AzureMonitor: strongly-typed AzureCredentials and correct resolution of auth type and cloud (grafana#36284)

Author: Sergey Kostrukov

pkg/api/pluginproxy/ds_auth_provider.go

@@ -92,8 +92,7 @@ func getTokenProvider(ctx context.Context, cfg *setting.Cfg, ds *models.DataSour
 		if tokenAuth == nil {
 			return nil, fmt.Errorf("'tokenAuth' not configured for authentication type '%s'", authType)
 		}
-		provider := newAzureAccessTokenProvider(ctx, cfg, tokenAuth)
-		return provider, nil
+		return newAzureAccessTokenProvider(ctx, cfg, tokenAuth)
 
 	case "gce":
 		if jwtTokenAuth == nil {

pkg/api/pluginproxy/token_provider_azure.go

@@ -2,24 +2,58 @@ package pluginproxy
 
 import (
 	"context"
+	"strings"
 
 	"github.com/grafana/grafana/pkg/plugins"
 	"github.com/grafana/grafana/pkg/setting"
+	"github.com/grafana/grafana/pkg/tsdb/azuremonitor/azcredentials"
 	"github.com/grafana/grafana/pkg/tsdb/azuremonitor/aztokenprovider"
 )
 
 type azureAccessTokenProvider struct {
 	ctx           context.Context
 	tokenProvider aztokenprovider.AzureTokenProvider
+	scopes        []string
 }
 
-func newAzureAccessTokenProvider(ctx context.Context, cfg *setting.Cfg, authParams *plugins.JwtTokenAuth) *azureAccessTokenProvider {
+func newAzureAccessTokenProvider(ctx context.Context, cfg *setting.Cfg, authParams *plugins.JwtTokenAuth) (*azureAccessTokenProvider, error) {
+	credentials := getAzureCredentials(cfg, authParams)
+	tokenProvider, err := aztokenprovider.NewAzureAccessTokenProvider(cfg, credentials)
+	if err != nil {
+		return nil, err
+	}
 	return &azureAccessTokenProvider{
 		ctx:           ctx,
-		tokenProvider: aztokenprovider.NewAzureAccessTokenProvider(cfg, authParams),
-	}
+		tokenProvider: tokenProvider,
+		scopes:        authParams.Scopes,
+	}, nil
 }
 
 func (provider *azureAccessTokenProvider) GetAccessToken() (string, error) {
-	return provider.tokenProvider.GetAccessToken(provider.ctx)
+	return provider.tokenProvider.GetAccessToken(provider.ctx, provider.scopes)
+}
+
+func getAzureCredentials(cfg *setting.Cfg, authParams *plugins.JwtTokenAuth) azcredentials.AzureCredentials {
+	authType := strings.ToLower(authParams.Params["azure_auth_type"])
+	clientId := authParams.Params["client_id"]
+
+	// Type of authentication being determined by the following logic:
+	// * If authType is set to 'msi' then user explicitly selected the managed identity authentication
+	// * If authType isn't set but other fields are configured then it's a datasource which was configured
+	//   before managed identities where introduced, therefore use client secret authentication
+	// * If authType and other fields aren't set then it means the datasource never been configured
+	//   and managed identity is the default authentication choice as long as managed identities are enabled
+	isManagedIdentity := authType == "msi" || (authType == "" && clientId == "" && cfg.Azure.ManagedIdentityEnabled)
+
+	if isManagedIdentity {
+		return &azcredentials.AzureManagedIdentityCredentials{}
+	} else {
+		return &azcredentials.AzureClientSecretCredentials{
+			AzureCloud:   authParams.Params["azure_cloud"],
+			Authority:    authParams.Url,
+			TenantId:     authParams.Params["tenant_id"],
+			ClientId:     authParams.Params["client_id"],
+			ClientSecret: authParams.Params["client_secret"],
+		}
+	}
 }

pkg/tsdb/azuremonitor/azcredentials/credentials.go

@@ -0,0 +1,30 @@
+package azcredentials
+
+const (
+	AzureAuthManagedIdentity = "msi"
+	AzureAuthClientSecret    = "clientsecret"
+)
+
+type AzureCredentials interface {
+	AzureAuthType() string
+}
+
+type AzureManagedIdentityCredentials struct {
+	ClientId string
+}
+
+type AzureClientSecretCredentials struct {
+	AzureCloud   string
+	Authority    string
+	TenantId     string
+	ClientId     string
+	ClientSecret string
+}
+
+func (credentials *AzureManagedIdentityCredentials) AzureAuthType() string {
+	return AzureAuthManagedIdentity
+}
+
+func (credentials *AzureClientSecretCredentials) AzureAuthType() string {
+	return AzureAuthClientSecret
+}

pkg/tsdb/azuremonitor/aztokenprovider/middleware.go

@@ -9,10 +9,10 @@ import (
 
 const authenticationMiddlewareName = "AzureAuthentication"
 
-func AuthMiddleware(tokenProvider AzureTokenProvider) httpclient.Middleware {
+func AuthMiddleware(tokenProvider AzureTokenProvider, scopes []string) httpclient.Middleware {
 	return httpclient.NamedMiddlewareFunc(authenticationMiddlewareName, func(opts httpclient.Options, next http.RoundTripper) http.RoundTripper {
 		return httpclient.RoundTripperFunc(func(req *http.Request) (*http.Response, error) {
-			token, err := tokenProvider.GetAccessToken(req.Context())
+			token, err := tokenProvider.GetAccessToken(req.Context(), scopes)
 			if err != nil {
 				return nil, fmt.Errorf("failed to retrieve Azure access token: %w", err)
 			}

pkg/tsdb/azuremonitor/aztokenprovider/token_cache.go

@@ -19,14 +19,14 @@ type AccessToken struct {
 	ExpiresOn time.Time
 }
 
-type TokenCredential interface {
+type TokenRetriever interface {
 	GetCacheKey() string
 	Init() error
 	GetAccessToken(ctx context.Context, scopes []string) (*AccessToken, error)
 }
 
 type ConcurrentTokenCache interface {
-	GetAccessToken(ctx context.Context, credential TokenCredential, scopes []string) (string, error)
+	GetAccessToken(ctx context.Context, tokenRetriever TokenRetriever, scopes []string) (string, error)
 }
 
 func NewConcurrentTokenCache() ConcurrentTokenCache {
@@ -37,35 +37,35 @@ type tokenCacheImpl struct {
 	cache sync.Map // of *credentialCacheEntry
 }
 type credentialCacheEntry struct {
-	credential TokenCredential
+	retriever TokenRetriever
 
 	credInit  uint32
 	credMutex sync.Mutex
 	cache     sync.Map // of *scopesCacheEntry
 }
 
 type scopesCacheEntry struct {
-	credential TokenCredential
-	scopes     []string
+	retriever TokenRetriever
+	scopes    []string
 
 	cond        *sync.Cond
 	refreshing  bool
 	accessToken *AccessToken
 }
 
-func (c *tokenCacheImpl) GetAccessToken(ctx context.Context, credential TokenCredential, scopes []string) (string, error) {
-	return c.getEntryFor(credential).getAccessToken(ctx, scopes)
+func (c *tokenCacheImpl) GetAccessToken(ctx context.Context, tokenRetriever TokenRetriever, scopes []string) (string, error) {
+	return c.getEntryFor(tokenRetriever).getAccessToken(ctx, scopes)
 }
 
-func (c *tokenCacheImpl) getEntryFor(credential TokenCredential) *credentialCacheEntry {
+func (c *tokenCacheImpl) getEntryFor(credential TokenRetriever) *credentialCacheEntry {
 	var entry interface{}
 	var ok bool
 
 	key := credential.GetCacheKey()
 
 	if entry, ok = c.cache.Load(key); !ok {
 		entry, _ = c.cache.LoadOrStore(key, &credentialCacheEntry{
-			credential: credential,
+			retriever: credential,
 		})
 	}
 
@@ -87,8 +87,8 @@ func (c *credentialCacheEntry) ensureInitialized() error {
 		defer c.credMutex.Unlock()
 
 		if c.credInit == 0 {
-			// Initialize credential
-			err := c.credential.Init()
+			// Initialize retriever
+			err := c.retriever.Init()
 			if err != nil {
 				return err
 			}
@@ -108,9 +108,9 @@ func (c *credentialCacheEntry) getEntryFor(scopes []string) *scopesCacheEntry {
 
 	if entry, ok = c.cache.Load(key); !ok {
 		entry, _ = c.cache.LoadOrStore(key, &scopesCacheEntry{
-			credential: c.credential,
-			scopes:     scopes,
-			cond:       sync.NewCond(&sync.Mutex{}),
+			retriever: c.retriever,
+			scopes:    scopes,
+			cond:      sync.NewCond(&sync.Mutex{}),
 		})
 	}
 
@@ -155,7 +155,7 @@ func (c *scopesCacheEntry) getAccessToken(ctx context.Context) (string, error) {
 func (c *scopesCacheEntry) refreshAccessToken(ctx context.Context) (*AccessToken, error) {
 	var accessToken *AccessToken
 
-	// Safeguarding from panic caused by credential implementation
+	// Safeguarding from panic caused by retriever implementation
 	defer func() {
 		c.cond.L.Lock()
 
@@ -169,7 +169,7 @@ func (c *scopesCacheEntry) refreshAccessToken(ctx context.Context) (*AccessToken
 		c.cond.L.Unlock()
 	}()
 
-	token, err := c.credential.GetAccessToken(ctx, c.scopes)
+	token, err := c.retriever.GetAccessToken(ctx, c.scopes)
 	if err != nil {
 		return nil, err
 	}