grafana/pkg/services/anonymous/anonimpl/client.go

package anonimpl

import (
	"context"
	"errors"
	"net/http"
	"strings"

	"github.com/grafana/authlib/claims"
	"github.com/grafana/grafana/pkg/apimachinery/errutil"
	"github.com/grafana/grafana/pkg/infra/log"
	"github.com/grafana/grafana/pkg/services/anonymous"
	"github.com/grafana/grafana/pkg/services/anonymous/anonimpl/anonstore"
	"github.com/grafana/grafana/pkg/services/authn"
	"github.com/grafana/grafana/pkg/services/org"
	"github.com/grafana/grafana/pkg/setting"
)

var (
	errInvalidOrg = errutil.Unauthorized("anonymous.invalid-org")
	errInvalidID  = errutil.Unauthorized("anonymous.invalid-id")
)

var _ authn.ContextAwareClient = new(Anonymous)
var _ authn.IdentityResolverClient = new(Anonymous)

type Anonymous struct {
	cfg               *setting.Cfg
	log               log.Logger
	orgService        org.Service
	anonDeviceService anonymous.Service
}

func (a *Anonymous) Name() string {
	return authn.ClientAnonymous
}

func (a *Anonymous) Authenticate(ctx context.Context, r *authn.Request) (*authn.Identity, error) {
	o, err := a.orgService.GetByName(ctx, &org.GetOrgByNameQuery{Name: a.cfg.AnonymousOrgName})
	if err != nil {
		a.log.FromContext(ctx).Error("Failed to find organization", "name", a.cfg.AnonymousOrgName, "error", err)
		return nil, err
	}

	httpReqCopy := &http.Request{}
	if r.HTTPRequest != nil && r.HTTPRequest.Header != nil {
		// avoid r.HTTPRequest.Clone(context.Background()) as we do not require a full clone
		httpReqCopy.Header = r.HTTPRequest.Header.Clone()
		httpReqCopy.RemoteAddr = r.HTTPRequest.RemoteAddr
	}

	if err := a.anonDeviceService.TagDevice(ctx, httpReqCopy, anonymous.AnonDeviceUI); err != nil {
		if errors.Is(err, anonstore.ErrDeviceLimitReached) {
			return nil, err
		}

		a.log.Warn("Failed to tag anonymous session", "error", err)
	}

	return a.newAnonymousIdentity(o), nil
}

func (a *Anonymous) IsEnabled() bool {
	return a.cfg.AnonymousEnabled
}

func (a *Anonymous) Test(ctx context.Context, r *authn.Request) bool {
	// If anonymous client is register it can always be used for authentication
	return true
}

func (a *Anonymous) IdentityType() claims.IdentityType {
	return claims.TypeAnonymous
}

func (a *Anonymous) ResolveIdentity(ctx context.Context, orgID int64, typ claims.IdentityType, id string) (*authn.Identity, error) {
	o, err := a.orgService.GetByName(ctx, &org.GetOrgByNameQuery{Name: a.cfg.AnonymousOrgName})
	if err != nil {
		return nil, err
	}

	if o.ID != orgID {
		return nil, errInvalidOrg.Errorf("anonymous user cannot authenticate in org %d", o.ID)
	}

	// Anonymous identities should always have the same namespace id.
	if !claims.IsIdentityType(typ, claims.TypeAnonymous) || id != "0" {
		return nil, errInvalidID
	}

	return a.newAnonymousIdentity(o), nil
}

func (a *Anonymous) UsageStatFn(ctx context.Context) (map[string]any, error) {
	m := map[string]any{}

	// Add stats about anonymous auth
	m["stats.anonymous.customized_role.count"] = 0
	if !strings.EqualFold(a.cfg.AnonymousOrgRole, "Viewer") {
		m["stats.anonymous.customized_role.count"] = 1
	}

	return m, nil
}

func (a *Anonymous) Priority() uint {
	return 100
}

func (a *Anonymous) newAnonymousIdentity(o *org.Org) *authn.Identity {
	return &authn.Identity{
		ID:           "0",
		Type:         claims.TypeAnonymous,
		OrgID:        o.ID,
		OrgName:      o.Name,
		OrgRoles:     map[int64]org.RoleType{o.ID: org.RoleType(a.cfg.AnonymousOrgRole)},
		ClientParams: authn.ClientParams{SyncPermissions: true},
	}
}
Anon: Scaffold anon service (#74744) * remove API tagging method and authed tagging * add anonstore move debug to after cache change test order fix issue where mysql trims to second * add old device cleanup lint utc-ize everything trim whitespace * remove dangling setting * Add delete devices * Move anonymous authnclient to anonimpl * Add simple post login hook * move registration of Background Service cleanup * add updated_at index * do not untag device if login err * add delete device integration test 2023-09-25 22:25:29 +08:00			`package anonimpl`
Auth: Add anonymous authn client (#59637) * Authn: Add Client interface and Reqeust and Identity structures * Authn: Implement Authenticate method in service * Authn: Add tracing * Authn: Add logger * AuthN: Implement Anonymous client 2022-12-02 22:10:03 +08:00
			`import (`
			`"context"`
Anonymous: Add configurable device limit (#79265) * Anonymous: Add device limiter * break auth if limit reached * fix typo * refactored const to make it clearer with expiration * anon device limit for config --------- Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com> 2023-12-12 18:57:25 +08:00			`"errors"`
AnonymousAuth: Fix concurrent read-write crash (#68637) clone http req before tagging 2023-05-22 19:27:28 +08:00			`"net/http"`
Authn: Stat registration (#62934) * reorganize auth usage stats * usage stat privilege elevators * stat count of modified role * cfg related info * add authn anon client * kv store * ensure anon enabled is collected even if client is not registered * fix usage stats test 2023-02-07 00:23:53 +08:00			`"strings"`
Auth: Add anonymous authn client (#59637) * Authn: Add Client interface and Reqeust and Identity structures * Authn: Implement Authenticate method in service * Authn: Add tracing * Authn: Add logger * AuthN: Implement Anonymous client 2022-12-02 22:10:03 +08:00
Auth: use IdentityType from authlib (#91763) 2024-08-12 14:26:53 +08:00			`"github.com/grafana/authlib/claims"`
Chore: Move identity and errutil to apimachinery module (#89116) 2024-06-13 12:11:35 +08:00			`"github.com/grafana/grafana/pkg/apimachinery/errutil"`
Auth: Add anonymous authn client (#59637) * Authn: Add Client interface and Reqeust and Identity structures * Authn: Implement Authenticate method in service * Authn: Add tracing * Authn: Add logger * AuthN: Implement Anonymous client 2022-12-02 22:10:03 +08:00			`"github.com/grafana/grafana/pkg/infra/log"`
Authn: Anon session service (#63052) * add anon sessions package * add usage stat fn * implement count for cache * add anonservice to authn broker * lint * add tests for remote cache count * move anon service to services * wrap tagging in goroutine * make func used 2023-02-21 23:21:18 +08:00			`"github.com/grafana/grafana/pkg/services/anonymous"`
Anonymous: Add configurable device limit (#79265) * Anonymous: Add device limiter * break auth if limit reached * fix typo * refactored const to make it clearer with expiration * anon device limit for config --------- Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com> 2023-12-12 18:57:25 +08:00			`"github.com/grafana/grafana/pkg/services/anonymous/anonimpl/anonstore"`
Auth: Add anonymous authn client (#59637) * Authn: Add Client interface and Reqeust and Identity structures * Authn: Implement Authenticate method in service * Authn: Add tracing * Authn: Add logger * AuthN: Implement Anonymous client 2022-12-02 22:10:03 +08:00			`"github.com/grafana/grafana/pkg/services/authn"`
			`"github.com/grafana/grafana/pkg/services/org"`
			`"github.com/grafana/grafana/pkg/setting"`
Anon: Add support to resolve anonymous identity (#87486) 2024-05-13 17:06:14 +08:00			`)`

			`var (`
			`errInvalidOrg = errutil.Unauthorized("anonymous.invalid-org")`
			`errInvalidID = errutil.Unauthorized("anonymous.invalid-id")`
Auth: Add anonymous authn client (#59637) * Authn: Add Client interface and Reqeust and Identity structures * Authn: Implement Authenticate method in service * Authn: Add tracing * Authn: Add logger * AuthN: Implement Anonymous client 2022-12-02 22:10:03 +08:00			`)`

AuthN: Rebuild Authenticate so we only have to call it once in context handler (#61705) * API: Add reqSignedIn to router groups * AuthN: Add fall through in context handler * AuthN: Add IsAnonymous field * AuthN: add priority to context aware clients * ContextHandler: Add comment * AuthN: Add a simple priority queue * AuthN: Add Name to client interface * AuthN: register clients with function * AuthN: update mock and fake to implement interface * AuthN: rewrite test without reflection * AuthN: add comment * AuthN: fix queue insert * AuthN: rewrite tests * AuthN: make the queue generic so we can reuse it for hooks * ContextHandler: Add fixme for auth headers * AuthN: remove unused variable * AuthN: use multierror * AuthN: write proper tests for queue * AuthN: Add queue item that can store the value and priority Co-authored-by: Jo <joao.guerreiro@grafana.com> 2023-01-26 17:50:44 +08:00			`var _ authn.ContextAwareClient = new(Anonymous)`
Anon: Add support to resolve anonymous identity (#87486) 2024-05-13 17:06:14 +08:00			`var _ authn.IdentityResolverClient = new(Anonymous)`
Auth: Add anonymous authn client (#59637) * Authn: Add Client interface and Reqeust and Identity structures * Authn: Implement Authenticate method in service * Authn: Add tracing * Authn: Add logger * AuthN: Implement Anonymous client 2022-12-02 22:10:03 +08:00
			`type Anonymous struct {`
Auth: Rename Sessions to Devices in counting (#72432) * rename session to device * rename session to device 2023-07-27 17:09:08 +08:00			`cfg *setting.Cfg`
			`log log.Logger`
			`orgService org.Service`
			`anonDeviceService anonymous.Service`
Auth: Add anonymous authn client (#59637) * Authn: Add Client interface and Reqeust and Identity structures * Authn: Implement Authenticate method in service * Authn: Add tracing * Authn: Add logger * AuthN: Implement Anonymous client 2022-12-02 22:10:03 +08:00			`}`

AuthN: Rebuild Authenticate so we only have to call it once in context handler (#61705) * API: Add reqSignedIn to router groups * AuthN: Add fall through in context handler * AuthN: Add IsAnonymous field * AuthN: add priority to context aware clients * ContextHandler: Add comment * AuthN: Add a simple priority queue * AuthN: Add Name to client interface * AuthN: register clients with function * AuthN: update mock and fake to implement interface * AuthN: rewrite test without reflection * AuthN: add comment * AuthN: fix queue insert * AuthN: rewrite tests * AuthN: make the queue generic so we can reuse it for hooks * ContextHandler: Add fixme for auth headers * AuthN: remove unused variable * AuthN: use multierror * AuthN: write proper tests for queue * AuthN: Add queue item that can store the value and priority Co-authored-by: Jo <joao.guerreiro@grafana.com> 2023-01-26 17:50:44 +08:00			`func (a *Anonymous) Name() string {`
			`return authn.ClientAnonymous`
			`}`

Auth: Add anonymous authn client (#59637) * Authn: Add Client interface and Reqeust and Identity structures * Authn: Implement Authenticate method in service * Authn: Add tracing * Authn: Add logger * AuthN: Implement Anonymous client 2022-12-02 22:10:03 +08:00			`func (a Anonymous) Authenticate(ctx context.Context, r authn.Request) (*authn.Identity, error) {`
			`o, err := a.orgService.GetByName(ctx, &org.GetOrgByNameQuery{Name: a.cfg.AnonymousOrgName})`
			`if err != nil {`
Chore: capitalise log message for auth packages (#74332) 2023-09-05 00:49:47 +08:00			`a.log.FromContext(ctx).Error("Failed to find organization", "name", a.cfg.AnonymousOrgName, "error", err)`
Auth: Add anonymous authn client (#59637) * Authn: Add Client interface and Reqeust and Identity structures * Authn: Implement Authenticate method in service * Authn: Add tracing * Authn: Add logger * AuthN: Implement Anonymous client 2022-12-02 22:10:03 +08:00			`return nil, err`
			`}`

AnonymousAuth: Fix concurrent read-write crash (#68637) clone http req before tagging 2023-05-22 19:27:28 +08:00			`httpReqCopy := &http.Request{}`
			`if r.HTTPRequest != nil && r.HTTPRequest.Header != nil {`
			`// avoid r.HTTPRequest.Clone(context.Background()) as we do not require a full clone`
			`httpReqCopy.Header = r.HTTPRequest.Header.Clone()`
			`httpReqCopy.RemoteAddr = r.HTTPRequest.RemoteAddr`
			`}`

Anonymous: Add configurable device limit (#79265) * Anonymous: Add device limiter * break auth if limit reached * fix typo * refactored const to make it clearer with expiration * anon device limit for config --------- Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com> 2023-12-12 18:57:25 +08:00			`if err := a.anonDeviceService.TagDevice(ctx, httpReqCopy, anonymous.AnonDeviceUI); err != nil {`
			`if errors.Is(err, anonstore.ErrDeviceLimitReached) {`
			`return nil, err`
Authn: Anon session service (#63052) * add anon sessions package * add usage stat fn * implement count for cache * add anonservice to authn broker * lint * add tests for remote cache count * move anon service to services * wrap tagging in goroutine * make func used 2023-02-21 23:21:18 +08:00			`}`
Anonymous: Add configurable device limit (#79265) * Anonymous: Add device limiter * break auth if limit reached * fix typo * refactored const to make it clearer with expiration * anon device limit for config --------- Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com> 2023-12-12 18:57:25 +08:00
			`a.log.Warn("Failed to tag anonymous session", "error", err)`
			`}`
Authn: Anon session service (#63052) * add anon sessions package * add usage stat fn * implement count for cache * add anonservice to authn broker * lint * add tests for remote cache count * move anon service to services * wrap tagging in goroutine * make func used 2023-02-21 23:21:18 +08:00
Anon: Add support to resolve anonymous identity (#87486) 2024-05-13 17:06:14 +08:00			`return a.newAnonymousIdentity(o), nil`
Auth: Add anonymous authn client (#59637) * Authn: Add Client interface and Reqeust and Identity structures * Authn: Implement Authenticate method in service * Authn: Add tracing * Authn: Add logger * AuthN: Implement Anonymous client 2022-12-02 22:10:03 +08:00			`}`
Authn: Add client for api keys (#60339) * AuthN: Add functionallity to test if auth client should be used * AuthN: Add bolierplate client for api keys and register it * AuthN: Add tests for api key client * Inject service * AuthN: Update client names * ContextHandler: Set authn service * AuthN: Implement authentication for api key client * ContextHandler: Use authn service for api keys if flag is enabled * AuthN: refactor authentication method to return additional value to indicate if client could perform authentication * update prefixes * Add namespaced id to identity * AuthN: Expand the Identity struct to include required fields from signed in user * Add error for disabled service account * Add function to write error response based on errutil.Error * Add error to log * Return errors based on errutil.Error * pass error * update log message * Fix namespaced ids * Add tests * Lint 2022-12-19 16:22:11 +08:00
Auth: Add `IsClientEnabled` and `IsEnabled` for the `authn.Service` and `authn.Client` interfaces (#86034) * Add `Service. IsClientEnabled` and `Client.IsEnabled` functions * Implement `IsEnabled` function for authn clients * Implement `IsClientEnabled` function for authn services 2024-04-15 16:54:50 +08:00			`func (a *Anonymous) IsEnabled() bool {`
			`return a.cfg.AnonymousEnabled`
			`}`

Authn: Add client for api keys (#60339) * AuthN: Add functionallity to test if auth client should be used * AuthN: Add bolierplate client for api keys and register it * AuthN: Add tests for api key client * Inject service * AuthN: Update client names * ContextHandler: Set authn service * AuthN: Implement authentication for api key client * ContextHandler: Use authn service for api keys if flag is enabled * AuthN: refactor authentication method to return additional value to indicate if client could perform authentication * update prefixes * Add namespaced id to identity * AuthN: Expand the Identity struct to include required fields from signed in user * Add error for disabled service account * Add function to write error response based on errutil.Error * Add error to log * Return errors based on errutil.Error * pass error * update log message * Fix namespaced ids * Add tests * Lint 2022-12-19 16:22:11 +08:00			`func (a Anonymous) Test(ctx context.Context, r authn.Request) bool {`
			`// If anonymous client is register it can always be used for authentication`
			`return true`
			`}`
AuthN: Rebuild Authenticate so we only have to call it once in context handler (#61705) * API: Add reqSignedIn to router groups * AuthN: Add fall through in context handler * AuthN: Add IsAnonymous field * AuthN: add priority to context aware clients * ContextHandler: Add comment * AuthN: Add a simple priority queue * AuthN: Add Name to client interface * AuthN: register clients with function * AuthN: update mock and fake to implement interface * AuthN: rewrite test without reflection * AuthN: add comment * AuthN: fix queue insert * AuthN: rewrite tests * AuthN: make the queue generic so we can reuse it for hooks * ContextHandler: Add fixme for auth headers * AuthN: remove unused variable * AuthN: use multierror * AuthN: write proper tests for queue * AuthN: Add queue item that can store the value and priority Co-authored-by: Jo <joao.guerreiro@grafana.com> 2023-01-26 17:50:44 +08:00
Auth: use IdentityType from authlib (#91763) 2024-08-12 14:26:53 +08:00			`func (a *Anonymous) IdentityType() claims.IdentityType {`
			`return claims.TypeAnonymous`
Anon: Add support to resolve anonymous identity (#87486) 2024-05-13 17:06:14 +08:00			`}`

Identity: Remove typed id (#91801) * Refactor identity struct to store type in separate field * Update ResolveIdentity to take string representation of typedID * Add IsIdentityType to requester interface * Use IsIdentityType from interface * Remove usage of TypedID * Remote typedID struct * fix GetInternalID 2024-08-13 16:18:28 +08:00			`func (a Anonymous) ResolveIdentity(ctx context.Context, orgID int64, typ claims.IdentityType, id string) (authn.Identity, error) {`
Anon: Add support to resolve anonymous identity (#87486) 2024-05-13 17:06:14 +08:00			`o, err := a.orgService.GetByName(ctx, &org.GetOrgByNameQuery{Name: a.cfg.AnonymousOrgName})`
			`if err != nil {`
			`return nil, err`
			`}`

			`if o.ID != orgID {`
			`return nil, errInvalidOrg.Errorf("anonymous user cannot authenticate in org %d", o.ID)`
			`}`

			`// Anonymous identities should always have the same namespace id.`
Identity: Remove typed id (#91801) * Refactor identity struct to store type in separate field * Update ResolveIdentity to take string representation of typedID * Add IsIdentityType to requester interface * Use IsIdentityType from interface * Remove usage of TypedID * Remote typedID struct * fix GetInternalID 2024-08-13 16:18:28 +08:00			`if !claims.IsIdentityType(typ, claims.TypeAnonymous) \|\| id != "0" {`
Anon: Add support to resolve anonymous identity (#87486) 2024-05-13 17:06:14 +08:00			`return nil, errInvalidID`
			`}`

			`return a.newAnonymousIdentity(o), nil`
AuthN: Rebuild Authenticate so we only have to call it once in context handler (#61705) * API: Add reqSignedIn to router groups * AuthN: Add fall through in context handler * AuthN: Add IsAnonymous field * AuthN: add priority to context aware clients * ContextHandler: Add comment * AuthN: Add a simple priority queue * AuthN: Add Name to client interface * AuthN: register clients with function * AuthN: update mock and fake to implement interface * AuthN: rewrite test without reflection * AuthN: add comment * AuthN: fix queue insert * AuthN: rewrite tests * AuthN: make the queue generic so we can reuse it for hooks * ContextHandler: Add fixme for auth headers * AuthN: remove unused variable * AuthN: use multierror * AuthN: write proper tests for queue * AuthN: Add queue item that can store the value and priority Co-authored-by: Jo <joao.guerreiro@grafana.com> 2023-01-26 17:50:44 +08:00			`}`
Authn: Stat registration (#62934) * reorganize auth usage stats * usage stat privilege elevators * stat count of modified role * cfg related info * add authn anon client * kv store * ensure anon enabled is collected even if client is not registered * fix usage stats test 2023-02-07 00:23:53 +08:00
Chore: use any rather than interface{} (#74066) 2023-08-30 23:46:47 +08:00			`func (a *Anonymous) UsageStatFn(ctx context.Context) (map[string]any, error) {`
			`m := map[string]any{}`
Authn: Stat registration (#62934) * reorganize auth usage stats * usage stat privilege elevators * stat count of modified role * cfg related info * add authn anon client * kv store * ensure anon enabled is collected even if client is not registered * fix usage stats test 2023-02-07 00:23:53 +08:00
			`// Add stats about anonymous auth`
			`m["stats.anonymous.customized_role.count"] = 0`
			`if !strings.EqualFold(a.cfg.AnonymousOrgRole, "Viewer") {`
			`m["stats.anonymous.customized_role.count"] = 1`
			`}`

			`return m, nil`
			`}`
Anon: Add support to resolve anonymous identity (#87486) 2024-05-13 17:06:14 +08:00
			`func (a *Anonymous) Priority() uint {`
			`return 100`
			`}`

			`func (a Anonymous) newAnonymousIdentity(o org.Org) *authn.Identity {`
			`return &authn.Identity{`
Identity: Remove typed id (#91801) * Refactor identity struct to store type in separate field * Update ResolveIdentity to take string representation of typedID * Add IsIdentityType to requester interface * Use IsIdentityType from interface * Remove usage of TypedID * Remote typedID struct * fix GetInternalID 2024-08-13 16:18:28 +08:00			`ID: "0",`
			`Type: claims.TypeAnonymous,`
Anon: Add support to resolve anonymous identity (#87486) 2024-05-13 17:06:14 +08:00			`OrgID: o.ID,`
			`OrgName: o.Name,`
			`OrgRoles: map[int64]org.RoleType{o.ID: org.RoleType(a.cfg.AnonymousOrgRole)},`
			`ClientParams: authn.ClientParams{SyncPermissions: true},`
			`}`
			`}`