Auth: Introduce pre-logout hooks + add GCOM LogoutHook (#88475)

* Introduce preLogoutHooks in authn service

* Add gcom_logout_hook

* Config the api token from the Grafana config file

* Simplify

* Add tests for logout hook

* Clean up

* Update

* Address PR comment

* Fix

conf/defaults.ini

@@ -1502,6 +1502,7 @@ url = https://grafana.com
 [grafana_com]
 url = https://grafana.com
 api_url = https://grafana.com/api
+sso_api_token = ""
 
 #################################### Distributed tracing ############
 # Opentracing is deprecated use opentelemetry instead

conf/sample.ini

@@ -1376,6 +1376,8 @@ max_annotations_to_keep =
 [grafana_com]
 ;url = https://grafana.com
 ;api_url = https://grafana.com/api
+# Grafana instance - Grafana.com integration SSO API token
+;sso_api_token = ""
 
 #################################### Distributed tracing ############
 # Opentracing is deprecated use opentelemetry instead

pkg/services/auth/gcomsso/gcom_logout_hook.go

@@ -0,0 +1,65 @@
+package gcomsso
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"net/http"
+
+	"github.com/grafana/grafana/pkg/models/usertoken"
+	"github.com/grafana/grafana/pkg/services/auth/identity"
+	"github.com/grafana/grafana/pkg/setting"
+)
+
+type gcomLogoutRequest struct {
+	Token     string `json:"idToken"`
+	SessionID string `json:"sessionId"`
+}
+
+type GComSSOService struct {
+	cfg    *setting.Cfg
+	logger *slog.Logger
+}
+
+func ProvideGComSSOService(cfg *setting.Cfg) *GComSSOService {
+	return &GComSSOService{
+		cfg:    cfg,
+		logger: slog.Default().With("logger", "gcomsso-service"),
+	}
+}
+
+func (s *GComSSOService) LogoutHook(ctx context.Context, user identity.Requester, sessionToken *usertoken.UserToken) error {
+	s.logger.Debug("Logging out from Grafana.com", "user", user.GetID(), "session", sessionToken.Id)
+	data, err := json.Marshal(&gcomLogoutRequest{
+		Token:     user.GetIDToken(),
+		SessionID: fmt.Sprint(sessionToken.Id),
+	})
+	if err != nil {
+		s.logger.Error("failed to marshal request", "error", err)
+		return err
+	}
+
+	hReq, err := http.NewRequestWithContext(ctx, http.MethodPost, s.cfg.GrafanaComURL+"/api/logout/grafana/sso", bytes.NewReader(data))
+	if err != nil {
+		return err
+	}
+	hReq.Header.Add("Content-Type", "application/json")
+	hReq.Header.Add("Authorization", "Bearer "+s.cfg.GrafanaComSSOAPIToken)
+
+	c := http.DefaultClient
+	resp, err := c.Do(hReq)
+	if err != nil {
+		s.logger.Error("failed to send request", "error", err)
+		return err
+	}
+	// nolint: errcheck
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusNoContent {
+		return fmt.Errorf("failed to logout from grafana com: %d", resp.StatusCode)
+	}
+
+	return nil
+}

pkg/services/auth/gcomsso/gcom_logout_hook_test.go

@@ -0,0 +1,64 @@
+package gcomsso
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/grafana/grafana/pkg/models/usertoken"
+	"github.com/grafana/grafana/pkg/services/user"
+	"github.com/grafana/grafana/pkg/setting"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGComSSOService_LogoutHook(t *testing.T) {
+	cfg := &setting.Cfg{
+		GrafanaComURL:         "http://example.com",
+		GrafanaComSSOAPIToken: "sso-api-token",
+	}
+
+	s := ProvideGComSSOService(cfg)
+
+	t.Run("Successfully logs out from grafana.com", func(t *testing.T) {
+		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			require.Equal(t, http.MethodPost, r.Method)
+			require.Equal(t, "/api/logout/grafana/sso", r.URL.Path)
+
+			require.Equal(t, "application/json", r.Header.Get("Content-Type"))
+			require.Equal(t, "Bearer "+cfg.GrafanaComSSOAPIToken, r.Header.Get("Authorization"))
+
+			w.WriteHeader(http.StatusNoContent)
+		}))
+		defer server.Close()
+
+		cfg.GrafanaComURL = server.URL
+		user := &user.SignedInUser{
+			IDToken: "id-token",
+		}
+		sessionToken := &usertoken.UserToken{
+			Id: 123,
+		}
+
+		err := s.LogoutHook(context.Background(), user, sessionToken)
+		require.NoError(t, err)
+	})
+
+	t.Run("Fails to log out from grafana.com", func(t *testing.T) {
+		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusInternalServerError)
+		}))
+		defer server.Close()
+
+		cfg.GrafanaComURL = server.URL
+		user := &user.SignedInUser{
+			IDToken: "id-token",
+		}
+		sessionToken := &usertoken.UserToken{
+			Id: 123,
+		}
+
+		err := s.LogoutHook(context.Background(), user, sessionToken)
+		require.Error(t, err)
+	})
+}

pkg/services/authn/authn.go

@@ -72,6 +72,7 @@ type FetchPermissionsParams struct {
 
 type PostAuthHookFn func(ctx context.Context, identity *Identity, r *Request) error
 type PostLoginHookFn func(ctx context.Context, identity *Identity, r *Request, err error)
+type PreLogoutHookFn func(ctx context.Context, requester identity.Requester, sessionToken *usertoken.UserToken) error
 
 type Service interface {
 	// Authenticate authenticates a request
@@ -88,7 +89,8 @@ type Service interface {
 	RedirectURL(ctx context.Context, client string, r *Request) (*Redirect, error)
 	// Logout revokes session token and does additional clean up if client used to authenticate supports it
 	Logout(ctx context.Context, user identity.Requester, sessionToken *usertoken.UserToken) (*Redirect, error)
-
+	// RegisterPreLogoutHook registers a hook that is called before a logout request.
+	RegisterPreLogoutHook(hook PreLogoutHookFn, priority uint)
 	// ResolveIdentity resolves an identity from org and namespace id.
 	ResolveIdentity(ctx context.Context, orgID int64, namespaceID NamespaceID) (*Identity, error)
 

pkg/services/authn/authnimpl/registration.go

@@ -7,6 +7,7 @@ import (
 	"github.com/grafana/grafana/pkg/services/accesscontrol"
 	"github.com/grafana/grafana/pkg/services/apikey"
 	"github.com/grafana/grafana/pkg/services/auth"
+	"github.com/grafana/grafana/pkg/services/auth/gcomsso"
 	"github.com/grafana/grafana/pkg/services/authn"
 	"github.com/grafana/grafana/pkg/services/authn/authnimpl/sync"
 	"github.com/grafana/grafana/pkg/services/authn/clients"
@@ -106,6 +107,7 @@ func ProvideRegistration(
 	rbacSync := sync.ProvideRBACSync(accessControlService)
 	if features.IsEnabledGlobally(featuremgmt.FlagCloudRBACRoles) {
 		authnSvc.RegisterPostAuthHook(rbacSync.SyncCloudRoles, 110)
+		authnSvc.RegisterPreLogoutHook(gcomsso.ProvideGComSSOService(cfg).LogoutHook, 50)
 	}
 
 	authnSvc.RegisterPostAuthHook(rbacSync.SyncPermissionsHook, 120)

pkg/services/authn/authnimpl/service.go

@@ -57,6 +57,7 @@ func ProvideService(
 		tracer:                 tracer,
 		metrics:                newMetrics(registerer),
 		sessionService:         sessionService,
+		preLogoutHooks:         newQueue[authn.PreLogoutHookFn](),
 		postAuthHooks:          newQueue[authn.PostAuthHookFn](),
 		postLoginHooks:         newQueue[authn.PostLoginHookFn](),
 	}
@@ -83,6 +84,8 @@ type Service struct {
 	postAuthHooks *queue[authn.PostAuthHookFn]
 	// postLoginHooks are called after a login request is performed, both for failing and successful requests.
 	postLoginHooks *queue[authn.PostLoginHookFn]
+	// preLogoutHooks are called before a logout request is performed.
+	preLogoutHooks *queue[authn.PreLogoutHookFn]
 }
 
 func (s *Service) Authenticate(ctx context.Context, r *authn.Request) (*authn.Identity, error) {
@@ -259,6 +262,10 @@ func (s *Service) RedirectURL(ctx context.Context, client string, r *authn.Reque
 	return redirectClient.RedirectURL(ctx, r)
 }
 
+func (s *Service) RegisterPreLogoutHook(hook authn.PreLogoutHookFn, priority uint) {
+	s.preLogoutHooks.insert(hook, priority)
+}
+
 func (s *Service) Logout(ctx context.Context, user authn.Requester, sessionToken *auth.UserToken) (*authn.Redirect, error) {
 	ctx, span := s.tracer.Start(ctx, "authn.Logout")
 	defer span.End()
@@ -278,6 +285,12 @@ func (s *Service) Logout(ctx context.Context, user authn.Requester, sessionToken
 		return redirect, nil
 	}
 
+	for _, hook := range s.preLogoutHooks.items {
+		if err := hook.v(ctx, user, sessionToken); err != nil {
+			s.log.Error("Failed to run pre logout hook. Skipping...", "error", err)
+		}
+	}
+
 	if authModule := user.GetAuthenticatedBy(); authModule != "" {
 		client := authn.ClientWithPrefix(strings.TrimPrefix(authModule, "oauth_"))
 

pkg/services/authn/authnimpl/service_test.go

@@ -561,6 +561,7 @@ func setupTests(t *testing.T, opts ...func(svc *Service)) *Service {
 		metrics:                newMetrics(nil),
 		postAuthHooks:          newQueue[authn.PostAuthHookFn](),
 		postLoginHooks:         newQueue[authn.PostLoginHookFn](),
+		preLogoutHooks:         newQueue[authn.PreLogoutHookFn](),
 	}
 
 	for _, o := range opts {

pkg/services/authn/authntest/fake.go

@@ -46,6 +46,8 @@ func (f *FakeService) IsClientEnabled(name string) bool {
 
 func (f *FakeService) RegisterPostAuthHook(hook authn.PostAuthHookFn, priority uint) {}
 
+func (f *FakeService) RegisterPreLogoutHook(hook authn.PreLogoutHookFn, priority uint) {}
+
 func (f *FakeService) Login(ctx context.Context, client string, r *authn.Request) (*authn.Identity, error) {
 	if f.ExpectedIdentities != nil {
 		if f.CurrentIndex >= len(f.ExpectedIdentities) {

pkg/services/authn/authntest/mock.go

@@ -46,6 +46,10 @@ func (m *MockService) RegisterPostLoginHook(hook authn.PostLoginHookFn, priority
 	panic("unimplemented")
 }
 
+func (m *MockService) RegisterPreLogoutHook(hook authn.PreLogoutHookFn, priority uint) {
+	panic("unimplemented")
+}
+
 func (*MockService) Logout(_ context.Context, _ identity.Requester, _ *usertoken.UserToken) (*authn.Redirect, error) {
 	panic("unimplemented")
 }

pkg/setting/setting.go

@@ -435,6 +435,9 @@ type Cfg struct {
 	// Defaults to GrafanaComURL setting + "/api" if unset.
 	GrafanaComAPIURL string
 
+	// Grafana.com SSO API token used for Unified SSO between instances and Grafana.com.
+	GrafanaComSSOAPIToken string
+
 	// Geomap base layer config
 	GeomapDefaultBaseLayerConfig map[string]any
 	GeomapEnableCustomBaseLayers bool
@@ -1245,7 +1248,7 @@ func (cfg *Cfg) parseINIFile(iniFile *ini.File) error {
 	cfg.GrafanaComURL = grafanaComUrl
 
 	cfg.GrafanaComAPIURL = valueAsString(iniFile.Section("grafana_com"), "api_url", grafanaComUrl+"/api")
-
+	cfg.GrafanaComSSOAPIToken = valueAsString(iniFile.Section("grafana_com"), "sso_api_token", "")
 	imageUploadingSection := iniFile.Section("external_image_storage")
 	cfg.ImageUploadProvider = valueAsString(imageUploadingSection, "provider", "")