OAuth passthrough support (#145)

* Add passthrough client

* Type updates

* Use passthrough client where needed

* Type updates and config editor refactor

* Documentation updates

* Review

* Minor tests and fix defers

Author: aangelisc

README.md

@@ -1,6 +1,7 @@
 # Google Cloud Logging Data Source
 
 ## Overview
+
 The Google Cloud Logging Data Source is a backend data source plugin for Grafana,
 which allows users to query and visualize their Google Cloud logs in Grafana.
 
@@ -35,11 +36,21 @@ If you host Grafana on a GCE VM, you can also use the [Compute Engine service ac
 Similar to [Prometheus data sources on Google Cloud](https://cloud.google.com/stackdriver/docs/managed-prometheus/query#use-serverless), you can also configure a scheduled job to use an OAuth2 access token to view the logs. Please follow the steps in the [data source syncer README](https://github.com/GoogleCloudPlatform/cloud-logging-data-source-plugin/blob/main/datasource-syncer/README.md) to configure it.
 
 ### Service account impersonation
+
 You can also configure the plugin to use [service account impersonation](https://cloud.google.com/iam/docs/service-account-impersonation).
 You need to ensure the service account used by this plugin has the `iam.serviceAccounts.getAccessToken` permission. This permission is in roles like the [Service Account Token Creator role](https://cloud.google.com/iam/docs/understanding-roles#iam.serviceAccountTokenCreator) (roles/iam.serviceAccountTokenCreator). Also, the service account impersonated
 by this plugin needs logging read and project list permissions.
 
+### OAuth Passthrough
+
+You can configure the data source to use the OAuth token of the signed in user to authenticate to Google Cloud Logging. This requires a Grafana instance that is configured with [Google authentication](https://grafana.com/docs/grafana/latest/setup-grafana/configure-access/configure-authentication/google/).
+
+Once Grafana is configured with Google authentication for signing in, ensure that the scopes set in the Grafana configuration include: `https://www.googleapis.com/auth/userinfo.profile`, `https://www.googleapis.com/auth/userinfo.email`, and `https://www.googleapis.com/auth/logging.read`. The latter will allow the signed in user to read Google Cloud Logging data.
+
+You can then configure the data source with the `OAuth Passthrough` authentication method. Ensure that you provide a default project ID otherwise the health-check will fail.
+
 ### Grafana Configuration
+
 1. With Grafana restarted, navigate to `Configuration -> Data sources` (or the route `/datasources`)
 2. Click "Add data source"
 3. Select "Google Cloud Logging"
@@ -66,6 +77,7 @@ datasources:
 ```
 
 ### Supported variables
+
 The plugin currently supports variables for logging scopes. For example, you can define a project variable and switch between projects. The following screenshot shows an example using project, bucket, and view.
 
 ![template variables](https://github.com/GoogleCloudPlatform/cloud-logging-data-source-plugin/blob/main/src/img/template_vars.png?raw=true)
@@ -74,6 +86,7 @@ Below is an example of defining a variable for log views.
 ![define a variable](https://github.com/GoogleCloudPlatform/cloud-logging-data-source-plugin/blob/main/src/img/template_query_vars.png?raw=true)
 
 ### Alerting
+
 [Grafana Alerting](https://grafana.com/docs/grafana/latest/alerting/fundamentals/data-source-alerting/) is not directly supported due to how [Logging Query Language](https://cloud.google.com/logging/docs/view/logging-query-language) works on Google Cloud. If you need to create alerts based on logs, consider using [Log-based metrics](https://cloud.google.com/logging/docs/logs-based-metrics) and a [Cloud Monitoring data source](https://grafana.com/docs/grafana/latest/datasources/google-cloud-monitoring/).
 
 ## Licenses

pkg/plugin/cloudlogging/client.go

@@ -185,6 +185,37 @@ func NewClientWithAccessToken(ctx context.Context, accessToken string) (*Client,
 	}, nil
 }
 
+// NewClientWithPassThrough creates a new Clients using Oauth browser credentials
+func NewClientWithPassThrough(ctx context.Context, headers map[string]string) (*Client, error) {
+	token, found := strings.CutPrefix(headers["Authorization"], "Bearer ")
+	if !found || token == "" {
+		return nil, errors.New("missing or invalid Authorization header")
+	}
+
+	oauthOpt := option.WithTokenSource(
+		oauth2.StaticTokenSource(&oauth2.Token{
+			AccessToken: token,
+		}),
+	)
+	client, err := logging.NewClient(ctx, oauthOpt, option.WithUserAgent("googlecloud-logging-datasource"))
+	if err != nil {
+		return nil, err
+	}
+	rClient, err := resourcemanager.NewService(ctx, oauthOpt, option.WithUserAgent("googlecloud-logging-datasource"))
+	if err != nil {
+		return nil, err
+	}
+	configClient, err := logging.NewConfigClient(ctx, oauthOpt, option.WithUserAgent("googlecloud-logging-datasource"))
+	if err != nil {
+		return nil, err
+	}
+	return &Client{
+		lClient:      client,
+		rClient:      rClient.Projects,
+		configClient: configClient,
+	}, nil
+}
+
 // Close closes the underlying connection to the GCP API
 func (c *Client) Close() error {
 	c.configClient.Close()
@@ -216,7 +247,7 @@ func (q *Query) String() string {
 func (c *Client) ListProjects(ctx context.Context) ([]string, error) {
 	projectIDs := []string{}
 	pageToken := ""
-	
+
 	for {
 		call := c.rClient.List()
 		if pageToken != "" {
@@ -239,7 +270,7 @@ func (c *Client) ListProjects(ctx context.Context) ([]string, error) {
 		}
 		pageToken = response.NextPageToken
 	}
-	
+
 	return projectIDs, nil
 }
 

pkg/plugin/plugin.go

@@ -42,11 +42,12 @@ var (
 )
 
 const (
-	privateKeyKey             = "privateKey"
-	gceAuthentication         = "gce"
-	jwtAuthentication         = "jwt"
-	accessTokenAuthentication = "accessToken"
-	accessTokenKey            = "accessToken"
+	privateKeyKey                  = "privateKey"
+	gceAuthentication              = "gce"
+	jwtAuthentication              = "jwt"
+	accessTokenAuthentication      = "accessToken"
+	accessTokenKey                 = "accessToken"
+	oauthpassthroughAuthentication = "oauthPassthrough"
 )
 
 // config is the fields parsed from the front end
@@ -57,6 +58,7 @@ type config struct {
 	TokenURI                    string `json:"tokenUri"`
 	ServiceAccountToImpersonate string `json:"serviceAccountToImpersonate"`
 	UsingImpersonation          bool   `json:"usingImpersonation"`
+	OAuthPassThru               bool   `json:"oauthPassThru"`
 }
 
 // toServiceAccountJSON creates the serviceAccountJSON bytes from the config fields
@@ -96,6 +98,8 @@ func NewCloudLoggingDatasource(ctx context.Context, settings backend.DataSourceI
 		conf.AuthType = accessTokenAuthentication
 	}
 
+	oauthPassThrough := false
+
 	var client_err error
 	var client *cloudlogging.Client
 
@@ -128,6 +132,8 @@ func NewCloudLoggingDatasource(ctx context.Context, settings backend.DataSourceI
 			return nil, errMissingAccessToken
 		}
 		client, client_err = cloudlogging.NewClientWithAccessToken(context.TODO(), accessToken)
+	case oauthpassthroughAuthentication:
+		oauthPassThrough = true
 	default:
 		return nil, fmt.Errorf("unknown authentication type: %s", conf.AuthType)
 	}
@@ -137,22 +143,26 @@ func NewCloudLoggingDatasource(ctx context.Context, settings backend.DataSourceI
 	}
 
 	return &CloudLoggingDatasource{
-		client: client,
+		client:           client,
+		oauthPassThrough: oauthPassThrough,
 	}, nil
 }
 
 // CloudLoggingDatasource is an example datasource which can respond to data queries, reports
 // its health and has streaming skills.
 type CloudLoggingDatasource struct {
-	client cloudlogging.API
+	client           cloudlogging.API
+	oauthPassThrough bool
 }
 
 // Dispose here tells plugin SDK that plugin wants to clean up resources when a new instance
 // created. As soon as datasource settings change detected by SDK old datasource instance will
 // be disposed and a new one will be created using NewSampleDatasource factory function.
 func (d *CloudLoggingDatasource) Dispose() {
-	if err := d.client.Close(); err != nil {
-		log.DefaultLogger.Error("failed closing client", "error", err)
+	if d.client != nil {
+		if err := d.client.Close(); err != nil {
+			log.DefaultLogger.Error("failed closing client", "error", err)
+		}
 	}
 }
 
@@ -161,6 +171,25 @@ func (d *CloudLoggingDatasource) Dispose() {
 func (d *CloudLoggingDatasource) CallResource(ctx context.Context, req *backend.CallResourceRequest, sender backend.CallResourceResponseSender) error {
 	// log.DefaultLogger.Info("CallResource called")
 
+	client := d.client
+
+	if d.oauthPassThrough {
+		headers := make(map[string]string)
+		for k, v := range req.Headers {
+			if strings.EqualFold(k, "Authorization") {
+				headers["Authorization"] = v[0]
+				break
+			}
+		}
+		oauthClient, err := d.CreateOauthClient(ctx, headers)
+		if err != nil {
+			return err
+		}
+
+		client = oauthClient
+		defer client.Close()
+	}
+
 	var body []byte
 
 	// Right now we only support calls to the following:
@@ -183,7 +212,7 @@ func (d *CloudLoggingDatasource) CallResource(ctx context.Context, req *backend.
 			})
 		}
 	} else if resource == "projects" {
-		projects, err := d.client.ListProjects(ctx)
+		projects, err := client.ListProjects(ctx)
 		if err != nil {
 			log.DefaultLogger.Warn("problem listing projects", "error", err)
 		}
@@ -199,7 +228,7 @@ func (d *CloudLoggingDatasource) CallResource(ctx context.Context, req *backend.
 		reqUrl, _ := url.Parse(req.URL)
 		params, _ := url.ParseQuery(reqUrl.RawQuery)
 
-		bucketNames, err := d.client.ListProjectBuckets(ctx, params.Get("ProjectId"))
+		bucketNames, err := client.ListProjectBuckets(ctx, params.Get("ProjectId"))
 		if err != nil {
 			log.DefaultLogger.Warn("problem listing log buckets", "error", err)
 		}
@@ -215,7 +244,7 @@ func (d *CloudLoggingDatasource) CallResource(ctx context.Context, req *backend.
 		reqUrl, _ := url.Parse(req.URL)
 		params, _ := url.ParseQuery(reqUrl.RawQuery)
 
-		views, err := d.client.ListProjectBucketViews(ctx, params.Get("ProjectId"), params.Get("BucketId"))
+		views, err := client.ListProjectBucketViews(ctx, params.Get("ProjectId"), params.Get("BucketId"))
 		if err != nil {
 			log.DefaultLogger.Warn("problem listing log views", "error", err)
 		}
@@ -246,13 +275,23 @@ func (d *CloudLoggingDatasource) CallResource(ctx context.Context, req *backend.
 // contains Frames ([]*Frame).
 func (d *CloudLoggingDatasource) QueryData(ctx context.Context, req *backend.QueryDataRequest) (*backend.QueryDataResponse, error) {
 	// log.DefaultLogger.Info("QueryData called")
+	client := d.client
+
+	if d.oauthPassThrough {
+		oauthClient, err := d.CreateOauthClient(ctx, req.Headers)
+		if err != nil {
+			return nil, err
+		}
+		client = oauthClient
+		defer client.Close()
+	}
 
 	// create response struct
 	response := backend.NewQueryDataResponse()
 
 	// loop over queries and execute them individually.
 	for _, q := range req.Queries {
-		res := d.query(ctx, req.PluginContext, q)
+		res := d.query(ctx, req.PluginContext, q, client)
 
 		// save the response in a hashmap
 		// based on with RefID as identifier
@@ -271,7 +310,7 @@ type queryModel struct {
 	ViewId    string `json:"viewId"`
 }
 
-func (d *CloudLoggingDatasource) query(ctx context.Context, pCtx backend.PluginContext, query backend.DataQuery) backend.DataResponse {
+func (d *CloudLoggingDatasource) query(ctx context.Context, pCtx backend.PluginContext, query backend.DataQuery, client cloudlogging.API) backend.DataResponse {
 	response := backend.DataResponse{}
 
 	var q queryModel
@@ -301,7 +340,7 @@ func (d *CloudLoggingDatasource) query(ctx context.Context, pCtx backend.PluginC
 		},
 	}
 
-	logs, err := d.client.ListLogs(ctx, &clientRequest)
+	logs, err := client.ListLogs(ctx, &clientRequest)
 	if err != nil {
 		response.Error = fmt.Errorf("query: %w", err)
 		return response
@@ -344,6 +383,17 @@ func (d *CloudLoggingDatasource) query(ctx context.Context, pCtx backend.PluginC
 func (d *CloudLoggingDatasource) CheckHealth(ctx context.Context, req *backend.CheckHealthRequest) (*backend.CheckHealthResult, error) {
 	// log.DefaultLogger.Info("CheckHealth called")
 
+	client := d.client
+
+	if d.oauthPassThrough {
+		oauthClient, err := d.CreateOauthClient(ctx, req.Headers)
+		if err != nil {
+			return nil, err
+		}
+		client = oauthClient
+		defer client.Close()
+	}
+
 	var status = backend.HealthStatusOk
 	settings := req.PluginContext.DataSourceInstanceSettings
 
@@ -359,7 +409,13 @@ func (d *CloudLoggingDatasource) CheckHealth(ctx context.Context, req *backend.C
 		}
 		conf.DefaultProject = proj
 	}
-	if err := d.client.TestConnection(ctx, conf.DefaultProject); err != nil {
+	if conf.DefaultProject == "" && conf.OAuthPassThru {
+		return &backend.CheckHealthResult{
+			Status:  backend.HealthStatusError,
+			Message: "Please define a default project for OAuth authentication",
+		}, nil
+	}
+	if err := client.TestConnection(ctx, conf.DefaultProject); err != nil {
 		return &backend.CheckHealthResult{
 			Status:  backend.HealthStatusError,
 			Message: fmt.Sprintf("failed to run test query: %s", err),
@@ -371,3 +427,12 @@ func (d *CloudLoggingDatasource) CheckHealth(ctx context.Context, req *backend.C
 		Message: fmt.Sprintf("Successfully queried logs from GCP project %s", conf.DefaultProject),
 	}, nil
 }
+
+func (d *CloudLoggingDatasource) CreateOauthClient(ctx context.Context, headers map[string]string) (*cloudlogging.Client, error) {
+	client, err := cloudlogging.NewClientWithPassThrough(ctx, headers)
+	if err != nil {
+		return nil, err
+	}
+
+	return client, nil
+}

pkg/plugin/plugin_test.go

@@ -193,3 +193,62 @@ func TestQueryData_SingleLog(t *testing.T) {
 	require.Equal(t, string(expectedFrame), string(serializedFrame))
 	client.AssertExpectations(t)
 }
+
+func TestNewCloudLoggingDatasource_OAuthPassthrough(t *testing.T) {
+	jsonData := `{"oauthPassThru": true, "authenticationType": "oauthPassthrough", "defaultProject": "test-project"}`
+	settings := backend.DataSourceInstanceSettings{
+		JSONData: []byte(jsonData),
+	}
+
+	instance, err := NewCloudLoggingDatasource(context.Background(), settings)
+	require.NoError(t, err)
+	require.NotNil(t, instance)
+
+	ds, ok := instance.(*CloudLoggingDatasource)
+	require.True(t, ok)
+	require.True(t, ds.oauthPassThrough)
+	require.Nil(t, ds.client)
+}
+
+func TestCreateOauthClient_Success(t *testing.T) {
+	ds := &CloudLoggingDatasource{
+		oauthPassThrough: true,
+	}
+
+	headers := map[string]string{
+		"Authorization": "Bearer test-token-123",
+	}
+
+	client, err := ds.CreateOauthClient(context.Background(), headers)
+	require.NoError(t, err)
+	require.NotNil(t, client)
+	defer client.Close()
+}
+
+func TestCreateOauthClient_MissingAuthHeader(t *testing.T) {
+	ds := &CloudLoggingDatasource{
+		oauthPassThrough: true,
+	}
+
+	headers := map[string]string{}
+
+	client, err := ds.CreateOauthClient(context.Background(), headers)
+	require.Error(t, err)
+	require.ErrorContains(t, err, "missing or invalid Authorization header")
+	require.Nil(t, client)
+}
+
+func TestCreateOauthClient_InvalidAuthHeader(t *testing.T) {
+	ds := &CloudLoggingDatasource{
+		oauthPassThrough: true,
+	}
+
+	headers := map[string]string{
+		"Authorization": "Basic invalid-auth",
+	}
+
+	client, err := ds.CreateOauthClient(context.Background(), headers)
+	require.Error(t, err)
+	require.ErrorContains(t, err, "missing or invalid Authorization header")
+	require.Nil(t, client)
+}