grafana/pkg/services/authn/clients/render.go

package clients

import (
	"context"
	"time"

	"github.com/grafana/authlib/claims"
	"github.com/grafana/grafana/pkg/apimachinery/errutil"
	"github.com/grafana/grafana/pkg/apimachinery/identity"
	"github.com/grafana/grafana/pkg/services/authn"
	"github.com/grafana/grafana/pkg/services/login"
	"github.com/grafana/grafana/pkg/services/org"
	"github.com/grafana/grafana/pkg/services/rendering"
)

var (
	errInvalidRenderKey = errutil.Unauthorized("render-auth.invalid-key", errutil.WithPublicMessage("Invalid Render Key"))
)

const (
	renderCookieName = "renderKey"
)

var _ authn.ContextAwareClient = new(Render)

func ProvideRender(renderService rendering.Service) *Render {
	return &Render{renderService}
}

type Render struct {
	renderService rendering.Service
}

func (c *Render) Name() string {
	return authn.ClientRender
}

func (c *Render) Authenticate(ctx context.Context, r *authn.Request) (*authn.Identity, error) {
	key := getRenderKey(r)
	renderUsr, ok := c.renderService.GetRenderUser(ctx, key)
	if !ok {
		return nil, errInvalidRenderKey.Errorf("found no render user for key: %s", key)
	}

	if renderUsr.UserID <= 0 {
		return &authn.Identity{
			ID:              identity.NewTypedID(claims.TypeRenderService, 0),
			OrgID:           renderUsr.OrgID,
			OrgRoles:        map[int64]org.RoleType{renderUsr.OrgID: org.RoleType(renderUsr.OrgRole)},
			ClientParams:    authn.ClientParams{SyncPermissions: true},
			LastSeenAt:      time.Now(),
			AuthenticatedBy: login.RenderModule,
		}, nil
	}

	return &authn.Identity{
		ID:              identity.NewTypedID(claims.TypeUser, renderUsr.UserID),
		LastSeenAt:      time.Now(),
		AuthenticatedBy: login.RenderModule,
		ClientParams:    authn.ClientParams{FetchSyncedUser: true, SyncPermissions: true},
	}, nil
}

func (c *Render) IsEnabled() bool {
	return true
}

func (c *Render) Test(ctx context.Context, r *authn.Request) bool {
	if r.HTTPRequest == nil {
		return false
	}
	return getRenderKey(r) != ""
}

func (c *Render) Priority() uint {
	return 10
}

func getRenderKey(r *authn.Request) string {
	cookie, err := r.HTTPRequest.Cookie(renderCookieName)
	if err != nil {
		return ""
	}
	return cookie.Value
}
AuthN: Add render auth client (#60914) * AuthN: Add boilderplate for render auth client * AuthN: Implement test function for render auth client * AuthN: Implement Authenticate for render arender auth client * ContextHandler: Perform render auth if flag is enabled 2023-01-04 20:48:00 +08:00			`package clients`

			`import (`
			`"context"`
AuthN: Rebuild Authenticate so we only have to call it once in context handler (#61705) * API: Add reqSignedIn to router groups * AuthN: Add fall through in context handler * AuthN: Add IsAnonymous field * AuthN: add priority to context aware clients * ContextHandler: Add comment * AuthN: Add a simple priority queue * AuthN: Add Name to client interface * AuthN: register clients with function * AuthN: update mock and fake to implement interface * AuthN: rewrite test without reflection * AuthN: add comment * AuthN: fix queue insert * AuthN: rewrite tests * AuthN: make the queue generic so we can reuse it for hooks * ContextHandler: Add fixme for auth headers * AuthN: remove unused variable * AuthN: use multierror * AuthN: write proper tests for queue * AuthN: Add queue item that can store the value and priority Co-authored-by: Jo <joao.guerreiro@grafana.com> 2023-01-26 17:50:44 +08:00			`"time"`
AuthN: Add render auth client (#60914) * AuthN: Add boilderplate for render auth client * AuthN: Implement test function for render auth client * AuthN: Implement Authenticate for render arender auth client * ContextHandler: Perform render auth if flag is enabled 2023-01-04 20:48:00 +08:00
Auth: use IdentityType from authlib (#91763) 2024-08-12 14:26:53 +08:00			`"github.com/grafana/authlib/claims"`
Chore: Move identity and errutil to apimachinery module (#89116) 2024-06-13 12:11:35 +08:00			`"github.com/grafana/grafana/pkg/apimachinery/errutil"`
Identity: Rename "namespace" to "type" in the requester interface (#90567) 2024-07-25 17:52:14 +08:00			`"github.com/grafana/grafana/pkg/apimachinery/identity"`
AuthN: Add render auth client (#60914) * AuthN: Add boilderplate for render auth client * AuthN: Implement test function for render auth client * AuthN: Implement Authenticate for render arender auth client * ContextHandler: Perform render auth if flag is enabled 2023-01-04 20:48:00 +08:00			`"github.com/grafana/grafana/pkg/services/authn"`
AuthN: Rebuild Authenticate so we only have to call it once in context handler (#61705) * API: Add reqSignedIn to router groups * AuthN: Add fall through in context handler * AuthN: Add IsAnonymous field * AuthN: add priority to context aware clients * ContextHandler: Add comment * AuthN: Add a simple priority queue * AuthN: Add Name to client interface * AuthN: register clients with function * AuthN: update mock and fake to implement interface * AuthN: rewrite test without reflection * AuthN: add comment * AuthN: fix queue insert * AuthN: rewrite tests * AuthN: make the queue generic so we can reuse it for hooks * ContextHandler: Add fixme for auth headers * AuthN: remove unused variable * AuthN: use multierror * AuthN: write proper tests for queue * AuthN: Add queue item that can store the value and priority Co-authored-by: Jo <joao.guerreiro@grafana.com> 2023-01-26 17:50:44 +08:00			`"github.com/grafana/grafana/pkg/services/login"`
AuthN: Add render auth client (#60914) * AuthN: Add boilderplate for render auth client * AuthN: Implement test function for render auth client * AuthN: Implement Authenticate for render arender auth client * ContextHandler: Perform render auth if flag is enabled 2023-01-04 20:48:00 +08:00			`"github.com/grafana/grafana/pkg/services/org"`
			`"github.com/grafana/grafana/pkg/services/rendering"`
			`)`

			`var (`
Chore: Add errutils helpers (#73577) Add helpers for the errutil package in favor of errutil.NewBase. 2023-08-22 18:52:24 +08:00			`errInvalidRenderKey = errutil.Unauthorized("render-auth.invalid-key", errutil.WithPublicMessage("Invalid Render Key"))`
AuthN: Add render auth client (#60914) * AuthN: Add boilderplate for render auth client * AuthN: Implement test function for render auth client * AuthN: Implement Authenticate for render arender auth client * ContextHandler: Perform render auth if flag is enabled 2023-01-04 20:48:00 +08:00			`)`

			`const (`
			`renderCookieName = "renderKey"`
			`)`

AuthN: Rebuild Authenticate so we only have to call it once in context handler (#61705) * API: Add reqSignedIn to router groups * AuthN: Add fall through in context handler * AuthN: Add IsAnonymous field * AuthN: add priority to context aware clients * ContextHandler: Add comment * AuthN: Add a simple priority queue * AuthN: Add Name to client interface * AuthN: register clients with function * AuthN: update mock and fake to implement interface * AuthN: rewrite test without reflection * AuthN: add comment * AuthN: fix queue insert * AuthN: rewrite tests * AuthN: make the queue generic so we can reuse it for hooks * ContextHandler: Add fixme for auth headers * AuthN: remove unused variable * AuthN: use multierror * AuthN: write proper tests for queue * AuthN: Add queue item that can store the value and priority Co-authored-by: Jo <joao.guerreiro@grafana.com> 2023-01-26 17:50:44 +08:00			`var _ authn.ContextAwareClient = new(Render)`
AuthN: Add render auth client (#60914) * AuthN: Add boilderplate for render auth client * AuthN: Implement test function for render auth client * AuthN: Implement Authenticate for render arender auth client * ContextHandler: Perform render auth if flag is enabled 2023-01-04 20:48:00 +08:00
AuthN: Use fetch user sync hook for render keys connected to a user (#84080) * Use fetch user sync hook for render keys connected to a user 2024-03-12 16:15:14 +08:00			`func ProvideRender(renderService rendering.Service) *Render {`
			`return &Render{renderService}`
AuthN: Add render auth client (#60914) * AuthN: Add boilderplate for render auth client * AuthN: Implement test function for render auth client * AuthN: Implement Authenticate for render arender auth client * ContextHandler: Perform render auth if flag is enabled 2023-01-04 20:48:00 +08:00			`}`

			`type Render struct {`
			`renderService rendering.Service`
			`}`

AuthN: Rebuild Authenticate so we only have to call it once in context handler (#61705) * API: Add reqSignedIn to router groups * AuthN: Add fall through in context handler * AuthN: Add IsAnonymous field * AuthN: add priority to context aware clients * ContextHandler: Add comment * AuthN: Add a simple priority queue * AuthN: Add Name to client interface * AuthN: register clients with function * AuthN: update mock and fake to implement interface * AuthN: rewrite test without reflection * AuthN: add comment * AuthN: fix queue insert * AuthN: rewrite tests * AuthN: make the queue generic so we can reuse it for hooks * ContextHandler: Add fixme for auth headers * AuthN: remove unused variable * AuthN: use multierror * AuthN: write proper tests for queue * AuthN: Add queue item that can store the value and priority Co-authored-by: Jo <joao.guerreiro@grafana.com> 2023-01-26 17:50:44 +08:00			`func (c *Render) Name() string {`
			`return authn.ClientRender`
			`}`

AuthN: Add render auth client (#60914) * AuthN: Add boilderplate for render auth client * AuthN: Implement test function for render auth client * AuthN: Implement Authenticate for render arender auth client * ContextHandler: Perform render auth if flag is enabled 2023-01-04 20:48:00 +08:00			`func (c Render) Authenticate(ctx context.Context, r authn.Request) (*authn.Identity, error) {`
			`key := getRenderKey(r)`
			`renderUsr, ok := c.renderService.GetRenderUser(ctx, key)`
			`if !ok {`
AuthN: cleanup logs (#63652) * AuthN: clean up logs Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> 2023-02-24 18:26:55 +08:00			`return nil, errInvalidRenderKey.Errorf("found no render user for key: %s", key)`
AuthN: Add render auth client (#60914) * AuthN: Add boilderplate for render auth client * AuthN: Implement test function for render auth client * AuthN: Implement Authenticate for render arender auth client * ContextHandler: Perform render auth if flag is enabled 2023-01-04 20:48:00 +08:00			`}`

			`if renderUsr.UserID <= 0 {`
AuthN: Use fetch user sync hook for render keys connected to a user (#84080) * Use fetch user sync hook for render keys connected to a user 2024-03-12 16:15:14 +08:00			`return &authn.Identity{`
Auth: use IdentityType from authlib (#91763) 2024-08-12 14:26:53 +08:00			`ID: identity.NewTypedID(claims.TypeRenderService, 0),`
AuthN: Use fetch user sync hook for render keys connected to a user (#84080) * Use fetch user sync hook for render keys connected to a user 2024-03-12 16:15:14 +08:00			`OrgID: renderUsr.OrgID,`
			`OrgRoles: map[int64]org.RoleType{renderUsr.OrgID: org.RoleType(renderUsr.OrgRole)},`
			`ClientParams: authn.ClientParams{SyncPermissions: true},`
			`LastSeenAt: time.Now(),`
			`AuthenticatedBy: login.RenderModule,`
			`}, nil`
AuthN: Add render auth client (#60914) * AuthN: Add boilderplate for render auth client * AuthN: Implement test function for render auth client * AuthN: Implement Authenticate for render arender auth client * ContextHandler: Perform render auth if flag is enabled 2023-01-04 20:48:00 +08:00			`}`
AuthN: Rebuild Authenticate so we only have to call it once in context handler (#61705) * API: Add reqSignedIn to router groups * AuthN: Add fall through in context handler * AuthN: Add IsAnonymous field * AuthN: add priority to context aware clients * ContextHandler: Add comment * AuthN: Add a simple priority queue * AuthN: Add Name to client interface * AuthN: register clients with function * AuthN: update mock and fake to implement interface * AuthN: rewrite test without reflection * AuthN: add comment * AuthN: fix queue insert * AuthN: rewrite tests * AuthN: make the queue generic so we can reuse it for hooks * ContextHandler: Add fixme for auth headers * AuthN: remove unused variable * AuthN: use multierror * AuthN: write proper tests for queue * AuthN: Add queue item that can store the value and priority Co-authored-by: Jo <joao.guerreiro@grafana.com> 2023-01-26 17:50:44 +08:00
AuthN: Use fetch user sync hook for render keys connected to a user (#84080) * Use fetch user sync hook for render keys connected to a user 2024-03-12 16:15:14 +08:00			`return &authn.Identity{`
Auth: use IdentityType from authlib (#91763) 2024-08-12 14:26:53 +08:00			`ID: identity.NewTypedID(claims.TypeUser, renderUsr.UserID),`
AuthN: Use fetch user sync hook for render keys connected to a user (#84080) * Use fetch user sync hook for render keys connected to a user 2024-03-12 16:15:14 +08:00			`LastSeenAt: time.Now(),`
			`AuthenticatedBy: login.RenderModule,`
			`ClientParams: authn.ClientParams{FetchSyncedUser: true, SyncPermissions: true},`
			`}, nil`
AuthN: Add render auth client (#60914) * AuthN: Add boilderplate for render auth client * AuthN: Implement test function for render auth client * AuthN: Implement Authenticate for render arender auth client * ContextHandler: Perform render auth if flag is enabled 2023-01-04 20:48:00 +08:00			`}`

Auth: Add `IsClientEnabled` and `IsEnabled` for the `authn.Service` and `authn.Client` interfaces (#86034) * Add `Service. IsClientEnabled` and `Client.IsEnabled` functions * Implement `IsEnabled` function for authn clients * Implement `IsClientEnabled` function for authn services 2024-04-15 16:54:50 +08:00			`func (c *Render) IsEnabled() bool {`
			`return true`
			`}`

AuthN: Add render auth client (#60914) * AuthN: Add boilderplate for render auth client * AuthN: Implement test function for render auth client * AuthN: Implement Authenticate for render arender auth client * ContextHandler: Perform render auth if flag is enabled 2023-01-04 20:48:00 +08:00			`func (c Render) Test(ctx context.Context, r authn.Request) bool {`
			`if r.HTTPRequest == nil {`
			`return false`
			`}`
			`return getRenderKey(r) != ""`
			`}`

AuthN: Rebuild Authenticate so we only have to call it once in context handler (#61705) * API: Add reqSignedIn to router groups * AuthN: Add fall through in context handler * AuthN: Add IsAnonymous field * AuthN: add priority to context aware clients * ContextHandler: Add comment * AuthN: Add a simple priority queue * AuthN: Add Name to client interface * AuthN: register clients with function * AuthN: update mock and fake to implement interface * AuthN: rewrite test without reflection * AuthN: add comment * AuthN: fix queue insert * AuthN: rewrite tests * AuthN: make the queue generic so we can reuse it for hooks * ContextHandler: Add fixme for auth headers * AuthN: remove unused variable * AuthN: use multierror * AuthN: write proper tests for queue * AuthN: Add queue item that can store the value and priority Co-authored-by: Jo <joao.guerreiro@grafana.com> 2023-01-26 17:50:44 +08:00			`func (c *Render) Priority() uint {`
			`return 10`
			`}`

AuthN: Add render auth client (#60914) * AuthN: Add boilderplate for render auth client * AuthN: Implement test function for render auth client * AuthN: Implement Authenticate for render arender auth client * ContextHandler: Perform render auth if flag is enabled 2023-01-04 20:48:00 +08:00			`func getRenderKey(r *authn.Request) string {`
			`cookie, err := r.HTTPRequest.Cookie(renderCookieName)`
			`if err != nil {`
			`return ""`
			`}`
			`return cookie.Value`
			`}`