APIKeys: Add AC controls for legacy API keys (#46255)

* APIKeys: Add AC controls for legacy API keys * pluralize actions
2024-11-26 02:40:26 -06:00 · 2022-03-04 18:01:03 +00:00 · 2022-03-04 18:01:03 +00:00 · 7f1e8cee2b
commit 7f1e8cee2b
parent b47f5433d7
3 changed files with 36 additions and 4 deletions
--- a/pkg/api/accesscontrol.go
+++ b/pkg/api/accesscontrol.go
@ -161,6 +161,30 @@ func (hs *HTTPServer) declareFixedRoles() error {
 		Grants: []string{string(models.ROLE_VIEWER)},
 	}

+	apikeyWriterRole := ac.RoleRegistration{
+		Role: ac.RoleDTO{
+			Version:     1,
+			Name:        "fixed:apikeys:writer",
+			DisplayName: "APIKeys writer",
+			Description: "Gives access to add and delete api keys.",
+			Group:       "API Keys",
+			Permissions: []ac.Permission{
+				{
+					Action: ac.ActionAPIKeyCreate,
+				},
+				{
+					Action: ac.ActionAPIKeyRead,
+					Scope:  ac.ScopeAPIKeysAll,
+				},
+				{
+					Action: ac.ActionAPIKeyDelete,
+					Scope:  ac.ScopeAPIKeysAll,
+				},
+			},
+		},
+		Grants: []string{"Admin"},
+	}
+
 	orgReaderRole := ac.RoleRegistration{
 		Role: ac.RoleDTO{
 			Version:     5,
@ -366,7 +390,7 @@ func (hs *HTTPServer) declareFixedRoles() error {
 		datasourcesCompatibilityReaderRole, orgReaderRole, orgWriterRole,
 		orgMaintainerRole, teamsCreatorRole, teamsWriterRole, datasourcesExplorerRole, annotationsReaderRole,
 		dashboardsCreatorRole, dashboardsReaderRole, dashboardsWriterRole,
-		foldersCreatorRole, foldersReaderRole, foldersWriterRole,
+		foldersCreatorRole, foldersReaderRole, foldersWriterRole, apikeyWriterRole,
 	)
 }

--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@ -260,9 +260,10 @@ func (hs *HTTPServer) registerRoutes() {

 		// auth api keys
 		apiRoute.Group("/auth/keys", func(keysRoute routing.RouteRegister) {
-			keysRoute.Get("/", routing.Wrap(hs.GetAPIKeys))
-			keysRoute.Post("/", quota("api_key"), routing.Wrap(hs.AddAPIKey))
-			keysRoute.Delete("/:id", routing.Wrap(hs.DeleteAPIKey))
+			apikeyIDScope := ac.Scope("apikeys", "id", ac.Parameter(":id"))
+			keysRoute.Get("/", authorize(reqOrgAdmin, ac.EvalPermission(ac.ActionAPIKeyRead, ac.ScopeAPIKeysAll)), routing.Wrap(hs.GetAPIKeys))
+			keysRoute.Post("/", authorize(reqOrgAdmin, ac.EvalPermission(ac.ActionAPIKeyCreate)), quota("api_key"), routing.Wrap(hs.AddAPIKey))
+			keysRoute.Delete("/:id", authorize(reqOrgAdmin, ac.EvalPermission(ac.ActionAPIKeyDelete, apikeyIDScope)), routing.Wrap(hs.DeleteAPIKey))
 		}, reqOrgAdmin)

 		// Preferences
--- a/pkg/services/accesscontrol/models.go
+++ b/pkg/services/accesscontrol/models.go
@ -250,6 +250,10 @@ const (
 	GlobalOrgID = 0
 	// Permission actions

+	ActionAPIKeyRead   = "apikeys:read"
+	ActionAPIKeyCreate = "apikeys:create"
+	ActionAPIKeyDelete = "apikeys:delete"
+
 	// Users actions
 	ActionUsersRead     = "users:read"
 	ActionUsersWrite    = "users:write"
@ -299,6 +303,9 @@ const (
 	// Global Scopes
 	ScopeGlobalUsersAll = "global:users:*"

+	// APIKeys scope
+	ScopeAPIKeysAll = "apikeys:*"
+
 	// Users scope
 	ScopeUsersAll = "users:*"