2024-09-05 17:52:30 +08:00
|
|
|
package resource
|
|
|
|
|
|
|
|
|
|
import (
|
2024-09-24 14:03:48 +08:00
|
|
|
"context"
|
2024-10-24 15:12:37 +08:00
|
|
|
"crypto/tls"
|
2024-09-24 14:03:48 +08:00
|
|
|
"fmt"
|
2024-10-24 15:12:37 +08:00
|
|
|
"net/http"
|
2024-09-24 14:03:48 +08:00
|
|
|
"time"
|
|
|
|
|
|
2024-09-05 17:52:30 +08:00
|
|
|
"github.com/fullstorydev/grpchan"
|
|
|
|
|
"github.com/fullstorydev/grpchan/inprocgrpc"
|
2024-09-24 14:03:48 +08:00
|
|
|
"github.com/go-jose/go-jose/v3"
|
|
|
|
|
"github.com/go-jose/go-jose/v3/jwt"
|
|
|
|
|
authnlib "github.com/grafana/authlib/authn"
|
|
|
|
|
"github.com/grafana/authlib/claims"
|
2024-09-05 17:52:30 +08:00
|
|
|
grpcAuth "github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/auth"
|
|
|
|
|
"google.golang.org/grpc"
|
|
|
|
|
|
2024-09-24 14:03:48 +08:00
|
|
|
"github.com/grafana/grafana/pkg/apimachinery/identity"
|
2024-10-28 20:35:30 +08:00
|
|
|
"github.com/grafana/grafana/pkg/infra/tracing"
|
2024-09-24 14:03:48 +08:00
|
|
|
"github.com/grafana/grafana/pkg/services/auth"
|
|
|
|
|
"github.com/grafana/grafana/pkg/services/authn/grpcutils"
|
2024-09-05 17:52:30 +08:00
|
|
|
grpcUtils "github.com/grafana/grafana/pkg/storage/unified/resource/grpc"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type ResourceClient interface {
|
|
|
|
|
ResourceStoreClient
|
|
|
|
|
ResourceIndexClient
|
2024-10-17 18:18:29 +08:00
|
|
|
BlobStoreClient
|
2024-09-05 17:52:30 +08:00
|
|
|
DiagnosticsClient
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Internal implementation
|
|
|
|
|
type resourceClient struct {
|
|
|
|
|
ResourceStoreClient
|
|
|
|
|
ResourceIndexClient
|
2024-10-17 18:18:29 +08:00
|
|
|
BlobStoreClient
|
2024-09-05 17:52:30 +08:00
|
|
|
DiagnosticsClient
|
|
|
|
|
}
|
|
|
|
|
|
2024-10-24 15:12:37 +08:00
|
|
|
func NewLegacyResourceClient(channel *grpc.ClientConn) ResourceClient {
|
2024-09-05 17:52:30 +08:00
|
|
|
cc := grpchan.InterceptClientConn(channel, grpcUtils.UnaryClientInterceptor, grpcUtils.StreamClientInterceptor)
|
|
|
|
|
return &resourceClient{
|
|
|
|
|
ResourceStoreClient: NewResourceStoreClient(cc),
|
|
|
|
|
ResourceIndexClient: NewResourceIndexClient(cc),
|
2024-10-17 18:18:29 +08:00
|
|
|
BlobStoreClient: NewBlobStoreClient(cc),
|
2024-09-05 17:52:30 +08:00
|
|
|
DiagnosticsClient: NewDiagnosticsClient(cc),
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func NewLocalResourceClient(server ResourceServer) ResourceClient {
|
2024-10-24 15:12:37 +08:00
|
|
|
// scenario: local in-proc
|
2024-09-05 17:52:30 +08:00
|
|
|
channel := &inprocgrpc.Channel{}
|
|
|
|
|
|
2024-09-24 14:03:48 +08:00
|
|
|
grpcAuthInt := grpcutils.NewInProcGrpcAuthenticator()
|
2024-09-19 22:16:48 +08:00
|
|
|
for _, desc := range []*grpc.ServiceDesc{
|
|
|
|
|
&ResourceStore_ServiceDesc,
|
|
|
|
|
&ResourceIndex_ServiceDesc,
|
2024-10-17 18:18:29 +08:00
|
|
|
&BlobStore_ServiceDesc,
|
2024-09-19 22:16:48 +08:00
|
|
|
&Diagnostics_ServiceDesc,
|
|
|
|
|
} {
|
|
|
|
|
channel.RegisterService(
|
|
|
|
|
grpchan.InterceptServer(
|
|
|
|
|
desc,
|
2024-09-24 14:03:48 +08:00
|
|
|
grpcAuth.UnaryServerInterceptor(grpcAuthInt.Authenticate),
|
|
|
|
|
grpcAuth.StreamServerInterceptor(grpcAuthInt.Authenticate),
|
2024-09-19 22:16:48 +08:00
|
|
|
),
|
|
|
|
|
server,
|
|
|
|
|
)
|
|
|
|
|
}
|
2024-09-05 17:52:30 +08:00
|
|
|
|
2024-09-24 14:03:48 +08:00
|
|
|
clientInt, _ := authnlib.NewGrpcClientInterceptor(
|
|
|
|
|
&authnlib.GrpcClientConfig{},
|
|
|
|
|
authnlib.WithDisableAccessTokenOption(),
|
|
|
|
|
authnlib.WithIDTokenExtractorOption(idTokenExtractor),
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
cc := grpchan.InterceptClientConn(channel, clientInt.UnaryClientInterceptor, clientInt.StreamClientInterceptor)
|
2024-09-05 17:52:30 +08:00
|
|
|
return &resourceClient{
|
|
|
|
|
ResourceStoreClient: NewResourceStoreClient(cc),
|
|
|
|
|
ResourceIndexClient: NewResourceIndexClient(cc),
|
2024-10-17 18:18:29 +08:00
|
|
|
BlobStoreClient: NewBlobStoreClient(cc),
|
2024-09-05 17:52:30 +08:00
|
|
|
DiagnosticsClient: NewDiagnosticsClient(cc),
|
|
|
|
|
}
|
|
|
|
|
}
|
2024-09-24 14:03:48 +08:00
|
|
|
|
2024-10-28 20:35:30 +08:00
|
|
|
func NewGRPCResourceClient(tracer tracing.Tracer, conn *grpc.ClientConn) (ResourceClient, error) {
|
2024-10-24 15:12:37 +08:00
|
|
|
// scenario: remote on-prem
|
|
|
|
|
clientInt, err := authnlib.NewGrpcClientInterceptor(
|
|
|
|
|
&authnlib.GrpcClientConfig{},
|
|
|
|
|
authnlib.WithDisableAccessTokenOption(),
|
|
|
|
|
authnlib.WithIDTokenExtractorOption(idTokenExtractor),
|
2024-10-28 20:35:30 +08:00
|
|
|
authnlib.WithTracerOption(tracer),
|
2024-10-24 15:12:37 +08:00
|
|
|
)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cc := grpchan.InterceptClientConn(conn, clientInt.UnaryClientInterceptor, clientInt.StreamClientInterceptor)
|
|
|
|
|
return &resourceClient{
|
|
|
|
|
ResourceStoreClient: NewResourceStoreClient(cc),
|
|
|
|
|
ResourceIndexClient: NewResourceIndexClient(cc),
|
|
|
|
|
DiagnosticsClient: NewDiagnosticsClient(cc),
|
|
|
|
|
}, nil
|
|
|
|
|
}
|
|
|
|
|
|
2024-10-28 20:35:30 +08:00
|
|
|
func NewCloudResourceClient(tracer tracing.Tracer, conn *grpc.ClientConn, cfg authnlib.GrpcClientConfig, allowInsecure bool) (ResourceClient, error) {
|
2024-10-24 15:12:37 +08:00
|
|
|
// scenario: remote cloud
|
|
|
|
|
opts := []authnlib.GrpcClientInterceptorOption{
|
|
|
|
|
authnlib.WithIDTokenExtractorOption(idTokenExtractor),
|
2024-10-28 20:35:30 +08:00
|
|
|
authnlib.WithTracerOption(tracer),
|
2024-10-24 15:12:37 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if allowInsecure {
|
|
|
|
|
opts = allowInsecureTransportOpt(&cfg, opts)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
clientInt, err := authnlib.NewGrpcClientInterceptor(&cfg, opts...)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cc := grpchan.InterceptClientConn(conn, clientInt.UnaryClientInterceptor, clientInt.StreamClientInterceptor)
|
|
|
|
|
return &resourceClient{
|
|
|
|
|
ResourceStoreClient: NewResourceStoreClient(cc),
|
|
|
|
|
ResourceIndexClient: NewResourceIndexClient(cc),
|
|
|
|
|
DiagnosticsClient: NewDiagnosticsClient(cc),
|
|
|
|
|
}, nil
|
|
|
|
|
}
|
|
|
|
|
|
2024-09-24 14:03:48 +08:00
|
|
|
func idTokenExtractor(ctx context.Context) (string, error) {
|
|
|
|
|
authInfo, ok := claims.From(ctx)
|
|
|
|
|
if !ok {
|
|
|
|
|
return "", fmt.Errorf("no claims found")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
extra := authInfo.GetExtra()
|
|
|
|
|
if token, exists := extra["id-token"]; exists && len(token) != 0 && token[0] != "" {
|
|
|
|
|
return token[0], nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// If no token is found, create an internal token.
|
|
|
|
|
// This is a workaround for StaticRequester not having a signed ID token.
|
|
|
|
|
if staticRequester, ok := authInfo.(*identity.StaticRequester); ok {
|
2024-12-03 22:11:17 +08:00
|
|
|
token, _, err := createInternalToken(staticRequester)
|
2024-09-24 14:03:48 +08:00
|
|
|
if err != nil {
|
|
|
|
|
return "", fmt.Errorf("failed to create internal token: %w", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
staticRequester.IDToken = token
|
|
|
|
|
return token, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return "", fmt.Errorf("id-token not found")
|
|
|
|
|
}
|
|
|
|
|
|
2024-10-24 15:12:37 +08:00
|
|
|
func allowInsecureTransportOpt(grpcClientConfig *authnlib.GrpcClientConfig, opts []authnlib.GrpcClientInterceptorOption) []authnlib.GrpcClientInterceptorOption {
|
|
|
|
|
client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}
|
|
|
|
|
tokenClient, _ := authnlib.NewTokenExchangeClient(*grpcClientConfig.TokenClientConfig, authnlib.WithHTTPClient(client))
|
|
|
|
|
return append(opts, authnlib.WithTokenClientOption(tokenClient))
|
|
|
|
|
}
|
|
|
|
|
|
2024-09-24 14:03:48 +08:00
|
|
|
// createInternalToken creates a symmetrically signed token for using in in-proc mode only.
|
|
|
|
|
func createInternalToken(authInfo claims.AuthInfo) (string, *authnlib.Claims[authnlib.IDTokenClaims], error) {
|
|
|
|
|
signerOpts := jose.SignerOptions{}
|
|
|
|
|
signerOpts.WithType("jwt") // Should be uppercase, but this is what authlib expects
|
|
|
|
|
signer, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.HS256, Key: []byte("internal key")}, &signerOpts)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
now := time.Now()
|
|
|
|
|
tokenTTL := 10 * time.Minute
|
|
|
|
|
idClaims := &auth.IDClaims{
|
2024-12-03 22:11:17 +08:00
|
|
|
Claims: jwt.Claims{
|
|
|
|
|
Audience: authInfo.GetAudience(),
|
|
|
|
|
Subject: authInfo.GetSubject(),
|
2024-09-24 14:03:48 +08:00
|
|
|
Expiry: jwt.NewNumericDate(now.Add(tokenTTL)),
|
|
|
|
|
IssuedAt: jwt.NewNumericDate(now),
|
|
|
|
|
},
|
|
|
|
|
Rest: authnlib.IDTokenClaims{
|
2024-12-03 22:11:17 +08:00
|
|
|
Namespace: authInfo.GetNamespace(),
|
|
|
|
|
Identifier: authInfo.GetIdentifier(),
|
|
|
|
|
Type: authInfo.GetIdentityType(),
|
2024-09-24 14:03:48 +08:00
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2024-12-03 22:11:17 +08:00
|
|
|
if claims.IsIdentityType(authInfo.GetIdentityType(), claims.TypeUser) {
|
|
|
|
|
idClaims.Rest.Email = authInfo.GetEmail()
|
|
|
|
|
idClaims.Rest.EmailVerified = authInfo.GetEmailVerified()
|
|
|
|
|
idClaims.Rest.AuthenticatedBy = authInfo.GetAuthenticatedBy()
|
|
|
|
|
idClaims.Rest.Username = authInfo.GetUsername()
|
|
|
|
|
idClaims.Rest.DisplayName = authInfo.GetName()
|
2024-09-24 14:03:48 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
builder := jwt.Signed(signer).Claims(&idClaims.Rest).Claims(idClaims.Claims)
|
|
|
|
|
token, err := builder.CompactSerialize()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return token, idClaims, nil
|
|
|
|
|
}
|
