From 4e828f189c811bcbdedd401dcc7d4d29d38894b9 Mon Sep 17 00:00:00 2001
From: vikrantgupta25
Date: Sat, 7 Mar 2026 13:55:57 +0530
Subject: [PATCH] feat(serviceaccount): update authz typeables

---
 ee/query-service/app/server.go | 2 +-
 pkg/authn/passwordauthn/emailpasswordauthn/authn.go | 2 +-
 pkg/modules/session/implsession/module.go | 2 +-
 pkg/query-service/app/server.go | 2 +-
 pkg/tokenizer/jwttokenizer/provider.go | 2 +-
 .../tokenizerstore/sqltokenizerstore/store.go | 2 +-
 pkg/types/authtypes/authn.go | 10 ++++++----
 7 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/ee/query-service/app/server.go b/ee/query-service/app/server.go
index 1e8a6756d1..da520b9fd6 100644
--- a/ee/query-service/app/server.go
+++ b/ee/query-service/app/server.go
@@ -216,7 +216,7 @@ func (s *Server) createPublicServer(apiHandler *api.APIHandler, web web.Web) (*h
 }),
 otelmux.WithPublicEndpoint(),
 ))
- r.Use(middleware.NewAuthN([]string{"Authorization", "Sec-WebSocket-Protocol"}, []string{"SIGNOZ_API_KEY"}, s.signoz.Sharder, s.signoz.Tokenizer, s.signoz.ServiceAccountTokenizer, s.signoz.Instrumentation.Logger()).Wrap)
+ r.Use(middleware.NewAuthN([]string{"Authorization", "Sec-WebSocket-Protocol"}, []string{"SIGNOZ-API-KEY"}, s.signoz.Sharder, s.signoz.Tokenizer, s.signoz.ServiceAccountTokenizer, s.signoz.Instrumentation.Logger()).Wrap)
 r.Use(middleware.NewTimeout(s.signoz.Instrumentation.Logger(),
 s.config.APIServer.Timeout.ExcludedRoutes,
 s.config.APIServer.Timeout.Default,
diff --git a/pkg/authn/passwordauthn/emailpasswordauthn/authn.go b/pkg/authn/passwordauthn/emailpasswordauthn/authn.go
index 97f8af681d..8de52c4806 100644
--- a/pkg/authn/passwordauthn/emailpasswordauthn/authn.go
+++ b/pkg/authn/passwordauthn/emailpasswordauthn/authn.go
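Review bot: Dropping `SIGNOZ_API_KEY` from the header list on the new `r.Use(middleware.NewAuthN(...))` line means any client still sending the underscore form is now silently treated as unauthenticated instead of being steered to the new name; if external integrations send API keys this way, accept both for a deprecation window, `[]string{"SIGNOZ-API-KEY", "SIGNOZ_API_KEY"}`, and log a warning when the old one is used. The hyphenated name is the better end state, since several reverse proxies drop request headers containing underscores (nginx does unless `underscores_in_headers on` is set), which is presumably what motivated the rename. Whether NewAuthN reads the header via `Header.Get` (canonicalised, so `SIGNOZ-API-KEY` and `Signoz-Api-Key` both match) or by direct map index (which would not match after canonicalisation) is not visible here and is worth confirming. createPublicServer starts and ends outside the hunk.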
@@ -30,5 +30,5 @@ func (a *AuthN) Authenticate(ctx context.Context, email string, password string,
 return nil, errors.New(errors.TypeUnauthenticated, types.ErrCodeIncorrectPassword, "invalid email or password")
 }
- return authtypes.NewIdentity(user.ID, orgID, user.Email), nil
+ return authtypes.NewIdentity(user.ID, valuer.UUID{}, authtypes.PrincipalUser, orgID, user.Email), nil
 }
diff --git a/pkg/modules/session/implsession/module.go b/pkg/modules/session/implsession/module.go
index c9e1940212..9434493230 100644
--- a/pkg/modules/session/implsession/module.go
+++ b/pkg/modules/session/implsession/module.go
@@ -158,7 +158,7 @@ func (module *module) CreateCallbackAuthNSession(ctx context.Context, authNProvi
 return "", errors.WithAdditionalf(err, "root user can only authenticate via password")
 }
- token, err := module.tokenizer.CreateToken(ctx, authtypes.NewIdentity(user.ID, user.OrgID, user.Email), map[string]string{})
+ token, err := module.tokenizer.CreateToken(ctx, authtypes.NewIdentity(user.ID, valuer.UUID{}, authtypes.PrincipalUser, user.OrgID, user.Email), map[string]string{})
 if err != nil {
 return "", err
 }
diff --git a/pkg/query-service/app/server.go b/pkg/query-service/app/server.go
index b141968650..df60847bcc 100644
--- a/pkg/query-service/app/server.go
+++ b/pkg/query-service/app/server.go
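Review bot: The new NewIdentity call on the return line puts `valuer.UUID{}` and `authtypes.PrincipalUser` positionally between `user.ID` and `orgID`, and since all three UUID arguments share one type a transposed orgID/serviceAccountID compiles cleanly and only surfaces later as a wrong authorization decision. A short comment on the line, `// password login is always a human user: no service account ID`, records the intent; a dedicated user-identity constructor in authtypes would remove the zero-UUID sentinel from this and the other four call sites in the patch. Authenticate's signature and the preceding password check are outside the hunk.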
@@ -195,7 +195,7 @@ func (s *Server) createPublicServer(api *APIHandler, web web.Web) (*http.Server,
 }),
 otelmux.WithPublicEndpoint(),
 ))
- r.Use(middleware.NewAuthN([]string{"Authorization", "Sec-WebSocket-Protocol"}, []string{"SIGNOZ_API_KEY"}, s.signoz.Sharder, s.signoz.Tokenizer, s.signoz.ServiceAccountTokenizer, s.signoz.Instrumentation.Logger()).Wrap)
+ r.Use(middleware.NewAuthN([]string{"Authorization", "Sec-WebSocket-Protocol"}, []string{"SIGNOZ-API-KEY"}, s.signoz.Sharder, s.signoz.Tokenizer, s.signoz.ServiceAccountTokenizer, s.signoz.Instrumentation.Logger()).Wrap)
 r.Use(middleware.NewTimeout(s.signoz.Instrumentation.Logger(),
 s.config.APIServer.Timeout.ExcludedRoutes,
 s.config.APIServer.Timeout.Default,
diff --git a/pkg/tokenizer/jwttokenizer/provider.go b/pkg/tokenizer/jwttokenizer/provider.go
index c32637143c..c0f91ba012 100644
--- a/pkg/tokenizer/jwttokenizer/provider.go
+++ b/pkg/tokenizer/jwttokenizer/provider.go
@@ -113,7 +113,7 @@ func (provider *provider) GetIdentity(ctx context.Context, accessToken string) (
 return nil, err
 }
- return authtypes.NewIdentity(valuer.MustNewUUID(claims.UserID), valuer.MustNewUUID(claims.OrgID), valuer.MustNewEmail(claims.Email)), nil
+ return authtypes.NewIdentity(valuer.MustNewUUID(claims.UserID), valuer.UUID{}, authtypes.PrincipalUser, valuer.MustNewUUID(claims.OrgID), valuer.MustNewEmail(claims.Email)), nil
 }
 func (provider *provider) DeleteToken(ctx context.Context, accessToken string) error {
diff --git a/pkg/tokenizer/tokenizerstore/sqltokenizerstore/store.go b/pkg/tokenizer/tokenizerstore/sqltokenizerstore/store.go
index 4685e40f02..370e170c2c 100644
--- a/pkg/tokenizer/tokenizerstore/sqltokenizerstore/store.go
+++ b/pkg/tokenizer/tokenizerstore/sqltokenizerstore/store.go
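Review bot: The API-key header list on the new `r.Use(middleware.NewAuthN(...))` line is now duplicated verbatim between this server and ee/query-service/app/server.go, and this rename had to be applied in both by hand; hoisting it into one exported constant next to NewAuthN, e.g. `var APIKeyHeaders = []string{"SIGNOZ-API-KEY"}`, and passing that from both servers means the next change cannot leave the OSS and EE builds accepting different headers. As in the EE hunk, the old `SIGNOZ_API_KEY` spelling is no longer accepted at all, so clients still sending it fail authentication silently rather than with a migration hint; accepting both names during a deprecation window is the safer rollout. createPublicServer starts and ends outside the hunk.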
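Review bot: GetIdentity's new return line stamps every parsed token with `authtypes.PrincipalUser` and an empty ServiceAccountID regardless of what the claims say, so the principal is decided by which tokenizer validated the token rather than by anything signed into it; that is sound only while service-account tokens never reach this provider (server.go wires a separate ServiceAccountTokenizer, which suggests they do not, but the claims struct is outside the hunk). A comment above the return, `// tokens issued by this provider are always user sessions; service-account tokens are validated by a separate tokenizer`, records that assumption so a later change does not route both kinds through here. The `valuer.MustNewUUID`/`MustNewEmail` calls are pre-existing but panic on malformed claim values; if the signature check above (not visible) has already passed, bad IDs should be rare, yet returning an error is still preferable to a panic on a request path. GetIdentity's signature and the claim parsing are outside the hunk.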
@@ -47,7 +47,7 @@ func (store *store) GetIdentityByUserID(ctx context.Context, userID valuer.UUID)
 return nil, store.sqlstore.WrapNotFoundErrf(err, types.ErrCodeUserNotFound, "user with id: %s does not exist", userID)
 }
- return authtypes.NewIdentity(userID, user.OrgID, user.Email), nil
+ return authtypes.NewIdentity(userID, valuer.UUID{}, authtypes.PrincipalUser, user.OrgID, user.Email), nil
 }
 func (store *store) GetByAccessToken(ctx context.Context, accessToken string) (*authtypes.StorableToken, error) {
diff --git a/pkg/types/authtypes/authn.go b/pkg/types/authtypes/authn.go
index e7c84b5c30..6760198a2e 100644
--- a/pkg/types/authtypes/authn.go
+++ b/pkg/types/authtypes/authn.go
@@ -79,11 +79,13 @@ func NewStateFromString(state string) (State, error) {
 }, nil
 }
-func NewIdentity(userID valuer.UUID, orgID valuer.UUID, email valuer.Email) *Identity {
+func NewIdentity(userID valuer.UUID, serviceAccountID valuer.UUID, principal Principal, orgID valuer.UUID, email valuer.Email) *Identity {
 return &Identity{
- UserID: userID,
- OrgID: orgID,
- Email: email,
+ UserID: userID,
+ ServiceAccountID: serviceAccountID,
+ Principal: principal,
+ OrgID: orgID,
+ Email: email,
 }
 }
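Review bot: NewIdentity now takes three positional `valuer.UUID` parameters (userID, serviceAccountID, orgID) with the principal in between, and nothing checks that the principal agrees with which ID is populated, so a `PrincipalUser` identity carrying a non-zero ServiceAccountID — or the reverse — is constructible and would flow into authorization checks unchallenged. Every caller in this patch wants the same shape (`valuer.UUID{}`, `PrincipalUser`), so a narrow `NewUserIdentity` wrapper that fixes those two fields removes the sentinel from the call sites and makes the invariant structural; NewIdentity itself also has no doc comment and should state that exactly one of userID/serviceAccountID is expected to be set, consistent with principal. A matching service-account constructor presumably belongs next to the service-account tokenizer, which is not in this patch. NewIdentity is fully inside the hunk.
```go
// NewUserIdentity builds the Identity for a human user session: ServiceAccountID
// stays zero and Principal is fixed to PrincipalUser, so the two cannot disagree.
func NewUserIdentity(userID valuer.UUID, orgID valuer.UUID, email valuer.Email) *Identity {
	return NewIdentity(userID, valuer.UUID{}, PrincipalUser, orgID, email)
}
// … unchanged: NewIdentity …
```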