RBAC sync: Fix removal of roles which need to be added (#91152)

* RBAC sync: Fix removal of roles which need to be added * Optimize code * cleanup: appease the linter --------- Co-authored-by: Victor Cinaglia <victor@grafana.com>
2025-02-25 18:55:37 -06:00 · 2024-07-30 09:00:47 +02:00
parent 728150bdbd
commit e20f8c566d
2 changed files with 15 additions and 16 deletions
--- a/pkg/services/authn/authnimpl/sync/rbac_sync.go
+++ b/pkg/services/authn/authnimpl/sync/rbac_sync.go
@@ -4,6 +4,8 @@ import (
 	"context"
 	"errors"
 	"golang.org/x/exp/maps"
 	"github.com/grafana/grafana/pkg/apimachinery/errutil"
 	"github.com/grafana/grafana/pkg/apimachinery/identity"
 	"github.com/grafana/grafana/pkg/infra/log"
@@ -99,10 +101,6 @@ func (s *RBACSync) fetchPermissions(ctx context.Context, ident *authn.Identity)
 }
 func cloudRolesToAddAndRemove(ident *authn.Identity) ([]string, []string, error) {
 	const (
 		expectedRolesToAddCount = 2
 		rolesToRemoveInitialCap = 4
 	)
 	// Since Cloud Admin/Editor/Viewer roles are not yet implemented one-to-one in the Grafana, it becomes a confusing experience for users,
 	// therefore we are doing granular mapping of all available functionality in the Grafana temporary.
 	var fixedCloudRoles = map[org.RoleType][]string{
@@ -111,8 +109,8 @@ func cloudRolesToAddAndRemove(ident *authn.Identity) ([]string, []string, error)
 		org.RoleAdmin:  {accesscontrol.FixedCloudAdminRole, accesscontrol.FixedCloudSupportTicketAdmin},
 	}
-	rolesToAdd := make([]string, 0, expectedRolesToAddCount)
+	rolesToAdd := make(map[string]bool)
-	rolesToRemove := make([]string, 0, rolesToRemoveInitialCap)
+	rolesToRemove := make([]string, 0, 4)
 	currentRole := ident.GetOrgRole()
 	_, validRole := fixedCloudRoles[currentRole]
@@ -121,21 +119,24 @@ func cloudRolesToAddAndRemove(ident *authn.Identity) ([]string, []string, error)
 		return nil, nil, errInvalidCloudRole.Errorf("invalid role: %s", currentRole)
 	}
 	// Add roles for the current role and track them
 	for _, fixedRole := range fixedCloudRoles[currentRole] {
 		rolesToAdd[fixedRole] = true
 	}
 	// Add roles to remove, ensuring we don't remove any that have been added
 	for role, fixedRoles := range fixedCloudRoles {
 		if role == currentRole {
 			continue
 		}
 		for _, fixedRole := range fixedRoles {
-			if role == currentRole {
+			if _, ok := rolesToAdd[fixedRole]; !ok {
 				rolesToAdd = append(rolesToAdd, fixedRole)
 			} else {
 				rolesToRemove = append(rolesToRemove, fixedRole)
 			}
 		}
 	}
-	if len(rolesToAdd) != expectedRolesToAddCount {
+	return maps.Keys(rolesToAdd), rolesToRemove, nil
 		return nil, nil, errInvalidCloudRole.Errorf("invalid role: %s", currentRole)
 	}
 	return rolesToAdd, rolesToRemove, nil
 }
 func (s *RBACSync) SyncCloudRoles(ctx context.Context, ident *authn.Identity, r *authn.Request) error {
--- a/pkg/services/authn/authnimpl/sync/rbac_sync_test.go
+++ b/pkg/services/authn/authnimpl/sync/rbac_sync_test.go
@@ -189,7 +189,6 @@ func TestRBACSync_cloudRolesToAddAndRemove(t *testing.T) {
 				accesscontrol.FixedCloudViewerRole,
 				accesscontrol.FixedCloudSupportTicketReader,
 				accesscontrol.FixedCloudAdminRole,
 				accesscontrol.FixedCloudSupportTicketAdmin,
 			},
 		},
 		{
@@ -208,7 +207,6 @@ func TestRBACSync_cloudRolesToAddAndRemove(t *testing.T) {
 				accesscontrol.FixedCloudViewerRole,
 				accesscontrol.FixedCloudSupportTicketReader,
 				accesscontrol.FixedCloudEditorRole,
 				accesscontrol.FixedCloudSupportTicketAdmin,
 			},
 		},
 		{