From c28b49e5d1786ece33fbfe0fb07bf86cc2983655 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=A1bor=20Farkas?=
Date: Tue, 18 Mar 2025 13:51:49 +0100
Subject: [PATCH] datasources: querier: single-tenant auth (#102049)

---
 pkg/registry/apis/query/register.go | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/pkg/registry/apis/query/register.go b/pkg/registry/apis/query/register.go
index 4f8303126fb..44f15087832 100644
--- a/pkg/registry/apis/query/register.go
+++ b/pkg/registry/apis/query/register.go
@@ -1,6 +1,7 @@
 package query
 
 import (
+	"context"
 	"encoding/json"
 
 	"github.com/prometheus/client_golang/prometheus"
@@ -13,6 +14,7 @@ import (
 	common "k8s.io/kube-openapi/pkg/common"
 	"k8s.io/kube-openapi/pkg/spec3"
 
+	claims "github.com/grafana/authlib/types"
 	query "github.com/grafana/grafana/pkg/apis/query/v0alpha1"
 	"github.com/grafana/grafana/pkg/expr"
 	"github.com/grafana/grafana/pkg/infra/log"
@@ -38,6 +40,8 @@ type QueryAPIBuilder struct {
 	userFacingDefaultError string
 	features featuremgmt.FeatureToggles
 
+	authorizer authorizer.Authorizer
+
 	tracer tracing.Tracer
 	metrics *queryMetrics
 	parser *queryParser
@@ -49,6 +53,7 @@ type QueryAPIBuilder struct {
 
 func NewQueryAPIBuilder(features featuremgmt.FeatureToggles,
 	client clientapi.DataSourceClientSupplier,
+	ar authorizer.Authorizer,
 	registry query.DataSourceApiServerRegistry,
 	legacy service.LegacyDataSourceLookup,
 	registerer prometheus.Registerer,
@@ -75,6 +80,7 @@ func NewQueryAPIBuilder(features featuremgmt.FeatureToggles,
 		concurrentQueryLimit: 4,
 		log: log.New("query_apiserver"),
 		client: client,
+		authorizer: ar,
 		registry: registry,
 		parser: newQueryParser(reader, legacy, tracer, log.New("query_parser")),
 		metrics: newQueryMetrics(registerer),
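Review bot: The new `authorizer` field on `QueryAPIBuilder` and the new `ar` parameter of `NewQueryAPIBuilder` carry no comment, and the constructor does not reject a nil value, so a reader cannot tell whether nil is a supported "use the apiserver default" choice or an oversight; the `// default is OK` comment that used to document the nil case is removed further down in this patch. A field comment would settle it: `// authorizer gates every request of this API group; nil keeps the apiserver's default authorization (as the previous nil GetAuthorizer did).` The struct definition and the constructor both continue outside these hunks.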
@@ -105,11 +111,25 @@ func RegisterAPIService(features featuremgmt.FeatureToggles,
 		return nil, nil // skip registration unless explicitly added (or all experimental are added)
 	}
 
+	ar := authorizer.AuthorizerFunc(
+		func(ctx context.Context, attr authorizer.Attributes) (authorized authorizer.Decision, reason string, err error) {
+			// we only verify that we have a valid user.
+			// the "real" check will happen when the specific
+			// data sources are loaded.
+			_, ok := claims.AuthInfoFrom(ctx)
+			if !ok {
+				return authorizer.DecisionDeny, "valid user is required", nil
+			}
+
+			return authorizer.DecisionAllow, "", nil
+		})
+
 	builder, err := NewQueryAPIBuilder(
 		features,
 		&CommonDataSourceClientSupplier{
 			Client: client.NewQueryClientForPluginClient(pluginClient, pCtxProvider),
 		},
+		ar,
 		client.NewDataSourceRegistryFromStore(pluginStore, dataSourcesService),
 		legacy, registerer, tracer,
 	)
@@ -167,7 +187,7 @@ func (b *QueryAPIBuilder) GetOpenAPIDefinitions() common.GetOpenAPIDefinitions {
 }
 
 func (b *QueryAPIBuilder) GetAuthorizer() authorizer.Authorizer {
-	return nil // default is OK
+	return b.authorizer
 }
 
 func (b *QueryAPIBuilder) PostProcessOpenAPI(oas *spec3.OpenAPI) (*spec3.OpenAPI, error) {
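Review bot: The `authorizer.AuthorizerFunc` literal allows any request whose context carries an AuthInfo and ignores `attr` entirely, so it never compares the caller's namespace with `attr.GetNamespace()` — for a "single-tenant auth" change the only property actually enforced is "some identity is present", and the deny reason `"valid user is required"` reads narrower than the check, since service or anonymous identities (if the surrounding code injects them) presumably satisfy `claims.AuthInfoFrom` too. The comment defers the real check to data-source loading, which holds only for handlers that load a data source; if this API group serves anything that does not (discovery, OpenAPI, expression-only queries), that path is reachable with nothing more than an authenticated context, so the comment should say so explicitly, e.g. `// NOTE: every handler in this group MUST do its own data-source-level authorization; this authorizer only rejects unauthenticated requests.` If the namespace check is cheap here, `info, ok := claims.AuthInfoFrom(ctx)` followed by a comparison of `info.GetNamespace()` against `attr.GetNamespace()` would make the tenant boundary explicit instead of implied. The named results `(authorized authorizer.Decision, reason string, err error)` are never assigned and can be plain `(authorizer.Decision, string, error)`. RegisterAPIService begins outside the hunk.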
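Review bot: `GetAuthorizer` now returns whatever was handed to `NewQueryAPIBuilder`, and the removed `// default is OK` comment was the only place recording that a nil return is acceptable, so a caller that still passes a nil `ar` silently restores the old behaviour without any note saying that is intended. Add a doc comment: `// GetAuthorizer returns the authorizer given to NewQueryAPIBuilder; nil keeps the apiserver's default authorization, as before this change.`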