IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2024-11-29 20:24:18 -06:00
Code Issues Packages Projects Releases Wiki Activity
f69fd3726b
grafana/pkg/services/dashboards/accesscontrol.go

218 lines
7.1 KiB
Go
Raw Normal View History

Move datasource scopes and actions to access control package (#46334) * create scope provider * move datasource actions and scopes to datasource package + add provider * change usages to use datasource scopes and update data source name resolver to use provider * move folder permissions to dashboard package and update usages
2022-03-09 10:57:50 -06:00
package dashboards
Folder name scope resolver (#46380) * move dashboard store mock to parent package to avoid cycle of dependencies * add scope resolver for folders that resolves names to id
2022-03-10 11:19:50 -06:00
import (
"context"
"strings"
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
Access control: Modify dashboard/folder resolvers so that return also the inherited scopes (#62025) * Access Control: Add folder service dependency to the dashboard/folder resolvers * Expose the function fetching parents to folder interface * Add generic prepend utility * Modify dashboard resolvers to return inherited scopes
2023-01-26 02:21:10 -06:00
"github.com/grafana/grafana/pkg/services/folder"
Folder name scope resolver (#46380) * move dashboard store mock to parent package to avoid cycle of dependencies * add scope resolver for folders that resolves names to id
2022-03-10 11:19:50 -06:00
)
Move datasource scopes and actions to access control package (#46334) * create scope provider * move datasource actions and scopes to datasource package + add provider * change usages to use datasource scopes and update data source name resolver to use provider * move folder permissions to dashboard package and update usages
2022-03-09 10:57:50 -06:00
const (
Access control: use uid for dashboard and folder scopes (#46807) * use uid:s for folder and dashboard permissions * evaluate folder and dashboard permissions based on uids * add dashboard.uid to accept list * Check for exact suffix * Check parent folder on create * update test * drop dashboard:create actions with dashboard scope * fix typo * AccessControl: test id 0 scope conversion * AccessControl: store only parent folder UID * AccessControl: extract general as a constant * FolderServices: Prevent creation of a folder uid'd general * FolderServices: Test folder creation prevention * Update pkg/services/guardian/accesscontrol_guardian.go * FolderServices: fix mock call expect * FolderServices: remove uneeded mocks Co-authored-by: jguer <joao.guerreiro@grafana.com>
2022-03-30 08:14:26 -05:00
ScopeFoldersRoot = "folders"
ScopeFoldersPrefix = "folders:uid:"
Move datasource scopes and actions to access control package (#46334) * create scope provider * move datasource actions and scopes to datasource package + add provider * change usages to use datasource scopes and update data source name resolver to use provider * move folder permissions to dashboard package and update usages
2022-03-09 10:57:50 -06:00
ActionFoldersCreate = "folders:create"
ActionFoldersRead = "folders:read"
ActionFoldersWrite = "folders:write"
ActionFoldersDelete = "folders:delete"
ActionFoldersPermissionsRead = "folders.permissions:read"
ActionFoldersPermissionsWrite = "folders.permissions:write"
Access control: use uid for dashboard and folder scopes (#46807) * use uid:s for folder and dashboard permissions * evaluate folder and dashboard permissions based on uids * add dashboard.uid to accept list * Check for exact suffix * Check parent folder on create * update test * drop dashboard:create actions with dashboard scope * fix typo * AccessControl: test id 0 scope conversion * AccessControl: store only parent folder UID * AccessControl: extract general as a constant * FolderServices: Prevent creation of a folder uid'd general * FolderServices: Test folder creation prevention * Update pkg/services/guardian/accesscontrol_guardian.go * FolderServices: fix mock call expect * FolderServices: remove uneeded mocks Co-authored-by: jguer <joao.guerreiro@grafana.com>
2022-03-30 08:14:26 -05:00
ScopeDashboardsRoot = "dashboards"
ScopeDashboardsPrefix = "dashboards:uid:"
Access Control: Move dashboard actions and create scope provider (#48618) * Move dashboard actions and create scope provider
2022-05-04 09:12:09 -05:00
ActionDashboardsCreate = "dashboards:create"
ActionDashboardsRead = "dashboards:read"
ActionDashboardsWrite = "dashboards:write"
ActionDashboardsDelete = "dashboards:delete"
ActionDashboardsPermissionsRead = "dashboards.permissions:read"
ActionDashboardsPermissionsWrite = "dashboards.permissions:write"
PublicDashboards: disable form if user does not has permissions (#54853)
2022-09-07 16:29:01 -05:00
ActionDashboardsPublicWrite = "dashboards.public:write"
Move datasource scopes and actions to access control package (#46334) * create scope provider * move datasource actions and scopes to datasource package + add provider * change usages to use datasource scopes and update data source name resolver to use provider * move folder permissions to dashboard package and update usages
2022-03-09 10:57:50 -06:00
)
var (
Access Control: Move dashboard actions and create scope provider (#48618) * Move dashboard actions and create scope provider
2022-05-04 09:12:09 -05:00
ScopeFoldersProvider = ac.NewScopeProvider(ScopeFoldersRoot)
ScopeFoldersAll = ScopeFoldersProvider.GetResourceAllScope()
ScopeDashboardsProvider = ac.NewScopeProvider(ScopeDashboardsRoot)
ScopeDashboardsAll = ScopeDashboardsProvider.GetResourceAllScope()
Move datasource scopes and actions to access control package (#46334) * create scope provider * move datasource actions and scopes to datasource package + add provider * change usages to use datasource scopes and update data source name resolver to use provider * move folder permissions to dashboard package and update usages
2022-03-09 10:57:50 -06:00
)
Folder name scope resolver (#46380) * move dashboard store mock to parent package to avoid cycle of dependencies * add scope resolver for folders that resolves names to id
2022-03-10 11:19:50 -06:00
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
// NewFolderNameScopeResolver provides an ScopeAttributeResolver that is able to convert a scope prefixed with "folders:name:" into an uid based scope.
Access Control: revert to using folder store from the scope resolvers (#64132) * revert to using folder store from the resolvers * fixing tests after revert * api test fixes --------- Co-authored-by: Kristin Laemmert <mildwonkey@users.noreply.github.com>
2023-03-03 09:56:33 -06:00
func NewFolderNameScopeResolver(folderDB folder.FolderStore, folderSvc folder.Service) (string, ac.ScopeAttributeResolver) {
Folder name scope resolver (#46380) * move dashboard store mock to parent package to avoid cycle of dependencies * add scope resolver for folders that resolves names to id
2022-03-10 11:19:50 -06:00
prefix := ScopeFoldersProvider.GetResourceScopeName("")
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
return prefix, ac.ScopeAttributeResolverFunc(func(ctx context.Context, orgID int64, scope string) ([]string, error) {
Folder name scope resolver (#46380) * move dashboard store mock to parent package to avoid cycle of dependencies * add scope resolver for folders that resolves names to id
2022-03-10 11:19:50 -06:00
if !strings.HasPrefix(scope, prefix) {
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
return nil, ac.ErrInvalidScope
Folder name scope resolver (#46380) * move dashboard store mock to parent package to avoid cycle of dependencies * add scope resolver for folders that resolves names to id
2022-03-10 11:19:50 -06:00
}
nsName := scope[len(prefix):]
if len(nsName) == 0 {
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
return nil, ac.ErrInvalidScope
Folder name scope resolver (#46380) * move dashboard store mock to parent package to avoid cycle of dependencies * add scope resolver for folders that resolves names to id
2022-03-10 11:19:50 -06:00
}
Access Control: revert to using folder store from the scope resolvers (#64132) * revert to using folder store from the resolvers * fixing tests after revert * api test fixes --------- Co-authored-by: Kristin Laemmert <mildwonkey@users.noreply.github.com>
2023-03-03 09:56:33 -06:00
folder, err := folderDB.GetFolderByTitle(ctx, orgID, nsName)
Folder name scope resolver (#46380) * move dashboard store mock to parent package to avoid cycle of dependencies * add scope resolver for folders that resolves names to id
2022-03-10 11:19:50 -06:00
if err != nil {
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
return nil, err
Folder name scope resolver (#46380) * move dashboard store mock to parent package to avoid cycle of dependencies * add scope resolver for folders that resolves names to id
2022-03-10 11:19:50 -06:00
}
Access control: Modify dashboard/folder resolvers so that return also the inherited scopes (#62025) * Access Control: Add folder service dependency to the dashboard/folder resolvers * Expose the function fetching parents to folder interface * Add generic prepend utility * Modify dashboard resolvers to return inherited scopes
2023-01-26 02:21:10 -06:00
RBAC: inherit folder permissions when resolving managed permissions (#62244) * add nested folder scope inheritance to managed permission services * add a more specific erorr * remove circular dependencies * use errutil for returning erorr * fix tests * fix tests * define a new error in ac package
2023-01-30 08:19:42 -06:00
result, err := GetInheritedScopes(ctx, folder.OrgID, folder.UID, folderSvc)
Access control: Modify dashboard/folder resolvers so that return also the inherited scopes (#62025) * Access Control: Add folder service dependency to the dashboard/folder resolvers * Expose the function fetching parents to folder interface * Add generic prepend utility * Modify dashboard resolvers to return inherited scopes
2023-01-26 02:21:10 -06:00
if err != nil {
return nil, err
}
result = append([]string{ScopeFoldersProvider.GetResourceScopeUID(folder.UID)}, result...)
return result, nil
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
})
Folder name scope resolver (#46380) * move dashboard store mock to parent package to avoid cycle of dependencies * add scope resolver for folders that resolves names to id
2022-03-10 11:19:50 -06:00
}
Folder UID scope resolver (#46426)
2022-03-15 09:37:16 -05:00
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
// NewFolderIDScopeResolver provides an ScopeAttributeResolver that is able to convert a scope prefixed with "folders:id:" into an uid based scope.
Access Control: revert to using folder store from the scope resolvers (#64132) * revert to using folder store from the resolvers * fixing tests after revert * api test fixes --------- Co-authored-by: Kristin Laemmert <mildwonkey@users.noreply.github.com>
2023-03-03 09:56:33 -06:00
func NewFolderIDScopeResolver(folderDB folder.FolderStore, folderSvc folder.Service) (string, ac.ScopeAttributeResolver) {
Access control: use uid for dashboard and folder scopes (#46807) * use uid:s for folder and dashboard permissions * evaluate folder and dashboard permissions based on uids * add dashboard.uid to accept list * Check for exact suffix * Check parent folder on create * update test * drop dashboard:create actions with dashboard scope * fix typo * AccessControl: test id 0 scope conversion * AccessControl: store only parent folder UID * AccessControl: extract general as a constant * FolderServices: Prevent creation of a folder uid'd general * FolderServices: Test folder creation prevention * Update pkg/services/guardian/accesscontrol_guardian.go * FolderServices: fix mock call expect * FolderServices: remove uneeded mocks Co-authored-by: jguer <joao.guerreiro@grafana.com>
2022-03-30 08:14:26 -05:00
prefix := ScopeFoldersProvider.GetResourceScope("")
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
return prefix, ac.ScopeAttributeResolverFunc(func(ctx context.Context, orgID int64, scope string) ([]string, error) {
Folder UID scope resolver (#46426)
2022-03-15 09:37:16 -05:00
if !strings.HasPrefix(scope, prefix) {
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
return nil, ac.ErrInvalidScope
Folder UID scope resolver (#46426)
2022-03-15 09:37:16 -05:00
}
Access control: use uid for dashboard and folder scopes (#46807) * use uid:s for folder and dashboard permissions * evaluate folder and dashboard permissions based on uids * add dashboard.uid to accept list * Check for exact suffix * Check parent folder on create * update test * drop dashboard:create actions with dashboard scope * fix typo * AccessControl: test id 0 scope conversion * AccessControl: store only parent folder UID * AccessControl: extract general as a constant * FolderServices: Prevent creation of a folder uid'd general * FolderServices: Test folder creation prevention * Update pkg/services/guardian/accesscontrol_guardian.go * FolderServices: fix mock call expect * FolderServices: remove uneeded mocks Co-authored-by: jguer <joao.guerreiro@grafana.com>
2022-03-30 08:14:26 -05:00
RBAC: Add scope resolvers for dashboards (#50110) * Inject access control into dashboard service * Add function to parse id scopes * Add dashboard as return value * Update mock * Return only err to keep service interface * Add scope resolvers for dashboard id scopes * Add function to parse uid scopes * Add dashboard uid scope resolver * Register scope resolvers for dashboards Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-06-07 04:02:20 -05:00
id, err := ac.ParseScopeID(scope)
Access control: use uid for dashboard and folder scopes (#46807) * use uid:s for folder and dashboard permissions * evaluate folder and dashboard permissions based on uids * add dashboard.uid to accept list * Check for exact suffix * Check parent folder on create * update test * drop dashboard:create actions with dashboard scope * fix typo * AccessControl: test id 0 scope conversion * AccessControl: store only parent folder UID * AccessControl: extract general as a constant * FolderServices: Prevent creation of a folder uid'd general * FolderServices: Test folder creation prevention * Update pkg/services/guardian/accesscontrol_guardian.go * FolderServices: fix mock call expect * FolderServices: remove uneeded mocks Co-authored-by: jguer <joao.guerreiro@grafana.com>
2022-03-30 08:14:26 -05:00
if err != nil {
RBAC: Add scope resolvers for dashboards (#50110) * Inject access control into dashboard service * Add function to parse id scopes * Add dashboard as return value * Update mock * Return only err to keep service interface * Add scope resolvers for dashboard id scopes * Add function to parse uid scopes * Add dashboard uid scope resolver * Register scope resolvers for dashboards Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-06-07 04:02:20 -05:00
return nil, err
Folder UID scope resolver (#46426)
2022-03-15 09:37:16 -05:00
}
Access control: use uid for dashboard and folder scopes (#46807) * use uid:s for folder and dashboard permissions * evaluate folder and dashboard permissions based on uids * add dashboard.uid to accept list * Check for exact suffix * Check parent folder on create * update test * drop dashboard:create actions with dashboard scope * fix typo * AccessControl: test id 0 scope conversion * AccessControl: store only parent folder UID * AccessControl: extract general as a constant * FolderServices: Prevent creation of a folder uid'd general * FolderServices: Test folder creation prevention * Update pkg/services/guardian/accesscontrol_guardian.go * FolderServices: fix mock call expect * FolderServices: remove uneeded mocks Co-authored-by: jguer <joao.guerreiro@grafana.com>
2022-03-30 08:14:26 -05:00
if id == 0 {
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
return []string{ScopeFoldersProvider.GetResourceScopeUID(ac.GeneralFolderUID)}, nil
Access control: use uid for dashboard and folder scopes (#46807) * use uid:s for folder and dashboard permissions * evaluate folder and dashboard permissions based on uids * add dashboard.uid to accept list * Check for exact suffix * Check parent folder on create * update test * drop dashboard:create actions with dashboard scope * fix typo * AccessControl: test id 0 scope conversion * AccessControl: store only parent folder UID * AccessControl: extract general as a constant * FolderServices: Prevent creation of a folder uid'd general * FolderServices: Test folder creation prevention * Update pkg/services/guardian/accesscontrol_guardian.go * FolderServices: fix mock call expect * FolderServices: remove uneeded mocks Co-authored-by: jguer <joao.guerreiro@grafana.com>
2022-03-30 08:14:26 -05:00
}
Access Control: revert to using folder store from the scope resolvers (#64132) * revert to using folder store from the resolvers * fixing tests after revert * api test fixes --------- Co-authored-by: Kristin Laemmert <mildwonkey@users.noreply.github.com>
2023-03-03 09:56:33 -06:00
folder, err := folderDB.GetFolderByID(ctx, orgID, id)
Folder UID scope resolver (#46426)
2022-03-15 09:37:16 -05:00
if err != nil {
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
return nil, err
Folder UID scope resolver (#46426)
2022-03-15 09:37:16 -05:00
}
Access control: use uid for dashboard and folder scopes (#46807) * use uid:s for folder and dashboard permissions * evaluate folder and dashboard permissions based on uids * add dashboard.uid to accept list * Check for exact suffix * Check parent folder on create * update test * drop dashboard:create actions with dashboard scope * fix typo * AccessControl: test id 0 scope conversion * AccessControl: store only parent folder UID * AccessControl: extract general as a constant * FolderServices: Prevent creation of a folder uid'd general * FolderServices: Test folder creation prevention * Update pkg/services/guardian/accesscontrol_guardian.go * FolderServices: fix mock call expect * FolderServices: remove uneeded mocks Co-authored-by: jguer <joao.guerreiro@grafana.com>
2022-03-30 08:14:26 -05:00
RBAC: inherit folder permissions when resolving managed permissions (#62244) * add nested folder scope inheritance to managed permission services * add a more specific erorr * remove circular dependencies * use errutil for returning erorr * fix tests * fix tests * define a new error in ac package
2023-01-30 08:19:42 -06:00
result, err := GetInheritedScopes(ctx, folder.OrgID, folder.UID, folderSvc)
Access control: Modify dashboard/folder resolvers so that return also the inherited scopes (#62025) * Access Control: Add folder service dependency to the dashboard/folder resolvers * Expose the function fetching parents to folder interface * Add generic prepend utility * Modify dashboard resolvers to return inherited scopes
2023-01-26 02:21:10 -06:00
if err != nil {
return nil, err
}
result = append([]string{ScopeFoldersProvider.GetResourceScopeUID(folder.UID)}, result...)
return result, nil
Access Control: Refactor scope resolvers with support to resolve into several scopes (#48202) * Refactor Scope resolver to support resolving into several scopes * Change permission evaluator to match at least one of passed scopes
2022-05-02 02:29:30 -05:00
})
Folder UID scope resolver (#46426)
2022-03-15 09:37:16 -05:00
}
RBAC: add folder UID scope resolver (#62695) * add folder uid scope resolver * undo guardian change, move it to a separate PR * fix test + linting
2023-02-07 10:27:20 -06:00
// NewFolderUIDScopeResolver provides an ScopeAttributeResolver that is able to convert a scope prefixed with "folders:uid:"
// into uid based scopes for folder and its parents
chore(services): replace dependencies on dashboard store with dashboard service (#63937) * chore(services): replace dependencies on dashboard store with dashboard service This continues the backend service/store split by replacing dashboard store dependencies with service dependencies. the folder service remains the single exception for now; otherwise we'd have a dependency cycle between the folder and dashboard services. I have some ideas for that, but I'll take care of all the easy parts first. While doing this, I identified and removed a number of unused arguments from the following functions: NewFolderNameScopeResolver NewFolderIDScopeResolver NewFolderUIDScopeResolver NewDashboardIDScopeResolver NewDashboardUIDScopeResolver resolveDashboardScope I have a small enterprise PR to support this commit. * lingering fmt
2023-03-02 07:09:57 -06:00
func NewFolderUIDScopeResolver(folderSvc folder.Service) (string, ac.ScopeAttributeResolver) {
RBAC: add folder UID scope resolver (#62695) * add folder uid scope resolver * undo guardian change, move it to a separate PR * fix test + linting
2023-02-07 10:27:20 -06:00
prefix := ScopeFoldersProvider.GetResourceScopeUID("")
return prefix, ac.ScopeAttributeResolverFunc(func(ctx context.Context, orgID int64, scope string) ([]string, error) {
if !strings.HasPrefix(scope, prefix) {
return nil, ac.ErrInvalidScope
}
uid, err := ac.ParseScopeUID(scope)
if err != nil {
return nil, err
}
inheritedScopes, err := GetInheritedScopes(ctx, orgID, uid, folderSvc)
if err != nil {
return nil, err
}
return append(inheritedScopes, ScopeFoldersProvider.GetResourceScopeUID(uid)), nil
})
}
RBAC: Add scope resolvers for dashboards (#50110) * Inject access control into dashboard service * Add function to parse id scopes * Add dashboard as return value * Update mock * Return only err to keep service interface * Add scope resolvers for dashboard id scopes * Add function to parse uid scopes * Add dashboard uid scope resolver * Register scope resolvers for dashboards Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-06-07 04:02:20 -05:00
// NewDashboardIDScopeResolver provides an ScopeAttributeResolver that is able to convert a scope prefixed with "dashboards:id:"
// into uid based scopes for both dashboard and folder
Access Control: revert to using folder store from the scope resolvers (#64132) * revert to using folder store from the resolvers * fixing tests after revert * api test fixes --------- Co-authored-by: Kristin Laemmert <mildwonkey@users.noreply.github.com>
2023-03-03 09:56:33 -06:00
func NewDashboardIDScopeResolver(folderDB folder.FolderStore, ds DashboardService, folderSvc folder.Service) (string, ac.ScopeAttributeResolver) {
RBAC: Add scope resolvers for dashboards (#50110) * Inject access control into dashboard service * Add function to parse id scopes * Add dashboard as return value * Update mock * Return only err to keep service interface * Add scope resolvers for dashboard id scopes * Add function to parse uid scopes * Add dashboard uid scope resolver * Register scope resolvers for dashboards Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-06-07 04:02:20 -05:00
prefix := ScopeDashboardsProvider.GetResourceScope("")
return prefix, ac.ScopeAttributeResolverFunc(func(ctx context.Context, orgID int64, scope string) ([]string, error) {
if !strings.HasPrefix(scope, prefix) {
return nil, ac.ErrInvalidScope
}
id, err := ac.ParseScopeID(scope)
if err != nil {
return nil, err
}
chore(services): replace dependencies on dashboard store with dashboard service (#63937) * chore(services): replace dependencies on dashboard store with dashboard service This continues the backend service/store split by replacing dashboard store dependencies with service dependencies. the folder service remains the single exception for now; otherwise we'd have a dependency cycle between the folder and dashboard services. I have some ideas for that, but I'll take care of all the easy parts first. While doing this, I identified and removed a number of unused arguments from the following functions: NewFolderNameScopeResolver NewFolderIDScopeResolver NewFolderUIDScopeResolver NewDashboardIDScopeResolver NewDashboardUIDScopeResolver resolveDashboardScope I have a small enterprise PR to support this commit. * lingering fmt
2023-03-02 07:09:57 -06:00
dashboard, err := ds.GetDashboard(ctx, &GetDashboardQuery{ID: id, OrgID: orgID})
RBAC: Add scope resolvers for dashboards (#50110) * Inject access control into dashboard service * Add function to parse id scopes * Add dashboard as return value * Update mock * Return only err to keep service interface * Add scope resolvers for dashboard id scopes * Add function to parse uid scopes * Add dashboard uid scope resolver * Register scope resolvers for dashboards Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-06-07 04:02:20 -05:00
if err != nil {
return nil, err
}
Access Control: revert to using folder store from the scope resolvers (#64132) * revert to using folder store from the resolvers * fixing tests after revert * api test fixes --------- Co-authored-by: Kristin Laemmert <mildwonkey@users.noreply.github.com>
2023-03-03 09:56:33 -06:00
return resolveDashboardScope(ctx, folderDB, orgID, dashboard, folderSvc)
RBAC: Add scope resolvers for dashboards (#50110) * Inject access control into dashboard service * Add function to parse id scopes * Add dashboard as return value * Update mock * Return only err to keep service interface * Add scope resolvers for dashboard id scopes * Add function to parse uid scopes * Add dashboard uid scope resolver * Register scope resolvers for dashboards Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-06-07 04:02:20 -05:00
})
}
// NewDashboardUIDScopeResolver provides an ScopeAttributeResolver that is able to convert a scope prefixed with "dashboards:uid:"
// into uid based scopes for both dashboard and folder
Access Control: revert to using folder store from the scope resolvers (#64132) * revert to using folder store from the resolvers * fixing tests after revert * api test fixes --------- Co-authored-by: Kristin Laemmert <mildwonkey@users.noreply.github.com>
2023-03-03 09:56:33 -06:00
func NewDashboardUIDScopeResolver(folderDB folder.FolderStore, ds DashboardService, folderSvc folder.Service) (string, ac.ScopeAttributeResolver) {
RBAC: Add scope resolvers for dashboards (#50110) * Inject access control into dashboard service * Add function to parse id scopes * Add dashboard as return value * Update mock * Return only err to keep service interface * Add scope resolvers for dashboard id scopes * Add function to parse uid scopes * Add dashboard uid scope resolver * Register scope resolvers for dashboards Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-06-07 04:02:20 -05:00
prefix := ScopeDashboardsProvider.GetResourceScopeUID("")
return prefix, ac.ScopeAttributeResolverFunc(func(ctx context.Context, orgID int64, scope string) ([]string, error) {
if !strings.HasPrefix(scope, prefix) {
return nil, ac.ErrInvalidScope
}
uid, err := ac.ParseScopeUID(scope)
if err != nil {
return nil, err
}
chore(services): replace dependencies on dashboard store with dashboard service (#63937) * chore(services): replace dependencies on dashboard store with dashboard service This continues the backend service/store split by replacing dashboard store dependencies with service dependencies. the folder service remains the single exception for now; otherwise we'd have a dependency cycle between the folder and dashboard services. I have some ideas for that, but I'll take care of all the easy parts first. While doing this, I identified and removed a number of unused arguments from the following functions: NewFolderNameScopeResolver NewFolderIDScopeResolver NewFolderUIDScopeResolver NewDashboardIDScopeResolver NewDashboardUIDScopeResolver resolveDashboardScope I have a small enterprise PR to support this commit. * lingering fmt
2023-03-02 07:09:57 -06:00
dashboard, err := ds.GetDashboard(ctx, &GetDashboardQuery{UID: uid, OrgID: orgID})
RBAC: Add scope resolvers for dashboards (#50110) * Inject access control into dashboard service * Add function to parse id scopes * Add dashboard as return value * Update mock * Return only err to keep service interface * Add scope resolvers for dashboard id scopes * Add function to parse uid scopes * Add dashboard uid scope resolver * Register scope resolvers for dashboards Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-06-07 04:02:20 -05:00
if err != nil {
return nil, err
}
Access Control: revert to using folder store from the scope resolvers (#64132) * revert to using folder store from the resolvers * fixing tests after revert * api test fixes --------- Co-authored-by: Kristin Laemmert <mildwonkey@users.noreply.github.com>
2023-03-03 09:56:33 -06:00
return resolveDashboardScope(ctx, folderDB, orgID, dashboard, folderSvc)
RBAC: Add scope resolvers for dashboards (#50110) * Inject access control into dashboard service * Add function to parse id scopes * Add dashboard as return value * Update mock * Return only err to keep service interface * Add scope resolvers for dashboard id scopes * Add function to parse uid scopes * Add dashboard uid scope resolver * Register scope resolvers for dashboards Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-06-07 04:02:20 -05:00
})
}
Access Control: revert to using folder store from the scope resolvers (#64132) * revert to using folder store from the resolvers * fixing tests after revert * api test fixes --------- Co-authored-by: Kristin Laemmert <mildwonkey@users.noreply.github.com>
2023-03-03 09:56:33 -06:00
func resolveDashboardScope(ctx context.Context, folderDB folder.FolderStore, orgID int64, dashboard *Dashboard, folderSvc folder.Service) ([]string, error) {
RBAC: Add scope resolvers for dashboards (#50110) * Inject access control into dashboard service * Add function to parse id scopes * Add dashboard as return value * Update mock * Return only err to keep service interface * Add scope resolvers for dashboard id scopes * Add function to parse uid scopes * Add dashboard uid scope resolver * Register scope resolvers for dashboards Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-06-07 04:02:20 -05:00
var folderUID string
Chore: Move dashboard models to dashboard pkg (#61458) * Copy dashboard models to dashboard pkg * Use some models from current pkg instead of models * Adjust api pkg * Adjust pkg services * Fix lint
2023-01-16 09:33:55 -06:00
if dashboard.FolderID < 0 {
return []string{ScopeDashboardsProvider.GetResourceScopeUID(dashboard.UID)}, nil
RBAC: Handle case when folder id is negative (#53438)
2022-08-09 03:14:08 -05:00
}
Chore: Move dashboard models to dashboard pkg (#61458) * Copy dashboard models to dashboard pkg * Use some models from current pkg instead of models * Adjust api pkg * Adjust pkg services * Fix lint
2023-01-16 09:33:55 -06:00
if dashboard.FolderID == 0 {
RBAC: Add scope resolvers for dashboards (#50110) * Inject access control into dashboard service * Add function to parse id scopes * Add dashboard as return value * Update mock * Return only err to keep service interface * Add scope resolvers for dashboard id scopes * Add function to parse uid scopes * Add dashboard uid scope resolver * Register scope resolvers for dashboards Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-06-07 04:02:20 -05:00
folderUID = ac.GeneralFolderUID
} else {
Access Control: revert to using folder store from the scope resolvers (#64132) * revert to using folder store from the resolvers * fixing tests after revert * api test fixes --------- Co-authored-by: Kristin Laemmert <mildwonkey@users.noreply.github.com>
2023-03-03 09:56:33 -06:00
folder, err := folderDB.GetFolderByID(ctx, orgID, dashboard.FolderID)
RBAC: Add scope resolvers for dashboards (#50110) * Inject access control into dashboard service * Add function to parse id scopes * Add dashboard as return value * Update mock * Return only err to keep service interface * Add scope resolvers for dashboard id scopes * Add function to parse uid scopes * Add dashboard uid scope resolver * Register scope resolvers for dashboards Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-06-07 04:02:20 -05:00
if err != nil {
return nil, err
}
Nested Folders: Support getting of nested folder in folder service wh… (#58597) * Nested Folders: Support getting of nested folder in folder service when feature flag is set * Fix lint * Fix some tests * Fix ngalert test * ngalert fix * Fix API tests * Fix some tests and lint * Fix lint 2 * Fix library elements and panels * Add access control to get folder * Cleanup and minor test change
2022-11-11 07:28:24 -06:00
folderUID = folder.UID
RBAC: Add scope resolvers for dashboards (#50110) * Inject access control into dashboard service * Add function to parse id scopes * Add dashboard as return value * Update mock * Return only err to keep service interface * Add scope resolvers for dashboard id scopes * Add function to parse uid scopes * Add dashboard uid scope resolver * Register scope resolvers for dashboards Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-06-07 04:02:20 -05:00
}
RBAC: Handle case when folder id is negative (#53438)
2022-08-09 03:14:08 -05:00
RBAC: inherit folder permissions when resolving managed permissions (#62244) * add nested folder scope inheritance to managed permission services * add a more specific erorr * remove circular dependencies * use errutil for returning erorr * fix tests * fix tests * define a new error in ac package
2023-01-30 08:19:42 -06:00
result, err := GetInheritedScopes(ctx, orgID, folderUID, folderSvc)
Access control: Modify dashboard/folder resolvers so that return also the inherited scopes (#62025) * Access Control: Add folder service dependency to the dashboard/folder resolvers * Expose the function fetching parents to folder interface * Add generic prepend utility * Modify dashboard resolvers to return inherited scopes
2023-01-26 02:21:10 -06:00
if err != nil {
return nil, err
}
result = append([]string{
Chore: Move dashboard models to dashboard pkg (#61458) * Copy dashboard models to dashboard pkg * Use some models from current pkg instead of models * Adjust api pkg * Adjust pkg services * Fix lint
2023-01-16 09:33:55 -06:00
ScopeDashboardsProvider.GetResourceScopeUID(dashboard.UID),
RBAC: Add scope resolvers for dashboards (#50110) * Inject access control into dashboard service * Add function to parse id scopes * Add dashboard as return value * Update mock * Return only err to keep service interface * Add scope resolvers for dashboard id scopes * Add function to parse uid scopes * Add dashboard uid scope resolver * Register scope resolvers for dashboards Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-06-07 04:02:20 -05:00
ScopeFoldersProvider.GetResourceScopeUID(folderUID),
Access control: Modify dashboard/folder resolvers so that return also the inherited scopes (#62025) * Access Control: Add folder service dependency to the dashboard/folder resolvers * Expose the function fetching parents to folder interface * Add generic prepend utility * Modify dashboard resolvers to return inherited scopes
2023-01-26 02:21:10 -06:00
},
result...,
)
return result, nil
}
RBAC: inherit folder permissions when resolving managed permissions (#62244) * add nested folder scope inheritance to managed permission services * add a more specific erorr * remove circular dependencies * use errutil for returning erorr * fix tests * fix tests * define a new error in ac package
2023-01-30 08:19:42 -06:00
func GetInheritedScopes(ctx context.Context, orgID int64, folderUID string, folderSvc folder.Service) ([]string, error) {
RBAC: Do not search for parents of the root folder (#67746) do not search for parents of the general folder
2023-05-04 03:36:36 -05:00
if folderUID == ac.GeneralFolderUID {
return nil, nil
}
Access control: Modify dashboard/folder resolvers so that return also the inherited scopes (#62025) * Access Control: Add folder service dependency to the dashboard/folder resolvers * Expose the function fetching parents to folder interface * Add generic prepend utility * Modify dashboard resolvers to return inherited scopes
2023-01-26 02:21:10 -06:00
ancestors, err := folderSvc.GetParents(ctx, folder.GetParentsQuery{
UID: folderUID,
OrgID: orgID,
})
if err != nil {
RBAC: inherit folder permissions when resolving managed permissions (#62244) * add nested folder scope inheritance to managed permission services * add a more specific erorr * remove circular dependencies * use errutil for returning erorr * fix tests * fix tests * define a new error in ac package
2023-01-30 08:19:42 -06:00
return nil, ac.ErrInternal.Errorf("could not retrieve folder parents: %w", err)
Access control: Modify dashboard/folder resolvers so that return also the inherited scopes (#62025) * Access Control: Add folder service dependency to the dashboard/folder resolvers * Expose the function fetching parents to folder interface * Add generic prepend utility * Modify dashboard resolvers to return inherited scopes
2023-01-26 02:21:10 -06:00
}
result := make([]string, 0, len(ancestors))
for _, ff := range ancestors {
result = append(result, ScopeFoldersProvider.GetResourceScopeUID(ff.UID))
}
return result, nil
RBAC: Add scope resolvers for dashboards (#50110) * Inject access control into dashboard service * Add function to parse id scopes * Add dashboard as return value * Update mock * Return only err to keep service interface * Add scope resolvers for dashboard id scopes * Add function to parse uid scopes * Add dashboard uid scope resolver * Register scope resolvers for dashboards Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2022-06-07 04:02:20 -05:00
}
Reference in New Issue Copy Permalink