mirror of
https://github.com/grafana/grafana.git
synced 2024-12-26 08:51:33 -06:00
Auth: remove id token flag (#92209)
This commit is contained in:
Ryan McKinley
GitHub
parent
302bfe3edf
commit
2e60f28044
@ -151,7 +151,6 @@ Experimental features might be changed or removed without prior notice.
|
||||
| `wargamesTesting` | Placeholder feature flag for internal testing |
|
||||
| `externalCorePlugins` | Allow core plugins to be loaded as external |
|
||||
| `pluginsAPIMetrics` | Sends metrics of public grafana packages usage by plugins |
|
||||
| `idForwarding` | Generate signed id token for identity that can be forwarded to plugins and external services |
|
||||
| `enableNativeHTTPHistogram` | Enables native HTTP Histograms |
|
||||
| `disableClassicHTTPHistogram` | Disables classic HTTP Histogram (use with enableNativeHTTPHistogram) |
|
||||
| `kubernetesSnapshots` | Routes snapshot requests from /api to the /apis endpoint |
|
||||
|
||||
@ -106,7 +106,6 @@ export interface FeatureToggles {
|
||||
alertingInsights?: boolean;
|
||||
externalCorePlugins?: boolean;
|
||||
pluginsAPIMetrics?: boolean;
|
||||
idForwarding?: boolean;
|
||||
externalServiceAccounts?: boolean;
|
||||
panelMonitoring?: boolean;
|
||||
enableNativeHTTPHistogram?: boolean;
|
||||
|
||||
@ -271,9 +271,7 @@ func (proxy *DataSourceProxy) director(req *http.Request) {
|
||||
}
|
||||
}
|
||||
|
||||
if proxy.features.IsEnabled(req.Context(), featuremgmt.FlagIdForwarding) {
|
||||
proxyutil.ApplyForwardIDHeader(req, proxy.ctx.SignedInUser)
|
||||
}
|
||||
proxyutil.ApplyForwardIDHeader(req, proxy.ctx.SignedInUser)
|
||||
}
|
||||
|
||||
func (proxy *DataSourceProxy) validateRequest() error {
|
||||
|
||||
@ -185,10 +185,7 @@ func (proxy PluginProxy) director(req *http.Request) {
|
||||
req.Header.Set("X-Grafana-Context", string(ctxJSON))
|
||||
|
||||
proxyutil.ApplyUserHeader(proxy.cfg.SendUserHeader, req, proxy.ctx.SignedInUser)
|
||||
|
||||
if proxy.features.IsEnabled(req.Context(), featuremgmt.FlagIdForwarding) {
|
||||
proxyutil.ApplyForwardIDHeader(req, proxy.ctx.SignedInUser)
|
||||
}
|
||||
proxyutil.ApplyForwardIDHeader(req, proxy.ctx.SignedInUser)
|
||||
|
||||
if err := addHeaders(&req.Header, proxy.matchedRoute, data); err != nil {
|
||||
proxy.ctx.JsonApiErr(500, "Failed to render plugin headers", err)
|
||||
|
||||
@ -73,7 +73,6 @@ type Requester interface {
|
||||
// HasUniqueId returns true if the entity has a unique id
|
||||
HasUniqueId() bool
|
||||
// GetIDToken returns a signed token representing the identity that can be forwarded to plugins and external services.
|
||||
// Will only be set when featuremgmt.FlagIdForwarding is enabled.
|
||||
GetIDToken() string
|
||||
}
|
||||
|
||||
|
||||
@ -18,7 +18,6 @@ import (
|
||||
"github.com/grafana/grafana/pkg/services/apiserver/endpoints/request"
|
||||
"github.com/grafana/grafana/pkg/services/auth"
|
||||
"github.com/grafana/grafana/pkg/services/authn"
|
||||
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
)
|
||||
|
||||
@ -31,8 +30,9 @@ const (
|
||||
var _ auth.IDService = (*Service)(nil)
|
||||
|
||||
func ProvideService(
|
||||
cfg *setting.Cfg, signer auth.IDSigner, cache remotecache.CacheStorage,
|
||||
features featuremgmt.FeatureToggles, authnService authn.Service,
|
||||
cfg *setting.Cfg, signer auth.IDSigner,
|
||||
cache remotecache.CacheStorage,
|
||||
authnService authn.Service,
|
||||
reg prometheus.Registerer,
|
||||
) *Service {
|
||||
s := &Service{
|
||||
@ -42,9 +42,7 @@ func ProvideService(
|
||||
nsMapper: request.GetNamespaceMapper(cfg),
|
||||
}
|
||||
|
||||
if features.IsEnabledGlobally(featuremgmt.FlagIdForwarding) {
|
||||
authnService.RegisterPostAuthHook(s.hook, 140)
|
||||
}
|
||||
authnService.RegisterPostAuthHook(s.hook, 140)
|
||||
|
||||
return s
|
||||
}
|
||||
|
||||
@ -15,15 +15,12 @@ import (
|
||||
"github.com/grafana/grafana/pkg/services/auth/idtest"
|
||||
"github.com/grafana/grafana/pkg/services/authn"
|
||||
"github.com/grafana/grafana/pkg/services/authn/authntest"
|
||||
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
||||
"github.com/grafana/grafana/pkg/services/login"
|
||||
"github.com/grafana/grafana/pkg/setting"
|
||||
)
|
||||
|
||||
func Test_ProvideService(t *testing.T) {
|
||||
t.Run("should register post auth hook when feature flag is enabled", func(t *testing.T) {
|
||||
features := featuremgmt.WithFeatures(featuremgmt.FlagIdForwarding)
|
||||
|
||||
t.Run("should register post auth hook", func(t *testing.T) {
|
||||
var hookRegistered bool
|
||||
authnService := &authntest.MockService{
|
||||
RegisterPostAuthHookFunc: func(_ authn.PostAuthHookFn, _ uint) {
|
||||
@ -31,23 +28,9 @@ func Test_ProvideService(t *testing.T) {
|
||||
},
|
||||
}
|
||||
|
||||
_ = ProvideService(setting.NewCfg(), nil, nil, features, authnService, nil)
|
||||
_ = ProvideService(setting.NewCfg(), nil, nil, authnService, nil)
|
||||
assert.True(t, hookRegistered)
|
||||
})
|
||||
|
||||
t.Run("should not register post auth hook when feature flag is disabled", func(t *testing.T) {
|
||||
features := featuremgmt.WithFeatures()
|
||||
|
||||
var hookRegistered bool
|
||||
authnService := &authntest.MockService{
|
||||
RegisterPostAuthHookFunc: func(_ authn.PostAuthHookFn, _ uint) {
|
||||
hookRegistered = true
|
||||
},
|
||||
}
|
||||
|
||||
_ = ProvideService(setting.NewCfg(), nil, nil, features, authnService, nil)
|
||||
assert.False(t, hookRegistered)
|
||||
})
|
||||
}
|
||||
|
||||
func TestService_SignIdentity(t *testing.T) {
|
||||
@ -67,7 +50,6 @@ func TestService_SignIdentity(t *testing.T) {
|
||||
t.Run("should sign identity", func(t *testing.T) {
|
||||
s := ProvideService(
|
||||
setting.NewCfg(), signer, remotecache.NewFakeCacheStorage(),
|
||||
featuremgmt.WithFeatures(featuremgmt.FlagIdForwarding),
|
||||
&authntest.FakeService{}, nil,
|
||||
)
|
||||
token, _, err := s.SignIdentity(context.Background(), &authn.Identity{ID: "1", Type: claims.TypeUser})
|
||||
@ -78,7 +60,6 @@ func TestService_SignIdentity(t *testing.T) {
|
||||
t.Run("should sign identity with authenticated by if user is externally authenticated", func(t *testing.T) {
|
||||
s := ProvideService(
|
||||
setting.NewCfg(), signer, remotecache.NewFakeCacheStorage(),
|
||||
featuremgmt.WithFeatures(featuremgmt.FlagIdForwarding),
|
||||
&authntest.FakeService{}, nil,
|
||||
)
|
||||
token, _, err := s.SignIdentity(context.Background(), &authn.Identity{
|
||||
@ -104,7 +85,6 @@ func TestService_SignIdentity(t *testing.T) {
|
||||
t.Run("should sign identity with authenticated by if user is externally authenticated", func(t *testing.T) {
|
||||
s := ProvideService(
|
||||
setting.NewCfg(), signer, remotecache.NewFakeCacheStorage(),
|
||||
featuremgmt.WithFeatures(featuremgmt.FlagIdForwarding),
|
||||
&authntest.FakeService{}, nil,
|
||||
)
|
||||
_, gotClaims, err := s.SignIdentity(context.Background(), &authn.Identity{
|
||||
|
||||
@ -28,10 +28,6 @@ type LocalSigner struct {
|
||||
}
|
||||
|
||||
func (s *LocalSigner) SignIDToken(ctx context.Context, claims *auth.IDClaims) (string, error) {
|
||||
if !s.features.IsEnabled(ctx, featuremgmt.FlagIdForwarding) {
|
||||
return "", nil
|
||||
}
|
||||
|
||||
signer, err := s.getSigner(ctx)
|
||||
if err != nil {
|
||||
return "", err
|
||||
|
||||
@ -72,7 +72,6 @@ type Identity struct {
|
||||
// Permissions is the list of permissions the entity has.
|
||||
Permissions map[int64]map[string][]string
|
||||
// IDToken is a signed token representing the identity that can be forwarded to plugins and external services.
|
||||
// Will only be set when featuremgmt.FlagIdForwarding is enabled.
|
||||
IDToken string
|
||||
IDTokenClaims *authn.Claims[authn.IDTokenClaims]
|
||||
}
|
||||
|
||||
@ -664,12 +664,6 @@ var (
|
||||
Stage: FeatureStageExperimental,
|
||||
Owner: grafanaPluginsPlatformSquad,
|
||||
},
|
||||
{
|
||||
Name: "idForwarding",
|
||||
Description: "Generate signed id token for identity that can be forwarded to plugins and external services",
|
||||
Stage: FeatureStageExperimental,
|
||||
Owner: identityAccessTeam,
|
||||
},
|
||||
{
|
||||
Name: "externalServiceAccounts",
|
||||
Description: "Automatic service account and token setup for plugins",
|
||||
|
||||
@ -87,7 +87,6 @@ wargamesTesting,experimental,@grafana/hosted-grafana-team,false,false,false
|
||||
alertingInsights,GA,@grafana/alerting-squad,false,false,true
|
||||
externalCorePlugins,experimental,@grafana/plugins-platform-backend,false,false,false
|
||||
pluginsAPIMetrics,experimental,@grafana/plugins-platform-backend,false,false,true
|
||||
idForwarding,experimental,@grafana/identity-access-team,false,false,false
|
||||
externalServiceAccounts,preview,@grafana/identity-access-team,false,false,false
|
||||
panelMonitoring,GA,@grafana/dataviz-squad,false,false,true
|
||||
enableNativeHTTPHistogram,experimental,@grafana/grafana-backend-services-squad,false,true,false
|
||||
|
||||
|
@ -359,10 +359,6 @@ const (
|
||||
// Sends metrics of public grafana packages usage by plugins
|
||||
FlagPluginsAPIMetrics = "pluginsAPIMetrics"
|
||||
|
||||
// FlagIdForwarding
|
||||
// Generate signed id token for identity that can be forwarded to plugins and external services
|
||||
FlagIdForwarding = "idForwarding"
|
||||
|
||||
// FlagExternalServiceAccounts
|
||||
// Automatic service account and token setup for plugins
|
||||
FlagExternalServiceAccounts = "externalServiceAccounts"
|
||||
|
||||
@ -1320,7 +1320,8 @@
|
||||
"metadata": {
|
||||
"name": "idForwarding",
|
||||
"resourceVersion": "1718727528075",
|
||||
"creationTimestamp": "2023-09-25T15:21:28Z"
|
||||
"creationTimestamp": "2023-09-25T15:21:28Z",
|
||||
"deletionTimestamp": "2024-08-21T11:35:56Z"
|
||||
},
|
||||
"spec": {
|
||||
"description": "Generate signed id token for identity that can be forwarded to plugins and external services",
|
||||
|
||||
@ -12,8 +12,7 @@ import (
|
||||
const forwardIDHeaderName = "X-Grafana-Id"
|
||||
|
||||
// NewForwardIDMiddleware creates a new plugins.ClientMiddleware that will
|
||||
// set grafana id header on outgoing plugins.Client requests if the
|
||||
// feature toggle FlagIdForwarding is enabled
|
||||
// set grafana id header on outgoing plugins.Client requests
|
||||
func NewForwardIDMiddleware() plugins.ClientMiddleware {
|
||||
return plugins.ClientMiddlewareFunc(func(next plugins.Client) plugins.Client {
|
||||
return &ForwardIDMiddleware{
|
||||
@ -35,7 +34,6 @@ func (m *ForwardIDMiddleware) applyToken(ctx context.Context, pCtx backend.Plugi
|
||||
return nil
|
||||
}
|
||||
|
||||
// token will only be present if faeturemgmt.FlagIdForwarding is enabled
|
||||
if token := reqCtx.SignedInUser.GetIDToken(); token != "" {
|
||||
req.SetHTTPHeader(forwardIDHeaderName, token)
|
||||
}
|
||||
|
||||
@ -187,12 +187,9 @@ func CreateMiddlewares(cfg *setting.Cfg, oAuthTokenService oauthtoken.OAuthToken
|
||||
clientmiddleware.NewCookiesMiddleware(skipCookiesNames),
|
||||
clientmiddleware.NewResourceResponseMiddleware(),
|
||||
clientmiddleware.NewCachingMiddlewareWithFeatureManager(cachingService, features),
|
||||
clientmiddleware.NewForwardIDMiddleware(),
|
||||
)
|
||||
|
||||
if features.IsEnabledGlobally(featuremgmt.FlagIdForwarding) {
|
||||
middlewares = append(middlewares, clientmiddleware.NewForwardIDMiddleware())
|
||||
}
|
||||
|
||||
if cfg.SendUserHeader {
|
||||
middlewares = append(middlewares, clientmiddleware.NewUserHeaderMiddleware())
|
||||
}
|
||||
|
||||
@ -45,7 +45,6 @@ type SignedInUser struct {
|
||||
Permissions map[int64]map[string][]string `json:"-"`
|
||||
|
||||
// IDToken is a signed token representing the identity that can be forwarded to plugins and external services.
|
||||
// Will only be set when featuremgmt.FlagIdForwarding is enabled.
|
||||
IDToken string `json:"-" xorm:"-"`
|
||||
IDTokenClaims *authnlib.Claims[authnlib.IDTokenClaims] `json:"-" xorm:"-"`
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user