RBAC: Return the underlying error instead of internal server or bad request for managed permission endpoints (#80974)

* return not found instead of an internal server error when listing/updating permissions

* openapi gen
Ieva 2024-01-25 16:24:52 +00:00 committed by GitHub
parent 25dd8d5ceb
commit dc9e590b7b
6 changed files with 61 additions and 7 deletions


@ -137,13 +137,14 @@ type getResourcePermissionsResponse []resourcePermissionDTO
// Responses:
// 200: getResourcePermissionsResponse
// 403: forbiddenError
// 404: notFoundError
// 500: internalServerError
func (a *api) getPermissions(c *contextmodel.ReqContext) response.Response {
resourceID := web.Params(c.Req)[":resourceID"]
permissions, err := a.service.GetPermissions(c.Req.Context(), c.SignedInUser, resourceID)
if err != nil {
return response.Error(http.StatusInternalServerError, "failed to get permissions", err)
return response.ErrOrFallback(http.StatusInternalServerError, "failed to get permissions", err)
}
if a.service.options.Assignments.BuiltInRoles && !a.service.license.FeatureEnabled("accesscontrol.enforcement") {
@ -223,6 +224,7 @@ type SetResourcePermissionsForUserParams struct {
// 200: okResponse
// 400: badRequestError
// 403: forbiddenError
// 404: notFoundError
// 500: internalServerError
func (a *api) setUserPermission(c *contextmodel.ReqContext) response.Response {
userID, err := strconv.ParseInt(web.Params(c.Req)[":userID"], 10, 64)
@ -238,7 +240,7 @@ func (a *api) setUserPermission(c *contextmodel.ReqContext) response.Response {
_, err = a.service.SetUserPermission(c.Req.Context(), c.SignedInUser.GetOrgID(), accesscontrol.User{ID: userID}, resourceID, cmd.Permission)
if err != nil {
return response.Error(http.StatusBadRequest, "failed to set user permission", err)
return response.ErrOrFallback(http.StatusBadRequest, "failed to set user permission", err)
}
return permissionSetResponse(cmd)
@ -275,6 +277,7 @@ type SetResourcePermissionsForTeamParams struct {
// 200: okResponse
// 400: badRequestError
// 403: forbiddenError
// 404: notFoundError
// 500: internalServerError
func (a *api) setTeamPermission(c *contextmodel.ReqContext) response.Response {
teamID, err := strconv.ParseInt(web.Params(c.Req)[":teamID"], 10, 64)
@ -290,7 +293,7 @@ func (a *api) setTeamPermission(c *contextmodel.ReqContext) response.Response {
_, err = a.service.SetTeamPermission(c.Req.Context(), c.SignedInUser.GetOrgID(), teamID, resourceID, cmd.Permission)
if err != nil {
return response.Error(http.StatusBadRequest, "failed to set team permission", err)
return response.ErrOrFallback(http.StatusBadRequest, "failed to set team permission", err)
}
return permissionSetResponse(cmd)
@ -327,6 +330,7 @@ type SetResourcePermissionsForBuiltInRoleParams struct {
// 200: okResponse
// 400: badRequestError
// 403: forbiddenError
// 404: notFoundError
// 500: internalServerError
func (a *api) setBuiltinRolePermission(c *contextmodel.ReqContext) response.Response {
builtInRole := web.Params(c.Req)[":builtInRole"]
@ -339,7 +343,7 @@ func (a *api) setBuiltinRolePermission(c *contextmodel.ReqContext) response.Resp
_, err := a.service.SetBuiltInRolePermission(c.Req.Context(), c.SignedInUser.GetOrgID(), builtInRole, resourceID, cmd.Permission)
if err != nil {
return response.Error(http.StatusBadRequest, "failed to set role permission", err)
return response.ErrOrFallback(http.StatusBadRequest, "failed to set role permission", err)
}
return permissionSetResponse(cmd)
@ -372,6 +376,7 @@ type SetResourcePermissionsParams struct {
// 200: okResponse
// 400: badRequestError
// 403: forbiddenError
// 404: notFoundError
// 500: internalServerError
func (a *api) setPermissions(c *contextmodel.ReqContext) response.Response {
resourceID := web.Params(c.Req)[":resourceID"]
@ -383,7 +388,7 @@ func (a *api) setPermissions(c *contextmodel.ReqContext) response.Response {
_, err := a.service.SetPermissions(c.Req.Context(), c.SignedInUser.GetOrgID(), resourceID, cmd.Permissions...)
if err != nil {
return response.Error(http.StatusBadRequest, "failed to set permissions", err)
return response.ErrOrFallback(http.StatusBadRequest, "failed to set permission", err)
}
return response.Success("Permissions updated")
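Review bot: The fallback message in the last hunk, `response.ErrOrFallback(http.StatusBadRequest, "failed to set permission", err)`, drops the plural that the replaced line carried, so setPermissions now reports "permission" while every sibling handler in this file kept its original wording; restore `"failed to set permissions"`. The other hunks hand err straight to ErrOrFallback, which presumably uses the status and public message of a typed error and otherwise falls back to the given status — worth confirming that an untyped error (a raw DB or parse error) still maps to the fallback status and that its text is not echoed to the client, since that is what now decides whether internal detail reaches the response. The newly documented 404 only applies where the service returns a typed not-found; the handler bodies continue outside these hunks, so the remaining error paths are not visible here.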


@ -2,6 +2,7 @@ package dashboards
import (
"context"
"errors"
"strings"
"github.com/grafana/grafana/pkg/infra/metrics"
@ -212,6 +213,9 @@ func GetInheritedScopes(ctx context.Context, orgID int64, folderUID string, fold
})
if err != nil {
if errors.Is(err, folder.ErrFolderNotFound) {
return nil, err
}
return nil, ac.ErrInternal.Errorf("could not retrieve folder parents: %w", err)
}
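Review bot: The new `errors.Is(err, folder.ErrFolderNotFound)` branch returns err bare, so the "could not retrieve folder parents" context that the sibling branch wraps with ac.ErrInternal is lost for the not-found case, and a log line no longer says which lookup failed. Since the store already builds this error with `folder.ErrFolderNotFound.Errorf(...)`, the same form should keep the match while preserving context: `return nil, folder.ErrFolderNotFound.Errorf("could not retrieve folder parents: %w", err)` — assuming the base's Is still matches an Errorf-derived error, which the existing check on the previous line relies on. GetInheritedScopes starts outside the hunk, so the callers that depend on the bare error are not visible here.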


@ -245,7 +245,7 @@ func (ss *sqlStore) GetParents(ctx context.Context, q folder.GetParentsQuery) ([
if len(folders) < 1 {
// the query is expected to return at least the same folder
// if it's empty it means that the folder does not exist
return nil, folder.ErrFolderNotFound
return nil, folder.ErrFolderNotFound.Errorf("folder not found")
}
return util.Reverse(folders[1:]), nil
@ -308,7 +308,7 @@ func (ss *sqlStore) getParentsMySQL(ctx context.Context, q folder.GetParentsQuer
return err
}
if !ok {
return folder.ErrFolderNotFound
return folder.ErrFolderNotFound.Errorf("folder not found")
}
for {
f := &folder.Folder{}
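Review bot: Both hunks replace the bare sentinel with `folder.ErrFolderNotFound.Errorf("folder not found")`, where the message only restates the base's name and gives an operator nothing to locate the failing lookup with. Since this error now travels to the HTTP layer as a 404, a static message is the right choice for the client, but the internal text could carry the requested folder identifier (presumably the UID on q — confirm the field) so server logs can tie the miss to a request. getParentsMySQL starts and ends outside the second hunk.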


@ -8994,6 +8994,12 @@
"$ref": "#/definitions/RoleDTO"
}
},
"getSSOSettingsResponse": {
"description": "",
"schema": {
"$ref": "#/definitions/SSOSettings"
}
},
"getSharingOptionsResponse": {
"description": "",
"schema": {
@ -9172,6 +9178,15 @@
}
}
},
"listSSOSettingsResponse": {
"description": "",
"schema": {
"type": "array",
"items": {
"$ref": "#/definitions/SSOSettings"
}
}
},
"listSortOptionsResponse": {
"description": "",
"schema": {


@ -765,6 +765,9 @@
"403": {
"$ref": "#/responses/forbiddenError"
},
"404": {
"$ref": "#/responses/notFoundError"
},
"500": {
"$ref": "#/responses/internalServerError"
}
@ -809,6 +812,9 @@
"403": {
"$ref": "#/responses/forbiddenError"
},
"404": {
"$ref": "#/responses/notFoundError"
},
"500": {
"$ref": "#/responses/internalServerError"
}
@ -861,6 +867,9 @@
"403": {
"$ref": "#/responses/forbiddenError"
},
"404": {
"$ref": "#/responses/notFoundError"
},
"500": {
"$ref": "#/responses/internalServerError"
}
@ -914,6 +923,9 @@
"403": {
"$ref": "#/responses/forbiddenError"
},
"404": {
"$ref": "#/responses/notFoundError"
},
"500": {
"$ref": "#/responses/internalServerError"
}
@ -967,6 +979,9 @@
"403": {
"$ref": "#/responses/forbiddenError"
},
"404": {
"$ref": "#/responses/notFoundError"
},
"500": {
"$ref": "#/responses/internalServerError"
}


@ -13492,6 +13492,9 @@
"403": {
"$ref": "#/components/responses/forbiddenError"
},
"404": {
"$ref": "#/components/responses/notFoundError"
},
"500": {
"$ref": "#/components/responses/internalServerError"
}
@ -13543,6 +13546,9 @@
"403": {
"$ref": "#/components/responses/forbiddenError"
},
"404": {
"$ref": "#/components/responses/notFoundError"
},
"500": {
"$ref": "#/components/responses/internalServerError"
}
@ -13604,6 +13610,9 @@
"403": {
"$ref": "#/components/responses/forbiddenError"
},
"404": {
"$ref": "#/components/responses/notFoundError"
},
"500": {
"$ref": "#/components/responses/internalServerError"
}
@ -13666,6 +13675,9 @@
"403": {
"$ref": "#/components/responses/forbiddenError"
},
"404": {
"$ref": "#/components/responses/notFoundError"
},
"500": {
"$ref": "#/components/responses/internalServerError"
}
@ -13728,6 +13740,9 @@
"403": {
"$ref": "#/components/responses/forbiddenError"
},
"404": {
"$ref": "#/components/responses/notFoundError"
},
"500": {
"$ref": "#/components/responses/internalServerError"
}