Actionsets: Add ability for plugins to add actions for core actionsets (i.e. folders:edit) (#88776)

* initial commit * Action sets stored remove the dependancy for actionsets got the actionsets registered storing the permissions * fix golanglinting * remove unused struct field * wip * actionset registry for a plugin from the actionsetservice * update to make declareactionset the primary way of plugin registration and modification * declare actually extends actionsets * tests fixed * tests skipped * skip tests * skip tests * skip tests * skip tests * change to warning instead * remove step from pipeline to see if it fails due to plugin not registering * reintroduce step but remove features dependancy * add back the tests that were failing * remove comments and another skip test * fix a comment and remove unneeded changes * fix and clean up, put the behaviour behind a feature toggle * clean up * fixing tests * hard-code allowed action sets for plugins * Apply suggestions from code review Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * small cleanup --------- Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2025-07-31 16:02:46 +08:00 · 2024-07-19 16:16:23 +01:00
parent 96c3e9c550
commit 248af65f9c
18 changed files with 326 additions and 47 deletions
--- a/pkg/services/accesscontrol/pluginutils/utils.go
+++ b/pkg/services/accesscontrol/pluginutils/utils.go
@ -2,6 +2,7 @@ package pluginutils

 import (
 	"fmt"
+	"slices"
 	"strings"

 	"github.com/grafana/grafana/pkg/plugins"
@ -19,6 +20,8 @@ var (
 		"folders.permissions:read":  "folders:uid:",
 		"folders.permissions:write": "folders:uid:",
 	}
+
+	allowedActionSets = []string{"folders:view", "folders:edit", "folders:admin"}
 )

 // ValidatePluginPermissions errors when a permission does not match expected pattern for plugins
@ -34,10 +37,36 @@ func ValidatePluginPermissions(pluginID string, permissions []ac.Permission) err
 			permissions[i].Scope = scopePrefix + pluginID
 			continue
 		}
-		if !strings.HasPrefix(permissions[i].Action, pluginID+":") &&
-			!strings.HasPrefix(permissions[i].Action, pluginID+".") {
-			return &ac.ErrorActionPrefixMissing{Action: permissions[i].Action,
-				Prefixes: []string{pluginaccesscontrol.ActionAppAccess, pluginID + ":", pluginID + "."}}
+		if err := ValidatePluginAction(pluginID, permissions[i].Action); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func ValidatePluginAction(pluginID, action string) error {
+	if !strings.HasPrefix(action, pluginID+":") &&
+		!strings.HasPrefix(action, pluginID+".") {
+		return &ac.ErrorActionPrefixMissing{Action: action,
+			Prefixes: []string{pluginaccesscontrol.ActionAppAccess, pluginID + ":", pluginID + "."}}
+	}
+
+	return nil
+}
+
+// ValidatePluginActionSet errors when a actionset does not match expected pattern for plugins
+// - action set should be one of the allow-listed action sets (currently only folder action sets are supported for plugins)
+// - actions should have the pluginID prefix
+func ValidatePluginActionSet(pluginID string, actionSet plugins.ActionSet) error {
+	if !slices.Contains(allowedActionSets, actionSet.Action) {
+		return ac.ErrActionSetValidationFailed.Errorf("currently only folder and dashboard action sets are supported, provided action set %s is not a folder or dashboard action set", actionSet.Action)
+	}
+
+	// verify that actions have the pluginID prefix, plugins are only allowed to register actions for the plugin
+	for _, action := range actionSet.Actions {
+		if err := ValidatePluginAction(pluginID, action); err != nil {
+			return err
 		}
 	}