Preferences: refactor experimental apiserver and improve tests (grafana#111596)

Author: ryantxu

apps/preferences/kinds/preferences.cue

@@ -40,21 +40,21 @@ preferencesV1alpha1: {
 
 			// Navigation preferences
 			navbar?: #NavbarPreference
-		} @cuetsy(kind="interface")
+		}
 
 		#QueryHistoryPreference: {
 			// one of: '' | 'query' | 'starred';
 			homeTab?: string
-		} @cuetsy(kind="interface")
+		}
 
 		#CookiePreferences: {
 			analytics?: {}
 			performance?: {}
 			functional?: {}
-		} @cuetsy(kind="interface")
+		}
 
 		#NavbarPreference: {
 			bookmarkUrls: [...string]
-		} @cuetsy(kind="interface")
+		} 
 	}
 }

apps/preferences/pkg/apis/preferences/v1alpha1/preferences_client_gen.go

@@ -76,14 +76,16 @@ func (c *PreferencesClient) Patch(ctx context.Context, identifier resource.Ident
 	return c.client.Patch(ctx, identifier, req, opts)
 }
 
-func (c *PreferencesClient) UpdateStatus(ctx context.Context, newStatus PreferencesStatus, opts resource.UpdateOptions) (*Preferences, error) {
+func (c *PreferencesClient) UpdateStatus(ctx context.Context, identifier resource.Identifier, newStatus PreferencesStatus, opts resource.UpdateOptions) (*Preferences, error) {
 	return c.client.Update(ctx, &Preferences{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       PreferencesKind().Kind(),
 			APIVersion: GroupVersion.Identifier(),
 		},
 		ObjectMeta: metav1.ObjectMeta{
 			ResourceVersion: opts.ResourceVersion,
+			Namespace:       identifier.Namespace,
+			Name:            identifier.Name,
 		},
 		Status: newStatus,
 	}, resource.UpdateOptions{

apps/preferences/pkg/apis/preferences/v1alpha1/stars_client_gen.go

@@ -76,14 +76,16 @@ func (c *StarsClient) Patch(ctx context.Context, identifier resource.Identifier,
 	return c.client.Patch(ctx, identifier, req, opts)
 }
 
-func (c *StarsClient) UpdateStatus(ctx context.Context, newStatus StarsStatus, opts resource.UpdateOptions) (*Stars, error) {
+func (c *StarsClient) UpdateStatus(ctx context.Context, identifier resource.Identifier, newStatus StarsStatus, opts resource.UpdateOptions) (*Stars, error) {
 	return c.client.Update(ctx, &Stars{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       StarsKind().Kind(),
 			APIVersion: GroupVersion.Identifier(),
 		},
 		ObjectMeta: metav1.ObjectMeta{
 			ResourceVersion: opts.ResourceVersion,
+			Namespace:       identifier.Namespace,
+			Name:            identifier.Name,
 		},
 		Status: newStatus,
 	}, resource.UpdateOptions{

apps/preferences/pkg/apis/preferences_manifest.go

@@ -13,6 +13,7 @@ import (
 	"github.com/grafana/grafana-app-sdk/app"
 	"github.com/grafana/grafana-app-sdk/resource"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/kube-openapi/pkg/spec3"
 
 	v1alpha1 "github.com/grafana/grafana/apps/preferences/pkg/apis/preferences/v1alpha1"
 )
@@ -66,6 +67,10 @@ var appManifestData = app.ManifestData{
 					Schema: &versionSchemaStarsv1alpha1,
 				},
 			},
+			Routes: app.ManifestVersionRoutes{
+				Namespaced: map[string]spec3.PathProps{},
+				Cluster:    map[string]spec3.PathProps{},
+			},
 		},
 	},
 }
@@ -95,6 +100,7 @@ var customRouteToGoResponseType = map[string]any{}
 // ManifestCustomRouteResponsesAssociator returns the associated response go type for a given kind, version, custom route path, and method, if one exists.
 // kind may be empty for custom routes which are not kind subroutes. Leading slashes are removed from subroute paths.
 // If there is no association for the provided kind, version, custom route path, and method, exists will return false.
+// Resource routes (those without a kind) should prefix their route with "<namespace>/" if the route is namespaced (otherwise the route is assumed to be cluster-scope)
 func ManifestCustomRouteResponsesAssociator(kind, version, path, verb string) (goType any, exists bool) {
 	if len(path) > 0 && path[0] == '/' {
 		path = path[1:]
@@ -113,8 +119,22 @@ func ManifestCustomRouteQueryAssociator(kind, version, path, verb string) (goTyp
 	return goType, exists
 }
 
+var customRouteToGoRequestBodyType = map[string]any{}
+
+func ManifestCustomRouteRequestBodyAssociator(kind, version, path, verb string) (goType any, exists bool) {
+	if len(path) > 0 && path[0] == '/' {
+		path = path[1:]
+	}
+	goType, exists = customRouteToGoRequestBodyType[fmt.Sprintf("%s|%s|%s|%s", version, kind, path, strings.ToUpper(verb))]
+	return goType, exists
+}
+
 type GoTypeAssociator struct{}
 
+func NewGoTypeAssociator() *GoTypeAssociator {
+	return &GoTypeAssociator{}
+}
+
 func (g *GoTypeAssociator) KindToGoType(kind, version string) (goType resource.Kind, exists bool) {
 	return ManifestGoTypeAssociator(kind, version)
 }
@@ -124,3 +144,6 @@ func (g *GoTypeAssociator) CustomRouteReturnGoType(kind, version, path, verb str
 func (g *GoTypeAssociator) CustomRouteQueryGoType(kind, version, path, verb string) (goType runtime.Object, exists bool) {
 	return ManifestCustomRouteQueryAssociator(kind, version, path, verb)
 }
+func (g *GoTypeAssociator) CustomRouteRequestBodyGoType(kind, version, path, verb string) (goType any, exists bool) {
+	return ManifestCustomRouteRequestBodyAssociator(kind, version, path, verb)
+}

pkg/apimachinery/identity/context.go

@@ -139,6 +139,7 @@ var serviceIdentityTokenPermissions = []string{
 	"secret.grafana.app:*",
 	"query.grafana.app:*",
 	"iam.grafana.app:*",
+	"preferences.grafana.app:*",
 
 	// Secrets Manager uses a custom verb for secret decryption, and its authorizer does not allow wildcard permissions.
 	"secret.grafana.app/securevalues:decrypt",

pkg/registry/apis/preferences/authorizer.go

@@ -6,55 +6,98 @@ import (
 
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 
+	"github.com/grafana/authlib/authz"
+	"github.com/grafana/grafana-app-sdk/logging"
 	"github.com/grafana/grafana/pkg/apimachinery/identity"
 	"github.com/grafana/grafana/pkg/registry/apis/preferences/utils"
 )
 
-func (b *APIBuilder) GetAuthorizer() authorizer.Authorizer {
-	return authorizer.AuthorizerFunc(
-		func(ctx context.Context, attr authorizer.Attributes) (authorizer.Decision, string, error) {
-			user, err := identity.GetRequester(ctx)
-			if err != nil {
-				return authorizer.DecisionDeny, "valid user is required", err
-			}
-
-			if !attr.IsResourceRequest() || user.GetIsGrafanaAdmin() || attr.GetName() == "" {
-				return authorizer.DecisionAllow, "", nil
-			}
-
-			name, found := utils.ParseOwnerFromName(attr.GetName())
-			if !found {
-				return authorizer.DecisionDeny, "invalid name", nil
-			}
-
-			if attr.GetResource() == "stars" && name.Owner != utils.UserResourceOwner {
-				return authorizer.DecisionDeny, "stars only support users", nil
-			}
-
-			switch name.Owner {
-			case utils.NamespaceResourceOwner:
-				return authorizer.DecisionAllow, "", nil
-
-			case utils.UserResourceOwner:
-				if user.GetUID() == name.Name {
-					return authorizer.DecisionAllow, "", nil
-				}
-				return authorizer.DecisionDeny, "you may only fetch your own preferences", nil
-
-			case utils.TeamResourceOwner:
-				admin := !attr.IsReadOnly() // we need admin to for non read only commands
-				teams, err := b.sql.GetTeams(ctx, user.GetOrgID(), user.GetUID(), admin)
-				if err != nil {
-					return authorizer.DecisionDeny, "error fetching teams", err
-				}
-				if slices.Contains(teams, name.Name) {
-					return authorizer.DecisionAllow, "", nil
-				}
-				return authorizer.DecisionDeny, "not a team member", nil
-
-			default:
-			}
-
-			return authorizer.DecisionDeny, "invalid name", nil
-		})
+type authorizeFromName struct {
+	teams    utils.TeamService
+	oknames  []string
+	resource map[string][]utils.ResourceOwner // may include unknown
+}
+
+func (a *authorizeFromName) Authorize(ctx context.Context, attr authorizer.Attributes) (authorizer.Decision, string, error) {
+	user, err := identity.GetRequester(ctx)
+	if err != nil || user == nil {
+		return authorizer.DecisionDeny, "valid user is required", err
+	}
+
+	if !attr.IsResourceRequest() {
+		return authorizer.DecisionNoOpinion, "", nil
+	}
+
+	owners, ok := a.resource[attr.GetResource()]
+	if !ok {
+		return authorizer.DecisionDeny, "missing resource name", nil
+	}
+
+	// Check if the request includes explicit permissions
+	res := authz.CheckServicePermissions(user, attr.GetAPIGroup(), attr.GetResource(), attr.GetVerb())
+	if !res.Allowed {
+		log := logging.FromContext(ctx)
+		log.Info("calling service lacks required permissions",
+			"isServiceCall", res.ServiceCall,
+			"apiGroup", attr.GetAPIGroup(),
+			"resource", attr.GetResource(),
+			"verb", attr.GetVerb(),
+			"permissions", len(res.Permissions),
+		)
+		return authorizer.DecisionDeny, "calling service lacks required permissions", nil
+	}
+
+	if attr.GetName() == "" {
+		if attr.IsReadOnly() {
+			return authorizer.DecisionAllow, "", nil
+		}
+		return authorizer.DecisionDeny, "mutating request without a name", nil
+	}
+
+	// the pseudo sub-resource
+	if a.oknames != nil && slices.Contains(a.oknames, attr.GetName()) {
+		return authorizer.DecisionAllow, "", nil
+	}
+
+	info, _ := utils.ParseOwnerFromName(attr.GetName())
+	if !slices.Contains(owners, info.Owner) {
+		return authorizer.DecisionDeny, "unsupported owner type", nil
+	}
+
+	switch info.Owner {
+	case utils.NamespaceResourceOwner:
+		if attr.IsReadOnly() {
+			// Everyone can see the namespace
+			return authorizer.DecisionAllow, "", nil
+		}
+		if user.GetOrgRole() == identity.RoleAdmin {
+			return authorizer.DecisionAllow, "", nil
+		}
+		return authorizer.DecisionDeny, "must be an org admin to edit", nil
+
+	case utils.UserResourceOwner:
+		if user.GetIdentifier() == info.Identifier {
+			return authorizer.DecisionAllow, "", nil
+		}
+		return authorizer.DecisionDeny, "your are not the owner of the resource", nil
+
+	case utils.TeamResourceOwner:
+		if a.teams == nil {
+			return authorizer.DecisionDeny, "team checker not configured", err
+		}
+		ok, err := a.teams.InTeam(ctx, user, info.Identifier, !attr.IsReadOnly())
+		if err != nil {
+			return authorizer.DecisionDeny, "error fetching teams", err
+		}
+		if ok {
+			return authorizer.DecisionAllow, "", nil
+		}
+		return authorizer.DecisionDeny, "you are not a member of the referenced team", nil
+
+	case utils.UnknownResourceOwner:
+		return authorizer.DecisionAllow, "", nil
+	}
+
+	// the owner was not explicitly allowed
+	return authorizer.DecisionDeny, "", nil
 }