grafana/pkg/services/accesscontrol/errors.go

package accesscontrol

import (
	"errors"
	"fmt"
)

var (
	ErrFixedRolePrefixMissing = errors.New("fixed role should be prefixed with '" + FixedRolePrefix + "'")
	ErrInvalidBuiltinRole     = errors.New("built-in role is not valid")
	ErrInvalidScope           = errors.New("invalid scope")
	ErrResolverNotFound       = errors.New("no resolver found")
	ErrPluginIDRequired       = errors.New("plugin ID is required")
	ErrRoleNotFound           = errors.New("role not found")
)

type ErrorInvalidRole struct{}

func (e *ErrorInvalidRole) Error() string {
	return "role is invalid"
}

type ErrorRolePrefixMissing struct {
	Role     string
	Prefixes []string
}

func (e *ErrorRolePrefixMissing) Error() string {
	return fmt.Sprintf("expected role '%s' to be prefixed with any of '%v'", e.Role, e.Prefixes)
}

func (e *ErrorRolePrefixMissing) Unwrap() error {
	return &ErrorInvalidRole{}
}

type ErrorActionPrefixMissing struct {
	Action   string
	Prefixes []string
}

func (e *ErrorActionPrefixMissing) Error() string {
	return fmt.Sprintf("expected action '%s' to be prefixed with any of '%v'", e.Action, e.Prefixes)
}

func (e *ErrorActionPrefixMissing) Unwrap() error {
	return &ErrorInvalidRole{}
}

type ErrorScopeTarget struct {
	Action        string
	Scope         string
	ExpectedScope string
}

func (e *ErrorScopeTarget) Error() string {
	return fmt.Sprintf("expected action '%s' to be scoped with '%v', found '%v'", e.Action, e.ExpectedScope, e.Scope)
}

func (e *ErrorScopeTarget) Unwrap() error {
	return &ErrorInvalidRole{}
}
Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)" (#37535) This reverts commit 55efeb0c02ef5261eb8a75ea27adfdc6194de7ad. 2021-08-04 20:44:37 +08:00			`package accesscontrol`

RBAC: Allow role registration for plugins (#57387) * Picking role registration from OnCall POC branch * Fix test * Remove include actions from this PR * Removing unused permission * Adding test to DeclarePluginRoles * Add testcase to RegisterFixed role * Additional test case * Adding tests to validate plugins roles * Add test to plugin loader * Nit. * Scuemata validation * Changing the design to decouple accesscontrol from plugin management Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * Fixing tests Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Add missing files Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Remove feature toggle check from loader * Remove feature toggleimport * Feedback Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Fix test' * Make plugins.RoleRegistry interface typed * Remove comment question * No need for json tags anymore * Nit. log * Adding the schema validation * Remove group to take plugin Name instead * Revert sqlstore -> db * Nit. * Nit. on tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Update pkg/services/accesscontrol/plugins.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Log message Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Log message Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Remove unecessary method. Update test name. Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Fix linting * Update cue descriptions * Fix test Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: marefr <marcus.efraimsson@gmail.com> Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> 2022-11-07 18:30:45 +08:00			`import (`
			`"errors"`
			`"fmt"`
			`)`
Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)" (#37535) This reverts commit 55efeb0c02ef5261eb8a75ea27adfdc6194de7ad. 2021-08-04 20:44:37 +08:00
			`var (`
			`ErrFixedRolePrefixMissing = errors.New("fixed role should be prefixed with '" + FixedRolePrefix + "'")`
			`ErrInvalidBuiltinRole = errors.New("built-in role is not valid")`
AccessControl: Resolve `attribute` based scopes to `id` based scopes (#40742) * AccessControl: POC scope attribute resolution Refactor based on ScopeMutators test errors and calls to cache Add comments to tests Rename logger Create keywordMutator only once * AccessControl: Add AttributeScopeResolver registration Co-authored-by: gamab <gabriel.mabille@grafana.com> * AccessControl: Add AttributeScopeResolver to datasources Co-authored-by: gamab <gabriel.mabille@grafana.com> * Test evaluation with translation * fix imports * AccessControl: Test attribute resolver * Fix trailing white space * Make ScopeResolver public for enterprise redefine * Handle wildcard Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: jguer <joao.guerreiro@grafana.com> 2022-01-19 00:34:35 +08:00			`ErrInvalidScope = errors.New("invalid scope")`
RBAC: Fix resolver issue on wildcard resulting in wrong status code for endpoints (#54208) * RBAC: Test evaluation before attaching mutator * RBAC: Return error if no resolver is found for scope * RBAC: Sync changes to evaluation in mock * RBAC: Check for resolver not found error and just fail the evaluation in that case 2022-08-25 18:50:27 +08:00			`ErrResolverNotFound = errors.New("no resolver found")`
RBAC: Allow role registration for plugins (#57387) * Picking role registration from OnCall POC branch * Fix test * Remove include actions from this PR * Removing unused permission * Adding test to DeclarePluginRoles * Add testcase to RegisterFixed role * Additional test case * Adding tests to validate plugins roles * Add test to plugin loader * Nit. * Scuemata validation * Changing the design to decouple accesscontrol from plugin management Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * Fixing tests Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Add missing files Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Remove feature toggle check from loader * Remove feature toggleimport * Feedback Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Fix test' * Make plugins.RoleRegistry interface typed * Remove comment question * No need for json tags anymore * Nit. log * Adding the schema validation * Remove group to take plugin Name instead * Revert sqlstore -> db * Nit. * Nit. on tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Update pkg/services/accesscontrol/plugins.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Log message Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Log message Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Remove unecessary method. Update test name. Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Fix linting * Update cue descriptions * Fix test Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: marefr <marcus.efraimsson@gmail.com> Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> 2022-11-07 18:30:45 +08:00			`ErrPluginIDRequired = errors.New("plugin ID is required")`
RBAC: Add a function to save external service roles (#66299) * AuthN: Save external services RBAC roles * Add missing test * Placing roles in the same group * Split function to gen role and assignment * add test case and comments * Ensure we check external service roles are assigned once only * Update pkg/services/accesscontrol/models_test.go Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> 2023-05-09 19:19:38 +08:00			`ErrRoleNotFound = errors.New("role not found")`
Revert "Revert "AccessControl: Implement a way to register fixed roles (#35641)" (#37397)" (#37535) This reverts commit 55efeb0c02ef5261eb8a75ea27adfdc6194de7ad. 2021-08-04 20:44:37 +08:00			`)`
RBAC: Allow role registration for plugins (#57387) * Picking role registration from OnCall POC branch * Fix test * Remove include actions from this PR * Removing unused permission * Adding test to DeclarePluginRoles * Add testcase to RegisterFixed role * Additional test case * Adding tests to validate plugins roles * Add test to plugin loader * Nit. * Scuemata validation * Changing the design to decouple accesscontrol from plugin management Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * Fixing tests Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Add missing files Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Remove feature toggle check from loader * Remove feature toggleimport * Feedback Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Fix test' * Make plugins.RoleRegistry interface typed * Remove comment question * No need for json tags anymore * Nit. log * Adding the schema validation * Remove group to take plugin Name instead * Revert sqlstore -> db * Nit. * Nit. on tests Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Update pkg/services/accesscontrol/plugins.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Log message Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Log message Co-Authored-By: marefr <marcus.efraimsson@gmail.com> * Remove unecessary method. Update test name. Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> * Fix linting * Update cue descriptions * Fix test Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: marefr <marcus.efraimsson@gmail.com> Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> 2022-11-07 18:30:45 +08:00
			`type ErrorInvalidRole struct{}`

			`func (e *ErrorInvalidRole) Error() string {`
			`return "role is invalid"`
			`}`

			`type ErrorRolePrefixMissing struct {`
			`Role string`
			`Prefixes []string`
			`}`

			`func (e *ErrorRolePrefixMissing) Error() string {`
			`return fmt.Sprintf("expected role '%s' to be prefixed with any of '%v'", e.Role, e.Prefixes)`
			`}`

			`func (e *ErrorRolePrefixMissing) Unwrap() error {`
			`return &ErrorInvalidRole{}`
			`}`

			`type ErrorActionPrefixMissing struct {`
			`Action string`
			`Prefixes []string`
			`}`

			`func (e *ErrorActionPrefixMissing) Error() string {`
			`return fmt.Sprintf("expected action '%s' to be prefixed with any of '%v'", e.Action, e.Prefixes)`
			`}`

			`func (e *ErrorActionPrefixMissing) Unwrap() error {`
			`return &ErrorInvalidRole{}`
			`}`
RBAC: Validate plugin app access permission targets the plugin (#59468) * RBAC: Validate plugin app access permission targets the plugin * Fix service test 2022-11-30 20:55:07 +08:00
			`type ErrorScopeTarget struct {`
			`Action string`
			`Scope string`
			`ExpectedScope string`
			`}`

			`func (e *ErrorScopeTarget) Error() string {`
			`return fmt.Sprintf("expected action '%s' to be scoped with '%v', found '%v'", e.Action, e.ExpectedScope, e.Scope)`
			`}`

			`func (e *ErrorScopeTarget) Unwrap() error {`
			`return &ErrorInvalidRole{}`
			`}`