Actionsets: Add ability for plugins to add actions for core actionsets (i.e. folders:edit) (#88776)

* initial commit * Action sets stored remove the dependancy for actionsets got the actionsets registered storing the permissions * fix golanglinting * remove unused struct field * wip * actionset registry for a plugin from the actionsetservice * update to make declareactionset the primary way of plugin registration and modification * declare actually extends actionsets * tests fixed * tests skipped * skip tests * skip tests * skip tests * skip tests * change to warning instead * remove step from pipeline to see if it fails due to plugin not registering * reintroduce step but remove features dependancy * add back the tests that were failing * remove comments and another skip test * fix a comment and remove unneeded changes * fix and clean up, put the behaviour behind a feature toggle * clean up * fixing tests * hard-code allowed action sets for plugins * Apply suggestions from code review Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * small cleanup --------- Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-02-25 18:55:37 -06:00 · 2024-07-19 16:16:23 +01:00
parent 96c3e9c550
commit 248af65f9c
18 changed files with 326 additions and 47 deletions
--- a/pkg/plugins/ifaces.go
+++ b/pkg/plugins/ifaces.go
@@ -134,6 +134,11 @@ type RoleRegistry interface {
 	DeclarePluginRoles(ctx context.Context, ID, name string, registrations []RoleRegistration) error
 }

+// ActionSetRegistry handles the plugin RBAC actionsets
+type ActionSetRegistry interface {
+	RegisterActionSets(ctx context.Context, ID string, registrations []ActionSet) error
+}
+
 // ClientMiddleware is an interface representing the ability to create a middleware
 // that implements the Client interface.
 type ClientMiddleware interface {
--- a/pkg/plugins/manager/fakes/fakes.go
+++ b/pkg/plugins/manager/fakes/fakes.go
@@ -391,6 +391,18 @@ func (f *FakeRoleRegistry) DeclarePluginRoles(_ context.Context, _ string, _ str
 	return f.ExpectedErr
 }

+type FakeActionSetRegistry struct {
+	ExpectedErr error
+}
+
+func NewFakeActionSetRegistry() *FakeActionSetRegistry {
+	return &FakeActionSetRegistry{}
+}
+
+func (f *FakeActionSetRegistry) RegisterActionSets(_ context.Context, _ string, _ []plugins.ActionSet) error {
+	return f.ExpectedErr
+}
+
 type FakePluginFiles struct {
 	OpenFunc   func(name string) (fs.File, error)
 	RemoveFunc func() error
--- a/pkg/plugins/models.go
+++ b/pkg/plugins/models.go
@@ -314,8 +314,6 @@ func (e Error) PublicMessage() string {
 	return "Plugin failed to load"
 }

-// Access-Control related definitions
-
 // RoleRegistration stores a role and its assignments to basic roles
 // (Viewer, Editor, Admin, Grafana Admin)
 type RoleRegistration struct {
@@ -335,6 +333,12 @@ type Permission struct {
 	Scope  string `json:"scope"`
 }

+// ActionSet is the model for ActionSet in RBAC.
+type ActionSet struct {
+	Action  string   `json:"action"`
+	Actions []string `json:"actions"`
+}
+
 type QueryCachingConfig struct {
 	Enabled bool  `json:"enabled"`
 	TTLMS   int64 `json:"TTLMs"`
--- a/pkg/plugins/plugins.go
+++ b/pkg/plugins/plugins.go
@@ -101,7 +101,8 @@ type JSONData struct {
 	Routes       []*Route     `json:"routes"`

 	// AccessControl settings
-	Roles []RoleRegistration `json:"roles,omitempty"`
+	Roles      []RoleRegistration `json:"roles,omitempty"`
+	ActionSets []ActionSet        `json:"actionSets,omitempty"`

 	// Panel settings
 	SkipDataQuery bool `json:"skipDataQuery"`