AccessControl: Modify provisioning to prevent built-in role assignment (#48031)

* Add basic and managed prefixes to avoid magic strings
For now let's stick with grafana_builtins
add function isBasic to RoleDTO
add function isBasic to Role

Co-authored-by: Jguer <joao.guerreiro@grafana.com>

* Add team store to wire

Co-authored-by: Jguer <joao.guerreiro@grafana.com>

Co-authored-by: Jguer <joao.guerreiro@grafana.com>
Gabriel MABILLE 2022-04-21 14:14:45 +02:00 committed by GitHub
parent b727c324b8
commit 9ed7e48454
3 changed files with 17 additions and 4 deletions


@ -253,6 +253,7 @@ var wireSet = wire.NewSet(
wireBasicSet, wireBasicSet,
sqlstore.ProvideService, sqlstore.ProvideService,
wire.Bind(new(alerting.AlertStore), new(*sqlstore.SQLStore)), wire.Bind(new(alerting.AlertStore), new(*sqlstore.SQLStore)),
wire.Bind(new(sqlstore.TeamStore), new(*sqlstore.SQLStore)),
ngmetrics.ProvideService, ngmetrics.ProvideService,
wire.Bind(new(notifications.TempUserStore), new(*sqlstore.SQLStore)), wire.Bind(new(notifications.TempUserStore), new(*sqlstore.SQLStore)),
wire.Bind(new(notifications.Service), new(*notifications.NotificationService)), wire.Bind(new(notifications.Service), new(*notifications.NotificationService)),
@ -268,6 +269,7 @@ var wireTestSet = wire.NewSet(
sqlstore.ProvideServiceForTests, sqlstore.ProvideServiceForTests,
ngmetrics.ProvideServiceForTest, ngmetrics.ProvideServiceForTest,
wire.Bind(new(alerting.AlertStore), new(*sqlstore.SQLStore)), wire.Bind(new(alerting.AlertStore), new(*sqlstore.SQLStore)),
wire.Bind(new(sqlstore.TeamStore), new(*sqlstore.SQLStore)),
notifications.MockNotificationService, notifications.MockNotificationService,
wire.Bind(new(notifications.TempUserStore), new(*mockstore.SQLStoreMock)), wire.Bind(new(notifications.TempUserStore), new(*mockstore.SQLStoreMock)),


@ -32,7 +32,7 @@ type flatResourcePermission struct {
} }
func (p *flatResourcePermission) IsManaged() bool { func (p *flatResourcePermission) IsManaged() bool {
return strings.HasPrefix(p.RoleName, "managed:") && !p.IsInherited() return strings.HasPrefix(p.RoleName, accesscontrol.ManagedRolePrefix) && !p.IsInherited()
} }
func (p *flatResourcePermission) IsInherited() bool { func (p *flatResourcePermission) IsInherited() bool {


@ -41,6 +41,10 @@ func (r *Role) IsFixed() bool {
return strings.HasPrefix(r.Name, FixedRolePrefix) return strings.HasPrefix(r.Name, FixedRolePrefix)
} }
func (r *Role) IsBasic() bool {
return strings.HasPrefix(r.Name, BasicRolePrefix) || strings.HasPrefix(r.UID, BasicRoleUIDPrefix)
}
func (r *Role) GetDisplayName() string { func (r *Role) GetDisplayName() string {
if r.IsFixed() && r.DisplayName == "" { if r.IsFixed() && r.DisplayName == "" {
r.DisplayName = fallbackDisplayName(r.Name) r.DisplayName = fallbackDisplayName(r.Name)
@ -118,6 +122,10 @@ func (r *RoleDTO) IsFixed() bool {
return strings.HasPrefix(r.Name, FixedRolePrefix) return strings.HasPrefix(r.Name, FixedRolePrefix)
} }
func (r *RoleDTO) IsBasic() bool {
return strings.HasPrefix(r.Name, BasicRolePrefix) || strings.HasPrefix(r.UID, BasicRoleUIDPrefix)
}
func (r *RoleDTO) GetDisplayName() string { func (r *RoleDTO) GetDisplayName() string {
if r.IsFixed() && r.DisplayName == "" { if r.IsFixed() && r.DisplayName == "" {
r.DisplayName = fallbackDisplayName(r.Name) r.DisplayName = fallbackDisplayName(r.Name)
@ -261,9 +269,12 @@ type SetResourcePermissionCommand struct {
} }
const ( const (
GlobalOrgID = 0 GlobalOrgID = 0
FixedRolePrefix = "fixed:" FixedRolePrefix = "fixed:"
RoleGrafanaAdmin = "Grafana Admin" ManagedRolePrefix = "managed:"
BasicRolePrefix = "grafana:builtins:"
BasicRoleUIDPrefix = "grafana_builtins_"
RoleGrafanaAdmin = "Grafana Admin"
GeneralFolderUID = "general" GeneralFolderUID = "general"
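Review bot: The two new exported methods `func (r *Role) IsBasic()` and `func (r *RoleDTO) IsBasic()` carry no doc comment, and their bodies are byte-identical, so the name/UID prefix rule that decides whether a role counts as built-in now lives in two places that can drift apart (the `Role.IsFixed` right above checks only `Name`, while `IsBasic` checks `Name` or `UID`, which a reader may take for an oversight rather than intent). I would add `// IsBasic reports whether the role is one of Grafana's basic (built-in) roles, identified by its name or UID prefix.` to both, and consider routing both through one unexported helper such as `isBasicRole(name, uid string) bool` so the two prefixes in the new `const` block stay the single source of truth. The constants `BasicRolePrefix` and `BasicRoleUIDPrefix` would also benefit from a one-line comment saying which of the two forms (name vs. UID) each applies to, since the commit message notes the UID form is a stopgap. None of these hunks show where `IsBasic` is consulted to actually refuse an assignment, so the enforcement presumably lives outside this diff; the predicate alone does not prevent anything.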