grafana/pkg/services/accesscontrol/ossaccesscontrol/folder.go

package ossaccesscontrol

import (
	"context"
	"errors"

	"github.com/grafana/grafana/pkg/api/routing"
	"github.com/grafana/grafana/pkg/infra/db"
	"github.com/grafana/grafana/pkg/services/accesscontrol"
	"github.com/grafana/grafana/pkg/services/accesscontrol/resourcepermissions"
	"github.com/grafana/grafana/pkg/services/dashboards"
	"github.com/grafana/grafana/pkg/services/featuremgmt"
	"github.com/grafana/grafana/pkg/services/folder"
	"github.com/grafana/grafana/pkg/services/libraryelements"
	"github.com/grafana/grafana/pkg/services/licensing"
	"github.com/grafana/grafana/pkg/services/team"
	"github.com/grafana/grafana/pkg/services/user"
	"github.com/grafana/grafana/pkg/setting"
)

type FolderPermissionsService struct {
	*resourcepermissions.Service
}

var FolderViewActions = []string{dashboards.ActionFoldersRead, accesscontrol.ActionAlertingRuleRead, libraryelements.ActionLibraryPanelsRead, accesscontrol.ActionAlertingSilencesRead}
var FolderEditActions = append(FolderViewActions, []string{
	dashboards.ActionFoldersWrite,
	dashboards.ActionFoldersDelete,
	dashboards.ActionDashboardsCreate,
	accesscontrol.ActionAlertingRuleCreate,
	accesscontrol.ActionAlertingRuleUpdate,
	accesscontrol.ActionAlertingRuleDelete,
	accesscontrol.ActionAlertingSilencesCreate,
	accesscontrol.ActionAlertingSilencesWrite,
	libraryelements.ActionLibraryPanelsCreate,
	libraryelements.ActionLibraryPanelsWrite,
	libraryelements.ActionLibraryPanelsDelete,
}...)
var FolderAdminActions = append(FolderEditActions, []string{dashboards.ActionFoldersPermissionsRead, dashboards.ActionFoldersPermissionsWrite}...)

func registerFolderRoles(cfg *setting.Cfg, features featuremgmt.FeatureToggles, service accesscontrol.Service) error {
	if !cfg.RBAC.PermissionsWildcardSeed("folder") {
		return nil
	}

	viewer := accesscontrol.RoleRegistration{
		Role: accesscontrol.RoleDTO{
			Name:        "fixed:folders:viewer",
			DisplayName: "Viewer",
			Description: "View all folders and dashboards.",
			Group:       "Folders",
			Permissions: accesscontrol.PermissionsForActions(append(getDashboardViewActions(features), FolderViewActions...), dashboards.ScopeFoldersAll),
			Hidden:      true,
		},
		Grants: []string{"Viewer"},
	}

	editor := accesscontrol.RoleRegistration{
		Role: accesscontrol.RoleDTO{
			Name:        "fixed:folders:editor",
			DisplayName: "Editor",
			Description: "Edit all folders and dashboards.",
			Group:       "Folders",
			Permissions: accesscontrol.PermissionsForActions(append(getDashboardEditActions(features), FolderEditActions...), dashboards.ScopeFoldersAll),
			Hidden:      true,
		},
		Grants: []string{"Editor"},
	}

	admin := accesscontrol.RoleRegistration{
		Role: accesscontrol.RoleDTO{
			Name:        "fixed:folders:admin",
			DisplayName: "Admin",
			Description: "Administer all folders and dashboards",
			Group:       "folders",
			Permissions: accesscontrol.PermissionsForActions(append(getDashboardAdminActions(features), FolderAdminActions...), dashboards.ScopeFoldersAll),
			Hidden:      true,
		},
		Grants: []string{"Admin"},
	}

	return service.DeclareFixedRoles(viewer, editor, admin)
}

func ProvideFolderPermissions(
	cfg *setting.Cfg, features featuremgmt.FeatureToggles, router routing.RouteRegister, sql db.DB, accesscontrol accesscontrol.AccessControl,
	license licensing.Licensing, dashboardStore dashboards.Store, folderService folder.Service, service accesscontrol.Service,
	teamService team.Service, userService user.Service, actionSetService resourcepermissions.ActionSetService,
) (*FolderPermissionsService, error) {
	if err := registerFolderRoles(cfg, features, service); err != nil {
		return nil, err
	}

	options := resourcepermissions.Options{
		Resource:          "folders",
		ResourceAttribute: "uid",
		ResourceValidator: func(ctx context.Context, orgID int64, resourceID string) error {
			query := &dashboards.GetDashboardQuery{UID: resourceID, OrgID: orgID}
			queryResult, err := dashboardStore.GetDashboard(ctx, query)
			if err != nil {
				return err
			}

			if !queryResult.IsFolder {
				return errors.New("not found")
			}

			return nil
		},
		InheritedScopesSolver: func(ctx context.Context, orgID int64, resourceID string) ([]string, error) {
			return dashboards.GetInheritedScopes(ctx, orgID, resourceID, folderService)
		},
		Assignments: resourcepermissions.Assignments{
			Users:           true,
			Teams:           true,
			BuiltInRoles:    true,
			ServiceAccounts: true,
		},
		PermissionsToActions: map[string][]string{
			"View":  append(getDashboardViewActions(features), FolderViewActions...),
			"Edit":  append(getDashboardEditActions(features), FolderEditActions...),
			"Admin": append(getDashboardAdminActions(features), FolderAdminActions...),
		},
		ReaderRoleName: "Folder permission reader",
		WriterRoleName: "Folder permission writer",
		RoleGroup:      "Folders",
	}
	srv, err := resourcepermissions.New(cfg, options, features, router, license, accesscontrol, service, sql, teamService, userService, actionSetService)
	if err != nil {
		return nil, err
	}
	return &FolderPermissionsService{srv}, nil
}
RBAC: Allow omitting default permissions when a new resource is created (#90720) * Cfg: Move rbac settings to own struct * Cfg: Add setting to control if resource should generate managed permissions when created * Dashboards: Check if we should generate default permissions when dashboard is created * Folders: Check if we should generate default permissions when folder is created * Datasource: Check if we should generate default permissions when datasource is created * ServiceAccount: Check if we should generate default permissions when service account is created * Cfg: Add option to specify resources for wich we should default seed * ManagedPermissions: Move providers to their own files * Dashboards: Default seed all possible managed permissions if configured * Folders: Default seed all possible managed permissions if configured * Cfg: Remove service account from list * RBAC: Move utility function * remove managed permission settings from the config file examples, change the setting names * remove ini file changes from the PR * fix setting reading * fix linting errors * fix tests * fix wildcard role seeding --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: jguer <me@jguer.space> 2024-07-25 00:31:26 +08:00			`package ossaccesscontrol`

			`import (`
			`"context"`
			`"errors"`

			`"github.com/grafana/grafana/pkg/api/routing"`
			`"github.com/grafana/grafana/pkg/infra/db"`
			`"github.com/grafana/grafana/pkg/services/accesscontrol"`
			`"github.com/grafana/grafana/pkg/services/accesscontrol/resourcepermissions"`
			`"github.com/grafana/grafana/pkg/services/dashboards"`
			`"github.com/grafana/grafana/pkg/services/featuremgmt"`
			`"github.com/grafana/grafana/pkg/services/folder"`
			`"github.com/grafana/grafana/pkg/services/libraryelements"`
			`"github.com/grafana/grafana/pkg/services/licensing"`
			`"github.com/grafana/grafana/pkg/services/team"`
			`"github.com/grafana/grafana/pkg/services/user"`
			`"github.com/grafana/grafana/pkg/setting"`
			`)`

			`type FolderPermissionsService struct {`
			`*resourcepermissions.Service`
			`}`

			`var FolderViewActions = []string{dashboards.ActionFoldersRead, accesscontrol.ActionAlertingRuleRead, libraryelements.ActionLibraryPanelsRead, accesscontrol.ActionAlertingSilencesRead}`
			`var FolderEditActions = append(FolderViewActions, []string{`
			`dashboards.ActionFoldersWrite,`
			`dashboards.ActionFoldersDelete,`
			`dashboards.ActionDashboardsCreate,`
			`accesscontrol.ActionAlertingRuleCreate,`
			`accesscontrol.ActionAlertingRuleUpdate,`
			`accesscontrol.ActionAlertingRuleDelete,`
			`accesscontrol.ActionAlertingSilencesCreate,`
			`accesscontrol.ActionAlertingSilencesWrite,`
			`libraryelements.ActionLibraryPanelsCreate,`
			`libraryelements.ActionLibraryPanelsWrite,`
			`libraryelements.ActionLibraryPanelsDelete,`
			`}...)`
			`var FolderAdminActions = append(FolderEditActions, []string{dashboards.ActionFoldersPermissionsRead, dashboards.ActionFoldersPermissionsWrite}...)`

			`func registerFolderRoles(cfg *setting.Cfg, features featuremgmt.FeatureToggles, service accesscontrol.Service) error {`
			`if !cfg.RBAC.PermissionsWildcardSeed("folder") {`
			`return nil`
			`}`

			`viewer := accesscontrol.RoleRegistration{`
			`Role: accesscontrol.RoleDTO{`
			`Name: "fixed:folders:viewer",`
			`DisplayName: "Viewer",`
			`Description: "View all folders and dashboards.",`
			`Group: "Folders",`
			`Permissions: accesscontrol.PermissionsForActions(append(getDashboardViewActions(features), FolderViewActions...), dashboards.ScopeFoldersAll),`
			`Hidden: true,`
			`},`
			`Grants: []string{"Viewer"},`
			`}`

			`editor := accesscontrol.RoleRegistration{`
			`Role: accesscontrol.RoleDTO{`
			`Name: "fixed:folders:editor",`
			`DisplayName: "Editor",`
			`Description: "Edit all folders and dashboards.",`
			`Group: "Folders",`
			`Permissions: accesscontrol.PermissionsForActions(append(getDashboardEditActions(features), FolderEditActions...), dashboards.ScopeFoldersAll),`
			`Hidden: true,`
			`},`
			`Grants: []string{"Editor"},`
			`}`

			`admin := accesscontrol.RoleRegistration{`
			`Role: accesscontrol.RoleDTO{`
			`Name: "fixed:folders:admin",`
			`DisplayName: "Admin",`
			`Description: "Administer all folders and dashboards",`
			`Group: "folders",`
			`Permissions: accesscontrol.PermissionsForActions(append(getDashboardAdminActions(features), FolderAdminActions...), dashboards.ScopeFoldersAll),`
			`Hidden: true,`
			`},`
			`Grants: []string{"Admin"},`
			`}`

			`return service.DeclareFixedRoles(viewer, editor, admin)`
			`}`

			`func ProvideFolderPermissions(`
			`cfg *setting.Cfg, features featuremgmt.FeatureToggles, router routing.RouteRegister, sql db.DB, accesscontrol accesscontrol.AccessControl,`
			`license licensing.Licensing, dashboardStore dashboards.Store, folderService folder.Service, service accesscontrol.Service,`
			`teamService team.Service, userService user.Service, actionSetService resourcepermissions.ActionSetService,`
			`) (*FolderPermissionsService, error) {`
			`if err := registerFolderRoles(cfg, features, service); err != nil {`
			`return nil, err`
			`}`

			`options := resourcepermissions.Options{`
			`Resource: "folders",`
			`ResourceAttribute: "uid",`
			`ResourceValidator: func(ctx context.Context, orgID int64, resourceID string) error {`
			`query := &dashboards.GetDashboardQuery{UID: resourceID, OrgID: orgID}`
			`queryResult, err := dashboardStore.GetDashboard(ctx, query)`
			`if err != nil {`
			`return err`
			`}`

			`if !queryResult.IsFolder {`
			`return errors.New("not found")`
			`}`

			`return nil`
			`},`
			`InheritedScopesSolver: func(ctx context.Context, orgID int64, resourceID string) ([]string, error) {`
			`return dashboards.GetInheritedScopes(ctx, orgID, resourceID, folderService)`
			`},`
			`Assignments: resourcepermissions.Assignments{`
			`Users: true,`
			`Teams: true,`
			`BuiltInRoles: true,`
			`ServiceAccounts: true,`
			`},`
			`PermissionsToActions: map[string][]string{`
			`"View": append(getDashboardViewActions(features), FolderViewActions...),`
			`"Edit": append(getDashboardEditActions(features), FolderEditActions...),`
			`"Admin": append(getDashboardAdminActions(features), FolderAdminActions...),`
			`},`
			`ReaderRoleName: "Folder permission reader",`
			`WriterRoleName: "Folder permission writer",`
			`RoleGroup: "Folders",`
			`}`
			`srv, err := resourcepermissions.New(cfg, options, features, router, license, accesscontrol, service, sql, teamService, userService, actionSetService)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return &FolderPermissionsService{srv}, nil`
			`}`