Access Control: Pass db session to hooks (#44428)

* Move hook calls to database and pass session
2025-02-25 18:55:37 -06:00 · 2022-01-25 17:12:00 +01:00
parent 9ab9fd802b
commit de2c5783fa
13 changed files with 138 additions and 127 deletions
--- a/pkg/services/accesscontrol/database/database_test.go
+++ b/pkg/services/accesscontrol/database/database_test.go
@@ -64,7 +64,7 @@ func TestAccessControlStore_GetUserPermissions(t *testing.T) {
 					Actions:    []string{"dashboards:read"},
 					Resource:   "dashboards",
 					ResourceID: id,
-				})
+				}, nil)
 				require.NoError(t, err)
 			}

@@ -73,7 +73,7 @@ func TestAccessControlStore_GetUserPermissions(t *testing.T) {
 					Actions:    []string{"dashboards:read"},
 					Resource:   "dashboards",
 					ResourceID: id,
-				})
+				}, nil)
 				require.NoError(t, err)
 			}

@@ -82,7 +82,7 @@ func TestAccessControlStore_GetUserPermissions(t *testing.T) {
 					Actions:    []string{"dashboards:read"},
 					Resource:   "dashboards",
 					ResourceID: id,
-				})
+				}, nil)
 				require.NoError(t, err)
 			}

--- a/pkg/services/accesscontrol/database/resource_permissions.go
+++ b/pkg/services/accesscontrol/database/resource_permissions.go
@@ -32,7 +32,11 @@ func (p *flatResourcePermission) Managed() bool {
 	return strings.HasPrefix(p.RoleName, "managed:")
 }

-func (s *AccessControlStore) SetUserResourcePermission(ctx context.Context, orgID, userID int64, cmd accesscontrol.SetResourcePermissionCommand) (*accesscontrol.ResourcePermission, error) {
+func (s *AccessControlStore) SetUserResourcePermission(
+	ctx context.Context, orgID, userID int64,
+	cmd accesscontrol.SetResourcePermissionCommand,
+	hook func(session *sqlstore.DBSession, orgID, userID int64, resourceID, permission string) error,
+) (*accesscontrol.ResourcePermission, error) {
 	if userID == 0 {
 		return nil, models.ErrUserNotFound
 	}
@@ -44,6 +48,9 @@ func (s *AccessControlStore) SetUserResourcePermission(ctx context.Context, orgI
 		if err != nil {
 			return err
 		}
+		if hook != nil {
+			return hook(sess, orgID, userID, cmd.ResourceID, cmd.Permission)
+		}
 		return nil
 	})

@@ -54,7 +61,11 @@ func (s *AccessControlStore) SetUserResourcePermission(ctx context.Context, orgI
 	return permission, nil
 }

-func (s *AccessControlStore) SetTeamResourcePermission(ctx context.Context, orgID, teamID int64, cmd accesscontrol.SetResourcePermissionCommand) (*accesscontrol.ResourcePermission, error) {
+func (s *AccessControlStore) SetTeamResourcePermission(
+	ctx context.Context, orgID, teamID int64,
+	cmd accesscontrol.SetResourcePermissionCommand,
+	hook func(session *sqlstore.DBSession, orgID, teamID int64, resourceID, permission string) error,
+) (*accesscontrol.ResourcePermission, error) {
 	if teamID == 0 {
 		return nil, models.ErrTeamNotFound
 	}
@@ -67,6 +78,9 @@ func (s *AccessControlStore) SetTeamResourcePermission(ctx context.Context, orgI
 		if err != nil {
 			return err
 		}
+		if hook != nil {
+			return hook(sess, orgID, teamID, cmd.ResourceID, cmd.Permission)
+		}
 		return nil
 	})

@@ -77,7 +91,11 @@ func (s *AccessControlStore) SetTeamResourcePermission(ctx context.Context, orgI
 	return permission, nil
 }

-func (s *AccessControlStore) SetBuiltInResourcePermission(ctx context.Context, orgID int64, builtInRole string, cmd accesscontrol.SetResourcePermissionCommand) (*accesscontrol.ResourcePermission, error) {
+func (s *AccessControlStore) SetBuiltInResourcePermission(
+	ctx context.Context, orgID int64, builtInRole string,
+	cmd accesscontrol.SetResourcePermissionCommand,
+	hook func(session *sqlstore.DBSession, orgID int64, builtInRole, resourceID, permission string) error,
+) (*accesscontrol.ResourcePermission, error) {
 	if !models.RoleType(builtInRole).IsValid() || builtInRole == accesscontrol.RoleGrafanaAdmin {
 		return nil, fmt.Errorf("invalid role: %s", builtInRole)
 	}
@@ -87,6 +105,12 @@ func (s *AccessControlStore) SetBuiltInResourcePermission(ctx context.Context, o

 	err = s.sql.WithTransactionalDbSession(ctx, func(sess *sqlstore.DBSession) error {
 		permission, err = s.setResourcePermission(sess, orgID, managedBuiltInRoleName(builtInRole), s.builtInRoleAdder(sess, orgID, builtInRole), cmd)
+		if err != nil {
+			return err
+		}
+		if hook != nil {
+			return hook(sess, orgID, builtInRole, cmd.ResourceID, cmd.Permission)
+		}
 		return err
 	})

--- a/pkg/services/accesscontrol/database/resource_permissions_bench_test.go
+++ b/pkg/services/accesscontrol/database/resource_permissions_bench_test.go
@@ -51,7 +51,7 @@ func benchmarkDSPermissions(b *testing.B, dsNum, usersNum int) {
 	}
 }

-func getDSPermissions(b *testing.B, store accesscontrol.ResourcePermissionsStore, dataSources []int64) {
+func getDSPermissions(b *testing.B, store *AccessControlStore, dataSources []int64) {
 	dsId := dataSources[0]

 	permissions, err := store.GetResourcesPermissions(context.Background(), accesscontrol.GlobalOrgID, accesscontrol.GetResourcesPermissionsQuery{
@@ -99,6 +99,7 @@ func GenerateDatasourcePermissions(b *testing.B, db *sqlstore.SQLStore, ac *Acce
 					Resource:   dsResource,
 					ResourceID: strconv.Itoa(int(dsID)),
 				},
+				nil,
 			)
 			require.NoError(b, err)
 		}
@@ -115,6 +116,7 @@ func GenerateDatasourcePermissions(b *testing.B, db *sqlstore.SQLStore, ac *Acce
 					Resource:   "datasources",
 					ResourceID: strconv.Itoa(int(dsID)),
 				},
+				nil,
 			)
 			require.NoError(b, err)
 		}
--- a/pkg/services/accesscontrol/database/resource_permissions_test.go
+++ b/pkg/services/accesscontrol/database/resource_permissions_test.go
@@ -70,7 +70,7 @@ func TestAccessControlStore_SetUserResourcePermission(t *testing.T) {
 			store, _ := setupTestEnv(t)

 			for _, s := range test.seeds {
-				_, err := store.SetUserResourcePermission(context.Background(), test.orgID, test.userID, s)
+				_, err := store.SetUserResourcePermission(context.Background(), test.orgID, test.userID, s, nil)
 				require.NoError(t, err)
 			}

@@ -78,7 +78,7 @@ func TestAccessControlStore_SetUserResourcePermission(t *testing.T) {
 				Actions:    test.actions,
 				Resource:   test.resource,
 				ResourceID: test.resourceID,
-			})
+			}, nil)

 			require.NoError(t, err)
 			if len(test.actions) == 0 {
@@ -148,7 +148,7 @@ func TestAccessControlStore_SetTeamResourcePermission(t *testing.T) {
 			store, _ := setupTestEnv(t)

 			for _, s := range test.seeds {
-				_, err := store.SetTeamResourcePermission(context.Background(), test.orgID, test.teamID, s)
+				_, err := store.SetTeamResourcePermission(context.Background(), test.orgID, test.teamID, s, nil)
 				require.NoError(t, err)
 			}

@@ -156,7 +156,7 @@ func TestAccessControlStore_SetTeamResourcePermission(t *testing.T) {
 				Actions:    test.actions,
 				Resource:   test.resource,
 				ResourceID: test.resourceID,
-			})
+			}, nil)

 			require.NoError(t, err)
 			if len(test.actions) == 0 {
@@ -226,7 +226,7 @@ func TestAccessControlStore_SetBuiltInResourcePermission(t *testing.T) {
 			store, _ := setupTestEnv(t)

 			for _, s := range test.seeds {
-				_, err := store.SetBuiltInResourcePermission(context.Background(), test.orgID, test.builtInRole, s)
+				_, err := store.SetBuiltInResourcePermission(context.Background(), test.orgID, test.builtInRole, s, nil)
 				require.NoError(t, err)
 			}

@@ -234,7 +234,7 @@ func TestAccessControlStore_SetBuiltInResourcePermission(t *testing.T) {
 				Actions:    test.actions,
 				Resource:   test.resource,
 				ResourceID: test.resourceID,
-			})
+			}, nil)

 			require.NoError(t, err)
 			if len(test.actions) == 0 {
@@ -356,7 +356,7 @@ func seedResourcePermissions(t *testing.T, store *AccessControlStore, sql *sqlst
 			Actions:    actions,
 			Resource:   resource,
 			ResourceID: resourceID,
-		})
+		}, nil)
 		require.NoError(t, err)
 	}
 }