Access control: Add logs to access control dashboard guardian (#46534)

* Add logs to access control dashboard guardian Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2025-02-25 18:55:37 -06:00 · 2022-03-14 17:12:09 +01:00
parent 8688073564
commit 544b6ab736
2 changed files with 29 additions and 14 deletions
--- a/pkg/services/guardian/accesscontrol_guardian.go
+++ b/pkg/services/guardian/accesscontrol_guardian.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"strconv"

+	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
 	"github.com/grafana/grafana/pkg/services/dashboards"
@@ -25,6 +26,7 @@ func NewAccessControlDashboardGuardian(
 ) *AccessControlDashboardGuardian {
 	return &AccessControlDashboardGuardian{
 		ctx:                ctx,
+		log:                log.New("dashboard.permissions"),
 		dashboardID:        dashboardId,
 		user:               user,
 		store:              store,
@@ -35,6 +37,7 @@ func NewAccessControlDashboardGuardian(

 type AccessControlDashboardGuardian struct {
 	ctx                context.Context
+	log                log.Logger
 	dashboardID        int64
 	dashboard          *models.Dashboard
 	user               *models.SignedInUser
@@ -49,10 +52,10 @@ func (a *AccessControlDashboardGuardian) CanSave() (bool, error) {
 	}

 	if a.dashboard.IsFolder {
-		return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, folderScope(a.dashboardID)))
+		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, folderScope(a.dashboardID)))
 	}

-	return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalAny(
+	return a.evaluate(accesscontrol.EvalAny(
 		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, dashboardScope(a.dashboard.Id)),
 		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, folderScope(a.dashboard.FolderId)),
 	))
@@ -68,10 +71,10 @@ func (a *AccessControlDashboardGuardian) CanEdit() (bool, error) {
 	}

 	if a.dashboard.IsFolder {
-		return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, folderScope(a.dashboardID)))
+		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersWrite, folderScope(a.dashboardID)))
 	}

-	return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalAny(
+	return a.evaluate(accesscontrol.EvalAny(
 		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, dashboardScope(a.dashboard.Id)),
 		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsWrite, folderScope(a.dashboard.FolderId)),
 	))
@@ -83,10 +86,10 @@ func (a *AccessControlDashboardGuardian) CanView() (bool, error) {
 	}

 	if a.dashboard.IsFolder {
-		return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalPermission(dashboards.ActionFoldersRead, folderScope(a.dashboardID)))
+		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersRead, folderScope(a.dashboardID)))
 	}

-	return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalAny(
+	return a.evaluate(accesscontrol.EvalAny(
 		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsRead, dashboardScope(a.dashboard.Id)),
 		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsRead, folderScope(a.dashboard.FolderId)),
 	))
@@ -98,13 +101,13 @@ func (a *AccessControlDashboardGuardian) CanAdmin() (bool, error) {
 	}

 	if a.dashboard.IsFolder {
-		return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalAll(
+		return a.evaluate(accesscontrol.EvalAll(
 			accesscontrol.EvalPermission(dashboards.ActionFoldersPermissionsRead, folderScope(a.dashboard.Id)),
 			accesscontrol.EvalPermission(dashboards.ActionFoldersPermissionsWrite, folderScope(a.dashboard.Id)),
 		))
 	}

-	return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalAny(
+	return a.evaluate(accesscontrol.EvalAny(
 		accesscontrol.EvalAll(
 			accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsRead, dashboardScope(a.dashboard.Id)),
 			accesscontrol.EvalPermission(accesscontrol.ActionDashboardsPermissionsWrite, dashboardScope(a.dashboard.Id)),
@@ -122,10 +125,10 @@ func (a *AccessControlDashboardGuardian) CanDelete() (bool, error) {
 	}

 	if a.dashboard.IsFolder {
-		return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalPermission(dashboards.ActionFoldersDelete, folderScope(a.dashboard.Id)))
+		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersDelete, folderScope(a.dashboard.Id)))
 	}

-	return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalAny(
+	return a.evaluate(accesscontrol.EvalAny(
 		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsDelete, dashboardScope(a.dashboard.Id)),
 		accesscontrol.EvalPermission(accesscontrol.ActionDashboardsDelete, folderScope(a.dashboard.FolderId)),
 	))
@@ -133,10 +136,23 @@ func (a *AccessControlDashboardGuardian) CanDelete() (bool, error) {

 func (a *AccessControlDashboardGuardian) CanCreate(folderID int64, isFolder bool) (bool, error) {
 	if isFolder {
-		return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalPermission(dashboards.ActionFoldersCreate))
+		return a.evaluate(accesscontrol.EvalPermission(dashboards.ActionFoldersCreate))
 	}

-	return a.ac.Evaluate(a.ctx, a.user, accesscontrol.EvalPermission(accesscontrol.ActionDashboardsCreate, folderScope(folderID)))
+	return a.evaluate(accesscontrol.EvalPermission(accesscontrol.ActionDashboardsCreate, folderScope(folderID)))
+}
+
+func (a *AccessControlDashboardGuardian) evaluate(evaluator accesscontrol.Evaluator) (bool, error) {
+	ok, err := a.ac.Evaluate(a.ctx, a.user, evaluator)
+	if err != nil {
+		a.log.Error("Failed to evaluate access control to folder or dashboard", "error", err, "userId", a.user.UserId, "id", a.dashboardID)
+	}
+
+	if !ok && err == nil {
+		a.log.Info("Access denied to folder or dashboard", "userId", a.user.UserId, "id", a.dashboardID, "permissions", evaluator.GoString())
+	}
+
+	return ok, err
 }

 func (a *AccessControlDashboardGuardian) CheckPermissionBeforeUpdate(permission models.PermissionType, updatePermissions []*models.DashboardAcl) (bool, error) {