AuthN: Use fetch user sync hook for render keys connected to a user (#84080)

* Use fetch user sync hook for render keys connected to a user
2024-11-28 19:54:10 -06:00 · 2024-03-12 09:15:14 +01:00 · 2024-03-12 09:15:14 +01:00 · 6ea9f0c447
commit 6ea9f0c447
parent f50624d257
3 changed files with 20 additions and 38 deletions
--- a/pkg/services/authn/authnimpl/service.go
+++ b/pkg/services/authn/authnimpl/service.go
@ -89,7 +89,7 @@ func ProvideService(

 	usageStats.RegisterMetricsFunc(s.getUsageStats)

-	s.RegisterClient(clients.ProvideRender(userService, renderService))
+	s.RegisterClient(clients.ProvideRender(renderService))
 	s.RegisterClient(clients.ProvideAPIKey(apikeyService))

 	if cfg.LoginCookieName != "" {
--- a/pkg/services/authn/clients/render.go
+++ b/pkg/services/authn/clients/render.go
@ -8,7 +8,6 @@ import (
 	"github.com/grafana/grafana/pkg/services/login"
 	"github.com/grafana/grafana/pkg/services/org"
 	"github.com/grafana/grafana/pkg/services/rendering"
-	"github.com/grafana/grafana/pkg/services/user"
 	"github.com/grafana/grafana/pkg/util/errutil"
 )

@ -22,12 +21,11 @@ const (

 var _ authn.ContextAwareClient = new(Render)

-func ProvideRender(userService user.Service, renderService rendering.Service) *Render {
-	return &Render{userService, renderService}
+func ProvideRender(renderService rendering.Service) *Render {
+	return &Render{renderService}
 }

 type Render struct {
-	userService   user.Service
 	renderService rendering.Service
 }

@ -42,26 +40,23 @@ func (c *Render) Authenticate(ctx context.Context, r *authn.Request) (*authn.Ide
 		return nil, errInvalidRenderKey.Errorf("found no render user for key: %s", key)
 	}

-	var identity *authn.Identity
 	if renderUsr.UserID <= 0 {
-		identity = &authn.Identity{
-			ID:           authn.NamespacedID(authn.NamespaceRenderService, 0),
-			OrgID:        renderUsr.OrgID,
-			OrgRoles:     map[int64]org.RoleType{renderUsr.OrgID: org.RoleType(renderUsr.OrgRole)},
-			ClientParams: authn.ClientParams{SyncPermissions: true},
-		}
-	} else {
-		usr, err := c.userService.GetSignedInUserWithCacheCtx(ctx, &user.GetSignedInUserQuery{UserID: renderUsr.UserID, OrgID: renderUsr.OrgID})
-		if err != nil {
-			return nil, err
-		}
-
-		identity = authn.IdentityFromSignedInUser(authn.NamespacedID(authn.NamespaceUser, usr.UserID), usr, authn.ClientParams{SyncPermissions: true}, login.RenderModule)
+		return &authn.Identity{
+			ID:              authn.NamespacedID(authn.NamespaceRenderService, 0),
+			OrgID:           renderUsr.OrgID,
+			OrgRoles:        map[int64]org.RoleType{renderUsr.OrgID: org.RoleType(renderUsr.OrgRole)},
+			ClientParams:    authn.ClientParams{SyncPermissions: true},
+			LastSeenAt:      time.Now(),
+			AuthenticatedBy: login.RenderModule,
+		}, nil
 	}

-	identity.LastSeenAt = time.Now()
-	identity.AuthenticatedBy = login.RenderModule
-	return identity, nil
+	return &authn.Identity{
+		ID:              authn.NamespacedID(authn.NamespaceUser, renderUsr.UserID),
+		LastSeenAt:      time.Now(),
+		AuthenticatedBy: login.RenderModule,
+		ClientParams:    authn.ClientParams{FetchSyncedUser: true, SyncPermissions: true},
+	}, nil
 }

 func (c *Render) Test(ctx context.Context, r *authn.Request) bool {
--- a/pkg/services/authn/clients/render_test.go
+++ b/pkg/services/authn/clients/render_test.go
@ -13,8 +13,6 @@ import (
 	"github.com/grafana/grafana/pkg/services/login"
 	"github.com/grafana/grafana/pkg/services/org"
 	"github.com/grafana/grafana/pkg/services/rendering"
-	"github.com/grafana/grafana/pkg/services/user"
-	"github.com/grafana/grafana/pkg/services/user/usertest"
 )

 func TestRender_Authenticate(t *testing.T) {
@ -23,7 +21,6 @@ func TestRender_Authenticate(t *testing.T) {
 		renderKey         string
 		req               *authn.Request
 		expectedErr       error
-		expectedUsr       *user.SignedInUser
 		expectedIdentity  *authn.Identity
 		expectedRenderUsr *rendering.RenderUser
 	}
@ -60,23 +57,13 @@ func TestRender_Authenticate(t *testing.T) {
 			},
 			expectedIdentity: &authn.Identity{
 				ID:              "user:1",
-				OrgID:           1,
-				OrgName:         "test",
-				OrgRoles:        map[int64]org.RoleType{1: org.RoleAdmin},
-				IsGrafanaAdmin:  boolPtr(false),
 				AuthenticatedBy: login.RenderModule,
-				ClientParams:    authn.ClientParams{SyncPermissions: true},
+				ClientParams:    authn.ClientParams{FetchSyncedUser: true, SyncPermissions: true},
 			},
 			expectedRenderUsr: &rendering.RenderUser{
 				OrgID:  1,
 				UserID: 1,
 			},
-			expectedUsr: &user.SignedInUser{
-				UserID:  1,
-				OrgID:   1,
-				OrgName: "test",
-				OrgRole: "Admin",
-			},
 		},
 		{
 			desc:      "expect error when render key is invalid",
@ -97,7 +84,7 @@ func TestRender_Authenticate(t *testing.T) {
 			renderService := rendering.NewMockService(ctrl)
 			renderService.EXPECT().GetRenderUser(gomock.Any(), tt.renderKey).Return(tt.expectedRenderUsr, tt.expectedRenderUsr != nil)

-			c := ProvideRender(&usertest.FakeUserService{ExpectedSignedInUser: tt.expectedUsr}, renderService)
+			c := ProvideRender(renderService)
 			identity, err := c.Authenticate(context.Background(), tt.req)
 			if tt.expectedErr != nil {
 				assert.ErrorIs(t, tt.expectedErr, err)
@ -141,7 +128,7 @@ func TestRender_Test(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.desc, func(t *testing.T) {
-			c := ProvideRender(&usertest.FakeUserService{}, &rendering.MockService{})
+			c := ProvideRender(&rendering.MockService{})
 			assert.Equal(t, tt.expected, c.Test(context.Background(), tt.req))
 		})
 	}