Access Control: Move dashboard actions and create scope provider (#48618)

* Move dashboard actions and create scope provider

pkg/services/guardian/accesscontrol_guardian.go

@@ -53,12 +53,12 @@ func (a *AccessControlDashboardGuardian) CanSave() (bool, error) {
 	}
 
 	if a.dashboard.IsFolder {
-		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, folderScope(a.dashboard.Uid)))
+		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)))
 	}
 
 	return a.evaluate(accesscontrol.EvalAny(
-		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, dashboardScope(a.dashboard.Uid)),
-		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, folderScope(a.parentFolderUID)),
+		accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
+		accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
 	))
 }
 
@@ -71,12 +71,12 @@ func (a *AccessControlDashboardGuardian) CanEdit() (bool, error) {
 	}
 
 	if a.dashboard.IsFolder {
-		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, folderScope(a.dashboard.Uid)))
+		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)))
 	}
 
 	return a.evaluate(accesscontrol.EvalAny(
-		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, dashboardScope(a.dashboard.Uid)),
-		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, folderScope(a.parentFolderUID)),
+		accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
+		accesscontrol.EvalPermission(dashboards.ActionDashboardsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
 	))
 }
 
@@ -86,12 +86,12 @@ func (a *AccessControlDashboardGuardian) CanView() (bool, error) {
 	}
 
 	if a.dashboard.IsFolder {
-		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersRead, folderScope(a.dashboard.Uid)))
+		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)))
 	}
 
 	return a.evaluate(accesscontrol.EvalAny(
-		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsRead, dashboardScope(a.dashboard.Uid)),
-		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsRead, folderScope(a.parentFolderUID)),
+		accesscontrol.EvalPermission(dashboards.ActionDashboardsRead, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
+		accesscontrol.EvalPermission(dashboards.ActionDashboardsRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
 	))
 }
 
@@ -102,19 +102,19 @@ func (a *AccessControlDashboardGuardian) CanAdmin() (bool, error) {
 
 	if a.dashboard.IsFolder {
 		return a.evaluate(accesscontrol.EvalAll(
-			accesscontrol.EvalPermission(dashboards.ActionFoldersPermissionsRead, folderScope(a.dashboard.Uid)),
-			accesscontrol.EvalPermission(dashboards.ActionFoldersPermissionsWrite, folderScope(a.dashboard.Uid)),
+			accesscontrol.EvalPermission(dashboards.ActionFoldersPermissionsRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)),
+			accesscontrol.EvalPermission(dashboards.ActionFoldersPermissionsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)),
 		))
 	}
 
 	return a.evaluate(accesscontrol.EvalAny(
 		accesscontrol.EvalAll(
-			accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsRead, dashboardScope(a.dashboard.Uid)),
-			accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsWrite, dashboardScope(a.dashboard.Uid)),
+			accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsRead, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
+			accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsWrite, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
 		),
 		accesscontrol.EvalAll(
-			accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsRead, folderScope(a.parentFolderUID)),
-			accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsWrite, folderScope(a.parentFolderUID)),
+			accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsRead, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
+			accesscontrol.EvalPermission(dashboards.ActionDashboardsPermissionsWrite, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
 		),
 	))
 }
@@ -125,12 +125,12 @@ func (a *AccessControlDashboardGuardian) CanDelete() (bool, error) {
 	}
 
 	if a.dashboard.IsFolder {
-		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersDelete, folderScope(a.dashboard.Uid)))
+		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersDelete, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.dashboard.Uid)))
 	}
 
 	return a.evaluate(accesscontrol.EvalAny(
-		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsDelete, dashboardScope(a.dashboard.Uid)),
-		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsDelete, folderScope(a.parentFolderUID)),
+		accesscontrol.EvalPermission(dashboards.ActionDashboardsDelete, dashboards.ScopeDashboardsProvider.GetResourceScopeUID(a.dashboard.Uid)),
+		accesscontrol.EvalPermission(dashboards.ActionDashboardsDelete, dashboards.ScopeFoldersProvider.GetResourceScopeUID(a.parentFolderUID)),
 	))
 }
 
@@ -142,7 +142,7 @@ func (a *AccessControlDashboardGuardian) CanCreate(folderID int64, isFolder bool
 	if err != nil {
 		return false, err
 	}
-	return a.evaluate(accesscontrol.EvalPermission(accesscontrol.ActionDashboardsCreate, folderScope(folder.Uid)))
+	return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionDashboardsCreate, dashboards.ScopeFoldersProvider.GetResourceScopeUID(folder.Uid)))
 }
 
 func (a *AccessControlDashboardGuardian) evaluate(evaluator accesscontrol.Evaluator) (bool, error) {
@@ -283,11 +283,3 @@ func (a *AccessControlDashboardGuardian) loadParentFolder(folderID int64) (*mode
 	}
 	return folderQuery.Result, nil
 }
-
-func dashboardScope(uid string) string {
-	return accesscontrol.GetResourceScopeUID("dashboards", uid)
-}
-
-func folderScope(uid string) string {
-	return dashboards.ScopeFoldersProvider.GetResourceScopeUID(uid)
-}

pkg/services/guardian/accesscontrol_guardian_test.go

@@ -36,7 +36,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsWrite,
+					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "dashboards:*",
 				},
 			},
@@ -47,7 +47,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsWrite,
+					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "folders:*",
 				},
 			},
@@ -58,7 +58,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsWrite,
+					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "dashboards:uid:1",
 				},
 			},
@@ -69,7 +69,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsWrite,
+					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "folders:uid:general",
 				},
 			},
@@ -80,7 +80,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsWrite,
+					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "dashboards:uid:10",
 				},
 			},
@@ -91,7 +91,7 @@ func TestAccessControlDashboardGuardian_CanSave(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsWrite,
+					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "folders:uid:100",
 				},
 			},
@@ -116,7 +116,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsWrite,
+					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "dashboards:*",
 				},
 			},
@@ -127,7 +127,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsWrite,
+					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "folders:*",
 				},
 			},
@@ -138,7 +138,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsWrite,
+					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "dashboards:uid:1",
 				},
 			},
@@ -149,7 +149,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsWrite,
+					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "folders:uid:general",
 				},
 			},
@@ -160,7 +160,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsWrite,
+					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "dashboards:uid:10",
 				},
 			},
@@ -171,7 +171,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsWrite,
+					Action: dashboards.ActionDashboardsWrite,
 					Scope:  "folders:uid:10",
 				},
 			},
@@ -182,7 +182,7 @@ func TestAccessControlDashboardGuardian_CanEdit(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsRead,
+					Action: dashboards.ActionDashboardsRead,
 					Scope:  "dashboards:uid:1",
 				},
 			},
@@ -212,7 +212,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsRead,
+					Action: dashboards.ActionDashboardsRead,
 					Scope:  "dashboards:*",
 				},
 			},
@@ -223,7 +223,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsRead,
+					Action: dashboards.ActionDashboardsRead,
 					Scope:  "folders:*",
 				},
 			},
@@ -234,7 +234,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsRead,
+					Action: dashboards.ActionDashboardsRead,
 					Scope:  "dashboards:uid:1",
 				},
 			},
@@ -245,7 +245,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsRead,
+					Action: dashboards.ActionDashboardsRead,
 					Scope:  "folders:uid:general",
 				},
 			},
@@ -256,7 +256,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsRead,
+					Action: dashboards.ActionDashboardsRead,
 					Scope:  "dashboards:uid:10",
 				},
 			},
@@ -267,7 +267,7 @@ func TestAccessControlDashboardGuardian_CanView(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsRead,
+					Action: dashboards.ActionDashboardsRead,
 					Scope:  "folders:uid:10",
 				},
 			},
@@ -292,11 +292,11 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsPermissionsRead,
+					Action: dashboards.ActionDashboardsPermissionsRead,
 					Scope:  "dashboards:*",
 				},
 				{
-					Action: accesscontrol.ActionDashboardsPermissionsWrite,
+					Action: dashboards.ActionDashboardsPermissionsWrite,
 					Scope:  "dashboards:*",
 				},
 			},
@@ -307,11 +307,11 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsPermissionsRead,
+					Action: dashboards.ActionDashboardsPermissionsRead,
 					Scope:  "folders:*",
 				},
 				{
-					Action: accesscontrol.ActionDashboardsPermissionsWrite,
+					Action: dashboards.ActionDashboardsPermissionsWrite,
 					Scope:  "folders:*",
 				},
 			},
@@ -322,11 +322,11 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsPermissionsRead,
+					Action: dashboards.ActionDashboardsPermissionsRead,
 					Scope:  "dashboards:uid:1",
 				},
 				{
-					Action: accesscontrol.ActionDashboardsPermissionsWrite,
+					Action: dashboards.ActionDashboardsPermissionsWrite,
 					Scope:  "dashboards:uid:1",
 				},
 			},
@@ -337,11 +337,11 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsPermissionsRead,
+					Action: dashboards.ActionDashboardsPermissionsRead,
 					Scope:  "folders:uid:general",
 				},
 				{
-					Action: accesscontrol.ActionDashboardsPermissionsWrite,
+					Action: dashboards.ActionDashboardsPermissionsWrite,
 					Scope:  "folders:uid:general",
 				},
 			},
@@ -352,11 +352,11 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsPermissionsRead,
+					Action: dashboards.ActionDashboardsPermissionsRead,
 					Scope:  "dashboards:uid:10",
 				},
 				{
-					Action: accesscontrol.ActionDashboardsPermissionsWrite,
+					Action: dashboards.ActionDashboardsPermissionsWrite,
 					Scope:  "dashboards:uid:10",
 				},
 			},
@@ -367,11 +367,11 @@ func TestAccessControlDashboardGuardian_CanAdmin(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsPermissionsRead,
+					Action: dashboards.ActionDashboardsPermissionsRead,
 					Scope:  "folders:uid:10",
 				},
 				{
-					Action: accesscontrol.ActionDashboardsPermissionsWrite,
+					Action: dashboards.ActionDashboardsPermissionsWrite,
 					Scope:  "folders:uid:10",
 				},
 			},
@@ -396,7 +396,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsDelete,
+					Action: dashboards.ActionDashboardsDelete,
 					Scope:  "dashboards:*",
 				},
 			},
@@ -407,7 +407,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsDelete,
+					Action: dashboards.ActionDashboardsDelete,
 					Scope:  "folders:*",
 				},
 			},
@@ -418,7 +418,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsDelete,
+					Action: dashboards.ActionDashboardsDelete,
 					Scope:  "dashboards:uid:1",
 				},
 			},
@@ -429,7 +429,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsDelete,
+					Action: dashboards.ActionDashboardsDelete,
 					Scope:  "folders:uid:general",
 				},
 			},
@@ -440,7 +440,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsDelete,
+					Action: dashboards.ActionDashboardsDelete,
 					Scope:  "dashboards:uid:10",
 				},
 			},
@@ -451,7 +451,7 @@ func TestAccessControlDashboardGuardian_CanDelete(t *testing.T) {
 			dashUID: "1",
 			permissions: []*accesscontrol.Permission{
 				{
-					Action: accesscontrol.ActionDashboardsDelete,
+					Action: dashboards.ActionDashboardsDelete,
 					Scope:  "folders:uid:10",
 				},
 			},
@@ -485,7 +485,7 @@ func TestAccessControlDashboardGuardian_CanCreate(t *testing.T) {
 			isFolder: false,
 			folderID: 0,
 			permissions: []*accesscontrol.Permission{
-				{Action: accesscontrol.ActionDashboardsCreate, Scope: "folders:uid:general"},
+				{Action: dashboards.ActionDashboardsCreate, Scope: "folders:uid:general"},
 			},
 			expected: true,
 		},
@@ -494,7 +494,7 @@ func TestAccessControlDashboardGuardian_CanCreate(t *testing.T) {
 			isFolder: false,
 			folderID: 0,
 			permissions: []*accesscontrol.Permission{
-				{Action: accesscontrol.ActionDashboardsCreate, Scope: "folders:*"},
+				{Action: dashboards.ActionDashboardsCreate, Scope: "folders:*"},
 			},
 			expected: true,
 		},