Chore: remove checks for whether RBAC is disabled (#73812)

* remove checks for whether access control is disabled, as it is always enabled now * linting
2 years ago · 6885b3d577
parent 972da629ab
commit 6885b3d577
9 changed files with 31 additions and 73 deletions
--- a/pkg/api/datasources.go
+++ b/pkg/api/datasources.go
@ -400,9 +400,7 @@ func (hs *HTTPServer) AddDataSource(c *contextmodel.ReqContext) response.Respons

 	// Clear permission cache for the user who's created the data source, so that new permissions are fetched for their next call
 	// Required for cases when caller wants to immediately interact with the newly created object
-	if !hs.AccessControl.IsDisabled() {
-		hs.accesscontrolService.ClearUserPermissionCache(c.SignedInUser)
-	}
+	hs.accesscontrolService.ClearUserPermissionCache(c.SignedInUser)

 	ds := hs.convertModelToDtos(c.Req.Context(), dataSource)
 	return response.JSON(http.StatusOK, util.DynMap{
--- a/pkg/services/accesscontrol/acimpl/service.go
+++ b/pkg/services/accesscontrol/acimpl/service.go
@ -202,10 +202,6 @@ func (s *Service) DeclareFixedRoles(registrations ...accesscontrol.RoleRegistrat

 // RegisterFixedRoles registers all declared roles in RAM
 func (s *Service) RegisterFixedRoles(ctx context.Context) error {
-	// If accesscontrol is disabled no need to register roles
-	if accesscontrol.IsDisabled(s.cfg) {
-		return nil
-	}
 	s.registrations.Range(func(registration accesscontrol.RoleRegistration) bool {
 		for br := range accesscontrol.BuiltInRolesWithParents(registration.Grants) {
 			if basicRole, ok := s.roles[br]; ok {
@ -234,11 +230,6 @@ func permissionCacheKey(user identity.Requester) (string, error) {
 // DeclarePluginRoles allow the caller to declare, to the service, plugin roles and their assignments
 // to organization roles ("Viewer", "Editor", "Admin") or "Grafana Admin"
 func (s *Service) DeclarePluginRoles(_ context.Context, ID, name string, regs []plugins.RoleRegistration) error {
-	// If accesscontrol is disabled no need to register roles
-	if accesscontrol.IsDisabled(s.cfg) {
-		return nil
-	}
-
 	// Protect behind feature toggle
 	if !s.features.IsEnabled(featuremgmt.FlagAccessControlOnCall) {
 		return nil
@ -426,11 +417,6 @@ func PermissionMatchesSearchOptions(permission accesscontrol.Permission, searchO
 }

 func (s *Service) SaveExternalServiceRole(ctx context.Context, cmd accesscontrol.SaveExternalServiceRoleCommand) error {
-	// If accesscontrol is disabled no need to save the external service role
-	if accesscontrol.IsDisabled(s.cfg) {
-		return nil
-	}
-
 	if !s.features.IsEnabled(featuremgmt.FlagExternalServiceAuth) {
 		s.log.Debug("registering an external service role is behind a feature flag, enable it to use this feature.")
 		return nil
@ -444,11 +430,6 @@ func (s *Service) SaveExternalServiceRole(ctx context.Context, cmd accesscontrol
 }

 func (s *Service) DeleteExternalServiceRole(ctx context.Context, externalServiceID string) error {
-	// If accesscontrol is disabled no need to delete the external service role
-	if accesscontrol.IsDisabled(s.cfg) {
-		return nil
-	}
-
 	if !s.features.IsEnabled(featuremgmt.FlagExternalServiceAuth) {
 		s.log.Debug("deleting an external service role is behind a feature flag, enable it to use this feature.")
 		return nil
--- a/pkg/services/annotations/annotationsimpl/xorm_store.go
+++ b/pkg/services/annotations/annotationsimpl/xorm_store.go
@ -339,16 +339,12 @@ func (r *xormRepositoryImpl) Get(ctx context.Context, query *annotations.ItemQue
 			}
 		}

-		var acFilter acFilter
-		if !ac.IsDisabled(r.cfg) {
-			var err error
-			acFilter, err = r.getAccessControlFilter(query.SignedInUser)
-			if err != nil {
-				return err
-			}
-			sql.WriteString(fmt.Sprintf(" AND (%s)", acFilter.where))
-			params = append(params, acFilter.whereParams...)
+		acFilter, err := r.getAccessControlFilter(query.SignedInUser)
+		if err != nil {
+			return err
 		}
+		sql.WriteString(fmt.Sprintf(" AND (%s)", acFilter.where))
+		params = append(params, acFilter.whereParams...)

 		if query.Limit == 0 {
 			query.Limit = 100
--- a/pkg/services/datasources/service/datasource.go
+++ b/pkg/services/datasources/service/datasource.go
@ -208,25 +208,20 @@ func (s *Service) AddDataSource(ctx context.Context, cmd *datasources.AddDataSou
 			return err
 		}

-		if !s.ac.IsDisabled() {
-			// This belongs in Data source permissions, and we probably want
-			// to do this with a hook in the store and rollback on fail.
-			// We can't use events, because there's no way to communicate
-			// failure, and we want "not being able to set default perms"
-			// to fail the creation.
-			permissions := []accesscontrol.SetResourcePermissionCommand{
-				{BuiltinRole: "Viewer", Permission: "Query"},
-				{BuiltinRole: "Editor", Permission: "Query"},
-			}
-			if cmd.UserID != 0 {
-				permissions = append(permissions, accesscontrol.SetResourcePermissionCommand{UserID: cmd.UserID, Permission: "Edit"})
-			}
-			if _, err := s.permissionsService.SetPermissions(ctx, cmd.OrgID, dataSource.UID, permissions...); err != nil {
-				return err
-			}
-		}
-
-		return nil
+		// This belongs in Data source permissions, and we probably want
+		// to do this with a hook in the store and rollback on fail.
+		// We can't use events, because there's no way to communicate
+		// failure, and we want "not being able to set default perms"
+		// to fail the creation.
+		permissions := []accesscontrol.SetResourcePermissionCommand{
+			{BuiltinRole: "Viewer", Permission: "Query"},
+			{BuiltinRole: "Editor", Permission: "Query"},
+		}
+		if cmd.UserID != 0 {
+			permissions = append(permissions, accesscontrol.SetResourcePermissionCommand{UserID: cmd.UserID, Permission: "Edit"})
+		}
+		_, err = s.permissionsService.SetPermissions(ctx, cmd.OrgID, dataSource.UID, permissions...)
+		return err
 	})
 }

--- a/pkg/services/org/orgimpl/store.go
+++ b/pkg/services/org/orgimpl/store.go
@ -560,7 +560,7 @@ func (ss *sqlStore) SearchOrgUsers(ctx context.Context, query *org.SearchOrgUser
 			ss.log.Warn("Query user not set for filtering.")
 		}

-		if !query.DontEnforceAccessControl && !accesscontrol.IsDisabled(ss.cfg) {
+		if !query.DontEnforceAccessControl {
 			acFilter, err := accesscontrol.Filter(query.User, "org_user.user_id", "users:id:", accesscontrol.ActionOrgUsersRead)
 			if err != nil {
 				return err
--- a/pkg/services/searchV2/allowed_actions.go
+++ b/pkg/services/searchV2/allowed_actions.go
@ -139,10 +139,6 @@ func (s *StandardSearchService) createAllowedActions(ctx context.Context, orgId

 func (s *StandardSearchService) getAllowedActionsByUid(ctx context.Context, user *user.SignedInUser,
 	orgID int64, prefix string, resourceIDs []string) map[string][]string {
-	if s.ac.IsDisabled() {
-		return map[string][]string{}
-	}
-
 	if user.Permissions == nil {
 		return map[string][]string{}
 	}
--- a/pkg/services/searchV2/service.go
+++ b/pkg/services/searchV2/service.go
@ -185,10 +185,6 @@ func (s *StandardSearchService) getUser(ctx context.Context, backendUser *backen
 		}
 	}

-	if s.ac.IsDisabled() {
-		return usr, nil
-	}
-
 	if usr.Permissions == nil {
 		usr.Permissions = make(map[int64]map[string][]string)
 	}
--- a/pkg/services/serviceaccounts/database/store.go
+++ b/pkg/services/serviceaccounts/database/store.go
@ -284,14 +284,12 @@ func (s *ServiceAccountsStoreImpl) SearchOrgServiceAccounts(ctx context.Context,
 				s.sqlStore.GetDialect().Quote("user"),
 				s.sqlStore.GetDialect().BooleanStr(true)))

-		if !accesscontrol.IsDisabled(s.cfg) {
-			acFilter, err := accesscontrol.Filter(query.SignedInUser, "org_user.user_id", "serviceaccounts:id:", serviceaccounts.ActionRead)
-			if err != nil {
-				return err
-			}
-			whereConditions = append(whereConditions, acFilter.Where)
-			whereParams = append(whereParams, acFilter.Args...)
+		acFilter, err := accesscontrol.Filter(query.SignedInUser, "org_user.user_id", "serviceaccounts:id:", serviceaccounts.ActionRead)
+		if err != nil {
+			return err
 		}
+		whereConditions = append(whereConditions, acFilter.Where)
+		whereParams = append(whereParams, acFilter.Args...)

 		if query.Query != "" {
 			queryWithWildcards := "%" + query.Query + "%"
--- a/pkg/services/user/userimpl/store.go
+++ b/pkg/services/user/userimpl/store.go
@ -635,14 +635,12 @@ func (ss *sqlStore) Search(ctx context.Context, query *user.SearchUsersQuery) (*
 		}

 		// user only sees the users for which it has read permissions
-		if !accesscontrol.IsDisabled(ss.cfg) {
-			acFilter, err := accesscontrol.Filter(query.SignedInUser, "u.id", "global.users:id:", accesscontrol.ActionUsersRead)
-			if err != nil {
-				return err
-			}
-			whereConditions = append(whereConditions, acFilter.Where)
-			whereParams = append(whereParams, acFilter.Args...)
+		acFilter, err := accesscontrol.Filter(query.SignedInUser, "u.id", "global.users:id:", accesscontrol.ActionUsersRead)
+		if err != nil {
+			return err
 		}
+		whereConditions = append(whereConditions, acFilter.Where)
+		whereParams = append(whereParams, acFilter.Args...)

 		if query.Query != "" {
 			whereConditions = append(whereConditions, "(email "+ss.dialect.LikeStr()+" ? OR name "+ss.dialect.LikeStr()+" ? OR login "+ss.dialect.LikeStr()+" ?)")