Move datasource scopes and actions to access control package (#46334)

* create scope provider
* move datasource actions and scopes to datasource package + add provider
* change usages to use datasource scopes and update data source name resolver to use provider
* move folder permissions to dashboard package and update usages
Yuriy Tseretyan
2022-03-09 11:57:50 -05:00
committed by GitHub
parent 6670257c5e
commit 314be36a7c
16 changed files with 243 additions and 158 deletions


@@ -10,16 +10,17 @@ import (
"net/http/httptest"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/grafana/grafana/pkg/api/response"
"github.com/grafana/grafana/pkg/api/routing"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/accesscontrol"
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/datasources"
"github.com/grafana/grafana/pkg/services/datasources/permissions"
"github.com/grafana/grafana/pkg/services/sqlstore/mockstore"
"github.com/grafana/grafana/pkg/setting"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
const (
@@ -238,10 +239,10 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesPut should return 404 if datasource not found",
url: fmt.Sprintf("/api/datasources/%v", "12345678"),
method: http.MethodPut,
permissions: []*accesscontrol.Permission{
permissions: []*ac.Permission{
{
Action: ActionDatasourcesWrite,
Scope: ScopeDatasourcesAll,
Action: datasources.ActionDatasourcesWrite,
Scope: datasources.ScopeDatasourcesAll,
},
},
},
@@ -253,7 +254,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesGet should return 200 for user with correct permissions",
url: "/api/datasources/",
method: http.MethodGet,
permissions: []*accesscontrol.Permission{{Action: ActionDatasourcesRead, Scope: ScopeDatasourcesAll}},
permissions: []*ac.Permission{{Action: datasources.ActionDatasourcesRead, Scope: datasources.ScopeDatasourcesAll}},
},
},
{
@@ -262,7 +263,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesGet should return 403 for user without required permissions",
url: "/api/datasources/",
method: http.MethodGet,
permissions: []*accesscontrol.Permission{{Action: "wrong"}},
permissions: []*ac.Permission{{Action: "wrong"}},
},
},
{
@@ -272,7 +273,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesPost should return 200 for user with correct permissions",
url: "/api/datasources/",
method: http.MethodPost,
permissions: []*accesscontrol.Permission{{Action: ActionDatasourcesCreate}},
permissions: []*ac.Permission{{Action: datasources.ActionDatasourcesCreate}},
},
expectedDS: &testDatasource,
},
@@ -282,7 +283,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesPost should return 403 for user without required permissions",
url: "/api/datasources/",
method: http.MethodPost,
permissions: []*accesscontrol.Permission{{Action: "wrong"}},
permissions: []*ac.Permission{{Action: "wrong"}},
},
},
{
@@ -292,9 +293,9 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesPut should return 200 for user with correct permissions",
url: fmt.Sprintf("/api/datasources/%v", testDatasource.Id),
method: http.MethodPut,
permissions: []*accesscontrol.Permission{
permissions: []*ac.Permission{
{
Action: ActionDatasourcesWrite,
Action: datasources.ActionDatasourcesWrite,
Scope: fmt.Sprintf("datasources:id:%v", testDatasource.Id),
},
},
@@ -307,7 +308,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesPut should return 403 for user without required permissions",
url: fmt.Sprintf("/api/datasources/%v", testDatasource.Id),
method: http.MethodPut,
permissions: []*accesscontrol.Permission{{Action: "wrong"}},
permissions: []*ac.Permission{{Action: "wrong"}},
},
},
{
@@ -317,9 +318,9 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesPut should return 403 for read only datasource",
url: fmt.Sprintf("/api/datasources/%v", testDatasourceReadOnly.Id),
method: http.MethodPut,
permissions: []*accesscontrol.Permission{
permissions: []*ac.Permission{
{
Action: ActionDatasourcesWrite,
Action: datasources.ActionDatasourcesWrite,
Scope: fmt.Sprintf("datasources:id:%v", testDatasourceReadOnly.Id),
},
},
@@ -332,9 +333,9 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesDeleteByID should return 200 for user with correct permissions",
url: fmt.Sprintf("/api/datasources/%v", testDatasource.Id),
method: http.MethodDelete,
permissions: []*accesscontrol.Permission{
permissions: []*ac.Permission{
{
Action: ActionDatasourcesDelete,
Action: datasources.ActionDatasourcesDelete,
Scope: fmt.Sprintf("datasources:id:%v", testDatasource.Id),
},
},
@@ -347,7 +348,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesDeleteByID should return 403 for user without required permissions",
url: fmt.Sprintf("/api/datasources/%v", testDatasource.Id),
method: http.MethodDelete,
permissions: []*accesscontrol.Permission{{Action: "wrong"}},
permissions: []*ac.Permission{{Action: "wrong"}},
},
},
{
@@ -356,9 +357,9 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesDeleteByUID should return 200 for user with correct permissions",
url: fmt.Sprintf("/api/datasources/uid/%v", testDatasource.Uid),
method: http.MethodDelete,
permissions: []*accesscontrol.Permission{
permissions: []*ac.Permission{
{
Action: ActionDatasourcesDelete,
Action: datasources.ActionDatasourcesDelete,
Scope: fmt.Sprintf("datasources:uid:%v", testDatasource.Uid),
},
},
@@ -371,7 +372,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesDeleteByUID should return 403 for user without required permissions",
url: fmt.Sprintf("/api/datasources/uid/%v", testDatasource.Uid),
method: http.MethodDelete,
permissions: []*accesscontrol.Permission{{Action: "wrong"}},
permissions: []*ac.Permission{{Action: "wrong"}},
},
},
{
@@ -380,9 +381,9 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesDeleteByName should return 200 for user with correct permissions",
url: fmt.Sprintf("/api/datasources/name/%v", testDatasource.Name),
method: http.MethodDelete,
permissions: []*accesscontrol.Permission{
permissions: []*ac.Permission{
{
Action: ActionDatasourcesDelete,
Action: datasources.ActionDatasourcesDelete,
Scope: fmt.Sprintf("datasources:name:%v", testDatasource.Name),
},
},
@@ -395,7 +396,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesDeleteByName should return 403 for user without required permissions",
url: fmt.Sprintf("/api/datasources/name/%v", testDatasource.Name),
method: http.MethodDelete,
permissions: []*accesscontrol.Permission{{Action: "wrong"}},
permissions: []*ac.Permission{{Action: "wrong"}},
},
},
{
@@ -404,9 +405,9 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesGetByID should return 200 for user with correct permissions",
url: fmt.Sprintf("/api/datasources/%v", testDatasource.Id),
method: http.MethodGet,
permissions: []*accesscontrol.Permission{
permissions: []*ac.Permission{
{
Action: ActionDatasourcesRead,
Action: datasources.ActionDatasourcesRead,
Scope: fmt.Sprintf("datasources:id:%v", testDatasource.Id),
},
},
@@ -419,7 +420,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesGetByID should return 403 for user without required permissions",
url: fmt.Sprintf("/api/datasources/%v", testDatasource.Id),
method: http.MethodGet,
permissions: []*accesscontrol.Permission{{Action: "wrong"}},
permissions: []*ac.Permission{{Action: "wrong"}},
},
},
{
@@ -428,9 +429,9 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesGetByUID should return 200 for user with correct permissions",
url: fmt.Sprintf("/api/datasources/uid/%v", testDatasource.Uid),
method: http.MethodGet,
permissions: []*accesscontrol.Permission{
permissions: []*ac.Permission{
{
Action: ActionDatasourcesRead,
Action: datasources.ActionDatasourcesRead,
Scope: fmt.Sprintf("datasources:uid:%v", testDatasource.Uid),
},
},
@@ -443,7 +444,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesGetByUID should return 403 for user without required permissions",
url: fmt.Sprintf("/api/datasources/uid/%v", testDatasource.Uid),
method: http.MethodGet,
permissions: []*accesscontrol.Permission{{Action: "wrong"}},
permissions: []*ac.Permission{{Action: "wrong"}},
},
},
{
@@ -452,9 +453,9 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesGetByName should return 200 for user with correct permissions",
url: fmt.Sprintf("/api/datasources/name/%v", testDatasource.Name),
method: http.MethodGet,
permissions: []*accesscontrol.Permission{
permissions: []*ac.Permission{
{
Action: ActionDatasourcesRead,
Action: datasources.ActionDatasourcesRead,
Scope: fmt.Sprintf("datasources:name:%v", testDatasource.Name),
},
},
@@ -467,7 +468,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesGetByName should return 403 for user without required permissions",
url: fmt.Sprintf("/api/datasources/name/%v", testDatasource.Name),
method: http.MethodGet,
permissions: []*accesscontrol.Permission{{Action: "wrong"}},
permissions: []*ac.Permission{{Action: "wrong"}},
},
expectedDS: &testDatasource,
},
@@ -477,9 +478,9 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesGetIdByName should return 200 for user with correct permissions",
url: fmt.Sprintf("/api/datasources/id/%v", testDatasource.Name),
method: http.MethodGet,
permissions: []*accesscontrol.Permission{
permissions: []*ac.Permission{
{
Action: ActionDatasourcesIDRead,
Action: datasources.ActionDatasourcesIDRead,
Scope: fmt.Sprintf("datasources:name:%v", testDatasource.Name),
},
},
@@ -492,7 +493,7 @@ func TestAPI_Datasources_AccessControl(t *testing.T) {
desc: "DatasourcesGetIdByName should return 403 for user without required permissions",
url: fmt.Sprintf("/api/datasources/id/%v", testDatasource.Name),
method: http.MethodGet,
permissions: []*accesscontrol.Permission{{Action: "wrong"}},
permissions: []*ac.Permission{{Action: "wrong"}},
},
expectedDS: &testDatasource,
},
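Review bot: Every 403 case in the visible hunks of TestAPI_Datasources_AccessControl grants `{Action: "wrong"}`, so denial is only exercised for an unknown action and never for the correct action paired with a scope that names a different datasource. Since this commit reworks how datasource scopes are defined and resolved, a regression in scope matching would still pass these cases; consider adding a case per route such as `permissions: []*ac.Permission{{Action: datasources.ActionDatasourcesRead, Scope: fmt.Sprintf("datasources:id:%v", testDatasourceReadOnly.Id)}}` against the `testDatasource` URL with 403 expected (assuming the two fixtures have different ids). The 200 cases also still build per-resource scopes from literal `"datasources:id:%v"`, `"datasources:uid:%v"` and `"datasources:name:%v"` strings; if the scope provider mentioned in the commit message offers a builder for these, using it here would keep the tests tied to the production scope format. The test table starts and continues outside the hunks shown, so such cases may already exist elsewhere.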