IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

AccessControl: Add access control metadata to org user DTOs (#43362)

Browse Source 
* AccessControl: Add access control metadata to OrgUserDTO

* AccessControl: get User AC metadata

* AccessControl: return User Access Control metadata when requested
This commit is contained in:
J Guerreiro 2021-12-22 17:46:33 +00:00 committed by GitHub
parent 98bf9a6d2a
commit 3d4fafcf70
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 102 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
pkg/api/org_users.go
View File

@ -3,11 +3,13 @@ package api
import ( import (
"context" "context"
"errors" "errors"
"fmt"
"net/http" "net/http"
"github.com/grafana/grafana/pkg/api/dtos" "github.com/grafana/grafana/pkg/api/dtos"
"github.com/grafana/grafana/pkg/api/response" "github.com/grafana/grafana/pkg/api/response"
"github.com/grafana/grafana/pkg/models" "github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/util" "github.com/grafana/grafana/pkg/util"
"github.com/grafana/grafana/pkg/web" "github.com/grafana/grafana/pkg/web"
) )
@ -65,7 +67,7 @@ func (hs *HTTPServer) addOrgUserHelper(ctx context.Context, cmd models.AddOrgUse
// GET /api/org/users // GET /api/org/users
func (hs *HTTPServer) GetOrgUsersForCurrentOrg(c *models.ReqContext) response.Response { func (hs *HTTPServer) GetOrgUsersForCurrentOrg(c *models.ReqContext) response.Response {
result, err := hs.getOrgUsersHelper(c.Req.Context(), &models.GetOrgUsersQuery{ result, err := hs.getOrgUsersHelper(c, &models.GetOrgUsersQuery{
OrgId: c.OrgId, OrgId: c.OrgId,
Query: c.Query("query"), Query: c.Query("query"),
Limit: c.QueryInt("limit"), Limit: c.QueryInt("limit"),
@ -80,7 +82,7 @@ func (hs *HTTPServer) GetOrgUsersForCurrentOrg(c *models.ReqContext) response.Re
// GET /api/org/users/lookup // GET /api/org/users/lookup
func (hs *HTTPServer) GetOrgUsersForCurrentOrgLookup(c *models.ReqContext) response.Response { func (hs *HTTPServer) GetOrgUsersForCurrentOrgLookup(c *models.ReqContext) response.Response {
orgUsers, err := hs.getOrgUsersHelper(c.Req.Context(), &models.GetOrgUsersQuery{ orgUsers, err := hs.getOrgUsersHelper(c, &models.GetOrgUsersQuery{
OrgId: c.OrgId, OrgId: c.OrgId,
Query: c.Query("query"), Query: c.Query("query"),
Limit: c.QueryInt("limit"), Limit: c.QueryInt("limit"),
@ -103,9 +105,30 @@ func (hs *HTTPServer) GetOrgUsersForCurrentOrgLookup(c *models.ReqContext) respo
return response.JSON(200, result) return response.JSON(200, result)
} }
func (hs *HTTPServer) getUserAccessControlMetadata(c *models.ReqContext, userID int64) (accesscontrol.Metadata, error) {
if hs.AccessControl == nil || hs.AccessControl.IsDisabled() || !c.QueryBool("accesscontrol") {
return nil, nil
}
userPermissions, err := hs.AccessControl.GetUserPermissions(c.Req.Context(), c.SignedInUser)
if err != nil || len(userPermissions) == 0 {
return nil, err
}
key := fmt.Sprintf("%d", userID)
userIDs := map[string]bool{key: true}
metadata, err := accesscontrol.GetResourcesMetadata(c.Req.Context(), userPermissions, "users", userIDs)
if err != nil {
return nil, err
}
return metadata[key], err
}
// GET /api/orgs/:orgId/users // GET /api/orgs/:orgId/users
func (hs *HTTPServer) GetOrgUsers(c *models.ReqContext) response.Response { func (hs *HTTPServer) GetOrgUsers(c *models.ReqContext) response.Response {
result, err := hs.getOrgUsersHelper(c.Req.Context(), &models.GetOrgUsersQuery{ result, err := hs.getOrgUsersHelper(c, &models.GetOrgUsersQuery{
OrgId: c.ParamsInt64(":orgId"), OrgId: c.ParamsInt64(":orgId"),
Query: "", Query: "",
Limit: 0, Limit: 0,
@ -118,8 +141,8 @@ func (hs *HTTPServer) GetOrgUsers(c *models.ReqContext) response.Response {
return response.JSON(200, result) return response.JSON(200, result)
} }
func (hs *HTTPServer) getOrgUsersHelper(ctx context.Context, query *models.GetOrgUsersQuery, signedInUser *models.SignedInUser) ([]*models.OrgUserDTO, error) { func (hs *HTTPServer) getOrgUsersHelper(c *models.ReqContext, query *models.GetOrgUsersQuery, signedInUser *models.SignedInUser) ([]*models.OrgUserDTO, error) {
if err := hs.SQLStore.GetOrgUsers(ctx, query); err != nil { if err := hs.SQLStore.GetOrgUsers(c.Req.Context(), query); err != nil {
return nil, err return nil, err
} }
@ -130,6 +153,13 @@ func (hs *HTTPServer) getOrgUsersHelper(ctx context.Context, query *models.GetOr
} }
user.AvatarUrl = dtos.GetGravatarUrl(user.Email) user.AvatarUrl = dtos.GetGravatarUrl(user.Email)
accessControlMetadata, errAC := hs.getUserAccessControlMetadata(c, user.UserId)
if errAC != nil {
hs.log.Error("Failed to get access control metadata", "error", errAC)
}
user.AccessControl = accessControlMetadata
filteredUsers = append(filteredUsers, user) filteredUsers = append(filteredUsers, user)
} }

57
pkg/api/org_users_test.go
View File

@ -297,6 +297,63 @@ func setupOrgUsersDBForAccessControlTests(t *testing.T, db sqlstore.SQLStore) {
require.NoError(t, err) require.NoError(t, err)
} }
func TestGetOrgUsersAPIEndpoint_AccessControlMetadata(t *testing.T) {
url := "/api/orgs/%v/users?accesscontrol=true"
type testCase struct {
name string
enableAccessControl bool
expectedCode int
expectedMetadata map[string]bool
user models.SignedInUser
targetOrg int64
}
tests := []testCase{
{
name: "access control metadata not requested",
enableAccessControl: false,
expectedCode: http.StatusOK,
expectedMetadata: nil,
user: testServerAdminViewer,
targetOrg: testServerAdminViewer.OrgId,
},
{
name: "access control metadata requested",
enableAccessControl: true,
expectedCode: http.StatusOK,
expectedMetadata: map[string]bool{
"org.users.role:update": true,
"org.users:add": true,
"org.users:read": true,
"org.users:remove": true},
user: testServerAdminViewer,
targetOrg: testServerAdminViewer.OrgId,
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
sc := setupHTTPServer(t, false, tc.enableAccessControl)
setupOrgUsersDBForAccessControlTests(t, *sc.db)
setInitCtxSignedInUser(sc.initCtx, tc.user)
// Perform test
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(url, tc.targetOrg), nil, t)
require.Equal(t, tc.expectedCode, response.Code)
var userList []*models.OrgUserDTO
err := json.NewDecoder(response.Body).Decode(&userList)
require.NoError(t, err)
if tc.expectedMetadata != nil {
assert.Equal(t, tc.expectedMetadata, userList[0].AccessControl)
} else {
assert.Nil(t, userList[0].AccessControl)
}
})
}
}
func TestGetOrgUsersAPIEndpoint_AccessControl(t *testing.T) { func TestGetOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
url := "/api/orgs/%v/users/" url := "/api/orgs/%v/users/"
type testCase struct { type testCase struct {

19
pkg/models/org_user.go
View File

@ -134,13 +134,14 @@ type SearchOrgUsersQueryResult struct {
// Projections and DTOs // Projections and DTOs
type OrgUserDTO struct { type OrgUserDTO struct {
OrgId int64 `json:"orgId"` OrgId int64 `json:"orgId"`
UserId int64 `json:"userId"` UserId int64 `json:"userId"`
Email string `json:"email"` Email string `json:"email"`
Name string `json:"name"` Name string `json:"name"`
AvatarUrl string `json:"avatarUrl"` AvatarUrl string `json:"avatarUrl"`
Login string `json:"login"` Login string `json:"login"`
Role string `json:"role"` Role string `json:"role"`
LastSeenAt time.Time `json:"lastSeenAt"` LastSeenAt time.Time `json:"lastSeenAt"`
LastSeenAtAge string `json:"lastSeenAtAge"` LastSeenAtAge string `json:"lastSeenAtAge"`
AccessControl map[string]bool `json:"accessControl,omitempty"`
} }