AuthN: Fix namespaces for anonymous and render (#75661)

* AuthN: remove IsAnonymous from identity struct and set correct namespace for anonymous and render * Don't parse user id for render namespace
2025-01-27 16:57:14 -06:00 · 2023-09-29 09:10:33 +02:00 · 2023-09-29 09:10:33 +02:00 · 7a38090bc0
commit 7a38090bc0
parent 0e2b741fc3
10 changed files with 20 additions and 17 deletions
--- a/pkg/api/common_test.go
+++ b/pkg/api/common_test.go
@ -188,7 +188,7 @@ func getContextHandler(t *testing.T, cfg *setting.Cfg) *contexthandler.ContextHa
 		cfg,
 		tracing.InitializeTracerForTest(),
 		featuremgmt.WithFeatures(),
-		&authntest.FakeService{ExpectedIdentity: &authn.Identity{IsAnonymous: true, SessionToken: &usertoken.UserToken{}}},
+		&authntest.FakeService{ExpectedIdentity: &authn.Identity{ID: authn.AnonymousNamespaceID, SessionToken: &usertoken.UserToken{}}},
 	)
 }

--- a/pkg/middleware/auth_test.go
+++ b/pkg/middleware/auth_test.go
@ -57,7 +57,7 @@ func TestAuth_Middleware(t *testing.T) {
 			desc:           "ReqSignedIn should return 200 for anonymous user",
 			path:           "/api/secure",
 			authMiddleware: ReqSignedIn,
-			identity:       &authn.Identity{IsAnonymous: true},
+			identity:       &authn.Identity{ID: authn.AnonymousNamespaceID},
 			expecedReached: true,
 			expectedCode:   http.StatusOK,
 		},
@ -65,7 +65,7 @@ func TestAuth_Middleware(t *testing.T) {
 			desc:           "ReqSignedIn should return redirect anonymous user with forceLogin query string",
 			path:           "/secure?forceLogin=true",
 			authMiddleware: ReqSignedIn,
-			identity:       &authn.Identity{IsAnonymous: true},
+			identity:       &authn.Identity{ID: authn.AnonymousNamespaceID},
 			expecedReached: false,
 			expectedCode:   http.StatusFound,
 		},
@ -73,7 +73,7 @@ func TestAuth_Middleware(t *testing.T) {
 			desc:           "ReqSignedIn should return redirect anonymous user when orgId in query string is different from currently used",
 			path:           "/secure?orgId=2",
 			authMiddleware: ReqSignedIn,
-			identity:       &authn.Identity{IsAnonymous: true, OrgID: 1},
+			identity:       &authn.Identity{ID: authn.AnonymousNamespaceID, OrgID: 1},
 			expecedReached: false,
 			expectedCode:   http.StatusFound,
 		},
@ -81,7 +81,7 @@ func TestAuth_Middleware(t *testing.T) {
 			desc:           "ReqSignedInNoAnonymous should return 401 for anonymous user",
 			path:           "/api/secure",
 			authMiddleware: ReqSignedInNoAnonymous,
-			identity:       &authn.Identity{IsAnonymous: true},
+			identity:       &authn.Identity{ID: authn.AnonymousNamespaceID},
 			expecedReached: false,
 			expectedCode:   http.StatusUnauthorized,
 		},
--- a/pkg/services/accesscontrol/acimpl/service.go
+++ b/pkg/services/accesscontrol/acimpl/service.go
@ -120,7 +120,7 @@ func (s *Service) getUserPermissions(ctx context.Context, user identity.Requeste

 	var userID int64
 	switch namespace {
-	case authn.NamespaceUser, authn.NamespaceServiceAccount, identity.NamespaceRenderService:
+	case authn.NamespaceUser, authn.NamespaceServiceAccount:
 		var err error
 		userID, err = strconv.ParseInt(identifier, 10, 64)
 		if err != nil {
--- a/pkg/services/anonymous/anonimpl/client.go
+++ b/pkg/services/anonymous/anonimpl/client.go
@ -57,7 +57,7 @@ func (a *Anonymous) Authenticate(ctx context.Context, r *authn.Request) (*authn.
 	}()

 	return &authn.Identity{
-		IsAnonymous:  true,
+		ID:           authn.AnonymousNamespaceID,
 		OrgID:        o.ID,
 		OrgName:      o.Name,
 		OrgRoles:     map[int64]org.RoleType{o.ID: org.RoleType(a.cfg.AnonymousOrgRole)},
--- a/pkg/services/anonymous/anonimpl/client_test.go
+++ b/pkg/services/anonymous/anonimpl/client_test.go
@ -59,7 +59,7 @@ func TestAnonymous_Authenticate(t *testing.T) {
 			} else {
 				require.Nil(t, err)

-				assert.Equal(t, true, identity.ID == "")
+				assert.Equal(t, authn.AnonymousNamespaceID, identity.ID)
 				assert.Equal(t, tt.org.ID, identity.OrgID)
 				assert.Equal(t, tt.org.Name, identity.OrgName)
 				assert.Equal(t, tt.cfg.AnonymousOrgRole, string(identity.GetOrgRole()))
--- a/pkg/services/authn/clients/render.go
+++ b/pkg/services/authn/clients/render.go
@ -45,7 +45,7 @@ func (c *Render) Authenticate(ctx context.Context, r *authn.Request) (*authn.Ide
 	var identity *authn.Identity
 	if renderUsr.UserID <= 0 {
 		identity = &authn.Identity{
-			ID:           authn.NamespacedID(authn.NamespaceUser, 0),
+			ID:           authn.NamespacedID(authn.NamespaceRenderService, 0),
 			OrgID:        renderUsr.OrgID,
 			OrgRoles:     map[int64]org.RoleType{renderUsr.OrgID: org.RoleType(renderUsr.OrgRole)},
 			ClientParams: authn.ClientParams{SyncPermissions: true},
--- a/pkg/services/authn/clients/render_test.go
+++ b/pkg/services/authn/clients/render_test.go
@ -38,7 +38,7 @@ func TestRender_Authenticate(t *testing.T) {
 				},
 			},
 			expectedIdentity: &authn.Identity{
-				ID:              "user:0",
+				ID:              "render:0",
 				OrgID:           1,
 				OrgRoles:        map[int64]org.RoleType{1: org.RoleViewer},
 				AuthenticatedBy: login.RenderModule,
--- a/pkg/services/authn/identity.go
+++ b/pkg/services/authn/identity.go
@ -29,6 +29,10 @@ const (
 	NamespaceRenderService  = identity.NamespaceRenderService
 )

+const (
+	AnonymousNamespaceID = NamespaceAnonymous + ":0"
+)
+
 var _ identity.Requester = (*Identity)(nil)

 type Identity struct {
@ -43,8 +47,6 @@ type Identity struct {
 	// Namespace* constants. For example, "user:1" or "api-key:1".
 	// If the entity is not found in the DB or this entity is non-persistent, this field will be empty.
 	ID string
-	// IsAnonymous
-	IsAnonymous bool
 	// Login is the shorthand identifier of the entity. Should be unique.
 	Login string
 	// Name is the display name of the entity. It is not guaranteed to be unique.
@ -202,6 +204,8 @@ func (i *Identity) NamespacedID() (string, int64) {

 // SignedInUser returns a SignedInUser from the identity.
 func (i *Identity) SignedInUser() *user.SignedInUser {
+	namespace, id := i.GetNamespacedID()
+
 	u := &user.SignedInUser{
 		OrgID:           i.OrgID,
 		OrgName:         i.OrgName,
@ -211,7 +215,7 @@ func (i *Identity) SignedInUser() *user.SignedInUser {
 		Email:           i.Email,
 		AuthenticatedBy: i.AuthenticatedBy,
 		IsGrafanaAdmin:  i.GetIsGrafanaAdmin(),
-		IsAnonymous:     i.IsAnonymous,
+		IsAnonymous:     namespace == NamespaceAnonymous,
 		IsDisabled:      i.IsDisabled,
 		HelpFlags1:      i.HelpFlags1,
 		LastSeenAt:      i.LastSeenAt,
@ -220,7 +224,6 @@ func (i *Identity) SignedInUser() *user.SignedInUser {
 		IDToken:         i.IDToken,
 	}

-	namespace, id := i.GetNamespacedID()
 	if namespace == NamespaceAPIKey {
 		u.ApiKeyID = intIdentifier(id)
 	} else {
--- a/pkg/services/contexthandler/contexthandler.go
+++ b/pkg/services/contexthandler/contexthandler.go
@ -119,8 +119,8 @@ func (h *ContextHandler) Middleware(next http.Handler) http.Handler {
 		} else {
 			reqContext.SignedInUser = identity.SignedInUser()
 			reqContext.UserToken = identity.SessionToken
-			reqContext.IsSignedIn = !identity.IsAnonymous
-			reqContext.AllowAnonymous = identity.IsAnonymous
+			reqContext.IsSignedIn = !reqContext.SignedInUser.IsAnonymous
+			reqContext.AllowAnonymous = reqContext.SignedInUser.IsAnonymous
 			reqContext.IsRenderCall = identity.AuthenticatedBy == login.RenderModule
 		}

--- a/pkg/services/contexthandler/contexthandler_test.go
+++ b/pkg/services/contexthandler/contexthandler_test.go
@ -64,7 +64,7 @@ func TestContextHandler(t *testing.T) {
 	})

 	t.Run("should not set IsSignedIn on anonymous identity", func(t *testing.T) {
-		identity := &authn.Identity{IsAnonymous: true, OrgID: 1}
+		identity := &authn.Identity{ID: authn.AnonymousNamespaceID, OrgID: 1}
 		handler := contexthandler.ProvideService(
 			setting.NewCfg(),
 			tracing.InitializeTracerForTest(),