Access control: Add access control based permissions to admins/users (#32409)

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-04-14 16:31:27 +02:00
parent cdb4785496
commit 9f82eac833
10 changed files with 230 additions and 81 deletions
@@ -20,7 +20,6 @@ func Evaluate(ctx context.Context, ac accesscontrol.AccessControl, user *models.
 	if !ok {
 		return false, nil
 	}
-
 	for _, s := range scope {
 		var match bool
 		for dbScope := range dbScopes {
@@ -18,6 +18,8 @@ func Middleware(ac accesscontrol.AccessControl) func(macaron.Handler, string, ..
 		}

 		return func(c *models.ReqContext) {
+			// We need this otherwise templated scopes get initialized only once, during the first call
+			runtimeScope := make([]string, len(scopes))
 			for i, scope := range scopes {
 				var buf bytes.Buffer

@@ -31,17 +33,17 @@ func Middleware(ac accesscontrol.AccessControl) func(macaron.Handler, string, ..
 					c.JsonApiErr(http.StatusInternalServerError, "Internal server error", err)
 					return
 				}
-				scopes[i] = buf.String()
+				runtimeScope[i] = buf.String()
 			}

-			hasAccess, err := ac.Evaluate(c.Req.Context(), c.SignedInUser, permission, scopes...)
+			hasAccess, err := ac.Evaluate(c.Req.Context(), c.SignedInUser, permission, runtimeScope...)
 			if err != nil {
 				c.Logger.Error("Error from access control system", "error", err)
 				c.JsonApiErr(http.StatusForbidden, "Forbidden", nil)
 				return
 			}
 			if !hasAccess {
-				c.Logger.Info("Access denied", "userID", c.UserId, "permission", permission, "scopes", scopes)
+				c.Logger.Info("Access denied", "userID", c.UserId, "permission", permission, "scopes", runtimeScope)
 				c.JsonApiErr(http.StatusForbidden, "Forbidden", nil)
 				return
 			}
@@ -38,3 +38,34 @@ func (p RoleDTO) Role() Role {
 		Description: p.Description,
 	}
 }
+
+const (
+	// Permission actions
+
+	ActionUsersRead     = "users:read"
+	ActionUsersWrite    = "users:write"
+	ActionUsersTeamRead = "users.teams:read"
+	// We can ignore gosec G101 since this does not contain any credentials
+	// nolint:gosec
+	ActionUsersAuthTokenList = "users.authtoken:list"
+	// We can ignore gosec G101 since this does not contain any credentials
+	// nolint:gosec
+	ActionUsersAuthTokenUpdate = "users.authtoken:update"
+	// We can ignore gosec G101 since this does not contain any credentials
+	// nolint:gosec
+	ActionUsersPasswordUpdate    = "users.password:update"
+	ActionUsersDelete            = "users:delete"
+	ActionUsersCreate            = "users:create"
+	ActionUsersEnable            = "users:enable"
+	ActionUsersDisable           = "users:disable"
+	ActionUsersPermissionsUpdate = "users.permissions:update"
+	ActionUsersLogout            = "users:logout"
+	ActionUsersQuotasList        = "users.quotas:list"
+	ActionUsersQuotasUpdate      = "users.quotas:update"
+
+	// Global Scopes
+	ScopeUsersAll  = "users:*"
+	ScopeUsersSelf = "users:self"
+)
+
+const RoleGrafanaAdmin = "Grafana Admin"
@@ -1,44 +0,0 @@
-package ossaccesscontrol
-
-import (
-	"github.com/grafana/grafana/pkg/services/accesscontrol"
-)
-
-const roleGrafanaAdmin = "Grafana Admin"
-
-var builtInRolesMap = map[string]accesscontrol.RoleDTO{
-	"grafana:builtin:users:read:self": {
-		Name:    "grafana:builtin:users:read:self",
-		Version: 1,
-		Permissions: []accesscontrol.Permission{
-			{
-				Action: "users:read",
-				Scope:  "users:self",
-			},
-			{
-				Action: "users.tokens:list",
-				Scope:  "users:self",
-			},
-			{
-				Action: "users.teams:read",
-				Scope:  "users:self",
-			},
-		},
-	},
-}
-
-var builtInRoleGrants = map[string][]string{
-	"Viewer": {
-		"grafana:builtin:users:read:self",
-	},
-}
-
-func getBuiltInRole(role string) *accesscontrol.RoleDTO {
-	var builtInRole accesscontrol.RoleDTO
-	if r, ok := builtInRolesMap[role]; ok {
-		// Do not modify builtInRoles
-		builtInRole = r
-		return &builtInRole
-	}
-	return nil
-}
@@ -39,16 +39,16 @@ func (ac *OSSAccessControlService) Evaluate(ctx context.Context, user *models.Si

 // GetUserPermissions returns user permissions based on built-in roles
 func (ac *OSSAccessControlService) GetUserPermissions(ctx context.Context, user *models.SignedInUser) ([]*accesscontrol.Permission, error) {
-	roles := ac.GetUserBuiltInRoles(user)
+	builtinRoles := ac.GetUserBuiltInRoles(user)
 	permissions := make([]*accesscontrol.Permission, 0)
-	for _, legacyRole := range roles {
-		if builtInRoleNames, ok := builtInRoleGrants[legacyRole]; ok {
-			for _, builtInRoleName := range builtInRoleNames {
-				builtInRole := getBuiltInRole(builtInRoleName)
-				if builtInRole == nil {
+	for _, builtin := range builtinRoles {
+		if roleNames, ok := accesscontrol.PredefinedRoleGrants[builtin]; ok {
+			for _, name := range roleNames {
+				r, exists := accesscontrol.PredefinedRoles[name]
+				if !exists {
 					continue
 				}
-				for _, p := range builtInRole.Permissions {
+				for _, p := range r.Permissions {
 					permission := p
 					permissions = append(permissions, &permission)
 				}
@@ -65,7 +65,7 @@ func (ac *OSSAccessControlService) GetUserBuiltInRoles(user *models.SignedInUser
 		roles = append(roles, string(role))
 	}
 	if user.IsGrafanaAdmin {
-		roles = append(roles, roleGrafanaAdmin)
+		roles = append(roles, accesscontrol.RoleGrafanaAdmin)
 	}

 	return roles
@@ -10,6 +10,7 @@ import (
 	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/registry"
+	"github.com/grafana/grafana/pkg/services/accesscontrol"
 	"github.com/grafana/grafana/pkg/setting"
 )

@@ -53,12 +54,12 @@ func TestEvaluatingPermissions(t *testing.T) {
 			desc: "should successfully evaluate access to the endpoint",
 			user: userTestCase{
 				name:           "testuser",
-				orgRole:        models.ROLE_EDITOR,
+				orgRole:        "Grafana Admin",
 				isGrafanaAdmin: false,
 			},
 			endpoints: []endpointTestCase{
-				{permission: "users.teams:read", scope: []string{"users:self"}},
-				{permission: "users:read", scope: []string{"users:self"}},
+				{permission: accesscontrol.ActionUsersDisable, scope: []string{accesscontrol.ScopeUsersAll}},
+				{permission: accesscontrol.ActionUsersEnable, scope: []string{accesscontrol.ScopeUsersAll}},
 			},
 			evalResult: true,
 		},
@@ -70,7 +71,7 @@ func TestEvaluatingPermissions(t *testing.T) {
 				isGrafanaAdmin: false,
 			},
 			endpoints: []endpointTestCase{
-				{permission: "users:create", scope: []string{"users"}},
+				{permission: accesscontrol.ActionUsersCreate, scope: []string{accesscontrol.ScopeUsersAll}},
 			},
 			evalResult: false,
 		},
@@ -0,0 +1,113 @@
+package accesscontrol
+
+// PredefinedRoles provides a map of permission sets/roles which can be
+// assigned to a set of users. When adding a new resource protected by
+// Grafana access control the default permissions should be added to a
+// new predefined role in this set so that users can access the new
+// resource. PredefinedRoleGrants lists which organization roles are
+// assigned which predefined roles in this list.
+var PredefinedRoles = map[string]RoleDTO{
+	// TODO: Add support for inheritance between the predefined roles to
+	// make the admin ⊃ editor ⊃ viewer property hold.
+	usersAdminRead: {
+		Name:    usersAdminRead,
+		Version: 1,
+		Permissions: []Permission{
+			{
+				Action: ActionUsersRead,
+				Scope:  ScopeUsersAll,
+			},
+			{
+				Action: ActionUsersTeamRead,
+				Scope:  ScopeUsersAll,
+			},
+			{
+				Action: ActionUsersAuthTokenList,
+				Scope:  ScopeUsersAll,
+			},
+			{
+				Action: ActionUsersQuotasList,
+				Scope:  ScopeUsersAll,
+			},
+		},
+	},
+	usersAdminEdit: {
+		Name:    usersAdminEdit,
+		Version: 1,
+		Permissions: []Permission{
+			{
+				// Inherited from grafana:roles:users:admin:read
+				Action: ActionUsersRead,
+				Scope:  ScopeUsersAll,
+			},
+			{
+				// Inherited from grafana:roles:users:admin:read
+				Action: ActionUsersTeamRead,
+				Scope:  ScopeUsersAll,
+			},
+			{
+				// Inherited from grafana:roles:users:admin:read
+				Action: ActionUsersAuthTokenList,
+				Scope:  ScopeUsersAll,
+			},
+			{
+				Action: ActionUsersPasswordUpdate,
+				Scope:  ScopeUsersAll,
+			},
+			{
+				Action: ActionUsersCreate,
+			},
+			{
+				Action: ActionUsersWrite,
+				Scope:  ScopeUsersAll,
+			},
+			{
+				Action: ActionUsersDelete,
+				Scope:  ScopeUsersAll,
+			},
+			{
+				Action: ActionUsersEnable,
+				Scope:  ScopeUsersAll,
+			},
+			{
+				Action: ActionUsersDisable,
+				Scope:  ScopeUsersAll,
+			},
+			{
+				Action: ActionUsersPermissionsUpdate,
+				Scope:  ScopeUsersAll,
+			},
+			{
+				Action: ActionUsersLogout,
+				Scope:  ScopeUsersAll,
+			},
+			{
+				Action: ActionUsersAuthTokenUpdate,
+				Scope:  ScopeUsersAll,
+			},
+			{
+				// Inherited from grafana:roles:users:admin:read
+				Action: ActionUsersQuotasList,
+				Scope:  ScopeUsersAll,
+			},
+			{
+				Action: ActionUsersQuotasUpdate,
+				Scope:  ScopeUsersAll,
+			},
+		},
+	},
+}
+
+const (
+	usersAdminEdit = "grafana:roles:users:admin:edit"
+	usersAdminRead = "grafana:roles:users:admin:read"
+)
+
+// PredefinedRoleGrants specifies which organization roles are assigned
+// to which set of PredefinedRoles by default. Alphabetically sorted.
+var PredefinedRoleGrants = map[string][]string{
+	RoleGrafanaAdmin: {
+		usersAdminEdit,
+		usersAdminRead,
+	},
+}
@@ -0,0 +1,35 @@
+package accesscontrol
+
+import (
+	"sort"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestPredefinedRoles(t *testing.T) {
+	for name, r := range PredefinedRoles {
+		assert.Truef(t,
+			strings.HasPrefix(name, "grafana:roles:"),
+			"expected all predefined roles to be prefixed by 'grafana:roles:', found role '%s'", name,
+		)
+		assert.Equal(t, name, r.Name)
+		assert.NotZero(t, r.Version)
+		// assert.NotEmpty(t, r.Description)
+	}
+}
+
+func TestPredefinedRoleGrants(t *testing.T) {
+	for _, v := range PredefinedRoleGrants {
+		assert.True(t,
+			sort.SliceIsSorted(v, func(i, j int) bool {
+				return v[i] < v[j]
+			}),
+			"require role grant lists to be sorted",
+		)
+		for _, r := range v {
+			assert.Contains(t, PredefinedRoles, r)
+		}
+	}
+}