resolve merge conflicts (#55503)

This commit is contained in:
Ieva
2022-09-20 18:31:08 +01:00
committed by GitHub
parent 064a9ccd6e
commit 6d5bdf12e8
6 changed files with 210 additions and 4 deletions


@@ -527,8 +527,9 @@ func (s *Service) getCustomHeaders(jsonData *simplejson.Json, decryptedValues ma
return headers
}
index := 1
index := 0
for {
index++
headerNameSuffix := fmt.Sprintf("httpHeaderName%d", index)
headerValueSuffix := fmt.Sprintf("httpHeaderValue%d", index)
@@ -538,10 +539,16 @@ func (s *Service) getCustomHeaders(jsonData *simplejson.Json, decryptedValues ma
break
}
// skip a header with name that corresponds to auth proxy header's name
// to make sure that data source proxy isn't used to circumvent auth proxy.
// For more context take a look at CVE-2022-35957
if s.cfg.AuthProxyEnabled && http.CanonicalHeaderKey(key) == http.CanonicalHeaderKey(s.cfg.AuthProxyHeaderName) {
continue
}
if val, ok := decryptedValues[headerValueSuffix]; ok {
headers[key] = val
}
index++
}
return headers
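Review bot: The `continue` that drops a custom header whose canonical name matches `s.cfg.AuthProxyHeaderName` is silent, so a data source configured with that header loses it without any trace in the logs; logging a warning naming the header key before the `continue` (the Service's logger is not visible in the hunk) would make the misconfiguration visible to operators. The rendered diff has also lost its +/- markers: with `index++` now at the top of the loop in the first hunk, the `index++` at the end of the loop body in the second hunk must be a removed line rather than surviving context, otherwise every other `httpHeaderName%d` slot is skipped — worth confirming against the raw patch. getCustomHeaders starts before the first hunk.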


@@ -0,0 +1,100 @@
package accesscontrol
import (
"strings"
"xorm.io/xorm"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/services/sqlstore/migrator"
)
func AddAdminOnlyMigration(mg *migrator.Migrator) {
mg.AddMigration("admin only folder/dashboard permission", &adminOnlyMigrator{})
}
type adminOnlyMigrator struct {
migrator.MigrationBase
}
func (m *adminOnlyMigrator) SQL(dialect migrator.Dialect) string {
return CodeMigrationSQL
}
func (m *adminOnlyMigrator) Exec(sess *xorm.Session, mg *migrator.Migrator) error {
logger := log.New("admin-permissions-only-migrator")
type model struct {
UID string `xorm:"uid"`
OrgID int64 `xorm:"org_id"`
IsFolder bool `xorm:"is_folder"`
}
var models []model
// Find all dashboards and folders that should have only admin permission in acl
// When a dashboard or folder only has admin permission the acl table should be empty and the has_acl set to true
sql := `
SELECT res.uid, res.is_folder, res.org_id
FROM (SELECT dashboard.id, dashboard.uid, dashboard.is_folder, dashboard.org_id, count(dashboard_acl.id) as count
FROM dashboard
LEFT JOIN dashboard_acl ON dashboard.id = dashboard_acl.dashboard_id
WHERE dashboard.has_acl IS TRUE
GROUP BY dashboard.id) as res
WHERE res.count = 0
`
if err := sess.SQL(sql).Find(&models); err != nil {
return err
}
for _, model := range models {
var scope string
// set scope based on type
if model.IsFolder {
scope = "folders:uid:" + model.UID
} else {
scope = "dashboards:uid:" + model.UID
}
// Find all managed editor and viewer permissions with scopes to folder or dashboard
sql = `
SELECT r.id
FROM role r
LEFT JOIN permission p on r.id = p.role_id
WHERE p.scope = ?
AND r.org_id = ?
AND r.name IN ('managed:builtins:editor:permissions', 'managed:builtins:viewer:permissions')
GROUP BY r.id
`
var roleIDS []int64
if err := sess.SQL(sql, scope, model.OrgID).Find(&roleIDS); err != nil {
return err
}
if len(roleIDS) == 0 {
continue
}
msg := "removing viewer and editor permissions on "
if model.IsFolder {
msg += "folder"
} else {
msg += "dashboard"
}
logger.Info(msg, "uid", model.UID)
// Remove managed permission for editors and viewers if there was any
removeSQL := `DELETE FROM permission WHERE scope = ? AND role_id IN(?` + strings.Repeat(", ?", len(roleIDS)-1) + `) `
params := []interface{}{removeSQL, scope}
for _, id := range roleIDS {
params = append(params, id)
}
if _, err := sess.Exec(params...); err != nil {
return err
}
}
return nil
}
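Review bot: `AddAdminOnlyMigration` is exported but carries no doc comment, and the invariant the migration relies on is only stated in a body comment: a dashboard or folder with `has_acl` set and no `dashboard_acl` rows is admin-only, and the managed editor/viewer permissions it holds appear to come from the earlier permission migration (see the `!d.HasAcl` guard added to the dashboard permissions migrator in this commit). A comment such as `// AddAdminOnlyMigration registers a migration that removes managed editor/viewer permissions from dashboards and folders whose has_acl flag is set but whose ACL is empty ("admin only").` would let a maintainer see why rows are being deleted. `roleIDS` should be `roleIDs` to follow Go initialism casing. The `SELECT r.id` query runs once per admin-only dashboard; acceptable for a one-off migration, but worth a comment if large installs are expected.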


@@ -69,6 +69,7 @@ type dashboard struct {
FolderID int64 `xorm:"folder_id"`
OrgID int64 `xorm:"org_id"`
IsFolder bool
HasAcl bool `xorm:"has_acl"`
}
func (m dashboardPermissionsMigrator) Exec(sess *xorm.Session, migrator *migrator.Migrator) error {
@@ -76,7 +77,7 @@ func (m dashboardPermissionsMigrator) Exec(sess *xorm.Session, migrator *migrato
m.dialect = migrator.Dialect
var dashboards []dashboard
if err := m.sess.SQL("SELECT id, is_folder, folder_id, org_id FROM dashboard").Find(&dashboards); err != nil {
if err := m.sess.SQL("SELECT id, is_folder, folder_id, org_id, has_acl FROM dashboard").Find(&dashboards); err != nil {
return fmt.Errorf("failed to list dashboards: %w", err)
}
@@ -108,7 +109,7 @@ func (m dashboardPermissionsMigrator) migratePermissions(dashboards []dashboard,
permissionMap[d.OrgID] = map[string][]*ac.Permission{}
}
if (d.IsFolder || d.FolderID == 0) && len(acls) == 0 {
if (d.IsFolder || d.FolderID == 0) && len(acls) == 0 && !d.HasAcl {
permissionMap[d.OrgID]["managed:builtins:editor:permissions"] = append(
permissionMap[d.OrgID]["managed:builtins:editor:permissions"],
m.mapPermission(d.ID, models.PERMISSION_EDIT, d.IsFolder)...,
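Review bot: The added `&& !d.HasAcl` clause changes who receives the default editor/viewer managed permissions, but nothing at the condition explains what the flag means here; a reader has to know that `has_acl` set with no `dashboard_acl` rows denotes an admin-only dashboard. A comment above the `if`, e.g. `// has_acl with no acl rows means "admin only": grant no default editor/viewer permissions`, would document that. `HasAcl` also departs from Go initialism casing (`HasACL`), though matching the surrounding field style may be the deliberate choice. migratePermissions starts and ends outside the hunk.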


@@ -97,6 +97,7 @@ func (*OSSMigrations) AddMigration(mg *Migrator) {
ualert.UpdateRuleGroupIndexMigration(mg)
accesscontrol.AddManagedFolderAlertActionsRepeatMigration(mg)
accesscontrol.AddAdminOnlyMigration(mg)
}
func addMigrationLogMigrations(mg *Migrator) {