mirror of
https://github.com/grafana/grafana.git
synced 2025-02-25 18:55:37 -06:00
Access Control: Move access control middlewares to domain package (#48322)
* Move access control middleware to domain package
This commit is contained in:
Karl Persson
GitHub
parent
6edefe5147
commit
e9a93ebfc9
@ -10,7 +10,6 @@ import (
|
||||
"github.com/grafana/grafana/pkg/middleware"
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
acmiddleware "github.com/grafana/grafana/pkg/services/accesscontrol/middleware"
|
||||
"github.com/grafana/grafana/pkg/services/dashboards"
|
||||
"github.com/grafana/grafana/pkg/services/datasources"
|
||||
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
||||
@ -33,8 +32,8 @@ func (hs *HTTPServer) registerRoutes() {
|
||||
reqCanAccessTeams := middleware.AdminOrEditorAndFeatureEnabled(hs.Cfg.EditorsCanAdmin)
|
||||
reqSnapshotPublicModeOrSignedIn := middleware.SnapshotPublicModeOrSignedIn(hs.Cfg)
|
||||
redirectFromLegacyPanelEditURL := middleware.RedirectFromLegacyPanelEditURL(hs.Cfg)
|
||||
authorize := acmiddleware.Middleware(hs.AccessControl)
|
||||
authorizeInOrg := acmiddleware.AuthorizeInOrgMiddleware(hs.AccessControl, hs.SQLStore)
|
||||
authorize := ac.Middleware(hs.AccessControl)
|
||||
authorizeInOrg := ac.AuthorizeInOrgMiddleware(hs.AccessControl, hs.SQLStore)
|
||||
quota := middleware.Quota(hs.QuotaService)
|
||||
|
||||
r := hs.RouteRegister
|
||||
@ -53,7 +52,7 @@ func (hs *HTTPServer) registerRoutes() {
|
||||
r.Get("/.well-known/change-password", redirectToChangePassword)
|
||||
r.Get("/profile/switch-org/:id", reqSignedInNoAnonymous, hs.ChangeActiveOrgAndRedirectToHome)
|
||||
r.Get("/org/", authorize(reqOrgAdmin, orgPreferencesAccessEvaluator), hs.Index)
|
||||
r.Get("/org/new", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseGlobalOrg, orgsCreateAccessEvaluator), hs.Index)
|
||||
r.Get("/org/new", authorizeInOrg(reqGrafanaAdmin, ac.UseGlobalOrg, orgsCreateAccessEvaluator), hs.Index)
|
||||
r.Get("/datasources/", authorize(reqOrgAdmin, datasources.ConfigurationPageAccess), hs.Index)
|
||||
r.Get("/datasources/new", authorize(reqOrgAdmin, datasources.NewPageAccess), hs.Index)
|
||||
r.Get("/datasources/edit/*", authorize(reqOrgAdmin, datasources.EditPageAccess), hs.Index)
|
||||
@ -73,8 +72,8 @@ func (hs *HTTPServer) registerRoutes() {
|
||||
r.Get("/admin/users", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersRead, ac.ScopeGlobalUsersAll)), hs.Index)
|
||||
r.Get("/admin/users/create", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersCreate)), hs.Index)
|
||||
r.Get("/admin/users/edit/:id", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionUsersRead)), hs.Index)
|
||||
r.Get("/admin/orgs", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseGlobalOrg, orgsAccessEvaluator), hs.Index)
|
||||
r.Get("/admin/orgs/edit/:id", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseGlobalOrg, orgsAccessEvaluator), hs.Index)
|
||||
r.Get("/admin/orgs", authorizeInOrg(reqGrafanaAdmin, ac.UseGlobalOrg, orgsAccessEvaluator), hs.Index)
|
||||
r.Get("/admin/orgs/edit/:id", authorizeInOrg(reqGrafanaAdmin, ac.UseGlobalOrg, orgsAccessEvaluator), hs.Index)
|
||||
r.Get("/admin/stats", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionServerStatsRead)), hs.Index)
|
||||
r.Get("/admin/ldap", authorize(reqGrafanaAdmin, ac.EvalPermission(ac.ActionLDAPStatusRead)), hs.Index)
|
||||
r.Get("/styleguide", reqSignedIn, hs.Index)
|
||||
@ -251,28 +250,28 @@ func (hs *HTTPServer) registerRoutes() {
|
||||
})
|
||||
|
||||
// create new org
|
||||
apiRoute.Post("/orgs", authorizeInOrg(reqSignedIn, acmiddleware.UseGlobalOrg, ac.EvalPermission(ActionOrgsCreate)), quota("org"), routing.Wrap(hs.CreateOrg))
|
||||
apiRoute.Post("/orgs", authorizeInOrg(reqSignedIn, ac.UseGlobalOrg, ac.EvalPermission(ActionOrgsCreate)), quota("org"), routing.Wrap(hs.CreateOrg))
|
||||
|
||||
// search all orgs
|
||||
apiRoute.Get("/orgs", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseGlobalOrg, ac.EvalPermission(ActionOrgsRead)), routing.Wrap(hs.SearchOrgs))
|
||||
apiRoute.Get("/orgs", authorizeInOrg(reqGrafanaAdmin, ac.UseGlobalOrg, ac.EvalPermission(ActionOrgsRead)), routing.Wrap(hs.SearchOrgs))
|
||||
|
||||
// orgs (admin routes)
|
||||
apiRoute.Group("/orgs/:orgId", func(orgsRoute routing.RouteRegister) {
|
||||
userIDScope := ac.Scope("users", "id", ac.Parameter(":userId"))
|
||||
orgsRoute.Get("/", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseOrgFromContextParams, ac.EvalPermission(ActionOrgsRead)), routing.Wrap(hs.GetOrgByID))
|
||||
orgsRoute.Put("/", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseOrgFromContextParams, ac.EvalPermission(ActionOrgsWrite)), routing.Wrap(hs.UpdateOrg))
|
||||
orgsRoute.Put("/address", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseOrgFromContextParams, ac.EvalPermission(ActionOrgsWrite)), routing.Wrap(hs.UpdateOrgAddress))
|
||||
orgsRoute.Delete("/", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseOrgFromContextParams, ac.EvalPermission(ActionOrgsDelete)), routing.Wrap(hs.DeleteOrgByID))
|
||||
orgsRoute.Get("/users", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseOrgFromContextParams, ac.EvalPermission(ac.ActionOrgUsersRead, ac.ScopeUsersAll)), routing.Wrap(hs.GetOrgUsers))
|
||||
orgsRoute.Post("/users", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseOrgFromContextParams, ac.EvalPermission(ac.ActionOrgUsersAdd, ac.ScopeUsersAll)), routing.Wrap(hs.AddOrgUser))
|
||||
orgsRoute.Patch("/users/:userId", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseOrgFromContextParams, ac.EvalPermission(ac.ActionOrgUsersRoleUpdate, userIDScope)), routing.Wrap(hs.UpdateOrgUser))
|
||||
orgsRoute.Delete("/users/:userId", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseOrgFromContextParams, ac.EvalPermission(ac.ActionOrgUsersRemove, userIDScope)), routing.Wrap(hs.RemoveOrgUser))
|
||||
orgsRoute.Get("/quotas", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseOrgFromContextParams, ac.EvalPermission(ActionOrgsQuotasRead)), routing.Wrap(hs.GetOrgQuotas))
|
||||
orgsRoute.Put("/quotas/:target", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseOrgFromContextParams, ac.EvalPermission(ActionOrgsQuotasWrite)), routing.Wrap(hs.UpdateOrgQuota))
|
||||
orgsRoute.Get("/", authorizeInOrg(reqGrafanaAdmin, ac.UseOrgFromContextParams, ac.EvalPermission(ActionOrgsRead)), routing.Wrap(hs.GetOrgByID))
|
||||
orgsRoute.Put("/", authorizeInOrg(reqGrafanaAdmin, ac.UseOrgFromContextParams, ac.EvalPermission(ActionOrgsWrite)), routing.Wrap(hs.UpdateOrg))
|
||||
orgsRoute.Put("/address", authorizeInOrg(reqGrafanaAdmin, ac.UseOrgFromContextParams, ac.EvalPermission(ActionOrgsWrite)), routing.Wrap(hs.UpdateOrgAddress))
|
||||
orgsRoute.Delete("/", authorizeInOrg(reqGrafanaAdmin, ac.UseOrgFromContextParams, ac.EvalPermission(ActionOrgsDelete)), routing.Wrap(hs.DeleteOrgByID))
|
||||
orgsRoute.Get("/users", authorizeInOrg(reqGrafanaAdmin, ac.UseOrgFromContextParams, ac.EvalPermission(ac.ActionOrgUsersRead, ac.ScopeUsersAll)), routing.Wrap(hs.GetOrgUsers))
|
||||
orgsRoute.Post("/users", authorizeInOrg(reqGrafanaAdmin, ac.UseOrgFromContextParams, ac.EvalPermission(ac.ActionOrgUsersAdd, ac.ScopeUsersAll)), routing.Wrap(hs.AddOrgUser))
|
||||
orgsRoute.Patch("/users/:userId", authorizeInOrg(reqGrafanaAdmin, ac.UseOrgFromContextParams, ac.EvalPermission(ac.ActionOrgUsersRoleUpdate, userIDScope)), routing.Wrap(hs.UpdateOrgUser))
|
||||
orgsRoute.Delete("/users/:userId", authorizeInOrg(reqGrafanaAdmin, ac.UseOrgFromContextParams, ac.EvalPermission(ac.ActionOrgUsersRemove, userIDScope)), routing.Wrap(hs.RemoveOrgUser))
|
||||
orgsRoute.Get("/quotas", authorizeInOrg(reqGrafanaAdmin, ac.UseOrgFromContextParams, ac.EvalPermission(ActionOrgsQuotasRead)), routing.Wrap(hs.GetOrgQuotas))
|
||||
orgsRoute.Put("/quotas/:target", authorizeInOrg(reqGrafanaAdmin, ac.UseOrgFromContextParams, ac.EvalPermission(ActionOrgsQuotasWrite)), routing.Wrap(hs.UpdateOrgQuota))
|
||||
})
|
||||
|
||||
// orgs (admin routes)
|
||||
apiRoute.Get("/orgs/name/:name/", authorizeInOrg(reqGrafanaAdmin, acmiddleware.UseGlobalOrg, ac.EvalPermission(ActionOrgsRead)), routing.Wrap(hs.GetOrgByName))
|
||||
apiRoute.Get("/orgs/name/:name/", authorizeInOrg(reqGrafanaAdmin, ac.UseGlobalOrg, ac.EvalPermission(ActionOrgsRead)), routing.Wrap(hs.GetOrgByName))
|
||||
|
||||
// auth api keys
|
||||
apiRoute.Group("/auth/keys", func(keysRoute routing.RouteRegister) {
|
||||
|
||||
@ -21,7 +21,6 @@ import (
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol/database"
|
||||
acmiddleware "github.com/grafana/grafana/pkg/services/accesscontrol/middleware"
|
||||
accesscontrolmock "github.com/grafana/grafana/pkg/services/accesscontrol/mock"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol/ossaccesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/auth"
|
||||
@ -421,7 +420,7 @@ func setupHTTPServerWithCfgDb(t *testing.T, useFakeAccessControl, enableAccessCo
|
||||
c.Map(initCtx)
|
||||
})
|
||||
|
||||
m.Use(acmiddleware.LoadPermissionsMiddleware(hs.AccessControl))
|
||||
m.Use(accesscontrol.LoadPermissionsMiddleware(hs.AccessControl))
|
||||
|
||||
// Register all routes
|
||||
hs.registerRoutes()
|
||||
|
||||
@ -28,7 +28,6 @@ import (
|
||||
"github.com/grafana/grafana/pkg/plugins"
|
||||
"github.com/grafana/grafana/pkg/plugins/plugincontext"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
acmiddleware "github.com/grafana/grafana/pkg/services/accesscontrol/middleware"
|
||||
"github.com/grafana/grafana/pkg/services/alerting"
|
||||
"github.com/grafana/grafana/pkg/services/cleanup"
|
||||
"github.com/grafana/grafana/pkg/services/comments"
|
||||
@ -513,7 +512,7 @@ func (hs *HTTPServer) addMiddlewaresAndStaticRoutes() {
|
||||
|
||||
m.Use(hs.ContextHandler.Middleware)
|
||||
m.Use(middleware.OrgRedirect(hs.Cfg, hs.SQLStore))
|
||||
m.Use(acmiddleware.LoadPermissionsMiddleware(hs.AccessControl))
|
||||
m.Use(accesscontrol.LoadPermissionsMiddleware(hs.AccessControl))
|
||||
|
||||
// needs to be after context handler
|
||||
if hs.Cfg.EnforceDomain {
|
||||
|
||||
@ -1,35 +1,20 @@
|
||||
package middleware
|
||||
package accesscontrol
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"strconv"
|
||||
"time"
|
||||
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/sqlstore"
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
"github.com/grafana/grafana/pkg/util"
|
||||
"github.com/grafana/grafana/pkg/web"
|
||||
)
|
||||
|
||||
func authorize(c *models.ReqContext, ac accesscontrol.AccessControl, user *models.SignedInUser, evaluator accesscontrol.Evaluator) {
|
||||
injected, err := evaluator.MutateScopes(c.Req.Context(), accesscontrol.ScopeInjector(buildScopeParams(c)))
|
||||
if err != nil {
|
||||
c.JsonApiErr(http.StatusInternalServerError, "Internal server error", err)
|
||||
return
|
||||
}
|
||||
|
||||
hasAccess, err := ac.Evaluate(c.Req.Context(), user, injected)
|
||||
if !hasAccess || err != nil {
|
||||
Deny(c, injected, err)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
func Middleware(ac accesscontrol.AccessControl) func(web.Handler, accesscontrol.Evaluator) web.Handler {
|
||||
return func(fallback web.Handler, evaluator accesscontrol.Evaluator) web.Handler {
|
||||
func Middleware(ac AccessControl) func(web.Handler, Evaluator) web.Handler {
|
||||
return func(fallback web.Handler, evaluator Evaluator) web.Handler {
|
||||
if ac.IsDisabled() {
|
||||
return fallback
|
||||
}
|
||||
@ -40,7 +25,24 @@ func Middleware(ac accesscontrol.AccessControl) func(web.Handler, accesscontrol.
|
||||
}
|
||||
}
|
||||
|
||||
func Deny(c *models.ReqContext, evaluator accesscontrol.Evaluator, err error) {
|
||||
func authorize(c *models.ReqContext, ac AccessControl, user *models.SignedInUser, evaluator Evaluator) {
|
||||
injected, err := evaluator.MutateScopes(c.Req.Context(), ScopeInjector(ScopeParams{
|
||||
OrgID: c.OrgId,
|
||||
URLParams: web.Params(c.Req),
|
||||
}))
|
||||
if err != nil {
|
||||
c.JsonApiErr(http.StatusInternalServerError, "Internal server error", err)
|
||||
return
|
||||
}
|
||||
|
||||
hasAccess, err := ac.Evaluate(c.Req.Context(), user, injected)
|
||||
if !hasAccess || err != nil {
|
||||
deny(c, injected, err)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
func deny(c *models.ReqContext, evaluator Evaluator, err error) {
|
||||
id := newID()
|
||||
if err != nil {
|
||||
c.Logger.Error("Error from access control system", "error", err, "accessErrorID", id)
|
||||
@ -59,13 +61,18 @@ func Deny(c *models.ReqContext, evaluator accesscontrol.Evaluator, err error) {
|
||||
return
|
||||
}
|
||||
|
||||
message := ""
|
||||
if evaluator != nil {
|
||||
message = evaluator.String()
|
||||
}
|
||||
|
||||
// If the user triggers an error in the access control system, we
|
||||
// don't want the user to be aware of that, so the user gets the
|
||||
// same information from the system regardless of if it's an
|
||||
// internal server error or access denied.
|
||||
c.JSON(http.StatusForbidden, map[string]string{
|
||||
"title": "Access denied", // the component needs to pick this up
|
||||
"message": fmt.Sprintf("You'll need additional permissions to perform this action. Permissions needed: %s", evaluator.String()),
|
||||
"message": fmt.Sprintf("You'll need additional permissions to perform this action. Permissions needed: %s", message),
|
||||
"accessErrorId": id,
|
||||
})
|
||||
}
|
||||
@ -82,17 +89,13 @@ func newID() string {
|
||||
return "ACE" + id
|
||||
}
|
||||
|
||||
func buildScopeParams(c *models.ReqContext) accesscontrol.ScopeParams {
|
||||
return accesscontrol.ScopeParams{
|
||||
OrgID: c.OrgId,
|
||||
URLParams: web.Params(c.Req),
|
||||
}
|
||||
type OrgIDGetter func(c *models.ReqContext) (int64, error)
|
||||
type userCache interface {
|
||||
GetSignedInUserWithCacheCtx(ctx context.Context, query *models.GetSignedInUserQuery) error
|
||||
}
|
||||
|
||||
type OrgIDGetter func(c *models.ReqContext) (int64, error)
|
||||
|
||||
func AuthorizeInOrgMiddleware(ac accesscontrol.AccessControl, db sqlstore.Store) func(web.Handler, OrgIDGetter, accesscontrol.Evaluator) web.Handler {
|
||||
return func(fallback web.Handler, getTargetOrg OrgIDGetter, evaluator accesscontrol.Evaluator) web.Handler {
|
||||
func AuthorizeInOrgMiddleware(ac AccessControl, cache userCache) func(web.Handler, OrgIDGetter, Evaluator) web.Handler {
|
||||
return func(fallback web.Handler, getTargetOrg OrgIDGetter, evaluator Evaluator) web.Handler {
|
||||
if ac.IsDisabled() {
|
||||
return fallback
|
||||
}
|
||||
@ -102,17 +105,17 @@ func AuthorizeInOrgMiddleware(ac accesscontrol.AccessControl, db sqlstore.Store)
|
||||
userCopy := *(c.SignedInUser)
|
||||
orgID, err := getTargetOrg(c)
|
||||
if err != nil {
|
||||
Deny(c, nil, fmt.Errorf("failed to get target org: %w", err))
|
||||
deny(c, nil, fmt.Errorf("failed to get target org: %w", err))
|
||||
return
|
||||
}
|
||||
if orgID == accesscontrol.GlobalOrgID {
|
||||
if orgID == GlobalOrgID {
|
||||
userCopy.OrgId = orgID
|
||||
userCopy.OrgName = ""
|
||||
userCopy.OrgRole = ""
|
||||
} else {
|
||||
query := models.GetSignedInUserQuery{UserId: c.UserId, OrgId: orgID}
|
||||
if err := db.GetSignedInUserWithCacheCtx(c.Req.Context(), &query); err != nil {
|
||||
Deny(c, nil, fmt.Errorf("failed to authenticate user in target org: %w", err))
|
||||
if err := cache.GetSignedInUserWithCacheCtx(c.Req.Context(), &query); err != nil {
|
||||
deny(c, nil, fmt.Errorf("failed to authenticate user in target org: %w", err))
|
||||
return
|
||||
}
|
||||
userCopy.OrgId = query.Result.OrgId
|
||||
@ -122,7 +125,7 @@ func AuthorizeInOrgMiddleware(ac accesscontrol.AccessControl, db sqlstore.Store)
|
||||
|
||||
authorize(c, ac, &userCopy, evaluator)
|
||||
|
||||
// Set the signed in user permissions in that org
|
||||
// Set the sign-ed in user permissions in that org
|
||||
c.SignedInUser.Permissions = userCopy.Permissions
|
||||
}
|
||||
}
|
||||
@ -140,27 +143,17 @@ func UseOrgFromContextParams(c *models.ReqContext) (int64, error) {
|
||||
}
|
||||
|
||||
func UseGlobalOrg(c *models.ReqContext) (int64, error) {
|
||||
return accesscontrol.GlobalOrgID, nil
|
||||
return GlobalOrgID, nil
|
||||
}
|
||||
|
||||
// Disable returns http 404 if shouldDisable is set to true
|
||||
func Disable(shouldDisable bool) web.Handler {
|
||||
return func(c *models.ReqContext) {
|
||||
if shouldDisable {
|
||||
c.Resp.WriteHeader(http.StatusNotFound)
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func LoadPermissionsMiddleware(ac accesscontrol.AccessControl) web.Handler {
|
||||
func LoadPermissionsMiddleware(ac AccessControl) web.Handler {
|
||||
return func(c *models.ReqContext) {
|
||||
if ac.IsDisabled() {
|
||||
return
|
||||
}
|
||||
|
||||
permissions, err := ac.GetUserPermissions(c.Req.Context(), c.SignedInUser,
|
||||
accesscontrol.Options{ReloadCache: false})
|
||||
Options{ReloadCache: false})
|
||||
if err != nil {
|
||||
c.JsonApiErr(http.StatusForbidden, "", err)
|
||||
return
|
||||
@ -169,6 +162,6 @@ func LoadPermissionsMiddleware(ac accesscontrol.AccessControl) web.Handler {
|
||||
if c.SignedInUser.Permissions == nil {
|
||||
c.SignedInUser.Permissions = make(map[int64]map[string][]string)
|
||||
}
|
||||
c.SignedInUser.Permissions[c.OrgId] = accesscontrol.GroupScopesByAction(permissions)
|
||||
c.SignedInUser.Permissions[c.OrgId] = GroupScopesByAction(permissions)
|
||||
}
|
||||
}
|
||||
@ -1,17 +1,17 @@
|
||||
package middleware
|
||||
package accesscontrol_test
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
|
||||
"github.com/grafana/grafana/pkg/web"
|
||||
"github.com/stretchr/testify/assert"
|
||||
|
||||
"github.com/grafana/grafana/pkg/infra/log"
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol/mock"
|
||||
"github.com/grafana/grafana/pkg/web"
|
||||
)
|
||||
|
||||
type middlewareTestCase struct {
|
||||
@ -61,7 +61,7 @@ func TestMiddleware(t *testing.T) {
|
||||
server.UseMiddleware(web.Renderer("../../public/views", "[[", "]]"))
|
||||
|
||||
server.Use(contextProvider())
|
||||
server.Use(Middleware(test.ac)(fallback, test.evaluator))
|
||||
server.Use(accesscontrol.Middleware(test.ac)(fallback, test.evaluator))
|
||||
|
||||
endpointCalled := false
|
||||
server.Get("/", func(c *models.ReqContext) {
|
||||
@ -10,7 +10,6 @@ import (
|
||||
"github.com/grafana/grafana/pkg/api/routing"
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol/middleware"
|
||||
"github.com/grafana/grafana/pkg/web"
|
||||
)
|
||||
|
||||
@ -55,10 +54,10 @@ func (a *api) getEvaluators(actionRead, actionWrite, scope string) (read, write
|
||||
}
|
||||
|
||||
func (a *api) registerEndpoints() {
|
||||
auth := middleware.Middleware(a.ac)
|
||||
auth := accesscontrol.Middleware(a.ac)
|
||||
disable := disableMiddleware(a.ac.IsDisabled())
|
||||
uidSolver := solveUID(a.service.options.UidSolver)
|
||||
inheritanceSolver := solveInheritedScopes(a.service.options.InheritedScopesSolver)
|
||||
disable := middleware.Disable(a.ac.IsDisabled())
|
||||
a.router.Group(fmt.Sprintf("/api/access-control/%s", a.service.options.Resource), func(r routing.RouteRegister) {
|
||||
actionRead := fmt.Sprintf("%s.permissions:read", a.service.options.Resource)
|
||||
actionWrite := fmt.Sprintf("%s.permissions:write", a.service.options.Resource)
|
||||
|
||||
@ -43,3 +43,12 @@ func solveInheritedScopes(solve InheritedScopesSolver) web.Handler {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func disableMiddleware(shouldDisable bool) web.Handler {
|
||||
return func(c *models.ReqContext) {
|
||||
if shouldDisable {
|
||||
c.Resp.WriteHeader(http.StatusNotFound)
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -11,7 +11,6 @@ import (
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
"github.com/grafana/grafana/pkg/plugins"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
acmiddleware "github.com/grafana/grafana/pkg/services/accesscontrol/middleware"
|
||||
"github.com/grafana/grafana/pkg/services/dashboardimport"
|
||||
"github.com/grafana/grafana/pkg/web"
|
||||
)
|
||||
@ -36,7 +35,7 @@ func New(dashboardImportService dashboardimport.Service, quotaService QuotaServi
|
||||
}
|
||||
|
||||
func (api *ImportDashboardAPI) RegisterAPIEndpoints(routeRegister routing.RouteRegister) {
|
||||
authorize := acmiddleware.Middleware(api.ac)
|
||||
authorize := accesscontrol.Middleware(api.ac)
|
||||
routeRegister.Group("/api/dashboards", func(route routing.RouteRegister) {
|
||||
route.Post(
|
||||
"/import",
|
||||
|
||||
@ -10,7 +10,6 @@ import (
|
||||
"github.com/grafana/grafana/pkg/middleware"
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
acmiddleware "github.com/grafana/grafana/pkg/services/accesscontrol/middleware"
|
||||
"github.com/grafana/grafana/pkg/services/dashboards"
|
||||
"github.com/grafana/grafana/pkg/services/datasources"
|
||||
ngmodels "github.com/grafana/grafana/pkg/services/ngalert/models"
|
||||
@ -23,7 +22,7 @@ var (
|
||||
|
||||
//nolint:gocyclo
|
||||
func (api *API) authorize(method, path string) web.Handler {
|
||||
authorize := acmiddleware.Middleware(api.AccessControl)
|
||||
authorize := ac.Middleware(api.AccessControl)
|
||||
var eval ac.Evaluator = nil
|
||||
|
||||
// Most routes follow this general authorization approach as a fallback. Exceptions are overridden directly in the below block.
|
||||
|
||||
@ -12,7 +12,6 @@ import (
|
||||
"github.com/grafana/grafana/pkg/middleware"
|
||||
"github.com/grafana/grafana/pkg/models"
|
||||
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
||||
acmiddleware "github.com/grafana/grafana/pkg/services/accesscontrol/middleware"
|
||||
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
||||
"github.com/grafana/grafana/pkg/services/serviceaccounts"
|
||||
"github.com/grafana/grafana/pkg/services/serviceaccounts/database"
|
||||
@ -53,7 +52,7 @@ func (api *ServiceAccountsAPI) RegisterAPIEndpoints(
|
||||
return
|
||||
}
|
||||
|
||||
auth := acmiddleware.Middleware(api.accesscontrol)
|
||||
auth := accesscontrol.Middleware(api.accesscontrol)
|
||||
api.RouterRegister.Group("/api/serviceaccounts", func(serviceAccountsRoute routing.RouteRegister) {
|
||||
serviceAccountsRoute.Get("/search", auth(middleware.ReqOrgAdmin,
|
||||
accesscontrol.EvalPermission(serviceaccounts.ActionRead)), routing.Wrap(api.SearchOrgServiceAccountsWithPaging))
|
||||
|
||||
Loading…
Reference in New Issue
Block a user