mirror of
https://github.com/grafana/grafana.git
synced 2025-02-14 01:23:32 -06:00
Access control: Support uids for resource permissions (#45226)
* add middleware to solve uid -> id for requests
This commit is contained in:
parent
89a0c0fc37
commit
d2b9da9dde
@ -32,15 +32,16 @@ func newApi(ac accesscontrol.AccessControl, router routing.RouteRegister, manage
|
||||
|
||||
func (a *api) registerEndpoints() {
|
||||
auth := middleware.Middleware(a.ac)
|
||||
uidSolver := solveUID(a.service.options.UidSolver)
|
||||
disable := middleware.Disable(a.ac.IsDisabled())
|
||||
a.router.Group(fmt.Sprintf("/api/access-control/%s", a.service.options.Resource), func(r routing.RouteRegister) {
|
||||
idScope := accesscontrol.Scope(a.service.options.Resource, "id", accesscontrol.Parameter(":resourceID"))
|
||||
actionWrite, actionRead := fmt.Sprintf("%s.permissions:write", a.service.options.Resource), fmt.Sprintf("%s.permissions:read", a.service.options.Resource)
|
||||
r.Get("/description", auth(disable, accesscontrol.EvalPermission(actionRead)), routing.Wrap(a.getDescription))
|
||||
r.Get("/:resourceID", auth(disable, accesscontrol.EvalPermission(actionRead, idScope)), routing.Wrap(a.getPermissions))
|
||||
r.Post("/:resourceID/users/:userID", auth(disable, accesscontrol.EvalPermission(actionWrite, idScope)), routing.Wrap(a.setUserPermission))
|
||||
r.Post("/:resourceID/teams/:teamID", auth(disable, accesscontrol.EvalPermission(actionWrite, idScope)), routing.Wrap(a.setTeamPermission))
|
||||
r.Post("/:resourceID/builtInRoles/:builtInRole", auth(disable, accesscontrol.EvalPermission(actionWrite, idScope)), routing.Wrap(a.setBuiltinRolePermission))
|
||||
r.Get("/:resourceID", uidSolver, auth(disable, accesscontrol.EvalPermission(actionRead, idScope)), routing.Wrap(a.getPermissions))
|
||||
r.Post("/:resourceID/users/:userID", uidSolver, auth(disable, accesscontrol.EvalPermission(actionWrite, idScope)), routing.Wrap(a.setUserPermission))
|
||||
r.Post("/:resourceID/teams/:teamID", uidSolver, auth(disable, accesscontrol.EvalPermission(actionWrite, idScope)), routing.Wrap(a.setTeamPermission))
|
||||
r.Post("/:resourceID/builtInRoles/:builtInRole", uidSolver, auth(disable, accesscontrol.EvalPermission(actionWrite, idScope)), routing.Wrap(a.setBuiltinRolePermission))
|
||||
})
|
||||
}
|
||||
|
||||
|
@ -3,6 +3,7 @@ package resourcepermissions
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
@ -17,6 +18,7 @@ import (
|
||||
"github.com/grafana/grafana/pkg/infra/log"
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/sqlstore"
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
"github.com/grafana/grafana/pkg/web"
|
||||
)
|
||||
@ -152,20 +154,7 @@ func TestApi_getPermissions(t *testing.T) {
|
||||
service, sql := setupTestEnvironment(t, tt.permissions, testOptions)
|
||||
server := setupTestServer(t, &models.SignedInUser{OrgId: 1}, service)
|
||||
|
||||
// seed team 1 with "Edit" permission on dashboard 1
|
||||
team, err := sql.CreateTeam("test", "test@test.com", 1)
|
||||
require.NoError(t, err)
|
||||
_, err = service.SetTeamPermission(context.Background(), team.OrgId, team.Id, tt.resourceID, "Edit")
|
||||
require.NoError(t, err)
|
||||
// seed user 1 with "View" permission on dashboard 1
|
||||
u, err := sql.CreateUser(context.Background(), models.CreateUserCommand{Login: "test", OrgId: 1})
|
||||
require.NoError(t, err)
|
||||
_, err = service.SetUserPermission(context.Background(), u.OrgId, accesscontrol.User{ID: u.Id}, tt.resourceID, "View")
|
||||
require.NoError(t, err)
|
||||
|
||||
// seed built in role Admin with "Edit" permission on dashboard 1
|
||||
_, err = service.SetBuiltInRolePermission(context.Background(), 1, "Admin", tt.resourceID, "Edit")
|
||||
require.NoError(t, err)
|
||||
seedPermissions(t, tt.resourceID, sql, service)
|
||||
|
||||
permissions, recorder := getPermission(t, server, testOptions.Resource, tt.resourceID)
|
||||
assert.Equal(t, tt.expectedStatus, recorder.Code)
|
||||
@ -418,6 +407,62 @@ func TestApi_setUserPermission(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
type uidSolverTestCase struct {
|
||||
desc string
|
||||
uid string
|
||||
resourceID string
|
||||
expectedStatus int
|
||||
}
|
||||
|
||||
func TestApi_UidSolver(t *testing.T) {
|
||||
tests := []uidSolverTestCase{
|
||||
{
|
||||
desc: "expect uid to be mapped to id",
|
||||
uid: "resourceUID",
|
||||
resourceID: "1",
|
||||
expectedStatus: http.StatusOK,
|
||||
},
|
||||
{
|
||||
desc: "expect 404 when uid is not mapped to an id",
|
||||
uid: "notfound",
|
||||
resourceID: "1",
|
||||
expectedStatus: http.StatusNotFound,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.desc, func(t *testing.T) {
|
||||
userPermissions := []*accesscontrol.Permission{{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"}}
|
||||
service, sql := setupTestEnvironment(t, userPermissions, withSolver(testOptions, testSolver))
|
||||
server := setupTestServer(t, &models.SignedInUser{OrgId: 1}, service)
|
||||
seedPermissions(t, tt.resourceID, sql, service)
|
||||
|
||||
permissions, recorder := getPermission(t, server, testOptions.Resource, tt.uid)
|
||||
assert.Equal(t, tt.expectedStatus, recorder.Code)
|
||||
|
||||
if tt.expectedStatus == http.StatusOK {
|
||||
assert.Len(t, permissions, 3, "expected three assignments: user, team, builtin")
|
||||
for _, p := range permissions {
|
||||
if p.UserID != 0 {
|
||||
assert.Equal(t, "View", p.Permission)
|
||||
} else if p.TeamID != 0 {
|
||||
assert.Equal(t, "Edit", p.Permission)
|
||||
} else {
|
||||
assert.Equal(t, "Edit", p.Permission)
|
||||
}
|
||||
}
|
||||
} else {
|
||||
assert.Equal(t, tt.expectedStatus, recorder.Code)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func withSolver(options Options, solver uidSolver) Options {
|
||||
options.UidSolver = solver
|
||||
return options
|
||||
}
|
||||
|
||||
func setupTestServer(t *testing.T, user *models.SignedInUser, service *Service) *web.Mux {
|
||||
server := web.New()
|
||||
server.UseMiddleware(web.Renderer(path.Join(setting.StaticRootPath, "views"), "[[", "]]"))
|
||||
@ -457,6 +502,13 @@ var testOptions = Options{
|
||||
},
|
||||
}
|
||||
|
||||
var testSolver = func(ctx context.Context, orgID int64, uid string) (int64, error) {
|
||||
if uid == "resourceUID" {
|
||||
return 1, nil
|
||||
}
|
||||
return 0, errors.New("not found")
|
||||
}
|
||||
|
||||
func getPermission(t *testing.T, server *web.Mux, resource, resourceID string) ([]resourcePermissionDTO, *httptest.ResponseRecorder) {
|
||||
req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("/api/access-control/%s/%s", resource, resourceID), nil)
|
||||
require.NoError(t, err)
|
||||
@ -480,3 +532,20 @@ func setPermission(t *testing.T, server *web.Mux, resource, resourceID, permissi
|
||||
|
||||
return recorder
|
||||
}
|
||||
|
||||
func seedPermissions(t *testing.T, resourceID string, sql *sqlstore.SQLStore, service *Service) {
|
||||
t.Helper()
|
||||
// seed team 1 with "Edit" permission on dashboard 1
|
||||
team, err := sql.CreateTeam("test", "test@test.com", 1)
|
||||
require.NoError(t, err)
|
||||
_, err = service.SetTeamPermission(context.Background(), team.OrgId, team.Id, resourceID, "Edit")
|
||||
require.NoError(t, err)
|
||||
// seed user 1 with "View" permission on dashboard 1
|
||||
u, err := sql.CreateUser(context.Background(), models.CreateUserCommand{Login: "test", OrgId: 1})
|
||||
require.NoError(t, err)
|
||||
_, err = service.SetUserPermission(context.Background(), u.OrgId, accesscontrol.User{ID: u.Id}, resourceID, "View")
|
||||
require.NoError(t, err)
|
||||
// seed built in role Admin with "Edit" permission on dashboard 1
|
||||
_, err = service.SetBuiltInRolePermission(context.Background(), 1, "Admin", resourceID, "Edit")
|
||||
require.NoError(t, err)
|
||||
}
|
||||
|
28
pkg/services/accesscontrol/resourcepermissions/middleware.go
Normal file
28
pkg/services/accesscontrol/resourcepermissions/middleware.go
Normal file
@ -0,0 +1,28 @@
|
||||
package resourcepermissions
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"strconv"
|
||||
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
"github.com/grafana/grafana/pkg/util"
|
||||
"github.com/grafana/grafana/pkg/web"
|
||||
)
|
||||
|
||||
type uidSolver func(ctx context.Context, orgID int64, uid string) (int64, error)
|
||||
|
||||
func solveUID(solve uidSolver) web.Handler {
|
||||
return func(c *models.ReqContext) {
|
||||
if solve != nil && util.IsValidShortUID(web.Params(c.Req)[":resourceID"]) {
|
||||
params := web.Params(c.Req)
|
||||
id, err := solve(c.Req.Context(), c.OrgId, params[":resourceID"])
|
||||
if err != nil {
|
||||
c.JsonApiErr(http.StatusNotFound, "Resource not found", err)
|
||||
return
|
||||
}
|
||||
params[":resourceID"] = strconv.FormatInt(id, 10)
|
||||
web.SetURLParams(c.Req, params)
|
||||
}
|
||||
}
|
||||
}
|
@ -34,4 +34,6 @@ type Options struct {
|
||||
OnSetTeam func(session *sqlstore.DBSession, orgID, teamID int64, resourceID, permission string) error
|
||||
// OnSetBuiltInRole if configured will be called each time a permission is set for a built-in role
|
||||
OnSetBuiltInRole func(session *sqlstore.DBSession, orgID int64, builtInRole, resourceID, permission string) error
|
||||
// UidSolver if configured will be used in a middleware to translate an uid to id for each request
|
||||
UidSolver uidSolver
|
||||
}
|
||||
|
@ -19,12 +19,15 @@ const INITIAL_DESCRIPTION: Description = {
|
||||
},
|
||||
};
|
||||
|
||||
type ResourceId = string | number;
|
||||
type Type = 'users' | 'teams' | 'builtInRoles';
|
||||
|
||||
export type Props = {
|
||||
title?: string;
|
||||
buttonLabel?: string;
|
||||
addPermissionTitle?: string;
|
||||
resource: string;
|
||||
resourceId: number;
|
||||
resourceId: ResourceId;
|
||||
|
||||
canListUsers: boolean;
|
||||
canSetPermissions: boolean;
|
||||
@ -183,23 +186,23 @@ const getDescription = async (resource: string): Promise<Description> => {
|
||||
}
|
||||
};
|
||||
|
||||
const getPermissions = (resource: string, resourceId: number): Promise<ResourcePermission[]> =>
|
||||
const getPermissions = (resource: string, resourceId: ResourceId): Promise<ResourcePermission[]> =>
|
||||
getBackendSrv().get(`/api/access-control/${resource}/${resourceId}`);
|
||||
|
||||
const setUserPermission = (resource: string, resourceId: number, userId: number, permission: string) =>
|
||||
const setUserPermission = (resource: string, resourceId: ResourceId, userId: number, permission: string) =>
|
||||
setPermission(resource, resourceId, 'users', userId, permission);
|
||||
|
||||
const setTeamPermission = (resource: string, resourceId: number, teamId: number, permission: string) =>
|
||||
const setTeamPermission = (resource: string, resourceId: ResourceId, teamId: number, permission: string) =>
|
||||
setPermission(resource, resourceId, 'teams', teamId, permission);
|
||||
|
||||
const setBuiltInRolePermission = (resource: string, resourceId: number, builtInRole: string, permission: string) =>
|
||||
const setBuiltInRolePermission = (resource: string, resourceId: ResourceId, builtInRole: string, permission: string) =>
|
||||
setPermission(resource, resourceId, 'builtInRoles', builtInRole, permission);
|
||||
|
||||
const setPermission = (
|
||||
resource: string,
|
||||
resourceId: number,
|
||||
type: 'users' | 'teams' | 'builtInRoles',
|
||||
resourceId: ResourceId,
|
||||
type: Type,
|
||||
typeId: number | string,
|
||||
permission: string
|
||||
): Promise<void> =>
|
||||
getBackendSrv().post(`/api/access-control/${resource}/${resourceId}/${type}/${typeId}/`, { permission });
|
||||
getBackendSrv().post(`/api/access-control/${resource}/${resourceId}/${type}/${typeId}`, { permission });
|
||||
|
@ -56,9 +56,9 @@ export function buildNavModel(dataSource: DataSourceSettings, plugin: GenericDat
|
||||
const dsPermissions = {
|
||||
active: false,
|
||||
icon: 'lock',
|
||||
id: `datasource-permissions-${dataSource.id}`,
|
||||
id: `datasource-permissions-${dataSource.uid}`,
|
||||
text: 'Permissions',
|
||||
url: `datasources/edit/${dataSource.id}/permissions`,
|
||||
url: `datasources/edit/${dataSource.uid}/permissions`,
|
||||
};
|
||||
|
||||
if (featureEnabled('dspermissions')) {
|
||||
|
Loading…
Reference in New Issue
Block a user