invalidate access token cache after datasource is updated

pkg/api/pluginproxy/access_token_provider.go

@@ -13,6 +13,7 @@ import (
 
 	"golang.org/x/oauth2"
 
+	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/plugins"
 	"golang.org/x/oauth2/jwt"
 )
@@ -37,8 +38,9 @@ type oauthJwtTokenCacheType struct {
 }
 
 type accessTokenProvider struct {
-	route        *plugins.AppPluginRoute
-	datasourceID int64
+	route             *plugins.AppPluginRoute
+	datasourceId      int64
+	datasourceVersion int
 }
 
 type jwtToken struct {
@@ -47,10 +49,11 @@ type jwtToken struct {
 	AccessToken     string    `json:"access_token"`
 }
 
-func newAccessTokenProvider(dsID int64, pluginRoute *plugins.AppPluginRoute) *accessTokenProvider {
+func newAccessTokenProvider(ds *models.DataSource, pluginRoute *plugins.AppPluginRoute) *accessTokenProvider {
 	return &accessTokenProvider{
-		datasourceID: dsID,
-		route:        pluginRoute,
+		datasourceId:      ds.Id,
+		datasourceVersion: ds.Version,
+		route:             pluginRoute,
 	}
 }
 
@@ -164,5 +167,5 @@ var getTokenSource = func(conf *jwt.Config, ctx context.Context) (*oauth2.Token,
 }
 
 func (provider *accessTokenProvider) getAccessTokenCacheKey() string {
-	return fmt.Sprintf("%v_%v_%v", provider.datasourceID, provider.route.Path, provider.route.Method)
+	return fmt.Sprintf("%v_%v_%v_%v", provider.datasourceId, provider.datasourceVersion, provider.route.Path, provider.route.Method)
 }

pkg/api/pluginproxy/access_token_provider_test.go

@@ -5,6 +5,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/plugins"
 	. "github.com/smartystreets/goconvey/convey"
 	"golang.org/x/oauth2"
@@ -41,11 +42,13 @@ func TestAccessToken(t *testing.T) {
 			},
 		}
 
+		ds := &models.DataSource{Id: 1, Version: 2}
+
 		Convey("should fetch token using jwt private key", func() {
 			getTokenSource = func(conf *jwt.Config, ctx context.Context) (*oauth2.Token, error) {
 				return &oauth2.Token{AccessToken: "abc"}, nil
 			}
-			provider := newAccessTokenProvider(1, pluginRoute)
+			provider := newAccessTokenProvider(ds, pluginRoute)
 			token, err := provider.getJwtAccessToken(context.Background(), templateData)
 			So(err, ShouldBeNil)
 
@@ -64,7 +67,7 @@ func TestAccessToken(t *testing.T) {
 				return &oauth2.Token{AccessToken: "abc"}, nil
 			}
 
-			provider := newAccessTokenProvider(1, pluginRoute)
+			provider := newAccessTokenProvider(ds, pluginRoute)
 			_, err := provider.getJwtAccessToken(context.Background(), templateData)
 			So(err, ShouldBeNil)
 		})
@@ -75,7 +78,7 @@ func TestAccessToken(t *testing.T) {
 					AccessToken: "abc",
 					Expiry:      time.Now().Add(1 * time.Minute)}, nil
 			}
-			provider := newAccessTokenProvider(1, pluginRoute)
+			provider := newAccessTokenProvider(ds, pluginRoute)
 			token1, err := provider.getJwtAccessToken(context.Background(), templateData)
 			So(err, ShouldBeNil)
 			So(token1, ShouldEqual, "abc")

pkg/api/pluginproxy/ds_auth_provider.go

@@ -44,7 +44,7 @@ func ApplyRoute(ctx context.Context, req *http.Request, proxyPath string, route
 		logger.Error("Failed to render plugin headers", "error", err)
 	}
 
-	tokenProvider := newAccessTokenProvider(ds.Id, route)
+	tokenProvider := newAccessTokenProvider(ds, route)
 
 	if route.TokenAuth != nil {
 		if token, err := tokenProvider.getAccessToken(data); err != nil {