Rewrite credential handling

Signed-off-by: Jan-Otto Kröpke <mail@jkroepke.de>

Author: jkroepke

.changeset/serious-badgers-fetch.md

@@ -2,4 +2,4 @@
 'grafana-infinity-datasource': minor
 ---
 
-Add native Azure authentication
+Add native Microsoft authentication

docker-compose.yaml

@@ -22,3 +22,6 @@ services:
       - GF_SECURITY_ANGULAR_SUPPORT_ENABLED=false
       - GF_SECURITY_CSRF_ALWAYS_CHECK=true
       - GF_ENTERPRISE_LICENSE_TEXT=$GF_ENTERPRISE_LICENSE_TEXT
+      - GF_AZURE_FORWARD_SETTINGS_TO_PLUGINS=
+      - GF_AZURE_WORKLOAD_IDENTITY_ENABLED=true
+      - GF_AZURE_USER_IDENTITY_ENABLED=true

pkg/infinity/azure.go

@@ -4,7 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net/http"
-	"os"
+	"strings"
 
 	"github.com/grafana/grafana-azure-sdk-go/azcredentials"
 	"github.com/grafana/grafana-azure-sdk-go/azhttpclient"
@@ -19,56 +19,62 @@ func ApplyAzureAuth(ctx context.Context, httpClient *http.Client, settings model
 	defer span.End()
 
 	if IsAzureAuthConfigured(settings) {
-		azSettings := &azsettings.AzureSettings{
-			Cloud:                   string(settings.MicrosoftSettings.Cloud),
-			ManagedIdentityEnabled:  true,
-			WorkloadIdentityEnabled: true,
-		}
-
-		tenantID := settings.MicrosoftSettings.TenantID
-		if tenantID == "" {
-			tenantID = os.Getenv("AZURE_TENANT_ID")
-		}
-
-		clientID := settings.OAuth2Settings.ClientID
-		if clientID == "" {
-			clientID = os.Getenv("AZURE_CLIENT_ID")
+		azSettings, err := azsettings.ReadFromEnv()
+		if err != nil {
+			return nil, err
 		}
 
 		var credentials azcredentials.AzureCredentials
 
 		switch settings.MicrosoftSettings.AuthType {
 		case models.MicrosoftAuthTypeClientSecret:
-			clientSecret := settings.OAuth2Settings.ClientSecret
-			if clientSecret == "" {
-				clientSecret = os.Getenv("AZURE_CLIENT_SECRET")
+
+			if strings.TrimSpace(settings.MicrosoftSettings.TenantID) == "" {
+				return nil, fmt.Errorf("Tenant ID %w ", models.MicrosoftRequiredForClientSecretErrHelp)
+			}
+
+			if strings.TrimSpace(settings.MicrosoftSettings.ClientID) == "" {
+				return nil, fmt.Errorf("Client ID %w ", models.MicrosoftRequiredForClientSecretErrHelp)
+			}
+
+			if strings.TrimSpace(settings.MicrosoftSettings.ClientSecret) == "" {
+				return nil, fmt.Errorf("Client secret %w ", models.MicrosoftRequiredForClientSecretErrHelp)
 			}
 
 			credentials = &azcredentials.AzureClientSecretCredentials{
 				AzureCloud:   string(settings.MicrosoftSettings.Cloud),
-				TenantId:     tenantID,
-				ClientId:     clientID,
-				ClientSecret: clientSecret,
+				TenantId:     settings.MicrosoftSettings.TenantID,
+				ClientId:     settings.MicrosoftSettings.ClientID,
+				ClientSecret: settings.MicrosoftSettings.ClientSecret,
 			}
 		case models.MicrosoftAuthTypeManagedIdentity:
-			azSettings.ManagedIdentityClientId = clientID
+			if !azSettings.ManagedIdentityEnabled {
+				return nil, fmt.Errorf("Managed Identity %w ", models.MicrosoftDisabledAuthErrHelp)
+			}
 
 			credentials = &azcredentials.AzureManagedIdentityCredentials{
-				ClientId: clientID,
+				// ClientId is optional for managed identity, because it can be inferred from the environment
+				// https://github.com/grafana/grafana-azure-sdk-go/blob/21e2891b4190eb7c255c8cd275836def8200faf8/aztokenprovider/retriever_msi.go#L20-L30
+				ClientId: settings.MicrosoftSettings.ClientID,
 			}
 		case models.MicrosoftAuthTypeWorkloadIdentity:
-			azSettings.WorkloadIdentitySettings = &azsettings.WorkloadIdentitySettings{
-				TenantId: tenantID,
-				ClientId: clientID,
+			if !azSettings.WorkloadIdentityEnabled {
+				return nil, fmt.Errorf("Workload Identity %w ", models.MicrosoftDisabledAuthErrHelp)
 			}
 
 			credentials = &azcredentials.AzureWorkloadIdentityCredentials{}
+		case models.MicrosoftAuthTypeCurrentUserIdentity:
+			if !azSettings.UserIdentityEnabled {
+				return nil, fmt.Errorf("User Identity %w ", models.MicrosoftDisabledAuthErrHelp)
+			}
+
+			credentials = &azcredentials.AadCurrentUserCredentials{}
 		default:
 			panic(fmt.Errorf("invalid auth type '%s'", settings.MicrosoftSettings.AuthType))
 		}
 
 		authOpts := azhttpclient.NewAuthOptions(azSettings)
-		authOpts.Scopes(settings.OAuth2Settings.Scopes)
+		authOpts.Scopes(settings.MicrosoftSettings.Scopes)
 
 		httpClient.Transport = azhttpclient.AzureMiddleware(authOpts, credentials).
 			CreateMiddleware(httpclient.Options{}, httpClient.Transport)

pkg/infinity/client.go

@@ -159,7 +159,7 @@ func NewClient(ctx context.Context, settings models.InfinitySettings) (client *C
 }
 
 func ApplySecureSocksProxyConfiguration(httpClient *http.Client, settings models.InfinitySettings) (*http.Client, error) {
-	if IsAwsAuthConfigured(settings) {
+	if IsAwsAuthConfigured(settings) || IsAzureAuthConfigured(settings) {
 		return httpClient, nil
 	}
 	t := httpClient.Transport
@@ -171,13 +171,11 @@ func ApplySecureSocksProxyConfiguration(httpClient *http.Client, settings models
 		t = t.(*oauth2.Transport).Base
 	}
 
-	if t, ok := t.(*http.Transport); ok {
-		// secure socks proxy configuration - checks if enabled inside the function
-		err := proxy.New(settings.ProxyOpts.ProxyOptions).ConfigureSecureSocksHTTPProxy(t)
-		if err != nil {
-			backend.Logger.Error("error configuring secure socks proxy", "err", err.Error())
-			return nil, fmt.Errorf("error configuring secure socks proxy. %s", err)
-		}
+	// secure socks proxy configuration - checks if enabled inside the function
+	err := proxy.New(settings.ProxyOpts.ProxyOptions).ConfigureSecureSocksHTTPProxy(t.(*http.Transport))
+	if err != nil {
+		backend.Logger.Error("error configuring secure socks proxy", "err", err.Error())
+		return nil, fmt.Errorf("error configuring secure socks proxy. %s", err)
 	}
 
 	return httpClient, nil

pkg/models/settings.go

@@ -68,9 +68,10 @@ type AWSSettings struct {
 type MicrosoftAuthType string
 
 const (
-	MicrosoftAuthTypeManagedIdentity  MicrosoftAuthType = azcredentials.AzureAuthManagedIdentity
-	MicrosoftAuthTypeWorkloadIdentity MicrosoftAuthType = azcredentials.AzureAuthWorkloadIdentity
-	MicrosoftAuthTypeClientSecret     MicrosoftAuthType = azcredentials.AzureAuthClientSecret
+	MicrosoftAuthTypeManagedIdentity     MicrosoftAuthType = azcredentials.AzureAuthManagedIdentity
+	MicrosoftAuthTypeWorkloadIdentity    MicrosoftAuthType = azcredentials.AzureAuthWorkloadIdentity
+	MicrosoftAuthTypeClientSecret        MicrosoftAuthType = azcredentials.AzureAuthClientSecret
+	MicrosoftAuthTypeCurrentUserIdentity MicrosoftAuthType = azcredentials.AzureAuthCurrentUserIdentity
 )
 
 type MicrosoftCloudType string
@@ -81,10 +82,20 @@ const (
 	MicrosoftCloudUSGovernment MicrosoftCloudType = azsettings.AzureUSGovernment
 )
 
+var (
+	MicrosoftRequiredForClientSecretErrHelp = errors.New(` is required for Microsoft client secret authentication`)
+	MicrosoftDisabledAuthErrHelp            = errors.New(` is not enabled in the Grafana Azure settings. For more information, please refer to the Grafana documentation at 
+https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#azure. 
+Additionally, this plugin needs to be added to the grafana.ini setting azure.forward_settings_to_plugins.`)
+)
+
 type MicrosoftSettings struct {
-	Cloud    MicrosoftCloudType `json:"cloud"`
-	AuthType MicrosoftAuthType  `json:"auth_type"`
-	TenantID string             `json:"tenant_id"`
+	Cloud        MicrosoftCloudType `json:"cloud"`
+	AuthType     MicrosoftAuthType  `json:"auth_type"`
+	TenantID     string             `json:"tenant_id"`
+	ClientID     string             `json:"client_id"`
+	ClientSecret string
+	Scopes       []string `json:"scopes,omitempty"`
 }
 
 type ProxyType string
@@ -165,6 +176,42 @@ func (s *InfinitySettings) Validate() error {
 		}
 		return nil
 	}
+	if s.AuthenticationMethod == AuthenticationMethodMicrosoft {
+		azSettings, err := azsettings.ReadFromEnv()
+		if err != nil {
+			return err
+		}
+
+		switch s.MicrosoftSettings.AuthType {
+		case MicrosoftAuthTypeClientSecret:
+			if strings.TrimSpace(s.MicrosoftSettings.TenantID) == "" {
+				return fmt.Errorf("Tenant ID %w ", MicrosoftRequiredForClientSecretErrHelp)
+			}
+
+			if strings.TrimSpace(s.MicrosoftSettings.ClientID) == "" {
+				return fmt.Errorf("Client ID %w ", MicrosoftRequiredForClientSecretErrHelp)
+			}
+
+			if strings.TrimSpace(s.MicrosoftSettings.ClientSecret) == "" {
+				return fmt.Errorf("Client secret %w ", MicrosoftRequiredForClientSecretErrHelp)
+			}
+		case MicrosoftAuthTypeManagedIdentity:
+			if !azSettings.ManagedIdentityEnabled {
+				return errors.New("managed identity authentication is not enabled in Grafana config. " +
+					"Refer https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#azure")
+			}
+		case MicrosoftAuthTypeWorkloadIdentity:
+			if !azSettings.WorkloadIdentityEnabled {
+				return errors.New("workload identity authentication is not enabled in Grafana config." +
+					"Refer https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#azure")
+			}
+		case MicrosoftAuthTypeCurrentUserIdentity:
+			if !azSettings.UserIdentityEnabled {
+				return errors.New("user identity authentication is not enabled in Grafana config." +
+					"Refer https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#azure")
+			}
+		}
+	}
 	if s.AuthenticationMethod != AuthenticationMethodNone && len(s.AllowedHosts) < 1 {
 		return errors.New("configure allowed hosts in the authentication section")
 	}
@@ -212,7 +259,6 @@ type InfinitySettingsJson struct {
 	ProxyType                ProxyType         `json:"proxy_type,omitempty"`
 	ProxyUrl                 string            `json:"proxy_url,omitempty"`
 	AllowedHosts             []string          `json:"allowedHosts,omitempty"`
-
 	ReferenceData            []RefData         `json:"refData,omitempty"`
 	CustomHealthCheckEnabled bool              `json:"customHealthCheckEnabled,omitempty"`
 	CustomHealthCheckUrl     string            `json:"customHealthCheckUrl,omitempty"`
@@ -312,6 +358,9 @@ func LoadSettings(ctx context.Context, config backend.DataSourceInstanceSettings
 	if val, ok := config.DecryptedSecureJSONData["azureBlobAccountKey"]; ok {
 		settings.AzureBlobAccountKey = val
 	}
+	if val, ok := config.DecryptedSecureJSONData["microsoftClientSecret"]; ok {
+		settings.MicrosoftSettings.ClientSecret = val
+	}
 	settings.CustomHeaders = GetSecrets(config, "httpHeaderName", "httpHeaderValue")
 	settings.SecureQueryFields = GetSecrets(config, "secureQueryName", "secureQueryValue")
 	settings.OAuth2Settings.EndpointParams = GetSecrets(config, "oauth2EndPointParamsName", "oauth2EndPointParamsValue")

pkg/models/settings_test.go

@@ -161,9 +161,11 @@ func TestAllSettingsAgainstFrontEnd(t *testing.T) {
 				"service" 	: "service1"
 			},
 			"microsoft" : {
-                "cloud"      : "AzureUSGovernment",
-				"auth_type"	 : "clientsecret",
-				"tenant_id"	 : "tenant1"
+				"cloud"	 	: "AzureUSGovernment",
+				"auth_type"	: "clientsecret",
+				"tenant_id"	: "tenant1",
+				"client_id"	: "myMicrosoftClientID",
+				"scopes"	: ["msscope1","msscope2"]
 			},
 			"oauth2" : {
 				"client_id":"myClientID",
@@ -186,6 +188,7 @@ func TestAllSettingsAgainstFrontEnd(t *testing.T) {
 			"awsAccessKey":               "awsAccessKey1",
 			"awsSecretKey":               "awsSecretKey1",
 			"oauth2ClientSecret":         "myOauth2ClientSecret",
+			"microsoftClientSecret":      "myMicrosoftClientSecret",
 			"oauth2JWTPrivateKey":        "myOauth2JWTPrivateKey",
 			"oauth2EndPointParamsValue1": "Resource1",
 			"oauth2EndPointParamsValue2": "Resource2",
@@ -218,9 +221,12 @@ func TestAllSettingsAgainstFrontEnd(t *testing.T) {
 			Region:   "region1",
 		},
 		MicrosoftSettings: models.MicrosoftSettings{
-			Cloud:    models.MicrosoftCloudUSGovernment,
-			AuthType: models.MicrosoftAuthTypeClientSecret,
-			TenantID: "tenant1",
+			Cloud:        models.MicrosoftCloudUSGovernment,
+			AuthType:     models.MicrosoftAuthTypeClientSecret,
+			TenantID:     "tenant1",
+			ClientID:     "myMicrosoftClientID",
+			ClientSecret: "myMicrosoftClientSecret",
+			Scopes:       []string{"msscope1", "msscope2"},
 		},
 		OAuth2Settings: models.OAuth2Settings{
 			ClientID:     "myClientID",

src/editors/config/Auth.tsx

@@ -18,7 +18,7 @@ const authTypes: Array<SelectableValue<AuthType | 'others'> & { logo?: string }>
   { value: 'oauthPassThru', label: 'Forward OAuth' },
   { value: 'oauth2', label: 'OAuth2', logo: '/public/plugins/yesoreyeram-infinity-datasource/img/oauth-2-sm.png' },
   { value: 'aws', label: 'AWS', logo: '/public/plugins/yesoreyeram-infinity-datasource/img/aws.jpg' },
-  { value: 'microsoft', label: 'Microsoft Entra ID' },
+  { value: 'microsoft', label: 'Microsoft Entra ID', logo: '/public/img/microsoft_auth_icon.svg' },
   { value: 'azureBlob', label: 'Azure Blob' },
   { value: 'others', label: 'Other Auth Providers' },
 ];
@@ -137,7 +137,7 @@ export const AuthEditor = (props: DataSourcePluginOptionsEditorProps<InfinityOpt
               e.preventDefault();
             }}
           >
-            {a.logo ? <img src={a.logo} width={24} height={24} style={{ marginInlineEnd: '10px' }} /> : <Icon name="key-skeleton-alt" style={{ marginInlineEnd: '10px' }} />}
+            {a.logo ? <img src={a.logo} width={16} height={16} style={{ marginInlineEnd: '10px' }} /> : <Icon name="key-skeleton-alt" style={{ marginInlineEnd: '10px' }} />}
             {a.label}
           </a>
         ))}