grafana/pkg/services/auth/idimpl/service.go

package idimpl

import (
	"context"
	"fmt"
	"time"

	"github.com/go-jose/go-jose/v3/jwt"
	"github.com/prometheus/client_golang/prometheus"
	"golang.org/x/sync/singleflight"

	"github.com/grafana/grafana/pkg/infra/log"
	"github.com/grafana/grafana/pkg/infra/remotecache"
	"github.com/grafana/grafana/pkg/services/auth"
	"github.com/grafana/grafana/pkg/services/auth/identity"
	"github.com/grafana/grafana/pkg/services/authn"
	"github.com/grafana/grafana/pkg/services/featuremgmt"
	"github.com/grafana/grafana/pkg/setting"
)

const (
	cachePrefix = "id-token"
	tokenTTL    = 1 * time.Hour
	cacheTTL    = 58 * time.Minute
)

var _ auth.IDService = (*Service)(nil)

func ProvideService(
	cfg *setting.Cfg, signer auth.IDSigner, cache remotecache.CacheStorage,
	features featuremgmt.FeatureToggles, authnService authn.Service, reg prometheus.Registerer,
) *Service {
	s := &Service{cfg: cfg, logger: log.New("id-service"), signer: signer, cache: cache, metrics: newMetrics(reg)}

	if features.IsEnabledGlobally(featuremgmt.FlagIdForwarding) {
		authnService.RegisterPostAuthHook(s.hook, 140)
	}

	return s
}

type Service struct {
	cfg     *setting.Cfg
	logger  log.Logger
	signer  auth.IDSigner
	cache   remotecache.CacheStorage
	si      singleflight.Group
	metrics *metrics
}

func (s *Service) SignIdentity(ctx context.Context, id identity.Requester) (string, error) {
	defer func(t time.Time) {
		s.metrics.tokenSigningDurationHistogram.Observe(time.Since(t).Seconds())
	}(time.Now())

	cacheKey := prefixCacheKey(id.GetCacheKey())

	result, err, _ := s.si.Do(cacheKey, func() (interface{}, error) {
		namespace, identifier := id.GetNamespacedID()

		cachedToken, err := s.cache.Get(ctx, cacheKey)
		if err == nil {
			s.metrics.tokenSigningFromCacheCounter.Inc()
			s.logger.Debug("Cached token found", "namespace", namespace, "id", identifier)
			return string(cachedToken), nil
		}

		s.metrics.tokenSigningCounter.Inc()
		s.logger.Debug("Sign new id token", "namespace", namespace, "id", identifier)

		now := time.Now()
		token, err := s.signer.SignIDToken(ctx, &auth.IDClaims{
			Claims: jwt.Claims{
				Issuer:   s.cfg.AppURL,
				Audience: getAudience(id.GetOrgID()),
				Subject:  getSubject(namespace, identifier),
				Expiry:   jwt.NewNumericDate(now.Add(tokenTTL)),
				IssuedAt: jwt.NewNumericDate(now),
			},
		})

		if err != nil {
			s.metrics.failedTokenSigningCounter.Inc()
			return "", err
		}

		if err := s.cache.Set(ctx, cacheKey, []byte(token), cacheTTL); err != nil {
			s.logger.Error("Failed to add id token to cache", "error", err)
		}

		return token, nil
	})

	if err != nil {
		return "", err
	}

	return result.(string), nil
}

func (s *Service) hook(ctx context.Context, identity *authn.Identity, _ *authn.Request) error {
	// FIXME(kalleep): we should probably lazy load this
	token, err := s.SignIdentity(ctx, identity)
	if err != nil {
		namespace, id := identity.GetNamespacedID()
		s.logger.Error("Failed to sign id token", "err", err, "namespace", namespace, "id", id)
		// for now don't return error so we don't break authentication from this hook
		return nil
	}

	identity.IDToken = token
	return nil
}

func getAudience(orgID int64) jwt.Audience {
	return jwt.Audience{fmt.Sprintf("org:%d", orgID)}
}

func getSubject(namespace, identifier string) string {
	return fmt.Sprintf("%s:%s", namespace, identifier)
}

func prefixCacheKey(key string) string {
	return fmt.Sprintf("%s-%s", cachePrefix, key)
}
IDForwarding: Add service and a local signer (#75423) * IDForwarding: Add service for handling id token and create a local signer --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2023-09-27 17:36:23 +08:00			`package idimpl`

			`import (`
			`"context"`
			`"fmt"`
			`"time"`

			`"github.com/go-jose/go-jose/v3/jwt"`
IDForwarding: Use single flight for SignIdentity (#76530) * IDForwarding: Use single flight for SignIdentity * Update cache inside single flight call 2023-10-13 20:32:53 +08:00			`"github.com/prometheus/client_golang/prometheus"`
			`"golang.org/x/sync/singleflight"`

IDForwarding: Add service and a local signer (#75423) * IDForwarding: Add service for handling id token and create a local signer --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2023-09-27 17:36:23 +08:00			`"github.com/grafana/grafana/pkg/infra/log"`
			`"github.com/grafana/grafana/pkg/infra/remotecache"`
			`"github.com/grafana/grafana/pkg/services/auth"`
			`"github.com/grafana/grafana/pkg/services/auth/identity"`
IDForwarding: Add auth hook to generate id token (#75555) * AuthN: Move identity struct to its own file * IDForwarding: Add IDToken property to usr and identity structs and add GetIDToken to requester interface * Inject IDService into background services * IDForwarding: Register post auth hook when feature toggle is enabled 2023-09-28 15:22:05 +08:00			`"github.com/grafana/grafana/pkg/services/authn"`
			`"github.com/grafana/grafana/pkg/services/featuremgmt"`
IDForwarding: Add service and a local signer (#75423) * IDForwarding: Add service for handling id token and create a local signer --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2023-09-27 17:36:23 +08:00			`"github.com/grafana/grafana/pkg/setting"`
			`)`

			`const (`
			`cachePrefix = "id-token"`
			`tokenTTL = 1 * time.Hour`
			`cacheTTL = 58 * time.Minute`
			`)`

			`var _ auth.IDService = (*Service)(nil)`

IDForwarding: Add auth hook to generate id token (#75555) * AuthN: Move identity struct to its own file * IDForwarding: Add IDToken property to usr and identity structs and add GetIDToken to requester interface * Inject IDService into background services * IDForwarding: Register post auth hook when feature toggle is enabled 2023-09-28 15:22:05 +08:00			`func ProvideService(`
			`cfg *setting.Cfg, signer auth.IDSigner, cache remotecache.CacheStorage,`
IDForwarding: Add basic metrics (#75798) * IDService: Add basic metrics * IDService: Add more metrics --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> 2023-10-05 15:17:40 +08:00			`features featuremgmt.FeatureToggles, authnService authn.Service, reg prometheus.Registerer,`
IDForwarding: Add auth hook to generate id token (#75555) * AuthN: Move identity struct to its own file * IDForwarding: Add IDToken property to usr and identity structs and add GetIDToken to requester interface * Inject IDService into background services * IDForwarding: Register post auth hook when feature toggle is enabled 2023-09-28 15:22:05 +08:00			`) *Service {`
IDForwarding: Use single flight for SignIdentity (#76530) * IDForwarding: Use single flight for SignIdentity * Update cache inside single flight call 2023-10-13 20:32:53 +08:00			`s := &Service{cfg: cfg, logger: log.New("id-service"), signer: signer, cache: cache, metrics: newMetrics(reg)}`
IDForwarding: Add auth hook to generate id token (#75555) * AuthN: Move identity struct to its own file * IDForwarding: Add IDToken property to usr and identity structs and add GetIDToken to requester interface * Inject IDService into background services * IDForwarding: Register post auth hook when feature toggle is enabled 2023-09-28 15:22:05 +08:00
FeatureToggles: Add context and and an explicit global check (#78081) 2023-11-15 04:50:27 +08:00			`if features.IsEnabledGlobally(featuremgmt.FlagIdForwarding) {`
IDForwarding: Add auth hook to generate id token (#75555) * AuthN: Move identity struct to its own file * IDForwarding: Add IDToken property to usr and identity structs and add GetIDToken to requester interface * Inject IDService into background services * IDForwarding: Register post auth hook when feature toggle is enabled 2023-09-28 15:22:05 +08:00			`authnService.RegisterPostAuthHook(s.hook, 140)`
			`}`

			`return s`
IDForwarding: Add service and a local signer (#75423) * IDForwarding: Add service for handling id token and create a local signer --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2023-09-27 17:36:23 +08:00			`}`

			`type Service struct {`
IDForwarding: Add basic metrics (#75798) * IDService: Add basic metrics * IDService: Add more metrics --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> 2023-10-05 15:17:40 +08:00			`cfg *setting.Cfg`
			`logger log.Logger`
			`signer auth.IDSigner`
			`cache remotecache.CacheStorage`
IDForwarding: Use single flight for SignIdentity (#76530) * IDForwarding: Use single flight for SignIdentity * Update cache inside single flight call 2023-10-13 20:32:53 +08:00			`si singleflight.Group`
IDForwarding: Add basic metrics (#75798) * IDService: Add basic metrics * IDService: Add more metrics --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> 2023-10-05 15:17:40 +08:00			`metrics *metrics`
IDForwarding: Add service and a local signer (#75423) * IDForwarding: Add service for handling id token and create a local signer --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2023-09-27 17:36:23 +08:00			`}`

			`func (s *Service) SignIdentity(ctx context.Context, id identity.Requester) (string, error) {`
IDForwarding: Add basic metrics (#75798) * IDService: Add basic metrics * IDService: Add more metrics --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> 2023-10-05 15:17:40 +08:00			`defer func(t time.Time) {`
			`s.metrics.tokenSigningDurationHistogram.Observe(time.Since(t).Seconds())`
			`}(time.Now())`

IDForwarding: Add service and a local signer (#75423) * IDForwarding: Add service for handling id token and create a local signer --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2023-09-27 17:36:23 +08:00			`cacheKey := prefixCacheKey(id.GetCacheKey())`

IDForwarding: Use single flight for SignIdentity (#76530) * IDForwarding: Use single flight for SignIdentity * Update cache inside single flight call 2023-10-13 20:32:53 +08:00			`result, err, _ := s.si.Do(cacheKey, func() (interface{}, error) {`
			`namespace, identifier := id.GetNamespacedID()`

			`cachedToken, err := s.cache.Get(ctx, cacheKey)`
			`if err == nil {`
			`s.metrics.tokenSigningFromCacheCounter.Inc()`
			`s.logger.Debug("Cached token found", "namespace", namespace, "id", identifier)`
			`return string(cachedToken), nil`
			`}`

			`s.metrics.tokenSigningCounter.Inc()`
			`s.logger.Debug("Sign new id token", "namespace", namespace, "id", identifier)`

			`now := time.Now()`
			`token, err := s.signer.SignIDToken(ctx, &auth.IDClaims{`
			`Claims: jwt.Claims{`
			`Issuer: s.cfg.AppURL,`
			`Audience: getAudience(id.GetOrgID()),`
			`Subject: getSubject(namespace, identifier),`
			`Expiry: jwt.NewNumericDate(now.Add(tokenTTL)),`
			`IssuedAt: jwt.NewNumericDate(now),`
			`},`
			`})`

			`if err != nil {`
			`s.metrics.failedTokenSigningCounter.Inc()`
			`return "", err`
			`}`

			`if err := s.cache.Set(ctx, cacheKey, []byte(token), cacheTTL); err != nil {`
			`s.logger.Error("Failed to add id token to cache", "error", err)`
			`}`

			`return token, nil`
IDForwarding: Add service and a local signer (#75423) * IDForwarding: Add service for handling id token and create a local signer --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2023-09-27 17:36:23 +08:00			`})`

			`if err != nil {`
			`return "", err`
			`}`

IDForwarding: Use single flight for SignIdentity (#76530) * IDForwarding: Use single flight for SignIdentity * Update cache inside single flight call 2023-10-13 20:32:53 +08:00			`return result.(string), nil`
IDForwarding: Add service and a local signer (#75423) * IDForwarding: Add service for handling id token and create a local signer --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2023-09-27 17:36:23 +08:00			`}`

IDForwarding: Add auth hook to generate id token (#75555) * AuthN: Move identity struct to its own file * IDForwarding: Add IDToken property to usr and identity structs and add GetIDToken to requester interface * Inject IDService into background services * IDForwarding: Register post auth hook when feature toggle is enabled 2023-09-28 15:22:05 +08:00			`func (s Service) hook(ctx context.Context, identity authn.Identity, _ *authn.Request) error {`
			`// FIXME(kalleep): we should probably lazy load this`
AuthN: Implement requester interface for identity (#75618) * AuthN: Implement identity.Requester interface for authn.Identity * AuthN: Replace OrgRole with GetOrgRole * IDForwarding: skip converting to SignedInUser * Pass identity directly in permission sync hook 2023-09-28 22:37:32 +08:00			`token, err := s.SignIdentity(ctx, identity)`
IDForwarding: Add auth hook to generate id token (#75555) * AuthN: Move identity struct to its own file * IDForwarding: Add IDToken property to usr and identity structs and add GetIDToken to requester interface * Inject IDService into background services * IDForwarding: Register post auth hook when feature toggle is enabled 2023-09-28 15:22:05 +08:00			`if err != nil {`
Chore: Cleanup namespace and ID resolution (#79360) * Chore: Cleanup namespace ID resolution * Check for negative userID when relevant * Reuse existing function for parsing ID as int * Fix imports 2023-12-22 03:42:05 +08:00			`namespace, id := identity.GetNamespacedID()`
IDForwarding: Add auth hook to generate id token (#75555) * AuthN: Move identity struct to its own file * IDForwarding: Add IDToken property to usr and identity structs and add GetIDToken to requester interface * Inject IDService into background services * IDForwarding: Register post auth hook when feature toggle is enabled 2023-09-28 15:22:05 +08:00			`s.logger.Error("Failed to sign id token", "err", err, "namespace", namespace, "id", id)`
			`// for now don't return error so we don't break authentication from this hook`
			`return nil`
			`}`

			`identity.IDToken = token`
			`return nil`
			`}`

Signingkeys: Add local cache (#76234) * IDForwarding: change audience to be prefixed by org and remove JTI * IDForwarding: Construct new signer each time we want to sign a token. * SigningKeys: Simplify storage layer and move logic to service * SigningKeys: Add private key to local cache 2023-10-10 20:17:16 +08:00			`func getAudience(orgID int64) jwt.Audience {`
			`return jwt.Audience{fmt.Sprintf("org:%d", orgID)}`
			`}`

			`func getSubject(namespace, identifier string) string {`
			`return fmt.Sprintf("%s:%s", namespace, identifier)`
			`}`

IDForwarding: Add service and a local signer (#75423) * IDForwarding: Add service for handling id token and create a local signer --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2023-09-27 17:36:23 +08:00			`func prefixCacheKey(key string) string {`
			`return fmt.Sprintf("%s-%s", cachePrefix, key)`
			`}`