grafana/pkg/services/serviceaccounts/api/token.go

package api

import (
	"errors"
	"net/http"
	"strconv"
	"time"

	"github.com/grafana/grafana/pkg/api/dtos"
	"github.com/grafana/grafana/pkg/api/response"
	"github.com/grafana/grafana/pkg/components/apikeygen"
	"github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/services/serviceaccounts"
	"github.com/grafana/grafana/pkg/web"
)

const failedToDeleteMsg = "Failed to delete API key"

func (api *ServiceAccountsAPI) ListTokens(ctx *models.ReqContext) response.Response {
	saID, err := strconv.ParseInt(web.Params(ctx.Req)[":serviceAccountId"], 10, 64)
	if err != nil {
		return response.Error(http.StatusBadRequest, "serviceAccountId is invalid", err)
	}

	if saTokens, err := api.store.ListTokens(ctx.Req.Context(), ctx.OrgId, saID); err == nil {
		result := make([]*models.ApiKeyDTO, len(saTokens))
		for i, t := range saTokens {
			var expiration *time.Time = nil
			if t.Expires != nil {
				v := time.Unix(*t.Expires, 0)
				expiration = &v
			}
			result[i] = &models.ApiKeyDTO{
				Id:         t.Id,
				Name:       t.Name,
				Role:       t.Role,
				Expiration: expiration,
			}
		}

		return response.JSON(200, result)
	} else {
		return response.Error(500, "Internal server error", err)
	}
}

// CreateNewToken adds an API key to a service account
func (api *ServiceAccountsAPI) CreateToken(c *models.ReqContext) response.Response {
	saID, err := strconv.ParseInt(web.Params(c.Req)[":serviceAccountId"], 10, 64)
	if err != nil {
		return response.Error(http.StatusBadRequest, "serviceAccountId is invalid", err)
	}

	// confirm service account exists
	if _, err := api.store.RetrieveServiceAccount(c.Req.Context(), c.OrgId, saID); err != nil {
		switch {
		case errors.Is(err, serviceaccounts.ErrServiceAccountNotFound):
			return response.Error(http.StatusNotFound, "Failed to retrieve service account", err)
		default:
			return response.Error(http.StatusInternalServerError, "Failed to retrieve service account", err)
		}
	}

	cmd := models.AddApiKeyCommand{}
	if err := web.Bind(c.Req, &cmd); err != nil {
		return response.Error(http.StatusBadRequest, "bad request data", err)
	}

	// Force affected service account to be the one referenced in the URL
	cmd.ServiceAccountId = &saID
	cmd.OrgId = c.OrgId

	if !cmd.Role.IsValid() {
		return response.Error(400, "Invalid role specified", nil)
	}

	if api.cfg.ApiKeyMaxSecondsToLive != -1 {
		if cmd.SecondsToLive == 0 {
			return response.Error(400, "Number of seconds before expiration should be set", nil)
		}
		if cmd.SecondsToLive > api.cfg.ApiKeyMaxSecondsToLive {
			return response.Error(400, "Number of seconds before expiration is greater than the global limit", nil)
		}
	}

	newKeyInfo, err := apikeygen.New(cmd.OrgId, cmd.Name)
	if err != nil {
		return response.Error(500, "Generating API key failed", err)
	}

	cmd.Key = newKeyInfo.HashedKey

	if err := api.apiKeyStore.AddAPIKey(c.Req.Context(), &cmd); err != nil {
		if errors.Is(err, models.ErrInvalidApiKeyExpiration) {
			return response.Error(400, err.Error(), nil)
		}
		if errors.Is(err, models.ErrDuplicateApiKey) {
			return response.Error(409, err.Error(), nil)
		}
		return response.Error(500, "Failed to add API Key", err)
	}

	result := &dtos.NewApiKeyResult{
		ID:   cmd.Result.Id,
		Name: cmd.Result.Name,
		Key:  newKeyInfo.ClientSecret,
	}

	return response.JSON(200, result)
}

// DeleteToken deletes service account tokens
func (api *ServiceAccountsAPI) DeleteToken(c *models.ReqContext) response.Response {
	saID, err := strconv.ParseInt(web.Params(c.Req)[":serviceAccountId"], 10, 64)
	if err != nil {
		return response.Error(http.StatusBadRequest, "serviceAccountId is invalid", err)
	}

	// confirm service account exists
	if _, err := api.store.RetrieveServiceAccount(c.Req.Context(), c.OrgId, saID); err != nil {
		switch {
		case errors.Is(err, serviceaccounts.ErrServiceAccountNotFound):
			return response.Error(http.StatusNotFound, "Failed to retrieve service account", err)
		default:
			return response.Error(http.StatusInternalServerError, "Failed to retrieve service account", err)
		}
	}

	tokenID, err := strconv.ParseInt(web.Params(c.Req)[":tokenId"], 10, 64)
	if err != nil {
		return response.Error(http.StatusBadRequest, "serviceAccountId is invalid", err)
	}

	// confirm API key belongs to service account. TODO: refactor get & delete to single call
	cmdGet := &models.GetApiKeyByIdQuery{ApiKeyId: tokenID}
	if err = api.apiKeyStore.GetApiKeyById(c.Req.Context(), cmdGet); err != nil {
		status := 404
		if err != nil && !errors.Is(err, models.ErrApiKeyNotFound) {
			status = 500
		} else {
			err = models.ErrApiKeyNotFound
		}

		return response.Error(status, failedToDeleteMsg, err)
	}

	// verify service account ID matches the URL
	if *cmdGet.Result.ServiceAccountId != saID {
		return response.Error(404, failedToDeleteMsg, err)
	}

	cmdDel := &models.DeleteApiKeyCommand{Id: tokenID, OrgId: c.OrgId}
	if err = api.apiKeyStore.DeleteApiKey(c.Req.Context(), cmdDel); err != nil {
		status := 404
		if err != nil && !errors.Is(err, models.ErrApiKeyNotFound) {
			status = 500
		} else {
			err = models.ErrApiKeyNotFound
		}

		return response.Error(status, failedToDeleteMsg, err)
	}

	return response.Success("API key deleted")
}
Add/Delete API keys to Service accounts (#44871) * ServiceAccounts: move token handlers to specific file * ServiceAccounts: move Add API key to Service account * APIKeys: api keys can still be used even when service accounts are enabled * APIKeys: legacy endpoint can't be used to add SA tokens * ServiceAccount: add tests for creation with nil and non-nil service account ids * ServiceAccounts: fix unnasigned cfg and AC typo * Test: test service account token adding * fix linting error * ServiceAccounts: Handle Token deletion * rename token funcs * rename token funcs and api wrapping * add token deletion tests * review Co-authored-by: eleijonmarck <eric.leijonmarck@gmail.com> * remove bus * Update pkg/api/apikey.go Co-authored-by: eleijonmarck <eric.leijonmarck@gmail.com> 2022-02-07 07:51:54 -06:00			`package api`

			`import (`
			`"errors"`
			`"net/http"`
			`"strconv"`
			`"time"`

			`"github.com/grafana/grafana/pkg/api/dtos"`
			`"github.com/grafana/grafana/pkg/api/response"`
			`"github.com/grafana/grafana/pkg/components/apikeygen"`
			`"github.com/grafana/grafana/pkg/models"`
			`"github.com/grafana/grafana/pkg/services/serviceaccounts"`
			`"github.com/grafana/grafana/pkg/web"`
			`)`

			`const failedToDeleteMsg = "Failed to delete API key"`

			`func (api ServiceAccountsAPI) ListTokens(ctx models.ReqContext) response.Response {`
			`saID, err := strconv.ParseInt(web.Params(ctx.Req)[":serviceAccountId"], 10, 64)`
			`if err != nil {`
			`return response.Error(http.StatusBadRequest, "serviceAccountId is invalid", err)`
			`}`

			`if saTokens, err := api.store.ListTokens(ctx.Req.Context(), ctx.OrgId, saID); err == nil {`
			`result := make([]*models.ApiKeyDTO, len(saTokens))`
			`for i, t := range saTokens {`
			`var expiration *time.Time = nil`
			`if t.Expires != nil {`
			`v := time.Unix(*t.Expires, 0)`
			`expiration = &v`
			`}`
			`result[i] = &models.ApiKeyDTO{`
			`Id: t.Id,`
			`Name: t.Name,`
			`Role: t.Role,`
			`Expiration: expiration,`
			`}`
			`}`

			`return response.JSON(200, result)`
			`} else {`
			`return response.Error(500, "Internal server error", err)`
			`}`
			`}`

			`// CreateNewToken adds an API key to a service account`
			`func (api ServiceAccountsAPI) CreateToken(c models.ReqContext) response.Response {`
			`saID, err := strconv.ParseInt(web.Params(c.Req)[":serviceAccountId"], 10, 64)`
			`if err != nil {`
			`return response.Error(http.StatusBadRequest, "serviceAccountId is invalid", err)`
			`}`

			`// confirm service account exists`
			`if _, err := api.store.RetrieveServiceAccount(c.Req.Context(), c.OrgId, saID); err != nil {`
			`switch {`
			`case errors.Is(err, serviceaccounts.ErrServiceAccountNotFound):`
			`return response.Error(http.StatusNotFound, "Failed to retrieve service account", err)`
			`default:`
			`return response.Error(http.StatusInternalServerError, "Failed to retrieve service account", err)`
			`}`
			`}`

			`cmd := models.AddApiKeyCommand{}`
			`if err := web.Bind(c.Req, &cmd); err != nil {`
			`return response.Error(http.StatusBadRequest, "bad request data", err)`
			`}`

			`// Force affected service account to be the one referenced in the URL`
			`cmd.ServiceAccountId = &saID`
			`cmd.OrgId = c.OrgId`

			`if !cmd.Role.IsValid() {`
			`return response.Error(400, "Invalid role specified", nil)`
			`}`

			`if api.cfg.ApiKeyMaxSecondsToLive != -1 {`
			`if cmd.SecondsToLive == 0 {`
			`return response.Error(400, "Number of seconds before expiration should be set", nil)`
			`}`
			`if cmd.SecondsToLive > api.cfg.ApiKeyMaxSecondsToLive {`
			`return response.Error(400, "Number of seconds before expiration is greater than the global limit", nil)`
			`}`
			`}`

			`newKeyInfo, err := apikeygen.New(cmd.OrgId, cmd.Name)`
			`if err != nil {`
			`return response.Error(500, "Generating API key failed", err)`
			`}`

			`cmd.Key = newKeyInfo.HashedKey`

			`if err := api.apiKeyStore.AddAPIKey(c.Req.Context(), &cmd); err != nil {`
			`if errors.Is(err, models.ErrInvalidApiKeyExpiration) {`
			`return response.Error(400, err.Error(), nil)`
			`}`
			`if errors.Is(err, models.ErrDuplicateApiKey) {`
			`return response.Error(409, err.Error(), nil)`
			`}`
			`return response.Error(500, "Failed to add API Key", err)`
			`}`

			`result := &dtos.NewApiKeyResult{`
			`ID: cmd.Result.Id,`
			`Name: cmd.Result.Name,`
			`Key: newKeyInfo.ClientSecret,`
			`}`

			`return response.JSON(200, result)`
			`}`

			`// DeleteToken deletes service account tokens`
			`func (api ServiceAccountsAPI) DeleteToken(c models.ReqContext) response.Response {`
			`saID, err := strconv.ParseInt(web.Params(c.Req)[":serviceAccountId"], 10, 64)`
			`if err != nil {`
			`return response.Error(http.StatusBadRequest, "serviceAccountId is invalid", err)`
			`}`

			`// confirm service account exists`
			`if _, err := api.store.RetrieveServiceAccount(c.Req.Context(), c.OrgId, saID); err != nil {`
			`switch {`
			`case errors.Is(err, serviceaccounts.ErrServiceAccountNotFound):`
			`return response.Error(http.StatusNotFound, "Failed to retrieve service account", err)`
			`default:`
			`return response.Error(http.StatusInternalServerError, "Failed to retrieve service account", err)`
			`}`
			`}`

			`tokenID, err := strconv.ParseInt(web.Params(c.Req)[":tokenId"], 10, 64)`
			`if err != nil {`
			`return response.Error(http.StatusBadRequest, "serviceAccountId is invalid", err)`
			`}`

			`// confirm API key belongs to service account. TODO: refactor get & delete to single call`
			`cmdGet := &models.GetApiKeyByIdQuery{ApiKeyId: tokenID}`
			`if err = api.apiKeyStore.GetApiKeyById(c.Req.Context(), cmdGet); err != nil {`
			`status := 404`
			`if err != nil && !errors.Is(err, models.ErrApiKeyNotFound) {`
			`status = 500`
			`} else {`
			`err = models.ErrApiKeyNotFound`
			`}`

			`return response.Error(status, failedToDeleteMsg, err)`
			`}`

			`// verify service account ID matches the URL`
			`if *cmdGet.Result.ServiceAccountId != saID {`
			`return response.Error(404, failedToDeleteMsg, err)`
			`}`

			`cmdDel := &models.DeleteApiKeyCommand{Id: tokenID, OrgId: c.OrgId}`
			`if err = api.apiKeyStore.DeleteApiKey(c.Req.Context(), cmdDel); err != nil {`
			`status := 404`
			`if err != nil && !errors.Is(err, models.ErrApiKeyNotFound) {`
			`status = 500`
			`} else {`
			`err = models.ErrApiKeyNotFound`
			`}`

			`return response.Error(status, failedToDeleteMsg, err)`
			`}`

			`return response.Success("API key deleted")`
			`}`