SAML: change the config option for making SAML UI accessible to org Admins (#67399)

* change from role grant overrides to SAML UI specific config option * update permissions needed to access SAML UI * PR feedback: change config name, change required perms to write, add a comment
2023-04-28 11:48:26 +01:00
parent 8b6160bc66
commit 533f8caafd
8 changed files with 22 additions and 111 deletions
@@ -36,7 +36,7 @@ func ProvideService(cfg *setting.Cfg, store db.DB, routeRegister routing.RouteRe

 	if !accesscontrol.IsDisabled(cfg) {
 		api.NewAccessControlAPI(routeRegister, accessControl, service, features).RegisterAPIEndpoints()
-		if err := accesscontrol.DeclareFixedRoles(service); err != nil {
+		if err := accesscontrol.DeclareFixedRoles(service, cfg); err != nil {
 			return nil, err
 		}
 	}
@@ -166,12 +166,7 @@ func (s *Service) DeclareFixedRoles(registrations ...accesscontrol.RoleRegistrat
 		return nil
 	}

-	for i := range registrations {
-		r := registrations[i]
-		if r.AllowGrantsOverride {
-			s.handleGrantOverrides(&r)
-		}
-
+	for _, r := range registrations {
 		err := accesscontrol.ValidateFixedRole(r.Role)
 		if err != nil {
 			return err
@@ -188,15 +183,6 @@ func (s *Service) DeclareFixedRoles(registrations ...accesscontrol.RoleRegistrat
 	return nil
 }

-func (s *Service) handleGrantOverrides(r *accesscontrol.RoleRegistration) {
-	// Replace ":" and "." with "_" to match the key in the config
-	key := strings.ReplaceAll(strings.ReplaceAll(r.Role.Name, ":", "_"), ".", "_")
-	if overrides, ok := s.cfg.RBACGrantOverrides[key]; ok {
-		r.Grants = overrides
-		s.log.Info("Overriding grants for role", "role", r.Role.Name, "overrides", overrides)
-	}
-}
-
 // RegisterFixedRoles registers all declared roles in RAM
 func (s *Service) RegisterFixedRoles(ctx context.Context) error {
 	// If accesscontrol is disabled no need to register roles
@@ -161,77 +161,6 @@ func TestService_DeclareFixedRoles(t *testing.T) {
 	}
 }

-func TestService_DeclareFixedRoles_Overrides(t *testing.T) {
-	tests := []struct {
-		name         string
-		registration accesscontrol.RoleRegistration
-		overrides    map[string][]string
-		wantGrants   []string
-		wantErr      bool
-	}{
-		{
-			name: "no grant override",
-			registration: accesscontrol.RoleRegistration{
-				Role:                accesscontrol.RoleDTO{Name: "fixed:test:test"},
-				Grants:              []string{"Admin"},
-				AllowGrantsOverride: true,
-			},
-			wantGrants: []string{"Admin"},
-			wantErr:    false,
-		},
-		{
-			name: "should account for grant overrides",
-			registration: accesscontrol.RoleRegistration{
-				Role:                accesscontrol.RoleDTO{Name: "fixed:test:test"},
-				Grants:              []string{"Admin"},
-				AllowGrantsOverride: true,
-			},
-			overrides:  map[string][]string{"fixed_test_test": {"Viewer", "Grafana Admin"}},
-			wantGrants: []string{"Viewer", "Grafana Admin"},
-			wantErr:    false,
-		},
-		{
-			name: "should not account for grant overrides",
-			registration: accesscontrol.RoleRegistration{
-				Role:                accesscontrol.RoleDTO{Name: "fixed:test:test"},
-				Grants:              []string{"Admin"},
-				AllowGrantsOverride: false,
-			},
-			overrides:  map[string][]string{"fixed_test_test": {"Viewer", "Grafana Admin"}},
-			wantGrants: []string{"Admin"},
-			wantErr:    false,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			ac := setupTestEnv(t)
-
-			// Reset the registations
-			ac.registrations = accesscontrol.RegistrationList{}
-			ac.cfg.RBACGrantOverrides = tt.overrides
-
-			// Test
-			err := ac.DeclareFixedRoles(tt.registration)
-			if tt.wantErr {
-				require.Error(t, err)
-				return
-			}
-			require.NoError(t, err)
-
-			registrationCnt := 0
-			grants := []string{}
-			ac.registrations.Range(func(registration accesscontrol.RoleRegistration) bool {
-				registrationCnt++
-				grants = registration.Grants
-				return true
-			})
-			require.Equal(t, 1, registrationCnt,
-				"expected service registration list to contain the registration")
-			require.ElementsMatch(t, tt.wantGrants, grants)
-		})
-	}
-}
-
 func TestService_DeclarePluginRoles(t *testing.T) {
 	tests := []struct {
 		name          string
@@ -16,9 +16,8 @@ var ErrInternal = errutil.NewBase(errutil.StatusInternal, "accesscontrol.interna
 // RoleRegistration stores a role and its assignments to built-in roles
 // (Viewer, Editor, Admin, Grafana Admin)
 type RoleRegistration struct {
-	Role                RoleDTO
-	Grants              []string
-	AllowGrantsOverride bool
+	Role   RoleDTO
+	Grants []string
 }

 // Role is the model for Role in RBAC.
@@ -6,6 +6,7 @@ import (
 	"sync"

 	"github.com/grafana/grafana/pkg/services/org"
+	"github.com/grafana/grafana/pkg/setting"
 )

 // Roles definition
@@ -191,7 +192,7 @@ var (
 )

 // Declare OSS roles to the accesscontrol service
-func DeclareFixedRoles(service Service) error {
+func DeclareFixedRoles(service Service, cfg *setting.Cfg) error {
 	ldapReader := RoleRegistration{
 		Role:   ldapReaderRole,
 		Grants: []string{RoleGrafanaAdmin},
@@ -224,10 +225,15 @@ func DeclareFixedRoles(service Service) error {
 		Role:   usersWriterRole,
 		Grants: []string{RoleGrafanaAdmin},
 	}
+
+	// TODO: Move to own service when implemented
 	authenticationConfigWriter := RoleRegistration{
-		Role:                authenticationConfigWriterRole,
-		Grants:              []string{RoleGrafanaAdmin},
-		AllowGrantsOverride: true,
+		Role:   authenticationConfigWriterRole,
+		Grants: []string{RoleGrafanaAdmin},
+	}
+
+	if cfg.AuthConfigUIAdminAccess {
+		authenticationConfigWriter.Grants = append(authenticationConfigWriter.Grants, string(org.RoleAdmin))
 	}

 	return service.DeclareFixedRoles(ldapReader, ldapWriter, orgUsersReader, orgUsersWriter,