RBAC: generated prefixed uids for external service role (#76601)

* Replace FixedRoleUID function with a common function to generate these prefixes * Use common function to generate prefixed uid for external service accounts Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com> --------- Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com>
2025-02-25 18:55:37 -06:00 · 2023-10-16 13:12:16 +02:00
parent bc98f3d139
commit ae5e03034b
4 changed files with 35 additions and 47 deletions
--- a/pkg/services/accesscontrol/database/externalservices.go
+++ b/pkg/services/accesscontrol/database/externalservices.go
@@ -2,9 +2,7 @@ package database

 import (
 	"context"
-	// #nosec G505 Used only for generating a 160 bit hash, it's not used for security purposes
-	"crypto/sha1"
-	"encoding/hex"
+
 	"errors"
 	"fmt"
 	"time"
@@ -13,24 +11,13 @@ import (
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
 )

-// extServiceRoleUID generates a 160 bit unique ID using SHA-1 that fits within the 40 characters limit of the role UID.
-func extServiceRoleUID(externalServiceID string) string {
-	uid := fmt.Sprintf("%s%s_permissions", accesscontrol.ExternalServiceRoleUIDPrefix, externalServiceID)
-	// #nosec G505 Used only for generating a 160 bit hash, it's not used for security purposes
-	hasher := sha1.New()
-	hasher.Write([]byte(uid))
-
-	return hex.EncodeToString(hasher.Sum(nil))
-}
-
 func extServiceRoleName(externalServiceID string) string {
 	name := fmt.Sprintf("%s%s:permissions", accesscontrol.ExternalServiceRolePrefix, externalServiceID)
 	return name
 }

 func (s *AccessControlStore) DeleteExternalServiceRole(ctx context.Context, externalServiceID string) error {
-	uid := extServiceRoleUID(externalServiceID)
-
+	uid := accesscontrol.PrefixedRoleUID(extServiceRoleName(externalServiceID))
 	return s.sql.WithDbSession(ctx, func(sess *db.Session) error {
 		stored, errGet := getRoleByUID(ctx, sess, uid)
 		if errGet != nil {
@@ -90,11 +77,12 @@ func (s *AccessControlStore) SaveExternalServiceRole(ctx context.Context, cmd ac
 }

 func genExternalServiceRole(cmd accesscontrol.SaveExternalServiceRoleCommand) accesscontrol.Role {
+	name := extServiceRoleName(cmd.ExternalServiceID)
 	role := accesscontrol.Role{
 		OrgID:       cmd.OrgID,
 		Version:     1,
-		Name:        extServiceRoleName(cmd.ExternalServiceID),
-		UID:         extServiceRoleUID(cmd.ExternalServiceID),
+		Name:        name,
+		UID:         accesscontrol.PrefixedRoleUID(name),
 		DisplayName: fmt.Sprintf("External Service %s Permissions", cmd.ExternalServiceID),
 		Description: fmt.Sprintf("External Service %s permissions", cmd.ExternalServiceID),
 		Group:       "External Service",
--- a/pkg/services/accesscontrol/database/externalservices_test.go
+++ b/pkg/services/accesscontrol/database/externalservices_test.go
@@ -3,10 +3,8 @@ package database
 import (
 	"context"
 	// #nosec G505 Used only for generating a 160 bit hash, it's not used for security purposes
-	"crypto/sha1"
-	"encoding/hex"
+
 	"errors"
-	"fmt"
 	"testing"

 	"github.com/grafana/grafana/pkg/infra/db"
@@ -166,7 +164,7 @@ func TestAccessControlStore_SaveExternalServiceRole(t *testing.T) {
 				require.NoError(t, err)

 				errDBSession := s.sql.WithDbSession(ctx, func(sess *db.Session) error {
-					storedRole, err := getRoleByUID(ctx, sess, sha1Hash(fmt.Sprintf("externalservice_%s_permissions", tt.runs[i].cmd.ExternalServiceID)))
+					storedRole, err := getRoleByUID(ctx, sess, accesscontrol.PrefixedRoleUID(extServiceRoleName(tt.runs[i].cmd.ExternalServiceID)))
 					require.NoError(t, err)
 					require.NotNil(t, storedRole)
 					require.Equal(t, tt.runs[i].cmd.Global, storedRole.Global(), "Incorrect global state of the role")
@@ -253,7 +251,7 @@ func TestAccessControlStore_DeleteExternalServiceRole(t *testing.T) {
 			}
 			roleID := int64(-1)
 			err := s.sql.WithDbSession(ctx, func(sess *db.Session) error {
-				role, err := getRoleByUID(ctx, sess, extServiceRoleUID(tt.id))
+				role, err := getRoleByUID(ctx, sess, accesscontrol.PrefixedRoleUID(extServiceRoleName(tt.id)))
 				if err != nil && !errors.Is(err, accesscontrol.ErrRoleNotFound) {
 					return err
 				}
@@ -295,7 +293,7 @@ func TestAccessControlStore_DeleteExternalServiceRole(t *testing.T) {

 			// Role should be deleted
 			_ = s.sql.WithDbSession(ctx, func(sess *db.Session) error {
-				storedRole, err := getRoleByUID(ctx, sess, extServiceRoleUID(tt.id))
+				storedRole, err := getRoleByUID(ctx, sess, accesscontrol.PrefixedRoleUID(extServiceRoleName(tt.id)))
 				require.ErrorIs(t, err, accesscontrol.ErrRoleNotFound)
 				require.Nil(t, storedRole)
 				return nil
@@ -303,9 +301,3 @@ func TestAccessControlStore_DeleteExternalServiceRole(t *testing.T) {
 		})
 	}
 }
-
-func sha1Hash(text string) string {
-	h := sha1.New()
-	_, _ = h.Write([]byte(text))
-	return hex.EncodeToString(h.Sum(nil))
-}