mirror of
https://github.com/grafana/grafana.git
synced 2025-02-25 18:55:37 -06:00
72db9739c7
* UserAuth: clean-up auth entries on update * Update pkg/services/login/authinfoservice/database/database.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
313 lines
8.5 KiB
Go
313 lines
8.5 KiB
Go
package database
|
|
|
|
import (
|
|
"context"
|
|
"encoding/base64"
|
|
"time"
|
|
|
|
"github.com/grafana/grafana/pkg/infra/db"
|
|
"github.com/grafana/grafana/pkg/infra/log"
|
|
"github.com/grafana/grafana/pkg/services/login"
|
|
"github.com/grafana/grafana/pkg/services/secrets"
|
|
"github.com/grafana/grafana/pkg/services/user"
|
|
)
|
|
|
|
var GetTime = time.Now
|
|
|
|
type AuthInfoStore struct {
|
|
sqlStore db.DB
|
|
secretsService secrets.Service
|
|
logger log.Logger
|
|
userService user.Service
|
|
}
|
|
|
|
func ProvideAuthInfoStore(sqlStore db.DB, secretsService secrets.Service, userService user.Service) login.Store {
|
|
store := &AuthInfoStore{
|
|
sqlStore: sqlStore,
|
|
secretsService: secretsService,
|
|
logger: log.New("login.authinfo.store"),
|
|
userService: userService,
|
|
}
|
|
// FIXME: disabled the metric collection for duplicate user entries
|
|
// due to query performance issues that is clogging the users Grafana instance
|
|
// InitDuplicateUserMetrics()
|
|
return store
|
|
}
|
|
|
|
// GetAuthInfo returns the auth info for a user
|
|
// It will return the latest auth info for a user
|
|
func (s *AuthInfoStore) GetAuthInfo(ctx context.Context, query *login.GetAuthInfoQuery) (*login.UserAuth, error) {
|
|
if query.UserId == 0 && query.AuthId == "" {
|
|
return nil, user.ErrUserNotFound
|
|
}
|
|
|
|
userAuth := &login.UserAuth{
|
|
UserId: query.UserId,
|
|
AuthModule: query.AuthModule,
|
|
AuthId: query.AuthId,
|
|
}
|
|
|
|
var has bool
|
|
var err error
|
|
|
|
err = s.sqlStore.WithDbSession(ctx, func(sess *db.Session) error {
|
|
has, err = sess.Desc("created").Get(userAuth)
|
|
return err
|
|
})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if !has {
|
|
return nil, user.ErrUserNotFound
|
|
}
|
|
|
|
secretAccessToken, err := s.decodeAndDecrypt(userAuth.OAuthAccessToken)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
secretRefreshToken, err := s.decodeAndDecrypt(userAuth.OAuthRefreshToken)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
secretTokenType, err := s.decodeAndDecrypt(userAuth.OAuthTokenType)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
secretIdToken, err := s.decodeAndDecrypt(userAuth.OAuthIdToken)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
userAuth.OAuthAccessToken = secretAccessToken
|
|
userAuth.OAuthRefreshToken = secretRefreshToken
|
|
userAuth.OAuthTokenType = secretTokenType
|
|
userAuth.OAuthIdToken = secretIdToken
|
|
|
|
return userAuth, nil
|
|
}
|
|
|
|
func (s *AuthInfoStore) GetUserLabels(ctx context.Context, query login.GetUserLabelsQuery) (map[int64]string, error) {
|
|
userAuths := []login.UserAuth{}
|
|
params := make([]interface{}, 0, len(query.UserIDs))
|
|
for _, id := range query.UserIDs {
|
|
params = append(params, id)
|
|
}
|
|
|
|
err := s.sqlStore.WithDbSession(ctx, func(sess *db.Session) error {
|
|
return sess.Table("user_auth").In("user_id", params).OrderBy("created").Find(&userAuths)
|
|
})
|
|
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
labelMap := make(map[int64]string, len(userAuths))
|
|
|
|
for i := range userAuths {
|
|
labelMap[userAuths[i].UserId] = userAuths[i].AuthModule
|
|
}
|
|
|
|
return labelMap, nil
|
|
}
|
|
|
|
func (s *AuthInfoStore) SetAuthInfo(ctx context.Context, cmd *login.SetAuthInfoCommand) error {
|
|
authUser := &login.UserAuth{
|
|
UserId: cmd.UserId,
|
|
AuthModule: cmd.AuthModule,
|
|
AuthId: cmd.AuthId,
|
|
Created: GetTime(),
|
|
}
|
|
|
|
if cmd.OAuthToken != nil {
|
|
secretAccessToken, err := s.encryptAndEncode(cmd.OAuthToken.AccessToken)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
secretRefreshToken, err := s.encryptAndEncode(cmd.OAuthToken.RefreshToken)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
secretTokenType, err := s.encryptAndEncode(cmd.OAuthToken.TokenType)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
var secretIdToken string
|
|
if idToken, ok := cmd.OAuthToken.Extra("id_token").(string); ok && idToken != "" {
|
|
secretIdToken, err = s.encryptAndEncode(idToken)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
authUser.OAuthAccessToken = secretAccessToken
|
|
authUser.OAuthRefreshToken = secretRefreshToken
|
|
authUser.OAuthTokenType = secretTokenType
|
|
authUser.OAuthIdToken = secretIdToken
|
|
authUser.OAuthExpiry = cmd.OAuthToken.Expiry
|
|
}
|
|
|
|
return s.sqlStore.WithTransactionalDbSession(ctx, func(sess *db.Session) error {
|
|
_, err := sess.Insert(authUser)
|
|
return err
|
|
})
|
|
}
|
|
|
|
// UpdateAuthInfoDate updates the auth info for the user with the latest date.
|
|
// Avoids overlapping entries hiding the last used one (ex: LDAP->SAML->LDAP).
|
|
func (s *AuthInfoStore) UpdateAuthInfoDate(ctx context.Context, authInfo *login.UserAuth) error {
|
|
authInfo.Created = GetTime()
|
|
|
|
cond := &login.UserAuth{
|
|
Id: authInfo.Id,
|
|
UserId: authInfo.UserId,
|
|
AuthModule: authInfo.AuthModule,
|
|
}
|
|
return s.sqlStore.WithTransactionalDbSession(ctx, func(sess *db.Session) error {
|
|
_, err := sess.Cols("created").Update(authInfo, cond)
|
|
|
|
return err
|
|
})
|
|
}
|
|
|
|
func (s *AuthInfoStore) UpdateAuthInfo(ctx context.Context, cmd *login.UpdateAuthInfoCommand) error {
|
|
authUser := &login.UserAuth{
|
|
UserId: cmd.UserId,
|
|
AuthModule: cmd.AuthModule,
|
|
AuthId: cmd.AuthId,
|
|
Created: GetTime(),
|
|
}
|
|
|
|
if cmd.OAuthToken != nil {
|
|
secretAccessToken, err := s.encryptAndEncode(cmd.OAuthToken.AccessToken)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
secretRefreshToken, err := s.encryptAndEncode(cmd.OAuthToken.RefreshToken)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
secretTokenType, err := s.encryptAndEncode(cmd.OAuthToken.TokenType)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
var secretIdToken string
|
|
if idToken, ok := cmd.OAuthToken.Extra("id_token").(string); ok && idToken != "" {
|
|
secretIdToken, err = s.encryptAndEncode(idToken)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
authUser.OAuthAccessToken = secretAccessToken
|
|
authUser.OAuthRefreshToken = secretRefreshToken
|
|
authUser.OAuthTokenType = secretTokenType
|
|
authUser.OAuthIdToken = secretIdToken
|
|
authUser.OAuthExpiry = cmd.OAuthToken.Expiry
|
|
}
|
|
|
|
return s.sqlStore.WithTransactionalDbSession(ctx, func(sess *db.Session) error {
|
|
upd, err := sess.MustCols("o_auth_expiry").Where("user_id = ? AND auth_module = ?", cmd.UserId, cmd.AuthModule).Update(authUser)
|
|
|
|
s.logger.Debug("Updated user_auth", "user_id", cmd.UserId, "auth_id", cmd.AuthId, "auth_module", cmd.AuthModule, "rows", upd)
|
|
|
|
// Clean up duplicated entries
|
|
if upd > 1 {
|
|
var id int64
|
|
ok, err := sess.SQL(
|
|
"SELECT id FROM user_auth WHERE user_id = ? AND auth_module = ? AND auth_id = ?",
|
|
cmd.UserId, cmd.AuthModule, cmd.AuthId,
|
|
).Get(&id)
|
|
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if !ok {
|
|
return nil
|
|
}
|
|
|
|
_, err = sess.Exec(
|
|
"DELETE FROM user_auth WHERE user_id = ? AND auth_module = ? AND auth_id = ? AND id != ?",
|
|
cmd.UserId, cmd.AuthModule, cmd.AuthId, id,
|
|
)
|
|
return err
|
|
}
|
|
|
|
return err
|
|
})
|
|
}
|
|
|
|
func (s *AuthInfoStore) DeleteAuthInfo(ctx context.Context, cmd *login.DeleteAuthInfoCommand) error {
|
|
return s.sqlStore.WithTransactionalDbSession(ctx, func(sess *db.Session) error {
|
|
_, err := sess.Delete(cmd.UserAuth)
|
|
return err
|
|
})
|
|
}
|
|
|
|
func (s *AuthInfoStore) DeleteUserAuthInfo(ctx context.Context, userID int64) error {
|
|
return s.sqlStore.WithDbSession(ctx, func(sess *db.Session) error {
|
|
var rawSQL = "DELETE FROM user_auth WHERE user_id = ?"
|
|
_, err := sess.Exec(rawSQL, userID)
|
|
return err
|
|
})
|
|
}
|
|
|
|
func (s *AuthInfoStore) GetUserById(ctx context.Context, id int64) (*user.User, error) {
|
|
query := user.GetUserByIDQuery{ID: id}
|
|
user, err := s.userService.GetByID(ctx, &query)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return user, nil
|
|
}
|
|
|
|
func (s *AuthInfoStore) GetUserByLogin(ctx context.Context, login string) (*user.User, error) {
|
|
query := user.GetUserByLoginQuery{LoginOrEmail: login}
|
|
usr, err := s.userService.GetByLogin(ctx, &query)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return usr, nil
|
|
}
|
|
|
|
func (s *AuthInfoStore) GetUserByEmail(ctx context.Context, email string) (*user.User, error) {
|
|
query := user.GetUserByEmailQuery{Email: email}
|
|
usr, err := s.userService.GetByEmail(ctx, &query)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return usr, nil
|
|
}
|
|
|
|
// decodeAndDecrypt will decode the string with the standard base64 decoder and then decrypt it
|
|
func (s *AuthInfoStore) decodeAndDecrypt(str string) (string, error) {
|
|
// Bail out if empty string since it'll cause a segfault in Decrypt
|
|
if str == "" {
|
|
return "", nil
|
|
}
|
|
decoded, err := base64.StdEncoding.DecodeString(str)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
decrypted, err := s.secretsService.Decrypt(context.Background(), decoded)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
return string(decrypted), nil
|
|
}
|
|
|
|
// encryptAndEncode will encrypt a string with grafana's secretKey, and
|
|
// then encode it with the standard bas64 encoder
|
|
func (s *AuthInfoStore) encryptAndEncode(str string) (string, error) {
|
|
encrypted, err := s.secretsService.Encrypt(context.Background(), []byte(str), secrets.WithoutScope())
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
return base64.StdEncoding.EncodeToString(encrypted), nil
|
|
}
|