Service accounts: fix usage of errutil errors and convert more errors to errutil (#64299)
* fix usage of errutil errors and convert more errors to errutil * fix tests
@@ -2,7 +2,6 @@ package api
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"net/http"
|
||||
"strconv"
|
||||
|
||||
@@ -114,22 +113,12 @@ func (api *ServiceAccountsAPI) CreateServiceAccount(c *contextmodel.ReqContext)
|
||||
}
|
||||
|
||||
if err := api.validateRole(cmd.Role, &c.OrgRole); err != nil {
|
||||
switch {
|
||||
case errors.Is(err, serviceaccounts.ErrServiceAccountInvalidRole):
|
||||
return response.Error(http.StatusBadRequest, err.Error(), err)
|
||||
case errors.Is(err, serviceaccounts.ErrServiceAccountRolePrivilegeDenied):
|
||||
return response.Error(http.StatusForbidden, err.Error(), err)
|
||||
default:
|
||||
return response.Error(http.StatusInternalServerError, "failed to create service account", err)
|
||||
}
|
||||
return response.ErrOrFallback(http.StatusInternalServerError, "failed to create service account", err)
|
||||
}
|
||||
|
||||
serviceAccount, err := api.service.CreateServiceAccount(c.Req.Context(), c.OrgID, &cmd)
|
||||
switch {
|
||||
case errors.Is(err, serviceaccounts.ErrServiceAccountAlreadyExists):
|
||||
return response.Error(http.StatusBadRequest, "Failed to create service account", err)
|
||||
case err != nil:
|
||||
return response.Error(http.StatusInternalServerError, "Failed to create service account", err)
|
||||
if err != nil {
|
||||
return response.ErrOrFallback(http.StatusInternalServerError, "Failed to create service account", err)
|
||||
}
|
||||
|
||||
if !api.accesscontrol.IsDisabled() {
|
||||
@@ -169,12 +158,7 @@ func (api *ServiceAccountsAPI) RetrieveServiceAccount(ctx *contextmodel.ReqConte
|
||||
|
||||
serviceAccount, err := api.service.RetrieveServiceAccount(ctx.Req.Context(), ctx.OrgID, scopeID)
|
||||
if err != nil {
|
||||
switch {
|
||||
case errors.Is(err, serviceaccounts.ErrServiceAccountNotFound):
|
||||
return response.Error(http.StatusNotFound, "Failed to retrieve service account", err)
|
||||
default:
|
||||
return response.Error(http.StatusInternalServerError, "Failed to retrieve service account", err)
|
||||
}
|
||||
return response.ErrOrFallback(http.StatusInternalServerError, "Failed to retrieve service account", err)
|
||||
}
|
||||
|
||||
saIDString := strconv.FormatInt(serviceAccount.Id, 10)
|
||||
@@ -220,24 +204,12 @@ func (api *ServiceAccountsAPI) UpdateServiceAccount(c *contextmodel.ReqContext)
|
||||
}
|
||||
|
||||
if err := api.validateRole(cmd.Role, &c.OrgRole); err != nil {
|
||||
switch {
|
||||
case errors.Is(err, serviceaccounts.ErrServiceAccountInvalidRole):
|
||||
return response.Error(http.StatusBadRequest, err.Error(), err)
|
||||
case errors.Is(err, serviceaccounts.ErrServiceAccountRolePrivilegeDenied):
|
||||
return response.Error(http.StatusForbidden, err.Error(), err)
|
||||
default:
|
||||
return response.Error(http.StatusInternalServerError, "failed to update service account", err)
|
||||
}
|
||||
return response.ErrOrFallback(http.StatusInternalServerError, "failed to update service account", err)
|
||||
}
|
||||
|
||||
resp, err := api.service.UpdateServiceAccount(c.Req.Context(), c.OrgID, scopeID, &cmd)
|
||||
if err != nil {
|
||||
switch {
|
||||
case errors.Is(err, serviceaccounts.ErrServiceAccountNotFound):
|
||||
return response.Error(http.StatusNotFound, "Failed to retrieve service account", err)
|
||||
default:
|
||||
return response.Error(http.StatusInternalServerError, "Failed update service account", err)
|
||||
}
|
||||
return response.ErrOrFallback(http.StatusInternalServerError, "Failed update service account", err)
|
||||
}
|
||||
|
||||
saIDString := strconv.FormatInt(resp.Id, 10)
|
||||
@@ -255,10 +227,10 @@ func (api *ServiceAccountsAPI) UpdateServiceAccount(c *contextmodel.ReqContext)
|
||||
|
||||
func (api *ServiceAccountsAPI) validateRole(r *org.RoleType, orgRole *org.RoleType) error {
|
||||
if r != nil && !r.IsValid() {
|
||||
return serviceaccounts.ErrServiceAccountInvalidRole
|
||||
return serviceaccounts.ErrServiceAccountInvalidRole.Errorf("invalid role specified")
|
||||
}
|
||||
if r != nil && !orgRole.Includes(*r) {
|
||||
return serviceaccounts.ErrServiceAccountRolePrivilegeDenied
|
||||
return serviceaccounts.ErrServiceAccountRolePrivilegeDenied.Errorf("can not assign a role higher than user's role")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
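Review bot: The 403 for a caller requesting a role above its own now depends entirely on how `serviceaccounts.ErrServiceAccountRolePrivilegeDenied` is declared, because `validateRole` failures in CreateServiceAccount and UpdateServiceAccount go through `response.ErrOrFallback(http.StatusInternalServerError, ...)` and that declaration is not shown on this page. The same holds for the 400 on an already existing account and the 404 on a missing one: any service-layer error that is still a plain error would presumably surface as a 500 with the fallback text. Table cases that pin 400, 403 and 404 for these handlers would keep the privilege check from regressing silently. `validateRole` also deserves a doc comment, for example `// validateRole rejects an invalid role and any role the caller's org role does not include, so a caller cannot give a service account more privileges than it holds itself.` The handler bodies start and end outside the hunks.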
@@ -1,7 +1,6 @@
|
||||
package api
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"net/http"
|
||||
"strconv"
|
||||
"time"
|
||||
@@ -9,7 +8,6 @@ import (
|
||||
"github.com/grafana/grafana/pkg/api/dtos"
|
||||
"github.com/grafana/grafana/pkg/api/response"
|
||||
apikeygenprefix "github.com/grafana/grafana/pkg/components/apikeygenprefixed"
|
||||
"github.com/grafana/grafana/pkg/services/apikey"
|
||||
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
|
||||
"github.com/grafana/grafana/pkg/services/serviceaccounts"
|
||||
"github.com/grafana/grafana/pkg/web"
|
||||
@@ -133,17 +131,12 @@ func (api *ServiceAccountsAPI) CreateToken(c *contextmodel.ReqContext) response.
|
||||
}
|
||||
|
||||
// confirm service account exists
|
||||
if _, err := api.service.RetrieveServiceAccount(c.Req.Context(), c.OrgID, saID); err != nil {
|
||||
switch {
|
||||
case errors.Is(err, serviceaccounts.ErrServiceAccountNotFound):
|
||||
return response.Error(http.StatusNotFound, "Failed to retrieve service account", err)
|
||||
default:
|
||||
return response.Error(http.StatusInternalServerError, "Failed to retrieve service account", err)
|
||||
}
|
||||
if _, err = api.service.RetrieveServiceAccount(c.Req.Context(), c.OrgID, saID); err != nil {
|
||||
return response.ErrOrFallback(http.StatusInternalServerError, "Failed to retrieve service account", err)
|
||||
}
|
||||
|
||||
cmd := serviceaccounts.AddServiceAccountTokenCommand{}
|
||||
if err := web.Bind(c.Req, &cmd); err != nil {
|
||||
if err = web.Bind(c.Req, &cmd); err != nil {
|
||||
return response.Error(http.StatusBadRequest, "Bad request data", err)
|
||||
}
|
||||
|
||||
@@ -176,13 +169,7 @@ func (api *ServiceAccountsAPI) CreateToken(c *contextmodel.ReqContext) response.
|
||||
|
||||
apiKey, err := api.service.AddServiceAccountToken(c.Req.Context(), saID, &cmd)
|
||||
if err != nil {
|
||||
if errors.Is(err, serviceaccounts.ErrInvalidTokenExpiration) {
|
||||
return response.Error(http.StatusBadRequest, err.Error(), nil)
|
||||
}
|
||||
if errors.Is(err, serviceaccounts.ErrDuplicateToken) {
|
||||
return response.Error(http.StatusConflict, err.Error(), nil)
|
||||
}
|
||||
return response.Error(http.StatusInternalServerError, "Failed to add service account token", err)
|
||||
return response.ErrOrFallback(http.StatusInternalServerError, "failed to add service account token", err)
|
||||
}
|
||||
|
||||
result := &dtos.NewApiKeyResult{
|
||||
@@ -218,12 +205,7 @@ func (api *ServiceAccountsAPI) DeleteToken(c *contextmodel.ReqContext) response.
|
||||
|
||||
// confirm service account exists
|
||||
if _, err := api.service.RetrieveServiceAccount(c.Req.Context(), c.OrgID, saID); err != nil {
|
||||
switch {
|
||||
case errors.Is(err, serviceaccounts.ErrServiceAccountNotFound):
|
||||
return response.Error(http.StatusNotFound, "Failed to retrieve service account", err)
|
||||
default:
|
||||
return response.Error(http.StatusInternalServerError, "Failed to retrieve service account", err)
|
||||
}
|
||||
return response.ErrOrFallback(http.StatusInternalServerError, "Failed to retrieve service account", err)
|
||||
}
|
||||
|
||||
tokenID, err := strconv.ParseInt(web.Params(c.Req)[":tokenId"], 10, 64)
|
||||
@@ -232,14 +214,7 @@ func (api *ServiceAccountsAPI) DeleteToken(c *contextmodel.ReqContext) response.
|
||||
}
|
||||
|
||||
if err = api.service.DeleteServiceAccountToken(c.Req.Context(), c.OrgID, saID, tokenID); err != nil {
|
||||
status := http.StatusNotFound
|
||||
if err != nil && !errors.Is(err, apikey.ErrNotFound) {
|
||||
status = http.StatusInternalServerError
|
||||
} else {
|
||||
err = apikey.ErrNotFound
|
||||
}
|
||||
|
||||
return response.Error(status, failedToDeleteMsg, err)
|
||||
return response.ErrOrFallback(http.StatusInternalServerError, failedToDeleteMsg, err)
|
||||
}
|
||||
|
||||
return response.Success("Service account token deleted")
|
||||
|
||||
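Review bot: In DeleteToken the result of `api.service.DeleteServiceAccountToken` used to be mapped to 404 when it matched `apikey.ErrNotFound`; the new `response.ErrOrFallback(http.StatusInternalServerError, failedToDeleteMsg, err)` answers 404 only if the service now returns an error that carries that status itself, which this page does not show. If the token store still returns the plain sentinel, deleting an unknown token becomes a 500, which reads as a server fault in error-rate monitoring and hides a client mistake. The same dependency applies to the 400 and 409 that CreateToken previously returned for `ErrInvalidTokenExpiration` and `ErrDuplicateToken`. A DeleteToken case with an existing service account and a missing token, expecting `http.StatusNotFound`, would settle it; the test changes on this page only cover a missing service account.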
@@ -92,7 +92,7 @@ func TestServiceAccountsAPI_CreateToken(t *testing.T) {
|
||||
body: `{"name": "test"}`,
|
||||
tokenTTL: -1,
|
||||
permissions: []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: "serviceaccounts:id:1"}},
|
||||
expectedErr: serviceaccounts.ErrServiceAccountNotFound,
|
||||
expectedErr: serviceaccounts.ErrServiceAccountNotFound.Errorf(""),
|
||||
expectedCode: http.StatusNotFound,
|
||||
},
|
||||
{
|
||||
@@ -155,7 +155,7 @@ func TestServiceAccountsAPI_DeleteToken(t *testing.T) {
|
||||
saID: 1,
|
||||
apikeyID: 1,
|
||||
permissions: []accesscontrol.Permission{{Action: serviceaccounts.ActionWrite, Scope: "serviceaccounts:id:1"}},
|
||||
expectedErr: serviceaccounts.ErrServiceAccountNotFound,
|
||||
expectedErr: serviceaccounts.ErrServiceAccountNotFound.Errorf(""),
|
||||
expectedCode: http.StatusNotFound,
|
||||
},
|
||||
}
|
||||
|
||||
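Review bot: `serviceaccounts.ErrServiceAccountNotFound.Errorf("")` in the CreateToken and DeleteToken tables builds the expected error with an empty message, so whatever the handler logs for these cases carries no text. A short message such as `.Errorf("service account not found")` would make a failing run easier to read. The surrounding table entries start outside the hunks.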