From 6acb2d17dda5e823cb18b09c123d912194857f4b Mon Sep 17 00:00:00 2001
From: uumas
Date: Thu, 21 Dec 2023 01:35:34 +0200
Subject: [PATCH] grafana: add oauth support

---
 roles/grafana/defaults/main.yml | 9 +++++
 roles/grafana/meta/argument_specs.yml | 53 +++++++++++++++++++++++++++
 roles/grafana/tasks/main.yml | 14 ++++++-
 3 files changed, 75 insertions(+), 1 deletion(-)
 create mode 100644 roles/grafana/defaults/main.yml

diff --git a/roles/grafana/defaults/main.yml b/roles/grafana/defaults/main.yml
new file mode 100644
index 0000000..38a28c3
--- /dev/null
+++ b/roles/grafana/defaults/main.yml
@@ -0,0 +1,9 @@
+---
+
+grafana_oauth_enabled: false
+grafana_oauth_scopes:
+ - openid
+ - profile
+ - email
+grafana_oauth_allow_sign_up: true
+grafana_oauth_auto_login: false
diff --git a/roles/grafana/meta/argument_specs.yml b/roles/grafana/meta/argument_specs.yml
index b8a11eb..9778e89 100644
--- a/roles/grafana/meta/argument_specs.yml
+++ b/roles/grafana/meta/argument_specs.yml
@@ -5,6 +5,59 @@ argument_specs:
 short_description: Grafana
 description: "Sets up a grafana docker container"
 options:
+ grafana_oauth_enabled:
+ description: Enables generic OAuth2 authentication.
+ type: bool
+ required: false
+ default: false
+ grafana_oauth_name:
+ description: Name that refers to the generic OAuth2 authentication from the Grafana user interface.
+ type: str
+ required: false
+ grafana_oauth_client_id:
+ description: Client ID provided by your OAuth2 app.
+ type: str
+ required: "{{ grafana_oauth_enabled }}"
+ grafana_oauth_client_secret:
+ description: Client secret provided by your OAuth2 app.
+ type: str
+ required: "{{ grafana_oauth_enabled }}"
+ grafana_oauth_auth_url:
+ description: Authorization endpoint of your OAuth2 provider.
+ type: str
+ required: "{{ grafana_oauth_enabled }}"
+ grafana_oauth_token_url:
+ description: Endpoint used to obtain the OAuth2 access token.
+ type: str
+ required: "{{ grafana_oauth_enabled }}"
+ grafana_oauth_api_url:
+ description: Endpoint used to obtain user information compatible with OpenID UserInfo.
+ type: str
+ required: "{{ grafana_oauth_enabled }}"
+ grafana_oauth_scopes:
+ description: List of OAuth2 scopes.
+ type: list
+ required: false
+ items: str
+ default:
+ - openid
+ - profile
+ - email
+ grafana_oauth_role_attribute_path:
+ description: JMESPath expression to use for Grafana role lookup. Grafana will first evaluate the expression using the OAuth2 ID token. If no role is found, the expression will be evaluated using the user information obtained from the UserInfo endpoint. The result of the evaluation should be a valid Grafana role (Viewer, Editor, Admin or GrafanaAdmin).
+ type: str
+ required: false
+ grafana_oauth_allow_sign_up:
+ description: Controls Grafana user creation through the generic OAuth2 login. Only existing Grafana users can log in with generic OAuth if set to false.
+ type: bool
+ required: false
+ default: true
+ grafana_oauth_auto_login:
+ description: Set to true to enable users to bypass the login screen and automatically log in. This setting is ignored if you configure multiple auth providers to use auto-login.
+ type: bool
+ required: false
+ default: false
+
 database_passwords:
 description: "Passed to container role"
 required: true
diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml
index bd902a2..d4618e6 100644
--- a/roles/grafana/tasks/main.yml
+++ b/roles/grafana/tasks/main.yml
@@ -7,7 +7,7 @@
 docker_service: grafana
 docker_image: grafana/grafana
 docker_image_http_port: 3000
- docker_volumes:
+ docker_mounts:
 - name: data
 path: /var/lib/grafana
 docker_database: postgres
@@ -19,3 +19,15 @@
 GF_DATABASE_PASSWORD: "{{ database_passwords.grafana }}"
 GF_SERVER_DOMAIN: "{{ docker_vhost_domains.grafana[0] }}"
 GF_SERVER_ROOT_URL: "https://{{ docker_vhost_domains.grafana[0] }}"
+
+ GF_AUTH_GENERIC_OAUTH_ENABLED: "{{ 'true' if grafana_oauth_enabled else 'false' }}"
+ GF_AUTH_GENERIC_OAUTH_NAME: "{{ grafana_oauth_name | default(omit) }}"
+ GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "{{ grafana_oauth_client_id }}"
+ GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ grafana_oauth_client_secret }}"
+ GF_AUTH_GENERIC_OAUTH_AUTH_URL: "{{ grafana_oauth_auth_url }}"
+ GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "{{ grafana_oauth_token_url }}"
+ GF_AUTH_GENERIC_OAUTH_API_URL: "{{ grafana_oauth_api_url }}"
+ GF_AUTH_GENERIC_OAUTH_SCOPES: "{{ grafana_oauth_scopes | join(' ') }}"
+ GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: "{{ 'true' if grafana_oauth_allow_sign_up else 'false' }}"
+ GF_AUTH_GENERIC_OAUTH_AUTO_LOGIN: "{{ 'true' if grafana_oauth_auto_login else 'false' }}"
+ GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "{{ grafana_oauth_role_attribute_path | default(omit) }}"
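Review bot: `grafana_oauth_client_secret` is declared without `no_log: true`, so the secret value can be printed in argument-validation failures and verbose output; add `no_log: true` under that option. `items: str` on `grafana_oauth_scopes` is not an argument-spec attribute — the element type is spelled `elements: str` — so as written the list contents are not type-checked. The `required: "{{ grafana_oauth_enabled }}"` on the five client/endpoint options appears to depend on the spec being templated before validation; a comment such as `# templated at validation time: required only when grafana_oauth_enabled is true` would stop the next maintainer from reading it as an always-truthy string.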
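Review bot: The `GF_AUTH_GENERIC_OAUTH_CLIENT_ID`, `_CLIENT_SECRET`, `_AUTH_URL`, `_TOKEN_URL` and `_API_URL` lines template their variables unconditionally, yet the argument spec only requires them when `grafana_oauth_enabled` is true and the new defaults file leaves them undefined, so with the default `grafana_oauth_enabled: false` the role fails on an undefined variable instead of starting Grafana with OAuth off. Give them the same `| default(omit)` as the NAME and ROLE_ATTRIBUTE_PATH lines, e.g. `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ grafana_oauth_client_secret | default(omit) }}"`, or make the whole OAuth block conditional on `grafana_oauth_enabled`. The client secret also reaches the container as a plain environment variable, readable by anyone who can inspect the container or its process environment; Grafana accepts a `__FILE` suffix (`GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET__FILE`) to read the value from a mounted file, and the task that passes this mapping should carry `no_log: true` either way. That task begins outside the hunk, so the mapping's parent key and any existing `no_log` are not visible here.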