public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dfd64ed4697ff0215cc43422ea9411eb93aa331b
grafana/pkg/services/authn/authnimpl/sync/rbac_sync.go
Gabriel MABILLE 8802282ebc RBAC: fix panic role not found permission sync (#87217)
2024-05-02 15:19:56 +02:00

133 lines
3.7 KiB
Go
Raw Blame History

package sync
import (
"context"
"errors"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/authn"
"github.com/grafana/grafana/pkg/services/login"
"github.com/grafana/grafana/pkg/services/org"
"github.com/grafana/grafana/pkg/util/errutil"
)
var (
errInvalidCloudRole = errutil.BadRequest("rbac.sync.invalid-cloud-role")
errSyncPermissionsForbidden = errutil.Forbidden("permissions.sync.forbidden")
)
func ProvideRBACSync(acService accesscontrol.Service) *RBACSync {
return &RBACSync{
ac: acService,
log: log.New("permissions.sync"),
}
}
type RBACSync struct {
ac accesscontrol.Service
log log.Logger
}
func (s *RBACSync) SyncPermissionsHook(ctx context.Context, ident *authn.Identity, _ *authn.Request) error {
if !ident.ClientParams.SyncPermissions {
return nil
}
// Populate permissions from roles
permissions, err := s.fetchPermissions(ctx, ident)
if err != nil {
return err
}
if ident.Permissions == nil {
ident.Permissions = make(map[int64]map[string][]string, 1)
}
grouped := accesscontrol.GroupScopesByAction(permissions)
// Restrict access to the list of actions
actionsLookup := ident.ClientParams.FetchPermissionsParams.ActionsLookup
if len(actionsLookup) > 0 {
filtered := make(map[string][]string, len(actionsLookup))
for _, action := range actionsLookup {
if scopes, ok := grouped[action]; ok {
filtered[action] = scopes
}
}
grouped = filtered
}
ident.Permissions[ident.OrgID] = grouped
return nil
}
func (s *RBACSync) fetchPermissions(ctx context.Context, ident *authn.Identity) ([]accesscontrol.Permission, error) {
permissions := make([]accesscontrol.Permission, 0, 8)
roles := ident.ClientParams.FetchPermissionsParams.Roles
if len(roles) > 0 {
for _, role := range roles {
roleDTO, err := s.ac.GetRoleByName(ctx, ident.GetOrgID(), role)
if err != nil && !errors.Is(err, accesscontrol.ErrRoleNotFound) {
s.log.FromContext(ctx).Error("Failed to fetch role from db", "error", err, "role", role)
return nil, errSyncPermissionsForbidden
}
if roleDTO != nil {
permissions = append(permissions, roleDTO.Permissions...)
}
}
return permissions, nil
}
permissions, err := s.ac.GetUserPermissions(ctx, ident, accesscontrol.Options{ReloadCache: false})
if err != nil {
s.log.FromContext(ctx).Error("Failed to fetch permissions from db", "error", err, "id", ident.ID)
return nil, errSyncPermissionsForbidden
}
return permissions, nil
}
var fixedCloudRoles = map[org.RoleType]string{
org.RoleViewer: accesscontrol.FixedCloudViewerRole,
org.RoleEditor: accesscontrol.FixedCloudEditorRole,
org.RoleAdmin: accesscontrol.FixedCloudAdminRole,
}
func (s *RBACSync) SyncCloudRoles(ctx context.Context, ident *authn.Identity, r *authn.Request) error {
// we only want to run this hook during login and if the module used is grafana com
if r.GetMeta(authn.MetaKeyAuthModule) != login.GrafanaComAuthModule {
return nil
}
if !ident.ID.IsNamespace(authn.NamespaceUser) {
s.log.FromContext(ctx).Debug("Skip syncing cloud role", "id", ident.ID)
return nil
}
userID, err := ident.ID.ParseInt()
if err != nil {
return err
}
rolesToAdd := make([]string, 0, 1)
rolesToRemove := make([]string, 0, 2)
for role, fixedRole := range fixedCloudRoles {
if role == ident.GetOrgRole() {
rolesToAdd = append(rolesToAdd, fixedRole)
} else {
rolesToRemove = append(rolesToRemove, fixedRole)
}
}
if len(rolesToAdd) != 1 {
return errInvalidCloudRole.Errorf("invalid role: %s", ident.GetOrgRole())
}
return s.ac.SyncUserRoles(ctx, ident.GetOrgID(), accesscontrol.SyncUserRolesCommand{
UserID: userID,
RolesToAdd: rolesToAdd,
RolesToRemove: rolesToRemove,
})
}
Reference in New Issue View Git Blame Copy Permalink