Grafana Token API Access

database/director.go

@@ -0,0 +1,132 @@
+package database
+
+import (
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/jellydator/ttlcache/v3"
+	"github.com/pkg/errors"
+	"golang.org/x/crypto/bcrypt"
+	"gorm.io/gorm"
+)
+
+var DirectorDB *gorm.DB
+
+type GrafanaApiKey struct {
+	ID          string `gorm:"primaryKey;column:id;type:text;not null"`
+	Name        string `gorm:"column:name;type:text"`
+	HashedValue string `gorm:"column:hashed_value;type:text;not null"`
+	Scopes      string `gorm:"column:scopes;type:text"`
+	ExpiresAt   time.Time
+	CreatedAt   time.Time
+	CreatedBy   string `gorm:"column:created_by;type:text"`
+}
+
+var verifiedKeysCache *ttlcache.Cache[string, GrafanaApiKey] = ttlcache.New[string, GrafanaApiKey]()
+
+func generateSecret(length int) (string, error) {
+	bytes := make([]byte, length)
+	_, err := rand.Read(bytes)
+	if err != nil {
+		return "", err
+	}
+	return hex.EncodeToString(bytes), nil
+}
+
+func generateTokenID(secret string) string {
+	hash := sha256.Sum256([]byte(secret))
+	return hex.EncodeToString(hash[:])[:5]
+}
+func VerifyGrafanaApiKey(apiKey string) (bool, error) {
+	parts := strings.Split(apiKey, ".")
+	if len(parts) != 2 {
+		return false, errors.New("invalid API key format")
+	}
+	id := parts[0]
+	secret := parts[1]
+
+	item := verifiedKeysCache.Get(id)
+	if item != nil {
+		cachedToken := item.Value()
+		beforeExpiration := time.Now().Before(cachedToken.ExpiresAt)
+		matches := bcrypt.CompareHashAndPassword([]byte(cachedToken.HashedValue), []byte(secret)) == nil
+		if beforeExpiration && matches {
+			return true, nil
+		}
+	}
+
+	var token GrafanaApiKey
+	result := DirectorDB.First(&token, "id = ?", id)
+	if result.Error != nil {
+		if errors.Is(result.Error, gorm.ErrRecordNotFound) {
+			return false, nil // token not found
+		}
+		return false, errors.Wrap(result.Error, "failed to retrieve the Grafana API key")
+	}
+
+	if time.Now().After(token.ExpiresAt) {
+		return false, nil
+	}
+
+	err := bcrypt.CompareHashAndPassword([]byte(token.HashedValue), []byte(secret))
+	if err != nil {
+		return false, nil
+	}
+
+	verifiedKeysCache.Set(id, token, ttlcache.DefaultTTL)
+	return true, nil
+}
+
+func CreateGrafanaApiKey(name, createdBy, scopes string) (string, error) {
+	expiresAt := time.Now().Add(time.Hour * 24 * 30) // 30 days
+	for {
+		secret, err := generateSecret(32)
+		if err != nil {
+			return "", errors.Wrap(err, "failed to generate a secret")
+		}
+
+		id := generateTokenID(secret)
+
+		hashedValue, err := bcrypt.GenerateFromPassword([]byte(secret), bcrypt.DefaultCost)
+		if err != nil {
+			return "", errors.Wrap(err, "failed to hash the secret")
+		}
+
+		apiKey := GrafanaApiKey{
+			ID:          id,
+			Name:        name,
+			HashedValue: string(hashedValue),
+			Scopes:      scopes,
+			ExpiresAt:   expiresAt,
+			CreatedAt:   time.Now(),
+			CreatedBy:   createdBy,
+		}
+		result := DirectorDB.Create(apiKey)
+		if result.Error != nil {
+			isConstraintError := result.Error.Error() == "UNIQUE constraint failed: tokens.id"
+			if !isConstraintError {
+				return "", errors.Wrap(result.Error, "failed to create a new Grafana API key")
+			}
+			// If the ID is already taken, try again
+			continue
+		}
+		return fmt.Sprintf("%s.%s", id, secret), nil
+	}
+}
+
+func DeleteGrafanaApiKey(id string) error {
+	result := DirectorDB.Delete(&GrafanaApiKey{}, "id = ?", id)
+	if result.Error != nil {
+		return errors.Wrap(result.Error, "failed to delete the Grafana API key")
+	}
+	if result.RowsAffected == 0 {
+		return errors.New("API key not found")
+	}
+	// delete from cache so that we don't accidentally allow the deleted key to be used
+	verifiedKeysCache.Delete(id)
+	return nil
+}

director/director.go

@@ -39,6 +39,7 @@ import (
 	"golang.org/x/sync/errgroup"
 
 	"github.com/pelicanplatform/pelican/config"
+	"github.com/pelicanplatform/pelican/database"
 	"github.com/pelicanplatform/pelican/metrics"
 	"github.com/pelicanplatform/pelican/param"
 	"github.com/pelicanplatform/pelican/pelican_url"
@@ -77,6 +78,11 @@ type (
 
 	// Context key for the project name
 	ProjectContextKey struct{}
+
+	CreateGrafanaTokenReq struct {
+		Name      string `json:"name"`
+		CreatedBy string `json:"created_by"`
+	}
 )
 
 const (
@@ -1360,6 +1366,65 @@ func listNamespacesV2(ctx *gin.Context) {
 	ctx.JSON(http.StatusOK, namespacesAdsV2)
 }
 
+func createGrafanaToken(ctx *gin.Context) {
+	authOption := token.AuthOption{
+		Sources: []token.TokenSource{token.Cookie},
+		Issuers: []token.TokenIssuer{token.LocalIssuer},
+		Scopes:  []token_scopes.TokenScope{token_scopes.WebUi_Access},
+	}
+
+	status, ok, err := token.Verify(ctx, authOption)
+	if !ok {
+		log.Warningf("Cannot verify token: %v", err)
+		ctx.JSON(status, server_structs.SimpleApiResp{
+			Status: server_structs.RespFailed,
+			Msg:    err.Error(),
+		})
+		return
+	}
+	// marshall body into struct
+	var req CreateGrafanaTokenReq
+	err = ctx.ShouldBindJSON(&req)
+	if err != nil {
+		ctx.JSON(http.StatusBadRequest, server_structs.SimpleApiResp{
+			Status: server_structs.RespFailed,
+			Msg:    fmt.Sprintf("Invalid request body: %v", err),
+		})
+		return
+	}
+
+	scopes := fmt.Sprintf("%s,%s", token_scopes.Monitoring_Query.String(), token_scopes.Monitoring_Scrape.String())
+	token, err := database.CreateGrafanaApiKey(req.Name, req.CreatedBy, scopes)
+	if err != nil {
+		log.Warning("Failed to create Grafana API key: ", err)
+		ctx.JSON(status, server_structs.SimpleApiResp{
+			Status: server_structs.RespFailed,
+			Msg:    err.Error(),
+		})
+		return
+	}
+
+	ctx.JSON(http.StatusOK, gin.H{"token": token})
+}
+
+func deleteGrafanaToken(ctx *gin.Context) {
+	id := ctx.Param("id")
+	err := database.DeleteGrafanaApiKey(id)
+	if err != nil {
+		log.Warning("Failed to delete Grafana API key: ", err)
+		ctx.JSON(http.StatusInternalServerError, server_structs.SimpleApiResp{
+			Status: server_structs.RespFailed,
+			Msg:    err.Error(),
+		})
+		return
+	}
+
+	ctx.JSON(http.StatusOK, server_structs.SimpleApiResp{
+		Status: server_structs.RespOK,
+		Msg:    "Grafana API key deleted",
+	})
+}
+
 func getPrefixByPath(ctx *gin.Context) {
 	pathParam := ctx.Param("path")
 	if pathParam == "" || pathParam == "/" {
@@ -1510,6 +1575,9 @@ func RegisterDirectorAPI(ctx context.Context, router *gin.RouterGroup) {
 		// so that director can be our point of contact for collecting system-level metrics.
 		// Rename the endpoint to reflect such plan.
 		directorAPIV1.GET("/discoverServers", discoverOriginCache)
+
+		directorAPIV1.POST("/createGrafanaToken", createGrafanaToken)
+		directorAPIV1.DELETE("/deleteGrafanaToken/:id", deleteGrafanaToken)
 	}
 
 	directorAPIV2 := router.Group("/api/v2.0/director")

director/director_db.go

@@ -26,6 +26,7 @@ import (
 	"gorm.io/gorm"
 	"gorm.io/gorm/logger"
 
+	"github.com/pelicanplatform/pelican/database"
 	"github.com/pelicanplatform/pelican/param"
 	"github.com/pelicanplatform/pelican/server_utils"
 )
@@ -39,8 +40,6 @@ type ServerDowntime struct {
 	UpdatedAt time.Time
 }
 
-var db *gorm.DB
-
 //go:embed migrations/*.sql
 var embedMigrations embed.FS
 
@@ -51,8 +50,8 @@ func InitializeDB() error {
 	if err != nil {
 		return errors.Wrap(err, "failed to initialize the Director's sqlite database")
 	}
-	db = tdb
-	sqldb, err := db.DB()
+	database.DirectorDB = tdb
+	sqldb, err := database.DirectorDB.DB()
 	if err != nil {
 		return errors.Wrapf(err, "failed to get sql.DB from gorm DB: %s", dbPath)
 	}
@@ -65,7 +64,7 @@ func InitializeDB() error {
 
 // Shut down the Director's sqlite database
 func shutdownDirectorDB() error {
-	return server_utils.ShutdownDB(db)
+	return server_utils.ShutdownDB(database.DirectorDB)
 }
 
 // Create a new db entry representing the downtime info of a server
@@ -82,7 +81,7 @@ func createServerDowntime(serverName string, filterType filterType) error {
 		UpdatedAt:  time.Now(),
 	}
 
-	if err := db.Create(serverDowntime).Error; err != nil {
+	if err := database.DirectorDB.Create(serverDowntime).Error; err != nil {
 		return errors.Wrap(err, "unable to create server downtime table")
 	}
 	return nil
@@ -91,7 +90,7 @@ func createServerDowntime(serverName string, filterType filterType) error {
 // Retrieve the downtime info of a given server (filter applied to the server)
 func getServerDowntime(serverName string) (filterType, error) {
 	var serverDowntime ServerDowntime
-	err := db.First(&serverDowntime, "name = ?", serverName).Error
+	err := database.DirectorDB.First(&serverDowntime, "name = ?", serverName).Error
 	if err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			return "", errors.Wrapf(err, "%s is not found in the Director db", serverName)
@@ -104,7 +103,7 @@ func getServerDowntime(serverName string) (filterType, error) {
 // Retrieve the downtime info of all servers saved in the Director's sqlite database
 func getAllServerDowntimes() ([]ServerDowntime, error) {
 	var statuses []ServerDowntime
-	result := db.Find(&statuses)
+	result := database.DirectorDB.Find(&statuses)
 
 	if result.Error != nil {
 		return nil, errors.Wrap(result.Error, "unable to get the downtime of all servers")
@@ -116,7 +115,7 @@ func getAllServerDowntimes() ([]ServerDowntime, error) {
 func setServerDowntime(serverName string, filterType filterType) error {
 	var serverDowntime ServerDowntime
 	// silence the logger for this query because there's definitely an ErrRecordNotFound when a new downtime info entry inserted
-	err := db.Session(&gorm.Session{Logger: db.Logger.LogMode(logger.Silent)}).First(&serverDowntime, "name = ?", serverName).Error
+	err := database.DirectorDB.Session(&gorm.Session{Logger: database.DirectorDB.Logger.LogMode(logger.Silent)}).First(&serverDowntime, "name = ?", serverName).Error
 
 	// If the server doesn't exist in director db, create a new entry for it
 	if err != nil {
@@ -130,7 +129,7 @@ func setServerDowntime(serverName string, filterType filterType) error {
 	serverDowntime.FilterType = filterType
 	serverDowntime.UpdatedAt = time.Now()
 
-	if err := db.Save(&serverDowntime).Error; err != nil {
+	if err := database.DirectorDB.Save(&serverDowntime).Error; err != nil {
 		return errors.Wrap(err, "unable to update")
 	}
 	return nil
@@ -144,7 +143,7 @@ var setServerDowntimeFn setServerDowntimeFunc = setServerDowntime
 
 // Delete the downtime info of a given server from the Director's sqlite database
 func deleteServerDowntime(serverName string) error {
-	if err := db.Where("name = ?", serverName).Delete(&ServerDowntime{}).Error; err != nil {
+	if err := database.DirectorDB.Where("name = ?", serverName).Delete(&ServerDowntime{}).Error; err != nil {
 		return errors.Wrap(err, "failed to delete an entry in Server Status table")
 	}
 	return nil

director/director_db_test.go

@@ -9,6 +9,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"gorm.io/gorm"
 
+	"github.com/pelicanplatform/pelican/database"
 	"github.com/pelicanplatform/pelican/server_utils"
 )
 
@@ -22,9 +23,9 @@ var (
 
 func SetupMockDirectorDB(t *testing.T) {
 	mockDB, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
-	db = mockDB
+	database.DirectorDB = mockDB
 	require.NoError(t, err, "Error setting up mock origin DB")
-	err = db.AutoMigrate(&ServerDowntime{})
+	err = database.DirectorDB.AutoMigrate(&ServerDowntime{})
 	require.NoError(t, err, "Failed to migrate DB for Globus table")
 }
 
@@ -34,7 +35,7 @@ func TeardownMockDirectorDB(t *testing.T) {
 }
 
 func insertMockDBData(ss []ServerDowntime) error {
-	return db.Create(&ss).Error
+	return database.DirectorDB.Create(&ss).Error
 }
 
 func TestDirectorDBBasics(t *testing.T) {

director/migrations/20250103161929_create_db_tables.sql

@@ -0,0 +1,27 @@
+-- +goose Up
+-- +goose StatementBegin
+SELECT 'up SQL query';
+-- +goose StatementEnd
+
+CREATE TABLE IF NOT EXISTS server_downtimes (
+    uuid TEXT PRIMARY KEY,
+    name TEXT NOT NULL UNIQUE,
+    filter_type TEXT NOT NULL,
+    created_at DATETIME NOT NULL,
+    updated_at DATETIME NOT NULL
+);
+
+CREATE TABLE grafana_api_keys (
+    id TEXT PRIMARY KEY,
+    name TEXT,
+    hashed_value TEXT NOT NULL,
+    scopes TEXT,
+    expires_at DATETIME,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    created_by TEXT
+);
+
+-- +goose Down
+-- +goose StatementBegin
+SELECT 'down SQL query';
+-- +goose StatementEnd