From c50ada3a1aadde739be538a4e1d431882253168b Mon Sep 17 00:00:00 2001
From: linoman <2051016+linoman@users.noreply.github.com>
Date: Fri, 3 Nov 2023 10:27:43 +0100
Subject: [PATCH] auth: wire service account proxy (#77215)
* Add interface verification compliance
* rework service account api to a provider
* wire the service accounts api
* rewire the implementation of sa srv for the proxy
---------
Co-authored-by: Misi
---
 pkg/server/wire.go | 4 +++-
 pkg/services/serviceaccounts/manager/service.go | 10 ++--------
 pkg/services/serviceaccounts/proxy/service.go | 13 +++++++++++++
 3 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/pkg/server/wire.go b/pkg/server/wire.go
index 24231f93fbe..95db107db6d 100644
--- a/pkg/server/wire.go
+++ b/pkg/server/wire.go
@@ -123,6 +123,7 @@ import (
 "github.com/grafana/grafana/pkg/services/serviceaccounts"
 "github.com/grafana/grafana/pkg/services/serviceaccounts/extsvcaccounts"
 serviceaccountsmanager "github.com/grafana/grafana/pkg/services/serviceaccounts/manager"
+ serviceaccountsproxy "github.com/grafana/grafana/pkg/services/serviceaccounts/proxy"
 serviceaccountsretriever "github.com/grafana/grafana/pkg/services/serviceaccounts/retriever"
 "github.com/grafana/grafana/pkg/services/shorturls"
 "github.com/grafana/grafana/pkg/services/shorturls/shorturlimpl"
@@ -288,7 +289,8 @@ var wireBasicSet = wire.NewSet(
 ossaccesscontrol.ProvideServiceAccountPermissions,
 wire.Bind(new(accesscontrol.ServiceAccountPermissionsService), new(*ossaccesscontrol.ServiceAccountPermissionsService)),
 serviceaccountsmanager.ProvideServiceAccountsService,
- wire.Bind(new(serviceaccounts.Service), new(*serviceaccountsmanager.ServiceAccountsService)),
+ serviceaccountsproxy.ProvideServiceAccountsProxy,
+ wire.Bind(new(serviceaccounts.Service), new(*serviceaccountsproxy.ServiceAccountsProxy)),
 expr.ProvideService,
 featuremgmt.ProvideManagerService,
 featuremgmt.ProvideToggles,
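Review bot: In the `wireBasicSet` hunk, `serviceaccountsmanager.ProvideServiceAccountsService` remains in the set as a concrete provider while only the `serviceaccounts.Service` binding moves to the proxy, so any constructor that asks for `*serviceaccountsmanager.ServiceAccountsService` by concrete type still receives the manager with no proxy in front of it. In this patch only `ProvideServiceAccountsProxy` is shown taking the concrete type; I would state that intent beside the provider, e.g. `// backend for the proxy only; inject serviceaccounts.Service everywhere else`. Because the manager no longer registers the HTTP API (see the manager/service.go hunks), any wire set outside this diff that still binds `serviceaccounts.Service` to the manager would presumably end up without the service account routes, which is worth checking.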
diff --git a/pkg/services/serviceaccounts/manager/service.go b/pkg/services/serviceaccounts/manager/service.go
index 8a9b557c145..141e79e1a94 100644
--- a/pkg/services/serviceaccounts/manager/service.go
+++ b/pkg/services/serviceaccounts/manager/service.go
@@ -6,7 +6,6 @@ import (
 "fmt"
 "time"
- "github.com/grafana/grafana/pkg/api/routing"
 "github.com/grafana/grafana/pkg/infra/kvstore"
 "github.com/grafana/grafana/pkg/infra/log"
 "github.com/grafana/grafana/pkg/infra/usagestats"
@@ -14,7 +13,6 @@ import (
 "github.com/grafana/grafana/pkg/services/apikey"
 "github.com/grafana/grafana/pkg/services/org"
 "github.com/grafana/grafana/pkg/services/serviceaccounts"
- "github.com/grafana/grafana/pkg/services/serviceaccounts/api"
 "github.com/grafana/grafana/pkg/services/serviceaccounts/database"
 "github.com/grafana/grafana/pkg/services/serviceaccounts/secretscan"
 "github.com/grafana/grafana/pkg/services/sqlstore"
@@ -39,15 +37,12 @@ type ServiceAccountsService struct {
 func ProvideServiceAccountsService(
 cfg *setting.Cfg,
- ac accesscontrol.AccessControl,
- routeRegister routing.RouteRegister,
 usageStats usagestats.Service,
 store *sqlstore.SQLStore,
 apiKeyService apikey.Service,
 kvStore kvstore.KVStore,
 userService user.Service,
 orgService org.Service,
- permissionService accesscontrol.ServiceAccountPermissionsService,
 accesscontrolService accesscontrol.Service,
 ) (*ServiceAccountsService, error) {
 serviceAccountsStore := database.ProvideServiceAccountsStore(
@@ -70,9 +65,6 @@ func ProvideServiceAccountsService(
 usageStats.RegisterMetricsFunc(s.getUsageMetrics)
- serviceaccountsAPI := api.NewServiceAccountsAPI(cfg, s, ac, accesscontrolService, routeRegister, permissionService)
- serviceaccountsAPI.RegisterAPIEndpoints()
-
 s.secretScanEnabled = cfg.SectionWithEnvOverrides("secretscan").Key("enabled").MustBool(false)
 s.secretScanInterval = cfg.SectionWithEnvOverrides("secretscan").
 Key("interval").MustDuration(defaultSecretScanInterval)
@@ -146,6 +138,8 @@ func (sa *ServiceAccountsService) Run(ctx context.Context) error {
 }
 }
+var _ serviceaccounts.Service = (*ServiceAccountsService)(nil)
+
 func (sa *ServiceAccountsService) CreateServiceAccount(ctx context.Context, orgID int64, saForm *serviceaccounts.CreateServiceAccountForm) (*serviceaccounts.ServiceAccountDTO, error) {
 if err := validOrgID(orgID); err != nil {
 return nil, err
diff --git a/pkg/services/serviceaccounts/proxy/service.go b/pkg/services/serviceaccounts/proxy/service.go
index 929a527189e..62a3c9d05dc 100644
--- a/pkg/services/serviceaccounts/proxy/service.go
+++ b/pkg/services/serviceaccounts/proxy/service.go
@@ -4,12 +4,16 @@ import (
 "context"
 "strings"
+ "github.com/grafana/grafana/pkg/api/routing"
 "github.com/grafana/grafana/pkg/infra/log"
+ "github.com/grafana/grafana/pkg/services/accesscontrol"
 "github.com/grafana/grafana/pkg/services/apikey"
 "github.com/grafana/grafana/pkg/services/featuremgmt"
 "github.com/grafana/grafana/pkg/services/serviceaccounts"
+ "github.com/grafana/grafana/pkg/services/serviceaccounts/api"
 "github.com/grafana/grafana/pkg/services/serviceaccounts/extsvcaccounts"
 "github.com/grafana/grafana/pkg/services/serviceaccounts/manager"
+ "github.com/grafana/grafana/pkg/setting"
 )
 // ServiceAccountsProxy is a proxy for the serviceaccounts.Service interface
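Review bot: The assertion `var _ serviceaccounts.Service = (*ServiceAccountsService)(nil)` added in the manager/service.go hunk sits between `Run` and `CreateServiceAccount`, where it is easy to overlook, and it carries no comment. Placing it directly under the `ServiceAccountsService` type declaration with `// Compile-time check that the manager implements serviceaccounts.Service.` would make it easier to find. The type declaration itself is outside this hunk.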
@@ -23,14 +27,23 @@ type ServiceAccountsProxy struct {
 }
 func ProvideServiceAccountsProxy(
+ cfg *setting.Cfg,
+ ac accesscontrol.AccessControl,
+ accesscontrolService accesscontrol.Service,
 features *featuremgmt.FeatureManager,
+ permissionService accesscontrol.ServiceAccountPermissionsService,
 proxiedService *manager.ServiceAccountsService,
+ routeRegister routing.RouteRegister,
 ) (*ServiceAccountsProxy, error) {
 s := &ServiceAccountsProxy{
 log: log.New("serviceaccounts.proxy"),
 proxiedService: proxiedService,
 isProxyEnabled: features.IsEnabled(featuremgmt.FlagExternalServiceAccounts) || features.IsEnabled(featuremgmt.FlagExternalServiceAuth),
 }
+
+ serviceaccountsAPI := api.NewServiceAccountsAPI(cfg, s, ac, accesscontrolService, routeRegister, permissionService)
+ serviceaccountsAPI.RegisterAPIEndpoints()
+
 return s, nil
 }
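Review bot: `ProvideServiceAccountsProxy` now registers the service account HTTP routes as a side effect of construction, and the hunk has no comment saying so or explaining why the API is given the proxy `s` rather than `proxiedService`. That argument is what routes HTTP calls through the proxy (and whatever it enforces when `isProxyEnabled` is set), so a later swap back to the manager would silently remove that layer. A doc comment such as `// ProvideServiceAccountsProxy builds the proxy and registers the service account HTTP API against it, so API calls do not reach the manager directly.` makes the intent explicit. Since registration lives in the provider, constructing the proxy more than once (for example in tests) would presumably register the routes again. The struct declaration and the proxy's methods are outside the hunk.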