Setup access control (#86)

* Use authz client to check perms on dashboard

* Update playwright config. Use browser sessions in playwright tests. Add tests as normal user as well

* Fix frontend config update

* JWT typ header checks are verified only when present. We will use our own fork of authlib to ensure that JWT verification works across versions of Grafana. Upstream declined to merge the changes into authlib.

* Use test specific snapshots as there are subtle differences between different tests

---------

Signed-off-by: Mahendra Paipuri <[email protected]>

.ci/docker-compose.yaml

@@ -34,7 +34,7 @@ services:
       # - GF_AUTH_DISABLE_LOGIN_FORM=true
       # We need to toggle external service accounts so that Grafana will get
       # the token from a service account to read dashboards
-      - GF_FEATURE_TOGGLES_ENABLE=${GF_FEATURE_TOGGLES_ENABLE:-externalServiceAccounts}
+      - GF_FEATURE_TOGGLES_ENABLE=${GF_FEATURE_TOGGLES_ENABLE:-accessControlOnCall,idForwarding,externalServiceAccounts}
       # disable alerting because it vomits logs
       - GF_ALERTING_ENABLED=false
       - GF_UNIFIED_ALERTING_ENABLED=false
@@ -95,7 +95,7 @@ services:
       # - GF_AUTH_DISABLE_LOGIN_FORM=true
       # We need to toggle external service accounts so that Grafana will get
       # the token from a service account to read dashboards
-      - GF_FEATURE_TOGGLES_ENABLE=${GF_FEATURE_TOGGLES_ENABLE:-externalServiceAccounts}
+      - GF_FEATURE_TOGGLES_ENABLE=${GF_FEATURE_TOGGLES_ENABLE:-accessControlOnCall,idForwarding,externalServiceAccounts}
       # disable alerting because it vomits logs
       - GF_ALERTING_ENABLED=false
       - GF_UNIFIED_ALERTING_ENABLED=false

.github/workflows/step_e2e-tests.yml

@@ -13,15 +13,35 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          # Grafana v10
+          # Grafana v10 with user cookie and without feature flags
+          # Plugin should skip checks based on feature flags and use cookie
+          - grafana-version: 10.3.0
+            remote-chrome-url: ''
+            feature-flags: 'accessControlOnCall,idForwarding,externalServiceAccounts'
+            # snapshots-folder: local-chrome
+            name: local-chrome-10.3.0-with-features
+
+          # Grafana v10 without user cookie and with feature flags
           - grafana-version: 10.4.5
             remote-chrome-url: ''
-            snapshots-folder: local-chrome
+            feature-flags: 'accessControlOnCall,idForwarding,externalServiceAccounts'
+            # snapshots-folder: local-chrome
+            name: local-chrome-10.4.5-with-features
+
+          # Grafana v10 without user cookie and feature flags for only service accounts.
+          # In this case Grafana should skip access control checks
+          - grafana-version: 10.4.7
+            remote-chrome-url: ws://localhost:9222
+            feature-flags: 'externalServiceAccounts'
+            # snapshots-folder: remote-chrome
+            name: remote-chrome-10.4.7-without-features
 
-          # Grafana v11
+          # Latest Grafana with remote chrome
           - grafana-version: 11.1.0
             remote-chrome-url: ws://localhost:9222
-            snapshots-folder: remote-chrome
+            feature-flags: 'accessControlOnCall,idForwarding,externalServiceAccounts'
+            # snapshots-folder: remote-chrome
+            name: remote-chrome-11.1.0-with-features
 
     steps:
       - uses: actions/checkout@v4
@@ -49,6 +69,7 @@ jobs:
         env:
           GRAFANA_VERSION: ${{ matrix.grafana-version }}
           GF_REPORTER_PLUGIN_REMOTE_CHROME_URL: ${{ matrix.remote-chrome-url }}
+          GF_FEATURE_TOGGLES_ENABLE: ${{ matrix.feature-flags }}
         run: |
           # Upload/Download artifacts wont preserve permissions
           # https://github.com/actions/upload-artifact?tab=readme-ov-file#permission-loss
@@ -73,15 +94,15 @@ jobs:
         uses: nowsprinting/diff-pdf-action@v1
         with:
           file1: default.pdf
-          file2: .ci/reports/${{ matrix.snapshots-folder }}/default.pdf
-          options: --verbose --output-diff=default-${{ matrix.snapshots-folder }}-diff.pdf
+          file2: .ci/reports/${{ matrix.name }}/default.pdf
+          options: --verbose --output-diff=default-${{ matrix.name }}-diff.pdf
 
       - name: Compare PDF report from TLS server
         uses: nowsprinting/diff-pdf-action@v1
         with:
           file1: alternative.pdf
-          file2: .ci/reports/${{ matrix.snapshots-folder }}/alternative.pdf
-          options: --verbose --output-diff=alternative-${{ matrix.snapshots-folder }}-diff.pdf
+          file2: .ci/reports/${{ matrix.name }}/alternative.pdf
+          options: --verbose --output-diff=alternative-${{ matrix.name }}-diff.pdf
 
       - name: Collect docker logs on failure
         if: failure()
@@ -93,7 +114,7 @@ jobs:
         if: failure()
         uses: actions/upload-artifact@v4
         with:
-          name: ui-test-output-${{ matrix.grafana-version }}
+          name: ui-test-output-${{ matrix.name }}
           path: |
             test-results
             docker-logs

docker-compose.yaml

@@ -37,7 +37,7 @@ services:
       # - GF_AUTH_DISABLE_LOGIN_FORM=true
       # We need to toggle external service accounts so that Grafana will get
       # the token from a service account to read dashboards
-      - GF_FEATURE_TOGGLES_ENABLE=${GF_FEATURE_TOGGLES_ENABLE:-externalServiceAccounts}
+      - GF_FEATURE_TOGGLES_ENABLE=${GF_FEATURE_TOGGLES_ENABLE:-accessControlOnCall,idForwarding,externalServiceAccounts}
       # disable alerting because it vomits logs
       - GF_ALERTING_ENABLED=false
       - GF_UNIFIED_ALERTING_ENABLED=false

go.mod

@@ -9,9 +9,11 @@ require (
 	github.com/chromedp/chromedp v0.10.0
 	github.com/grafana/grafana-plugin-sdk-go v0.242.0
 	github.com/magefile/mage v1.15.0
+	github.com/mahendrapaipuri/authlib v0.0.0-20240829124252-b9fafb827c67
 	github.com/sethvargo/go-envconfig v1.1.0
 	github.com/smartystreets/goconvey v1.8.1
 	github.com/stretchr/testify v1.9.0
+	golang.org/x/mod v0.17.0
 	golang.org/x/net v0.28.0
 )
 
@@ -28,6 +30,7 @@ require (
 	github.com/elazarl/goproxy v0.0.0-20240618083138-03be62527ccb // indirect
 	github.com/fatih/color v1.15.0 // indirect
 	github.com/getkin/kin-openapi v0.125.0 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
@@ -40,9 +43,11 @@ require (
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/flatbuffers v23.5.26+incompatible // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gopherjs/gopherjs v1.17.2 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
+	github.com/grafana/authlib/claims v0.0.0-20240814142503-ca29e2d96514 // indirect
 	github.com/grafana/otel-profiling-go v0.5.1 // indirect
 	github.com/grafana/pyroscope-go/godeltaprof v0.1.7 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/providers/prometheus v1.0.1 // indirect
@@ -68,6 +73,7 @@ require (
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
 	github.com/oklog/run v1.1.0 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
+	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
 	github.com/perimeterx/marshmallow v1.1.5 // indirect
 	github.com/pierrec/lz4/v4 v4.1.18 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
@@ -82,7 +88,7 @@ require (
 	github.com/unknwon/log v0.0.0-20200308114134-929b1006e34a // indirect
 	github.com/urfave/cli v1.22.15 // indirect
 	github.com/zeebo/xxh3 v1.0.2 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.51.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.53.0 // indirect
 	go.opentelemetry.io/contrib/propagators/jaeger v1.28.0 // indirect
 	go.opentelemetry.io/contrib/samplers/jaegerremote v0.20.0 // indirect
@@ -93,16 +99,16 @@ require (
 	go.opentelemetry.io/otel/sdk v1.28.0 // indirect
 	go.opentelemetry.io/otel/trace v1.28.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
+	golang.org/x/crypto v0.26.0 // indirect
 	golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
-	golang.org/x/mod v0.17.0 // indirect
 	golang.org/x/sync v0.8.0 // indirect
 	golang.org/x/sys v0.23.0 // indirect
 	golang.org/x/text v0.17.0 // indirect
 	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
-	google.golang.org/grpc v1.64.1 // indirect
+	google.golang.org/grpc v1.65.0 // indirect
 	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/fsnotify/fsnotify.v1 v1.4.7 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect