APIKeys: Add AC controls for legacy API keys (#46255)

* APIKeys: Add AC controls for legacy API keys

* pluralize actions

pkg/api/accesscontrol.go

@@ -161,6 +161,30 @@ func (hs *HTTPServer) declareFixedRoles() error {
 		Grants: []string{string(models.ROLE_VIEWER)},
 	}
 
+	apikeyWriterRole := ac.RoleRegistration{
+		Role: ac.RoleDTO{
+			Version:     1,
+			Name:        "fixed:apikeys:writer",
+			DisplayName: "APIKeys writer",
+			Description: "Gives access to add and delete api keys.",
+			Group:       "API Keys",
+			Permissions: []ac.Permission{
+				{
+					Action: ac.ActionAPIKeyCreate,
+				},
+				{
+					Action: ac.ActionAPIKeyRead,
+					Scope:  ac.ScopeAPIKeysAll,
+				},
+				{
+					Action: ac.ActionAPIKeyDelete,
+					Scope:  ac.ScopeAPIKeysAll,
+				},
+			},
+		},
+		Grants: []string{"Admin"},
+	}
+
 	orgReaderRole := ac.RoleRegistration{
 		Role: ac.RoleDTO{
 			Version:     5,
@@ -366,7 +390,7 @@ func (hs *HTTPServer) declareFixedRoles() error {
 		datasourcesCompatibilityReaderRole, orgReaderRole, orgWriterRole,
 		orgMaintainerRole, teamsCreatorRole, teamsWriterRole, datasourcesExplorerRole, annotationsReaderRole,
 		dashboardsCreatorRole, dashboardsReaderRole, dashboardsWriterRole,
-		foldersCreatorRole, foldersReaderRole, foldersWriterRole,
+		foldersCreatorRole, foldersReaderRole, foldersWriterRole, apikeyWriterRole,
 	)
 }
 

pkg/api/api.go

@@ -260,9 +260,10 @@ func (hs *HTTPServer) registerRoutes() {
 
 		// auth api keys
 		apiRoute.Group("/auth/keys", func(keysRoute routing.RouteRegister) {
-			keysRoute.Get("/", routing.Wrap(hs.GetAPIKeys))
+			apikeyIDScope := ac.Scope("apikeys", "id", ac.Parameter(":id"))
-			keysRoute.Post("/", quota("api_key"), routing.Wrap(hs.AddAPIKey))
+			keysRoute.Get("/", authorize(reqOrgAdmin, ac.EvalPermission(ac.ActionAPIKeyRead, ac.ScopeAPIKeysAll)), routing.Wrap(hs.GetAPIKeys))
-			keysRoute.Delete("/:id", routing.Wrap(hs.DeleteAPIKey))
+			keysRoute.Post("/", authorize(reqOrgAdmin, ac.EvalPermission(ac.ActionAPIKeyCreate)), quota("api_key"), routing.Wrap(hs.AddAPIKey))
+			keysRoute.Delete("/:id", authorize(reqOrgAdmin, ac.EvalPermission(ac.ActionAPIKeyDelete, apikeyIDScope)), routing.Wrap(hs.DeleteAPIKey))
 		}, reqOrgAdmin)
 
 		// Preferences

pkg/services/accesscontrol/models.go

@@ -250,6 +250,10 @@ const (
 	GlobalOrgID = 0
 	// Permission actions
 
+	ActionAPIKeyRead   = "apikeys:read"
+	ActionAPIKeyCreate = "apikeys:create"
+	ActionAPIKeyDelete = "apikeys:delete"
+
 	// Users actions
 	ActionUsersRead     = "users:read"
 	ActionUsersWrite    = "users:write"
@@ -299,6 +303,9 @@ const (
 	// Global Scopes
 	ScopeGlobalUsersAll = "global:users:*"
 
+	// APIKeys scope
+	ScopeAPIKeysAll = "apikeys:*"
+
 	// Users scope
 	ScopeUsersAll = "users:*"