Access Control: Store permissions on SignedInUser (#43040)

* add permission structure to signedinuser * add middleware to load user permissions into signedinuser struct * apply LoadPermissionsMiddleware to http server * check for permissions in signedinuser struct Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago · 9558c09a7c
parent f1101efcec
commit 9558c09a7c
7 changed files with 105 additions and 123 deletions
--- a/pkg/api/http_server.go
+++ b/pkg/api/http_server.go
@ -29,6 +29,7 @@ import (
 	"github.com/grafana/grafana/pkg/plugins"
 	"github.com/grafana/grafana/pkg/plugins/plugincontext"
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
+	acmiddleware "github.com/grafana/grafana/pkg/services/accesscontrol/middleware"
 	"github.com/grafana/grafana/pkg/services/alerting"
 	"github.com/grafana/grafana/pkg/services/cleanup"
 	"github.com/grafana/grafana/pkg/services/contexthandler"
@ -440,6 +441,7 @@ func (hs *HTTPServer) addMiddlewaresAndStaticRoutes() {

 	m.Use(hs.ContextHandler.Middleware)
 	m.Use(middleware.OrgRedirect(hs.Cfg))
+	m.Use(acmiddleware.LoadPermissionsMiddleware(hs.AccessControl))

 	// needs to be after context handler
 	if hs.Cfg.EnforceDomain {
--- a/pkg/models/user.go
+++ b/pkg/models/user.go
@ -183,6 +183,8 @@ type SignedInUser struct {
 	HelpFlags1     HelpFlags1
 	LastSeenAt     time.Time
 	Teams          []int64
+	// Permissions grouped by orgID and actions
+	Permissions map[int64]map[string][]string
 }

 func (u *SignedInUser) ShouldUpdateLastSeenAt() bool {
--- a/pkg/services/accesscontrol/accesscontrol.go
+++ b/pkg/services/accesscontrol/accesscontrol.go
@ -97,14 +97,10 @@ func BuildPermissionsMap(permissions []*Permission) map[string]bool {
 }

 // GroupScopesByAction will group scopes on action
-func GroupScopesByAction(permissions []*Permission) map[string]map[string]struct{} {
-	m := make(map[string]map[string]struct{})
+func GroupScopesByAction(permissions []*Permission) map[string][]string {
+	m := make(map[string][]string)
 	for _, p := range permissions {
-		if _, ok := m[p.Action]; ok {
-			m[p.Action][p.Scope] = struct{}{}
-		} else {
-			m[p.Action] = map[string]struct{}{p.Scope: {}}
-		}
+		m[p.Action] = append(m[p.Action], p.Scope)
 	}
 	return m
 }
--- a/pkg/services/accesscontrol/evaluator.go
+++ b/pkg/services/accesscontrol/evaluator.go
@ -13,7 +13,7 @@ var logger = log.New("accesscontrol.evaluator")

 type Evaluator interface {
 	// Evaluate permissions that are grouped by action
-	Evaluate(permissions map[string]map[string]struct{}) (bool, error)
+	Evaluate(permissions map[string][]string) (bool, error)
 	// Inject params into the evaluator's templated scopes. e.g. "settings:" + eval.Parameters(":id") and returns a new Evaluator
 	Inject(params ScopeParams) (Evaluator, error)
 	// String returns a string representation of permission required by the evaluator
@ -32,7 +32,7 @@ type permissionEvaluator struct {
 	Scopes []string
 }

-func (p permissionEvaluator) Evaluate(permissions map[string]map[string]struct{}) (bool, error) {
+func (p permissionEvaluator) Evaluate(permissions map[string][]string) (bool, error) {
 	userScopes, ok := permissions[p.Action]
 	if !ok {
 		return false, nil
@ -46,7 +46,7 @@ func (p permissionEvaluator) Evaluate(permissions map[string]map[string]struct{}
 		var err error
 		var matches bool

-		for scope := range userScopes {
+		for _, scope := range userScopes {
 			matches, err = match(scope, target)
 			if err != nil {
 				return false, err
@ -120,7 +120,7 @@ type allEvaluator struct {
 	allOf []Evaluator
 }

-func (a allEvaluator) Evaluate(permissions map[string]map[string]struct{}) (bool, error) {
+func (a allEvaluator) Evaluate(permissions map[string][]string) (bool, error) {
 	for _, e := range a.allOf {
 		if ok, err := e.Evaluate(permissions); !ok || err != nil {
 			return false, err
@ -160,7 +160,7 @@ type anyEvaluator struct {
 	anyOf []Evaluator
 }

-func (a anyEvaluator) Evaluate(permissions map[string]map[string]struct{}) (bool, error) {
+func (a anyEvaluator) Evaluate(permissions map[string][]string) (bool, error) {
 	for _, e := range a.anyOf {
 		ok, err := e.Evaluate(permissions)
 		if err != nil {
--- a/pkg/services/accesscontrol/evaluator_test.go
+++ b/pkg/services/accesscontrol/evaluator_test.go
@ -10,15 +10,7 @@ type evaluateTestCase struct {
 	desc        string
 	expected    bool
 	evaluator   Evaluator
-	permissions map[string]map[string]struct{}
-}
-
-type injectTestCase struct {
-	desc        string
-	expected    bool
-	evaluator   Evaluator
-	params      ScopeParams
-	permissions map[string]map[string]struct{}
+	permissions map[string][]string
 }

 func TestPermission_Evaluate(t *testing.T) {
@ -27,41 +19,32 @@ func TestPermission_Evaluate(t *testing.T) {
 			desc:      "should evaluate to true",
 			expected:  true,
 			evaluator: EvalPermission("reports:read", "reports:1"),
-			permissions: map[string]map[string]struct{}{
-				"reports:read": {
-					"reports:1": struct{}{},
-				},
+			permissions: map[string][]string{
+				"reports:read": {"reports:1"},
 			},
 		},
 		{
 			desc:      "should evaluate to true when allEvaluator required scopes matches",
 			expected:  true,
 			evaluator: EvalPermission("reports:read", "reports:1", "reports:2"),
-			permissions: map[string]map[string]struct{}{
-				"reports:read": {
-					"reports:1": struct{}{},
-					"reports:2": struct{}{},
-				},
+			permissions: map[string][]string{
+				"reports:read": {"reports:1", "reports:2"},
 			},
 		},
 		{
 			desc:      "should evaluate to true for empty scope",
 			expected:  true,
 			evaluator: EvalPermission("reports:read"),
-			permissions: map[string]map[string]struct{}{
-				"reports:read": {
-					"reports:1": struct{}{},
-				},
+			permissions: map[string][]string{
+				"reports:read": {"reports:1"},
 			},
 		},
 		{
 			desc:      "should evaluate to false when only one of required scopes exists",
 			expected:  false,
 			evaluator: EvalPermission("reports:read", "reports:1", "reports:2"),
-			permissions: map[string]map[string]struct{}{
-				"reports:read": {
-					"reports:1": struct{}{},
-				},
+			permissions: map[string][]string{
+				"reports:read": {"reports:1"},
 			},
 		},
 	}
@ -75,6 +58,14 @@ func TestPermission_Evaluate(t *testing.T) {
 	}
 }

+type injectTestCase struct {
+	desc        string
+	expected    bool
+	evaluator   Evaluator
+	params      ScopeParams
+	permissions map[string][]string
+}
+
 func TestPermission_Inject(t *testing.T) {
 	tests := []injectTestCase{
 		{
@ -84,10 +75,8 @@ func TestPermission_Inject(t *testing.T) {
 			params: ScopeParams{
 				OrgID: 3,
 			},
-			permissions: map[string]map[string]struct{}{
-				"orgs:read": {
-					"orgs:3": struct{}{},
-				},
+			permissions: map[string][]string{
+				"orgs:read": {"orgs:3"},
 			},
 		},
 		{
@ -100,10 +89,8 @@ func TestPermission_Inject(t *testing.T) {
 					":reportId": "1",
 				},
 			},
-			permissions: map[string]map[string]struct{}{
-				"reports:read": {
-					"reports:1": struct{}{},
-				},
+			permissions: map[string][]string{
+				"reports:read": {"reports:1"},
 			},
 		},
 		{
@ -111,10 +98,8 @@ func TestPermission_Inject(t *testing.T) {
 			expected:  false,
 			evaluator: EvalPermission("reports:read", Scope("reports", Parameter(":reportId"))),
 			params:    ScopeParams{},
-			permissions: map[string]map[string]struct{}{
-				"reports:read": {
-					"reports:1": struct{}{},
-				},
+			permissions: map[string][]string{
+				"reports:read": {"reports:1"},
 			},
 		},
 		{
@ -127,10 +112,8 @@ func TestPermission_Inject(t *testing.T) {
 					":reportId2": "report2",
 				},
 			},
-			permissions: map[string]map[string]struct{}{
-				"reports:read": {
-					"reports:report:report2": struct{}{},
-				},
+			permissions: map[string][]string{
+				"reports:read": {"reports:report:report2"},
 			},
 		},
 	}
@ -153,8 +136,8 @@ func TestAll_Evaluate(t *testing.T) {
 			evaluator: EvalAll(
 				EvalPermission("settings:write", Scope("settings", "*")),
 			),
-			permissions: map[string]map[string]struct{}{
-				"settings:write": {"settings:*": struct{}{}},
+			permissions: map[string][]string{
+				"settings:write": {"settings:*"},
 			},
 			expected: true,
 		},
@ -164,9 +147,9 @@ func TestAll_Evaluate(t *testing.T) {
 				EvalPermission("settings:write", Scope("settings", "*")),
 				EvalPermission("settings:read", Scope("settings", "auth.saml", "*")),
 			),
-			permissions: map[string]map[string]struct{}{
-				"settings:write": {"settings:*": struct{}{}},
-				"settings:read":  {"settings:*": struct{}{}},
+			permissions: map[string][]string{
+				"settings:write": {"settings:*"},
+				"settings:read":  {"settings:*"},
 			},
 			expected: true,
 		},
@ -177,10 +160,10 @@ func TestAll_Evaluate(t *testing.T) {
 				EvalPermission("settings:read", Scope("settings", "auth.saml", "*")),
 				EvalPermission("report:read", Scope("reports", "*")),
 			),
-			permissions: map[string]map[string]struct{}{
-				"settings:write": {"settings:*": struct{}{}},
-				"settings:read":  {"settings:*": struct{}{}},
-				"report:read":    {"report:1": struct{}{}},
+			permissions: map[string][]string{
+				"settings:write": {"settings:*"},
+				"settings:read":  {"settings:*"},
+				"report:read":    {"report:1"},
 			},
 			expected: false,
 		},
@ -211,13 +194,9 @@ func TestAll_Inject(t *testing.T) {
 					":reportId":   "1",
 				},
 			},
-			permissions: map[string]map[string]struct{}{
-				"reports:read": {
-					"reports:1": struct{}{},
-				},
-				"settings:read": {
-					"settings:3": struct{}{},
-				},
+			permissions: map[string][]string{
+				"reports:read":  {"reports:1"},
+				"settings:read": {"settings:3"},
 			},
 		},
 		{
@ -233,11 +212,8 @@ func TestAll_Inject(t *testing.T) {
 					":orgId": "4",
 				},
 			},
-			permissions: map[string]map[string]struct{}{
-				"orgs:read": {
-					"orgs:3": struct{}{},
-					"orgs:4": struct{}{},
-				},
+			permissions: map[string][]string{
+				"orgs:read": {"orgs:3", "orgs:4"},
 			},
 		},
 		{
@ -248,13 +224,9 @@ func TestAll_Inject(t *testing.T) {
 				EvalPermission("reports:read", Scope("reports", Parameter(":reportId"))),
 			),
 			params: ScopeParams{},
-			permissions: map[string]map[string]struct{}{
-				"reports:read": {
-					"reports:1": struct{}{},
-				},
-				"settings:read": {
-					"settings:3": struct{}{},
-				},
+			permissions: map[string][]string{
+				"reports:read":  {"reports:1"},
+				"settings:read": {"settings:3"},
 			},
 		},
 	}
@ -277,8 +249,8 @@ func TestAny_Evaluate(t *testing.T) {
 			evaluator: EvalAny(
 				EvalPermission("settings:write", Scope("settings", "*")),
 			),
-			permissions: map[string]map[string]struct{}{
-				"settings:write": {"settings:*": struct{}{}},
+			permissions: map[string][]string{
+				"settings:write": {"settings:*"},
 			},
 			expected: true,
 		},
@ -289,8 +261,8 @@ func TestAny_Evaluate(t *testing.T) {
 				EvalPermission("report:read", Scope("reports", "1")),
 				EvalPermission("report:write", Scope("reports", "10")),
 			),
-			permissions: map[string]map[string]struct{}{
-				"settings:write": {"settings:*": struct{}{}},
+			permissions: map[string][]string{
+				"settings:write": {"settings:*"},
 			},
 			expected: true,
 		},
@ -301,8 +273,8 @@ func TestAny_Evaluate(t *testing.T) {
 				EvalPermission("report:read", Scope("reports", "1")),
 				EvalPermission("report:write", Scope("reports", "10")),
 			),
-			permissions: map[string]map[string]struct{}{
-				"permissions:write": {"permissions:delegate": struct{}{}},
+			permissions: map[string][]string{
+				"permissions:write": {"permissions:delegate"},
 			},
 			expected: false,
 		},
@ -333,13 +305,9 @@ func TestAny_Inject(t *testing.T) {
 					":reportId":   "1",
 				},
 			},
-			permissions: map[string]map[string]struct{}{
-				"reports:read": {
-					"reports:1": struct{}{},
-				},
-				"settings:read": {
-					"settings:3": struct{}{},
-				},
+			permissions: map[string][]string{
+				"reports:read":  {"reports:1"},
+				"settings:read": {"settings:3"},
 			},
 		},
 		{
@ -355,11 +323,8 @@ func TestAny_Inject(t *testing.T) {
 					":orgId": "4",
 				},
 			},
-			permissions: map[string]map[string]struct{}{
-				"orgs:read": {
-					"orgs:3": struct{}{},
-					"orgs:4": struct{}{},
-				},
+			permissions: map[string][]string{
+				"orgs:read": {"orgs:3", "orgs:4"},
 			},
 		},
 		{
@ -370,13 +335,9 @@ func TestAny_Inject(t *testing.T) {
 				EvalPermission("reports:read", Scope("reports", Parameter(":reportId"))),
 			),
 			params: ScopeParams{},
-			permissions: map[string]map[string]struct{}{
-				"reports:read": {
-					"reports:1": struct{}{},
-				},
-				"settings:read": {
-					"settings:3": struct{}{},
-				},
+			permissions: map[string][]string{
+				"reports:read":  {"reports:1"},
+				"settings:read": {"settings:3"},
 			},
 		},
 	}
@ -396,7 +357,7 @@ type combinedTestCase struct {
 	desc        string
 	evaluator   Evaluator
 	expected    bool
-	permissions map[string]map[string]struct{}
+	permissions map[string][]string
 }

 func TestEval(t *testing.T) {
@ -411,8 +372,8 @@ func TestEval(t *testing.T) {
 				),
 			),
 			expected: true,
-			permissions: map[string]map[string]struct{}{
-				"settings:write": {"settings:*": struct{}{}},
+			permissions: map[string][]string{
+				"settings:write": {"settings:*"},
 			},
 		},
 		{
@ -425,11 +386,8 @@ func TestEval(t *testing.T) {
 				),
 			),
 			expected: true,
-			permissions: map[string]map[string]struct{}{
-				"settings:write": {
-					"settings:auth.saml:enabled":         struct{}{},
-					"settings:auth.saml:max_issue_delay": struct{}{},
-				},
+			permissions: map[string][]string{
+				"settings:write": {"settings:auth.saml:enabled", "settings:auth.saml:max_issue_delay"},
 			},
 		},
 		{
@ -442,10 +400,8 @@ func TestEval(t *testing.T) {
 				),
 			),
 			expected: false,
-			permissions: map[string]map[string]struct{}{
-				"settings:write": {
-					"settings:auth.saml:enabled": struct{}{},
-				},
+			permissions: map[string][]string{
+				"settings:write": {"settings:auth.saml:enabled"},
 			},
 		},
 	}
--- a/pkg/services/accesscontrol/middleware/middleware.go
+++ b/pkg/services/accesscontrol/middleware/middleware.go
@ -137,3 +137,22 @@ func UseOrgFromContextParams(c *models.ReqContext) (int64, error) {
 func UseGlobalOrg(c *models.ReqContext) (int64, error) {
 	return accesscontrol.GlobalOrgID, nil
 }
+
+func LoadPermissionsMiddleware(ac accesscontrol.AccessControl) web.Handler {
+	return func(c *models.ReqContext) {
+		if ac.IsDisabled() {
+			return
+		}
+
+		permissions, err := ac.GetUserPermissions(c.Req.Context(), c.SignedInUser)
+		if err != nil {
+			c.JsonApiErr(http.StatusForbidden, "", err)
+			return
+		}
+
+		if c.SignedInUser.Permissions == nil {
+			c.SignedInUser.Permissions = make(map[int64]map[string][]string)
+		}
+		c.SignedInUser.Permissions[c.OrgId] = accesscontrol.GroupScopesByAction(permissions)
+	}
+}
--- a/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go
+++ b/pkg/services/accesscontrol/ossaccesscontrol/ossaccesscontrol.go
@ -64,12 +64,19 @@ func (ac *OSSAccessControlService) Evaluate(ctx context.Context, user *models.Si
 	defer timer.ObserveDuration()
 	metrics.MAccessEvaluationCount.Inc()

-	permissions, err := ac.GetUserPermissions(ctx, user)
-	if err != nil {
-		return false, err
+	if user.Permissions == nil {
+		user.Permissions = map[int64]map[string][]string{}
 	}

-	return evaluator.Evaluate(accesscontrol.GroupScopesByAction(permissions))
+	if _, ok := user.Permissions[user.OrgId]; !ok {
+		permissions, err := ac.GetUserPermissions(ctx, user)
+		if err != nil {
+			return false, err
+		}
+		user.Permissions[user.OrgId] = accesscontrol.GroupScopesByAction(permissions)
+	}
+
+	return evaluator.Evaluate(user.Permissions[user.OrgId])
 }

 // GetUserRoles returns user permissions based on built-in roles