AuthN: Add IsAuthenticatedBy to identity interface and replace checks (#85262)

Add IsAuthenticatedBy to identity interface and replace checks

pkg/api/login.go

@@ -129,7 +129,7 @@ func (hs *HTTPServer) LoginView(c *contextmodel.ReqContext) {
 		// LDAP users authenticated by auth proxy are also assigned login token but their auth module is LDAP
 		if hs.Cfg.AuthProxy.Enabled &&
 			hs.Cfg.AuthProxy.EnableLoginToken &&
-			(c.SignedInUser.AuthenticatedBy == loginservice.AuthProxyAuthModule || c.SignedInUser.AuthenticatedBy == loginservice.LDAPAuthModule) {
+			c.SignedInUser.IsAuthenticatedBy(loginservice.AuthProxyAuthModule, loginservice.LDAPAuthModule) {
 			user := &user.User{ID: c.SignedInUser.UserID, Email: c.SignedInUser.Email, Login: c.SignedInUser.Login}
 			err := hs.loginUserWithUser(user, c)
 			if err != nil {

pkg/services/auth/identity/requester.go

@@ -50,6 +50,8 @@ type Requester interface {
 	// DEPRECATED: GetOrgName returns the name of the active organization.
 	// Retrieve the organization name from the organization service instead of using this method.
 	GetOrgName() string
+	// IsAuthenticatedBy returns true if entity was authenticated by any of supplied providers.
+	IsAuthenticatedBy(providers ...string) bool
 
 	// IsNil returns true if the identity is nil
 	// FIXME: remove this method once all services are using an interface

pkg/services/authn/identity.go

@@ -197,6 +197,15 @@ func (i *Identity) HasUniqueId() bool {
 	return namespace == NamespaceUser || namespace == NamespaceServiceAccount || namespace == NamespaceAPIKey
 }
 
+func (i *Identity) IsAuthenticatedBy(providers ...string) bool {
+	for _, p := range providers {
+		if i.AuthenticatedBy == p {
+			return true
+		}
+	}
+	return false
+}
+
 func (i *Identity) IsNil() bool {
 	return i == nil
 }

pkg/services/contexthandler/contexthandler.go

@@ -120,7 +120,7 @@ func (h *ContextHandler) Middleware(next http.Handler) http.Handler {
 			reqContext.UserToken = identity.SessionToken
 			reqContext.IsSignedIn = !reqContext.SignedInUser.IsAnonymous
 			reqContext.AllowAnonymous = reqContext.SignedInUser.IsAnonymous
-			reqContext.IsRenderCall = identity.GetAuthenticatedBy() == login.RenderModule
+			reqContext.IsRenderCall = identity.IsAuthenticatedBy(login.RenderModule)
 		}
 
 		reqContext.Logger = reqContext.Logger.New("userId", reqContext.UserID, "orgId", reqContext.OrgID, "uname", reqContext.Login)

pkg/services/sqlstore/permissions/dashboard.go

@@ -141,7 +141,7 @@ func (f *accessControlDashboardPermissionFilter) buildClauses() {
 
 	// useSelfContainedPermissions is true if the user's permissions are stored and set from the JWT token
 	// currently it's used for the extended JWT module (when the user is authenticated via a JWT token generated by Grafana)
-	useSelfContainedPermissions := f.user.GetAuthenticatedBy() == login.ExtendedJWTModule
+	useSelfContainedPermissions := f.user.IsAuthenticatedBy(login.ExtendedJWTModule)
 
 	if len(f.dashboardActions) > 0 {
 		toCheck := actionsToCheck(f.dashboardActions, f.user.GetPermissions(), dashWildcards, folderWildcards)

pkg/services/user/identity.go

@@ -217,6 +217,15 @@ func (u *SignedInUser) GetNamespacedID() (string, string) {
 	return parts[0], parts[1]
 }
 
+func (u *SignedInUser) IsAuthenticatedBy(providers ...string) bool {
+	for _, p := range providers {
+		if u.AuthenticatedBy == p {
+			return true
+		}
+	}
+	return false
+}
+
 // FIXME: remove this method once all services are using an interface
 func (u *SignedInUser) IsNil() bool {
 	return u == nil