From 2d8570e85e850455e458ef50d7ce74e3e18abd23 Mon Sep 17 00:00:00 2001
From: Karl Persson
Date: Tue, 7 May 2024 16:46:43 +0200
Subject: [PATCH] IDToken: Reuse claims from authlib (#87437)

* bump authlib version
* Reuse claims from authlib
---
 go.mod | 2 +-
 go.sum | 4 ++--
 go.work.sum | 5 +----
 pkg/apiserver/go.mod | 1 -
 pkg/apiserver/go.sum | 3 ---
 pkg/services/auth/id.go | 10 ++--------
 pkg/services/auth/idimpl/service.go | 13 ++++++++-----
 pkg/services/auth/idimpl/service_test.go | 6 +++---
 pkg/services/auth/idimpl/signer.go | 2 +-
 9 files changed, 18 insertions(+), 28 deletions(-)

diff --git a/go.mod b/go.mod
index 49f8aeae575..b461f1f6f48 100644
--- a/go.mod
+++ b/go.mod
@@ -87,7 +87,7 @@ require (
 github.com/gorilla/mux v1.8.1 // @grafana/grafana-backend-group
 github.com/gorilla/websocket v1.5.0 // @grafana/grafana-app-platform-squad
 github.com/grafana/alerting v0.0.0-20240424080142-bb4f4f429d36 // @grafana/alerting-squad-backend
- github.com/grafana/authlib v0.0.0-20240503035720-d1f918d6254a // @grafana/identity-access-team
+ github.com/grafana/authlib v0.0.0-20240507113130-d374fd8d5977 // @grafana/identity-access-team
 github.com/grafana/codejen v0.0.3 // @grafana/dataviz-squad
 github.com/grafana/cuetsy v0.1.11 // @grafana/grafana-as-code
 github.com/grafana/dataplane/examples v0.0.1 // @grafana/observability-metrics
diff --git a/go.sum b/go.sum
index a9cecb11aa2..59c5d2d4701 100644
--- a/go.sum
+++ b/go.sum
@@ -2150,8 +2150,8 @@ github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWm
 github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/grafana/alerting v0.0.0-20240424080142-bb4f4f429d36 h1:v4aQ0cde8SCzNRrD2RczzmFolEkXWriSY9tKakAD0ng=
 github.com/grafana/alerting v0.0.0-20240424080142-bb4f4f429d36/go.mod h1:8nOsn7PWmttOmWiR7bvYIl3VLl+tIq72ZF+1y54w36M=
-github.com/grafana/authlib v0.0.0-20240503035720-d1f918d6254a h1:9I4HHhjS634CWcsCS82wGvpkveypCzMe+2DMuzKoW5A=
-github.com/grafana/authlib v0.0.0-20240503035720-d1f918d6254a/go.mod h1:86rRD5P6u2JPWtNWTMOlqlU+YMv2fUvVz/DomA6L7w4=
+github.com/grafana/authlib v0.0.0-20240507113130-d374fd8d5977 h1:OwoOGVogT4rpApeJIxlumwpSq03M+Mn0K/GfZxariBo=
+github.com/grafana/authlib v0.0.0-20240507113130-d374fd8d5977/go.mod h1:86rRD5P6u2JPWtNWTMOlqlU+YMv2fUvVz/DomA6L7w4=
 github.com/grafana/codejen v0.0.3 h1:tAWxoTUuhgmEqxJPOLtJoxlPBbMULFwKFOcRsPRPXDw=
 github.com/grafana/codejen v0.0.3/go.mod h1:zmwwM/DRyQB7pfuBjTWII3CWtxcXh8LTwAYGfDfpR6s=
 github.com/grafana/cue v0.0.0-20230926092038-971951014e3f h1:TmYAMnqg3d5KYEAaT6PtTguL2GjLfvr6wnAX8Azw6tQ=
diff --git a/go.work.sum b/go.work.sum
index 08b659f334b..5cae7302776 100644
--- a/go.work.sum
+++ b/go.work.sum
@@ -718,8 +718,6 @@ github.com/grafana/e2e v0.1.1-0.20221018202458-cffd2bb71c7b h1:Ha+kSIoTutf4ytlVw
 github.com/grafana/e2e v0.1.1-0.20221018202458-cffd2bb71c7b/go.mod h1:3UsooRp7yW5/NJQBlXcTsAHOoykEhNUYXkQ3r6ehEEY=
 github.com/grafana/gomemcache v0.0.0-20231023152154-6947259a0586 h1:/of8Z8taCPftShATouOrBVy6GaTTjgQd/VfNiZp/VXQ=
 github.com/grafana/gomemcache v0.0.0-20231023152154-6947259a0586/go.mod h1:PGk3RjYHpxMM8HFPhKKo+vve3DdlPUELZLSDEFehPuU=
-github.com/grafana/grafana-azure-sdk-go/v2 v2.0.2 h1:CWT7mOBPUht9n7F/NiBQnEM05pFmCP3Z8CZPGCVC1tM=
-github.com/grafana/grafana-azure-sdk-go/v2 v2.0.2/go.mod h1:s8GLONgVh/svnSsO0Eo+OgXc/RZqozI5/0n+pNm3MEE=
 github.com/grafana/grafana-plugin-sdk-go v0.212.0/go.mod h1:qsI4ktDf0lig74u8SLPJf9zRdVxWV/W4Wi+Ox6gifgs=
 github.com/grafana/grafana-plugin-sdk-go v0.215.0/go.mod h1:nBsh3jRItKQUXDF2BQkiQCPxqrsSQeb+7hiFyJTO1RE=
 github.com/grafana/grafana-plugin-sdk-go v0.216.0/go.mod h1:FdvSvOliqpVLnytM7e89zCFyYPDE6VOn9SIjVQRvVxM=
@@ -727,8 +725,6 @@ github.com/grafana/grafana-plugin-sdk-go v0.227.1-0.20240426134450-5fe9f7b9dfd4
 github.com/grafana/grafana-plugin-sdk-go v0.227.1-0.20240426134450-5fe9f7b9dfd4/go.mod h1:UBDIuvdUGUI5fMDHDAl6yAVpFhfwl5ojMaw1N68775w=
 github.com/grafana/grafana-plugin-sdk-go v0.227.1-0.20240430073540-ce4d126ae8b8 h1:pyWJN79uW8QHZiQRasHGLCEkXSr3k6HCjdr0J2jZ3rU=
 github.com/grafana/grafana-plugin-sdk-go v0.227.1-0.20240430073540-ce4d126ae8b8/go.mod h1:u4K9vVN6eU86loO68977eTXGypC4brUCnk4sfDzutZU=
-github.com/grafana/grafana-plugin-sdk-go v0.228.0 h1:LlPqyB+RZTtDy8RVYD7iQVJW5A0gMoGSI/+Ykz8HebQ=
-github.com/grafana/grafana-plugin-sdk-go v0.228.0/go.mod h1:u4K9vVN6eU86loO68977eTXGypC4brUCnk4sfDzutZU=
 github.com/grafana/grafana/pkg/promlib v0.0.3/go.mod h1:3El4NlsfALz8QQCbEGHGFvJUG+538QLMuALRhZ3pcoo=
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7 h1:pdN6V1QBWetyv/0+wjACpqVH+eVULgEjkurDLq3goeM=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.1/go.mod h1:YvJ2f6MplWDhfxiUC3KpyTy76kYUZA4W3pTv/wdKQ9Y=
@@ -1219,6 +1215,7 @@ k8s.io/component-base v0.0.0-20240417101527-62c04b35eff6 h1:WN8Lymy+dCTDHgn4vhUS
 k8s.io/component-base v0.0.0-20240417101527-62c04b35eff6/go.mod h1:l0ukbPS0lwFxOzSq5ZqjutzF+5IL2TLp495PswRPSZk=
 k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/gengo/v2 v2.0.0-20240228010128-51d4e06bde70/go.mod h1:VH3AT8AaQOqiGjMF9p0/IM1Dj+82ZwjfxUP1IxaHE+8=
+k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
 k8s.io/kms v0.29.0/go.mod h1:mB0f9HLxRXeXUfHfn1A7rpwOlzXI1gIWu86z6buNoYA=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
 k8s.io/kube-openapi v0.0.0-20231214164306-ab13479f8bf8/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
diff --git a/pkg/apiserver/go.mod b/pkg/apiserver/go.mod
index 104d63af55c..b0d5d2d1863 100644
--- a/pkg/apiserver/go.mod
+++ b/pkg/apiserver/go.mod
@@ -13,7 +13,6 @@ require (
 k8s.io/apiserver v0.29.2
 k8s.io/client-go v0.29.2
 k8s.io/component-base v0.29.2
- k8s.io/klog v1.0.0
 k8s.io/klog/v2 v2.120.1
 k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340
 )
diff --git a/pkg/apiserver/go.sum b/pkg/apiserver/go.sum
index 703e5d9c0ef..593c4bd2add 100644
--- a/pkg/apiserver/go.sum
+++ b/pkg/apiserver/go.sum
@@ -66,7 +66,6 @@ github.com/getkin/kin-openapi v0.124.0 h1:VSFNMB9C9rTKBnQ/fpyDU8ytMTr4dWI9QovSKj
 github.com/getkin/kin-openapi v0.124.0/go.mod h1:wb1aSZA/iWmorQP9KTAS/phLj/t17B5jT7+fS8ed9NM=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
-github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
 github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -459,8 +458,6 @@ k8s.io/client-go v0.29.2 h1:FEg85el1TeZp+/vYJM7hkDlSTFZ+c5nnK44DJ4FyoRg=
 k8s.io/client-go v0.29.2/go.mod h1:knlvFZE58VpqbQpJNbCbctTVXcd35mMyAAwBdpt4jrA=
 k8s.io/component-base v0.29.2 h1:lpiLyuvPA9yV1aQwGLENYyK7n/8t6l3nn3zAtFTJYe8=
 k8s.io/component-base v0.29.2/go.mod h1:BfB3SLrefbZXiBfbM+2H1dlat21Uewg/5qtKOl8degM=
-k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8=
-k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
 k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
 k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag=
diff --git a/pkg/services/auth/id.go b/pkg/services/auth/id.go
index 4c66cabf4fe..d40f5d4db41 100644
--- a/pkg/services/auth/id.go
+++ b/pkg/services/auth/id.go
@@ -3,7 +3,7 @@ package auth
 import (
 "context"
- "github.com/go-jose/go-jose/v3/jwt"
+ authnlib "github.com/grafana/authlib/authn"
 "github.com/grafana/grafana/pkg/services/auth/identity"
 )
@@ -20,10 +20,4 @@ type IDSigner interface {
 SignIDToken(ctx context.Context, claims *IDClaims) (string, error)
 }
-type IDClaims struct {
- jwt.Claims
- Email string `json:"email"`
- EmailVerified bool `json:"email_verified"`
- Namespace string `json:"namespace,omitempty"`
- AuthenticatedBy string `json:"authenticatedBy,omitempty"`
-}
+type IDClaims = authnlib.Claims[authnlib.IDTokenClaims]
diff --git a/pkg/services/auth/idimpl/service.go b/pkg/services/auth/idimpl/service.go
index 8d05d88ca84..ea833d8f88c 100644
--- a/pkg/services/auth/idimpl/service.go
+++ b/pkg/services/auth/idimpl/service.go
@@ -7,6 +7,7 @@ import (
 "time"
 "github.com/go-jose/go-jose/v3/jwt"
+ authnlib "github.com/grafana/authlib/authn"
 "github.com/prometheus/client_golang/prometheus"
 "golang.org/x/sync/singleflight"
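Review bot: The exported alias `type IDClaims = authnlib.Claims[authnlib.IDTokenClaims]` has no doc comment, and it moves the ID token's JSON wire format (the `email`, `email_verified`, `namespace` and `authenticatedBy` tags that were declared in this file) into a dependency whose tags are no longer visible here. I would add `// IDClaims is the claim set of a Grafana-issued ID token: the registered JWT claims in Claims plus the Grafana-specific claims in Rest. Its JSON layout is owned by github.com/grafana/authlib, so bumping that module can change what token consumers see.` Every reader that used `claims.Email` or `claims.Namespace` must now go through `claims.Rest`, and because service.go assigns `&jwt.Claims{...}` to `Claims`, that field is presumably a pointer now and callers outside this commit should nil-check it before dereferencing.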
@@ -79,20 +80,22 @@ func (s *Service) SignIdentity(ctx context.Context, id identity.Requester) (stri
 now := time.Now()
 claims := &auth.IDClaims{
- Claims: jwt.Claims{
+ Claims: &jwt.Claims{
 Issuer: s.cfg.AppURL,
 Audience: getAudience(id.GetOrgID()),
 Subject: getSubject(namespace.String(), identifier),
 Expiry: jwt.NewNumericDate(now.Add(tokenTTL)),
 IssuedAt: jwt.NewNumericDate(now),
 },
- Namespace: s.nsMapper(id.GetOrgID()),
+ Rest: authnlib.IDTokenClaims{
+ Namespace: s.nsMapper(id.GetOrgID()),
+ },
 }
 if identity.IsNamespace(namespace, identity.NamespaceUser) {
- claims.Email = id.GetEmail()
- claims.EmailVerified = id.IsEmailVerified()
- claims.AuthenticatedBy = id.GetAuthenticatedBy()
+ claims.Rest.Email = id.GetEmail()
+ claims.Rest.EmailVerified = id.IsEmailVerified()
+ claims.Rest.AuthenticatedBy = id.GetAuthenticatedBy()
 }
 token, err := s.signer.SignIDToken(ctx, claims)
diff --git a/pkg/services/auth/idimpl/service_test.go b/pkg/services/auth/idimpl/service_test.go
index 94495f54873..28830102e2a 100644
--- a/pkg/services/auth/idimpl/service_test.go
+++ b/pkg/services/auth/idimpl/service_test.go
@@ -56,7 +56,7 @@ func TestService_SignIdentity(t *testing.T) {
 s, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.HS256, Key: key}, nil)
 require.NoError(t, err)
- token, err := jwt.Signed(s).Claims(claims).CompactSerialize()
+ token, err := jwt.Signed(s).Claims(claims.Claims).Claims(claims.Rest).CompactSerialize()
 require.NoError(t, err)
 return token, nil
@@ -87,7 +87,7 @@ func TestService_SignIdentity(t *testing.T) {
 require.NoError(t, err)
 claims := &auth.IDClaims{}
- require.NoError(t, parsed.UnsafeClaimsWithoutVerification(&claims))
- assert.Equal(t, login.AzureADAuthModule, claims.AuthenticatedBy)
+ require.NoError(t, parsed.UnsafeClaimsWithoutVerification(&claims.Claims, &claims.Rest))
+ assert.Equal(t, login.AzureADAuthModule, claims.Rest.AuthenticatedBy)
 })
 }
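Review bot: The block that fills `claims.Rest.Email`, `claims.Rest.EmailVerified` and `claims.Rest.AuthenticatedBy` carries no comment on why it is gated on the user namespace, and that gate is what keeps a non-user identity from ending up with an email claim in a signed token. I would put `// Only user identities carry email and login-provider claims; other namespaces never assert them.` above the `if identity.IsNamespace(namespace, identity.NamespaceUser) {` line. The `Rest:` literal now holds `Namespace` while the user-only fields are assigned afterwards; a one-line comment on `Rest:` such as `// Grafana-specific claims; their JSON names are defined by authnlib.IDTokenClaims.` would help a reader who no longer sees the struct tags in this repository. SignIdentity starts before the hunk and its body continues after it.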
diff --git a/pkg/services/auth/idimpl/signer.go b/pkg/services/auth/idimpl/signer.go
index 0814d671f75..29d664e99b2 100644
--- a/pkg/services/auth/idimpl/signer.go
+++ b/pkg/services/auth/idimpl/signer.go
@@ -37,7 +37,7 @@ func (s *LocalSigner) SignIDToken(ctx context.Context, claims *auth.IDClaims) (s
 return "", err
 }
- builder := jwt.Signed(signer).Claims(claims)
+ builder := jwt.Signed(signer).Claims(&claims.Rest).Claims(claims.Claims)
 token, err := builder.CompactSerialize()
 if err != nil {
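Review bot: `&claims.Rest` dereferences `claims` before go-jose ever sees it, so a nil `*auth.IDClaims` now panics inside SignIDToken, whereas the old `Claims(claims)` call would, as far as I recall, have surfaced go-jose's invalid-claims error at serialization. A guard at the top of the function, e.g. `if claims == nil || claims.Claims == nil { return "", errInvalidIDClaims }` with a new sentinel error declared alongside, restores an error path and also covers a nil registered-claims pointer, which go-jose would otherwise reject at `CompactSerialize` with a less specific error. The order `.Claims(&claims.Rest).Claims(claims.Claims)` is the reverse of the test's `.Claims(claims.Claims).Claims(claims.Rest)`; if I read go-jose's builder correctly the later call wins on duplicate keys, so the signer's order is the safer one (`exp`, `iss`, `sub` and `aud` cannot be shadowed by a future field of IDTokenClaims) and deserves a comment such as `// Registered claims are applied last so they take precedence over Rest on a key collision.` SignIDToken begins before the hunk and its body continues after it.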