grafana/pkg/api/admin.go

package api

import (
	"context"
	"fmt"
	"net/http"

	"github.com/grafana/grafana/pkg/api/response"
	"github.com/grafana/grafana/pkg/bus"
	"github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/services/accesscontrol"
	"github.com/grafana/grafana/pkg/setting"
)

func (hs *HTTPServer) AdminGetSettings(c *models.ReqContext) response.Response {
	settings, err := hs.getAuthorizedSettings(c.Req.Context(), c.SignedInUser, hs.SettingsProvider.Current())
	if err != nil {
		return response.Error(http.StatusForbidden, "Failed to authorize settings", err)
	}
	return response.JSON(http.StatusOK, settings)
}

func AdminGetStats(c *models.ReqContext) response.Response {
	statsQuery := models.GetAdminStatsQuery{}

	if err := bus.Dispatch(&statsQuery); err != nil {
		return response.Error(500, "Failed to get admin stats from database", err)
	}

	return response.JSON(200, statsQuery.Result)
}

func (hs *HTTPServer) getAuthorizedSettings(ctx context.Context, user *models.SignedInUser, bag setting.SettingsBag) (setting.SettingsBag, error) {
	if hs.AccessControl.IsDisabled() {
		return bag, nil
	}

	eval := func(scopes ...string) (bool, error) {
		return hs.AccessControl.Evaluate(ctx, user, accesscontrol.ActionSettingsRead, scopes...)
	}

	ok, err := eval(accesscontrol.ScopeSettingsAll)
	if err != nil {
		return nil, err
	}
	if ok {
		return bag, nil
	}

	authorizedBag := make(setting.SettingsBag)

	for section, keys := range bag {
		ok, err := eval(getSettingsScope(section, "*"))
		if err != nil {
			return nil, err
		}
		if ok {
			authorizedBag[section] = keys
			continue
		}

		for key := range keys {
			ok, err := eval(getSettingsScope(section, key))
			if err != nil {
				return nil, err
			}
			if ok {
				if _, exists := authorizedBag[section]; !exists {
					authorizedBag[section] = make(map[string]string)
				}
				authorizedBag[section][key] = bag[section][key]
			}
		}
	}
	return authorizedBag, nil
}

func getSettingsScope(section, key string) string {
	return fmt.Sprintf("settings:%s:%s", section, key)
}
added an inital admin settings view, very basic right now only displays all config options in grafana.ini 2015-02-12 22:46:14 +08:00			`package api`

			`import (`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 23:36:48 +08:00			`"context"`
			`"fmt"`
			`"net/http"`

Chore: Moves common and response into separate packages (#30298) * Chore: moves common and response into separate packages * Chore: moves common and response into separate packages * Update pkg/api/utils/common.go Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Chore: changes after PR comments * Chore: move wrap to routing package * Chore: move functions in common to response package * Chore: move functions in common to response package * Chore: formats imports Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> 2021-01-15 21:43:20 +08:00			`"github.com/grafana/grafana/pkg/api/response"`
Fixed api bugs, stats endpoint working 2016-01-25 13:18:17 +08:00			`"github.com/grafana/grafana/pkg/bus"`
Chore: Avoid aliasing importing models in api package (#22492) 2020-03-04 19:57:20 +08:00			`"github.com/grafana/grafana/pkg/models"`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 23:36:48 +08:00			`"github.com/grafana/grafana/pkg/services/accesscontrol"`
			`"github.com/grafana/grafana/pkg/setting"`
added an inital admin settings view, very basic right now only displays all config options in grafana.ini 2015-02-12 22:46:14 +08:00			`)`

Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 23:36:48 +08:00			`func (hs HTTPServer) AdminGetSettings(c models.ReqContext) response.Response {`
			`settings, err := hs.getAuthorizedSettings(c.Req.Context(), c.SignedInUser, hs.SettingsProvider.Current())`
			`if err != nil {`
			`return response.Error(http.StatusForbidden, "Failed to authorize settings", err)`
			`}`
			`return response.JSON(http.StatusOK, settings)`
added an inital admin settings view, very basic right now only displays all config options in grafana.ini 2015-02-12 22:46:14 +08:00			`}`
Added backend API for stats 2016-01-25 03:01:33 +08:00
Chore: Moves common and response into separate packages (#30298) * Chore: moves common and response into separate packages * Chore: moves common and response into separate packages * Update pkg/api/utils/common.go Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Chore: changes after PR comments * Chore: move wrap to routing package * Chore: move functions in common to response package * Chore: move functions in common to response package * Chore: formats imports Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> 2021-01-15 21:43:20 +08:00			`func AdminGetStats(c *models.ReqContext) response.Response {`
Chore: Avoid aliasing importing models in api package (#22492) 2020-03-04 19:57:20 +08:00			`statsQuery := models.GetAdminStatsQuery{}`
Added backend API for stats 2016-01-25 03:01:33 +08:00
Fixed api bugs, stats endpoint working 2016-01-25 13:18:17 +08:00			`if err := bus.Dispatch(&statsQuery); err != nil {`
Chore: Moves common and response into separate packages (#30298) * Chore: moves common and response into separate packages * Chore: moves common and response into separate packages * Update pkg/api/utils/common.go Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Chore: changes after PR comments * Chore: move wrap to routing package * Chore: move functions in common to response package * Chore: move functions in common to response package * Chore: formats imports Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> 2021-01-15 21:43:20 +08:00			`return response.Error(500, "Failed to get admin stats from database", err)`
Fixed api bugs, stats endpoint working 2016-01-25 13:18:17 +08:00			`}`

Chore: Moves common and response into separate packages (#30298) * Chore: moves common and response into separate packages * Chore: moves common and response into separate packages * Update pkg/api/utils/common.go Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Chore: changes after PR comments * Chore: move wrap to routing package * Chore: move functions in common to response package * Chore: move functions in common to response package * Chore: formats imports Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> 2021-01-15 21:43:20 +08:00			`return response.JSON(200, statsQuery.Result)`
Added backend API for stats 2016-01-25 03:01:33 +08:00			`}`
Access Control: Add fine-grained access control to GET stats and settings handlers (#35622) * add accesscontrol action for stats read * use accesscontrol middleware for stats route * add fixed role with permissions to read sever stats * add accesscontrol action for settings read * use accesscontrol middleware for settings route * add fixed role with permissions to read settings * add accesscontrol tests for AdminGetSettings and AdminGetStats * add ability to scope settings * add tests for AdminGetSettings 2021-06-14 23:36:48 +08:00
			`func (hs HTTPServer) getAuthorizedSettings(ctx context.Context, user models.SignedInUser, bag setting.SettingsBag) (setting.SettingsBag, error) {`
			`if hs.AccessControl.IsDisabled() {`
			`return bag, nil`
			`}`

			`eval := func(scopes ...string) (bool, error) {`
			`return hs.AccessControl.Evaluate(ctx, user, accesscontrol.ActionSettingsRead, scopes...)`
			`}`

			`ok, err := eval(accesscontrol.ScopeSettingsAll)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if ok {`
			`return bag, nil`
			`}`

			`authorizedBag := make(setting.SettingsBag)`

			`for section, keys := range bag {`
			`ok, err := eval(getSettingsScope(section, "*"))`
			`if err != nil {`
			`return nil, err`
			`}`
			`if ok {`
			`authorizedBag[section] = keys`
			`continue`
			`}`

			`for key := range keys {`
			`ok, err := eval(getSettingsScope(section, key))`
			`if err != nil {`
			`return nil, err`
			`}`
			`if ok {`
			`if _, exists := authorizedBag[section]; !exists {`
			`authorizedBag[section] = make(map[string]string)`
			`}`
			`authorizedBag[section][key] = bag[section][key]`
			`}`
			`}`
			`}`
			`return authorizedBag, nil`
			`}`

			`func getSettingsScope(section, key string) string {`
			`return fmt.Sprintf("settings:%s:%s", section, key)`
			`}`