mirror of
https://github.com/grafana/grafana.git
synced 2024-12-25 08:21:46 -06:00
Azure: Fix for username assertion (#87853)
Fix for username assertion - Allow setting username assertion in INI - Correctly set the azsettings value - Update tests
parent
1957cfe6af
commit
edae5fc791
@ -970,6 +970,11 @@ user_identity_client_id =
|
||||
# By default is the same as used in AAD authentication or can be set to another application (for OBO flow)
|
||||
user_identity_client_secret =
|
||||
|
||||
# Allows the usage of a custom token request assertion when Grafana is behind an authentication proxy
|
||||
# In most cases this will not need to be used. To enable this set the value to "username"
|
||||
# The default is empty and any other value will not enable this functionality
|
||||
username_assertion =
|
||||
|
||||
# Set the plugins that will receive Azure settings for each request (via plugin context)
|
||||
# By default this will include all Grafana Labs owned Azure plugins, or those that make use of Azure settings (Azure Monitor, Azure Data Explorer, Prometheus, MSSQL).
|
||||
forward_settings_to_plugins = grafana-azure-monitor-datasource, prometheus, grafana-azure-data-explorer-datasource, mssql
|
||||
|
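Review bot: The new comment block above `username_assertion =` does not tell an operator what enabling this means for authentication, and the same text is repeated in the commented-out sample hunk that follows. From the wording, the option appears to replace the normal token request assertion with the username supplied through the authentication proxy; if so, Grafana would be trusting that username for Azure token requests, which should be stated. I would add a line such as `# Only enable this when Grafana is reachable exclusively through the authentication proxy` and confirm the behaviour against the Azure SDK. The reader compares the value exactly, so it is also worth adding `# The value is matched exactly and is case-sensitive`.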
@ -888,6 +888,11 @@
|
||||
# By default is the same as used in AAD authentication or can be set to another application (for OBO flow)
|
||||
;user_identity_client_secret =
|
||||
|
||||
# Allows the usage of a custom token request assertion when Grafana is behind an authentication proxy
|
||||
# In most cases this will not need to be used. To enable this set the value to "username"
|
||||
# The default is empty and any other value will not enable this functionality
|
||||
;username_assertion =
|
||||
|
||||
# Set the plugins that will receive Azure settings for each request (via plugin context)
|
||||
# By default this will include all Grafana Labs owned Azure plugins, or those that make use of Azure settings (Azure Monitor, Azure Data Explorer, Prometheus, MSSQL).
|
||||
;forward_settings_to_plugins = grafana-azure-monitor-datasource, prometheus, grafana-azure-data-explorer-datasource, mssql
|
||||
|
@ -64,6 +64,9 @@ func (cfg *Cfg) readAzureSettings() {
|
||||
if val := azureSection.Key("user_identity_client_secret").String(); val != "" {
|
||||
tokenEndpointSettings.ClientSecret = val
|
||||
}
|
||||
if val := azureSection.Key("username_assertion").String(); val != "" && val == "username" {
|
||||
tokenEndpointSettings.UsernameAssertion = true
|
||||
}
|
||||
|
||||
azureSettings.UserIdentityTokenEndpoint = tokenEndpointSettings
|
||||
azureSettings.UserIdentityFallbackCredentialsEnabled = azureSection.Key("user_identity_fallback_credentials_enabled").MustBool(true)
|
||||
|
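Review bot: The condition on the added `username_assertion` line is redundant, because `val != "" && val == "username"` is fully implied by the equality test; `if azureSection.Key("username_assertion").String() == "username" {` says the same thing. Failing closed on any other value is the right default for an authentication toggle. A misspelt value such as a different casing is dropped silently, though, so an operator has no sign that the setting was ignored. If this function has access to a logger, a warning on non-empty unrecognized values would help. A short comment such as `// Only the exact value "username" enables the assertion; anything else leaves it disabled.` would record the intent. readAzureSettings starts and ends outside this hunk.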
@ -261,6 +261,40 @@ func TestAzureSettings(t *testing.T) {
|
||||
assert.Equal(t, "ID_2", cfg.Azure.UserIdentityTokenEndpoint.ClientId)
|
||||
assert.Empty(t, cfg.Azure.UserIdentityTokenEndpoint.ClientSecret)
|
||||
})
|
||||
|
||||
t.Run("does not enable username assertion by default", func(t *testing.T) {
|
||||
cfg := NewCfg()
|
||||
|
||||
azureSection, err := cfg.Raw.NewSection("azure")
|
||||
require.NoError(t, err)
|
||||
_, err = azureSection.NewKey("user_identity_enabled", "true")
|
||||
require.NoError(t, err)
|
||||
|
||||
cfg.readAzureSettings()
|
||||
require.NotNil(t, cfg.Azure)
|
||||
require.NotNil(t, cfg.Azure.UserIdentityTokenEndpoint)
|
||||
|
||||
assert.True(t, cfg.Azure.UserIdentityEnabled)
|
||||
assert.False(t, cfg.Azure.UserIdentityTokenEndpoint.UsernameAssertion)
|
||||
})
|
||||
|
||||
t.Run("should appropriately set username assertion", func(t *testing.T) {
|
||||
cfg := NewCfg()
|
||||
|
||||
azureSection, err := cfg.Raw.NewSection("azure")
|
||||
require.NoError(t, err)
|
||||
_, err = azureSection.NewKey("user_identity_enabled", "true")
|
||||
require.NoError(t, err)
|
||||
_, err = azureSection.NewKey("username_assertion", "username")
|
||||
require.NoError(t, err)
|
||||
|
||||
cfg.readAzureSettings()
|
||||
require.NotNil(t, cfg.Azure)
|
||||
require.NotNil(t, cfg.Azure.UserIdentityTokenEndpoint)
|
||||
|
||||
assert.True(t, cfg.Azure.UserIdentityEnabled)
|
||||
assert.True(t, cfg.Azure.UserIdentityTokenEndpoint.UsernameAssertion)
|
||||
})
|
||||
})
|
||||
|
||||
t.Run("forward settings to plugins", func(t *testing.T) {
|
||||
|
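Review bot: The two added subtests cover the unset key and the exact value "username", but not the third case the INI comment promises, that any other value leaves the feature disabled. Since this flag changes which assertion is sent in token requests, the fail-closed branch deserves its own subtest, so a later change to the comparison (for example a case-insensitive or truthy match) cannot enable it unnoticed. A subtest along the lines below, placed next to the other two, would pin that. TestAzureSettings starts and ends outside this hunk.

```go
// … unchanged: "does not enable username assertion by default" and "should appropriately set username assertion" subtests …
t.Run("does not enable username assertion for unrecognized values", func(t *testing.T) {
	cfg := NewCfg()

	azureSection, err := cfg.Raw.NewSection("azure")
	require.NoError(t, err)
	_, err = azureSection.NewKey("user_identity_enabled", "true")
	require.NoError(t, err)
	// Constructed sample value: anything other than the exact string "username".
	_, err = azureSection.NewKey("username_assertion", "true")
	require.NoError(t, err)

	cfg.readAzureSettings()
	require.NotNil(t, cfg.Azure)
	require.NotNil(t, cfg.Azure.UserIdentityTokenEndpoint)

	assert.False(t, cfg.Azure.UserIdentityTokenEndpoint.UsernameAssertion)
})
```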