2021-11-11 15:10:24 +00:00
|
|
|
package manager
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
2022-12-13 14:56:10 +01:00
|
|
|
"errors"
|
2022-08-18 16:54:39 +02:00
|
|
|
"fmt"
|
|
|
|
|
"time"
|
2021-11-11 15:10:24 +00:00
|
|
|
|
2024-04-04 15:04:47 +02:00
|
|
|
"github.com/grafana/grafana/pkg/infra/db"
|
2022-12-13 14:56:10 +01:00
|
|
|
"github.com/grafana/grafana/pkg/infra/kvstore"
|
2021-11-11 15:10:24 +00:00
|
|
|
"github.com/grafana/grafana/pkg/infra/log"
|
2022-03-16 15:54:34 +00:00
|
|
|
"github.com/grafana/grafana/pkg/infra/usagestats"
|
2021-11-11 15:10:24 +00:00
|
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
2022-12-13 14:56:10 +01:00
|
|
|
"github.com/grafana/grafana/pkg/services/apikey"
|
|
|
|
|
"github.com/grafana/grafana/pkg/services/org"
|
2021-11-11 15:10:24 +00:00
|
|
|
"github.com/grafana/grafana/pkg/services/serviceaccounts"
|
2022-12-13 14:56:10 +01:00
|
|
|
"github.com/grafana/grafana/pkg/services/serviceaccounts/database"
|
2022-11-07 10:46:19 +00:00
|
|
|
"github.com/grafana/grafana/pkg/services/serviceaccounts/secretscan"
|
2022-12-13 14:56:10 +01:00
|
|
|
"github.com/grafana/grafana/pkg/services/user"
|
2022-02-07 13:51:54 +00:00
|
|
|
"github.com/grafana/grafana/pkg/setting"
|
2021-11-11 15:10:24 +00:00
|
|
|
)
|
|
|
|
|
|
2022-08-18 16:54:39 +02:00
|
|
|
const (
|
|
|
|
|
metricsCollectionInterval = time.Minute * 30
|
2022-11-07 10:46:19 +00:00
|
|
|
defaultSecretScanInterval = time.Minute * 5
|
2022-08-18 16:54:39 +02:00
|
|
|
)
|
|
|
|
|
|
2021-11-11 15:10:24 +00:00
|
|
|
type ServiceAccountsService struct {
|
2024-03-14 19:11:02 +01:00
|
|
|
acService accesscontrol.Service
|
2022-12-13 14:56:10 +01:00
|
|
|
store store
|
2022-11-07 10:46:19 +00:00
|
|
|
log log.Logger
|
|
|
|
|
backgroundLog log.Logger
|
|
|
|
|
secretScanService secretscan.Checker
|
|
|
|
|
|
|
|
|
|
secretScanEnabled bool
|
|
|
|
|
secretScanInterval time.Duration
|
2021-11-11 15:10:24 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func ProvideServiceAccountsService(
|
2022-02-07 13:51:54 +00:00
|
|
|
cfg *setting.Cfg,
|
2022-03-16 15:54:34 +00:00
|
|
|
usageStats usagestats.Service,
|
2024-04-04 15:04:47 +02:00
|
|
|
store db.DB,
|
2022-12-13 14:56:10 +01:00
|
|
|
apiKeyService apikey.Service,
|
|
|
|
|
kvStore kvstore.KVStore,
|
|
|
|
|
userService user.Service,
|
|
|
|
|
orgService org.Service,
|
2022-08-26 09:59:34 +02:00
|
|
|
accesscontrolService accesscontrol.Service,
|
2021-11-11 15:10:24 +00:00
|
|
|
) (*ServiceAccountsService, error) {
|
2022-12-13 14:56:10 +01:00
|
|
|
serviceAccountsStore := database.ProvideServiceAccountsStore(
|
|
|
|
|
cfg,
|
|
|
|
|
store,
|
|
|
|
|
apiKeyService,
|
|
|
|
|
kvStore,
|
|
|
|
|
userService,
|
|
|
|
|
orgService,
|
|
|
|
|
)
|
2021-11-11 15:10:24 +00:00
|
|
|
s := &ServiceAccountsService{
|
2024-03-14 19:11:02 +01:00
|
|
|
acService: accesscontrolService,
|
2022-08-18 16:54:39 +02:00
|
|
|
store: serviceAccountsStore,
|
2023-05-02 13:57:46 +02:00
|
|
|
log: log.New("serviceaccounts"),
|
2022-08-18 16:54:39 +02:00
|
|
|
backgroundLog: log.New("serviceaccounts.background"),
|
2021-11-11 15:10:24 +00:00
|
|
|
}
|
2022-01-04 15:37:40 +01:00
|
|
|
|
2022-08-26 09:59:34 +02:00
|
|
|
if err := RegisterRoles(accesscontrolService); err != nil {
|
2022-06-27 10:22:49 +02:00
|
|
|
s.log.Error("Failed to register roles", "error", err)
|
2021-11-11 15:10:24 +00:00
|
|
|
}
|
2022-01-04 15:37:40 +01:00
|
|
|
|
2022-08-23 14:24:55 +02:00
|
|
|
usageStats.RegisterMetricsFunc(s.getUsageMetrics)
|
2022-06-27 10:22:49 +02:00
|
|
|
|
2022-11-07 10:46:19 +00:00
|
|
|
s.secretScanEnabled = cfg.SectionWithEnvOverrides("secretscan").Key("enabled").MustBool(false)
|
2022-12-07 13:49:28 +00:00
|
|
|
s.secretScanInterval = cfg.SectionWithEnvOverrides("secretscan").
|
|
|
|
|
Key("interval").MustDuration(defaultSecretScanInterval)
|
2022-11-07 10:46:19 +00:00
|
|
|
if s.secretScanEnabled {
|
2023-01-19 17:33:27 +00:00
|
|
|
var errSecret error
|
|
|
|
|
s.secretScanService, errSecret = secretscan.NewService(s.store, cfg)
|
|
|
|
|
if errSecret != nil {
|
|
|
|
|
s.secretScanEnabled = false
|
2023-09-04 18:49:47 +02:00
|
|
|
s.log.Warn("Failed to initialize secret scan service. secret scan is disabled",
|
2023-01-19 17:33:27 +00:00
|
|
|
"error", errSecret.Error())
|
|
|
|
|
}
|
2022-11-07 10:46:19 +00:00
|
|
|
}
|
|
|
|
|
|
2021-11-11 15:10:24 +00:00
|
|
|
return s, nil
|
|
|
|
|
}
|
|
|
|
|
|
2022-07-07 14:03:16 +00:00
|
|
|
func (sa *ServiceAccountsService) Run(ctx context.Context) error {
|
2023-09-04 18:49:47 +02:00
|
|
|
sa.backgroundLog.Debug("Service initialized")
|
2022-08-18 16:54:39 +02:00
|
|
|
|
2022-08-23 14:24:55 +02:00
|
|
|
if _, err := sa.getUsageMetrics(ctx); err != nil {
|
2022-08-18 16:54:39 +02:00
|
|
|
sa.log.Warn("Failed to get usage metrics", "error", err.Error())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
updateStatsTicker := time.NewTicker(metricsCollectionInterval)
|
|
|
|
|
defer updateStatsTicker.Stop()
|
|
|
|
|
|
2022-11-07 10:46:19 +00:00
|
|
|
// Enforce a minimum interval of 1 minute.
|
2022-12-07 13:49:28 +00:00
|
|
|
if sa.secretScanEnabled && sa.secretScanInterval < time.Minute {
|
2023-09-04 18:49:47 +02:00
|
|
|
sa.backgroundLog.Warn("Secret scan interval is too low, increasing to " +
|
2022-11-07 10:46:19 +00:00
|
|
|
defaultSecretScanInterval.String())
|
|
|
|
|
|
|
|
|
|
sa.secretScanInterval = defaultSecretScanInterval
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tokenCheckTicker := time.NewTicker(sa.secretScanInterval)
|
|
|
|
|
|
|
|
|
|
if !sa.secretScanEnabled {
|
|
|
|
|
tokenCheckTicker.Stop()
|
|
|
|
|
} else {
|
2023-09-04 18:49:47 +02:00
|
|
|
sa.backgroundLog.Debug("Enabled token secret check and executing first check")
|
2022-11-07 10:46:19 +00:00
|
|
|
if err := sa.secretScanService.CheckTokens(ctx); err != nil {
|
|
|
|
|
sa.backgroundLog.Warn("Failed to check for leaked tokens", "error", err.Error())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
defer tokenCheckTicker.Stop()
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-18 16:54:39 +02:00
|
|
|
for {
|
|
|
|
|
select {
|
|
|
|
|
case <-ctx.Done():
|
|
|
|
|
if err := ctx.Err(); err != nil {
|
|
|
|
|
return fmt.Errorf("context error in service account background service: %w", ctx.Err())
|
|
|
|
|
}
|
|
|
|
|
|
2023-09-04 18:49:47 +02:00
|
|
|
sa.backgroundLog.Debug("Stopped service account background service")
|
2022-08-18 16:54:39 +02:00
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
case <-updateStatsTicker.C:
|
2023-09-04 18:49:47 +02:00
|
|
|
sa.backgroundLog.Debug("Updating usage metrics")
|
2022-08-18 16:54:39 +02:00
|
|
|
|
2022-08-23 14:24:55 +02:00
|
|
|
if _, err := sa.getUsageMetrics(ctx); err != nil {
|
2022-08-18 16:54:39 +02:00
|
|
|
sa.backgroundLog.Warn("Failed to get usage metrics", "error", err.Error())
|
|
|
|
|
}
|
2022-11-07 10:46:19 +00:00
|
|
|
case <-tokenCheckTicker.C:
|
2023-09-04 18:49:47 +02:00
|
|
|
sa.backgroundLog.Debug("Checking for leaked tokens")
|
2022-11-07 10:46:19 +00:00
|
|
|
|
|
|
|
|
if err := sa.secretScanService.CheckTokens(ctx); err != nil {
|
|
|
|
|
sa.backgroundLog.Warn("Failed to check for leaked tokens", "error", err.Error())
|
|
|
|
|
}
|
2022-08-18 16:54:39 +02:00
|
|
|
}
|
|
|
|
|
}
|
2022-07-07 14:03:16 +00:00
|
|
|
}
|
|
|
|
|
|
2023-11-03 10:27:43 +01:00
|
|
|
var _ serviceaccounts.Service = (*ServiceAccountsService)(nil)
|
|
|
|
|
|
2022-07-07 17:32:56 +01:00
|
|
|
func (sa *ServiceAccountsService) CreateServiceAccount(ctx context.Context, orgID int64, saForm *serviceaccounts.CreateServiceAccountForm) (*serviceaccounts.ServiceAccountDTO, error) {
|
2022-12-13 14:56:10 +01:00
|
|
|
if err := validOrgID(orgID); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2022-07-07 17:32:56 +01:00
|
|
|
return sa.store.CreateServiceAccount(ctx, orgID, saForm)
|
2021-12-14 14:39:25 +01:00
|
|
|
}
|
|
|
|
|
|
2022-12-13 14:56:10 +01:00
|
|
|
func (sa *ServiceAccountsService) RetrieveServiceAccount(ctx context.Context, orgID int64, serviceAccountID int64) (*serviceaccounts.ServiceAccountProfileDTO, error) {
|
|
|
|
|
if err := validOrgID(orgID); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
if err := validServiceAccountID(serviceAccountID); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return sa.store.RetrieveServiceAccount(ctx, orgID, serviceAccountID)
|
2021-11-11 15:10:24 +00:00
|
|
|
}
|
2022-04-12 19:34:04 +02:00
|
|
|
|
|
|
|
|
func (sa *ServiceAccountsService) RetrieveServiceAccountIdByName(ctx context.Context, orgID int64, name string) (int64, error) {
|
2022-12-13 14:56:10 +01:00
|
|
|
if err := validOrgID(orgID); err != nil {
|
|
|
|
|
return 0, err
|
|
|
|
|
}
|
|
|
|
|
if name == "" {
|
|
|
|
|
return 0, errors.New("name is required")
|
|
|
|
|
}
|
2022-04-12 19:34:04 +02:00
|
|
|
return sa.store.RetrieveServiceAccountIdByName(ctx, orgID, name)
|
|
|
|
|
}
|
2022-12-13 14:56:10 +01:00
|
|
|
|
|
|
|
|
func (sa *ServiceAccountsService) DeleteServiceAccount(ctx context.Context, orgID, serviceAccountID int64) error {
|
|
|
|
|
if err := validOrgID(orgID); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if err := validServiceAccountID(serviceAccountID); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2024-03-14 19:11:02 +01:00
|
|
|
if err := sa.store.DeleteServiceAccount(ctx, orgID, serviceAccountID); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
return sa.acService.DeleteUserPermissions(ctx, orgID, serviceAccountID)
|
2023-10-27 13:46:25 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (sa *ServiceAccountsService) EnableServiceAccount(ctx context.Context, orgID, serviceAccountID int64, enable bool) error {
|
|
|
|
|
if err := validOrgID(orgID); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if err := validServiceAccountID(serviceAccountID); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
return sa.store.EnableServiceAccount(ctx, orgID, serviceAccountID, enable)
|
2022-12-13 14:56:10 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (sa *ServiceAccountsService) UpdateServiceAccount(ctx context.Context, orgID int64, serviceAccountID int64, saForm *serviceaccounts.UpdateServiceAccountForm) (*serviceaccounts.ServiceAccountProfileDTO, error) {
|
|
|
|
|
if err := validOrgID(orgID); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
if err := validServiceAccountID(serviceAccountID); err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return sa.store.UpdateServiceAccount(ctx, orgID, serviceAccountID, saForm)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (sa *ServiceAccountsService) SearchOrgServiceAccounts(ctx context.Context, query *serviceaccounts.SearchOrgServiceAccountsQuery) (*serviceaccounts.SearchOrgServiceAccountsResult, error) {
|
|
|
|
|
if query.Page <= 0 || query.Limit <= 0 {
|
|
|
|
|
query.SetDefaults()
|
|
|
|
|
// optional: logging
|
|
|
|
|
}
|
|
|
|
|
return sa.store.SearchOrgServiceAccounts(ctx, query)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (sa *ServiceAccountsService) ListTokens(ctx context.Context, query *serviceaccounts.GetSATokensQuery) ([]apikey.APIKey, error) {
|
|
|
|
|
return sa.store.ListTokens(ctx, query)
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-31 09:51:55 +01:00
|
|
|
func (sa *ServiceAccountsService) AddServiceAccountToken(ctx context.Context, serviceAccountID int64, query *serviceaccounts.AddServiceAccountTokenCommand) (*apikey.APIKey, error) {
|
2022-12-13 14:56:10 +01:00
|
|
|
if err := validServiceAccountID(serviceAccountID); err != nil {
|
2023-01-31 09:51:55 +01:00
|
|
|
return nil, err
|
2022-12-13 14:56:10 +01:00
|
|
|
}
|
|
|
|
|
return sa.store.AddServiceAccountToken(ctx, serviceAccountID, query)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (sa *ServiceAccountsService) DeleteServiceAccountToken(ctx context.Context, orgID, serviceAccountID int64, tokenID int64) error {
|
|
|
|
|
if err := validOrgID(orgID); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if err := validServiceAccountID(serviceAccountID); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if err := validServiceAccountTokenID(tokenID); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
return sa.store.DeleteServiceAccountToken(ctx, orgID, serviceAccountID, tokenID)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (sa *ServiceAccountsService) MigrateApiKey(ctx context.Context, orgID, keyID int64) error {
|
|
|
|
|
if err := validOrgID(orgID); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if err := validAPIKeyID(keyID); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
return sa.store.MigrateApiKey(ctx, orgID, keyID)
|
|
|
|
|
}
|
2023-06-08 10:09:30 +02:00
|
|
|
func (sa *ServiceAccountsService) MigrateApiKeysToServiceAccounts(ctx context.Context, orgID int64) (*serviceaccounts.MigrationResult, error) {
|
2022-12-13 14:56:10 +01:00
|
|
|
if err := validOrgID(orgID); err != nil {
|
2023-06-08 10:09:30 +02:00
|
|
|
return nil, err
|
2022-12-13 14:56:10 +01:00
|
|
|
}
|
|
|
|
|
return sa.store.MigrateApiKeysToServiceAccounts(ctx, orgID)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func validOrgID(orgID int64) error {
|
|
|
|
|
if orgID == 0 {
|
2023-03-08 11:32:09 +00:00
|
|
|
return serviceaccounts.ErrServiceAccountInvalidOrgID.Errorf("invalid org ID 0 has been specified")
|
2022-12-13 14:56:10 +01:00
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
func validServiceAccountID(serviceaccountID int64) error {
|
|
|
|
|
if serviceaccountID == 0 {
|
2023-03-08 11:32:09 +00:00
|
|
|
return serviceaccounts.ErrServiceAccountInvalidID.Errorf("invalid service account ID 0 has been specified")
|
2022-12-13 14:56:10 +01:00
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
func validServiceAccountTokenID(tokenID int64) error {
|
|
|
|
|
if tokenID == 0 {
|
2023-03-08 11:32:09 +00:00
|
|
|
return serviceaccounts.ErrServiceAccountInvalidTokenID.Errorf("invalid service account token ID 0 has been specified")
|
2022-12-13 14:56:10 +01:00
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
func validAPIKeyID(apiKeyID int64) error {
|
|
|
|
|
if apiKeyID == 0 {
|
2023-03-08 11:32:09 +00:00
|
|
|
return serviceaccounts.ErrServiceAccountInvalidAPIKeyID.Errorf("invalid API key ID 0 has been specified")
|
2022-12-13 14:56:10 +01:00
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
