mirror of
https://github.com/grafana/grafana.git
synced 2024-12-02 13:39:19 -06:00
4982ca3b1d
* Add actions and scopes * add resource service for dashboard and folder * Add dashboard guardian with fgac permission evaluation * Add CanDelete function to guardian interface * Add CanDelete property to folder and dashboard dto and set values * change to correct function name * Add accesscontrol to folder endpoints * add access control to dashboard endpoints * check access for nav links * Add fixed roles for dashboard and folders * use correct package * add hack to override guardian Constructor if accesscontrol is enabled * Add services * Add function to handle api backward compatability * Add permissionServices to HttpServer * Set permission when new dashboard is created * Add default permission when creating new dashboard * Set default permission when creating folder and dashboard * Add access control filter for dashboard search * Add to accept list * Add accesscontrol to dashboardimport * Disable access control in tests * Add check to see if user is allow to create a dashboard * Use SetPermissions * Use function to set several permissions at once * remove permissions for folder and dashboard on delete * update required permission * set permission for provisioning * Add CanCreate to dashboard guardian and set correct permisisons for provisioning * Dont set admin on folder / dashboard creation * Add dashboard and folder permission migrations * Add tests for CanCreate * Add roles and update descriptions * Solve uid to id for dashboard and folder permissions * Add folder and dashboard actions to permission filter * Handle viewer_can_edit flag * set folder and dashboard permissions services * Add dashboard permissions when importing a new dashboard * Set access control permissions on provisioning * Pass feature flags and only set permissions if access control is enabled * only add default permissions for folders and dashboards without folders * Batch create permissions in migrations * Remove `dashboards:edit` action * Remove unused function from interface * Update pkg/services/guardian/accesscontrol_guardian_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
195 lines
6.4 KiB
Go
195 lines
6.4 KiB
Go
package accesscontrol
|
|
|
|
import (
|
|
"context"
|
|
"strings"
|
|
|
|
"github.com/grafana/grafana/pkg/models"
|
|
)
|
|
|
|
type Options struct {
|
|
ReloadCache bool
|
|
}
|
|
|
|
type AccessControl interface {
|
|
// Evaluate evaluates access to the given resources.
|
|
Evaluate(ctx context.Context, user *models.SignedInUser, evaluator Evaluator) (bool, error)
|
|
|
|
// GetUserPermissions returns user permissions.
|
|
GetUserPermissions(ctx context.Context, user *models.SignedInUser, options Options) ([]*Permission, error)
|
|
|
|
// GetUserRoles returns user roles.
|
|
GetUserRoles(ctx context.Context, user *models.SignedInUser) ([]*RoleDTO, error)
|
|
|
|
//IsDisabled returns if access control is enabled or not
|
|
IsDisabled() bool
|
|
|
|
// DeclareFixedRoles allows the caller to declare, to the service, fixed roles and their
|
|
// assignments to organization roles ("Viewer", "Editor", "Admin") or "Grafana Admin"
|
|
DeclareFixedRoles(...RoleRegistration) error
|
|
|
|
// RegisterAttributeScopeResolver allows the caller to register a scope resolver for a
|
|
// specific scope prefix (ex: datasources:name:)
|
|
RegisterAttributeScopeResolver(scopePrefix string, resolver AttributeScopeResolveFunc)
|
|
}
|
|
|
|
type PermissionsProvider interface {
|
|
GetUserPermissions(ctx context.Context, query GetUserPermissionsQuery) ([]*Permission, error)
|
|
}
|
|
|
|
type PermissionsServices interface {
|
|
GetTeamService() PermissionsService
|
|
GetFolderService() PermissionsService
|
|
GetDashboardService() PermissionsService
|
|
GetDataSourceService() PermissionsService
|
|
}
|
|
|
|
type PermissionsService interface {
|
|
// GetPermissions returns all permissions for given resourceID
|
|
GetPermissions(ctx context.Context, user *models.SignedInUser, resourceID string) ([]ResourcePermission, error)
|
|
// SetUserPermission sets permission on resource for a user
|
|
SetUserPermission(ctx context.Context, orgID int64, user User, resourceID, permission string) (*ResourcePermission, error)
|
|
// SetTeamPermission sets permission on resource for a team
|
|
SetTeamPermission(ctx context.Context, orgID, teamID int64, resourceID, permission string) (*ResourcePermission, error)
|
|
// SetBuiltInRolePermission sets permission on resource for a built-in role (Admin, Editor, Viewer)
|
|
SetBuiltInRolePermission(ctx context.Context, orgID int64, builtInRole string, resourceID string, permission string) (*ResourcePermission, error)
|
|
// SetPermissions sets several permissions on resource for either built-in role, team or user
|
|
SetPermissions(ctx context.Context, orgID int64, resourceID string, commands ...SetResourcePermissionCommand) ([]ResourcePermission, error)
|
|
// MapActions will map actions for a ResourcePermissions to it's "friendly" name configured in PermissionsToActions map.
|
|
MapActions(permission ResourcePermission) string
|
|
}
|
|
|
|
type User struct {
|
|
ID int64
|
|
IsExternal bool
|
|
}
|
|
|
|
// Metadata contains user accesses for a given resource
|
|
// Ex: map[string]bool{"create":true, "delete": true}
|
|
type Metadata map[string]bool
|
|
|
|
// HasGlobalAccess checks user access with globally assigned permissions only
|
|
func HasGlobalAccess(ac AccessControl, c *models.ReqContext) func(fallback func(*models.ReqContext) bool, evaluator Evaluator) bool {
|
|
return func(fallback func(*models.ReqContext) bool, evaluator Evaluator) bool {
|
|
if ac.IsDisabled() {
|
|
return fallback(c)
|
|
}
|
|
|
|
userCopy := *c.SignedInUser
|
|
userCopy.OrgId = GlobalOrgID
|
|
userCopy.OrgRole = ""
|
|
userCopy.OrgName = ""
|
|
hasAccess, err := ac.Evaluate(c.Req.Context(), &userCopy, evaluator)
|
|
if err != nil {
|
|
c.Logger.Error("Error from access control system", "error", err)
|
|
return false
|
|
}
|
|
|
|
return hasAccess
|
|
}
|
|
}
|
|
|
|
func HasAccess(ac AccessControl, c *models.ReqContext) func(fallback func(*models.ReqContext) bool, evaluator Evaluator) bool {
|
|
return func(fallback func(*models.ReqContext) bool, evaluator Evaluator) bool {
|
|
if ac.IsDisabled() {
|
|
return fallback(c)
|
|
}
|
|
|
|
hasAccess, err := ac.Evaluate(c.Req.Context(), c.SignedInUser, evaluator)
|
|
if err != nil {
|
|
c.Logger.Error("Error from access control system", "error", err)
|
|
return false
|
|
}
|
|
|
|
return hasAccess
|
|
}
|
|
}
|
|
|
|
var ReqSignedIn = func(c *models.ReqContext) bool {
|
|
return c.IsSignedIn
|
|
}
|
|
|
|
var ReqGrafanaAdmin = func(c *models.ReqContext) bool {
|
|
return c.IsGrafanaAdmin
|
|
}
|
|
|
|
var ReqOrgAdmin = func(c *models.ReqContext) bool {
|
|
return c.OrgRole == models.ROLE_ADMIN
|
|
}
|
|
|
|
var ReqOrgAdminOrEditor = func(c *models.ReqContext) bool {
|
|
return c.OrgRole == models.ROLE_ADMIN || c.OrgRole == models.ROLE_EDITOR
|
|
}
|
|
|
|
func BuildPermissionsMap(permissions []*Permission) map[string]bool {
|
|
permissionsMap := make(map[string]bool)
|
|
for _, p := range permissions {
|
|
permissionsMap[p.Action] = true
|
|
}
|
|
|
|
return permissionsMap
|
|
}
|
|
|
|
// GroupScopesByAction will group scopes on action
|
|
func GroupScopesByAction(permissions []*Permission) map[string][]string {
|
|
m := make(map[string][]string)
|
|
for _, p := range permissions {
|
|
m[p.Action] = append(m[p.Action], p.Scope)
|
|
}
|
|
return m
|
|
}
|
|
|
|
func ValidateScope(scope string) bool {
|
|
prefix, last := scope[:len(scope)-1], scope[len(scope)-1]
|
|
// verify that last char is either ':' or '/' if last character of scope is '*'
|
|
if len(prefix) > 0 && last == '*' {
|
|
lastChar := prefix[len(prefix)-1]
|
|
if lastChar != ':' && lastChar != '/' {
|
|
return false
|
|
}
|
|
}
|
|
return !strings.ContainsAny(prefix, "*?")
|
|
}
|
|
|
|
func addActionToMetadata(allMetadata map[string]Metadata, action, id string) map[string]Metadata {
|
|
metadata, initialized := allMetadata[id]
|
|
if !initialized {
|
|
metadata = Metadata{action: true}
|
|
} else {
|
|
metadata[action] = true
|
|
}
|
|
allMetadata[id] = metadata
|
|
return allMetadata
|
|
}
|
|
|
|
// GetResourcesMetadata returns a map of accesscontrol metadata, listing for each resource, users available actions
|
|
func GetResourcesMetadata(ctx context.Context, permissions map[string][]string, resource string, ids map[string]bool) map[string]Metadata {
|
|
allScope := GetResourceAllScope(resource)
|
|
allIDScope := GetResourceAllIDScope(resource)
|
|
|
|
// prefix of ID based scopes (resource:id)
|
|
idPrefix := Scope(resource, "id")
|
|
// index of the ID in the scope
|
|
idIndex := len(idPrefix) + 1
|
|
|
|
// Loop through permissions once
|
|
result := map[string]Metadata{}
|
|
for action, scopes := range permissions {
|
|
for _, scope := range scopes {
|
|
if scope == "*" || scope == allScope || scope == allIDScope {
|
|
// Add global action to all resources
|
|
for id := range ids {
|
|
result = addActionToMetadata(result, action, id)
|
|
}
|
|
} else {
|
|
if len(scope) > idIndex && strings.HasPrefix(scope, idPrefix) && ids[scope[idIndex:]] {
|
|
// Add action to a specific resource
|
|
result = addActionToMetadata(result, action, scope[idIndex:])
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
return result
|
|
}
|