Add multi-auth devenv (#57609)

* add authentik devenv

* remove direct dependency on spew

* use cn

* add authentik instructions

* add backup instructions

devenv/docker/blocks/auth/authentik/README.md

@@ -0,0 +1,67 @@
+# Authentik block
+
+Authentik is an open source idP that supports LDAP, SAML, OAuth.
+
+Useful for testing a second implementation
+
+## Currently configured in DB and instructions
+
+- [x] LDAP
+- [ ] SAML
+- [ ] OAuth
+
+## Deployment
+
+First build and deploy the `openldap` container.
+
+```bash
+make devenv sources=auth/authentik
+```
+
+### Exposed ports
+
+The container will expose port `3389` and `6636` as LDAP and LDAPS.
+
+The container will expose port `9000` for API and Admin interface.
+
+
+## LDAP Setup
+
+The following changes are needed at Grafana's configuration file.
+
+```ini
+[auth.ldap]
+enabled = true
+config_file = devenv/docker/blocks/auth/authentik/ldap_authentik.toml
+
+sync_cron = "* * * * 1"
+active_sync_enabled = true
+```
+
+## Available users and groups
+
+*authentik admin*: 
+
+- username: akadmin
+- email: admin@localhost
+- password: admin
+
+*grafana logins*:
+
+- username: authentik-admin
+- password: grafana
+
+- username: authentik-editor
+- password: grafana
+
+- username: authentik-viewer
+- password: grafana
+
+## Backing up DB
+
+In case you want to make changes to the devenv setup, you can dump keycloak's DB:
+
+```bash
+cd devenv;
+docker-compose exec -T authentikdb bash -c "pg_dump -U authentik authentik" > docker/blocks/auth/authentik/cloak.sql
+```

devenv/docker/blocks/auth/authentik/docker-compose.yaml

@@ -0,0 +1,91 @@
+  authentikdb:
+    image: docker.io/library/postgres:12-alpine
+    restart: unless-stopped
+    container_name: authentikdb
+    environment:
+      POSTGRES_DB: authentik
+      POSTGRES_USER: authentik
+      POSTGRES_PASSWORD: authentik
+    volumes:
+      - ./docker/blocks/auth/authentik/cloak.sql:/docker-entrypoint-initdb.d/cloak.sql
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 5s
+
+  authentikredis:
+    image: docker.io/library/redis:alpine
+    restart: unless-stopped
+    command: --save 60 1 --loglevel warning
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+      start_period: 20s
+      interval: 30s
+      retries: 5
+      timeout: 3s
+
+  authentik_ldap:
+    image: ghcr.io/goauthentik/ldap
+    ports:
+      - 3389:3389
+      - 6636:6636
+    environment:
+      AUTHENTIK_HOST: http://authentik:9000
+      AUTHENTIK_INSECURE: "true"
+      AUTHENTIK_TOKEN: 77vDKwFWqCAsD9ykbH6vsGuMHtloM6urfeglrR9KRhWFcABtwmGGiQWHQStw
+    links:
+      - "authentik:authentik"
+
+  authentik:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.10.0}
+    restart: unless-stopped
+    container_name: authentik
+    command: server
+    environment:
+      AUTHENTIK_SECRET_KEY: FA8GANUqMJwFg0drDlurF+ZQK2A6ohSjc4MGksUqN+A36yIA
+      AUTHENTIK_REDIS__HOST: authentikredis
+      AUTHENTIK_POSTGRESQL__HOST: authentikdb
+      AUTHENTIK_POSTGRESQL__USER: authentik
+      AUTHENTIK_POSTGRESQL__NAME: authentik
+      AUTHENTIK_POSTGRESQL__PASSWORD: authentik
+      AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
+    ports:
+      - 9000:9000
+    depends_on:
+      - authentikdb
+      - authentikredis
+    volumes:
+      - ./media:/media
+      - ./certs:/certs
+      - ./custom-templates:/templates
+      - ./geoip:/geoip
+    links:
+      - "authentikdb:authentikdb"
+      - "authentikredis:authentikredis"
+
+  authentik-worker:
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.10.0}
+    restart: unless-stopped
+    container_name: authentik-worker
+    command: worker
+    environment:
+      AUTHENTIK_SECRET_KEY: FA8GANUqMJwFg0drDlurF+ZQK2A6ohSjc4MGksUqN+A36yIA
+      AUTHENTIK_REDIS__HOST: authentikredis
+      AUTHENTIK_POSTGRESQL__HOST: authentikdb
+      AUTHENTIK_POSTGRESQL__USER: authentik
+      AUTHENTIK_POSTGRESQL__NAME: authentik
+      AUTHENTIK_POSTGRESQL__PASSWORD: authentik
+      AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
+    depends_on:
+      - authentikdb
+      - authentikredis
+    volumes:
+      - ./media:/media
+      - ./certs:/certs
+      - ./custom-templates:/templates
+      - ./geoip:/geoip
+    links:
+      - "authentikdb:authentikdb"
+      - "authentikredis:authentikredis"

devenv/docker/blocks/auth/authentik/ldap_authentik.toml

@@ -0,0 +1,38 @@
+[[servers]]
+host = "127.0.0.1"
+port = 3389
+use_ssl = false
+start_tls = false
+ssl_skip_verify = true
+
+bind_dn = "cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io"
+bind_password = 'grafana'
+timeout = 10
+
+search_filter = "(cn=%s)"
+search_base_dns = ["DC=ldap,DC=goauthentik,DC=io"]
+
+# Specify names of the ldap attributes your ldap uses
+[servers.attributes]
+name = "displayName"
+surname = "sn"
+username = "cn"
+member_of = "memberOf"
+email =  "mail"
+
+# Map ldap groups to grafana org roles
+[[servers.group_mappings]]
+group_dn = "cn=admin,ou=groups,dc=ldap,dc=goauthentik,dc=io"
+org_role = "Admin"
+org_id = 1
+
+
+[[servers.group_mappings]]
+group_dn = "cn=editor,ou=groups,dc=ldap,dc=goauthentik,dc=io"
+org_role = "Editor"
+org_id = 1
+
+[[servers.group_mappings]]
+group_dn = "cn=viewer,ou=groups,dc=ldap,dc=goauthentik,dc=io"
+org_role = "Viewer"
+org_id = 1

devenv/docker/compose_header.yml

@@ -1,2 +1,2 @@
-version: "2.1"
+version: "3.4"
 services:

go.mod

@@ -31,7 +31,6 @@ require (
 	github.com/centrifugal/centrifuge v0.25.0
 	github.com/cortexproject/cortex v1.10.1-0.20211014125347-85c378182d0d
 	github.com/crewjam/saml v0.4.8
-	github.com/davecgh/go-spew v1.1.1
 	github.com/denisenkom/go-mssqldb v0.12.0
 	github.com/dop251/goja v0.0.0-20210804101310-32956a348b49
 	github.com/fatih/color v1.13.0
@@ -45,7 +44,7 @@ require (
 	github.com/go-sql-driver/mysql v1.6.0
 	github.com/go-stack/stack v1.8.1
 	github.com/gobwas/glob v0.2.3
-	github.com/gofrs/uuid v4.3.0+incompatible // indirect
+	github.com/gofrs/uuid v4.3.0+incompatible
 	github.com/gogo/protobuf v1.3.2
 	github.com/golang/mock v1.6.0
 	github.com/golang/snappy v0.0.4
@@ -268,6 +267,7 @@ require (
 	github.com/bmatcuk/doublestar v1.1.1 // indirect
 	github.com/buildkite/yaml v2.1.0+incompatible // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/drone/drone-yaml v0.0.0-20190729072335-70fa398b3560 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect

go.sum

@@ -3088,7 +3088,6 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8 h1:nAL+RVCQ9uMn3vJZbV+MRnydTJFPf8qqY42YiA6MrqY=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=

pkg/models/user_auth.go

@@ -1,6 +1,7 @@
 package models
 
 import (
+	"fmt"
 	"time"
 
 	"github.com/grafana/grafana/pkg/services/org"
@@ -37,6 +38,10 @@ type ExternalUserInfo struct {
 	IsDisabled     bool
 }
 
+func (e *ExternalUserInfo) String() string {
+	return fmt.Sprintf("%+v", *e)
+}
+
 type LoginInfo struct {
 	AuthModule    string
 	User          *user.User

pkg/services/ldap/ldap.go

@@ -12,7 +12,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/davecgh/go-spew/spew"
 	"gopkg.in/ldap.v3"
 
 	"github.com/grafana/grafana/pkg/infra/log"
@@ -303,7 +302,7 @@ func (server *Server) Users(logins []string) (
 	}
 
 	server.log.Debug(
-		"LDAP users found", "users", spew.Sdump(serializedUsers),
+		"LDAP users found", "users", fmt.Sprintf("%v", serializedUsers),
 	)
 
 	return serializedUsers, nil