Add auth spans and remove deduplication code for scopes (#89804)

Adds more spans for timing in accesscontrol and removes the permission-deduplicating code after benchmarking

---------

Signed-off-by: Dave Henderson <dave.henderson@grafana.com>
Co-authored-by: Dave Henderson <dave.henderson@grafana.com>
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
Jeff Levin
2024-07-02 22:08:57 -08:00
committed by GitHub
parent 5b6edc96d9
commit cfe8317d45
36 changed files with 279 additions and 97 deletions


@@ -250,12 +250,12 @@ func setupScenarioContextSamlLogout(t *testing.T, url string) *scenarioContext {
// FIXME: This user should not be anonymous
func authedUserWithPermissions(userID, orgID int64, permissions []accesscontrol.Permission) *user.SignedInUser {
return &user.SignedInUser{UserID: userID, OrgID: orgID, OrgRole: org.RoleViewer, Permissions: map[int64]map[string][]string{orgID: accesscontrol.GroupScopesByAction(permissions)}}
return &user.SignedInUser{UserID: userID, OrgID: orgID, OrgRole: org.RoleViewer, Permissions: map[int64]map[string][]string{orgID: accesscontrol.GroupScopesByActionContext(context.Background(), permissions)}}
}
// FIXME: This user should not be anonymous
func userWithPermissions(orgID int64, permissions []accesscontrol.Permission) *user.SignedInUser {
return &user.SignedInUser{IsAnonymous: true, OrgID: orgID, OrgRole: org.RoleViewer, Permissions: map[int64]map[string][]string{orgID: accesscontrol.GroupScopesByAction(permissions)}}
return &user.SignedInUser{IsAnonymous: true, OrgID: orgID, OrgRole: org.RoleViewer, Permissions: map[int64]map[string][]string{orgID: accesscontrol.GroupScopesByActionContext(context.Background(), permissions)}}
}
func setupSimpleHTTPServer(features featuremgmt.FeatureToggles) *HTTPServer {
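Review bot: The `// FIXME: This user should not be anonymous` comment directly above `authedUserWithPermissions` no longer matches the function it annotates: the rewritten return on the line below constructs a `user.SignedInUser` with `UserID` set and no `IsAnonymous` flag, so it appears to be a copy of the comment that belongs to `userWithPermissions`. Since this line is being touched anyway, drop the stale FIXME on `authedUserWithPermissions` and leave only the one on `userWithPermissions`, or reword it to say what is actually outstanding for the authenticated fixture. The same `GroupScopesByActionContext(context.Background(), …)` migration repeats in the other test sections of this commit; a stale-comment check there is not needed as those hunks carry no comments.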


@@ -1,6 +1,7 @@
package api
import (
"context"
"encoding/json"
"fmt"
"net/http"
@@ -282,7 +283,7 @@ func TestHTTPServer_FolderMetadata(t *testing.T) {
req := server.NewGetRequest("/api/folders/folderUid?accesscontrol=true")
webtest.RequestWithSignedInUser(req, &user.SignedInUser{UserID: 1, OrgID: 1, Permissions: map[int64]map[string][]string{
1: accesscontrol.GroupScopesByAction([]accesscontrol.Permission{
1: accesscontrol.GroupScopesByActionContext(context.Background(), []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: dashboards.ScopeFoldersAll},
{Action: dashboards.ActionFoldersWrite, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID("folderUid")},
}),
@@ -311,7 +312,7 @@ func TestHTTPServer_FolderMetadata(t *testing.T) {
req := server.NewGetRequest("/api/folders/folderUid?accesscontrol=true")
webtest.RequestWithSignedInUser(req, &user.SignedInUser{UserID: 1, OrgID: 1, Permissions: map[int64]map[string][]string{
1: accesscontrol.GroupScopesByAction([]accesscontrol.Permission{
1: accesscontrol.GroupScopesByActionContext(context.Background(), []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: dashboards.ScopeFoldersAll},
{Action: dashboards.ActionFoldersWrite, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID("parentUid")},
{Action: dashboards.ActionDashboardsCreate, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID("folderUid")},
@@ -336,7 +337,7 @@ func TestHTTPServer_FolderMetadata(t *testing.T) {
req := server.NewGetRequest("/api/folders/folderUid")
webtest.RequestWithSignedInUser(req, &user.SignedInUser{UserID: 1, OrgID: 1, Permissions: map[int64]map[string][]string{
1: accesscontrol.GroupScopesByAction([]accesscontrol.Permission{
1: accesscontrol.GroupScopesByActionContext(context.Background(), []accesscontrol.Permission{
{Action: dashboards.ActionFoldersRead, Scope: dashboards.ScopeFoldersAll},
{Action: dashboards.ActionFoldersWrite, Scope: dashboards.ScopeFoldersProvider.GetResourceScopeUID("folderUid")},
}),


@@ -1,6 +1,7 @@
package api
import (
"context"
"net/http"
"strings"
"testing"
@@ -220,7 +221,7 @@ func TestAPIEndpoint_DeleteOrgs(t *testing.T) {
expectedIdentity := &authn.Identity{
OrgID: 1,
Permissions: map[int64]map[string][]string{
1: accesscontrol.GroupScopesByAction(tt.permission),
1: accesscontrol.GroupScopesByActionContext(context.Background(), tt.permission),
},
}
@@ -269,8 +270,8 @@ func TestAPIEndpoint_GetOrg(t *testing.T) {
ID: authn.MustParseNamespaceID("user:1"),
OrgID: 1,
Permissions: map[int64]map[string][]string{
0: accesscontrol.GroupScopesByAction(tt.permissions),
1: accesscontrol.GroupScopesByAction(tt.permissions),
0: accesscontrol.GroupScopesByActionContext(context.Background(), tt.permissions),
1: accesscontrol.GroupScopesByActionContext(context.Background(), tt.permissions),
},
}


@@ -70,7 +70,7 @@ func TestCallResource(t *testing.T) {
t.Run("Test successful response is received for valid request", func(t *testing.T) {
req := srv.NewPostRequest("/api/plugins/grafana-testdata-datasource/resources/test", strings.NewReader(`{"test": "true"}`))
webtest.RequestWithSignedInUser(req, &user.SignedInUser{UserID: 1, OrgID: 1, Permissions: map[int64]map[string][]string{
1: accesscontrol.GroupScopesByAction([]accesscontrol.Permission{
1: accesscontrol.GroupScopesByActionContext(context.Background(), []accesscontrol.Permission{
{Action: pluginaccesscontrol.ActionAppAccess, Scope: pluginaccesscontrol.ScopeProvider.GetResourceAllScope()},
}),
}})
@@ -92,7 +92,7 @@ func TestCallResource(t *testing.T) {
t.Run("Test successful response is received for valid request with the colon character", func(t *testing.T) {
req := srv.NewPostRequest("/api/plugins/grafana-testdata-datasource/resources/test-*,*:test-*/_mapping", strings.NewReader(`{"test": "true"}`))
webtest.RequestWithSignedInUser(req, &user.SignedInUser{UserID: 1, OrgID: 1, Permissions: map[int64]map[string][]string{
1: accesscontrol.GroupScopesByAction([]accesscontrol.Permission{
1: accesscontrol.GroupScopesByActionContext(context.Background(), []accesscontrol.Permission{
{Action: pluginaccesscontrol.ActionAppAccess, Scope: pluginaccesscontrol.ScopeProvider.GetResourceAllScope()},
}),
}})
@@ -146,7 +146,7 @@ func TestCallResource(t *testing.T) {
t.Run(tc.name, func(t *testing.T) {
req := srv.NewPostRequest(tc.url, strings.NewReader(`{"test": "true"}`))
webtest.RequestWithSignedInUser(req, &user.SignedInUser{UserID: 1, OrgID: 1, Permissions: map[int64]map[string][]string{
1: accesscontrol.GroupScopesByAction([]accesscontrol.Permission{
1: accesscontrol.GroupScopesByActionContext(context.Background(), []accesscontrol.Permission{
{Action: pluginaccesscontrol.ActionAppAccess, Scope: pluginaccesscontrol.ScopeProvider.GetResourceAllScope()},
}),
}})
@@ -192,7 +192,7 @@ func TestCallResource(t *testing.T) {
t.Run("Test error is properly propagated to API response", func(t *testing.T) {
req := srv.NewGetRequest("/api/plugins/grafana-testdata-datasource/resources/scenarios")
webtest.RequestWithSignedInUser(req, &user.SignedInUser{UserID: 1, OrgID: 1, Permissions: map[int64]map[string][]string{
1: accesscontrol.GroupScopesByAction([]accesscontrol.Permission{
1: accesscontrol.GroupScopesByActionContext(context.Background(), []accesscontrol.Permission{
{Action: pluginaccesscontrol.ActionAppAccess, Scope: pluginaccesscontrol.ScopeProvider.GetResourceAllScope()},
}),
}})


@@ -104,7 +104,7 @@ func Test_PluginsInstallAndUninstall(t *testing.T) {
Permissions: map[int64]map[string][]string{},
OrgRoles: map[int64]org.RoleType{},
}
expectedIdentity.Permissions[tc.permissionOrg] = ac.GroupScopesByAction(tc.permissions)
expectedIdentity.Permissions[tc.permissionOrg] = ac.GroupScopesByActionContext(context.Background(), tc.permissions)
hs.authnService = &authntest.FakeService{
ExpectedIdentity: expectedIdentity,
}


@@ -1,6 +1,7 @@
package api
import (
"context"
"fmt"
"net/http"
"strings"
@@ -156,7 +157,7 @@ func TestAPIEndpoint_PutOrgQuotas(t *testing.T) {
Permissions: map[int64]map[string][]string{},
}
for orgID, permissions := range tt.permissions {
expectedIdentity.Permissions[orgID] = accesscontrol.GroupScopesByAction(permissions)
expectedIdentity.Permissions[orgID] = accesscontrol.GroupScopesByActionContext(context.Background(), permissions)
}
server := SetupAPITestServer(t, func(hs *HTTPServer) {