mirror of
https://github.com/grafana/grafana.git
synced 2025-02-25 18:55:37 -06:00
authz: Clean up acl endpoints and dashboard guardian (#73746)
* RBAC: remove unnessisary guardian construction and update tests * RBAC: remove usage of guardian in UpdateFolderPermissions and refactor test * RBAC: remove usage of guardian in update and get permissions for dashboards
This commit is contained in:
Karl Persson
GitHub
@@ -9,17 +9,10 @@ import (
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/dashboards"
|
||||
"github.com/grafana/grafana/pkg/services/folder"
|
||||
"github.com/grafana/grafana/pkg/services/org"
|
||||
"github.com/grafana/grafana/pkg/services/user"
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
)
|
||||
|
||||
var permissionMap = map[string]dashboards.PermissionType{
|
||||
"View": dashboards.PERMISSION_VIEW,
|
||||
"Edit": dashboards.PERMISSION_EDIT,
|
||||
"Admin": dashboards.PERMISSION_ADMIN,
|
||||
}
|
||||
|
||||
var _ DashboardGuardian = new(accessControlDashboardGuardian)
|
||||
|
||||
// NewAccessControlDashboardGuardianByDashboard creates a dashboard guardian by the provided dashboardId.
|
||||
@@ -390,189 +383,6 @@ func (a *accessControlFolderGuardian) evaluate(evaluator accesscontrol.Evaluator
|
||||
return ok, err
|
||||
}
|
||||
|
||||
func (a *accessControlBaseGuardian) CheckPermissionBeforeUpdate(permission dashboards.PermissionType, updatePermissions []*dashboards.DashboardACL) (bool, error) {
|
||||
// always true for access control
|
||||
return true, nil
|
||||
}
|
||||
|
||||
// GetACL translate access control permissions to dashboard acl info
|
||||
func (a *accessControlDashboardGuardian) GetACL() ([]*dashboards.DashboardACLInfoDTO, error) {
|
||||
if a.dashboard == nil {
|
||||
return nil, ErrGuardianGetDashboardFailure.Errorf("failed to translate access control permissions to dashboard acl info")
|
||||
}
|
||||
|
||||
svc := a.dashboardPermissionsService
|
||||
|
||||
permissions, err := svc.GetPermissions(a.ctx, a.user, a.dashboard.UID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
acl := make([]*dashboards.DashboardACLInfoDTO, 0, len(permissions))
|
||||
for _, p := range permissions {
|
||||
if !p.IsManaged {
|
||||
continue
|
||||
}
|
||||
|
||||
var role *org.RoleType
|
||||
if p.BuiltInRole != "" {
|
||||
tmp := org.RoleType(p.BuiltInRole)
|
||||
role = &tmp
|
||||
}
|
||||
|
||||
acl = append(acl, &dashboards.DashboardACLInfoDTO{
|
||||
OrgID: a.dashboard.OrgID,
|
||||
DashboardID: a.dashboard.ID,
|
||||
FolderID: a.dashboard.FolderID,
|
||||
Created: p.Created,
|
||||
Updated: p.Updated,
|
||||
UserID: p.UserId,
|
||||
UserLogin: p.UserLogin,
|
||||
UserEmail: p.UserEmail,
|
||||
TeamID: p.TeamId,
|
||||
TeamEmail: p.TeamEmail,
|
||||
Team: p.Team,
|
||||
Role: role,
|
||||
Permission: permissionMap[svc.MapActions(p)],
|
||||
PermissionName: permissionMap[svc.MapActions(p)].String(),
|
||||
UID: a.dashboard.UID,
|
||||
Title: a.dashboard.Title,
|
||||
Slug: a.dashboard.Slug,
|
||||
IsFolder: a.dashboard.IsFolder,
|
||||
URL: a.dashboard.GetURL(),
|
||||
Inherited: false,
|
||||
})
|
||||
}
|
||||
|
||||
return acl, nil
|
||||
}
|
||||
|
||||
// GetACL translate access control permissions to dashboard acl info
|
||||
func (a *accessControlFolderGuardian) GetACL() ([]*dashboards.DashboardACLInfoDTO, error) {
|
||||
if a.folder == nil {
|
||||
return nil, ErrGuardianGetFolderFailure.Errorf("failed to translate access control permissions to dashboard acl info")
|
||||
}
|
||||
|
||||
svc := a.folderPermissionsService
|
||||
|
||||
permissions, err := svc.GetPermissions(a.ctx, a.user, a.folder.UID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
acl := make([]*dashboards.DashboardACLInfoDTO, 0, len(permissions))
|
||||
for _, p := range permissions {
|
||||
if !p.IsManaged {
|
||||
continue
|
||||
}
|
||||
|
||||
var role *org.RoleType
|
||||
if p.BuiltInRole != "" {
|
||||
tmp := org.RoleType(p.BuiltInRole)
|
||||
role = &tmp
|
||||
}
|
||||
|
||||
acl = append(acl, &dashboards.DashboardACLInfoDTO{
|
||||
OrgID: a.folder.OrgID,
|
||||
DashboardID: a.folder.ID,
|
||||
FolderUID: a.folder.ParentUID,
|
||||
Created: p.Created,
|
||||
Updated: p.Updated,
|
||||
UserID: p.UserId,
|
||||
UserLogin: p.UserLogin,
|
||||
UserEmail: p.UserEmail,
|
||||
TeamID: p.TeamId,
|
||||
TeamEmail: p.TeamEmail,
|
||||
Team: p.Team,
|
||||
Role: role,
|
||||
Permission: permissionMap[svc.MapActions(p)],
|
||||
PermissionName: permissionMap[svc.MapActions(p)].String(),
|
||||
UID: a.folder.UID,
|
||||
Title: a.folder.Title,
|
||||
//Slug: a.folder.Slug,
|
||||
IsFolder: true,
|
||||
URL: a.folder.WithURL().URL,
|
||||
Inherited: false,
|
||||
})
|
||||
}
|
||||
|
||||
return acl, nil
|
||||
}
|
||||
|
||||
func (a *accessControlDashboardGuardian) GetACLWithoutDuplicates() ([]*dashboards.DashboardACLInfoDTO, error) {
|
||||
return a.GetACL()
|
||||
}
|
||||
|
||||
func (a *accessControlFolderGuardian) GetACLWithoutDuplicates() ([]*dashboards.DashboardACLInfoDTO, error) {
|
||||
return a.GetACL()
|
||||
}
|
||||
|
||||
func (a *accessControlDashboardGuardian) GetHiddenACL(cfg *setting.Cfg) ([]*dashboards.DashboardACL, error) {
|
||||
var hiddenACL []*dashboards.DashboardACL
|
||||
if a.user.IsGrafanaAdmin {
|
||||
return hiddenACL, nil
|
||||
}
|
||||
|
||||
existingPermissions, err := a.GetACL()
|
||||
if err != nil {
|
||||
return hiddenACL, err
|
||||
}
|
||||
|
||||
for _, item := range existingPermissions {
|
||||
if item.Inherited || item.UserLogin == a.user.Login {
|
||||
continue
|
||||
}
|
||||
|
||||
if _, hidden := cfg.HiddenUsers[item.UserLogin]; hidden {
|
||||
hiddenACL = append(hiddenACL, &dashboards.DashboardACL{
|
||||
OrgID: item.OrgID,
|
||||
DashboardID: item.DashboardID,
|
||||
UserID: item.UserID,
|
||||
TeamID: item.TeamID,
|
||||
Role: item.Role,
|
||||
Permission: item.Permission,
|
||||
Created: item.Created,
|
||||
Updated: item.Updated,
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
return hiddenACL, nil
|
||||
}
|
||||
|
||||
func (a *accessControlFolderGuardian) GetHiddenACL(cfg *setting.Cfg) ([]*dashboards.DashboardACL, error) {
|
||||
var hiddenACL []*dashboards.DashboardACL
|
||||
if a.user.IsGrafanaAdmin {
|
||||
return hiddenACL, nil
|
||||
}
|
||||
|
||||
existingPermissions, err := a.GetACL()
|
||||
if err != nil {
|
||||
return hiddenACL, err
|
||||
}
|
||||
|
||||
for _, item := range existingPermissions {
|
||||
if item.Inherited || item.UserLogin == a.user.Login {
|
||||
continue
|
||||
}
|
||||
|
||||
if _, hidden := cfg.HiddenUsers[item.UserLogin]; hidden {
|
||||
hiddenACL = append(hiddenACL, &dashboards.DashboardACL{
|
||||
OrgID: item.OrgID,
|
||||
DashboardID: item.DashboardID,
|
||||
UserID: item.UserID,
|
||||
TeamID: item.TeamID,
|
||||
Role: item.Role,
|
||||
Permission: item.Permission,
|
||||
Created: item.Created,
|
||||
Updated: item.Updated,
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
return hiddenACL, nil
|
||||
}
|
||||
|
||||
func (a *accessControlDashboardGuardian) loadParentFolder(folderID int64) (*dashboards.Dashboard, error) {
|
||||
if folderID == 0 {
|
||||
return &dashboards.Dashboard{UID: accesscontrol.GeneralFolderUID}, nil
|
||||
|
||||
Reference in New Issue
Block a user