trinodb
diff --git a/‎.github/workflows/ci.yml
Lines changed: 48 additions & 9 deletions b/‎.github/workflows/ci.yml
Lines changed: 48 additions & 9 deletions
diff --git a/‎pkg/trino/client/client.go
Lines changed: 85 additions & 0 deletions b/‎pkg/trino/client/client.go
Lines changed: 85 additions & 0 deletions
diff --git a/‎pkg/trino/client/token.go
Lines changed: 26 additions & 0 deletions b/‎pkg/trino/client/token.go
Lines changed: 26 additions & 0 deletions
diff --git a/‎pkg/trino/driver/driver.go
Lines changed: 42 additions & 0 deletions b/‎pkg/trino/driver/driver.go
Lines changed: 42 additions & 0 deletions
diff --git a/‎pkg/trino/models/settings.go
Lines changed: 7 additions & 0 deletions b/‎pkg/trino/models/settings.go
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/ConfigEditor.tsx
Lines changed: 74 additions & 1 deletion b/‎src/ConfigEditor.tsx
Lines changed: 74 additions & 1 deletion
@@ -7,6 +7,7 @@ on:
   pull_request:
     branches:
       - main
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -42,25 +43,63 @@ jobs:
           version: latest
           args: buildAll
 
-      - name: End to end test
+      - name: Setup services (Trino, Grafana, PostgreSQL, Keycloak)
         run: |
           docker network create trino
 
-          docker run \
-            --rm --detach \
+          echo "Starting PostgreSQL..."
+          docker run --rm --detach \
+            --name postgres \
+            --net trino \
+            --env POSTGRES_USER=keycloak \
+            --env POSTGRES_PASSWORD=keycloak \
+            --env POSTGRES_DB=keycloak \
+            postgres:17.4
+          
+          echo "Starting Keycloak..."
+          docker run --rm --detach \
+            --name keycloak \
+            --net trino \
+            --publish 18080:8080 \
+            --env KC_BOOTSTRAP_ADMIN_USERNAME=admin \
+            --env KC_BOOTSTRAP_ADMIN_PASSWORD=admin \
+            --env KC_DB=postgres \
+            --env KC_DB_URL_HOST=postgres \
+            --env KC_DB_URL_DATABASE=keycloak \
+            --env KC_DB_USERNAME=keycloak \
+            --env KC_DB_PASSWORD=keycloak \
+            --volume "$(pwd)/test-data/test-keycloak-realm.json:/opt/keycloak/data/import/realm.json" \
+            quay.io/keycloak/keycloak:26.1.4 \
+            start-dev --import-realm
+
+          echo "Waiting for Keycloak to be ready..."
+          while true; do
+            if curl -s http://localhost:18080/realms/master | grep -q "realm"; then
+              echo "Keycloak is ready!"
+             break
+           fi
+            echo "Waiting for Keycloak..."
+           sleep 5
+          done
+
+          echo "Starting Trino..."
+          docker run --rm --detach \
             --name trino \
             --net trino \
+            --volume "$(pwd)/test-data/test-trino-config.properties:/etc/trino/config.properties" \
             trinodb/trino:468
 
-          docker run \
-            --rm --detach \
+          echo "Starting Grafana..."
+          docker run --rm --detach \
             --name grafana \
             --net trino \
             --publish 3000:3000 \
             --volume "$(pwd):/var/lib/grafana/plugins/trino" \
             --env "GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS=trino-datasource" \
-           grafana/grafana:11.4.0
+            grafana/grafana:11.4.0
 
-           npx tsc -p tsconfig.json --noEmit
-           npx playwright install
-           npx playwright test
+      - name: End to end test
+        run: |
+          npx tsc -p tsconfig.json --noEmit
+          npx playwright install
+          npx playwright test
@@ -0,0 +1,85 @@
+package client
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"github.com/grafana/grafana-plugin-sdk-go/backend/log"
+	"io"
+	"net/http"
+	"net/url"
+	"sync"
+	"time"
+)
+
+var (
+	lock  = &sync.Mutex{}
+	token *Token
+)
+
+type Client struct {
+	*http.Client
+	ClientId          string
+	ClientSecret      string
+	Url               string
+	ImpersonationUser string
+}
+
+func (c *Client) Do(req *http.Request) (*http.Response, error) {
+	token, err := c.getToken()
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Authorization", "Bearer "+token.AccessToken)
+	if c.ImpersonationUser != "" {
+		req.Header.Set("X-Trino-User", c.ImpersonationUser)
+	}
+	return c.Client.Do(req)
+}
+
+func (c *Client) getToken() (*Token, error) {
+	if token != nil && !token.isAlmostExpired() {
+		return token, nil
+	}
+	lock.Lock()
+	defer lock.Unlock()
+	if token != nil && !token.isAlmostExpired() {
+		return token, nil
+	}
+	newToken, err := c.retrieveToken()
+	if err != nil {
+		return nil, err
+	}
+	token = newToken
+	return token, nil
+}
+
+func (c *Client) retrieveToken() (*Token, error) {
+	log.DefaultLogger.Debug("Try retrieve token")
+	values := url.Values{
+		"client_id":     []string{c.ClientId},
+		"client_secret": []string{c.ClientSecret},
+		"grant_type":    []string{"client_credentials"},
+	}
+
+	token := &Token{}
+	response, err := c.PostForm(c.Url, values)
+	if err != nil {
+		return nil, fmt.Errorf("failed to request the token response: %w", err)
+	}
+	defer response.Body.Close()
+	if response.StatusCode != 200 {
+		return nil, errors.New("Cannot obtain token from IDP. Status code=" + response.Status)
+	}
+	var jsonResponse []byte
+	if jsonResponse, err = io.ReadAll(response.Body); err != nil {
+		return nil, fmt.Errorf("failed to read the token response: %w", err)
+	}
+	err = json.Unmarshal(jsonResponse, token)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode the token response: %w", err)
+	}
+	token.ExpiresAt = time.Now().Add(time.Second * time.Duration(token.ExpiresIn))
+	log.DefaultLogger.Debug("Token will expire at:", "date", token.ExpiresAt.Format(time.RFC1123Z))
+	return token, nil
+}
@@ -0,0 +1,26 @@
+package client
+
+import (
+	"time"
+)
+
+// UntilExpirationInSeconds time has to be a greater than HTTP request timeout
+// In most HTTP clients HTTP request timeout is 30 seconds.
+const UntilExpirationInSeconds = 60
+
+type Token struct {
+	AccessToken string `json:"access_token"`
+	ExpiresIn   int    `json:"expires_in"`
+	ExpiresAt   time.Time
+}
+
+func (token *Token) isAlmostExpired() bool {
+	if token.AccessToken == "" {
+		return true
+	} else {
+		if time.Now().Add(time.Second * time.Duration(UntilExpirationInSeconds)).After(token.ExpiresAt) {
+			return true
+		}
+	}
+	return false
+}
@@ -6,7 +6,9 @@ import (
 	"database/sql"
 	"errors"
 	"fmt"
+	trinoClient "github.com/trinodb/grafana-trino/pkg/trino/client"
 	"net/http"
+	"strings"
 
 	"github.com/trinodb/grafana-trino/pkg/trino/models"
 	"github.com/trinodb/trino-go-client/trino"
@@ -15,6 +17,17 @@ import (
 
 const DriverName string = "trino"
 
+// just compile time assertion
+var _ http.RoundTripper = &customTransport{}
+
+type customTransport struct {
+	client *trinoClient.Client
+}
+
+func (t *customTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	return t.client.Do(req)
+}
+
 // Open registers a new driver with a unique name
 func Open(settings models.TrinoDatasourceSettings) (*sql.DB, error) {
 	skipVerify := false
@@ -48,6 +61,35 @@ func Open(settings models.TrinoDatasourceSettings) (*sql.DB, error) {
 			},
 		},
 	}
+	if settings.TokenUrl != "" || settings.ClientId != "" || settings.ClientSecret != "" {
+		if settings.AccessToken != "" {
+			return nil, errors.New("access token must not be set within 'OAuth Trino Authentication' settings")
+		}
+		var missingParams []string
+		if settings.TokenUrl == "" {
+			missingParams = append(missingParams, "Token URL")
+		}
+		if settings.ClientId == "" {
+			missingParams = append(missingParams, "Client id")
+		}
+		if settings.ClientSecret == "" {
+			missingParams = append(missingParams, "Client secret")
+		}
+		if len(missingParams) > 0 {
+			return nil, fmt.Errorf("missing parameters for 'OAuth Trino Authentication': %v", strings.Join(missingParams, ", "))
+		}
+		client = &http.Client{
+			Transport: &customTransport{
+				client: &trinoClient.Client{
+					Client:            client,
+					ClientId:          settings.ClientId,
+					ClientSecret:      settings.ClientSecret,
+					Url:               settings.TokenUrl,
+					ImpersonationUser: settings.ImpersonationUser,
+				},
+			},
+		}
+	}
 	err := trino.RegisterCustomClient("grafana", client)
 	if err != nil {
 		return nil, err
 
@@ -16,6 +16,10 @@ type TrinoDatasourceSettings struct {
 	Opts                httpclient.Options `json:"-"`
 	EnableImpersonation bool               `json:"enableImpersonation"`
 	AccessToken         string             `json:"accessToken"`
+	TokenUrl            string             `json:"tokenUrl"`
+	ClientId            string             `json:"clientId"`
+	ClientSecret        string             `json:"clientSecret"`
+	ImpersonationUser   string             `json:"impersonationUser"`
 }
 
 func (s *TrinoDatasourceSettings) Load(config backend.DataSourceInstanceSettings) error {
@@ -48,5 +52,8 @@ func (s *TrinoDatasourceSettings) Load(config backend.DataSourceInstanceSettings
 	if token, ok := config.DecryptedSecureJSONData["accessToken"]; ok {
 		s.AccessToken = token
 	}
+	if clientSecret, ok := config.DecryptedSecureJSONData["clientSecret"]; ok {
+		s.ClientSecret = clientSecret
+	}
 	return nil
 }
@@ -1,5 +1,5 @@
 import React, { ChangeEvent, PureComponent } from 'react';
-import { DataSourceHttpSettings, InlineField, InlineSwitch, SecretInput } from '@grafana/ui';
+import { DataSourceHttpSettings, InlineField, InlineSwitch, SecretInput, Input } from '@grafana/ui';
 import { DataSourcePluginOptionsEditorProps } from '@grafana/data';
 import {TrinoDataSourceOptions, TrinoSecureJsonData} from './types';
 
@@ -19,6 +19,21 @@ export class ConfigEditor extends PureComponent<Props, State> {
     const onResetToken = () => {
       onOptionsChange({...options, secureJsonFields: {...options.secureJsonFields, accessToken: false }, secureJsonData: {...options.secureJsonData, accessToken: '' }});
     };
+    const onTokenUrlChange = (event: ChangeEvent<HTMLInputElement>) => {
+      onOptionsChange({...options, jsonData: {...options.jsonData, tokenUrl: event.target.value}})
+    };
+    const onClientIdChange = (event: ChangeEvent<HTMLInputElement>) => {
+      onOptionsChange({...options, jsonData: {...options.jsonData, clientId: event.target.value}})
+    };
+    const onClientSecretChange = (event: ChangeEvent<HTMLInputElement>) => {
+      onOptionsChange({...options, secureJsonData: {...options.secureJsonData, clientSecret: event.target.value}})
+    };
+    const onResetClientSecret = () => {
+      onOptionsChange({...options, secureJsonFields: {...options.secureJsonFields, clientSecret: false}, secureJsonData: {...options.secureJsonData, clientSecret: ''}});
+    };
+    const onImpersonationUserChange = (event: ChangeEvent<HTMLInputElement>) => {
+      onOptionsChange({...options, jsonData: {...options.jsonData, impersonationUser: event.target.value}})
+    };
     return (
       <div className="gf-form-group">
         <DataSourceHttpSettings
@@ -58,6 +73,64 @@ export class ConfigEditor extends PureComponent<Props, State> {
             </InlineField>
           </div>
         </div>
+
+        <h3 className="page-heading">OAuth Trino Authentication</h3>
+        <div className="gf-form-group">
+          <div className="gf-form-inline">
+            <InlineField
+              label="Token URL"
+              tooltip="If set, token is retrieved by client credentials flow before request to Trino is sent"
+              labelWidth={26}
+            >
+              <Input
+                value={options.jsonData?.tokenUrl ?? ''}
+                onChange={onTokenUrlChange}
+                width={60}
+              />
+            </InlineField>
+          </div>
+          <div className="gf-form-inline">
+            <InlineField
+              label="Client id"
+              tooltip="Required if Token URL is set"
+              labelWidth={26}
+            >
+              <Input
+                value={options.jsonData?.clientId ?? ''}
+                onChange={onClientIdChange}
+                width={60}
+              />
+            </InlineField>
+          </div>
+          <div className="gf-form-inline">
+            <InlineField
+              label="Client secret"
+              tooltip="Required if Token URL is set"
+              labelWidth={26}
+            >
+              <SecretInput
+                value={options.secureJsonData?.clientSecret ?? ''}
+                isConfigured={options.secureJsonFields?.clientSecret}
+                onChange={onClientSecretChange}
+                width={60}
+                onReset={onResetClientSecret}
+              />
+            </InlineField>
+          </div>
+          <div className="gf-form-inline">
+            <InlineField
+              label="Impersonation user"
+              tooltip="If set, this user will be used for impersonation in Trino"
+              labelWidth={26}
+            >
+              <Input
+                value={options.jsonData?.impersonationUser ?? ''}
+                onChange={onImpersonationUserChange}
+                width={60}
+              />
+            </InlineField>
+          </div>
+        </div>
       </div>
     );
   }
Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,10 @@ type TrinoDatasourceSettings struct {`
`16`	`16`	Opts httpclient.Options `json:"-"`
`17`	`17`	EnableImpersonation bool `json:"enableImpersonation"`
`18`	`18`	AccessToken string `json:"accessToken"`
	`19`	+ TokenUrl string `json:"tokenUrl"`
	`20`	+ ClientId string `json:"clientId"`
	`21`	+ ClientSecret string `json:"clientSecret"`
	`22`	+ ImpersonationUser string `json:"impersonationUser"`
`19`	`23`	`}`
`20`	`24`
`21`	`25`	`func (s *TrinoDatasourceSettings) Load(config backend.DataSourceInstanceSettings) error {`
`@@ -48,5 +52,8 @@ func (s *TrinoDatasourceSettings) Load(config backend.DataSourceInstanceSettings`
`48`	`52`	`if token, ok := config.DecryptedSecureJSONData["accessToken"]; ok {`
`49`	`53`	`s.AccessToken = token`
`50`	`54`	`}`
	`55`	`+ if clientSecret, ok := config.DecryptedSecureJSONData["clientSecret"]; ok {`
	`56`	`+ s.ClientSecret = clientSecret`
	`57`	`+ }`
`51`	`58`	`return nil`
`52`	`59`	`}`