IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
d4f682190f1f1076809fa64ae51766c29678f5d7
grafana/pkg/services/accesscontrol/resourceservices/resource_services.go
Gabriel MABILLE d4f682190f AccessControl: Implement teams resource service (#43951) 
* AccessControl: cover team permissions

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* Add background service as a consumer to resource_services

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* Define actions in roles.go

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* Remove action from accesscontrol model

 Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* As suggested by kalle

* move some changes from branch to the skeleton PR

* Add background service as a consumer to resource_services

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* moving resourceservice to the main wire file pt2

* move team related actions so that they can be reused

* PR feedback

* fix

* typo

* Access Control: adding hooks for team member endpoints (#43991)

* AccessControl: cover team permissions

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* Add background service as a consumer to resource_services

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* Define actions in roles.go

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* Remove action from accesscontrol model

 Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* As suggested by kalle

* add access control to list and add team member endpoint, and hooks for adding team members

* member permission type is 0

* add ID scope for team permission checks

* add more team actions, use Member for member permission name

* protect team member update endpoint with FGAC permissions

* update SQL functions for teams and the corresponding tests

* also protect team member removal endpoint with FGAC permissions and add a hook to permission service

* a few small fixes, provide team permission service to test setup

* AccessControl: cover team permissions

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* Add background service as a consumer to resource_services

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* Define actions in roles.go

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* Remove action from accesscontrol model

 Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>

* As suggested by kalle

* move some changes from branch to the skeleton PR

* remove resource services from wireexts

* remove unneeded actions

* linting fix

* remove comments

* feedback fixes

* feedback

* simplifying

* remove team member within the same transaction

* fix a mistake with the error

* call the correct sql fction

* linting

* Access control: tests for team member endpoints (#44177)

* tests for team member endpoints

* clean up and fix the tests

* fixing tests take 2

* don't import enterprise test license

* don't import enterprise test license

* remove unused variable

Co-authored-by: gamab <gabi.mabs@gmail.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
2022-01-26 14:48:41 +00:00

104 lines
2.9 KiB
Go
Raw Blame History

package resourceservices
import (
"context"
"fmt"
"strconv"
"github.com/grafana/grafana/pkg/api/routing"
"github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/accesscontrol/resourcepermissions"
"github.com/grafana/grafana/pkg/services/sqlstore"
)
func ProvideResourceServices(router routing.RouteRegister, sql *sqlstore.SQLStore, ac accesscontrol.AccessControl, store resourcepermissions.Store) (*ResourceServices, error) {
teamPermissions, err := ProvideTeamPermissions(router, sql, ac, store)
if err != nil {
return nil, err
}
return &ResourceServices{services: map[string]*resourcepermissions.Service{
"teams": teamPermissions,
}}, nil
}
type ResourceServices struct {
services map[string]*resourcepermissions.Service
}
func (s *ResourceServices) GetTeamService() *resourcepermissions.Service {
return s.services["teams"]
}
var (
TeamMemberActions = []string{
accesscontrol.ActionTeamsRead,
}
TeamAdminActions = []string{
accesscontrol.ActionTeamsRead,
accesscontrol.ActionTeamsDelete,
accesscontrol.ActionTeamsWrite,
accesscontrol.ActionTeamsPermissionsRead,
accesscontrol.ActionTeamsPermissionsWrite,
}
)
func ProvideTeamPermissions(router routing.RouteRegister, sql *sqlstore.SQLStore, ac accesscontrol.AccessControl, store resourcepermissions.Store) (*resourcepermissions.Service, error) {
options := resourcepermissions.Options{
Resource: "teams",
OnlyManaged: true,
ResourceValidator: func(ctx context.Context, orgID int64, resourceID string) error {
id, err := strconv.ParseInt(resourceID, 10, 64)
if err != nil {
return err
}
err = sql.GetTeamById(context.Background(), &models.GetTeamByIdQuery{
OrgId: orgID,
Id: id,
})
if err != nil {
return err
}
return nil
},
Assignments: resourcepermissions.Assignments{
Users: true,
Teams: false,
BuiltInRoles: false,
},
PermissionsToActions: map[string][]string{
"Member": TeamMemberActions,
"Admin": TeamAdminActions,
},
ReaderRoleName: "Team permission reader",
WriterRoleName: "Team permission writer",
RoleGroup: "Teams",
OnSetUser: func(session *sqlstore.DBSession, orgID, userID int64, resourceID, permission string) error {
teamId, err := strconv.ParseInt(resourceID, 10, 64)
if err != nil {
return err
}
switch permission {
case "Member":
return sqlstore.AddOrUpdateTeamMemberHook(session, userID, orgID, teamId, false, 0)
case "Admin":
return sqlstore.AddOrUpdateTeamMemberHook(session, userID, orgID, teamId, false, models.PERMISSION_ADMIN)
case "":
return sqlstore.RemoveTeamMemberHook(session, &models.RemoveTeamMemberCommand{
OrgId: orgID,
UserId: userID,
TeamId: teamId,
})
default:
return fmt.Errorf("invalid team permission type %s", permission)
}
},
}
return resourcepermissions.New(options, router, ac, store, sql)
}
Reference in New Issue View Git Blame Copy Permalink