Commit Graph

20 Commits

Author SHA1 Message Date
Gabriel MABILLE
99580d60f5
Chore: Fix flaky test by removing the extsvcauth background service (#79044) 2023-12-04 22:26:55 +01:00
Gabriel MABILLE
72d32eed27
ExtSvcAuth: Assign roles locally (#78669)
* ExtSvcAuth: Assign roles locally

* Fix test

* HandlePluginStateChanged in the OrgID

* Remove Global from command

* Use AssignmentOrgID instead of OrgID

* Remove unecessary test case
2023-11-29 12:12:30 +01:00
Xavi Lacasa
29853f624e
Lock when cleaning-up external services (#78589) 2023-11-24 17:44:14 +01:00
Xavi Lacasa
72759be6ec
AuthN: Support HA setups with External Service Account management (#78425)
* Lock when creating external service

* Add local lock back

* Improve function signature

* Define lockName separately to make it more explicit

* Update pkg/infra/serverlock/serverlock.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* Update pkg/infra/serverlock/serverlock.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2023-11-22 10:15:13 +01:00
Gabriel MABILLE
36fd9040af
Chore: Fix flaky test (#78309)
* Chore: Fix flaky test

* Found another one
2023-11-17 11:38:57 +02:00
Gabriel MABILLE
ba717454e1
ExtSvcAuth: Clean up orphaned external services on start up (#77951)
* Plugin: Remove external service on plugin removal

* Early exit no service account

* Add log

* WIP

* Cable OAuth2Server client removal

* Move function lower

* Add function to test removal

* Add test to RemoveExternalService

* Test RemoveExtSvcAccount

* remove apostrophy in comment

* Add cfg to plugin installer to check features

* Add feature flag check in the service registration service

* Comments

* Move metrics Inc

* Initialize map

* Reorder

* Initialize mutex as well

* Add HasExternalService as suggested

* WIP: CleanUpOrphanedExternalServices

* Commit suggestion

Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>

* Nit on test.

Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>

* oauthserver return names

* Name is not Slug

* Use plugin ID not slug

* Add background job

* remove negation on feature check

* Add test to the CleanUp function

* Test GetExternalServiceNames

* rename test

* Add test for ExtSvcAccountsService_GetExternalServiceNames

* Add a todo

* Add todo

* Option based on mix

* Rewrite a bit the comment

* Opinionated choice use slugs instead of names everywhere

* Nit.

* Comments and re-ordering

* Comment

* Add log

* Add context

---------

Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
2023-11-16 12:07:42 +01:00
Ryan McKinley
f69fd3726b
FeatureToggles: Add context and and an explicit global check (#78081) 2023-11-14 12:50:27 -08:00
Gabriel MABILLE
fe8d0e6381
ExtSvcAuth: Refactor external service registry to use ExternalServiceRegistry variables (#78056)
ExtSvcAuth: Refactor external service registry to use ExternalServiceRegistry
2023-11-13 16:23:11 +01:00
Gabriel MABILLE
20a2840046
Plugin: Remove external service on plugin removal (#77712)
* Plugin: Remove external service on plugin removal

* Add feature flag check in the service registration service

* Initialize map

* Add HasExternalService as suggested

* Commit suggestion

Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>

* Nit on test.

Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>


---------

Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
2023-11-13 13:18:13 +01:00
Ryan McKinley
5d5f8dfc52
Chore: Upgrade Go to 1.21.3 (#77304) 2023-11-01 09:17:38 -07:00
Gabriel MABILLE
83e9088314
AuthN: Set oauth client grant_types based on plugin state (#77248)
* Disable plugin service account

* Fix bug seen by linoman 💯

Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>

* Account for PR feedback

Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>

* Fix test data

* Enable datasource plugins by default

Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com>

* Update pkg/services/extsvcauth/oauthserver/oasimpl/service.go

* Handle error differently

* Fix service reg

---------

Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com>
2023-10-27 14:45:04 +02:00
Gabriel MABILLE
3015e5921f
Chore: Move extsvcaccounts package to serviceaccounts (#76977)
* Chore: Move extsvcaccounts package to serviceaccounts

* Fix proxy

* Fix tests

* Fix linting
2023-10-24 11:01:04 +02:00
linoman
359d84799e
auth: add serviceaccount proxy (#76815)
* Add proxy service template

* Replace SA srv with proxy for external SA srv

* Move service account prefix to a constant

* Prevent deletion from external service account

* Make SA validation a resusable function

* Add protection for creating service accounts

* Add protection when updating service accounts

* Add IsExternal field for service account

* Protect ext service account token generation

* Add verbose errors for form name or sa name

* add tests

* Add logs

* Adjusts tests

---------

Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2023-10-23 14:09:42 +02:00
linoman
e06f7251d7
Add prefix for external service accounts (#76794)
* Add prefix for external service accounts
2023-10-19 13:06:09 +02:00
Gabriel MABILLE
797a3c57af
Plugins: Automatic service account (and token) setup (#76473)
* Update cue to have an AuthProvider entry

* Cable the new auth provider

* Add feature flag check to the accesscontrol service

* Fix test

* Change the structure of externalServiceRegistration (#76673)
2023-10-17 16:21:23 +02:00
Gabriel MABILLE
700e6e3287
AuthN: Add service account token generation to ExtSvcAccountsService (#76327)
* Manage service account secrets

* Wip

* WIP

* WIP

* Revert to keep a light interface

* Implement SaveExternalService

* Remove unecessary functions from the interface

* Remove unused field

* Better log

* Leave ext svc credentials out of the extsvcauth package for now

* Remove todo

* Add tests to SaveExternalService

* Test that secret has been removed from store

* Lint

* Nit.

* Rename commands and structs

Co-authored-by: Kalle Persson <kalle.persson@grafana.com>

* Account for PR feedback

Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com>

* Linting

* Add nosec comment G101 - this is not a hardcoded secret

* Lowercase kvStoreType

---------

Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com>
2023-10-12 16:15:16 +02:00
Karl Persson
ea741dda6b
Signingkeys: Add local cache (#76234)
* IDForwarding: change audience to be prefixed by org and remove JTI

* IDForwarding: Construct new signer each time we want to sign a token.

* SigningKeys: Simplify storage layer and move logic to service

* SigningKeys: Add private key to local cache
2023-10-10 14:17:16 +02:00
Gabriel MABILLE
007c2c8131
AuthN: Extract from OAuthServer service account management code (#76128)
* Extract code to manage service accounts

* Add test with client credentials grants

* Fix test with the changed interface

* Wire

* Fix HandleTokenRequest

* Add tests to extsvcaccounts

* Rename Retrieve function

* Document the interface
2023-10-10 09:20:52 +02:00
Gabriel MABILLE
e902d8fd10
AuthN: New service to support multiple authentication providers for plugins (#75979)
* OnGoing

* Continue migrating structure

* Comment

* Add intermediary service

* Remove unused error so far

* no need for fmt use errors

* use RoleNone

* Docs

* Fix test

* Accounting for review feedback

* Rename oauthserver.ExternalService to OAuthClient

* Revert as the interface looks weird

* Update pluginintegration

* Rename oauthserver.ExternalService

* closer to what it was before
2023-10-05 18:13:06 +02:00
Gabriel MABILLE
193ec8de2b
AuthN: Move oauthserver to extsvcauth (#75972)
* AuthN: Move oauthserver to extsvcauth

* Codeowners
2023-10-04 16:53:17 +02:00