PMM-13633 New check for not service account error.

percona · Dec 27, 2024 · 28bf347 · 28bf347
1 parent 79e6cd8
commit 28bf347
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/managed/services/grafana/client.go b/managed/services/grafana/client.go
@@ -43,8 +43,12 @@ import (
 	"github.com/percona/pmm/utils/grafana"
 )
 
-// ErrFailedToGetToken means it failed to get user's token. Most likely due to the fact user is not logged in using Percona Account.
-var ErrFailedToGetToken = errors.New("failed to get token")
+var (
+	// ErrFailedToGetToken means it failed to get user's token. Most likely due to the fact user is not logged in using Percona Account.
+	ErrFailedToGetToken = errors.New("failed to get token")
+	// ErrIsNotServiceAccount means that provided auth header is not Service account. Most likely it is API Key.
+	ErrIsNotServiceAccount = errors.New("Auth method is not service account token")
+)
 
 const (
 	pmmServiceTokenName   = "pmm-agent-st" //nolint:gosec
@@ -229,7 +233,7 @@ func (c *Client) getAuthUser(ctx context.Context, authHeaders http.Header) (auth
 	if token != "" {
 		role, err := c.getRoleForServiceToken(ctx, token)
 		if err != nil {
-			if strings.Contains(err.Error(), "Auth method is not service account token") {
+			if err == ErrIsNotServiceAccount {
 				role, err := c.getRoleForAPIKey(ctx, authHeaders)
 				return authUser{
 					role:   role,
@@ -336,6 +340,10 @@ func (c *Client) getRoleForServiceToken(ctx context.Context, token string) (role
 		return none, err
 	}
 
+	if k == nil {
+		return none, ErrIsNotServiceAccount
+	}
+
 	if id, _ := k["orgId"].(float64); id != 1 {
 		return none, nil
 	}