RBAC: Add actionsets struct and write path (#86108)

* Add actionsets struct and failing test * update from review * review comments * review comments update * refactor: create interface * actionset service * fix tests * move from wireoss to wire * Apply suggestions from code review remove unnecessary comments Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * nil for the actionsetservice * Revert "nil for the actionsetservice" This reverts commit e3d3cc8171. --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2025-02-25 18:55:37 -06:00 · 2024-04-19 15:38:14 +01:00
parent a057e8be06
commit ddabef9895
13 changed files with 165 additions and 29 deletions
--- a/pkg/tests/api/alerting/api_backtesting_test.go
+++ b/pkg/tests/api/alerting/api_backtesting_test.go
@@ -107,8 +107,9 @@ func TestBacktesting(t *testing.T) {
 			require.Equalf(t, http.StatusForbidden, status, "Response: %s", body)
 		})

+		asService := resourcepermissions.NewActionSetService()
 		// access control permissions store
-		permissionsStore := resourcepermissions.NewStore(env.SQLStore, featuremgmt.WithFeatures())
+		permissionsStore := resourcepermissions.NewStore(env.SQLStore, featuremgmt.WithFeatures(), &asService)
 		_, err := permissionsStore.SetUserResourcePermission(context.Background(),
 			accesscontrol.GlobalOrgID,
 			accesscontrol.User{ID: testUserId},
--- a/pkg/tests/api/alerting/api_prometheus_test.go
+++ b/pkg/tests/api/alerting/api_prometheus_test.go
@@ -668,8 +668,9 @@ func TestIntegrationPrometheusRulesPermissions(t *testing.T) {

 	apiClient := newAlertingApiClient(grafanaListedAddr, "grafana", "password")

+	asService := resourcepermissions.NewActionSetService()
 	// access control permissions store
-	permissionsStore := resourcepermissions.NewStore(env.SQLStore, featuremgmt.WithFeatures())
+	permissionsStore := resourcepermissions.NewStore(env.SQLStore, featuremgmt.WithFeatures(), &asService)

 	// Create the namespace we'll save our alerts to.
 	apiClient.CreateFolder(t, "folder1", "folder1")
--- a/pkg/tests/api/alerting/api_ruler_test.go
+++ b/pkg/tests/api/alerting/api_ruler_test.go
@@ -52,7 +52,8 @@ func TestIntegrationAlertRulePermissions(t *testing.T) {
 	})

 	grafanaListedAddr, env := testinfra.StartGrafanaEnv(t, dir, p)
-	permissionsStore := resourcepermissions.NewStore(env.SQLStore, featuremgmt.WithFeatures())
+	asService := resourcepermissions.NewActionSetService()
+	permissionsStore := resourcepermissions.NewStore(env.SQLStore, featuremgmt.WithFeatures(), &asService)

 	// Create a user to make authenticated requests
 	userID := createUser(t, env.SQLStore, env.Cfg, user.CreateUserCommand{
@@ -336,7 +337,8 @@ func TestIntegrationAlertRuleNestedPermissions(t *testing.T) {
 	})

 	grafanaListedAddr, env := testinfra.StartGrafanaEnv(t, dir, p)
-	permissionsStore := resourcepermissions.NewStore(env.SQLStore, featuremgmt.WithFeatures())
+	asService := resourcepermissions.NewActionSetService()
+	permissionsStore := resourcepermissions.NewStore(env.SQLStore, featuremgmt.WithFeatures(), &asService)

 	// Create a user to make authenticated requests
 	userID := createUser(t, env.SQLStore, env.Cfg, user.CreateUserCommand{
@@ -732,7 +734,8 @@ func TestAlertRulePostExport(t *testing.T) {
 	})

 	grafanaListedAddr, env := testinfra.StartGrafanaEnv(t, dir, p)
-	permissionsStore := resourcepermissions.NewStore(env.SQLStore, featuremgmt.WithFeatures())
+	asService := resourcepermissions.NewActionSetService()
+	permissionsStore := resourcepermissions.NewStore(env.SQLStore, featuremgmt.WithFeatures(), &asService)

 	// Create a user to make authenticated requests
 	userID := createUser(t, env.SQLStore, env.Cfg, user.CreateUserCommand{
@@ -1412,7 +1415,8 @@ func TestIntegrationRuleUpdate(t *testing.T) {
 		AppModeProduction:     true,
 	})
 	grafanaListedAddr, env := testinfra.StartGrafanaEnv(t, dir, path)
-	permissionsStore := resourcepermissions.NewStore(env.SQLStore, featuremgmt.WithFeatures())
+	asService := resourcepermissions.NewActionSetService()
+	permissionsStore := resourcepermissions.NewStore(env.SQLStore, featuremgmt.WithFeatures(), &asService)

 	// Create a user to make authenticated requests
 	userID := createUser(t, env.SQLStore, env.Cfg, user.CreateUserCommand{
--- a/pkg/tests/api/alerting/api_testing_test.go
+++ b/pkg/tests/api/alerting/api_testing_test.go
@@ -275,7 +275,8 @@ func TestGrafanaRuleConfig(t *testing.T) {
 		})

 		// access control permissions store
-		permissionsStore := resourcepermissions.NewStore(env.SQLStore, featuremgmt.WithFeatures())
+		asService := resourcepermissions.NewActionSetService()
+		permissionsStore := resourcepermissions.NewStore(env.SQLStore, featuremgmt.WithFeatures(), &asService)
 		_, err := permissionsStore.SetUserResourcePermission(context.Background(),
 			accesscontrol.GlobalOrgID,
 			accesscontrol.User{ID: testUserId},
--- a/pkg/tests/api/folders/api_folders_test.go
+++ b/pkg/tests/api/folders/api_folders_test.go
@@ -65,7 +65,8 @@ func TestGetFolders(t *testing.T) {
 	viewerClient := tests.GetClient(grafanaListedAddr, "viewer", "viewer")

 	// access control permissions store
-	permissionsStore := resourcepermissions.NewStore(store, featuremgmt.WithFeatures())
+	actionSetService := resourcepermissions.NewActionSetService()
+	permissionsStore := resourcepermissions.NewStore(store, featuremgmt.WithFeatures(), &actionSetService)

 	numberOfFolders := 5
 	indexWithoutPermission := 3