IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

AccessControl: Resolve attribute based scopes to id based scopes (#40742)

Browse Source 
* AccessControl: POC scope attribute resolution

Refactor based on ScopeMutators

test errors and calls to cache

Add comments to tests

Rename logger

Create keywordMutator only once

* AccessControl: Add AttributeScopeResolver registration

Co-authored-by: gamab <gabriel.mabille@grafana.com>

* AccessControl: Add AttributeScopeResolver to datasources

Co-authored-by: gamab <gabriel.mabille@grafana.com>

* Test evaluation with translation

* fix imports

* AccessControl: Test attribute resolver

* Fix trailing white space

* Make ScopeResolver public for enterprise redefine

* Handle wildcard

Co-authored-by: Jguer <joao.guerreiro@grafana.com>

Co-authored-by: jguer <joao.guerreiro@grafana.com>
This commit is contained in:
Gabriel MABILLE 2022-01-18 17:34:35 +01:00 committed by GitHub
parent 7a622422a9
commit 54280fc9d7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 548 additions and 110 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
pkg/api/pluginproxy/ds_proxy_test.go
View File

@ -18,6 +18,7 @@ import (
"github.com/grafana/grafana/pkg/infra/httpclient"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/plugins"
acmock "github.com/grafana/grafana/pkg/services/accesscontrol/mock"
"github.com/grafana/grafana/pkg/services/datasources"
"github.com/grafana/grafana/pkg/services/oauthtoken"
"github.com/grafana/grafana/pkg/services/secrets"
@ -125,7 +126,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
t.Run("When matching route path", func(t *testing.T) {
ctx, req := setUp()
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
proxy, err := NewDataSourceProxy(ds, routes, ctx, "api/v4/some/method", cfg, httpClientProvider,
&oauthtoken.Service{}, dsService)
require.NoError(t, err)
@ -138,7 +139,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
t.Run("When matching route path and has dynamic url", func(t *testing.T) {
ctx, req := setUp()
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
proxy, err := NewDataSourceProxy(ds, routes, ctx, "api/common/some/method", cfg, httpClientProvider, &oauthtoken.Service{}, dsService)
require.NoError(t, err)
proxy.matchedRoute = routes[3]
@ -150,7 +151,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
t.Run("When matching route path with no url", func(t *testing.T) {
ctx, req := setUp()
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
proxy, err := NewDataSourceProxy(ds, routes, ctx, "", cfg, httpClientProvider, &oauthtoken.Service{}, dsService)
require.NoError(t, err)
proxy.matchedRoute = routes[4]
@ -161,7 +162,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
t.Run("When matching route path and has dynamic body", func(t *testing.T) {
ctx, req := setUp()
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
proxy, err := NewDataSourceProxy(ds, routes, ctx, "api/body", cfg, httpClientProvider, &oauthtoken.Service{}, dsService)
require.NoError(t, err)
proxy.matchedRoute = routes[5]
@ -175,7 +176,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
t.Run("Validating request", func(t *testing.T) {
t.Run("plugin route with valid role", func(t *testing.T) {
ctx, _ := setUp()
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
proxy, err := NewDataSourceProxy(ds, routes, ctx, "api/v4/some/method", cfg, httpClientProvider, &oauthtoken.Service{}, dsService)
require.NoError(t, err)
err = proxy.validateRequest()
@ -184,7 +185,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
t.Run("plugin route with admin role and user is editor", func(t *testing.T) {
ctx, _ := setUp()
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
proxy, err := NewDataSourceProxy(ds, routes, ctx, "api/admin", cfg, httpClientProvider, &oauthtoken.Service{}, dsService)
require.NoError(t, err)
err = proxy.validateRequest()
@ -194,7 +195,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
t.Run("plugin route with admin role and user is admin", func(t *testing.T) {
ctx, _ := setUp()
ctx.SignedInUser.OrgRole = models.ROLE_ADMIN
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
proxy, err := NewDataSourceProxy(ds, routes, ctx, "api/admin", cfg, httpClientProvider, &oauthtoken.Service{}, dsService)
require.NoError(t, err)
err = proxy.validateRequest()
@ -285,7 +286,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
},
}
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
proxy, err := NewDataSourceProxy(ds, routes, ctx, "pathwithtoken1", cfg, httpClientProvider, &oauthtoken.Service{}, dsService)
require.NoError(t, err)
ApplyRoute(proxy.ctx.Req.Context(), req, proxy.proxyPath, routes[0], dsInfo, cfg)
@ -301,7 +302,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
req, err := http.NewRequest("GET", "http://localhost/asd", nil)
require.NoError(t, err)
client = newFakeHTTPClient(t, json2)
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
proxy, err := NewDataSourceProxy(ds, routes, ctx, "pathwithtoken2", cfg, httpClientProvider, &oauthtoken.Service{}, dsService)
require.NoError(t, err)
ApplyRoute(proxy.ctx.Req.Context(), req, proxy.proxyPath, routes[1], dsInfo, cfg)
@ -318,7 +319,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
require.NoError(t, err)
client = newFakeHTTPClient(t, []byte{})
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
proxy, err := NewDataSourceProxy(ds, routes, ctx, "pathwithtoken1", cfg, httpClientProvider, &oauthtoken.Service{}, dsService)
require.NoError(t, err)
ApplyRoute(proxy.ctx.Req.Context(), req, proxy.proxyPath, routes[0], dsInfo, cfg)
@ -340,7 +341,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
ctx := &models.ReqContext{}
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
proxy, err := NewDataSourceProxy(ds, routes, ctx, "/render", &setting.Cfg{BuildVersion: "5.3.0"}, httpClientProvider, &oauthtoken.Service{}, dsService)
require.NoError(t, err)
req, err := http.NewRequest(http.MethodGet, "http://grafana.com/sub", nil)
@ -366,7 +367,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
ctx := &models.ReqContext{}
var routes []*plugins.Route
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
proxy, err := NewDataSourceProxy(ds, routes, ctx, "", &setting.Cfg{}, httpClientProvider, &oauthtoken.Service{}, dsService)
require.NoError(t, err)
@ -390,7 +391,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
ctx := &models.ReqContext{}
var routes []*plugins.Route
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
proxy, err := NewDataSourceProxy(ds, routes, ctx, "", &setting.Cfg{}, httpClientProvider, &oauthtoken.Service{}, dsService)
require.NoError(t, err)
@ -418,7 +419,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
ctx := &models.ReqContext{}
var pluginRoutes []*plugins.Route
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
proxy, err := NewDataSourceProxy(ds, pluginRoutes, ctx, "", &setting.Cfg{}, httpClientProvider, &oauthtoken.Service{}, dsService)
require.NoError(t, err)
@ -441,7 +442,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
ctx := &models.ReqContext{}
var routes []*plugins.Route
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
proxy, err := NewDataSourceProxy(ds, routes, ctx, "/path/to/folder/", &setting.Cfg{}, httpClientProvider, &oauthtoken.Service{}, dsService)
require.NoError(t, err)
req, err := http.NewRequest(http.MethodGet, "http://grafana.com/sub", nil)
@ -505,7 +506,7 @@ func TestDataSourceProxy_routeRule(t *testing.T) {
var routes []*plugins.Route
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
proxy, err := NewDataSourceProxy(ds, routes, ctx, "/path/to/folder/", &setting.Cfg{}, httpClientProvider, &mockAuthToken, dsService)
require.NoError(t, err)
req, err = http.NewRequest(http.MethodGet, "http://grafana.com/sub", nil)
@ -635,7 +636,7 @@ func TestDataSourceProxy_requestHandling(t *testing.T) {
ctx, ds := setUp(t)
var routes []*plugins.Route
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
proxy, err := NewDataSourceProxy(ds, routes, ctx, "/render", &setting.Cfg{}, httpClientProvider, &oauthtoken.Service{}, dsService)
require.NoError(t, err)
@ -653,7 +654,7 @@ func TestDataSourceProxy_requestHandling(t *testing.T) {
})
var routes []*plugins.Route
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
proxy, err := NewDataSourceProxy(ds, routes, ctx, "/render", &setting.Cfg{}, httpClientProvider, &oauthtoken.Service{}, dsService)
require.NoError(t, err)
@ -675,7 +676,7 @@ func TestDataSourceProxy_requestHandling(t *testing.T) {
})
var routes []*plugins.Route
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
proxy, err := NewDataSourceProxy(ds, routes, ctx, "/render", &setting.Cfg{}, httpClientProvider, &oauthtoken.Service{}, dsService)
require.NoError(t, err)
@ -700,7 +701,7 @@ func TestDataSourceProxy_requestHandling(t *testing.T) {
ctx.Req = httptest.NewRequest("GET", "/api/datasources/proxy/1/path/%2Ftest%2Ftest%2F?query=%2Ftest%2Ftest%2F", nil)
var routes []*plugins.Route
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
proxy, err := NewDataSourceProxy(ds, routes, ctx, "/path/%2Ftest%2Ftest%2F", &setting.Cfg{}, httpClientProvider, &oauthtoken.Service{}, dsService)
require.NoError(t, err)
@ -724,7 +725,7 @@ func TestNewDataSourceProxy_InvalidURL(t *testing.T) {
cfg := setting.Cfg{}
var routes []*plugins.Route
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
_, err := NewDataSourceProxy(&ds, routes, &ctx, "api/method", &cfg, httpclient.NewProvider(), &oauthtoken.Service{}, dsService)
require.Error(t, err)
assert.True(t, strings.HasPrefix(err.Error(), `validation of data source URL "://host/root" failed`))
@ -743,7 +744,7 @@ func TestNewDataSourceProxy_ProtocolLessURL(t *testing.T) {
var routes []*plugins.Route
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
_, err := NewDataSourceProxy(&ds, routes, &ctx, "api/method", &cfg, httpclient.NewProvider(), &oauthtoken.Service{}, dsService)
require.NoError(t, err)
@ -783,7 +784,7 @@ func TestNewDataSourceProxy_MSSQL(t *testing.T) {
var routes []*plugins.Route
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
p, err := NewDataSourceProxy(&ds, routes, &ctx, "api/method", &cfg, httpclient.NewProvider(), &oauthtoken.Service{}, dsService)
if tc.err == nil {
require.NoError(t, err)
@ -808,7 +809,7 @@ func getDatasourceProxiedRequest(t *testing.T, ctx *models.ReqContext, cfg *sett
var routes []*plugins.Route
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
proxy, err := NewDataSourceProxy(ds, routes, ctx, "", cfg, httpclient.NewProvider(), &oauthtoken.Service{}, dsService)
require.NoError(t, err)
req, err := http.NewRequest(http.MethodGet, "http://grafana.com/sub", nil)
@ -928,7 +929,7 @@ func createAuthTest(t *testing.T, secretsService secrets.Service, dsType string,
func runDatasourceAuthTest(t *testing.T, secretsService secrets.Service, test *testCase) {
ctx := &models.ReqContext{}
var routes []*plugins.Route
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
proxy, err := NewDataSourceProxy(test.datasource, routes, ctx, "", &setting.Cfg{}, httpclient.NewProvider(), &oauthtoken.Service{}, dsService)
require.NoError(t, err)
@ -968,7 +969,7 @@ func Test_PathCheck(t *testing.T) {
}
ctx, _ := setUp()
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
proxy, err := NewDataSourceProxy(&models.DataSource{}, routes, ctx, "b", &setting.Cfg{}, httpclient.NewProvider(), &oauthtoken.Service{}, dsService)
require.NoError(t, err)

6
pkg/services/accesscontrol/accesscontrol.go
View File

@ -20,9 +20,13 @@ type AccessControl interface {
//IsDisabled returns if access control is enabled or not
IsDisabled() bool
// DeclareFixedRoles allow the caller to declare, to the service, fixed roles and their
// DeclareFixedRoles allows the caller to declare, to the service, fixed roles and their
// assignments to organization roles ("Viewer", "Editor", "Admin") or "Grafana Admin"
DeclareFixedRoles(...RoleRegistration) error
// RegisterAttributeScopeResolver allows the caller to register a scope resolver for a
// specific scope prefix (ex: datasources:name:)
RegisterAttributeScopeResolver(scopePrefix string, resolver AttributeScopeResolveFunc)
}
type PermissionsProvider interface {

1
pkg/services/accesscontrol/errors.go
View File

@ -5,4 +5,5 @@ import "errors"
var (
ErrFixedRolePrefixMissing = errors.New("fixed role should be prefixed with '" + FixedRolePrefix + "'")
ErrInvalidBuiltinRole = errors.New("built-in role is not valid")
ErrInvalidScope = errors.New("invalid scope")
)

49
pkg/services/accesscontrol/evaluator.go
View File

@ -1,9 +1,8 @@
package accesscontrol
import (
"bytes"
"context"
"fmt"
"html/template"
"strings"
"github.com/grafana/grafana/pkg/infra/log"
@ -14,8 +13,8 @@ var logger = log.New("accesscontrol.evaluator")
type Evaluator interface {
// Evaluate permissions that are grouped by action
Evaluate(permissions map[string][]string) (bool, error)
// Inject params into the evaluator's templated scopes. e.g. "settings:" + eval.Parameters(":id") and returns a new Evaluator
Inject(params ScopeParams) (Evaluator, error)
// MutateScopes executes a sequence of ScopeModifier functions on all embedded scopes of an evaluator and returns a new Evaluator
MutateScopes(context.Context, ...ScopeMutator) (Evaluator, error)
// String returns a string representation of permission required by the evaluator
String() string
}
@ -89,18 +88,22 @@ func match(scope, target string) (bool, error) {
return scope == target, nil
}
func (p permissionEvaluator) Inject(params ScopeParams) (Evaluator, error) {
func (p permissionEvaluator) MutateScopes(ctx context.Context, modifiers ...ScopeMutator) (Evaluator, error) {
var err error
if p.Scopes == nil {
return EvalPermission(p.Action), nil
}
scopes := make([]string, 0, len(p.Scopes))
for _, scope := range p.Scopes {
tmpl, err := template.New("scope").Parse(scope)
if err != nil {
return nil, err
modified := scope
for _, modifier := range modifiers {
modified, err = modifier(ctx, modified)
if err != nil {
return nil, err
}
}
var buf bytes.Buffer
if err = tmpl.Execute(&buf, params); err != nil {
return nil, err
}
scopes = append(scopes, buf.String())
scopes = append(scopes, modified)
}
return EvalPermission(p.Action, scopes...), nil
}
@ -129,16 +132,16 @@ func (a allEvaluator) Evaluate(permissions map[string][]string) (bool, error) {
return true, nil
}
func (a allEvaluator) Inject(params ScopeParams) (Evaluator, error) {
var injected []Evaluator
func (a allEvaluator) MutateScopes(ctx context.Context, modifiers ...ScopeMutator) (Evaluator, error) {
var modified []Evaluator
for _, e := range a.allOf {
i, err := e.Inject(params)
i, err := e.MutateScopes(ctx, modifiers...)
if err != nil {
return nil, err
}
injected = append(injected, i)
modified = append(modified, i)
}
return EvalAll(injected...), nil
return EvalAll(modified...), nil
}
func (a allEvaluator) String() string {
@ -173,16 +176,16 @@ func (a anyEvaluator) Evaluate(permissions map[string][]string) (bool, error) {
return false, nil
}
func (a anyEvaluator) Inject(params ScopeParams) (Evaluator, error) {
var injected []Evaluator
func (a anyEvaluator) MutateScopes(ctx context.Context, modifiers ...ScopeMutator) (Evaluator, error) {
var modified []Evaluator
for _, e := range a.anyOf {
i, err := e.Inject(params)
i, err := e.MutateScopes(ctx, modifiers...)
if err != nil {
return nil, err
}
injected = append(injected, i)
modified = append(modified, i)
}
return EvalAny(injected...), nil
return EvalAny(modified...), nil
}
func (a anyEvaluator) String() string {

7
pkg/services/accesscontrol/evaluator_test.go
View File

@ -1,6 +1,7 @@
package accesscontrol
import (
"context"
"testing"
"github.com/stretchr/testify/assert"
@ -120,7 +121,7 @@ func TestPermission_Inject(t *testing.T) {
for _, test := range tests {
t.Run(test.desc, func(t *testing.T) {
injected, err := test.evaluator.Inject(test.params)
injected, err := test.evaluator.MutateScopes(context.TODO(), ScopeInjector(test.params))
assert.NoError(t, err)
ok, err := injected.Evaluate(test.permissions)
assert.NoError(t, err)
@ -233,7 +234,7 @@ func TestAll_Inject(t *testing.T) {
for _, test := range tests {
t.Run(test.desc, func(t *testing.T) {
injected, err := test.evaluator.Inject(test.params)
injected, err := test.evaluator.MutateScopes(context.TODO(), ScopeInjector(test.params))
assert.NoError(t, err)
ok, err := injected.Evaluate(test.permissions)
assert.NoError(t, err)
@ -344,7 +345,7 @@ func TestAny_Inject(t *testing.T) {
for _, test := range tests {
t.Run(test.desc, func(t *testing.T) {
injected, err := test.evaluator.Inject(test.params)
injected, err := test.evaluator.MutateScopes(context.TODO(), ScopeInjector(test.params))
assert.NoError(t, err)
ok, err := injected.Evaluate(test.permissions)
assert.NoError(t, err)

2
pkg/services/accesscontrol/middleware/middleware.go
View File

@ -15,7 +15,7 @@ import (
)
func authorize(c *models.ReqContext, ac accesscontrol.AccessControl, user *models.SignedInUser, evaluator accesscontrol.Evaluator) {
injected, err := evaluator.Inject(buildScopeParams(c))
injected, err := evaluator.MutateScopes(c.Req.Context(), accesscontrol.ScopeInjector(buildScopeParams(c)))
if err != nil {
c.JsonApiErr(http.StatusInternalServerError, "Internal server error", err)
return

40
pkg/services/accesscontrol/mock/mock.go
View File

@ -14,13 +14,14 @@ type fullAccessControl interface {
}
type Calls struct {
Evaluate []interface{}
GetUserPermissions []interface{}
GetUserRoles []interface{}
IsDisabled []interface{}
DeclareFixedRoles []interface{}
GetUserBuiltInRoles []interface{}
RegisterFixedRoles []interface{}
Evaluate []interface{}
GetUserPermissions []interface{}
GetUserRoles []interface{}
IsDisabled []interface{}
DeclareFixedRoles []interface{}
GetUserBuiltInRoles []interface{}
RegisterFixedRoles []interface{}
RegisterAttributeScopeResolver []interface{}
}
type Mock struct {
@ -37,13 +38,14 @@ type Mock struct {
Calls Calls
// Override functions
EvaluateFunc func(context.Context, *models.SignedInUser, accesscontrol.Evaluator) (bool, error)
GetUserPermissionsFunc func(context.Context, *models.SignedInUser) ([]*accesscontrol.Permission, error)
GetUserRolesFunc func(context.Context, *models.SignedInUser) ([]*accesscontrol.RoleDTO, error)
IsDisabledFunc func() bool
DeclareFixedRolesFunc func(...accesscontrol.RoleRegistration) error
GetUserBuiltInRolesFunc func(user *models.SignedInUser) []string
RegisterFixedRolesFunc func() error
EvaluateFunc func(context.Context, *models.SignedInUser, accesscontrol.Evaluator) (bool, error)
GetUserPermissionsFunc func(context.Context, *models.SignedInUser) ([]*accesscontrol.Permission, error)
GetUserRolesFunc func(context.Context, *models.SignedInUser) ([]*accesscontrol.RoleDTO, error)
IsDisabledFunc func() bool
DeclareFixedRolesFunc func(...accesscontrol.RoleRegistration) error
GetUserBuiltInRolesFunc func(user *models.SignedInUser) []string
RegisterFixedRolesFunc func() error
RegisterAttributeScopeResolverFunc func(string, accesscontrol.AttributeScopeResolveFunc)
}
// Ensure the mock stays in line with the interface
@ -162,3 +164,13 @@ func (m *Mock) RegisterFixedRoles() error {
}
return nil
}
// RegisterAttributeScopeResolver allows the caller to register a scope resolver for a
// specific scope prefix (ex: datasources:name:)
func (m *Mock) RegisterAttributeScopeResolver(scopePrefix string, resolver accesscontrol.AttributeScopeResolveFunc) {
m.Calls.RegisterAttributeScopeResolver = append(m.Calls.RegisterAttributeScopeResolver, []struct{}{})
// Use override if provided
if m.RegisterAttributeScopeResolverFunc != nil {
m.RegisterAttributeScopeResolverFunc(scopePrefix, resolver)
}
}

27
pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go
View File

@ -18,7 +18,7 @@ func ProvideService(cfg *setting.Cfg, usageStats usagestats.Service) *OSSAccessC
Cfg: cfg,
UsageStats: usageStats,
Log: log.New("accesscontrol"),
scopeResolver: accesscontrol.NewScopeResolver(),
ScopeResolver: accesscontrol.NewScopeResolver(),
}
s.registerUsageMetrics()
return s
@ -30,7 +30,7 @@ type OSSAccessControlService struct {
UsageStats usagestats.Service
Log log.Logger
registrations accesscontrol.RegistrationList
scopeResolver accesscontrol.ScopeResolver
ScopeResolver accesscontrol.ScopeResolver
}
func (ac *OSSAccessControlService) IsDisabled() bool {
@ -74,7 +74,12 @@ func (ac *OSSAccessControlService) Evaluate(ctx context.Context, user *models.Si
user.Permissions[user.OrgId] = accesscontrol.GroupScopesByAction(permissions)
}
return evaluator.Evaluate(user.Permissions[user.OrgId])
attributeMutator := ac.ScopeResolver.GetResolveAttributeScopeMutator(user.OrgId)
resolvedEvaluator, err := evaluator.MutateScopes(ctx, attributeMutator)
if err != nil {
return false, err
}
return resolvedEvaluator.Evaluate(user.Permissions[user.OrgId])
}
// GetUserRoles returns user permissions based on built-in roles
@ -87,6 +92,9 @@ func (ac *OSSAccessControlService) GetUserPermissions(ctx context.Context, user
timer := prometheus.NewTimer(metrics.MAccessPermissionsSummary)
defer timer.ObserveDuration()
var err error
keywordMutator := ac.ScopeResolver.GetResolveKeywordScopeMutator(user)
builtinRoles := ac.GetUserBuiltInRoles(user)
permissions := make([]*accesscontrol.Permission, 0)
for _, builtin := range builtinRoles {
@ -96,13 +104,14 @@ func (ac *OSSAccessControlService) GetUserPermissions(ctx context.Context, user
if !exists {
continue
}
for _, p := range role.Permissions {
for i := range role.Permissions {
// if the permission has a keyword in its scope it will be resolved
permission, err := ac.scopeResolver.ResolveKeyword(user, p)
p := (role.Permissions[i])
p.Scope, err = keywordMutator(ctx, p.Scope)
if err != nil {
return nil, err
}
permissions = append(permissions, permission)
permissions = append(permissions, &p)
}
}
}
@ -201,3 +210,9 @@ func (ac *OSSAccessControlService) DeclareFixedRoles(registrations ...accesscont
return nil
}
// RegisterAttributeScopeResolver allows the caller to register scope resolvers for a
// specific scope prefix (ex: datasources:name:)
func (ac *OSSAccessControlService) RegisterAttributeScopeResolver(scopePrefix string, resolver accesscontrol.AttributeScopeResolveFunc) {
ac.ScopeResolver.AddAttributeResolver(scopePrefix, resolver)
}

86
pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol_test.go
View File

@ -26,7 +26,7 @@ func setupTestEnv(t testing.TB) *OSSAccessControlService {
UsageStats: &usagestats.UsageStatsMock{T: t},
Log: log.New("accesscontrol"),
registrations: accesscontrol.RegistrationList{},
scopeResolver: accesscontrol.NewScopeResolver(),
ScopeResolver: accesscontrol.NewScopeResolver(),
}
return ac
}
@ -576,3 +576,87 @@ func TestOSSAccessControlService_GetUserPermissions(t *testing.T) {
})
}
}
func TestOSSAccessControlService_Evaluate(t *testing.T) {
testUser := models.SignedInUser{
UserId: 2,
OrgId: 3,
OrgName: "TestOrg",
OrgRole: models.ROLE_VIEWER,
Login: "testUser",
Name: "Test User",
Email: "testuser@example.org",
}
registration := accesscontrol.RoleRegistration{
Role: accesscontrol.RoleDTO{
Version: 1,
UID: "fixed:test:test",
Name: "fixed:test:test",
Description: "Test role",
Permissions: []accesscontrol.Permission{},
},
Grants: []string{"Viewer"},
}
userLoginScopeSolver := func(ctx context.Context, orgID int64, initialScope string) (string, error) {
if initialScope == "users:login:testUser" {
return "users:id:2", nil
}
return initialScope, nil
}
tests := []struct {
name string
user models.SignedInUser
rawPerm accesscontrol.Permission
evaluator accesscontrol.Evaluator
wantAccess bool
wantErr bool
}{
{
name: "Should translate users:self",
user: testUser,
rawPerm: accesscontrol.Permission{Action: "users:read", Scope: "users:self"},
evaluator: accesscontrol.EvalPermission("users:read", "users:id:2"),
wantAccess: true,
wantErr: false,
},
{
name: "Should translate users:login:testUser",
user: testUser,
rawPerm: accesscontrol.Permission{Action: "users:read", Scope: "users:id:2"},
evaluator: accesscontrol.EvalPermission("users:read", "users:login:testUser"),
wantAccess: true,
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
// Remove any inserted role after the test case has been run
t.Cleanup(func() {
removeRoleHelper(registration.Role.Name)
})
// Setup
ac := setupTestEnv(t)
ac.Cfg.FeatureToggles = map[string]bool{"accesscontrol": true}
ac.RegisterAttributeScopeResolver("users:login:", userLoginScopeSolver)
registration.Role.Permissions = []accesscontrol.Permission{tt.rawPerm}
err := ac.DeclareFixedRoles(registration)
require.NoError(t, err)
err = ac.RegisterFixedRoles()
require.NoError(t, err)
// Test
hasAccess, err := ac.Evaluate(context.TODO(), &tt.user, tt.evaluator)
if tt.wantErr {
assert.Error(t, err)
return
}
assert.NoError(t, err)
assert.Equal(t, tt.wantAccess, hasAccess)
})
}
}

111
pkg/services/accesscontrol/scope.go
View File

@ -1,12 +1,23 @@
package accesscontrol
import (
"bytes"
"context"
"fmt"
"html/template"
"strings"
"time"
"github.com/grafana/grafana/pkg/infra/localcache"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/models"
)
const (
ttl = 30 * time.Second
cleanInterval = 2 * time.Minute
)
func GetResourceScope(resource string, resourceID string) string {
return Scope(resource, "id", resourceID)
}
@ -44,11 +55,17 @@ func Field(key string) string {
return fmt.Sprintf(`{{ .%s }}`, key)
}
// ScopeMutator alters a Scope to return a new modified Scope
type ScopeMutator func(context.Context, string) (string, error)
type KeywordScopeResolveFunc func(*models.SignedInUser) (string, error)
// ScopeResolver contains a map of functions to resolve scope keywords such as `self` or `current` into `id` based scopes
// ScopeResolver is used to resolve scope keywords such as `self` or `current` into `id` based scopes and scope attributes such as `name` or `uid` into `id` based scopes.
type ScopeResolver struct {
keywordResolvers map[string]KeywordScopeResolveFunc
keywordResolvers map[string]KeywordScopeResolveFunc
attributeResolvers map[string]AttributeScopeResolveFunc
cache *localcache.CacheService
log log.Logger
}
func NewScopeResolver() ScopeResolver {
@ -56,21 +73,95 @@ func NewScopeResolver() ScopeResolver {
keywordResolvers: map[string]KeywordScopeResolveFunc{
"users:self": resolveUserSelf,
},
attributeResolvers: map[string]AttributeScopeResolveFunc{},
cache: localcache.New(ttl, cleanInterval),
log: log.New("accesscontrol.scoperesolution"),
}
}
func (s *ScopeResolver) AddKeywordResolver(keyword string, fn KeywordScopeResolveFunc) {
s.log.Debug("adding keyword resolution for '%v'", keyword)
s.keywordResolvers[keyword] = fn
}
func (s *ScopeResolver) AddAttributeResolver(prefix string, fn AttributeScopeResolveFunc) {
s.log.Debug("adding attribute resolution for '%v'", prefix)
s.attributeResolvers[prefix] = fn
}
func resolveUserSelf(u *models.SignedInUser) (string, error) {
return Scope("users", "id", fmt.Sprintf("%v", u.UserId)), nil
}
// ResolveKeyword resolves scope with keywords such as `self` or `current` into `id` based scopes
func (s *ScopeResolver) ResolveKeyword(user *models.SignedInUser, permission Permission) (*Permission, error) {
if fn, ok := s.keywordResolvers[permission.Scope]; ok {
resolvedScope, err := fn(user)
if err != nil {
return nil, fmt.Errorf("could not resolve %v: %v", permission.Scope, err)
// GetResolveKeywordScopeMutator returns a function to resolve scope with keywords such as `self` or `current` into `id` based scopes
func (s *ScopeResolver) GetResolveKeywordScopeMutator(user *models.SignedInUser) ScopeMutator {
return func(_ context.Context, scope string) (string, error) {
var err error
// By default the scope remains unchanged
resolvedScope := scope
if fn, ok := s.keywordResolvers[scope]; ok {
resolvedScope, err = fn(user)
if err != nil {
return "", fmt.Errorf("could not resolve %v: %w", scope, err)
}
s.log.Debug("resolved '%v' to '%v'", scope, resolvedScope)
}
permission.Scope = resolvedScope
return resolvedScope, nil
}
}
type AttributeScopeResolveFunc func(ctx context.Context, orgID int64, initialScope string) (string, error)
// getCacheKey creates an identifier to fetch and store resolution of scopes in the cache
func getCacheKey(orgID int64, scope string) string {
return fmt.Sprintf("%s-%v", scope, orgID)
}
// GetResolveAttributeScopeMutator returns a function to resolve scopes with attributes such as `name` or `uid` into `id` based scopes
func (s *ScopeResolver) GetResolveAttributeScopeMutator(orgID int64) ScopeMutator {
return func(ctx context.Context, scope string) (string, error) {
// Check cache before computing the scope
if cachedScope, ok := s.cache.Get(getCacheKey(orgID, scope)); ok {
resolvedScope := cachedScope.(string)
s.log.Debug("used cache to resolve '%v' to '%v'", scope, resolvedScope)
return resolvedScope, nil
}
var err error
// By default the scope remains unchanged
resolvedScope := scope
prefix := scopePrefix(scope)
if fn, ok := s.attributeResolvers[prefix]; ok {
resolvedScope, err = fn(ctx, orgID, scope)
if err != nil {
return "", fmt.Errorf("could not resolve %v: %w", scope, err)
}
// Cache result
s.cache.Set(getCacheKey(orgID, scope), resolvedScope, ttl)
s.log.Debug("resolved '%v' to '%v'", scope, resolvedScope)
}
return resolvedScope, nil
}
}
func scopePrefix(scope string) string {
parts := strings.Split(scope, ":")
n := len(parts) - 1
parts[n] = ""
return strings.Join(parts, ":")
}
//Inject params into the evaluator's templated scopes. e.g. "settings:" + eval.Parameters(":id")
func ScopeInjector(params ScopeParams) ScopeMutator {
return func(_ context.Context, scope string) (string, error) {
tmpl, err := template.New("scope").Parse(scope)
if err != nil {
return "", err
}
var buf bytes.Buffer
if err = tmpl.Execute(&buf, params); err != nil {
return "", err
}
return buf.String(), nil
}
return &permission, nil
}

133
pkg/services/accesscontrol/scope_test.go
View File

@ -1,6 +1,7 @@
package accesscontrol
import (
"context"
"testing"
"github.com/grafana/grafana/pkg/models"
@ -22,34 +23,156 @@ func TestResolveKeywordedScope(t *testing.T) {
name string
user *models.SignedInUser
permission Permission
want *Permission
want Permission
wantErr bool
}{
{
name: "no scope",
user: testUser,
permission: Permission{Action: "users:read"},
want: &Permission{Action: "users:read"},
want: Permission{Action: "users:read"},
wantErr: false,
},
{
name: "user if resolution",
user: testUser,
permission: Permission{Action: "users:read", Scope: "users:self"},
want: &Permission{Action: "users:read", Scope: "users:id:2"},
want: Permission{Action: "users:read", Scope: "users:id:2"},
wantErr: false,
},
}
for _, tt := range tests {
var err error
t.Run(tt.name, func(t *testing.T) {
resolver := NewScopeResolver()
resolved, err := resolver.ResolveKeyword(tt.user, tt.permission)
scopeModifier := resolver.GetResolveKeywordScopeMutator(tt.user)
tt.permission.Scope, err = scopeModifier(context.TODO(), tt.permission.Scope)
if tt.wantErr {
assert.Error(t, err, "expected an error during the resolution of the scope")
return
}
assert.NoError(t, err)
assert.EqualValues(t, tt.want, resolved, "permission did not match expected resolution")
assert.EqualValues(t, tt.want, tt.permission, "permission did not match expected resolution")
})
}
}
func TestScopeResolver_ResolveAttribute(t *testing.T) {
// Calls allow us to see how many times the fakeDataSourceResolution has been called
calls := 0
fakeDataSourceResolution := func(ctx context.Context, orgID int64, initialScope string) (string, error) {
calls++
if initialScope == "datasources:name:testds" {
return Scope("datasources", "id", "1"), nil
} else if initialScope == "datasources:name:testds2" {
return Scope("datasources", "id", "2"), nil
} else {
return "", models.ErrDataSourceNotFound
}
}
tests := []struct {
name string
orgID int64
evaluator Evaluator
wantEvaluator Evaluator
wantCalls int
wantErr error
}{
{
name: "should work with scope less permissions",
evaluator: EvalPermission("datasources:read"),
wantEvaluator: EvalPermission("datasources:read"),
wantCalls: 0,
},
{
name: "should handle an error",
orgID: 1,
evaluator: EvalPermission("datasources:read", Scope("datasources", "name", "testds3")),
wantErr: models.ErrDataSourceNotFound,
wantCalls: 1,
},
{
name: "should resolve a scope",
orgID: 1,
evaluator: EvalPermission("datasources:read", Scope("datasources", "name", "testds")),
wantEvaluator: EvalPermission("datasources:read", Scope("datasources", "id", "1")),
wantCalls: 1,
},
{
name: "should resolve nested scopes with cache",
orgID: 1,
evaluator: EvalAll(
EvalPermission("datasources:read", Scope("datasources", "name", "testds")),
EvalAny(
EvalPermission("datasources:read", Scope("datasources", "name", "testds")),
EvalPermission("datasources:read", Scope("datasources", "name", "testds2")),
),
),
wantEvaluator: EvalAll(
EvalPermission("datasources:read", Scope("datasources", "id", "1")),
EvalAny(
EvalPermission("datasources:read", Scope("datasources", "id", "1")),
EvalPermission("datasources:read", Scope("datasources", "id", "2")),
),
),
wantCalls: 2,
},
}
for _, tt := range tests {
resolver := NewScopeResolver()
// Reset calls counter
calls = 0
// Register a resolution method
resolver.AddAttributeResolver("datasources:name:", fakeDataSourceResolution)
// Test
scopeModifier := resolver.GetResolveAttributeScopeMutator(tt.orgID)
resolvedEvaluator, err := tt.evaluator.MutateScopes(context.TODO(), scopeModifier)
if tt.wantErr != nil {
assert.ErrorAs(t, err, &tt.wantErr, "expected an error during the resolution of the scope")
return
}
assert.NoError(t, err)
assert.EqualValues(t, tt.wantEvaluator, resolvedEvaluator, "permission did not match expected resolution")
assert.Equal(t, tt.wantCalls, calls, "cache has not been used")
}
}
func Test_scopePrefix(t *testing.T) {
tests := []struct {
name string
scope string
want string
}{
{
name: "empty",
scope: "",
want: "",
},
{
name: "minimal",
scope: ":",
want: ":",
},
{
name: "datasources",
scope: "datasources:",
want: "datasources:",
},
{
name: "datasources name",
scope: "datasources:name:testds",
want: "datasources:name:",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
prefix := scopePrefix(tt.scope)
assert.Equal(t, tt.want, prefix)
})
}
}

36
pkg/services/datasources/service.go
View File

@ -6,6 +6,7 @@ import (
"fmt"
"net/http"
"strconv"
"strings"
"sync"
"time"
@ -14,6 +15,7 @@ import (
"github.com/grafana/grafana/pkg/components/simplejson"
"github.com/grafana/grafana/pkg/infra/httpclient"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/secrets"
"github.com/grafana/grafana/pkg/services/sqlstore"
"github.com/grafana/grafana/pkg/setting"
@ -49,7 +51,7 @@ type cachedDecryptedJSON struct {
json map[string]string
}
func ProvideService(bus bus.Bus, store *sqlstore.SQLStore, secretsService secrets.Service) *Service {
func ProvideService(bus bus.Bus, store *sqlstore.SQLStore, secretsService secrets.Service, ac accesscontrol.AccessControl) *Service {
s := &Service{
Bus: bus,
SQLStore: store,
@ -70,9 +72,41 @@ func ProvideService(bus bus.Bus, store *sqlstore.SQLStore, secretsService secret
s.Bus.AddHandler(s.UpdateDataSource)
s.Bus.AddHandler(s.GetDefaultDataSource)
ac.RegisterAttributeScopeResolver(NewNameScopeResolver(store))
return s
}
type DataSourceRetriever interface {
GetDataSource(ctx context.Context, query *models.GetDataSourceQuery) error
}
// NewNameScopeResolver provides an AttributeScopeResolver able to
// translate a scope prefixed with "datasources:name:" into an id based scope.
func NewNameScopeResolver(db DataSourceRetriever) (string, accesscontrol.AttributeScopeResolveFunc) {
dsNameResolver := func(ctx context.Context, orgID int64, initialScope string) (string, error) {
dsNames := strings.Split(initialScope, ":")
if dsNames[0] != "datasources" || len(dsNames) != 3 {
return "", accesscontrol.ErrInvalidScope
}
dsName := dsNames[2]
// Special wildcard case
if dsName == "*" {
return accesscontrol.Scope("datasources", "id", "*"), nil
}
query := models.GetDataSourceQuery{Name: dsName, OrgId: orgID}
if err := db.GetDataSource(ctx, &query); err != nil {
return "", err
}
return accesscontrol.Scope("datasources", "id", fmt.Sprintf("%v", query.Result.Id)), nil
}
return "datasources:name:", dsNameResolver
}
func (s *Service) GetDataSource(ctx context.Context, query *models.GetDataSourceQuery) error {
return s.SQLStore.GetDataSource(ctx, query)
}

104
pkg/services/datasources/service_test.go
View File

@ -13,6 +13,8 @@ import (
"github.com/grafana/grafana/pkg/components/simplejson"
"github.com/grafana/grafana/pkg/infra/httpclient"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/accesscontrol"
acmock "github.com/grafana/grafana/pkg/services/accesscontrol/mock"
"github.com/grafana/grafana/pkg/services/secrets"
"github.com/grafana/grafana/pkg/services/secrets/database"
"github.com/grafana/grafana/pkg/services/secrets/fakes"
@ -34,7 +36,7 @@ func TestService(t *testing.T) {
})
secretsService := secretsManager.SetupTestService(t, database.ProvideSecretsStore(sqlStore))
s := ProvideService(bus.New(), sqlStore, secretsService)
s := ProvideService(bus.New(), sqlStore, secretsService, &acmock.Mock{})
var ds *models.DataSource
@ -66,6 +68,72 @@ func TestService(t *testing.T) {
})
}
type dataSourceMockRetriever struct {
res *models.DataSource
}
func (d *dataSourceMockRetriever) GetDataSource(ctx context.Context, query *models.GetDataSourceQuery) error {
if query.Name == d.res.Name {
query.Result = d.res
return nil
}
return models.ErrDataSourceNotFound
}
func TestService_NameScopeResolver(t *testing.T) {
type testCaseResolver struct {
desc string
given string
want string
wantErr error
}
testCases := []testCaseResolver{
{
desc: "correct",
given: "datasources:name:test-datasource",
want: "datasources:id:1",
wantErr: nil,
},
{
desc: "correct",
given: "datasources:name:*",
want: "datasources:id:*",
wantErr: nil,
},
{
desc: "unknown datasource",
given: "datasources:name:unknown-datasource",
want: "",
wantErr: models.ErrDataSourceNotFound,
},
{
desc: "malformed scope",
given: "datasources:unknown-datasource",
want: "",
wantErr: accesscontrol.ErrInvalidScope,
},
}
testDataSource := &models.DataSource{Id: 1, Name: "test-datasource"}
prefix, resolver := NewNameScopeResolver(&dataSourceMockRetriever{testDataSource})
require.Equal(t, "datasources:name:", prefix)
for _, tc := range testCases {
t.Run(tc.desc, func(t *testing.T) {
resolved, err := resolver(context.Background(), 1, tc.given)
if tc.wantErr != nil {
require.Error(t, err)
require.Equal(t, tc.wantErr, err)
} else {
require.NoError(t, err)
require.Equal(t, tc.want, resolved)
}
})
}
}
//nolint:goconst
func TestService_GetHttpTransport(t *testing.T) {
t.Run("Should use cached proxy", func(t *testing.T) {
@ -83,7 +151,7 @@ func TestService_GetHttpTransport(t *testing.T) {
}
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := ProvideService(bus.New(), nil, secretsService)
dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
rt1, err := dsService.GetHTTPTransport(&ds, provider)
require.NoError(t, err)
@ -116,7 +184,7 @@ func TestService_GetHttpTransport(t *testing.T) {
json.Set("tlsAuthWithCACert", true)
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := ProvideService(bus.New(), nil, secretsService)
dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
tlsCaCert, err := secretsService.Encrypt(context.Background(), []byte(caCert), secrets.WithoutScope())
require.NoError(t, err)
@ -166,7 +234,7 @@ func TestService_GetHttpTransport(t *testing.T) {
json.Set("tlsAuth", true)
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := ProvideService(bus.New(), nil, secretsService)
dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
tlsClientCert, err := secretsService.Encrypt(context.Background(), []byte(clientCert), secrets.WithoutScope())
require.NoError(t, err)
@ -209,7 +277,7 @@ func TestService_GetHttpTransport(t *testing.T) {
json.Set("serverName", "server-name")
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := ProvideService(bus.New(), nil, secretsService)
dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
tlsCaCert, err := secretsService.Encrypt(context.Background(), []byte(caCert), secrets.WithoutScope())
require.NoError(t, err)
@ -246,7 +314,7 @@ func TestService_GetHttpTransport(t *testing.T) {
json.Set("tlsSkipVerify", true)
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := ProvideService(bus.New(), nil, secretsService)
dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
ds := models.DataSource{
Id: 1,
@ -277,7 +345,7 @@ func TestService_GetHttpTransport(t *testing.T) {
})
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := ProvideService(bus.New(), nil, secretsService)
dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
encryptedData, err := secretsService.Encrypt(context.Background(), []byte(`Bearer xf5yhfkpsnmgo`), secrets.WithoutScope())
require.NoError(t, err)
@ -336,7 +404,7 @@ func TestService_GetHttpTransport(t *testing.T) {
})
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := ProvideService(bus.New(), nil, secretsService)
dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
ds := models.DataSource{
Id: 1,
@ -369,7 +437,7 @@ func TestService_GetHttpTransport(t *testing.T) {
require.NoError(t, err)
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := ProvideService(bus.New(), nil, secretsService)
dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
ds := models.DataSource{
Type: models.DS_ES,
@ -403,7 +471,7 @@ func TestService_getTimeout(t *testing.T) {
}
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := ProvideService(bus.New(), nil, secretsService)
dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
for _, tc := range testCases {
ds := &models.DataSource{
@ -416,7 +484,7 @@ func TestService_getTimeout(t *testing.T) {
func TestService_DecryptedValue(t *testing.T) {
t.Run("When datasource hasn't been updated, encrypted JSON should be fetched from cache", func(t *testing.T) {
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := ProvideService(bus.New(), nil, secretsService)
dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
encryptedJsonData, err := secretsService.EncryptJsonData(
context.Background(),
@ -470,7 +538,7 @@ func TestService_DecryptedValue(t *testing.T) {
SecureJsonData: encryptedJsonData,
}
dsService := ProvideService(bus.New(), nil, secretsService)
dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
// Populate cache
password, ok := dsService.DecryptedValue(&ds, "password")
@ -506,7 +574,7 @@ func TestService_HTTPClientOptions(t *testing.T) {
t.Cleanup(func() { ds.JsonData = emptyJsonData; ds.SecureJsonData = emptySecureJsonData })
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := ProvideService(bus.New(), nil, secretsService)
dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
opts, err := dsService.httpClientOptions(&ds)
require.NoError(t, err)
@ -523,7 +591,7 @@ func TestService_HTTPClientOptions(t *testing.T) {
})
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := ProvideService(bus.New(), nil, secretsService)
dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
opts, err := dsService.httpClientOptions(&ds)
require.NoError(t, err)
@ -543,7 +611,7 @@ func TestService_HTTPClientOptions(t *testing.T) {
})
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := ProvideService(bus.New(), nil, secretsService)
dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
opts, err := dsService.httpClientOptions(&ds)
require.NoError(t, err)
@ -567,7 +635,7 @@ func TestService_HTTPClientOptions(t *testing.T) {
})
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := ProvideService(bus.New(), nil, secretsService)
dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
opts, err := dsService.httpClientOptions(&ds)
require.NoError(t, err)
@ -585,7 +653,7 @@ func TestService_HTTPClientOptions(t *testing.T) {
})
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := ProvideService(bus.New(), nil, secretsService)
dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
_, err := dsService.httpClientOptions(&ds)
assert.Error(t, err)
@ -599,7 +667,7 @@ func TestService_HTTPClientOptions(t *testing.T) {
})
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := ProvideService(bus.New(), nil, secretsService)
dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
opts, err := dsService.httpClientOptions(&ds)
require.NoError(t, err)

3
pkg/tsdb/legacydata/service/service_test.go
View File

@ -9,6 +9,7 @@ import (
"github.com/grafana/grafana/pkg/components/simplejson"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/plugins"
acmock "github.com/grafana/grafana/pkg/services/accesscontrol/mock"
"github.com/grafana/grafana/pkg/services/datasources"
"github.com/grafana/grafana/pkg/services/oauthtoken"
"github.com/grafana/grafana/pkg/services/secrets/fakes"
@ -35,7 +36,7 @@ func TestHandleRequest(t *testing.T) {
return backend.NewQueryDataResponse(), nil
}
secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
dsService := datasources.ProvideService(bus.New(), nil, secretsService)
dsService := datasources.ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
s := ProvideService(client, nil, dsService)
ds := &models.DataSource{Id: 12, Type: "unregisteredType", JsonData: simplejson.New()}