IDForwarding: Always forward id tokens to plugins (#81041)

* Always forward id tokens to plugins
2025-02-10 23:55:47 -06:00 · 2024-01-23 12:12:32 +01:00 · 2024-01-23 12:12:32 +01:00 · 147bf01745
commit 147bf01745
parent 5b6a4e880b
4 changed files with 6 additions and 60 deletions
--- a/pkg/api/pluginproxy/ds_proxy.go
+++ b/pkg/api/pluginproxy/ds_proxy.go
@ -19,7 +19,6 @@ import (
 	glog "github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/infra/tracing"
 	"github.com/grafana/grafana/pkg/plugins"
-	"github.com/grafana/grafana/pkg/services/auth"
 	contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
 	"github.com/grafana/grafana/pkg/services/datasources"
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
@ -270,7 +269,7 @@ func (proxy *DataSourceProxy) director(req *http.Request) {
 		}
 	}

-	if proxy.features.IsEnabled(req.Context(), featuremgmt.FlagIdForwarding) && auth.IsIDForwardingEnabledForDataSource(proxy.ds) {
+	if proxy.features.IsEnabled(req.Context(), featuremgmt.FlagIdForwarding) {
 		proxyutil.ApplyForwardIDHeader(req, proxy.ctx.SignedInUser)
 	}
 }
--- a/pkg/services/auth/id.go
+++ b/pkg/services/auth/id.go
@ -6,7 +6,6 @@ import (
 	"github.com/go-jose/go-jose/v3/jwt"

 	"github.com/grafana/grafana/pkg/services/auth/identity"
-	"github.com/grafana/grafana/pkg/services/datasources"
 )

 type IDService interface {
@ -22,9 +21,3 @@ type IDClaims struct {
 	jwt.Claims
 	AuthenticatedBy string `json:"authenticatedBy,omitempty"`
 }
-
-const settingsKey = "forwardGrafanaIdToken"
-
-func IsIDForwardingEnabledForDataSource(ds *datasources.DataSource) bool {
-	return ds.JsonData != nil && ds.JsonData.Get(settingsKey).MustBool()
-}
--- a/pkg/services/pluginsintegration/clientmiddleware/forward_id_middleware.go
+++ b/pkg/services/pluginsintegration/clientmiddleware/forward_id_middleware.go
@ -5,11 +5,8 @@ import (

 	"github.com/grafana/grafana-plugin-sdk-go/backend"

-	"github.com/grafana/grafana/pkg/components/simplejson"
 	"github.com/grafana/grafana/pkg/plugins"
-	"github.com/grafana/grafana/pkg/services/auth"
 	"github.com/grafana/grafana/pkg/services/contexthandler"
-	"github.com/grafana/grafana/pkg/services/datasources"
 )

 const forwardIDHeaderName = "X-Grafana-Id"
@ -36,15 +33,6 @@ func (m *ForwardIDMiddleware) applyToken(ctx context.Context, pCtx backend.Plugi
 		return nil
 	}

-	jsonDataBytes, err := simplejson.NewJson(pCtx.DataSourceInstanceSettings.JSONData)
-	if err != nil {
-		return err
-	}
-
-	if !auth.IsIDForwardingEnabledForDataSource(&datasources.DataSource{JsonData: jsonDataBytes}) {
-		return nil
-	}
-
 	// token will only be present if faeturemgmt.FlagIdForwarding is enabled
 	if token := reqCtx.SignedInUser.GetIDToken(); token != "" {
 		req.SetHTTPHeader(forwardIDHeaderName, token)
--- a/pkg/services/pluginsintegration/clientmiddleware/forward_id_middleware_test.go
+++ b/pkg/services/pluginsintegration/clientmiddleware/forward_id_middleware_test.go
@ -2,7 +2,6 @@ package clientmiddleware

 import (
 	"context"
-	"encoding/json"
 	"net/http"
 	"testing"

@ -17,15 +16,9 @@ import (
 )

 func TestForwardIDMiddleware(t *testing.T) {
-	settingWithEnabled, err := json.Marshal(map[string]any{
-		"forwardGrafanaIdToken": true,
-	})
-	require.NoError(t, err)
-
-	settingWithDisabled, err := json.Marshal(map[string]any{
-		"forwardGrafanaIdToken": false,
-	})
-	require.NoError(t, err)
+	pluginContext := backend.PluginContext{
+		DataSourceInstanceSettings: &backend.DataSourceInstanceSettings{},
+	}

 	t.Run("Should set forwarded id header if present", func(t *testing.T) {
 		cdt := clienttest.NewClientDecoratorTest(t, clienttest.WithMiddlewares(NewForwardIDMiddleware()))
@ -36,36 +29,13 @@ func TestForwardIDMiddleware(t *testing.T) {
 		})

 		err := cdt.Decorator.CallResource(ctx, &backend.CallResourceRequest{
-			PluginContext: backend.PluginContext{
-				DataSourceInstanceSettings: &backend.DataSourceInstanceSettings{
-					JSONData: settingWithEnabled,
-				},
-			},
+			PluginContext: pluginContext,
 		}, nopCallResourceSender)
 		require.NoError(t, err)

 		require.Equal(t, "some-token", cdt.CallResourceReq.Headers[forwardIDHeaderName][0])
 	})

-	t.Run("Should not set forwarded id header if setting is disabled", func(t *testing.T) {
-		cdt := clienttest.NewClientDecoratorTest(t, clienttest.WithMiddlewares(NewForwardIDMiddleware()))
-
-		ctx := context.WithValue(context.Background(), ctxkey.Key{}, &contextmodel.ReqContext{
-			Context:      &web.Context{Req: &http.Request{}},
-			SignedInUser: &user.SignedInUser{IDToken: "some-token"},
-		})
-
-		err := cdt.Decorator.CallResource(ctx, &backend.CallResourceRequest{
-			PluginContext: backend.PluginContext{
-				DataSourceInstanceSettings: &backend.DataSourceInstanceSettings{
-					JSONData: settingWithDisabled,
-				},
-			},
-		}, nopCallResourceSender)
-		require.NoError(t, err)
-		require.Len(t, cdt.CallResourceReq.Headers[forwardIDHeaderName], 0)
-	})
-
 	t.Run("Should not set forwarded id header if not present", func(t *testing.T) {
 		cdt := clienttest.NewClientDecoratorTest(t, clienttest.WithMiddlewares(NewForwardIDMiddleware()))

@ -75,11 +45,7 @@ func TestForwardIDMiddleware(t *testing.T) {
 		})

 		err := cdt.Decorator.CallResource(ctx, &backend.CallResourceRequest{
-			PluginContext: backend.PluginContext{
-				DataSourceInstanceSettings: &backend.DataSourceInstanceSettings{
-					JSONData: settingWithEnabled,
-				},
-			},
+			PluginContext: pluginContext,
 		}, nopCallResourceSender)
 		require.NoError(t, err)