Alerting: Change getEvaluatorForAlertRule to checkDatasourcePermissionsForRule (#46887)

update method getEvaluatorForAlertRule to accept permissions evaluator and exit on the first negative result, which is more effective than returning an evaluator that in fact is a bunch of slices.
2025-02-25 18:55:37 -06:00 · 2022-03-23 13:11:30 -04:00 · 2022-03-23 13:11:30 -04:00 · acd7be1cb4
commit acd7be1cb4
parent 78c23d8dab
2 changed files with 51 additions and 29 deletions
--- a/pkg/services/ngalert/api/authorization.go
+++ b/pkg/services/ngalert/api/authorization.go
@ -172,16 +172,17 @@ func (api *API) authorize(method, path string) web.Handler {
 	panic(fmt.Sprintf("no authorization handler for method [%s] of endpoint [%s]", method, path))
 }

-// GetDatasourceScopesFromAlertRule extracts data source scopes from an alert rule
-func getEvaluatorForAlertRule(rule *ngmodels.AlertRule) ac.Evaluator {
-	scopes := make([]ac.Evaluator, 0, len(rule.Data))
+// authorizeDatasourceAccessForRule checks that user has access to all data sources declared by the rule
+func authorizeDatasourceAccessForRule(rule *ngmodels.AlertRule, evaluator func(evaluator ac.Evaluator) bool) bool {
 	for _, query := range rule.Data {
 		if query.QueryType == expr.DatasourceType || query.DatasourceUID == expr.OldDatasourceUID {
 			continue
 		}
-		scopes = append(scopes, ac.EvalPermission(datasources.ActionQuery, dashboards.ScopeFoldersProvider.GetResourceScopeUID(query.DatasourceUID)))
+		if !evaluator(ac.EvalPermission(datasources.ActionQuery, dashboards.ScopeFoldersProvider.GetResourceScopeUID(query.DatasourceUID))) {
+			return false
+		}
 	}
-	return ac.EvalAll(scopes...)
+	return true
 }

 // authorizeRuleChanges analyzes changes in the rule group, determines what actions the user is trying to perform and check whether those actions are authorized.
@ -203,7 +204,7 @@ func authorizeRuleChanges(namespace *models.Folder, changes *changes, evaluator
 			return fmt.Errorf("%w user cannot create alert rules in the folder %s", ErrAuthorization, namespace.Title)
 		}
 		for _, rule := range changes.New {
-			dsAllowed := evaluator(getEvaluatorForAlertRule(rule))
+			dsAllowed := authorizeDatasourceAccessForRule(rule, evaluator)
 			if !dsAllowed {
 				return fmt.Errorf("%w to create a new alert rule '%s' because the user does not have read permissions for one or many datasources the rule uses", ErrAuthorization, rule.Title)
 			}
@ -211,7 +212,7 @@ func authorizeRuleChanges(namespace *models.Folder, changes *changes, evaluator
 	}

 	for _, rule := range changes.Update {
-		dsAllowed := evaluator(getEvaluatorForAlertRule(rule.New))
+		dsAllowed := authorizeDatasourceAccessForRule(rule.New, evaluator)
 		if !dsAllowed {
 			return fmt.Errorf("%w to update alert rule '%s' (UID: %s) because the user does not have read permissions for one or many datasources the rule uses", ErrAuthorization, rule.Existing.Title, rule.Existing.UID)
 		}
--- a/pkg/services/ngalert/api/authorization_test.go
+++ b/pkg/services/ngalert/api/authorization_test.go
@ -228,37 +228,58 @@ func TestAuthorizeRuleChanges(t *testing.T) {
 	}
 }

-func TestGetEvaluatorForAlertRule(t *testing.T) {
-	t.Run("should not consider expressions", func(t *testing.T) {
-		rule := models.AlertRuleGen()()
+func TestCheckDatasourcePermissionsForRule(t *testing.T) {
+	rule := models.AlertRuleGen()()

-		expressionByType := models.GenerateAlertQuery()
-		expressionByType.QueryType = expr.DatasourceType
-		expressionByUID := models.GenerateAlertQuery()
-		expressionByUID.DatasourceUID = expr.OldDatasourceUID
+	expressionByType := models.GenerateAlertQuery()
+	expressionByType.QueryType = expr.DatasourceType
+	expressionByUID := models.GenerateAlertQuery()
+	expressionByUID.DatasourceUID = expr.OldDatasourceUID

-		var data []models.AlertQuery
-		var scopes []string
-		for i := 0; i < rand.Intn(3)+2; i++ {
-			q := models.GenerateAlertQuery()
-			scopes = append(scopes, dashboards.ScopeFoldersProvider.GetResourceScopeUID(q.DatasourceUID))
-			data = append(data, q)
+	var data []models.AlertQuery
+	var scopes []string
+	expectedExecutions := rand.Intn(3) + 2
+	for i := 0; i < expectedExecutions; i++ {
+		q := models.GenerateAlertQuery()
+		scopes = append(scopes, dashboards.ScopeFoldersProvider.GetResourceScopeUID(q.DatasourceUID))
+		data = append(data, q)
+	}
+
+	data = append(data, expressionByType, expressionByUID)
+	rand.Shuffle(len(data), func(i, j int) {
+		data[j], data[i] = data[i], data[j]
+	})
+
+	rule.Data = data
+
+	t.Run("should check only expressions", func(t *testing.T) {
+		permissions := map[string][]string{
+			datasources.ActionQuery: scopes,
 		}

-		data = append(data, expressionByType, expressionByUID)
-		rand.Shuffle(len(data), func(i, j int) {
-			data[j], data[i] = data[i], data[j]
+		executed := 0
+
+		eval := authorizeDatasourceAccessForRule(rule, func(evaluator ac.Evaluator) bool {
+			response, err := evaluator.Evaluate(permissions)
+			require.Truef(t, response, "provided permissions [%v] is not enough for requested permissions [%s]", permissions, evaluator.GoString())
+			require.NoError(t, err)
+			executed++
+			return true
 		})

-		rule.Data = data
+		require.True(t, eval)
+		require.Equal(t, expectedExecutions, executed)
+	})

-		eval := getEvaluatorForAlertRule(rule)
+	t.Run("should return on first negative evaluation", func(t *testing.T) {
+		executed := 0

-		allowed, err := eval.Evaluate(map[string][]string{
-			datasources.ActionQuery: scopes,
+		eval := authorizeDatasourceAccessForRule(rule, func(evaluator ac.Evaluator) bool {
+			executed++
+			return false
 		})

-		require.NoError(t, err)
-		require.True(t, allowed)
+		require.False(t, eval)
+		require.Equal(t, 1, executed)
 	})
 }