diff --git a/pkg/services/accesscontrol/ossaccesscontrol/permissions_services.go b/pkg/services/accesscontrol/ossaccesscontrol/permissions_services.go index 3ec75d75541..a271c3bbd6f 100644 --- a/pkg/services/accesscontrol/ossaccesscontrol/permissions_services.go +++ b/pkg/services/accesscontrol/ossaccesscontrol/permissions_services.go @@ -134,7 +134,6 @@ func ProvideDashboardPermissions( return nil }, - InheritedScopePrefixes: []string{"folders:uid:"}, InheritedScopesSolver: func(ctx context.Context, orgID int64, resourceID string) ([]string, error) { dashboard, err := getDashboard(ctx, orgID, resourceID) if err != nil { diff --git a/pkg/services/accesscontrol/resourcepermissions/api.go b/pkg/services/accesscontrol/resourcepermissions/api.go index c89ff795af7..a1892130cfd 100644 --- a/pkg/services/accesscontrol/resourcepermissions/api.go +++ b/pkg/services/accesscontrol/resourcepermissions/api.go @@ -29,30 +29,6 @@ func newApi(ac accesscontrol.AccessControl, router routing.RouteRegister, manage return &api{ac, router, manager, permissions} } -func (a *api) getEvaluators(actionRead, actionWrite, scope string) (read, write accesscontrol.Evaluator) { - if a.service.options.InheritedScopesSolver == nil || a.service.options.InheritedScopePrefixes == nil { - read = accesscontrol.EvalPermission(actionRead, scope) - write = accesscontrol.EvalPermission(actionWrite, scope) - } else { - // Add inherited scopes to the evaluators protecting the endpoint. - // Scopes in the request context parameters are to be added by solveInheritedScopes. - // If a user got actionRead on any of the inherited scopes, they will be granted access to the endpoint. - // Ex: a user inherits dashboards:read from the containing folder (folders:uid:BCeknZL7k) - inheritedRead := []accesscontrol.Evaluator{accesscontrol.EvalPermission(actionRead, scope)} - inheritedWrite := []accesscontrol.Evaluator{accesscontrol.EvalPermission(actionWrite, scope)} - for _, scopePrefix := range a.service.options.InheritedScopePrefixes { - inheritedRead = append(inheritedRead, - accesscontrol.EvalPermission(actionRead, accesscontrol.Parameter(scopePrefix))) - inheritedWrite = append(inheritedWrite, - accesscontrol.EvalPermission(actionWrite, accesscontrol.Parameter(scopePrefix))) - } - - read = accesscontrol.EvalAny(inheritedRead...) - write = accesscontrol.EvalAny(inheritedWrite...) - } - return -} - func (a *api) registerEndpoints() { auth := accesscontrol.Middleware(a.ac) disable := disableMiddleware(a.ac.IsDisabled()) @@ -62,17 +38,16 @@ func (a *api) registerEndpoints() { actionRead := fmt.Sprintf("%s.permissions:read", a.service.options.Resource) actionWrite := fmt.Sprintf("%s.permissions:write", a.service.options.Resource) scope := accesscontrol.Scope(a.service.options.Resource, a.service.options.ResourceAttribute, accesscontrol.Parameter(":resourceID")) - readEvaluator, writeEvaluator := a.getEvaluators(actionRead, actionWrite, scope) r.Get("/description", auth(disable, accesscontrol.EvalPermission(actionRead)), routing.Wrap(a.getDescription)) - r.Get("/:resourceID", inheritanceSolver, auth(disable, readEvaluator), routing.Wrap(a.getPermissions)) + r.Get("/:resourceID", inheritanceSolver, auth(disable, accesscontrol.EvalPermission(actionRead, scope)), routing.Wrap(a.getPermissions)) if a.service.options.Assignments.Users { - r.Post("/:resourceID/users/:userID", inheritanceSolver, auth(disable, writeEvaluator), routing.Wrap(a.setUserPermission)) + r.Post("/:resourceID/users/:userID", inheritanceSolver, auth(disable, accesscontrol.EvalPermission(actionWrite, scope)), routing.Wrap(a.setUserPermission)) } if a.service.options.Assignments.Teams { - r.Post("/:resourceID/teams/:teamID", inheritanceSolver, auth(disable, writeEvaluator), routing.Wrap(a.setTeamPermission)) + r.Post("/:resourceID/teams/:teamID", inheritanceSolver, auth(disable, accesscontrol.EvalPermission(actionWrite, scope)), routing.Wrap(a.setTeamPermission)) } if a.service.options.Assignments.BuiltInRoles { - r.Post("/:resourceID/builtInRoles/:builtInRole", inheritanceSolver, auth(disable, writeEvaluator), routing.Wrap(a.setBuiltinRolePermission)) + r.Post("/:resourceID/builtInRoles/:builtInRole", inheritanceSolver, auth(disable, accesscontrol.EvalPermission(actionWrite, scope)), routing.Wrap(a.setBuiltinRolePermission)) } }) } diff --git a/pkg/services/accesscontrol/resourcepermissions/api_test.go b/pkg/services/accesscontrol/resourcepermissions/api_test.go index 38d25552d21..3eb4e2e5ec9 100644 --- a/pkg/services/accesscontrol/resourcepermissions/api_test.go +++ b/pkg/services/accesscontrol/resourcepermissions/api_test.go @@ -3,7 +3,6 @@ package resourcepermissions import ( "context" "encoding/json" - "errors" "fmt" "net/http" "net/http/httptest" @@ -418,66 +417,6 @@ func TestApi_setUserPermission(t *testing.T) { } } -type inheritSolverTestCase struct { - desc string - resourceID string - expectedStatus int -} - -func TestApi_InheritSolver(t *testing.T) { - tests := []inheritSolverTestCase{ - { - desc: "expect parents permission to apply", - resourceID: "resourceID", - expectedStatus: http.StatusOK, - }, - { - desc: "expect direct permissions to apply (no inheritance)", - resourceID: "orphanedID", - expectedStatus: http.StatusOK, - }, - { - desc: "expect 404 when resource is not found", - resourceID: "notfound", - expectedStatus: http.StatusNotFound, - }, - } - - for _, tt := range tests { - t.Run(tt.desc, func(t *testing.T) { - userPermissions := []*accesscontrol.Permission{ - {Action: "dashboards.permissions:read", Scope: "parents:id:parentID"}, // Inherited permission - {Action: "dashboards.permissions:read", Scope: "dashboards:id:orphanedID"}, // Direct permission - {Action: accesscontrol.ActionTeamsRead, Scope: accesscontrol.ScopeTeamsAll}, - {Action: accesscontrol.ActionOrgUsersRead, Scope: accesscontrol.ScopeUsersAll}, - } - // Add the inheritance solver "resourceID -> [parentID]" "orphanedID -> []" - service, sql := setupTestEnvironment(t, userPermissions, - withInheritance(testOptions, testInheritedScopeSolver, testInheritedScopePrefixes), - ) - server := setupTestServer(t, &models.SignedInUser{OrgId: 1, Permissions: map[int64]map[string][]string{ - 1: accesscontrol.GroupScopesByAction(userPermissions), - }}, service) - - // Seed permissions for users/teams/built-in roles specific to the test case resourceID - seedPermissions(t, tt.resourceID, sql, service) - - permissions, recorder := getPermission(t, server, testOptions.Resource, tt.resourceID) - require.Equal(t, tt.expectedStatus, recorder.Code) - - if tt.expectedStatus == http.StatusOK { - checkSeededPermissions(t, permissions) - } - }) - } -} - -func withInheritance(options Options, solver InheritedScopesSolver, inheritedPrefixes []string) Options { - options.InheritedScopesSolver = solver - options.InheritedScopePrefixes = inheritedPrefixes - return options -} - func setupTestServer(t *testing.T, user *models.SignedInUser, service *Service) *web.Mux { server := web.New() server.UseMiddleware(web.Renderer(path.Join(setting.StaticRootPath, "views"), "[[", "]]")) @@ -518,17 +457,6 @@ var testOptions = Options{ }, } -var testInheritedScopePrefixes = []string{"parents:id:"} -var testInheritedScopeSolver = func(ctx context.Context, orgID int64, id string) ([]string, error) { - if id == "resourceID" { // Has parent - return []string{"parents:id:parentID"}, nil - } - if id == "orphanedID" { // Exists but with no parent - return nil, nil - } - return nil, errors.New("not found") -} - func getPermission(t *testing.T, server *web.Mux, resource, resourceID string) ([]resourcePermissionDTO, *httptest.ResponseRecorder) { req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("/api/access-control/%s/%s", resource, resourceID), nil) require.NoError(t, err) diff --git a/pkg/services/accesscontrol/resourcepermissions/options.go b/pkg/services/accesscontrol/resourcepermissions/options.go index 12375cab2c9..f059700f100 100644 --- a/pkg/services/accesscontrol/resourcepermissions/options.go +++ b/pkg/services/accesscontrol/resourcepermissions/options.go @@ -39,6 +39,4 @@ type Options struct { OnSetBuiltInRole func(session *sqlstore.DBSession, orgID int64, builtInRole, resourceID, permission string) error // InheritedScopesSolver if configured can generate additional scopes that will be used when fetching permissions for a resource InheritedScopesSolver InheritedScopesSolver - // InheritedScopePrefixes if configured are used to create evaluators with the scopes returned by InheritedScopesSolver - InheritedScopePrefixes []string }