Azure: Fix for username assertion (#87853)

Fix for username assertion

- Allow setting username assertion in INI
- Correctly set the azsettings value
- Update tests
Andreas Christou 2024-05-16 17:50:02 +01:00 committed by GitHub
parent 1957cfe6af
commit edae5fc791
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 47 additions and 0 deletions


@ -970,6 +970,11 @@ user_identity_client_id =
# By default is the same as used in AAD authentication or can be set to another application (for OBO flow)
user_identity_client_secret =
# Allows the usage of a custom token request assertion when Grafana is behind an authentication proxy
# In most cases this will not need to be used. To enable this set the value to "username"
# The default is empty and any other value will not enable this functionality
username_assertion =
# Set the plugins that will receive Azure settings for each request (via plugin context)
# By default this will include all Grafana Labs owned Azure plugins, or those that make use of Azure settings (Azure Monitor, Azure Data Explorer, Prometheus, MSSQL).
forward_settings_to_plugins = grafana-azure-monitor-datasource, prometheus, grafana-azure-data-explorer-datasource, mssql


@ -888,6 +888,11 @@
# By default is the same as used in AAD authentication or can be set to another application (for OBO flow)
;user_identity_client_secret =
# Allows the usage of a custom token request assertion when Grafana is behind an authentication proxy
# In most cases this will not need to be used. To enable this set the value to "username"
# The default is empty and any other value will not enable this functionality
;username_assertion =
# Set the plugins that will receive Azure settings for each request (via plugin context)
# By default this will include all Grafana Labs owned Azure plugins, or those that make use of Azure settings (Azure Monitor, Azure Data Explorer, Prometheus, MSSQL).
;forward_settings_to_plugins = grafana-azure-monitor-datasource, prometheus, grafana-azure-data-explorer-datasource, mssql


@ -64,6 +64,9 @@ func (cfg *Cfg) readAzureSettings() {
if val := azureSection.Key("user_identity_client_secret").String(); val != "" {
tokenEndpointSettings.ClientSecret = val
}
if val := azureSection.Key("username_assertion").String(); val != "" && val == "username" {
tokenEndpointSettings.UsernameAssertion = true
}
azureSettings.UserIdentityTokenEndpoint = tokenEndpointSettings
azureSettings.UserIdentityFallbackCredentialsEnabled = azureSection.Key("user_identity_fallback_credentials_enabled").MustBool(true)
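Review bot: The condition on the new `if` is redundant: `val != "" && val == "username"` is equivalent to `val == "username"`, so the line can simply read `if azureSection.Key("username_assertion").String() == "username" {`. Because the comparison is exact and case-sensitive, any other spelling silently leaves the assertion disabled, which is what defaults.ini documents but is not obvious from the code; a one-line comment such as `// Only the literal "username" enables the assertion; any other value leaves it disabled (see defaults.ini).` would make that intent explicit. readAzureSettings begins outside this hunk, so whether this block is reached only when user identity is enabled cannot be confirmed from here.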


@ -261,6 +261,40 @@ func TestAzureSettings(t *testing.T) {
assert.Equal(t, "ID_2", cfg.Azure.UserIdentityTokenEndpoint.ClientId)
assert.Empty(t, cfg.Azure.UserIdentityTokenEndpoint.ClientSecret)
})
t.Run("does not enable username assertion by default", func(t *testing.T) {
cfg := NewCfg()
azureSection, err := cfg.Raw.NewSection("azure")
require.NoError(t, err)
_, err = azureSection.NewKey("user_identity_enabled", "true")
require.NoError(t, err)
cfg.readAzureSettings()
require.NotNil(t, cfg.Azure)
require.NotNil(t, cfg.Azure.UserIdentityTokenEndpoint)
assert.True(t, cfg.Azure.UserIdentityEnabled)
assert.False(t, cfg.Azure.UserIdentityTokenEndpoint.UsernameAssertion)
})
t.Run("should appropriately set username assertion", func(t *testing.T) {
cfg := NewCfg()
azureSection, err := cfg.Raw.NewSection("azure")
require.NoError(t, err)
_, err = azureSection.NewKey("user_identity_enabled", "true")
require.NoError(t, err)
_, err = azureSection.NewKey("username_assertion", "username")
require.NoError(t, err)
cfg.readAzureSettings()
require.NotNil(t, cfg.Azure)
require.NotNil(t, cfg.Azure.UserIdentityTokenEndpoint)
assert.True(t, cfg.Azure.UserIdentityEnabled)
assert.True(t, cfg.Azure.UserIdentityTokenEndpoint.UsernameAssertion)
})
})
t.Run("forward settings to plugins", func(t *testing.T) {