IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

RBAC: Fix SearchUsersPermissions when the filter is empty (#68176)

Browse Source 
Fix SearchUsersPermission action filter
This commit is contained in:
Misi 2023-05-10 11:24:37 +02:00 committed by GitHub
parent 047763978d
commit 23d8f7c2fe
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 30 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
pkg/services/accesscontrol/acimpl/service.go
View File

@ -252,15 +252,8 @@ func (s *Service) SearchUsersPermissions(ctx context.Context, user *user.SignedI
basicPermissions := map[string][]accesscontrol.Permission{} basicPermissions := map[string][]accesscontrol.Permission{}
for role, basicRole := range s.roles { for role, basicRole := range s.roles {
for i := range basicRole.Permissions { for i := range basicRole.Permissions {
if options.ActionPrefix != "" { if PermissionMatchesSearchOptions(basicRole.Permissions[i], options) {
if strings.HasPrefix(basicRole.Permissions[i].Action, options.ActionPrefix) { basicPermissions[role] = append(basicPermissions[role], basicRole.Permissions[i])
basicPermissions[role] = append(basicPermissions[role], basicRole.Permissions[i])
}
}
if options.Action != "" {
if basicRole.Permissions[i].Action == options.Action {
basicPermissions[role] = append(basicPermissions[role], basicRole.Permissions[i])
}
} }
} }
} }

29
pkg/services/accesscontrol/acimpl/service_test.go
View File

@ -384,6 +384,7 @@ func TestService_SearchUsersPermissions(t *testing.T) {
tests := []struct { tests := []struct {
name string name string
siuPermissions map[string][]string siuPermissions map[string][]string
searchOption accesscontrol.SearchOptions
ramRoles map[string]*accesscontrol.RoleDTO // BasicRole => RBAC BasicRole ramRoles map[string]*accesscontrol.RoleDTO // BasicRole => RBAC BasicRole
storedPerms map[int64][]accesscontrol.Permission // UserID => Permissions storedPerms map[int64][]accesscontrol.Permission // UserID => Permissions
storedRoles map[int64][]string // UserID => Roles storedRoles map[int64][]string // UserID => Roles
@ -393,6 +394,7 @@ func TestService_SearchUsersPermissions(t *testing.T) {
{ {
name: "ram only", name: "ram only",
siuPermissions: listAllPerms, siuPermissions: listAllPerms,
searchOption: searchOption,
ramRoles: map[string]*accesscontrol.RoleDTO{ ramRoles: map[string]*accesscontrol.RoleDTO{
string(roletype.RoleAdmin): {Permissions: []accesscontrol.Permission{ string(roletype.RoleAdmin): {Permissions: []accesscontrol.Permission{
{Action: accesscontrol.ActionTeamsRead, Scope: "teams:*"}, {Action: accesscontrol.ActionTeamsRead, Scope: "teams:*"},
@ -413,6 +415,7 @@ func TestService_SearchUsersPermissions(t *testing.T) {
{ {
name: "stored only", name: "stored only",
siuPermissions: listAllPerms, siuPermissions: listAllPerms,
searchOption: searchOption,
storedPerms: map[int64][]accesscontrol.Permission{ storedPerms: map[int64][]accesscontrol.Permission{
1: {{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"}}, 1: {{Action: accesscontrol.ActionTeamsRead, Scope: "teams:id:1"}},
2: {{Action: accesscontrol.ActionTeamsRead, Scope: "teams:*"}, 2: {{Action: accesscontrol.ActionTeamsRead, Scope: "teams:*"},
@ -431,6 +434,7 @@ func TestService_SearchUsersPermissions(t *testing.T) {
{ {
name: "ram and stored", name: "ram and stored",
siuPermissions: listAllPerms, siuPermissions: listAllPerms,
searchOption: searchOption,
ramRoles: map[string]*accesscontrol.RoleDTO{ ramRoles: map[string]*accesscontrol.RoleDTO{
string(roletype.RoleAdmin): {Permissions: []accesscontrol.Permission{ string(roletype.RoleAdmin): {Permissions: []accesscontrol.Permission{
{Action: accesscontrol.ActionTeamsRead, Scope: "teams:*"}, {Action: accesscontrol.ActionTeamsRead, Scope: "teams:*"},
@ -459,6 +463,7 @@ func TestService_SearchUsersPermissions(t *testing.T) {
{ {
name: "view permission on subset of users only", name: "view permission on subset of users only",
siuPermissions: listSomePerms, siuPermissions: listSomePerms,
searchOption: searchOption,
ramRoles: map[string]*accesscontrol.RoleDTO{ ramRoles: map[string]*accesscontrol.RoleDTO{
accesscontrol.RoleGrafanaAdmin: {Permissions: []accesscontrol.Permission{ accesscontrol.RoleGrafanaAdmin: {Permissions: []accesscontrol.Permission{
{Action: accesscontrol.ActionTeamsPermissionsRead, Scope: "teams:*"}, {Action: accesscontrol.ActionTeamsPermissionsRead, Scope: "teams:*"},
@ -482,6 +487,7 @@ func TestService_SearchUsersPermissions(t *testing.T) {
{ {
name: "check action filter on RAM permissions works correctly", name: "check action filter on RAM permissions works correctly",
siuPermissions: listAllPerms, siuPermissions: listAllPerms,
searchOption: searchOption,
ramRoles: map[string]*accesscontrol.RoleDTO{ ramRoles: map[string]*accesscontrol.RoleDTO{
accesscontrol.RoleGrafanaAdmin: {Permissions: []accesscontrol.Permission{ accesscontrol.RoleGrafanaAdmin: {Permissions: []accesscontrol.Permission{
{Action: accesscontrol.ActionUsersCreate}, {Action: accesscontrol.ActionUsersCreate},
@ -493,6 +499,27 @@ func TestService_SearchUsersPermissions(t *testing.T) {
1: {{Action: accesscontrol.ActionTeamsPermissionsRead, Scope: "teams:*"}}, 1: {{Action: accesscontrol.ActionTeamsPermissionsRead, Scope: "teams:*"}},
}, },
}, },
{
name: "check empty action filter on RAM permissions works correctly",
siuPermissions: listAllPerms,
searchOption: accesscontrol.SearchOptions{},
ramRoles: map[string]*accesscontrol.RoleDTO{
accesscontrol.RoleGrafanaAdmin: {Permissions: []accesscontrol.Permission{
{Action: accesscontrol.ActionTeamsRead, Scope: "teams:*"},
{Action: accesscontrol.ActionUsersCreate},
{Action: accesscontrol.ActionTeamsPermissionsRead, Scope: "teams:*"},
{Action: accesscontrol.ActionAnnotationsRead, Scope: "annotations:*"},
}},
},
storedRoles: map[int64][]string{1: {accesscontrol.RoleGrafanaAdmin}},
want: map[int64][]accesscontrol.Permission{
1: {{Action: accesscontrol.ActionTeamsRead, Scope: "teams:*"},
{Action: accesscontrol.ActionUsersCreate},
{Action: accesscontrol.ActionTeamsPermissionsRead, Scope: "teams:*"},
{Action: accesscontrol.ActionAnnotationsRead, Scope: "annotations:*"},
},
},
},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
@ -505,7 +532,7 @@ func TestService_SearchUsersPermissions(t *testing.T) {
} }
siu := &user.SignedInUser{OrgID: 2, Permissions: map[int64]map[string][]string{2: tt.siuPermissions}} siu := &user.SignedInUser{OrgID: 2, Permissions: map[int64]map[string][]string{2: tt.siuPermissions}}
got, err := ac.SearchUsersPermissions(ctx, siu, 2, searchOption) got, err := ac.SearchUsersPermissions(ctx, siu, 2, tt.searchOption)
if tt.wantErr { if tt.wantErr {
require.NotNil(t, err) require.NotNil(t, err)
return return