Rendering: Store render key in remote cache (#22031)

By storing render key in remote cache it will enable
image renderer to use public facing url or load
balancer url to render images and thereby remove
the requirement of image renderer having to use the
url of the originating Grafana instance when running
HA setup (multiple Grafana instances).

Fixes #17704
Ref grafana/grafana-image-renderer#91

pkg/middleware/middleware.go

@@ -15,6 +15,7 @@ import (
 	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/infra/remotecache"
 	"github.com/grafana/grafana/pkg/models"
+	"github.com/grafana/grafana/pkg/services/rendering"
 	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util"
 )
@@ -39,6 +40,7 @@ var (
 func GetContextHandler(
 	ats models.UserTokenService,
 	remoteCache *remotecache.RemoteCache,
+	renderService rendering.Service,
 ) macaron.Handler {
 	return func(c *macaron.Context) {
 		ctx := &models.ReqContext{
@@ -62,7 +64,7 @@ func GetContextHandler(
 		// then look for api key in session (special case for render calls via api)
 		// then test if anonymous access is enabled
 		switch {
-		case initContextWithRenderAuth(ctx):
+		case initContextWithRenderAuth(ctx, renderService):
 		case initContextWithApiKey(ctx):
 		case initContextWithBasicAuth(ctx, orgId):
 		case initContextWithAuthProxy(remoteCache, ctx, orgId):

pkg/middleware/middleware_test.go

@@ -557,7 +557,7 @@ func middlewareScenario(t *testing.T, desc string, fn scenarioFunc) {
 		sc.userAuthTokenService = auth.NewFakeUserAuthTokenService()
 		sc.remoteCacheService = remotecache.NewFakeStore(t)
 
-		sc.m.Use(GetContextHandler(sc.userAuthTokenService, sc.remoteCacheService))
+		sc.m.Use(GetContextHandler(sc.userAuthTokenService, sc.remoteCacheService, nil))
 
 		sc.m.Use(OrgRedirect())
 

pkg/middleware/recovery_test.go

@@ -68,7 +68,7 @@ func recoveryScenario(t *testing.T, desc string, url string, fn scenarioFunc) {
 		sc.userAuthTokenService = auth.NewFakeUserAuthTokenService()
 		sc.remoteCacheService = remotecache.NewFakeStore(t)
 
-		sc.m.Use(GetContextHandler(sc.userAuthTokenService, sc.remoteCacheService))
+		sc.m.Use(GetContextHandler(sc.userAuthTokenService, sc.remoteCacheService, nil))
 		// mock out gc goroutine
 		sc.m.Use(OrgRedirect())
 

pkg/middleware/render_auth.go

@@ -1,59 +1,32 @@
 package middleware
 
 import (
-	"sync"
 	"time"
 
+	"github.com/grafana/grafana/pkg/services/rendering"
+
 	m "github.com/grafana/grafana/pkg/models"
-	"github.com/grafana/grafana/pkg/util"
 )
 
-var renderKeysLock sync.Mutex
-var renderKeys map[string]*m.SignedInUser = make(map[string]*m.SignedInUser)
-
-func initContextWithRenderAuth(ctx *m.ReqContext) bool {
+func initContextWithRenderAuth(ctx *m.ReqContext, renderService rendering.Service) bool {
 	key := ctx.GetCookie("renderKey")
 	if key == "" {
 		return false
 	}
 
-	renderKeysLock.Lock()
-	defer renderKeysLock.Unlock()
-
-	renderUser, exists := renderKeys[key]
+	renderUser, exists := renderService.GetRenderUser(key)
 	if !exists {
 		ctx.JsonApiErr(401, "Invalid Render Key", nil)
 		return true
 	}
 
 	ctx.IsSignedIn = true
-	ctx.SignedInUser = renderUser
+	ctx.SignedInUser = &m.SignedInUser{
+		OrgId:   renderUser.OrgID,
+		UserId:  renderUser.UserID,
+		OrgRole: m.RoleType(renderUser.OrgRole),
+	}
 	ctx.IsRenderCall = true
 	ctx.LastSeenAt = time.Now()
 	return true
 }
-
-func AddRenderAuthKey(orgId int64, userId int64, orgRole m.RoleType) (string, error) {
-	renderKeysLock.Lock()
-	defer renderKeysLock.Unlock()
-
-	key, err := util.GetRandomString(32)
-	if err != nil {
-		return "", err
-	}
-
-	renderKeys[key] = &m.SignedInUser{
-		OrgId:   orgId,
-		OrgRole: orgRole,
-		UserId:  userId,
-	}
-
-	return key, nil
-}
-
-func RemoveRenderAuthKey(key string) {
-	renderKeysLock.Lock()
-	defer renderKeysLock.Unlock()
-
-	delete(renderKeys, key)
-}