Separate authn flow from analytics (#68327)

* separate authn flow from analytics * lint fix
2025-02-25 18:55:37 -06:00 · 2023-05-15 18:38:54 +02:00
parent ab5a3820d5
commit 5ec0f82baa
9 changed files with 169 additions and 135 deletions
--- a/pkg/services/authn/authn.go
+++ b/pkg/services/authn/authn.go
@@ -262,23 +262,21 @@ func (i *Identity) SignedInUser() *user.SignedInUser {
 	}

 	u := &user.SignedInUser{
-		UserID:             0,
-		OrgID:              i.OrgID,
-		OrgName:            i.OrgName,
-		OrgRole:            i.Role(),
-		ExternalAuthModule: i.AuthModule,
-		ExternalAuthID:     i.AuthID,
-		Login:              i.Login,
-		Name:               i.Name,
-		Email:              i.Email,
-		OrgCount:           i.OrgCount,
-		IsGrafanaAdmin:     isGrafanaAdmin,
-		IsAnonymous:        i.IsAnonymous,
-		IsDisabled:         i.IsDisabled,
-		HelpFlags1:         i.HelpFlags1,
-		LastSeenAt:         i.LastSeenAt,
-		Teams:              i.Teams,
-		Permissions:        i.Permissions,
+		UserID:         0,
+		OrgID:          i.OrgID,
+		OrgName:        i.OrgName,
+		OrgRole:        i.Role(),
+		Login:          i.Login,
+		Name:           i.Name,
+		Email:          i.Email,
+		OrgCount:       i.OrgCount,
+		IsGrafanaAdmin: isGrafanaAdmin,
+		IsAnonymous:    i.IsAnonymous,
+		IsDisabled:     i.IsDisabled,
+		HelpFlags1:     i.HelpFlags1,
+		LastSeenAt:     i.LastSeenAt,
+		Teams:          i.Teams,
+		Permissions:    i.Permissions,
 	}

 	namespace, id := i.NamespacedID()
@@ -327,8 +325,6 @@ func IdentityFromSignedInUser(id string, usr *user.SignedInUser, params ClientPa
 		Teams:          usr.Teams,
 		ClientParams:   params,
 		Permissions:    usr.Permissions,
-		AuthModule:     usr.ExternalAuthModule,
-		AuthID:         usr.ExternalAuthID,
 	}
 }

--- a/pkg/services/authn/authnimpl/sync/user_sync.go
+++ b/pkg/services/authn/authnimpl/sync/user_sync.go
@@ -392,8 +392,6 @@ func syncSignedInUserToIdentity(usr *user.SignedInUser, identity *authn.Identity
 	identity.LastSeenAt = usr.LastSeenAt
 	identity.IsDisabled = usr.IsDisabled
 	identity.IsGrafanaAdmin = &usr.IsGrafanaAdmin
-	identity.AuthID = usr.ExternalAuthID
-	identity.AuthModule = usr.ExternalAuthModule
 }

 func shouldUpdateLastSeen(t time.Time) bool {
--- a/pkg/services/contexthandler/contexthandler.go
+++ b/pkg/services/contexthandler/contexthandler.go
@@ -3,9 +3,6 @@ package contexthandler

 import (
 	"context"
-	"crypto/hmac"
-	"crypto/sha256"
-	"encoding/hex"
 	"errors"
 	"fmt"
 	"net/http"
@@ -113,25 +110,6 @@ func FromContext(c context.Context) *contextmodel.ReqContext {
 	return nil
 }

-func hashUserIdentifier(identifier string, secret string) string {
-	key := []byte(secret)
-	h := hmac.New(sha256.New, key)
-	h.Write([]byte(identifier))
-	return hex.EncodeToString(h.Sum(nil))
-}
-
-func setSignedInUser(reqContext *contextmodel.ReqContext, identity *authn.Identity, intercomSecret string) {
-	reqContext.SignedInUser = identity.SignedInUser()
-	if identity.AuthID != "" {
-		reqContext.SignedInUser.Analytics.Identifier = identity.AuthID
-	} else {
-		reqContext.SignedInUser.Analytics.Identifier = identity.Email + "@" + setting.AppUrl
-	}
-	if intercomSecret != "" {
-		reqContext.SignedInUser.Analytics.IntercomIdentifier = hashUserIdentifier(identity.AuthID, intercomSecret)
-	}
-}
-
 // Middleware provides a middleware to initialize the request context.
 func (h *ContextHandler) Middleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -172,8 +150,8 @@ func (h *ContextHandler) Middleware(next http.Handler) http.Handler {
 				// Hack: set all errors on LookupTokenErr, so we can check it in auth middlewares
 				reqContext.LookupTokenErr = err
 			} else {
+				reqContext.SignedInUser = identity.SignedInUser()
 				reqContext.UserToken = identity.SessionToken
-				setSignedInUser(reqContext, identity, h.Cfg.IntercomSecret)
 				reqContext.IsSignedIn = !identity.IsAnonymous
 				reqContext.AllowAnonymous = identity.IsAnonymous
 				reqContext.IsRenderCall = identity.AuthModule == login.RenderModule
--- a/pkg/services/user/model.go
+++ b/pkg/services/user/model.go
@@ -199,25 +199,22 @@ type AnalyticsSettings struct {
 }

 type SignedInUser struct {
-	UserID             int64 `xorm:"user_id"`
-	OrgID              int64 `xorm:"org_id"`
-	OrgName            string
-	OrgRole            roletype.RoleType
-	ExternalAuthModule string
-	ExternalAuthID     string `xorm:"external_auth_id"`
-	Login              string
-	Name               string
-	Email              string
-	ApiKeyID           int64 `xorm:"api_key_id"`
-	IsServiceAccount   bool  `xorm:"is_service_account"`
-	OrgCount           int
-	IsGrafanaAdmin     bool
-	IsAnonymous        bool
-	IsDisabled         bool
-	HelpFlags1         HelpFlags1
-	LastSeenAt         time.Time
-	Teams              []int64
-	Analytics          AnalyticsSettings
+	UserID           int64 `xorm:"user_id"`
+	OrgID            int64 `xorm:"org_id"`
+	OrgName          string
+	OrgRole          roletype.RoleType
+	Login            string
+	Name             string
+	Email            string
+	ApiKeyID         int64 `xorm:"api_key_id"`
+	IsServiceAccount bool  `xorm:"is_service_account"`
+	OrgCount         int
+	IsGrafanaAdmin   bool
+	IsAnonymous      bool
+	IsDisabled       bool
+	HelpFlags1       HelpFlags1
+	LastSeenAt       time.Time
+	Teams            []int64
 	// Permissions grouped by orgID and actions
 	Permissions map[int64]map[string][]string `json:"-"`
 }
--- a/pkg/services/user/userimpl/store.go
+++ b/pkg/services/user/userimpl/store.go
@@ -397,14 +397,11 @@ func (ss *sqlStore) GetSignedInUser(ctx context.Context, query *user.GetSignedIn
 		u.help_flags1         as help_flags1,
 		u.last_seen_at        as last_seen_at,
 		(SELECT COUNT(*) FROM org_user where org_user.user_id = u.id) as org_count,
-		user_auth.auth_module as external_auth_module,
-		user_auth.auth_id     as external_auth_id,
 		org.name              as org_name,
 		org_user.role         as org_role,
 		org.id                as org_id,
 		u.is_service_account  as is_service_account
 		FROM ` + ss.dialect.Quote("user") + ` as u
-		LEFT OUTER JOIN user_auth on user_auth.user_id = u.id
 		LEFT OUTER JOIN org_user on org_user.org_id = ` + orgId + ` and org_user.user_id = u.id
 		LEFT OUTER JOIN org on org.id = org_user.org_id `

@@ -438,11 +435,6 @@ func (ss *sqlStore) GetSignedInUser(ctx context.Context, query *user.GetSignedIn
 			signedInUser.OrgName = "Org missing"
 		}

-		if signedInUser.ExternalAuthModule != "oauth_grafana_com" {
-			signedInUser.ExternalAuthID = ""
-		}
-
-		signedInUser.Analytics = buildUserAnalyticsSettings(signedInUser, ss.cfg.IntercomSecret)
 		return nil
 	})
 	return &signedInUser, err
--- a/pkg/services/user/userimpl/user.go
+++ b/pkg/services/user/userimpl/user.go
@@ -2,9 +2,6 @@ package userimpl

 import (
 	"context"
-	"crypto/hmac"
-	"crypto/sha256"
-	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"strings"
@@ -466,25 +463,3 @@ func (s *Service) supportBundleCollector() supportbundles.Collector {
 		Fn:                collectorFn,
 	}
 }
-
-func hashUserIdentifier(identifier string, secret string) string {
-	key := []byte(secret)
-	h := hmac.New(sha256.New, key)
-	h.Write([]byte(identifier))
-	return hex.EncodeToString(h.Sum(nil))
-}
-
-func buildUserAnalyticsSettings(signedInUser user.SignedInUser, intercomSecret string) user.AnalyticsSettings {
-	var settings user.AnalyticsSettings
-
-	if signedInUser.ExternalAuthID != "" {
-		settings.Identifier = signedInUser.ExternalAuthID
-	} else {
-		settings.Identifier = signedInUser.Email + "@" + setting.AppUrl
-	}
-
-	if intercomSecret != "" {
-		settings.IntercomIdentifier = hashUserIdentifier(settings.Identifier, intercomSecret)
-	}
-	return settings
-}