Accesscontrol: Remove service account creation code from addapikey (#43900)
* Remove service account creation code from addapikey Co-authored-by: J Guerreiro <joao.guerreiro@grafana.com>
parent
6409e761b5
commit
e894837b7e
@ -80,35 +80,8 @@ func (hs *HTTPServer) AddAPIKey(c *models.ReqContext) response.Response {
|
||||
cmd.OrgId = c.OrgId
|
||||
var err error
|
||||
if hs.Cfg.FeatureToggles["service-accounts"] {
|
||||
//Every new API key must have an associated service account
|
||||
if cmd.CreateNewServiceAccount {
|
||||
//Create a new service account for the new API key
|
||||
serviceAccount, err := hs.SQLStore.CloneUserToServiceAccount(c.Req.Context(), c.SignedInUser)
|
||||
if err != nil {
|
||||
hs.log.Warn("Unable to clone user to service account", "err", err)
|
||||
return response.Error(500, "Unable to clone user to service account", err)
|
||||
}
|
||||
cmd.ServiceAccountId = serviceAccount.Id
|
||||
} else {
|
||||
//Link the new API key to an existing service account
|
||||
|
||||
//Check if user and service account are in the same org
|
||||
query := models.GetUserByIdQuery{Id: cmd.ServiceAccountId}
|
||||
err = bus.Dispatch(c.Req.Context(), &query)
|
||||
if err != nil {
|
||||
hs.log.Warn("Unable to link new API key to existing service account", "err", err, "query", query)
|
||||
return response.Error(500, "Unable to link new API key to existing service account", err)
|
||||
}
|
||||
serviceAccountDetails := query.Result
|
||||
if serviceAccountDetails.OrgId != c.OrgId || serviceAccountDetails.OrgId != cmd.OrgId {
|
||||
hs.log.Warn("Target service is not in the same organisation as requesting user or api key", "err", err, "reqOrg", cmd.OrgId, "serviceAccId", serviceAccountDetails.OrgId, "userOrgId", c.OrgId)
|
||||
return response.Error(403, "Target service is not in the same organisation as requesting user or api key", err)
|
||||
}
|
||||
}
|
||||
} else {
|
||||
if cmd.CreateNewServiceAccount {
|
||||
return response.Error(400, "Service accounts disabled. Retry create api request without service account flag.", err)
|
||||
}
|
||||
// Api keys should now be created with addadditionalapikey endpoint
|
||||
return response.Error(400, "API keys should now be added via the AdditionalAPIKey endpoint.", err)
|
||||
}
|
||||
|
||||
newKeyInfo, err := apikeygen.New(cmd.OrgId, cmd.Name)
|
||||
@ -146,9 +119,6 @@ func (hs *HTTPServer) AdditionalAPIKey(c *models.ReqContext) response.Response {
|
||||
if !hs.Cfg.FeatureToggles["service-accounts"] {
|
||||
return response.Error(500, "Requires services-accounts feature", errors.New("feature missing"))
|
||||
}
|
||||
if cmd.CreateNewServiceAccount {
|
||||
return response.Error(500, "Can't create service account while adding additional API key", nil)
|
||||
}
|
||||
|
||||
return hs.AddAPIKey(c)
|
||||
}
|
||||
|
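Review bot: The feature-toggle guard at the top of AdditionalAPIKey (`if !hs.Cfg.FeatureToggles["service-accounts"]`) answers 500 with "Requires services-accounts feature", which reports a deliberately disabled feature as a server failure and misspells the toggle key checked on the line above (`service-accounts`). A client-visible precondition reads better as `return response.Error(400, "Requires service-accounts feature", errors.New("feature missing"))`. With the CreateNewServiceAccount guard dropped, the handler is now a bare pass-through to `hs.AddAPIKey(c)`; whether AddAPIKey itself still refuses requests when the toggle is off is not visible in the first hunk, so this check is presumably the only gate and is worth confirming. AdditionalAPIKey's signature sits on the hunk header, so the function starts outside the hunk.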
@ -27,15 +27,13 @@ type ApiKey struct {
|
||||
// ---------------------
|
||||
// COMMANDS
|
||||
type AddApiKeyCommand struct {
|
||||
Name string `json:"name" binding:"Required"`
|
||||
Role RoleType `json:"role" binding:"Required"`
|
||||
OrgId int64 `json:"-"`
|
||||
Key string `json:"-"`
|
||||
SecondsToLive int64 `json:"secondsToLive"`
|
||||
ServiceAccountId int64 `json:"serviceAccount"`
|
||||
CreateNewServiceAccount bool `json:"createServiceAccount"`
|
||||
|
||||
Result *ApiKey `json:"-"`
|
||||
Name string `json:"name" binding:"Required"`
|
||||
Role RoleType `json:"role" binding:"Required"`
|
||||
OrgId int64 `json:"-"`
|
||||
Key string `json:"-"`
|
||||
SecondsToLive int64 `json:"secondsToLive"`
|
||||
ServiceAccountId int64 `json:"-"`
|
||||
Result *ApiKey `json:"-"`
|
||||
}
|
||||
|
||||
type DeleteApiKeyCommand struct {
|
||||
|
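Review bot: ServiceAccountId moving to `json:"-"` is what makes the old same-org check in AddAPIKey dispensable — a caller can no longer choose which service account a key is linked to, so the field must now be populated server-side only. That invariant is not written down anywhere in the struct; I would document it on the field: `// ServiceAccountId is assigned by the server and never bound from the request body; exposing it to JSON again would require restoring the same-org ownership check in AddAPIKey.` The `Id` suffix departs from Go's initialism style (`ServiceAccountID`), but the file consistently uses `OrgId`, so leaving it is the right call here.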