Auth: add a feature toggle for locking user roles for users synced through GCom (#72202)

* add a new feature toggle for locking down role sync for users managed by GCom * protect the frontend and the backend using the new feature toggle * fix merge
2025-02-25 18:55:37 -06:00 · 2023-07-25 13:27:02 +01:00
parent e03303997a
commit f7c6491f73
8 changed files with 54 additions and 8 deletions
--- a/pkg/api/org_users.go
+++ b/pkg/api/org_users.go
@@ -11,6 +11,7 @@ import (
 	"github.com/grafana/grafana/pkg/api/response"
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
 	contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
+	"github.com/grafana/grafana/pkg/services/featuremgmt"
 	"github.com/grafana/grafana/pkg/services/login"
 	"github.com/grafana/grafana/pkg/services/org"
 	"github.com/grafana/grafana/pkg/services/user"
@@ -401,7 +402,11 @@ func (hs *HTTPServer) updateOrgUserHelper(c *contextmodel.ReqContext, cmd org.Up
 		}
 	}
 	if authInfo != nil && authInfo.AuthModule != "" && login.IsExternallySynced(hs.Cfg, authInfo.AuthModule) {
-		return response.Err(org.ErrCannotChangeRoleForExternallySyncedUser.Errorf("Cannot change role for externally synced user"))
+		// A GCom specific feature toggle for role locking has been introduced, as the previous implementation had a bug with locking down external users synced through GCom (https://github.com/grafana/grafana/pull/72044)
+		// Remove this conditional once FlagGcomOnlyExternalOrgRoleSync feature toggle has been removed
+		if authInfo.AuthModule != login.GrafanaComAuthModule || hs.Features.IsEnabled(featuremgmt.FlagGcomOnlyExternalOrgRoleSync) {
+			return response.Err(org.ErrCannotChangeRoleForExternallySyncedUser.Errorf("Cannot change role for externally synced user"))
+		}
 	}

 	if err := hs.orgService.UpdateOrgUser(c.Req.Context(), &cmd); err != nil {
--- a/pkg/api/org_users_test.go
+++ b/pkg/api/org_users_test.go
@@ -202,11 +202,12 @@ func TestOrgUsersAPIEndpoint_userLoggedIn(t *testing.T) {

 func TestOrgUsersAPIEndpoint_updateOrgRole(t *testing.T) {
 	type testCase struct {
-		desc            string
-		SkipOrgRoleSync bool
-		AuthEnabled     bool
-		AuthModule      string
-		expectedCode    int
+		desc                        string
+		SkipOrgRoleSync             bool
+		GcomOnlyExternalOrgRoleSync bool
+		AuthEnabled                 bool
+		AuthModule                  string
+		expectedCode                int
 	}
 	permissions := []accesscontrol.Permission{
 		{Action: accesscontrol.ActionOrgUsersRead, Scope: "users:*"},
@@ -236,6 +237,22 @@ func TestOrgUsersAPIEndpoint_updateOrgRole(t *testing.T) {
 			AuthModule:      login.GenericOAuthModule,
 			expectedCode:    http.StatusForbidden,
 		},
+		{
+			desc:                        "should be able to change basicRole for a user synced through GCom if GcomOnlyExternalOrgRoleSync flag is set to false",
+			SkipOrgRoleSync:             false,
+			GcomOnlyExternalOrgRoleSync: false,
+			AuthEnabled:                 true,
+			AuthModule:                  login.GrafanaComAuthModule,
+			expectedCode:                http.StatusOK,
+		},
+		{
+			desc:                        "should not be able to change basicRole for a user synced through GCom if GcomOnlyExternalOrgRoleSync flag is set to true",
+			SkipOrgRoleSync:             false,
+			GcomOnlyExternalOrgRoleSync: true,
+			AuthEnabled:                 true,
+			AuthModule:                  login.GrafanaComAuthModule,
+			expectedCode:                http.StatusForbidden,
+		},
 		{
 			desc:            "should be able to change basicRole with a basic Auth",
 			SkipOrgRoleSync: false,
@@ -266,6 +283,9 @@ func TestOrgUsersAPIEndpoint_updateOrgRole(t *testing.T) {
 				} else if tt.AuthModule == login.GenericOAuthModule {
 					hs.Cfg.GenericOAuthAuthEnabled = tt.AuthEnabled
 					hs.Cfg.GenericOAuthSkipOrgRoleSync = tt.SkipOrgRoleSync
+				} else if tt.AuthModule == login.GrafanaComAuthModule {
+					hs.Cfg.GrafanaNetAuthEnabled = tt.AuthEnabled
+					hs.Cfg.GrafanaComSkipOrgRoleSync = tt.SkipOrgRoleSync
 				} else if tt.AuthModule == "" {
 					// authmodule empty means basic auth
 				} else {
@@ -275,6 +295,7 @@ func TestOrgUsersAPIEndpoint_updateOrgRole(t *testing.T) {
 				hs.authInfoService = &logintest.AuthInfoServiceFake{
 					ExpectedUserAuth: &login.UserAuth{AuthModule: tt.AuthModule},
 				}
+				hs.Features = featuremgmt.WithFeatures(featuremgmt.FlagGcomOnlyExternalOrgRoleSync, tt.GcomOnlyExternalOrgRoleSync)
 				hs.userService = &usertest.FakeUserService{ExpectedSignedInUser: userWithPermissions}
 				hs.orgService = &orgtest.FakeOrgService{}
 				hs.accesscontrolService = &actest.FakeService{