Karl Persson
cdc08105c2
* Rename interfaces and use then with wire injection * Set default permissions when creating new data source
135 lines
4.3 KiB
Go
135 lines
4.3 KiB
Go
package ossaccesscontrol
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"strconv"
|
|
|
|
"github.com/grafana/grafana/pkg/api/routing"
|
|
"github.com/grafana/grafana/pkg/models"
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol/resourcepermissions"
|
|
"github.com/grafana/grafana/pkg/services/sqlstore"
|
|
)
|
|
|
|
func ProvidePermissionsServices(router routing.RouteRegister, sql *sqlstore.SQLStore, ac accesscontrol.AccessControl, store resourcepermissions.Store) (*PermissionsService, error) {
|
|
teamPermissions, err := ProvideTeamPermissions(router, sql, ac, store)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &PermissionsService{teams: teamPermissions, datasources: provideEmptyPermissionsService()}, nil
|
|
}
|
|
|
|
type PermissionsService struct {
|
|
teams accesscontrol.PermissionsService
|
|
datasources accesscontrol.PermissionsService
|
|
}
|
|
|
|
func (s *PermissionsService) GetTeamService() accesscontrol.PermissionsService {
|
|
return s.teams
|
|
}
|
|
|
|
func (s *PermissionsService) GetDataSourceService() accesscontrol.PermissionsService {
|
|
return s.datasources
|
|
}
|
|
|
|
var (
|
|
TeamMemberActions = []string{
|
|
accesscontrol.ActionTeamsRead,
|
|
}
|
|
|
|
TeamAdminActions = []string{
|
|
accesscontrol.ActionTeamsRead,
|
|
accesscontrol.ActionTeamsDelete,
|
|
accesscontrol.ActionTeamsWrite,
|
|
accesscontrol.ActionTeamsPermissionsRead,
|
|
accesscontrol.ActionTeamsPermissionsWrite,
|
|
}
|
|
)
|
|
|
|
func ProvideTeamPermissions(router routing.RouteRegister, sql *sqlstore.SQLStore, ac accesscontrol.AccessControl, store resourcepermissions.Store) (*resourcepermissions.Service, error) {
|
|
options := resourcepermissions.Options{
|
|
Resource: "teams",
|
|
OnlyManaged: true,
|
|
ResourceValidator: func(ctx context.Context, orgID int64, resourceID string) error {
|
|
id, err := strconv.ParseInt(resourceID, 10, 64)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
err = sql.GetTeamById(context.Background(), &models.GetTeamByIdQuery{
|
|
OrgId: orgID,
|
|
Id: id,
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
},
|
|
Assignments: resourcepermissions.Assignments{
|
|
Users: true,
|
|
Teams: false,
|
|
BuiltInRoles: false,
|
|
},
|
|
PermissionsToActions: map[string][]string{
|
|
"Member": TeamMemberActions,
|
|
"Admin": TeamAdminActions,
|
|
},
|
|
ReaderRoleName: "Team permission reader",
|
|
WriterRoleName: "Team permission writer",
|
|
RoleGroup: "Teams",
|
|
OnSetUser: func(session *sqlstore.DBSession, orgID int64, user accesscontrol.User, resourceID, permission string) error {
|
|
teamId, err := strconv.ParseInt(resourceID, 10, 64)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
switch permission {
|
|
case "Member":
|
|
return sqlstore.AddOrUpdateTeamMemberHook(session, user.ID, orgID, teamId, user.IsExternal, 0)
|
|
case "Admin":
|
|
return sqlstore.AddOrUpdateTeamMemberHook(session, user.ID, orgID, teamId, user.IsExternal, models.PERMISSION_ADMIN)
|
|
case "":
|
|
return sqlstore.RemoveTeamMemberHook(session, &models.RemoveTeamMemberCommand{
|
|
OrgId: orgID,
|
|
UserId: user.ID,
|
|
TeamId: teamId,
|
|
})
|
|
default:
|
|
return fmt.Errorf("invalid team permission type %s", permission)
|
|
}
|
|
},
|
|
}
|
|
|
|
return resourcepermissions.New(options, router, ac, store, sql)
|
|
}
|
|
|
|
func provideEmptyPermissionsService() accesscontrol.PermissionsService {
|
|
return &emptyPermissionsService{}
|
|
}
|
|
|
|
var _ accesscontrol.PermissionsService = new(emptyPermissionsService)
|
|
|
|
type emptyPermissionsService struct{}
|
|
|
|
func (e emptyPermissionsService) GetPermissions(ctx context.Context, orgID int64, resourceID string) ([]accesscontrol.ResourcePermission, error) {
|
|
return nil, nil
|
|
}
|
|
|
|
func (e emptyPermissionsService) SetUserPermission(ctx context.Context, orgID int64, user accesscontrol.User, resourceID, permission string) (*accesscontrol.ResourcePermission, error) {
|
|
return nil, nil
|
|
}
|
|
|
|
func (e emptyPermissionsService) SetTeamPermission(ctx context.Context, orgID, teamID int64, resourceID, permission string) (*accesscontrol.ResourcePermission, error) {
|
|
return nil, nil
|
|
}
|
|
|
|
func (e emptyPermissionsService) SetBuiltInRolePermission(ctx context.Context, orgID int64, builtInRole string, resourceID string, permission string) (*accesscontrol.ResourcePermission, error) {
|
|
return nil, nil
|
|
}
|
|
|
|
func (e emptyPermissionsService) SetPermissions(ctx context.Context, orgID int64, resourceID string, commands ...accesscontrol.SetResourcePermissionCommand) ([]accesscontrol.ResourcePermission, error) {
|
|
return nil, nil
|
|
}
|