Accesscontrol: Add additional API keys to service account, move cloneserviceaccount to sqlstore (#41189)

* Add additional api key, move cloneserviceaccount

* Remove TODOs, for now

* Error messages

* Linter

* Security check

* Add comments

* Take service account id from correct variable

* Update user.go

pkg/services/accesscontrol/mock/mock.go

@@ -14,20 +14,16 @@ type fullAccessControl interface {
 }
 
 type Calls struct {
-	CloneUserToServiceAccount  []interface{}
-	Evaluate                   []interface{}
-	GetUserPermissions         []interface{}
-	GetUserRoles               []interface{}
-	IsDisabled                 []interface{}
-	DeclareFixedRoles          []interface{}
-	GetUserBuiltInRoles        []interface{}
-	RegisterFixedRoles         []interface{}
-	LinkAPIKeyToServiceAccount []interface{}
+	Evaluate            []interface{}
+	GetUserPermissions  []interface{}
+	GetUserRoles        []interface{}
+	IsDisabled          []interface{}
+	DeclareFixedRoles   []interface{}
+	GetUserBuiltInRoles []interface{}
+	RegisterFixedRoles  []interface{}
 }
 
 type Mock struct {
-	// Unless an override is provided, user will be returned by CloneUserToServiceAccount
-	createduser *models.User
 	// Unless an override is provided, permissions will be returned by GetUserPermissions
 	permissions []*accesscontrol.Permission
 	// Unless an override is provided, roles will be returned by GetUserRoles
@@ -41,15 +37,13 @@ type Mock struct {
 	Calls Calls
 
 	// Override functions
-	CloneUserToServiceAccountFunc  func(context.Context, *models.SignedInUser) (*models.User, error)
-	LinkAPIKeyToServiceAccountFunc func(context.Context, *models.ApiKey, *models.User) error
-	EvaluateFunc                   func(context.Context, *models.SignedInUser, accesscontrol.Evaluator) (bool, error)
-	GetUserPermissionsFunc         func(context.Context, *models.SignedInUser) ([]*accesscontrol.Permission, error)
-	GetUserRolesFunc               func(context.Context, *models.SignedInUser) ([]*accesscontrol.RoleDTO, error)
-	IsDisabledFunc                 func() bool
-	DeclareFixedRolesFunc          func(...accesscontrol.RoleRegistration) error
-	GetUserBuiltInRolesFunc        func(user *models.SignedInUser) []string
-	RegisterFixedRolesFunc         func() error
+	EvaluateFunc            func(context.Context, *models.SignedInUser, accesscontrol.Evaluator) (bool, error)
+	GetUserPermissionsFunc  func(context.Context, *models.SignedInUser) ([]*accesscontrol.Permission, error)
+	GetUserRolesFunc        func(context.Context, *models.SignedInUser) ([]*accesscontrol.RoleDTO, error)
+	IsDisabledFunc          func() bool
+	DeclareFixedRolesFunc   func(...accesscontrol.RoleRegistration) error
+	GetUserBuiltInRolesFunc func(user *models.SignedInUser) []string
+	RegisterFixedRolesFunc  func() error
 }
 
 // Ensure the mock stays in line with the interface
@@ -119,26 +113,6 @@ func (m *Mock) GetUserRoles(ctx context.Context, user *models.SignedInUser) ([]*
 	return m.roles, nil
 }
 
-func (m *Mock) CloneUserToServiceAccount(ctx context.Context, user *models.SignedInUser) (*models.User, error) {
-	m.Calls.CloneUserToServiceAccount = append(m.Calls.CloneUserToServiceAccount, []interface{}{ctx, user})
-	// Use override if provided
-	if m.CloneUserToServiceAccountFunc != nil {
-		return m.CloneUserToServiceAccountFunc(ctx, user)
-	}
-	// Otherwise return the user
-	return m.createduser, nil
-}
-
-func (m *Mock) LinkAPIKeyToServiceAccount(ctx context.Context, apikey *models.ApiKey, service_account *models.User) error {
-	m.Calls.LinkAPIKeyToServiceAccount = append(m.Calls.LinkAPIKeyToServiceAccount, []interface{}{ctx, apikey, service_account})
-	// Use override if provided
-	if m.LinkAPIKeyToServiceAccountFunc != nil {
-		return m.LinkAPIKeyToServiceAccountFunc(ctx, apikey, service_account)
-	}
-	// Otherwise return the default
-	return nil
-}
-
 // Middleware checks if service disabled or not to switch to fallback authorization.
 // This mock return m.disabled unless an override is provided.
 func (m *Mock) IsDisabled() bool {