Access control: Add logs to access control dashboard guardian (#46534)

* Add logs to access control dashboard guardian

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
Karl Persson 2022-03-14 17:12:09 +01:00 committed by GitHub
parent 8688073564
commit 544b6ab736
2 changed files with 29 additions and 14 deletions


@ -4,6 +4,7 @@ import (
"context"
"strconv"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/dashboards"
@ -25,6 +26,7 @@ func NewAccessControlDashboardGuardian(
) *AccessControlDashboardGuardian {
return &AccessControlDashboardGuardian{
ctx: ctx,
log: log.New("dashboard.permissions"),
dashboardID: dashboardId,
user: user,
store: store,
@ -35,6 +37,7 @@ func NewAccessControlDashboardGuardian(
type AccessControlDashboardGuardian struct {
ctx context.Context
log log.Logger
dashboardID int64
dashboard *models.Dashboard
user *models.SignedInUser
@ -49,10 +52,10 @@ func (a *AccessControlDashboardGuardian) CanSave() (bool, error) {
}
if a.dashboard.IsFolder {
return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, folderScope(a.dashboardID)))
return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, folderScope(a.dashboardID)))
}
return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalAny(
return a.evaluate(accesscontrol.EvalAny(
accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, dashboardScope(a.dashboard.Id)),
accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, folderScope(a.dashboard.FolderId)),
))
@ -68,10 +71,10 @@ func (a *AccessControlDashboardGuardian) CanEdit() (bool, error) {
}
if a.dashboard.IsFolder {
return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, folderScope(a.dashboardID)))
return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, folderScope(a.dashboardID)))
}
return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalAny(
return a.evaluate(accesscontrol.EvalAny(
accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, dashboardScope(a.dashboard.Id)),
accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, folderScope(a.dashboard.FolderId)),
))
@ -83,10 +86,10 @@ func (a *AccessControlDashboardGuardian) CanView() (bool, error) {
}
if a.dashboard.IsFolder {
return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalPermission(dashboards.ActionFoldersRead, folderScope(a.dashboardID)))
return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersRead, folderScope(a.dashboardID)))
}
return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalAny(
return a.evaluate(accesscontrol.EvalAny(
accesscontrol.EvalPermission(accesscontrol.ActionDashboardsRead, dashboardScope(a.dashboard.Id)),
accesscontrol.EvalPermission(accesscontrol.ActionDashboardsRead, folderScope(a.dashboard.FolderId)),
))
@ -98,13 +101,13 @@ func (a *AccessControlDashboardGuardian) CanAdmin() (bool, error) {
}
if a.dashboard.IsFolder {
return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalAll(
return a.evaluate(accesscontrol.EvalAll(
accesscontrol.EvalPermission(dashboards.ActionFoldersPermissionsRead, folderScope(a.dashboard.Id)),
accesscontrol.EvalPermission(dashboards.ActionFoldersPermissionsWrite, folderScope(a.dashboard.Id)),
))
}
return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalAny(
return a.evaluate(accesscontrol.EvalAny(
accesscontrol.EvalAll(
accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsRead, dashboardScope(a.dashboard.Id)),
accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsWrite, dashboardScope(a.dashboard.Id)),
@ -122,10 +125,10 @@ func (a *AccessControlDashboardGuardian) CanDelete() (bool, error) {
}
if a.dashboard.IsFolder {
return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalPermission(dashboards.ActionFoldersDelete, folderScope(a.dashboard.Id)))
return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersDelete, folderScope(a.dashboard.Id)))
}
return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalAny(
return a.evaluate(accesscontrol.EvalAny(
accesscontrol.EvalPermission(accesscontrol.ActionDashboardsDelete, dashboardScope(a.dashboard.Id)),
accesscontrol.EvalPermission(accesscontrol.ActionDashboardsDelete, folderScope(a.dashboard.FolderId)),
))
@ -133,10 +136,23 @@ func (a *AccessControlDashboardGuardian) CanDelete() (bool, error) {
func (a *AccessControlDashboardGuardian) CanCreate(folderID int64, isFolder bool) (bool, error) {
if isFolder {
return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalPermission(dashboards.ActionFoldersCreate))
return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersCreate))
}
return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalPermission(accesscontrol.ActionDashboardsCreate, folderScope(folderID)))
return a.evaluate(accesscontrol.EvalPermission(accesscontrol.ActionDashboardsCreate, folderScope(folderID)))
}
func (a *AccessControlDashboardGuardian) evaluate(evaluator accesscontrol.Evaluator) (bool, error) {
ok, err := a.ac.Evaluate(a.ctx, a.user, evaluator)
if err != nil {
a.log.Error("Failed to evaluate access control to folder or dashboard", "error", err, "userId", a.user.UserId, "id", a.dashboardID)
}
if !ok && err == nil {
a.log.Info("Access denied to folder or dashboard", "userId", a.user.UserId, "id", a.dashboardID, "permissions", evaluator.GoString())
}
return ok, err
}
func (a *AccessControlDashboardGuardian) CheckPermissionBeforeUpdate(permission models.PermissionType, updatePermissions []*models.DashboardAcl) (bool, error) {
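Review bot: The new `evaluate` helper tags every log line with `"id", a.dashboardID`, but for `CanCreate` the object actually evaluated is the `folderID` parameter (scope `folderScope(folderID)`), not the guardian's dashboard id, so a denied-create event points an investigator at the wrong object; the real scope is only recoverable from the `permissions` field, and that field is missing on the error path. I would add the evaluator to the error line as well, `a.log.Error("Failed to evaluate access control to folder or dashboard", "error", err, "userId", a.user.UserId, "id", a.dashboardID, "permissions", evaluator.GoString())`, so a failed evaluation carries the same context as a denial. Access denials are audit-relevant events and `Info` is easy to filter out in production; consider `Warn`, or at least a doc comment on `evaluate` stating that it is the single place where authorization outcomes are logged and that `id` is the guardian's dashboard id rather than the evaluated scope. Both log lines dereference `a.user.UserId`; if a guardian can ever be built with a nil user this will panic before the evaluator runs, which I cannot confirm from the hunk, so it is worth a check or a comment on the constructor's contract. `CheckPermissionBeforeUpdate` starts on the last line of the hunk and its body lies outside the diff.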


@ -5,9 +5,8 @@ import (
"fmt"
"testing"
"github.com/stretchr/testify/mock"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/mock"
"github.com/stretchr/testify/require"
"github.com/grafana/grafana/pkg/api/routing"