Access control: Set default permissions for data sources when using access control (#45482)

* Rename interfaces and use then with wire injection

* Set default permissions when creating new data source

pkg/services/accesscontrol/accesscontrol.go

@@ -37,7 +37,12 @@ type PermissionsProvider interface {
 	GetUserPermissions(ctx context.Context, query GetUserPermissionsQuery) ([]*Permission, error)
 }
 
-type ResourcePermissionsService interface {
+type PermissionsServices interface {
+	GetTeamService() PermissionsService
+	GetDataSourceService() PermissionsService
+}
+
+type PermissionsService interface {
 	// GetPermissions returns all permissions for given resourceID
 	GetPermissions(ctx context.Context, orgID int64, resourceID string) ([]ResourcePermission, error)
 	// SetUserPermission sets permission on resource for a user

pkg/services/accesscontrol/mock/permissions_services_mock.go

@@ -0,0 +1,27 @@
+package mock
+
+import (
+	"github.com/grafana/grafana/pkg/services/accesscontrol"
+)
+
+var _ accesscontrol.PermissionsServices = new(PermissionsServicesMock)
+
+func NewPermissionsServicesMock() *PermissionsServicesMock {
+	return &PermissionsServicesMock{
+		teams:       &MockPermissionsService{},
+		datasources: &MockPermissionsService{},
+	}
+}
+
+type PermissionsServicesMock struct {
+	teams       *MockPermissionsService
+	datasources *MockPermissionsService
+}
+
+func (p PermissionsServicesMock) GetTeamService() accesscontrol.PermissionsService {
+	return p.teams
+}
+
+func (p PermissionsServicesMock) GetDataSourceService() accesscontrol.PermissionsService {
+	return p.datasources
+}

pkg/services/accesscontrol/mock/service_mock.go

@@ -0,0 +1,40 @@
+package mock
+
+import (
+	"context"
+
+	"github.com/stretchr/testify/mock"
+
+	"github.com/grafana/grafana/pkg/services/accesscontrol"
+)
+
+var _ accesscontrol.PermissionsService = new(MockPermissionsService)
+
+type MockPermissionsService struct {
+	mock.Mock
+}
+
+func (m *MockPermissionsService) GetPermissions(ctx context.Context, orgID int64, resourceID string) ([]accesscontrol.ResourcePermission, error) {
+	mockedArgs := m.Called(ctx, orgID, resourceID)
+	return mockedArgs.Get(0).([]accesscontrol.ResourcePermission), mockedArgs.Error(1)
+}
+
+func (m *MockPermissionsService) SetUserPermission(ctx context.Context, orgID int64, user accesscontrol.User, resourceID, permission string) (*accesscontrol.ResourcePermission, error) {
+	mockedArgs := m.Called(ctx, orgID, user, resourceID, permission)
+	return mockedArgs.Get(0).(*accesscontrol.ResourcePermission), mockedArgs.Error(1)
+}
+
+func (m *MockPermissionsService) SetTeamPermission(ctx context.Context, orgID, teamID int64, resourceID, permission string) (*accesscontrol.ResourcePermission, error) {
+	mockedArgs := m.Called(ctx, orgID, teamID, resourceID, permission)
+	return mockedArgs.Get(0).(*accesscontrol.ResourcePermission), mockedArgs.Error(1)
+}
+
+func (m *MockPermissionsService) SetBuiltInRolePermission(ctx context.Context, orgID int64, builtInRole, resourceID, permission string) (*accesscontrol.ResourcePermission, error) {
+	mockedArgs := m.Called(ctx, orgID, builtInRole, resourceID, permission)
+	return mockedArgs.Get(0).(*accesscontrol.ResourcePermission), mockedArgs.Error(1)
+}
+
+func (m *MockPermissionsService) SetPermissions(ctx context.Context, orgID int64, resourceID string, commands ...accesscontrol.SetResourcePermissionCommand) ([]accesscontrol.ResourcePermission, error) {
+	mockedArgs := m.Called(ctx, orgID, resourceID, commands)
+	return mockedArgs.Get(0).([]accesscontrol.ResourcePermission), mockedArgs.Error(1)
+}

pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go

@@ -11,7 +11,6 @@ import (
 	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
 	"github.com/grafana/grafana/pkg/services/accesscontrol/api"
-	"github.com/grafana/grafana/pkg/services/accesscontrol/resourceservices"
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
 	"github.com/prometheus/client_golang/prometheus"
 )
@@ -116,7 +115,7 @@ func (ac *OSSAccessControlService) GetUserPermissions(ctx context.Context, user
 		OrgID:   user.OrgId,
 		UserID:  user.UserId,
 		Roles:   ac.GetUserBuiltInRoles(user),
-		Actions: resourceservices.TeamAdminActions,
+		Actions: TeamAdminActions,
 	})
 	if err != nil {
 		return nil, err

pkg/services/accesscontrol/ossaccesscontrol/permissions_services.go

@@ -1,4 +1,4 @@
-package resourceservices
+package ossaccesscontrol
 
 import (
 	"context"
@@ -12,23 +12,26 @@ import (
 	"github.com/grafana/grafana/pkg/services/sqlstore"
 )
 
-func ProvideResourceServices(router routing.RouteRegister, sql *sqlstore.SQLStore, ac accesscontrol.AccessControl, store resourcepermissions.Store) (*ResourceServices, error) {
+func ProvidePermissionsServices(router routing.RouteRegister, sql *sqlstore.SQLStore, ac accesscontrol.AccessControl, store resourcepermissions.Store) (*PermissionsService, error) {
 	teamPermissions, err := ProvideTeamPermissions(router, sql, ac, store)
 	if err != nil {
 		return nil, err
 	}
 
-	return &ResourceServices{services: map[string]*resourcepermissions.Service{
-		"teams": teamPermissions,
-	}}, nil
+	return &PermissionsService{teams: teamPermissions, datasources: provideEmptyPermissionsService()}, nil
 }
 
-type ResourceServices struct {
-	services map[string]*resourcepermissions.Service
+type PermissionsService struct {
+	teams       accesscontrol.PermissionsService
+	datasources accesscontrol.PermissionsService
 }
 
-func (s *ResourceServices) GetTeamService() *resourcepermissions.Service {
-	return s.services["teams"]
+func (s *PermissionsService) GetTeamService() accesscontrol.PermissionsService {
+	return s.teams
+}
+
+func (s *PermissionsService) GetDataSourceService() accesscontrol.PermissionsService {
+	return s.datasources
 }
 
 var (
@@ -101,3 +104,31 @@ func ProvideTeamPermissions(router routing.RouteRegister, sql *sqlstore.SQLStore
 
 	return resourcepermissions.New(options, router, ac, store, sql)
 }
+
+func provideEmptyPermissionsService() accesscontrol.PermissionsService {
+	return &emptyPermissionsService{}
+}
+
+var _ accesscontrol.PermissionsService = new(emptyPermissionsService)
+
+type emptyPermissionsService struct{}
+
+func (e emptyPermissionsService) GetPermissions(ctx context.Context, orgID int64, resourceID string) ([]accesscontrol.ResourcePermission, error) {
+	return nil, nil
+}
+
+func (e emptyPermissionsService) SetUserPermission(ctx context.Context, orgID int64, user accesscontrol.User, resourceID, permission string) (*accesscontrol.ResourcePermission, error) {
+	return nil, nil
+}
+
+func (e emptyPermissionsService) SetTeamPermission(ctx context.Context, orgID, teamID int64, resourceID, permission string) (*accesscontrol.ResourcePermission, error) {
+	return nil, nil
+}
+
+func (e emptyPermissionsService) SetBuiltInRolePermission(ctx context.Context, orgID int64, builtInRole string, resourceID string, permission string) (*accesscontrol.ResourcePermission, error) {
+	return nil, nil
+}
+
+func (e emptyPermissionsService) SetPermissions(ctx context.Context, orgID int64, resourceID string, commands ...accesscontrol.SetResourcePermissionCommand) ([]accesscontrol.ResourcePermission, error) {
+	return nil, nil
+}

pkg/services/accesscontrol/resourcepermissions/service_mock.go

@@ -1,40 +0,0 @@
-package resourcepermissions
-
-import (
-	"context"
-
-	"github.com/stretchr/testify/mock"
-
-	"github.com/grafana/grafana/pkg/services/accesscontrol"
-)
-
-var _ accesscontrol.ResourcePermissionsService = new(MockService)
-
-type MockService struct {
-	mock.Mock
-}
-
-func (m *MockService) GetPermissions(ctx context.Context, orgID int64, resourceID string) ([]accesscontrol.ResourcePermission, error) {
-	mockedArgs := m.Called(ctx, orgID, resourceID)
-	return mockedArgs.Get(0).([]accesscontrol.ResourcePermission), mockedArgs.Error(1)
-}
-
-func (m *MockService) SetUserPermission(ctx context.Context, orgID int64, user accesscontrol.User, resourceID, permission string) (*accesscontrol.ResourcePermission, error) {
-	mockedArgs := m.Called(ctx, orgID, user, resourceID, permission)
-	return mockedArgs.Get(0).(*accesscontrol.ResourcePermission), mockedArgs.Error(1)
-}
-
-func (m *MockService) SetTeamPermission(ctx context.Context, orgID, teamID int64, resourceID, permission string) (*accesscontrol.ResourcePermission, error) {
-	mockedArgs := m.Called(ctx, orgID, teamID, resourceID, permission)
-	return mockedArgs.Get(0).(*accesscontrol.ResourcePermission), mockedArgs.Error(1)
-}
-
-func (m *MockService) SetBuiltInRolePermission(ctx context.Context, orgID int64, builtInRole, resourceID, permission string) (*accesscontrol.ResourcePermission, error) {
-	mockedArgs := m.Called(ctx, orgID, builtInRole, resourceID, permission)
-	return mockedArgs.Get(0).(*accesscontrol.ResourcePermission), mockedArgs.Error(1)
-}
-
-func (m *MockService) SetPermissions(ctx context.Context, orgID int64, resourceID string, commands ...accesscontrol.SetResourcePermissionCommand) ([]accesscontrol.ResourcePermission, error) {
-	mockedArgs := m.Called(ctx, orgID, resourceID, commands)
-	return mockedArgs.Get(0).([]accesscontrol.ResourcePermission), mockedArgs.Error(1)
-}

pkg/services/datasources/service/datasource_service.go

@@ -16,6 +16,7 @@ import (
 	"github.com/grafana/grafana/pkg/infra/httpclient"
 	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
+	"github.com/grafana/grafana/pkg/services/featuremgmt"
 	"github.com/grafana/grafana/pkg/services/secrets"
 	"github.com/grafana/grafana/pkg/services/sqlstore"
 	"github.com/grafana/grafana/pkg/setting"
@@ -23,9 +24,11 @@ import (
 )
 
 type Service struct {
-	Bus            bus.Bus
-	SQLStore       *sqlstore.SQLStore
-	SecretsService secrets.Service
+	Bus                bus.Bus
+	SQLStore           *sqlstore.SQLStore
+	SecretsService     secrets.Service
+	features           featuremgmt.FeatureToggles
+	permissionsService accesscontrol.PermissionsService
 
 	ptc               proxyTransportCache
 	dsDecryptionCache secureJSONDecryptionCache
@@ -51,7 +54,10 @@ type cachedDecryptedJSON struct {
 	json    map[string]string
 }
 
-func ProvideService(bus bus.Bus, store *sqlstore.SQLStore, secretsService secrets.Service, ac accesscontrol.AccessControl) *Service {
+func ProvideService(
+	bus bus.Bus, store *sqlstore.SQLStore, secretsService secrets.Service, features featuremgmt.FeatureToggles,
+	ac accesscontrol.AccessControl, permissionsServices accesscontrol.PermissionsServices,
+) *Service {
 	s := &Service{
 		Bus:            bus,
 		SQLStore:       store,
@@ -62,6 +68,8 @@ func ProvideService(bus bus.Bus, store *sqlstore.SQLStore, secretsService secret
 		dsDecryptionCache: secureJSONDecryptionCache{
 			cache: make(map[int64]cachedDecryptedJSON),
 		},
+		features:           features,
+		permissionsService: permissionsServices.GetDataSourceService(),
 	}
 
 	s.Bus.AddHandler(s.GetDataSources)
@@ -128,7 +136,23 @@ func (s *Service) AddDataSource(ctx context.Context, cmd *models.AddDataSourceCo
 		return err
 	}
 
-	return s.SQLStore.AddDataSource(ctx, cmd)
+	if err := s.SQLStore.AddDataSource(ctx, cmd); err != nil {
+		return err
+	}
+
+	if s.features.IsEnabled(featuremgmt.FlagAccesscontrol) {
+		if _, err := s.permissionsService.SetPermissions(ctx, cmd.OrgId, strconv.FormatInt(cmd.Result.Id, 10), accesscontrol.SetResourcePermissionCommand{
+			BuiltinRole: "Viewer",
+			Permission:  "Query",
+		}, accesscontrol.SetResourcePermissionCommand{
+			BuiltinRole: "Editor",
+			Permission:  "Query",
+		}); err != nil {
+			return err
+		}
+	}
+
+	return nil
 }
 
 func (s *Service) DeleteDataSource(ctx context.Context, cmd *models.DeleteDataSourceCommand) error {

pkg/services/datasources/service/datasource_service_test.go

@@ -15,6 +15,7 @@ import (
 	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
 	acmock "github.com/grafana/grafana/pkg/services/accesscontrol/mock"
+	"github.com/grafana/grafana/pkg/services/featuremgmt"
 	"github.com/grafana/grafana/pkg/services/secrets"
 	"github.com/grafana/grafana/pkg/services/secrets/database"
 	"github.com/grafana/grafana/pkg/services/secrets/fakes"
@@ -36,7 +37,7 @@ func TestService(t *testing.T) {
 	})
 
 	secretsService := secretsManager.SetupTestService(t, database.ProvideSecretsStore(sqlStore))
-	s := ProvideService(bus.New(), sqlStore, secretsService, &acmock.Mock{})
+	s := ProvideService(bus.New(), sqlStore, secretsService, featuremgmt.WithFeatures(), &acmock.Mock{}, acmock.NewPermissionsServicesMock())
 
 	var ds *models.DataSource
 
@@ -151,7 +152,7 @@ func TestService_GetHttpTransport(t *testing.T) {
 		}
 
 		secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
-		dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
+		dsService := ProvideService(bus.New(), nil, secretsService, featuremgmt.WithFeatures(), &acmock.Mock{}, acmock.NewPermissionsServicesMock())
 
 		rt1, err := dsService.GetHTTPTransport(&ds, provider)
 		require.NoError(t, err)
@@ -184,7 +185,7 @@ func TestService_GetHttpTransport(t *testing.T) {
 		json.Set("tlsAuthWithCACert", true)
 
 		secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
-		dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
+		dsService := ProvideService(bus.New(), nil, secretsService, featuremgmt.WithFeatures(), &acmock.Mock{}, acmock.NewPermissionsServicesMock())
 
 		tlsCaCert, err := secretsService.Encrypt(context.Background(), []byte(caCert), secrets.WithoutScope())
 		require.NoError(t, err)
@@ -234,7 +235,7 @@ func TestService_GetHttpTransport(t *testing.T) {
 		json.Set("tlsAuth", true)
 
 		secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
-		dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
+		dsService := ProvideService(bus.New(), nil, secretsService, featuremgmt.WithFeatures(), &acmock.Mock{}, acmock.NewPermissionsServicesMock())
 
 		tlsClientCert, err := secretsService.Encrypt(context.Background(), []byte(clientCert), secrets.WithoutScope())
 		require.NoError(t, err)
@@ -277,7 +278,7 @@ func TestService_GetHttpTransport(t *testing.T) {
 		json.Set("serverName", "server-name")
 
 		secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
-		dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
+		dsService := ProvideService(bus.New(), nil, secretsService, featuremgmt.WithFeatures(), &acmock.Mock{}, acmock.NewPermissionsServicesMock())
 
 		tlsCaCert, err := secretsService.Encrypt(context.Background(), []byte(caCert), secrets.WithoutScope())
 		require.NoError(t, err)
@@ -314,7 +315,7 @@ func TestService_GetHttpTransport(t *testing.T) {
 		json.Set("tlsSkipVerify", true)
 
 		secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
-		dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
+		dsService := ProvideService(bus.New(), nil, secretsService, featuremgmt.WithFeatures(), &acmock.Mock{}, acmock.NewPermissionsServicesMock())
 
 		ds := models.DataSource{
 			Id:       1,
@@ -345,7 +346,7 @@ func TestService_GetHttpTransport(t *testing.T) {
 		})
 
 		secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
-		dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
+		dsService := ProvideService(bus.New(), nil, secretsService, featuremgmt.WithFeatures(), &acmock.Mock{}, acmock.NewPermissionsServicesMock())
 
 		encryptedData, err := secretsService.Encrypt(context.Background(), []byte(`Bearer xf5yhfkpsnmgo`), secrets.WithoutScope())
 		require.NoError(t, err)
@@ -404,7 +405,7 @@ func TestService_GetHttpTransport(t *testing.T) {
 		})
 
 		secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
-		dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
+		dsService := ProvideService(bus.New(), nil, secretsService, featuremgmt.WithFeatures(), &acmock.Mock{}, acmock.NewPermissionsServicesMock())
 
 		ds := models.DataSource{
 			Id:       1,
@@ -437,7 +438,7 @@ func TestService_GetHttpTransport(t *testing.T) {
 		require.NoError(t, err)
 
 		secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
-		dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
+		dsService := ProvideService(bus.New(), nil, secretsService, featuremgmt.WithFeatures(), &acmock.Mock{}, acmock.NewPermissionsServicesMock())
 
 		ds := models.DataSource{
 			Type:     models.DS_ES,
@@ -471,7 +472,7 @@ func TestService_getTimeout(t *testing.T) {
 	}
 
 	secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
-	dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
+	dsService := ProvideService(bus.New(), nil, secretsService, featuremgmt.WithFeatures(), &acmock.Mock{}, acmock.NewPermissionsServicesMock())
 
 	for _, tc := range testCases {
 		ds := &models.DataSource{
@@ -484,7 +485,7 @@ func TestService_getTimeout(t *testing.T) {
 func TestService_DecryptedValue(t *testing.T) {
 	t.Run("When datasource hasn't been updated, encrypted JSON should be fetched from cache", func(t *testing.T) {
 		secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
-		dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
+		dsService := ProvideService(bus.New(), nil, secretsService, featuremgmt.WithFeatures(), &acmock.Mock{}, acmock.NewPermissionsServicesMock())
 
 		encryptedJsonData, err := secretsService.EncryptJsonData(
 			context.Background(),
@@ -538,7 +539,7 @@ func TestService_DecryptedValue(t *testing.T) {
 			SecureJsonData: encryptedJsonData,
 		}
 
-		dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
+		dsService := ProvideService(bus.New(), nil, secretsService, featuremgmt.WithFeatures(), &acmock.Mock{}, acmock.NewPermissionsServicesMock())
 
 		// Populate cache
 		password, ok := dsService.DecryptedValue(&ds, "password")
@@ -574,7 +575,7 @@ func TestService_HTTPClientOptions(t *testing.T) {
 			t.Cleanup(func() { ds.JsonData = emptyJsonData; ds.SecureJsonData = emptySecureJsonData })
 
 			secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
-			dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
+			dsService := ProvideService(bus.New(), nil, secretsService, featuremgmt.WithFeatures(), &acmock.Mock{}, acmock.NewPermissionsServicesMock())
 
 			opts, err := dsService.httpClientOptions(&ds)
 			require.NoError(t, err)
@@ -592,7 +593,7 @@ func TestService_HTTPClientOptions(t *testing.T) {
 			})
 
 			secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
-			dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
+			dsService := ProvideService(bus.New(), nil, secretsService, featuremgmt.WithFeatures(), &acmock.Mock{}, acmock.NewPermissionsServicesMock())
 
 			opts, err := dsService.httpClientOptions(&ds)
 			require.NoError(t, err)
@@ -611,7 +612,7 @@ func TestService_HTTPClientOptions(t *testing.T) {
 			})
 
 			secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
-			dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
+			dsService := ProvideService(bus.New(), nil, secretsService, featuremgmt.WithFeatures(), &acmock.Mock{}, acmock.NewPermissionsServicesMock())
 
 			_, err := dsService.httpClientOptions(&ds)
 			assert.Error(t, err)
@@ -625,7 +626,7 @@ func TestService_HTTPClientOptions(t *testing.T) {
 			})
 
 			secretsService := secretsManager.SetupTestService(t, fakes.NewFakeSecretsStore())
-			dsService := ProvideService(bus.New(), nil, secretsService, &acmock.Mock{})
+			dsService := ProvideService(bus.New(), nil, secretsService, featuremgmt.WithFeatures(), &acmock.Mock{}, acmock.NewPermissionsServicesMock())
 
 			opts, err := dsService.httpClientOptions(&ds)
 			require.NoError(t, err)