AccessControl: frontend changes for adding FGAC to licensing (#39484)

* refactor licenseURL function to use context and export permission evaluation fction

* remove provisioning file

* refactor licenseURL to take in a bool to avoid circular dependencies

* remove function for appending nav link, as it was only used once and move the function to create admin node

* better argument names

* create a function for permission checking

* extend permission checking when displaying server stats

* enable the use of enterprise access control actions when evaluating permissions

* import ordering

* move licensing FGAC action definitions to models package to allow access from oss

* move evaluatePermissions for routes to context serve

* change permission evaluator to take in more permissions

* move licensing FGAC actions again to appease wire

* avoid index out of bounds issue in case no children are passed in when creating server admin node

* simplify syntax for permission checking

Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>

* update loading state for server stats

* linting

* more linting

* fix test

* fix a frontend test

* update "licensing.reports:read" action naming

* UI doesn't allow reading only licensing reports and not the rest of licensing info

Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
This commit is contained in:
Ieva 2021-10-05 14:54:26 +01:00 committed by GitHub
parent f384288183
commit 52220b2470
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 92 additions and 57 deletions

View File

@ -4,16 +4,15 @@ import (
"errors"
"strconv"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/tsdb/grafanads"
"github.com/grafana/grafana/pkg/components/simplejson"
"github.com/grafana/grafana/pkg/util"
"github.com/grafana/grafana/pkg/bus"
"github.com/grafana/grafana/pkg/components/simplejson"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/tsdb/grafanads"
"github.com/grafana/grafana/pkg/util"
)
func (hs *HTTPServer) getFSDataSources(c *models.ReqContext, enabledPlugins *plugins.EnabledPlugins) (map[string]interface{}, error) {
@ -196,6 +195,8 @@ func (hs *HTTPServer) getFrontendSettingsMap(c *models.ReqContext) (map[string]i
buildstamp = 0
}
hasAccess := accesscontrol.HasAccess(hs.AccessControl, c)
jsonObj := map[string]interface{}{
"defaultDatasource": defaultDS,
"datasources": dataSources,
@ -247,7 +248,7 @@ func (hs *HTTPServer) getFrontendSettingsMap(c *models.ReqContext) (map[string]i
"hasValidLicense": hs.License.HasValidLicense(),
"expiry": hs.License.Expiry(),
"stateInfo": hs.License.StateInfo(),
"licenseUrl": hs.License.LicenseURL(c.SignedInUser),
"licenseUrl": hs.License.LicenseURL(hasAccess(accesscontrol.ReqGrafanaAdmin, accesscontrol.LicensingPageReaderAccess)),
"edition": hs.License.Edition(),
},
"featureToggles": hs.Cfg.FeatureToggles,

View File

@ -8,19 +8,15 @@ import (
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/grafana/grafana/pkg/plugins/manager"
"github.com/grafana/grafana/pkg/services/rendering"
"github.com/grafana/grafana/pkg/services/licensing"
"github.com/grafana/grafana/pkg/bus"
"github.com/grafana/grafana/pkg/services/sqlstore"
"gopkg.in/macaron.v1"
"github.com/grafana/grafana/pkg/bus"
"github.com/grafana/grafana/pkg/plugins/manager"
accesscontrolmock "github.com/grafana/grafana/pkg/services/accesscontrol/mock"
"github.com/grafana/grafana/pkg/services/licensing"
"github.com/grafana/grafana/pkg/services/rendering"
"github.com/grafana/grafana/pkg/services/sqlstore"
"github.com/grafana/grafana/pkg/setting"
)
@ -54,6 +50,7 @@ func setupTestEnvironment(t *testing.T, cfg *setting.Cfg) (*macaron.Macaron, *HT
RenderService: r,
SQLStore: sqlStore,
PluginManager: pm,
AccessControl: accesscontrolmock.New().WithDisabled(),
}
m := macaron.New()

View File

@ -6,6 +6,7 @@ import (
"strings"
"github.com/grafana/grafana/pkg/api/dtos"
"github.com/grafana/grafana/pkg/api/navlinks"
"github.com/grafana/grafana/pkg/bus"
"github.com/grafana/grafana/pkg/models"
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
@ -347,16 +348,8 @@ func (hs *HTTPServer) getNavTree(c *models.ReqContext, hasEditPerm bool) ([]*dto
adminNavLinks := hs.buildAdminNavLinks(c)
if len(adminNavLinks) > 0 {
navTree = append(navTree, &dtos.NavLink{
Text: "Server Admin",
SubTitle: "Manage all users and orgs",
HideFromTabs: true,
Id: "admin",
Icon: "shield",
Url: adminNavLinks[0].Url,
SortWeight: dtos.WeightAdmin,
Children: adminNavLinks,
})
serverAdminNode := navlinks.GetServerAdminNode(adminNavLinks)
navTree = append(navTree, serverAdminNode)
}
helpVersion := fmt.Sprintf(`%s v%s (%s)`, setting.ApplicationName, setting.BuildVersion, setting.BuildCommit)

View File

@ -0,0 +1,20 @@
package navlinks
import "github.com/grafana/grafana/pkg/api/dtos"
func GetServerAdminNode(children []*dtos.NavLink) *dtos.NavLink {
url := ""
if len(children) > 0 {
url = children[0].Url
}
return &dtos.NavLink{
Text: "Server Admin",
SubTitle: "Manage all users and orgs",
HideFromTabs: true,
Id: "admin",
Icon: "shield",
Url: url,
SortWeight: dtos.WeightAdmin,
Children: children,
}
}

View File

@ -16,7 +16,7 @@ type Licensing interface {
// Used to build content delivery URL
ContentDeliveryPrefix() string
LicenseURL(user *SignedInUser) string
LicenseURL(showAdminLicensingPage bool) string
StateInfo() string
}

View File

@ -13,7 +13,6 @@ import (
"github.com/grafana/grafana-aws-sdk/pkg/awsds"
"github.com/grafana/grafana-plugin-sdk-go/backend"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/plugins/backendplugin"
"github.com/grafana/grafana/pkg/setting"
"github.com/stretchr/testify/require"
@ -493,7 +492,7 @@ func (t *testLicensingService) ContentDeliveryPrefix() string {
return ""
}
func (t *testLicensingService) LicenseURL(user *models.SignedInUser) string {
func (t *testLicensingService) LicenseURL(showAdminLicensingPage bool) string {
return ""
}

View File

@ -197,8 +197,20 @@ const (
// Settings scope
ScopeSettingsAll = "settings:*"
// Licensing related actions
ActionLicensingRead = "licensing:read"
ActionLicensingUpdate = "licensing:update"
ActionLicensingDelete = "licensing:delete"
ActionLicensingReportsRead = "licensing.reports:read"
)
const RoleGrafanaAdmin = "Grafana Admin"
const FixedRolePrefix = "fixed:"
// LicensingPageReaderAccess defines permissions that grant access to the licensing and stats page
var LicensingPageReaderAccess = EvalAny(
EvalPermission(ActionLicensingRead),
EvalPermission(ActionServerStatsRead),
)

View File

@ -36,8 +36,8 @@ func (*OSSLicensingService) ContentDeliveryPrefix() string {
return "grafana-oss"
}
func (l *OSSLicensingService) LicenseURL(user *models.SignedInUser) string {
if user.IsGrafanaAdmin {
func (l *OSSLicensingService) LicenseURL(showAdminLicensingPage bool) string {
if showAdminLicensingPage {
return l.Cfg.AppSubURL + "/admin/upgrading"
}
@ -59,7 +59,7 @@ func ProvideService(cfg *setting.Cfg, hooksService *hooks.HooksService) *OSSLice
node.Children = append(node.Children, &dtos.NavLink{
Text: "Stats and license",
Id: "upgrading",
Url: l.LicenseURL(req.SignedInUser),
Url: l.LicenseURL(req.IsGrafanaAdmin),
Icon: "unlock",
})
}

View File

@ -89,7 +89,7 @@ export class ContextSrv {
}
isGrafanaVisible() {
return !!(document.visibilityState === undefined || document.visibilityState === 'visible');
return document.visibilityState === undefined || document.visibilityState === 'visible';
}
// checks whether the passed interval is longer than the configured minimum refresh rate
@ -113,6 +113,25 @@ export class ContextSrv {
}
return (this.isEditor || config.viewersCanEdit) && config.exploreEnabled;
}
hasAccess(action: string, fallBack: boolean) {
if (!config.featureToggles['accesscontrol']) {
return fallBack;
}
return this.hasPermission(action);
}
// evaluates access control permissions, granting access if the user has any of them; uses fallback if access control is disabled
evaluatePermission(fallback: () => string[], actions: string[]) {
if (!config.featureToggles['accesscontrol']) {
return fallback();
}
if (actions.some((action) => this.hasPermission(action))) {
return [];
}
// Hack to reject when user does not have permission
return ['Reject'];
}
}
let contextSrv = new ContextSrv();

View File

@ -26,6 +26,11 @@ const stats: ServerStat = {
jest.mock('./state/apis', () => ({
getServerStats: async () => stats,
}));
jest.mock('../../core/services/context_srv', () => ({
contextSrv: {
hasAccess: () => true,
},
}));
describe('ServerStats', () => {
it('Should render page with stats', async () => {

View File

@ -9,17 +9,20 @@ import { Loader } from '../plugins/admin/components/Loader';
export const ServerStats = () => {
const [stats, setStats] = useState<ServerStat | null>(null);
const [isLoading, setIsLoading] = useState(true);
const [isLoading, setIsLoading] = useState(false);
const styles = useStyles2(getStyles);
useEffect(() => {
getServerStats().then((stats) => {
setStats(stats);
setIsLoading(false);
});
if (contextSrv.hasAccess(AccessControlAction.ActionServerStatsRead, contextSrv.isGrafanaAdmin)) {
setIsLoading(true);
getServerStats().then((stats) => {
setStats(stats);
setIsLoading(false);
});
}
}, []);
if (!contextSrv.hasPermission(AccessControlAction.ActionServerStatsRead)) {
if (!contextSrv.hasAccess(AccessControlAction.ActionServerStatsRead, contextSrv.isGrafanaAdmin)) {
return null;
}

View File

@ -139,10 +139,9 @@ export function getAppRoutes(): RouteDescriptor[] {
path: '/explore',
pageClass: 'page-explore',
roles: () =>
evaluatePermission(
() => (config.viewersCanEdit ? [] : ['Editor', 'Admin']),
AccessControlAction.DataSourcesExplore
),
contextSrv.evaluatePermission(() => (config.viewersCanEdit ? [] : ['Editor', 'Admin']), [
AccessControlAction.DataSourcesExplore,
]),
component: SafeDynamicImport(() => import(/* webpackChunkName: "explore" */ 'app/features/explore/Wrapper')),
},
{
@ -526,16 +525,3 @@ export function getAppRoutes(): RouteDescriptor[] {
// ...playlistRoutes,
];
}
// evaluates access control permission, using fallback if access control is disabled
const evaluatePermission = (fallback: () => string[], action: AccessControlAction): string[] => {
if (!config.featureToggles['accesscontrol']) {
return fallback();
}
if (contextSrv.hasPermission(action)) {
return [];
} else {
// Hack to reject when user does not have permission
return ['Reject'];
}
};