commit ad4df4b3f63bdf3e16423ac8c3fdb1a7fae5582e Author: gamab <gabriel.mabille@grafana.com> Date: Thu Oct 24 10:24:04 2024 +0200 nit commit eb8b9cf2f3e27cae258b3ae310f1584da5ba36b5 Author: gamab <gabriel.mabille@grafana.com> Date: Thu Oct 24 10:23:25 2024 +0200 miss commit aab1aed204a5dedcc6dd187b2f636995bbe2c5c6 Merge: 5aafdec92337fe710b141Author: gamab <gabriel.mabille@grafana.com> Date: Thu Oct 24 10:22:05 2024 +0200 Merge remote-tracking branch 'origin/main' into gamab/resourcestore/tracing commit 5aafdec9233d6824cba977b069d71eabc3d21a8d Author: gamab <gabriel.mabille@grafana.com> Date: Wed Oct 16 18:03:56 2024 +0200 Did not fix the issue commit 20522a7f64222fad27268ac640d4b4fb9259c748 Author: gamab <gabriel.mabille@grafana.com> Date: Wed Oct 16 17:42:35 2024 +0200 Test commit b45199a341b6a57e93927c9eb7de8d7758ed7619 Merge: c0fbbdb95d4e9e2b11ba2Author: gamab <gabriel.mabille@grafana.com> Date: Wed Oct 16 17:31:59 2024 +0200 Merge remote-tracking branch 'origin/drclau/unistor/replace-authenticators-3' into gamab/resourcestore/tracing commite9e2b11ba2Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Wed Oct 16 18:28:31 2024 +0300 PR feedback: simplified fallback implementation Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com> commitb5209dba64Author: Claudiu Dragalina-Paraipan <drclau@users.noreply.github.com> Date: Wed Oct 16 18:03:06 2024 +0300 Update pkg/services/authn/grpcutils/grpc_authenticator.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> commit c0fbbdb95d4605f349b902ca8698e7b560433867 Author: gamab <gabriel.mabille@grafana.com> Date: Wed Oct 16 10:32:52 2024 +0200 Add traces to fallback commit 75aa8dcbd49288f1dca53cdf6e9a7b41688dff38 Merge: d92fafcaf0d562d499e85Author: gamab <gabriel.mabille@grafana.com> Date: Wed Oct 16 10:29:41 2024 +0200 Merge remote-tracking branch 'origin/drclau/unistor/replace-authenticators-3' into gamab/resourcestore/tracing commit562d499e85Author: Claudiu 
Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Wed Oct 16 11:05:01 2024 +0300 switched to features.IsEnabledGlobally() commitaddc6aaca4Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Wed Oct 16 10:21:31 2024 +0300 imports cleanup commit7c6d80f6aaMerge:64a5e55d619dc2ccdbfdAuthor: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Wed Oct 16 10:18:54 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commit64a5e55d61Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Oct 15 11:01:54 2024 +0300 cleanup commit4fe2c03457Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Oct 15 10:31:06 2024 +0300 always enable FlagAppPlatformGrpcClientAuth for k8s int tests commitc7e36759cdAuthor: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Oct 15 10:30:43 2024 +0300 use sync.Once as it's more idiomatic commitf5c2c79981Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Oct 14 20:43:48 2024 +0300 remove client side namespace extractor commit742295c89aAuthor: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Oct 14 20:04:11 2024 +0300 avoid double registration of metrics (fallbackCounter) commita45998c8d3Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Oct 14 19:03:41 2024 +0300 use FlagAppPlatformGrpcClientAuth to enable new behavior, instead of legacy commitffdc301718Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Oct 14 18:37:22 2024 +0300 remove the NamespaceAuthorizer The NamespaceAuthorizer would fail in legacy mode. It will be added back in the future. 
commit4a03ed7d7dAuthor: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Oct 14 15:59:08 2024 +0300 allow using the legacy resource client via commita2c30f5328Merge:ead390f6082f3c539d9bAuthor: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Oct 14 14:08:32 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commitead390f608Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Fri Oct 11 09:38:49 2024 +0300 added server side gRPC authn fallback-to-legacy mechanism - brought back the old gRPC authenticator - added `grpc_server_authentication.legacy_fallback` config option - introduced `AuthenticatorWithFallback` - added telemetry to track fallbacks commit d92fafcaf0db9c8d97a5d071759fc21ede7d8848 Author: gamab <gabriel.mabille@grafana.com> Date: Wed Oct 9 14:58:25 2024 +0200 Fix test commit 54f05ff0fecf3d696a0e98621db6991282503917 Author: gamab <gabriel.mabille@grafana.com> Date: Wed Oct 9 14:42:18 2024 +0200 Forgot the tracer 😁 commit 3948048880c7a0eb2360a35b0cc9f3686f2edfef Author: gamab <gabriel.mabille@grafana.com> Date: Wed Oct 9 14:02:41 2024 +0200 Add traces to NamespaceAuthorizer commit cc695bb77c37a097174556303721fbc48b9464a0 Author: gamab <gabriel.mabille@grafana.com> Date: Wed Oct 9 13:56:48 2024 +0200 Add traces to authentication flow commit8686c46be5Merge:08c3d237dc4a3ce66193Author: gamab <gabriel.mabille@grafana.com> Date: Wed Oct 9 13:56:26 2024 +0200 Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3 commit08c3d237dcMerge:33fd104cfd84d580179dAuthor: gamab <gabriel.mabille@grafana.com> Date: Wed Oct 9 12:41:57 2024 +0200 Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3 commit33fd104cfdMerge:68af25fbc338f57d270aAuthor: gamab <gabriel.mabille@grafana.com> Date: Wed Oct 9 12:13:25 2024 +0200 Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3 
commit68af25fbc3Author: Gabriel MABILLE <gamab@users.noreply.github.com> Date: Mon Oct 7 16:31:09 2024 +0200 Update pkg/services/authz/config.go commit4fba5c9b32Author: gamab <gabriel.mabille@grafana.com> Date: Fri Oct 4 15:17:41 2024 +0200 PR Feedback commit86867a14caAuthor: Gabriel MABILLE <gamab@users.noreply.github.com> Date: Fri Oct 4 15:13:06 2024 +0200 Update pkg/services/authn/grpcutils/config.go Co-authored-by: Dan Cech <dcech@grafana.com> commitc591631135Merge:c80c46ca6ae37b43117bAuthor: gamab <gabriel.mabille@grafana.com> Date: Fri Oct 4 13:07:48 2024 +0200 Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3 commitc80c46ca6aMerge:3acada9d474224d05934Author: gamab <gabriel.mabille@grafana.com> Date: Thu Oct 3 14:58:51 2024 +0200 Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3 commit3acada9d47Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Fri Sep 27 17:39:59 2024 +0300 introducing `mode` config for gRPC auth server & client side commit914ca237e2Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Thu Sep 26 20:47:57 2024 +0300 Fixed integration tests commit71c33dcbe3Merge:52f248eebb920d79680dAuthor: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Thu Sep 26 19:25:33 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commit52f248eebbAuthor: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 24 18:44:38 2024 +0300 updated namespace extractor usage commita6c977ba4dMerge:fb7bbf743b8da1d78c92Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 24 17:35:03 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commitfb7bbf743bAuthor: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 24 17:34:36 2024 +0300 unistor client side updates commita28440c40bMerge:79d9969aa8a8b07b0c81Author: Claudiu Dragalina-Paraipan 
<claudiu.dragalina@grafana.com> Date: Tue Sep 24 10:45:09 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commit79d9969aa8Author: gamab <gabriel.mabille@grafana.com> Date: Mon Sep 9 16:14:02 2024 +0200 Rename NewResourceClient funcs commit36b3752490Merge:8ce354bb06b89f3f8115Author: gamab <gabriel.mabille@grafana.com> Date: Mon Sep 9 16:00:54 2024 +0200 Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3 commit8ce354bb06Author: gamab <gabriel.mabille@grafana.com> Date: Mon Sep 9 10:40:06 2024 +0200 Align commitbdf79f3b2fMerge:8f4df8973d8eb7e55f8fAuthor: gamab <gabriel.mabille@grafana.com> Date: Mon Sep 9 10:38:45 2024 +0200 Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3 commit8f4df8973dMerge:2441cd8d539338e40dc3Author: gamab <gabriel.mabille@grafana.com> Date: Thu Sep 5 11:26:39 2024 +0200 Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3 commit2441cd8d53Merge:2904074a2f2bbce8a7f7Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 3 17:31:36 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commit2904074a2fAuthor: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 3 16:35:25 2024 +0300 refactoring Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com> commit125cb3c834Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 3 16:34:18 2024 +0300 refactoring (aesthetics) Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com> commit499a31df53Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 3 15:59:09 2024 +0300 update usage of ReadGprcServerConfig() commitf5d383644dAuthor: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 3 15:44:09 2024 +0300 make update-workspace commit755485751eAuthor: gamab <gabriel.mabille@grafana.com> Date: Tue Sep 3 14:43:22 2024 
+0200 Fix trace commitd09e14c26aAuthor: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 3 15:42:50 2024 +0300 removed WithIDTokenExtractorOption, and other PR feedback commit21220c2ccaAuthor: gamab <gabriel.mabille@grafana.com> Date: Tue Sep 3 14:36:59 2024 +0200 Else statement commit6cf1efdcc4Author: gamab <gabriel.mabille@grafana.com> Date: Tue Sep 3 14:35:02 2024 +0200 Mod update commit4b73a93883Author: gamab <gabriel.mabille@grafana.com> Date: Tue Sep 3 14:32:20 2024 +0200 Add Auth func overrides commit6032ab3ae1Author: gamab <gabriel.mabille@grafana.com> Date: Tue Sep 3 14:26:18 2024 +0200 Use NamespaceAuthorizer commit601beb5327Author: gamab <gabriel.mabille@grafana.com> Date: Tue Sep 3 14:20:47 2024 +0200 Update authlib commita1b6408127Merge:0d70225c1a1128c417d8Author: gamab <gabriel.mabille@grafana.com> Date: Tue Sep 3 14:18:49 2024 +0200 Merge remote-tracking branch 'origin/main' into drclau/unistor/replace-authenticators-3 commit0d70225c1aAuthor: Claudiu Dragalina-Paraipan <drclau@users.noreply.github.com> Date: Tue Sep 3 15:15:54 2024 +0300 Update pkg/services/authn/grpcutils/grpc_authenticator.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> commit62f165f6f9Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 3 10:55:45 2024 +0300 refactoring NamespaceAccessChecker usage and use CloudNamespaceFormatter in Cloud Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com> commitbb5ee88d4fAuthor: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 3 10:39:11 2024 +0300 added stackIdExtractor for cloud mode Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com> commit84866a8a51Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Sep 3 10:38:19 2024 +0300 authz client cfg changes - removed ModeCloud, relying on ModeGrpc and stackID instead to discover if we're running in Cloud - reusing settings from 
"grpc_client_authentication", instead of duplicating in "authorization" section Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com> commit14a1021605Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Sep 2 21:44:35 2024 +0300 make update-workspace commit84f8c9be94Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Sep 2 21:36:10 2024 +0300 cleanup: refactoring leftover commit7fe8d62304Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Sep 2 19:30:51 2024 +0300 update authlib version (small fix) commit7c2353ae25Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Sep 2 19:17:11 2024 +0300 cleanup: remove unused `GrpcServerConfig.Mode` commit52b7cf8550Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Sep 2 19:06:59 2024 +0300 make update-workspace commit14ddfbd8fbAuthor: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Sep 2 19:02:40 2024 +0300 finalize authlib grpc interceptors usage commit884c4a8c24Merge:0fd1988beda1190b165bAuthor: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Sep 2 19:00:07 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commit0fd1988bedMerge:b766bfb24fe0950a1283Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Fri Aug 30 10:45:51 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commitb766bfb24fMerge:6993f108a268751ed310Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Wed Aug 28 15:46:04 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commit6993f108a2Merge:5f073b04d0f1ba609b34Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Tue Aug 27 12:51:07 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commit5f073b04d0Merge:0620891d45ac5ebe6e4dAuthor: Claudiu Dragalina-Paraipan 
<claudiu.dragalina@grafana.com> Date: Mon Aug 19 21:09:44 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commit0620891d45Merge:6a272e8e2a15f2b08f00Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Mon Aug 12 14:14:44 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commit6a272e8e2aAuthor: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Thu Aug 8 18:53:43 2024 +0300 allow insecure conns in dev mode + refactoring commit31c7b030baAuthor: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Thu Aug 8 10:31:13 2024 +0300 allow insecure connections (for testing purposes); remove audience checks audience checks will still need to be done for Access tokens, but not for ID tokens commit0fdd2ff802Merge:763961210cf384759ad1Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Wed Aug 7 14:42:39 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commit763961210cAuthor: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Fri Aug 2 18:54:29 2024 +0300 wip commitc46b42a595Merge:92aba937a90145b0fe70Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Fri Aug 2 14:44:06 2024 +0300 Merge branch 'main' into drclau/unistor/replace-authenticators-3 commit92aba937a9Author: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> Date: Thu Aug 1 18:32:19 2024 +0300 authn: client side updates Co-Authored-By: Gabriel MABILLE <gamab@users.noreply.github.com>
package resource
import (
"context"
"crypto/tls"
"fmt"
"net/http"
"time"
"github.com/fullstorydev/grpchan"
"github.com/fullstorydev/grpchan/inprocgrpc"
"github.com/go-jose/go-jose/v3"
"github.com/go-jose/go-jose/v3/jwt"
authnlib "github.com/grafana/authlib/authn"
"github.com/grafana/authlib/claims"
grpcAuth "github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/auth"
"google.golang.org/grpc"
"github.com/grafana/grafana/pkg/apimachinery/identity"
"github.com/grafana/grafana/pkg/infra/tracing"
"github.com/grafana/grafana/pkg/services/auth"
"github.com/grafana/grafana/pkg/services/authn/grpcutils"
grpcUtils "github.com/grafana/grafana/pkg/storage/unified/resource/grpc"
)
// ResourceClient is the single client surface for the unified resource
// services. It embeds the per-service client interfaces (store, index, blob
// store, diagnostics) so one value can be handed around instead of four.
//
// Not every constructor in this file populates all four embedded clients;
// see the notes on NewGRPCResourceClient and NewCloudResourceClient.
type ResourceClient interface {
	ResourceStoreClient
	ResourceIndexClient
	BlobStoreClient
	DiagnosticsClient
}
// Internal implementation
//
// resourceClient satisfies ResourceClient purely by embedding the four
// per-service clients; it adds no methods of its own. A constructor that
// leaves one of the embedded fields nil produces a value on which calls to
// that service panic (method call through a nil interface).
type resourceClient struct {
	ResourceStoreClient
	ResourceIndexClient
	BlobStoreClient
	DiagnosticsClient
}
// NewLegacyResourceClient wraps an existing gRPC connection with the legacy
// client interceptors from the resource/grpc package and returns a fully
// populated ResourceClient (all four services) bound to it.
//
// What those interceptors attach to outgoing calls is defined in grpcUtils,
// not here; this constructor does no authentication setup of its own.
func NewLegacyResourceClient(channel *grpc.ClientConn) ResourceClient {
	intercepted := grpchan.InterceptClientConn(
		channel,
		grpcUtils.UnaryClientInterceptor,
		grpcUtils.StreamClientInterceptor,
	)

	client := &resourceClient{}
	client.ResourceStoreClient = NewResourceStoreClient(intercepted)
	client.ResourceIndexClient = NewResourceIndexClient(intercepted)
	client.BlobStoreClient = NewBlobStoreClient(intercepted)
	client.DiagnosticsClient = NewDiagnosticsClient(intercepted)
	return client
}
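// NewLocalResourceClient serves the given ResourceServer over an in-process
// gRPC channel and returns a fully populated ResourceClient bound to it.
//
// Server side, each of the four services is registered behind the in-proc
// authenticator from grpcutils, so calls are still authenticated even
// though they never leave the process. Client side, the authlib interceptor
// is built with an empty config, access tokens disabled, and idTokenExtractor
// as the ID-token source.
//
// The error from building the client interceptor used to be discarded, which
// would have surfaced a failure later (most likely as a nil-pointer panic on
// the first call) with no hint of the cause. It now fails immediately with
// context. This is wiring code with a fixed config, so a failure here is a
// programming error rather than a runtime condition callers handle; the
// signature (no error return) is unchanged.
func NewLocalResourceClient(server ResourceServer) ResourceClient {
	// scenario: local in-proc
	channel := &inprocgrpc.Channel{}

	authenticator := grpcutils.NewInProcGrpcAuthenticator()
	services := []*grpc.ServiceDesc{
		&ResourceStore_ServiceDesc,
		&ResourceIndex_ServiceDesc,
		&BlobStore_ServiceDesc,
		&Diagnostics_ServiceDesc,
	}
	for _, desc := range services {
		// Wrap each service so the authenticator runs before every handler,
		// unary and streaming alike.
		channel.RegisterService(
			grpchan.InterceptServer(
				desc,
				grpcAuth.UnaryServerInterceptor(authenticator.Authenticate),
				grpcAuth.StreamServerInterceptor(authenticator.Authenticate),
			),
			server,
		)
	}

	clientInt, err := authnlib.NewGrpcClientInterceptor(
		&authnlib.GrpcClientConfig{},
		authnlib.WithDisableAccessTokenOption(),
		authnlib.WithIDTokenExtractorOption(idTokenExtractor),
	)
	if err != nil {
		// Fail fast: a nil interceptor would otherwise be wired into the
		// channel and blow up on first use without this context.
		panic(fmt.Sprintf("resource: building in-proc grpc client interceptor: %v", err))
	}

	cc := grpchan.InterceptClientConn(channel, clientInt.UnaryClientInterceptor, clientInt.StreamClientInterceptor)
	return &resourceClient{
		ResourceStoreClient: NewResourceStoreClient(cc),
		ResourceIndexClient: NewResourceIndexClient(cc),
		BlobStoreClient:     NewBlobStoreClient(cc),
		DiagnosticsClient:   NewDiagnosticsClient(cc),
	}
}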
// NewGRPCResourceClient builds a ResourceClient over an existing gRPC
// connection for the remote on-prem scenario.
//
// The authlib client interceptor is created with an empty config, access
// tokens disabled, idTokenExtractor as the ID-token source and the supplied
// tracer. An error from constructing the interceptor is returned unchanged.
//
// Only the store, index and diagnostics clients are populated: the embedded
// BlobStoreClient is left nil, so a blob RPC on the returned value panics.
// Whether that omission is intentional for remote clients is not visible
// from this file — NewLocalResourceClient and NewLegacyResourceClient do
// wire it up.
func NewGRPCResourceClient(tracer tracing.Tracer, conn *grpc.ClientConn) (ResourceClient, error) {
	// scenario: remote on-prem
	interceptorOpts := []authnlib.GrpcClientInterceptorOption{
		authnlib.WithDisableAccessTokenOption(),
		authnlib.WithIDTokenExtractorOption(idTokenExtractor),
		authnlib.WithTracerOption(tracer),
	}
	clientInt, err := authnlib.NewGrpcClientInterceptor(&authnlib.GrpcClientConfig{}, interceptorOpts...)
	if err != nil {
		return nil, err
	}

	cc := grpchan.InterceptClientConn(conn, clientInt.UnaryClientInterceptor, clientInt.StreamClientInterceptor)
	client := &resourceClient{
		ResourceStoreClient: NewResourceStoreClient(cc),
		ResourceIndexClient: NewResourceIndexClient(cc),
		DiagnosticsClient:   NewDiagnosticsClient(cc),
	}
	return client, nil
}
// NewCloudResourceClient builds a ResourceClient over an existing gRPC
// connection for the remote cloud scenario. cfg is passed through to the
// authlib client interceptor (by address of the local copy); unlike the
// on-prem variant, WithDisableAccessTokenOption is not applied.
//
// allowInsecure swaps in a token-exchange HTTP client that skips TLS
// certificate verification (see allowInsecureTransportOpt). With it set the
// client cannot tell a legitimate token-exchange endpoint from an impostor,
// so it belongs in local development and tests only, never in a production
// configuration.
//
// As in NewGRPCResourceClient, the embedded BlobStoreClient is left nil and
// a blob RPC on the returned value panics.
func NewCloudResourceClient(tracer tracing.Tracer, conn *grpc.ClientConn, cfg authnlib.GrpcClientConfig, allowInsecure bool) (ResourceClient, error) {
	// scenario: remote cloud
	var opts []authnlib.GrpcClientInterceptorOption
	opts = append(opts,
		authnlib.WithIDTokenExtractorOption(idTokenExtractor),
		authnlib.WithTracerOption(tracer),
	)
	if allowInsecure {
		opts = allowInsecureTransportOpt(&cfg, opts)
	}

	clientInt, err := authnlib.NewGrpcClientInterceptor(&cfg, opts...)
	if err != nil {
		return nil, err
	}

	cc := grpchan.InterceptClientConn(conn, clientInt.UnaryClientInterceptor, clientInt.StreamClientInterceptor)
	client := &resourceClient{
		ResourceStoreClient: NewResourceStoreClient(cc),
		ResourceIndexClient: NewResourceIndexClient(cc),
		DiagnosticsClient:   NewDiagnosticsClient(cc),
	}
	return client, nil
}
// idTokenExtractor is the ID-token source handed to the authlib client
// interceptors: it returns the token an outgoing call should carry for the
// identity found in ctx.
//
// Lookup order:
//  1. the first non-empty value under the "id-token" key of the caller's
//     extra claims;
//  2. for an *identity.StaticRequester, which carries no signed ID token of
//     its own, a freshly minted internal token from createInternalToken. As
//     a side effect the token and its claims are stored back on the
//     requester (IDToken / IDTokenClaims).
//
// It returns an error when ctx carries no claims, when the internal token
// cannot be created, or when neither source yields a token.
func idTokenExtractor(ctx context.Context) (string, error) {
	authInfo, ok := claims.From(ctx)
	if !ok {
		return "", fmt.Errorf("no claims found")
	}

	// Fast path: the caller already has an ID token in its extras.
	// A missing key yields a nil slice, so the length check covers both
	// "absent" and "present but empty".
	tokens := authInfo.GetExtra()["id-token"]
	if len(tokens) > 0 && tokens[0] != "" {
		return tokens[0], nil
	}

	// If no token is found, create an internal token.
	// This is a workaround for StaticRequester not having a signed ID token.
	staticRequester, isStatic := authInfo.(*identity.StaticRequester)
	if !isStatic {
		return "", fmt.Errorf("id-token not found")
	}

	token, idClaims, err := createInternalToken(staticRequester)
	if err != nil {
		return "", fmt.Errorf("failed to create internal token: %w", err)
	}

	staticRequester.IDToken = token
	staticRequester.IDTokenClaims = idClaims
	return token, nil
}
// allowInsecureTransportOpt appends a token-client option whose HTTP
// transport has InsecureSkipVerify set, i.e. the token-exchange endpoint's
// TLS certificate is not verified. It exists for local/test setups: anywhere
// else it lets an impostor endpoint receive the credentials the token
// exchange carries. Callers gate it behind an explicit allowInsecure flag.
//
// NOTE(review): grpcClientConfig.TokenClientConfig is dereferenced without a
// nil check, and the error from NewTokenExchangeClient is discarded — on
// failure a nil token client is handed to WithTokenClientOption. Both are
// preserved here; fixing them properly needs an error return, which would
// change the signature NewCloudResourceClient relies on.
func allowInsecureTransportOpt(grpcClientConfig *authnlib.GrpcClientConfig, opts []authnlib.GrpcClientInterceptorOption) []authnlib.GrpcClientInterceptorOption {
	insecureTransport := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
	httpClient := &http.Client{Transport: insecureTransport}

	tokenClient, _ := authnlib.NewTokenExchangeClient(
		*grpcClientConfig.TokenClientConfig,
		authnlib.WithHTTPClient(httpClient),
	)
	return append(opts, authnlib.WithTokenClientOption(tokenClient))
}
// createInternalToken creates a symmetrically signed token for using in in-proc mode only.
//
// The token is an HS256 JWT over the identity in authInfo: audience, subject,
// a 10-minute expiry and issued-at in the registered claims, plus namespace,
// identifier and type in the authlib ID-token claims. For user identities the
// email, email-verified flag, authenticated-by, username and display name are
// added as well. It returns the compact serialization together with the
// claims it was built from.
//
// The signing key is a fixed literal, so the signature guards against
// accidental corruption only, not against anyone who has read this source.
// That is acceptable solely because the token never leaves the process in
// in-proc mode; it must not be accepted across a process or network boundary.
func createInternalToken(authInfo claims.AuthInfo) (string, *authnlib.Claims[authnlib.IDTokenClaims], error) {
	signingKey := jose.SigningKey{Algorithm: jose.HS256, Key: []byte("internal key")}

	var signerOpts jose.SignerOptions
	signerOpts.WithType("jwt") // Should be uppercase, but this is what authlib expects

	signer, err := jose.NewSigner(signingKey, &signerOpts)
	if err != nil {
		return "", nil, err
	}

	// Named ident rather than identity to avoid shadowing the identity package.
	ident := authInfo.GetIdentity()
	issuedAt := time.Now()
	const tokenTTL = 10 * time.Minute

	idClaims := &auth.IDClaims{
		Claims: &jwt.Claims{
			Audience: ident.Audience(),
			Subject:  ident.Subject(),
			Expiry:   jwt.NewNumericDate(issuedAt.Add(tokenTTL)),
			IssuedAt: jwt.NewNumericDate(issuedAt),
		},
		Rest: authnlib.IDTokenClaims{
			Namespace:  ident.Namespace(),
			Identifier: ident.Identifier(),
			Type:       ident.IdentityType(),
		},
	}

	// User-specific profile claims are only meaningful for user identities.
	if claims.IsIdentityType(ident.IdentityType(), claims.TypeUser) {
		rest := &idClaims.Rest
		rest.Email = ident.Email()
		rest.EmailVerified = ident.EmailVerified()
		rest.AuthenticatedBy = ident.AuthenticatedBy()
		rest.Username = ident.Username()
		rest.DisplayName = ident.DisplayName()
	}

	// Both claim sets are merged into the single JWT payload.
	token, err := jwt.Signed(signer).
		Claims(&idClaims.Rest).
		Claims(idClaims.Claims).
		CompactSerialize()
	if err != nil {
		return "", nil, err
	}

	return token, idClaims, nil
}