Azure: Configuration for user identity authentication in datasources (Experimental) (#50277)

* Configuration for user identity authentication * Use token endpoint form Azure AD settings * Documentation update * Update Grafana Azure SDK * Fix secret override * Fix lint * Fix doc wording
2025-02-25 18:55:37 -06:00 · 2023-05-15 10:00:54 -07:00
parent 5ec0f82baa
commit eafba8fa69
11 changed files with 250 additions and 6 deletions
--- a/pkg/api/dtos/frontend_settings.go
+++ b/pkg/api/dtos/frontend_settings.go
@@ -46,6 +46,7 @@ type FrontendSettingsLicenseInfoDTO struct {
 type FrontendSettingsAzureDTO struct {
 	Cloud                  string `json:"cloud"`
 	ManagedIdentityEnabled bool   `json:"managedIdentityEnabled"`
+	UserIdentityEnabled    bool   `json:"userIdentityEnabled"`
 }

 type FrontendSettingsCachingDTO struct {
--- a/pkg/api/frontendsettings.go
+++ b/pkg/api/frontendsettings.go
@@ -198,6 +198,7 @@ func (hs *HTTPServer) getFrontendSettings(c *contextmodel.ReqContext) (*dtos.Fro
 		Azure: dtos.FrontendSettingsAzureDTO{
 			Cloud:                  hs.Cfg.Azure.Cloud,
 			ManagedIdentityEnabled: hs.Cfg.Azure.ManagedIdentityEnabled,
+			UserIdentityEnabled:    hs.Cfg.Azure.UserIdentityEnabled,
 		},

 		Caching: dtos.FrontendSettingsCachingDTO{
--- a/pkg/api/pluginproxy/token_provider_azure.go
+++ b/pkg/api/pluginproxy/token_provider_azure.go
@@ -20,7 +20,7 @@ type azureAccessTokenProvider struct {

 func newAzureAccessTokenProvider(ctx context.Context, cfg *setting.Cfg, authParams *plugins.JWTTokenAuth) (*azureAccessTokenProvider, error) {
 	credentials := getAzureCredentials(cfg.Azure, authParams)
-	tokenProvider, err := aztokenprovider.NewAzureAccessTokenProvider(cfg.Azure, credentials)
+	tokenProvider, err := aztokenprovider.NewAzureAccessTokenProvider(cfg.Azure, credentials, false)
 	if err != nil {
 		return nil, err
 	}
--- a/pkg/setting/setting_azure.go
+++ b/pkg/setting/setting_azure.go
@@ -1,6 +1,8 @@
 package setting

-import "github.com/grafana/grafana-azure-sdk-go/azsettings"
+import (
+	"github.com/grafana/grafana-azure-sdk-go/azsettings"
+)

 func (cfg *Cfg) readAzureSettings() {
 	azureSettings := &azsettings.AzureSettings{}
@@ -11,9 +13,37 @@ func (cfg *Cfg) readAzureSettings() {
 	cloudName := azureSection.Key("cloud").MustString(azsettings.AzurePublic)
 	azureSettings.Cloud = azsettings.NormalizeAzureCloud(cloudName)

-	// Managed Identity
+	// Managed Identity authentication
 	azureSettings.ManagedIdentityEnabled = azureSection.Key("managed_identity_enabled").MustBool(false)
 	azureSettings.ManagedIdentityClientId = azureSection.Key("managed_identity_client_id").String()

+	// User Identity authentication
+	if azureSection.Key("user_identity_enabled").MustBool(false) {
+		azureSettings.UserIdentityEnabled = true
+		tokenEndpointSettings := &azsettings.TokenEndpointSettings{}
+
+		// Get token endpoint from Azure AD settings if enabled
+		azureAdSection := cfg.Raw.Section("auth.azuread")
+		if azureAdSection.Key("enabled").MustBool(false) {
+			tokenEndpointSettings.TokenUrl = azureAdSection.Key("token_url").String()
+			tokenEndpointSettings.ClientId = azureAdSection.Key("client_id").String()
+			tokenEndpointSettings.ClientSecret = azureAdSection.Key("client_secret").String()
+		}
+
+		// Override individual settings
+		if val := azureSection.Key("user_identity_token_url").String(); val != "" {
+			tokenEndpointSettings.TokenUrl = val
+		}
+		if val := azureSection.Key("user_identity_client_id").String(); val != "" {
+			tokenEndpointSettings.ClientId = val
+			tokenEndpointSettings.ClientSecret = ""
+		}
+		if val := azureSection.Key("user_identity_client_secret").String(); val != "" {
+			tokenEndpointSettings.ClientSecret = val
+		}
+
+		azureSettings.UserIdentityTokenEndpoint = tokenEndpointSettings
+	}
+
 	cfg.Azure = azureSettings
 }
--- a/pkg/setting/setting_azure_test.go
+++ b/pkg/setting/setting_azure_test.go
@@ -63,4 +63,156 @@ func TestAzureSettings(t *testing.T) {
 			})
 		}
 	})
+
+	t.Run("User Identity", func(t *testing.T) {
+		t.Run("should be disabled by default", func(t *testing.T) {
+			cfg := NewCfg()
+
+			cfg.readAzureSettings()
+			require.NotNil(t, cfg.Azure)
+
+			assert.False(t, cfg.Azure.UserIdentityEnabled)
+		})
+
+		t.Run("should be enabled", func(t *testing.T) {
+			cfg := NewCfg()
+
+			azureSection, err := cfg.Raw.NewSection("azure")
+			require.NoError(t, err)
+			_, err = azureSection.NewKey("user_identity_enabled", "true")
+			require.NoError(t, err)
+
+			cfg.readAzureSettings()
+			require.NotNil(t, cfg.Azure)
+			require.NotNil(t, cfg.Azure.UserIdentityTokenEndpoint)
+
+			assert.True(t, cfg.Azure.UserIdentityEnabled)
+		})
+
+		t.Run("should use token endpoint from Azure AD if enabled", func(t *testing.T) {
+			cfg := NewCfg()
+
+			azureAdSection, err := cfg.Raw.NewSection("auth.azuread")
+			require.NoError(t, err)
+			_, err = azureAdSection.NewKey("enabled", "true")
+			require.NoError(t, err)
+			_, err = azureAdSection.NewKey("token_url", "URL_1")
+			require.NoError(t, err)
+			_, err = azureAdSection.NewKey("client_id", "ID_1")
+			require.NoError(t, err)
+			_, err = azureAdSection.NewKey("client_secret", "SECRET_1")
+			require.NoError(t, err)
+
+			azureSection, err := cfg.Raw.NewSection("azure")
+			require.NoError(t, err)
+			_, err = azureSection.NewKey("user_identity_enabled", "true")
+			require.NoError(t, err)
+
+			cfg.readAzureSettings()
+			require.NotNil(t, cfg.Azure)
+			require.NotNil(t, cfg.Azure.UserIdentityTokenEndpoint)
+
+			assert.True(t, cfg.Azure.UserIdentityEnabled)
+			assert.Equal(t, "URL_1", cfg.Azure.UserIdentityTokenEndpoint.TokenUrl)
+			assert.Equal(t, "ID_1", cfg.Azure.UserIdentityTokenEndpoint.ClientId)
+			assert.Equal(t, "SECRET_1", cfg.Azure.UserIdentityTokenEndpoint.ClientSecret)
+		})
+
+		t.Run("should not use token endpoint from Azure AD if not enabled", func(t *testing.T) {
+			cfg := NewCfg()
+
+			azureAdSection, err := cfg.Raw.NewSection("auth.azuread")
+			require.NoError(t, err)
+			_, err = azureAdSection.NewKey("enabled", "false")
+			require.NoError(t, err)
+			_, err = azureAdSection.NewKey("token_url", "URL_1")
+			require.NoError(t, err)
+			_, err = azureAdSection.NewKey("client_id", "ID_1")
+			require.NoError(t, err)
+			_, err = azureAdSection.NewKey("client_secret", "SECRET_1")
+			require.NoError(t, err)
+
+			azureSection, err := cfg.Raw.NewSection("azure")
+			require.NoError(t, err)
+			_, err = azureSection.NewKey("user_identity_enabled", "true")
+			require.NoError(t, err)
+
+			cfg.readAzureSettings()
+			require.NotNil(t, cfg.Azure)
+			require.NotNil(t, cfg.Azure.UserIdentityTokenEndpoint)
+
+			assert.True(t, cfg.Azure.UserIdentityEnabled)
+			assert.Empty(t, cfg.Azure.UserIdentityTokenEndpoint.TokenUrl)
+			assert.Empty(t, cfg.Azure.UserIdentityTokenEndpoint.ClientId)
+			assert.Empty(t, cfg.Azure.UserIdentityTokenEndpoint.ClientSecret)
+		})
+
+		t.Run("should override Azure AD settings", func(t *testing.T) {
+			cfg := NewCfg()
+
+			azureAdSection, err := cfg.Raw.NewSection("auth.azuread")
+			require.NoError(t, err)
+			_, err = azureAdSection.NewKey("enabled", "true")
+			require.NoError(t, err)
+			_, err = azureAdSection.NewKey("token_url", "URL_1")
+			require.NoError(t, err)
+			_, err = azureAdSection.NewKey("client_id", "ID_1")
+			require.NoError(t, err)
+			_, err = azureAdSection.NewKey("client_secret", "SECRET_1")
+			require.NoError(t, err)
+
+			azureSection, err := cfg.Raw.NewSection("azure")
+			require.NoError(t, err)
+			_, err = azureSection.NewKey("user_identity_enabled", "true")
+			require.NoError(t, err)
+			_, err = azureSection.NewKey("user_identity_token_url", "URL_2")
+			require.NoError(t, err)
+			_, err = azureSection.NewKey("user_identity_client_id", "ID_2")
+			require.NoError(t, err)
+			_, err = azureSection.NewKey("user_identity_client_secret", "SECRET_2")
+			require.NoError(t, err)
+
+			cfg.readAzureSettings()
+			require.NotNil(t, cfg.Azure)
+			require.NotNil(t, cfg.Azure.UserIdentityTokenEndpoint)
+
+			assert.True(t, cfg.Azure.UserIdentityEnabled)
+			assert.Equal(t, "URL_2", cfg.Azure.UserIdentityTokenEndpoint.TokenUrl)
+			assert.Equal(t, "ID_2", cfg.Azure.UserIdentityTokenEndpoint.ClientId)
+			assert.Equal(t, "SECRET_2", cfg.Azure.UserIdentityTokenEndpoint.ClientSecret)
+		})
+
+		t.Run("should not use secret from Azure AD if client ID overridden", func(t *testing.T) {
+			cfg := NewCfg()
+
+			azureAdSection, err := cfg.Raw.NewSection("auth.azuread")
+			require.NoError(t, err)
+			_, err = azureAdSection.NewKey("enabled", "true")
+			require.NoError(t, err)
+			_, err = azureAdSection.NewKey("token_url", "URL_1")
+			require.NoError(t, err)
+			_, err = azureAdSection.NewKey("client_id", "ID_1")
+			require.NoError(t, err)
+			_, err = azureAdSection.NewKey("client_secret", "SECRET_1")
+			require.NoError(t, err)
+
+			azureSection, err := cfg.Raw.NewSection("azure")
+			require.NoError(t, err)
+			_, err = azureSection.NewKey("user_identity_enabled", "true")
+			require.NoError(t, err)
+			_, err = azureSection.NewKey("user_identity_token_url", "URL_2")
+			require.NoError(t, err)
+			_, err = azureSection.NewKey("user_identity_client_id", "ID_2")
+			require.NoError(t, err)
+
+			cfg.readAzureSettings()
+			require.NotNil(t, cfg.Azure)
+			require.NotNil(t, cfg.Azure.UserIdentityTokenEndpoint)
+
+			assert.True(t, cfg.Azure.UserIdentityEnabled)
+			assert.Equal(t, "URL_2", cfg.Azure.UserIdentityTokenEndpoint.TokenUrl)
+			assert.Equal(t, "ID_2", cfg.Azure.UserIdentityTokenEndpoint.ClientId)
+			assert.Empty(t, cfg.Azure.UserIdentityTokenEndpoint.ClientSecret)
+		})
+	})
 }