Render analytics identifiers (#67860)

* Append analytics identifier upon authenticate session

* Add id and module upon syncing user to identity

* Add authModule & id to `IdentityFromSignedInUser`

* Allow req calls in test to use basic auth

* Add `intercom_secret` to grafana config in tests

* Add test for analytics render in html view
This commit is contained in:
linoman 2023-05-05 17:17:18 +02:00 committed by GitHub
parent ae1a85b5ad
commit 15e34505e2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 78 additions and 6 deletions

View File

@ -326,6 +326,8 @@ func IdentityFromSignedInUser(id string, usr *user.SignedInUser, params ClientPa
Teams: usr.Teams,
ClientParams: params,
Permissions: usr.Permissions,
AuthModule: usr.ExternalAuthModule,
AuthID: usr.ExternalAuthID,
}
}

View File

@ -392,6 +392,8 @@ func syncSignedInUserToIdentity(usr *user.SignedInUser, identity *authn.Identity
identity.LastSeenAt = usr.LastSeenAt
identity.IsDisabled = usr.IsDisabled
identity.IsGrafanaAdmin = &usr.IsGrafanaAdmin
identity.AuthID = usr.ExternalAuthID
identity.AuthModule = usr.ExternalAuthModule
}
func shouldUpdateLastSeen(t time.Time) bool {

View File

@ -3,6 +3,9 @@ package contexthandler
import (
"context"
"crypto/hmac"
"crypto/sha256"
"encoding/hex"
"errors"
"fmt"
"net/http"
@ -110,6 +113,25 @@ func FromContext(c context.Context) *contextmodel.ReqContext {
return nil
}
func hashUserIdentifier(identifier string, secret string) string {
key := []byte(secret)
h := hmac.New(sha256.New, key)
h.Write([]byte(identifier))
return hex.EncodeToString(h.Sum(nil))
}
func setSignedInUser(reqContext *contextmodel.ReqContext, identity *authn.Identity, intercomSecret string) {
reqContext.SignedInUser = identity.SignedInUser()
if identity.AuthID != "" {
reqContext.SignedInUser.Analytics.Identifier = identity.AuthID
} else {
reqContext.SignedInUser.Analytics.Identifier = identity.Email + "@" + setting.AppUrl
}
if intercomSecret != "" {
reqContext.SignedInUser.Analytics.IntercomIdentifier = hashUserIdentifier(identity.AuthID, intercomSecret)
}
}
// Middleware provides a middleware to initialize the request context.
func (h *ContextHandler) Middleware(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@ -151,7 +173,7 @@ func (h *ContextHandler) Middleware(next http.Handler) http.Handler {
reqContext.LookupTokenErr = err
} else {
reqContext.UserToken = identity.SessionToken
reqContext.SignedInUser = identity.SignedInUser()
setSignedInUser(reqContext, identity, h.Cfg.IntercomSecret)
reqContext.IsSignedIn = !identity.IsAnonymous
reqContext.AllowAnonymous = identity.IsAnonymous
reqContext.IsRenderCall = identity.AuthModule == login.RenderModule

View File

@ -216,6 +216,11 @@ func CreateGrafDir(t *testing.T, opts ...GrafanaOpts) (string, string) {
_, err = rbacSect.NewKey("permission_cache", "false")
require.NoError(t, err)
analyticsSect, err := cfg.NewSection("analytics")
require.NoError(t, err)
_, err = analyticsSect.NewKey("intercom_secret", "intercom_secret_at_config")
require.NoError(t, err)
getOrCreateSection := func(name string) (*ini.Section, error) {
section, err := cfg.GetSection(name)
if err != nil {

View File

@ -1,6 +1,7 @@
package web
import (
"encoding/json"
"fmt"
"io"
"net/http"
@ -10,6 +11,7 @@ import (
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/grafana/grafana/pkg/services/user"
"github.com/grafana/grafana/pkg/tests/testinfra"
)
@ -27,7 +29,7 @@ func TestIntegrationIndexView(t *testing.T) {
addr, _ := testinfra.StartGrafana(t, grafDir, cfgPath)
// nolint:bodyclose
resp, html := makeRequest(t, addr)
resp, html := makeRequest(t, addr, "", "")
assert.Regexp(t, `script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' 'nonce-[^']+';object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src \* data:;base-uri 'self';connect-src 'self' grafana.com ws://localhost:3000/ wss://localhost:3000/;manifest-src 'self';media-src 'none';form-action 'self';`, resp.Header.Get("Content-Security-Policy"))
assert.Regexp(t, `<script nonce="[^"]+"`, html)
})
@ -37,20 +39,59 @@ func TestIntegrationIndexView(t *testing.T) {
addr, _ := testinfra.StartGrafana(t, grafDir, cfgPath)
// nolint:bodyclose
resp, html := makeRequest(t, addr)
resp, html := makeRequest(t, addr, "", "")
assert.Empty(t, resp.Header.Get("Content-Security-Policy"))
assert.Regexp(t, `<script nonce=""`, html)
})
t.Run("Test the exposed user data contains the analytics identifiers", func(t *testing.T) {
grafDir, cfgPath := testinfra.CreateGrafDir(t, testinfra.GrafanaOpts{
EnableFeatureToggles: []string{"authnService"},
})
addr, store := testinfra.StartGrafana(t, grafDir, cfgPath)
createdUser := testinfra.CreateUser(t, store, user.CreateUserCommand{
Login: "admin",
Password: "admin",
Email: "admin@grafana.com",
OrgID: 1,
})
// insert user_auth relationship
query := fmt.Sprintf(`INSERT INTO "user_auth" ("user_id", "auth_module", "auth_id", "created") VALUES ('%d', 'oauth_grafana_com', 'test-id-oauth-grafana', '2023-03-13 14:08:11')`, createdUser.ID)
_, err := store.GetEngine().Exec(query)
require.NoError(t, err)
// nolint:bodyclose
response, html := makeRequest(t, addr, "admin", "admin")
assert.Equal(t, 200, response.StatusCode)
// parse User.Analytics HTML view into user.AnalyticsSettings model
parsedHTML := strings.Split(html, "analytics\":")[1]
parsedHTML = strings.Split(parsedHTML, "},\n")[0]
var analyticsSettings user.AnalyticsSettings
require.NoError(t, json.Unmarshal([]byte(parsedHTML), &analyticsSettings))
require.Equal(t, "test-id-oauth-grafana", analyticsSettings.Identifier)
})
}
func makeRequest(t *testing.T, addr string) (*http.Response, string) {
func makeRequest(t *testing.T, addr, username, passwowrd string) (*http.Response, string) {
t.Helper()
u := fmt.Sprintf("http://%s", addr)
t.Logf("Making GET request to %s", u)
// nolint:gosec
resp, err := http.Get(u)
request, err := http.NewRequest("GET", u, nil)
require.NoError(t, err)
if username != "" && passwowrd != "" {
request.SetBasicAuth(username, passwowrd)
}
resp, err := http.DefaultClient.Do(request)
require.NoError(t, err)
require.NotNil(t, resp)
t.Cleanup(func() {