LDAP: Fix LDAP users authenticated via auth proxy not being able to use LDAP active sync (#83715)

* fix LDAP users authenticated via auth proxy not being able to use ldap sync * simplify id resolution at the cost of no fallthrough * remove unused services * remove unused cache key
2024-11-21 16:38:03 -06:00 · 2024-03-01 10:14:32 +01:00 · 2024-03-01 10:14:32 +01:00 · 2182cc47ac
commit 2182cc47ac
parent 4dc8094514
4 changed files with 17 additions and 25 deletions
--- a/pkg/services/authn/authnimpl/service.go
+++ b/pkg/services/authn/authnimpl/service.go
@ -123,7 +123,7 @@ func ProvideService(
 	}

 	if s.cfg.AuthProxyEnabled && len(proxyClients) > 0 {
-		proxy, err := clients.ProvideProxy(cfg, cache, userService, proxyClients...)
+		proxy, err := clients.ProvideProxy(cfg, cache, proxyClients...)
 		if err != nil {
 			s.log.Error("Failed to configure auth proxy", "err", err)
 		} else {
--- a/pkg/services/authn/clients/proxy.go
+++ b/pkg/services/authn/clients/proxy.go
@ -15,7 +15,6 @@ import (
 	authidentity "github.com/grafana/grafana/pkg/services/auth/identity"
 	"github.com/grafana/grafana/pkg/services/authn"
 	"github.com/grafana/grafana/pkg/services/login"
-	"github.com/grafana/grafana/pkg/services/user"
 	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util"
 	"github.com/grafana/grafana/pkg/util/errutil"
@ -43,12 +42,12 @@ var (
 	_ authn.ContextAwareClient = new(Proxy)
 )

-func ProvideProxy(cfg *setting.Cfg, cache proxyCache, userSrv user.Service, clients ...authn.ProxyClient) (*Proxy, error) {
+func ProvideProxy(cfg *setting.Cfg, cache proxyCache, clients ...authn.ProxyClient) (*Proxy, error) {
 	list, err := parseAcceptList(cfg.AuthProxyWhitelist)
 	if err != nil {
 		return nil, err
 	}
-	return &Proxy{log.New(authn.ClientProxy), cfg, cache, userSrv, clients, list}, nil
+	return &Proxy{log.New(authn.ClientProxy), cfg, cache, clients, list}, nil
 }

 type proxyCache interface {
@ -61,7 +60,6 @@ type Proxy struct {
 	log         log.Logger
 	cfg         *setting.Cfg
 	cache       proxyCache
-	userSrv     user.Service
 	clients     []authn.ProxyClient
 	acceptedIPs []*net.IPNet
 }
@ -91,21 +89,17 @@ func (c *Proxy) Authenticate(ctx context.Context, r *authn.Request) (*authn.Iden
 			if err != nil {
 				c.log.FromContext(ctx).Warn("Failed to parse user id from cache", "error", err, "userId", string(entry))
 			} else {
-				usr, err := c.userSrv.GetSignedInUserWithCacheCtx(ctx, &user.GetSignedInUserQuery{
-					UserID: uid,
-					OrgID:  r.OrgID,
-				})
-
-				if err != nil {
-					c.log.FromContext(ctx).Warn("Could not resolved cached user", "error", err, "userId", string(entry))
-				}
-
-				// if we for some reason cannot find the user we proceed with the normal flow, authenticate with ProxyClient
-				// and perform syncs
-				if usr != nil {
-					c.log.FromContext(ctx).Debug("User was loaded from cache, skip syncs", "userId", usr.UserID)
-					return authn.IdentityFromSignedInUser(authn.NamespacedID(authn.NamespaceUser, usr.UserID), usr, authn.ClientParams{SyncPermissions: true}, login.AuthProxyAuthModule), nil
-				}
+				return &authn.Identity{
+					ID:    authn.NamespacedID(authn.NamespaceUser, uid),
+					OrgID: r.OrgID,
+					// FIXME: This does not match the actual auth module used, but should not have any impact
+					// Maybe caching the auth module used with the user ID would be a good idea
+					AuthenticatedBy: login.AuthProxyAuthModule,
+					ClientParams: authn.ClientParams{
+						FetchSyncedUser: true,
+						SyncPermissions: true,
+					},
+				}, nil
 			}
 		}
 	}
@ -116,7 +110,6 @@ func (c *Proxy) Authenticate(ctx context.Context, r *authn.Request) (*authn.Iden
 		identity, clientErr = proxyClient.AuthenticateProxy(ctx, r, username, additional)
 		if identity != nil {
 			identity.ClientParams.CacheAuthProxyKey = cacheKey
-			identity.AuthenticatedBy = login.AuthProxyAuthModule
 			return identity, nil
 		}
 	}
--- a/pkg/services/authn/clients/proxy_test.go
+++ b/pkg/services/authn/clients/proxy_test.go
@ -13,7 +13,6 @@ import (

 	"github.com/grafana/grafana/pkg/services/authn"
 	"github.com/grafana/grafana/pkg/services/authn/authntest"
-	"github.com/grafana/grafana/pkg/services/user/usertest"
 	"github.com/grafana/grafana/pkg/setting"
 )

@ -113,7 +112,7 @@ func TestProxy_Authenticate(t *testing.T) {
 				calledAdditional = additional
 				return nil, nil
 			}}
-			c, err := ProvideProxy(cfg, &fakeCache{expectedErr: errors.New("")}, usertest.NewUserServiceFake(), proxyClient)
+			c, err := ProvideProxy(cfg, &fakeCache{expectedErr: errors.New("")}, proxyClient)
 			require.NoError(t, err)

 			_, err = c.Authenticate(context.Background(), tt.req)
@ -210,7 +209,7 @@ func TestProxy_Hook(t *testing.T) {
 	withRole := func(role string) func(t *testing.T) {
 		cacheKey := fmt.Sprintf("users:johndoe-%s", role)
 		return func(t *testing.T) {
-			c, err := ProvideProxy(cfg, cache, usertest.NewUserServiceFake(), authntest.MockProxyClient{})
+			c, err := ProvideProxy(cfg, cache, authntest.MockProxyClient{})
 			require.NoError(t, err)
 			userIdentity := &authn.Identity{
 				ID: userID,
--- a/pkg/services/contexthandler/contexthandler.go
+++ b/pkg/services/contexthandler/contexthandler.go
@ -120,7 +120,7 @@ func (h *ContextHandler) Middleware(next http.Handler) http.Handler {
 			reqContext.UserToken = identity.SessionToken
 			reqContext.IsSignedIn = !reqContext.SignedInUser.IsAnonymous
 			reqContext.AllowAnonymous = reqContext.SignedInUser.IsAnonymous
-			reqContext.IsRenderCall = identity.AuthenticatedBy == login.RenderModule
+			reqContext.IsRenderCall = identity.GetAuthenticatedBy() == login.RenderModule
 		}

 		reqContext.Logger = reqContext.Logger.New("userId", reqContext.UserID, "orgId", reqContext.OrgID, "uname", reqContext.Login)