Auth: Add SyncPermissions post auth hook (#64205)

* Add SyncPermissionsFromDB post auth hook * Delete FromDB prefix * Align tests * Fixes * Change SyncPermissionsHook prio
2025-02-25 18:55:37 -06:00 · 2023-03-08 13:35:54 +01:00
parent aa123e0d50
commit 6543259a7d
20 changed files with 177 additions and 18 deletions
--- a/pkg/services/authn/authnimpl/service.go
+++ b/pkg/services/authn/authnimpl/service.go
@@ -155,6 +155,7 @@ func ProvideService(
 	}

 	s.RegisterPostAuthHook(userSyncService.FetchSyncedUserHook, 100)
+	s.RegisterPostAuthHook(sync.ProvidePermissionsSync(accessControlService).SyncPermissionsHook, 110)

 	return s
 }
--- a/pkg/services/authn/authnimpl/sync/permission_sync.go
+++ b/pkg/services/authn/authnimpl/sync/permission_sync.go
@@ -0,0 +1,45 @@
+package sync
+
+import (
+	"context"
+
+	"github.com/grafana/grafana/pkg/infra/log"
+	"github.com/grafana/grafana/pkg/services/accesscontrol"
+	"github.com/grafana/grafana/pkg/services/authn"
+	"github.com/grafana/grafana/pkg/util/errutil"
+)
+
+var (
+	errSyncPermissionsForbidden = errutil.NewBase(errutil.StatusForbidden, "permissions.sync.forbidden")
+)
+
+func ProvidePermissionsSync(acService accesscontrol.Service) *PermissionsSync {
+	return &PermissionsSync{
+		ac:  acService,
+		log: log.New("permissions.sync"),
+	}
+}
+
+type PermissionsSync struct {
+	ac  accesscontrol.Service
+	log log.Logger
+}
+
+func (s *PermissionsSync) SyncPermissionsHook(ctx context.Context, identity *authn.Identity, _ *authn.Request) error {
+	if s.ac.IsDisabled() || !identity.ClientParams.SyncPermissions {
+		return nil
+	}
+
+	permissions, err := s.ac.GetUserPermissions(ctx, identity.SignedInUser(),
+		accesscontrol.Options{ReloadCache: false})
+	if err != nil {
+		s.log.FromContext(ctx).Error("failed to fetch permissions from db", "error", err, "user_id", identity.ID)
+		return errSyncPermissionsForbidden
+	}
+
+	if identity.Permissions == nil {
+		identity.Permissions = make(map[int64]map[string][]string)
+	}
+	identity.Permissions[identity.OrgID] = accesscontrol.GroupScopesByAction(permissions)
+	return nil
+}
--- a/pkg/services/authn/authnimpl/sync/permission_sync_test.go
+++ b/pkg/services/authn/authnimpl/sync/permission_sync_test.go
@@ -0,0 +1,81 @@
+package sync
+
+import (
+	"context"
+	"testing"
+
+	"github.com/grafana/grafana/pkg/infra/log"
+	"github.com/grafana/grafana/pkg/services/accesscontrol"
+	acmock "github.com/grafana/grafana/pkg/services/accesscontrol/mock"
+	"github.com/grafana/grafana/pkg/services/authn"
+	"github.com/grafana/grafana/pkg/services/user"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestPermissionsSync_SyncPermission(t *testing.T) {
+	type testCase struct {
+		name                string
+		identity            *authn.Identity
+		rbacDisabled        bool
+		expectedPermissions []accesscontrol.Permission
+	}
+	testCases := []testCase{
+		{
+			name:         "enriches the identity successfully when SyncPermissions is true",
+			identity:     &authn.Identity{ID: "user:2", OrgID: 1, ClientParams: authn.ClientParams{SyncPermissions: true}},
+			rbacDisabled: false,
+			expectedPermissions: []accesscontrol.Permission{
+				{Action: accesscontrol.ActionUsersRead},
+			},
+		},
+		{
+			name:         "does not load the permissions when SyncPermissions is false",
+			identity:     &authn.Identity{ID: "user:2", OrgID: 1, ClientParams: authn.ClientParams{SyncPermissions: true}},
+			rbacDisabled: false,
+			expectedPermissions: []accesscontrol.Permission{
+				{Action: accesscontrol.ActionUsersRead},
+			},
+		},
+		{
+			name:                "does not load the permissions when RBAC is disabled",
+			rbacDisabled:        true,
+			identity:            &authn.Identity{ID: "user:2", OrgID: 1, ClientParams: authn.ClientParams{SyncPermissions: true}},
+			expectedPermissions: []accesscontrol.Permission{},
+		},
+	}
+
+	for _, tt := range testCases {
+		t.Run(tt.name, func(t *testing.T) {
+			s := setupTestEnv(tt.rbacDisabled)
+
+			err := s.SyncPermissionsHook(context.Background(), tt.identity, &authn.Request{})
+			require.NoError(t, err)
+
+			if !tt.rbacDisabled {
+				assert.Equal(t, 1, len(tt.identity.Permissions))
+				assert.Equal(t, accesscontrol.GroupScopesByAction(tt.expectedPermissions), tt.identity.Permissions[tt.identity.OrgID])
+			} else {
+				assert.Equal(t, 0, len(tt.identity.Permissions))
+			}
+		})
+	}
+}
+
+func setupTestEnv(rbacDisabled bool) *PermissionsSync {
+	acMock := &acmock.Mock{
+		IsDisabledFunc: func() bool {
+			return rbacDisabled
+		},
+		GetUserPermissionsFunc: func(ctx context.Context, siu *user.SignedInUser, o accesscontrol.Options) ([]accesscontrol.Permission, error) {
+			return []accesscontrol.Permission{
+				{Action: accesscontrol.ActionUsersRead},
+			}, nil
+		},
+	}
+	s := &PermissionsSync{
+		ac:  acMock,
+		log: log.NewNopLogger(),
+	}
+	return s
+}