grafana/pkg/services/accesscontrol/accesscontrol.go

package accesscontrol

import (
	"context"
	"strings"

	"github.com/grafana/grafana/pkg/models"
)

type AccessControl interface {
	// Evaluate evaluates access to the given resources.
	Evaluate(ctx context.Context, user *models.SignedInUser, evaluator Evaluator) (bool, error)

	// GetUserPermissions returns user permissions.
	GetUserPermissions(ctx context.Context, user *models.SignedInUser) ([]*Permission, error)

	// GetUserRoles returns user roles.
	GetUserRoles(ctx context.Context, user *models.SignedInUser) ([]*RoleDTO, error)

	//IsDisabled returns if access control is enabled or not
	IsDisabled() bool

	// DeclareFixedRoles allow the caller to declare, to the service, fixed roles and their
	// assignments to organization roles ("Viewer", "Editor", "Admin") or "Grafana Admin"
	DeclareFixedRoles(...RoleRegistration) error
}

type PermissionsProvider interface {
	GetUserPermissions(ctx context.Context, query GetUserPermissionsQuery) ([]*Permission, error)
}

type ResourceStore interface {
	// SetUserResourcePermissions sets permissions for managed user role on a resource
	SetUserResourcePermissions(ctx context.Context, orgID, userID int64, cmd SetResourcePermissionsCommand) ([]ResourcePermission, error)
	// SetTeamResourcePermissions sets permissions for managed team role on a resource
	SetTeamResourcePermissions(ctx context.Context, orgID, teamID int64, cmd SetResourcePermissionsCommand) ([]ResourcePermission, error)
	// SetBuiltinResourcePermissions sets permissions for managed builtin role on a resource
	SetBuiltinResourcePermissions(ctx context.Context, orgID int64, builtinRole string, cmd SetResourcePermissionsCommand) ([]ResourcePermission, error)
	// RemoveResourcePermission remove permission for resource
	RemoveResourcePermission(ctx context.Context, orgID int64, cmd RemoveResourcePermissionCommand) error
	// GetResourcesPermissions will return all permission for all supplied resource ids
	GetResourcesPermissions(ctx context.Context, orgID int64, query GetResourcesPermissionsQuery) ([]ResourcePermission, error)
}

// HasGlobalAccess checks user access with globally assigned permissions only
func HasGlobalAccess(ac AccessControl, c *models.ReqContext) func(fallback func(*models.ReqContext) bool, evaluator Evaluator) bool {
	return func(fallback func(*models.ReqContext) bool, evaluator Evaluator) bool {
		if ac.IsDisabled() {
			return fallback(c)
		}

		userCopy := *c.SignedInUser
		userCopy.OrgId = GlobalOrgID
		userCopy.OrgRole = ""
		userCopy.OrgName = ""
		hasAccess, err := ac.Evaluate(c.Req.Context(), &userCopy, evaluator)
		if err != nil {
			c.Logger.Error("Error from access control system", "error", err)
			return false
		}

		return hasAccess
	}
}

func HasAccess(ac AccessControl, c *models.ReqContext) func(fallback func(*models.ReqContext) bool, evaluator Evaluator) bool {
	return func(fallback func(*models.ReqContext) bool, evaluator Evaluator) bool {
		if ac.IsDisabled() {
			return fallback(c)
		}

		hasAccess, err := ac.Evaluate(c.Req.Context(), c.SignedInUser, evaluator)
		if err != nil {
			c.Logger.Error("Error from access control system", "error", err)
			return false
		}

		return hasAccess
	}
}

var ReqGrafanaAdmin = func(c *models.ReqContext) bool {
	return c.IsGrafanaAdmin
}

var ReqOrgAdmin = func(c *models.ReqContext) bool {
	return c.OrgRole == models.ROLE_ADMIN
}

func BuildPermissionsMap(permissions []*Permission) map[string]bool {
	permissionsMap := make(map[string]bool)
	for _, p := range permissions {
		permissionsMap[p.Action] = true
	}

	return permissionsMap
}

// GroupScopesByAction will group scopes on action
func GroupScopesByAction(permissions []*Permission) map[string]map[string]struct{} {
	m := make(map[string]map[string]struct{})
	for _, p := range permissions {
		if _, ok := m[p.Action]; ok {
			m[p.Action][p.Scope] = struct{}{}
		} else {
			m[p.Action] = map[string]struct{}{p.Scope: {}}
		}
	}
	return m
}

func ValidateScope(scope string) bool {
	prefix, last := scope[:len(scope)-1], scope[len(scope)-1]
	// verify that last char is either ':' or '/' if last character of scope is '*'
	if len(prefix) > 0 && last == '*' {
		lastChar := prefix[len(prefix)-1]
		if lastChar != ':' && lastChar != '/' {
			return false
		}
	}
	return !strings.ContainsAny(prefix, "*?")
}
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com> 2021-03-22 07:22:48 -05:00			`package accesscontrol`

			`import (`
			`"context"`
Access Control: Make the evaluator prefix match only (#38025) * Make the evaluator prefix match only * Handle empty scopes * Bump version of settings read role Co-authored-by: Karl Persson <kalle.persson@grafana.com> 2021-08-23 07:03:20 -05:00			`"strings"`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com> 2021-03-22 07:22:48 -05:00
			`"github.com/grafana/grafana/pkg/models"`
			`)`

			`type AccessControl interface {`
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-08-24 04:36:28 -05:00			`// Evaluate evaluates access to the given resources.`
			`Evaluate(ctx context.Context, user *models.SignedInUser, evaluator Evaluator) (bool, error)`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com> 2021-03-22 07:22:48 -05:00
Access Control: move features to Enterprise (#32640) * Move db package WIP * Implement OSS access control * Register OSS access control * Fix linter error in tests * Fix linter error in evaluator * Simplify OSS tests * Optimize builtin roles * Chore: add comments to the exported functions * Remove init from ossaccesscontrol package (moved to ext) * Add access control as a dependency for http server * Modify middleware to receive fallback function * Middleware: refactor fallback function call * Move unused models to enterprise * Simplify AccessControl type * Chore: use bool IsDisabled() method instead of CanBeDisabled interface 2021-04-06 08:49:09 -05:00			`// GetUserPermissions returns user permissions.`
Access Control: Move database-related models to enterprise (#32907) * Move database-related models to enterprise * Chore: use GetUserBuiltInRoles() method * Rename permission to action 2021-04-13 08:28:11 -05:00			`GetUserPermissions(ctx context.Context, user models.SignedInUser) ([]Permission, error)`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com> 2021-03-22 07:22:48 -05:00
Access Control: Add service accounts (#38994) * Add extra fields to OSS types to support enterprise * Create a service account at the same time as the API key * Use service account credentials when accessing API with APIkey * Add GetRole to service, merge RoleDTO and Role structs This patch merges the identical OSS and Enterprise data structures, which improves the code for two reasons: 1. Makes switching between OSS and Enterprise easier 2. Reduces the chance of incompatibilities developing between the same functions in OSS and Enterprise * If API key is not linked to a service account, continue login as usual * Fallback to old auth if no service account linked to key * Add CloneUserToServiceAccount * Adding LinkAPIKeyToServiceAccount * Handle api key link error * Better error messages for OSS accesscontrol * Set an invalid user id as default * Re-arrange field names * ServiceAccountId is integer * Better error messages Co-authored-by: Hugo Häggmark <hugo.haggmark@grafana.com> Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> 2021-10-20 07:36:11 -05:00			`// GetUserRoles returns user roles.`
			`GetUserRoles(ctx context.Context, user models.SignedInUser) ([]RoleDTO, error)`

Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-08-24 04:36:28 -05:00			`//IsDisabled returns if access control is enabled or not`
Access Control: move features to Enterprise (#32640) * Move db package WIP * Implement OSS access control * Register OSS access control * Fix linter error in tests * Fix linter error in evaluator * Simplify OSS tests * Optimize builtin roles * Chore: add comments to the exported functions * Remove init from ossaccesscontrol package (moved to ext) * Add access control as a dependency for http server * Modify middleware to receive fallback function * Middleware: refactor fallback function call * Move unused models to enterprise * Simplify AccessControl type * Chore: use bool IsDisabled() method instead of CanBeDisabled interface 2021-04-06 08:49:09 -05:00			`IsDisabled() bool`
Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)" (#37535) This reverts commit 55efeb0c02ef5261eb8a75ea27adfdc6194de7ad. 2021-08-04 07:44:37 -05:00
			`// DeclareFixedRoles allow the caller to declare, to the service, fixed roles and their`
			`// assignments to organization roles ("Viewer", "Editor", "Admin") or "Grafana Admin"`
			`DeclareFixedRoles(...RoleRegistration) error`
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com> 2021-03-22 07:22:48 -05:00			`}`
Access control: expose permissions to the frontend (#32954) * Expose user permissions to the frontend * Do not include empty scope * Extend ContextSrv with hasPermission() method * Add access control types * Fix type error (make permissions optional) * Fallback if access control disabled * Move UserPermission to types * Simplify hasPermission() 2021-04-16 08:02:16 -05:00
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-11-11 07:02:53 -06:00			`type PermissionsProvider interface {`
			`GetUserPermissions(ctx context.Context, query GetUserPermissionsQuery) ([]*Permission, error)`
			`}`

			`type ResourceStore interface {`
			`// SetUserResourcePermissions sets permissions for managed user role on a resource`
			`SetUserResourcePermissions(ctx context.Context, orgID, userID int64, cmd SetResourcePermissionsCommand) ([]ResourcePermission, error)`
			`// SetTeamResourcePermissions sets permissions for managed team role on a resource`
			`SetTeamResourcePermissions(ctx context.Context, orgID, teamID int64, cmd SetResourcePermissionsCommand) ([]ResourcePermission, error)`
			`// SetBuiltinResourcePermissions sets permissions for managed builtin role on a resource`
			`SetBuiltinResourcePermissions(ctx context.Context, orgID int64, builtinRole string, cmd SetResourcePermissionsCommand) ([]ResourcePermission, error)`
			`// RemoveResourcePermission remove permission for resource`
			`RemoveResourcePermission(ctx context.Context, orgID int64, cmd RemoveResourcePermissionCommand) error`
			`// GetResourcesPermissions will return all permission for all supplied resource ids`
			`GetResourcesPermissions(ctx context.Context, orgID int64, query GetResourcesPermissionsQuery) ([]ResourcePermission, error)`
			`}`

AccessControl: FGAC permissions for orgs endpoint on frontend (#41050) * AccessControl: FGAC permissions for orgs endpoint on frontend Protect org update endpoints add or refactor missing right messages cover org page * removing scopes from orgs * Perform permission control with global org * Perform the error handling in case of 403 * Simplify frontend code by requiring read access for sure * Remove roles I added to decrease the number of changes * Remove the check for server admin to reduce the number of changes * change error message * Cleaning todos * Remove unecessary changes * Fix tests * Update test snapshot * Update pkg/api/roles.go Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Update public/app/features/admin/AdminEditOrgPage.tsx Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Format AdminEditOrgPage for linting * Update public/app/features/admin/AdminEditOrgPage.tsx Co-authored-by: Vardan Torosyan <vardants@gmail.com> * Update public/app/features/admin/AdminEditOrgPage.tsx Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com> * Update public/app/features/admin/AdminListOrgsPage.tsx Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com> * Commit suggestions * Commit suggestion canRead canWrite * fix typo Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> Co-authored-by: Vardan Torosyan <vardants@gmail.com> Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com> 2021-11-18 07:10:38 -06:00			`// HasGlobalAccess checks user access with globally assigned permissions only`
			`func HasGlobalAccess(ac AccessControl, c models.ReqContext) func(fallback func(models.ReqContext) bool, evaluator Evaluator) bool {`
			`return func(fallback func(*models.ReqContext) bool, evaluator Evaluator) bool {`
			`if ac.IsDisabled() {`
			`return fallback(c)`
			`}`

			`userCopy := *c.SignedInUser`
			`userCopy.OrgId = GlobalOrgID`
			`userCopy.OrgRole = ""`
			`userCopy.OrgName = ""`
			`hasAccess, err := ac.Evaluate(c.Req.Context(), &userCopy, evaluator)`
			`if err != nil {`
			`c.Logger.Error("Error from access control system", "error", err)`
			`return false`
			`}`

			`return hasAccess`
			`}`
			`}`

Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-08-24 04:36:28 -05:00			`func HasAccess(ac AccessControl, c models.ReqContext) func(fallback func(models.ReqContext) bool, evaluator Evaluator) bool {`
			`return func(fallback func(*models.ReqContext) bool, evaluator Evaluator) bool {`
Access control: Build navigation links with access control (#33024) * Build nav links with access control * Break up getNavTree (reduce cyclomatic complexity) * Fix tests * Use only ActionUsersRead permissions * Remove unused permissions definitions * Chore: remove unused fallbacks * Fix linter error 2021-04-19 04:23:29 -05:00			`if ac.IsDisabled() {`
			`return fallback(c)`
			`}`

Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-08-24 04:36:28 -05:00			`hasAccess, err := ac.Evaluate(c.Req.Context(), c.SignedInUser, evaluator)`
Access control: Build navigation links with access control (#33024) * Build nav links with access control * Break up getNavTree (reduce cyclomatic complexity) * Fix tests * Use only ActionUsersRead permissions * Remove unused permissions definitions * Chore: remove unused fallbacks * Fix linter error 2021-04-19 04:23:29 -05:00			`if err != nil {`
			`c.Logger.Error("Error from access control system", "error", err)`
			`return false`
			`}`

			`return hasAccess`
			`}`
			`}`

			`var ReqGrafanaAdmin = func(c *models.ReqContext) bool {`
			`return c.IsGrafanaAdmin`
			`}`

Access control: Make Admin/Users UI working with the permissions (#33176) * API: authorize admin/users views * Render admin/users components based on user's permissions * Add LDAP permissions (required by admin/user page) * Extend default admin role by LDAP permissions * Show/hide LDAP debug views * Render LDAP debug page if user has access * Authorize LDAP debug view * fix permissions definitions * Add LDAP page permissions * remove ambiguous permissions check * Hide logout buttons in sessions table * Add org/users permissions * Use org permissions for managing user roles in orgs * Apply permissions to org/users * Apply suggestions from review * Fix tests * remove scopes from the frontend * Tweaks according to review * Handle /invites endpoints 2021-04-22 05:19:41 -05:00			`var ReqOrgAdmin = func(c *models.ReqContext) bool {`
			`return c.OrgRole == models.ROLE_ADMIN`
			`}`

			`func BuildPermissionsMap(permissions []*Permission) map[string]bool {`
			`permissionsMap := make(map[string]bool)`
Access control: expose permissions to the frontend (#32954) * Expose user permissions to the frontend * Do not include empty scope * Extend ContextSrv with hasPermission() method * Add access control types * Fix type error (make permissions optional) * Fallback if access control disabled * Move UserPermission to types * Simplify hasPermission() 2021-04-16 08:02:16 -05:00			`for _, p := range permissions {`
Access control: Make Admin/Users UI working with the permissions (#33176) * API: authorize admin/users views * Render admin/users components based on user's permissions * Add LDAP permissions (required by admin/user page) * Extend default admin role by LDAP permissions * Show/hide LDAP debug views * Render LDAP debug page if user has access * Authorize LDAP debug view * fix permissions definitions * Add LDAP page permissions * remove ambiguous permissions check * Hide logout buttons in sessions table * Add org/users permissions * Use org permissions for managing user roles in orgs * Apply permissions to org/users * Apply suggestions from review * Fix tests * remove scopes from the frontend * Tweaks according to review * Handle /invites endpoints 2021-04-22 05:19:41 -05:00			`permissionsMap[p.Action] = true`
Access control: expose permissions to the frontend (#32954) * Expose user permissions to the frontend * Do not include empty scope * Extend ContextSrv with hasPermission() method * Add access control types * Fix type error (make permissions optional) * Fallback if access control disabled * Move UserPermission to types * Simplify hasPermission() 2021-04-16 08:02:16 -05:00			`}`

			`return permissionsMap`
			`}`
Access Control: Make the evaluator prefix match only (#38025) * Make the evaluator prefix match only * Handle empty scopes * Bump version of settings read role Co-authored-by: Karl Persson <kalle.persson@grafana.com> 2021-08-23 07:03:20 -05:00
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-08-24 04:36:28 -05:00			`// GroupScopesByAction will group scopes on action`
			`func GroupScopesByAction(permissions []*Permission) map[string]map[string]struct{} {`
			`m := make(map[string]map[string]struct{})`
			`for _, p := range permissions {`
			`if _, ok := m[p.Action]; ok {`
			`m[p.Action][p.Scope] = struct{}{}`
			`} else {`
			`m[p.Action] = map[string]struct{}{p.Scope: {}}`
			`}`
			`}`
			`return m`
			`}`

Access Control: Make the evaluator prefix match only (#38025) * Make the evaluator prefix match only * Handle empty scopes * Bump version of settings read role Co-authored-by: Karl Persson <kalle.persson@grafana.com> 2021-08-23 07:03:20 -05:00			`func ValidateScope(scope string) bool {`
			`prefix, last := scope[:len(scope)-1], scope[len(scope)-1]`
			`// verify that last char is either ':' or '/' if last character of scope is '*'`
			`if len(prefix) > 0 && last == '*' {`
			`lastChar := prefix[len(prefix)-1]`
			`if lastChar != ':' && lastChar != '/' {`
			`return false`
			`}`
			`}`
			`return !strings.ContainsAny(prefix, "*?")`
			`}`