Advisor: Implement authorizer (#99440)

2025-02-25 18:55:37 -06:00 · 2025-01-23 17:00:02 +01:00 · 2025-01-23 17:00:02 +01:00 · 3993d691f4
commit 3993d691f4
parent a540c2fe7c
5 changed files with 113 additions and 3 deletions
--- a/apps/advisor/pkg/app/authorizer.go
+++ b/apps/advisor/pkg/app/authorizer.go
@ -0,0 +1,31 @@
+package app
+
+import (
+	"context"
+
+	"github.com/grafana/grafana/pkg/apimachinery/identity"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+)
+
+func GetAuthorizer() authorizer.Authorizer {
+	return authorizer.AuthorizerFunc(func(
+		ctx context.Context, attr authorizer.Attributes,
+	) (authorized authorizer.Decision, reason string, err error) {
+		if !attr.IsResourceRequest() {
+			return authorizer.DecisionNoOpinion, "", nil
+		}
+
+		// require a user
+		u, err := identity.GetRequester(ctx)
+		if err != nil {
+			return authorizer.DecisionDeny, "valid user is required", err
+		}
+
+		// check if is admin
+		if u.GetIsGrafanaAdmin() {
+			return authorizer.DecisionAllow, "", nil
+		}
+
+		return authorizer.DecisionDeny, "forbidden", nil
+	})
+}
--- a/apps/advisor/pkg/app/authorizer_test.go
+++ b/apps/advisor/pkg/app/authorizer_test.go
@ -0,0 +1,78 @@
+package app
+
+import (
+	"context"
+	"testing"
+
+	"github.com/grafana/grafana/pkg/apimachinery/identity"
+	"github.com/stretchr/testify/assert"
+	"k8s.io/apiserver/pkg/authorization/authorizer"
+)
+
+func TestGetAuthorizer(t *testing.T) {
+	tests := []struct {
+		name             string
+		ctx              context.Context
+		attr             authorizer.Attributes
+		expectedDecision authorizer.Decision
+		expectedReason   string
+		expectedErr      error
+	}{
+		{
+			name:             "non-resource request",
+			ctx:              context.TODO(),
+			attr:             &mockAttributes{resourceRequest: false},
+			expectedDecision: authorizer.DecisionNoOpinion,
+			expectedReason:   "",
+			expectedErr:      nil,
+		},
+		{
+			name:             "user is admin",
+			ctx:              identity.WithRequester(context.TODO(), &mockUser{isGrafanaAdmin: true}),
+			attr:             &mockAttributes{resourceRequest: true},
+			expectedDecision: authorizer.DecisionAllow,
+			expectedReason:   "",
+			expectedErr:      nil,
+		},
+		{
+			name:             "user is not admin",
+			ctx:              identity.WithRequester(context.TODO(), &mockUser{isGrafanaAdmin: false}),
+			attr:             &mockAttributes{resourceRequest: true},
+			expectedDecision: authorizer.DecisionDeny,
+			expectedReason:   "forbidden",
+			expectedErr:      nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			auth := GetAuthorizer()
+			decision, reason, err := auth.Authorize(tt.ctx, tt.attr)
+			assert.Equal(t, tt.expectedDecision, decision)
+			assert.Equal(t, tt.expectedReason, reason)
+			assert.Equal(t, tt.expectedErr, err)
+		})
+	}
+}
+
+type mockAttributes struct {
+	authorizer.Attributes
+	resourceRequest bool
+}
+
+func (m *mockAttributes) IsResourceRequest() bool {
+	return m.resourceRequest
+}
+
+// Implement other methods of authorizer.Attributes as needed
+
+type mockUser struct {
+	identity.Requester
+	isGrafanaAdmin bool
+}
+
+func (m *mockUser) GetIsGrafanaAdmin() bool {
+	return m.isGrafanaAdmin
+}
+
+// Implement other methods of identity.Requester as needed
--- a/go.mod
+++ b/go.mod
@ -198,7 +198,7 @@ require (
 )

 require (
-	github.com/grafana/grafana/apps/advisor v0.0.0-20250121115006-c1eac9f9973f // @grafana/plugins-platform-backend
+	github.com/grafana/grafana/apps/advisor v0.0.0-20250123151950-b066a6313173 // @grafana/plugins-platform-backend
 	github.com/grafana/grafana/apps/alerting/notifications v0.0.0-20250121113133-e747350fee2d // @grafana/alerting-backend
 	github.com/grafana/grafana/apps/investigation v0.0.0-20250121113133-e747350fee2d // @fcjack @matryer
 	github.com/grafana/grafana/apps/playlist v0.0.0-20250121113133-e747350fee2d // @grafana/grafana-app-platform-squad
--- a/go.sum
+++ b/go.sum
@ -1532,8 +1532,8 @@ github.com/grafana/grafana-openapi-client-go v0.0.0-20231213163343-bd475d63fb79
 github.com/grafana/grafana-openapi-client-go v0.0.0-20231213163343-bd475d63fb79/go.mod h1:wc6Hbh3K2TgCUSfBC/BOzabItujtHMESZeFk5ZhdxhQ=
 github.com/grafana/grafana-plugin-sdk-go v0.262.0 h1:R2DV6lwBQE5zaogxX3PorD9Seo8CXA8YuStf84oqwkk=
 github.com/grafana/grafana-plugin-sdk-go v0.262.0/go.mod h1:U43Cnrj/9DNYyvFcNdeUWNjMXTKNB0jcTcQGpWKd2gw=
-github.com/grafana/grafana/apps/advisor v0.0.0-20250121115006-c1eac9f9973f h1:c8IkbxPvM6+lscVOLgtbt8Gnro4Liltd+E2eqkoAeZA=
-github.com/grafana/grafana/apps/advisor v0.0.0-20250121115006-c1eac9f9973f/go.mod h1:goSDiy3jtC2cp8wjpPZdUHRENcoSUHae1/Px/MDfddA=
+github.com/grafana/grafana/apps/advisor v0.0.0-20250123151950-b066a6313173 h1:uOM89HiWVVOTls0LrD4coHTckb2lA4U0sIJwCYdbhbw=
+github.com/grafana/grafana/apps/advisor v0.0.0-20250123151950-b066a6313173/go.mod h1:goSDiy3jtC2cp8wjpPZdUHRENcoSUHae1/Px/MDfddA=
 github.com/grafana/grafana/apps/alerting/notifications v0.0.0-20250121113133-e747350fee2d h1:NRVOtiG1aUwOazBj9KM7X2o2shsM6TchqisezzoH1gw=
 github.com/grafana/grafana/apps/alerting/notifications v0.0.0-20250121113133-e747350fee2d/go.mod h1:AvleS6icyPmcBjihtx5jYEvdzLmHGBp66NuE0AMR57A=
 github.com/grafana/grafana/apps/investigation v0.0.0-20250121113133-e747350fee2d h1:oNc/aDfDucQxLbRZK25yz3Cwc+dGo1C0Xmm2LaliWUQ=
--- a/pkg/registry/apps/advisor/register.go
+++ b/pkg/registry/apps/advisor/register.go
@ -21,6 +21,7 @@ func RegisterApp(
 	appCfg := &runner.AppBuilderConfig{
 		OpenAPIDefGetter: advisorv0alpha1.GetOpenAPIDefinitions,
 		ManagedKinds:     advisorapp.GetKinds(),
+		Authorizer:       advisorapp.GetAuthorizer(),
 		CustomConfig:     any(checkRegistry),
 	}
 	provider.Provider = simple.NewAppProvider(apis.LocalManifest(), appCfg, advisorapp.New)