RBAC: Add OAuth provider scopes separately to fixed:authentication.config:writer (#78202)

Add OAuth provider setting scopes to fixed:authentication writer * Change SSO Settings api scopes * Remove unused RBAC Action
2025-02-25 18:55:37 -06:00 · 2023-11-16 09:15:51 +01:00 · 2023-11-16 09:15:51 +01:00 · 7ae0ff1309
commit 7ae0ff1309
parent d641f9153e
3 changed files with 51 additions and 10 deletions
--- a/pkg/services/accesscontrol/models.go
+++ b/pkg/services/accesscontrol/models.go
@ -396,7 +396,6 @@ const (

 	// Settings scope
 	ScopeSettingsAll  = "settings:*"
-	ScopeSettingsAuth = "settings:auth:*"
 	ScopeSettingsSAML = "settings:auth.saml:*"

 	// Team related actions
@ -467,6 +466,10 @@ var (
 	// Team scope
 	ScopeTeamsID = Scope("teams", "id", Parameter(":teamId"))

+	ScopeSettingsOAuth = func(provider string) string {
+		return Scope("settings", "auth."+provider, "*")
+	}
+
 	// Annotation scopes
 	ScopeAnnotationsRoot             = "annotations"
 	ScopeAnnotationsProvider         = NewScopeProvider(ScopeAnnotationsRoot)
--- a/pkg/services/accesscontrol/roles.go
+++ b/pkg/services/accesscontrol/roles.go
@ -202,19 +202,59 @@ var (
 		Permissions: []Permission{
 			{
 				Action: ActionSettingsRead,
-				Scope:  ScopeSettingsAuth,
+				Scope:  ScopeSettingsSAML,
 			},
 			{
 				Action: ActionSettingsWrite,
-				Scope:  ScopeSettingsAuth,
+				Scope:  ScopeSettingsSAML,
 			},
 			{
 				Action: ActionSettingsRead,
-				Scope:  ScopeSettingsSAML,
+				Scope:  ScopeSettingsOAuth("azuread"),
 			},
 			{
 				Action: ActionSettingsWrite,
-				Scope:  ScopeSettingsSAML,
+				Scope:  ScopeSettingsOAuth("azuread"),
+			},
+			{
+				Action: ActionSettingsRead,
+				Scope:  ScopeSettingsOAuth("okta"),
+			},
+			{
+				Action: ActionSettingsWrite,
+				Scope:  ScopeSettingsOAuth("okta"),
+			},
+			{
+				Action: ActionSettingsRead,
+				Scope:  ScopeSettingsOAuth("github"),
+			},
+			{
+				Action: ActionSettingsWrite,
+				Scope:  ScopeSettingsOAuth("github"),
+			},
+			{
+				Action: ActionSettingsRead,
+				Scope:  ScopeSettingsOAuth("gitlab"),
+			},
+			{
+				Action: ActionSettingsWrite,
+				Scope:  ScopeSettingsOAuth("gitlab"),
+			},
+			{
+				Action: ActionSettingsRead,
+				Scope:  ScopeSettingsOAuth("google"),
+			},
+			{
+				Action: ActionSettingsWrite,
+				Scope:  ScopeSettingsOAuth("google"),
+			},
+			{
+				Action: ActionSettingsRead,
+				Scope:  ScopeSettingsOAuth("generic_oauth"),
+			},
+			{
+				Action: ActionSettingsWrite,
+				Scope:  ScopeSettingsOAuth("generic_oauth"),
 			},
 		},
 	}
--- a/pkg/services/ssosettings/api/api.go
+++ b/pkg/services/ssosettings/api/api.go
@ -43,13 +43,11 @@ func (api *Api) RegisterAPIEndpoints() {
 		auth := ac.Middleware(api.AccessControl)

 		scopeKey := ac.Parameter(":key")
-		settingsScope := ac.Scope("settings", "auth."+scopeKey, "*")
+		settingsScope := ac.ScopeSettingsOAuth(scopeKey)

-		reqWriteAccess := auth(ac.EvalAny(
-			ac.EvalPermission(ac.ActionSettingsWrite, ac.ScopeSettingsAuth),
-			ac.EvalPermission(ac.ActionSettingsWrite, settingsScope)))
+		reqWriteAccess := auth(ac.EvalPermission(ac.ActionSettingsWrite, settingsScope))

-		router.Get("/", auth(ac.EvalPermission(ac.ActionSettingsRead, ac.ScopeSettingsAuth)), routing.Wrap(api.listAllProvidersSettings))
+		router.Get("/", auth(ac.EvalPermission(ac.ActionSettingsRead)), routing.Wrap(api.listAllProvidersSettings))
 		router.Get("/:key", auth(ac.EvalPermission(ac.ActionSettingsRead, settingsScope)), routing.Wrap(api.getProviderSettings))
 		router.Put("/:key", reqWriteAccess, routing.Wrap(api.updateProviderSettings))
 		router.Delete("/:key", reqWriteAccess, routing.Wrap(api.removeProviderSettings))