AuthN: Use sync hook to fetch service account (#84078)

* Use sync hook to fetch service account
2025-02-25 18:55:37 -06:00 · 2024-03-11 15:56:53 +01:00
parent d8b8a2c2b0
commit 9c292d2c3f
4 changed files with 14 additions and 45 deletions
--- a/pkg/services/authn/authnimpl/service.go
+++ b/pkg/services/authn/authnimpl/service.go
@@ -90,7 +90,7 @@ func ProvideService(
 	usageStats.RegisterMetricsFunc(s.getUsageStats)

 	s.RegisterClient(clients.ProvideRender(userService, renderService))
-	s.RegisterClient(clients.ProvideAPIKey(apikeyService, userService))
+	s.RegisterClient(clients.ProvideAPIKey(apikeyService))

 	if cfg.LoginCookieName != "" {
 		s.RegisterClient(clients.ProvideSession(cfg, sessionService))
--- a/pkg/services/authn/authnimpl/sync/user_sync.go
+++ b/pkg/services/authn/authnimpl/sync/user_sync.go
@@ -111,7 +111,7 @@ func (s *UserSync) FetchSyncedUserHook(ctx context.Context, identity *authn.Iden
 		return nil
 	}
 	namespace, id := identity.GetNamespacedID()
-	if namespace != authn.NamespaceUser {
+	if namespace != authn.NamespaceUser && namespace != authn.NamespaceServiceAccount {
 		return nil
 	}

--- a/pkg/services/authn/clients/api_key.go
+++ b/pkg/services/authn/clients/api_key.go
@@ -14,7 +14,6 @@ import (
 	"github.com/grafana/grafana/pkg/services/authn"
 	"github.com/grafana/grafana/pkg/services/login"
 	"github.com/grafana/grafana/pkg/services/org"
-	"github.com/grafana/grafana/pkg/services/user"
 	"github.com/grafana/grafana/pkg/util"
 	"github.com/grafana/grafana/pkg/util/errutil"
 )
@@ -29,17 +28,15 @@ var (
 var _ authn.HookClient = new(APIKey)
 var _ authn.ContextAwareClient = new(APIKey)

-func ProvideAPIKey(apiKeyService apikey.Service, userService user.Service) *APIKey {
+func ProvideAPIKey(apiKeyService apikey.Service) *APIKey {
 	return &APIKey{
 		log:           log.New(authn.ClientAPIKey),
-		userService:   userService,
 		apiKeyService: apiKeyService,
 	}
 }

 type APIKey struct {
 	log           log.Logger
-	userService   user.Service
 	apiKeyService apikey.Service
 }

@@ -81,16 +78,12 @@ func (s *APIKey) Authenticate(ctx context.Context, r *authn.Request) (*authn.Ide
 		}, nil
 	}

-	usr, err := s.userService.GetSignedInUserWithCacheCtx(ctx, &user.GetSignedInUserQuery{
-		UserID: *apiKey.ServiceAccountId,
-		OrgID:  apiKey.OrgID,
-	})
-
-	if err != nil {
-		return nil, err
-	}
-
-	return authn.IdentityFromSignedInUser(authn.NamespacedID(authn.NamespaceServiceAccount, usr.UserID), usr, authn.ClientParams{SyncPermissions: true}, login.APIKeyAuthModule), nil
+	return &authn.Identity{
+		ID:              authn.NamespacedID(authn.NamespaceServiceAccount, *apiKey.ServiceAccountId),
+		OrgID:           apiKey.OrgID,
+		AuthenticatedBy: login.APIKeyAuthModule,
+		ClientParams:    authn.ClientParams{FetchSyncedUser: true, SyncPermissions: true},
+	}, nil
 }

 func (s *APIKey) getAPIKey(ctx context.Context, token string) (*apikey.APIKey, error) {
--- a/pkg/services/authn/clients/api_key_test.go
+++ b/pkg/services/authn/clients/api_key_test.go
@@ -16,8 +16,6 @@ import (
 	"github.com/grafana/grafana/pkg/services/authn"
 	"github.com/grafana/grafana/pkg/services/login"
 	"github.com/grafana/grafana/pkg/services/org"
-	"github.com/grafana/grafana/pkg/services/user"
-	"github.com/grafana/grafana/pkg/services/user/usertest"
 )

 var (
@@ -30,7 +28,6 @@ func TestAPIKey_Authenticate(t *testing.T) {
 		desc             string
 		req              *authn.Request
 		expectedKey      *apikey.APIKey
-		expectedUser     *user.SignedInUser
 		expectedErr      error
 		expectedIdentity *authn.Identity
 	}
@@ -72,20 +69,11 @@ func TestAPIKey_Authenticate(t *testing.T) {
 				Key:              hash,
 				ServiceAccountId: intPtr(1),
 			},
-			expectedUser: &user.SignedInUser{
-				UserID:           1,
-				OrgID:            1,
-				IsServiceAccount: true,
-				OrgRole:          org.RoleViewer,
-				Name:             "test",
-			},
 			expectedIdentity: &authn.Identity{
-				ID:             "service-account:1",
-				OrgID:          1,
-				Name:           "test",
-				OrgRoles:       map[int64]org.RoleType{1: org.RoleViewer},
-				IsGrafanaAdmin: boolPtr(false),
+				ID:    "service-account:1",
+				OrgID: 1,
 				ClientParams: authn.ClientParams{
+					FetchSyncedUser: true,
 					SyncPermissions: true,
 				},
 				AuthenticatedBy: login.APIKeyAuthModule,
@@ -124,11 +112,7 @@ func TestAPIKey_Authenticate(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.desc, func(t *testing.T) {
-			c := ProvideAPIKey(&apikeytest.Service{
-				ExpectedAPIKey: tt.expectedKey,
-			}, &usertest.FakeUserService{
-				ExpectedSignedInUser: tt.expectedUser,
-			})
+			c := ProvideAPIKey(&apikeytest.Service{ExpectedAPIKey: tt.expectedKey})

 			identity, err := c.Authenticate(context.Background(), tt.req)
 			if tt.expectedErr != nil {
@@ -195,7 +179,7 @@ func TestAPIKey_Test(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.desc, func(t *testing.T) {
-			c := ProvideAPIKey(&apikeytest.Service{}, usertest.NewUserServiceFake())
+			c := ProvideAPIKey(&apikeytest.Service{})
 			assert.Equal(t, tt.expected, c.Test(context.Background(), tt.req))
 		})
 	}
@@ -286,19 +270,11 @@ func TestAPIKey_GetAPIKeyIDFromIdentity(t *testing.T) {
 		},
 	}}

-	signedInUser := &user.SignedInUser{
-		UserID: 1,
-		OrgID:  1,
-		Name:   "test",
-	}
-
 	for _, tt := range tests {
 		t.Run(tt.desc, func(t *testing.T) {
 			c := ProvideAPIKey(&apikeytest.Service{
 				ExpectedError:  tt.expectedError,
 				ExpectedAPIKey: tt.expectedKey,
-			}, &usertest.FakeUserService{
-				ExpectedSignedInUser: signedInUser,
 			})
 			id, exists := c.getAPIKeyID(context.Background(), tt.expectedIdentity, req)
 			assert.Equal(t, tt.expectedExists, exists)