Plugins: Migrate licensing and access control to pkg/services/pluginsintegration package (#65258)

* migrate licensing + access control * update package name
2025-02-25 18:55:37 -06:00 · 2023-03-27 10:15:37 +01:00
parent 3b00d2c273
commit 31d6416157
14 changed files with 47 additions and 42 deletions
--- a/pkg/services/pluginsintegration/pluginaccesscontrol/accesscontrol.go
+++ b/pkg/services/pluginsintegration/pluginaccesscontrol/accesscontrol.go
@@ -0,0 +1,75 @@
+package pluginaccesscontrol
+
+import (
+	ac "github.com/grafana/grafana/pkg/services/accesscontrol"
+	contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
+	"github.com/grafana/grafana/pkg/services/org"
+	"github.com/grafana/grafana/pkg/setting"
+)
+
+const (
+	// Plugins actions
+	ActionInstall = "plugins:install"
+	ActionWrite   = "plugins:write"
+
+	// App Plugins actions
+	ActionAppAccess = "plugins.app:access"
+)
+
+var (
+	ScopeProvider = ac.NewScopeProvider("plugins")
+	// Protects access to the Configuration > Plugins page
+	AdminAccessEvaluator = ac.EvalAny(ac.EvalPermission(ActionWrite), ac.EvalPermission(ActionInstall))
+)
+
+func ReqCanAdminPlugins(cfg *setting.Cfg) func(rc *contextmodel.ReqContext) bool {
+	// Legacy handler that protects access to the Configuration > Plugins page
+	return func(rc *contextmodel.ReqContext) bool {
+		return rc.OrgRole == org.RoleAdmin || cfg.PluginAdminEnabled && rc.IsGrafanaAdmin
+	}
+}
+
+func DeclareRBACRoles(service ac.Service, cfg *setting.Cfg) error {
+	AppPluginsReader := ac.RoleRegistration{
+		Role: ac.RoleDTO{
+			Name:        ac.FixedRolePrefix + "plugins.app:reader",
+			DisplayName: "Application Plugins Access",
+			Description: "Access application plugins (still enforcing the organization role)",
+			Group:       "Plugins",
+			Permissions: []ac.Permission{
+				{Action: ActionAppAccess, Scope: ScopeProvider.GetResourceAllScope()},
+			},
+		},
+		Grants: []string{string(org.RoleViewer)},
+	}
+	PluginsWriter := ac.RoleRegistration{
+		Role: ac.RoleDTO{
+			Name:        ac.FixedRolePrefix + "plugins:writer",
+			DisplayName: "Plugin Writer",
+			Description: "Enable and disable plugins and edit plugins' settings",
+			Group:       "Plugins",
+			Permissions: []ac.Permission{
+				{Action: ActionWrite, Scope: ScopeProvider.GetResourceAllScope()},
+			},
+		},
+		Grants: []string{string(org.RoleAdmin)},
+	}
+	PluginsMaintainer := ac.RoleRegistration{
+		Role: ac.RoleDTO{
+			Name:        ac.FixedRolePrefix + "plugins:maintainer",
+			DisplayName: "Plugin Maintainer",
+			Description: "Install, uninstall plugins",
+			Group:       "Plugins",
+			Permissions: []ac.Permission{
+				{Action: ActionInstall},
+			},
+		},
+		Grants: []string{ac.RoleGrafanaAdmin},
+	}
+
+	if !cfg.PluginAdminEnabled || cfg.PluginAdminExternalManageEnabled {
+		PluginsMaintainer.Grants = []string{}
+	}
+
+	return service.DeclareFixedRoles(AppPluginsReader, PluginsWriter, PluginsMaintainer)
+}