PMM-12251 PMM-12686 Service accounts. (#2516) (#2852)

* PMM-12251 Service accounts.

* PMM-12251Create service account and token.

* PMM-12251 Another changes.

* PMM-12251 Fix for http client status code, creating of service token.

* PMM-12251 Set orgId to 1 to avoid problem with default (-1).

* PMM-12251 Mock regen.

* PMM-12251 Setup, tokens.

* PMM-12251 Basic/Bearer auth.

* PMM-12251 Set transport, check token/basic.

* PMM-12251 Tidy.

* PMM-12251 Lint, small changes.

* PMM-12251 Add test, logic changes.

* PMM-12251 Test, tokens funcs.

* PMM-12251 Not needed, set on transport.

* PMM-12251 Mock gen.

* PMM-12251 Node changes.

* PMM-12251 Add existedServiceToken to NodeRegister.

* PMM-12251 Typo.

* PMM-12251 Small logic changes. Validation.

* PMM-12251 Add API tests.

* PMM-12251 Align mock with changes.

* Revert "Merge remote-tracking branch 'origin/PMM-12251-service-accounts' into PMM-12251-service-accounts"

This reverts commit 82b5826, reversing
changes made to 88199cd.

* PMM-12251 Tidy.

* PMM-12251 Small refactor.

* PMM-12251 Fix.

* PMM-12251 Unregister.

* PMM-12251 Tidy.

* PMM-12251 Unregister complete.

* PMM-12251 Unregister.

* PMM-12251 Fix.

* PMM-12251 Remove print.

* PMM-12251 Refactor ID int64 to int.

* PMM-12251 Modify description in md to be aligned with Service acc.

* PMM-12251 Int64 to int in tests.

* PMM-12251 Lint.

* PMM-12251 Service token ID to int.

* PMM-12251 Lint.

* PMM-12251 Refactor of IF.

* PMM-12251 Warning instead error.

* PMM-12251 Auth tools, existed token got from headers.

* PMM-12251 Fix in doc.

* PMM-12251 Remove token prefix check.

* Revert "Bump @typescript-eslint/parser from 6.9.0 to 6.10.0 in /cli-tests (#2601)"

This reverts commit 2e66592.

* Revert "Bump @typescript-eslint/eslint-plugin from 6.9.0 to 6.10.0 in /cli-tests (#2600)"

This reverts commit b8a6e93.

* Revert "Bump golang.org/x/text from 0.13.0 to 0.14.0 (#2593)"

This reverts commit 7ca2c1a.

* Revert "Bump golang.org/x/sys from 0.13.0 to 0.14.0 (#2594)"

This reverts commit c472ab8.

* Revert "Bump eslint from 8.52.0 to 8.53.0 in /cli-tests (#2596)"

This reverts commit fac3eec.

* PMM-12251 Remove not used code.

* Revert "PMM-12251 Remove not used code."

This reverts commit 16cbe9e.

* PMM-12251 Token/headers fix.

* Revert "Revert "PMM-12251 Remove not used code.""

This reverts commit b979363.

* PMM-12251 Doc update.

* PMM-12251 Remove APIKey permissions tests.

* PMM-12251 Better error message.

* PMM-12251 Remove API key methods. Refactor.

* PMM-12251 Fix when token is empty.

* PMM-12251 Basic auth tests.

* PMM-12251 Small refactor.

* PMM-12251 API Tests clean.

* PMM-12251 Typo.

* PMM-12251 Start tests in parallel.

* PMM-12251 Force in test.

* PMM-12251 Merge CreateServiceAccount and CreateServiceToken together.

* PMM-12251 Mock.

* PMM-12251 Gen.

* PMM-12251 Refactor, node name.

* PMM-12251 Delete, mock and nodeName.

* PMM-12251 Fix node test after changes.

* PMM-12251 Fix test.

* PMM-12251 nodeName in Service Account name.

* PMM-12251 Change in naming.

* PMM-12251 Modify API test. Data race.

* PMM-12251 Changes.

* PMM-12251 Fix V3 failing tests.

* PMM-12251 Tests.

* PMM-12251 Double paralel.

* PMM-12251 Test.

* PMM-12251 Changes.

* PMM-12251 Changes in API test.

* PMM-12251 Modify test back.

* PMM-12251 Fix tests.

* PMM-12251 Fix version test.

* PMM-12251 Fix another cleanup.

* PMM-12251 Fix another tests.

* PMM-12251 Another fix of tests.

* PMM-12251 URL query escape.

* PMM-12251 Fix annotation API test.

* PMM-12251 Fix external API test.

* PMM-12251 Fix remove external API test.

* PMM-12251 Fix HAProxy API test.

* PMM-12251 Fix another API tests.

* PMM-12251 Node test.

* PMM-12251 Tidy.

* PMM-12251 Comment out for now.

* PMM-12251 TODO.

* PMM-12251 Temp, TODO lefts.

* PMM-12251 Cleanup for migrated API keys in API tests.

* PMM-12251 Cleanup for tests.

* PMM-12251 Add log error.

* PMM-12251 Lint.

* PMM-12251 Another fix for very long service accounts names.

* PMM-12251 Lint.

* PMM-12251 Required changes in mock.

* PMM-12251 Lint.

* PMM-12251 Remove comment.

* PMM-12251 Remove another duplicate test.

* PMM-12251 Seeds in generator, ctx.

* PMM-12251 Cleanup.

* PMM-12251 Make test names/SA names shorter due to limit.

* PMM-12251 Lint, formatting.

* PMM-12251 Remove leftover code, fix node tests.

* Update docs/api/welcome/authentication.md

Co-authored-by: Alex Demidoff <alexander.demidoff@percona.com>

* Update managed/services/grafana/client.go

Co-authored-by: Alex Demidoff <alexander.demidoff@percona.com>

* PMM-12251 Add debug error message.

* PMM-12251 Handle of non migrated API keys.

* PMM-12251 Fix test.

* PMM-12251 Small refactor.

* PMM-12251 Lint.

* Update api-tests/management/mongodb_test.go

Co-authored-by: Nurlan Moldomurov <nurlan.moldomurov@percona.com>

* Update api-tests/management/mongodb_test.go

Co-authored-by: Nurlan Moldomurov <nurlan.moldomurov@percona.com>

* Update api/managementpb/node.proto

Co-authored-by: Nurlan Moldomurov <nurlan.moldomurov@percona.com>

* PMM-12251 Gen after suggestions.

* PMM-12251 Gen after merge.

* PMM-12251 Another reverted changes.

* PMM-12686 Years in licence.

* PMM-12686 Basic/Token auth between server and client. (#2852)

* PMM-12686 Authorization between server and client.

* PMM-12686 Tests.

* PMM-12686 Lint.

* PMM-12686 Comment fix.

* PMM-12686 New required permissions for Connect endpoint.

* PMM-12686 Apply suggestion.

* PMM-12686 Add unit test for authenticate method.

* PMM-12686 Format.

* PMM-12686 Part changes after review.

* PMM-12686 Unit tests for auth server.

* PMM-12686 Revert unnecessary changes anymore.

* PMM-12686 Dynamic names in auth test.

* PMM-12686 Skip check for pmm-server agent.

* PMM-12686 Better local auth check.

* PMM-12686 Local auth check.

* PMM-12686 Refactor.

* PMM-12686 Refactor.

* PMM-12686 Refactor.

* PMM-12686 Fix.

* Update managed/services/grafana/auth_server.go

Co-authored-by: Alex Demidoff <alexander.demidoff@percona.com>

* PMM-12686 Revert of some changes.

* PMM-12686 Another reverted changes.

* PMM-12686 Years in licence.

* PMM-12686 Missed parallel in one test case.

---------

Co-authored-by: Alex Demidoff <alexander.demidoff@percona.com>

---------

Co-authored-by: Alex Demidoff <alexander.demidoff@percona.com>
Co-authored-by: Nurlan Moldomurov <nurlan.moldomurov@percona.com>

Author: 3 people

.mockery.yaml

@@ -38,7 +38,7 @@ packages:
     interfaces:
       agentsRegistry:
       agentsStateUpdater:
-      apiKeyProvider:
+      authProvider:
       checksService:
       connectionChecker:
       grafanaClient:

admin/commands/base/setup.go

@@ -88,8 +88,13 @@ func SetupClients(ctx context.Context, globalFlags *flags.GlobalFlags) {
 	// use JSON APIs over HTTP/1.1
 	transport := httptransport.New(globalFlags.ServerURL.Host, globalFlags.ServerURL.Path, []string{globalFlags.ServerURL.Scheme})
 	if u := globalFlags.ServerURL.User; u != nil {
+		user := u.Username()
 		password, _ := u.Password()
-		transport.DefaultAuthentication = httptransport.BasicAuth(u.Username(), password)
+		if user == "service_token" || user == "api_key" {
+			transport.DefaultAuthentication = httptransport.BearerToken(password)
+		} else {
+			transport.DefaultAuthentication = httptransport.BasicAuth(user, password)
+		}
 	}
 	transport.SetLogger(logrus.WithField("component", "server-transport"))
 	transport.SetDebug(globalFlags.EnableDebug || globalFlags.EnableTrace)

admin/commands/management/unregister.go

@@ -16,12 +16,15 @@ package management
 
 import (
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 
 	"github.com/percona/pmm/admin/agentlocal"
 	"github.com/percona/pmm/admin/commands"
 	"github.com/percona/pmm/admin/helpers"
-	"github.com/percona/pmm/api/inventorypb/json/client"
+	inventoryClient "github.com/percona/pmm/api/inventorypb/json/client"
 	"github.com/percona/pmm/api/inventorypb/json/client/nodes"
+	"github.com/percona/pmm/api/managementpb/json/client"
+	"github.com/percona/pmm/api/managementpb/json/client/node"
 )
 
 type unregisterResult struct {
@@ -63,7 +66,7 @@ func (cmd *UnregisterCommand) RunCmd() (commands.Result, error) {
 		}
 
 		nodeID = status.NodeID
-		node, err := client.Default.Nodes.GetNode(&nodes.GetNodeParams{
+		node, err := inventoryClient.Default.Nodes.GetNode(&nodes.GetNodeParams{
 			Context: commands.Ctx,
 			Body: nodes.GetNodeBody{
 				NodeID: nodeID,
@@ -78,27 +81,31 @@ func (cmd *UnregisterCommand) RunCmd() (commands.Result, error) {
 		}
 	}
 
-	params := &nodes.RemoveNodeParams{
-		Body: nodes.RemoveNodeBody{
+	params := &node.UnregisterNodeParams{
+		Body: node.UnregisterNodeBody{
 			NodeID: nodeID,
 			Force:  cmd.Force,
 		},
 		Context: commands.Ctx,
 	}
 
-	_, err = client.Default.Nodes.RemoveNode(params)
+	res, err := client.Default.Node.UnregisterNode(params)
 	if err != nil {
 		return nil, err
 	}
 
+	if res.Payload.Warning != "" {
+		logrus.Warning(res.Payload.Warning)
+	}
+
 	return &unregisterResult{
 		NodeID:   nodeID,
 		NodeName: nodeName,
 	}, nil
 }
 
 func nodeIDFromNodeName(nodeName string) (string, error) {
-	listNodes, err := client.Default.Nodes.ListNodes(nil)
+	listNodes, err := inventoryClient.Default.Nodes.ListNodes(nil)
 	if err != nil {
 		return "", err
 	}

agent/client/basic_auth.go

@@ -17,6 +17,7 @@ package client
 import (
 	"context"
 	"encoding/base64"
+	"fmt"
 
 	"google.golang.org/grpc/credentials"
 )
@@ -31,7 +32,7 @@ func (b *basicAuth) GetRequestMetadata(ctx context.Context, uri ...string) (map[
 	auth := b.username + ":" + b.password
 	enc := base64.StdEncoding.EncodeToString([]byte(auth))
 	return map[string]string{
-		"authorization": "Basic " + enc,
+		"Authorization": fmt.Sprintf("Basic %s", enc),
 	}, nil
 }
 

agent/client/client.go

@@ -748,10 +748,16 @@ func dial(dialCtx context.Context, cfg *config.Config, l *logrus.Entry) (*dialRe
 	}
 
 	if cfg.Server.Username != "" {
-		opts = append(opts, grpc.WithPerRPCCredentials(&basicAuth{
-			username: cfg.Server.Username,
-			password: cfg.Server.Password,
-		}))
+		if cfg.Server.Username == "service_token" || cfg.Server.Username == "api_key" {
+			opts = append(opts, grpc.WithPerRPCCredentials(&tokenAuth{
+				token: cfg.Server.Password,
+			}))
+		} else {
+			opts = append(opts, grpc.WithPerRPCCredentials(&basicAuth{
+				username: cfg.Server.Username,
+				password: cfg.Server.Password,
+			}))
+		}
 	}
 
 	l.Infof("Connecting to %s ...", cfg.Server.FilteredURL())

agent/client/token_auth.go

@@ -0,0 +1,43 @@
+// Copyright (C) 2023 Percona LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//  http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package client
+
+import (
+	"context"
+	"fmt"
+
+	"google.golang.org/grpc/credentials"
+)
+
+type tokenAuth struct {
+	token string
+}
+
+// GetRequestMetadata implements credentials.PerRPCCredentials interface.
+func (t *tokenAuth) GetRequestMetadata(ctx context.Context, uri ...string) (map[string]string, error) { //nolint:revive
+	return map[string]string{
+		"Authorization": fmt.Sprintf("Bearer %s", t.token),
+	}, nil
+}
+
+// RequireTransportSecurity implements credentials.PerRPCCredentials interface.
+func (*tokenAuth) RequireTransportSecurity() bool {
+	return false
+}
+
+// check interfaces.
+var (
+	_ credentials.PerRPCCredentials = (*tokenAuth)(nil)
+)

agent/commands/clients.go

@@ -104,8 +104,13 @@ func setServerTransport(u *url.URL, insecureTLS bool, l *logrus.Entry) {
 	// use JSON APIs over HTTP/1.1
 	transport := httptransport.New(u.Host, u.Path, []string{u.Scheme})
 	if u.User != nil {
+		user := u.User.Username()
 		password, _ := u.User.Password()
-		transport.DefaultAuthentication = httptransport.BasicAuth(u.User.Username(), password)
+		if user == "service_token" || user == "api_key" {
+			transport.DefaultAuthentication = httptransport.BearerToken(password)
+		} else {
+			transport.DefaultAuthentication = httptransport.BasicAuth(user, password)
+		}
 	}
 	transport.SetLogger(l)
 	transport.SetDebug(l.Logger.GetLevel() >= logrus.DebugLevel)

agent/commands/setup.go

@@ -160,10 +160,10 @@ func register(cfg *config.Config, l *logrus.Entry) {
 	}
 	cfg.ID = agentID
 	if token != "" {
-		cfg.Server.Username = "api_key"
+		cfg.Server.Username = "service_token"
 		cfg.Server.Password = token
 	} else {
-		l.Info("PMM Server responded with an empty api key token. Consider upgrading PMM Server to the latest version.")
+		l.Info("PMM Server responded with an empty service token. Consider upgrading PMM Server to the latest version.")
 	}
 	fmt.Printf("Registered.\n")
 }

api-tests/helpers.go

@@ -17,19 +17,23 @@ package apitests
 
 import (
 	"context"
+	"crypto/rand"
 	"fmt"
-	"math/rand"
+	"math"
+	"math/big"
 	"reflect"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
 
-	"github.com/percona/pmm/api/inventorypb/json/client"
+	inventoryClient "github.com/percona/pmm/api/inventorypb/json/client"
 	"github.com/percona/pmm/api/inventorypb/json/client/agents"
 	"github.com/percona/pmm/api/inventorypb/json/client/nodes"
 	"github.com/percona/pmm/api/inventorypb/json/client/services"
+	"github.com/percona/pmm/api/managementpb/json/client"
+	"github.com/percona/pmm/api/managementpb/json/client/node"
 )
 
 // ErrorResponse represents the response structure for error scenarios.
@@ -49,7 +53,10 @@ type TestingT interface {
 func TestString(t TestingT, name string) string {
 	t.Helper()
 
-	n := rand.Int() //nolint:gosec
+	// Without proper seed parallel tests can generate same "random" number.
+	n, err := rand.Int(rand.Reader, big.NewInt(math.MaxInt32))
+	require.NoError(t, err)
+
 	return fmt.Sprintf("pmm-api-tests/%s/%s/%s/%d", Hostname, t.Name(), name, n)
 }
 
@@ -130,6 +137,26 @@ func (tt *expectedFailureTestingT) Check() {
 	tt.t.Fatalf("%s expected to fail, but didn't: %s", tt.Name(), tt.link)
 }
 
+// UnregisterNodes unregister specified nodes.
+func UnregisterNodes(t TestingT, nodeIDs ...string) {
+	t.Helper()
+
+	for _, nodeID := range nodeIDs {
+		params := &node.UnregisterNodeParams{
+			Body: node.UnregisterNodeBody{
+				NodeID: nodeID,
+			},
+			Context: context.Background(),
+		}
+
+		res, err := client.Default.Node.UnregisterNode(params)
+		require.NoError(t, err)
+		assert.NotNil(t, res)
+		assert.NotNil(t, res.Payload)
+		assert.Empty(t, res.Payload.Warning)
+	}
+}
+
 // RemoveNodes removes specified nodes.
 func RemoveNodes(t TestingT, nodeIDs ...string) {
 	t.Helper()
@@ -141,7 +168,7 @@ func RemoveNodes(t TestingT, nodeIDs ...string) {
 			},
 			Context: context.Background(),
 		}
-		res, err := client.Default.Nodes.RemoveNode(params)
+		res, err := inventoryClient.Default.Nodes.RemoveNode(params)
 		assert.NoError(t, err)
 		assert.NotNil(t, res)
 	}
@@ -159,7 +186,7 @@ func RemoveServices(t TestingT, serviceIDs ...string) {
 			},
 			Context: context.Background(),
 		}
-		res, err := client.Default.Services.RemoveService(params)
+		res, err := inventoryClient.Default.Services.RemoveService(params)
 		assert.NoError(t, err)
 		assert.NotNil(t, res)
 	}
@@ -176,7 +203,7 @@ func RemoveAgents(t TestingT, agentIDs ...string) {
 			},
 			Context: context.Background(),
 		}
-		res, err := client.Default.Agents.RemoveAgent(params)
+		res, err := inventoryClient.Default.Agents.RemoveAgent(params)
 		assert.NoError(t, err)
 		assert.NotNil(t, res)
 	}
@@ -193,7 +220,7 @@ func AddGenericNode(t TestingT, nodeName string) *nodes.AddGenericNodeOKBodyGene
 		},
 		Context: Context,
 	}
-	res, err := client.Default.Nodes.AddGenericNode(params)
+	res, err := inventoryClient.Default.Nodes.AddGenericNode(params)
 	assert.NoError(t, err)
 	require.NotNil(t, res)
 	require.NotNil(t, res.Payload)
@@ -212,7 +239,7 @@ func AddRemoteNode(t TestingT, nodeName string) *nodes.AddRemoteNodeOKBody {
 		},
 		Context: Context,
 	}
-	res, err := client.Default.Nodes.AddRemoteNode(params)
+	res, err := inventoryClient.Default.Nodes.AddRemoteNode(params)
 	assert.NoError(t, err)
 	require.NotNil(t, res)
 	return res.Payload
@@ -227,7 +254,7 @@ func AddNode(t TestingT, nodeBody *nodes.AddNodeBody) *nodes.AddNodeOKBody {
 		Context: Context,
 	}
 
-	res, err := client.Default.Nodes.AddNode(params)
+	res, err := inventoryClient.Default.Nodes.AddNode(params)
 	assert.NoError(t, err)
 	require.NotNil(t, res)
 
@@ -238,7 +265,7 @@ func AddNode(t TestingT, nodeBody *nodes.AddNodeBody) *nodes.AddNodeOKBody {
 func AddPMMAgent(t TestingT, nodeID string) *agents.AddPMMAgentOKBody {
 	t.Helper()
 
-	res, err := client.Default.Agents.AddPMMAgent(&agents.AddPMMAgentParams{
+	res, err := inventoryClient.Default.Agents.AddPMMAgent(&agents.AddPMMAgentParams{
 		Body: agents.AddPMMAgentBody{
 			RunsOnNodeID: nodeID,
 		},