From 7714b65f32ecceb6badcdf7afa99818072a02c32 Mon Sep 17 00:00:00 2001
From: Gabriel MABILLE
Date: Mon, 23 Sep 2024 16:50:11 +0200
Subject: [PATCH] Cfg: Deduplicate `DefaultOrgID` code (#93588)

Cfg: Expose DefaultOrgID function
---
 pkg/login/social/connectors/org_role_mapper.go | 5 +----
 pkg/services/authn/clients/ext_jwt.go | 16 ++++------------
 pkg/services/authn/clients/utils.go | 6 +-----
 pkg/services/extsvcauth/models.go | 9 ---------
 .../serviceaccounts/extsvcaccounts/service.go | 2 +-
 pkg/setting/setting.go | 7 +++++++
 6 files changed, 14 insertions(+), 31 deletions(-)

diff --git a/pkg/login/social/connectors/org_role_mapper.go b/pkg/login/social/connectors/org_role_mapper.go
index af08ee7a514..dac4157ea4f 100644
--- a/pkg/login/social/connectors/org_role_mapper.go
+++ b/pkg/login/social/connectors/org_role_mapper.go
@@ -92,10 +92,7 @@ func (m *OrgRoleMapper) getDefaultOrgMapping(strictRoleMapping bool, directlyMap
 }
 
 orgRoles := make(map[int64]org.RoleType, 0)
- orgID := int64(1)
- if m.cfg.AutoAssignOrg && m.cfg.AutoAssignOrgId > 0 {
- orgID = int64(m.cfg.AutoAssignOrgId)
- }
+ orgID := m.cfg.DefaultOrgID()
 orgRoles[orgID] = directlyMappedRole
 
 if !directlyMappedRole.IsValid() {
diff --git a/pkg/services/authn/clients/ext_jwt.go b/pkg/services/authn/clients/ext_jwt.go
index 7d9b30f36c0..26f98338ec2 100644
--- a/pkg/services/authn/clients/ext_jwt.go
+++ b/pkg/services/authn/clients/ext_jwt.go
@@ -101,7 +101,7 @@ func (s *ExtendedJWT) authenticateAsUser(
 accessTokenClaims authlib.Claims[authlib.AccessTokenClaims],
 ) (*authn.Identity, error) {
 // Only allow id tokens signed for namespace configured for this instance.
- if allowedNamespace := s.namespaceMapper(s.getDefaultOrgID()); !claims.NamespaceMatches(authlib.NewIdentityClaims(idTokenClaims), allowedNamespace) {
+ if allowedNamespace := s.namespaceMapper(s.cfg.DefaultOrgID()); !claims.NamespaceMatches(authlib.NewIdentityClaims(idTokenClaims), allowedNamespace) {
 return nil, errExtJWTDisallowedNamespaceClaim.Errorf("unexpected id token namespace: %s", idTokenClaims.Rest.Namespace)
 }
 
@@ -138,7 +138,7 @@ func (s *ExtendedJWT) authenticateAsUser(
 return &authn.Identity{
 ID: id,
 Type: t,
- OrgID: s.getDefaultOrgID(),
+ OrgID: s.cfg.DefaultOrgID(),
 AccessTokenClaims: &accessTokenClaims,
 IDTokenClaims: &idTokenClaims,
 AuthenticatedBy: login.ExtendedJWTModule,
@@ -155,7 +155,7 @@ func (s *ExtendedJWT) authenticateAsUser(
 
 func (s *ExtendedJWT) authenticateAsService(accessTokenClaims authlib.Claims[authlib.AccessTokenClaims]) (*authn.Identity, error) {
 // Allow access tokens with that has a wildcard namespace or a namespace matching this instance.
- if allowedNamespace := s.namespaceMapper(s.getDefaultOrgID()); !claims.NamespaceMatches(authlib.NewAccessClaims(accessTokenClaims), allowedNamespace) {
+ if allowedNamespace := s.namespaceMapper(s.cfg.DefaultOrgID()); !claims.NamespaceMatches(authlib.NewAccessClaims(accessTokenClaims), allowedNamespace) {
 return nil, errExtJWTDisallowedNamespaceClaim.Errorf("unexpected access token namespace: %s", accessTokenClaims.Rest.Namespace)
 }
 
@@ -186,7 +186,7 @@ func (s *ExtendedJWT) authenticateAsService(accessTokenClaims authlib.Claims[aut
 ID: id,
 UID: id,
 Type: t,
- OrgID: s.getDefaultOrgID(),
+ OrgID: s.cfg.DefaultOrgID(),
 AccessTokenClaims: &accessTokenClaims,
 IDTokenClaims: nil,
 AuthenticatedBy: login.ExtendedJWTModule,
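Review bot: `s.cfg.DefaultOrgID()` is now evaluated twice per call in both `authenticateAsUser` and `authenticateAsService` — once inside the namespace guard and again when filling `OrgID` on the returned identity. Hoisting it into one local, `orgID := s.cfg.DefaultOrgID()`, and using that in both the `s.namespaceMapper(orgID)` check and the `OrgID: orgID` field would read better and makes it explicit that the org the identity is placed in is the same org whose namespace the token was validated against. Both functions start and end outside these hunks, so the right place for the local is near the top of each function body.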
@@ -247,11 +247,3 @@ func (s *ExtendedJWT) retrieveAuthorizationToken(httpRequest *http.Request) stri
 // Strip the 'Bearer' prefix if it exists.
 return strings.TrimPrefix(jwtToken, "Bearer ")
 }
-
-func (s *ExtendedJWT) getDefaultOrgID() int64 {
- orgID := int64(1)
- if s.cfg.AutoAssignOrg && s.cfg.AutoAssignOrgId > 0 {
- orgID = int64(s.cfg.AutoAssignOrgId)
- }
- return orgID
-}
diff --git a/pkg/services/authn/clients/utils.go b/pkg/services/authn/clients/utils.go
index 8941dec502d..85d088ba38c 100644
--- a/pkg/services/authn/clients/utils.go
+++ b/pkg/services/authn/clients/utils.go
@@ -20,11 +20,7 @@ func getRoles(cfg *setting.Cfg, extract roleExtractor) (map[int64]org.RoleType,
 return orgRoles, nil, nil
 }
 
- orgID := int64(1)
- if cfg.AutoAssignOrg && cfg.AutoAssignOrgId > 0 {
- orgID = int64(cfg.AutoAssignOrgId)
- }
- orgRoles[orgID] = role
+ orgRoles[cfg.DefaultOrgID()] = role
 return orgRoles, isGrafanaAdmin, nil
 }
 
diff --git a/pkg/services/extsvcauth/models.go b/pkg/services/extsvcauth/models.go
index c86a6fa987e..5671c8ca4ef 100644
--- a/pkg/services/extsvcauth/models.go
+++ b/pkg/services/extsvcauth/models.go
@@ -4,21 +4,12 @@ import (
 "context"
 
 "github.com/grafana/grafana/pkg/services/accesscontrol"
- "github.com/grafana/grafana/pkg/setting"
 )
 
 const (
 ServiceAccounts AuthProvider = "ServiceAccounts"
 )
 
-func DefaultOrgID(cfg *setting.Cfg) int64 {
- orgID := int64(1)
- if cfg.AutoAssignOrg && cfg.AutoAssignOrgId > 0 {
- orgID = int64(cfg.AutoAssignOrgId)
- }
- return orgID
-}
-
 type AuthProvider string
 
 //go:generate mockery --name ExternalServiceRegistry --structname ExternalServiceRegistryMock --output tests --outpkg tests --filename extsvcregmock.go
diff --git a/pkg/services/serviceaccounts/extsvcaccounts/service.go b/pkg/services/serviceaccounts/extsvcaccounts/service.go
index 78246693391..d4802d993cc 100644
--- a/pkg/services/serviceaccounts/extsvcaccounts/service.go
+++ b/pkg/services/serviceaccounts/extsvcaccounts/service.go
@@ -40,7 +40,7 @@ func ProvideExtSvcAccountsService(acSvc ac.Service, cfg *setting.Cfg, bus bus.Bu
 logger := log.New("serviceauth.extsvcaccounts")
 esa := &ExtSvcAccountsService{
 acSvc: acSvc,
- defaultOrgID: extsvcauth.DefaultOrgID(cfg),
+ defaultOrgID: cfg.DefaultOrgID(),
 logger: logger,
 saSvc: saSvc,
 features: features,
diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
index ef476357815..805f36a160a 100644
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@@ -2051,3 +2051,10 @@ func (cfg *Cfg) readPublicDashboardsSettings() {
 publicDashboards := cfg.Raw.Section("public_dashboards")
 cfg.PublicDashboardsEnabled = publicDashboards.Key("enabled").MustBool(true)
 }
+
+func (cfg *Cfg) DefaultOrgID() int64 {
+ if cfg.AutoAssignOrg && cfg.AutoAssignOrgId > 0 {
+ return int64(cfg.AutoAssignOrgId)
+ }
+ return int64(1)
+}
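Review bot: The new exported method `DefaultOrgID` on `*Cfg` has no doc comment, and its fallback rule matters for security because this commit makes it the single source of the org that external JWT identities are placed in and whose namespace their tokens are checked against (ext_jwt.go), as well as the org external service accounts are created in. I would add `// DefaultOrgID returns the instance's default org ID: AutoAssignOrgId when AutoAssignOrg is enabled and the ID is positive, otherwise org 1.` directly above the func. Note that a misconfigured `auto_assign_org_id` (zero or negative) is silently mapped to org 1 here rather than rejected; unless that value is validated where it is read, which is not visible in this patch, a warning at config load time would make that fallback observable. Since the three former copies are now one function, a small table test in setting_test.go covering both branches (`AutoAssignOrg=false`, `AutoAssignOrgId=0`, `AutoAssignOrgId=5`) would be cheap and worth adding.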