212 lines
6.3 KiB
Go
212 lines
6.3 KiB
Go
package sync
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"sort"
|
|
|
|
claims "github.com/grafana/authlib/types"
|
|
"github.com/grafana/grafana/pkg/infra/log"
|
|
"github.com/grafana/grafana/pkg/infra/tracing"
|
|
"github.com/grafana/grafana/pkg/services/accesscontrol"
|
|
"github.com/grafana/grafana/pkg/services/authn"
|
|
"github.com/grafana/grafana/pkg/services/org"
|
|
"github.com/grafana/grafana/pkg/services/user"
|
|
"github.com/grafana/grafana/pkg/setting"
|
|
)
|
|
|
|
func ProvideOrgSync(userService user.Service, orgService org.Service, accessControl accesscontrol.Service, cfg *setting.Cfg, tracer tracing.Tracer) *OrgSync {
|
|
return &OrgSync{userService, orgService, accessControl, cfg, log.New("org.sync"), tracer}
|
|
}
|
|
|
|
type OrgSync struct {
|
|
userService user.Service
|
|
orgService org.Service
|
|
accessControl accesscontrol.Service
|
|
cfg *setting.Cfg
|
|
log log.Logger
|
|
tracer tracing.Tracer
|
|
}
|
|
|
|
func (s *OrgSync) SyncOrgRolesHook(ctx context.Context, id *authn.Identity, _ *authn.Request) error {
|
|
ctx, span := s.tracer.Start(ctx, "org.sync.SyncOrgRolesHook")
|
|
defer span.End()
|
|
|
|
if !id.ClientParams.SyncOrgRoles {
|
|
return nil
|
|
}
|
|
|
|
ctxLogger := s.log.FromContext(ctx).New("id", id.ID, "login", id.Login)
|
|
|
|
if !id.IsIdentityType(claims.TypeUser) {
|
|
ctxLogger.Warn("Failed to sync org role, invalid namespace for identity", "type", id.GetIdentityType())
|
|
return nil
|
|
}
|
|
|
|
userID, err := id.GetInternalID()
|
|
if err != nil {
|
|
ctxLogger.Warn("Failed to sync org role, invalid ID for identity", "type", id.GetIdentityType(), "err", err)
|
|
return nil
|
|
}
|
|
|
|
// ignore org syncing if the user is provisioned
|
|
usr, err := s.userService.GetByID(ctx, &user.GetUserByIDQuery{ID: userID})
|
|
if err != nil {
|
|
ctxLogger.Error("Failed to get user from provided identity", "error", err)
|
|
return nil
|
|
}
|
|
if usr.IsProvisioned {
|
|
return nil
|
|
}
|
|
|
|
ctxLogger.Debug("Syncing organization roles", "extOrgRoles", id.OrgRoles)
|
|
// don't sync org roles if none is specified
|
|
if len(id.OrgRoles) == 0 {
|
|
ctxLogger.Debug("Not syncing organization roles since external user doesn't have any")
|
|
return nil
|
|
}
|
|
|
|
orgsQuery := &org.GetUserOrgListQuery{UserID: userID}
|
|
result, err := s.orgService.GetUserOrgList(ctx, orgsQuery)
|
|
if err != nil {
|
|
ctxLogger.Error("Failed to get user's organizations", "error", err)
|
|
return nil
|
|
}
|
|
|
|
handledOrgIds := map[int64]bool{}
|
|
deleteOrgIds := []int64{}
|
|
|
|
// update existing org roles
|
|
for _, orga := range result {
|
|
handledOrgIds[orga.OrgID] = true
|
|
|
|
extRole := id.OrgRoles[orga.OrgID]
|
|
if extRole == "" {
|
|
deleteOrgIds = append(deleteOrgIds, orga.OrgID)
|
|
} else if extRole != orga.Role {
|
|
// update role
|
|
cmd := &org.UpdateOrgUserCommand{OrgID: orga.OrgID, UserID: userID, Role: extRole}
|
|
if err := s.orgService.UpdateOrgUser(ctx, cmd); err != nil {
|
|
ctxLogger.Error("Failed to update active org user", "error", err)
|
|
return err
|
|
}
|
|
}
|
|
}
|
|
|
|
orgIDs := make([]int64, 0, len(id.OrgRoles))
|
|
// add any new org roles
|
|
for orgId, orgRole := range id.OrgRoles {
|
|
if _, exists := handledOrgIds[orgId]; exists {
|
|
orgIDs = append(orgIDs, orgId)
|
|
continue
|
|
}
|
|
|
|
// add role
|
|
cmd := &org.AddOrgUserCommand{UserID: userID, Role: orgRole, OrgID: orgId}
|
|
err := s.orgService.AddOrgUser(ctx, cmd)
|
|
|
|
if errors.Is(err, org.ErrOrgNotFound) {
|
|
continue
|
|
}
|
|
|
|
if err != nil {
|
|
ctxLogger.Error("Failed to update active org for user", "error", err)
|
|
return err
|
|
}
|
|
|
|
orgIDs = append(orgIDs, orgId)
|
|
}
|
|
|
|
// delete any removed org roles
|
|
for _, orgID := range deleteOrgIds {
|
|
ctxLogger.Debug("Removing user's organization membership as part of syncing with OAuth login", "orgId", orgID)
|
|
cmd := &org.RemoveOrgUserCommand{OrgID: orgID, UserID: userID}
|
|
if err := s.orgService.RemoveOrgUser(ctx, cmd); err != nil {
|
|
ctxLogger.Error("Failed to remove user from org", "orgId", orgID, "error", err)
|
|
if errors.Is(err, org.ErrLastOrgAdmin) {
|
|
continue
|
|
}
|
|
|
|
return err
|
|
}
|
|
|
|
if err := s.accessControl.DeleteUserPermissions(ctx, orgID, cmd.UserID); err != nil {
|
|
ctxLogger.Error("Failed to delete permissions for user", "orgId", orgID, "error", err)
|
|
}
|
|
}
|
|
|
|
// Note: sort all org ids to not make it flaky, for now we default to the lowest id
|
|
sort.Slice(orgIDs, func(i, j int) bool { return orgIDs[i] < orgIDs[j] })
|
|
// update user's default org if needed
|
|
if _, ok := id.OrgRoles[id.OrgID]; !ok {
|
|
if len(orgIDs) > 0 {
|
|
id.OrgID = orgIDs[0]
|
|
return s.userService.Update(ctx, &user.UpdateUserCommand{
|
|
UserID: userID,
|
|
OrgID: &id.OrgID,
|
|
})
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (s *OrgSync) SetDefaultOrgHook(ctx context.Context, currentIdentity *authn.Identity, r *authn.Request, err error) {
|
|
ctx, span := s.tracer.Start(ctx, "org.sync.SetDefaultOrgHook")
|
|
defer span.End()
|
|
|
|
if s.cfg.LoginDefaultOrgId < 1 || currentIdentity == nil || err != nil {
|
|
return
|
|
}
|
|
|
|
ctxLogger := s.log.FromContext(ctx)
|
|
|
|
if !currentIdentity.IsIdentityType(claims.TypeUser) {
|
|
ctxLogger.Debug("Skipping default org sync, not a user", "type", currentIdentity.GetIdentityType())
|
|
return
|
|
}
|
|
|
|
userID, err := currentIdentity.GetInternalID()
|
|
if err != nil {
|
|
ctxLogger.Debug("Skipping default org sync, invalid ID for identity", "id", currentIdentity.ID, "type", currentIdentity.GetIdentityType(), "err", err)
|
|
return
|
|
}
|
|
|
|
hasAssignedToOrg, err := s.validateUsingOrg(ctx, userID, s.cfg.LoginDefaultOrgId)
|
|
if err != nil {
|
|
ctxLogger.Error("Skipping default org sync, failed to validate user's organizations", "id", currentIdentity.ID, "err", err)
|
|
return
|
|
}
|
|
|
|
if !hasAssignedToOrg {
|
|
ctxLogger.Debug("Skipping default org sync, user is not assigned to org", "id", currentIdentity.ID, "org", s.cfg.LoginDefaultOrgId)
|
|
return
|
|
}
|
|
|
|
cmd := user.UpdateUserCommand{UserID: userID, OrgID: &s.cfg.LoginDefaultOrgId}
|
|
if svcErr := s.userService.Update(ctx, &cmd); svcErr != nil {
|
|
ctxLogger.Error("Failed to set default org", "id", currentIdentity.ID, "err", svcErr)
|
|
}
|
|
}
|
|
|
|
func (s *OrgSync) validateUsingOrg(ctx context.Context, userID int64, orgID int64) (bool, error) {
|
|
ctx, span := s.tracer.Start(ctx, "org.sync.validateUsingOrg")
|
|
defer span.End()
|
|
|
|
query := org.GetUserOrgListQuery{UserID: userID}
|
|
|
|
result, err := s.orgService.GetUserOrgList(ctx, &query)
|
|
if err != nil {
|
|
return false, fmt.Errorf("failed to get user's organizations: %w", err)
|
|
}
|
|
|
|
// validate that the org id in the list
|
|
for _, other := range result {
|
|
if other.OrgID == orgID {
|
|
return true, nil
|
|
}
|
|
}
|
|
return false, nil
|
|
}
|