
return nil, err
Folder UID scope resolver (#46426)
2022-03-15 09:37:16 -05:00
}
Access control: use uid for dashboard and folder scopes (#46807) * use uid:s for folder and dashboard permissions * evaluate folder and dashboard permissions based on uids * add dashboard.uid to accept list * Check for exact suffix * Check parent folder on create * update test * drop dashboard:create actions with dashboard scope * fix typo * AccessControl: test id 0 scope conversion * AccessControl: store only parent folder UID * AccessControl: extract general as a constant * FolderServices: Prevent creation of a folder uid'd general * FolderServices: Test folder creation prevention * Update pkg/services/guardian/accesscontrol_guardian.go * FolderServices: fix mock call expect * FolderServices: remove uneeded mocks Co-authored-by: jguer <joao.guerreiro@grafana.com>
2022-03-30 08:14:26 -05:00
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
return []string{ScopeFoldersProvider.GetResourceScopeUID(folder.Uid)}, nil
})
Folder UID scope resolver (#46426)
2022-03-15 09:37:16 -05:00
}
Reference in New Issue Copy Permalink