AccessControl: Make the built-in role definitions public (#47525)

* AccessControl: Make the built-in role definitions public

* Add context to RegisterFixedRoles

Co-authored-by: Jguer <joao.guerreiro@grafana.com>

* Making BuiltInRolesWithParents public to the AccessControl package

Co-authored-by: Jguer <joao.guerreiro@grafana.com>

Co-authored-by: Jguer <joao.guerreiro@grafana.com>

pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go

@@ -33,43 +33,6 @@ func ProvideService(features featuremgmt.FeatureToggles, usageStats usagestats.S
 	return s, errDeclareRoles
 }
 
-func macroRoles() map[string]*accesscontrol.RoleDTO {
-	return map[string]*accesscontrol.RoleDTO{
-		string(models.ROLE_ADMIN): {
-			Name:        "fixed:builtins:admin",
-			DisplayName: string(models.ROLE_ADMIN),
-			Description: "Admin role",
-			Group:       "Basic",
-			Version:     1,
-			Permissions: []accesscontrol.Permission{},
-		},
-		string(models.ROLE_EDITOR): {
-			Name:        "fixed:builtins:editor",
-			DisplayName: string(models.ROLE_EDITOR),
-			Description: "Editor role",
-			Group:       "Basic",
-			Version:     1,
-			Permissions: []accesscontrol.Permission{},
-		},
-		string(models.ROLE_VIEWER): {
-			Name:        "fixed:builtins:viewer",
-			DisplayName: string(models.ROLE_VIEWER),
-			Description: "Viewer role",
-			Group:       "Basic",
-			Version:     1,
-			Permissions: []accesscontrol.Permission{},
-		},
-		accesscontrol.RoleGrafanaAdmin: {
-			Name:        "fixed:builtins:grafana_admin",
-			DisplayName: accesscontrol.RoleGrafanaAdmin,
-			Description: "Grafana Admin role",
-			Group:       "Basic",
-			Version:     1,
-			Permissions: []accesscontrol.Permission{},
-		},
-	}
-}
-
 // ProvideOSSAccessControl creates an oss implementation of access control without usage stats registration
 func ProvideOSSAccessControl(features featuremgmt.FeatureToggles, provider accesscontrol.PermissionsProvider) *OSSAccessControlService {
 	s := &OSSAccessControlService{
@@ -77,7 +40,7 @@ func ProvideOSSAccessControl(features featuremgmt.FeatureToggles, provider acces
 		provider:      provider,
 		log:           log.New("accesscontrol"),
 		scopeResolver: accesscontrol.NewScopeResolver(),
-		roles:         macroRoles(),
+		roles:         accesscontrol.BuildMacroRoleDefinitions(),
 	}
 
 	return s
@@ -211,7 +174,7 @@ func (ac *OSSAccessControlService) GetUserBuiltInRoles(user *models.SignedInUser
 }
 
 // RegisterFixedRoles registers all declared roles in RAM
-func (ac *OSSAccessControlService) RegisterFixedRoles() error {
+func (ac *OSSAccessControlService) RegisterFixedRoles(ctx context.Context) error {
 	// If accesscontrol is disabled no need to register roles
 	if ac.IsDisabled() {
 		return nil
@@ -225,18 +188,7 @@ func (ac *OSSAccessControlService) RegisterFixedRoles() error {
 
 // RegisterFixedRole saves a fixed role and assigns it to built-in roles
 func (ac *OSSAccessControlService) registerFixedRole(role accesscontrol.RoleDTO, builtInRoles []string) {
-	// Inheritance
-	brs := map[string]struct{}{}
-	for _, builtInRole := range builtInRoles {
-		brs[builtInRole] = struct{}{}
-		if builtInRole != accesscontrol.RoleGrafanaAdmin {
-			for _, parent := range models.RoleType(builtInRole).Parents() {
-				brs[string(parent)] = struct{}{}
-			}
-		}
-	}
-
-	for br := range brs {
+	for br := range accesscontrol.BuiltInRolesWithParents(builtInRoles) {
 		if macroRole, ok := ac.roles[br]; ok {
 			macroRole.Permissions = append(macroRole.Permissions, role.Permissions...)
 		} else {

pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol_test.go

@@ -26,9 +26,9 @@ func setupTestEnv(t testing.TB) *OSSAccessControlService {
 		registrations: accesscontrol.RegistrationList{},
 		scopeResolver: accesscontrol.NewScopeResolver(),
 		provider:      database.ProvideService(sqlstore.InitTestDB(t)),
-		roles:         macroRoles(),
+		roles:         accesscontrol.BuildMacroRoleDefinitions(),
 	}
-	require.NoError(t, ac.RegisterFixedRoles())
+	require.NoError(t, ac.RegisterFixedRoles(context.Background()))
 	return ac
 }
 
@@ -94,7 +94,7 @@ func TestEvaluatingPermissions(t *testing.T) {
 			err := accesscontrol.DeclareFixedRoles(ac)
 			require.NoError(t, err)
 
-			errRegisterRoles := ac.RegisterFixedRoles()
+			errRegisterRoles := ac.RegisterFixedRoles(context.Background())
 			require.NoError(t, errRegisterRoles)
 
 			user := &models.SignedInUser{
@@ -341,7 +341,7 @@ func TestOSSAccessControlService_RegisterFixedRoles(t *testing.T) {
 			ac.registrations.Append(tt.registrations...)
 
 			// Test
-			err := ac.RegisterFixedRoles()
+			err := ac.RegisterFixedRoles(context.Background())
 			if tt.wantErr {
 				require.Error(t, err)
 				return
@@ -350,19 +350,8 @@ func TestOSSAccessControlService_RegisterFixedRoles(t *testing.T) {
 
 			// Check
 			for _, registration := range tt.registrations {
-				// Prepare list of builtin roles to check
-				brAndParents := map[string]struct{}{}
-				for _, br := range registration.Grants {
-					brAndParents[br] = struct{}{}
-					if br != accesscontrol.RoleGrafanaAdmin {
-						for _, parent := range models.RoleType(br).Parents() {
-							brAndParents[string(parent)] = struct{}{}
-						}
-					}
-				}
-
 				// Check builtin roles (parents included) have been granted with the permissions
-				for br := range brAndParents {
+				for br := range accesscontrol.BuiltInRolesWithParents(registration.Grants) {
 					builtinRole, ok := ac.roles[br]
 					assert.True(t, ok)
 					for _, expectedPermission := range registration.Role.Permissions {
@@ -418,7 +407,7 @@ func TestOSSAccessControlService_GetUserPermissions(t *testing.T) {
 			err := ac.DeclareFixedRoles(registration)
 			require.NoError(t, err)
 
-			err = ac.RegisterFixedRoles()
+			err = ac.RegisterFixedRoles(context.Background())
 			require.NoError(t, err)
 
 			// Test
@@ -499,7 +488,7 @@ func TestOSSAccessControlService_Evaluate(t *testing.T) {
 			err := ac.DeclareFixedRoles(registration)
 			require.NoError(t, err)
 
-			err = ac.RegisterFixedRoles()
+			err = ac.RegisterFixedRoles(context.Background())
 			require.NoError(t, err)
 
 			// Test