grafana/pkg/services/extsvcauth/models.go

package extsvcauth

import (
	"context"

	"github.com/grafana/grafana/pkg/services/accesscontrol"
)

const (
	ServiceAccounts AuthProvider = "ServiceAccounts"

	// TmpOrgID is the orgID we use while global service accounts are not supported.
	TmpOrgIDStr string = "1"
	TmpOrgID    int64  = 1
)

type AuthProvider string

//go:generate mockery --name ExternalServiceRegistry --structname ExternalServiceRegistryMock --output tests --outpkg tests --filename extsvcregmock.go
type ExternalServiceRegistry interface {
	// HasExternalService returns whether an external service has been saved with that name.
	HasExternalService(ctx context.Context, name string) (bool, error)

	// GetExternalServiceNames returns the names of external services registered in store.
	GetExternalServiceNames(ctx context.Context) ([]string, error)

	// RemoveExternalService removes an external service and its associated resources from the database (ex: service account, token).
	RemoveExternalService(ctx context.Context, name string) error

	// SaveExternalService creates or updates an external service in the database. Based on the requested auth provider,
	// it generates client_id, secrets and any additional provider specificities (ex: rsa keys). It also ensures that the
	// associated service account has the correct permissions.
	SaveExternalService(ctx context.Context, cmd *ExternalServiceRegistration) (*ExternalService, error)
}

type SelfCfg struct {
	// Enabled allows the service to request access tokens for itself
	Enabled bool
	// Permissions are the permissions that the external service needs its associated service account to have.
	Permissions []accesscontrol.Permission
}

// ExternalServiceRegistration represents the registration form to save new client.
type ExternalServiceRegistration struct {
	Name string
	// Self access configuration
	Self SelfCfg
	// Auth Provider that the client will use to connect to Grafana
	AuthProvider AuthProvider
	// Auth Provider specific config
	OAuthProviderCfg *OAuthProviderCfg
}

// ExternalService represents the credentials that the ExternalService can use to connect to Grafana.
type ExternalService struct {
	Name       string
	ID         string
	Secret     string
	OAuthExtra *OAuthExtra // Auth Provider specificities (ex: ecdsa key pair)
}

type KeyOption struct {
	// URL       string `json:"url,omitempty"` // TODO allow specifying a URL (to a .jwks file) to fetch the key from
	// PublicPEM contains the Base64 encoded public key in PEM format
	PublicPEM string
	Generate  bool
}

// ProviderCfg represents the registration form specificities needed to register OAuth2 clients.
type OAuthProviderCfg struct {
	// RedirectURI is the URI that is used in the code flow.
	// Note that this is not used yet.
	RedirectURI *string
	// Key is the option to specify a public key or ask the server to generate a crypto key pair.
	Key *KeyOption
}

type KeyResult struct {
	URL        string
	PrivatePem string
	PublicPem  string
	Generated  bool
}

// OAuthExtra represents the specificities of an OAuth2 client.
type OAuthExtra struct {
	Audiences   string
	GrantTypes  string
	KeyResult   *KeyResult
	RedirectURI string
}
AuthN: New service to support multiple authentication providers for plugins (#75979) * OnGoing * Continue migrating structure * Comment * Add intermediary service * Remove unused error so far * no need for fmt use errors * use RoleNone * Docs * Fix test * Accounting for review feedback * Rename oauthserver.ExternalService to OAuthClient * Revert as the interface looks weird * Update pluginintegration * Rename oauthserver.ExternalService * closer to what it was before 2023-10-06 00:13:06 +08:00			`package extsvcauth`

			`import (`
			`"context"`

			`"github.com/grafana/grafana/pkg/services/accesscontrol"`
			`)`

			`const (`
Plugins: Automatic service account (and token) setup (#76473) * Update cue to have an AuthProvider entry * Cable the new auth provider * Add feature flag check to the accesscontrol service * Fix test * Change the structure of externalServiceRegistration (#76673) 2023-10-17 22:21:23 +08:00			`ServiceAccounts AuthProvider = "ServiceAccounts"`
AuthN: Add service account token generation to `ExtSvcAccountsService` (#76327) * Manage service account secrets * Wip * WIP * WIP * Revert to keep a light interface * Implement SaveExternalService * Remove unecessary functions from the interface * Remove unused field * Better log * Leave ext svc credentials out of the extsvcauth package for now * Remove todo * Add tests to SaveExternalService * Test that secret has been removed from store * Lint * Nit. * Rename commands and structs Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * Account for PR feedback Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com> * Linting * Add nosec comment G101 - this is not a hardcoded secret * Lowercase kvStoreType --------- Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com> 2023-10-12 22:15:16 +08:00
			`// TmpOrgID is the orgID we use while global service accounts are not supported.`
ExtSvcAccounts: FIX prevent service account deletion (#84502) * ExtSvcAccounts: Fix External Service Accounts Login check Co-authored-by: Karl Persson <kalle.persson@grafana.com> * Remove service accounts assignments and permissions on delete * Fix first set of tests * Fix second batch of tests * Fix third batch of tests --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com> 2024-03-15 02:11:02 +08:00			`TmpOrgIDStr string = "1"`
			`TmpOrgID int64 = 1`
AuthN: New service to support multiple authentication providers for plugins (#75979) * OnGoing * Continue migrating structure * Comment * Add intermediary service * Remove unused error so far * no need for fmt use errors * use RoleNone * Docs * Fix test * Accounting for review feedback * Rename oauthserver.ExternalService to OAuthClient * Revert as the interface looks weird * Update pluginintegration * Rename oauthserver.ExternalService * closer to what it was before 2023-10-06 00:13:06 +08:00			`)`

			`type AuthProvider string`

ExtSvcAuth: Clean up orphaned external services on start up (#77951) * Plugin: Remove external service on plugin removal * Early exit no service account * Add log * WIP * Cable OAuth2Server client removal * Move function lower * Add function to test removal * Add test to RemoveExternalService * Test RemoveExtSvcAccount * remove apostrophy in comment * Add cfg to plugin installer to check features * Add feature flag check in the service registration service * Comments * Move metrics Inc * Initialize map * Reorder * Initialize mutex as well * Add HasExternalService as suggested * WIP: CleanUpOrphanedExternalServices * Commit suggestion Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> * Nit on test. Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> * oauthserver return names * Name is not Slug * Use plugin ID not slug * Add background job * remove negation on feature check * Add test to the CleanUp function * Test GetExternalServiceNames * rename test * Add test for ExtSvcAccountsService_GetExternalServiceNames * Add a todo * Add todo * Option based on mix * Rewrite a bit the comment * Opinionated choice use slugs instead of names everywhere * Nit. * Comments and re-ordering * Comment * Add log * Add context --------- Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> 2023-11-16 19:07:42 +08:00			`//go:generate mockery --name ExternalServiceRegistry --structname ExternalServiceRegistryMock --output tests --outpkg tests --filename extsvcregmock.go`
AuthN: New service to support multiple authentication providers for plugins (#75979) * OnGoing * Continue migrating structure * Comment * Add intermediary service * Remove unused error so far * no need for fmt use errors * use RoleNone * Docs * Fix test * Accounting for review feedback * Rename oauthserver.ExternalService to OAuthClient * Revert as the interface looks weird * Update pluginintegration * Rename oauthserver.ExternalService * closer to what it was before 2023-10-06 00:13:06 +08:00			`type ExternalServiceRegistry interface {`
Plugin: Remove external service on plugin removal (#77712) * Plugin: Remove external service on plugin removal * Add feature flag check in the service registration service * Initialize map * Add HasExternalService as suggested * Commit suggestion Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> * Nit on test. Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> --------- Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> 2023-11-13 20:18:13 +08:00			`// HasExternalService returns whether an external service has been saved with that name.`
ExtSvcAuth: Refactor external service registry to use ExternalServiceRegistry variables (#78056) ExtSvcAuth: Refactor external service registry to use ExternalServiceRegistry 2023-11-13 23:23:11 +08:00			`HasExternalService(ctx context.Context, name string) (bool, error)`
Plugin: Remove external service on plugin removal (#77712) * Plugin: Remove external service on plugin removal * Add feature flag check in the service registration service * Initialize map * Add HasExternalService as suggested * Commit suggestion Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> * Nit on test. Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> --------- Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> 2023-11-13 20:18:13 +08:00
ExtSvcAuth: Clean up orphaned external services on start up (#77951) * Plugin: Remove external service on plugin removal * Early exit no service account * Add log * WIP * Cable OAuth2Server client removal * Move function lower * Add function to test removal * Add test to RemoveExternalService * Test RemoveExtSvcAccount * remove apostrophy in comment * Add cfg to plugin installer to check features * Add feature flag check in the service registration service * Comments * Move metrics Inc * Initialize map * Reorder * Initialize mutex as well * Add HasExternalService as suggested * WIP: CleanUpOrphanedExternalServices * Commit suggestion Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> * Nit on test. Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> * oauthserver return names * Name is not Slug * Use plugin ID not slug * Add background job * remove negation on feature check * Add test to the CleanUp function * Test GetExternalServiceNames * rename test * Add test for ExtSvcAccountsService_GetExternalServiceNames * Add a todo * Add todo * Option based on mix * Rewrite a bit the comment * Opinionated choice use slugs instead of names everywhere * Nit. * Comments and re-ordering * Comment * Add log * Add context --------- Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> 2023-11-16 19:07:42 +08:00			`// GetExternalServiceNames returns the names of external services registered in store.`
			`GetExternalServiceNames(ctx context.Context) ([]string, error)`

Plugin: Remove external service on plugin removal (#77712) * Plugin: Remove external service on plugin removal * Add feature flag check in the service registration service * Initialize map * Add HasExternalService as suggested * Commit suggestion Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> * Nit on test. Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> --------- Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> 2023-11-13 20:18:13 +08:00			`// RemoveExternalService removes an external service and its associated resources from the database (ex: service account, token).`
			`RemoveExternalService(ctx context.Context, name string) error`

AuthN: New service to support multiple authentication providers for plugins (#75979) * OnGoing * Continue migrating structure * Comment * Add intermediary service * Remove unused error so far * no need for fmt use errors * use RoleNone * Docs * Fix test * Accounting for review feedback * Rename oauthserver.ExternalService to OAuthClient * Revert as the interface looks weird * Update pluginintegration * Rename oauthserver.ExternalService * closer to what it was before 2023-10-06 00:13:06 +08:00			`// SaveExternalService creates or updates an external service in the database. Based on the requested auth provider,`
			`// it generates client_id, secrets and any additional provider specificities (ex: rsa keys). It also ensures that the`
			`// associated service account has the correct permissions.`
			`SaveExternalService(ctx context.Context, cmd ExternalServiceRegistration) (ExternalService, error)`
			`}`

			`type SelfCfg struct {`
			`// Enabled allows the service to request access tokens for itself`
			`Enabled bool`
			`// Permissions are the permissions that the external service needs its associated service account to have.`
			`Permissions []accesscontrol.Permission`
			`}`

			`// ExternalServiceRegistration represents the registration form to save new client.`
			`type ExternalServiceRegistration struct {`
			`Name string`
			`// Self access configuration`
			`Self SelfCfg`
			`// Auth Provider that the client will use to connect to Grafana`
			`AuthProvider AuthProvider`
			`// Auth Provider specific config`
			`OAuthProviderCfg *OAuthProviderCfg`
			`}`

			`// ExternalService represents the credentials that the ExternalService can use to connect to Grafana.`
			`type ExternalService struct {`
			`Name string`
			`ID string`
			`Secret string`
			`OAuthExtra *OAuthExtra // Auth Provider specificities (ex: ecdsa key pair)`
			`}`

			`type KeyOption struct {`
			// URL string `json:"url,omitempty"` // TODO allow specifying a URL (to a .jwks file) to fetch the key from
			`// PublicPEM contains the Base64 encoded public key in PEM format`
			`PublicPEM string`
			`Generate bool`
			`}`

			`// ProviderCfg represents the registration form specificities needed to register OAuth2 clients.`
			`type OAuthProviderCfg struct {`
			`// RedirectURI is the URI that is used in the code flow.`
			`// Note that this is not used yet.`
			`RedirectURI *string`
			`// Key is the option to specify a public key or ask the server to generate a crypto key pair.`
			`Key *KeyOption`
			`}`

			`type KeyResult struct {`
			`URL string`
			`PrivatePem string`
			`PublicPem string`
			`Generated bool`
			`}`

			`// OAuthExtra represents the specificities of an OAuth2 client.`
			`type OAuthExtra struct {`
			`Audiences string`
			`GrantTypes string`
			`KeyResult *KeyResult`
			`RedirectURI string`
			`}`