public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
42016dc359ad805ca29d45656ace8b454ae1e108
grafana/pkg/services/authz/server.go
T
Alexander Zobnin 9f1b584c85 Chore: Update authlib version (#94714) 
* Chore: Update authlib version

* update workspace

* use ParseNamespace()
2024-10-15 16:58:46 +02:00

85 lines
2.3 KiB
Go
Raw Blame History

package authz
import (
"context"
"fmt"
authzv1 "github.com/grafana/authlib/authz/proto/v1"
"github.com/grafana/authlib/claims"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/infra/tracing"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/featuremgmt"
"github.com/grafana/grafana/pkg/services/grpcserver"
)
var _ authzv1.AuthzServiceServer = (*legacyServer)(nil)
type legacyServer struct {
authzv1.UnimplementedAuthzServiceServer
acSvc accesscontrol.Service
logger log.Logger
tracer tracing.Tracer
}
func newLegacyServer(
acSvc accesscontrol.Service, features featuremgmt.FeatureToggles,
grpcServer grpcserver.Provider, tracer tracing.Tracer, cfg *Cfg,
) (*legacyServer, error) {
if !features.IsEnabledGlobally(featuremgmt.FlagAuthZGRPCServer) {
return nil, nil
}
s := &legacyServer{
acSvc: acSvc,
logger: log.New("authz-grpc-server"),
tracer: tracer,
}
if cfg.listen {
grpcServer.GetServer().RegisterService(&authzv1.AuthzService_ServiceDesc, s)
}
return s, nil
}
func (s *legacyServer) Read(ctx context.Context, req *authzv1.ReadRequest) (*authzv1.ReadResponse, error) {
ctx, span := s.tracer.Start(ctx, "authz.grpc.Read")
defer span.End()
// FIXME: once we have access tokens, we need to do namespace validation here
action := req.GetAction()
subject := req.GetSubject()
namespace := req.GetNamespace() // TODO can we consider the stackID as the orgID?
info, err := claims.ParseNamespace(namespace)
if err != nil || info.OrgID == 0 {
return nil, fmt.Errorf("invalid namespace: %s", namespace)
}
ctxLogger := s.logger.FromContext(ctx)
ctxLogger.Debug("Read", "action", action, "subject", subject, "namespace", namespace)
permissions, err := s.acSvc.SearchUserPermissions(
ctx,
info.OrgID,
accesscontrol.SearchOptions{Action: action, TypedID: subject},
)
if err != nil {
ctxLogger.Error("failed to search user permissions", "error", err)
return nil, tracing.Errorf(span, "failed to search user permissions: %w", err)
}
data := make([]*authzv1.ReadResponse_Data, 0, len(permissions))
for _, perm := range permissions {
data = append(data, &authzv1.ReadResponse_Data{Scope: perm.Scope})
}
return &authzv1.ReadResponse{
Data: data,
Found: len(data) > 0,
}, nil
}
Reference in New Issue View Git Blame Copy Permalink