AuthN: Remove embedded oauth server (#83146)

* AuthN: Remove embedded oauth server * Restore main * go mod tidy * Fix problem * Remove permission intersection * Fix test and lint * Fix TestData test * Revert to origin/main * Update go.mod * Update go.mod * Update go.sum
2025-02-25 18:55:37 -06:00 · 2024-02-26 11:29:09 +01:00
parent d0679f0993
commit 80d6bf6da0
55 changed files with 46 additions and 5631 deletions
--- a/pkg/services/authn/authnimpl/service.go
+++ b/pkg/services/authn/authnimpl/service.go
@@ -24,7 +24,6 @@ import (
 	"github.com/grafana/grafana/pkg/services/authn"
 	"github.com/grafana/grafana/pkg/services/authn/authnimpl/sync"
 	"github.com/grafana/grafana/pkg/services/authn/clients"
-	"github.com/grafana/grafana/pkg/services/extsvcauth/oauthserver"
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
 	"github.com/grafana/grafana/pkg/services/ldap/service"
 	"github.com/grafana/grafana/pkg/services/login"
@@ -72,7 +71,7 @@ func ProvideService(
 	features *featuremgmt.FeatureManager, oauthTokenService oauthtoken.OAuthTokenService,
 	socialService social.Service, cache *remotecache.RemoteCache,
 	ldapService service.LDAP, registerer prometheus.Registerer,
-	signingKeysService signingkeys.Service, oauthServer oauthserver.OAuth2Server,
+	signingKeysService signingkeys.Service,
 	settingsProviderService setting.Provider,
 ) *Service {
 	s := &Service{
@@ -136,9 +135,10 @@ func ProvideService(
 		s.RegisterClient(clients.ProvideJWT(jwtService, cfg))
 	}

-	if s.cfg.ExtendedJWTAuthEnabled && features.IsEnabledGlobally(featuremgmt.FlagExternalServiceAuth) {
-		s.RegisterClient(clients.ProvideExtendedJWT(userService, cfg, signingKeysService, oauthServer))
-	}
+	// FIXME (gamab): Commenting that out for now as we want to re-use the client for external service auth
+	// if s.cfg.ExtendedJWTAuthEnabled && features.IsEnabledGlobally(featuremgmt.FlagExternalServiceAuth) {
+	// 	s.RegisterClient(clients.ProvideExtendedJWT(userService, cfg, signingKeysService, oauthServer))
+	// }

 	for name := range socialService.GetOAuthProviders() {
 		clientName := authn.ClientWithPrefix(name)
--- a/pkg/services/authn/clients/basic.go
+++ b/pkg/services/authn/clients/basic.go
@@ -2,7 +2,6 @@ package clients

 import (
 	"context"
-	"strings"

 	"github.com/grafana/grafana/pkg/services/authn"
 	"github.com/grafana/grafana/pkg/util/errutil"
@@ -43,10 +42,6 @@ func (c *Basic) Test(ctx context.Context, r *authn.Request) bool {
 	if r.HTTPRequest == nil {
 		return false
 	}
-	// The OAuth2 introspection endpoint uses basic auth but is handled by the oauthserver package.
-	if strings.EqualFold(r.HTTPRequest.RequestURI, "/oauth2/introspect") {
-		return false
-	}
 	return looksLikeBasicAuthRequest(r)
 }

--- a/pkg/services/authn/clients/basic_test.go
+++ b/pkg/services/authn/clients/basic_test.go
@@ -85,12 +85,6 @@ func TestBasic_Test(t *testing.T) {
 				HTTPRequest: &http.Request{Header: map[string][]string{authorizationHeaderName: {"something"}}},
 			},
 		},
-		{
-			desc: "should fail when the URL ends with /oauth2/introspect",
-			req: &authn.Request{
-				HTTPRequest: &http.Request{Header: map[string][]string{authorizationHeaderName: {encodeBasicAuth("user", "password")}}, RequestURI: "/oauth2/introspect"},
-			},
-		},
 	}

 	for _, tt := range tests {
--- a/pkg/services/authn/clients/ext_jwt.go
+++ b/pkg/services/authn/clients/ext_jwt.go
@@ -14,7 +14,6 @@ import (

 	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/services/authn"
-	"github.com/grafana/grafana/pkg/services/extsvcauth/oauthserver"
 	"github.com/grafana/grafana/pkg/services/login"
 	"github.com/grafana/grafana/pkg/services/signingkeys"
 	"github.com/grafana/grafana/pkg/services/user"
@@ -33,13 +32,12 @@ const (
 	rfc9068MediaType      = "application/at+jwt"
 )

-func ProvideExtendedJWT(userService user.Service, cfg *setting.Cfg, signingKeys signingkeys.Service, oauthServer oauthserver.OAuth2Server) *ExtendedJWT {
+func ProvideExtendedJWT(userService user.Service, cfg *setting.Cfg, signingKeys signingkeys.Service) *ExtendedJWT {
 	return &ExtendedJWT{
 		cfg:         cfg,
 		log:         log.New(authn.ClientExtendedJWT),
 		userService: userService,
 		signingKeys: signingKeys,
-		oauthServer: oauthServer,
 	}
 }

@@ -48,7 +46,6 @@ type ExtendedJWT struct {
 	log         log.Logger
 	userService user.Service
 	signingKeys signingkeys.Service
-	oauthServer oauthserver.OAuth2Server
 }

 type ExtendedJWTClaims struct {
@@ -222,10 +219,6 @@ func (s *ExtendedJWT) validateClientIdClaim(ctx context.Context, claims Extended
 		return fmt.Errorf("missing 'client_id' claim")
 	}

-	if _, err := s.oauthServer.GetExternalService(ctx, claims.ClientID); err != nil {
-		return fmt.Errorf("invalid 'client_id' claim: %s", claims.ClientID)
-	}
-
 	return nil
 }

--- a/pkg/services/authn/clients/ext_jwt_test.go
+++ b/pkg/services/authn/clients/ext_jwt_test.go
@@ -17,8 +17,6 @@ import (

 	"github.com/grafana/grafana/pkg/models/roletype"
 	"github.com/grafana/grafana/pkg/services/authn"
-	"github.com/grafana/grafana/pkg/services/extsvcauth/oauthserver"
-	"github.com/grafana/grafana/pkg/services/extsvcauth/oauthserver/oastest"
 	"github.com/grafana/grafana/pkg/services/login"
 	"github.com/grafana/grafana/pkg/services/signingkeys"
 	"github.com/grafana/grafana/pkg/services/signingkeys/signingkeystest"
@@ -268,27 +266,6 @@ func TestExtendedJWT_Authenticate(t *testing.T) {
 			want:    nil,
 			wantErr: true,
 		},
-		{
-			name: "should return error when the client was not found",
-			payload: ExtendedJWTClaims{
-				Claims: jwt.Claims{
-					Issuer:   "http://localhost:3000",
-					Subject:  "user:id:2",
-					Audience: jwt.Audience{"http://localhost:3000"},
-					ID:       "1234567890",
-					Expiry:   jwt.NewNumericDate(time.Date(2023, 5, 3, 0, 0, 0, 0, time.UTC)),
-					IssuedAt: jwt.NewNumericDate(time.Date(2023, 5, 2, 0, 0, 0, 0, time.UTC)),
-				},
-				ClientID: "unknown-client-id",
-				Scopes:   []string{"profile", "groups"},
-			},
-			initTestEnv: func(env *testEnv) {
-				env.oauthSvc.ExpectedErr = oauthserver.ErrClientNotFoundFn("unknown-client-id")
-			},
-			orgID:   1,
-			want:    nil,
-			wantErr: true,
-		},
 	}

 	for _, tc := range testCases {
@@ -521,21 +498,18 @@ func setupTestCtx(t *testing.T, cfg *setting.Cfg) *testEnv {
 	}

 	userSvc := &usertest.FakeUserService{}
-	oauthSvc := &oastest.FakeService{}

-	extJwtClient := ProvideExtendedJWT(userSvc, cfg, signingKeysSvc, oauthSvc)
+	extJwtClient := ProvideExtendedJWT(userSvc, cfg, signingKeysSvc)

 	return &testEnv{
-		oauthSvc: oauthSvc,
-		userSvc:  userSvc,
-		s:        extJwtClient,
+		userSvc: userSvc,
+		s:       extJwtClient,
 	}
 }

 type testEnv struct {
-	oauthSvc *oastest.FakeService
-	userSvc  *usertest.FakeUserService
-	s        *ExtendedJWT
+	userSvc *usertest.FakeUserService
+	s       *ExtendedJWT
 }

 func generateToken(payload ExtendedJWTClaims, signingKey any, alg jose.SignatureAlgorithm) string {