Accesscontrol: Remove service account creation code from addapikey (#43900)

* Remove service account creation code from addapikey
Co-authored-by: J Guerreiro <joao.guerreiro@grafana.com>
Jeremy Price 2022-01-12 15:18:57 +01:00 committed by GitHub
parent 6409e761b5
commit e894837b7e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 41 deletions


@ -80,35 +80,8 @@ func (hs *HTTPServer) AddAPIKey(c *models.ReqContext) response.Response {
cmd.OrgId = c.OrgId
var err error
if hs.Cfg.FeatureToggles["service-accounts"] {
//Every new API key must have an associated service account
if cmd.CreateNewServiceAccount {
//Create a new service account for the new API key
serviceAccount, err := hs.SQLStore.CloneUserToServiceAccount(c.Req.Context(), c.SignedInUser)
if err != nil {
hs.log.Warn("Unable to clone user to service account", "err", err)
return response.Error(500, "Unable to clone user to service account", err)
}
cmd.ServiceAccountId = serviceAccount.Id
} else {
//Link the new API key to an existing service account
//Check if user and service account are in the same org
query := models.GetUserByIdQuery{Id: cmd.ServiceAccountId}
err = bus.Dispatch(c.Req.Context(), &query)
if err != nil {
hs.log.Warn("Unable to link new API key to existing service account", "err", err, "query", query)
return response.Error(500, "Unable to link new API key to existing service account", err)
}
serviceAccountDetails := query.Result
if serviceAccountDetails.OrgId != c.OrgId || serviceAccountDetails.OrgId != cmd.OrgId {
hs.log.Warn("Target service is not in the same organisation as requesting user or api key", "err", err, "reqOrg", cmd.OrgId, "serviceAccId", serviceAccountDetails.OrgId, "userOrgId", c.OrgId)
return response.Error(403, "Target service is not in the same organisation as requesting user or api key", err)
}
}
} else {
if cmd.CreateNewServiceAccount {
return response.Error(400, "Service accounts disabled. Retry create api request without service account flag.", err)
}
// Api keys should now be created with addadditionalapikey endpoint
return response.Error(400, "API keys should now be added via the AdditionalAPIKey endpoint.", err)
}
newKeyInfo, err := apikeygen.New(cmd.OrgId, cmd.Name)
@ -146,9 +119,6 @@ func (hs *HTTPServer) AdditionalAPIKey(c *models.ReqContext) response.Response {
if !hs.Cfg.FeatureToggles["service-accounts"] {
return response.Error(500, "Requires services-accounts feature", errors.New("feature missing"))
}
if cmd.CreateNewServiceAccount {
return response.Error(500, "Can't create service account while adding additional API key", nil)
}
return hs.AddAPIKey(c)
}
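Review bot: AdditionalAPIKey still ends in `return hs.AddAPIKey(c)`, but it only reaches that line when the `service-accounts` toggle is on. The +/- markers are lost on this page; going by the hunk counts, the branch kept in AddAPIKey appears to be the one that returns 400 "API keys should now be added via the AdditionalAPIKey endpoint." under that same toggle. If so, every request through AdditionalAPIKey is rejected and no key can be created while the toggle is enabled. The key-generation code after the toggle check could move into an unexported helper that both handlers call once their own toggle check has passed, for example `return hs.addAPIKeyForOrg(c, cmd)` (the helper name is a placeholder). That 400 also passes `err`, which is still nil from the `var err error` just above, so `nil` would be clearer there. Both function bodies start and end outside the hunks shown.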


@ -27,15 +27,13 @@ type ApiKey struct {
// ---------------------
// COMMANDS
type AddApiKeyCommand struct {
Name string `json:"name" binding:"Required"`
Role RoleType `json:"role" binding:"Required"`
OrgId int64 `json:"-"`
Key string `json:"-"`
SecondsToLive int64 `json:"secondsToLive"`
ServiceAccountId int64 `json:"serviceAccount"`
CreateNewServiceAccount bool `json:"createServiceAccount"`
Result *ApiKey `json:"-"`
Name string `json:"name" binding:"Required"`
Role RoleType `json:"role" binding:"Required"`
OrgId int64 `json:"-"`
Key string `json:"-"`
SecondsToLive int64 `json:"secondsToLive"`
ServiceAccountId int64 `json:"-"`
Result *ApiKey `json:"-"`
}
type DeleteApiKeyCommand struct {
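Review bot: `ServiceAccountId` in `AddApiKeyCommand` is now tagged `json:"-"`, which stops a request body from choosing the account, but the struct does not say who is expected to set it. The same-organisation check deleted from the handler in the other file was the only validation of this field visible on this page. A field comment would keep that requirement attached to the field, for example `// ServiceAccountId is set server-side only; verify the account belongs to OrgId before assigning it.` A handler test that posts a body containing `"serviceAccount"` and asserts the value is ignored would guard the tag against regressions.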