feat: Add new read filtering to datasources guardian (grafana#91345)

Aaron Godin · eleijonmarck · web-flow · commit 0176ead11766 · 2024-08-22T11:26:46.000+01:00
* feat: Add new read filtering to datasources guardian

* Apply suggestion to use datasources read guardian check for frontend settings

---------

Co-authored-by: Eric Leijonmarck &lt;eric.leijonmarck@gmail.com&gt;
diff --git a/pkg/api/datasources.go b/pkg/api/datasources.go
@@ -54,7 +54,7 @@ func (hs *HTTPServer) GetDataSources(c *contextmodel.ReqContext) response.Respon
 		return response.Error(http.StatusInternalServerError, "Failed to query datasources", err)
 	}
 
-	filtered, err := hs.dsGuardian.New(c.SignedInUser.OrgID, c.SignedInUser).FilterDatasourcesByQueryPermissions(dataSources)
+	filtered, err := hs.dsGuardian.New(c.SignedInUser.OrgID, c.SignedInUser).FilterDatasourcesByReadPermissions(dataSources)
 	if err != nil {
 		return response.Error(http.StatusInternalServerError, "Failed to query datasources", err)
 	}
diff --git a/pkg/api/frontendsettings.go b/pkg/api/frontendsettings.go
@@ -410,7 +410,7 @@ func (hs *HTTPServer) getFSDataSources(c *contextmodel.ReqContext, availablePlug
 			// If RBAC is enabled, it will filter out all datasources for a public user, so we need to skip it
 			orgDataSources = dataSources
 		} else {
-			filtered, err := hs.dsGuardian.New(c.SignedInUser.OrgID, c.SignedInUser).FilterDatasourcesByQueryPermissions(dataSources)
+			filtered, err := hs.dsGuardian.New(c.SignedInUser.OrgID, c.SignedInUser).FilterDatasourcesByReadPermissions(dataSources)
 			if err != nil {
 				return nil, err
 			}
diff --git a/pkg/services/datasources/guardian/allow_guardian.go b/pkg/services/datasources/guardian/allow_guardian.go
@@ -17,3 +17,7 @@ func (n AllowGuardian) CanQuery(datasourceID int64) (bool, error) {
 func (n AllowGuardian) FilterDatasourcesByQueryPermissions(ds []*datasources.DataSource) ([]*datasources.DataSource, error) {
 	return ds, nil
 }
+
+func (n AllowGuardian) FilterDatasourcesByReadPermissions(ds []*datasources.DataSource) ([]*datasources.DataSource, error) {
+	return ds, nil
+}
diff --git a/pkg/services/datasources/guardian/provider.go b/pkg/services/datasources/guardian/provider.go
@@ -11,6 +11,7 @@ type DatasourceGuardianProvider interface {
 
 type DatasourceGuardian interface {
 	CanQuery(datasourceID int64) (bool, error)
+	FilterDatasourcesByReadPermissions([]*datasources.DataSource) ([]*datasources.DataSource, error)
 	FilterDatasourcesByQueryPermissions([]*datasources.DataSource) ([]*datasources.DataSource, error)
 }
 

Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ func (hs HTTPServer) GetDataSources(c contextmodel.ReqContext) response.Respon`
`54`	`54`	`return response.Error(http.StatusInternalServerError, "Failed to query datasources", err)`
`55`	`55`	`}`
`56`	`56`
`57`		`- filtered, err := hs.dsGuardian.New(c.SignedInUser.OrgID, c.SignedInUser).FilterDatasourcesByQueryPermissions(dataSources)`
	`57`	`+ filtered, err := hs.dsGuardian.New(c.SignedInUser.OrgID, c.SignedInUser).FilterDatasourcesByReadPermissions(dataSources)`
`58`	`58`	`if err != nil {`
`59`	`59`	`return response.Error(http.StatusInternalServerError, "Failed to query datasources", err)`
`60`	`60`	`}`
Original file line number	Diff line number	Diff line change
`@@ -410,7 +410,7 @@ func (hs HTTPServer) getFSDataSources(c contextmodel.ReqContext, availablePlug`
`410`	`410`	`// If RBAC is enabled, it will filter out all datasources for a public user, so we need to skip it`
`411`	`411`	`orgDataSources = dataSources`
`412`	`412`	`} else {`
`413`		`- filtered, err := hs.dsGuardian.New(c.SignedInUser.OrgID, c.SignedInUser).FilterDatasourcesByQueryPermissions(dataSources)`
	`413`	`+ filtered, err := hs.dsGuardian.New(c.SignedInUser.OrgID, c.SignedInUser).FilterDatasourcesByReadPermissions(dataSources)`
`414`	`414`	`if err != nil {`
`415`	`415`	`return nil, err`
`416`	`416`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,3 +17,7 @@ func (n AllowGuardian) CanQuery(datasourceID int64) (bool, error) {`
`17`	`17`	`func (n AllowGuardian) FilterDatasourcesByQueryPermissions(ds []datasources.DataSource) ([]datasources.DataSource, error) {`
`18`	`18`	`return ds, nil`
`19`	`19`	`}`
	`20`	`+`
	`21`	`+func (n AllowGuardian) FilterDatasourcesByReadPermissions(ds []datasources.DataSource) ([]datasources.DataSource, error) {`
	`22`	`+ return ds, nil`
	`23`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ type DatasourceGuardianProvider interface {`
`11`	`11`
`12`	`12`	`type DatasourceGuardian interface {`
`13`	`13`	`CanQuery(datasourceID int64) (bool, error)`
	`14`	`+ FilterDatasourcesByReadPermissions([]datasources.DataSource) ([]datasources.DataSource, error)`
`14`	`15`	`FilterDatasourcesByQueryPermissions([]datasources.DataSource) ([]datasources.DataSource, error)`
`15`	`16`	`}`
`16`	`17`