Auth: Load oauth_allow_insecure_email_lookup using the SettingsProvider (#82460)

* wip * Introduce fixed:server.config:writer role * Fix tests * Update name
2025-02-25 18:55:37 -06:00 · 2024-02-16 12:05:00 +01:00
parent ac84069071
commit bb9d5799cf
4 changed files with 38 additions and 13 deletions
--- a/pkg/services/accesscontrol/roles.go
+++ b/pkg/services/accesscontrol/roles.go
@@ -263,6 +263,19 @@ var (
 			},
 		},
 	}
+
+	generalAuthConfigWriterRole = RoleDTO{
+		Name:        "fixed:general.auth.config:writer",
+		DisplayName: "General authentication config writer",
+		Description: "Read and update the Grafana instance's general authentication configuration.",
+		Group:       "Settings",
+		Permissions: []Permission{
+			{
+				Action: ActionSettingsWrite,
+				Scope:  "settings:auth:oauth_allow_insecure_email_lookup",
+			},
+		},
+	}
 )

 // Declare OSS roles to the accesscontrol service
@@ -299,6 +312,10 @@ func DeclareFixedRoles(service Service, cfg *setting.Cfg) error {
 		Role:   usersWriterRole,
 		Grants: []string{RoleGrafanaAdmin},
 	}
+	generalAuthConfigWriter := RoleRegistration{
+		Role:   generalAuthConfigWriterRole,
+		Grants: []string{RoleGrafanaAdmin},
+	}

 	// TODO: Move to own service when implemented
 	authenticationConfigWriter := RoleRegistration{
@@ -311,7 +328,7 @@ func DeclareFixedRoles(service Service, cfg *setting.Cfg) error {
 	}

 	return service.DeclareFixedRoles(ldapReader, ldapWriter, orgUsersReader, orgUsersWriter,
-		settingsReader, statsReader, usersReader, usersWriter, authenticationConfigWriter)
+		settingsReader, statsReader, usersReader, usersWriter, authenticationConfigWriter, generalAuthConfigWriter)
 }

 func ConcatPermissions(permissions ...[]Permission) []Permission {