From 64ed77ddce79009ce05f43801cc578c135f05b6b Mon Sep 17 00:00:00 2001
From: linoman <2051016+linoman@users.noreply.github.com>
Date: Fri, 4 Aug 2023 11:08:14 +0200
Subject: [PATCH] Auth: Add no role frontend feature flag (#72823)

* Add 'noBasicRole' feature flag

* Hide role options and tooltip with feature flag

* Add feature flag to registry
---
 .../configure-grafana/feature-toggles/index.md   |  1 +
 .../grafana-data/src/types/featureToggles.gen.ts |  1 +
 pkg/services/featuremgmt/registry.go             |  8 ++++++++
 pkg/services/featuremgmt/toggles_gen.csv         |  1 +
 pkg/services/featuremgmt/toggles_gen.go          |  4 ++++
 .../RolePicker/BuiltinRoleSelector.tsx           | 16 ++++++++++++----
 .../components/RolePicker/RolePickerMenu.tsx     |  3 ++-
 public/app/features/org/UserInviteForm.tsx       |  4 ++--
 8 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/docs/sources/setup-grafana/configure-grafana/feature-toggles/index.md b/docs/sources/setup-grafana/configure-grafana/feature-toggles/index.md
index 5dedb32e362..ccc4fe635f4 100644
--- a/docs/sources/setup-grafana/configure-grafana/feature-toggles/index.md
+++ b/docs/sources/setup-grafana/configure-grafana/feature-toggles/index.md
@@ -129,6 +129,7 @@ Experimental features might be changed or removed without prior notice.
 | `permissionsFilterRemoveSubquery`           | Alternative permission filter implementation that does not use subqueries for fetching the dashboard folder                                                                              |
 | `prometheusConfigOverhaulAuth`              | Update the Prometheus configuration page with the new auth component                                                                                                                     |
 | `influxdbSqlSupport`                        | Enable InfluxDB SQL query language support with new querying UI                                                                                                                          |
+| `noBasicRole`                               | Enables a new role that has no permissions by default                                                                                                                                    |
 
 ## Development feature toggles
 
diff --git a/packages/grafana-data/src/types/featureToggles.gen.ts b/packages/grafana-data/src/types/featureToggles.gen.ts
index e38b8f06230..db38f708392 100644
--- a/packages/grafana-data/src/types/featureToggles.gen.ts
+++ b/packages/grafana-data/src/types/featureToggles.gen.ts
@@ -118,4 +118,5 @@ export interface FeatureToggles {
   prometheusConfigOverhaulAuth?: boolean;
   configurableSchedulerTick?: boolean;
   influxdbSqlSupport?: boolean;
+  noBasicRole?: boolean;
 }
diff --git a/pkg/services/featuremgmt/registry.go b/pkg/services/featuremgmt/registry.go
index d92b97687d8..d8403824de8 100644
--- a/pkg/services/featuremgmt/registry.go
+++ b/pkg/services/featuremgmt/registry.go
@@ -691,5 +691,13 @@ var (
 			Owner:           grafanaObservabilityMetricsSquad,
 			RequiresRestart: false,
 		},
+		{
+			Name:            "noBasicRole",
+			Description:     "Enables a new role that has no permissions by default",
+			Stage:           FeatureStageExperimental,
+			FrontendOnly:    true,
+			Owner:           grafanaAuthnzSquad,
+			RequiresRestart: true,
+		},
 	}
 )
diff --git a/pkg/services/featuremgmt/toggles_gen.csv b/pkg/services/featuremgmt/toggles_gen.csv
index 5f58f36c507..f5d9a8ba35e 100644
--- a/pkg/services/featuremgmt/toggles_gen.csv
+++ b/pkg/services/featuremgmt/toggles_gen.csv
@@ -99,3 +99,4 @@ permissionsFilterRemoveSubquery,experimental,@grafana/backend-platform,false,fal
 prometheusConfigOverhaulAuth,experimental,@grafana/observability-metrics,false,false,false,false
 configurableSchedulerTick,experimental,@grafana/alerting-squad,false,false,true,false
 influxdbSqlSupport,experimental,@grafana/observability-metrics,false,false,false,false
+noBasicRole,experimental,@grafana/grafana-authnz-team,false,false,true,true
diff --git a/pkg/services/featuremgmt/toggles_gen.go b/pkg/services/featuremgmt/toggles_gen.go
index b176102f9d6..b7e3fcfb4e2 100644
--- a/pkg/services/featuremgmt/toggles_gen.go
+++ b/pkg/services/featuremgmt/toggles_gen.go
@@ -406,4 +406,8 @@ const (
 	// FlagInfluxdbSqlSupport
 	// Enable InfluxDB SQL query language support with new querying UI
 	FlagInfluxdbSqlSupport = "influxdbSqlSupport"
+
+	// FlagNoBasicRole
+	// Enables a new role that has no permissions by default
+	FlagNoBasicRole = "noBasicRole"
 )
diff --git a/public/app/core/components/RolePicker/BuiltinRoleSelector.tsx b/public/app/core/components/RolePicker/BuiltinRoleSelector.tsx
index 2362d613e3a..e9e5d02386b 100644
--- a/public/app/core/components/RolePicker/BuiltinRoleSelector.tsx
+++ b/public/app/core/components/RolePicker/BuiltinRoleSelector.tsx
@@ -1,15 +1,23 @@
 import React from 'react';
 
 import { SelectableValue } from '@grafana/data';
+import { config } from '@grafana/runtime';
 import { Icon, RadioButtonList, Tooltip, useStyles2, useTheme2 } from '@grafana/ui';
+import { contextSrv } from 'app/core/core';
 import { OrgRole } from 'app/types';
 
 import { getStyles } from './styles';
 
-const BasicRoleOption: Array<SelectableValue<OrgRole>> = Object.values(OrgRole).map((r) => ({
-  label: r === OrgRole.None ? 'No basic role' : r,
-  value: r,
-}));
+const noBasicRoleFlag = contextSrv.licensedAccessControlEnabled();
+
+const noBasicRole = config.featureToggles.noBasicRole && noBasicRoleFlag;
+
+const BasicRoleOption: Array<SelectableValue<OrgRole>> = Object.values(OrgRole)
+  .filter((r) => noBasicRole || r !== OrgRole.None)
+  .map((r) => ({
+    label: r === OrgRole.None ? 'No basic role' : r,
+    value: r,
+  }));
 
 interface Props {
   value?: OrgRole;
diff --git a/public/app/core/components/RolePicker/RolePickerMenu.tsx b/public/app/core/components/RolePicker/RolePickerMenu.tsx
index 42b9ce49ab9..be4d481df99 100644
--- a/public/app/core/components/RolePicker/RolePickerMenu.tsx
+++ b/public/app/core/components/RolePicker/RolePickerMenu.tsx
@@ -1,6 +1,7 @@
 import { css, cx } from '@emotion/css';
 import React, { useEffect, useRef, useState } from 'react';
 
+import { config } from '@grafana/runtime';
 import { Button, CustomScrollbar, HorizontalGroup, useStyles2, useTheme2 } from '@grafana/ui';
 import { getSelectStyles } from '@grafana/ui/src/components/Select/getSelectStyles';
 import { contextSrv } from 'app/core/core';
@@ -35,7 +36,7 @@ const fixedRoleGroupNames: Record<string, string> = {
   current: 'Current org',
 };
 
-const noBasicRoleFlag = contextSrv.licensedAccessControlEnabled();
+const noBasicRoleFlag = contextSrv.licensedAccessControlEnabled() && config.featureToggles.noBasicRole;
 const tooltipMessage = noBasicRoleFlag
   ? 'You can now select the "No basic role" option and add permissions to your custom needs.'
   : undefined;
diff --git a/public/app/features/org/UserInviteForm.tsx b/public/app/features/org/UserInviteForm.tsx
index e2c4e263bca..8863516e421 100644
--- a/public/app/features/org/UserInviteForm.tsx
+++ b/public/app/features/org/UserInviteForm.tsx
@@ -2,7 +2,7 @@ import React from 'react';
 
 import { locationUtil, SelectableValue } from '@grafana/data';
 import { Stack } from '@grafana/experimental';
-import { locationService } from '@grafana/runtime';
+import { config, locationService } from '@grafana/runtime';
 import {
   Button,
   LinkButton,
@@ -23,7 +23,7 @@ import { OrgRole, useDispatch } from 'app/types';
 
 import { addInvitee } from '../invites/state/actions';
 
-const noBasicRoleFlag = contextSrv.licensedAccessControlEnabled();
+const noBasicRoleFlag = contextSrv.licensedAccessControlEnabled() && config.featureToggles.noBasicRole;
 
 const tooltipMessage = noBasicRoleFlag
   ? 'You can now select the "No basic role" option and add permissions to your custom needs.'