IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Access Control: Store permissions on SignedInUser (#43040)

Browse Source 
* add permission structure to signedinuser

* add middleware to load user permissions into signedinuser struct

* apply LoadPermissionsMiddleware to http server

* check for permissions in signedinuser struct

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
This commit is contained in:
Karl Persson 2021-12-14 16:05:59 +01:00 committed by GitHub
parent f1101efcec
commit 9558c09a7c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 105 additions and 123 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/api/http_server.go
View File

@ -29,6 +29,7 @@ import (
"github.com/grafana/grafana/pkg/plugins"
"github.com/grafana/grafana/pkg/plugins/plugincontext"
"github.com/grafana/grafana/pkg/services/accesscontrol"
acmiddleware "github.com/grafana/grafana/pkg/services/accesscontrol/middleware"
"github.com/grafana/grafana/pkg/services/alerting"
"github.com/grafana/grafana/pkg/services/cleanup"
"github.com/grafana/grafana/pkg/services/contexthandler"
@ -440,6 +441,7 @@ func (hs *HTTPServer) addMiddlewaresAndStaticRoutes() {
m.Use(hs.ContextHandler.Middleware)
m.Use(middleware.OrgRedirect(hs.Cfg))
m.Use(acmiddleware.LoadPermissionsMiddleware(hs.AccessControl))
// needs to be after context handler
if hs.Cfg.EnforceDomain {

2
pkg/models/user.go
View File

@ -183,6 +183,8 @@ type SignedInUser struct {
HelpFlags1 HelpFlags1
LastSeenAt time.Time
Teams []int64
// Permissions grouped by orgID and actions
Permissions map[int64]map[string][]string
}
func (u *SignedInUser) ShouldUpdateLastSeenAt() bool {

10
pkg/services/accesscontrol/accesscontrol.go
View File

@ -97,14 +97,10 @@ func BuildPermissionsMap(permissions []*Permission) map[string]bool {
}
// GroupScopesByAction will group scopes on action
func GroupScopesByAction(permissions []*Permission) map[string]map[string]struct{} {
m := make(map[string]map[string]struct{})
func GroupScopesByAction(permissions []*Permission) map[string][]string {
m := make(map[string][]string)
for _, p := range permissions {
if _, ok := m[p.Action]; ok {
m[p.Action][p.Scope] = struct{}{}
} else {
m[p.Action] = map[string]struct{}{p.Scope: {}}
}
m[p.Action] = append(m[p.Action], p.Scope)
}
return m
}

10
pkg/services/accesscontrol/evaluator.go
View File

@ -13,7 +13,7 @@ var logger = log.New("accesscontrol.evaluator")
type Evaluator interface {
// Evaluate permissions that are grouped by action
Evaluate(permissions map[string]map[string]struct{}) (bool, error)
Evaluate(permissions map[string][]string) (bool, error)
// Inject params into the evaluator's templated scopes. e.g. "settings:" + eval.Parameters(":id") and returns a new Evaluator
Inject(params ScopeParams) (Evaluator, error)
// String returns a string representation of permission required by the evaluator
@ -32,7 +32,7 @@ type permissionEvaluator struct {
Scopes []string
}
func (p permissionEvaluator) Evaluate(permissions map[string]map[string]struct{}) (bool, error) {
func (p permissionEvaluator) Evaluate(permissions map[string][]string) (bool, error) {
userScopes, ok := permissions[p.Action]
if !ok {
return false, nil
@ -46,7 +46,7 @@ func (p permissionEvaluator) Evaluate(permissions map[string]map[string]struct{}
var err error
var matches bool
for scope := range userScopes {
for _, scope := range userScopes {
matches, err = match(scope, target)
if err != nil {
return false, err
@ -120,7 +120,7 @@ type allEvaluator struct {
allOf []Evaluator
}
func (a allEvaluator) Evaluate(permissions map[string]map[string]struct{}) (bool, error) {
func (a allEvaluator) Evaluate(permissions map[string][]string) (bool, error) {
for _, e := range a.allOf {
if ok, err := e.Evaluate(permissions); !ok || err != nil {
return false, err
@ -160,7 +160,7 @@ type anyEvaluator struct {
anyOf []Evaluator
}
func (a anyEvaluator) Evaluate(permissions map[string]map[string]struct{}) (bool, error) {
func (a anyEvaluator) Evaluate(permissions map[string][]string) (bool, error) {
for _, e := range a.anyOf {
ok, err := e.Evaluate(permissions)
if err != nil {

170
pkg/services/accesscontrol/evaluator_test.go
View File

@ -10,15 +10,7 @@ type evaluateTestCase struct {
desc string
expected bool
evaluator Evaluator
permissions map[string]map[string]struct{}
}
type injectTestCase struct {
desc string
expected bool
evaluator Evaluator
params ScopeParams
permissions map[string]map[string]struct{}
permissions map[string][]string
}
func TestPermission_Evaluate(t *testing.T) {
@ -27,41 +19,32 @@ func TestPermission_Evaluate(t *testing.T) {
desc: "should evaluate to true",
expected: true,
evaluator: EvalPermission("reports:read", "reports:1"),
permissions: map[string]map[string]struct{}{
"reports:read": {
"reports:1": struct{}{},
},
permissions: map[string][]string{
"reports:read": {"reports:1"},
},
},
{
desc: "should evaluate to true when allEvaluator required scopes matches",
expected: true,
evaluator: EvalPermission("reports:read", "reports:1", "reports:2"),
permissions: map[string]map[string]struct{}{
"reports:read": {
"reports:1": struct{}{},
"reports:2": struct{}{},
},
permissions: map[string][]string{
"reports:read": {"reports:1", "reports:2"},
},
},
{
desc: "should evaluate to true for empty scope",
expected: true,
evaluator: EvalPermission("reports:read"),
permissions: map[string]map[string]struct{}{
"reports:read": {
"reports:1": struct{}{},
},
permissions: map[string][]string{
"reports:read": {"reports:1"},
},
},
{
desc: "should evaluate to false when only one of required scopes exists",
expected: false,
evaluator: EvalPermission("reports:read", "reports:1", "reports:2"),
permissions: map[string]map[string]struct{}{
"reports:read": {
"reports:1": struct{}{},
},
permissions: map[string][]string{
"reports:read": {"reports:1"},
},
},
}
@ -75,6 +58,14 @@ func TestPermission_Evaluate(t *testing.T) {
}
}
type injectTestCase struct {
desc string
expected bool
evaluator Evaluator
params ScopeParams
permissions map[string][]string
}
func TestPermission_Inject(t *testing.T) {
tests := []injectTestCase{
{
@ -84,10 +75,8 @@ func TestPermission_Inject(t *testing.T) {
params: ScopeParams{
OrgID: 3,
},
permissions: map[string]map[string]struct{}{
"orgs:read": {
"orgs:3": struct{}{},
},
permissions: map[string][]string{
"orgs:read": {"orgs:3"},
},
},
{
@ -100,10 +89,8 @@ func TestPermission_Inject(t *testing.T) {
":reportId": "1",
},
},
permissions: map[string]map[string]struct{}{
"reports:read": {
"reports:1": struct{}{},
},
permissions: map[string][]string{
"reports:read": {"reports:1"},
},
},
{
@ -111,10 +98,8 @@ func TestPermission_Inject(t *testing.T) {
expected: false,
evaluator: EvalPermission("reports:read", Scope("reports", Parameter(":reportId"))),
params: ScopeParams{},
permissions: map[string]map[string]struct{}{
"reports:read": {
"reports:1": struct{}{},
},
permissions: map[string][]string{
"reports:read": {"reports:1"},
},
},
{
@ -127,10 +112,8 @@ func TestPermission_Inject(t *testing.T) {
":reportId2": "report2",
},
},
permissions: map[string]map[string]struct{}{
"reports:read": {
"reports:report:report2": struct{}{},
},
permissions: map[string][]string{
"reports:read": {"reports:report:report2"},
},
},
}
@ -153,8 +136,8 @@ func TestAll_Evaluate(t *testing.T) {
evaluator: EvalAll(
EvalPermission("settings:write", Scope("settings", "*")),
),
permissions: map[string]map[string]struct{}{
"settings:write": {"settings:*": struct{}{}},
permissions: map[string][]string{
"settings:write": {"settings:*"},
},
expected: true,
},
@ -164,9 +147,9 @@ func TestAll_Evaluate(t *testing.T) {
EvalPermission("settings:write", Scope("settings", "*")),
EvalPermission("settings:read", Scope("settings", "auth.saml", "*")),
),
permissions: map[string]map[string]struct{}{
"settings:write": {"settings:*": struct{}{}},
"settings:read": {"settings:*": struct{}{}},
permissions: map[string][]string{
"settings:write": {"settings:*"},
"settings:read": {"settings:*"},
},
expected: true,
},
@ -177,10 +160,10 @@ func TestAll_Evaluate(t *testing.T) {
EvalPermission("settings:read", Scope("settings", "auth.saml", "*")),
EvalPermission("report:read", Scope("reports", "*")),
),
permissions: map[string]map[string]struct{}{
"settings:write": {"settings:*": struct{}{}},
"settings:read": {"settings:*": struct{}{}},
"report:read": {"report:1": struct{}{}},
permissions: map[string][]string{
"settings:write": {"settings:*"},
"settings:read": {"settings:*"},
"report:read": {"report:1"},
},
expected: false,
},
@ -211,13 +194,9 @@ func TestAll_Inject(t *testing.T) {
":reportId": "1",
},
},
permissions: map[string]map[string]struct{}{
"reports:read": {
"reports:1": struct{}{},
},
"settings:read": {
"settings:3": struct{}{},
},
permissions: map[string][]string{
"reports:read": {"reports:1"},
"settings:read": {"settings:3"},
},
},
{
@ -233,11 +212,8 @@ func TestAll_Inject(t *testing.T) {
":orgId": "4",
},
},
permissions: map[string]map[string]struct{}{
"orgs:read": {
"orgs:3": struct{}{},
"orgs:4": struct{}{},
},
permissions: map[string][]string{
"orgs:read": {"orgs:3", "orgs:4"},
},
},
{
@ -248,13 +224,9 @@ func TestAll_Inject(t *testing.T) {
EvalPermission("reports:read", Scope("reports", Parameter(":reportId"))),
),
params: ScopeParams{},
permissions: map[string]map[string]struct{}{
"reports:read": {
"reports:1": struct{}{},
},
"settings:read": {
"settings:3": struct{}{},
},
permissions: map[string][]string{
"reports:read": {"reports:1"},
"settings:read": {"settings:3"},
},
},
}
@ -277,8 +249,8 @@ func TestAny_Evaluate(t *testing.T) {
evaluator: EvalAny(
EvalPermission("settings:write", Scope("settings", "*")),
),
permissions: map[string]map[string]struct{}{
"settings:write": {"settings:*": struct{}{}},
permissions: map[string][]string{
"settings:write": {"settings:*"},
},
expected: true,
},
@ -289,8 +261,8 @@ func TestAny_Evaluate(t *testing.T) {
EvalPermission("report:read", Scope("reports", "1")),
EvalPermission("report:write", Scope("reports", "10")),
),
permissions: map[string]map[string]struct{}{
"settings:write": {"settings:*": struct{}{}},
permissions: map[string][]string{
"settings:write": {"settings:*"},
},
expected: true,
},
@ -301,8 +273,8 @@ func TestAny_Evaluate(t *testing.T) {
EvalPermission("report:read", Scope("reports", "1")),
EvalPermission("report:write", Scope("reports", "10")),
),
permissions: map[string]map[string]struct{}{
"permissions:write": {"permissions:delegate": struct{}{}},
permissions: map[string][]string{
"permissions:write": {"permissions:delegate"},
},
expected: false,
},
@ -333,13 +305,9 @@ func TestAny_Inject(t *testing.T) {
":reportId": "1",
},
},
permissions: map[string]map[string]struct{}{
"reports:read": {
"reports:1": struct{}{},
},
"settings:read": {
"settings:3": struct{}{},
},
permissions: map[string][]string{
"reports:read": {"reports:1"},
"settings:read": {"settings:3"},
},
},
{
@ -355,11 +323,8 @@ func TestAny_Inject(t *testing.T) {
":orgId": "4",
},
},
permissions: map[string]map[string]struct{}{
"orgs:read": {
"orgs:3": struct{}{},
"orgs:4": struct{}{},
},
permissions: map[string][]string{
"orgs:read": {"orgs:3", "orgs:4"},
},
},
{
@ -370,13 +335,9 @@ func TestAny_Inject(t *testing.T) {
EvalPermission("reports:read", Scope("reports", Parameter(":reportId"))),
),
params: ScopeParams{},
permissions: map[string]map[string]struct{}{
"reports:read": {
"reports:1": struct{}{},
},
"settings:read": {
"settings:3": struct{}{},
},
permissions: map[string][]string{
"reports:read": {"reports:1"},
"settings:read": {"settings:3"},
},
},
}
@ -396,7 +357,7 @@ type combinedTestCase struct {
desc string
evaluator Evaluator
expected bool
permissions map[string]map[string]struct{}
permissions map[string][]string
}
func TestEval(t *testing.T) {
@ -411,8 +372,8 @@ func TestEval(t *testing.T) {
),
),
expected: true,
permissions: map[string]map[string]struct{}{
"settings:write": {"settings:*": struct{}{}},
permissions: map[string][]string{
"settings:write": {"settings:*"},
},
},
{
@ -425,11 +386,8 @@ func TestEval(t *testing.T) {
),
),
expected: true,
permissions: map[string]map[string]struct{}{
"settings:write": {
"settings:auth.saml:enabled": struct{}{},
"settings:auth.saml:max_issue_delay": struct{}{},
},
permissions: map[string][]string{
"settings:write": {"settings:auth.saml:enabled", "settings:auth.saml:max_issue_delay"},
},
},
{
@ -442,10 +400,8 @@ func TestEval(t *testing.T) {
),
),
expected: false,
permissions: map[string]map[string]struct{}{
"settings:write": {
"settings:auth.saml:enabled": struct{}{},
},
permissions: map[string][]string{
"settings:write": {"settings:auth.saml:enabled"},
},
},
}

19
pkg/services/accesscontrol/middleware/middleware.go
View File

@ -137,3 +137,22 @@ func UseOrgFromContextParams(c *models.ReqContext) (int64, error) {
func UseGlobalOrg(c *models.ReqContext) (int64, error) {
return accesscontrol.GlobalOrgID, nil
}
func LoadPermissionsMiddleware(ac accesscontrol.AccessControl) web.Handler {
return func(c *models.ReqContext) {
if ac.IsDisabled() {
return
}
permissions, err := ac.GetUserPermissions(c.Req.Context(), c.SignedInUser)
if err != nil {
c.JsonApiErr(http.StatusForbidden, "", err)
return
}
if c.SignedInUser.Permissions == nil {
c.SignedInUser.Permissions = make(map[int64]map[string][]string)
}
c.SignedInUser.Permissions[c.OrgId] = accesscontrol.GroupScopesByAction(permissions)
}
}

15
pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go
View File

@ -64,12 +64,19 @@ func (ac *OSSAccessControlService) Evaluate(ctx context.Context, user *models.Si
defer timer.ObserveDuration()
metrics.MAccessEvaluationCount.Inc()
permissions, err := ac.GetUserPermissions(ctx, user)
if err != nil {
return false, err
if user.Permissions == nil {
user.Permissions = map[int64]map[string][]string{}
}
return evaluator.Evaluate(accesscontrol.GroupScopesByAction(permissions))
if _, ok := user.Permissions[user.OrgId]; !ok {
permissions, err := ac.GetUserPermissions(ctx, user)
if err != nil {
return false, err
}
user.Permissions[user.OrgId] = accesscontrol.GroupScopesByAction(permissions)
}
return evaluator.Evaluate(user.Permissions[user.OrgId])
}
// GetUserRoles returns user permissions based on built-in roles