Access control: Support uids for resource permissions (#45226)

* add middleware to solve uid -> id for requests
This commit is contained in:
Karl Persson 2022-02-10 17:47:48 +01:00 committed by GitHub
parent 89a0c0fc37
commit d2b9da9dde
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 131 additions and 28 deletions

View File

@ -32,15 +32,16 @@ func newApi(ac accesscontrol.AccessControl, router routing.RouteRegister, manage
func (a *api) registerEndpoints() {
auth := middleware.Middleware(a.ac)
uidSolver := solveUID(a.service.options.UidSolver)
disable := middleware.Disable(a.ac.IsDisabled())
a.router.Group(fmt.Sprintf("/api/access-control/%s", a.service.options.Resource), func(r routing.RouteRegister) {
idScope := accesscontrol.Scope(a.service.options.Resource, "id", accesscontrol.Parameter(":resourceID"))
actionWrite, actionRead := fmt.Sprintf("%s.permissions:write", a.service.options.Resource), fmt.Sprintf("%s.permissions:read", a.service.options.Resource)
r.Get("/description", auth(disable, accesscontrol.EvalPermission(actionRead)), routing.Wrap(a.getDescription))
r.Get("/:resourceID", auth(disable, accesscontrol.EvalPermission(actionRead, idScope)), routing.Wrap(a.getPermissions))
r.Post("/:resourceID/users/:userID", auth(disable, accesscontrol.EvalPermission(actionWrite, idScope)), routing.Wrap(a.setUserPermission))
r.Post("/:resourceID/teams/:teamID", auth(disable, accesscontrol.EvalPermission(actionWrite, idScope)), routing.Wrap(a.setTeamPermission))
r.Post("/:resourceID/builtInRoles/:builtInRole", auth(disable, accesscontrol.EvalPermission(actionWrite, idScope)), routing.Wrap(a.setBuiltinRolePermission))
r.Get("/:resourceID", uidSolver, auth(disable, accesscontrol.EvalPermission(actionRead, idScope)), routing.Wrap(a.getPermissions))
r.Post("/:resourceID/users/:userID", uidSolver, auth(disable, accesscontrol.EvalPermission(actionWrite, idScope)), routing.Wrap(a.setUserPermission))
r.Post("/:resourceID/teams/:teamID", uidSolver, auth(disable, accesscontrol.EvalPermission(actionWrite, idScope)), routing.Wrap(a.setTeamPermission))
r.Post("/:resourceID/builtInRoles/:builtInRole", uidSolver, auth(disable, accesscontrol.EvalPermission(actionWrite, idScope)), routing.Wrap(a.setBuiltinRolePermission))
})
}

View File

@ -3,6 +3,7 @@ package resourcepermissions
import (
"context"
"encoding/json"
"errors"
"fmt"
"net/http"
"net/http/httptest"
@ -17,6 +18,7 @@ import (
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/sqlstore"
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/web"
)
@ -152,20 +154,7 @@ func TestApi_getPermissions(t *testing.T) {
service, sql := setupTestEnvironment(t, tt.permissions, testOptions)
server := setupTestServer(t, &models.SignedInUser{OrgId: 1}, service)
// seed team 1 with "Edit" permission on dashboard 1
team, err := sql.CreateTeam("test", "test@test.com", 1)
require.NoError(t, err)
_, err = service.SetTeamPermission(context.Background(), team.OrgId, team.Id, tt.resourceID, "Edit")
require.NoError(t, err)
// seed user 1 with "View" permission on dashboard 1
u, err := sql.CreateUser(context.Background(), models.CreateUserCommand{Login: "test", OrgId: 1})
require.NoError(t, err)
_, err = service.SetUserPermission(context.Background(), u.OrgId, accesscontrol.User{ID: u.Id}, tt.resourceID, "View")
require.NoError(t, err)
// seed built in role Admin with "Edit" permission on dashboard 1
_, err = service.SetBuiltInRolePermission(context.Background(), 1, "Admin", tt.resourceID, "Edit")
require.NoError(t, err)
seedPermissions(t, tt.resourceID, sql, service)
permissions, recorder := getPermission(t, server, testOptions.Resource, tt.resourceID)
assert.Equal(t, tt.expectedStatus, recorder.Code)
@ -418,6 +407,62 @@ func TestApi_setUserPermission(t *testing.T) {
}
}
type uidSolverTestCase struct {
desc string
uid string
resourceID string
expectedStatus int
}
func TestApi_UidSolver(t *testing.T) {
tests := []uidSolverTestCase{
{
desc: "expect uid to be mapped to id",
uid: "resourceUID",
resourceID: "1",
expectedStatus: http.StatusOK,
},
{
desc: "expect 404 when uid is not mapped to an id",
uid: "notfound",
resourceID: "1",
expectedStatus: http.StatusNotFound,
},
}
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
userPermissions := []*accesscontrol.Permission{{Action: "dashboards.permissions:read", Scope: "dashboards:id:1"}}
service, sql := setupTestEnvironment(t, userPermissions, withSolver(testOptions, testSolver))
server := setupTestServer(t, &models.SignedInUser{OrgId: 1}, service)
seedPermissions(t, tt.resourceID, sql, service)
permissions, recorder := getPermission(t, server, testOptions.Resource, tt.uid)
assert.Equal(t, tt.expectedStatus, recorder.Code)
if tt.expectedStatus == http.StatusOK {
assert.Len(t, permissions, 3, "expected three assignments: user, team, builtin")
for _, p := range permissions {
if p.UserID != 0 {
assert.Equal(t, "View", p.Permission)
} else if p.TeamID != 0 {
assert.Equal(t, "Edit", p.Permission)
} else {
assert.Equal(t, "Edit", p.Permission)
}
}
} else {
assert.Equal(t, tt.expectedStatus, recorder.Code)
}
})
}
}
func withSolver(options Options, solver uidSolver) Options {
options.UidSolver = solver
return options
}
func setupTestServer(t *testing.T, user *models.SignedInUser, service *Service) *web.Mux {
server := web.New()
server.UseMiddleware(web.Renderer(path.Join(setting.StaticRootPath, "views"), "[[", "]]"))
@ -457,6 +502,13 @@ var testOptions = Options{
},
}
var testSolver = func(ctx context.Context, orgID int64, uid string) (int64, error) {
if uid == "resourceUID" {
return 1, nil
}
return 0, errors.New("not found")
}
func getPermission(t *testing.T, server *web.Mux, resource, resourceID string) ([]resourcePermissionDTO, *httptest.ResponseRecorder) {
req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("/api/access-control/%s/%s", resource, resourceID), nil)
require.NoError(t, err)
@ -480,3 +532,20 @@ func setPermission(t *testing.T, server *web.Mux, resource, resourceID, permissi
return recorder
}
func seedPermissions(t *testing.T, resourceID string, sql *sqlstore.SQLStore, service *Service) {
t.Helper()
// seed team 1 with "Edit" permission on dashboard 1
team, err := sql.CreateTeam("test", "test@test.com", 1)
require.NoError(t, err)
_, err = service.SetTeamPermission(context.Background(), team.OrgId, team.Id, resourceID, "Edit")
require.NoError(t, err)
// seed user 1 with "View" permission on dashboard 1
u, err := sql.CreateUser(context.Background(), models.CreateUserCommand{Login: "test", OrgId: 1})
require.NoError(t, err)
_, err = service.SetUserPermission(context.Background(), u.OrgId, accesscontrol.User{ID: u.Id}, resourceID, "View")
require.NoError(t, err)
// seed built in role Admin with "Edit" permission on dashboard 1
_, err = service.SetBuiltInRolePermission(context.Background(), 1, "Admin", resourceID, "Edit")
require.NoError(t, err)
}

View File

@ -0,0 +1,28 @@
package resourcepermissions
import (
"context"
"net/http"
"strconv"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/util"
"github.com/grafana/grafana/pkg/web"
)
type uidSolver func(ctx context.Context, orgID int64, uid string) (int64, error)
func solveUID(solve uidSolver) web.Handler {
return func(c *models.ReqContext) {
if solve != nil && util.IsValidShortUID(web.Params(c.Req)[":resourceID"]) {
params := web.Params(c.Req)
id, err := solve(c.Req.Context(), c.OrgId, params[":resourceID"])
if err != nil {
c.JsonApiErr(http.StatusNotFound, "Resource not found", err)
return
}
params[":resourceID"] = strconv.FormatInt(id, 10)
web.SetURLParams(c.Req, params)
}
}
}

View File

@ -34,4 +34,6 @@ type Options struct {
OnSetTeam func(session *sqlstore.DBSession, orgID, teamID int64, resourceID, permission string) error
// OnSetBuiltInRole if configured will be called each time a permission is set for a built-in role
OnSetBuiltInRole func(session *sqlstore.DBSession, orgID int64, builtInRole, resourceID, permission string) error
// UidSolver if configured will be used in a middleware to translate an uid to id for each request
UidSolver uidSolver
}

View File

@ -19,12 +19,15 @@ const INITIAL_DESCRIPTION: Description = {
},
};
type ResourceId = string | number;
type Type = 'users' | 'teams' | 'builtInRoles';
export type Props = {
title?: string;
buttonLabel?: string;
addPermissionTitle?: string;
resource: string;
resourceId: number;
resourceId: ResourceId;
canListUsers: boolean;
canSetPermissions: boolean;
@ -183,23 +186,23 @@ const getDescription = async (resource: string): Promise<Description> => {
}
};
const getPermissions = (resource: string, resourceId: number): Promise<ResourcePermission[]> =>
const getPermissions = (resource: string, resourceId: ResourceId): Promise<ResourcePermission[]> =>
getBackendSrv().get(`/api/access-control/${resource}/${resourceId}`);
const setUserPermission = (resource: string, resourceId: number, userId: number, permission: string) =>
const setUserPermission = (resource: string, resourceId: ResourceId, userId: number, permission: string) =>
setPermission(resource, resourceId, 'users', userId, permission);
const setTeamPermission = (resource: string, resourceId: number, teamId: number, permission: string) =>
const setTeamPermission = (resource: string, resourceId: ResourceId, teamId: number, permission: string) =>
setPermission(resource, resourceId, 'teams', teamId, permission);
const setBuiltInRolePermission = (resource: string, resourceId: number, builtInRole: string, permission: string) =>
const setBuiltInRolePermission = (resource: string, resourceId: ResourceId, builtInRole: string, permission: string) =>
setPermission(resource, resourceId, 'builtInRoles', builtInRole, permission);
const setPermission = (
resource: string,
resourceId: number,
type: 'users' | 'teams' | 'builtInRoles',
resourceId: ResourceId,
type: Type,
typeId: number | string,
permission: string
): Promise<void> =>
getBackendSrv().post(`/api/access-control/${resource}/${resourceId}/${type}/${typeId}/`, { permission });
getBackendSrv().post(`/api/access-control/${resource}/${resourceId}/${type}/${typeId}`, { permission });

View File

@ -56,9 +56,9 @@ export function buildNavModel(dataSource: DataSourceSettings, plugin: GenericDat
const dsPermissions = {
active: false,
icon: 'lock',
id: `datasource-permissions-${dataSource.id}`,
id: `datasource-permissions-${dataSource.uid}`,
text: 'Permissions',
url: `datasources/edit/${dataSource.id}/permissions`,
url: `datasources/edit/${dataSource.uid}/permissions`,
};
if (featureEnabled('dspermissions')) {