AccessControl: frontend changes for adding FGAC to licensing (#39484)

* refactor licenseURL function to use context and export permission evaluation fction

* remove provisioning file

* refactor licenseURL to take in a bool to avoid circular dependencies

* remove function for appending nav link, as it was only used once and move the function to create admin node

* better argument names

* create a function for permission checking

* extend permission checking when displaying server stats

* enable the use of enterprise access control actions when evaluating permissions

* import ordering

* move licensing FGAC action definitions to models package to allow access from oss

* move evaluatePermissions for routes to context serve

* change permission evaluator to take in more permissions

* move licensing FGAC actions again to appease wire

* avoid index out of bounds issue in case no children are passed in when creating server admin node

* simplify syntax for permission checking

Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>

* update loading state for server stats

* linting

* more linting

* fix test

* fix a frontend test

* update "licensing.reports:read" action naming

* UI doesn't allow reading only licensing reports and not the rest of licensing info

Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
This commit is contained in:
Ieva 2021-10-05 14:54:26 +01:00 committed by GitHub
parent f384288183
commit 52220b2470
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 92 additions and 57 deletions

View File

@ -4,16 +4,15 @@ import (
"errors" "errors"
"strconv" "strconv"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/tsdb/grafanads"
"github.com/grafana/grafana/pkg/components/simplejson"
"github.com/grafana/grafana/pkg/util"
"github.com/grafana/grafana/pkg/bus" "github.com/grafana/grafana/pkg/bus"
"github.com/grafana/grafana/pkg/components/simplejson"
"github.com/grafana/grafana/pkg/infra/log" "github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/plugins" "github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/setting" "github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/tsdb/grafanads"
"github.com/grafana/grafana/pkg/util"
) )
func (hs *HTTPServer) getFSDataSources(c *models.ReqContext, enabledPlugins *plugins.EnabledPlugins) (map[string]interface{}, error) { func (hs *HTTPServer) getFSDataSources(c *models.ReqContext, enabledPlugins *plugins.EnabledPlugins) (map[string]interface{}, error) {
@ -196,6 +195,8 @@ func (hs *HTTPServer) getFrontendSettingsMap(c *models.ReqContext) (map[string]i
buildstamp = 0 buildstamp = 0
} }
hasAccess := accesscontrol.HasAccess(hs.AccessControl, c)
jsonObj := map[string]interface{}{ jsonObj := map[string]interface{}{
"defaultDatasource": defaultDS, "defaultDatasource": defaultDS,
"datasources": dataSources, "datasources": dataSources,
@ -247,7 +248,7 @@ func (hs *HTTPServer) getFrontendSettingsMap(c *models.ReqContext) (map[string]i
"hasValidLicense": hs.License.HasValidLicense(), "hasValidLicense": hs.License.HasValidLicense(),
"expiry": hs.License.Expiry(), "expiry": hs.License.Expiry(),
"stateInfo": hs.License.StateInfo(), "stateInfo": hs.License.StateInfo(),
"licenseUrl": hs.License.LicenseURL(c.SignedInUser), "licenseUrl": hs.License.LicenseURL(hasAccess(accesscontrol.ReqGrafanaAdmin, accesscontrol.LicensingPageReaderAccess)),
"edition": hs.License.Edition(), "edition": hs.License.Edition(),
}, },
"featureToggles": hs.Cfg.FeatureToggles, "featureToggles": hs.Cfg.FeatureToggles,

View File

@ -8,19 +8,15 @@ import (
"testing" "testing"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"github.com/grafana/grafana/pkg/plugins/manager"
"github.com/grafana/grafana/pkg/services/rendering"
"github.com/grafana/grafana/pkg/services/licensing"
"github.com/grafana/grafana/pkg/bus"
"github.com/grafana/grafana/pkg/services/sqlstore"
"gopkg.in/macaron.v1" "gopkg.in/macaron.v1"
"github.com/grafana/grafana/pkg/bus"
"github.com/grafana/grafana/pkg/plugins/manager"
accesscontrolmock "github.com/grafana/grafana/pkg/services/accesscontrol/mock"
"github.com/grafana/grafana/pkg/services/licensing"
"github.com/grafana/grafana/pkg/services/rendering"
"github.com/grafana/grafana/pkg/services/sqlstore"
"github.com/grafana/grafana/pkg/setting" "github.com/grafana/grafana/pkg/setting"
) )
@ -54,6 +50,7 @@ func setupTestEnvironment(t *testing.T, cfg *setting.Cfg) (*macaron.Macaron, *HT
RenderService: r, RenderService: r,
SQLStore: sqlStore, SQLStore: sqlStore,
PluginManager: pm, PluginManager: pm,
AccessControl: accesscontrolmock.New().WithDisabled(),
} }
m := macaron.New() m := macaron.New()

View File

@ -6,6 +6,7 @@ import (
"strings" "strings"
"github.com/grafana/grafana/pkg/api/dtos" "github.com/grafana/grafana/pkg/api/dtos"
"github.com/grafana/grafana/pkg/api/navlinks"
"github.com/grafana/grafana/pkg/bus" "github.com/grafana/grafana/pkg/bus"
"github.com/grafana/grafana/pkg/models" "github.com/grafana/grafana/pkg/models"
ac "github.com/grafana/grafana/pkg/services/accesscontrol" ac "github.com/grafana/grafana/pkg/services/accesscontrol"
@ -347,16 +348,8 @@ func (hs *HTTPServer) getNavTree(c *models.ReqContext, hasEditPerm bool) ([]*dto
adminNavLinks := hs.buildAdminNavLinks(c) adminNavLinks := hs.buildAdminNavLinks(c)
if len(adminNavLinks) > 0 { if len(adminNavLinks) > 0 {
navTree = append(navTree, &dtos.NavLink{ serverAdminNode := navlinks.GetServerAdminNode(adminNavLinks)
Text: "Server Admin", navTree = append(navTree, serverAdminNode)
SubTitle: "Manage all users and orgs",
HideFromTabs: true,
Id: "admin",
Icon: "shield",
Url: adminNavLinks[0].Url,
SortWeight: dtos.WeightAdmin,
Children: adminNavLinks,
})
} }
helpVersion := fmt.Sprintf(`%s v%s (%s)`, setting.ApplicationName, setting.BuildVersion, setting.BuildCommit) helpVersion := fmt.Sprintf(`%s v%s (%s)`, setting.ApplicationName, setting.BuildVersion, setting.BuildCommit)

View File

@ -0,0 +1,20 @@
package navlinks
import "github.com/grafana/grafana/pkg/api/dtos"
func GetServerAdminNode(children []*dtos.NavLink) *dtos.NavLink {
url := ""
if len(children) > 0 {
url = children[0].Url
}
return &dtos.NavLink{
Text: "Server Admin",
SubTitle: "Manage all users and orgs",
HideFromTabs: true,
Id: "admin",
Icon: "shield",
Url: url,
SortWeight: dtos.WeightAdmin,
Children: children,
}
}

View File

@ -16,7 +16,7 @@ type Licensing interface {
// Used to build content delivery URL // Used to build content delivery URL
ContentDeliveryPrefix() string ContentDeliveryPrefix() string
LicenseURL(user *SignedInUser) string LicenseURL(showAdminLicensingPage bool) string
StateInfo() string StateInfo() string
} }

View File

@ -13,7 +13,6 @@ import (
"github.com/grafana/grafana-aws-sdk/pkg/awsds" "github.com/grafana/grafana-aws-sdk/pkg/awsds"
"github.com/grafana/grafana-plugin-sdk-go/backend" "github.com/grafana/grafana-plugin-sdk-go/backend"
"github.com/grafana/grafana/pkg/infra/log" "github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/plugins/backendplugin" "github.com/grafana/grafana/pkg/plugins/backendplugin"
"github.com/grafana/grafana/pkg/setting" "github.com/grafana/grafana/pkg/setting"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
@ -493,7 +492,7 @@ func (t *testLicensingService) ContentDeliveryPrefix() string {
return "" return ""
} }
func (t *testLicensingService) LicenseURL(user *models.SignedInUser) string { func (t *testLicensingService) LicenseURL(showAdminLicensingPage bool) string {
return "" return ""
} }

View File

@ -197,8 +197,20 @@ const (
// Settings scope // Settings scope
ScopeSettingsAll = "settings:*" ScopeSettingsAll = "settings:*"
// Licensing related actions
ActionLicensingRead = "licensing:read"
ActionLicensingUpdate = "licensing:update"
ActionLicensingDelete = "licensing:delete"
ActionLicensingReportsRead = "licensing.reports:read"
) )
const RoleGrafanaAdmin = "Grafana Admin" const RoleGrafanaAdmin = "Grafana Admin"
const FixedRolePrefix = "fixed:" const FixedRolePrefix = "fixed:"
// LicensingPageReaderAccess defines permissions that grant access to the licensing and stats page
var LicensingPageReaderAccess = EvalAny(
EvalPermission(ActionLicensingRead),
EvalPermission(ActionServerStatsRead),
)

View File

@ -36,8 +36,8 @@ func (*OSSLicensingService) ContentDeliveryPrefix() string {
return "grafana-oss" return "grafana-oss"
} }
func (l *OSSLicensingService) LicenseURL(user *models.SignedInUser) string { func (l *OSSLicensingService) LicenseURL(showAdminLicensingPage bool) string {
if user.IsGrafanaAdmin { if showAdminLicensingPage {
return l.Cfg.AppSubURL + "/admin/upgrading" return l.Cfg.AppSubURL + "/admin/upgrading"
} }
@ -59,7 +59,7 @@ func ProvideService(cfg *setting.Cfg, hooksService *hooks.HooksService) *OSSLice
node.Children = append(node.Children, &dtos.NavLink{ node.Children = append(node.Children, &dtos.NavLink{
Text: "Stats and license", Text: "Stats and license",
Id: "upgrading", Id: "upgrading",
Url: l.LicenseURL(req.SignedInUser), Url: l.LicenseURL(req.IsGrafanaAdmin),
Icon: "unlock", Icon: "unlock",
}) })
} }

View File

@ -89,7 +89,7 @@ export class ContextSrv {
} }
isGrafanaVisible() { isGrafanaVisible() {
return !!(document.visibilityState === undefined || document.visibilityState === 'visible'); return document.visibilityState === undefined || document.visibilityState === 'visible';
} }
// checks whether the passed interval is longer than the configured minimum refresh rate // checks whether the passed interval is longer than the configured minimum refresh rate
@ -113,6 +113,25 @@ export class ContextSrv {
} }
return (this.isEditor || config.viewersCanEdit) && config.exploreEnabled; return (this.isEditor || config.viewersCanEdit) && config.exploreEnabled;
} }
hasAccess(action: string, fallBack: boolean) {
if (!config.featureToggles['accesscontrol']) {
return fallBack;
}
return this.hasPermission(action);
}
// evaluates access control permissions, granting access if the user has any of them; uses fallback if access control is disabled
evaluatePermission(fallback: () => string[], actions: string[]) {
if (!config.featureToggles['accesscontrol']) {
return fallback();
}
if (actions.some((action) => this.hasPermission(action))) {
return [];
}
// Hack to reject when user does not have permission
return ['Reject'];
}
} }
let contextSrv = new ContextSrv(); let contextSrv = new ContextSrv();

View File

@ -26,6 +26,11 @@ const stats: ServerStat = {
jest.mock('./state/apis', () => ({ jest.mock('./state/apis', () => ({
getServerStats: async () => stats, getServerStats: async () => stats,
})); }));
jest.mock('../../core/services/context_srv', () => ({
contextSrv: {
hasAccess: () => true,
},
}));
describe('ServerStats', () => { describe('ServerStats', () => {
it('Should render page with stats', async () => { it('Should render page with stats', async () => {

View File

@ -9,17 +9,20 @@ import { Loader } from '../plugins/admin/components/Loader';
export const ServerStats = () => { export const ServerStats = () => {
const [stats, setStats] = useState<ServerStat | null>(null); const [stats, setStats] = useState<ServerStat | null>(null);
const [isLoading, setIsLoading] = useState(true); const [isLoading, setIsLoading] = useState(false);
const styles = useStyles2(getStyles); const styles = useStyles2(getStyles);
useEffect(() => { useEffect(() => {
getServerStats().then((stats) => { if (contextSrv.hasAccess(AccessControlAction.ActionServerStatsRead, contextSrv.isGrafanaAdmin)) {
setStats(stats); setIsLoading(true);
setIsLoading(false); getServerStats().then((stats) => {
}); setStats(stats);
setIsLoading(false);
});
}
}, []); }, []);
if (!contextSrv.hasPermission(AccessControlAction.ActionServerStatsRead)) { if (!contextSrv.hasAccess(AccessControlAction.ActionServerStatsRead, contextSrv.isGrafanaAdmin)) {
return null; return null;
} }

View File

@ -139,10 +139,9 @@ export function getAppRoutes(): RouteDescriptor[] {
path: '/explore', path: '/explore',
pageClass: 'page-explore', pageClass: 'page-explore',
roles: () => roles: () =>
evaluatePermission( contextSrv.evaluatePermission(() => (config.viewersCanEdit ? [] : ['Editor', 'Admin']), [
() => (config.viewersCanEdit ? [] : ['Editor', 'Admin']), AccessControlAction.DataSourcesExplore,
AccessControlAction.DataSourcesExplore ]),
),
component: SafeDynamicImport(() => import(/* webpackChunkName: "explore" */ 'app/features/explore/Wrapper')), component: SafeDynamicImport(() => import(/* webpackChunkName: "explore" */ 'app/features/explore/Wrapper')),
}, },
{ {
@ -526,16 +525,3 @@ export function getAppRoutes(): RouteDescriptor[] {
// ...playlistRoutes, // ...playlistRoutes,
]; ];
} }
// evaluates access control permission, using fallback if access control is disabled
const evaluatePermission = (fallback: () => string[], action: AccessControlAction): string[] => {
if (!config.featureToggles['accesscontrol']) {
return fallback();
}
if (contextSrv.hasPermission(action)) {
return [];
} else {
// Hack to reject when user does not have permission
return ['Reject'];
}
};