Chore: clean up access control for data sources (#73010)

* move DS guardian interfaces to OSS, move allow guardian to OSS

* update codeowner file

pkg/services/datasources/guardian/allow_guardian.go

@@ -0,0 +1,19 @@
+package guardian
+
+import (
+	"github.com/grafana/grafana/pkg/services/datasources"
+)
+
+var _ DatasourceGuardian = new(AllowGuardian)
+
+// AllowGuardian is used whenever an enterprise build is running without a license.
+// It allows every one to Query all data sources and will not filter out any of them
+type AllowGuardian struct{}
+
+func (n AllowGuardian) CanQuery(datasourceID int64) (bool, error) {
+	return true, nil
+}
+
+func (n AllowGuardian) FilterDatasourcesByQueryPermissions(ds []*datasources.DataSource) ([]*datasources.DataSource, error) {
+	return ds, nil
+}

pkg/services/datasources/guardian/provider.go

@@ -0,0 +1,25 @@
+package guardian
+
+import (
+	"github.com/grafana/grafana/pkg/services/datasources"
+	"github.com/grafana/grafana/pkg/services/user"
+)
+
+type DatasourceGuardianProvider interface {
+	New(orgID int64, user *user.SignedInUser, dataSources ...datasources.DataSource) DatasourceGuardian
+}
+
+type DatasourceGuardian interface {
+	CanQuery(datasourceID int64) (bool, error)
+	FilterDatasourcesByQueryPermissions([]*datasources.DataSource) ([]*datasources.DataSource, error)
+}
+
+func ProvideGuardian() *OSSProvider {
+	return &OSSProvider{}
+}
+
+type OSSProvider struct{}
+
+func (p *OSSProvider) New(orgID int64, user *user.SignedInUser, dataSources ...datasources.DataSource) DatasourceGuardian {
+	return &AllowGuardian{}
+}

pkg/services/datasources/permissions/datasource_permissions.go

@@ -1,25 +0,0 @@
-package permissions
-
-import (
-	"context"
-	"errors"
-
-	"github.com/grafana/grafana/pkg/services/datasources"
-)
-
-var ErrNotImplemented = errors.New("not implemented")
-
-type DatasourcePermissionsService interface {
-	FilterDatasourcesBasedOnQueryPermissions(ctx context.Context, cmd *datasources.DatasourcesPermissionFilterQuery) ([]*datasources.DataSource, error)
-}
-
-// dummy method
-func (hs *OSSDatasourcePermissionsService) FilterDatasourcesBasedOnQueryPermissions(ctx context.Context, cmd *datasources.DatasourcesPermissionFilterQuery) ([]*datasources.DataSource, error) {
-	return nil, ErrNotImplemented
-}
-
-type OSSDatasourcePermissionsService struct{}
-
-func ProvideDatasourcePermissionsService() *OSSDatasourcePermissionsService {
-	return &OSSDatasourcePermissionsService{}
-}

pkg/services/datasources/permissions/datasource_permissions_mocks.go

@@ -1,21 +0,0 @@
-package permissions
-
-import (
-	"context"
-
-	"github.com/grafana/grafana/pkg/services/datasources"
-)
-
-type mockDatasourcePermissionService struct {
-	DsResult    []*datasources.DataSource
-	DsUidResult []string
-	ErrResult   error
-}
-
-func (m *mockDatasourcePermissionService) FilterDatasourcesBasedOnQueryPermissions(ctx context.Context, cmd *datasources.DatasourcesPermissionFilterQuery) ([]*datasources.DataSource, error) {
-	return m.DsResult, m.ErrResult
-}
-
-func NewMockDatasourcePermissionService() *mockDatasourcePermissionService {
-	return &mockDatasourcePermissionService{}
-}

pkg/services/datasources/service/cache.go

@@ -9,6 +9,7 @@ import (
 	"github.com/grafana/grafana/pkg/infra/localcache"
 	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/services/datasources"
+	"github.com/grafana/grafana/pkg/services/datasources/guardian"
 	"github.com/grafana/grafana/pkg/services/user"
 )
 
@@ -16,12 +17,13 @@ const (
 	DefaultCacheTTL = 5 * time.Second
 )
 
-func ProvideCacheService(cacheService *localcache.CacheService, sqlStore db.DB) *CacheServiceImpl {
+func ProvideCacheService(cacheService *localcache.CacheService, sqlStore db.DB, dsGuardian guardian.DatasourceGuardianProvider) *CacheServiceImpl {
 	return &CacheServiceImpl{
 		logger:       log.New("datasources"),
 		cacheTTL:     DefaultCacheTTL,
 		CacheService: cacheService,
 		SQLStore:     sqlStore,
+		dsGuardian:   dsGuardian,
 	}
 }
 
@@ -30,6 +32,7 @@ type CacheServiceImpl struct {
 	cacheTTL     time.Duration
 	CacheService *localcache.CacheService
 	SQLStore     db.DB
+	dsGuardian   guardian.DatasourceGuardianProvider
 }
 
 func (dc *CacheServiceImpl) GetDatasource(
@@ -44,6 +47,9 @@ func (dc *CacheServiceImpl) GetDatasource(
 		if cached, found := dc.CacheService.Get(cacheKey); found {
 			ds := cached.(*datasources.DataSource)
 			if ds.OrgID == user.OrgID {
+				if err := dc.canQuery(user, ds); err != nil {
+					return nil, err
+				}
 				return ds, nil
 			}
 		}
@@ -62,6 +68,11 @@ func (dc *CacheServiceImpl) GetDatasource(
 		dc.CacheService.Set(uidKey(ds.OrgID, ds.UID), ds, time.Second*5)
 	}
 	dc.CacheService.Set(cacheKey, ds, dc.cacheTTL)
+
+	if err = dc.canQuery(user, ds); err != nil {
+		return nil, err
+	}
+
 	return ds, nil
 }
 
@@ -83,6 +94,9 @@ func (dc *CacheServiceImpl) GetDatasourceByUID(
 		if cached, found := dc.CacheService.Get(uidCacheKey); found {
 			ds := cached.(*datasources.DataSource)
 			if ds.OrgID == user.OrgID {
+				if err := dc.canQuery(user, ds); err != nil {
+					return nil, err
+				}
 				return ds, nil
 			}
 		}
@@ -98,6 +112,11 @@ func (dc *CacheServiceImpl) GetDatasourceByUID(
 
 	dc.CacheService.Set(uidCacheKey, ds, dc.cacheTTL)
 	dc.CacheService.Set(idKey(ds.ID), ds, dc.cacheTTL)
+
+	if err = dc.canQuery(user, ds); err != nil {
+		return nil, err
+	}
+
 	return ds, nil
 }
 
@@ -108,3 +127,14 @@ func idKey(id int64) string {
 func uidKey(orgID int64, uid string) string {
 	return fmt.Sprintf("ds-orgid-uid-%d-%s", orgID, uid)
 }
+
+func (dc *CacheServiceImpl) canQuery(user *user.SignedInUser, ds *datasources.DataSource) error {
+	guardian := dc.dsGuardian.New(user.OrgID, user, *ds)
+	if canQuery, err := guardian.CanQuery(ds.ID); err != nil || !canQuery {
+		if err != nil {
+			return err
+		}
+		return datasources.ErrDataSourceAccessDenied
+	}
+	return nil
+}