RBAC: Split up service into several components (#54002)
* RBAC: Rename interface to Store * RBAC: Move and rename scopeInjector * RBAC: Rename files to service * RBAC: Rename to service * RBAC: Split up accesscontrol into two components * RBAC: Add DeclareFixedRoles to AccessControl interface * Wire: Fix wire bindings * RBAC: Move resolvers to root * RBAC: Remove invalid test * RBAC: Inject access control service * RBAC: Implement the RoleRegistry interface in fake
@@ -366,6 +366,7 @@ func setupHTTPServerWithCfgDb(
var acmock *accesscontrolmock.Mock
var ac accesscontrol.AccessControl
var acService accesscontrol.Service
// Defining the accesscontrol service has to be done before registering routes
if useFakeAccessControl {
@@ -374,13 +375,15 @@ func setupHTTPServerWithCfgDb(
acmock = acmock.WithDisabled()
}
ac = acmock
acService = acmock
} else {
var err error
ac, err = ossaccesscontrol.ProvideService(cfg, database.ProvideService(db), routeRegister)
acService, err = ossaccesscontrol.ProvideService(cfg, database.ProvideService(db), routeRegister)
require.NoError(t, err)
ac = ossaccesscontrol.ProvideAccessControl(cfg, acService)
}
teamPermissionService, err := ossaccesscontrol.ProvideTeamPermissions(cfg, routeRegister, db, ac, license)
teamPermissionService, err := ossaccesscontrol.ProvideTeamPermissions(cfg, routeRegister, db, ac, license, acService)
require.NoError(t, err)
// Create minimal HTTP Server
@@ -395,6 +398,7 @@ func setupHTTPServerWithCfgDb(
SQLStore: store,
License: &licensing.OSSLicensingService{},
AccessControl: ac,
accesscontrolService: acService,
teamPermissionsService: teamPermissionService,
searchUsersService: searchusers.ProvideUsersService(filters.ProvideOSSSearchUserFilter(), usertest.NewUserServiceFake()),
DashboardService: dashboardservice.ProvideDashboardService(
@@ -410,7 +414,7 @@ func setupHTTPServerWithCfgDb(
}
require.NoError(t, hs.declareFixedRoles())
require.NoError(t, hs.AccessControl.(accesscontrol.RoleRegistry).RegisterFixedRoles(context.Background()))
require.NoError(t, hs.accesscontrolService.(accesscontrol.RoleRegistry).RegisterFixedRoles(context.Background()))
// Instantiate a new Server
m := web.New()
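Review bot: The unchecked type assertion `hs.accesscontrolService.(accesscontrol.RoleRegistry)` on the RegisterFixedRoles line panics instead of failing the test if a Service implementation ever stops satisfying RoleRegistry, and because this is a shared setup helper the panic aborts the whole package run with a stack trace rather than a readable assertion. The two-value form gives a proper failure message: `reg, ok := hs.accesscontrolService.(accesscontrol.RoleRegistry)`, `require.True(t, ok, "access control service must implement RoleRegistry")`, `require.NoError(t, reg.RegisterFixedRoles(context.Background()))`. setupHTTPServerWithCfgDb begins and ends outside this hunk.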
@@ -423,7 +427,7 @@ func setupHTTPServerWithCfgDb(
c.Req = c.Req.WithContext(ctxkey.Set(c.Req.Context(), initCtx))
})
m.Use(accesscontrol.LoadPermissionsMiddleware(hs.AccessControl))
m.Use(accesscontrol.LoadPermissionsMiddleware(hs.accesscontrolService))
// Register all routes
hs.registerRoutes()
@@ -182,6 +182,7 @@ type HTTPServer struct {
tempUserService tempUser.Service
loginAttemptService loginAttempt.Service
orgService org.Service
accesscontrolService accesscontrol.Service
}
type ServerOptions struct {
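Review bot: The new unexported `accesscontrolService accesscontrol.Service` field sits next to the existing exported `AccessControl` field with no comment saying which one a handler should use, while the other hunks in this commit move permission loading (LoadPermissionsMiddleware), lookup (GetUserPermissions), deletion (DeleteUserPermissions) and fixed-role registration to the service but keep gating on `AccessControl.IsDisabled()`. A field comment would keep the split from drifting as handlers are migrated, for example `// accesscontrolService handles permission retrieval, deletion and fixed-role registration; AccessControl remains the object handlers gate on (confirm the intended boundary with the RBAC owners).` The HTTPServer struct begins outside this hunk.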
@@ -217,7 +218,9 @@ func ProvideHTTPServer(opts ServerOptions, cfg *setting.Cfg, routeRegister routi
dashboardPermissionsService accesscontrol.DashboardPermissionsService, dashboardVersionService dashver.Service,
starService star.Service, csrfService csrf.Service, coremodels *registry.Base,
playlistService playlist.Service, apiKeyService apikey.Service, kvStore kvstore.KVStore, secretsMigrator secrets.Migrator, secretsPluginManager plugins.SecretsPluginManager,
publicDashboardsApi *publicdashboardsApi.Api, userService user.Service, tempUserService tempUser.Service, loginAttemptService loginAttempt.Service, orgService org.Service) (*HTTPServer, error) {
publicDashboardsApi *publicdashboardsApi.Api, userService user.Service, tempUserService tempUser.Service, loginAttemptService loginAttempt.Service, orgService org.Service,
accesscontrolService accesscontrol.Service,
) (*HTTPServer, error) {
web.Env = cfg.Env
m := web.New()
@@ -308,6 +311,7 @@ func ProvideHTTPServer(opts ServerOptions, cfg *setting.Cfg, routeRegister routi
tempUserService: tempUserService,
loginAttemptService: loginAttemptService,
orgService: orgService,
accesscontrolService: accesscontrolService,
}
if hs.Listener != nil {
hs.log.Debug("Using provided listener")
@@ -560,7 +564,7 @@ func (hs *HTTPServer) addMiddlewaresAndStaticRoutes() {
m.Use(hs.ContextHandler.Middleware)
m.Use(middleware.OrgRedirect(hs.Cfg, hs.SQLStore))
m.Use(accesscontrol.LoadPermissionsMiddleware(hs.AccessControl))
m.Use(accesscontrol.LoadPermissionsMiddleware(hs.accesscontrolService))
// needs to be after context handler
if hs.Cfg.EnforceDomain {
@@ -813,7 +813,7 @@ func (hs *HTTPServer) setIndexViewData(c *models.ReqContext) (*dtos.IndexViewDat
}
if !hs.AccessControl.IsDisabled() {
userPermissions, err := hs.AccessControl.GetUserPermissions(c.Req.Context(), c.SignedInUser, ac.Options{ReloadCache: false})
userPermissions, err := hs.accesscontrolService.GetUserPermissions(c.Req.Context(), c.SignedInUser, ac.Options{ReloadCache: false})
if err != nil {
return nil, err
}
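Review bot: The enabled check and the permission lookup are now split across two objects: `if !hs.AccessControl.IsDisabled()` decides whether to load permissions, but `hs.accesscontrolService.GetUserPermissions(...)` on the next line supplies them. This stays correct only while both are built from the same cfg, which the test helper gets by pointing both at one mock and production gets via ProvideAccessControl taking the service as input, but nothing in this function enforces it, and a mismatch could hand the frontend an empty permission set or one the evaluator is not enforcing. If Service exposes an IsDisabled, gate on the object that is queried; otherwise a comment such as `// AccessControl and accesscontrolService must be constructed from the same cfg (see ProvideHTTPServer)` makes the coupling explicit. setIndexViewData begins and ends outside this hunk.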
@@ -411,14 +411,14 @@ func (hs *HTTPServer) removeOrgUserHelper(ctx context.Context, cmd *models.Remov
if cmd.UserWasDeleted {
// This should be called from appropriate service when moved
if err := hs.AccessControl.DeleteUserPermissions(ctx, accesscontrol.GlobalOrgID, cmd.UserId); err != nil {
if err := hs.accesscontrolService.DeleteUserPermissions(ctx, accesscontrol.GlobalOrgID, cmd.UserId); err != nil {
hs.log.Warn("failed to delete permissions for user", "userID", cmd.UserId, "orgID", accesscontrol.GlobalOrgID, "err", err)
}
return response.Success("User deleted")
}
// This should be called from appropriate service when moved
if err := hs.AccessControl.DeleteUserPermissions(ctx, cmd.OrgId, cmd.UserId); err != nil {
if err := hs.accesscontrolService.DeleteUserPermissions(ctx, cmd.OrgId, cmd.UserId); err != nil {
hs.log.Warn("failed to delete permissions for user", "userID", cmd.UserId, "orgID", cmd.OrgId, "err", err)
}
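Review bot: Both DeleteUserPermissions calls in this hunk (the GlobalOrgID one under `cmd.UserWasDeleted` and the per-org one below it) only emit a Warn when revocation fails and then continue to a success response, so a user can be removed from the org while their permission assignments remain in the store; the commit changes only the receiver and leaves that handling in place. Because this is an authorization clean-up path, a failure here should at least be logged at Error level, and preferably propagated so the caller knows revocation did not complete rather than receiving "User deleted" unconditionally. If best-effort is intentional for now, the existing `// This should be called from appropriate service when moved` comments should say so, e.g. `// Best-effort: a failure here is logged but does not fail the removal; revisit when this moves into the owning service`. removeOrgUserHelper begins and ends outside this hunk.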
@@ -960,7 +960,7 @@ func TestDeleteOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
assert.Len(t, getUsersQuery.Result, tc.expectedUserCount)
// check all permissions for user is removed in org
permission, err := sc.hs.AccessControl.GetUserPermissions(context.Background(), &user.SignedInUser{UserID: tc.targetUserId, OrgID: tc.targetOrg}, accesscontrol.Options{})
permission, err := sc.hs.accesscontrolService.GetUserPermissions(context.Background(), &user.SignedInUser{UserID: tc.targetUserId, OrgID: tc.targetOrg}, accesscontrol.Options{})
require.NoError(t, err)
assert.Len(t, permission, 0)
}