From 9ed7e484543c22a7f3f0037577d52faf8da3c2aa Mon Sep 17 00:00:00 2001 From: Gabriel MABILLE Date: Thu, 21 Apr 2022 14:14:45 +0200 Subject: [PATCH] AccessControl: Modify provisioning to prevent built-in role assignment (#48031) * Add basic and managed prefixes to avoid magic strings For now let's stick with grafana_builtins add function isBasic to RoleDTO add function isBasic to Role Co-authored-by: Jguer * Add team store to wire Co-authored-by: Jguer Co-authored-by: Jguer --- pkg/server/wire.go | 2 ++ .../database/resource_permissions.go | 2 +- pkg/services/accesscontrol/models.go | 17 ++++++++++++++--- 3 files changed, 17 insertions(+), 4 deletions(-) diff --git a/pkg/server/wire.go b/pkg/server/wire.go index 7c22a7dc356..83233cf0170 100644 --- a/pkg/server/wire.go +++ b/pkg/server/wire.go @@ -253,6 +253,7 @@ var wireSet = wire.NewSet( wireBasicSet, sqlstore.ProvideService, wire.Bind(new(alerting.AlertStore), new(*sqlstore.SQLStore)), + wire.Bind(new(sqlstore.TeamStore), new(*sqlstore.SQLStore)), ngmetrics.ProvideService, wire.Bind(new(notifications.TempUserStore), new(*sqlstore.SQLStore)), wire.Bind(new(notifications.Service), new(*notifications.NotificationService)), @@ -268,6 +269,7 @@ var wireTestSet = wire.NewSet( sqlstore.ProvideServiceForTests, ngmetrics.ProvideServiceForTest, wire.Bind(new(alerting.AlertStore), new(*sqlstore.SQLStore)), + wire.Bind(new(sqlstore.TeamStore), new(*sqlstore.SQLStore)), notifications.MockNotificationService, wire.Bind(new(notifications.TempUserStore), new(*mockstore.SQLStoreMock)), diff --git a/pkg/services/accesscontrol/database/resource_permissions.go b/pkg/services/accesscontrol/database/resource_permissions.go index f54c9584bd9..12e564886bb 100644 --- a/pkg/services/accesscontrol/database/resource_permissions.go +++ b/pkg/services/accesscontrol/database/resource_permissions.go 
@@ -32,7 +32,7 @@ type flatResourcePermission struct { } func (p *flatResourcePermission) IsManaged() bool { - return strings.HasPrefix(p.RoleName, "managed:") && !p.IsInherited() + return strings.HasPrefix(p.RoleName, accesscontrol.ManagedRolePrefix) && !p.IsInherited() } func (p *flatResourcePermission) IsInherited() bool { diff --git a/pkg/services/accesscontrol/models.go b/pkg/services/accesscontrol/models.go index 0d4a2fc6f36..f3036c9710b 100644 --- a/pkg/services/accesscontrol/models.go +++ b/pkg/services/accesscontrol/models.go @@ -41,6 +41,10 @@ func (r *Role) IsFixed() bool { return strings.HasPrefix(r.Name, FixedRolePrefix) } +func (r *Role) IsBasic() bool { + return strings.HasPrefix(r.Name, BasicRolePrefix) || strings.HasPrefix(r.UID, BasicRoleUIDPrefix) +} + func (r *Role) GetDisplayName() string { if r.IsFixed() && r.DisplayName == "" { r.DisplayName = fallbackDisplayName(r.Name) @@ -118,6 +122,10 @@ func (r *RoleDTO) IsFixed() bool { return strings.HasPrefix(r.Name, FixedRolePrefix) } +func (r *RoleDTO) IsBasic() bool { + return strings.HasPrefix(r.Name, BasicRolePrefix) || strings.HasPrefix(r.UID, BasicRoleUIDPrefix) +} + func (r *RoleDTO) GetDisplayName() string { if r.IsFixed() && r.DisplayName == "" { r.DisplayName = fallbackDisplayName(r.Name) @@ -261,9 +269,12 @@ type SetResourcePermissionCommand struct { } const ( - GlobalOrgID = 0 - FixedRolePrefix = "fixed:" - RoleGrafanaAdmin = "Grafana Admin" + GlobalOrgID = 0 + FixedRolePrefix = "fixed:" + ManagedRolePrefix = "managed:" + BasicRolePrefix = "grafana:builtins:" + BasicRoleUIDPrefix = "grafana_builtins_" + RoleGrafanaAdmin = "Grafana Admin" GeneralFolderUID = "general"
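Review bot: The new `Role.IsBasic` in the `@@ -41,6 +41,10 @@` hunk is the same prefix predicate that the later `RoleDTO.IsBasic` hunk repeats verbatim, and since this predicate appears to be the guard the commit relies on to refuse built-in role assignment (inferred from the subject line; the call site is not in this patch), two copies of an authorization check invite drift the next time a reserved prefix is added. Move the check into one unexported helper and have both methods delegate to it, and give the exported method the doc comment it currently lacks. Matching on either Name or UID means any role whose identifiers use the reserved prefixes counts as basic, which is the fail-closed direction for a guard, so the helper should keep the `||`.
```go
// isBasicRole reports whether a role name or UID carries one of the
// prefixes reserved for Grafana's built-in (basic) roles.
func isBasicRole(name, uid string) bool {
	return strings.HasPrefix(name, BasicRolePrefix) || strings.HasPrefix(uid, BasicRoleUIDPrefix)
}

// IsBasic reports whether r is one of Grafana's built-in (basic) roles.
func (r *Role) IsBasic() bool {
	return isBasicRole(r.Name, r.UID)
}

// … unchanged: IsFixed, GetDisplayName …
```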
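Review bot: `RoleDTO.IsBasic` in the `@@ -118,6 +122,10 @@` hunk is an exported method with no doc comment, and nothing records that the two prefixes are matched independently, so a DTO whose Name lacks the prefix but whose UID starts with `grafana_builtins_` (or vice versa) is still classified as basic. Add `// IsBasic reports whether the role is one of Grafana's built-in roles, recognised by the reserved name prefix or the reserved UID prefix; either alone is sufficient.` above the method. The independent match is the conservative choice if the result is used to refuse assignment, which the commit subject suggests but this hunk does not show.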
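Review bot: The constants added in the `@@ -261,9 +269,12 @@` hunk define a reserved namespace that the new `IsBasic` methods depend on, yet nothing documents that `BasicRolePrefix` and `BasicRoleUIDPrefix` deliberately differ in separator (`:` in names, `_` in UIDs) or that identifiers starting with them are reserved for Grafana and must not be chosen for provisioned roles. Add `// BasicRolePrefix and BasicRoleUIDPrefix mark Grafana's built-in roles; a role whose Name or UID starts with either is treated as basic by IsBasic and is reserved for Grafana itself.` above those two entries and `// ManagedRolePrefix marks roles created by resource-permission management (see IsManaged).` above `ManagedRolePrefix`. Note also that `RoleGrafanaAdmin = "Grafana Admin"` carries neither prefix, so if that string is ever used as a role Name rather than only as a built-in role label, `IsBasic` will not recognise it; which of the two it is cannot be told from this patch.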