From 073ef930071ddabb8f349a76e75278aabcd145ce Mon Sep 17 00:00:00 2001
From: Ryan McKinley
Date: Tue, 2 Jul 2024 09:50:35 +0300
Subject: [PATCH] Authn: Set requester in middleware (#89929) identify in context
---
 pkg/services/contexthandler/contexthandler.go | 10 +++++-----
 pkg/services/contexthandler/contexthandler_test.go | 11 ++++++++---
 2 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/pkg/services/contexthandler/contexthandler.go b/pkg/services/contexthandler/contexthandler.go
index c6bf3137864..fe8f810872e 100644
--- a/pkg/services/contexthandler/contexthandler.go
+++ b/pkg/services/contexthandler/contexthandler.go
@@ -112,16 +112,16 @@ func (h *ContextHandler) Middleware(next http.Handler) http.Handler {
 reqContext.Logger = reqContext.Logger.New("traceID", traceID)
 }
- identity, err := h.authnService.Authenticate(ctx, &authn.Request{HTTPRequest: reqContext.Req, Resp: reqContext.Resp})
+ id, err := h.authnService.Authenticate(ctx, &authn.Request{HTTPRequest: reqContext.Req, Resp: reqContext.Resp})
 if err != nil {
 // Hack: set all errors on LookupTokenErr, so we can check it in auth middlewares
 reqContext.LookupTokenErr = err
 } else {
- reqContext.SignedInUser = identity.SignedInUser()
- reqContext.UserToken = identity.SessionToken
+ reqContext.SignedInUser = id.SignedInUser()
+ reqContext.UserToken = id.SessionToken
 reqContext.IsSignedIn = !reqContext.SignedInUser.IsAnonymous
 reqContext.AllowAnonymous = reqContext.SignedInUser.IsAnonymous
- reqContext.IsRenderCall = identity.IsAuthenticatedBy(login.RenderModule)
+ reqContext.IsRenderCall = id.IsAuthenticatedBy(login.RenderModule)
 }
 reqContext.Logger = reqContext.Logger.New("userId", reqContext.UserID, "orgId", reqContext.OrgID, "uname", reqContext.Login)
@@ -138,7 +138,7 @@ func (h *ContextHandler) Middleware(next http.Handler) http.Handler {
 // End the span to make next handlers not wrapped within middleware span
 span.End()
- next.ServeHTTP(w, r)
+ next.ServeHTTP(w, r.WithContext(identity.WithRequester(ctx, id)))
 })
 }
diff --git a/pkg/services/contexthandler/contexthandler_test.go b/pkg/services/contexthandler/contexthandler_test.go
index 87a95be3cfe..0dcdf896d61 100644
--- a/pkg/services/contexthandler/contexthandler_test.go
+++ b/pkg/services/contexthandler/contexthandler_test.go
@@ -9,6 +9,7 @@ import (
 "github.com/stretchr/testify/require"
 "github.com/grafana/grafana/pkg/api/routing"
+ "github.com/grafana/grafana/pkg/apimachinery/identity"
 "github.com/grafana/grafana/pkg/infra/tracing"
 "github.com/grafana/grafana/pkg/services/authn"
 "github.com/grafana/grafana/pkg/services/authn/authntest"
@@ -44,20 +45,24 @@ func TestContextHandler(t *testing.T) {
 })
 t.Run("should set identity on successful authentication", func(t *testing.T) {
- identity := &authn.Identity{ID: authn.NewNamespaceID(authn.NamespaceUser, 1), OrgID: 1}
+ id := &authn.Identity{ID: authn.NewNamespaceID(authn.NamespaceUser, 1), OrgID: 1}
 handler := contexthandler.ProvideService(
 setting.NewCfg(),
 tracing.InitializeTracerForTest(),
 featuremgmt.WithFeatures(),
- &authntest.FakeService{ExpectedIdentity: identity},
+ &authntest.FakeService{ExpectedIdentity: id},
 )
 server := webtest.NewServer(t, routing.NewRouteRegister())
 server.Mux.Use(handler.Middleware)
 server.Mux.Get("/api/handler", func(c *contextmodel.ReqContext) {
 require.True(t, c.IsSignedIn)
- require.EqualValues(t, identity.SignedInUser(), c.SignedInUser)
+ require.EqualValues(t, id.SignedInUser(), c.SignedInUser)
 require.NoError(t, c.LookupTokenErr)
+
+ requester, err := identity.GetRequester(c.Req.Context())
+ require.NoError(t, err)
+ require.Equal(t, id, requester)
 })
 res, err := server.Send(server.NewGetRequest("/api/handler"))
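Review bot: In the `@@ -138,7 +138,7 @@` hunk, `identity.WithRequester(ctx, id)` runs for every request, including those where `Authenticate` returned an error and only `reqContext.LookupTokenErr` was set in the `if err != nil` branch of the `@@ -112,16 +112,16 @@` hunk. If `id` is a nil `*authn.Identity` on that path (the `Authenticate` signature is not visible here), the context would carry a typed-nil pointer wrapped in an interface, which a plain `!= nil` check downstream does not catch, so a handler that trusts the context requester could dereference nil or treat an unauthenticated request as having one. Attaching the requester only on success keeps the failure path explicit: add `ctx = identity.WithRequester(ctx, id)` inside the `else` branch and call `next.ServeHTTP(w, r.WithContext(ctx))` at the end. The body of `Middleware` starts and ends outside both hunks, so confirm `ctx` is assignable at that point.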
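Review bot: The assertions added to `should set identity on successful authentication` in the `@@ -44,20 +45,24 @@` hunk pin only the success path; nothing visible checks what `identity.GetRequester(c.Req.Context())` yields when authentication fails. Because the middleware now attaches the requester regardless of the `Authenticate` result, a failure-path subtest with a fake service that returns an error should assert `_, err := identity.GetRequester(c.Req.Context())` followed by `require.Error(t, err)`. The preceding subtest closes at the top of this hunk and is not visible here; if it already exercises the failure path, the two lines could go in its handler.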