mirror of
https://github.com/grafana/grafana.git
synced 2025-02-25 18:55:37 -06:00
88c11f1cc0
* AccessControl: Implement a way to register fixed roles * Add context to register func * Use FixedRoleGrantsMap instead of FixedRoleGrants * Removed FixedRoles map to sync.map * Wrote test for accesscontrol and provisioning * Use mutexes+map instead of sync maps * Create a sync map struct out of a Map and a Mutex * Create a sync map struct for grants as well * Validate builtin roles * Make validation public to access control * Handle errors consistently with what seeder does * Keep errors consistant amongst accesscontrol impl * Handle registration error * Reverse the registration direction thanks to a RoleRegistrant interface * Removed sync map in favor for simple maps since registration now happens during init * Work on the Registrant interface * Remove the Register Role from the interface to have services returning their registrations instead * Adding context to RegisterRegistrantsRoles and update descriptions * little bit of cosmetics * Making sure provisioning is ran after role registration * test for role registration * Change the accesscontrol interface to use a variadic * check if accesscontrol is enabled * Add a new test for RegisterFixedRoles and fix assign which was buggy * Moved RegistrationList def to roles.go * Change provisioning role's description * Better comment on RegisterFixedRoles * Correct comment on ValidateFixedRole * Simplify helper func to removeRoleHelper * Add log to saveFixedRole and assignFixedRole Co-authored-by: Vardan Torosyan <vardants@gmail.com> Co-authored-by: Jeremy Price <Jeremy.price@grafana.com>
56 lines
1.6 KiB
Go
56 lines
1.6 KiB
Go
package accesscontrol
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/grafana/grafana/pkg/models"
|
|
)
|
|
|
|
type AccessControl interface {
|
|
// Evaluate evaluates access to the given resource.
|
|
Evaluate(ctx context.Context, user *models.SignedInUser, permission string, scope ...string) (bool, error)
|
|
|
|
// GetUserPermissions returns user permissions.
|
|
GetUserPermissions(ctx context.Context, user *models.SignedInUser) ([]*Permission, error)
|
|
|
|
// Middleware checks if service disabled or not to switch to fallback authorization.
|
|
IsDisabled() bool
|
|
|
|
// DeclareFixedRoles allow the caller to declare, to the service, fixed roles and their
|
|
// assignments to organization roles ("Viewer", "Editor", "Admin") or "Grafana Admin"
|
|
DeclareFixedRoles(...RoleRegistration) error
|
|
}
|
|
|
|
func HasAccess(ac AccessControl, c *models.ReqContext) func(fallback func(*models.ReqContext) bool, permission string, scopes ...string) bool {
|
|
return func(fallback func(*models.ReqContext) bool, permission string, scopes ...string) bool {
|
|
if ac.IsDisabled() {
|
|
return fallback(c)
|
|
}
|
|
|
|
hasAccess, err := ac.Evaluate(c.Req.Context(), c.SignedInUser, permission, scopes...)
|
|
if err != nil {
|
|
c.Logger.Error("Error from access control system", "error", err)
|
|
return false
|
|
}
|
|
|
|
return hasAccess
|
|
}
|
|
}
|
|
|
|
var ReqGrafanaAdmin = func(c *models.ReqContext) bool {
|
|
return c.IsGrafanaAdmin
|
|
}
|
|
|
|
var ReqOrgAdmin = func(c *models.ReqContext) bool {
|
|
return c.OrgRole == models.ROLE_ADMIN
|
|
}
|
|
|
|
func BuildPermissionsMap(permissions []*Permission) map[string]bool {
|
|
permissionsMap := make(map[string]bool)
|
|
for _, p := range permissions {
|
|
permissionsMap[p.Action] = true
|
|
}
|
|
|
|
return permissionsMap
|
|
}
|