grafana/pkg/services/oauthtoken/oauth_token.go

package oauthtoken

import (
	"context"
	"errors"

	"github.com/grafana/grafana/pkg/bus"
	"github.com/grafana/grafana/pkg/infra/log"
	"github.com/grafana/grafana/pkg/login/social"
	"github.com/grafana/grafana/pkg/models"
	"golang.org/x/oauth2"
)

var (
	logger = log.New("oauthtoken")
)

type Service struct {
	SocialService social.Service
}

type OAuthTokenService interface {
	GetCurrentOAuthToken(context.Context, *models.SignedInUser) *oauth2.Token
	IsOAuthPassThruEnabled(*models.DataSource) bool
}

func ProvideService(socialService social.Service) *Service {
	return &Service{
		SocialService: socialService,
	}
}

// GetCurrentOAuthToken returns the OAuth token, if any, for the authenticated user. Will try to refresh the token if it has expired.
func (o *Service) GetCurrentOAuthToken(ctx context.Context, user *models.SignedInUser) *oauth2.Token {
	if user == nil {
		// No user, therefore no token
		return nil
	}

	authInfoQuery := &models.GetAuthInfoQuery{UserId: user.UserId}
	if err := bus.DispatchCtx(ctx, authInfoQuery); err != nil {
		if errors.Is(err, models.ErrUserNotFound) {
			// Not necessarily an error.  User may be logged in another way.
			logger.Debug("no OAuth token for user found", "userId", user.UserId, "username", user.Login)
		} else {
			logger.Error("failed to get OAuth token for user", "userId", user.UserId, "username", user.Login, "error", err)
		}
		return nil
	}

	authProvider := authInfoQuery.Result.AuthModule
	connect, err := o.SocialService.GetConnector(authProvider)
	if err != nil {
		logger.Error("failed to get OAuth connector", "provider", authProvider, "error", err)
		return nil
	}

	client, err := o.SocialService.GetOAuthHttpClient(authProvider)
	if err != nil {
		logger.Error("failed to get OAuth http client", "provider", authProvider, "error", err)
		return nil
	}
	ctx = context.WithValue(ctx, oauth2.HTTPClient, client)

	persistedToken := &oauth2.Token{
		AccessToken:  authInfoQuery.Result.OAuthAccessToken,
		Expiry:       authInfoQuery.Result.OAuthExpiry,
		RefreshToken: authInfoQuery.Result.OAuthRefreshToken,
		TokenType:    authInfoQuery.Result.OAuthTokenType,
	}
	// TokenSource handles refreshing the token if it has expired
	token, err := connect.TokenSource(ctx, persistedToken).Token()
	if err != nil {
		logger.Error("failed to retrieve OAuth access token", "provider", authInfoQuery.Result.AuthModule, "userId", user.UserId, "username", user.Login, "error", err)
		return nil
	}

	// If the tokens are not the same, update the entry in the DB
	if !tokensEq(persistedToken, token) {
		updateAuthCommand := &models.UpdateAuthInfoCommand{
			UserId:     authInfoQuery.Result.UserId,
			AuthModule: authInfoQuery.Result.AuthModule,
			AuthId:     authInfoQuery.Result.AuthId,
			OAuthToken: token,
		}
		if err := bus.Dispatch(updateAuthCommand); err != nil {
			logger.Error("failed to update auth info during token refresh", "userId", user.UserId, "username", user.Login, "error", err)
			return nil
		}
		logger.Debug("updated OAuth info for user", "userId", user.UserId, "username", user.Login)
	}
	return token
}

// IsOAuthPassThruEnabled returns true if Forward OAuth Identity (oauthPassThru) is enabled for the provided data source.
func (o *Service) IsOAuthPassThruEnabled(ds *models.DataSource) bool {
	return ds.JsonData != nil && ds.JsonData.Get("oauthPassThru").MustBool()
}

// tokensEq checks for OAuth2 token equivalence given the fields of the struct Grafana is interested in
func tokensEq(t1, t2 *oauth2.Token) bool {
	return t1.AccessToken == t2.AccessToken &&
		t1.RefreshToken == t2.RefreshToken &&
		t1.Expiry.Equal(t2.Expiry) &&
		t1.TokenType == t2.TokenType
}
OAuth: Support Forward OAuth Identity for backend data source plugins (#27055) Adds support for the Forward OAuth Identity feature in backend data source plugins. Earlier this feature has only been supported for non-backend data source plugins. Fixes #26023 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> 2020-10-23 18:34:38 -05:00			`package oauthtoken`

			`import (`
			`"context"`
Chore: Enable errorlint linter (#29227) * Enable errorlint linter * Handle wrapped errors Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2020-11-19 07:47:17 -06:00			`"errors"`
OAuth: Support Forward OAuth Identity for backend data source plugins (#27055) Adds support for the Forward OAuth Identity feature in backend data source plugins. Earlier this feature has only been supported for non-backend data source plugins. Fixes #26023 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> 2020-10-23 18:34:38 -05:00
			`"github.com/grafana/grafana/pkg/bus"`
			`"github.com/grafana/grafana/pkg/infra/log"`
			`"github.com/grafana/grafana/pkg/login/social"`
			`"github.com/grafana/grafana/pkg/models"`
			`"golang.org/x/oauth2"`
			`)`

			`var (`
			`logger = log.New("oauthtoken")`
			`)`

Chore: Refactor OAuth/social package to service (#35403) * Creating SocialService * Add GetOAuthProviders as socialService method * Add OAuthTokenService * Add GetOAuthHttpClient method to SocialService * Rename services, access socialMap from GetConnector * Fix tests by mocking oauthtoken methods * Move NewAuthService into Init * Move OAuthService to social pkg * Refactor OAuthService to OAuthProvider * Fix nil map error, rename file, simplify tests * Fix bug for Forward OAuth Identify * Remove file after rebase 2021-07-07 01:54:17 -05:00			`type Service struct {`
Migrate to Wire for dependency injection (#32289) Fixes #30144 Co-authored-by: dsotirakis <sotirakis.dim@gmail.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Ida Furjesova <ida.furjesova@grafana.com> Co-authored-by: Jack Westbrook <jack.westbrook@gmail.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com> Co-authored-by: Leon Sorokin <leeoniya@gmail.com> Co-authored-by: Andrej Ocenas <mr.ocenas@gmail.com> Co-authored-by: spinillos <selenepinillos@gmail.com> Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Leonard Gram <leo@xlson.com> 2021-08-25 08:11:22 -05:00			`SocialService social.Service`
Chore: Refactor OAuth/social package to service (#35403) * Creating SocialService * Add GetOAuthProviders as socialService method * Add OAuthTokenService * Add GetOAuthHttpClient method to SocialService * Rename services, access socialMap from GetConnector * Fix tests by mocking oauthtoken methods * Move NewAuthService into Init * Move OAuthService to social pkg * Refactor OAuthService to OAuthProvider * Fix nil map error, rename file, simplify tests * Fix bug for Forward OAuth Identify * Remove file after rebase 2021-07-07 01:54:17 -05:00			`}`

			`type OAuthTokenService interface {`
			`GetCurrentOAuthToken(context.Context, models.SignedInUser) oauth2.Token`
			`IsOAuthPassThruEnabled(*models.DataSource) bool`
			`}`

Migrate to Wire for dependency injection (#32289) Fixes #30144 Co-authored-by: dsotirakis <sotirakis.dim@gmail.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Ida Furjesova <ida.furjesova@grafana.com> Co-authored-by: Jack Westbrook <jack.westbrook@gmail.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com> Co-authored-by: Leon Sorokin <leeoniya@gmail.com> Co-authored-by: Andrej Ocenas <mr.ocenas@gmail.com> Co-authored-by: spinillos <selenepinillos@gmail.com> Co-authored-by: Karl Persson <kalle.persson@grafana.com> Co-authored-by: Leonard Gram <leo@xlson.com> 2021-08-25 08:11:22 -05:00			`func ProvideService(socialService social.Service) *Service {`
			`return &Service{`
			`SocialService: socialService,`
			`}`
Chore: Refactor OAuth/social package to service (#35403) * Creating SocialService * Add GetOAuthProviders as socialService method * Add OAuthTokenService * Add GetOAuthHttpClient method to SocialService * Rename services, access socialMap from GetConnector * Fix tests by mocking oauthtoken methods * Move NewAuthService into Init * Move OAuthService to social pkg * Refactor OAuthService to OAuthProvider * Fix nil map error, rename file, simplify tests * Fix bug for Forward OAuth Identify * Remove file after rebase 2021-07-07 01:54:17 -05:00			`}`

OAuth: Support Forward OAuth Identity for backend data source plugins (#27055) Adds support for the Forward OAuth Identity feature in backend data source plugins. Earlier this feature has only been supported for non-backend data source plugins. Fixes #26023 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> 2020-10-23 18:34:38 -05:00			`// GetCurrentOAuthToken returns the OAuth token, if any, for the authenticated user. Will try to refresh the token if it has expired.`
Chore: Refactor OAuth/social package to service (#35403) * Creating SocialService * Add GetOAuthProviders as socialService method * Add OAuthTokenService * Add GetOAuthHttpClient method to SocialService * Rename services, access socialMap from GetConnector * Fix tests by mocking oauthtoken methods * Move NewAuthService into Init * Move OAuthService to social pkg * Refactor OAuthService to OAuthProvider * Fix nil map error, rename file, simplify tests * Fix bug for Forward OAuth Identify * Remove file after rebase 2021-07-07 01:54:17 -05:00			`func (o Service) GetCurrentOAuthToken(ctx context.Context, user models.SignedInUser) *oauth2.Token {`
OAuth: Support Forward OAuth Identity for backend data source plugins (#27055) Adds support for the Forward OAuth Identity feature in backend data source plugins. Earlier this feature has only been supported for non-backend data source plugins. Fixes #26023 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> 2020-10-23 18:34:38 -05:00			`if user == nil {`
			`// No user, therefore no token`
			`return nil`
			`}`

			`authInfoQuery := &models.GetAuthInfoQuery{UserId: user.UserId}`
Chore: add context to login (#41316) * Chore: add context to login attempt file and tests * Chore: add context * Chore: add context to login and login tests * Chore: continue adding context to login * Chore: add context to login query 2021-11-08 08:53:51 -06:00			`if err := bus.DispatchCtx(ctx, authInfoQuery); err != nil {`
Chore: Enable errorlint linter (#29227) * Enable errorlint linter * Handle wrapped errors Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> 2020-11-19 07:47:17 -06:00			`if errors.Is(err, models.ErrUserNotFound) {`
OAuth: Support Forward OAuth Identity for backend data source plugins (#27055) Adds support for the Forward OAuth Identity feature in backend data source plugins. Earlier this feature has only been supported for non-backend data source plugins. Fixes #26023 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> 2020-10-23 18:34:38 -05:00			`// Not necessarily an error. User may be logged in another way.`
			`logger.Debug("no OAuth token for user found", "userId", user.UserId, "username", user.Login)`
			`} else {`
			`logger.Error("failed to get OAuth token for user", "userId", user.UserId, "username", user.Login, "error", err)`
			`}`
			`return nil`
			`}`

			`authProvider := authInfoQuery.Result.AuthModule`
Chore: Refactor OAuth/social package to service (#35403) * Creating SocialService * Add GetOAuthProviders as socialService method * Add OAuthTokenService * Add GetOAuthHttpClient method to SocialService * Rename services, access socialMap from GetConnector * Fix tests by mocking oauthtoken methods * Move NewAuthService into Init * Move OAuthService to social pkg * Refactor OAuthService to OAuthProvider * Fix nil map error, rename file, simplify tests * Fix bug for Forward OAuth Identify * Remove file after rebase 2021-07-07 01:54:17 -05:00			`connect, err := o.SocialService.GetConnector(authProvider)`
OAuth: Support Forward OAuth Identity for backend data source plugins (#27055) Adds support for the Forward OAuth Identity feature in backend data source plugins. Earlier this feature has only been supported for non-backend data source plugins. Fixes #26023 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> 2020-10-23 18:34:38 -05:00			`if err != nil {`
			`logger.Error("failed to get OAuth connector", "provider", authProvider, "error", err)`
			`return nil`
			`}`

Chore: Refactor OAuth/social package to service (#35403) * Creating SocialService * Add GetOAuthProviders as socialService method * Add OAuthTokenService * Add GetOAuthHttpClient method to SocialService * Rename services, access socialMap from GetConnector * Fix tests by mocking oauthtoken methods * Move NewAuthService into Init * Move OAuthService to social pkg * Refactor OAuthService to OAuthProvider * Fix nil map error, rename file, simplify tests * Fix bug for Forward OAuth Identify * Remove file after rebase 2021-07-07 01:54:17 -05:00			`client, err := o.SocialService.GetOAuthHttpClient(authProvider)`
OAuth: Support Forward OAuth Identity for backend data source plugins (#27055) Adds support for the Forward OAuth Identity feature in backend data source plugins. Earlier this feature has only been supported for non-backend data source plugins. Fixes #26023 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> 2020-10-23 18:34:38 -05:00			`if err != nil {`
			`logger.Error("failed to get OAuth http client", "provider", authProvider, "error", err)`
			`return nil`
			`}`
			`ctx = context.WithValue(ctx, oauth2.HTTPClient, client)`

			`persistedToken := &oauth2.Token{`
			`AccessToken: authInfoQuery.Result.OAuthAccessToken,`
			`Expiry: authInfoQuery.Result.OAuthExpiry,`
			`RefreshToken: authInfoQuery.Result.OAuthRefreshToken,`
			`TokenType: authInfoQuery.Result.OAuthTokenType,`
			`}`
			`// TokenSource handles refreshing the token if it has expired`
			`token, err := connect.TokenSource(ctx, persistedToken).Token()`
			`if err != nil {`
			`logger.Error("failed to retrieve OAuth access token", "provider", authInfoQuery.Result.AuthModule, "userId", user.UserId, "username", user.Login, "error", err)`
			`return nil`
			`}`

			`// If the tokens are not the same, update the entry in the DB`
			`if !tokensEq(persistedToken, token) {`
			`updateAuthCommand := &models.UpdateAuthInfoCommand{`
			`UserId: authInfoQuery.Result.UserId,`
			`AuthModule: authInfoQuery.Result.AuthModule,`
			`AuthId: authInfoQuery.Result.AuthId,`
			`OAuthToken: token,`
			`}`
			`if err := bus.Dispatch(updateAuthCommand); err != nil {`
			`logger.Error("failed to update auth info during token refresh", "userId", user.UserId, "username", user.Login, "error", err)`
			`return nil`
			`}`
			`logger.Debug("updated OAuth info for user", "userId", user.UserId, "username", user.Login)`
			`}`
			`return token`
			`}`

			`// IsOAuthPassThruEnabled returns true if Forward OAuth Identity (oauthPassThru) is enabled for the provided data source.`
Chore: Refactor OAuth/social package to service (#35403) * Creating SocialService * Add GetOAuthProviders as socialService method * Add OAuthTokenService * Add GetOAuthHttpClient method to SocialService * Rename services, access socialMap from GetConnector * Fix tests by mocking oauthtoken methods * Move NewAuthService into Init * Move OAuthService to social pkg * Refactor OAuthService to OAuthProvider * Fix nil map error, rename file, simplify tests * Fix bug for Forward OAuth Identify * Remove file after rebase 2021-07-07 01:54:17 -05:00			`func (o Service) IsOAuthPassThruEnabled(ds models.DataSource) bool {`
OAuth: Support Forward OAuth Identity for backend data source plugins (#27055) Adds support for the Forward OAuth Identity feature in backend data source plugins. Earlier this feature has only been supported for non-backend data source plugins. Fixes #26023 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> 2020-10-23 18:34:38 -05:00			`return ds.JsonData != nil && ds.JsonData.Get("oauthPassThru").MustBool()`
			`}`

			`// tokensEq checks for OAuth2 token equivalence given the fields of the struct Grafana is interested in`
			`func tokensEq(t1, t2 *oauth2.Token) bool {`
			`return t1.AccessToken == t2.AccessToken &&`
			`t1.RefreshToken == t2.RefreshToken &&`
Chore: Configure go-ruleguard via golangci-lint (#28419) * Chore: Configure go-ruleguard via golangci-lint Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-12-11 04:45:17 -06:00			`t1.Expiry.Equal(t2.Expiry) &&`
OAuth: Support Forward OAuth Identity for backend data source plugins (#27055) Adds support for the Forward OAuth Identity feature in backend data source plugins. Earlier this feature has only been supported for non-backend data source plugins. Fixes #26023 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> 2020-10-23 18:34:38 -05:00			`t1.TokenType == t2.TokenType`
			`}`