Render analytics identifiers (#67860)

* Append analytics identifier upon authenticate session * Add id and module upon syncing user to identity * Add authModule & id to `IdentityFromSignedInUser` * Allow req calls in test to use basic auth * Add `intercom_secret` to grafana config in tests * Add test for analytics render in html view
2025-02-25 18:55:37 -06:00 · 2023-05-05 17:17:18 +02:00 · 2023-05-05 17:17:18 +02:00 · 15e34505e2
commit 15e34505e2
parent ae1a85b5ad
5 changed files with 78 additions and 6 deletions
--- a/pkg/services/authn/authn.go
+++ b/pkg/services/authn/authn.go
@ -326,6 +326,8 @@ func IdentityFromSignedInUser(id string, usr *user.SignedInUser, params ClientPa
 		Teams:          usr.Teams,
 		ClientParams:   params,
 		Permissions:    usr.Permissions,
+		AuthModule:     usr.ExternalAuthModule,
+		AuthID:         usr.ExternalAuthID,
 	}
 }

--- a/pkg/services/authn/authnimpl/sync/user_sync.go
+++ b/pkg/services/authn/authnimpl/sync/user_sync.go
@ -392,6 +392,8 @@ func syncSignedInUserToIdentity(usr *user.SignedInUser, identity *authn.Identity
 	identity.LastSeenAt = usr.LastSeenAt
 	identity.IsDisabled = usr.IsDisabled
 	identity.IsGrafanaAdmin = &usr.IsGrafanaAdmin
+	identity.AuthID = usr.ExternalAuthID
+	identity.AuthModule = usr.ExternalAuthModule
 }

 func shouldUpdateLastSeen(t time.Time) bool {
--- a/pkg/services/contexthandler/contexthandler.go
+++ b/pkg/services/contexthandler/contexthandler.go
@ -3,6 +3,9 @@ package contexthandler

 import (
 	"context"
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/hex"
 	"errors"
 	"fmt"
 	"net/http"
@ -110,6 +113,25 @@ func FromContext(c context.Context) *contextmodel.ReqContext {
 	return nil
 }

+func hashUserIdentifier(identifier string, secret string) string {
+	key := []byte(secret)
+	h := hmac.New(sha256.New, key)
+	h.Write([]byte(identifier))
+	return hex.EncodeToString(h.Sum(nil))
+}
+
+func setSignedInUser(reqContext *contextmodel.ReqContext, identity *authn.Identity, intercomSecret string) {
+	reqContext.SignedInUser = identity.SignedInUser()
+	if identity.AuthID != "" {
+		reqContext.SignedInUser.Analytics.Identifier = identity.AuthID
+	} else {
+		reqContext.SignedInUser.Analytics.Identifier = identity.Email + "@" + setting.AppUrl
+	}
+	if intercomSecret != "" {
+		reqContext.SignedInUser.Analytics.IntercomIdentifier = hashUserIdentifier(identity.AuthID, intercomSecret)
+	}
+}
+
 // Middleware provides a middleware to initialize the request context.
 func (h *ContextHandler) Middleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@ -151,7 +173,7 @@ func (h *ContextHandler) Middleware(next http.Handler) http.Handler {
 				reqContext.LookupTokenErr = err
 			} else {
 				reqContext.UserToken = identity.SessionToken
-				reqContext.SignedInUser = identity.SignedInUser()
+				setSignedInUser(reqContext, identity, h.Cfg.IntercomSecret)
 				reqContext.IsSignedIn = !identity.IsAnonymous
 				reqContext.AllowAnonymous = identity.IsAnonymous
 				reqContext.IsRenderCall = identity.AuthModule == login.RenderModule
--- a/pkg/tests/testinfra/testinfra.go
+++ b/pkg/tests/testinfra/testinfra.go
@ -216,6 +216,11 @@ func CreateGrafDir(t *testing.T, opts ...GrafanaOpts) (string, string) {
 	_, err = rbacSect.NewKey("permission_cache", "false")
 	require.NoError(t, err)

+	analyticsSect, err := cfg.NewSection("analytics")
+	require.NoError(t, err)
+	_, err = analyticsSect.NewKey("intercom_secret", "intercom_secret_at_config")
+	require.NoError(t, err)
+
 	getOrCreateSection := func(name string) (*ini.Section, error) {
 		section, err := cfg.GetSection(name)
 		if err != nil {
--- a/pkg/tests/web/index_view_test.go
+++ b/pkg/tests/web/index_view_test.go
@ -1,6 +1,7 @@
 package web

 import (
+	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
@ -10,6 +11,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

+	"github.com/grafana/grafana/pkg/services/user"
 	"github.com/grafana/grafana/pkg/tests/testinfra"
 )

@ -27,7 +29,7 @@ func TestIntegrationIndexView(t *testing.T) {
 		addr, _ := testinfra.StartGrafana(t, grafDir, cfgPath)

 		// nolint:bodyclose
-		resp, html := makeRequest(t, addr)
+		resp, html := makeRequest(t, addr, "", "")
 		assert.Regexp(t, `script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' 'nonce-[^']+';object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src \* data:;base-uri 'self';connect-src 'self' grafana.com ws://localhost:3000/ wss://localhost:3000/;manifest-src 'self';media-src 'none';form-action 'self';`, resp.Header.Get("Content-Security-Policy"))
 		assert.Regexp(t, `<script nonce="[^"]+"`, html)
 	})
@ -37,20 +39,59 @@ func TestIntegrationIndexView(t *testing.T) {
 		addr, _ := testinfra.StartGrafana(t, grafDir, cfgPath)

 		// nolint:bodyclose
-		resp, html := makeRequest(t, addr)
+		resp, html := makeRequest(t, addr, "", "")

 		assert.Empty(t, resp.Header.Get("Content-Security-Policy"))
 		assert.Regexp(t, `<script nonce=""`, html)
 	})
+
+	t.Run("Test the exposed user data contains the analytics identifiers", func(t *testing.T) {
+		grafDir, cfgPath := testinfra.CreateGrafDir(t, testinfra.GrafanaOpts{
+			EnableFeatureToggles: []string{"authnService"},
+		})
+
+		addr, store := testinfra.StartGrafana(t, grafDir, cfgPath)
+		createdUser := testinfra.CreateUser(t, store, user.CreateUserCommand{
+			Login:    "admin",
+			Password: "admin",
+			Email:    "admin@grafana.com",
+			OrgID:    1,
+		})
+
+		// insert user_auth relationship
+		query := fmt.Sprintf(`INSERT INTO "user_auth" ("user_id", "auth_module", "auth_id", "created") VALUES ('%d', 'oauth_grafana_com', 'test-id-oauth-grafana', '2023-03-13 14:08:11')`, createdUser.ID)
+		_, err := store.GetEngine().Exec(query)
+		require.NoError(t, err)
+
+		// nolint:bodyclose
+		response, html := makeRequest(t, addr, "admin", "admin")
+		assert.Equal(t, 200, response.StatusCode)
+
+		// parse User.Analytics HTML view into user.AnalyticsSettings model
+		parsedHTML := strings.Split(html, "analytics\":")[1]
+		parsedHTML = strings.Split(parsedHTML, "},\n")[0]
+
+		var analyticsSettings user.AnalyticsSettings
+		require.NoError(t, json.Unmarshal([]byte(parsedHTML), &analyticsSettings))
+
+		require.Equal(t, "test-id-oauth-grafana", analyticsSettings.Identifier)
+	})
 }

-func makeRequest(t *testing.T, addr string) (*http.Response, string) {
+func makeRequest(t *testing.T, addr, username, passwowrd string) (*http.Response, string) {
 	t.Helper()

 	u := fmt.Sprintf("http://%s", addr)
 	t.Logf("Making GET request to %s", u)
-	// nolint:gosec
-	resp, err := http.Get(u)
+
+	request, err := http.NewRequest("GET", u, nil)
+	require.NoError(t, err)
+
+	if username != "" && passwowrd != "" {
+		request.SetBasicAuth(username, passwowrd)
+	}
+
+	resp, err := http.DefaultClient.Do(request)
 	require.NoError(t, err)
 	require.NotNil(t, resp)
 	t.Cleanup(func() {