grafana/pkg/services/accesscontrol/database/database.go

package database

import (
	"context"
	"strconv"
	"strings"

	"github.com/grafana/grafana/pkg/infra/db"
	"github.com/grafana/grafana/pkg/services/accesscontrol"
)

func ProvideService(sql db.DB) *AccessControlStore {
	return &AccessControlStore{sql}
}

type AccessControlStore struct {
	sql db.DB
}

func (s *AccessControlStore) GetUserPermissions(ctx context.Context, query accesscontrol.GetUserPermissionsQuery) ([]accesscontrol.Permission, error) {
	result := make([]accesscontrol.Permission, 0)
	err := s.sql.WithDbSession(ctx, func(sess *db.Session) error {
		if query.UserID == 0 && len(query.TeamIDs) == 0 && len(query.Roles) == 0 {
			// no permission to fetch
			return nil
		}

		filter, params := accesscontrol.UserRolesFilter(query.OrgID, query.UserID, query.TeamIDs, query.Roles)

		q := `
		SELECT
			permission.action,
			permission.scope
			FROM permission
			INNER JOIN role ON role.id = permission.role_id
		` + filter

		if len(query.Actions) > 0 {
			q += " WHERE permission.action IN("
			if len(query.Actions) > 0 {
				q += "?" + strings.Repeat(",?", len(query.Actions)-1)
			}
			q += ")"
			for _, a := range query.Actions {
				params = append(params, a)
			}
		}
		if err := sess.SQL(q, params...).Find(&result); err != nil {
			return err
		}

		return nil
	})

	return result, err
}

func (s *AccessControlStore) DeleteUserPermissions(ctx context.Context, orgID, userID int64) error {
	err := s.sql.WithDbSession(ctx, func(sess *db.Session) error {
		roleDeleteQuery := "DELETE FROM user_role WHERE user_id = ?"
		roleDeleteParams := []interface{}{roleDeleteQuery, userID}
		if orgID != accesscontrol.GlobalOrgID {
			roleDeleteQuery += " AND org_id = ?"
			roleDeleteParams = []interface{}{roleDeleteQuery, userID, orgID}
		}

		// Delete user role assignments
		if _, err := sess.Exec(roleDeleteParams...); err != nil {
			return err
		}

		// only delete scopes to user if all permissions is removed (i.e. user is removed)
		if orgID == accesscontrol.GlobalOrgID {
			// Delete permissions that are scoped to user
			if _, err := sess.Exec("DELETE FROM permission WHERE scope = ?", accesscontrol.Scope("users", "id", strconv.FormatInt(userID, 10))); err != nil {
				return err
			}
		}

		roleQuery := "SELECT id FROM role WHERE name = ?"
		roleParams := []interface{}{accesscontrol.ManagedUserRoleName(userID)}
		if orgID != accesscontrol.GlobalOrgID {
			roleQuery += " AND org_id = ?"
			roleParams = []interface{}{accesscontrol.ManagedUserRoleName(userID), orgID}
		}

		var roleIDs []int64
		if err := sess.SQL(roleQuery, roleParams...).Find(&roleIDs); err != nil {
			return err
		}

		if len(roleIDs) == 0 {
			return nil
		}

		permissionDeleteQuery := "DELETE FROM permission WHERE role_id IN(? " + strings.Repeat(",?", len(roleIDs)-1) + ")"
		permissionDeleteParams := make([]interface{}, 0, len(roleIDs)+1)
		permissionDeleteParams = append(permissionDeleteParams, permissionDeleteQuery)
		for _, id := range roleIDs {
			permissionDeleteParams = append(permissionDeleteParams, id)
		}

		// Delete managed user permissions
		if _, err := sess.Exec(permissionDeleteParams...); err != nil {
			return err
		}

		managedRoleDeleteQuery := "DELETE FROM role WHERE id IN(? " + strings.Repeat(",?", len(roleIDs)-1) + ")"
		managedRoleDeleteParams := []interface{}{managedRoleDeleteQuery}
		for _, id := range roleIDs {
			managedRoleDeleteParams = append(managedRoleDeleteParams, id)
		}
		// Delete managed user roles
		if _, err := sess.Exec(managedRoleDeleteParams...); err != nil {
			return err
		}

		return nil
	})
	return err
}
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-11-11 14:02:53 +01:00			`package database`

			`import (`
			`"context"`
Copy delete user permission to access control service (#51747) * Copy delete user permission to access control service * Update pkg/services/accesscontrol/database/database_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> 2022-07-05 18:05:56 +02:00			`"strconv"`
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-11-11 14:02:53 +01:00			`"strings"`

chore: remove sqlstore & mockstore dependencies from (most) packages (#57087) * chore: add alias for InitTestDB and Session Adds an alias for the sqlstore InitTestDB and Session, and updates tests using these to reduce dependencies on the sqlstore.Store. * next pass of removing sqlstore imports * last little bit * remove mockstore where possible 2022-10-19 09:02:15 -04:00			`"github.com/grafana/grafana/pkg/infra/db"`
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-11-11 14:02:53 +01:00			`"github.com/grafana/grafana/pkg/services/accesscontrol"`
			`)`

chore: replace sqlstore.Store with db.DB (#57010) * chore: replace sqlstore.SQLStore with db.DB * more post-sqlstore.SQLStore cleanup 2022-10-14 15:33:06 -04:00			`func ProvideService(sql db.DB) *AccessControlStore {`
RBAC: Initiate store in service (#55081) * RBAC: Dont inject store with wire * RBAC: Use Store interface * RBAC: Move store interface and initiate it from service 2022-09-15 11:34:15 +02:00			`return &AccessControlStore{sql}`
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-11-11 14:02:53 +01:00			`}`

			`type AccessControlStore struct {`
chore: replace sqlstore.Store with db.DB (#57010) * chore: replace sqlstore.SQLStore with db.DB * more post-sqlstore.SQLStore cleanup 2022-10-14 15:33:06 -04:00			`sql db.DB`
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-11-11 14:02:53 +01:00			`}`

RBAC: Refactor GetUserPermissions to use []accesscontrol.Permission (#50683) * Return slice of permissions instead of slice of pointers for permissions 2022-06-14 10:17:48 +02:00			`func (s *AccessControlStore) GetUserPermissions(ctx context.Context, query accesscontrol.GetUserPermissionsQuery) ([]accesscontrol.Permission, error) {`
			`result := make([]accesscontrol.Permission, 0)`
chore: remove sqlstore & mockstore dependencies from (most) packages (#57087) * chore: add alias for InitTestDB and Session Adds an alias for the sqlstore InitTestDB and Session, and updates tests using these to reduce dependencies on the sqlstore.Store. * next pass of removing sqlstore imports * last little bit * remove mockstore where possible 2022-10-19 09:02:15 -04:00			`err := s.sql.WithDbSession(ctx, func(sess *db.Session) error {`
RBAC: Update permission query to not join on team table (#53677) * RBAC: Add teamIDs to get permission query * RBAC: Remove join on team table and use team ids * RBAC: Pass team ids 2022-08-15 09:41:20 +02:00			`if query.UserID == 0 && len(query.TeamIDs) == 0 && len(query.Roles) == 0 {`
			`// no permission to fetch`
			`return nil`
			`}`

RBAC: Improve performance of dashboard filter query (#56813) * RBAC: Move UserRolesFilter to domain package * Dashboard Permissions: Rewrite rbac filter to check access in sql * RBAC: Add break when wildcard is found * RBAC: Add tests for dashboard filter * RBAC: Update tests * RBAC: Cover more test cases Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2022-10-25 11:14:27 +02:00			`filter, params := accesscontrol.UserRolesFilter(query.OrgID, query.UserID, query.TeamIDs, query.Roles)`
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-11-11 14:02:53 +01:00
RBAC: Update permission query to not join on team table (#53677) * RBAC: Add teamIDs to get permission query * RBAC: Remove join on team table and use team ids * RBAC: Pass team ids 2022-08-15 09:41:20 +02:00			q := `
			`SELECT`
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-11-11 14:02:53 +01:00			`permission.action,`
AccessControl: Only return action and scope for user permissions and make them unique (#48939) * Only return action and scope for user permissions and make them unique 2022-05-12 17:15:18 +02:00			`permission.scope`
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-11-11 14:02:53 +01:00			`FROM permission`
			`INNER JOIN role ON role.id = permission.role_id`
			` + filter

RBAC: Update permission query to not join on team table (#53677) * RBAC: Add teamIDs to get permission query * RBAC: Remove join on team table and use team ids * RBAC: Pass team ids 2022-08-15 09:41:20 +02:00			`if len(query.Actions) > 0 {`
			`q += " WHERE permission.action IN("`
Access control: Load permissions from memory and database (#42080) * Load permission from both in memory and from database Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> 2022-01-28 16:11:18 +01:00			`if len(query.Actions) > 0 {`
			`q += "?" + strings.Repeat(",?", len(query.Actions)-1)`
			`}`
			`q += ")"`
			`for _, a := range query.Actions {`
			`params = append(params, a)`
			`}`
			`}`
Access Control: Move part of access control database (#40483) * Add accesscontrol migrations * Add ResourceStore interface and related structs * Add team/user/builtin-role * Add accesscontrol database with functions to handle managed roles and permissions * Add ResourceManager * Add GetUserPermissions * Update pkg/services/accesscontrol/accesscontrol.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2021-11-11 14:02:53 +01:00			`if err := sess.SQL(q, params...).Find(&result); err != nil {`
			`return err`
			`}`

			`return nil`
			`})`

			`return result, err`
			`}`

RBAC: Remove user permissions in org when user is removed (#53782) * RBAC: Add orgID to DeleteUserPermissions * RBAC: Refactor query to delete all permissions in specified org, 0 deletes all permissions * Delete user permission in org when user is removed * Remove call to delete permissions in frontend * Remove user permissions if removed orgs is detected during oauth sync Co-authored-by: Jo <joao.guerreiro@grafana.com> 2022-08-17 16:32:02 +02:00			`func (s *AccessControlStore) DeleteUserPermissions(ctx context.Context, orgID, userID int64) error {`
chore: remove sqlstore & mockstore dependencies from (most) packages (#57087) * chore: add alias for InitTestDB and Session Adds an alias for the sqlstore InitTestDB and Session, and updates tests using these to reduce dependencies on the sqlstore.Store. * next pass of removing sqlstore imports * last little bit * remove mockstore where possible 2022-10-19 09:02:15 -04:00			`err := s.sql.WithDbSession(ctx, func(sess *db.Session) error {`
RBAC: Remove user permissions in org when user is removed (#53782) * RBAC: Add orgID to DeleteUserPermissions * RBAC: Refactor query to delete all permissions in specified org, 0 deletes all permissions * Delete user permission in org when user is removed * Remove call to delete permissions in frontend * Remove user permissions if removed orgs is detected during oauth sync Co-authored-by: Jo <joao.guerreiro@grafana.com> 2022-08-17 16:32:02 +02:00			`roleDeleteQuery := "DELETE FROM user_role WHERE user_id = ?"`
			`roleDeleteParams := []interface{}{roleDeleteQuery, userID}`
			`if orgID != accesscontrol.GlobalOrgID {`
			`roleDeleteQuery += " AND org_id = ?"`
			`roleDeleteParams = []interface{}{roleDeleteQuery, userID, orgID}`
			`}`

Copy delete user permission to access control service (#51747) * Copy delete user permission to access control service * Update pkg/services/accesscontrol/database/database_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> 2022-07-05 18:05:56 +02:00			`// Delete user role assignments`
RBAC: Remove user permissions in org when user is removed (#53782) * RBAC: Add orgID to DeleteUserPermissions * RBAC: Refactor query to delete all permissions in specified org, 0 deletes all permissions * Delete user permission in org when user is removed * Remove call to delete permissions in frontend * Remove user permissions if removed orgs is detected during oauth sync Co-authored-by: Jo <joao.guerreiro@grafana.com> 2022-08-17 16:32:02 +02:00			`if _, err := sess.Exec(roleDeleteParams...); err != nil {`
Copy delete user permission to access control service (#51747) * Copy delete user permission to access control service * Update pkg/services/accesscontrol/database/database_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> 2022-07-05 18:05:56 +02:00			`return err`
			`}`

RBAC: Remove user permissions in org when user is removed (#53782) * RBAC: Add orgID to DeleteUserPermissions * RBAC: Refactor query to delete all permissions in specified org, 0 deletes all permissions * Delete user permission in org when user is removed * Remove call to delete permissions in frontend * Remove user permissions if removed orgs is detected during oauth sync Co-authored-by: Jo <joao.guerreiro@grafana.com> 2022-08-17 16:32:02 +02:00			`// only delete scopes to user if all permissions is removed (i.e. user is removed)`
			`if orgID == accesscontrol.GlobalOrgID {`
			`// Delete permissions that are scoped to user`
			`if _, err := sess.Exec("DELETE FROM permission WHERE scope = ?", accesscontrol.Scope("users", "id", strconv.FormatInt(userID, 10))); err != nil {`
			`return err`
			`}`
			`}`

			`roleQuery := "SELECT id FROM role WHERE name = ?"`
			`roleParams := []interface{}{accesscontrol.ManagedUserRoleName(userID)}`
			`if orgID != accesscontrol.GlobalOrgID {`
			`roleQuery += " AND org_id = ?"`
			`roleParams = []interface{}{accesscontrol.ManagedUserRoleName(userID), orgID}`
Copy delete user permission to access control service (#51747) * Copy delete user permission to access control service * Update pkg/services/accesscontrol/database/database_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> 2022-07-05 18:05:56 +02:00			`}`

			`var roleIDs []int64`
RBAC: Remove user permissions in org when user is removed (#53782) * RBAC: Add orgID to DeleteUserPermissions * RBAC: Refactor query to delete all permissions in specified org, 0 deletes all permissions * Delete user permission in org when user is removed * Remove call to delete permissions in frontend * Remove user permissions if removed orgs is detected during oauth sync Co-authored-by: Jo <joao.guerreiro@grafana.com> 2022-08-17 16:32:02 +02:00			`if err := sess.SQL(roleQuery, roleParams...).Find(&roleIDs); err != nil {`
Copy delete user permission to access control service (#51747) * Copy delete user permission to access control service * Update pkg/services/accesscontrol/database/database_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> 2022-07-05 18:05:56 +02:00			`return err`
			`}`

			`if len(roleIDs) == 0 {`
			`return nil`
			`}`

RBAC: Remove user permissions in org when user is removed (#53782) * RBAC: Add orgID to DeleteUserPermissions * RBAC: Refactor query to delete all permissions in specified org, 0 deletes all permissions * Delete user permission in org when user is removed * Remove call to delete permissions in frontend * Remove user permissions if removed orgs is detected during oauth sync Co-authored-by: Jo <joao.guerreiro@grafana.com> 2022-08-17 16:32:02 +02:00			`permissionDeleteQuery := "DELETE FROM permission WHERE role_id IN(? " + strings.Repeat(",?", len(roleIDs)-1) + ")"`
			`permissionDeleteParams := make([]interface{}, 0, len(roleIDs)+1)`
			`permissionDeleteParams = append(permissionDeleteParams, permissionDeleteQuery)`
Copy delete user permission to access control service (#51747) * Copy delete user permission to access control service * Update pkg/services/accesscontrol/database/database_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> 2022-07-05 18:05:56 +02:00			`for _, id := range roleIDs {`
RBAC: Remove user permissions in org when user is removed (#53782) * RBAC: Add orgID to DeleteUserPermissions * RBAC: Refactor query to delete all permissions in specified org, 0 deletes all permissions * Delete user permission in org when user is removed * Remove call to delete permissions in frontend * Remove user permissions if removed orgs is detected during oauth sync Co-authored-by: Jo <joao.guerreiro@grafana.com> 2022-08-17 16:32:02 +02:00			`permissionDeleteParams = append(permissionDeleteParams, id)`
Copy delete user permission to access control service (#51747) * Copy delete user permission to access control service * Update pkg/services/accesscontrol/database/database_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> 2022-07-05 18:05:56 +02:00			`}`

			`// Delete managed user permissions`
RBAC: Remove user permissions in org when user is removed (#53782) * RBAC: Add orgID to DeleteUserPermissions * RBAC: Refactor query to delete all permissions in specified org, 0 deletes all permissions * Delete user permission in org when user is removed * Remove call to delete permissions in frontend * Remove user permissions if removed orgs is detected during oauth sync Co-authored-by: Jo <joao.guerreiro@grafana.com> 2022-08-17 16:32:02 +02:00			`if _, err := sess.Exec(permissionDeleteParams...); err != nil {`
Copy delete user permission to access control service (#51747) * Copy delete user permission to access control service * Update pkg/services/accesscontrol/database/database_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> 2022-07-05 18:05:56 +02:00			`return err`
			`}`

RBAC: Remove user permissions in org when user is removed (#53782) * RBAC: Add orgID to DeleteUserPermissions * RBAC: Refactor query to delete all permissions in specified org, 0 deletes all permissions * Delete user permission in org when user is removed * Remove call to delete permissions in frontend * Remove user permissions if removed orgs is detected during oauth sync Co-authored-by: Jo <joao.guerreiro@grafana.com> 2022-08-17 16:32:02 +02:00			`managedRoleDeleteQuery := "DELETE FROM role WHERE id IN(? " + strings.Repeat(",?", len(roleIDs)-1) + ")"`
			`managedRoleDeleteParams := []interface{}{managedRoleDeleteQuery}`
			`for _, id := range roleIDs {`
			`managedRoleDeleteParams = append(managedRoleDeleteParams, id)`
			`}`
Copy delete user permission to access control service (#51747) * Copy delete user permission to access control service * Update pkg/services/accesscontrol/database/database_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> 2022-07-05 18:05:56 +02:00			`// Delete managed user roles`
RBAC: Remove user permissions in org when user is removed (#53782) * RBAC: Add orgID to DeleteUserPermissions * RBAC: Refactor query to delete all permissions in specified org, 0 deletes all permissions * Delete user permission in org when user is removed * Remove call to delete permissions in frontend * Remove user permissions if removed orgs is detected during oauth sync Co-authored-by: Jo <joao.guerreiro@grafana.com> 2022-08-17 16:32:02 +02:00			`if _, err := sess.Exec(managedRoleDeleteParams...); err != nil {`
Copy delete user permission to access control service (#51747) * Copy delete user permission to access control service * Update pkg/services/accesscontrol/database/database_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> 2022-07-05 18:05:56 +02:00			`return err`
			`}`

			`return nil`
			`})`
			`return err`
			`}`