apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
54499 Commits
2158 Branches
608 Tags
1.9 GiB
Tag: Branch: Tree: 3f60ef5146
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '3f60ef5146'
${ noResults }
grafana/pkg/login/social/social.go

138 lines
6.0 KiB
Raw Normal View History Unescape

working on oauth
11 years ago
package social
import (
SupportBundles: Add OAuth bundle collectors (#64810) * wip * add oauth support bundles * add specific configs for generic oauth and azureAD * add doc entry * optimize struct packing * Update pkg/login/social/azuread_oauth.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * nit update --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
"bytes"
Chore: Fix goimports grouping (#62426) fix goimports ordering
2 years ago
"context"
OAuth: Fix token refresh failure when custom SSL settings are configured for OAuth provider (#27523) OAuth token refresh fails when custom SSL settings are configured for oauth provider. These changes makes sure that custom SSL settings are applied for HTTP client before refreshing token. Fixes #27514
5 years ago
"fmt"
Oauth2 Updates (#6226) * break out go and js build commands * support oauth providers that return errors via redirect * remove extra call to get grafana.net org membership * removed GitHub specifics from generic OAuth * readded ability to name generic source * revert to a backward-compatible state, refactor and clean up * streamline oauth user creation, make generic oauth support more generic
9 years ago
"net/http"
working on oauth
11 years ago
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
3 years ago
"github.com/grafana/grafana/pkg/services/org"
Auth: Use SSO settings service to load social connectors + refactor (#79005) * Refactor to prevent cyclic dependencies * Move list authorization to the API layer * Init connectors using the SSO settings service in case the ssoSettingsApi feature toggle is enabled * wip, need to handle the cyclic dep * Remove cyclic dependency * Align tests + refactor * Move back OAuthInfo to social * Delete pkg/login/social/constants * Move reloadable registration to the social providers * Rename connectors.Error to connectors.SocialError
2 years ago
"golang.org/x/oauth2"
working on oauth
11 years ago
)
OAuth: Introduce user_refresh_token setting and make it default for the selected providers (#71533) * First changes * WIP docs * Align current tests * Add test for UseRefreshToken * Update docs * Fix * Remove unnecessary AuthCodeURL from generic_oauth * Change GitHub to disable use_refresh_token by default
2 years ago
const (
OfflineAccessScope = "offline_access"
Auth: Load ini/env vars settings in the fallback strategy (#78495) * Return data in camelCase from the OAuth fb strategy * changes * wip * Add defaults for oauth fb strategy * revert other changes * Add tests * Add Defaults to cfg and use it in OAuthStrategy * Return *OAuthInfo from OAuthStrategy * lint * Remove unnecessary Defaults * Introduce const for fields, fix import order * Align failing tests * clean up * Changes requested by @gamab * Update pkg/services/ssosettings/strategies/oauth_strategy_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Load data on startup * Rename + simplify --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
RoleGrafanaAdmin = "GrafanaAdmin" // For AzureAD for example this value cannot contain spaces
Auth: Use SSO settings service to load social connectors + refactor (#79005) * Refactor to prevent cyclic dependencies * Move list authorization to the API layer * Init connectors using the SSO settings service in case the ssoSettingsApi feature toggle is enabled * wip, need to handle the cyclic dep * Remove cyclic dependency * Align tests + refactor * Move back OAuthInfo to social * Delete pkg/login/social/constants * Move reloadable registration to the social providers * Rename connectors.Error to connectors.SocialError
2 years ago
AzureADProviderName = "azuread"
GenericOAuthProviderName = "generic_oauth"
GitHubProviderName = "github"
GitlabProviderName = "gitlab"
GoogleProviderName = "google"
GrafanaComProviderName = "grafana_com"
// legacy/old settings for the provider
GrafanaNetProviderName = "grafananet"
OktaProviderName = "okta"
samlsettings: api integration (#84300) * add strategy and tests * use settings provider service and remove multiple providers strategy * Move SAML strategy to ssosettings service * Update codeowners file * reload from settings provider * add saml as configurable provider * Add new SAML strategy * rename old saml settings interface * update saml string references * use OSS license * validate saml provider depends on license for List * add tests for list rendering including saml * change the licensing validation to service init * replace service struct for provider
1 year ago
SAMLProviderName = "saml"
SSO: Add LDAP fallback strategy for SSO settings service (#88905) * add root and client certificate value fields for LDAP * update error messages for connection error * add LDAP fallback strategy for SSO settings service * fix params for sso service provider * fix params for sso service provider * sort imports * sort imports * replace json.Number with int64 in config map * remove type assertions
1 year ago
LDAPProviderName = "ldap"
OAuth: Introduce user_refresh_token setting and make it default for the selected providers (#71533) * First changes * WIP docs * Align current tests * Add test for UseRefreshToken * Update docs * Fix * Remove unnecessary AuthCodeURL from generic_oauth * Change GitHub to disable use_refresh_token by default
2 years ago
)
[release-11.3.6] Auth: Introduce authn.SSOClientConfig to get client config from SSOSettings service (#103001) Auth: Introduce authn.SSOClientConfig to get client config from SSOSettings service (#94618) * wip * possible solution * Separate interface for SSO settings clients * Rename interface * Fix tests * Rename * Change GetClientConfig to comma ok idiom (cherry picked from commit 50a635bc7e09a4eb11ffe00fbc80a46f18e5b6ec)
3 months ago
var SocialBaseUrl = "/login/"
working on oauth
11 years ago
Auth: Use SSO settings service to load social connectors + refactor (#79005) * Refactor to prevent cyclic dependencies * Move list authorization to the API layer * Init connectors using the SSO settings service in case the ssoSettingsApi feature toggle is enabled * wip, need to handle the cyclic dep * Remove cyclic dependency * Align tests + refactor * Move back OAuthInfo to social * Delete pkg/login/social/constants * Move reloadable registration to the social providers * Rename connectors.Error to connectors.SocialError
2 years ago
type Service interface {
GetOAuthProviders() map[string]bool
GetOAuthHttpClient(string) (*http.Client, error)
GetConnector(string) (SocialConnector, error)
GetOAuthInfoProvider(string) *OAuthInfo
GetOAuthInfoProviders() map[string]*OAuthInfo
}
//go:generate mockery --name SocialConnector --structname MockSocialConnector --outpkg socialtest --filename social_connector_mock.go --output ./socialtest/
type SocialConnector interface {
UserInfo(ctx context.Context, client *http.Client, token *oauth2.Token) (*BasicUserInfo, error)
IsEmailAllowed(email string) bool
IsSignupAllowed() bool
GetOAuthInfo() *OAuthInfo
AuthCodeURL(state string, opts ...oauth2.AuthCodeOption) string
Exchange(ctx context.Context, code string, authOptions ...oauth2.AuthCodeOption) (*oauth2.Token, error)
Client(ctx context.Context, t *oauth2.Token) *http.Client
TokenSource(ctx context.Context, t *oauth2.Token) oauth2.TokenSource
SupportBundleContent(*bytes.Buffer) error
support for decoding JWT id tokens
8 years ago
}
Chore: Refactor OAuth/social package to service (#35403) * Creating SocialService * Add GetOAuthProviders as socialService method * Add OAuthTokenService * Add GetOAuthHttpClient method to SocialService * Rename services, access socialMap from GetConnector * Fix tests by mocking oauthtoken methods * Move NewAuthService into Init * Move OAuthService to social pkg * Refactor OAuthService to OAuthProvider * Fix nil map error, rename file, simplify tests * Fix bug for Forward OAuth Identify * Remove file after rebase
4 years ago
type OAuthInfo struct {
Auth: Remove types from SSOSettings struct in SSO service (#79459) * replace SSOSettings with SSOSettingsDTO * fix database tests * fix oauth strategy * fix sso settings service tests * add secrets encryption on update * rename SSOSettingsDTO to SSOSettings * remove extraKeys from strategy * change back settings type from createOAuthConnector to OAuthInfo * do not parse multi-value fields in oauth strategy
2 years ago
AllowAssignGrafanaAdmin bool `mapstructure:"allow_assign_grafana_admin" toml:"allow_assign_grafana_admin"`
AllowSignup bool `mapstructure:"allow_sign_up" toml:"allow_sign_up"`
AllowedDomains []string `mapstructure:"allowed_domains" toml:"allowed_domains"`
AllowedGroups []string `mapstructure:"allowed_groups" toml:"allowed_groups"`
ApiUrl string `mapstructure:"api_url" toml:"api_url"`
AuthStyle string `mapstructure:"auth_style" toml:"auth_style"`
AuthUrl string `mapstructure:"auth_url" toml:"auth_url"`
AutoLogin bool `mapstructure:"auto_login" toml:"auto_login"`
ClientId string `mapstructure:"client_id" toml:"client_id"`
ClientSecret string `mapstructure:"client_secret" toml:"-"`
EmailAttributeName string `mapstructure:"email_attribute_name" toml:"email_attribute_name"`
EmailAttributePath string `mapstructure:"email_attribute_path" toml:"email_attribute_path"`
EmptyScopes bool `mapstructure:"empty_scopes" toml:"empty_scopes"`
Enabled bool `mapstructure:"enabled" toml:"enabled"`
GroupsAttributePath string `mapstructure:"groups_attribute_path" toml:"groups_attribute_path"`
HostedDomain string `mapstructure:"hosted_domain" toml:"hosted_domain"`
Icon string `mapstructure:"icon" toml:"icon"`
Name string `mapstructure:"name" toml:"name"`
RoleAttributePath string `mapstructure:"role_attribute_path" toml:"role_attribute_path"`
RoleAttributeStrict bool `mapstructure:"role_attribute_strict" toml:"role_attribute_strict"`
OIDC: Support Generic OAuth org to role mappings (#87394) * Social: link to OrgRoleMapper * OIDC: support Generic Oauth org to role mappings Fixes: #73448 Signed-off-by: Mathieu Parent <math.parent@gmail.com> * Handle when getAllOrgs fails in the org_role_mapper * Add more tests * OIDC: ensure orgs are evaluated from API when not from token Signed-off-by: Mathieu Parent <math.parent@gmail.com> * OIDC: ensure AutoAssignOrg is applied with OrgMapping without RoleAttributeStrict Signed-off-by: Mathieu Parent <math.parent@gmail.com> * Extend docs * Fix test, lint --------- Signed-off-by: Mathieu Parent <math.parent@gmail.com> Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>
1 year ago
OrgAttributePath string `mapstructure:"org_attribute_path"`
OrgMapping []string `mapstructure:"org_mapping"`
Auth: Remove types from SSOSettings struct in SSO service (#79459) * replace SSOSettings with SSOSettingsDTO * fix database tests * fix oauth strategy * fix sso settings service tests * add secrets encryption on update * rename SSOSettingsDTO to SSOSettings * remove extraKeys from strategy * change back settings type from createOAuthConnector to OAuthInfo * do not parse multi-value fields in oauth strategy
2 years ago
Scopes []string `mapstructure:"scopes" toml:"scopes"`
SignoutRedirectUrl string `mapstructure:"signout_redirect_url" toml:"signout_redirect_url"`
SkipOrgRoleSync bool `mapstructure:"skip_org_role_sync" toml:"skip_org_role_sync"`
TeamIdsAttributePath string `mapstructure:"team_ids_attribute_path" toml:"team_ids_attribute_path"`
TeamsUrl string `mapstructure:"teams_url" toml:"teams_url"`
TlsClientCa string `mapstructure:"tls_client_ca" toml:"tls_client_ca"`
TlsClientCert string `mapstructure:"tls_client_cert" toml:"tls_client_cert"`
TlsClientKey string `mapstructure:"tls_client_key" toml:"tls_client_key"`
TlsSkipVerify bool `mapstructure:"tls_skip_verify_insecure" toml:"tls_skip_verify_insecure"`
TokenUrl string `mapstructure:"token_url" toml:"token_url"`
UsePKCE bool `mapstructure:"use_pkce" toml:"use_pkce"`
UseRefreshToken bool `mapstructure:"use_refresh_token" toml:"use_refresh_token"`
Extra map[string]string `mapstructure:",remain" toml:"extra,omitempty"`
Add common type for oauth authorization errors
9 years ago
}
Auth: Load ini/env vars settings in the fallback strategy (#78495) * Return data in camelCase from the OAuth fb strategy * changes * wip * Add defaults for oauth fb strategy * revert other changes * Add tests * Add Defaults to cfg and use it in OAuthStrategy * Return *OAuthInfo from OAuthStrategy * lint * Remove unnecessary Defaults * Introduce const for fields, fix import order * Align failing tests * clean up * Changes requested by @gamab * Update pkg/services/ssosettings/strategies/oauth_strategy_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Load data on startup * Rename + simplify --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
func NewOAuthInfo() *OAuthInfo {
return &OAuthInfo{
Scopes: []string{},
AllowedDomains: []string{},
AllowedGroups: []string{},
Extra: map[string]string{},
}
}
[release-11.3.6] Auth: Introduce authn.SSOClientConfig to get client config from SSOSettings service (#103001) Auth: Introduce authn.SSOClientConfig to get client config from SSOSettings service (#94618) * wip * possible solution * Separate interface for SSO settings clients * Rename interface * Fix tests * Rename * Change GetClientConfig to comma ok idiom (cherry picked from commit 50a635bc7e09a4eb11ffe00fbc80a46f18e5b6ec)
3 months ago
func (o *OAuthInfo) GetDisplayName() string {
return o.Name
}
func (o *OAuthInfo) IsSingleLogoutEnabled() bool {
// OIDC SLO is not supported
return false
}
func (o *OAuthInfo) IsAutoLoginEnabled() bool {
return o.AutoLogin
}
[release-11.3.6] Auth: Fix SAML user IsExternallySynced not being set correctly (#103101) Auth: Fix SAML user IsExternallySynced not being set correctly (#98487) (cherry picked from commit 345757c3ae1f2016bac08cccab5d4352056768d2) Co-authored-by: xavi <114113189+volcanonoodle@users.noreply.github.com>
3 months ago
func (o *OAuthInfo) IsSkipOrgRoleSyncEnabled() bool {
return o.SkipOrgRoleSync
}
func (o *OAuthInfo) IsAllowAssignGrafanaAdminEnabled() bool {
return o.AllowAssignGrafanaAdmin
}
Chore: Refactor OAuth/social package to service (#35403) * Creating SocialService * Add GetOAuthProviders as socialService method * Add OAuthTokenService * Add GetOAuthHttpClient method to SocialService * Rename services, access socialMap from GetConnector * Fix tests by mocking oauthtoken methods * Move NewAuthService into Init * Move OAuthService to social pkg * Refactor OAuthService to OAuthProvider * Fix nil map error, rename file, simplify tests * Fix bug for Forward OAuth Identify * Remove file after rebase
4 years ago
type BasicUserInfo struct {
OAuth: Allow assigning Server Admin (#54780) * extract errors to errors file * implement oauth server admin assignment * add server admin tests * deduplicate autoAssignOrgRole * deduplicate strict setting * deduplicate strict setting * add support for generic oauth * add role attribute strict support for generic oauth * add support for github/gitlab * assignGrafanaAdmin option is here to stay * unify similar errors * add config option * add okta server admin mapping * remove never used Company attribute * unify generic oauth role extract with other methods * case insensitive role match as in azure * add ini settings * add server admin to devenv * remove duplicate fields * add documentation to oauth * fix titlecase test * implement doc feedback
3 years ago
Id string
Name string
Email string
Login string
Auth: Restore legacy behavior and add deprecation notice for empty org role in oauth (#55118) * Auth: Add deprecation notice for empty org role Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * fix recasts * fix azure tests missing logger * Adding test to gitlab oauth * Covering more cases * Cover more options * Add role attributestrict check fail * Adding one more edge case test * Using legacy for gitlab * Yet another edge case YAEC * Reverting github oauth to legacy Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Not using token Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Nit. * Adding warning in docs Co-authored-by: Jguer <joao.guerreiro@grafana.com> * add warning to generic oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Be more precise Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Adding warning to github oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Adding warning to gitlab oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Adding warning to okta oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Add docs about mapping to AzureAD Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Clarify oauth_skip_org_role_update_sync Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Nit. * Nit on Azure AD Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Reorder docs index Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Fix typo Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
3 years ago
Role org.RoleType
OIDC: Support Generic OAuth org to role mappings (#87394) * Social: link to OrgRoleMapper * OIDC: support Generic Oauth org to role mappings Fixes: #73448 Signed-off-by: Mathieu Parent <math.parent@gmail.com> * Handle when getAllOrgs fails in the org_role_mapper * Add more tests * OIDC: ensure orgs are evaluated from API when not from token Signed-off-by: Mathieu Parent <math.parent@gmail.com> * OIDC: ensure AutoAssignOrg is applied with OrgMapping without RoleAttributeStrict Signed-off-by: Mathieu Parent <math.parent@gmail.com> * Extend docs * Fix test, lint --------- Signed-off-by: Mathieu Parent <math.parent@gmail.com> Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>
1 year ago
OrgRoles map[int64]org.RoleType
OAuth: Allow assigning Server Admin (#54780) * extract errors to errors file * implement oauth server admin assignment * add server admin tests * deduplicate autoAssignOrgRole * deduplicate strict setting * deduplicate strict setting * add support for generic oauth * add role attribute strict support for generic oauth * add support for github/gitlab * assignGrafanaAdmin option is here to stay * unify similar errors * add config option * add okta server admin mapping * remove never used Company attribute * unify generic oauth role extract with other methods * case insensitive role match as in azure * add ini settings * add server admin to devenv * remove duplicate fields * add documentation to oauth * fix titlecase test * implement doc feedback
3 years ago
IsGrafanaAdmin *bool // nil will avoid overriding user's set server admin setting
Groups []string
Chore: Refactor OAuth/social package to service (#35403) * Creating SocialService * Add GetOAuthProviders as socialService method * Add OAuthTokenService * Add GetOAuthHttpClient method to SocialService * Rename services, access socialMap from GetConnector * Fix tests by mocking oauthtoken methods * Move NewAuthService into Init * Move OAuthService to social pkg * Refactor OAuthService to OAuthProvider * Fix nil map error, rename file, simplify tests * Fix bug for Forward OAuth Identify * Remove file after rebase
4 years ago
}
OAuth: Allow role mapping from GitHub and GitLab groups (#52407) * OAuth: Add extract role support to github OAuth: correct github errors Oauth: add github tests Oauth: Allow mapping via group memberships Oauth: Add markdown instructions to the new mappers fix lint * Apply suggestions from code review Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Vardan Torosyan <vardants@gmail.com> * Apply suggestions from code review Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Vardan Torosyan <vardants@gmail.com>
3 years ago
func (b *BasicUserInfo) String() string {
OIDC: Support Generic OAuth org to role mappings (#87394) * Social: link to OrgRoleMapper * OIDC: support Generic Oauth org to role mappings Fixes: #73448 Signed-off-by: Mathieu Parent <math.parent@gmail.com> * Handle when getAllOrgs fails in the org_role_mapper * Add more tests * OIDC: ensure orgs are evaluated from API when not from token Signed-off-by: Mathieu Parent <math.parent@gmail.com> * OIDC: ensure AutoAssignOrg is applied with OrgMapping without RoleAttributeStrict Signed-off-by: Mathieu Parent <math.parent@gmail.com> * Extend docs * Fix test, lint --------- Signed-off-by: Mathieu Parent <math.parent@gmail.com> Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>
1 year ago
return fmt.Sprintf("Id: %s, Name: %s, Email: %s, Login: %s, Role: %s, Groups: %v, OrgRoles: %v",
b.Id, b.Name, b.Email, b.Login, b.Role, b.Groups, b.OrgRoles)
OAuth: Allow role mapping from GitHub and GitLab groups (#52407) * OAuth: Add extract role support to github OAuth: correct github errors Oauth: add github tests Oauth: Allow mapping via group memberships Oauth: Add markdown instructions to the new mappers fix lint * Apply suggestions from code review Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Vardan Torosyan <vardants@gmail.com> * Apply suggestions from code review Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Vardan Torosyan <vardants@gmail.com>
3 years ago
}