mirror of
https://github.com/grafana/grafana.git
synced 2025-02-25 18:55:37 -06:00
722c414fef
* Encryption: Add support to encrypt/decrypt sjd * Add datasources.Service as a proxy to datasources db operations * Encrypt ds.SecureJsonData before calling SQLStore * Move ds cache code into ds service * Fix tlsmanager tests * Fix pluginproxy tests * Remove some securejsondata.GetEncryptedJsonData usages * Add pluginsettings.Service as a proxy for plugin settings db operations * Add AlertNotificationService as a proxy for alert notification db operations * Remove some securejsondata.GetEncryptedJsonData usages * Remove more securejsondata.GetEncryptedJsonData usages * Fix lint errors * Minor fixes * Remove encryption global functions usages from ngalert * Fix lint errors * Minor fixes * Minor fixes * Remove securejsondata.DecryptedValue usage * Refactor the refactor * Remove securejsondata.DecryptedValue usage * Move securejsondata to migrations package * Move securejsondata to migrations package * Minor fix * Fix integration test * Fix integration tests * Undo undesired changes * Fix tests * Add context.Context into encryption methods * Fix tests * Fix tests * Fix tests * Trigger CI * Fix test * Add names to params of encryption service interface * Remove bus from CacheServiceImpl * Add logging * Add keys to logger Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Add missing key to logger Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Undo changes in markdown files * Fix formatting * Add context to secrets service * Rename decryptSecureJsonData to decryptSecureJsonDataFn * Name args in GetDecryptedValueFn * Add template back to NewAlertmanagerNotifier * Copy GetDecryptedValueFn to ngalert * Add logging to pluginsettings * Fix pluginsettings test Co-authored-by: Tania B <yalyna.ts@gmail.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
188 lines
5.1 KiB
Go
188 lines
5.1 KiB
Go
package authinfoservice
|
|
|
|
import (
|
|
"context"
|
|
"encoding/base64"
|
|
"time"
|
|
|
|
"github.com/grafana/grafana/pkg/services/sqlstore"
|
|
|
|
"github.com/grafana/grafana/pkg/models"
|
|
"github.com/grafana/grafana/pkg/setting"
|
|
)
|
|
|
|
var getTime = time.Now
|
|
|
|
func (s *Implementation) GetExternalUserInfoByLogin(query *models.GetExternalUserInfoByLoginQuery) error {
|
|
userQuery := models.GetUserByLoginQuery{LoginOrEmail: query.LoginOrEmail}
|
|
err := s.Bus.Dispatch(&userQuery)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
authInfoQuery := &models.GetAuthInfoQuery{UserId: userQuery.Result.Id}
|
|
if err := s.Bus.Dispatch(authInfoQuery); err != nil {
|
|
return err
|
|
}
|
|
|
|
query.Result = &models.ExternalUserInfo{
|
|
UserId: userQuery.Result.Id,
|
|
Login: userQuery.Result.Login,
|
|
Email: userQuery.Result.Email,
|
|
Name: userQuery.Result.Name,
|
|
IsDisabled: userQuery.Result.IsDisabled,
|
|
AuthModule: authInfoQuery.Result.AuthModule,
|
|
AuthId: authInfoQuery.Result.AuthId,
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (s *Implementation) GetAuthInfo(query *models.GetAuthInfoQuery) error {
|
|
userAuth := &models.UserAuth{
|
|
UserId: query.UserId,
|
|
AuthModule: query.AuthModule,
|
|
AuthId: query.AuthId,
|
|
}
|
|
|
|
var has bool
|
|
var err error
|
|
|
|
err = s.SQLStore.WithDbSession(context.Background(), func(sess *sqlstore.DBSession) error {
|
|
has, err = sess.Desc("created").Get(userAuth)
|
|
return err
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if !has {
|
|
return models.ErrUserNotFound
|
|
}
|
|
|
|
secretAccessToken, err := s.decodeAndDecrypt(userAuth.OAuthAccessToken)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
secretRefreshToken, err := s.decodeAndDecrypt(userAuth.OAuthRefreshToken)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
secretTokenType, err := s.decodeAndDecrypt(userAuth.OAuthTokenType)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
userAuth.OAuthAccessToken = secretAccessToken
|
|
userAuth.OAuthRefreshToken = secretRefreshToken
|
|
userAuth.OAuthTokenType = secretTokenType
|
|
|
|
query.Result = userAuth
|
|
return nil
|
|
}
|
|
|
|
func (s *Implementation) SetAuthInfo(cmd *models.SetAuthInfoCommand) error {
|
|
return s.SQLStore.WithTransactionalDbSession(context.Background(), func(sess *sqlstore.DBSession) error {
|
|
authUser := &models.UserAuth{
|
|
UserId: cmd.UserId,
|
|
AuthModule: cmd.AuthModule,
|
|
AuthId: cmd.AuthId,
|
|
Created: getTime(),
|
|
}
|
|
|
|
if cmd.OAuthToken != nil {
|
|
secretAccessToken, err := s.encryptAndEncode(cmd.OAuthToken.AccessToken)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
secretRefreshToken, err := s.encryptAndEncode(cmd.OAuthToken.RefreshToken)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
secretTokenType, err := s.encryptAndEncode(cmd.OAuthToken.TokenType)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
authUser.OAuthAccessToken = secretAccessToken
|
|
authUser.OAuthRefreshToken = secretRefreshToken
|
|
authUser.OAuthTokenType = secretTokenType
|
|
authUser.OAuthExpiry = cmd.OAuthToken.Expiry
|
|
}
|
|
|
|
_, err := sess.Insert(authUser)
|
|
return err
|
|
})
|
|
}
|
|
|
|
func (s *Implementation) UpdateAuthInfo(cmd *models.UpdateAuthInfoCommand) error {
|
|
return s.SQLStore.WithTransactionalDbSession(context.Background(), func(sess *sqlstore.DBSession) error {
|
|
authUser := &models.UserAuth{
|
|
UserId: cmd.UserId,
|
|
AuthModule: cmd.AuthModule,
|
|
AuthId: cmd.AuthId,
|
|
Created: getTime(),
|
|
}
|
|
|
|
if cmd.OAuthToken != nil {
|
|
secretAccessToken, err := s.encryptAndEncode(cmd.OAuthToken.AccessToken)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
secretRefreshToken, err := s.encryptAndEncode(cmd.OAuthToken.RefreshToken)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
secretTokenType, err := s.encryptAndEncode(cmd.OAuthToken.TokenType)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
authUser.OAuthAccessToken = secretAccessToken
|
|
authUser.OAuthRefreshToken = secretRefreshToken
|
|
authUser.OAuthTokenType = secretTokenType
|
|
authUser.OAuthExpiry = cmd.OAuthToken.Expiry
|
|
}
|
|
|
|
cond := &models.UserAuth{
|
|
UserId: cmd.UserId,
|
|
AuthModule: cmd.AuthModule,
|
|
}
|
|
upd, err := sess.Update(authUser, cond)
|
|
s.logger.Debug("Updated user_auth", "user_id", cmd.UserId, "auth_module", cmd.AuthModule, "rows", upd)
|
|
return err
|
|
})
|
|
}
|
|
|
|
func (s *Implementation) DeleteAuthInfo(cmd *models.DeleteAuthInfoCommand) error {
|
|
return s.SQLStore.WithTransactionalDbSession(context.Background(), func(sess *sqlstore.DBSession) error {
|
|
_, err := sess.Delete(cmd.UserAuth)
|
|
return err
|
|
})
|
|
}
|
|
|
|
// decodeAndDecrypt will decode the string with the standard base64 decoder and then decrypt it
|
|
func (s *Implementation) decodeAndDecrypt(str string) (string, error) {
|
|
// Bail out if empty string since it'll cause a segfault in util.Decrypt
|
|
if str == "" {
|
|
return "", nil
|
|
}
|
|
decoded, err := base64.StdEncoding.DecodeString(str)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
decrypted, err := s.EncryptionService.Decrypt(context.Background(), decoded, setting.SecretKey)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
return string(decrypted), nil
|
|
}
|
|
|
|
// encryptAndEncode will encrypt a string with grafana's secretKey, and
|
|
// then encode it with the standard bas64 encoder
|
|
func (s *Implementation) encryptAndEncode(str string) (string, error) {
|
|
encrypted, err := s.EncryptionService.Encrypt(context.Background(), []byte(str), setting.SecretKey)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
return base64.StdEncoding.EncodeToString(encrypted), nil
|
|
}
|