grafana/pkg/services/authn/clients/grafana_test.go

package clients

import (
	"context"
	"net/http"
	"testing"

	"github.com/stretchr/testify/assert"

	"github.com/grafana/grafana/pkg/services/authn"
	"github.com/grafana/grafana/pkg/services/login"
	"github.com/grafana/grafana/pkg/services/org"
	"github.com/grafana/grafana/pkg/services/user"
	"github.com/grafana/grafana/pkg/services/user/usertest"
	"github.com/grafana/grafana/pkg/setting"
	"github.com/grafana/grafana/pkg/util"
)

func TestGrafana_AuthenticateProxy(t *testing.T) {
	type testCase struct {
		desc             string
		req              *authn.Request
		username         string
		proxyProperty    string
		additional       map[string]string
		expectedErr      error
		expectedIdentity *authn.Identity
	}

	tests := []testCase{
		{
			desc:          "expect valid identity",
			username:      "test",
			req:           &authn.Request{HTTPRequest: &http.Request{}},
			proxyProperty: "username",
			additional: map[string]string{
				proxyFieldName:   "name",
				proxyFieldRole:   "Viewer",
				proxyFieldGroups: "grp1,grp2",
				proxyFieldEmail:  "email@email.com",
			},
			expectedIdentity: &authn.Identity{
				OrgRoles:   map[int64]org.RoleType{1: org.RoleViewer},
				Login:      "test",
				Name:       "name",
				Email:      "email@email.com",
				AuthModule: "authproxy",
				AuthID:     "test",
				Groups:     []string{"grp1", "grp2"},
				ClientParams: authn.ClientParams{
					SyncUser:        true,
					SyncTeams:       true,
					AllowSignUp:     true,
					FetchSyncedUser: true,
					SyncOrgRoles:    true,
					LookUpParams: login.UserLookupParams{
						Email: strPtr("email@email.com"),
						Login: strPtr("test"),
					},
				},
			},
		},
		{
			desc:       "should set email as both email and login when configured proxy auth header property is email",
			username:   "test@test.com",
			req:        &authn.Request{HTTPRequest: &http.Request{Header: map[string][]string{}}},
			additional: map[string]string{},
			expectedIdentity: &authn.Identity{
				Login:      "test@test.com",
				Email:      "test@test.com",
				AuthModule: "authproxy",
				AuthID:     "test@test.com",
				ClientParams: authn.ClientParams{
					SyncUser:     true,
					SyncTeams:    true,
					AllowSignUp:  true,
					SyncOrgRoles: true,
					LookUpParams: login.UserLookupParams{
						Email: strPtr("test@test.com"),
						Login: strPtr("test@test.com"),
					},
				},
			},
			proxyProperty: "email",
		},
		{
			desc:          "should return error on invalid auth proxy header property",
			req:           &authn.Request{HTTPRequest: &http.Request{Header: map[string][]string{}}},
			proxyProperty: "other",
			expectedErr:   errInvalidProxyHeader,
		},
	}

	for _, tt := range tests {
		t.Run(tt.desc, func(t *testing.T) {
			cfg := setting.NewCfg()
			cfg.AuthProxyAutoSignUp = true
			cfg.AuthProxyHeaderProperty = tt.proxyProperty
			c := ProvideGrafana(cfg, usertest.NewUserServiceFake())

			identity, err := c.AuthenticateProxy(context.Background(), tt.req, tt.username, tt.additional)
			assert.ErrorIs(t, err, tt.expectedErr)
			if tt.expectedIdentity != nil {
				assert.Equal(t, tt.expectedIdentity.OrgID, identity.OrgID)
				assert.Equal(t, tt.expectedIdentity.Login, identity.Login)
				assert.Equal(t, tt.expectedIdentity.Name, identity.Name)
				assert.Equal(t, tt.expectedIdentity.Email, identity.Email)
				assert.Equal(t, tt.expectedIdentity.AuthID, identity.AuthID)
				assert.Equal(t, tt.expectedIdentity.AuthModule, identity.AuthModule)
				assert.Equal(t, tt.expectedIdentity.Groups, identity.Groups)

				assert.Equal(t, tt.expectedIdentity.ClientParams.SyncUser, identity.ClientParams.SyncUser)
				assert.Equal(t, tt.expectedIdentity.ClientParams.AllowSignUp, identity.ClientParams.AllowSignUp)
				assert.Equal(t, tt.expectedIdentity.ClientParams.SyncTeams, identity.ClientParams.SyncTeams)
				assert.Equal(t, tt.expectedIdentity.ClientParams.EnableDisabledUsers, identity.ClientParams.EnableDisabledUsers)

				assert.EqualValues(t, tt.expectedIdentity.ClientParams.LookUpParams.Email, identity.ClientParams.LookUpParams.Email)
				assert.EqualValues(t, tt.expectedIdentity.ClientParams.LookUpParams.Login, identity.ClientParams.LookUpParams.Login)
				assert.EqualValues(t, tt.expectedIdentity.ClientParams.LookUpParams.UserID, identity.ClientParams.LookUpParams.UserID)
			} else {
				assert.Nil(t, tt.expectedIdentity)
			}
		})
	}
}

func TestGrafana_AuthenticatePassword(t *testing.T) {
	type testCase struct {
		desc                 string
		username             string
		password             string
		findUser             bool
		expectedErr          error
		expectedIdentity     *authn.Identity
		expectedSignedInUser *user.SignedInUser
	}

	tests := []testCase{
		{
			desc:                 "should successfully authenticate user with correct password",
			username:             "user",
			password:             "password",
			findUser:             true,
			expectedSignedInUser: &user.SignedInUser{UserID: 1, OrgID: 1, OrgRole: "Viewer"},
			expectedIdentity:     &authn.Identity{ID: "user:1", OrgID: 1, OrgRoles: map[int64]org.RoleType{1: "Viewer"}, IsGrafanaAdmin: boolPtr(false)},
		},
		{
			desc:        "should fail for incorrect password",
			username:    "user",
			password:    "wrong",
			findUser:    true,
			expectedErr: errInvalidPassword,
		},
		{
			desc:        "should fail if user is not found",
			username:    "user",
			password:    "password",
			expectedErr: errIdentityNotFound,
		},
	}

	for _, tt := range tests {
		t.Run(tt.desc, func(t *testing.T) {
			hashed, _ := util.EncodePassword("password", "salt")
			userService := &usertest.FakeUserService{
				ExpectedSignedInUser: tt.expectedSignedInUser,
				ExpectedUser:         &user.User{Password: hashed, Salt: "salt"},
			}

			if !tt.findUser {
				userService.ExpectedUser = nil
				userService.ExpectedError = user.ErrUserNotFound
			}

			c := ProvideGrafana(setting.NewCfg(), userService)
			identity, err := c.AuthenticatePassword(context.Background(), &authn.Request{OrgID: 1}, tt.username, tt.password)
			assert.ErrorIs(t, err, tt.expectedErr)
			assert.EqualValues(t, tt.expectedIdentity, identity)
		})
	}
}
AuthN: Refactor basic auth client to support multiple password auth (#61153) * AuthN: add interface for password clients * AuthN: Extract grafana password client * AuthN: Rewrite basic client tests * AuthN: Add Ldap client and rename method of PasswordClient * AuthN: Configure multiple password clients * AuthN: create ldap service and add tests 2023-01-09 09:40:29 -06:00			`package clients`

			`import (`
			`"context"`
AuthN: Add auth proxy client (#61555) * AuthN: set up boilerplate for proxy client * AuthN: Implement Test for proxy client * AuthN: parse accept list in constructor * AuthN: add proxy client interface * AuthN: handle error * AuthN: Implement the proxy client interface for ldap * AuthN: change reciever name * AuthN: add grafana as a proxy client * AuthN: for error returned * AuthN: add tests for grafana proxy auth * AuthN: swap order of grafan and ldap auth * AuthN: Parse additional proxy headers in proxy client and pass down 2023-01-17 03:07:46 -06:00			`"net/http"`
AuthN: Refactor basic auth client to support multiple password auth (#61153) * AuthN: add interface for password clients * AuthN: Extract grafana password client * AuthN: Rewrite basic client tests * AuthN: Add Ldap client and rename method of PasswordClient * AuthN: Configure multiple password clients * AuthN: create ldap service and add tests 2023-01-09 09:40:29 -06:00			`"testing"`

chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service 2023-01-27 12:36:54 -06:00			`"github.com/stretchr/testify/assert"`

AuthN: Refactor basic auth client to support multiple password auth (#61153) * AuthN: add interface for password clients * AuthN: Extract grafana password client * AuthN: Rewrite basic client tests * AuthN: Add Ldap client and rename method of PasswordClient * AuthN: Configure multiple password clients * AuthN: create ldap service and add tests 2023-01-09 09:40:29 -06:00			`"github.com/grafana/grafana/pkg/services/authn"`
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service 2023-01-27 12:36:54 -06:00			`"github.com/grafana/grafana/pkg/services/login"`
AuthN: Refactor basic auth client to support multiple password auth (#61153) * AuthN: add interface for password clients * AuthN: Extract grafana password client * AuthN: Rewrite basic client tests * AuthN: Add Ldap client and rename method of PasswordClient * AuthN: Configure multiple password clients * AuthN: create ldap service and add tests 2023-01-09 09:40:29 -06:00			`"github.com/grafana/grafana/pkg/services/org"`
			`"github.com/grafana/grafana/pkg/services/user"`
			`"github.com/grafana/grafana/pkg/services/user/usertest"`
AuthN: Add auth proxy client (#61555) * AuthN: set up boilerplate for proxy client * AuthN: Implement Test for proxy client * AuthN: parse accept list in constructor * AuthN: add proxy client interface * AuthN: handle error * AuthN: Implement the proxy client interface for ldap * AuthN: change reciever name * AuthN: add grafana as a proxy client * AuthN: for error returned * AuthN: add tests for grafana proxy auth * AuthN: swap order of grafan and ldap auth * AuthN: Parse additional proxy headers in proxy client and pass down 2023-01-17 03:07:46 -06:00			`"github.com/grafana/grafana/pkg/setting"`
AuthN: Refactor basic auth client to support multiple password auth (#61153) * AuthN: add interface for password clients * AuthN: Extract grafana password client * AuthN: Rewrite basic client tests * AuthN: Add Ldap client and rename method of PasswordClient * AuthN: Configure multiple password clients * AuthN: create ldap service and add tests 2023-01-09 09:40:29 -06:00			`"github.com/grafana/grafana/pkg/util"`
			`)`

AuthN: Add auth proxy client (#61555) * AuthN: set up boilerplate for proxy client * AuthN: Implement Test for proxy client * AuthN: parse accept list in constructor * AuthN: add proxy client interface * AuthN: handle error * AuthN: Implement the proxy client interface for ldap * AuthN: change reciever name * AuthN: add grafana as a proxy client * AuthN: for error returned * AuthN: add tests for grafana proxy auth * AuthN: swap order of grafan and ldap auth * AuthN: Parse additional proxy headers in proxy client and pass down 2023-01-17 03:07:46 -06:00			`func TestGrafana_AuthenticateProxy(t *testing.T) {`
			`type testCase struct {`
			`desc string`
			`req *authn.Request`
			`username string`
			`proxyProperty string`
			`additional map[string]string`
			`expectedErr error`
			`expectedIdentity *authn.Identity`
			`}`

			`tests := []testCase{`
			`{`
			`desc: "expect valid identity",`
			`username: "test",`
			`req: &authn.Request{HTTPRequest: &http.Request{}},`
			`proxyProperty: "username",`
			`additional: map[string]string{`
			`proxyFieldName: "name",`
			`proxyFieldRole: "Viewer",`
			`proxyFieldGroups: "grp1,grp2",`
			`proxyFieldEmail: "email@email.com",`
			`},`
			`expectedIdentity: &authn.Identity{`
			`OrgRoles: map[int64]org.RoleType{1: org.RoleViewer},`
			`Login: "test",`
			`Name: "name",`
			`Email: "email@email.com",`
			`AuthModule: "authproxy",`
			`AuthID: "test",`
			`Groups: []string{"grp1", "grp2"},`
			`ClientParams: authn.ClientParams{`
			`SyncUser: true,`
AuthN: Cleanup authn package (#63456) * AuthN: Update comments for ClientParams * AuthN: Update flag name from SyncTeamMembers to SyncTeams * UserSync: rename function and fix order of parameters so it is correct * UserSync: Fix so we skip check if no authModule or authID is passed * UserSync: move quota check to create user function * UserSync: Move FetchSyncedUserHook to UserSync * UserSync: Move last seen user hook to user sync service * ApiKey: Implement last seen hook as a client hook instead 2023-02-21 04:21:34 -06:00			`SyncTeams: true,`
AuthN: Add auth proxy client (#61555) * AuthN: set up boilerplate for proxy client * AuthN: Implement Test for proxy client * AuthN: parse accept list in constructor * AuthN: add proxy client interface * AuthN: handle error * AuthN: Implement the proxy client interface for ldap * AuthN: change reciever name * AuthN: add grafana as a proxy client * AuthN: for error returned * AuthN: add tests for grafana proxy auth * AuthN: swap order of grafan and ldap auth * AuthN: Parse additional proxy headers in proxy client and pass down 2023-01-17 03:07:46 -06:00			`AllowSignUp: true,`
AuthN: fetch final state of signed in user (#62854) * AuthN: add a hook we can use to fetch final state of user 2023-02-03 07:14:38 -06:00			`FetchSyncedUser: true,`
AuthN: add flag for org roles sync (#63507) * AuthN: Add flag to control org role syncs * JWT: Only sync org roles if the skip flag for jwt is false * LDAP: Only sync org role if skip flag for ldap is false * OAuth: Skip org roles sync if no roles were provided by upstream service * Grafana: Set SyncOrgRoles to true for authentication through proxy with grafana as backend 2023-02-22 03:27:48 -06:00			`SyncOrgRoles: true,`
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service 2023-01-27 12:36:54 -06:00			`LookUpParams: login.UserLookupParams{`
AuthN: Add auth proxy client (#61555) * AuthN: set up boilerplate for proxy client * AuthN: Implement Test for proxy client * AuthN: parse accept list in constructor * AuthN: add proxy client interface * AuthN: handle error * AuthN: Implement the proxy client interface for ldap * AuthN: change reciever name * AuthN: add grafana as a proxy client * AuthN: for error returned * AuthN: add tests for grafana proxy auth * AuthN: swap order of grafan and ldap auth * AuthN: Parse additional proxy headers in proxy client and pass down 2023-01-17 03:07:46 -06:00			`Email: strPtr("email@email.com"),`
			`Login: strPtr("test"),`
			`},`
			`},`
			`},`
			`},`
			`{`
			`desc: "should set email as both email and login when configured proxy auth header property is email",`
			`username: "test@test.com",`
			`req: &authn.Request{HTTPRequest: &http.Request{Header: map[string][]string{}}},`
			`additional: map[string]string{},`
			`expectedIdentity: &authn.Identity{`
			`Login: "test@test.com",`
			`Email: "test@test.com",`
			`AuthModule: "authproxy",`
			`AuthID: "test@test.com",`
			`ClientParams: authn.ClientParams{`
AuthN: add flag for org roles sync (#63507) * AuthN: Add flag to control org role syncs * JWT: Only sync org roles if the skip flag for jwt is false * LDAP: Only sync org role if skip flag for ldap is false * OAuth: Skip org roles sync if no roles were provided by upstream service * Grafana: Set SyncOrgRoles to true for authentication through proxy with grafana as backend 2023-02-22 03:27:48 -06:00			`SyncUser: true,`
			`SyncTeams: true,`
			`AllowSignUp: true,`
			`SyncOrgRoles: true,`
chore: move user_auth models to (mostly) login service (#62269) * chore: move user_auth models to (mostly) login service 2023-01-27 12:36:54 -06:00			`LookUpParams: login.UserLookupParams{`
AuthN: Add auth proxy client (#61555) * AuthN: set up boilerplate for proxy client * AuthN: Implement Test for proxy client * AuthN: parse accept list in constructor * AuthN: add proxy client interface * AuthN: handle error * AuthN: Implement the proxy client interface for ldap * AuthN: change reciever name * AuthN: add grafana as a proxy client * AuthN: for error returned * AuthN: add tests for grafana proxy auth * AuthN: swap order of grafan and ldap auth * AuthN: Parse additional proxy headers in proxy client and pass down 2023-01-17 03:07:46 -06:00			`Email: strPtr("test@test.com"),`
			`Login: strPtr("test@test.com"),`
			`},`
			`},`
			`},`
			`proxyProperty: "email",`
			`},`
			`{`
			`desc: "should return error on invalid auth proxy header property",`
			`req: &authn.Request{HTTPRequest: &http.Request{Header: map[string][]string{}}},`
			`proxyProperty: "other",`
			`expectedErr: errInvalidProxyHeader,`
			`},`
			`}`

			`for _, tt := range tests {`
			`t.Run(tt.desc, func(t *testing.T) {`
			`cfg := setting.NewCfg()`
			`cfg.AuthProxyAutoSignUp = true`
			`cfg.AuthProxyHeaderProperty = tt.proxyProperty`
			`c := ProvideGrafana(cfg, usertest.NewUserServiceFake())`

			`identity, err := c.AuthenticateProxy(context.Background(), tt.req, tt.username, tt.additional)`
			`assert.ErrorIs(t, err, tt.expectedErr)`
			`if tt.expectedIdentity != nil {`
			`assert.Equal(t, tt.expectedIdentity.OrgID, identity.OrgID)`
			`assert.Equal(t, tt.expectedIdentity.Login, identity.Login)`
			`assert.Equal(t, tt.expectedIdentity.Name, identity.Name)`
			`assert.Equal(t, tt.expectedIdentity.Email, identity.Email)`
			`assert.Equal(t, tt.expectedIdentity.AuthID, identity.AuthID)`
			`assert.Equal(t, tt.expectedIdentity.AuthModule, identity.AuthModule)`
			`assert.Equal(t, tt.expectedIdentity.Groups, identity.Groups)`

			`assert.Equal(t, tt.expectedIdentity.ClientParams.SyncUser, identity.ClientParams.SyncUser)`
			`assert.Equal(t, tt.expectedIdentity.ClientParams.AllowSignUp, identity.ClientParams.AllowSignUp)`
AuthN: Cleanup authn package (#63456) * AuthN: Update comments for ClientParams * AuthN: Update flag name from SyncTeamMembers to SyncTeams * UserSync: rename function and fix order of parameters so it is correct * UserSync: Fix so we skip check if no authModule or authID is passed * UserSync: move quota check to create user function * UserSync: Move FetchSyncedUserHook to UserSync * UserSync: Move last seen user hook to user sync service * ApiKey: Implement last seen hook as a client hook instead 2023-02-21 04:21:34 -06:00			`assert.Equal(t, tt.expectedIdentity.ClientParams.SyncTeams, identity.ClientParams.SyncTeams)`
AuthN: Add auth proxy client (#61555) * AuthN: set up boilerplate for proxy client * AuthN: Implement Test for proxy client * AuthN: parse accept list in constructor * AuthN: add proxy client interface * AuthN: handle error * AuthN: Implement the proxy client interface for ldap * AuthN: change reciever name * AuthN: add grafana as a proxy client * AuthN: for error returned * AuthN: add tests for grafana proxy auth * AuthN: swap order of grafan and ldap auth * AuthN: Parse additional proxy headers in proxy client and pass down 2023-01-17 03:07:46 -06:00			`assert.Equal(t, tt.expectedIdentity.ClientParams.EnableDisabledUsers, identity.ClientParams.EnableDisabledUsers)`

			`assert.EqualValues(t, tt.expectedIdentity.ClientParams.LookUpParams.Email, identity.ClientParams.LookUpParams.Email)`
			`assert.EqualValues(t, tt.expectedIdentity.ClientParams.LookUpParams.Login, identity.ClientParams.LookUpParams.Login)`
			`assert.EqualValues(t, tt.expectedIdentity.ClientParams.LookUpParams.UserID, identity.ClientParams.LookUpParams.UserID)`
			`} else {`
			`assert.Nil(t, tt.expectedIdentity)`
			`}`
			`})`
			`}`
			`}`

AuthN: Refactor basic auth client to support multiple password auth (#61153) * AuthN: add interface for password clients * AuthN: Extract grafana password client * AuthN: Rewrite basic client tests * AuthN: Add Ldap client and rename method of PasswordClient * AuthN: Configure multiple password clients * AuthN: create ldap service and add tests 2023-01-09 09:40:29 -06:00			`func TestGrafana_AuthenticatePassword(t *testing.T) {`
			`type testCase struct {`
			`desc string`
			`username string`
			`password string`
			`findUser bool`
			`expectedErr error`
			`expectedIdentity *authn.Identity`
			`expectedSignedInUser *user.SignedInUser`
			`}`

			`tests := []testCase{`
			`{`
			`desc: "should successfully authenticate user with correct password",`
			`username: "user",`
			`password: "password",`
			`findUser: true,`
			`expectedSignedInUser: &user.SignedInUser{UserID: 1, OrgID: 1, OrgRole: "Viewer"},`
			`expectedIdentity: &authn.Identity{ID: "user:1", OrgID: 1, OrgRoles: map[int64]org.RoleType{1: "Viewer"}, IsGrafanaAdmin: boolPtr(false)},`
			`},`
			`{`
			`desc: "should fail for incorrect password",`
			`username: "user",`
			`password: "wrong",`
			`findUser: true,`
			`expectedErr: errInvalidPassword,`
			`},`
			`{`
			`desc: "should fail if user is not found",`
			`username: "user",`
			`password: "password",`
			`expectedErr: errIdentityNotFound,`
			`},`
			`}`

			`for _, tt := range tests {`
			`t.Run(tt.desc, func(t *testing.T) {`
			`hashed, _ := util.EncodePassword("password", "salt")`
			`userService := &usertest.FakeUserService{`
			`ExpectedSignedInUser: tt.expectedSignedInUser,`
			`ExpectedUser: &user.User{Password: hashed, Salt: "salt"},`
			`}`

			`if !tt.findUser {`
			`userService.ExpectedUser = nil`
			`userService.ExpectedError = user.ErrUserNotFound`
			`}`

AuthN: Add auth proxy client (#61555) * AuthN: set up boilerplate for proxy client * AuthN: Implement Test for proxy client * AuthN: parse accept list in constructor * AuthN: add proxy client interface * AuthN: handle error * AuthN: Implement the proxy client interface for ldap * AuthN: change reciever name * AuthN: add grafana as a proxy client * AuthN: for error returned * AuthN: add tests for grafana proxy auth * AuthN: swap order of grafan and ldap auth * AuthN: Parse additional proxy headers in proxy client and pass down 2023-01-17 03:07:46 -06:00			`c := ProvideGrafana(setting.NewCfg(), userService)`
AuthN: Post login hooks (#61287) * AuthN: add the ability to register post login hooks * AuthN: add a guard for the user id * AuthN: Add helper to create external user info from identity * AuthN: Pass auth request to password clients * AuthN: set auth module and username in metadata 2023-01-12 08:02:04 -06:00			`identity, err := c.AuthenticatePassword(context.Background(), &authn.Request{OrgID: 1}, tt.username, tt.password)`
AuthN: Refactor basic auth client to support multiple password auth (#61153) * AuthN: add interface for password clients * AuthN: Extract grafana password client * AuthN: Rewrite basic client tests * AuthN: Add Ldap client and rename method of PasswordClient * AuthN: Configure multiple password clients * AuthN: create ldap service and add tests 2023-01-09 09:40:29 -06:00			`assert.ErrorIs(t, err, tt.expectedErr)`
			`assert.EqualValues(t, tt.expectedIdentity, identity)`
			`})`
			`}`
			`}`