percona · BupycHuk · Apr 1, 2024 · Sep 19, 2023 · Oct 2, 2023 · Oct 2, 2023
@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"net/http"
 	"os"
+	"strings"
 	"time"
 
 	"github.com/pkg/errors"
@@ -160,7 +161,11 @@ func register(cfg *config.Config, l *logrus.Entry) {
 	}
 	cfg.ID = agentID
 	if token != "" {
-		cfg.Server.Username = "api_key"
+		if strings.HasPrefix(token, "glsa_") {
+			cfg.Server.Username = "service_token"
+		} else {
+			cfg.Server.Username = "api_key"
+		}
 		cfg.Server.Password = token
 	} else {
 		l.Info("PMM Server responded with an empty api key token. Consider upgrading PMM Server to the latest version.")

@@ -25,6 +25,7 @@
 	"encoding/json"
 	"fmt"
 	"io"
+	"math/rand"
 	"net"
 	"net/http"
 	"net/url"
@@ -47,7 +48,10 @@
 // ErrFailedToGetToken means it failed to get user's token. Most likely due to the fact user is not logged in using Percona Account.
 var ErrFailedToGetToken = errors.New("failed to get token")
 
-const defaultEvaluationInterval = time.Minute
+const (
+	defaultEvaluationInterval = time.Minute
+	pmmServiceTokenName       = "pmm-agent-service-token"
+)
 
 // Client represents a client for Grafana API.
 type Client struct {
@@ -138,7 +142,7 @@
 	if err != nil {
 		return errors.WithStack(err)
 	}
-	if resp.StatusCode != 200 && resp.StatusCode != 202 {
+	if resp.StatusCode != 200 && resp.StatusCode != 201 && resp.StatusCode != 202 {
 		cErr := &clientError{
 			Method: req.Method,
 			URL:    req.URL.String(),
@@ -218,9 +222,23 @@
 // Otherwise, it returns a role in the default organization (with ID 1).
 // Ctx is used only for cancelation.
 func (c *Client) getAuthUser(ctx context.Context, authHeaders http.Header) (authUser, error) {
-	// Check if it's API Key
-	if c.isAPIKeyAuth(authHeaders.Get("Authorization")) {
-		role, err := c.getRoleForAPIKey(ctx, authHeaders)
+	// Check if it's API Key or Service Token
+	auth := authHeaders.Get("Authorization")
+	if c.isBearerTokenAuth(auth) {
+		h := strings.TrimPrefix(auth, "Basic ")
+		d, err := base64.StdEncoding.DecodeString(strings.TrimSpace(h))
+		if err != nil {
+			return authUser{}, err
+		}
+		if strings.HasPrefix(string(d), "api_key") {
+			role, err := c.getRoleForAPIKey(ctx, authHeaders)
+			return authUser{
+				role:   role,
+				userID: 0,
+			}, err
+		}
+
+		role, err := c.getRoleForServiceToken(ctx, authHeaders)
 		return authUser{
 			role:   role,
 			userID: 0,
@@ -277,7 +295,7 @@
 	}, nil
 }
 
-func (c *Client) isAPIKeyAuth(authHeader string) bool {
+func (c *Client) isBearerTokenAuth(authHeader string) bool {
 	switch {
 	case strings.HasPrefix(authHeader, "Bearer"):
 		return true
@@ -287,7 +305,7 @@
 		if err != nil {
 			return false
 		}
-		return strings.HasPrefix(string(d), "api_key:")
+		return strings.HasPrefix(string(d), "api_key:") || strings.HasPrefix(string(d), "service_token:")
 	}
 	return false
 }
@@ -327,6 +345,20 @@
 	return c.convertRole(role), nil
 }
 
+func (c *Client) getRoleForServiceToken(ctx context.Context, authHeaders http.Header) (role, error) {
+	var k map[string]interface{}
+	if err := c.do(ctx, http.MethodGet, "/api/auth/serviceaccount", "", authHeaders, nil, &k); err != nil {
+		return none, err
+	}
+
+	if id, _ := k["orgId"].(float64); id != 1 {
+		return none, nil
+	}
+
+	role, _ := k["role"].(string)
+	return c.convertRole(role), nil
+}
+
 func (c *Client) testCreateUser(ctx context.Context, login string, role role, authHeaders http.Header) (int, error) {
 	// https://grafana.com/docs/http_api/admin/#global-users
 	b, err := json.Marshal(map[string]string{
@@ -376,6 +408,15 @@
 	return c.createAPIKey(ctx, name, admin, authHeaders)
 }
 
+// CreateServiceAccountAndToken creates service account and token with Admin role and provided name.
+func (c *Client) CreateServiceAccountAndToken(ctx context.Context, name string) (int64, string, error) {
+	authHeaders, err := c.authHeadersFromContext(ctx)
+	if err != nil {
+		return 0, "", err
+	}
+	return c.createServiceAccountAndToken(ctx, name, admin, authHeaders)
+}
+
 // DeleteAPIKeysWithPrefix deletes all API keys with provided prefix. If there is no api key with provided prefix just ignores it.
 func (c *Client) DeleteAPIKeysWithPrefix(ctx context.Context, prefix string) error {
 	authHeaders, err := c.authHeadersFromContext(ctx)
@@ -578,6 +619,75 @@
 	return c.do(ctx, "DELETE", "/api/auth/keys/"+strconv.FormatInt(apiKeyID, 10), "", authHeaders, nil, nil)
 }
 
+type serviceAccount struct {
+	Name  string `json:"name"`
+	Role  string `json:"role"`
+	OrgID int64  `json:"orgId"`
+}
+type serviceToken struct {
+	ID         int64      `json:"id"`
+	Name       string     `json:"name"`
+	Role       string     `json:"role"`
+	Expiration *time.Time `json:"expiration,omitempty"`
+}
+
+func (c *Client) createServiceAccountAndToken(ctx context.Context, name string, role role, authHeaders http.Header) (int64, string, error) {
+	b, err := json.Marshal(serviceAccount{Name: name, Role: role.String()})
+	if err != nil {
+		return 0, "", errors.WithStack(err)
+	}
+
+	var m map[string]interface{}
+	if err = c.do(ctx, "POST", "/api/serviceaccounts", "", authHeaders, b, &m); err != nil {
+		return 0, "", err
+	}
+
+	serviceAccountID := int64(m["id"].(float64)) //nolint:forcetypeassert
+
+	// orgId is ignored during creating service account and default is -1
+	// orgId should be setup to 1
+	if err != nil {
+		return 0, "", errors.WithStack(err)
+	}
+	if err = c.do(ctx, "PATCH", fmt.Sprintf("/api/serviceaccounts/%d", serviceAccountID), "", authHeaders, []byte("{\"orgId\": 1}"), &m); err != nil {
+		return 0, "", err
+	}
+
+	// due to reregister of node PMM agent related tokens should be deleted first
+	err = c.deletePMMAgentRelatedServiceTokens(ctx, serviceAccountID, authHeaders)
+	if err != nil {
+		return 0, "", errors.WithStack(err)
+	}
+
+	serviceTokenName := fmt.Sprintf("%s-%s-%d", pmmServiceTokenName, name, rand.Int63())
+	b, err = json.Marshal(serviceToken{Name: serviceTokenName})
+	if err != nil {
+		return 0, "", errors.WithStack(err)
+	}
+	if err = c.do(ctx, "POST", fmt.Sprintf("/api/serviceaccounts/%d/tokens", serviceAccountID), "", authHeaders, b, &m); err != nil {
+		return 0, "", errors.WithStack(err)
+	}
+	serviceTokenID := int64(m["id"].(float64)) //nolint:forcetypeassert
+	serviceTokenKey := m["key"].(string)       //nolint:forcetypeassert
+
+	return serviceTokenID, serviceTokenKey, nil
+}
+
+func (c *Client) deletePMMAgentRelatedServiceTokens(ctx context.Context, serviceAccountID int64, authHeaders http.Header) error {
+	var tokens []serviceToken
+	if err := c.do(ctx, "GET", fmt.Sprintf("/api/serviceaccounts/%d/tokens", serviceAccountID), "", authHeaders, nil, &tokens); err != nil {
+		return err
+	}
+
+	for _, token := range tokens {
+		if strings.HasPrefix(token.Name, pmmServiceTokenName) {
+			c.do(ctx, "DELETE", fmt.Sprintf("/api/serviceaccounts/%d/tokens/%d", serviceAccountID, token.ID), "", authHeaders, nil, nil)
+		}
+	}
+
+	return nil
+}
+
 // Annotation contains grafana annotation response.
 type annotation struct {
 	Time time.Time `json:"-"`