Auth: Add authed device tagging (#72442)

* add authed device tagging

* fix config

* implement feedback

* implement feedback

* add reverse untag behavior

* remove duplicate stat

* Update pkg/services/anonymous/anonimpl/impl.go

pkg/services/anonymous/anonimpl/impl.go

@@ -3,6 +3,7 @@ package anonimpl
 import (
 	"context"
 	"encoding/hex"
+	"encoding/json"
 	"fmt"
 	"hash/fnv"
 	"net/http"
@@ -14,28 +15,30 @@ import (
 	"github.com/grafana/grafana/pkg/infra/network"
 	"github.com/grafana/grafana/pkg/infra/remotecache"
 	"github.com/grafana/grafana/pkg/infra/usagestats"
+	"github.com/grafana/grafana/pkg/services/anonymous"
 	"github.com/grafana/grafana/pkg/web"
 )
 
 const thirtyDays = 30 * 24 * time.Hour
-const anonCachePrefix = "anon-session"
 
 type Device struct {
-	ip        string
+	Kind      anonymous.DeviceKind `json:"kind"`
-	userAgent string
+	IP        string               `json:"ip"`
+	UserAgent string               `json:"user_agent"`
+	LastSeen  time.Time            `json:"last_seen"`
 }
 
 func (a *Device) Key() (string, error) {
 	key := strings.Builder{}
-	key.WriteString(a.ip)
+	key.WriteString(a.IP)
-	key.WriteString(a.userAgent)
+	key.WriteString(a.UserAgent)
 
 	hash := fnv.New128a()
 	if _, err := hash.Write([]byte(key.String())); err != nil {
 		return "", fmt.Errorf("failed to write to hash: %w", err)
 	}
 
-	return strings.Join([]string{anonCachePrefix, hex.EncodeToString(hash.Sum(nil))}, ":"), nil
+	return strings.Join([]string{string(a.Kind), hex.EncodeToString(hash.Sum(nil))}, ":"), nil
 }
 
 type AnonDeviceService struct {
@@ -57,17 +60,36 @@ func ProvideAnonymousDeviceService(remoteCache remotecache.CacheStorage, usageSt
 }
 
 func (a *AnonDeviceService) usageStatFn(ctx context.Context) (map[string]interface{}, error) {
-	sessionCount, err := a.remoteCache.Count(ctx, anonCachePrefix)
+	anonDeviceCount, err := a.remoteCache.Count(ctx, string(anonymous.AnonDevice))
+	if err != nil {
+		return nil, nil
+	}
+
+	authedDeviceCount, err := a.remoteCache.Count(ctx, string(anonymous.AuthedDevice))
 	if err != nil {
 		return nil, nil
 	}
 
 	return map[string]interface{}{
-		"stats.anonymous.session.count": sessionCount,
+		"stats.anonymous.session.count": anonDeviceCount, // keep session for legacy data
+		"stats.users.device.count":      authedDeviceCount,
 	}, nil
 }
 
-func (a *AnonDeviceService) TagDevice(ctx context.Context, httpReq *http.Request) error {
+func (a *AnonDeviceService) untagDevice(ctx context.Context, device *Device) error {
+	key, err := device.Key()
+	if err != nil {
+		return err
+	}
+
+	if err := a.remoteCache.Delete(ctx, key); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (a *AnonDeviceService) TagDevice(ctx context.Context, httpReq *http.Request, kind anonymous.DeviceKind) error {
 	addr := web.RemoteAddr(httpReq)
 	ip, err := network.GetIPFromAddress(addr)
 	if err != nil {
@@ -80,12 +102,14 @@ func (a *AnonDeviceService) TagDevice(ctx context.Context, httpReq *http.Request
 		clientIPStr = ""
 	}
 
-	anonDevice := &Device{
+	taggedDevice := &Device{
-		ip:        clientIPStr,
+		Kind:      kind,
-		userAgent: httpReq.UserAgent(),
+		IP:        clientIPStr,
+		UserAgent: httpReq.UserAgent(),
+		LastSeen:  time.Now().UTC(),
 	}
 
-	key, err := anonDevice.Key()
+	key, err := taggedDevice.Key()
 	if err != nil {
 		return err
 	}
@@ -96,5 +120,27 @@ func (a *AnonDeviceService) TagDevice(ctx context.Context, httpReq *http.Request
 
 	a.localCache.SetDefault(key, struct{}{})
 
-	return a.remoteCache.Set(ctx, key, []byte(key), thirtyDays)
+	deviceJSON, err := json.Marshal(taggedDevice)
+	if err != nil {
+		return err
+	}
+
+	if err := a.remoteCache.Set(ctx, key, deviceJSON, thirtyDays); err != nil {
+		return err
+	}
+
+	// remove existing tag when device switches to another kind
+	untagKind := anonymous.AnonDevice
+	if kind == anonymous.AnonDevice {
+		untagKind = anonymous.AuthedDevice
+	}
+	if err := a.untagDevice(ctx, &Device{
+		Kind:      untagKind,
+		IP:        taggedDevice.IP,
+		UserAgent: taggedDevice.UserAgent,
+	}); err != nil {
+		return err
+	}
+
+	return nil
 }

pkg/services/anonymous/anonimpl/impl_test.go

@@ -2,14 +2,17 @@ package anonimpl
 
 import (
 	"context"
+	"encoding/json"
 	"net/http"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	"github.com/grafana/grafana/pkg/infra/remotecache"
 	"github.com/grafana/grafana/pkg/infra/usagestats"
+	"github.com/grafana/grafana/pkg/services/anonymous"
 )
 
 func TestAnonDeviceKey(t *testing.T) {
@@ -21,24 +24,27 @@ func TestAnonDeviceKey(t *testing.T) {
 		{
 			name: "should hash correctly",
 			session: &Device{
-				ip:        "10.10.10.10",
+				Kind:      anonymous.AnonDevice,
-				userAgent: "test",
+				IP:        "10.10.10.10",
+				UserAgent: "test",
 			},
 			expected: "anon-session:ad9f5c6bf504a9fa77c37a3a6658c0cd",
 		},
 		{
 			name: "should hash correctly with different ip",
 			session: &Device{
-				ip:        "10.10.10.1",
+				Kind:      anonymous.AnonDevice,
-				userAgent: "test",
+				IP:        "10.10.10.1",
+				UserAgent: "test",
 			},
 			expected: "anon-session:580605320245e8289e0b301074a027c3",
 		},
 		{
 			name: "should hash correctly with different user agent",
 			session: &Device{
-				ip:        "10.10.10.1",
+				Kind:      anonymous.AnonDevice,
-				userAgent: "test2",
+				IP:        "10.10.10.1",
+				UserAgent: "test2",
 			},
 			expected: "anon-session:5fdd04b0bd04a9fa77c4243f8111258b",
 		},
@@ -58,75 +64,149 @@ func TestAnonDeviceKey(t *testing.T) {
 	}
 }
 
-func TestIntegrationAnonDeviceService_tag(t *testing.T) {
+func TestIntegrationDeviceService_tag(t *testing.T) {
+	type tagReq struct {
+		httpReq *http.Request
+		kind    anonymous.DeviceKind
+	}
 	testCases := []struct {
 		name                string
-		req           []*http.Request
+		req                 []tagReq
-		expectedCount int64
+		expectedAnonCount   int64
+		expectedAuthedCount int64
+		expectedDevice      *Device
 	}{
 		{
 			name:                "no requests",
-			req:           []*http.Request{},
+			req:                 []tagReq{{httpReq: &http.Request{}, kind: anonymous.AnonDevice}},
-			expectedCount: 0,
+			expectedAnonCount:   0,
+			expectedAuthedCount: 0,
 		},
 		{
 			name: "missing info should not tag",
-			req: []*http.Request{
+			req: []tagReq{{httpReq: &http.Request{
-				{
 				Header: http.Header{
 					"User-Agent": []string{"test"},
 				},
 			},
-			},
+				kind: anonymous.AnonDevice,
-			expectedCount: 0,
+			}},
+			expectedAnonCount:   0,
+			expectedAuthedCount: 0,
 		},
 		{
 			name: "should tag once",
-			req: []*http.Request{
+			req: []tagReq{{httpReq: &http.Request{
-				{
 				Header: http.Header{
 					"User-Agent":      []string{"test"},
 					"X-Forwarded-For": []string{"10.30.30.1"},
 				},
 			},
+				kind: anonymous.AnonDevice,
 			},
-			expectedCount: 1,
+			},
+			expectedAnonCount:   1,
+			expectedAuthedCount: 0,
+			expectedDevice: &Device{
+				Kind:      anonymous.AnonDevice,
+				IP:        "10.30.30.1",
+				UserAgent: "test"},
 		},
 		{
 			name: "repeat request should not tag",
-			req: []*http.Request{
+			req: []tagReq{{httpReq: &http.Request{
-				{
 				Header: http.Header{
 					"User-Agent":      []string{"test"},
 					"X-Forwarded-For": []string{"10.30.30.1"},
 				},
 			},
-				{
+				kind: anonymous.AnonDevice,
+			}, {httpReq: &http.Request{
 				Header: http.Header{
 					"User-Agent":      []string{"test"},
 					"X-Forwarded-For": []string{"10.30.30.1"},
 				},
 			},
+				kind: anonymous.AnonDevice,
 			},
-			expectedCount: 1,
 			},
-		{
+			expectedAnonCount:   1,
-			name: "tag 2 different requests",
+			expectedAuthedCount: 0,
-			req: []*http.Request{
+		}, {
-				{
+			name: "authed request should untag anon",
+			req: []tagReq{{httpReq: &http.Request{
 				Header: http.Header{
 					"User-Agent":      []string{"test"},
 					"X-Forwarded-For": []string{"10.30.30.1"},
 				},
+			},
+				kind: anonymous.AnonDevice,
+			}, {httpReq: &http.Request{
+				Header: http.Header{
+					"User-Agent":      []string{"test"},
+					"X-Forwarded-For": []string{"10.30.30.1"},
+				},
+			},
+				kind: anonymous.AuthedDevice,
+			},
+			},
+			expectedAnonCount:   0,
+			expectedAuthedCount: 1,
+		}, {
+			name: "anon request should untag authed",
+			req: []tagReq{{httpReq: &http.Request{
+				Header: http.Header{
+					"User-Agent":      []string{"test"},
+					"X-Forwarded-For": []string{"10.30.30.1"},
+				},
+			},
+				kind: anonymous.AuthedDevice,
+			}, {httpReq: &http.Request{
+				Header: http.Header{
+					"User-Agent":      []string{"test"},
+					"X-Forwarded-For": []string{"10.30.30.1"},
+				},
+			},
+				kind: anonymous.AnonDevice,
+			},
+			},
+			expectedAnonCount:   1,
+			expectedAuthedCount: 0,
 		},
 		{
+			name: "tag 4 different requests",
+			req: []tagReq{{httpReq: &http.Request{
+				Header: http.Header{
+					"User-Agent":      []string{"test"},
+					"X-Forwarded-For": []string{"10.30.30.1"},
+				},
+			},
+				kind: anonymous.AnonDevice,
+			}, {httpReq: &http.Request{
 				Header: http.Header{
 					"User-Agent":      []string{"test"},
 					"X-Forwarded-For": []string{"10.30.30.2"},
 				},
 			},
+				kind: anonymous.AnonDevice,
+			}, {httpReq: &http.Request{
+				Header: http.Header{
+					"User-Agent":      []string{"test"},
+					"X-Forwarded-For": []string{"10.30.30.3"},
 				},
-			expectedCount: 2,
+			},
+				kind: anonymous.AuthedDevice,
+			}, {httpReq: &http.Request{
+				Header: http.Header{
+					"User-Agent":      []string{"test"},
+					"X-Forwarded-For": []string{"10.30.30.4"},
+				},
+			},
+				kind: anonymous.AuthedDevice,
+			},
+			},
+			expectedAnonCount:   2,
+			expectedAuthedCount: 2,
 		},
 	}
 
@@ -137,14 +217,32 @@ func TestIntegrationAnonDeviceService_tag(t *testing.T) {
 			anonService := ProvideAnonymousDeviceService(fakeStore, &usagestats.UsageStatsMock{})
 
 			for _, req := range tc.req {
-				err := anonService.TagDevice(context.Background(), req)
+				err := anonService.TagDevice(context.Background(), req.httpReq, req.kind)
 				require.NoError(t, err)
 			}
 
 			stats, err := anonService.usageStatFn(context.Background())
 			require.NoError(t, err)
 
-			assert.Equal(t, tc.expectedCount, stats["stats.anonymous.session.count"].(int64))
+			assert.Equal(t, tc.expectedAnonCount, stats["stats.anonymous.session.count"].(int64))
+			assert.Equal(t, tc.expectedAuthedCount, stats["stats.users.device.count"].(int64))
+
+			if tc.expectedDevice != nil {
+				key, err := tc.expectedDevice.Key()
+				require.NoError(t, err)
+
+				k, err := fakeStore.Get(context.Background(), key)
+				require.NoError(t, err)
+
+				gotDevice := &Device{}
+				err = json.Unmarshal(k, gotDevice)
+				require.NoError(t, err)
+
+				assert.NotNil(t, gotDevice.LastSeen)
+				gotDevice.LastSeen = time.Time{}
+
+				assert.Equal(t, tc.expectedDevice, gotDevice)
+			}
 		})
 	}
 }
@@ -162,8 +260,10 @@ func TestIntegrationAnonDeviceService_localCacheSafety(t *testing.T) {
 	}
 
 	anonDevice := &Device{
-		ip:        "10.30.30.2",
+		Kind:      anonymous.AnonDevice,
-		userAgent: "test",
+		IP:        "10.30.30.2",
+		UserAgent: "test",
+		LastSeen:  time.Now().UTC(),
 	}
 
 	key, err := anonDevice.Key()
@@ -171,7 +271,7 @@ func TestIntegrationAnonDeviceService_localCacheSafety(t *testing.T) {
 
 	anonService.localCache.SetDefault(key, true)
 
-	err = anonService.TagDevice(context.Background(), req)
+	err = anonService.TagDevice(context.Background(), req, anonymous.AnonDevice)
 	require.NoError(t, err)
 
 	stats, err := anonService.usageStatFn(context.Background())

pkg/services/anonymous/anontest/fake.go

@@ -3,11 +3,13 @@ package anontest
 import (
 	"context"
 	"net/http"
+
+	"github.com/grafana/grafana/pkg/services/anonymous"
 )
 
 type FakeAnonymousSessionService struct {
 }
 
-func (f *FakeAnonymousSessionService) TagDevice(ctx context.Context, httpReq *http.Request) error {
+func (f *FakeAnonymousSessionService) TagDevice(ctx context.Context, httpReq *http.Request, kind anonymous.DeviceKind) error {
 	return nil
 }

pkg/services/anonymous/service.go

@@ -5,6 +5,13 @@ import (
 	"net/http"
 )
 
+type DeviceKind string
+
+const (
+	AnonDevice   DeviceKind = "anon-session"
+	AuthedDevice DeviceKind = "authed-session"
+)
+
 type Service interface {
-	TagDevice(context.Context, *http.Request) error
+	TagDevice(context.Context, *http.Request, DeviceKind) error
 }

pkg/services/authn/authnimpl/service.go

@@ -84,7 +84,7 @@ func ProvideService(
 	s.RegisterClient(clients.ProvideAPIKey(apikeyService, userService))
 
 	if cfg.LoginCookieName != "" {
-		s.RegisterClient(clients.ProvideSession(cfg, sessionService, features))
+		s.RegisterClient(clients.ProvideSession(cfg, sessionService, features, anonDeviceService))
 	}
 
 	if s.cfg.AnonymousEnabled {

pkg/services/authn/clients/anonymous.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"net/http"
 	"strings"
+	"time"
 
 	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/services/anonymous"
@@ -14,6 +15,8 @@ import (
 
 var _ authn.ContextAwareClient = new(Anonymous)
 
+const timeoutTag = 2 * time.Minute
+
 func ProvideAnonymous(cfg *setting.Cfg, orgService org.Service, anonDeviceService anonymous.Service) *Anonymous {
 	return &Anonymous{
 		cfg:               cfg,
@@ -54,7 +57,10 @@ func (a *Anonymous) Authenticate(ctx context.Context, r *authn.Request) (*authn.
 				a.log.Warn("tag anon session panic", "err", err)
 			}
 		}()
-		if err := a.anonDeviceService.TagDevice(context.Background(), httpReqCopy); err != nil {
+
+		newCtx, cancel := context.WithTimeout(context.Background(), timeoutTag)
+		defer cancel()
+		if err := a.anonDeviceService.TagDevice(newCtx, httpReqCopy, anonymous.AnonDevice); err != nil {
 			a.log.Warn("failed to tag anonymous session", "error", err)
 		}
 	}()

pkg/services/authn/clients/session.go

@@ -3,11 +3,13 @@ package clients
 import (
 	"context"
 	"errors"
+	"net/http"
 	"net/url"
 	"time"
 
 	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/infra/network"
+	"github.com/grafana/grafana/pkg/services/anonymous"
 	"github.com/grafana/grafana/pkg/services/auth"
 	"github.com/grafana/grafana/pkg/services/authn"
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
@@ -18,12 +20,15 @@ import (
 var _ authn.HookClient = new(Session)
 var _ authn.ContextAwareClient = new(Session)
 
-func ProvideSession(cfg *setting.Cfg, sessionService auth.UserTokenService, features *featuremgmt.FeatureManager) *Session {
+func ProvideSession(cfg *setting.Cfg, sessionService auth.UserTokenService,
+	features *featuremgmt.FeatureManager, anonDeviceService anonymous.Service) *Session {
 	return &Session{
 		cfg:               cfg,
 		features:          features,
 		sessionService:    sessionService,
 		log:               log.New(authn.ClientSession),
+		anonDeviceService: anonDeviceService,
+		tagDevices:        cfg.TagAuthedDevices,
 	}
 }
 
@@ -32,6 +37,8 @@ type Session struct {
 	features          *featuremgmt.FeatureManager
 	sessionService    auth.UserTokenService
 	log               log.Logger
+	tagDevices        bool
+	anonDeviceService anonymous.Service
 }
 
 func (s *Session) Name() string {
@@ -60,6 +67,29 @@ func (s *Session) Authenticate(ctx context.Context, r *authn.Request) (*authn.Id
 		}
 	}
 
+	if s.tagDevices {
+		// Tag authed devices
+		httpReqCopy := &http.Request{}
+		if r.HTTPRequest != nil && r.HTTPRequest.Header != nil {
+			// avoid r.HTTPRequest.Clone(context.Background()) as we do not require a full clone
+			httpReqCopy.Header = r.HTTPRequest.Header.Clone()
+			httpReqCopy.RemoteAddr = r.HTTPRequest.RemoteAddr
+		}
+		go func() {
+			defer func() {
+				if err := recover(); err != nil {
+					s.log.Warn("tag anon session panic", "err", err)
+				}
+			}()
+
+			newCtx, cancel := context.WithTimeout(context.Background(), timeoutTag)
+			defer cancel()
+			if err := s.anonDeviceService.TagDevice(newCtx, httpReqCopy, anonymous.AuthedDevice); err != nil {
+				s.log.Warn("failed to tag anonymous session", "error", err)
+			}
+		}()
+	}
+
 	return &authn.Identity{
 		ID:           authn.NamespacedID(authn.NamespaceUser, token.UserId),
 		SessionToken: token,

pkg/services/authn/clients/session_test.go

@@ -11,6 +11,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/grafana/grafana/pkg/models/usertoken"
+	"github.com/grafana/grafana/pkg/services/anonymous/anontest"
 	"github.com/grafana/grafana/pkg/services/auth"
 	"github.com/grafana/grafana/pkg/services/auth/authtest"
 	"github.com/grafana/grafana/pkg/services/authn"
@@ -29,7 +30,7 @@ func TestSession_Test(t *testing.T) {
 	cfg := setting.NewCfg()
 	cfg.LoginCookieName = ""
 	cfg.LoginMaxLifetime = 20 * time.Second
-	s := ProvideSession(cfg, &authtest.FakeUserAuthTokenService{}, featuremgmt.WithFeatures())
+	s := ProvideSession(cfg, &authtest.FakeUserAuthTokenService{}, featuremgmt.WithFeatures(), &anontest.FakeAnonymousSessionService{})
 
 	disabled := s.Test(context.Background(), &authn.Request{HTTPRequest: validHTTPReq})
 	assert.False(t, disabled)
@@ -145,7 +146,7 @@ func TestSession_Authenticate(t *testing.T) {
 			cfg.LoginCookieName = cookieName
 			cfg.TokenRotationIntervalMinutes = 10
 			cfg.LoginMaxLifetime = 20 * time.Second
-			s := ProvideSession(cfg, tt.fields.sessionService, tt.fields.features)
+			s := ProvideSession(cfg, tt.fields.sessionService, tt.fields.features, &anontest.FakeAnonymousSessionService{})
 
 			got, err := s.Authenticate(context.Background(), tt.args.r)
 			require.True(t, (err != nil) == tt.wantErr, err)
@@ -185,7 +186,7 @@ func TestSession_Hook(t *testing.T) {
 				token.UnhashedToken = "new-token"
 				return true, token, nil
 			},
-		}, featuremgmt.WithFeatures())
+		}, featuremgmt.WithFeatures(), &anontest.FakeAnonymousSessionService{})
 
 		sampleID := &authn.Identity{
 			SessionToken: &auth.UserToken{
@@ -219,7 +220,7 @@ func TestSession_Hook(t *testing.T) {
 	})
 
 	t.Run("should not rotate token with feature flag", func(t *testing.T) {
-		s := ProvideSession(setting.NewCfg(), nil, featuremgmt.WithFeatures(featuremgmt.FlagClientTokenRotation))
+		s := ProvideSession(setting.NewCfg(), nil, featuremgmt.WithFeatures(featuremgmt.FlagClientTokenRotation), &anontest.FakeAnonymousSessionService{})
 
 		req := &authn.Request{}
 		identity := &authn.Identity{}

pkg/services/contexthandler/contexthandler.go

@@ -282,7 +282,8 @@ func (h *ContextHandler) initContextWithAnonymousUser(reqContext *contextmodel.R
 				reqContext.Logger.Warn("tag anon session panic", "err", err)
 			}
 		}()
-		if err := h.anonDeviceService.TagDevice(context.Background(), httpReqCopy); err != nil {
+
+		if err := h.anonDeviceService.TagDevice(context.Background(), httpReqCopy, anonymous.AnonDevice); err != nil {
 			reqContext.Logger.Warn("Failed to tag anonymous session", "error", err)
 		}
 	}()

pkg/setting/setting.go

@@ -282,6 +282,8 @@ type Cfg struct {
 	AuthConfigUIAdminAccess bool
 	// TO REMOVE: Not documented & not supported. Remove with legacy handlers in 10.2
 	AuthBrokerEnabled bool
+	// TO REMOVE: Not documented & not supported. Remove in 10.3
+	TagAuthedDevices bool
 
 	// AWS Plugin Auth
 	AWSAllowedAuthProviders []string
@@ -1528,6 +1530,7 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
 	// Do not use
 	cfg.AuthConfigUIAdminAccess = auth.Key("config_ui_admin_access").MustBool(false)
 	cfg.AuthBrokerEnabled = auth.Key("broker").MustBool(true)
+	cfg.TagAuthedDevices = auth.Key("tag_authed_devices").MustBool(true)
 
 	cfg.DisableLoginForm = auth.Key("disable_login_form").MustBool(false)
 	DisableSignoutMenu = auth.Key("disable_signout_menu").MustBool(false)