AuthN: Embed an OAuth2 server for external service authentication (#68086)

* Moving POC files from #64283 to a new branch

Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>

* Adding missing permission definition

Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>

* Force the service instantiation while client isn't merged

Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>

* Merge conf with main

Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>

* Leave go-sqlite3 version unchanged

Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>

* tidy

Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>

* User SearchUserPermissions instead of SearchUsersPermissions

* Replace DummyKeyService with signingkeys.Service

* Use user🆔<id> as subject

* Fix introspection endpoint issue

* Add X-Grafana-Org-Id to get_resources.bash script

* Regenerate toggles_gen.go
* Fix basic.go

* Add GetExternalService tests

* Add GetPublicKeyScopes tests

* Add GetScopesOnUser tests

* Add GetScopes tests

* Add ParsePublicKeyPem tests

* Add database test for GetByName

* re-add comments

* client tests added

* Add GetExternalServicePublicKey tests

* Add other test case to GetExternalServicePublicKey

* client_credentials grant test

* Add test to jwtbearer grant

* Test Comments

* Add handleKeyOptions tests

* Add RSA key generation test

* Add ECDSA by default to EmbeddedSigningKeysService

* Clean up org id scope and audiences

* Add audiences to the DB

* Fix check on Audience

* Fix double import

* Add AC Store mock and align oauthserver tests

* Fix test after rebase

* Adding missing store function to mock

* Fix double import

* Add CODEOWNER

* Fix some linting errors

* errors don't need type assertion

* Typo codeowners

* use mockery for oauthserver store

* Add feature toggle check

* Fix db tests to handle the feature flag

* Adding call to DeleteExternalServiceRole

* Fix flaky test

* Re-organize routes comments and plan futur work

* Add client_id check to Extended JWT client

* Clean up

* Fix

* Remove background service registry instantiation of the OAuth server

* Comment cleanup

* Remove unused client function

* Update go.mod to use the latest ory/fosite commit

* Remove oauth2_server related configs from defaults.ini

* Add audiences to DTO

* Fix flaky test

* Remove registration endpoint and demo scripts. Document code

* Rename packages

* Remove the OAuthService vs OAuthServer confusion

* fix incorrect import ext_jwt_test

* Comments and order

* Comment basic auth

* Remove unecessary todo

* Clean api

* Moving ParsePublicKeyPem to utils

* re ordering functions in service.go

* Fix comment

* comment on the redirect uri

* Add RBAC actions, not only scopes

* Fix tests

* re-import featuremgmt in migrations

* Fix wire

* Fix scopes in test

* Fix flaky test

* Remove todo, the intersection should always return the minimal set

* Remove unecessary check from intersection code

* Allow env overrides on settings

* remove the term app name

* Remove app keyword for client instead and use Name instead of ExternalServiceName

* LogID remove ExternalService ref

* Use Name instead of ExternalServiceName

* Imports order

* Inline

* Using ExternalService and ExternalServiceDTO

* Remove xorm tags

* comment

* Rename client files

* client -> external service

* comments

* Move test to correct package

* slimmer test

* cachedUser -> cachedExternalService

* Fix aggregate store test

* PluginAuthSession -> AuthSession

* Revert the nil cehcks

* Remove unecessary extra

* Removing custom session

* fix typo in test

* Use constants for tests

* Simplify HandleToken tests

* Refactor the HandleTokenRequest test

* test message

* Review test

* Prevent flacky test on client as well

* go imports

* Revert changes from 526e48ad45

* AuthN: Change the External Service registration form (#68649)

* AuthN: change the External Service registration form

* Gen default permissions

* Change demo script registration form

* Remove unecessary comment

* Nit.

* Reduce cyclomatic complexity

* Remove demo_scripts

* Handle case with no service account

* Comments

* Group key gen

* Nit.

* Check the SaveExternalService test

* Rename cachedUser to cachedClient in test

* One more test case to database test

* Comments

* Remove last org scope

Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>

* Update pkg/services/oauthserver/utils/utils_test.go

* Update pkg/services/sqlstore/migrations/oauthserver/migrations.go

Remove comment

* Update pkg/setting/setting.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

---------

Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>

pkg/services/accesscontrol/accesscontrol.go

@@ -196,6 +196,7 @@ func GroupScopesByAction(permissions []Permission) map[string][]string {
 	return m
 }
 
+// Reduce will reduce a list of permissions to its minimal form, grouping scopes by action
 func Reduce(ps []Permission) map[string][]string {
 	reduced := make(map[string][]string)
 	scopesByAction := make(map[string]map[string]bool)
@@ -260,6 +261,110 @@ func Reduce(ps []Permission) map[string][]string {
 	return reduced
 }
 
+// intersectScopes computes the minimal list of scopes common to two slices.
+func intersectScopes(s1, s2 []string) []string {
+	if len(s1) == 0 || len(s2) == 0 {
+		return []string{}
+	}
+
+	// helpers
+	splitScopes := func(s []string) (map[string]bool, map[string]bool) {
+		scopes := make(map[string]bool)
+		wildcards := make(map[string]bool)
+		for _, s := range s {
+			if isWildcard(s) {
+				wildcards[s] = true
+			} else {
+				scopes[s] = true
+			}
+		}
+		return scopes, wildcards
+	}
+	includes := func(wildcardsSet map[string]bool, scope string) bool {
+		for wildcard := range wildcardsSet {
+			if wildcard == "*" || strings.HasPrefix(scope, wildcard[:len(wildcard)-1]) {
+				return true
+			}
+		}
+		return false
+	}
+
+	res := make([]string, 0)
+
+	// split input into scopes and wildcards
+	s1Scopes, s1Wildcards := splitScopes(s1)
+	s2Scopes, s2Wildcards := splitScopes(s2)
+
+	// intersect wildcards
+	wildcards := make(map[string]bool)
+	for s := range s1Wildcards {
+		// if s1 wildcard is included in s2 wildcards
+		// then it is included in the intersection
+		if includes(s2Wildcards, s) {
+			wildcards[s] = true
+			continue
+		}
+	}
+	for s := range s2Wildcards {
+		// if s2 wildcard is included in s1 wildcards
+		// then it is included in the intersection
+		if includes(s1Wildcards, s) {
+			wildcards[s] = true
+		}
+	}
+
+	// intersect scopes
+	scopes := make(map[string]bool)
+	for s := range s1Scopes {
+		// if s1 scope is included in s2 wilcards or s2 scopes
+		// then it is included in the intersection
+		if includes(s2Wildcards, s) || s2Scopes[s] {
+			scopes[s] = true
+		}
+	}
+	for s := range s2Scopes {
+		// if s2 scope is included in s1 wilcards
+		// then it is included in the intersection
+		if includes(s1Wildcards, s) {
+			scopes[s] = true
+		}
+	}
+
+	// merge wildcards and scopes
+	for w := range wildcards {
+		res = append(res, w)
+	}
+	for s := range scopes {
+		res = append(res, s)
+	}
+
+	return res
+}
+
+// Intersect returns the intersection of two slices of permissions, grouping scopes by action.
+func Intersect(p1, p2 []Permission) map[string][]string {
+	if len(p1) == 0 || len(p2) == 0 {
+		return map[string][]string{}
+	}
+
+	res := make(map[string][]string)
+	p1m := Reduce(p1)
+	p2m := Reduce(p2)
+
+	// Loop over the smallest map
+	if len(p1m) > len(p2m) {
+		p1m, p2m = p2m, p1m
+	}
+
+	for a1, s1 := range p1m {
+		if s2, ok := p2m[a1]; ok {
+			res[a1] = intersectScopes(s1, s2)
+		}
+	}
+
+	return res
+}
+
 func ValidateScope(scope string) bool {
 	prefix, last := scope[:len(scope)-1], scope[len(scope)-1]
 	// verify that last char is either ':' or '/' if last character of scope is '*'