apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
56116 Commits
2296 Branches
613 Tags
1.8 GiB
Tag: Branch: Tree: 37404446b1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '37404446b1'
${ noResults }
grafana/pkg/login/social/connectors/common.go

214 lines
4.6 KiB
Raw Normal View History Unescape

Auth: Use SSO settings service to load social connectors + refactor (#79005) * Refactor to prevent cyclic dependencies * Move list authorization to the API layer * Init connectors using the SSO settings service in case the ssoSettingsApi feature toggle is enabled * wip, need to handle the cyclic dep * Remove cyclic dependency * Align tests + refactor * Move back OAuthInfo to social * Delete pkg/login/social/constants * Move reloadable registration to the social providers * Rename connectors.Error to connectors.SocialError
2 years ago
package connectors
feat(oauth): create struct for generic oauth and add config values
9 years ago
import (
Auth: Add request context to UserInfo calls (#70007) * use context for UserInfo requests * set timeouts for oauth http client * Update pkg/login/social/common.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
"context"
feat(oauth): create struct for generic oauth and add config values
9 years ago
"fmt"
Handle ioutil deprecations (#53526) * replace ioutil.ReadFile -> os.ReadFile * replace ioutil.ReadAll -> io.ReadAll * replace ioutil.TempFile -> os.CreateTemp * replace ioutil.NopCloser -> io.NopCloser * replace ioutil.WriteFile -> os.WriteFile * replace ioutil.TempDir -> os.MkdirTemp * replace ioutil.Discard -> io.Discard
3 years ago
"io"
centralize oauth http calls, validate response status (#8470)
8 years ago
"net/http"
Auth: Refactor OAuth connectors' initialization (#77919) * Refactor AzureAD to init itself * Use mapstructure to convert data to OAuthInfo * Update * Align tests * Remove unused functions * Add owner to mapstructure * Clean up, lint * Refactor Okta init, Align tests * Address review comments, fix name in newSocialBase * Update newSocialBase first param * Refactor GitLab init, align tests * Update pkg/login/social/common.go Co-authored-by: Karl Persson <kalle.persson@grafana.com> * Use ini conversion to map * Leftovers * Refactor GitHub connector initialization, align tests * Refactor Google connector init, align tests * Refactor grafana_com connector, align tests * Refactor generic_oauth connector init, align tests * cleanup * Remove util.go * Add tests for custom field init * Change OAuthInfo's Extra type * Fix * Replace interface{} with any * clean up --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2 years ago
"reflect"
Auth: Use SSO settings service to load social connectors + refactor (#79005) * Refactor to prevent cyclic dependencies * Move list authorization to the API layer * Init connectors using the SSO settings service in case the ssoSettingsApi feature toggle is enabled * wip, need to handle the cyclic dep * Remove cyclic dependency * Align tests + refactor * Move back OAuthInfo to social * Delete pkg/login/social/constants * Move reloadable registration to the social providers * Rename connectors.Error to connectors.SocialError
2 years ago
"slices"
Auth: Refactor OAuth connectors' initialization (#77919) * Refactor AzureAD to init itself * Use mapstructure to convert data to OAuthInfo * Update * Align tests * Remove unused functions * Add owner to mapstructure * Clean up, lint * Refactor Okta init, Align tests * Address review comments, fix name in newSocialBase * Update newSocialBase first param * Refactor GitLab init, align tests * Update pkg/login/social/common.go Co-authored-by: Karl Persson <kalle.persson@grafana.com> * Use ini conversion to map * Leftovers * Refactor GitHub connector initialization, align tests * Refactor Google connector init, align tests * Refactor grafana_com connector, align tests * Refactor generic_oauth connector init, align tests * cleanup * Remove util.go * Add tests for custom field init * Change OAuthInfo's Extra type * Fix * Replace interface{} with any * clean up --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2 years ago
"strconv"
feat(oauth): create struct for generic oauth and add config values
9 years ago
"strings"
centralize oauth http calls, validate response status (#8470)
8 years ago
Auth: Refactor OAuth connectors' initialization (#77919) * Refactor AzureAD to init itself * Use mapstructure to convert data to OAuthInfo * Update * Align tests * Remove unused functions * Add owner to mapstructure * Clean up, lint * Refactor Okta init, Align tests * Address review comments, fix name in newSocialBase * Update newSocialBase first param * Refactor GitLab init, align tests * Update pkg/login/social/common.go Co-authored-by: Karl Persson <kalle.persson@grafana.com> * Use ini conversion to map * Leftovers * Refactor GitHub connector initialization, align tests * Refactor Google connector init, align tests * Refactor grafana_com connector, align tests * Refactor generic_oauth connector init, align tests * cleanup * Remove util.go * Add tests for custom field init * Change OAuthInfo's Extra type * Fix * Replace interface{} with any * clean up --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2 years ago
"github.com/mitchellh/mapstructure"
"golang.org/x/oauth2"
Auth: Use SSO settings service to load social connectors + refactor (#79005) * Refactor to prevent cyclic dependencies * Move list authorization to the API layer * Init connectors using the SSO settings service in case the ssoSettingsApi feature toggle is enabled * wip, need to handle the cyclic dep * Remove cyclic dependency * Align tests + refactor * Move back OAuthInfo to social * Delete pkg/login/social/constants * Move reloadable registration to the social providers * Rename connectors.Error to connectors.SocialError
2 years ago
"github.com/grafana/grafana/pkg/login/social"
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/util"
feat(oauth): create struct for generic oauth and add config values
9 years ago
)
Auth: Add all settings to Azure AD SSO config UI (#83618) * Add all settings to AzureAD UI * prettify * Fixes * Load extra keys with type assertion
1 year ago
type ExtraFieldType int
const (
String ExtraFieldType = iota
Bool
)
type ExtraKeyInfo struct {
Type ExtraFieldType
DefaultValue any
}
Auth: Load ini/env vars settings in the fallback strategy (#78495) * Return data in camelCase from the OAuth fb strategy * changes * wip * Add defaults for oauth fb strategy * revert other changes * Add tests * Add Defaults to cfg and use it in OAuthStrategy * Return *OAuthInfo from OAuthStrategy * lint * Remove unnecessary Defaults * Introduce const for fields, fix import order * Align failing tests * clean up * Changes requested by @gamab * Update pkg/services/ssosettings/strategies/oauth_strategy_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Load data on startup * Rename + simplify --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
const (
// consider moving this to OAuthInfo
teamIdsKey = "team_ids"
// consider moving this to OAuthInfo
allowedOrganizationsKey = "allowed_organizations"
)
Azure OAuth: enable teamsync (#22160) * Azure OAuth: extract groups from token for teamsync * Docs: changed some headers * Azure OAuth: fix tests * Azure OAuth: fix linter error (simplify) * Azure OAuth: add allowed_groups option * Azure OAuth: docs for team sync and allowed_groups * Azure OAuth: tests for allowed_groups * Update docs/sources/auth/azuread.md Co-Authored-By: Leonard Gram <leo@xlson.com> Co-authored-by: Leonard Gram <leo@xlson.com>
6 years ago
var (
Auth: Use SSO settings service to load social connectors + refactor (#79005) * Refactor to prevent cyclic dependencies * Move list authorization to the API layer * Init connectors using the SSO settings service in case the ssoSettingsApi feature toggle is enabled * wip, need to handle the cyclic dep * Remove cyclic dependency * Align tests + refactor * Move back OAuthInfo to social * Delete pkg/login/social/constants * Move reloadable registration to the social providers * Rename connectors.Error to connectors.SocialError
2 years ago
errMissingGroupMembership = &SocialError{"user not a member of one of the required groups"}
Azure OAuth: enable teamsync (#22160) * Azure OAuth: extract groups from token for teamsync * Docs: changed some headers * Azure OAuth: fix tests * Azure OAuth: fix linter error (simplify) * Azure OAuth: add allowed_groups option * Azure OAuth: docs for team sync and allowed_groups * Azure OAuth: tests for allowed_groups * Update docs/sources/auth/azuread.md Co-Authored-By: Leonard Gram <leo@xlson.com> Co-authored-by: Leonard Gram <leo@xlson.com>
6 years ago
)
Chore: Disable default golangci-lint filter (#29751) * Disable default golangci-lint filter Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Chore: Fix linter warnings Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
type httpGetResponse struct {
Support large github organisations (#8846) * Add new HttpGetResponse struct type * Modify HttpGet() return to use HttpGetResponse * Look up _all_ the teams the user is a member of
8 years ago
Body []byte
Headers http.Header
}
Okta OAuth provider (team sync support) (#22972) * Okta OAuth support * Chore: fix linter error * Chore: move IsEmailAllowed to SocialBase * Chore: move IsSignupAllowed to SocialBase * Chore: review fixes * Okta: support allowed_groups * Okta: default config * Chore: move extractEmail() to OktaClaims struct * Chore: review fixes * generic_oauth_test: Handle error cases Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * generic_oauth_test: Handle error cases Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Docs: Okta OAuth * Chore: don't return expected errors from searchJSONForAttr * Docs: role mapping * Chore: review fixes (searchJSONForAttr) * Docs: review fixes * Update docs/sources/auth/okta.md Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com> * Update docs/sources/auth/okta.md Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com> * Chore: log error if searchJSONForAttr failed * Docs: add Okta login link * Docs: review fixes * Docs: add reference to the org roles Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
func (s *SocialBase) IsEmailAllowed(email string) bool {
Auth: perform read locking on every exported func from social providers (#83960) perform read locking on every exported func from social providers
1 year ago
s.reloadMutex.RLock()
defer s.reloadMutex.RUnlock()
Auth: Implement the reload functionality from OAuth social connectors (#79795) * implement Reload() func for azuread provider * add unit test for failure * use mutex when updating the info field * implement the Reload() func for the other providers * use mutex when reading info * retrieve info using GetOAuthInfo() in common file * move Reload() to SocialBase
2 years ago
Auth: perform read locking on every exported func from social providers (#83960) perform read locking on every exported func from social providers
1 year ago
return isEmailAllowed(email, s.info.AllowedDomains)
Okta OAuth provider (team sync support) (#22972) * Okta OAuth support * Chore: fix linter error * Chore: move IsEmailAllowed to SocialBase * Chore: move IsSignupAllowed to SocialBase * Chore: review fixes * Okta: support allowed_groups * Okta: default config * Chore: move extractEmail() to OktaClaims struct * Chore: review fixes * generic_oauth_test: Handle error cases Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * generic_oauth_test: Handle error cases Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Docs: Okta OAuth * Chore: don't return expected errors from searchJSONForAttr * Docs: role mapping * Chore: review fixes (searchJSONForAttr) * Docs: review fixes * Update docs/sources/auth/okta.md Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com> * Update docs/sources/auth/okta.md Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com> * Chore: log error if searchJSONForAttr failed * Docs: add Okta login link * Docs: review fixes * Docs: add reference to the org roles Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
}
func (s *SocialBase) IsSignupAllowed() bool {
Auth: perform read locking on every exported func from social providers (#83960) perform read locking on every exported func from social providers
1 year ago
s.reloadMutex.RLock()
defer s.reloadMutex.RUnlock()
Auth: Implement the reload functionality from OAuth social connectors (#79795) * implement Reload() func for azuread provider * add unit test for failure * use mutex when updating the info field * implement the Reload() func for the other providers * use mutex when reading info * retrieve info using GetOAuthInfo() in common file * move Reload() to SocialBase
2 years ago
Auth: perform read locking on every exported func from social providers (#83960) perform read locking on every exported func from social providers
1 year ago
return s.info.AllowSignup
Okta OAuth provider (team sync support) (#22972) * Okta OAuth support * Chore: fix linter error * Chore: move IsEmailAllowed to SocialBase * Chore: move IsSignupAllowed to SocialBase * Chore: review fixes * Okta: support allowed_groups * Okta: default config * Chore: move extractEmail() to OktaClaims struct * Chore: review fixes * generic_oauth_test: Handle error cases Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * generic_oauth_test: Handle error cases Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Docs: Okta OAuth * Chore: don't return expected errors from searchJSONForAttr * Docs: role mapping * Chore: review fixes (searchJSONForAttr) * Docs: review fixes * Update docs/sources/auth/okta.md Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com> * Update docs/sources/auth/okta.md Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com> * Chore: log error if searchJSONForAttr failed * Docs: add Okta login link * Docs: review fixes * Docs: add reference to the org roles Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
}
feat(oauth): create struct for generic oauth and add config values
9 years ago
func isEmailAllowed(email string, allowedDomains []string) bool {
if len(allowedDomains) == 0 {
return true
}
valid := false
for _, domain := range allowedDomains {
emailSuffix := fmt.Sprintf("@%s", domain)
OAuth: make oauth case insensitive match for email (#49252)
3 years ago
valid = valid || strings.HasSuffix(strings.ToLower(email), strings.ToLower(emailSuffix))
feat(oauth): create struct for generic oauth and add config values
9 years ago
}
return valid
}
centralize oauth http calls, validate response status (#8470)
8 years ago
Auth: Add request context to UserInfo calls (#70007) * use context for UserInfo requests * set timeouts for oauth http client * Update pkg/login/social/common.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
func (s *SocialBase) httpGet(ctx context.Context, client *http.Client, url string) (*httpGetResponse, error) {
req, errReq := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
if errReq != nil {
return nil, errReq
}
r, errDo := client.Do(req)
if errDo != nil {
return nil, errDo
centralize oauth http calls, validate response status (#8470)
8 years ago
}
Chore: Disable default golangci-lint filter (#29751) * Disable default golangci-lint filter Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Chore: Fix linter warnings Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
defer func() {
if err := r.Body.Close(); err != nil {
s.log.Warn("Failed to close response body", "err", err)
}
}()
centralize oauth http calls, validate response status (#8470)
8 years ago
Auth: Add request context to UserInfo calls (#70007) * use context for UserInfo requests * set timeouts for oauth http client * Update pkg/login/social/common.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
body, errRead := io.ReadAll(r.Body)
if errRead != nil {
return nil, errRead
centralize oauth http calls, validate response status (#8470)
8 years ago
}
Auth: Add request context to UserInfo calls (#70007) * use context for UserInfo requests * set timeouts for oauth http client * Update pkg/login/social/common.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
response := &httpGetResponse{body, r.Header}
Support large github organisations (#8846) * Add new HttpGetResponse struct type * Modify HttpGet() return to use HttpGetResponse * Look up _all_ the teams the user is a member of
8 years ago
centralize oauth http calls, validate response status (#8470)
8 years ago
if r.StatusCode >= 300 {
Auth: Add request context to UserInfo calls (#70007) * use context for UserInfo requests * set timeouts for oauth http client * Update pkg/login/social/common.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
return nil, fmt.Errorf("unsuccessful response status code %d: %s", r.StatusCode, string(response.Body))
centralize oauth http calls, validate response status (#8470)
8 years ago
}
Auth: Add request context to UserInfo calls (#70007) * use context for UserInfo requests * set timeouts for oauth http client * Update pkg/login/social/common.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
remove the global log error/warn etc functions (#41404) * remove the global log error/warn etc functions and use request context logger whenever possible
4 years ago
s.log.Debug("HTTP GET", "url", url, "status", r.Status, "response_body", string(response.Body))
centralize oauth http calls, validate response status (#8470)
8 years ago
Auth: Add request context to UserInfo calls (#70007) * use context for UserInfo requests * set timeouts for oauth http client * Update pkg/login/social/common.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
return response, nil
centralize oauth http calls, validate response status (#8470)
8 years ago
}
Okta OAuth provider (team sync support) (#22972) * Okta OAuth support * Chore: fix linter error * Chore: move IsEmailAllowed to SocialBase * Chore: move IsSignupAllowed to SocialBase * Chore: review fixes * Okta: support allowed_groups * Okta: default config * Chore: move extractEmail() to OktaClaims struct * Chore: review fixes * generic_oauth_test: Handle error cases Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * generic_oauth_test: Handle error cases Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Docs: Okta OAuth * Chore: don't return expected errors from searchJSONForAttr * Docs: role mapping * Chore: review fixes (searchJSONForAttr) * Docs: review fixes * Update docs/sources/auth/okta.md Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com> * Update docs/sources/auth/okta.md Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com> * Chore: log error if searchJSONForAttr failed * Docs: add Okta login link * Docs: review fixes * Docs: add reference to the org roles Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
5 years ago
Auth: Use SSO settings service to load social connectors + refactor (#79005) * Refactor to prevent cyclic dependencies * Move list authorization to the API layer * Init connectors using the SSO settings service in case the ssoSettingsApi feature toggle is enabled * wip, need to handle the cyclic dep * Remove cyclic dependency * Align tests + refactor * Move back OAuthInfo to social * Delete pkg/login/social/constants * Move reloadable registration to the social providers * Rename connectors.Error to connectors.SocialError
2 years ago
func createOAuthConfig(info *social.OAuthInfo, cfg *setting.Cfg, defaultName string) *oauth2.Config {
Auth: Refactor OAuth connectors' initialization (#77919) * Refactor AzureAD to init itself * Use mapstructure to convert data to OAuthInfo * Update * Align tests * Remove unused functions * Add owner to mapstructure * Clean up, lint * Refactor Okta init, Align tests * Address review comments, fix name in newSocialBase * Update newSocialBase first param * Refactor GitLab init, align tests * Update pkg/login/social/common.go Co-authored-by: Karl Persson <kalle.persson@grafana.com> * Use ini conversion to map * Leftovers * Refactor GitHub connector initialization, align tests * Refactor Google connector init, align tests * Refactor grafana_com connector, align tests * Refactor generic_oauth connector init, align tests * cleanup * Remove util.go * Add tests for custom field init * Change OAuthInfo's Extra type * Fix * Replace interface{} with any * clean up --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2 years ago
var authStyle oauth2.AuthStyle
switch strings.ToLower(info.AuthStyle) {
case "inparams":
authStyle = oauth2.AuthStyleInParams
case "inheader":
authStyle = oauth2.AuthStyleInHeader
default:
authStyle = oauth2.AuthStyleAutoDetect
}
OAuth: Support client_secret_jwt for oauth providers when doing token exchange (#95455) * added backend support for client_secret_jwt * added backend support for client_secret_jwt * added all logic to the exchange function (overloaded social exchange in azuread_oauth to handle managed identity client id) * ran yarn install to update lock file * added support for client_secret_jwt when managed_identity_client_id is null * added audience flag and changed exchange to directly access oauth config using .info * added logic in setting oauth.Config for supported client authentication values * added client_authentication, managed_identity_client_id, and audience to sample.ini file * using provided ctx in ManagedIdentityCallback function * added frontend support for federated identity credential auth * added client authentication field * added Azure AD documentation for Grafana * added bold font to "Add" keyword in documentation * minor wording change relating to previous commit * addressed changing audience to federated_credential_audience, moving validation, and changing managedIdentityCallback to private function * correction to audience name changing * fixed orgMappingClientAuthentication function name, and added in logic into validateFederatedCredentialAudience function * Change docs * Add iam team as owner of azcore pkg * added backend support for client_secret_jwt * added all logic to the exchange function (overloaded social exchange in azuread_oauth to handle managed identity client id) * ran yarn install to update lock file * added support for client_secret_jwt when managed_identity_client_id is null * added audience flag and changed exchange to directly access oauth config using .info * added logic in setting oauth.Config for supported client authentication values * added client_authentication, managed_identity_client_id, and audience to sample.ini file * using provided ctx in ManagedIdentityCallback function * added frontend support for federated identity credential auth * added client authentication field * added Azure AD documentation for Grafana * added bold font to "Add" keyword in documentation * minor wording change relating to previous commit * addressed changing audience to federated_credential_audience, moving validation, and changing managedIdentityCallback to private function * correction to audience name changing * fixed orgMappingClientAuthentication function name, and added in logic into validateFederatedCredentialAudience function * Change docs * Add iam team as owner of azcore pkg * updated yarn lock file * updated doc for correction * removed wrong changes in pkg directory * removed newline in dashboard-generate.yaml and unified.ts * updated yarn.lock to match upstream * Lint Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * removing unwanted changes * added back removed newline * fixed failing test in azuread_oauth_test.go * Update azuread_oauth.go removed unnecessary newline, fixed lint --------- Signed-off-by: Jack Baldry <jack.baldry@grafana.com> Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com> Co-authored-by: Jack Baldry <jack.baldry@grafana.com>
7 months ago
var clientSecret string
switch info.ClientAuthentication {
case "client_secret_post":
clientSecret = info.ClientSecret
case "managed_identity":
clientSecret = ""
default:
clientSecret = info.ClientSecret
}
Auth: Refactor OAuth connectors' initialization (#77919) * Refactor AzureAD to init itself * Use mapstructure to convert data to OAuthInfo * Update * Align tests * Remove unused functions * Add owner to mapstructure * Clean up, lint * Refactor Okta init, Align tests * Address review comments, fix name in newSocialBase * Update newSocialBase first param * Refactor GitLab init, align tests * Update pkg/login/social/common.go Co-authored-by: Karl Persson <kalle.persson@grafana.com> * Use ini conversion to map * Leftovers * Refactor GitHub connector initialization, align tests * Refactor Google connector init, align tests * Refactor grafana_com connector, align tests * Refactor generic_oauth connector init, align tests * cleanup * Remove util.go * Add tests for custom field init * Change OAuthInfo's Extra type * Fix * Replace interface{} with any * clean up --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2 years ago
config := oauth2.Config{
ClientID: info.ClientId,
OAuth: Support client_secret_jwt for oauth providers when doing token exchange (#95455) * added backend support for client_secret_jwt * added backend support for client_secret_jwt * added all logic to the exchange function (overloaded social exchange in azuread_oauth to handle managed identity client id) * ran yarn install to update lock file * added support for client_secret_jwt when managed_identity_client_id is null * added audience flag and changed exchange to directly access oauth config using .info * added logic in setting oauth.Config for supported client authentication values * added client_authentication, managed_identity_client_id, and audience to sample.ini file * using provided ctx in ManagedIdentityCallback function * added frontend support for federated identity credential auth * added client authentication field * added Azure AD documentation for Grafana * added bold font to "Add" keyword in documentation * minor wording change relating to previous commit * addressed changing audience to federated_credential_audience, moving validation, and changing managedIdentityCallback to private function * correction to audience name changing * fixed orgMappingClientAuthentication function name, and added in logic into validateFederatedCredentialAudience function * Change docs * Add iam team as owner of azcore pkg * added backend support for client_secret_jwt * added all logic to the exchange function (overloaded social exchange in azuread_oauth to handle managed identity client id) * ran yarn install to update lock file * added support for client_secret_jwt when managed_identity_client_id is null * added audience flag and changed exchange to directly access oauth config using .info * added logic in setting oauth.Config for supported client authentication values * added client_authentication, managed_identity_client_id, and audience to sample.ini file * using provided ctx in ManagedIdentityCallback function * added frontend support for federated identity credential auth * added client authentication field * added Azure AD documentation for Grafana * added bold font to "Add" keyword in documentation * minor wording change relating to previous commit * addressed changing audience to federated_credential_audience, moving validation, and changing managedIdentityCallback to private function * correction to audience name changing * fixed orgMappingClientAuthentication function name, and added in logic into validateFederatedCredentialAudience function * Change docs * Add iam team as owner of azcore pkg * updated yarn lock file * updated doc for correction * removed wrong changes in pkg directory * removed newline in dashboard-generate.yaml and unified.ts * updated yarn.lock to match upstream * Lint Signed-off-by: Jack Baldry <jack.baldry@grafana.com> * removing unwanted changes * added back removed newline * fixed failing test in azuread_oauth_test.go * Update azuread_oauth.go removed unnecessary newline, fixed lint --------- Signed-off-by: Jack Baldry <jack.baldry@grafana.com> Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com> Co-authored-by: Jack Baldry <jack.baldry@grafana.com>
7 months ago
ClientSecret: clientSecret,
Auth: Refactor OAuth connectors' initialization (#77919) * Refactor AzureAD to init itself * Use mapstructure to convert data to OAuthInfo * Update * Align tests * Remove unused functions * Add owner to mapstructure * Clean up, lint * Refactor Okta init, Align tests * Address review comments, fix name in newSocialBase * Update newSocialBase first param * Refactor GitLab init, align tests * Update pkg/login/social/common.go Co-authored-by: Karl Persson <kalle.persson@grafana.com> * Use ini conversion to map * Leftovers * Refactor GitHub connector initialization, align tests * Refactor Google connector init, align tests * Refactor grafana_com connector, align tests * Refactor generic_oauth connector init, align tests * cleanup * Remove util.go * Add tests for custom field init * Change OAuthInfo's Extra type * Fix * Replace interface{} with any * clean up --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2 years ago
Endpoint: oauth2.Endpoint{
AuthURL: info.AuthUrl,
TokenURL: info.TokenUrl,
AuthStyle: authStyle,
},
Auth: Use SSO settings service to load social connectors + refactor (#79005) * Refactor to prevent cyclic dependencies * Move list authorization to the API layer * Init connectors using the SSO settings service in case the ssoSettingsApi feature toggle is enabled * wip, need to handle the cyclic dep * Remove cyclic dependency * Align tests + refactor * Move back OAuthInfo to social * Delete pkg/login/social/constants * Move reloadable registration to the social providers * Rename connectors.Error to connectors.SocialError
2 years ago
RedirectURL: strings.TrimSuffix(cfg.AppURL, "/") + social.SocialBaseUrl + defaultName,
Auth: Refactor OAuth connectors' initialization (#77919) * Refactor AzureAD to init itself * Use mapstructure to convert data to OAuthInfo * Update * Align tests * Remove unused functions * Add owner to mapstructure * Clean up, lint * Refactor Okta init, Align tests * Address review comments, fix name in newSocialBase * Update newSocialBase first param * Refactor GitLab init, align tests * Update pkg/login/social/common.go Co-authored-by: Karl Persson <kalle.persson@grafana.com> * Use ini conversion to map * Leftovers * Refactor GitHub connector initialization, align tests * Refactor Google connector init, align tests * Refactor grafana_com connector, align tests * Refactor generic_oauth connector init, align tests * cleanup * Remove util.go * Add tests for custom field init * Change OAuthInfo's Extra type * Fix * Replace interface{} with any * clean up --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2 years ago
Scopes: info.Scopes,
}
return &config
}
Auth: Load ini/env vars settings in the fallback strategy (#78495) * Return data in camelCase from the OAuth fb strategy * changes * wip * Add defaults for oauth fb strategy * revert other changes * Add tests * Add Defaults to cfg and use it in OAuthStrategy * Return *OAuthInfo from OAuthStrategy * lint * Remove unnecessary Defaults * Introduce const for fields, fix import order * Align failing tests * clean up * Changes requested by @gamab * Update pkg/services/ssosettings/strategies/oauth_strategy_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Load data on startup * Rename + simplify --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
func MustBool(value any, defaultValue bool) bool {
Auth: Refactor OAuth connectors' initialization (#77919) * Refactor AzureAD to init itself * Use mapstructure to convert data to OAuthInfo * Update * Align tests * Remove unused functions * Add owner to mapstructure * Clean up, lint * Refactor Okta init, Align tests * Address review comments, fix name in newSocialBase * Update newSocialBase first param * Refactor GitLab init, align tests * Update pkg/login/social/common.go Co-authored-by: Karl Persson <kalle.persson@grafana.com> * Use ini conversion to map * Leftovers * Refactor GitHub connector initialization, align tests * Refactor Google connector init, align tests * Refactor grafana_com connector, align tests * Refactor generic_oauth connector init, align tests * cleanup * Remove util.go * Add tests for custom field init * Change OAuthInfo's Extra type * Fix * Replace interface{} with any * clean up --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2 years ago
if value == nil {
return defaultValue
}
str, ok := value.(string)
if ok {
result, err := strconv.ParseBool(str)
if err != nil {
return defaultValue
}
return result
}
result, ok := value.(bool)
if !ok {
return defaultValue
}
return result
}
Refactor SSOSettings to use types (#78675) * refactor SSOSettings to use types * test struct * refactor SSOSettings struct to use types * fix database tests * fix populateSSOSettings() to accept an SSOSettings param * fix all tests from the database layer * handle errors for converting to/from SSOSettings * add json tag on OAuthInfo fields * use continue instead of if/else * add the source field to SSOSettingsDTO conversion * remove omitempty from json tags in OAuthInfo struct
2 years ago
// CreateOAuthInfoFromKeyValues creates an OAuthInfo struct from a map[string]any using mapstructure
Auth: Refactor OAuth connectors' initialization (#77919) * Refactor AzureAD to init itself * Use mapstructure to convert data to OAuthInfo * Update * Align tests * Remove unused functions * Add owner to mapstructure * Clean up, lint * Refactor Okta init, Align tests * Address review comments, fix name in newSocialBase * Update newSocialBase first param * Refactor GitLab init, align tests * Update pkg/login/social/common.go Co-authored-by: Karl Persson <kalle.persson@grafana.com> * Use ini conversion to map * Leftovers * Refactor GitHub connector initialization, align tests * Refactor Google connector init, align tests * Refactor grafana_com connector, align tests * Refactor generic_oauth connector init, align tests * cleanup * Remove util.go * Add tests for custom field init * Change OAuthInfo's Extra type * Fix * Replace interface{} with any * clean up --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2 years ago
// it puts all extra key values into OAuthInfo's Extra map
Auth: Use SSO settings service to load social connectors + refactor (#79005) * Refactor to prevent cyclic dependencies * Move list authorization to the API layer * Init connectors using the SSO settings service in case the ssoSettingsApi feature toggle is enabled * wip, need to handle the cyclic dep * Remove cyclic dependency * Align tests + refactor * Move back OAuthInfo to social * Delete pkg/login/social/constants * Move reloadable registration to the social providers * Rename connectors.Error to connectors.SocialError
2 years ago
func CreateOAuthInfoFromKeyValues(settingsKV map[string]any) (*social.OAuthInfo, error) {
Auth: Refactor OAuth connectors' initialization (#77919) * Refactor AzureAD to init itself * Use mapstructure to convert data to OAuthInfo * Update * Align tests * Remove unused functions * Add owner to mapstructure * Clean up, lint * Refactor Okta init, Align tests * Address review comments, fix name in newSocialBase * Update newSocialBase first param * Refactor GitLab init, align tests * Update pkg/login/social/common.go Co-authored-by: Karl Persson <kalle.persson@grafana.com> * Use ini conversion to map * Leftovers * Refactor GitHub connector initialization, align tests * Refactor Google connector init, align tests * Refactor grafana_com connector, align tests * Refactor generic_oauth connector init, align tests * cleanup * Remove util.go * Add tests for custom field init * Change OAuthInfo's Extra type * Fix * Replace interface{} with any * clean up --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2 years ago
emptyStrToSliceDecodeHook := func(from reflect.Type, to reflect.Type, data any) (any, error) {
if from.Kind() == reflect.String && to.Kind() == reflect.Slice {
strData, ok := data.(string)
if !ok {
return nil, fmt.Errorf("failed to convert %v to string", data)
}
if strData == "" {
return []string{}, nil
}
return util.SplitString(strData), nil
}
return data, nil
}
Auth: Use SSO settings service to load social connectors + refactor (#79005) * Refactor to prevent cyclic dependencies * Move list authorization to the API layer * Init connectors using the SSO settings service in case the ssoSettingsApi feature toggle is enabled * wip, need to handle the cyclic dep * Remove cyclic dependency * Align tests + refactor * Move back OAuthInfo to social * Delete pkg/login/social/constants * Move reloadable registration to the social providers * Rename connectors.Error to connectors.SocialError
2 years ago
var oauthInfo social.OAuthInfo
Auth: Refactor OAuth connectors' initialization (#77919) * Refactor AzureAD to init itself * Use mapstructure to convert data to OAuthInfo * Update * Align tests * Remove unused functions * Add owner to mapstructure * Clean up, lint * Refactor Okta init, Align tests * Address review comments, fix name in newSocialBase * Update newSocialBase first param * Refactor GitLab init, align tests * Update pkg/login/social/common.go Co-authored-by: Karl Persson <kalle.persson@grafana.com> * Use ini conversion to map * Leftovers * Refactor GitHub connector initialization, align tests * Refactor Google connector init, align tests * Refactor grafana_com connector, align tests * Refactor generic_oauth connector init, align tests * cleanup * Remove util.go * Add tests for custom field init * Change OAuthInfo's Extra type * Fix * Replace interface{} with any * clean up --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2 years ago
decoder, err := mapstructure.NewDecoder(&mapstructure.DecoderConfig{
DecodeHook: emptyStrToSliceDecodeHook,
Result: &oauthInfo,
WeaklyTypedInput: true,
})
if err != nil {
return nil, err
}
err = decoder.Decode(settingsKV)
if err != nil {
return nil, err
}
if oauthInfo.EmptyScopes {
oauthInfo.Scopes = []string{}
}
return &oauthInfo, err
}
Auth: Use SSO settings service to load social connectors + refactor (#79005) * Refactor to prevent cyclic dependencies * Move list authorization to the API layer * Init connectors using the SSO settings service in case the ssoSettingsApi feature toggle is enabled * wip, need to handle the cyclic dep * Remove cyclic dependency * Align tests + refactor * Move back OAuthInfo to social * Delete pkg/login/social/constants * Move reloadable registration to the social providers * Rename connectors.Error to connectors.SocialError
2 years ago
func appendUniqueScope(config *oauth2.Config, scope string) {
Auth: use the scope parameter instead of a hardcoded value in appendUniqueScope() (#84053) use the scope parameter instead of a hardcoded value
1 year ago
if !slices.Contains(config.Scopes, scope) {
config.Scopes = append(config.Scopes, scope)
Auth: Use SSO settings service to load social connectors + refactor (#79005) * Refactor to prevent cyclic dependencies * Move list authorization to the API layer * Init connectors using the SSO settings service in case the ssoSettingsApi feature toggle is enabled * wip, need to handle the cyclic dep * Remove cyclic dependency * Align tests + refactor * Move back OAuthInfo to social * Delete pkg/login/social/constants * Move reloadable registration to the social providers * Rename connectors.Error to connectors.SocialError
2 years ago
}
}