IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

RBAC: Validate plugin app access permission targets the plugin (#59468)

Browse Source 
* RBAC: Validate plugin app access permission targets the plugin

* Fix service test
This commit is contained in:
Gabriel MABILLE 2022-11-30 13:55:07 +01:00 committed by GitHub
parent ddc3706f19
commit 32a498e04f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 32 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/services/accesscontrol/acimpl/service_test.go
View File

@ -189,7 +189,7 @@ func TestService_DeclarePluginRoles(t *testing.T) {
Role: plugins.Role{ Role: plugins.Role{
Name: "Tester", Name: "Tester",
Permissions: []plugins.Permission{ Permissions: []plugins.Permission{
{Action: "plugins.app:access"}, {Action: "plugins.app:access", Scope: "plugins:id:test-app"},
{Action: "test-app:read"}, {Action: "test-app:read"},
{Action: "test-app.resource:read"}, {Action: "test-app.resource:read"},
}, },

14
pkg/services/accesscontrol/errors.go
View File

@ -44,3 +44,17 @@ func (e *ErrorActionPrefixMissing) Error() string {
func (e *ErrorActionPrefixMissing) Unwrap() error { func (e *ErrorActionPrefixMissing) Unwrap() error {
return &ErrorInvalidRole{} return &ErrorInvalidRole{}
} }
type ErrorScopeTarget struct {
Action string
Scope string
ExpectedScope string
}
func (e *ErrorScopeTarget) Error() string {
return fmt.Sprintf("expected action '%s' to be scoped with '%v', found '%v'", e.Action, e.ExpectedScope, e.Scope)
}
func (e *ErrorScopeTarget) Unwrap() error {
return &ErrorInvalidRole{}
}

5
pkg/services/accesscontrol/pluginutils/utils.go
View File

@ -17,6 +17,11 @@ func ValidatePluginPermissions(pluginID string, permissions []ac.Permission) err
return &ac.ErrorActionPrefixMissing{Action: permissions[i].Action, return &ac.ErrorActionPrefixMissing{Action: permissions[i].Action,
Prefixes: []string{plugins.ActionAppAccess, pluginID + ":", pluginID + "."}} Prefixes: []string{plugins.ActionAppAccess, pluginID + ":", pluginID + "."}}
} }
if strings.HasPrefix(permissions[i].Action, plugins.ActionAppAccess) &&
permissions[i].Scope != plugins.ScopeProvider.GetResourceScope(pluginID) {
return &ac.ErrorScopeTarget{Action: permissions[i].Action, Scope: permissions[i].Scope,
ExpectedScope: plugins.ScopeProvider.GetResourceScope(pluginID)}
}
} }
return nil return nil

13
pkg/services/accesscontrol/pluginutils/utils_test.go
View File

@ -122,12 +122,23 @@ func TestValidatePluginRole(t *testing.T) {
role: ac.RoleDTO{ role: ac.RoleDTO{
Name: "plugins:test-app:reader", Name: "plugins:test-app:reader",
Permissions: []ac.Permission{ Permissions: []ac.Permission{
{Action: "plugins.app:access"}, {Action: "plugins.app:access", Scope: "plugins:id:test-app"},
{Action: "test-app:read"}, {Action: "test-app:read"},
{Action: "test-app.resources:read"}, {Action: "test-app.resources:read"},
}, },
}, },
}, },
{
name: "invalid permission targets other plugin",
pluginID: "test-app",
role: ac.RoleDTO{
Name: "plugins:test-app:reader",
Permissions: []ac.Permission{
{Action: "plugins.app:access", Scope: "plugins:id:other-app"},
},
},
wantErr: &ac.ErrorInvalidRole{},
},
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {