IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Apply plugin route ReqAction to ds_proxy authorization (#86466)

Browse Source 
* Apply plugin route ReqAction to ds_proxy authorization

Co-authored-by: Eric Leijonmarck <eleijonmarck@users.noreply.github.com>

* fix: move ds_proxy route Evaluator out of plugins pkg

* move DataSourceProxy route authorization to method

---------

Co-authored-by: Eric Leijonmarck <eleijonmarck@users.noreply.github.com>
This commit is contained in:
Aaron Godin 2024-04-30 09:19:34 -05:00 committed by GitHub
parent 5c89b8fe12
commit 53f94ac50d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 20 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
pkg/api/pluginproxy/ds_proxy.go
View File

@ -19,6 +19,7 @@ import (
glog "github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/infra/tracing"
"github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/services/accesscontrol"
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
"github.com/grafana/grafana/pkg/services/datasources"
"github.com/grafana/grafana/pkg/services/featuremgmt"
@ -304,10 +305,8 @@ func (proxy *DataSourceProxy) validateRequest() error {
continue
}
if route.ReqRole.IsValid() {
if !proxy.ctx.HasUserRole(route.ReqRole) {
return errors.New("plugin proxy route access denied")
}
if !proxy.hasAccessToRoute(route) {
return errors.New("plugin proxy route access denied")
}
proxy.matchedRoute = route
@ -330,6 +329,22 @@ func (proxy *DataSourceProxy) validateRequest() error {
return nil
}
func (proxy *DataSourceProxy) hasAccessToRoute(route *plugins.Route) bool {
useRBAC := proxy.features.IsEnabled(proxy.ctx.Req.Context(), featuremgmt.FlagAccessControlOnCall) && route.ReqAction != ""
if useRBAC {
routeEval := accesscontrol.EvalPermission(route.ReqAction)
ok := routeEval.Evaluate(proxy.ctx.GetPermissions())
if !ok {
proxy.ctx.Logger.Debug("plugin route is covered by RBAC, user doesn't have access", "route", proxy.ctx.Req.URL.Path)
}
return ok
}
if route.ReqRole.IsValid() {
return proxy.ctx.HasUserRole(route.ReqRole)
}
return true
}
func (proxy *DataSourceProxy) logRequest() {
if !proxy.cfg.DataProxyLogging {
return

2
pkg/api/pluginproxy/pluginproxy.go
View File

@ -122,7 +122,7 @@ func (proxy *PluginProxy) HandleRequest() {
}
func (proxy *PluginProxy) hasAccessToRoute(route *plugins.Route) bool {
useRBAC := proxy.features.IsEnabled(proxy.ctx.Req.Context(), featuremgmt.FlagAccessControlOnCall) && route.RequiresRBACAction()
useRBAC := proxy.features.IsEnabled(proxy.ctx.Req.Context(), featuremgmt.FlagAccessControlOnCall) && route.ReqAction != ""
if useRBAC {
hasAccess := ac.HasAccess(proxy.accessControl, proxy.ctx)(ac.EvalPermission(route.ReqAction))
if !hasAccess {

4
pkg/plugins/plugins.go
View File

@ -204,10 +204,6 @@ type Route struct {
Body json.RawMessage `json:"body"`
}
func (r *Route) RequiresRBACAction() bool {
return r.ReqAction != ""
}
// Header describes an HTTP header that is forwarded with
// the proxied request for a plugin route
type Header struct {