Accesscontrol: Remove service account creation code from addapikey (#43900)

* Remove service account creation code from addapikey
Co-authored-by: J Guerreiro <joao.guerreiro@grafana.com>

pkg/api/apikey.go

@@ -80,35 +80,8 @@ func (hs *HTTPServer) AddAPIKey(c *models.ReqContext) response.Response {
 	cmd.OrgId = c.OrgId
 	var err error
 	if hs.Cfg.FeatureToggles["service-accounts"] {
-		//Every new API key must have an associated service account
-		if cmd.CreateNewServiceAccount {
-			//Create a new service account for the new API key
-			serviceAccount, err := hs.SQLStore.CloneUserToServiceAccount(c.Req.Context(), c.SignedInUser)
-			if err != nil {
-				hs.log.Warn("Unable to clone user to service account", "err", err)
-				return response.Error(500, "Unable to clone user to service account", err)
-			}
-			cmd.ServiceAccountId = serviceAccount.Id
-		} else {
-			//Link the new API key to an existing service account
-
-			//Check if user and service account are in the same org
-			query := models.GetUserByIdQuery{Id: cmd.ServiceAccountId}
-			err = bus.Dispatch(c.Req.Context(), &query)
-			if err != nil {
-				hs.log.Warn("Unable to link new API key to existing service account", "err", err, "query", query)
-				return response.Error(500, "Unable to link new API key to existing service account", err)
-			}
-			serviceAccountDetails := query.Result
-			if serviceAccountDetails.OrgId != c.OrgId || serviceAccountDetails.OrgId != cmd.OrgId {
-				hs.log.Warn("Target service is not in the same organisation as requesting user or api key", "err", err, "reqOrg", cmd.OrgId, "serviceAccId", serviceAccountDetails.OrgId, "userOrgId", c.OrgId)
-				return response.Error(403, "Target service is not in the same organisation as requesting user or api key", err)
-			}
-		}
-	} else {
-		if cmd.CreateNewServiceAccount {
-			return response.Error(400, "Service accounts disabled.  Retry create api request without service account flag.", err)
-		}
+		// Api keys should now be created with addadditionalapikey endpoint
+		return response.Error(400, "API keys should now be added via the AdditionalAPIKey endpoint.", err)
 	}
 
 	newKeyInfo, err := apikeygen.New(cmd.OrgId, cmd.Name)
@@ -146,9 +119,6 @@ func (hs *HTTPServer) AdditionalAPIKey(c *models.ReqContext) response.Response {
 	if !hs.Cfg.FeatureToggles["service-accounts"] {
 		return response.Error(500, "Requires services-accounts feature", errors.New("feature missing"))
 	}
-	if cmd.CreateNewServiceAccount {
-		return response.Error(500, "Can't create service account while adding additional API key", nil)
-	}
 
 	return hs.AddAPIKey(c)
 }

pkg/models/apikey.go

@@ -27,15 +27,13 @@ type ApiKey struct {
 // ---------------------
 // COMMANDS
 type AddApiKeyCommand struct {
-	Name                    string   `json:"name" binding:"Required"`
-	Role                    RoleType `json:"role" binding:"Required"`
-	OrgId                   int64    `json:"-"`
-	Key                     string   `json:"-"`
-	SecondsToLive           int64    `json:"secondsToLive"`
-	ServiceAccountId        int64    `json:"serviceAccount"`
-	CreateNewServiceAccount bool     `json:"createServiceAccount"`
-
-	Result *ApiKey `json:"-"`
+	Name             string   `json:"name" binding:"Required"`
+	Role             RoleType `json:"role" binding:"Required"`
+	OrgId            int64    `json:"-"`
+	Key              string   `json:"-"`
+	SecondsToLive    int64    `json:"secondsToLive"`
+	ServiceAccountId int64    `json:"-"`
+	Result           *ApiKey  `json:"-"`
 }
 
 type DeleteApiKeyCommand struct {