Auth: Implement reload function for LDAP (grafana#89267)

* keep config in a separate struct in LDAP

* implement reload function for LDAP

* remove param from sso service constructor

* update unit tests

* add feature flag

* remove nil params

* address feedback

* add unit test for disabled config

Author: dmihai

packages/grafana-data/src/types/featureToggles.gen.ts

@@ -195,4 +195,5 @@ export interface FeatureToggles {
   pinNavItems?: boolean;
   authZGRPCServer?: boolean;
   openSearchBackendFlowEnabled?: boolean;
+  ssoSettingsLDAP?: boolean;
 }

pkg/login/social/socialimpl/service_test.go

@@ -14,7 +14,6 @@ import (
 	"github.com/grafana/grafana/pkg/login/social/connectors"
 	"github.com/grafana/grafana/pkg/services/accesscontrol/acimpl"
 	"github.com/grafana/grafana/pkg/services/featuremgmt"
-	ldap "github.com/grafana/grafana/pkg/services/ldap/service"
 	"github.com/grafana/grafana/pkg/services/licensing"
 	secretsfake "github.com/grafana/grafana/pkg/services/secrets/fakes"
 	"github.com/grafana/grafana/pkg/services/ssosettings/ssosettingsimpl"
@@ -82,7 +81,6 @@ func TestSocialService_ProvideService(t *testing.T) {
 		nil,
 		&setting.OSSImpl{Cfg: cfg},
 		&licensing.OSSLicensingService{},
-		ldap.ProvideService(cfg),
 	)
 
 	for _, tc := range testCases {
@@ -195,7 +193,6 @@ func TestSocialService_ProvideService_GrafanaComGrafanaNet(t *testing.T) {
 		nil,
 		nil,
 		&licensing.OSSLicensingService{},
-		ldap.ProvideService(cfg),
 	)
 
 	for _, tc := range testCases {

pkg/services/featuremgmt/registry.go

@@ -1323,6 +1323,14 @@ var (
 			Stage:       FeatureStagePublicPreview,
 			Owner:       awsDatasourcesSquad,
 		},
+		{
+			Name:              "ssoSettingsLDAP",
+			Description:       "Use the new SSO Settings API to configure LDAP",
+			Stage:             FeatureStageExperimental,
+			Owner:             identityAccessTeam,
+			HideFromDocs:      true,
+			HideFromAdminPage: true,
+		},
 	}
 )
 

pkg/services/featuremgmt/toggles_gen.csv

@@ -176,3 +176,4 @@ azureMonitorPrometheusExemplars,experimental,@grafana/partner-datasources,false,
 pinNavItems,experimental,@grafana/grafana-frontend-platform,false,false,false
 authZGRPCServer,experimental,@grafana/identity-access-team,false,false,false
 openSearchBackendFlowEnabled,preview,@grafana/aws-datasources,false,false,false
+ssoSettingsLDAP,experimental,@grafana/identity-access-team,false,false,false

pkg/services/featuremgmt/toggles_gen.go

@@ -714,4 +714,8 @@ const (
 	// FlagOpenSearchBackendFlowEnabled
 	// Enables the backend query flow for Open Search datasource plugin
 	FlagOpenSearchBackendFlowEnabled = "openSearchBackendFlowEnabled"
+
+	// FlagSsoSettingsLDAP
+	// Use the new SSO Settings API to configure LDAP
+	FlagSsoSettingsLDAP = "ssoSettingsLDAP"
 )

pkg/services/featuremgmt/toggles_gen.json

@@ -2126,6 +2126,20 @@
         "allowSelfServe": true
       }
     },
+    {
+      "metadata": {
+        "name": "ssoSettingsLDAP",
+        "resourceVersion": "1718624569822",
+        "creationTimestamp": "2024-06-17T11:42:49Z"
+      },
+      "spec": {
+        "description": "Use the new SSO Settings API to configure LDAP",
+        "stage": "experimental",
+        "codeowner": "@grafana/identity-access-team",
+        "hideFromAdminPage": true,
+        "hideFromDocs": true
+      }
+    },
     {
       "metadata": {
         "name": "ssoSettingsSAML",

pkg/services/ldap/service/helpers.go

@@ -1,8 +1,10 @@
 package service
 
 import (
+	"encoding/json"
 	"fmt"
 	"os"
+	"strconv"
 
 	"github.com/BurntSushi/toml"
 
@@ -85,3 +87,27 @@ func assertNotEmptyCfg(val any, propName string) error {
 	}
 	return nil
 }
+
+func resolveBool(input any, defaultValue bool) bool {
+	strInput := fmt.Sprintf("%v", input)
+	result, err := strconv.ParseBool(strInput)
+	if err != nil {
+		return defaultValue
+	}
+	return result
+}
+
+func resolveServerConfig(input any) (*ldap.ServersConfig, error) {
+	var ldapCfg ldap.ServersConfig
+
+	inputJson, err := json.Marshal(input)
+	if err != nil {
+		return nil, err
+	}
+
+	if err = json.Unmarshal(inputJson, &ldapCfg); err != nil {
+		return nil, err
+	}
+
+	return &ldapCfg, nil
+}

pkg/services/ldap/service/ldap.go

@@ -1,13 +1,19 @@
 package service
 
 import (
+	"context"
 	"errors"
 	"sync"
 
+	"github.com/grafana/grafana/pkg/apimachinery/identity"
 	"github.com/grafana/grafana/pkg/infra/log"
+	"github.com/grafana/grafana/pkg/login/social"
+	"github.com/grafana/grafana/pkg/services/featuremgmt"
 	"github.com/grafana/grafana/pkg/services/ldap"
 	"github.com/grafana/grafana/pkg/services/ldap/multildap"
 	"github.com/grafana/grafana/pkg/services/login"
+	"github.com/grafana/grafana/pkg/services/ssosettings"
+	"github.com/grafana/grafana/pkg/services/ssosettings/models"
 	"github.com/grafana/grafana/pkg/setting"
 )
 
@@ -29,39 +35,82 @@ type LDAP interface {
 }
 
 type LDAPImpl struct {
-	client  multildap.IMultiLDAP
-	cfg     *ldap.Config
-	ldapCfg *ldap.ServersConfig
-	log     log.Logger
+	client      multildap.IMultiLDAP
+	cfg         *ldap.Config
+	ldapCfg     *ldap.ServersConfig
+	log         log.Logger
+	features    featuremgmt.FeatureToggles
+	ssoSettings ssosettings.Service
 
 	// loadingMutex locks the reading of the config so multiple requests for reloading are sequential.
 	loadingMutex *sync.Mutex
 }
 
-func ProvideService(cfg *setting.Cfg) *LDAPImpl {
+func ProvideService(cfg *setting.Cfg, features featuremgmt.FeatureToggles, ssoSettings ssosettings.Service) *LDAPImpl {
 	s := &LDAPImpl{
-		client:       nil,
-		ldapCfg:      nil,
-		cfg:          ldap.GetLDAPConfig(cfg),
 		log:          log.New("ldap.service"),
 		loadingMutex: &sync.Mutex{},
+		features:     features,
+		ssoSettings:  ssoSettings,
 	}
 
-	if !cfg.LDAPAuthEnabled {
-		return s
-	}
+	if s.features.IsEnabledGlobally(featuremgmt.FlagSsoSettingsApi) && s.features.IsEnabledGlobally(featuremgmt.FlagSsoSettingsLDAP) {
+		s.ssoSettings.RegisterReloadable(social.LDAPProviderName, s)
 
-	ldapCfg, err := multildap.GetConfig(s.cfg)
-	if err != nil {
-		s.log.Error("Failed to get LDAP config", "error", err)
+		ldapSettings, err := s.ssoSettings.GetForProvider(context.Background(), social.LDAPProviderName)
+		if err != nil {
+			s.log.Error("Failed to retrieve LDAP settings from SSO settings service", "error", err)
+			return s
+		}
+
+		err = s.Reload(context.Background(), *ldapSettings)
+		if err != nil {
+			s.log.Error("Failed to load LDAP settings", "error", err)
+			return s
+		}
 	} else {
-		s.ldapCfg = ldapCfg
-		s.client = multildap.New(s.ldapCfg.Servers, s.cfg)
+		s.cfg = ldap.GetLDAPConfig(cfg)
+		if !cfg.LDAPAuthEnabled {
+			return s
+		}
+
+		ldapCfg, err := multildap.GetConfig(s.cfg)
+		if err != nil {
+			s.log.Error("Failed to get LDAP config", "error", err)
+		} else {
+			s.ldapCfg = ldapCfg
+			s.client = multildap.New(s.ldapCfg.Servers, s.cfg)
+		}
 	}
 
 	return s
 }
 
+func (s *LDAPImpl) Reload(ctx context.Context, settings models.SSOSettings) error {
+	cfg := &ldap.Config{}
+	cfg.Enabled = resolveBool(settings.Settings["enabled"], false)
+	cfg.SkipOrgRoleSync = resolveBool(settings.Settings["skip_org_role_sync"], false)
+	cfg.AllowSignUp = resolveBool(settings.Settings["allow_sign_up"], true)
+
+	ldapCfg, err := resolveServerConfig(settings.Settings["config"])
+	if err != nil {
+		return err
+	}
+
+	s.loadingMutex.Lock()
+	defer s.loadingMutex.Unlock()
+
+	s.cfg = cfg
+	s.ldapCfg = ldapCfg
+	s.client = multildap.New(s.ldapCfg.Servers, s.cfg)
+
+	return nil
+}
+
+func (s *LDAPImpl) Validate(ctx context.Context, settings models.SSOSettings, oldSettings models.SSOSettings, requester identity.Requester) error {
+	return nil
+}
+
 func (s *LDAPImpl) ReloadConfig() error {
 	if !s.cfg.Enabled {
 		return nil