grafana/pkg/services/authz/server.go

package authz

import (
	"context"
	"fmt"

	authzv1 "github.com/grafana/authlib/authz/proto/v1"
	"github.com/grafana/authlib/claims"

	"github.com/grafana/grafana/pkg/infra/log"
	"github.com/grafana/grafana/pkg/infra/tracing"
	"github.com/grafana/grafana/pkg/services/accesscontrol"
	"github.com/grafana/grafana/pkg/services/featuremgmt"
	"github.com/grafana/grafana/pkg/services/grpcserver"
)

var _ authzv1.AuthzServiceServer = (*legacyServer)(nil)

type legacyServer struct {
	authzv1.UnimplementedAuthzServiceServer

	acSvc  accesscontrol.Service
	logger log.Logger
	tracer tracing.Tracer
}

func newLegacyServer(
	acSvc accesscontrol.Service, features featuremgmt.FeatureToggles,
	grpcServer grpcserver.Provider, tracer tracing.Tracer, cfg *Cfg,
) (*legacyServer, error) {
	if !features.IsEnabledGlobally(featuremgmt.FlagAuthZGRPCServer) {
		return nil, nil
	}

	s := &legacyServer{
		acSvc:  acSvc,
		logger: log.New("authz-grpc-server"),
		tracer: tracer,
	}

	if cfg.listen {
		grpcServer.GetServer().RegisterService(&authzv1.AuthzService_ServiceDesc, s)
	}

	return s, nil
}

func (s *legacyServer) Read(ctx context.Context, req *authzv1.ReadRequest) (*authzv1.ReadResponse, error) {
	ctx, span := s.tracer.Start(ctx, "authz.grpc.Read")
	defer span.End()

	// FIXME: once we have access tokens, we need to do namespace validation here

	action := req.GetAction()
	subject := req.GetSubject()
	namespace := req.GetNamespace() // TODO can we consider the stackID as the orgID?

	info, err := claims.ParseNamespace(namespace)
	if err != nil || info.OrgID == 0 {
		return nil, fmt.Errorf("invalid namespace: %s", namespace)
	}

	ctxLogger := s.logger.FromContext(ctx)
	ctxLogger.Debug("Read", "action", action, "subject", subject, "namespace", namespace)

	permissions, err := s.acSvc.SearchUserPermissions(
		ctx,
		info.OrgID,
		accesscontrol.SearchOptions{Action: action, TypedID: subject},
	)
	if err != nil {
		ctxLogger.Error("failed to search user permissions", "error", err)
		return nil, tracing.Errorf(span, "failed to search user permissions: %w", err)
	}

	data := make([]*authzv1.ReadResponse_Data, 0, len(permissions))
	for _, perm := range permissions {
		data = append(data, &authzv1.ReadResponse_Data{Scope: perm.Scope})
	}
	return &authzv1.ReadResponse{
		Data:  data,
		Found: len(data) > 0,
	}, nil
}
AuthZ: embed an authorization server (#89018) * AuthZ: embed an authorization server * CODEOWNERS * Remove swagger * WIP * Flatten structure and inject wireset * sync mod files * Rename authorization package * Fix swagger gen * CODEOWNERS * Use itf instead of impl --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com> 12 months ago			`package authz`

			`import (`
			`"context"`
Chore: Update authlib version (#94714) * Chore: Update authlib version * update workspace * use ParseNamespace() 7 months ago			`"fmt"`
AuthZ: embed an authorization server (#89018) * AuthZ: embed an authorization server * CODEOWNERS * Remove swagger * WIP * Flatten structure and inject wireset * sync mod files * Rename authorization package * Fix swagger gen * CODEOWNERS * Use itf instead of impl --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com> 12 months ago
			`authzv1 "github.com/grafana/authlib/authz/proto/v1"`
Chore: Update authlib version (#94714) * Chore: Update authlib version * update workspace * use ParseNamespace() 7 months ago			`"github.com/grafana/authlib/claims"`
AuthZ: embed an authorization server (#89018) * AuthZ: embed an authorization server * CODEOWNERS * Remove swagger * WIP * Flatten structure and inject wireset * sync mod files * Rename authorization package * Fix swagger gen * CODEOWNERS * Use itf instead of impl --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com> 12 months ago
			`"github.com/grafana/grafana/pkg/infra/log"`
			`"github.com/grafana/grafana/pkg/infra/tracing"`
			`"github.com/grafana/grafana/pkg/services/accesscontrol"`
			`"github.com/grafana/grafana/pkg/services/featuremgmt"`
			`"github.com/grafana/grafana/pkg/services/grpcserver"`
			`)`

			`var _ authzv1.AuthzServiceServer = (*legacyServer)(nil)`

			`type legacyServer struct {`
			`authzv1.UnimplementedAuthzServiceServer`

			`acSvc accesscontrol.Service`
			`logger log.Logger`
			`tracer tracing.Tracer`
			`}`

			`func newLegacyServer(`
			`acSvc accesscontrol.Service, features featuremgmt.FeatureToggles,`
AuthZ: GRPC client init and config options (#89161) 11 months ago			`grpcServer grpcserver.Provider, tracer tracing.Tracer, cfg *Cfg,`
AuthZ: embed an authorization server (#89018) * AuthZ: embed an authorization server * CODEOWNERS * Remove swagger * WIP * Flatten structure and inject wireset * sync mod files * Rename authorization package * Fix swagger gen * CODEOWNERS * Use itf instead of impl --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com> 12 months ago			`) (*legacyServer, error) {`
			`if !features.IsEnabledGlobally(featuremgmt.FlagAuthZGRPCServer) {`
			`return nil, nil`
			`}`

			`s := &legacyServer{`
			`acSvc: acSvc,`
			`logger: log.New("authz-grpc-server"),`
			`tracer: tracer,`
			`}`

AuthZ: GRPC client init and config options (#89161) 11 months ago			`if cfg.listen {`
			`grpcServer.GetServer().RegisterService(&authzv1.AuthzService_ServiceDesc, s)`
			`}`
AuthZ: embed an authorization server (#89018) * AuthZ: embed an authorization server * CODEOWNERS * Remove swagger * WIP * Flatten structure and inject wireset * sync mod files * Rename authorization package * Fix swagger gen * CODEOWNERS * Use itf instead of impl --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com> 12 months ago
			`return s, nil`
			`}`

			`func (s legacyServer) Read(ctx context.Context, req authzv1.ReadRequest) (*authzv1.ReadResponse, error) {`
			`ctx, span := s.tracer.Start(ctx, "authz.grpc.Read")`
			`defer span.End()`

authz: set authzv1.ReadResponse.Found (#91212) Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com> 10 months ago			`// FIXME: once we have access tokens, we need to do namespace validation here`

AuthZ: embed an authorization server (#89018) * AuthZ: embed an authorization server * CODEOWNERS * Remove swagger * WIP * Flatten structure and inject wireset * sync mod files * Rename authorization package * Fix swagger gen * CODEOWNERS * Use itf instead of impl --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com> 12 months ago			`action := req.GetAction()`
			`subject := req.GetSubject()`
Chore: Update authlib version (#94714) * Chore: Update authlib version * update workspace * use ParseNamespace() 7 months ago			`namespace := req.GetNamespace() // TODO can we consider the stackID as the orgID?`

			`info, err := claims.ParseNamespace(namespace)`
			`if err != nil \|\| info.OrgID == 0 {`
			`return nil, fmt.Errorf("invalid namespace: %s", namespace)`
			`}`
AuthZ: embed an authorization server (#89018) * AuthZ: embed an authorization server * CODEOWNERS * Remove swagger * WIP * Flatten structure and inject wireset * sync mod files * Rename authorization package * Fix swagger gen * CODEOWNERS * Use itf instead of impl --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com> 12 months ago
			`ctxLogger := s.logger.FromContext(ctx)`
Chore: Update authlib version (#94714) * Chore: Update authlib version * update workspace * use ParseNamespace() 7 months ago			`ctxLogger.Debug("Read", "action", action, "subject", subject, "namespace", namespace)`
AuthZ: embed an authorization server (#89018) * AuthZ: embed an authorization server * CODEOWNERS * Remove swagger * WIP * Flatten structure and inject wireset * sync mod files * Rename authorization package * Fix swagger gen * CODEOWNERS * Use itf instead of impl --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com> 12 months ago
Identity: Remove typed id (#91801) * Refactor identity struct to store type in separate field * Update ResolveIdentity to take string representation of typedID * Add IsIdentityType to requester interface * Use IsIdentityType from interface * Remove usage of TypedID * Remote typedID struct * fix GetInternalID 10 months ago			`permissions, err := s.acSvc.SearchUserPermissions(`
			`ctx,`
Chore: Update authlib version (#94714) * Chore: Update authlib version * update workspace * use ParseNamespace() 7 months ago			`info.OrgID,`
Identity: Remove typed id (#91801) * Refactor identity struct to store type in separate field * Update ResolveIdentity to take string representation of typedID * Add IsIdentityType to requester interface * Use IsIdentityType from interface * Remove usage of TypedID * Remote typedID struct * fix GetInternalID 10 months ago			`accesscontrol.SearchOptions{Action: action, TypedID: subject},`
			`)`
AuthZ: embed an authorization server (#89018) * AuthZ: embed an authorization server * CODEOWNERS * Remove swagger * WIP * Flatten structure and inject wireset * sync mod files * Rename authorization package * Fix swagger gen * CODEOWNERS * Use itf instead of impl --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com> 12 months ago			`if err != nil {`
			`ctxLogger.Error("failed to search user permissions", "error", err)`
			`return nil, tracing.Errorf(span, "failed to search user permissions: %w", err)`
			`}`

			`data := make([]*authzv1.ReadResponse_Data, 0, len(permissions))`
			`for _, perm := range permissions {`
Chore: Update authlib version (#94714) * Chore: Update authlib version * update workspace * use ParseNamespace() 7 months ago			`data = append(data, &authzv1.ReadResponse_Data{Scope: perm.Scope})`
AuthZ: embed an authorization server (#89018) * AuthZ: embed an authorization server * CODEOWNERS * Remove swagger * WIP * Flatten structure and inject wireset * sync mod files * Rename authorization package * Fix swagger gen * CODEOWNERS * Use itf instead of impl --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com> 12 months ago			`}`
authz: set authzv1.ReadResponse.Found (#91212) Co-authored-by: Gabriel MABILLE <gabriel.mabille@grafana.com> 10 months ago			`return &authzv1.ReadResponse{`
			`Data: data,`
			`Found: len(data) > 0,`
			`}, nil`
AuthZ: embed an authorization server (#89018) * AuthZ: embed an authorization server * CODEOWNERS * Remove swagger * WIP * Flatten structure and inject wireset * sync mod files * Rename authorization package * Fix swagger gen * CODEOWNERS * Use itf instead of impl --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com> 12 months ago			`}`