forked from grafana/grafana
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathauth.go
158 lines (125 loc) · 4.71 KB
/
auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
package interceptors
import (
"context"
"strings"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/metadata"
"google.golang.org/grpc/status"
"github.com/grafana/grafana/pkg/components/satokengen"
"github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/apikey"
grpccontext "github.com/grafana/grafana/pkg/services/grpcserver/context"
"github.com/grafana/grafana/pkg/services/org"
"github.com/grafana/grafana/pkg/services/user"
)
type Authenticator interface {
Authenticate(ctx context.Context) (context.Context, error)
}
// authenticator can authenticate GRPC requests.
type authenticator struct {
contextHandler grpccontext.ContextHandler
logger log.Logger
APIKeyService apikey.Service
UserService user.Service
AccessControlService accesscontrol.Service
}
func ProvideAuthenticator(apiKeyService apikey.Service, userService user.Service, accessControlService accesscontrol.Service, contextHandler grpccontext.ContextHandler) Authenticator {
return &authenticator{
contextHandler: contextHandler,
logger: log.New("grpc-server-authenticator"),
AccessControlService: accessControlService,
APIKeyService: apiKeyService,
UserService: userService,
}
}
// Authenticate checks that a token exists and is valid, and then removes the token from the
// authorization header in the context.
func (a *authenticator) Authenticate(ctx context.Context) (context.Context, error) {
return a.tokenAuth(ctx)
}
const tokenPrefix = "Bearer "
func (a *authenticator) tokenAuth(ctx context.Context) (context.Context, error) {
auth, err := extractAuthorization(ctx)
if err != nil {
return ctx, err
}
if !strings.HasPrefix(auth, tokenPrefix) {
return ctx, status.Error(codes.Unauthenticated, `missing "Bearer " prefix in "authorization" value`)
}
token := strings.TrimPrefix(auth, tokenPrefix)
if token == "" {
return ctx, status.Error(codes.Unauthenticated, "token required")
}
newCtx := purgeHeader(ctx, "authorization")
signedInUser, err := a.getSignedInUser(ctx, token)
if err != nil {
a.logger.Warn("request with invalid token", "error", err, "token", token)
return ctx, status.Error(codes.Unauthenticated, "invalid token")
}
newCtx = a.contextHandler.SetUser(newCtx, signedInUser)
return newCtx, nil
}
func (a *authenticator) getSignedInUser(ctx context.Context, token string) (*user.SignedInUser, error) {
decoded, err := satokengen.Decode(token)
if err != nil {
return nil, err
}
hash, err := decoded.Hash()
if err != nil {
return nil, err
}
apikey, err := a.APIKeyService.GetAPIKeyByHash(ctx, hash)
if err != nil {
return nil, err
}
if apikey == nil || apikey.ServiceAccountId == nil {
return nil, status.Error(codes.Unauthenticated, "api key does not have a service account")
}
querySignedInUser := user.GetSignedInUserQuery{UserID: *apikey.ServiceAccountId, OrgID: apikey.OrgID}
signedInUser, err := a.UserService.GetSignedInUser(ctx, &querySignedInUser)
if err != nil {
return nil, err
}
if signedInUser == nil {
return nil, status.Error(codes.Unauthenticated, "service account not found")
}
if !signedInUser.HasRole(org.RoleAdmin) {
return nil, status.Error(codes.PermissionDenied, "service account does not have admin role")
}
// disabled service accounts are not allowed to access the API
if signedInUser.IsDisabled {
return nil, status.Error(codes.PermissionDenied, "service account is disabled")
}
if signedInUser.Permissions == nil {
signedInUser.Permissions = make(map[int64]map[string][]string)
}
if signedInUser.Permissions[signedInUser.OrgID] == nil {
permissions, err := a.AccessControlService.GetUserPermissions(ctx, signedInUser, accesscontrol.Options{})
if err != nil {
a.logger.Error("failed fetching permissions for user", "userID", signedInUser.UserID, "error", err)
}
signedInUser.Permissions[signedInUser.OrgID] = accesscontrol.GroupScopesByActionContext(context.Background(), permissions)
}
return signedInUser, nil
}
func extractAuthorization(ctx context.Context) (string, error) {
md, ok := metadata.FromIncomingContext(ctx)
if !ok {
return "", status.Error(codes.Unauthenticated, "no headers in request")
}
authHeaders, ok := md["authorization"]
if !ok {
return "", status.Error(codes.Unauthenticated, `no "authorization" header in request`)
}
if len(authHeaders) != 1 {
return "", status.Error(codes.Unauthenticated, `malformed "authorization" header: one value required`)
}
return authHeaders[0], nil
}
func purgeHeader(ctx context.Context, header string) context.Context {
md, _ := metadata.FromIncomingContext(ctx)
mdCopy := md.Copy()
mdCopy[header] = nil
return metadata.NewIncomingContext(ctx, mdCopy)
}