Accesscontrol: Apply FGAC to APIKey endpoints (#42659)

* Move definitions to serviceaccounts * Use constant names, add scope to delete * Add descriptions to roles * Rename roles
2025-02-25 18:55:37 -06:00 · 2022-01-04 15:37:40 +01:00
parent 6264bc966f
commit 42ccc44eca
3 changed files with 77 additions and 8 deletions
--- a/pkg/services/serviceaccounts/manager/roles.go
+++ b/pkg/services/serviceaccounts/manager/roles.go
@@ -6,7 +6,23 @@ import (
 )

 var (
-	role = accesscontrol.RoleRegistration{
+	ActionApikeyList          = "apikey:list"
+	ActionApikeyAdd           = "apikey:add"
+	ActionApikeyRemove        = "apikey:remove"
+	ActionApikeyAddAdditional = "apikey:addadditional"
+
+	apikeyWriter = "fixed:apikey:writer"
+	apikeyReader = "fixed:apikey:reader"
+
+	//API key actions
+	ActionApikeyListEv          = accesscontrol.EvalPermission(ActionApikeyList)
+	ActionApikeyAddEv           = accesscontrol.EvalPermission(ActionApikeyAdd)
+	ActionApikeyRemoveEv        = accesscontrol.EvalPermission(ActionApikeyRemove) //Improvement:Check here or in database layer that user has permissiono modify the service account attached to this api key
+	ActionApikeyAddAdditionalEv = accesscontrol.EvalPermission(ActionApikeyAddAdditional)
+)
+
+func RegisterRoles(ac accesscontrol.AccessControl) error {
+	role := accesscontrol.RoleRegistration{
 		Role: accesscontrol.RoleDTO{
 			Version:     3,
 			Name:        "fixed:serviceaccounts:writer",
@@ -29,4 +45,54 @@ var (
 		},
 		Grants: []string{"Admin"},
 	}
-)
+
+	if err := ac.DeclareFixedRoles(role); err != nil {
+		return err
+	}
+
+	apikeyAdminReadRole := accesscontrol.RoleRegistration{
+		Role: accesscontrol.RoleDTO{
+			Version:     1,
+			Name:        apikeyReader,
+			DisplayName: "Apikeys reader",
+			Description: "Gives access to list apikeys.",
+			Group:       "Service accounts",
+			Permissions: []accesscontrol.Permission{
+				{
+					Action: ActionApikeyList,
+					Scope:  accesscontrol.ScopeUsersAll,
+				},
+			},
+		},
+		Grants: []string{"Admin"},
+	}
+	if err := ac.DeclareFixedRoles(apikeyAdminReadRole); err != nil {
+		return err
+	}
+
+	apikeyAdminEditRole := accesscontrol.RoleRegistration{
+		Role: accesscontrol.RoleDTO{
+			Version:     1,
+			Name:        apikeyWriter,
+			DisplayName: "Apikeys writer",
+			Description: "Gives access to add and delete api keys.",
+			Group:       "Service accounts",
+			Permissions: accesscontrol.ConcatPermissions(apikeyAdminReadRole.Role.Permissions, []accesscontrol.Permission{
+				{
+					Action: ActionApikeyAdd,
+					Scope:  accesscontrol.ScopeUsersAll,
+				},
+				{
+					Action: ActionApikeyRemove,
+					Scope:  accesscontrol.ScopeUsersAll,
+				},
+			}),
+		},
+		Grants: []string{"Admin"},
+	}
+	if err := ac.DeclareFixedRoles(apikeyAdminEditRole); err != nil {
+		return err
+	}
+
+	return nil
+}
--- a/pkg/services/serviceaccounts/manager/service.go
+++ b/pkg/services/serviceaccounts/manager/service.go
@@ -35,9 +35,11 @@ func ProvideServiceAccountsService(
 		store: database.NewServiceAccountsStore(store),
 		log:   log.New("serviceaccounts"),
 	}
-	if err := ac.DeclareFixedRoles(role); err != nil {
-		return nil, err
+
+	if err := RegisterRoles(ac); err != nil {
+		s.log.Error("Failed to register roles", "error", err)
 	}
+
 	serviceaccountsAPI := api.NewServiceAccountsAPI(s, ac, routeRegister, s.store)
 	serviceaccountsAPI.RegisterAPIEndpoints(cfg)