IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2024-12-26 08:51:33 -06:00
Code Issues Packages Projects Releases Wiki Activity

Access: Fetch fresh permissions for target GlobalOrgID in AuthorizeInOrgMiddleware (#76569)

Browse Source 
fetch fresh permissions for global in AuthorizeInOrgMiddleware

Update pkg/services/accesscontrol/authorize_in_org_test.go

do not load viewer permissions in global ID
This commit is contained in:
Jo 2023-10-13 20:01:47 +02:00 committed by GitHub
parent 335b73d9ae
commit 48ef88aed7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 50 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
pkg/api/org_test.go
View File

@ -249,11 +249,11 @@ func TestAPIEndpoint_GetOrg(t *testing.T) {
server := SetupAPITestServer(t, func(hs *HTTPServer) { server := SetupAPITestServer(t, func(hs *HTTPServer) {
hs.Cfg = setting.NewCfg() hs.Cfg = setting.NewCfg()
hs.orgService = &orgtest.FakeOrgService{ExpectedOrg: &org.Org{}} hs.orgService = &orgtest.FakeOrgService{ExpectedOrg: &org.Org{}}
hs.userService = &usertest.FakeUserService{ExpectedSignedInUser: &user.SignedInUser{OrgID: 0}} hs.userService = &usertest.FakeUserService{ExpectedSignedInUser: &user.SignedInUser{OrgID: 1}}
hs.accesscontrolService = &actest.FakeService{ExpectedPermissions: tt.permissions} hs.accesscontrolService = &actest.FakeService{ExpectedPermissions: tt.permissions}
}) })
verify := func(path string) { verify := func(path string) {
req := webtest.RequestWithSignedInUser(server.NewGetRequest(path), userWithPermissions(2, tt.permissions)) req := webtest.RequestWithSignedInUser(server.NewGetRequest(path), authedUserWithPermissions(1, 1, tt.permissions))
res, err := server.Send(req) res, err := server.Send(req)
require.NoError(t, err) require.NoError(t, err)
assert.Equal(t, tt.expectedCode, res.StatusCode) assert.Equal(t, tt.expectedCode, res.StatusCode)

32
pkg/services/accesscontrol/authorize_in_org_test.go
View File

@ -35,16 +35,18 @@ func TestAuthorizeInOrgMiddleware(t *testing.T) {
expectedStatus int expectedStatus int
}{ }{
{ {
name: "should authorize user with global org ID - no fetch", name: "should authorize user with global org ID - fetch",
orgIDGetter: func(c *contextmodel.ReqContext) (int64, error) { orgIDGetter: func(c *contextmodel.ReqContext) (int64, error) {
return accesscontrol.GlobalOrgID, nil return accesscontrol.GlobalOrgID, nil
}, },
evaluator: accesscontrol.EvalPermission("users:read", "users:*"), evaluator: accesscontrol.EvalPermission("users:read", "users:*"),
accessControl: ac, accessControl: ac,
acService: &actest.FakeService{},
userCache: &usertest.FakeUserService{}, userCache: &usertest.FakeUserService{},
ctxSignedInUser: &user.SignedInUser{UserID: 1, OrgID: 1, Permissions: map[int64]map[string][]string{1: {"users:read": {"users:*"}}}}, ctxSignedInUser: &user.SignedInUser{UserID: 1, OrgID: 1, Permissions: map[int64]map[string][]string{1: {"users:read": {"users:*"}}}},
expectedStatus: http.StatusOK, acService: &actest.FakeService{
ExpectedPermissions: []accesscontrol.Permission{{Action: "users:read", Scope: "users:*"}},
},
expectedStatus: http.StatusOK,
}, },
{ {
name: "should authorize user with non-global org ID - no fetch", name: "should authorize user with non-global org ID - no fetch",
@ -70,6 +72,30 @@ func TestAuthorizeInOrgMiddleware(t *testing.T) {
acService: &actest.FakeService{}, acService: &actest.FakeService{},
expectedStatus: http.StatusForbidden, expectedStatus: http.StatusForbidden,
}, },
{
name: "should return 200 when user has permissions for a global org",
orgIDGetter: func(c *contextmodel.ReqContext) (int64, error) {
return accesscontrol.GlobalOrgID, nil
},
evaluator: accesscontrol.EvalPermission("users:read", "users:*"),
accessControl: ac,
userCache: &usertest.FakeUserService{},
ctxSignedInUser: &user.SignedInUser{UserID: 1, OrgID: 1, Permissions: map[int64]map[string][]string{accesscontrol.GlobalOrgID: {"users:read": {"users:*"}}}},
acService: &actest.FakeService{},
expectedStatus: http.StatusOK,
},
{
name: "should return 403 when user has no permissions for a global org",
orgIDGetter: func(c *contextmodel.ReqContext) (int64, error) {
return accesscontrol.GlobalOrgID, nil
},
evaluator: accesscontrol.EvalPermission("users:read", "users:*"),
accessControl: ac,
userCache: &usertest.FakeUserService{},
ctxSignedInUser: &user.SignedInUser{UserID: 1, OrgID: 1, Permissions: map[int64]map[string][]string{1: {"users:read": {"users:*"}}}},
acService: &actest.FakeService{},
expectedStatus: http.StatusForbidden,
},
{ {
name: "should return 403 when user org ID doesn't match and user does not exist in org 2", name: "should return 403 when user org ID doesn't match and user does not exist in org 2",
orgIDGetter: func(c *contextmodel.ReqContext) (int64, error) { orgIDGetter: func(c *contextmodel.ReqContext) (int64, error) {

31
pkg/services/accesscontrol/middleware.go
View File

@ -190,19 +190,26 @@ func AuthorizeInOrgMiddleware(ac AccessControl, service Service, cache userCache
return return
} }
if targetOrgID != GlobalOrgID && userCopy.Permissions[targetOrgID] == nil { if userCopy.OrgID != targetOrgID {
query := user.GetSignedInUserQuery{UserID: c.UserID, OrgID: targetOrgID} switch targetOrgID {
queryResult, err := cache.GetSignedInUserWithCacheCtx(c.Req.Context(), &query) case GlobalOrgID:
if err != nil { userCopy.OrgID = GlobalOrgID
deny(c, nil, fmt.Errorf("failed to authenticate user in target org: %w", err)) userCopy.OrgRole = org.RoleNone
return userCopy.OrgName = ""
default:
query := user.GetSignedInUserQuery{UserID: c.UserID, OrgID: targetOrgID}
queryResult, err := cache.GetSignedInUserWithCacheCtx(c.Req.Context(), &query)
if err != nil {
deny(c, nil, fmt.Errorf("failed to authenticate user in target org: %w", err))
return
}
userCopy.OrgID = queryResult.OrgID
userCopy.OrgName = queryResult.OrgName
userCopy.OrgRole = queryResult.OrgRole
} }
userCopy.OrgID = queryResult.OrgID
userCopy.OrgName = queryResult.OrgName
userCopy.OrgRole = queryResult.OrgRole
} }
if userCopy.Permissions[userCopy.OrgID] == nil { if userCopy.Permissions[targetOrgID] == nil {
permissions, err := service.GetUserPermissions(c.Req.Context(), &userCopy, Options{}) permissions, err := service.GetUserPermissions(c.Req.Context(), &userCopy, Options{})
if err != nil { if err != nil {
deny(c, nil, fmt.Errorf("failed to authenticate user in target org: %w", err)) deny(c, nil, fmt.Errorf("failed to authenticate user in target org: %w", err))
@ -212,7 +219,7 @@ func AuthorizeInOrgMiddleware(ac AccessControl, service Service, cache userCache
if userCopy.Permissions == nil { if userCopy.Permissions == nil {
userCopy.Permissions = make(map[int64]map[string][]string) userCopy.Permissions = make(map[int64]map[string][]string)
} }
userCopy.Permissions[userCopy.OrgID] = GroupScopesByAction(permissions) userCopy.Permissions[targetOrgID] = GroupScopesByAction(permissions)
} }
authorize(c, ac, &userCopy, evaluator) authorize(c, ac, &userCopy, evaluator)
@ -221,7 +228,7 @@ func AuthorizeInOrgMiddleware(ac AccessControl, service Service, cache userCache
if c.SignedInUser.Permissions == nil { if c.SignedInUser.Permissions == nil {
c.SignedInUser.Permissions = make(map[int64]map[string][]string) c.SignedInUser.Permissions = make(map[int64]map[string][]string)
} }
c.SignedInUser.Permissions[userCopy.OrgID] = userCopy.Permissions[userCopy.OrgID] c.SignedInUser.Permissions[targetOrgID] = userCopy.Permissions[targetOrgID]
} }
} }
} }