* Move db package WIP * Implement OSS access control * Register OSS access control * Fix linter error in tests * Fix linter error in evaluator * Simplify OSS tests * Optimize builtin roles * Chore: add comments to the exported functions * Remove init from ossaccesscontrol package (moved to ext) * Add access control as a dependency for http server * Modify middleware to receive fallback function * Middleware: refactor fallback function call * Move unused models to enterprise * Simplify AccessControl type * Chore: use bool IsDisabled() method instead of CanBeDisabled interface
package evaluator
import (
"context"
"github.com/gobwas/glob"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/accesscontrol"
)
// roleGrafanaAdmin is the extra role name that Evaluate appends to a user's
// role list when user.IsGrafanaAdmin is set, so that permissions stored
// against this role are looked up for server admins as well.
const roleGrafanaAdmin = "Grafana Admin"
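// Evaluate reports whether user holds permission on every requested scope,
// using the permissions that ac returns for the user's roles.
//
// The role list handed to ac is the user's org role, the children of that
// role and, when user.IsGrafanaAdmin is set, roleGrafanaAdmin. Each scope
// stored with the permission is treated as a glob pattern (':' and '/' act
// as separators) and is matched against the requested scopes; every
// requested scope must be matched by at least one stored pattern. When no
// scope is requested, merely holding the permission is sufficient.
//
// It returns an error when ac fails or when a stored scope is not a valid
// glob pattern; on error the bool is always false (deny).
func Evaluate(ctx context.Context, ac accesscontrol.AccessControl, user *models.SignedInUser, permission string, scope ...string) (bool, error) {
	children := user.OrgRole.Children()
	roles := make([]string, 0, len(children)+2)
	roles = append(roles, string(user.OrgRole))
	for _, role := range children {
		roles = append(roles, string(role))
	}
	if user.IsGrafanaAdmin {
		roles = append(roles, roleGrafanaAdmin)
	}

	res, err := ac.GetUserPermissions(ctx, user, roles)
	if err != nil {
		return false, err
	}

	ok, dbScopes := extractPermission(res, permission)
	if !ok {
		return false, nil
	}
	if len(scope) == 0 {
		// No scope requirement: holding the permission at all is enough.
		return true, nil
	}

	// Compile every stored scope exactly once, before matching. Compiling
	// lazily inside the match loop recompiled each pattern for every
	// requested scope, and because dbScopes is a map the outcome with one
	// invalid and one matching pattern depended on iteration order
	// (error vs. match). Compiling up front makes an invalid stored scope
	// fail deterministically.
	rules := make([]glob.Glob, 0, len(dbScopes))
	for dbScope := range dbScopes {
		rule, err := glob.Compile(dbScope, ':', '/')
		if err != nil {
			return false, err
		}
		rules = append(rules, rule)
	}

	// Every requested scope must be covered by at least one stored pattern.
	for _, s := range scope {
		if !matchesAny(rules, s) {
			return false, nil
		}
	}

	return true, nil
}

// matchesAny reports whether s is matched by at least one of rules.
func matchesAny(rules []glob.Glob, s string) bool {
	for _, rule := range rules {
		if rule.Match(s) {
			return true
		}
	}
	return false
}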
// extractPermission collects the scopes granted for permission.
//
// It walks permissions, skipping nil entries, and gathers the Scope of every
// entry whose Permission equals permission into a set. The bool reports
// whether at least one such entry was found. The returned map is never nil,
// so an absent permission yields (false, empty set).
func extractPermission(permissions []*accesscontrol.Permission, permission string) (bool, map[string]struct{}) {
	found := false
	granted := make(map[string]struct{})

	for _, entry := range permissions {
		if entry == nil || entry.Permission != permission {
			continue
		}
		found = true
		granted[entry.Scope] = struct{}{}
	}

	return found, granted
}