RBAC: Default to plugins.app:access for plugin includes (#90969)

* Default to app access for includes

* Check plugin type

pkg/plugins/manager/loader/finder/local_test.go

@@ -153,19 +153,21 @@ func TestFinder_Find(t *testing.T) {
 							},
 							Includes: []*plugins.Includes{
 								{
-									Name: "Nginx Connections",
-									Path: "dashboards/connections.json",
-									Type: "dashboard",
-									Role: "Viewer",
+									Name:   "Nginx Connections",
+									Path:   "dashboards/connections.json",
+									Type:   "dashboard",
+									Role:   "Viewer",
+									Action: "plugins.app:access",
 								},
 								{
-									Name: "Nginx Memory",
-									Path: "dashboards/memory.json",
-									Type: "dashboard",
-									Role: "Viewer",
+									Name:   "Nginx Memory",
+									Path:   "dashboards/memory.json",
+									Type:   "dashboard",
+									Role:   "Viewer",
+									Action: "plugins.app:access",
 								},
-								{Name: "Nginx Panel", Type: "panel", Role: "Viewer"},
-								{Name: "Nginx Datasource", Type: "datasource", Role: "Viewer"},
+								{Name: "Nginx Panel", Type: "panel", Role: "Viewer", Action: "plugins.app:access"},
+								{Name: "Nginx Datasource", Type: "datasource", Role: "Viewer", Action: "plugins.app:access"},
 							},
 						},
 						FS: mustNewStaticFSForTests(t, filepath.Join(testData, "includes-symlinks")),

pkg/plugins/manager/loader/loader_test.go

@@ -198,30 +198,34 @@ func TestLoader_Load(t *testing.T) {
 						},
 						Includes: []*plugins.Includes{
 							{
-								Name: "Nginx Connections",
-								Path: "dashboards/connections.json",
-								Type: "dashboard",
-								Role: org.RoleViewer,
-								Slug: "nginx-connections",
+								Name:   "Nginx Connections",
+								Path:   "dashboards/connections.json",
+								Type:   "dashboard",
+								Role:   org.RoleViewer,
+								Action: plugins.ActionAppAccess,
+								Slug:   "nginx-connections",
 							},
 							{
-								Name: "Nginx Memory",
-								Path: "dashboards/memory.json",
-								Type: "dashboard",
-								Role: org.RoleViewer,
-								Slug: "nginx-memory",
+								Name:   "Nginx Memory",
+								Path:   "dashboards/memory.json",
+								Type:   "dashboard",
+								Role:   org.RoleViewer,
+								Action: plugins.ActionAppAccess,
+								Slug:   "nginx-memory",
 							},
 							{
-								Name: "Nginx Panel",
-								Type: string(plugins.TypePanel),
-								Role: org.RoleViewer,
-								Slug: "nginx-panel",
+								Name:   "Nginx Panel",
+								Type:   string(plugins.TypePanel),
+								Role:   org.RoleViewer,
+								Action: plugins.ActionAppAccess,
+								Slug:   "nginx-panel",
 							},
 							{
-								Name: "Nginx Datasource",
-								Type: string(plugins.TypeDataSource),
-								Role: org.RoleViewer,
-								Slug: "nginx-datasource",
+								Name:   "Nginx Datasource",
+								Type:   string(plugins.TypeDataSource),
+								Role:   org.RoleViewer,
+								Action: plugins.ActionAppAccess,
+								Slug:   "nginx-datasource",
 							},
 						},
 					},
@@ -391,8 +395,8 @@ func TestLoader_Load(t *testing.T) {
 							Plugins:           []plugins.Dependency{},
 						},
 						Includes: []*plugins.Includes{
-							{Name: "Nginx Memory", Path: "dashboards/memory.json", Type: "dashboard", Role: org.RoleViewer, Slug: "nginx-memory"},
-							{Name: "Root Page (react)", Type: "page", Role: org.RoleViewer, Path: "/a/my-simple-app", DefaultNav: true, AddToNav: true, Slug: "root-page-react"},
+							{Name: "Nginx Memory", Path: "dashboards/memory.json", Type: "dashboard", Role: org.RoleViewer, Action: plugins.ActionAppAccess, Slug: "nginx-memory"},
+							{Name: "Root Page (react)", Type: "page", Role: org.RoleViewer, Action: plugins.ActionAppAccess, Path: "/a/my-simple-app", DefaultNav: true, AddToNav: true, Slug: "root-page-react"},
 						},
 						Backend: false,
 					},

pkg/plugins/models.go

@@ -9,6 +9,8 @@ import (
 
 const (
 	TypeDashboard = "dashboard"
+
+	ActionAppAccess = "plugins.app:access"
 )
 
 var (

pkg/plugins/plugins.go

@@ -175,6 +175,11 @@ func ReadPluginJSON(reader io.Reader) (JSONData, error) {
 		if include.Role == "" {
 			include.Role = org.RoleViewer
 		}
+
+		// Default to app access for app plugins
+		if plugin.Type == TypeApp && include.Role == org.RoleViewer && include.Action == "" {
+			include.Action = ActionAppAccess
+		}
 	}
 
 	return plugin, nil

pkg/plugins/plugins_test.go

@@ -60,10 +60,10 @@ func Test_ReadPluginJSON(t *testing.T) {
 					},
 				},
 				Includes: []*Includes{
-					{Name: "Nginx Connections", Path: "dashboards/connections.json", Type: "dashboard", Role: org.RoleViewer},
-					{Name: "Nginx Memory", Path: "dashboards/memory.json", Type: "dashboard", Role: org.RoleViewer},
-					{Name: "Nginx Panel", Type: "panel", Role: org.RoleViewer},
-					{Name: "Nginx Datasource", Type: "datasource", Role: org.RoleViewer},
+					{Name: "Nginx Connections", Path: "dashboards/connections.json", Type: "dashboard", Role: org.RoleViewer, Action: ActionAppAccess},
+					{Name: "Nginx Memory", Path: "dashboards/memory.json", Type: "dashboard", Role: org.RoleViewer, Action: ActionAppAccess},
+					{Name: "Nginx Panel", Type: "panel", Role: org.RoleViewer, Action: ActionAppAccess},
+					{Name: "Nginx Datasource", Type: "datasource", Role: org.RoleViewer, Action: ActionAppAccess},
 				},
 				Backend: false,
 			},

pkg/services/pluginsintegration/loader/loader_test.go

@@ -198,30 +198,34 @@ func TestLoader_Load(t *testing.T) {
 						},
 						Includes: []*plugins.Includes{
 							{
-								Name: "Nginx Connections",
-								Path: "dashboards/connections.json",
-								Type: "dashboard",
-								Role: org.RoleViewer,
-								Slug: "nginx-connections",
+								Name:   "Nginx Connections",
+								Path:   "dashboards/connections.json",
+								Type:   "dashboard",
+								Role:   org.RoleViewer,
+								Action: plugins.ActionAppAccess,
+								Slug:   "nginx-connections",
 							},
 							{
-								Name: "Nginx Memory",
-								Path: "dashboards/memory.json",
-								Type: "dashboard",
-								Role: org.RoleViewer,
-								Slug: "nginx-memory",
+								Name:   "Nginx Memory",
+								Path:   "dashboards/memory.json",
+								Type:   "dashboard",
+								Role:   org.RoleViewer,
+								Action: plugins.ActionAppAccess,
+								Slug:   "nginx-memory",
 							},
 							{
-								Name: "Nginx Panel",
-								Type: string(plugins.TypePanel),
-								Role: org.RoleViewer,
-								Slug: "nginx-panel",
+								Name:   "Nginx Panel",
+								Type:   string(plugins.TypePanel),
+								Role:   org.RoleViewer,
+								Action: plugins.ActionAppAccess,
+								Slug:   "nginx-panel",
 							},
 							{
-								Name: "Nginx Datasource",
-								Type: string(plugins.TypeDataSource),
-								Role: org.RoleViewer,
-								Slug: "nginx-datasource",
+								Name:   "Nginx Datasource",
+								Type:   string(plugins.TypeDataSource),
+								Role:   org.RoleViewer,
+								Action: plugins.ActionAppAccess,
+								Slug:   "nginx-datasource",
 							},
 						},
 					},
@@ -421,8 +425,8 @@ func TestLoader_Load(t *testing.T) {
 							Plugins:           []plugins.Dependency{},
 						},
 						Includes: []*plugins.Includes{
-							{Name: "Nginx Memory", Path: "dashboards/memory.json", Type: "dashboard", Role: org.RoleViewer, Slug: "nginx-memory"},
-							{Name: "Root Page (react)", Type: "page", Role: org.RoleViewer, Path: "/a/my-simple-app", DefaultNav: true, AddToNav: true, Slug: "root-page-react"},
+							{Name: "Nginx Memory", Path: "dashboards/memory.json", Type: "dashboard", Role: org.RoleViewer, Action: plugins.ActionAppAccess, Slug: "nginx-memory"},
+							{Name: "Root Page (react)", Type: "page", Role: org.RoleViewer, Action: plugins.ActionAppAccess, Path: "/a/my-simple-app", DefaultNav: true, AddToNav: true, Slug: "root-page-react"},
 						},
 						Backend: false,
 					},
@@ -911,10 +915,10 @@ func TestLoader_Load_DuplicatePlugins(t *testing.T) {
 						},
 					},
 					Includes: []*plugins.Includes{
-						{Name: "Nginx Connections", Path: "dashboards/connections.json", Type: "dashboard", Role: org.RoleViewer, Slug: "nginx-connections"},
-						{Name: "Nginx Memory", Path: "dashboards/memory.json", Type: "dashboard", Role: org.RoleViewer, Slug: "nginx-memory"},
-						{Name: "Nginx Panel", Type: "panel", Role: org.RoleViewer, Slug: "nginx-panel"},
-						{Name: "Nginx Datasource", Type: "datasource", Role: org.RoleViewer, Slug: "nginx-datasource"},
+						{Name: "Nginx Connections", Path: "dashboards/connections.json", Type: "dashboard", Role: org.RoleViewer, Action: plugins.ActionAppAccess, Slug: "nginx-connections"},
+						{Name: "Nginx Memory", Path: "dashboards/memory.json", Type: "dashboard", Role: org.RoleViewer, Action: plugins.ActionAppAccess, Slug: "nginx-memory"},
+						{Name: "Nginx Panel", Type: "panel", Role: org.RoleViewer, Action: plugins.ActionAppAccess, Slug: "nginx-panel"},
+						{Name: "Nginx Datasource", Type: "datasource", Role: org.RoleViewer, Action: plugins.ActionAppAccess, Slug: "nginx-datasource"},
 					},
 					Backend: false,
 				},
@@ -992,10 +996,10 @@ func TestLoader_Load_SkipUninitializedPlugins(t *testing.T) {
 						},
 					},
 					Includes: []*plugins.Includes{
-						{Name: "Nginx Connections", Path: "dashboards/connections.json", Type: "dashboard", Role: org.RoleViewer, Slug: "nginx-connections"},
-						{Name: "Nginx Memory", Path: "dashboards/memory.json", Type: "dashboard", Role: org.RoleViewer, Slug: "nginx-memory"},
-						{Name: "Nginx Panel", Type: "panel", Role: org.RoleViewer, Slug: "nginx-panel"},
-						{Name: "Nginx Datasource", Type: "datasource", Role: org.RoleViewer, Slug: "nginx-datasource"},
+						{Name: "Nginx Connections", Path: "dashboards/connections.json", Type: "dashboard", Role: org.RoleViewer, Action: plugins.ActionAppAccess, Slug: "nginx-connections"},
+						{Name: "Nginx Memory", Path: "dashboards/memory.json", Type: "dashboard", Role: org.RoleViewer, Action: plugins.ActionAppAccess, Slug: "nginx-memory"},
+						{Name: "Nginx Panel", Type: "panel", Role: org.RoleViewer, Action: plugins.ActionAppAccess, Slug: "nginx-panel"},
+						{Name: "Nginx Datasource", Type: "datasource", Role: org.RoleViewer, Action: plugins.ActionAppAccess, Slug: "nginx-datasource"},
 					},
 					Backend: false,
 				},
@@ -1339,6 +1343,7 @@ func TestLoader_Load_NestedPlugins(t *testing.T) {
 						Path:       "/a/myorgid-simple-app",
 						Type:       "page",
 						Role:       org.RoleViewer,
+						Action:     plugins.ActionAppAccess,
 						AddToNav:   true,
 						DefaultNav: true,
 						Slug:       "root-page-react",
@@ -1348,6 +1353,7 @@ func TestLoader_Load_NestedPlugins(t *testing.T) {
 						Path:     "/a/myorgid-simple-app/?tab=b",
 						Type:     "page",
 						Role:     org.RoleViewer,
+						Action:   plugins.ActionAppAccess,
 						AddToNav: true,
 						Slug:     "root-page-tab-b",
 					},
@@ -1360,18 +1366,20 @@ func TestLoader_Load_NestedPlugins(t *testing.T) {
 						Slug:     "react-config",
 					},
 					{
-						Name: "Streaming Example",
-						Path: "dashboards/streaming.json",
-						Type: "dashboard",
-						Role: org.RoleViewer,
-						Slug: "streaming-example",
+						Name:   "Streaming Example",
+						Path:   "dashboards/streaming.json",
+						Type:   "dashboard",
+						Role:   org.RoleViewer,
+						Action: plugins.ActionAppAccess,
+						Slug:   "streaming-example",
 					},
 					{
-						Name: "Lots of Stats",
-						Path: "dashboards/stats.json",
-						Type: "dashboard",
-						Role: org.RoleViewer,
-						Slug: "lots-of-stats",
+						Name:   "Lots of Stats",
+						Path:   "dashboards/stats.json",
+						Type:   "dashboard",
+						Role:   org.RoleViewer,
+						Action: plugins.ActionAppAccess,
+						Slug:   "lots-of-stats",
 					},
 				},
 				Backend: false,