From b279d0a9e291e169ebd194ed31e9851c69af4be7 Mon Sep 17 00:00:00 2001
From: nd
Date: Sat, 12 Dec 2020 23:39:03 +0100
Subject: [PATCH] added oauth2 support
---
 defaults/main.yml | 9 +++++++++
 templates/grafana.ini.j2 | 22 +++++++++++++---------
 2 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 44c6643..d251ac4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -4,6 +4,15 @@ grafana:
 secret_key: "{{ lookup('password', '/dev/null') }}"
 instance_name: "${HOSTNAME}"
 root_url: "https://localhost"
+ oauth2:
+ enabled: "false"
+ name: "OAuth"
+ client_id: ""
+ client_secret: ""
+ auth_url: ""
+ token_url: ""
+ api_url: ""
+ scopes: ""
 plugins:
 "grafana-piechart-panel": {}
 datasources: {}
diff --git a/templates/grafana.ini.j2 b/templates/grafana.ini.j2
index 46866a3..68d0a6a 100644
--- a/templates/grafana.ini.j2
+++ b/templates/grafana.ini.j2
@@ -317,17 +317,19 @@ disable_gravatar = true
 #################################### Generic OAuth ##########################
 [auth.generic_oauth]
-;enabled = false
-;name = OAuth
-;allow_sign_up = true
-;client_id = some_id
-;client_secret = some_secret
-;scopes = user:email,read:org
+enabled = {{ grafana.config.oauth2.enabled }}
+name = {{ grafana.config.oauth2.name }}
+allow_sign_up = true
+client_id = {{ grafana.config.oauth2.client_id }}
+client_secret = {{ grafana.config.oauth2.client_secret }}
+scopes = {{ grafana.config.oauth2.scopes }}
 ;email_attribute_name = email:primary
 ;email_attribute_path =
-;auth_url = https://foo.bar/login/oauth/authorize
-;token_url = https://foo.bar/login/oauth/access_token
-;api_url = https://foo.bar/user
+
+auth_url = {{ grafana.config.oauth2.auth_url }}
+token_url = {{ grafana.config.oauth2.token_url }}
+api_url = {{ grafana.config.oauth2.api_url }}
+
 ;team_ids =
 ;allowed_organizations =
 ;tls_skip_verify_insecure = false
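Review bot: The new `oauth2` defaults omit `role_attribute_path`, yet the last hunk of `templates/grafana.ini.j2` renders `{{ grafana.config.oauth2.role_attribute_path }}` unconditionally, so with Ansible's default strict handling of undefined variables the template task would fail for anyone relying on these defaults. Add `role_attribute_path: ""` next to `scopes: ""`. Separately, `client_secret` is a credential, and a comment on that key such as `# supply from Ansible Vault; never commit a real value` would tell users where the value belongs. Inventories that already override the `grafana` dictionary may also end up without the whole `oauth2` key unless dictionaries are merged; the role's variable handling is not visible in this patch, so that is worth checking.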
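Review bot: `allow_sign_up = true` is now an active, hard-coded setting in `[auth.generic_oauth]`, so once `enabled` is true every identity the provider authenticates gets a Grafana account, while `team_ids` and `allowed_organizations` stay commented out. Make it a variable that defaults to off, e.g. `allow_sign_up = {{ grafana.config.oauth2.allow_sign_up | default('false') }}`, and consider exposing the restriction keys the same way. The rendered file now also holds `client_secret` in clear text; the task that writes it is outside this patch, so confirm it sets a restrictive `mode` and owner. Grafana's configuration docs say values containing `#` or `;` need wrapping in triple quotes, which likely applies to the secret here as well.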
@@ -335,6 +337,8 @@ disable_gravatar = true
 ;tls_client_key =
 ;tls_client_ca =
+role_attribute_path = {{ grafana.config.oauth2.role_attribute_path }}
+
 ; Set to true to enable sending client_id and client_secret via POST body instead of Basic authentication HTTP header
 ; This might be required if the OAuth provider is not RFC6749 compliant, only supporting credentials passed via POST payload
 ;send_client_credentials_via_post = false
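Review bot: `role_attribute_path` decides which Grafana role an OAuth user receives, and the added line carries no comment saying what the value must be or what happens when it is empty. Grafana evaluates it as a JMESPath expression over the provider's user data and expects `Viewer`, `Editor` or `Admin`; if it yields nothing, the user gets the auto-assigned organisation role. A comment above the line, e.g. `; JMESPath expression returning Viewer, Editor or Admin; empty = default org role`, would make the privilege mapping reviewable. It would also sit more naturally beside the other generic OAuth keys than after the TLS client options.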