From 896a101f48d8750de62244ef00872b53278ce5a6 Mon Sep 17 00:00:00 2001
From: Karl Persson
Date: Thu, 2 Jun 2022 16:10:41 +0200
Subject: [PATCH] RBAC: Extract method from access control impl to a function in domain packge (#49947)

* Remove GetUserBuiltInRoles and create it as a util function in accesscontrol domain package
---
 pkg/services/accesscontrol/accesscontrol.go | 18 ++++++++++++++++
 .../ossaccesscontrol/ossaccesscontrol.go | 21 ++-----------------
 2 files changed, 20 insertions(+), 19 deletions(-)

diff --git a/pkg/services/accesscontrol/accesscontrol.go b/pkg/services/accesscontrol/accesscontrol.go
index ebfb137eaf5..edb5c70d05b 100644
--- a/pkg/services/accesscontrol/accesscontrol.go
+++ b/pkg/services/accesscontrol/accesscontrol.go
@@ -259,3 +259,21 @@ func extractPrefixes(prefix string) (string, string, bool) {
 func IsDisabled(cfg *setting.Cfg) bool {
 return !cfg.RBACEnabled
 }
+
+// GetOrgRoles returns legacy org roles for a user
+func GetOrgRoles(cfg *setting.Cfg, user *models.SignedInUser) []string {
+ roles := []string{string(user.OrgRole)}
+
+ // With built-in role simplifying, inheritance is performed upon role registration.
+ if cfg.RBACBuiltInRoleAssignmentEnabled {
+ for _, br := range user.OrgRole.Children() {
+ roles = append(roles, string(br))
+ }
+ }
+
+ if user.IsGrafanaAdmin {
+ roles = append(roles, RoleGrafanaAdmin)
+ }
+
+ return roles
+}
diff --git a/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go b/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go
index 13c55cda240..042f4f2f090 100644
--- a/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go
+++ b/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go
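Review bot: The doc comment on the new `GetOrgRoles` in pkg/services/accesscontrol/accesscontrol.go says it returns org roles, but the body also appends `RoleGrafanaAdmin` when `user.IsGrafanaAdmin` is set, which by its name reads as a server-wide rather than an org-scoped role. Now that the helper is exported from the domain package and its result feeds the `Roles` field of the permission query in ossaccesscontrol.go, a caller that trusts the name could resolve permissions with a broader role set than it expects. I would spell the contract out, e.g. `// GetOrgRoles returns the user's org role, its child roles when cfg.RBACBuiltInRoleAssignmentEnabled is set, and RoleGrafanaAdmin when user.IsGrafanaAdmin is true.` The function also dereferences `cfg` and `user` without a nil check, so the comment should state that both must be non-nil.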
@@ -112,7 +112,7 @@ func (ac *OSSAccessControlService) GetUserPermissions(ctx context.Context, user
 dbPermissions, err := ac.store.GetUserPermissions(ctx, accesscontrol.GetUserPermissionsQuery{
 OrgID: user.OrgId,
 UserID: user.UserId,
- Roles: ac.GetUserBuiltInRoles(user),
+ Roles: accesscontrol.GetOrgRoles(ac.cfg, user),
 Actions: append(TeamAdminActions, append(DashboardAdminActions, FolderAdminActions...)...),
 })
 if err != nil {
@@ -137,7 +137,7 @@ func (ac *OSSAccessControlService) GetUserPermissions(ctx context.Context, user
 func (ac *OSSAccessControlService) getFixedPermissions(ctx context.Context, user *models.SignedInUser) []*accesscontrol.Permission {
 permissions := make([]*accesscontrol.Permission, 0)
- for _, builtin := range ac.GetUserBuiltInRoles(user) {
+ for _, builtin := range accesscontrol.GetOrgRoles(ac.cfg, user) {
 if basicRole, ok := ac.roles[builtin]; ok {
 for i := range basicRole.Permissions {
 permissions = append(permissions, &basicRole.Permissions[i])
@@ -148,23 +148,6 @@ func (ac *OSSAccessControlService) getFixedPermissions(ctx context.Context, user
 return permissions
 }
-func (ac *OSSAccessControlService) GetUserBuiltInRoles(user *models.SignedInUser) []string {
- builtInRoles := []string{string(user.OrgRole)}
-
- // With built-in role simplifying, inheritance is performed upon role registration.
- if ac.cfg.RBACBuiltInRoleAssignmentEnabled {
- for _, br := range user.OrgRole.Children() {
- builtInRoles = append(builtInRoles, string(br))
- }
- }
-
- if user.IsGrafanaAdmin {
- builtInRoles = append(builtInRoles, accesscontrol.RoleGrafanaAdmin)
- }
-
- return builtInRoles
-}
-
 // RegisterFixedRoles registers all declared roles in RAM
 func (ac *OSSAccessControlService) RegisterFixedRoles(ctx context.Context) error {
 // If accesscontrol is disabled no need to register roles