Access Control: Store permissions on SignedInUser (#43040)

* add permission structure to signedinuser

* add middleware to load user permissions into signedinuser struct

* apply LoadPermissionsMiddleware to http server

* check for permissions in signedinuser struct

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Karl Persson
2021-12-14 16:05:59 +01:00
committed by GitHub
parent f1101efcec
commit 9558c09a7c
7 changed files with 105 additions and 123 deletions
+63 -107
@@ -10,15 +10,7 @@ type evaluateTestCase struct {
desc string
expected bool
evaluator Evaluator
permissions map[string]map[string]struct{}
}
type injectTestCase struct {
desc string
expected bool
evaluator Evaluator
params ScopeParams
permissions map[string]map[string]struct{}
permissions map[string][]string
}
func TestPermission_Evaluate(t *testing.T) {
@@ -27,41 +19,32 @@ func TestPermission_Evaluate(t *testing.T) {
desc: "should evaluate to true",
expected: true,
evaluator: EvalPermission("reports:read", "reports:1"),
permissions: map[string]map[string]struct{}{
"reports:read": {
"reports:1": struct{}{},
},
permissions: map[string][]string{
"reports:read": {"reports:1"},
},
},
{
desc: "should evaluate to true when allEvaluator required scopes matches",
expected: true,
evaluator: EvalPermission("reports:read", "reports:1", "reports:2"),
permissions: map[string]map[string]struct{}{
"reports:read": {
"reports:1": struct{}{},
"reports:2": struct{}{},
},
permissions: map[string][]string{
"reports:read": {"reports:1", "reports:2"},
},
},
{
desc: "should evaluate to true for empty scope",
expected: true,
evaluator: EvalPermission("reports:read"),
permissions: map[string]map[string]struct{}{
"reports:read": {
"reports:1": struct{}{},
},
permissions: map[string][]string{
"reports:read": {"reports:1"},
},
},
{
desc: "should evaluate to false when only one of required scopes exists",
expected: false,
evaluator: EvalPermission("reports:read", "reports:1", "reports:2"),
permissions: map[string]map[string]struct{}{
"reports:read": {
"reports:1": struct{}{},
},
permissions: map[string][]string{
"reports:read": {"reports:1"},
},
},
}
@@ -75,6 +58,14 @@ func TestPermission_Evaluate(t *testing.T) {
}
}
type injectTestCase struct {
desc string
expected bool
evaluator Evaluator
params ScopeParams
permissions map[string][]string
}
func TestPermission_Inject(t *testing.T) {
tests := []injectTestCase{
{
@@ -84,10 +75,8 @@ func TestPermission_Inject(t *testing.T) {
params: ScopeParams{
OrgID: 3,
},
permissions: map[string]map[string]struct{}{
"orgs:read": {
"orgs:3": struct{}{},
},
permissions: map[string][]string{
"orgs:read": {"orgs:3"},
},
},
{
@@ -100,10 +89,8 @@ func TestPermission_Inject(t *testing.T) {
":reportId": "1",
},
},
permissions: map[string]map[string]struct{}{
"reports:read": {
"reports:1": struct{}{},
},
permissions: map[string][]string{
"reports:read": {"reports:1"},
},
},
{
@@ -111,10 +98,8 @@ func TestPermission_Inject(t *testing.T) {
expected: false,
evaluator: EvalPermission("reports:read", Scope("reports", Parameter(":reportId"))),
params: ScopeParams{},
permissions: map[string]map[string]struct{}{
"reports:read": {
"reports:1": struct{}{},
},
permissions: map[string][]string{
"reports:read": {"reports:1"},
},
},
{
@@ -127,10 +112,8 @@ func TestPermission_Inject(t *testing.T) {
":reportId2": "report2",
},
},
permissions: map[string]map[string]struct{}{
"reports:read": {
"reports:report:report2": struct{}{},
},
permissions: map[string][]string{
"reports:read": {"reports:report:report2"},
},
},
}
@@ -153,8 +136,8 @@ func TestAll_Evaluate(t *testing.T) {
evaluator: EvalAll(
EvalPermission("settings:write", Scope("settings", "*")),
),
permissions: map[string]map[string]struct{}{
"settings:write": {"settings:*": struct{}{}},
permissions: map[string][]string{
"settings:write": {"settings:*"},
},
expected: true,
},
@@ -164,9 +147,9 @@ func TestAll_Evaluate(t *testing.T) {
EvalPermission("settings:write", Scope("settings", "*")),
EvalPermission("settings:read", Scope("settings", "auth.saml", "*")),
),
permissions: map[string]map[string]struct{}{
"settings:write": {"settings:*": struct{}{}},
"settings:read": {"settings:*": struct{}{}},
permissions: map[string][]string{
"settings:write": {"settings:*"},
"settings:read": {"settings:*"},
},
expected: true,
},
@@ -177,10 +160,10 @@ func TestAll_Evaluate(t *testing.T) {
EvalPermission("settings:read", Scope("settings", "auth.saml", "*")),
EvalPermission("report:read", Scope("reports", "*")),
),
permissions: map[string]map[string]struct{}{
"settings:write": {"settings:*": struct{}{}},
"settings:read": {"settings:*": struct{}{}},
"report:read": {"report:1": struct{}{}},
permissions: map[string][]string{
"settings:write": {"settings:*"},
"settings:read": {"settings:*"},
"report:read": {"report:1"},
},
expected: false,
},
@@ -211,13 +194,9 @@ func TestAll_Inject(t *testing.T) {
":reportId": "1",
},
},
permissions: map[string]map[string]struct{}{
"reports:read": {
"reports:1": struct{}{},
},
"settings:read": {
"settings:3": struct{}{},
},
permissions: map[string][]string{
"reports:read": {"reports:1"},
"settings:read": {"settings:3"},
},
},
{
@@ -233,11 +212,8 @@ func TestAll_Inject(t *testing.T) {
":orgId": "4",
},
},
permissions: map[string]map[string]struct{}{
"orgs:read": {
"orgs:3": struct{}{},
"orgs:4": struct{}{},
},
permissions: map[string][]string{
"orgs:read": {"orgs:3", "orgs:4"},
},
},
{
@@ -248,13 +224,9 @@ func TestAll_Inject(t *testing.T) {
EvalPermission("reports:read", Scope("reports", Parameter(":reportId"))),
),
params: ScopeParams{},
permissions: map[string]map[string]struct{}{
"reports:read": {
"reports:1": struct{}{},
},
"settings:read": {
"settings:3": struct{}{},
},
permissions: map[string][]string{
"reports:read": {"reports:1"},
"settings:read": {"settings:3"},
},
},
}
@@ -277,8 +249,8 @@ func TestAny_Evaluate(t *testing.T) {
evaluator: EvalAny(
EvalPermission("settings:write", Scope("settings", "*")),
),
permissions: map[string]map[string]struct{}{
"settings:write": {"settings:*": struct{}{}},
permissions: map[string][]string{
"settings:write": {"settings:*"},
},
expected: true,
},
@@ -289,8 +261,8 @@ func TestAny_Evaluate(t *testing.T) {
EvalPermission("report:read", Scope("reports", "1")),
EvalPermission("report:write", Scope("reports", "10")),
),
permissions: map[string]map[string]struct{}{
"settings:write": {"settings:*": struct{}{}},
permissions: map[string][]string{
"settings:write": {"settings:*"},
},
expected: true,
},
@@ -301,8 +273,8 @@ func TestAny_Evaluate(t *testing.T) {
EvalPermission("report:read", Scope("reports", "1")),
EvalPermission("report:write", Scope("reports", "10")),
),
permissions: map[string]map[string]struct{}{
"permissions:write": {"permissions:delegate": struct{}{}},
permissions: map[string][]string{
"permissions:write": {"permissions:delegate"},
},
expected: false,
},
@@ -333,13 +305,9 @@ func TestAny_Inject(t *testing.T) {
":reportId": "1",
},
},
permissions: map[string]map[string]struct{}{
"reports:read": {
"reports:1": struct{}{},
},
"settings:read": {
"settings:3": struct{}{},
},
permissions: map[string][]string{
"reports:read": {"reports:1"},
"settings:read": {"settings:3"},
},
},
{
@@ -355,11 +323,8 @@ func TestAny_Inject(t *testing.T) {
":orgId": "4",
},
},
permissions: map[string]map[string]struct{}{
"orgs:read": {
"orgs:3": struct{}{},
"orgs:4": struct{}{},
},
permissions: map[string][]string{
"orgs:read": {"orgs:3", "orgs:4"},
},
},
{
@@ -370,13 +335,9 @@ func TestAny_Inject(t *testing.T) {
EvalPermission("reports:read", Scope("reports", Parameter(":reportId"))),
),
params: ScopeParams{},
permissions: map[string]map[string]struct{}{
"reports:read": {
"reports:1": struct{}{},
},
"settings:read": {
"settings:3": struct{}{},
},
permissions: map[string][]string{
"reports:read": {"reports:1"},
"settings:read": {"settings:3"},
},
},
}
@@ -396,7 +357,7 @@ type combinedTestCase struct {
desc string
evaluator Evaluator
expected bool
permissions map[string]map[string]struct{}
permissions map[string][]string
}
func TestEval(t *testing.T) {
@@ -411,8 +372,8 @@ func TestEval(t *testing.T) {
),
),
expected: true,
permissions: map[string]map[string]struct{}{
"settings:write": {"settings:*": struct{}{}},
permissions: map[string][]string{
"settings:write": {"settings:*"},
},
},
{
@@ -425,11 +386,8 @@ func TestEval(t *testing.T) {
),
),
expected: true,
permissions: map[string]map[string]struct{}{
"settings:write": {
"settings:auth.saml:enabled": struct{}{},
"settings:auth.saml:max_issue_delay": struct{}{},
},
permissions: map[string][]string{
"settings:write": {"settings:auth.saml:enabled", "settings:auth.saml:max_issue_delay"},
},
},
{
@@ -442,10 +400,8 @@ func TestEval(t *testing.T) {
),
),
expected: false,
permissions: map[string]map[string]struct{}{
"settings:write": {
"settings:auth.saml:enabled": struct{}{},
},
permissions: map[string][]string{
"settings:write": {"settings:auth.saml:enabled"},
},
},
}
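Review bot: None of the rewritten table cases exercise a nil or empty `permissions` map, which is the state a SignedInUser would be in if the permission-loading middleware described in the commit message did not run for a request; every case here populates at least one action, so a regression that made a missing map panic or evaluate true would go unnoticed. Adding one negative case to TestPermission_Evaluate would pin that, e.g. `{desc: "should evaluate to false when user has no permissions", expected: false, evaluator: EvalPermission("reports:read", "reports:1"), permissions: nil},` and a sibling with `permissions: map[string][]string{}`. The "should evaluate to true for empty scope" case (`EvalPermission("reports:read")` satisfied by a grant scoped to `reports:1`) encodes that an evaluator with no scopes matches any scoped grant; that is a deliberate authorization semantic and deserves a one-line comment stating so, since it reads like an accident. Each hunk sits inside a table-driven test whose loop body and evaluator call lie outside the hunk, so the evaluator's handling of the new `[]string` shape cannot be confirmed from this file alone.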