mirror of
https://github.com/grafana/grafana.git
synced 2025-02-25 18:55:37 -06:00
54 lines
1.6 KiB
Go
54 lines
1.6 KiB
Go
package receiver
|
|
|
|
import (
|
|
"context"
|
|
|
|
"k8s.io/apiserver/pkg/authorization/authorizer"
|
|
|
|
"github.com/grafana/grafana/pkg/infra/appcontext"
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
|
)
|
|
|
|
func Authorize(ctx context.Context, ac accesscontrol.AccessControl, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
|
|
if attr.GetResource() != resourceInfo.GroupResource().Resource {
|
|
return authorizer.DecisionNoOpinion, "", nil
|
|
}
|
|
user, err := appcontext.User(ctx)
|
|
if err != nil {
|
|
return authorizer.DecisionDeny, "valid user is required", err
|
|
}
|
|
|
|
var action accesscontrol.Evaluator
|
|
switch attr.GetVerb() {
|
|
case "patch":
|
|
fallthrough
|
|
case "create":
|
|
fallthrough // TODO: Add alert.notifications.receivers:create permission
|
|
case "update":
|
|
action = accesscontrol.EvalAny(
|
|
accesscontrol.EvalPermission(accesscontrol.ActionAlertingNotificationsWrite), // TODO: Add alert.notifications.receivers:write permission
|
|
)
|
|
case "deletecollection":
|
|
fallthrough
|
|
case "delete":
|
|
action = accesscontrol.EvalAny(
|
|
accesscontrol.EvalPermission(accesscontrol.ActionAlertingNotificationsWrite), // TODO: Add alert.notifications.receivers:delete permission
|
|
)
|
|
}
|
|
|
|
eval := accesscontrol.EvalAny(
|
|
accesscontrol.EvalPermission(accesscontrol.ActionAlertingReceiversRead),
|
|
accesscontrol.EvalPermission(accesscontrol.ActionAlertingReceiversReadSecrets),
|
|
accesscontrol.EvalPermission(accesscontrol.ActionAlertingNotificationsRead),
|
|
)
|
|
if action != nil {
|
|
eval = accesscontrol.EvalAll(eval, action)
|
|
}
|
|
|
|
ok, err := ac.Evaluate(ctx, user, eval)
|
|
if ok {
|
|
return authorizer.DecisionAllow, "", nil
|
|
}
|
|
return authorizer.DecisionDeny, "", err
|
|
}
|