mirror of
https://github.com/grafana/grafana.git
synced 2025-02-25 18:55:37 -06:00
RBAC: Remove service dependency in Evaluator component (#54910)
* RBAC: Remove service dependency for Evaluator component * RBAC: Add service and load permissions in target org if they are not there * RBAC: Use service if we need to load permissions for org * API: remove service injection into evaluator * API: set new user for each request in tests * PublicDashboards: Use fake service to provide permissions * RBAC: Set org id for dashboard provisioning user
This commit is contained in:
parent
e277ab0017
commit
bcd7afd1f5
@ -66,7 +66,7 @@ func (hs *HTTPServer) registerRoutes() {
|
||||
reqSnapshotPublicModeOrSignedIn := middleware.SnapshotPublicModeOrSignedIn(hs.Cfg)
|
||||
redirectFromLegacyPanelEditURL := middleware.RedirectFromLegacyPanelEditURL(hs.Cfg)
|
||||
authorize := ac.Middleware(hs.AccessControl)
|
||||
authorizeInOrg := ac.AuthorizeInOrgMiddleware(hs.AccessControl, hs.userService)
|
||||
authorizeInOrg := ac.AuthorizeInOrgMiddleware(hs.AccessControl, hs.accesscontrolService, hs.userService)
|
||||
quota := middleware.Quota(hs.QuotaService)
|
||||
|
||||
r := hs.RouteRegister
|
||||
|
@ -381,7 +381,7 @@ func setupHTTPServerWithCfgDb(
|
||||
var err error
|
||||
acService, err = acimpl.ProvideService(cfg, database.ProvideService(db), routeRegister)
|
||||
require.NoError(t, err)
|
||||
ac = acimpl.ProvideAccessControl(cfg, acService)
|
||||
ac = acimpl.ProvideAccessControl(cfg)
|
||||
}
|
||||
|
||||
teamPermissionService, err := ossaccesscontrol.ProvideTeamPermissions(cfg, routeRegister, db, ac, license, acService)
|
||||
|
@ -714,7 +714,7 @@ func (hs *HTTPServer) buildDataConnectionsNavLink(c *models.ReqContext) *dtos.Na
|
||||
|
||||
func (hs *HTTPServer) buildAdminNavLinks(c *models.ReqContext) []*dtos.NavLink {
|
||||
hasAccess := ac.HasAccess(hs.AccessControl, c)
|
||||
hasGlobalAccess := ac.HasGlobalAccess(hs.AccessControl, c)
|
||||
hasGlobalAccess := ac.HasGlobalAccess(hs.AccessControl, hs.accesscontrolService, c)
|
||||
adminNavLinks := []*dtos.NavLink{}
|
||||
|
||||
if hasAccess(ac.ReqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersRead, ac.ScopeGlobalUsersAll)) {
|
||||
|
@ -238,12 +238,11 @@ func TestAPIEndpoint_CreateOrgs_LegacyAccessControl(t *testing.T) {
|
||||
|
||||
func TestAPIEndpoint_CreateOrgs_AccessControl(t *testing.T) {
|
||||
sc := setupHTTPServer(t, true)
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
|
||||
setupOrgsDBForAccessControlTests(t, sc.db, sc, 0)
|
||||
|
||||
input := strings.NewReader(fmt.Sprintf(testCreateOrgCmd, 2))
|
||||
t.Run("AccessControl allows creating Orgs with correct permissions", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsCreate}}, accesscontrol.GlobalOrgID)
|
||||
response := callAPI(sc.server, http.MethodPost, createOrgsURL, input, t)
|
||||
assert.Equal(t, http.StatusOK, response.Code)
|
||||
@ -251,6 +250,7 @@ func TestAPIEndpoint_CreateOrgs_AccessControl(t *testing.T) {
|
||||
|
||||
input = strings.NewReader(fmt.Sprintf(testCreateOrgCmd, 3))
|
||||
t.Run("AccessControl prevents creating Orgs with incorrect permissions", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, accesscontrol.GlobalOrgID)
|
||||
response := callAPI(sc.server, http.MethodPost, createOrgsURL, input, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
@ -282,16 +282,19 @@ func TestAPIEndpoint_DeleteOrgs_AccessControl(t *testing.T) {
|
||||
setupOrgsDBForAccessControlTests(t, sc.db, sc, 2)
|
||||
|
||||
t.Run("AccessControl prevents deleting Orgs with incorrect permissions", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
|
||||
response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(deleteOrgsURL, 2), nil, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
})
|
||||
t.Run("AccessControl prevents deleting Orgs with correct permissions in another org", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsDelete}}, 1)
|
||||
response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(deleteOrgsURL, 2), nil, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
})
|
||||
t.Run("AccessControl allows deleting Orgs with correct permissions", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsDelete}}, 2)
|
||||
response := callAPI(sc.server, http.MethodDelete, fmt.Sprintf(deleteOrgsURL, 2), nil, t)
|
||||
assert.Equal(t, http.StatusOK, response.Code)
|
||||
@ -318,19 +321,21 @@ func TestAPIEndpoint_SearchOrgs_LegacyAccessControl(t *testing.T) {
|
||||
|
||||
func TestAPIEndpoint_SearchOrgs_AccessControl(t *testing.T) {
|
||||
sc := setupHTTPServer(t, true)
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
|
||||
t.Run("AccessControl allows listing Orgs with correct permissions", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsRead}}, accesscontrol.GlobalOrgID)
|
||||
response := callAPI(sc.server, http.MethodGet, searchOrgsURL, nil, t)
|
||||
assert.Equal(t, http.StatusOK, response.Code)
|
||||
})
|
||||
t.Run("AccessControl prevents listing Orgs with correct permissions not granted globally", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsRead}}, 1)
|
||||
response := callAPI(sc.server, http.MethodGet, searchOrgsURL, nil, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
})
|
||||
t.Run("AccessControl prevents listing Orgs with incorrect permissions", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, accesscontrol.GlobalOrgID)
|
||||
response := callAPI(sc.server, http.MethodGet, searchOrgsURL, nil, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
@ -360,22 +365,24 @@ func TestAPIEndpoint_GetOrg_LegacyAccessControl(t *testing.T) {
|
||||
|
||||
func TestAPIEndpoint_GetOrg_AccessControl(t *testing.T) {
|
||||
sc := setupHTTPServer(t, true)
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
|
||||
// Create two orgs, to fetch another one than the logged in one
|
||||
setupOrgsDBForAccessControlTests(t, sc.db, sc, 2)
|
||||
|
||||
t.Run("AccessControl allows viewing another org with correct permissions", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsRead}}, 2)
|
||||
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsURL, 2), nil, t)
|
||||
assert.Equal(t, http.StatusOK, response.Code)
|
||||
})
|
||||
t.Run("AccessControl prevents viewing another org with correct permissions in another org", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsRead}}, 1)
|
||||
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsURL, 2), nil, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
})
|
||||
t.Run("AccessControl prevents viewing another org with incorrect permissions", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
|
||||
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsURL, 2), nil, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
@ -405,17 +412,18 @@ func TestAPIEndpoint_GetOrgByName_LegacyAccessControl(t *testing.T) {
|
||||
|
||||
func TestAPIEndpoint_GetOrgByName_AccessControl(t *testing.T) {
|
||||
sc := setupHTTPServer(t, true)
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
|
||||
// Create two orgs, to fetch another one than the logged in one
|
||||
setupOrgsDBForAccessControlTests(t, sc.db, sc, 2)
|
||||
|
||||
t.Run("AccessControl allows viewing another org with correct permissions", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsRead}}, accesscontrol.GlobalOrgID)
|
||||
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsByNameURL, "TestOrg2"), nil, t)
|
||||
assert.Equal(t, http.StatusOK, response.Code)
|
||||
})
|
||||
t.Run("AccessControl prevents viewing another org with incorrect permissions", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, accesscontrol.GlobalOrgID)
|
||||
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsByNameURL, "TestOrg2"), nil, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
@ -447,25 +455,27 @@ func TestAPIEndpoint_PutOrg_LegacyAccessControl(t *testing.T) {
|
||||
|
||||
func TestAPIEndpoint_PutOrg_AccessControl(t *testing.T) {
|
||||
sc := setupHTTPServer(t, true)
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
sc.hs.orgService = orgimpl.ProvideService(sc.db, sc.cfg)
|
||||
// Create two orgs, to update another one than the logged in one
|
||||
setupOrgsDBForAccessControlTests(t, sc.db, sc, 2)
|
||||
|
||||
input := strings.NewReader(testUpdateOrgNameForm)
|
||||
t.Run("AccessControl allows updating another org with correct permissions", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsWrite}}, 2)
|
||||
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsURL, 2), input, t)
|
||||
assert.Equal(t, http.StatusOK, response.Code)
|
||||
})
|
||||
|
||||
t.Run("AccessControl prevents updating another org with correct permissions in another org", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsWrite}}, 1)
|
||||
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsURL, 2), input, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
})
|
||||
|
||||
t.Run("AccessControl prevents updating another org with incorrect permissions", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
|
||||
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsURL, 2), input, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
@ -497,13 +507,13 @@ func TestAPIEndpoint_PutOrgAddress_LegacyAccessControl(t *testing.T) {
|
||||
|
||||
func TestAPIEndpoint_PutOrgAddress_AccessControl(t *testing.T) {
|
||||
sc := setupHTTPServer(t, true)
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
|
||||
// Create two orgs, to update another one than the logged in one
|
||||
setupOrgsDBForAccessControlTests(t, sc.db, sc, 2)
|
||||
|
||||
input := strings.NewReader(testUpdateOrgAddressForm)
|
||||
t.Run("AccessControl allows updating another org address with correct permissions", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsWrite}}, 2)
|
||||
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsAddressURL, 2), input, t)
|
||||
assert.Equal(t, http.StatusOK, response.Code)
|
||||
@ -511,12 +521,14 @@ func TestAPIEndpoint_PutOrgAddress_AccessControl(t *testing.T) {
|
||||
|
||||
input = strings.NewReader(testUpdateOrgAddressForm)
|
||||
t.Run("AccessControl prevents updating another org address with correct permissions in the current org", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsWrite}}, 1)
|
||||
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsAddressURL, 2), input, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
})
|
||||
|
||||
t.Run("AccessControl prevents updating another org address with incorrect permissions", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
|
||||
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsAddressURL, 2), input, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
|
@ -106,21 +106,22 @@ func TestAPIEndpoint_GetOrgQuotas_LegacyAccessControl(t *testing.T) {
|
||||
|
||||
func TestAPIEndpoint_GetOrgQuotas_AccessControl(t *testing.T) {
|
||||
sc := setupHTTPServer(t, true)
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
|
||||
setupDBAndSettingsForAccessControlQuotaTests(t, sc)
|
||||
|
||||
t.Run("AccessControl allows viewing another org quotas with correct permissions", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsQuotasRead}}, 2)
|
||||
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsQuotasURL, 2), nil, t)
|
||||
assert.Equal(t, http.StatusOK, response.Code)
|
||||
})
|
||||
t.Run("AccessControl prevents viewing another org quotas with correct permissions in another org", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsQuotasRead}}, 1)
|
||||
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsQuotasURL, 2), nil, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
})
|
||||
t.Run("AccessControl prevents viewing another org quotas with incorrect permissions", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
|
||||
response := callAPI(sc.server, http.MethodGet, fmt.Sprintf(getOrgsQuotasURL, 2), nil, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
@ -151,12 +152,11 @@ func TestAPIEndpoint_PutOrgQuotas_LegacyAccessControl(t *testing.T) {
|
||||
|
||||
func TestAPIEndpoint_PutOrgQuotas_AccessControl(t *testing.T) {
|
||||
sc := setupHTTPServer(t, true)
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
|
||||
setupDBAndSettingsForAccessControlQuotaTests(t, sc)
|
||||
|
||||
input := strings.NewReader(testUpdateOrgQuotaCmd)
|
||||
t.Run("AccessControl allows updating another org quotas with correct permissions", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsQuotasWrite}}, 2)
|
||||
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsQuotasURL, 2, "org_user"), input, t)
|
||||
assert.Equal(t, http.StatusOK, response.Code)
|
||||
@ -164,6 +164,7 @@ func TestAPIEndpoint_PutOrgQuotas_AccessControl(t *testing.T) {
|
||||
|
||||
input = strings.NewReader(testUpdateOrgQuotaCmd)
|
||||
t.Run("AccessControl prevents updating another org quotas with correct permissions in another org", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: ActionOrgsQuotasWrite}}, 1)
|
||||
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsQuotasURL, 2, "org_user"), input, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
@ -171,6 +172,7 @@ func TestAPIEndpoint_PutOrgQuotas_AccessControl(t *testing.T) {
|
||||
|
||||
input = strings.NewReader(testUpdateOrgQuotaCmd)
|
||||
t.Run("AccessControl prevents updating another org quotas with incorrect permissions", func(t *testing.T) {
|
||||
setInitCtxSignedInViewer(sc.initCtx)
|
||||
setAccessControlPermissions(sc.acmock, []accesscontrol.Permission{{Action: "orgs:invalid"}}, 2)
|
||||
response := callAPI(sc.server, http.MethodPut, fmt.Sprintf(putOrgsQuotasURL, 2, "org_user"), input, t)
|
||||
assert.Equal(t, http.StatusForbidden, response.Code)
|
||||
|
@ -93,7 +93,7 @@ type User struct {
|
||||
}
|
||||
|
||||
// HasGlobalAccess checks user access with globally assigned permissions only
|
||||
func HasGlobalAccess(ac AccessControl, c *models.ReqContext) func(fallback func(*models.ReqContext) bool, evaluator Evaluator) bool {
|
||||
func HasGlobalAccess(ac AccessControl, service Service, c *models.ReqContext) func(fallback func(*models.ReqContext) bool, evaluator Evaluator) bool {
|
||||
return func(fallback func(*models.ReqContext) bool, evaluator Evaluator) bool {
|
||||
if ac.IsDisabled() {
|
||||
return fallback(c)
|
||||
@ -103,12 +103,23 @@ func HasGlobalAccess(ac AccessControl, c *models.ReqContext) func(fallback func(
|
||||
userCopy.OrgID = GlobalOrgID
|
||||
userCopy.OrgRole = ""
|
||||
userCopy.OrgName = ""
|
||||
if userCopy.Permissions[GlobalOrgID] == nil {
|
||||
permissions, err := service.GetUserPermissions(c.Req.Context(), &userCopy, Options{})
|
||||
if err != nil {
|
||||
c.Logger.Error("failed fetching permissions for user", "userID", userCopy.UserID, "error", err)
|
||||
}
|
||||
userCopy.Permissions[GlobalOrgID] = GroupScopesByAction(permissions)
|
||||
}
|
||||
|
||||
hasAccess, err := ac.Evaluate(c.Req.Context(), &userCopy, evaluator)
|
||||
if err != nil {
|
||||
c.Logger.Error("Error from access control system", "error", err)
|
||||
return false
|
||||
}
|
||||
|
||||
// set on user so we don't fetch global permissions every time this is called
|
||||
c.SignedInUser.Permissions[GlobalOrgID] = userCopy.Permissions[GlobalOrgID]
|
||||
|
||||
return hasAccess
|
||||
}
|
||||
}
|
||||
|
@ -15,10 +15,10 @@ import (
|
||||
|
||||
var _ accesscontrol.AccessControl = new(AccessControl)
|
||||
|
||||
func ProvideAccessControl(cfg *setting.Cfg, service accesscontrol.Service) *AccessControl {
|
||||
func ProvideAccessControl(cfg *setting.Cfg) *AccessControl {
|
||||
logger := log.New("accesscontrol")
|
||||
return &AccessControl{
|
||||
cfg, logger, accesscontrol.NewResolvers(logger), service,
|
||||
cfg, logger, accesscontrol.NewResolvers(logger),
|
||||
}
|
||||
}
|
||||
|
||||
@ -26,7 +26,6 @@ type AccessControl struct {
|
||||
cfg *setting.Cfg
|
||||
log log.Logger
|
||||
resolvers accesscontrol.Resolvers
|
||||
service accesscontrol.Service
|
||||
}
|
||||
|
||||
func (a *AccessControl) Evaluate(ctx context.Context, user *user.SignedInUser, evaluator accesscontrol.Evaluator) (bool, error) {
|
||||
@ -34,18 +33,10 @@ func (a *AccessControl) Evaluate(ctx context.Context, user *user.SignedInUser, e
|
||||
defer timer.ObserveDuration()
|
||||
metrics.MAccessEvaluationCount.Inc()
|
||||
|
||||
if user.Permissions == nil {
|
||||
user.Permissions = map[int64]map[string][]string{}
|
||||
if !verifyPermissions(user) {
|
||||
a.log.Warn("no permissions set for user", "userID", user.UserID, "orgID", user.OrgID)
|
||||
return false, nil
|
||||
}
|
||||
|
||||
if _, ok := user.Permissions[user.OrgID]; !ok {
|
||||
permissions, err := a.service.GetUserPermissions(ctx, user, accesscontrol.Options{ReloadCache: true})
|
||||
if err != nil {
|
||||
return false, err
|
||||
}
|
||||
user.Permissions[user.OrgID] = accesscontrol.GroupScopesByAction(permissions)
|
||||
}
|
||||
|
||||
// Test evaluation without scope resolver first, this will prevent 403 for wildcard scopes when resource does not exist
|
||||
if evaluator.Evaluate(user.Permissions[user.OrgID]) {
|
||||
return true, nil
|
||||
@ -69,3 +60,7 @@ func (a *AccessControl) RegisterScopeAttributeResolver(prefix string, resolver a
|
||||
func (a *AccessControl) IsDisabled() bool {
|
||||
return accesscontrol.IsDisabled(a.cfg)
|
||||
}
|
||||
|
||||
func verifyPermissions(u *user.SignedInUser) bool {
|
||||
return u.Permissions != nil || u.Permissions[u.OrgID] != nil
|
||||
}
|
||||
|
@ -4,8 +4,6 @@ import (
|
||||
"context"
|
||||
"testing"
|
||||
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol/actest"
|
||||
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/user"
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
@ -65,8 +63,7 @@ func TestAccessControl_Evaluate(t *testing.T) {
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.desc, func(t *testing.T) {
|
||||
fakeService := actest.FakeService{}
|
||||
ac := ProvideAccessControl(setting.NewCfg(), fakeService)
|
||||
ac := ProvideAccessControl(setting.NewCfg())
|
||||
|
||||
if tt.resolver != nil {
|
||||
ac.RegisterScopeAttributeResolver(tt.resolverPrefix, tt.resolver)
|
||||
|
@ -97,7 +97,7 @@ type userCache interface {
|
||||
GetSignedInUserWithCacheCtx(ctx context.Context, query *user.GetSignedInUserQuery) (*user.SignedInUser, error)
|
||||
}
|
||||
|
||||
func AuthorizeInOrgMiddleware(ac AccessControl, cache userCache) func(web.Handler, OrgIDGetter, Evaluator) web.Handler {
|
||||
func AuthorizeInOrgMiddleware(ac AccessControl, service Service, cache userCache) func(web.Handler, OrgIDGetter, Evaluator) web.Handler {
|
||||
return func(fallback web.Handler, getTargetOrg OrgIDGetter, evaluator Evaluator) web.Handler {
|
||||
if ac.IsDisabled() {
|
||||
return fallback
|
||||
@ -127,10 +127,18 @@ func AuthorizeInOrgMiddleware(ac AccessControl, cache userCache) func(web.Handle
|
||||
userCopy.OrgRole = queryResult.OrgRole
|
||||
}
|
||||
|
||||
if userCopy.Permissions[userCopy.OrgID] == nil {
|
||||
permissions, err := service.GetUserPermissions(c.Req.Context(), &userCopy, Options{})
|
||||
if err != nil {
|
||||
deny(c, nil, fmt.Errorf("failed to authenticate user in target org: %w", err))
|
||||
}
|
||||
userCopy.Permissions[userCopy.OrgID] = GroupScopesByAction(permissions)
|
||||
}
|
||||
|
||||
authorize(c, ac, &userCopy, evaluator)
|
||||
|
||||
// Set the sign-ed in user permissions in that org
|
||||
c.SignedInUser.Permissions = userCopy.Permissions
|
||||
c.SignedInUser.Permissions[userCopy.OrgID] = userCopy.Permissions[userCopy.OrgID]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -271,6 +271,7 @@ func (dr *DashboardServiceImpl) SaveFolderForProvisionedDashboards(ctx context.C
|
||||
dto.User = &user.SignedInUser{
|
||||
UserID: 0,
|
||||
OrgRole: org.RoleAdmin,
|
||||
OrgID: dto.OrgId,
|
||||
Permissions: map[int64]map[string][]string{dto.OrgId: provisionerPermissions},
|
||||
}
|
||||
cmd, err := dr.BuildSaveDashboardCommand(ctx, dto, false, false)
|
||||
|
@ -16,8 +16,9 @@ import (
|
||||
"github.com/grafana/grafana/pkg/infra/log"
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
"github.com/grafana/grafana/pkg/plugins"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol/acimpl"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol/database"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol/actest"
|
||||
"github.com/grafana/grafana/pkg/services/contexthandler/ctxkey"
|
||||
"github.com/grafana/grafana/pkg/services/datasources"
|
||||
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
||||
@ -44,26 +45,27 @@ func setupTestServer(
|
||||
// build router to register routes
|
||||
rr := routing.NewRouteRegister()
|
||||
|
||||
// build access control - FIXME we should be able to mock this, but to get
|
||||
// tests going, we're going to instantiate full accesscontrol
|
||||
//ac := accesscontrolmock.New()
|
||||
//ac.WithDisabled()
|
||||
|
||||
// create a sqlstore for access control.
|
||||
if db == nil {
|
||||
db = sqlstore.InitTestDB(t)
|
||||
var permissions []accesscontrol.Permission
|
||||
if user != nil && user.Permissions != nil {
|
||||
for action, scopes := range user.Permissions[user.OrgID] {
|
||||
for _, scope := range scopes {
|
||||
permissions = append(permissions, accesscontrol.Permission{
|
||||
Action: action,
|
||||
Scope: scope,
|
||||
})
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
var err error
|
||||
acService, err := acimpl.ProvideService(cfg, database.ProvideService(db), rr)
|
||||
require.NoError(t, err)
|
||||
ac := acimpl.ProvideAccessControl(cfg, acService)
|
||||
acService := actest.FakeService{ExpectedPermissions: permissions, ExpectedDisabled: !cfg.RBACEnabled}
|
||||
ac := acimpl.ProvideAccessControl(cfg)
|
||||
|
||||
// build mux
|
||||
m := web.New()
|
||||
|
||||
// set initial context
|
||||
m.Use(contextProvider(&testContext{user}))
|
||||
m.Use(accesscontrol.LoadPermissionsMiddleware(acService))
|
||||
|
||||
// build api, this will mount the routes at the same time if
|
||||
// featuremgmt.FlagPublicDashboard is enabled
|
||||
|
Loading…
Reference in New Issue
Block a user