Storage: use static access rules (#52334)

* Storage: use static access rules * Storage: use static access rules * Storage: add tests
2025-02-25 18:55:37 -06:00 · 2022-07-17 22:41:54 +04:00
parent e6a5b9ee7f
commit 6188526e1d
8 changed files with 319 additions and 52 deletions
--- a/pkg/services/store/static_auth.go
+++ b/pkg/services/store/static_auth.go
@@ -0,0 +1,41 @@
+package store
+
+import (
+	"context"
+
+	"github.com/grafana/grafana/pkg/infra/filestorage"
+	"github.com/grafana/grafana/pkg/infra/log"
+	"github.com/grafana/grafana/pkg/models"
+)
+
+type createPathFilterByAction func(ctx context.Context, user *models.SignedInUser, storageName string) map[string]filestorage.PathFilter
+
+func newStaticStorageAuthService(createPathFilterByAction createPathFilterByAction) storageAuthService {
+	return &staticStorageAuth{
+		denyAllFileGuardian:      &denyAllFileGuardian{},
+		createPathFilterByAction: createPathFilterByAction,
+		log:                      log.New("staticStorageAuthService"),
+	}
+}
+
+type staticStorageAuth struct {
+	log                      log.Logger
+	denyAllFileGuardian      fileGuardian
+	createPathFilterByAction createPathFilterByAction
+}
+
+func (a *staticStorageAuth) newGuardian(ctx context.Context, user *models.SignedInUser, storageName string) fileGuardian {
+	pathFilter := a.createPathFilterByAction(ctx, user, storageName)
+
+	if pathFilter == nil {
+		return a.denyAllFileGuardian
+	}
+
+	return &pathFilterFileGuardian{
+		ctx:                ctx,
+		user:               user,
+		log:                a.log,
+		prefix:             storageName,
+		pathFilterByAction: pathFilter,
+	}
+}