grafana/pkg/api/pluginproxy/token_provider_azure.go

package pluginproxy

import (
	"context"
	"strings"

	"github.com/grafana/grafana-azure-sdk-go/azcredentials"
	"github.com/grafana/grafana-azure-sdk-go/azsettings"
	"github.com/grafana/grafana-azure-sdk-go/aztokenprovider"

	"github.com/grafana/grafana/pkg/plugins"
	"github.com/grafana/grafana/pkg/setting"
)

type azureAccessTokenProvider struct {
	ctx           context.Context
	tokenProvider aztokenprovider.AzureTokenProvider
	scopes        []string
}

func newAzureAccessTokenProvider(ctx context.Context, cfg *setting.Cfg, authParams *plugins.JWTTokenAuth) (*azureAccessTokenProvider, error) {
	credentials := getAzureCredentials(cfg.Azure, authParams)
	tokenProvider, err := aztokenprovider.NewAzureAccessTokenProvider(cfg.Azure, credentials)
	if err != nil {
		return nil, err
	}
	return &azureAccessTokenProvider{
		ctx:           ctx,
		tokenProvider: tokenProvider,
		scopes:        authParams.Scopes,
	}, nil
}

func (provider *azureAccessTokenProvider) GetAccessToken() (string, error) {
	return provider.tokenProvider.GetAccessToken(provider.ctx, provider.scopes)
}

func getAzureCredentials(settings *azsettings.AzureSettings, authParams *plugins.JWTTokenAuth) azcredentials.AzureCredentials {
	authType := strings.ToLower(authParams.Params["azure_auth_type"])
	clientId := authParams.Params["client_id"]

	// Type of authentication being determined by the following logic:
	// * If authType is set to 'msi' then user explicitly selected the managed identity authentication
	// * If authType isn't set but other fields are configured then it's a datasource which was configured
	//   before managed identities where introduced, therefore use client secret authentication
	// * If authType and other fields aren't set then it means the datasource never been configured
	//   and managed identity is the default authentication choice as long as managed identities are enabled
	isManagedIdentity := authType == "msi" || (authType == "" && clientId == "" && settings.ManagedIdentityEnabled)

	if isManagedIdentity {
		return &azcredentials.AzureManagedIdentityCredentials{}
	} else {
		return &azcredentials.AzureClientSecretCredentials{
			AzureCloud:   authParams.Params["azure_cloud"],
			Authority:    authParams.Url,
			TenantId:     authParams.Params["tenant_id"],
			ClientId:     authParams.Params["client_id"],
			ClientSecret: authParams.Params["client_secret"],
		}
	}
}
AzureMonitor: token provider into aztokenprovider and cleanup (#36102) 2021-06-29 16:05:42 +08:00			`package pluginproxy`

			`import (`
			`"context"`
AzureMonitor: strongly-typed AzureCredentials and correct resolution of auth type and cloud (#36284) 2021-07-05 18:20:12 +08:00			`"strings"`
AzureMonitor: token provider into aztokenprovider and cleanup (#36102) 2021-06-29 16:05:42 +08:00
Migrate to Grafana Azure SDK (#47232) 2022-04-04 17:23:13 +08:00			`"github.com/grafana/grafana-azure-sdk-go/azcredentials"`
			`"github.com/grafana/grafana-azure-sdk-go/azsettings"`
			`"github.com/grafana/grafana-azure-sdk-go/aztokenprovider"`

AzureMonitor: token provider into aztokenprovider and cleanup (#36102) 2021-06-29 16:05:42 +08:00			`"github.com/grafana/grafana/pkg/plugins"`
			`"github.com/grafana/grafana/pkg/setting"`
			`)`

			`type azureAccessTokenProvider struct {`
			`ctx context.Context`
			`tokenProvider aztokenprovider.AzureTokenProvider`
AzureMonitor: strongly-typed AzureCredentials and correct resolution of auth type and cloud (#36284) 2021-07-05 18:20:12 +08:00			`scopes []string`
AzureMonitor: token provider into aztokenprovider and cleanup (#36102) 2021-06-29 16:05:42 +08:00			`}`

Plugins: Refactor Plugin Management (#40477) * add core plugin flow * add instrumentation * move func * remove cruft * support external backend plugins * refactor + clean up * remove comments * refactor loader * simplify core plugin path arg * cleanup loggers * move signature validator to plugins package * fix sig packaging * cleanup plugin model * remove unnecessary plugin field * add start+stop for pm * fix failures * add decommissioned state * export fields just to get things flowing * fix comments * set static routes * make image loading idempotent * merge with backend plugin manager * re-use funcs * reorder imports + remove unnecessary interface * add some TODOs + remove unused func * remove unused instrumentation func * simplify client usage * remove import alias * re-use backendplugin.Plugin interface * re order funcs * improve var name * fix log statements * refactor data model * add logic for dupe check during loading * cleanup state setting * refactor loader * cleanup manager interface * add rendering flow * refactor loading + init * add renderer support * fix renderer plugin * reformat imports * track errors * fix plugin signature inheritance * name param in interface * update func comment * fix func arg name * introduce class concept * remove func * fix external plugin check * apply changes from pm-experiment * fix core plugins * fix imports * rename interface * comment API interface * add support for testdata plugin * enable alerting + use correct core plugin contracts * slim manager API * fix param name * fix filter * support static routes * fix rendering * tidy rendering * get tests compiling * fix install+uninstall * start finder test * add finder test coverage * start loader tests * add test for core plugins * load core + bundled test * add test for nested plugin loading * add test files * clean interface + fix registering some core plugins * refactoring * reformat and create sub packages * simplify core plugin init * fix ctx cancel scenario * migrate initializer * remove Init() funcs * add test starter * new logger * flesh out initializer tests * refactoring * remove unused svc * refactor rendering flow * fixup loader tests * add enabled helper func * fix logger name * fix data fetchers * fix case where plugin dir doesn't exist * improve coverage + move dupe checking to loader * remove noisy debug logs * register core plugins automagically * add support for renderer in catalog * make private func + fix req validation * use interface * re-add check for renderer in catalog * tidy up from moving to auto reg core plugins * core plugin registrar * guards * copy over core plugins for test infra * all tests green * renames * propagate new interfaces * kill old manager * get compiling * tidy up * update naming * refactor manager test + cleanup * add more cases to finder test * migrate validator to field * more coverage * refactor dupe checking * add test for plugin class * add coverage for initializer * split out rendering * move * fixup tests * fix uss test * fix frontend settings * fix grafanads test * add check when checking sig errors * fix enabled map * fixup * allow manual setup of CM * rename to cloud-monitoring * remove TODO * add installer interface for testing * loader interface returns * tests passing * refactor + add more coverage * support 'stackdriver' * fix frontend settings loading * improve naming based on package name * small tidy * refactor test * fix renderer start * make cloud-monitoring plugin ID clearer * add plugin update test * add integration tests * don't break all if sig can't be calculated * add root URL check test * add more signature verification tests * update DTO name * update enabled plugins comment * update comments * fix linter * revert fe naming change * fix errors endpoint * reset error code field name * re-order test to help verify * assert -> require * pm check * add missing entry + re-order * re-check * dump icon log * verify manager contents first * reformat * apply PR feedback * apply style changes * fix one vs all loading err * improve log output * only start when no signature error * move log * rework plugin update check * fix test * fix multi loading from cfg.PluginSettings * improve log output #2 * add error abstraction to capture errors without registering a plugin * add debug log * add unsigned warning * e2e test attempt * fix logger * set home path * prevent panic * alternate * ugh.. fix home path * return renderer even if not started * make renderer plugin managed * add fallback renderer icon, update renderer badge + prevent changes when renderer is installed * fix icon loading * rollback renderer changes * use correct field * remove unneccessary block * remove newline * remove unused func * fix bundled plugins base + module fields * remove unused field since refactor * add authorizer abstraction * loader only returns plugins expected to run * fix multi log output 2021-11-01 17:53:33 +08:00			`func newAzureAccessTokenProvider(ctx context.Context, cfg setting.Cfg, authParams plugins.JWTTokenAuth) (*azureAccessTokenProvider, error) {`
Shared Azure middleware between Azure Monitor and Prometheus datasources (#46002) * Scopes in Azure middleware * Enable Azure middleware without feature flag * Use common Azure middleware in Azure Monitor * Apply feature flag to JsonData configuration of Azure auth * Enforce feature flag in Prometheus datasource * Prometheus provider tests * Datasource service tests * Fix http client provider tests * Pass sdkhttpclient.Options by reference * Add middleware to httpclient.Options * Remove dependency on Grafana settings * Unit-tests updated * Fix ds_proxy_test * Fix service_test 2022-04-01 19:26:49 +08:00			`credentials := getAzureCredentials(cfg.Azure, authParams)`
			`tokenProvider, err := aztokenprovider.NewAzureAccessTokenProvider(cfg.Azure, credentials)`
AzureMonitor: strongly-typed AzureCredentials and correct resolution of auth type and cloud (#36284) 2021-07-05 18:20:12 +08:00			`if err != nil {`
			`return nil, err`
			`}`
AzureMonitor: token provider into aztokenprovider and cleanup (#36102) 2021-06-29 16:05:42 +08:00			`return &azureAccessTokenProvider{`
			`ctx: ctx,`
AzureMonitor: strongly-typed AzureCredentials and correct resolution of auth type and cloud (#36284) 2021-07-05 18:20:12 +08:00			`tokenProvider: tokenProvider,`
			`scopes: authParams.Scopes,`
			`}, nil`
AzureMonitor: token provider into aztokenprovider and cleanup (#36102) 2021-06-29 16:05:42 +08:00			`}`

			`func (provider *azureAccessTokenProvider) GetAccessToken() (string, error) {`
AzureMonitor: strongly-typed AzureCredentials and correct resolution of auth type and cloud (#36284) 2021-07-05 18:20:12 +08:00			`return provider.tokenProvider.GetAccessToken(provider.ctx, provider.scopes)`
			`}`

Shared Azure middleware between Azure Monitor and Prometheus datasources (#46002) * Scopes in Azure middleware * Enable Azure middleware without feature flag * Use common Azure middleware in Azure Monitor * Apply feature flag to JsonData configuration of Azure auth * Enforce feature flag in Prometheus datasource * Prometheus provider tests * Datasource service tests * Fix http client provider tests * Pass sdkhttpclient.Options by reference * Add middleware to httpclient.Options * Remove dependency on Grafana settings * Unit-tests updated * Fix ds_proxy_test * Fix service_test 2022-04-01 19:26:49 +08:00			`func getAzureCredentials(settings azsettings.AzureSettings, authParams plugins.JWTTokenAuth) azcredentials.AzureCredentials {`
AzureMonitor: strongly-typed AzureCredentials and correct resolution of auth type and cloud (#36284) 2021-07-05 18:20:12 +08:00			`authType := strings.ToLower(authParams.Params["azure_auth_type"])`
			`clientId := authParams.Params["client_id"]`

			`// Type of authentication being determined by the following logic:`
			`// * If authType is set to 'msi' then user explicitly selected the managed identity authentication`
			`// * If authType isn't set but other fields are configured then it's a datasource which was configured`
			`// before managed identities where introduced, therefore use client secret authentication`
			`// * If authType and other fields aren't set then it means the datasource never been configured`
			`// and managed identity is the default authentication choice as long as managed identities are enabled`
Shared Azure middleware between Azure Monitor and Prometheus datasources (#46002) * Scopes in Azure middleware * Enable Azure middleware without feature flag * Use common Azure middleware in Azure Monitor * Apply feature flag to JsonData configuration of Azure auth * Enforce feature flag in Prometheus datasource * Prometheus provider tests * Datasource service tests * Fix http client provider tests * Pass sdkhttpclient.Options by reference * Add middleware to httpclient.Options * Remove dependency on Grafana settings * Unit-tests updated * Fix ds_proxy_test * Fix service_test 2022-04-01 19:26:49 +08:00			`isManagedIdentity := authType == "msi" \|\| (authType == "" && clientId == "" && settings.ManagedIdentityEnabled)`
AzureMonitor: strongly-typed AzureCredentials and correct resolution of auth type and cloud (#36284) 2021-07-05 18:20:12 +08:00
			`if isManagedIdentity {`
			`return &azcredentials.AzureManagedIdentityCredentials{}`
			`} else {`
			`return &azcredentials.AzureClientSecretCredentials{`
			`AzureCloud: authParams.Params["azure_cloud"],`
			`Authority: authParams.Url,`
			`TenantId: authParams.Params["tenant_id"],`
			`ClientId: authParams.Params["client_id"],`
			`ClientSecret: authParams.Params["client_secret"],`
			`}`
			`}`
AzureMonitor: token provider into aztokenprovider and cleanup (#36102) 2021-06-29 16:05:42 +08:00			`}`