RBAC: Add OAuth provider scopes separately to fixed:authentication.config:writer (#78202)

Add OAuth provider setting scopes to fixed:authentication writer * Change SSO Settings api scopes * Remove unused RBAC Action
2025-02-25 18:55:37 -06:00 · 2023-11-16 09:15:51 +01:00
parent d641f9153e
commit 7ae0ff1309
3 changed files with 51 additions and 10 deletions
--- a/pkg/services/accesscontrol/roles.go
+++ b/pkg/services/accesscontrol/roles.go
@@ -202,19 +202,59 @@ var (
 		Permissions: []Permission{
 			{
 				Action: ActionSettingsRead,
-				Scope:  ScopeSettingsAuth,
+				Scope:  ScopeSettingsSAML,
 			},
 			{
 				Action: ActionSettingsWrite,
-				Scope:  ScopeSettingsAuth,
+				Scope:  ScopeSettingsSAML,
 			},
 			{
 				Action: ActionSettingsRead,
-				Scope:  ScopeSettingsSAML,
+				Scope:  ScopeSettingsOAuth("azuread"),
 			},
 			{
 				Action: ActionSettingsWrite,
-				Scope:  ScopeSettingsSAML,
+				Scope:  ScopeSettingsOAuth("azuread"),
+			},
+			{
+				Action: ActionSettingsRead,
+				Scope:  ScopeSettingsOAuth("okta"),
+			},
+			{
+				Action: ActionSettingsWrite,
+				Scope:  ScopeSettingsOAuth("okta"),
+			},
+			{
+				Action: ActionSettingsRead,
+				Scope:  ScopeSettingsOAuth("github"),
+			},
+			{
+				Action: ActionSettingsWrite,
+				Scope:  ScopeSettingsOAuth("github"),
+			},
+			{
+				Action: ActionSettingsRead,
+				Scope:  ScopeSettingsOAuth("gitlab"),
+			},
+			{
+				Action: ActionSettingsWrite,
+				Scope:  ScopeSettingsOAuth("gitlab"),
+			},
+			{
+				Action: ActionSettingsRead,
+				Scope:  ScopeSettingsOAuth("google"),
+			},
+			{
+				Action: ActionSettingsWrite,
+				Scope:  ScopeSettingsOAuth("google"),
+			},
+			{
+				Action: ActionSettingsRead,
+				Scope:  ScopeSettingsOAuth("generic_oauth"),
+			},
+			{
+				Action: ActionSettingsWrite,
+				Scope:  ScopeSettingsOAuth("generic_oauth"),
 			},
 		},
 	}