Auth: Fix orgrole picker disabled if isSynced user #64033

eleijonmarck · 2023-03-02T15:15:06Z

What is this feature?

disables the orgrole picker if the user is synced from external provider
disables the basicRole picker for role picker if the users is synced
adds header to column with "Synced from"
backend checks for externalUser info
add tests on backend for IsExternallySynced
implemented feature toggle for this breaking change, onlyExternalOrgRoleSync

TODO:

implement featuretoggle for this
Currently resetting the particular User's entry/entries in user_auth table is not supported. Thus, I think the best we can do on the short term to implement what @Jguer suggested: when a provider is disabled should be to always return not ExternallySync.
update doc for Grafana 10 we remove the feature toggle
reach out to support
runbook available in case supports needs help - https://github.com/grafana/grafana-authnz-team/wiki/Orgrole-picker-disabled-in-users-page

Fixes #
#63835

Special notes for your reviewer:

Goes together w. enterprise - https://github.com/grafana/grafana-enterprise/pull/4774

oss test

enterprise test

docs will be separate

eleijonmarck · 2023-03-22T14:50:55Z

pkg/api/org_users.go

+		if err != nil {
+			if errors.Is(err, user.ErrUserNotFound) {
+				hs.log.Warn("Failed to get user auth info for basic auth user", cmd.UserID, nil)
+			} else {
+				hs.log.Error("Failed to get user auth info for external sync check", cmd.UserID, err)
+				return response.Error(http.StatusInternalServerError, "Failed to get user auth info", nil)
+			}
+		}
+		if qAuth.Result != nil && qAuth.Result.AuthModule != "" && login.IsExternallySynced(hs.Cfg, qAuth.Result.AuthModule) {


we need to check for Auth.Results == nil for a basic Auth user. here we look at the error if the userNotFound for a basic Auth user.

eleijonmarck · 2023-03-22T14:51:23Z

pkg/api/org_users_test.go

+			desc:            "should not be able to change basicRole with a different provider",
+			SkipOrgRoleSync: false,
+			AuthEnabled:     true,
+			AuthModule:      login.GenericOAuthModule,
+			expectedCode:    http.StatusForbidden,
+		},
+		{
+			desc:            "should be able to change basicRole with a basic Auth",
+			SkipOrgRoleSync: false,
+			AuthEnabled:     false,
+			AuthModule:      "",
+			expectedCode:    http.StatusOK,
+		},
+		{
+			desc:            "should be able to change basicRole with a basic Auth",
+			SkipOrgRoleSync: true,
+			AuthEnabled:     true,
+			AuthModule:      "",
+			expectedCode:    http.StatusOK,
+		},
+	}


added tests for basic Auth as well

eleijonmarck · 2023-03-22T14:51:50Z

pkg/api/user.go

@@ -67,7 +67,7 @@ func (hs *HTTPServer) getUserUserProfile(c *contextmodel.ReqContext, userID int6
 		authLabel := login.GetAuthProviderLabel(getAuthQuery.Result.AuthModule)
 		userProfile.AuthLabels = append(userProfile.AuthLabels, authLabel)
 		userProfile.IsExternal = true
-		userProfile.IsExternallySynced = login.IsExternallySynced(hs.Cfg, authLabel)
+		userProfile.IsExternallySynced = login.IsExternallySynced(hs.Cfg, getAuthQuery.Result.AuthModule)


using AuthModule instead of Labels

eleijonmarck · 2023-03-22T14:56:09Z

public/app/features/admin/UserListAdminPage.tsx

@@ -150,7 +150,7 @@ const UserListAdminPageUnConnected = ({
                      <Icon name="question-circle" />
                    </Tooltip>
                  </th>
-                  <th style={{ width: '1%' }}>Synced from</th>
+                  <th style={{ width: '1%' }}>Origin</th>


changed to Origin instead, wdyt?

IevaVasiljeva

I've just tested it again, and everything works great!

Please lower the level of the log before merging (and maybe fix the way the error is used). But apart from that this looks good 👌

IevaVasiljeva · 2023-03-22T16:03:24Z

pkg/api/org_users.go

+		err := hs.authInfoService.GetAuthInfo(c.Req.Context(), &qAuth)
+		if err != nil {
+			if errors.Is(err, user.ErrUserNotFound) {
+				hs.log.Warn("Failed to get user auth info for basic auth user", cmd.UserID, nil)


I would put it at debug level - it is currently expected that a basic auth user won't have an auth info entry.

IevaVasiljeva · 2023-03-22T16:06:27Z

pkg/api/org_users.go

+			}
+		}
+		if qAuth.Result != nil && qAuth.Result.AuthModule != "" && login.IsExternallySynced(hs.Cfg, qAuth.Result.AuthModule) {
+			return response.ErrOrFallback(http.StatusForbidden, "Cannot change role for externally synced user", org.ErrCannotChangeRoleForExternallySyncedUser)


I think the intended use of errutil errors is that they are propagated down from other methods that are called from handlers. There's not much benefit of returning it directly from the handler I think. But if you want to do it, you'll need something like this:

Suggested change

return response.ErrOrFallback(http.StatusForbidden, "Cannot change role for externally synced user", org.ErrCannotChangeRoleForExternallySyncedUser)

return response.Err(org.ErrCannotChangeRoleForExternallySyncedUser.Errorf("Cannot change role for externally synced user"))

grafanabot · 2023-03-29T11:27:17Z

The backport to v9.4.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new branch
git switch --create backport-64033-to-v9.4.x origin/v9.4.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x 3cd952b8bad8d23daee10fcc303a6d19c8b6d0a0
# Push it to GitHub
git push --set-upstream origin backport-64033-to-v9.4.x
git switch main
# Remove the local backport branch
git branch -D backport-64033-to-v9.4.x

Then, create a pull request where the base branch is v9.4.x and the compare/head branch is backport-64033-to-v9.4.x.

* fix: disable orgrolepicker if externaluser is synced * add disable to role picker * just took me 2 hours to center the icon * wip * fix: check externallySyncedUser for API call * remove check from store * add: tests * refactor authproxy and made tests run * add: feature toggle * set feature toggle for tests * add: IsProviderEnabled * refactor: featuretoggle name * IsProviderEnabled tests * add specific tests for isProviderEnabled * fix: org_user tests * add: owner to featuretoggle * add missing authlabels * remove fmt * feature toggle * change config * add test for a different authmodule * test refactor * gen feature toggle again * fix basic auth user able to change the org role * test for basic auth role * make err.base to error * lowered lvl of log and input mesg (cherry picked from commit 3cd952b)

Auth: Fix orgrole picker disabled if isSynced user (#64033) * fix: disable orgrolepicker if externaluser is synced * add disable to role picker * just took me 2 hours to center the icon * wip * fix: check externallySyncedUser for API call * remove check from store * add: tests * refactor authproxy and made tests run * add: feature toggle * set feature toggle for tests * add: IsProviderEnabled * refactor: featuretoggle name * IsProviderEnabled tests * add specific tests for isProviderEnabled * fix: org_user tests * add: owner to featuretoggle * add missing authlabels * remove fmt * feature toggle * change config * add test for a different authmodule * test refactor * gen feature toggle again * fix basic auth user able to change the org role * test for basic auth role * make err.base to error * lowered lvl of log and input mesg (cherry picked from commit 3cd952b)

jdbaldry · 2023-04-12T14:04:02Z

@eleijonmarck Should this be backported to v9.5.x? It has the 9.5.0 milestone.

fix: disable orgrolepicker if externaluser is synced

e86051c

eleijonmarck requested review from a team as code owners March 2, 2023 15:15

eleijonmarck requested review from joshhunt, ashharrison90, Jguer, IevaVasiljeva, sakjur, papagian and zserge and removed request for a team March 2, 2023 15:15

eleijonmarck added no-backport Skip backport of PR no-changelog Skip including change in changelog/release notes and removed no-backport Skip backport of PR labels Mar 2, 2023

eleijonmarck added this to the 9.4.3 milestone Mar 2, 2023

grafanabot added area/backend area/frontend labels Mar 2, 2023

eleijonmarck added the backport v9.4.x Mark PR for automatic backport to v9.4.x label Mar 2, 2023

grafanabot added the missing-labels label Mar 2, 2023

eleijonmarck added type/bug product-approved Pull requests that are approved by product/managers and are allowed to be backported labels Mar 2, 2023

grafanabot removed the missing-labels label Mar 2, 2023

eleijonmarck requested a review from mgyongyosi March 2, 2023 15:21

eleijonmarck added product-approved Pull requests that are approved by product/managers and are allowed to be backported and removed product-approved Pull requests that are approved by product/managers and are allowed to be backported labels Mar 2, 2023

eleijonmarck mentioned this pull request Mar 2, 2023

Auth: isSynced attribute not checked in org page for users in rolepicker #63835

Closed

10 tasks

Jguer requested a review from alexanderzobnin March 2, 2023 15:52

test for basic auth role

7b19016

eleijonmarck commented Mar 22, 2023

View reviewed changes

eleijonmarck requested a review from IevaVasiljeva March 22, 2023 14:56

make err.base to error

402bd06

IevaVasiljeva approved these changes Mar 22, 2023

View reviewed changes

lowered lvl of log and input mesg

be56c42

eleijonmarck merged commit 3cd952b into main Mar 22, 2023

eleijonmarck deleted the eleijonmarck/auth/skip-org-role-sync-org-page branch March 22, 2023 17:42

eleijonmarck mentioned this pull request Mar 23, 2023

Docs: add featuretoggle introduction for onlyExternalOrgRoleSync in org roles management #65264

Merged

eleijonmarck added backport v9.4.x Mark PR for automatic backport to v9.4.x and removed no-backport Skip backport of PR labels Mar 29, 2023

grafanabot added the backport-failed Failed to generate backport PR. Please resolve conflicts and create one manually. label Mar 29, 2023

eleijonmarck mentioned this pull request Mar 29, 2023

[v9.4.x] Auth: Fix orgrole picker disabled if isSynced user #65553

Merged

6 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Auth: Fix orgrole picker disabled if isSynced user #64033

Auth: Fix orgrole picker disabled if isSynced user #64033

eleijonmarck commented Mar 2, 2023 •

edited

Loading

eleijonmarck Mar 22, 2023

eleijonmarck Mar 22, 2023

eleijonmarck Mar 22, 2023

eleijonmarck Mar 22, 2023

IevaVasiljeva left a comment •

edited

Loading

IevaVasiljeva Mar 22, 2023

IevaVasiljeva Mar 22, 2023

grafanabot commented Mar 29, 2023

jdbaldry commented Apr 12, 2023 •

edited

Loading

	return response.ErrOrFallback(http.StatusForbidden, "Cannot change role for externally synced user", org.ErrCannotChangeRoleForExternallySyncedUser)
	return response.Err(org.ErrCannotChangeRoleForExternallySyncedUser.Errorf("Cannot change role for externally synced user"))

Auth: Fix orgrole picker disabled if isSynced user #64033

Auth: Fix orgrole picker disabled if isSynced user #64033

Conversation

eleijonmarck commented Mar 2, 2023 • edited Loading

eleijonmarck Mar 22, 2023

Choose a reason for hiding this comment

eleijonmarck Mar 22, 2023

Choose a reason for hiding this comment

eleijonmarck Mar 22, 2023

Choose a reason for hiding this comment

eleijonmarck Mar 22, 2023

Choose a reason for hiding this comment

IevaVasiljeva left a comment • edited Loading

Choose a reason for hiding this comment

IevaVasiljeva Mar 22, 2023

Choose a reason for hiding this comment

IevaVasiljeva Mar 22, 2023

Choose a reason for hiding this comment

grafanabot commented Mar 29, 2023

jdbaldry commented Apr 12, 2023 • edited Loading

eleijonmarck commented Mar 2, 2023 •

edited

Loading

IevaVasiljeva left a comment •

edited

Loading

jdbaldry commented Apr 12, 2023 •

edited

Loading