From 09a1fb0041978a2ac576b6bdf4e38ebe235b5b42 Mon Sep 17 00:00:00 2001
From: Christian Elberfeld <6413499+elberfeld@users.noreply.github.com>
Date: Sat, 1 Jun 2024 22:08:50 +0200
Subject: [PATCH] grafana oauth config

---
 testserver/docker_grafana/Documentation.md | 36 ++++++++++++++++++
 testserver/docker_grafana/tasks/main.yml | 1 +
 .../templates/docker-compose.yml | 4 +-
 .../docker_grafana/templates/grafana.ini | 37 ++++++++++++++++++-
 4 files changed, 75 insertions(+), 3 deletions(-)
 create mode 100644 testserver/docker_grafana/Documentation.md

diff --git a/testserver/docker_grafana/Documentation.md b/testserver/docker_grafana/Documentation.md
new file mode 100644
index 00000000..771c3e47
--- /dev/null
+++ b/testserver/docker_grafana/Documentation.md
@@ -0,0 +1,36 @@
+
+# Overview
+
+* Anonymous Access is possible with Viewer permissions
+* Authentication to Grafana is only possible with an account in uffd, regular authentication is disabled
+* All users with group 'grafana_access' can access the Application and get Editor permissions
+* Users with group 'grafana_admin' get administrative privileges in Grafana
+
+# Setup OIDC Authentication via uffd
+
+Uffd Reference: https://git.cccv.de/uffd
+
+
+## Setup in Grafana
+
+All setup is done in the grafana.ini
+References:
+* https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/
+* https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/generic-oauth/
+
+## Setup in uffd
+
+Create Groups:
+
+- grafana_access: General Access to Grafana
+- grafana_admin: Admin Access to Grafana
+
+Create a Service / OAuth Client:
+
+Only Users with goup grafana_access can access Wordpress
+
+Client-ID: grafana
+Client-Secret: from file oauth_client_secret on the server
+Redirect-URIs:
+* https://grafana.test-warpzone.de/login/generic_oauth
+ 
diff --git a/testserver/docker_grafana/tasks/main.yml b/testserver/docker_grafana/tasks/main.yml index 2cfccfda..7254d033 100644 --- a/testserver/docker_grafana/tasks/main.yml +++ b/testserver/docker_grafana/tasks/main.yml @@ -3,6 +3,7 @@ - include_tasks: ../functions/get_secret.yml with_items: - { path: "{{ basedir }}/secrets/grafana_admin_pass", length: 12 } + - { path: "{{ basedir }}/secrets/oauth_client_secret", length: 32 } # - { path: "/srv/mqtt/influxdb_token", length: -1 } - name: create folder struct for grafana diff --git a/testserver/docker_grafana/templates/docker-compose.yml b/testserver/docker_grafana/templates/docker-compose.yml index ff4e34c0..6b81b987 100644 --- a/testserver/docker_grafana/templates/docker-compose.yml +++ b/testserver/docker_grafana/templates/docker-compose.yml @@ -2,7 +2,7 @@ services: app: - image: grafana/grafana:latest + image: grafana/grafana-oss:latest restart: always volumes: - "{{ basedir }}/grafana.ini:/etc/grafana/grafana.ini" @@ -10,6 +10,8 @@ services: environment: GF_SERVER_ROOT_URL: "https://{{ domain }}" GF_SECURITY_ADMIN_PASSWORD: "{{ grafana_admin_pass }}" + GF_AUTH_OAUTH_ALLOW_INSECURE_EMAIL_LOOKUP: "true" + GF_LOG_LEVEL: "debug" labels: - traefik.enable=true - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`) diff --git a/testserver/docker_grafana/templates/grafana.ini b/testserver/docker_grafana/templates/grafana.ini index 7fa96d17..bf7de3a1 100644 --- a/testserver/docker_grafana/templates/grafana.ini +++ b/testserver/docker_grafana/templates/grafana.ini @@ -108,7 +108,7 @@ allow_org_create = false auto_assign_org = true # Default role new users will be automatically assigned (if disabled above is set to true) -auto_assign_org_role = Viewer +# auto_assign_org_role = Viewer # Background text for the user field on the login page login_hint = Fallback account 
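Review bot: `image: grafana/grafana-oss:latest` keeps the deployment on an unpinned tag at the same moment the commit starts relying on OAuth role-mapping knobs (`skip_org_role_sync`, `allow_assign_grafana_admin`, `role_attribute_path`) whose behaviour has, as far as I recall, been reworked across recent Grafana major releases. An unannounced image upgrade could therefore silently change who ends up with Admin or GrafanaAdmin rights. I would pin at least the major version, `image: grafana/grafana-oss:11`, or better a digest, and bump it deliberately after re-testing the login flow.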
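Review bot: `GF_AUTH_OAUTH_ALLOW_INSECURE_EMAIL_LOOKUP: "true"` tells Grafana to attach an OAuth login to an existing account whose email matches when no account with that login exists, which Grafana's own documentation flags as an account-takeover risk unless the identity provider guarantees verified, unique email addresses. The grafana.ini in this same commit only requests `scopes = profile` and disables the local login form, so it is unclear the lookup is needed at all; I would drop the line, or keep it only with a comment stating why uffd's email claims can be trusted. `GF_LOG_LEVEL: "debug"` is understandable while wiring this up, but at that level Grafana logs OAuth request and userinfo details, so it should not stay on after the rollout — a `# TODO: remove once OAuth login is verified` comment next to it, or removing it before merge, would be the safer default.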
@@ -119,7 +119,7 @@ default_theme = dark [auth] # Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false ;disable_login_form = false -disable_login_form = false +disable_login_form = true # Auto Login via OAuth oauth_auto_login = true @@ -127,6 +127,7 @@ oauth_auto_login = true # Set to true to disable the signout link in the side menu. useful if you use auth.proxy, defaults to false ;disable_signout_menu = false + #################################### Anonymous Auth ########################## [auth.anonymous] # enable anonymous access @@ -135,6 +136,38 @@ enabled = true # specify organization name that should be used for unauthenticated users org_name = Main Org. +# Role for unauthenticated users, other valid values are `Editor` and `Admin` +org_role = Viewer + +#################################### Generic OAuth ########################## +[auth.generic_oauth] + +# Enable OAuth Authentication +enabled = true +name = OAuth + +# Users cann be created by OAuth login +allow_sign_up = true + + +# OAuth Client Settings +client_id = grafana +client_secret = {{ oauth_client_secret}} +scopes = profile +auth_url = {{ oauth_global.authorize_url }} +token_url = {{ oauth_global.token_url }} +api_url = {{ oauth_global.userinfo_url }} + +# Attribute Mappings +#login_attribute_path = nickname +#name_attribute_path = nickname + +# Role Mapping +skip_org_role_sync = false +allow_assign_grafana_admin = true +role_attribute_path = contains(groups[*], 'grafana_admin') && 'GrafanaAdmin' || 'Editor' + + #################################### Alerting ############################ [alerting] # Disable alerting engine & UI features -- GitLab
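Review bot: With `disable_login_form = true` combined with the existing `oauth_auto_login = true`, uffd becomes the only way into Grafana, so the local admin account hinted at by `login_hint = Fallback account` in the earlier hunk is no longer reachable from the UI; a broken client secret or an uffd outage locks operators out as well. As far as I know the `/login?disableAutoLogin` query parameter only skips the redirect and does not bring back a hidden form, so recovery means editing this file and restarting the container. I would record that in the ini, e.g. `# Break-glass: set disable_login_form = false and restart to reach the local admin account`, or leave the form enabled until the OIDC setup has been validated on this test server.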
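Review bot: `role_attribute_path = contains(groups[*], 'grafana_admin') && 'GrafanaAdmin' || 'Editor'` hands `Editor` to every authenticated user the expression cannot classify as an admin, so the "only grafana_access members may log in" rule described in the new documentation rests entirely on the uffd client configuration; if that gate is ever loosened, every uffd account silently becomes a Grafana Editor. I would encode the rule a second time on the Grafana side with `role_attribute_path = contains(groups[*], 'grafana_admin') && 'GrafanaAdmin' || contains(groups[*], 'grafana_access') && 'Editor'` plus `role_attribute_strict = true`, so a login whose userinfo lacks the expected group is rejected instead of defaulting to Editor. Whether the `groups` claim is actually present in the userinfo response when only `scopes = profile` is requested depends on uffd and is worth confirming, since with strict mode a missing claim would deny everyone.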