The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
grafana/pkg/clientauth/middleware/token-exchange.go

111 lines
3.2 KiB

package middleware
import (
"fmt"
"net/http"
authlib "github.com/grafana/authlib/authn"
sdkhttpclient "github.com/grafana/grafana-plugin-sdk-go/backend/httpclient"
"github.com/grafana/grafana/pkg/apimachinery/identity"
infralog "github.com/grafana/grafana/pkg/infra/log"
"github.com/grafana/grafana/pkg/setting"
)
type TokenExchangeMiddleware struct {
tokenExchangeClient authlib.TokenExchanger
}
type tokenExchangeMiddlewareImpl struct {
tokenExchangeClient authlib.TokenExchanger
audiences []string
next http.RoundTripper
}
type signerSettings struct {
token string
tokenExchangeURL string
}
var _ http.RoundTripper = &tokenExchangeMiddlewareImpl{}
func TestingTokenExchangeMiddleware(tokenExchangeClient authlib.TokenExchanger) *TokenExchangeMiddleware {
return &TokenExchangeMiddleware{
tokenExchangeClient: tokenExchangeClient,
}
}
func NewTokenExchangeMiddleware(cfg *setting.Cfg) (*TokenExchangeMiddleware, error) {
clientCfg, err := readSignerSettings(cfg)
if err != nil {
return nil, err
}
tokenExchangeClient, err := authlib.NewTokenExchangeClient(authlib.TokenExchangeConfig{
Token: clientCfg.token,
TokenExchangeURL: clientCfg.tokenExchangeURL,
})
if err != nil {
return nil, err
}
return &TokenExchangeMiddleware{
tokenExchangeClient: tokenExchangeClient,
}, nil
}
func (p *TokenExchangeMiddleware) New(audiences []string) sdkhttpclient.MiddlewareFunc {
return func(opts sdkhttpclient.Options, next http.RoundTripper) http.RoundTripper {
return &tokenExchangeMiddlewareImpl{
tokenExchangeClient: p.tokenExchangeClient,
audiences: audiences,
next: next,
}
}
}
func (m tokenExchangeMiddlewareImpl) RoundTrip(req *http.Request) (res *http.Response, e error) {
log := infralog.New("token-exchange-middleware")
user, err := identity.GetRequester(req.Context())
if err != nil {
return nil, err
}
namespace := user.GetNamespace()
if namespace == "" {
return nil, fmt.Errorf("cluster scoped resources are currently not supported")
}
log.Debug("signing request", "url", req.URL.Path, "audience", m.audiences, "namespace", namespace)
token, err := m.tokenExchangeClient.Exchange(req.Context(), authlib.TokenExchangeRequest{
Namespace: namespace,
Audiences: m.audiences,
})
if err != nil {
return nil, fmt.Errorf("failed to exchange token: %w", err)
}
req.Header.Set("X-Access-Token", "Bearer "+token.Token)
return m.next.RoundTrip(req)
}
// we exercise the below code path in OSS but would rather have it fail
// instead of documenting these non-pertinent settings and requiring mock values for them.
// hence, the error return is handled above as non-critical and a mock
// exchange client is returned.
func readSignerSettings(cfg *setting.Cfg) (*signerSettings, error) {
grpcClientAuthSection := cfg.SectionWithEnvOverrides("grpc_client_authentication")
s := &signerSettings{}
s.token = grpcClientAuthSection.Key("token").MustString("")
s.tokenExchangeURL = grpcClientAuthSection.Key("token_exchange_url").MustString("")
if s.token == "" || s.tokenExchangeURL == "" {
return nil, fmt.Errorf("authorization: missing token or tokenExchangeUrl")
}
return s, nil
}