Chore: Update authlib version (#94714)

* Chore: Update authlib version * update workspace * use ParseNamespace()
2025-02-16 10:24:54 -06:00 · 2024-10-15 16:58:46 +02:00 · 2024-10-15 16:58:46 +02:00 · 9f1b584c85
commit 9f1b584c85
parent 47115c714a
8 changed files with 34 additions and 32 deletions
--- a/go.mod
+++ b/go.mod
@ -73,8 +73,8 @@ require (
 	github.com/gorilla/mux v1.8.1 // @grafana/grafana-backend-group
 	github.com/gorilla/websocket v1.5.0 // @grafana/grafana-app-platform-squad
 	github.com/grafana/alerting v0.0.0-20241010165806-807ddf183724 // @grafana/alerting-backend
-	github.com/grafana/authlib v0.0.0-20240919120951-58259833c564 // @grafana/identity-access-team
-	github.com/grafana/authlib/claims v0.0.0-20240827210201-19d5347dd8dd // @grafana/identity-access-team
+	github.com/grafana/authlib v0.0.0-20241014135010-3e1f37f75699 // @grafana/identity-access-team
+	github.com/grafana/authlib/claims v0.0.0-20240926100702-4aee62663da0 // @grafana/identity-access-team
 	github.com/grafana/codejen v0.0.3 // @grafana/dataviz-squad
 	github.com/grafana/cuetsy v0.1.11 // @grafana/grafana-as-code
 	github.com/grafana/dataplane/examples v0.0.1 // @grafana/observability-metrics
--- a/go.sum
+++ b/go.sum
@ -2249,10 +2249,10 @@ github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWm
 github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/grafana/alerting v0.0.0-20241010165806-807ddf183724 h1:u+ZM5TLkdeEoSWXgYWxc4XRfPHhXpR63MyHXJxbBLrc=
 github.com/grafana/alerting v0.0.0-20241010165806-807ddf183724/go.mod h1:QsnoKX/iYZxA4Cv+H+wC7uxutBD8qi8ZW5UJvD2TYmU=
-github.com/grafana/authlib v0.0.0-20240919120951-58259833c564 h1:zYF/RBulpvMqPYR3gbzJZ8t/j/Eymn5FNidSYkueNCA=
-github.com/grafana/authlib v0.0.0-20240919120951-58259833c564/go.mod h1:PFzXbCrn0GIpN4KwT6NP1l5Z1CPLfmKHnYx8rZzQcyY=
-github.com/grafana/authlib/claims v0.0.0-20240827210201-19d5347dd8dd h1:sIlR7n38/MnZvX2qxDEszywXdI5soCwQ78aTDSARvus=
-github.com/grafana/authlib/claims v0.0.0-20240827210201-19d5347dd8dd/go.mod h1:r+F8H6awwjNQt/KPZ2GNwjk8TvsJ7/gxzkXN26GlL/A=
+github.com/grafana/authlib v0.0.0-20241014135010-3e1f37f75699 h1:+xSpRpQPhMXAE9z68u0zMzzIa78jy1UqFb4tMJczFNc=
+github.com/grafana/authlib v0.0.0-20241014135010-3e1f37f75699/go.mod h1:fhuI+ulquEIVcLsbwPml9JapWQzg8EYBp29HteO62DM=
+github.com/grafana/authlib/claims v0.0.0-20240926100702-4aee62663da0 h1:XT/WvQCWVVOvXRJy0SCQHkhxXFHNRJ3+jzhW5PutEk8=
+github.com/grafana/authlib/claims v0.0.0-20240926100702-4aee62663da0/go.mod h1:r+F8H6awwjNQt/KPZ2GNwjk8TvsJ7/gxzkXN26GlL/A=
 github.com/grafana/codejen v0.0.3 h1:tAWxoTUuhgmEqxJPOLtJoxlPBbMULFwKFOcRsPRPXDw=
 github.com/grafana/codejen v0.0.3/go.mod h1:zmwwM/DRyQB7pfuBjTWII3CWtxcXh8LTwAYGfDfpR6s=
 github.com/grafana/cue v0.0.0-20230926092038-971951014e3f h1:TmYAMnqg3d5KYEAaT6PtTguL2GjLfvr6wnAX8Azw6tQ=
--- a/pkg/apimachinery/go.mod
+++ b/pkg/apimachinery/go.mod
@ -3,8 +3,8 @@ module github.com/grafana/grafana/pkg/apimachinery
 go 1.23.1

 require (
-	github.com/grafana/authlib v0.0.0-20240919120951-58259833c564 // @grafana/identity-access-team
-	github.com/grafana/authlib/claims v0.0.0-20240903121118-16441568af1e // @grafana/identity-access-team
+	github.com/grafana/authlib v0.0.0-20241014135010-3e1f37f75699 // @grafana/identity-access-team
+	github.com/grafana/authlib/claims v0.0.0-20240926100702-4aee62663da0 // @grafana/identity-access-team
 	github.com/stretchr/testify v1.9.0
 	k8s.io/apimachinery v0.31.1
 	k8s.io/apiserver v0.31.1
--- a/pkg/apimachinery/go.sum
+++ b/pkg/apimachinery/go.sum
@ -28,10 +28,10 @@ github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/grafana/authlib v0.0.0-20240919120951-58259833c564 h1:zYF/RBulpvMqPYR3gbzJZ8t/j/Eymn5FNidSYkueNCA=
-github.com/grafana/authlib v0.0.0-20240919120951-58259833c564/go.mod h1:PFzXbCrn0GIpN4KwT6NP1l5Z1CPLfmKHnYx8rZzQcyY=
-github.com/grafana/authlib/claims v0.0.0-20240903121118-16441568af1e h1:ng5SopWamGS0MHaCj2e5huWYxAfMeCrj1l/dbJnfiow=
-github.com/grafana/authlib/claims v0.0.0-20240903121118-16441568af1e/go.mod h1:r+F8H6awwjNQt/KPZ2GNwjk8TvsJ7/gxzkXN26GlL/A=
+github.com/grafana/authlib v0.0.0-20241014135010-3e1f37f75699 h1:+xSpRpQPhMXAE9z68u0zMzzIa78jy1UqFb4tMJczFNc=
+github.com/grafana/authlib v0.0.0-20241014135010-3e1f37f75699/go.mod h1:fhuI+ulquEIVcLsbwPml9JapWQzg8EYBp29HteO62DM=
+github.com/grafana/authlib/claims v0.0.0-20240926100702-4aee62663da0 h1:XT/WvQCWVVOvXRJy0SCQHkhxXFHNRJ3+jzhW5PutEk8=
+github.com/grafana/authlib/claims v0.0.0-20240926100702-4aee62663da0/go.mod h1:r+F8H6awwjNQt/KPZ2GNwjk8TvsJ7/gxzkXN26GlL/A=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
--- a/pkg/apiserver/go.mod
+++ b/pkg/apiserver/go.mod
@ -4,7 +4,7 @@ go 1.23.1

 require (
 	github.com/google/go-cmp v0.6.0
-	github.com/grafana/authlib/claims v0.0.0-20240903121118-16441568af1e
+	github.com/grafana/authlib/claims v0.0.0-20240926100702-4aee62663da0
 	github.com/grafana/grafana/pkg/apimachinery v0.0.0-20240701135906-559738ce6ae1
 	github.com/prometheus/client_golang v1.20.4
 	github.com/stretchr/testify v1.9.0
--- a/pkg/apiserver/go.sum
+++ b/pkg/apiserver/go.sum
@ -78,8 +78,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
 github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/grafana/authlib/claims v0.0.0-20240903121118-16441568af1e h1:ng5SopWamGS0MHaCj2e5huWYxAfMeCrj1l/dbJnfiow=
-github.com/grafana/authlib/claims v0.0.0-20240903121118-16441568af1e/go.mod h1:r+F8H6awwjNQt/KPZ2GNwjk8TvsJ7/gxzkXN26GlL/A=
+github.com/grafana/authlib/claims v0.0.0-20240926100702-4aee62663da0 h1:XT/WvQCWVVOvXRJy0SCQHkhxXFHNRJ3+jzhW5PutEk8=
+github.com/grafana/authlib/claims v0.0.0-20240926100702-4aee62663da0/go.mod h1:r+F8H6awwjNQt/KPZ2GNwjk8TvsJ7/gxzkXN26GlL/A=
 github.com/grafana/grafana/pkg/apimachinery v0.0.0-20240701135906-559738ce6ae1 h1:ItDcDxUjVLPKja+hogpqgW/kj8LxUL2qscelXIsN1Bs=
 github.com/grafana/grafana/pkg/apimachinery v0.0.0-20240701135906-559738ce6ae1/go.mod h1:DkxMin+qOh1Fgkxfbt+CUfBqqsCQJMG9op8Os/irBPA=
 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI=
--- a/pkg/services/authz/client.go
+++ b/pkg/services/authz/client.go
@ -8,7 +8,6 @@ import (
 	authnlib "github.com/grafana/authlib/authn"
 	authzlib "github.com/grafana/authlib/authz"
 	authzv1 "github.com/grafana/authlib/authz/proto/v1"
-	"github.com/grafana/authlib/claims"
 	grpcAuth "github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/auth"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
@ -24,7 +23,7 @@ import (
 const authzServiceAudience = "authzService"

 type Client interface {
-	authzlib.MultiTenantClient
+	authzlib.Client
 }

 // ProvideAuthZClient provides an AuthZ client and creates the AuthZ service.
@ -41,7 +40,7 @@ func ProvideAuthZClient(
 		return nil, err
 	}

-	var client authzlib.MultiTenantClient
+	var client authzlib.Client

 	// Register the server
 	server, err := newLegacyServer(acSvc, features, grpcServer, tracer, authCfg)
@ -87,7 +86,7 @@ func ProvideStandaloneAuthZClient(
 	return newGrpcLegacyClient(authCfg.remoteAddress)
 }

-func newInProcLegacyClient(server *legacyServer) (authzlib.MultiTenantClient, error) {
+func newInProcLegacyClient(server *legacyServer) (authzlib.Client, error) {
 	noAuth := func(ctx context.Context) (context.Context, error) {
 		return ctx, nil
 	}
@ -103,15 +102,13 @@ func newInProcLegacyClient(server *legacyServer) (authzlib.MultiTenantClient, er
 	)

 	return authzlib.NewLegacyClient(
-		&authzlib.MultiTenantClientConfig{},
+		&authzlib.ClientConfig{},
 		authzlib.WithGrpcConnectionLCOption(channel),
-		// nolint:staticcheck
-		authzlib.WithNamespaceFormatterLCOption(claims.OrgNamespaceFormatter),
 		authzlib.WithDisableAccessTokenLCOption(),
 	)
 }

-func newGrpcLegacyClient(address string) (authzlib.MultiTenantClient, error) {
+func newGrpcLegacyClient(address string) (authzlib.Client, error) {
 	// This client interceptor is a noop, as we don't send an access token
 	grpcClientConfig := authnlib.GrpcClientConfig{}
 	clientInterceptor, err := authnlib.NewGrpcClientInterceptor(&grpcClientConfig,
@ -121,7 +118,7 @@ func newGrpcLegacyClient(address string) (authzlib.MultiTenantClient, error) {
 		return nil, err
 	}

-	cfg := authzlib.MultiTenantClientConfig{RemoteAddress: address}
+	cfg := authzlib.ClientConfig{RemoteAddress: address}
 	client, err := authzlib.NewLegacyClient(&cfg,
 		// TODO(drclau): make this configurable (e.g. allow to use insecure connections)
 		authzlib.WithGrpcDialOptionsLCOption(
@ -129,8 +126,6 @@ func newGrpcLegacyClient(address string) (authzlib.MultiTenantClient, error) {
 			grpc.WithUnaryInterceptor(clientInterceptor.UnaryClientInterceptor),
 			grpc.WithStreamInterceptor(clientInterceptor.StreamClientInterceptor),
 		),
-		// nolint:staticcheck
-		authzlib.WithNamespaceFormatterLCOption(claims.OrgNamespaceFormatter),
 		// TODO(drclau): remove this once we have access token support on-prem
 		authzlib.WithDisableAccessTokenLCOption(),
 	)
@ -141,7 +136,7 @@ func newGrpcLegacyClient(address string) (authzlib.MultiTenantClient, error) {
 	return client, nil
 }

-func newCloudLegacyClient(authCfg *Cfg) (authzlib.MultiTenantClient, error) {
+func newCloudLegacyClient(authCfg *Cfg) (authzlib.Client, error) {
 	grpcClientConfig := authnlib.GrpcClientConfig{
 		TokenClientConfig: &authnlib.TokenExchangeConfig{
 			Token:            authCfg.token,
@ -158,7 +153,7 @@ func newCloudLegacyClient(authCfg *Cfg) (authzlib.MultiTenantClient, error) {
 		return nil, err
 	}

-	clientCfg := authzlib.MultiTenantClientConfig{RemoteAddress: authCfg.remoteAddress}
+	clientCfg := authzlib.ClientConfig{RemoteAddress: authCfg.remoteAddress}
 	client, err := authzlib.NewLegacyClient(&clientCfg,
 		// TODO(drclau): make this configurable (e.g. allow to use insecure connections)
 		authzlib.WithGrpcDialOptionsLCOption(
--- a/pkg/services/authz/server.go
+++ b/pkg/services/authz/server.go
@ -2,8 +2,10 @@ package authz

 import (
 	"context"
+	"fmt"

 	authzv1 "github.com/grafana/authlib/authz/proto/v1"
+	"github.com/grafana/authlib/claims"

 	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/infra/tracing"
@ -51,14 +53,19 @@ func (s *legacyServer) Read(ctx context.Context, req *authzv1.ReadRequest) (*aut

 	action := req.GetAction()
 	subject := req.GetSubject()
-	stackID := req.GetStackId() // TODO can we consider the stackID as the orgID?
+	namespace := req.GetNamespace() // TODO can we consider the stackID as the orgID?
+
+	info, err := claims.ParseNamespace(namespace)
+	if err != nil || info.OrgID == 0 {
+		return nil, fmt.Errorf("invalid namespace: %s", namespace)
+	}

 	ctxLogger := s.logger.FromContext(ctx)
-	ctxLogger.Debug("Read", "action", action, "subject", subject, "stackID", stackID)
+	ctxLogger.Debug("Read", "action", action, "subject", subject, "namespace", namespace)

 	permissions, err := s.acSvc.SearchUserPermissions(
 		ctx,
-		stackID,
+		info.OrgID,
 		accesscontrol.SearchOptions{Action: action, TypedID: subject},
 	)
 	if err != nil {
@ -68,7 +75,7 @@ func (s *legacyServer) Read(ctx context.Context, req *authzv1.ReadRequest) (*aut

 	data := make([]*authzv1.ReadResponse_Data, 0, len(permissions))
 	for _, perm := range permissions {
-		data = append(data, &authzv1.ReadResponse_Data{Object: perm.Scope})
+		data = append(data, &authzv1.ReadResponse_Data{Scope: perm.Scope})
 	}
 	return &authzv1.ReadResponse{
 		Data:  data,