From 6a3ce8bd381466e329157149d4a8e443d38cb810 Mon Sep 17 00:00:00 2001
From: Gabriel MABILLE
Date: Wed, 20 Oct 2021 17:11:22 +0200
Subject: [PATCH] AccessControl: tidy scope resolution (#40677)

* AccessControl: tidy scope resolution
---
 pkg/services/accesscontrol/scope.go | 38 ++++++++++++++++
 ...{scoperesolution_test.go => scope_test.go} | 0
 pkg/services/accesscontrol/scoperesolution.go | 43 -------------------
 3 files changed, 38 insertions(+), 43 deletions(-)
 rename pkg/services/accesscontrol/{scoperesolution_test.go => scope_test.go} (100%)
 delete mode 100644 pkg/services/accesscontrol/scoperesolution.go

diff --git a/pkg/services/accesscontrol/scope.go b/pkg/services/accesscontrol/scope.go
index 30c8ae877a2..e7f10bba45f 100644
--- a/pkg/services/accesscontrol/scope.go
+++ b/pkg/services/accesscontrol/scope.go
@@ -3,6 +3,8 @@ package accesscontrol
 import (
 "fmt"
 "strings"
+
+ "github.com/grafana/grafana/pkg/models"
 )
 
 // Scope builds scope from parts
@@ -29,3 +31,39 @@ func Parameter(key string) string {
 func Field(key string) string {
 return fmt.Sprintf(`{{ .%s }}`, key)
 }
+
+type KeywordScopeResolveFunc func(*models.SignedInUser) (string, error)
+
+// ScopeResolver contains a map of functions to resolve scope keywords such as `self` or `current` into `id` based scopes
+type ScopeResolver struct {
+ keywordResolvers map[string]KeywordScopeResolveFunc
+}
+
+func NewScopeResolver() ScopeResolver {
+ return ScopeResolver{
+ keywordResolvers: map[string]KeywordScopeResolveFunc{
+ "orgs:current": resolveCurrentOrg,
+ "users:self": resolveUserSelf,
+ },
+ }
+}
+
+func resolveCurrentOrg(u *models.SignedInUser) (string, error) {
+ return Scope("orgs", "id", fmt.Sprintf("%v", u.OrgId)), nil
+}
+
+func resolveUserSelf(u *models.SignedInUser) (string, error) {
+ return Scope("users", "id", fmt.Sprintf("%v", u.UserId)), nil
+}
+
+// ResolveKeyword resolves scope with keywords such as `self` or `current` into `id` based scopes
+func (s *ScopeResolver) ResolveKeyword(user *models.SignedInUser, permission Permission) (*Permission, error) {
+ if fn, ok := s.keywordResolvers[permission.Scope]; ok {
+ resolvedScope, err := fn(user)
+ if err != nil {
+ return nil, fmt.Errorf("could not resolve %v: %v", permission.Scope, err)
+ }
+ permission.Scope = resolvedScope
+ }
+ return &permission, nil
+}
diff --git a/pkg/services/accesscontrol/scoperesolution_test.go b/pkg/services/accesscontrol/scope_test.go
similarity index 100%
rename from pkg/services/accesscontrol/scoperesolution_test.go
rename to pkg/services/accesscontrol/scope_test.go
diff --git a/pkg/services/accesscontrol/scoperesolution.go b/pkg/services/accesscontrol/scoperesolution.go
deleted file mode 100644
index 144e7e00b02..00000000000
--- a/pkg/services/accesscontrol/scoperesolution.go
+++ /dev/null
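Review bot: In the new `ResolveKeyword` in scope.go, `user` is handed to the keyword resolver unchecked, and `resolveCurrentOrg` / `resolveUserSelf` dereference `u.OrgId` and `u.UserId`, so a nil `*models.SignedInUser` would panic inside permission evaluation instead of returning an error. Whether every caller guarantees a non-nil user is not visible in this hunk; a guard before `fn(user)` such as `if user == nil { return nil, fmt.Errorf("could not resolve %v: no signed in user", permission.Scope) }` would make the resolver fail closed. The existing wrap could also use `%w` in place of the second `%v` so callers can inspect the cause with `errors.Is`/`errors.As`. The code is moved unchanged from scoperesolution.go, and the exported `KeywordScopeResolveFunc` and `NewScopeResolver` still have no doc comments.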
@@ -1,43 +0,0 @@
-package accesscontrol
-
-import (
- "fmt"
-
- "github.com/grafana/grafana/pkg/models"
-)
-
-type KeywordScopeResolveFunc func(*models.SignedInUser) (string, error)
-
-// ScopeResolver contains a map of functions to resolve scope keywords such as `self` or `current` into `id` based scopes
-type ScopeResolver struct {
- keywordResolvers map[string]KeywordScopeResolveFunc
-}
-
-func NewScopeResolver() ScopeResolver {
- return ScopeResolver{
- keywordResolvers: map[string]KeywordScopeResolveFunc{
- "orgs:current": resolveCurrentOrg,
- "users:self": resolveUserSelf,
- },
- }
-}
-
-func resolveCurrentOrg(u *models.SignedInUser) (string, error) {
- return Scope("orgs", "id", fmt.Sprintf("%v", u.OrgId)), nil
-}
-
-func resolveUserSelf(u *models.SignedInUser) (string, error) {
- return Scope("users", "id", fmt.Sprintf("%v", u.UserId)), nil
-}
-
-// ResolveKeyword resolves scope with keywords such as `self` or `current` into `id` based scopes
-func (s *ScopeResolver) ResolveKeyword(user *models.SignedInUser, permission Permission) (*Permission, error) {
- if fn, ok := s.keywordResolvers[permission.Scope]; ok {
- resolvedScope, err := fn(user)
- if err != nil {
- return nil, fmt.Errorf("could not resolve %v: %v", permission.Scope, err)
- }
- permission.Scope = resolvedScope
- }
- return &permission, nil
-}