Support X-Access-Token for Grafana Cloud

In Grafana Cloud it is possible to have a plugin submit requests on
behalf of the calling user by setting the X-Access-Token header instead
of the standard Authorization header. This PR will preferentially look
for the presence of an access token and use that before falling back to
an API key like normal.

Author: csmarchbanks

mcpgrafana.go

@@ -40,6 +40,7 @@ func urlAndAPIKeyFromHeaders(req *http.Request) (string, string) {
 
 type grafanaURLKey struct{}
 type grafanaAPIKeyKey struct{}
+type grafanaAccessTokenKey struct{}
 
 // grafanaDebugKey is the context key for the Grafana transport's debug flag.
 type grafanaDebugKey struct{}
@@ -103,6 +104,12 @@ func WithGrafanaAPIKey(ctx context.Context, apiKey string) context.Context {
 	return context.WithValue(ctx, grafanaAPIKeyKey{}, apiKey)
 }
 
+// WithGrafanaAccessToken adds the Grafana access token to the context. An
+// access token is used for on-behalf-of auth in Grafana Cloud.
+func WithGrafanaAccessToken(ctx context.Context, accessToken string) context.Context {
+	return context.WithValue(ctx, grafanaAccessTokenKey{}, accessToken)
+}
+
 // GrafanaURLFromContext extracts the Grafana URL from the context.
 func GrafanaURLFromContext(ctx context.Context) string {
 	if u, ok := ctx.Value(grafanaURLKey{}).(string); ok {
@@ -119,6 +126,15 @@ func GrafanaAPIKeyFromContext(ctx context.Context) string {
 	return ""
 }
 
+// GrafanaAccessTokenFromContext extracts a Grafana access token from the context.
+// An access token is used for on-behalf-of auth in Grafana Cloud.
+func GrafanaAccessTokenFromContext(ctx context.Context) string {
+	if k, ok := ctx.Value(grafanaAccessTokenKey{}).(string); ok {
+		return k
+	}
+	return ""
+}
+
 type grafanaClientKey struct{}
 
 func makeBasePath(path string) string {

tools/alerting_client.go

@@ -21,9 +21,10 @@ const (
 )
 
 type alertingClient struct {
-	baseURL    *url.URL
-	apiKey     string
-	httpClient *http.Client
+	baseURL     *url.URL
+	accessToken string
+	apiKey      string
+	httpClient  *http.Client
 }
 
 func newAlertingClientFromContext(ctx context.Context) (*alertingClient, error) {
@@ -34,8 +35,9 @@ func newAlertingClientFromContext(ctx context.Context) (*alertingClient, error)
 	}
 
 	return &alertingClient{
-		baseURL: parsedBaseURL,
-		apiKey:  mcpgrafana.GrafanaAPIKeyFromContext(ctx),
+		baseURL:     parsedBaseURL,
+		accessToken: mcpgrafana.GrafanaAccessTokenFromContext(ctx),
+		apiKey:      mcpgrafana.GrafanaAPIKeyFromContext(ctx),
 		httpClient: &http.Client{
 			Timeout: defaultTimeout,
 		},
@@ -53,7 +55,10 @@ func (c *alertingClient) makeRequest(ctx context.Context, path string) (*http.Re
 	req.Header.Set("Accept", "application/json")
 	req.Header.Set("Content-Type", "application/json")
 
-	if c.apiKey != "" {
+	// If accessToken is set we use that first and fall back to normal Authorization.
+	if c.accessToken != "" {
+		req.Header.Set("X-Access-Token", c.accessToken)
+	} else if c.apiKey != "" {
 		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", c.apiKey))
 	}
 

tools/loki.go

@@ -50,13 +50,18 @@ func newLokiClient(ctx context.Context, uid string) (*Client, error) {
 		return nil, err
 	}
 
-	grafanaURL, apiKey := mcpgrafana.GrafanaURLFromContext(ctx), mcpgrafana.GrafanaAPIKeyFromContext(ctx)
+	var (
+		grafanaURL  = mcpgrafana.GrafanaURLFromContext(ctx)
+		apiKey      = mcpgrafana.GrafanaAPIKeyFromContext(ctx)
+		accessToken = mcpgrafana.GrafanaAccessTokenFromContext(ctx)
+	)
 	url := fmt.Sprintf("%s/api/datasources/proxy/uid/%s", strings.TrimRight(grafanaURL, "/"), uid)
 
 	client := &http.Client{
 		Transport: &authRoundTripper{
-			apiKey:     apiKey,
-			underlying: http.DefaultTransport,
+			accessToken: accessToken,
+			apiKey:      apiKey,
+			underlying:  http.DefaultTransport,
 		},
 	}
 
@@ -163,12 +168,15 @@ func (c *Client) fetchData(ctx context.Context, urlPath string, startRFC3339, en
 }
 
 type authRoundTripper struct {
-	apiKey     string
-	underlying http.RoundTripper
+	accessToken string
+	apiKey      string
+	underlying  http.RoundTripper
 }
 
 func (rt *authRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
-	if rt.apiKey != "" {
+	if rt.accessToken != "" {
+		req.Header.Set("X-Access-Token", rt.accessToken)
+	} else if rt.apiKey != "" {
 		req.Header.Set("Authorization", "Bearer "+rt.apiKey)
 	}
 

tools/oncall.go

@@ -57,7 +57,10 @@ func getOnCallURLFromSettings(ctx context.Context, grafanaURL, grafanaAPIKey str
 
 func oncallClientFromContext(ctx context.Context) (*aapi.Client, error) {
 	// Get the standard Grafana URL and API key
-	grafanaURL, grafanaAPIKey := mcpgrafana.GrafanaURLFromContext(ctx), mcpgrafana.GrafanaAPIKeyFromContext(ctx)
+	var (
+		grafanaURL    = mcpgrafana.GrafanaURLFromContext(ctx)
+		grafanaAPIKey = mcpgrafana.GrafanaAPIKeyFromContext(ctx)
+	)
 
 	// Try to get OnCall URL from settings endpoint
 	grafanaOnCallURL, err := getOnCallURLFromSettings(ctx, grafanaURL, grafanaAPIKey)
@@ -67,6 +70,7 @@ func oncallClientFromContext(ctx context.Context) (*aapi.Client, error) {
 
 	grafanaOnCallURL = strings.TrimRight(grafanaOnCallURL, "/")
 
+	// TODO: Allow access to OnCall using an access token instead of an API key.
 	client, err := aapi.NewWithGrafanaURL(grafanaOnCallURL, grafanaAPIKey, grafanaURL)
 	if err != nil {
 		return nil, fmt.Errorf("creating OnCall client: %w", err)

tools/prometheus.go

@@ -33,10 +33,22 @@ func promClientFromContext(ctx context.Context, uid string) (promv1.API, error)
 		return nil, err
 	}
 
-	grafanaURL, apiKey := mcpgrafana.GrafanaURLFromContext(ctx), mcpgrafana.GrafanaAPIKeyFromContext(ctx)
+	var (
+		grafanaURL  = mcpgrafana.GrafanaURLFromContext(ctx)
+		apiKey      = mcpgrafana.GrafanaAPIKeyFromContext(ctx)
+		accessToken = mcpgrafana.GrafanaAccessTokenFromContext(ctx)
+	)
 	url := fmt.Sprintf("%s/api/datasources/proxy/uid/%s", strings.TrimRight(grafanaURL, "/"), uid)
 	rt := api.DefaultRoundTripper
-	if apiKey != "" {
+	if accessToken != "" {
+		rt = config.NewHeadersRoundTripper(&config.Headers{
+			Headers: map[string]config.Header{
+				"X-Access-Token": config.Header{
+					Secrets: []config.Secret{config.Secret(accessToken)},
+				},
+			},
+		}, rt)
+	} else if apiKey != "" {
 		rt = config.NewAuthorizationCredentialsRoundTripper(
 			"Bearer", config.NewInlineSecret(apiKey), rt,
 		)

tools/sift.go

@@ -97,11 +97,12 @@ type siftClient struct {
 	url    string
 }
 
-func newSiftClient(url, apiKey string) *siftClient {
+func newSiftClient(url, accessToken, apiKey string) *siftClient {
 	client := &http.Client{
 		Transport: &authRoundTripper{
-			apiKey:     apiKey,
-			underlying: http.DefaultTransport,
+			accessToken: accessToken,
+			apiKey:      apiKey,
+			underlying:  http.DefaultTransport,
 		},
 	}
 	return &siftClient{
@@ -112,9 +113,13 @@ func newSiftClient(url, apiKey string) *siftClient {
 
 func siftClientFromContext(ctx context.Context) (*siftClient, error) {
 	// Get the standard Grafana URL and API key
-	grafanaURL, grafanaAPIKey := mcpgrafana.GrafanaURLFromContext(ctx), mcpgrafana.GrafanaAPIKeyFromContext(ctx)
+	var (
+		grafanaURL         = mcpgrafana.GrafanaURLFromContext(ctx)
+		grafanaAPIKey      = mcpgrafana.GrafanaAPIKeyFromContext(ctx)
+		grafanaAccessToken = mcpgrafana.GrafanaAccessTokenFromContext(ctx)
+	)
 
-	client := newSiftClient(grafanaURL, grafanaAPIKey)
+	client := newSiftClient(grafanaURL, grafanaAccessToken, grafanaAPIKey)
 
 	return client, nil
 }