Auth: Update authlib (#94947)

* Update authlib

pkg/registry/apis/iam/authorizer.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/grafana/authlib/authz"
 	"github.com/grafana/authlib/claims"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 
@@ -14,7 +15,7 @@ import (
 	gfauthorizer "github.com/grafana/grafana/pkg/services/apiserver/auth/authorizer"
 )
 
-func newLegacyAuthorizer(ac accesscontrol.AccessControl, store legacy.LegacyIdentityStore) (authorizer.Authorizer, claims.AccessClient) {
+func newLegacyAuthorizer(ac accesscontrol.AccessControl, store legacy.LegacyIdentityStore) (authorizer.Authorizer, authz.AccessClient) {
 	client := accesscontrol.NewLegacyAccessClient(
 		ac,
 		accesscontrol.ResourceAuthorizerOptions{

pkg/registry/apis/iam/common/common.go

@@ -4,9 +4,9 @@ import (
 	"context"
 	"strconv"
 
+	"github.com/grafana/authlib/authz"
 	"github.com/grafana/authlib/claims"
 	"github.com/grafana/grafana/pkg/apimachinery/identity"
-	"github.com/grafana/grafana/pkg/apimachinery/utils"
 	iamv0 "github.com/grafana/grafana/pkg/apis/iam/v0alpha1"
 	"github.com/grafana/grafana/pkg/services/apiserver/endpoints/request"
 	"github.com/grafana/grafana/pkg/services/team"
@@ -48,7 +48,7 @@ type ListFunc[T Resource] func(ctx context.Context, ns claims.NamespaceInfo, p P
 func List[T Resource](
 	ctx context.Context,
 	resourceName string,
-	ac claims.AccessClient,
+	ac authz.AccessClient,
 	p Pagination,
 	fn ListFunc[T],
 ) (*ListResponse[T], error) {
@@ -62,11 +62,10 @@ func List[T Resource](
 		return nil, err
 	}
 
-	check := func(_ string, _ string) bool { return true }
+	check := func(_, _, _ string) bool { return true }
 	if ac != nil {
 		var err error
-		check, err = ac.Compile(ctx, ident, claims.AccessRequest{
-			Verb:      utils.VerbList,
+		check, err = ac.Compile(ctx, ident, authz.ListRequest{
 			Resource:  resourceName,
 			Namespace: ns.Value,
 		})
@@ -84,7 +83,7 @@ func List[T Resource](
 	}
 
 	for _, item := range first.Items {
-		if !check(ns.Value, item.AuthID()) {
+		if !check(ns.Value, item.AuthID(), "") {
 			continue
 		}
 		res.Items = append(res.Items, item)
@@ -107,7 +106,7 @@ outer:
 				break outer
 			}
 
-			if !check(ns.Value, item.AuthID()) {
+			if !check(ns.Value, item.AuthID(), "") {
 				continue
 			}
 

pkg/registry/apis/iam/legacy/sql.go

@@ -40,11 +40,6 @@ func NewLegacySQLStores(sql legacysql.LegacyDatabaseProvider) LegacyIdentityStor
 
 type legacySQLStore struct {
 	sql legacysql.LegacyDatabaseProvider
-	ac  claims.AccessClient
-}
-
-func (s *legacySQLStore) WithAccessClient(ac claims.AccessClient) {
-	s.ac = ac
 }
 
 // Templates setup.

pkg/registry/apis/iam/register.go

@@ -11,7 +11,7 @@ import (
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	common "k8s.io/kube-openapi/pkg/common"
 
-	"github.com/grafana/authlib/claims"
+	"github.com/grafana/authlib/authz"
 	"github.com/grafana/grafana/pkg/apimachinery/identity"
 	iamv0 "github.com/grafana/grafana/pkg/apis/iam/v0alpha1"
 	"github.com/grafana/grafana/pkg/infra/db"
@@ -32,7 +32,7 @@ var _ builder.APIGroupBuilder = (*IdentityAccessManagementAPIBuilder)(nil)
 type IdentityAccessManagementAPIBuilder struct {
 	store        legacy.LegacyIdentityStore
 	authorizer   authorizer.Authorizer
-	accessClient claims.AccessClient
+	accessClient authz.AccessClient
 
 	// Not set for multi-tenant deployment for now
 	sso ssosettings.Service

pkg/registry/apis/iam/serviceaccount/store.go

@@ -10,6 +10,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apiserver/pkg/registry/rest"
 
+	"github.com/grafana/authlib/authz"
 	"github.com/grafana/authlib/claims"
 	"github.com/grafana/grafana/pkg/apimachinery/utils"
 	iamv0 "github.com/grafana/grafana/pkg/apis/iam/v0alpha1"
@@ -28,13 +29,13 @@ var (
 
 var resource = iamv0.ServiceAccountResourceInfo
 
-func NewLegacyStore(store legacy.LegacyIdentityStore, ac claims.AccessClient) *LegacyStore {
+func NewLegacyStore(store legacy.LegacyIdentityStore, ac authz.AccessClient) *LegacyStore {
 	return &LegacyStore{store, ac}
 }
 
 type LegacyStore struct {
 	store legacy.LegacyIdentityStore
-	ac    claims.AccessClient
+	ac    authz.AccessClient
 }
 
 func (s *LegacyStore) New() runtime.Object {

pkg/registry/apis/iam/team/store.go

@@ -10,6 +10,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apiserver/pkg/registry/rest"
 
+	"github.com/grafana/authlib/authz"
 	"github.com/grafana/authlib/claims"
 	"github.com/grafana/grafana/pkg/apimachinery/utils"
 	iamv0 "github.com/grafana/grafana/pkg/apis/iam/v0alpha1"
@@ -29,13 +30,13 @@ var (
 
 var resource = iamv0.TeamResourceInfo
 
-func NewLegacyStore(store legacy.LegacyIdentityStore, ac claims.AccessClient) *LegacyStore {
+func NewLegacyStore(store legacy.LegacyIdentityStore, ac authz.AccessClient) *LegacyStore {
 	return &LegacyStore{store, ac}
 }
 
 type LegacyStore struct {
 	store legacy.LegacyIdentityStore
-	ac    claims.AccessClient
+	ac    authz.AccessClient
 }
 
 func (s *LegacyStore) New() runtime.Object {

pkg/registry/apis/iam/user/store.go

@@ -10,6 +10,7 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apiserver/pkg/registry/rest"
 
+	"github.com/grafana/authlib/authz"
 	"github.com/grafana/authlib/claims"
 	"github.com/grafana/grafana/pkg/apimachinery/utils"
 	iamv0 "github.com/grafana/grafana/pkg/apis/iam/v0alpha1"
@@ -29,13 +30,13 @@ var (
 
 var resource = iamv0.UserResourceInfo
 
-func NewLegacyStore(store legacy.LegacyIdentityStore, ac claims.AccessClient) *LegacyStore {
+func NewLegacyStore(store legacy.LegacyIdentityStore, ac authz.AccessClient) *LegacyStore {
 	return &LegacyStore{store, ac}
 }
 
 type LegacyStore struct {
 	store legacy.LegacyIdentityStore
-	ac    claims.AccessClient
+	ac    authz.AccessClient
 }
 
 func (s *LegacyStore) New() runtime.Object {