PMM-12251 Set transport, check token/basic.
JiriCtvrtka committed Oct 7, 2023
1 parent b18c2d5 commit 9deca51
Showing 3 changed files with 43 additions and 25 deletions.
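--- a/admin/commands/base/setup.go
+++ b/admin/commands/base/setup.go
@@ -88,8 +88,13 @@ func SetupClients(ctx context.Context, globalFlags *flags.GlobalFlags) {
 // use JSON APIs over HTTP/1.1
 transport := httptransport.New(globalFlags.ServerURL.Host, globalFlags.ServerURL.Path, []string{globalFlags.ServerURL.Scheme})
 if u := globalFlags.ServerURL.User; u != nil {
+user := u.Username()
 password, _ := u.Password()
-transport.DefaultAuthentication = httptransport.BasicAuth(u.Username(), password)
+if user == "service_token" || user == "api_key" {
+transport.DefaultAuthentication = httptransport.BearerToken(password)
+} else {
+transport.DefaultAuthentication = httptransport.BasicAuth(user, password)
+}
 }
 transport.SetLogger(logrus.WithField("component", "server-transport"))
 transport.SetDebug(globalFlags.EnableDebug || globalFlags.EnableTrace)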
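Review bot: The new branch in SetupClients sends `BearerToken(password)` even when the URL carries the username `service_token` or `api_key` with no password, because `password, _ := u.Password()` still discards the "password set" flag; the empty token then only shows up later as an authorization failure from the server. Reading the flag with `password, ok := u.Password()` and logging a clear error when a reserved username arrives with `!ok || password == ""` would make the misconfiguration visible at startup. The same applies to setServerTransport in agent/commands/clients.go. The two literals are also repeated there and as prefixes in managed/services/grafana/client.go, so shared constants would keep the three places in step and document that these usernames are reserved and can no longer be used for Basic auth. The function body starts and ends outside the hunk.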
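--- a/agent/commands/clients.go
+++ b/agent/commands/clients.go
@@ -104,8 +104,13 @@ func setServerTransport(u *url.URL, insecureTLS bool, l *logrus.Entry) {
 // use JSON APIs over HTTP/1.1
 transport := httptransport.New(u.Host, u.Path, []string{u.Scheme})
 if u.User != nil {
+user := u.User.Username()
 password, _ := u.User.Password()
-transport.DefaultAuthentication = httptransport.BasicAuth(u.User.Username(), password)
+if user == "service_token" || user == "api_key" {
+transport.DefaultAuthentication = httptransport.BearerToken(password)
+} else {
+transport.DefaultAuthentication = httptransport.BasicAuth(user, password)
+}
 }
 transport.SetLogger(l)
 transport.SetDebug(l.Logger.GetLevel() >= logrus.DebugLevel)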
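Review bot: Debug logging can now expose a service token or API key, because the unchanged `transport.SetDebug(l.Logger.GetLevel() >= logrus.DebugLevel)` two lines below the new branch still enables the transport's debug output while the `Authorization` header carries a long-lived bearer credential. If that output includes request headers, as the go-openapi client's debug dump appears to, the token is written to agent logs whenever debug level is active. The same holds for `transport.SetDebug(globalFlags.EnableDebug || globalFlags.EnableTrace)` in admin/commands/base/setup.go. A comment at the call site such as `// NOTE: debug output may include the Authorization header; keep it off shared log sinks`, or redaction in the logger passed to `SetLogger`, would make the exposure explicit. The function body continues outside the hunk.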
54 changes: 31 additions & 23 deletions managed/services/grafana/client.go
@@ -223,26 +223,12 @@ func (c *Client) GetUserID(ctx context.Context) (int, error) {
// Ctx is used only for cancelation.
func (c *Client) getAuthUser(ctx context.Context, authHeaders http.Header) (authUser, error) {
// Check if it's API Key or Service Token
auth := authHeaders.Get("Authorization")
if c.isBearerTokenAuth(auth) {
h := strings.TrimPrefix(auth, "Basic ")
d, err := base64.StdEncoding.DecodeString(strings.TrimSpace(h))
if err != nil {
return authUser{}, err
}
if strings.HasPrefix(string(d), "api_key") {
role, err := c.getRoleForAPIKey(ctx, authHeaders)
return authUser{
role: role,
userID: 0,
}, err
}

role, err := c.getRoleForServiceToken(ctx, authHeaders)
role, authorized := c.proceedTokenAuth(ctx, authHeaders)
if authorized {
return authUser{
role: role,
userID: 0,
}, err
}, nil
}

// https://grafana.com/docs/http_api/user/#actual-user - works only with Basic Auth
@@ -295,19 +281,40 @@ func (c *Client) getAuthUser(ctx context.Context, authHeaders http.Header) (auth
}, nil
}

func (c *Client) isBearerTokenAuth(authHeader string) bool {
func (c *Client) proceedTokenAuth(ctx context.Context, authHeaders http.Header) (role, bool) {
authHeader := authHeaders.Get("Authorization")
token := ""
switch {
case strings.HasPrefix(authHeader, "Bearer"):
return true
token = strings.TrimSpace(strings.TrimPrefix(authHeader, "Bearer"))
case strings.HasPrefix(authHeader, "Basic"):
h := strings.TrimPrefix(authHeader, "Basic")
d, err := base64.StdEncoding.DecodeString(strings.TrimSpace(h))
t, err := base64.StdEncoding.DecodeString(strings.TrimSpace(h))
if err != nil {
return none, false
}
tk := string(t)
if strings.HasPrefix(tk, "api_key:") || strings.HasPrefix(tk, "service_token:") {
token = strings.Split(tk, ":")[1]
break
}

return none, false
}

if strings.HasPrefix(string(token), "glsa_") {
role, err := c.getRoleForServiceToken(ctx, authHeaders)
if err != nil {
return false
return none, false
}
return strings.HasPrefix(string(d), "api_key:") || strings.HasPrefix(string(d), "service_token:")
return role, true
}

role, err := c.getRoleForAPIKey(ctx, authHeaders)
if err != nil {
return none, false
}
return false
return role, true
}

func (c *Client) convertRole(role string) role {
@@ -347,6 +354,7 @@ func (c *Client) getRoleForAPIKey(ctx context.Context, authHeaders http.Header)

func (c *Client) getRoleForServiceToken(ctx context.Context, authHeaders http.Header) (role, error) {
var k map[string]interface{}
fmt.Println(authHeaders)
if err := c.do(ctx, http.MethodGet, "/api/auth/serviceaccount", "", authHeaders, nil, &k); err != nil {
return none, err
}
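Review bot: The `fmt.Println(authHeaders)` added at the top of getRoleForServiceToken writes the caller's full header set, including the `Authorization` value, to stdout on every service-token check, so bearer tokens and Basic credentials end up in whatever collects the process output; the line looks like leftover debugging and should be deleted. In the proceedTokenAuth hunk, `strings.Split(tk, ":")[1]` keeps only the text between the first and second colon, whereas `_, token, _ = strings.Cut(tk, ":")` would keep the whole secret. That function also returns `none, false` when getRoleForServiceToken or getRoleForAPIKey fails, so getAuthUser no longer returns the error and instead falls through to the user lookup below; a `(role, bool, error)` result would preserve the earlier behaviour of surfacing backend failures. The bodies of getAuthUser and getRoleForServiceToken continue outside the visible hunks.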
