package idimpl
import (
"context"
"testing"
"github.com/go-jose/go-jose/v3"
"github.com/go-jose/go-jose/v3/jwt"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
claims "github.com/grafana/authlib/types"
"github.com/grafana/grafana/pkg/infra/remotecache"
"github.com/grafana/grafana/pkg/infra/tracing"
"github.com/grafana/grafana/pkg/services/auth"
"github.com/grafana/grafana/pkg/services/auth/idtest"
"github.com/grafana/grafana/pkg/services/authn"
"github.com/grafana/grafana/pkg/services/authn/authntest"
"github.com/grafana/grafana/pkg/services/login"
"github.com/grafana/grafana/pkg/services/org"
"github.com/grafana/grafana/pkg/setting"
)
// Test_ProvideService checks that constructing the service registers a
// post-auth hook on the authn service it is handed.
func Test_ProvideService(t *testing.T) {
	t.Run("should register post auth hook", func(t *testing.T) {
		registered := false
		authnService := &authntest.MockService{
			RegisterPostAuthHookFunc: func(_ authn.PostAuthHookFn, _ uint) {
				registered = true
			},
		}

		// Every dependency other than the authn service and tracer is passed as
		// nil; only hook registration is under test here.
		_ = ProvideService(setting.NewCfg(), nil, nil, authnService, nil, tracing.InitializeTracerForTest())

		assert.True(t, registered)
	})
}
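// TestService_SignIdentity exercises SignIdentity with a fake HS256 signer so
// the returned tokens can be parsed and their claims checked. The last subtest
// also checks that the same identity yields the same token until its org role
// changes.
func TestService_SignIdentity(t *testing.T) {
	// Symmetric key used by the fake signer. The subtest that parses the token
	// verifies its signature with the same key instead of reading the claims
	// unverified.
	key := []byte("key")

	signer := &idtest.FakeSigner{
		// The parameter is named idClaims rather than claims so it does not
		// shadow the `claims` import alias used by the subtests below.
		SignIDTokenFn: func(_ context.Context, idClaims *auth.IDClaims) (string, error) {
			sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.HS256, Key: key}, nil)
			require.NoError(t, err)

			token, err := jwt.Signed(sig).Claims(idClaims.Claims).Claims(idClaims.Rest).CompactSerialize()
			require.NoError(t, err)

			return token, nil
		},
	}

	t.Run("should sign identity", func(t *testing.T) {
		s := ProvideService(
			setting.NewCfg(), signer, remotecache.NewFakeCacheStorage(),
			&authntest.FakeService{}, nil, tracing.InitializeTracerForTest(),
		)
		token, _, err := s.SignIdentity(context.Background(), &authn.Identity{ID: "1", Type: claims.TypeUser})
		require.NoError(t, err)
		require.NotEmpty(t, token)
	})

	t.Run("should sign identity with authenticated by if user is externally authenticated", func(t *testing.T) {
		s := ProvideService(
			setting.NewCfg(), signer, remotecache.NewFakeCacheStorage(),
			&authntest.FakeService{}, nil, tracing.InitializeTracerForTest(),
		)
		token, _, err := s.SignIdentity(context.Background(), &authn.Identity{
			ID:              "1",
			Type:            claims.TypeUser,
			AuthenticatedBy: login.AzureADAuthModule,
			Login:           "U1",
			UID:             "edpu3nnt61se8e",
		})
		require.NoError(t, err)

		parsed, err := jwt.ParseSigned(token)
		require.NoError(t, err)

		// Check the signature with the signer's key before asserting on the
		// claims, so a token that does not verify fails the test.
		gotClaims := &auth.IDClaims{}
		require.NoError(t, parsed.Claims(key, &gotClaims.Claims, &gotClaims.Rest))
		assert.Equal(t, login.AzureADAuthModule, gotClaims.Rest.AuthenticatedBy)
		assert.Equal(t, "U1", gotClaims.Rest.Username)
		assert.Equal(t, claims.TypeUser, gotClaims.Rest.Type)
		assert.Equal(t, "edpu3nnt61se8e", gotClaims.Rest.Identifier)
	})

	// Previously this subtest carried the same name as the one above; it checks
	// the claims returned by SignIdentity rather than those inside the token.
	t.Run("should return claims matching the signed identity", func(t *testing.T) {
		s := ProvideService(
			setting.NewCfg(), signer, remotecache.NewFakeCacheStorage(),
			&authntest.FakeService{}, nil, tracing.InitializeTracerForTest(),
		)
		_, gotClaims, err := s.SignIdentity(context.Background(), &authn.Identity{
			ID:              "1",
			Type:            claims.TypeUser,
			AuthenticatedBy: login.AzureADAuthModule,
			Login:           "U1",
			UID:             "edpu3nnt61se8e",
		})
		require.NoError(t, err)

		assert.Equal(t, login.AzureADAuthModule, gotClaims.Rest.AuthenticatedBy)
		assert.Equal(t, "U1", gotClaims.Rest.Username)
		assert.Equal(t, claims.TypeUser, gotClaims.Rest.Type)
		assert.Equal(t, "edpu3nnt61se8e", gotClaims.Rest.Identifier)
	})

	t.Run("should sign new token if org role has changed", func(t *testing.T) {
		s := ProvideService(
			setting.NewCfg(), signer, remotecache.NewFakeCacheStorage(),
			&authntest.FakeService{}, nil, tracing.InitializeTracerForTest(),
		)

		ident := &authn.Identity{
			ID:              "1",
			Type:            claims.TypeUser,
			AuthenticatedBy: login.AzureADAuthModule,
			Login:           "U1",
			UID:             "edpu3nnt61se8e",
			OrgID:           1,
			OrgRoles:        map[int64]org.RoleType{1: org.RoleAdmin},
		}

		first, _, err := s.SignIdentity(context.Background(), ident)
		require.NoError(t, err)

		// Signing the unchanged identity again must hand back the same token.
		second, _, err := s.SignIdentity(context.Background(), ident)
		require.NoError(t, err)
		assert.Equal(t, first, second)

		// A role change for the current org must invalidate the earlier token.
		ident.OrgRoles[1] = org.RoleEditor
		third, _, err := s.SignIdentity(context.Background(), ident)
		require.NoError(t, err)
		assert.NotEqual(t, first, third)
	})
}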