Access-control: use role UID when adding/removing roles (#32438)

Alexander Zobnin 2021-03-29 18:36:48 +03:00 committed by GitHub
parent c4d5a67b38
commit 20f6ba5ba4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 56 additions and 56 deletions


@ -449,44 +449,46 @@ func (*AccessControlStore) userRolesFilter(orgID, userID int64, roles []string)
func (ac *AccessControlStore) AddTeamRole(cmd *accesscontrol.AddTeamRoleCommand) error { func (ac *AccessControlStore) AddTeamRole(cmd *accesscontrol.AddTeamRoleCommand) error {
return ac.SQLStore.WithTransactionalDbSession(context.Background(), func(sess *sqlstore.DBSession) error { return ac.SQLStore.WithTransactionalDbSession(context.Background(), func(sess *sqlstore.DBSession) error {
if res, err := sess.Query("SELECT 1 from team_role WHERE org_id=? and team_id=? and role_id=?", cmd.OrgID, cmd.TeamID, cmd.RoleID); err != nil { role, err := getRoleByUID(sess, cmd.RoleUID, cmd.OrgID)
if err != nil {
return err return err
} else if len(res) == 1 {
return accesscontrol.ErrTeamRoleAlreadyAdded
} }
if _, err := teamExists(cmd.OrgID, cmd.TeamID, sess); err != nil { if _, err := teamExists(cmd.OrgID, cmd.TeamID, sess); err != nil {
return err return err
} }
if _, err := roleExists(cmd.OrgID, cmd.RoleID, sess); err != nil { if res, err := sess.Query("SELECT 1 from team_role WHERE org_id=? and team_id=? and role_id=?", cmd.OrgID, cmd.TeamID, role.ID); err != nil {
return err return err
} else if len(res) == 1 {
return accesscontrol.ErrTeamRoleAlreadyAdded
} }
teamRole := &accesscontrol.TeamRole{ teamRole := &accesscontrol.TeamRole{
OrgID: cmd.OrgID, OrgID: cmd.OrgID,
TeamID: cmd.TeamID, TeamID: cmd.TeamID,
RoleID: cmd.RoleID, RoleID: role.ID,
Created: TimeNow(), Created: TimeNow(),
} }
_, err := sess.Insert(teamRole) _, err = sess.Insert(teamRole)
return err return err
}) })
} }
func (ac *AccessControlStore) RemoveTeamRole(cmd *accesscontrol.RemoveTeamRoleCommand) error { func (ac *AccessControlStore) RemoveTeamRole(cmd *accesscontrol.RemoveTeamRoleCommand) error {
return ac.SQLStore.WithTransactionalDbSession(context.Background(), func(sess *sqlstore.DBSession) error { return ac.SQLStore.WithTransactionalDbSession(context.Background(), func(sess *sqlstore.DBSession) error {
role, err := getRoleByUID(sess, cmd.RoleUID, cmd.OrgID)
if err != nil {
return err
}
if _, err := teamExists(cmd.OrgID, cmd.TeamID, sess); err != nil { if _, err := teamExists(cmd.OrgID, cmd.TeamID, sess); err != nil {
return err return err
} }
if _, err := roleExists(cmd.OrgID, cmd.RoleID, sess); err != nil {
return err
}
q := "DELETE FROM team_role WHERE org_id=? and team_id=? and role_id=?" q := "DELETE FROM team_role WHERE org_id=? and team_id=? and role_id=?"
res, err := sess.Exec(q, cmd.OrgID, cmd.TeamID, cmd.RoleID) res, err := sess.Exec(q, cmd.OrgID, cmd.TeamID, role.ID)
if err != nil { if err != nil {
return err return err
} }
@ -501,36 +503,38 @@ func (ac *AccessControlStore) RemoveTeamRole(cmd *accesscontrol.RemoveTeamRoleCo
func (ac *AccessControlStore) AddUserRole(cmd *accesscontrol.AddUserRoleCommand) error { func (ac *AccessControlStore) AddUserRole(cmd *accesscontrol.AddUserRoleCommand) error {
return ac.SQLStore.WithTransactionalDbSession(context.Background(), func(sess *sqlstore.DBSession) error { return ac.SQLStore.WithTransactionalDbSession(context.Background(), func(sess *sqlstore.DBSession) error {
if res, err := sess.Query("SELECT 1 from user_role WHERE org_id=? and user_id=? and role_id=?", cmd.OrgID, cmd.UserID, cmd.RoleID); err != nil { role, err := getRoleByUID(sess, cmd.RoleUID, cmd.OrgID)
if err != nil {
return err
}
if res, err := sess.Query("SELECT 1 from user_role WHERE org_id=? and user_id=? and role_id=?", cmd.OrgID, cmd.UserID, role.ID); err != nil {
return err return err
} else if len(res) == 1 { } else if len(res) == 1 {
return accesscontrol.ErrUserRoleAlreadyAdded return accesscontrol.ErrUserRoleAlreadyAdded
} }
if _, err := roleExists(cmd.OrgID, cmd.RoleID, sess); err != nil {
return err
}
userRole := &accesscontrol.UserRole{ userRole := &accesscontrol.UserRole{
OrgID: cmd.OrgID, OrgID: cmd.OrgID,
UserID: cmd.UserID, UserID: cmd.UserID,
RoleID: cmd.RoleID, RoleID: role.ID,
Created: TimeNow(), Created: TimeNow(),
} }
_, err := sess.Insert(userRole) _, err = sess.Insert(userRole)
return err return err
}) })
} }
func (ac *AccessControlStore) RemoveUserRole(cmd *accesscontrol.RemoveUserRoleCommand) error { func (ac *AccessControlStore) RemoveUserRole(cmd *accesscontrol.RemoveUserRoleCommand) error {
return ac.SQLStore.WithTransactionalDbSession(context.Background(), func(sess *sqlstore.DBSession) error { return ac.SQLStore.WithTransactionalDbSession(context.Background(), func(sess *sqlstore.DBSession) error {
if _, err := roleExists(cmd.OrgID, cmd.RoleID, sess); err != nil { role, err := getRoleByUID(sess, cmd.RoleUID, cmd.OrgID)
if err != nil {
return err return err
} }
q := "DELETE FROM user_role WHERE org_id=? and user_id=? and role_id=?" q := "DELETE FROM user_role WHERE org_id=? and user_id=? and role_id=?"
res, err := sess.Exec(q, cmd.OrgID, cmd.UserID, cmd.RoleID) res, err := sess.Exec(q, cmd.OrgID, cmd.UserID, role.ID)
if err != nil { if err != nil {
return err return err
} }
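Review bot: `role.ID` returned by `getRoleByUID` is used directly in the duplicate check, the inserts and the DELETEs (L25, L36, L53, L64, L78, L89) with no explicit not-found guard, and whether a missing or foreign-org UID surfaces as an error or as a zero-value role is not visible in this hunk. If the helper can return a nil error with an empty role, the inserts would persist `role_id=0` and the deletes would match nothing while reporting success; a guard such as `if role == nil || role.ID == 0 { return <not-found error> }` after each lookup, or a doc comment on getRoleByUID stating that it returns an error when no role matches within OrgID, would pin this down. The org-scoped lookup is now the only thing preventing a UID from another organization from being bound, since it replaces the dropped `roleExists(cmd.OrgID, ...)` checks, so that contract is worth stating explicitly. The same applies to both hunks of this file. RemoveTeamRole and RemoveUserRole continue past the ends of their hunks.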


@ -148,27 +148,27 @@ type DeleteRoleCommand struct {
} }
type AddTeamRoleCommand struct { type AddTeamRoleCommand struct {
OrgID int64 `json:"org_id"` OrgID int64 `json:"org_id"`
RoleID int64 `json:"role_id"` RoleUID string `json:"role_uid"`
TeamID int64 `json:"team_id"` TeamID int64 `json:"team_id"`
} }
type RemoveTeamRoleCommand struct { type RemoveTeamRoleCommand struct {
OrgID int64 `json:"org_id"` OrgID int64 `json:"org_id"`
RoleID int64 `json:"role_id"` RoleUID string `json:"role_uid"`
TeamID int64 `json:"team_id"` TeamID int64 `json:"team_id"`
} }
type AddUserRoleCommand struct { type AddUserRoleCommand struct {
OrgID int64 `json:"org_id"` OrgID int64 `json:"org_id"`
RoleID int64 `json:"role_id"` RoleUID string `json:"role_uid"`
UserID int64 `json:"user_id"` UserID int64 `json:"user_id"`
} }
type RemoveUserRoleCommand struct { type RemoveUserRoleCommand struct {
OrgID int64 `json:"org_id"` OrgID int64 `json:"org_id"`
RoleID int64 `json:"role_id"` RoleUID string `json:"role_uid"`
UserID int64 `json:"user_id"` UserID int64 `json:"user_id"`
} }
type EvaluationResult struct { type EvaluationResult struct {
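Review bot: The four exported command structs carry no doc comment, and the field callers must now supply changed from a numeric `RoleID` to a string `RoleUID` (tag `role_uid`), so any client still sending `role_id` will leave RoleUID empty rather than fail loudly. A comment on each such as `// RoleUID identifies the role to bind; the store resolves it within OrgID.` would make the new contract explicit, and an empty RoleUID is worth rejecting before the store lookup. Whether these commands are decoded from request bodies is not visible here.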


@ -59,13 +59,12 @@ func CreateUserWithRole(t *testing.T, db *sqlstore.SQLStore, ac accesscontrol.St
OrgID: 1, OrgID: 1,
Name: p.Name, Name: p.Name,
} }
res, err := ac.CreateRole(context.Background(), createRoleCmd) role, err := ac.CreateRole(context.Background(), createRoleCmd)
require.NoError(t, err) require.NoError(t, err)
roleId := res.ID
for _, perm := range p.Permissions { for _, perm := range p.Permissions {
permCmd := accesscontrol.CreatePermissionCommand{ permCmd := accesscontrol.CreatePermissionCommand{
RoleID: roleId, RoleID: role.ID,
Permission: perm.Permission, Permission: perm.Permission,
Scope: perm.Scope, Scope: perm.Scope,
} }
@ -75,9 +74,9 @@ func CreateUserWithRole(t *testing.T, db *sqlstore.SQLStore, ac accesscontrol.St
} }
addUserRoleCmd := accesscontrol.AddUserRoleCommand{ addUserRoleCmd := accesscontrol.AddUserRoleCommand{
OrgID: 1, OrgID: 1,
RoleID: roleId, RoleUID: role.UID,
UserID: userId, UserID: userId,
} }
err = ac.AddUserRole(&addUserRoleCmd) err = ac.AddUserRole(&addUserRoleCmd)
require.NoError(t, err) require.NoError(t, err)
@ -95,13 +94,12 @@ func CreateTeamWithRole(t *testing.T, db *sqlstore.SQLStore, ac accesscontrol.St
OrgID: orgID, OrgID: orgID,
Name: p.Name, Name: p.Name,
} }
res, err := ac.CreateRole(context.Background(), createRoleCmd) role, err := ac.CreateRole(context.Background(), createRoleCmd)
require.NoError(t, err) require.NoError(t, err)
roleId := res.ID
for _, perm := range p.Permissions { for _, perm := range p.Permissions {
permCmd := accesscontrol.CreatePermissionCommand{ permCmd := accesscontrol.CreatePermissionCommand{
RoleID: roleId, RoleID: role.ID,
Permission: perm.Permission, Permission: perm.Permission,
Scope: perm.Scope, Scope: perm.Scope,
} }
@ -111,9 +109,9 @@ func CreateTeamWithRole(t *testing.T, db *sqlstore.SQLStore, ac accesscontrol.St
} }
addTeamRoleCmd := accesscontrol.AddTeamRoleCommand{ addTeamRoleCmd := accesscontrol.AddTeamRoleCommand{
OrgID: 1, OrgID: 1,
RoleID: roleId, RoleUID: role.UID,
TeamID: teamId, TeamID: teamId,
} }
err = ac.AddTeamRole(&addTeamRoleCmd) err = ac.AddTeamRole(&addTeamRoleCmd)
require.NoError(t, err) require.NoError(t, err)
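Review bot: In CreateTeamWithRole the role is created with `OrgID: orgID` (L145) but the new `addTeamRoleCmd` at L160 still hard-codes `OrgID: 1`; since RoleUID is now resolved within the command's OrgID, the call will not find the role whenever `orgID != 1`. Changing that line to `OrgID: orgID,` keeps the lookup scoped to the same org the role was created in. Whether this helper is ever invoked with an org other than 1 is not visible here.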


@ -35,15 +35,14 @@ func GenerateRoles(b *testing.B, db *sqlstore.SQLStore, ac accesscontrol.Store,
for j := 0; j < rolesPerUser; j++ { for j := 0; j < rolesPerUser; j++ {
roleName := fmt.Sprintf("role_%s_%v", teamName, j) roleName := fmt.Sprintf("role_%s_%v", teamName, j)
createRoleCmd := accesscontrol.CreateRoleCommand{OrgID: 1, Name: roleName} createRoleCmd := accesscontrol.CreateRoleCommand{OrgID: 1, Name: roleName}
res, err := ac.CreateRole(context.Background(), createRoleCmd) role, err := ac.CreateRole(context.Background(), createRoleCmd)
require.NoError(b, err) require.NoError(b, err)
roleId := res.ID
for k := 0; k < PermissionsPerRole; k++ { for k := 0; k < PermissionsPerRole; k++ {
permission := fmt.Sprintf("permission_%v", k) permission := fmt.Sprintf("permission_%v", k)
scope := fmt.Sprintf("scope_%v", k) scope := fmt.Sprintf("scope_%v", k)
permCmd := accesscontrol.CreatePermissionCommand{ permCmd := accesscontrol.CreatePermissionCommand{
RoleID: roleId, RoleID: role.ID,
Permission: permission, Permission: permission,
Scope: scope, Scope: scope,
} }
@ -53,9 +52,9 @@ func GenerateRoles(b *testing.B, db *sqlstore.SQLStore, ac accesscontrol.Store,
} }
addTeamRoleCmd := accesscontrol.AddTeamRoleCommand{ addTeamRoleCmd := accesscontrol.AddTeamRoleCommand{
OrgID: 1, OrgID: 1,
RoleID: roleId, RoleUID: role.UID,
TeamID: teamId, TeamID: teamId,
} }
err = ac.AddTeamRole(&addTeamRoleCmd) err = ac.AddTeamRole(&addTeamRoleCmd)
require.NoError(b, err) require.NoError(b, err)
@ -76,15 +75,14 @@ func GenerateRoles(b *testing.B, db *sqlstore.SQLStore, ac accesscontrol.Store,
for j := 0; j < rolesPerUser; j++ { for j := 0; j < rolesPerUser; j++ {
roleName := fmt.Sprintf("role_%s_%v", userName, j) roleName := fmt.Sprintf("role_%s_%v", userName, j)
createRoleCmd := accesscontrol.CreateRoleCommand{OrgID: 1, Name: roleName} createRoleCmd := accesscontrol.CreateRoleCommand{OrgID: 1, Name: roleName}
res, err := ac.CreateRole(context.Background(), createRoleCmd) role, err := ac.CreateRole(context.Background(), createRoleCmd)
require.NoError(b, err) require.NoError(b, err)
roleId := res.ID
for k := 0; k < PermissionsPerRole; k++ { for k := 0; k < PermissionsPerRole; k++ {
permission := fmt.Sprintf("permission_%v", k) permission := fmt.Sprintf("permission_%v", k)
scope := fmt.Sprintf("scope_%v", k) scope := fmt.Sprintf("scope_%v", k)
permCmd := accesscontrol.CreatePermissionCommand{ permCmd := accesscontrol.CreatePermissionCommand{
RoleID: roleId, RoleID: role.ID,
Permission: permission, Permission: permission,
Scope: scope, Scope: scope,
} }
@ -94,9 +92,9 @@ func GenerateRoles(b *testing.B, db *sqlstore.SQLStore, ac accesscontrol.Store,
} }
addUserRoleCmd := accesscontrol.AddUserRoleCommand{ addUserRoleCmd := accesscontrol.AddUserRoleCommand{
OrgID: 1, OrgID: 1,
RoleID: roleId, RoleUID: role.UID,
UserID: userId, UserID: userId,
} }
err = ac.AddUserRole(&addUserRoleCmd) err = ac.AddUserRole(&addUserRoleCmd)
require.NoError(b, err) require.NoError(b, err)