chore(update-contributors): do not skip ci (#3556)

grafana · Sep 19, 2024 · 6958c22 · 6958c22
1 parent b60259a
commit 6958c22
Show file tree

Hide file tree

Showing 7 changed files with 269 additions and 115 deletions.
diff --git a/api/gen/proto/go/vcs/v1/vcs.pb.go b/api/gen/proto/go/vcs/v1/vcs.pb.go
diff --git a/api/gen/proto/go/vcs/v1/vcs_vtproto.pb.go b/api/gen/proto/go/vcs/v1/vcs_vtproto.pb.go
diff --git a/api/openapiv2/gen/phlare.swagger.json b/api/openapiv2/gen/phlare.swagger.json
@@ -1089,15 +1089,25 @@
       "type": "object",
       "properties": {
         "cookie": {
-          "type": "string"
+          "type": "string",
+          "title": "Deprecated"
+        },
+        "token": {
+          "type": "string",
+          "title": "base64 encoded encrypted token"
         }
       }
     },
     "v1GithubRefreshResponse": {
       "type": "object",
       "properties": {
         "cookie": {
-          "type": "string"
+          "type": "string",
+          "title": "Deprecated"
+        },
+        "token": {
+          "type": "string",
+          "title": "base64 encoded encrypted token"
         }
       }
     },

diff --git a/api/vcs/v1/vcs.proto b/api/vcs/v1/vcs.proto
@@ -21,13 +21,19 @@ message GithubLoginRequest {
 }
 
 message GithubLoginResponse {
+  // Deprecated
   string cookie = 1;
+  // base64 encoded encrypted token
+  string token = 2;
 }
 
 message GithubRefreshRequest {}
 
 message GithubRefreshResponse {
+  // Deprecated
   string cookie = 1;
+  // base64 encoded encrypted token
+  string token = 2;
 }
 
 message GetFileRequest {

diff --git a/pkg/querier/vcs/service.go b/pkg/querier/vcs/service.go
@@ -67,14 +67,20 @@ func (q *Service) GithubLogin(ctx context.Context, req *connect.Request[vcsv1.Gi
 		return nil, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("failed to authorize with GitHub"))
 	}
 
-	cookie, err := encodeToken(token, encryptionKey)
+	cookie, err := encodeTokenInCookie(token, encryptionKey)
+	if err != nil {
+		q.logger.Log("err", err, "msg", "failed to encode legacy GitHub OAuth token")
+		return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("failed to refresh token"))
+	}
+
+	encoded, err := encryptToken(token, encryptionKey)
 	if err != nil {
 		q.logger.Log("err", err, "msg", "failed to encode GitHub OAuth token")
-		return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("failed to authorize with GitHub"))
 	}
 
 	res := &vcsv1.GithubLoginResponse{
 		Cookie: cookie.String(),
+		Token:  encoded,
 	}
 	return connect.NewResponse(res), nil
 }
@@ -106,14 +112,20 @@ func (q *Service) GithubRefresh(ctx context.Context, req *connect.Request[vcsv1.
 		return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("failed to process token"))
 	}
 
-	cookie, err := encodeToken(newToken, derivedKey)
+	cookie, err := encodeTokenInCookie(newToken, derivedKey)
 	if err != nil {
-		q.logger.Log("err", err, "msg", "failed to encode GitHub OAuth token")
+		q.logger.Log("err", err, "msg", "failed to encode legacy GitHub OAuth token")
 		return nil, connect.NewError(connect.CodeInternal, fmt.Errorf("failed to refresh token"))
 	}
 
+	encoded, err := encryptToken(newToken, derivedKey)
+	if err != nil {
+		q.logger.Log("err", err, "msg", "failed to encode GitHub OAuth token")
+	}
+
 	res := &vcsv1.GithubRefreshResponse{
 		Cookie: cookie.String(),
+		Token:  encoded,
 	}
 	return connect.NewResponse(res), nil
 }

diff --git a/pkg/querier/vcs/token.go b/pkg/querier/vcs/token.go
@@ -23,7 +23,8 @@ const (
 	sessionCookieName = "GitSession"
 )
 
-type gitSessionTokenCookie struct {
+// Deprecated
+type legacyGitSessionTokenCookie struct {
 	Metadata        string `json:"metadata"`
 	ExpiryTimestamp int64  `json:"expiry"`
 }
@@ -102,14 +103,14 @@ func tokenFromRequest(ctx context.Context, req connect.AnyRequest) (*oauth2.Toke
 	return token, nil
 }
 
-// encodeToken encrypts then base64 encodes an OAuth token.
-func encodeToken(token *oauth2.Token, key []byte) (*http.Cookie, error) {
+// Deprecated: encodeTokenInCookie creates a cookie by encrypting then base64 encoding an OAuth token.
+func encodeTokenInCookie(token *oauth2.Token, key []byte) (*http.Cookie, error) {
 	encrypted, err := encryptToken(token, key)
 	if err != nil {
 		return nil, err
 	}
 
-	bytes, err := json.Marshal(gitSessionTokenCookie{
+	bytes, err := json.Marshal(legacyGitSessionTokenCookie{
 		Metadata:        encrypted,
 		ExpiryTimestamp: token.Expiry.UnixMilli(),
 	})
@@ -133,23 +134,32 @@ func encodeToken(token *oauth2.Token, key []byte) (*http.Cookie, error) {
 func decodeToken(value string, key []byte) (*oauth2.Token, error) {
 	var token *oauth2.Token
 
+	token, err := decryptToken(value, key)
+	if err != nil {
+		// This may be a legacy cookie. Legacy cookies are base64 encoded JSON objects.
+		token, innerErr := decodeLegacyToken(value, key)
+		if innerErr != nil {
+			// Legacy fallback failed, return the original error.
+			return nil, err
+		}
+		return token, nil
+	}
+	return token, nil
+}
+
+// Deprecated: decodeLegacyToken base64 decodes and decrypts a legacyGitSessionTokenCookie
+func decodeLegacyToken(value string, key []byte) (*oauth2.Token, error) {
+	var token *oauth2.Token
+
 	decoded, err := base64.StdEncoding.DecodeString(value)
 	if err != nil {
 		return nil, err
 	}
 
-	sessionToken := gitSessionTokenCookie{}
+	sessionToken := legacyGitSessionTokenCookie{}
 	err = json.Unmarshal(decoded, &sessionToken)
 	if err != nil {
-		// This may be a legacy cookie. Legacy cookies aren't base64 encoded
-		// JSON objects, but rather a base64 encoded crypto hash.
-		var innerErr error
-		token, innerErr = decryptToken(value, key)
-		if innerErr != nil {
-			// Legacy fallback failed, return the original error.
-			return nil, err
-		}
-		return token, nil
+		return nil, err
 	}
 
 	token, err = decryptToken(sessionToken.Metadata, key)

diff --git a/pkg/querier/vcs/token_test.go b/pkg/querier/vcs/token_test.go
@@ -172,7 +172,7 @@ func Test_tokenFromRequest(t *testing.T) {
 	})
 }
 
-func Test_encodeToken(t *testing.T) {
+func Test_encodeTokenInCookie(t *testing.T) {
 	githubSessionSecret = []byte("16_byte_key_XXXX")
 	ctx := newTestContext()
 
@@ -186,7 +186,7 @@ func Test_encodeToken(t *testing.T) {
 		Expiry:       time.Unix(1713298947, 0).UTC(), // 2024-04-16T20:22:27.346Z
 	}
 
-	got, err := encodeToken(token, derivedKey)
+	got, err := encodeTokenInCookie(token, derivedKey)
 	require.NoError(t, err)
 	require.Equal(t, sessionCookieName, got.Name)
 	require.NotEmpty(t, got.Value)
@@ -258,7 +258,7 @@ func Test_tenantIsolation(t *testing.T) {
 	derivedKeyA, err := deriveEncryptionKeyForContext(ctxA)
 	require.NoError(t, err)
 
-	encodedTokenA, err := encodeToken(&oauth2.Token{
+	encodedTokenA, err := encodeTokenInCookie(&oauth2.Token{
 		AccessToken: "so_secret",
 	}, derivedKeyA)
 	require.NoError(t, err)
@@ -298,7 +298,7 @@ func newTestContextWithTenantID(tenantID string) context.Context {
 func testEncodeCookie(t *testing.T, key []byte, token *oauth2.Token) *http.Cookie {
 	t.Helper()
 
-	encoded, err := encodeToken(token, key)
+	encoded, err := encodeTokenInCookie(token, key)
 	require.NoError(t, err)
 
 	return encoded