From c3a0b7535747c4d354ffc636ec7fd3187bac7c07 Mon Sep 17 00:00:00 2001 From: Eric Leijonmarck Date: Thu, 11 May 2023 09:04:22 +0100 Subject: [PATCH] RBAC: refactoring alertingQuery to remove OrgRole check (#67808) * WIP * tests passing --- pkg/services/alerting/store.go | 5 +-- pkg/services/alerting/store_test.go | 59 +++++++++++++++++++++++++---- 2 files changed, 53 insertions(+), 11 deletions(-) diff --git a/pkg/services/alerting/store.go b/pkg/services/alerting/store.go index 26613090fb4..a60b1591ffa 100644 --- a/pkg/services/alerting/store.go +++ b/pkg/services/alerting/store.go @@ -12,7 +12,6 @@ import ( alertmodels "github.com/grafana/grafana/pkg/services/alerting/models" "github.com/grafana/grafana/pkg/services/dashboards" "github.com/grafana/grafana/pkg/services/featuremgmt" - "github.com/grafana/grafana/pkg/services/org" "github.com/grafana/grafana/pkg/services/tag" "github.com/grafana/grafana/pkg/setting" ) @@ -168,9 +167,7 @@ func (ss *sqlStore) HandleAlertsQuery(ctx context.Context, query *alertmodels.Ge builder.Write(")") } - if query.User.OrgRole != org.RoleAdmin { - builder.WriteDashboardPermissionFilter(query.User, dashboards.PERMISSION_VIEW) - } + builder.WriteDashboardPermissionFilter(query.User, dashboards.PERMISSION_VIEW) builder.Write(" ORDER BY name ASC") diff --git a/pkg/services/alerting/store_test.go b/pkg/services/alerting/store_test.go index b612398922d..11368a75229 100644 --- a/pkg/services/alerting/store_test.go +++ b/pkg/services/alerting/store_test.go 
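Review bot: With the `OrgRole != org.RoleAdmin` shortcut removed, `WriteDashboardPermissionFilter` becomes the only authorization gate on the alerts query in `HandleAlertsQuery`, and nothing at the call site records that. The fixture changes in `store_test.go` suggest that an admin whose `SignedInUser` carries no `Permissions` now gets an empty result. That fails closed, but silently, so any caller that constructs `query.User` itself should be checked for resolved permissions. I would add a comment above the call, for example `// Always filter by dashboard view permission: org admins get no bypass, so query.User must carry resolved RBAC permissions.` The body of `HandleAlertsQuery` starts and ends outside this hunk.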
@@ -84,6 +84,13 @@ func TestIntegrationAlertingDataAccess(t *testing.T) { // Get alert so we can use its ID in tests signedInUser := &user.SignedInUser{ OrgRole: org.RoleAdmin, + OrgID: 1, + Permissions: map[int64]map[string][]string{ + 1: { + dashboards.ActionFoldersRead: {dashboards.ScopeDashboardsAll, dashboards.ScopeFoldersAll}, + dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll, dashboards.ScopeFoldersAll}, + }, + }, } alertQuery := models.GetAlertsQuery{DashboardIDs: []int64{testDash.ID}, PanelID: 1, OrgID: 1, User: signedInUser} result, err2 := store.HandleAlertsQuery(context.Background(), &alertQuery) @@ -142,7 +149,16 @@ func TestIntegrationAlertingDataAccess(t *testing.T) { t.Run("Can read properties", func(t *testing.T) { setup(t) - alertQuery := models.GetAlertsQuery{DashboardIDs: []int64{testDash.ID}, PanelID: 1, OrgID: 1, User: &user.SignedInUser{OrgRole: org.RoleAdmin}} + signedInUser := &user.SignedInUser{ + OrgRole: org.RoleAdmin, + OrgID: 1, + Permissions: map[int64]map[string][]string{ + 1: { + dashboards.ActionFoldersRead: {dashboards.ScopeDashboardsAll, dashboards.ScopeFoldersAll}, + dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll, dashboards.ScopeFoldersAll}, + }, + }} + alertQuery := models.GetAlertsQuery{DashboardIDs: []int64{testDash.ID}, PanelID: 1, OrgID: 1, User: signedInUser} result, err2 := store.HandleAlertsQuery(context.Background(), &alertQuery) alert := result[0] 
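Review bot: Every fixture this commit touches grants an admin the wildcard read scopes, so the tests only exercise the allow path of the permission filter. Nothing asserts that `HandleAlertsQuery` returns no alerts for a user without `dashboards.ActionDashboardsRead`, which is the behaviour this commit makes load-bearing. A subtest like the one below, placed next to "Can read properties", would pin the deny path for the admin case that used to bypass the filter. The expected empty result assumes the RBAC filter is the one active under the test config, so confirm that before merging. `TestIntegrationAlertingDataAccess` starts and ends outside this hunk.

```go
// … unchanged: existing subtests of TestIntegrationAlertingDataAccess …
t.Run("Admin without dashboard read permission sees no alerts", func(t *testing.T) {
	setup(t)
	// Same org and role as the other fixtures, but no Permissions map.
	noAccess := &user.SignedInUser{OrgRole: org.RoleAdmin, OrgID: 1}
	query := models.GetAlertsQuery{DashboardIDs: []int64{testDash.ID}, OrgID: 1, User: noAccess}
	res, err := store.HandleAlertsQuery(context.Background(), &query)
	require.Nil(t, err)
	require.Empty(t, res)
})
```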
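Review bot: The `signedInUser` literal added in "Can read properties" is the same admin-with-wildcard-scopes fixture already added in the hunk at -84, and it is repeated again in the hunks at -189, -209 and -307. Five hand-written copies of a permission map are easy to let drift, and a copy with a missing scope would silently turn an allow-path test into a deny-path one. I would extract one file-local helper that takes the org ID and returns the `*user.SignedInUser`, and call it from each subtest. The closing `}}` here is also formatted differently from the `},` / `}` form used in the -84 hunk.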
@@ -189,7 +205,16 @@ func TestIntegrationAlertingDataAccess(t *testing.T) { }) t.Run("Alerts should be updated", func(t *testing.T) { - query := models.GetAlertsQuery{DashboardIDs: []int64{testDash.ID}, OrgID: 1, User: &user.SignedInUser{OrgRole: org.RoleAdmin}} + signedInUser := &user.SignedInUser{ + OrgRole: org.RoleAdmin, + OrgID: 1, + Permissions: map[int64]map[string][]string{ + 1: { + dashboards.ActionFoldersRead: {dashboards.ScopeDashboardsAll, dashboards.ScopeFoldersAll}, + dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll, dashboards.ScopeFoldersAll}, + }, + }} + query := models.GetAlertsQuery{DashboardIDs: []int64{testDash.ID}, OrgID: 1, User: signedInUser} res, err2 := store.HandleAlertsQuery(context.Background(), &query) require.Nil(t, err2) @@ -209,6 +234,16 @@ func TestIntegrationAlertingDataAccess(t *testing.T) { t.Run("Multiple alerts per dashboard", func(t *testing.T) { setup(t) + signedInUser := &user.SignedInUser{ + OrgRole: org.RoleAdmin, + OrgID: 1, + Permissions: map[int64]map[string][]string{ + 1: { + dashboards.ActionFoldersRead: {dashboards.ScopeDashboardsAll, dashboards.ScopeFoldersAll}, + dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll, dashboards.ScopeFoldersAll}, + }, + }, + } multipleItems := []*models.Alert{ { DashboardID: testDash.ID, @@ -238,7 +273,7 @@ func TestIntegrationAlertingDataAccess(t *testing.T) { t.Run("Should save 3 dashboards", func(t *testing.T) { require.Nil(t, err) - queryForDashboard := models.GetAlertsQuery{DashboardIDs: []int64{testDash.ID}, OrgID: 1, User: &user.SignedInUser{OrgRole: org.RoleAdmin}} + queryForDashboard := models.GetAlertsQuery{DashboardIDs: []int64{testDash.ID}, OrgID: 1, User: signedInUser} res, err2 := store.HandleAlertsQuery(context.Background(), &queryForDashboard) require.Nil(t, err2) 
@@ -251,7 +286,7 @@ func TestIntegrationAlertingDataAccess(t *testing.T) { err = store.SaveAlerts(context.Background(), testDash.ID, missingOneAlert) t.Run("should delete the missing alert", func(t *testing.T) { - query := models.GetAlertsQuery{DashboardIDs: []int64{testDash.ID}, OrgID: 1, User: &user.SignedInUser{OrgRole: org.RoleAdmin}} + query := models.GetAlertsQuery{DashboardIDs: []int64{testDash.ID}, OrgID: 1, User: signedInUser} res, err2 := store.HandleAlertsQuery(context.Background(), &query) require.Nil(t, err2) require.Equal(t, 2, len(res)) @@ -299,7 +334,8 @@ func TestIntegrationPausingAlerts(t *testing.T) { t.Run("Given an alert", func(t *testing.T) { ss := db.InitTestDB(t) - sqlStore := sqlStore{db: ss, log: log.New(), tagService: tagimpl.ProvideService(ss, ss.Cfg)} + cfg := setting.NewCfg() + sqlStore := sqlStore{db: ss, cfg: cfg, log: log.New(), tagService: tagimpl.ProvideService(ss, ss.Cfg)} testDash := insertTestDashboard(t, sqlStore.db, "dashboard with alerts", 1, 0, false, "alert") alert, err := insertTestAlert("Alerting title", "Alerting message", testDash.OrgID, testDash.ID, simplejson.New(), sqlStore) 
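Review bot: In the `TestIntegrationPausingAlerts` hunk the store is now built with two different config objects: `cfg: cfg` is a fresh `setting.NewCfg()`, while `tagimpl.ProvideService(ss, ss.Cfg)` still uses the test database's config. If the permission filter reads access-control or feature settings from `sqlStore.cfg`, as the need for this field suggests, the test evaluates authorization under defaults rather than under the config the DB was initialised with. Unless the defaults are intended, I would reuse the existing object: `sqlStore := sqlStore{db: ss, cfg: ss.Cfg, log: log.New(), tagService: tagimpl.ProvideService(ss, ss.Cfg)}`. The enclosing `t.Run` closure continues outside this hunk.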
@@ -307,9 +343,18 @@ func TestIntegrationPausingAlerts(t *testing.T) { stateDateBeforePause := alert.NewStateDate stateDateAfterPause := stateDateBeforePause - + signedInUser := &user.SignedInUser{ + OrgRole: org.RoleAdmin, + OrgID: testDash.OrgID, + Permissions: map[int64]map[string][]string{ + testDash.OrgID: { + dashboards.ActionFoldersRead: {dashboards.ScopeDashboardsAll, dashboards.ScopeFoldersAll}, + dashboards.ActionDashboardsRead: {dashboards.ScopeDashboardsAll, dashboards.ScopeFoldersAll}, + }, + }, + } // Get alert so we can use its ID in tests - alertQuery := models.GetAlertsQuery{DashboardIDs: []int64{testDash.ID}, PanelID: 1, OrgID: 1, User: &user.SignedInUser{OrgRole: org.RoleAdmin}} + alertQuery := models.GetAlertsQuery{DashboardIDs: []int64{testDash.ID}, PanelID: 1, OrgID: 1, User: signedInUser} res, err2 := sqlStore.HandleAlertsQuery(context.Background(), &alertQuery) require.Nil(t, err2)
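Review bot: The new fixture keys both `OrgID` and the `Permissions` map on `testDash.OrgID`, but the `alertQuery` built right after it still hard-codes `OrgID: 1`. The two agree only because `insertTestDashboard` is called with org 1. If that argument changes, the query org and the user's permission org diverge, and the test would then check a cross-org lookup without saying so. I would make the query follow the fixture: `alertQuery := models.GetAlertsQuery{DashboardIDs: []int64{testDash.ID}, PanelID: 1, OrgID: testDash.OrgID, User: signedInUser}`. The enclosing subtest starts and ends outside this hunk.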