apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
45702 Commits
2179 Branches
608 Tags
1.9 GiB
Tag: Branch: Tree: cada1f040a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'cada1f040a'
${ noResults }
grafana/pkg/login/social/azuread_oauth_test.go

786 lines
23 KiB
Raw Normal View History Unescape

Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
package social
import (
AzureAD OAuth: Add support for fetching user groups (#43470) * Add functionallity to extractGroups to handle groups-overage claims Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
"context"
Auth: Add auth.azure_ad security improvements (#912) * security improvements id_token * add audience validation * add allowOrganizations * add allowOrganizations tests and documentation * add log warn on no configuration * anonymize tenant id * Apply suggestions from code review Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * optimize key validation and add mising fields * fix missing key_id * lint * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * lint docs --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
"crypto/rand"
"crypto/rsa"
AzureAD OAuth: Add support for fetching user groups (#43470) * Add functionallity to extractGroups to handle groups-overage claims Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
"encoding/json"
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
"net/http"
AzureAD OAuth: Add support for fetching user groups (#43470) * Add functionallity to extractGroups to handle groups-overage claims Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
"net/http/httptest"
"strings"
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
"testing"
"time"
Azure OAuth: enable teamsync (#22160) * Azure OAuth: extract groups from token for teamsync * Docs: changed some headers * Azure OAuth: fix tests * Azure OAuth: fix linter error (simplify) * Azure OAuth: add allowed_groups option * Azure OAuth: docs for team sync and allowed_groups * Azure OAuth: tests for allowed_groups * Update docs/sources/auth/azuread.md Co-Authored-By: Leonard Gram <leo@xlson.com> Co-authored-by: Leonard Gram <leo@xlson.com>
5 years ago
Deps: Replace go-jose v2 with go-jose v3 (#64228) replace go-jose v2 with go-jose v3
2 years ago
"github.com/go-jose/go-jose/v3"
"github.com/go-jose/go-jose/v3/jwt"
AzureAD OAuth: Add support for fetching user groups (#43470) * Add functionallity to extractGroups to handle groups-overage claims Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
"github.com/stretchr/testify/require"
Azure OAuth: enable teamsync (#22160) * Azure OAuth: extract groups from token for teamsync * Docs: changed some headers * Azure OAuth: fix tests * Azure OAuth: fix linter error (simplify) * Azure OAuth: add allowed_groups option * Azure OAuth: docs for team sync and allowed_groups * Azure OAuth: tests for allowed_groups * Update docs/sources/auth/azuread.md Co-Authored-By: Leonard Gram <leo@xlson.com> Co-authored-by: Leonard Gram <leo@xlson.com>
5 years ago
"golang.org/x/oauth2"
OAuth: Refactor OAuth parameters handling to support obtaining refresh tokens for Google OAuth (#58782) * Add ApprovalForce to AuthCodeOptions * Extract access token validity check to a function * Refactor * Oauth: set options internally instead of exposing new function * Align tests * Remove unused function Co-authored-by: Karl Persson <kalle.persson@grafana.com>
3 years ago
Auth: Add auth.azure_ad security improvements (#912) * security improvements id_token * add audience validation * add allowOrganizations * add allowOrganizations tests and documentation * add log warn on no configuration * anonymize tenant id * Apply suggestions from code review Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * optimize key validation and add mising fields * fix missing key_id * lint * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * lint docs --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
"github.com/grafana/grafana/pkg/infra/remotecache"
OAuth: Refactor OAuth parameters handling to support obtaining refresh tokens for Google OAuth (#58782) * Add ApprovalForce to AuthCodeOptions * Extract access token validity check to a function * Refactor * Oauth: set options internally instead of exposing new function * Align tests * Remove unused function Co-authored-by: Karl Persson <kalle.persson@grafana.com>
3 years ago
"github.com/grafana/grafana/pkg/services/featuremgmt"
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
)
OAuth: Allow assigning Server Admin (#54780) * extract errors to errors file * implement oauth server admin assignment * add server admin tests * deduplicate autoAssignOrgRole * deduplicate strict setting * deduplicate strict setting * add support for generic oauth * add role attribute strict support for generic oauth * add support for github/gitlab * assignGrafanaAdmin option is here to stay * unify similar errors * add config option * add okta server admin mapping * remove never used Company attribute * unify generic oauth role extract with other methods * case insensitive role match as in azure * add ini settings * add server admin to devenv * remove duplicate fields * add documentation to oauth * fix titlecase test * implement doc feedback
3 years ago
func trueBoolPtr() *bool {
b := true
return &b
}
func falseBoolPtr() *bool {
b := false
return &b
}
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
func TestSocialAzureAD_UserInfo(t *testing.T) {
type fields struct {
Auth: Add auth.azure_ad security improvements (#912) * security improvements id_token * add audience validation * add allowOrganizations * add allowOrganizations tests and documentation * add log warn on no configuration * anonymize tenant id * Apply suggestions from code review Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * optimize key validation and add mising fields * fix missing key_id * lint * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * lint docs --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
SocialBase *SocialBase
allowedGroups []string
allowedOrganizations []string
forceUseGraphAPI bool
Auth: Fix US gov azure ad oauth URL parsing (#71254) Updates regex for tenant ID parsing to support .us domains in addition to .com domains for Azure AD. Fixes #71252
2 years ago
usGovURL bool
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
}
type args struct {
client *http.Client
}
tests := []struct {
Oauth: Assign role from GF_USERS_AUTO_ASSIGN_ORG_ROLE for Azure AD Oauth (#34838) * 30555:Assign correct role with environment variable GF_USERS_AUTO_ASSIGN_ORG_ROLE * 30555:Remove unused condition
4 years ago
name string
fields fields
claims *azureClaims
args args
settingAutoAssignOrgRole string
want *BasicUserInfo
wantErr bool
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
}{
{
name: "Email in email claim",
claims: &azureClaims{
Email: "me@example.com",
PreferredUsername: "",
Roles: []string{},
Name: "My Name",
ID: "1234",
},
Chore: Remove global setting var from azure ad oath (#35040) * Remove global setting var from azure ad oath * Remove more glob var from social * Use GrafanaComURL from cfg
4 years ago
fields: fields{
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
SocialBase: newSocialBase("azuread", &oauth2.Config{ClientID: "client-id-example"}, &OAuthInfo{}, "Viewer", false, *featuremgmt.WithFeatures()),
Chore: Remove global setting var from azure ad oath (#35040) * Remove global setting var from azure ad oath * Remove more glob var from social * Use GrafanaComURL from cfg
4 years ago
},
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
want: &BasicUserInfo{
OAuth: Allow assigning Server Admin (#54780) * extract errors to errors file * implement oauth server admin assignment * add server admin tests * deduplicate autoAssignOrgRole * deduplicate strict setting * deduplicate strict setting * add support for generic oauth * add role attribute strict support for generic oauth * add support for github/gitlab * assignGrafanaAdmin option is here to stay * unify similar errors * add config option * add okta server admin mapping * remove never used Company attribute * unify generic oauth role extract with other methods * case insensitive role match as in azure * add ini settings * add server admin to devenv * remove duplicate fields * add documentation to oauth * fix titlecase test * implement doc feedback
3 years ago
Id: "1234",
Name: "My Name",
Email: "me@example.com",
Login: "me@example.com",
Role: "Viewer",
Groups: []string{},
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
},
},
{
name: "No email",
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
fields: fields{
SocialBase: newSocialBase("azuread", &oauth2.Config{ClientID: "client-id-example"}, &OAuthInfo{}, "Viewer", false, *featuremgmt.WithFeatures()),
},
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
claims: &azureClaims{
Email: "",
PreferredUsername: "",
Roles: []string{},
Name: "My Name",
ID: "1234",
},
want: nil,
wantErr: true,
},
{
name: "No id token",
claims: nil,
want: nil,
wantErr: true,
},
Auth: Fix US gov azure ad oauth URL parsing (#71254) Updates regex for tenant ID parsing to support .us domains in addition to .com domains for Azure AD. Fixes #71252
2 years ago
{
name: "US Government domain",
claims: &azureClaims{
Email: "me@example.com",
PreferredUsername: "",
Roles: []string{},
Name: "My Name",
ID: "1234",
},
fields: fields{
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
SocialBase: newSocialBase("azuread", &oauth2.Config{ClientID: "client-id-example"}, &OAuthInfo{}, "Viewer", false, *featuremgmt.WithFeatures()),
Auth: Fix US gov azure ad oauth URL parsing (#71254) Updates regex for tenant ID parsing to support .us domains in addition to .com domains for Azure AD. Fixes #71252
2 years ago
usGovURL: true,
},
want: &BasicUserInfo{
Id: "1234",
Name: "My Name",
Email: "me@example.com",
Login: "me@example.com",
Role: "Viewer",
Groups: []string{},
},
},
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
{
name: "Email in preferred_username claim",
claims: &azureClaims{
Email: "",
PreferredUsername: "me@example.com",
Roles: []string{},
Name: "My Name",
ID: "1234",
},
Chore: Remove global setting var from azure ad oath (#35040) * Remove global setting var from azure ad oath * Remove more glob var from social * Use GrafanaComURL from cfg
4 years ago
fields: fields{
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
SocialBase: newSocialBase("azuread", &oauth2.Config{ClientID: "client-id-example"}, &OAuthInfo{}, "Viewer", false, *featuremgmt.WithFeatures()),
Chore: Remove global setting var from azure ad oath (#35040) * Remove global setting var from azure ad oath * Remove more glob var from social * Use GrafanaComURL from cfg
4 years ago
},
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
want: &BasicUserInfo{
OAuth: Allow assigning Server Admin (#54780) * extract errors to errors file * implement oauth server admin assignment * add server admin tests * deduplicate autoAssignOrgRole * deduplicate strict setting * deduplicate strict setting * add support for generic oauth * add role attribute strict support for generic oauth * add support for github/gitlab * assignGrafanaAdmin option is here to stay * unify similar errors * add config option * add okta server admin mapping * remove never used Company attribute * unify generic oauth role extract with other methods * case insensitive role match as in azure * add ini settings * add server admin to devenv * remove duplicate fields * add documentation to oauth * fix titlecase test * implement doc feedback
3 years ago
Id: "1234",
Name: "My Name",
Email: "me@example.com",
Login: "me@example.com",
Role: "Viewer",
Groups: []string{},
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
},
},
{
name: "Admin role",
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
fields: fields{
SocialBase: newSocialBase("azuread", &oauth2.Config{ClientID: "client-id-example"}, &OAuthInfo{}, "Viewer", false, *featuremgmt.WithFeatures()),
},
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
claims: &azureClaims{
Email: "me@example.com",
PreferredUsername: "",
Roles: []string{"Admin"},
Name: "My Name",
ID: "1234",
},
want: &BasicUserInfo{
OAuth: Allow assigning Server Admin (#54780) * extract errors to errors file * implement oauth server admin assignment * add server admin tests * deduplicate autoAssignOrgRole * deduplicate strict setting * deduplicate strict setting * add support for generic oauth * add role attribute strict support for generic oauth * add support for github/gitlab * assignGrafanaAdmin option is here to stay * unify similar errors * add config option * add okta server admin mapping * remove never used Company attribute * unify generic oauth role extract with other methods * case insensitive role match as in azure * add ini settings * add server admin to devenv * remove duplicate fields * add documentation to oauth * fix titlecase test * implement doc feedback
3 years ago
Id: "1234",
Name: "My Name",
Email: "me@example.com",
Login: "me@example.com",
Role: "Admin",
Groups: []string{},
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
},
},
{
name: "Lowercase Admin role",
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
fields: fields{
SocialBase: newSocialBase("azuread", &oauth2.Config{ClientID: "client-id-example"}, &OAuthInfo{}, "Viewer", false, *featuremgmt.WithFeatures()),
},
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
claims: &azureClaims{
Email: "me@example.com",
PreferredUsername: "",
Roles: []string{"admin"},
Name: "My Name",
ID: "1234",
},
want: &BasicUserInfo{
OAuth: Allow assigning Server Admin (#54780) * extract errors to errors file * implement oauth server admin assignment * add server admin tests * deduplicate autoAssignOrgRole * deduplicate strict setting * deduplicate strict setting * add support for generic oauth * add role attribute strict support for generic oauth * add support for github/gitlab * assignGrafanaAdmin option is here to stay * unify similar errors * add config option * add okta server admin mapping * remove never used Company attribute * unify generic oauth role extract with other methods * case insensitive role match as in azure * add ini settings * add server admin to devenv * remove duplicate fields * add documentation to oauth * fix titlecase test * implement doc feedback
3 years ago
Id: "1234",
Name: "My Name",
Email: "me@example.com",
Login: "me@example.com",
Role: "Admin",
Groups: []string{},
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
},
},
{
name: "Only other roles",
Auth: Restore legacy behavior and add deprecation notice for empty org role in oauth (#55118) * Auth: Add deprecation notice for empty org role Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * fix recasts * fix azure tests missing logger * Adding test to gitlab oauth * Covering more cases * Cover more options * Add role attributestrict check fail * Adding one more edge case test * Using legacy for gitlab * Yet another edge case YAEC * Reverting github oauth to legacy Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Not using token Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Nit. * Adding warning in docs Co-authored-by: Jguer <joao.guerreiro@grafana.com> * add warning to generic oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Be more precise Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Adding warning to github oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Adding warning to gitlab oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Adding warning to okta oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Add docs about mapping to AzureAD Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Clarify oauth_skip_org_role_update_sync Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Nit. * Nit on Azure AD Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Reorder docs index Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Fix typo Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
3 years ago
fields: fields{
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
SocialBase: newSocialBase("azuread", &oauth2.Config{ClientID: "client-id-example"}, &OAuthInfo{}, "Viewer", false, *featuremgmt.WithFeatures()),
Auth: Restore legacy behavior and add deprecation notice for empty org role in oauth (#55118) * Auth: Add deprecation notice for empty org role Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * fix recasts * fix azure tests missing logger * Adding test to gitlab oauth * Covering more cases * Cover more options * Add role attributestrict check fail * Adding one more edge case test * Using legacy for gitlab * Yet another edge case YAEC * Reverting github oauth to legacy Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Not using token Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Nit. * Adding warning in docs Co-authored-by: Jguer <joao.guerreiro@grafana.com> * add warning to generic oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Be more precise Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Adding warning to github oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Adding warning to gitlab oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Adding warning to okta oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Add docs about mapping to AzureAD Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Clarify oauth_skip_org_role_update_sync Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Nit. * Nit on Azure AD Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Reorder docs index Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Fix typo Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
3 years ago
},
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
claims: &azureClaims{
Email: "me@example.com",
PreferredUsername: "",
Roles: []string{"AppAdmin"},
Name: "My Name",
ID: "1234",
},
want: &BasicUserInfo{
OAuth: Allow assigning Server Admin (#54780) * extract errors to errors file * implement oauth server admin assignment * add server admin tests * deduplicate autoAssignOrgRole * deduplicate strict setting * deduplicate strict setting * add support for generic oauth * add role attribute strict support for generic oauth * add support for github/gitlab * assignGrafanaAdmin option is here to stay * unify similar errors * add config option * add okta server admin mapping * remove never used Company attribute * unify generic oauth role extract with other methods * case insensitive role match as in azure * add ini settings * add server admin to devenv * remove duplicate fields * add documentation to oauth * fix titlecase test * implement doc feedback
3 years ago
Id: "1234",
Name: "My Name",
Email: "me@example.com",
Login: "me@example.com",
Role: "Viewer",
Groups: []string{},
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
},
},
Oauth: Assign role from GF_USERS_AUTO_ASSIGN_ORG_ROLE for Azure AD Oauth (#34838) * 30555:Assign correct role with environment variable GF_USERS_AUTO_ASSIGN_ORG_ROLE * 30555:Remove unused condition
4 years ago
{
name: "role from env variable",
claims: &azureClaims{
Email: "me@example.com",
PreferredUsername: "",
Roles: []string{},
Name: "My Name",
ID: "1234",
},
Chore: Remove global setting var from azure ad oath (#35040) * Remove global setting var from azure ad oath * Remove more glob var from social * Use GrafanaComURL from cfg
4 years ago
fields: fields{
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
SocialBase: newSocialBase("azuread", &oauth2.Config{ClientID: "client-id-example"}, &OAuthInfo{}, "Editor", false, *featuremgmt.WithFeatures()),
Chore: Remove global setting var from azure ad oath (#35040) * Remove global setting var from azure ad oath * Remove more glob var from social * Use GrafanaComURL from cfg
4 years ago
},
Oauth: Assign role from GF_USERS_AUTO_ASSIGN_ORG_ROLE for Azure AD Oauth (#34838) * 30555:Assign correct role with environment variable GF_USERS_AUTO_ASSIGN_ORG_ROLE * 30555:Remove unused condition
4 years ago
want: &BasicUserInfo{
OAuth: Allow assigning Server Admin (#54780) * extract errors to errors file * implement oauth server admin assignment * add server admin tests * deduplicate autoAssignOrgRole * deduplicate strict setting * deduplicate strict setting * add support for generic oauth * add role attribute strict support for generic oauth * add support for github/gitlab * assignGrafanaAdmin option is here to stay * unify similar errors * add config option * add okta server admin mapping * remove never used Company attribute * unify generic oauth role extract with other methods * case insensitive role match as in azure * add ini settings * add server admin to devenv * remove duplicate fields * add documentation to oauth * fix titlecase test * implement doc feedback
3 years ago
Id: "1234",
Name: "My Name",
Email: "me@example.com",
Login: "me@example.com",
Role: "Editor",
Groups: []string{},
Oauth: Assign role from GF_USERS_AUTO_ASSIGN_ORG_ROLE for Azure AD Oauth (#34838) * 30555:Assign correct role with environment variable GF_USERS_AUTO_ASSIGN_ORG_ROLE * 30555:Remove unused condition
4 years ago
},
},
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
{
name: "Editor role",
claims: &azureClaims{
Email: "me@example.com",
PreferredUsername: "",
Roles: []string{"Editor"},
Name: "My Name",
ID: "1234",
},
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
fields: fields{
SocialBase: newSocialBase("azuread", &oauth2.Config{ClientID: "client-id-example"}, &OAuthInfo{}, "Editor", false, *featuremgmt.WithFeatures()),
},
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
want: &BasicUserInfo{
OAuth: Allow assigning Server Admin (#54780) * extract errors to errors file * implement oauth server admin assignment * add server admin tests * deduplicate autoAssignOrgRole * deduplicate strict setting * deduplicate strict setting * add support for generic oauth * add role attribute strict support for generic oauth * add support for github/gitlab * assignGrafanaAdmin option is here to stay * unify similar errors * add config option * add okta server admin mapping * remove never used Company attribute * unify generic oauth role extract with other methods * case insensitive role match as in azure * add ini settings * add server admin to devenv * remove duplicate fields * add documentation to oauth * fix titlecase test * implement doc feedback
3 years ago
Id: "1234",
Name: "My Name",
Email: "me@example.com",
Login: "me@example.com",
Role: "Editor",
Groups: []string{},
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
},
},
{
name: "Admin and Editor roles in claim",
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
fields: fields{
SocialBase: newSocialBase("azuread", &oauth2.Config{ClientID: "client-id-example"}, &OAuthInfo{}, "Editor", false, *featuremgmt.WithFeatures()),
},
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
claims: &azureClaims{
Email: "me@example.com",
PreferredUsername: "",
Roles: []string{"Admin", "Editor"},
Name: "My Name",
ID: "1234",
},
want: &BasicUserInfo{
OAuth: Allow assigning Server Admin (#54780) * extract errors to errors file * implement oauth server admin assignment * add server admin tests * deduplicate autoAssignOrgRole * deduplicate strict setting * deduplicate strict setting * add support for generic oauth * add role attribute strict support for generic oauth * add support for github/gitlab * assignGrafanaAdmin option is here to stay * unify similar errors * add config option * add okta server admin mapping * remove never used Company attribute * unify generic oauth role extract with other methods * case insensitive role match as in azure * add ini settings * add server admin to devenv * remove duplicate fields * add documentation to oauth * fix titlecase test * implement doc feedback
3 years ago
Id: "1234",
Name: "My Name",
Email: "me@example.com",
Login: "me@example.com",
Role: "Admin",
Groups: []string{},
},
},
{
name: "Grafana Admin but setting is disabled",
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
fields: fields{SocialBase: newSocialBase("azuread", &oauth2.Config{ClientID: "client-id-example"}, &OAuthInfo{AllowAssignGrafanaAdmin: false}, "Editor", false, *featuremgmt.WithFeatures())},
OAuth: Allow assigning Server Admin (#54780) * extract errors to errors file * implement oauth server admin assignment * add server admin tests * deduplicate autoAssignOrgRole * deduplicate strict setting * deduplicate strict setting * add support for generic oauth * add role attribute strict support for generic oauth * add support for github/gitlab * assignGrafanaAdmin option is here to stay * unify similar errors * add config option * add okta server admin mapping * remove never used Company attribute * unify generic oauth role extract with other methods * case insensitive role match as in azure * add ini settings * add server admin to devenv * remove duplicate fields * add documentation to oauth * fix titlecase test * implement doc feedback
3 years ago
claims: &azureClaims{
Email: "me@example.com",
PreferredUsername: "",
Roles: []string{"GrafanaAdmin"},
Name: "My Name",
ID: "1234",
},
want: &BasicUserInfo{
Id: "1234",
Name: "My Name",
Email: "me@example.com",
Login: "me@example.com",
Role: "Admin",
Groups: []string{},
IsGrafanaAdmin: nil,
},
},
{
name: "Editor roles in claim and GrafanaAdminAssignment enabled",
fields: fields{
SocialBase: newSocialBase("azuread",
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
&oauth2.Config{ClientID: "client-id-example"}, &OAuthInfo{AllowAssignGrafanaAdmin: true}, "", false, *featuremgmt.WithFeatures()),
Auth: Add auth.azure_ad security improvements (#912) * security improvements id_token * add audience validation * add allowOrganizations * add allowOrganizations tests and documentation * add log warn on no configuration * anonymize tenant id * Apply suggestions from code review Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * optimize key validation and add mising fields * fix missing key_id * lint * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * lint docs --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
},
OAuth: Allow assigning Server Admin (#54780) * extract errors to errors file * implement oauth server admin assignment * add server admin tests * deduplicate autoAssignOrgRole * deduplicate strict setting * deduplicate strict setting * add support for generic oauth * add role attribute strict support for generic oauth * add support for github/gitlab * assignGrafanaAdmin option is here to stay * unify similar errors * add config option * add okta server admin mapping * remove never used Company attribute * unify generic oauth role extract with other methods * case insensitive role match as in azure * add ini settings * add server admin to devenv * remove duplicate fields * add documentation to oauth * fix titlecase test * implement doc feedback
3 years ago
claims: &azureClaims{
Email: "me@example.com",
PreferredUsername: "",
Roles: []string{"Editor"},
Name: "My Name",
ID: "1234",
},
want: &BasicUserInfo{
Id: "1234",
Name: "My Name",
Email: "me@example.com",
Login: "me@example.com",
Role: "Editor",
Groups: []string{},
IsGrafanaAdmin: falseBoolPtr(),
},
},
{
Auth: Restore legacy behavior and add deprecation notice for empty org role in oauth (#55118) * Auth: Add deprecation notice for empty org role Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * fix recasts * fix azure tests missing logger * Adding test to gitlab oauth * Covering more cases * Cover more options * Add role attributestrict check fail * Adding one more edge case test * Using legacy for gitlab * Yet another edge case YAEC * Reverting github oauth to legacy Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Not using token Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Nit. * Adding warning in docs Co-authored-by: Jguer <joao.guerreiro@grafana.com> * add warning to generic oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Be more precise Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Adding warning to github oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Adding warning to gitlab oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Adding warning to okta oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Add docs about mapping to AzureAD Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Clarify oauth_skip_org_role_update_sync Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Nit. * Nit on Azure AD Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Reorder docs index Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Fix typo Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
3 years ago
name: "Grafana Admin and Editor roles in claim",
fields: fields{SocialBase: newSocialBase("azuread",
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
&oauth2.Config{ClientID: "client-id-example"}, &OAuthInfo{AllowAssignGrafanaAdmin: true}, "", false, *featuremgmt.WithFeatures())},
OAuth: Allow assigning Server Admin (#54780) * extract errors to errors file * implement oauth server admin assignment * add server admin tests * deduplicate autoAssignOrgRole * deduplicate strict setting * deduplicate strict setting * add support for generic oauth * add role attribute strict support for generic oauth * add support for github/gitlab * assignGrafanaAdmin option is here to stay * unify similar errors * add config option * add okta server admin mapping * remove never used Company attribute * unify generic oauth role extract with other methods * case insensitive role match as in azure * add ini settings * add server admin to devenv * remove duplicate fields * add documentation to oauth * fix titlecase test * implement doc feedback
3 years ago
claims: &azureClaims{
Email: "me@example.com",
PreferredUsername: "",
Roles: []string{"GrafanaAdmin", "Editor"},
Name: "My Name",
ID: "1234",
},
want: &BasicUserInfo{
Id: "1234",
Name: "My Name",
Email: "me@example.com",
Login: "me@example.com",
Role: "Admin",
Groups: []string{},
IsGrafanaAdmin: trueBoolPtr(),
Azure OAuth: enable teamsync (#22160) * Azure OAuth: extract groups from token for teamsync * Docs: changed some headers * Azure OAuth: fix tests * Azure OAuth: fix linter error (simplify) * Azure OAuth: add allowed_groups option * Azure OAuth: docs for team sync and allowed_groups * Azure OAuth: tests for allowed_groups * Update docs/sources/auth/azuread.md Co-Authored-By: Leonard Gram <leo@xlson.com> Co-authored-by: Leonard Gram <leo@xlson.com>
5 years ago
},
},
{
name: "Error if user is not a member of allowed_groups",
fields: fields{
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
SocialBase: newSocialBase("azuread", &oauth2.Config{ClientID: "client-id-example"}, &OAuthInfo{AllowAssignGrafanaAdmin: false}, "Editor", false, *featuremgmt.WithFeatures()),
Azure OAuth: enable teamsync (#22160) * Azure OAuth: extract groups from token for teamsync * Docs: changed some headers * Azure OAuth: fix tests * Azure OAuth: fix linter error (simplify) * Azure OAuth: add allowed_groups option * Azure OAuth: docs for team sync and allowed_groups * Azure OAuth: tests for allowed_groups * Update docs/sources/auth/azuread.md Co-Authored-By: Leonard Gram <leo@xlson.com> Co-authored-by: Leonard Gram <leo@xlson.com>
5 years ago
allowedGroups: []string{"dead-beef"},
},
claims: &azureClaims{
Email: "me@example.com",
PreferredUsername: "",
Roles: []string{},
Groups: []string{"foo", "bar"},
Name: "My Name",
ID: "1234",
},
want: nil,
wantErr: true,
},
{
Auth: Add auth.azure_ad security improvements (#912) * security improvements id_token * add audience validation * add allowOrganizations * add allowOrganizations tests and documentation * add log warn on no configuration * anonymize tenant id * Apply suggestions from code review Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * optimize key validation and add mising fields * fix missing key_id * lint * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * lint docs --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
name: "Error if user is not a member of allowed_organizations",
fields: fields{
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
SocialBase: newSocialBase("azuread", &oauth2.Config{ClientID: "client-id-example"}, &OAuthInfo{AllowAssignGrafanaAdmin: false}, "Editor", false, *featuremgmt.WithFeatures()),
Auth: Add auth.azure_ad security improvements (#912) * security improvements id_token * add audience validation * add allowOrganizations * add allowOrganizations tests and documentation * add log warn on no configuration * anonymize tenant id * Apply suggestions from code review Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * optimize key validation and add mising fields * fix missing key_id * lint * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * lint docs --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
allowedOrganizations: []string{"uuid-1234"},
},
claims: &azureClaims{
Email: "me@example.com",
TenantID: "uuid-5678",
PreferredUsername: "",
Roles: []string{},
Groups: []string{"foo", "bar"},
Name: "My Name",
ID: "1234",
},
want: nil,
wantErr: true,
}, {
name: "No error if user is a member of allowed_organizations",
fields: fields{
allowedOrganizations: []string{"uuid-1234", "uuid-5678"},
},
claims: &azureClaims{
Email: "me@example.com",
TenantID: "uuid-5678",
PreferredUsername: "",
Roles: []string{},
Groups: []string{"foo", "bar"},
Name: "My Name",
ID: "1234",
},
want: &BasicUserInfo{
Id: "1234",
Name: "My Name",
Email: "me@example.com",
Login: "me@example.com",
Auth: Enforce role sync except if skip org role sync is enabled (#70766) * enforce role sync except if skip org role sync is enabled * move errors to errors file and set codes * fix docs and defaults * remove legacy parameter * support fall through token-api in generic oauth * fix error handling for generic_oauth * Update pkg/login/social/generic_oauth.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/login/social/gitlab_oauth_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/login/social/gitlab_oauth_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
Role: "Viewer",
Auth: Add auth.azure_ad security improvements (#912) * security improvements id_token * add audience validation * add allowOrganizations * add allowOrganizations tests and documentation * add log warn on no configuration * anonymize tenant id * Apply suggestions from code review Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * optimize key validation and add mising fields * fix missing key_id * lint * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * lint docs --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
Groups: []string{"foo", "bar"},
},
wantErr: false,
},
{
name: "No Error if user is a member of allowed_groups",
Azure OAuth: enable teamsync (#22160) * Azure OAuth: extract groups from token for teamsync * Docs: changed some headers * Azure OAuth: fix tests * Azure OAuth: fix linter error (simplify) * Azure OAuth: add allowed_groups option * Azure OAuth: docs for team sync and allowed_groups * Azure OAuth: tests for allowed_groups * Update docs/sources/auth/azuread.md Co-Authored-By: Leonard Gram <leo@xlson.com> Co-authored-by: Leonard Gram <leo@xlson.com>
5 years ago
fields: fields{
OAuth: Allow assigning Server Admin (#54780) * extract errors to errors file * implement oauth server admin assignment * add server admin tests * deduplicate autoAssignOrgRole * deduplicate strict setting * deduplicate strict setting * add support for generic oauth * add role attribute strict support for generic oauth * add support for github/gitlab * assignGrafanaAdmin option is here to stay * unify similar errors * add config option * add okta server admin mapping * remove never used Company attribute * unify generic oauth role extract with other methods * case insensitive role match as in azure * add ini settings * add server admin to devenv * remove duplicate fields * add documentation to oauth * fix titlecase test * implement doc feedback
3 years ago
allowedGroups: []string{"foo", "bar"},
Auth: Restore legacy behavior and add deprecation notice for empty org role in oauth (#55118) * Auth: Add deprecation notice for empty org role Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * fix recasts * fix azure tests missing logger * Adding test to gitlab oauth * Covering more cases * Cover more options * Add role attributestrict check fail * Adding one more edge case test * Using legacy for gitlab * Yet another edge case YAEC * Reverting github oauth to legacy Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Not using token Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Nit. * Adding warning in docs Co-authored-by: Jguer <joao.guerreiro@grafana.com> * add warning to generic oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Be more precise Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Adding warning to github oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Adding warning to gitlab oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Adding warning to okta oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Add docs about mapping to AzureAD Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Clarify oauth_skip_org_role_update_sync Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Nit. * Nit on Azure AD Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Reorder docs index Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Fix typo Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
3 years ago
SocialBase: newSocialBase("azuread",
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
&oauth2.Config{ClientID: "client-id-example"}, &OAuthInfo{AllowAssignGrafanaAdmin: false}, "Viewer", false, *featuremgmt.WithFeatures()),
Azure OAuth: enable teamsync (#22160) * Azure OAuth: extract groups from token for teamsync * Docs: changed some headers * Azure OAuth: fix tests * Azure OAuth: fix linter error (simplify) * Azure OAuth: add allowed_groups option * Azure OAuth: docs for team sync and allowed_groups * Azure OAuth: tests for allowed_groups * Update docs/sources/auth/azuread.md Co-Authored-By: Leonard Gram <leo@xlson.com> Co-authored-by: Leonard Gram <leo@xlson.com>
5 years ago
},
claims: &azureClaims{
Email: "me@example.com",
PreferredUsername: "",
Roles: []string{},
Groups: []string{"foo"},
Name: "My Name",
ID: "1234",
},
want: &BasicUserInfo{
OAuth: Allow assigning Server Admin (#54780) * extract errors to errors file * implement oauth server admin assignment * add server admin tests * deduplicate autoAssignOrgRole * deduplicate strict setting * deduplicate strict setting * add support for generic oauth * add role attribute strict support for generic oauth * add support for github/gitlab * assignGrafanaAdmin option is here to stay * unify similar errors * add config option * add okta server admin mapping * remove never used Company attribute * unify generic oauth role extract with other methods * case insensitive role match as in azure * add ini settings * add server admin to devenv * remove duplicate fields * add documentation to oauth * fix titlecase test * implement doc feedback
3 years ago
Id: "1234",
Name: "My Name",
Email: "me@example.com",
Login: "me@example.com",
Role: "Viewer",
Groups: []string{"foo"},
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
},
},
AzureAD OAuth: Add support for fetching user groups (#43470) * Add functionallity to extractGroups to handle groups-overage claims Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
{
name: "Fetch groups when ClaimsNames and ClaimsSources is set",
fields: fields{
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
SocialBase: newSocialBase("azuread", &oauth2.Config{ClientID: "client-id-example"}, &OAuthInfo{}, "", false, *featuremgmt.WithFeatures()),
AzureAD OAuth: Add support for fetching user groups (#43470) * Add functionallity to extractGroups to handle groups-overage claims Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
},
claims: &azureClaims{
ID: "1",
Name: "test",
PreferredUsername: "test",
Email: "test@test.com",
Roles: []string{"Viewer"},
ClaimNames: claimNames{Groups: "src1"},
ClaimSources: nil, // set by the test
},
settingAutoAssignOrgRole: "",
want: &BasicUserInfo{
Id: "1",
Name: "test",
Email: "test@test.com",
Login: "test@test.com",
Role: "Viewer",
Groups: []string{"from_server"},
},
wantErr: false,
},
AzureAD: Add option to force fetch the groups from the Graph API (#56916) * Add a new option to systematically fetch AzureAD groups from the Graph API
3 years ago
{
name: "Fetch groups when forceUseGraphAPI is set",
fields: fields{
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
SocialBase: newSocialBase("azuread", &oauth2.Config{ClientID: "client-id-example"}, &OAuthInfo{}, "", false, *featuremgmt.WithFeatures()),
AzureAD: Add option to force fetch the groups from the Graph API (#56916) * Add a new option to systematically fetch AzureAD groups from the Graph API
3 years ago
forceUseGraphAPI: true,
},
claims: &azureClaims{
ID: "1",
Name: "test",
PreferredUsername: "test",
Email: "test@test.com",
Roles: []string{"Viewer"},
ClaimNames: claimNames{Groups: "src1"},
ClaimSources: nil, // set by the test
Groups: []string{"foo", "bar"}, // must be ignored
},
settingAutoAssignOrgRole: "",
want: &BasicUserInfo{
Id: "1",
Name: "test",
Email: "test@test.com",
Login: "test@test.com",
Role: "Viewer",
Groups: []string{"from_server"},
},
wantErr: false,
},
AzureAD OAuth: Add optional strict parsing of role_attribute_path for Azure AD (#42157) * AzureAD OAuth: Add optional strict parsing of role_attribute_path for Azure AD Fix casting issues modify unit tests Unit test fix Add proper test args * Return empty role when using strict attribute mode * Raise error on empty role * Fix UT for latest case
3 years ago
{
name: "Fetch empty role when strict attribute role is true and no match",
fields: fields{
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
SocialBase: newSocialBase("azuread", &oauth2.Config{ClientID: "client-id-example"}, &OAuthInfo{RoleAttributeStrict: true}, "", false, *featuremgmt.WithFeatures()),
AzureAD OAuth: Add optional strict parsing of role_attribute_path for Azure AD (#42157) * AzureAD OAuth: Add optional strict parsing of role_attribute_path for Azure AD Fix casting issues modify unit tests Unit test fix Add proper test args * Return empty role when using strict attribute mode * Raise error on empty role * Fix UT for latest case
3 years ago
},
claims: &azureClaims{
Email: "me@example.com",
PreferredUsername: "",
Roles: []string{"foo"},
Groups: []string{},
Name: "My Name",
ID: "1234",
},
want: nil,
wantErr: true,
},
AzureAd Oauth: Fix strictMode to reject users without an assigned role (#48474) * AzureAd Oauth: Fix strictMode to reject users without an assigned role Signed-off-by: kyschouv <kyschouv@microsoft.com> * AzureAd OAuth: Add test for strictMode auth when no role claims are returned Signed-off-by: kyschouv <kyschouv@microsoft.com>
3 years ago
{
name: "Fetch empty role when strict attribute role is true and no role claims returned",
fields: fields{
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
SocialBase: newSocialBase("azuread", &oauth2.Config{ClientID: "client-id-example"}, &OAuthInfo{RoleAttributeStrict: true}, "", false, *featuremgmt.WithFeatures()),
AzureAd Oauth: Fix strictMode to reject users without an assigned role (#48474) * AzureAd Oauth: Fix strictMode to reject users without an assigned role Signed-off-by: kyschouv <kyschouv@microsoft.com> * AzureAd OAuth: Add test for strictMode auth when no role claims are returned Signed-off-by: kyschouv <kyschouv@microsoft.com>
3 years ago
},
claims: &azureClaims{
Email: "me@example.com",
PreferredUsername: "",
Roles: []string{},
Groups: []string{},
Name: "My Name",
ID: "1234",
},
want: nil,
wantErr: true,
},
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
}
OAuth: Allow assigning Server Admin (#54780) * extract errors to errors file * implement oauth server admin assignment * add server admin tests * deduplicate autoAssignOrgRole * deduplicate strict setting * deduplicate strict setting * add support for generic oauth * add role attribute strict support for generic oauth * add support for github/gitlab * assignGrafanaAdmin option is here to stay * unify similar errors * add config option * add okta server admin mapping * remove never used Company attribute * unify generic oauth role extract with other methods * case insensitive role match as in azure * add ini settings * add server admin to devenv * remove duplicate fields * add documentation to oauth * fix titlecase test * implement doc feedback
3 years ago
Auth: Add auth.azure_ad security improvements (#912) * security improvements id_token * add audience validation * add allowOrganizations * add allowOrganizations tests and documentation * add log warn on no configuration * anonymize tenant id * Apply suggestions from code review Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * optimize key validation and add mising fields * fix missing key_id * lint * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * lint docs --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
require.NoError(t, err)
// Instantiate a signer using RSASSA-PSS (SHA256) with the given private key.
sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.PS256, Key: privateKey}, (&jose.SignerOptions{
Chore: use any rather than interface{} (#74066)
2 years ago
ExtraHeaders: map[jose.HeaderKey]any{"kid": "1"},
Auth: Add auth.azure_ad security improvements (#912) * security improvements id_token * add audience validation * add allowOrganizations * add allowOrganizations tests and documentation * add log warn on no configuration * anonymize tenant id * Apply suggestions from code review Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * optimize key validation and add mising fields * fix missing key_id * lint * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * lint docs --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
}).WithType("JWT"))
require.NoError(t, err)
// generate JWKS
jwks := &jose.JSONWebKeySet{
Keys: []jose.JSONWebKey{
{
Key: privateKey.Public(),
KeyID: "1",
Algorithm: "PS256",
Use: "sig",
},
},
}
authURL := "https://login.microsoftonline.com/1234/oauth2/v2.0/authorize"
Auth: Fix US gov azure ad oauth URL parsing (#71254) Updates regex for tenant ID parsing to support .us domains in addition to .com domains for Azure AD. Fixes #71252
2 years ago
usGovAuthURL := "https://login.microsoftonline.us/1234/oauth2/v2.0/authorize"
Auth: Add auth.azure_ad security improvements (#912) * security improvements id_token * add audience validation * add allowOrganizations * add allowOrganizations tests and documentation * add log warn on no configuration * anonymize tenant id * Apply suggestions from code review Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * optimize key validation and add mising fields * fix missing key_id * lint * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * lint docs --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
cache := remotecache.NewFakeCacheStorage()
// put JWKS in cache
jwksDump, err := json.Marshal(jwks)
require.NoError(t, err)
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
err = cache.Set(context.Background(), azureCacheKeyPrefix+"client-id-example", jwksDump, 0)
Auth: Add auth.azure_ad security improvements (#912) * security improvements id_token * add audience validation * add allowOrganizations * add allowOrganizations tests and documentation * add log warn on no configuration * anonymize tenant id * Apply suggestions from code review Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * optimize key validation and add mising fields * fix missing key_id * lint * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * lint docs --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
require.NoError(t, err)
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := &SocialAzureAD{
Auth: Add auth.azure_ad security improvements (#912) * security improvements id_token * add audience validation * add allowOrganizations * add allowOrganizations tests and documentation * add log warn on no configuration * anonymize tenant id * Apply suggestions from code review Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * optimize key validation and add mising fields * fix missing key_id * lint * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * lint docs --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
SocialBase: tt.fields.SocialBase,
allowedOrganizations: tt.fields.allowedOrganizations,
forceUseGraphAPI: tt.fields.forceUseGraphAPI,
cache: cache,
OAuth: Allow assigning Server Admin (#54780) * extract errors to errors file * implement oauth server admin assignment * add server admin tests * deduplicate autoAssignOrgRole * deduplicate strict setting * deduplicate strict setting * add support for generic oauth * add role attribute strict support for generic oauth * add support for github/gitlab * assignGrafanaAdmin option is here to stay * unify similar errors * add config option * add okta server admin mapping * remove never used Company attribute * unify generic oauth role extract with other methods * case insensitive role match as in azure * add ini settings * add server admin to devenv * remove duplicate fields * add documentation to oauth * fix titlecase test * implement doc feedback
3 years ago
}
if tt.fields.SocialBase == nil {
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
s.SocialBase = newSocialBase("azuread", &oauth2.Config{ClientID: "client-id-example"}, &OAuthInfo{}, "", false, *featuremgmt.WithFeatures())
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
}
Auth: Add support for role mapping and allowed groups in Google OIDC (#76266) * support google oauth allowed_groups. unify allowed groups logic * add role mapping for google oauth * add documentation * add addendums * remove extra isGroupMember * add to sample ini * Apply suggestions from code review Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
if tt.fields.allowedGroups != nil {
s.allowedGroups = tt.fields.allowedGroups
}
Auth: Fix US gov azure ad oauth URL parsing (#71254) Updates regex for tenant ID parsing to support .us domains in addition to .com domains for Azure AD. Fixes #71252
2 years ago
if tt.fields.usGovURL {
s.SocialBase.Endpoint.AuthURL = usGovAuthURL
} else {
s.SocialBase.Endpoint.AuthURL = authURL
}
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
cl := jwt.Claims{
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
Audience: jwt.Audience{"client-id-example"},
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
Subject: "subject",
Issuer: "issuer",
NotBefore: jwt.NewNumericDate(time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC)),
}
var raw string
if tt.claims != nil {
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
tt.claims.Audience = "client-id-example"
AzureAD OAuth: Add support for fetching user groups (#43470) * Add functionallity to extractGroups to handle groups-overage claims Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
if tt.claims.ClaimNames.Groups != "" {
server := httptest.NewServer(http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
tokenParts := strings.Split(request.Header.Get("Authorization"), " ")
require.Len(t, tokenParts, 2)
require.Equal(t, "fake_token", tokenParts[1])
writer.WriteHeader(http.StatusOK)
type response struct {
Value []string
}
Auth: Add skip_org_role_sync for AzureAD OAuth (#60322) * [WIP] Auth: add backend skipOrgRoleSync to AzureAD OAuth - add: skipOrgRoleSync - rename: skipOrgRoleSync to skipOrgRoleSyncBase (to make it clear that it is the base version of SocialBase) - add: tests for skipOrgRoleSync in AzureAD TODO: - [ ] frontend changes * add: docs * refactor: remove role from basicinfo * add: settings for grafanacom * add: settigns for frontend * add: logic for azureAD user skip org role * add: docs for skip_org_role_sync * refactor: docs a bit * add: tests for userinfo * refactor: to only extract if skiporgrolesync false * refactor: based on review comments * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
2 years ago
res := response{Value: []string{"from_server"}}
require.NoError(t, json.NewEncoder(writer).Encode(&res))
}))
// need to set the fake servers url as endpoint to capture request
tt.claims.ClaimSources = map[string]claimSource{
tt.claims.ClaimNames.Groups: {Endpoint: server.URL},
}
}
raw, err = jwt.Signed(sig).Claims(cl).Claims(tt.claims).CompactSerialize()
require.NoError(t, err)
} else {
raw, err = jwt.Signed(sig).Claims(cl).CompactSerialize()
require.NoError(t, err)
}
token := &oauth2.Token{
AccessToken: "fake_token",
}
if tt.claims != nil {
Chore: use any rather than interface{} (#74066)
2 years ago
token = token.WithExtra(map[string]any{"id_token": raw})
Auth: Add skip_org_role_sync for AzureAD OAuth (#60322) * [WIP] Auth: add backend skipOrgRoleSync to AzureAD OAuth - add: skipOrgRoleSync - rename: skipOrgRoleSync to skipOrgRoleSyncBase (to make it clear that it is the base version of SocialBase) - add: tests for skipOrgRoleSync in AzureAD TODO: - [ ] frontend changes * add: docs * refactor: remove role from basicinfo * add: settings for grafanacom * add: settigns for frontend * add: logic for azureAD user skip org role * add: docs for skip_org_role_sync * refactor: docs a bit * add: tests for userinfo * refactor: to only extract if skiporgrolesync false * refactor: based on review comments * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
2 years ago
}
if tt.fields.SocialBase != nil {
tt.args.client = s.Client(context.Background(), token)
}
Auth: Add request context to UserInfo calls (#70007) * use context for UserInfo requests * set timeouts for oauth http client * Update pkg/login/social/common.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
got, err := s.UserInfo(context.Background(), tt.args.client, token)
Auth: Add skip_org_role_sync for AzureAD OAuth (#60322) * [WIP] Auth: add backend skipOrgRoleSync to AzureAD OAuth - add: skipOrgRoleSync - rename: skipOrgRoleSync to skipOrgRoleSyncBase (to make it clear that it is the base version of SocialBase) - add: tests for skipOrgRoleSync in AzureAD TODO: - [ ] frontend changes * add: docs * refactor: remove role from basicinfo * add: settings for grafanacom * add: settigns for frontend * add: logic for azureAD user skip org role * add: docs for skip_org_role_sync * refactor: docs a bit * add: tests for userinfo * refactor: to only extract if skiporgrolesync false * refactor: based on review comments * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
2 years ago
if (err != nil) != tt.wantErr {
t.Errorf("UserInfo() error = %v, wantErr %v", err, tt.wantErr)
return
}
require.EqualValues(t, tt.want, got)
})
}
}
func TestSocialAzureAD_SkipOrgRole(t *testing.T) {
type fields struct {
SocialBase *SocialBase
allowedGroups []string
forceUseGraphAPI bool
skipOrgRoleSync bool
}
type args struct {
client *http.Client
}
tests := []struct {
name string
fields fields
claims *azureClaims
args args
settingAutoAssignOrgRole string
want *BasicUserInfo
wantErr bool
}{
{
name: "Grafana Admin and Editor roles in claim, skipOrgRoleSync disabled should get roles, skipOrgRoleSyncBase disabled",
fields: fields{
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
SocialBase: newSocialBase("azuread",
&oauth2.Config{ClientID: "client-id-example"},
&OAuthInfo{AllowAssignGrafanaAdmin: true}, "", false, *featuremgmt.WithFeatures()),
Auth: Add skip_org_role_sync for AzureAD OAuth (#60322) * [WIP] Auth: add backend skipOrgRoleSync to AzureAD OAuth - add: skipOrgRoleSync - rename: skipOrgRoleSync to skipOrgRoleSyncBase (to make it clear that it is the base version of SocialBase) - add: tests for skipOrgRoleSync in AzureAD TODO: - [ ] frontend changes * add: docs * refactor: remove role from basicinfo * add: settings for grafanacom * add: settigns for frontend * add: logic for azureAD user skip org role * add: docs for skip_org_role_sync * refactor: docs a bit * add: tests for userinfo * refactor: to only extract if skiporgrolesync false * refactor: based on review comments * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
2 years ago
skipOrgRoleSync: false,
},
claims: &azureClaims{
Email: "me@example.com",
PreferredUsername: "",
Roles: []string{"GrafanaAdmin", "Editor"},
Name: "My Name",
ID: "1234",
},
want: &BasicUserInfo{
Id: "1234",
Name: "My Name",
Email: "me@example.com",
Login: "me@example.com",
Role: "Admin",
IsGrafanaAdmin: trueBoolPtr(),
Groups: []string{},
},
},
{
name: "Grafana Admin and Editor roles in claim, skipOrgRoleSync disabled should not get roles",
fields: fields{
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
SocialBase: newSocialBase("azuread",
&oauth2.Config{ClientID: "client-id-example"},
&OAuthInfo{AllowAssignGrafanaAdmin: true}, "", false, *featuremgmt.WithFeatures()),
Auth: Add skip_org_role_sync for AzureAD OAuth (#60322) * [WIP] Auth: add backend skipOrgRoleSync to AzureAD OAuth - add: skipOrgRoleSync - rename: skipOrgRoleSync to skipOrgRoleSyncBase (to make it clear that it is the base version of SocialBase) - add: tests for skipOrgRoleSync in AzureAD TODO: - [ ] frontend changes * add: docs * refactor: remove role from basicinfo * add: settings for grafanacom * add: settigns for frontend * add: logic for azureAD user skip org role * add: docs for skip_org_role_sync * refactor: docs a bit * add: tests for userinfo * refactor: to only extract if skiporgrolesync false * refactor: based on review comments * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
2 years ago
skipOrgRoleSync: false,
},
claims: &azureClaims{
Email: "me@example.com",
PreferredUsername: "",
Roles: []string{"GrafanaAdmin", "Editor"},
Name: "My Name",
ID: "1234",
},
want: &BasicUserInfo{
Id: "1234",
Name: "My Name",
Email: "me@example.com",
Login: "me@example.com",
Role: "Admin",
IsGrafanaAdmin: trueBoolPtr(),
Groups: []string{},
},
},
}
Auth: Add auth.azure_ad security improvements (#912) * security improvements id_token * add audience validation * add allowOrganizations * add allowOrganizations tests and documentation * add log warn on no configuration * anonymize tenant id * Apply suggestions from code review Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * optimize key validation and add mising fields * fix missing key_id * lint * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * lint docs --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
require.NoError(t, err)
// Instantiate a signer using RSASSA-PSS (SHA256) with the given private key.
sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.PS256, Key: privateKey}, (&jose.SignerOptions{
Chore: use any rather than interface{} (#74066)
2 years ago
ExtraHeaders: map[jose.HeaderKey]any{"kid": "1"},
Auth: Add auth.azure_ad security improvements (#912) * security improvements id_token * add audience validation * add allowOrganizations * add allowOrganizations tests and documentation * add log warn on no configuration * anonymize tenant id * Apply suggestions from code review Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * optimize key validation and add mising fields * fix missing key_id * lint * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * lint docs --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
}).WithType("JWT"))
require.NoError(t, err)
// generate JWKS
jwks := &jose.JSONWebKeySet{
Keys: []jose.JSONWebKey{
{
Key: privateKey.Public(),
KeyID: "1",
Algorithm: string(jose.PS256),
Use: "sig",
},
},
}
authURL := "https://login.microsoftonline.com/1234/oauth2/v2.0/authorize"
cache := remotecache.NewFakeCacheStorage()
// put JWKS in cache
jwksDump, err := json.Marshal(jwks)
require.NoError(t, err)
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
err = cache.Set(context.Background(), azureCacheKeyPrefix+"client-id-example", jwksDump, 0)
Auth: Add auth.azure_ad security improvements (#912) * security improvements id_token * add audience validation * add allowOrganizations * add allowOrganizations tests and documentation * add log warn on no configuration * anonymize tenant id * Apply suggestions from code review Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * optimize key validation and add mising fields * fix missing key_id * lint * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * lint docs --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
require.NoError(t, err)
Auth: Add skip_org_role_sync for AzureAD OAuth (#60322) * [WIP] Auth: add backend skipOrgRoleSync to AzureAD OAuth - add: skipOrgRoleSync - rename: skipOrgRoleSync to skipOrgRoleSyncBase (to make it clear that it is the base version of SocialBase) - add: tests for skipOrgRoleSync in AzureAD TODO: - [ ] frontend changes * add: docs * refactor: remove role from basicinfo * add: settings for grafanacom * add: settigns for frontend * add: logic for azureAD user skip org role * add: docs for skip_org_role_sync * refactor: docs a bit * add: tests for userinfo * refactor: to only extract if skiporgrolesync false * refactor: based on review comments * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
2 years ago
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := &SocialAzureAD{
SocialBase: tt.fields.SocialBase,
forceUseGraphAPI: tt.fields.forceUseGraphAPI,
skipOrgRoleSync: tt.fields.skipOrgRoleSync,
Auth: Add auth.azure_ad security improvements (#912) * security improvements id_token * add audience validation * add allowOrganizations * add allowOrganizations tests and documentation * add log warn on no configuration * anonymize tenant id * Apply suggestions from code review Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * optimize key validation and add mising fields * fix missing key_id * lint * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * lint docs --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
cache: cache,
Auth: Add skip_org_role_sync for AzureAD OAuth (#60322) * [WIP] Auth: add backend skipOrgRoleSync to AzureAD OAuth - add: skipOrgRoleSync - rename: skipOrgRoleSync to skipOrgRoleSyncBase (to make it clear that it is the base version of SocialBase) - add: tests for skipOrgRoleSync in AzureAD TODO: - [ ] frontend changes * add: docs * refactor: remove role from basicinfo * add: settings for grafanacom * add: settigns for frontend * add: logic for azureAD user skip org role * add: docs for skip_org_role_sync * refactor: docs a bit * add: tests for userinfo * refactor: to only extract if skiporgrolesync false * refactor: based on review comments * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
2 years ago
}
if tt.fields.SocialBase == nil {
Auth: Add support for role mapping and allowed groups in Google OIDC (#76266) * support google oauth allowed_groups. unify allowed groups logic * add role mapping for google oauth * add documentation * add addendums * remove extra isGroupMember * add to sample ini * Apply suggestions from code review Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2 years ago
s.SocialBase = newSocialBase("azuread", &oauth2.Config{ClientID: "client-id-example"}, &OAuthInfo{
AllowedGroups: tt.fields.allowedGroups,
}, "", false, *featuremgmt.WithFeatures())
Auth: Add skip_org_role_sync for AzureAD OAuth (#60322) * [WIP] Auth: add backend skipOrgRoleSync to AzureAD OAuth - add: skipOrgRoleSync - rename: skipOrgRoleSync to skipOrgRoleSyncBase (to make it clear that it is the base version of SocialBase) - add: tests for skipOrgRoleSync in AzureAD TODO: - [ ] frontend changes * add: docs * refactor: remove role from basicinfo * add: settings for grafanacom * add: settigns for frontend * add: logic for azureAD user skip org role * add: docs for skip_org_role_sync * refactor: docs a bit * add: tests for userinfo * refactor: to only extract if skiporgrolesync false * refactor: based on review comments * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
2 years ago
}
Auth: Add auth.azure_ad security improvements (#912) * security improvements id_token * add audience validation * add allowOrganizations * add allowOrganizations tests and documentation * add log warn on no configuration * anonymize tenant id * Apply suggestions from code review Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Update pkg/login/social/azuread_oauth_test.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * optimize key validation and add mising fields * fix missing key_id * lint * Update docs/sources/setup-grafana/configure-security/configure-authentication/azuread/index.md Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * lint docs --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
s.SocialBase.Endpoint.AuthURL = authURL
Auth: Add skip_org_role_sync for AzureAD OAuth (#60322) * [WIP] Auth: add backend skipOrgRoleSync to AzureAD OAuth - add: skipOrgRoleSync - rename: skipOrgRoleSync to skipOrgRoleSyncBase (to make it clear that it is the base version of SocialBase) - add: tests for skipOrgRoleSync in AzureAD TODO: - [ ] frontend changes * add: docs * refactor: remove role from basicinfo * add: settings for grafanacom * add: settigns for frontend * add: logic for azureAD user skip org role * add: docs for skip_org_role_sync * refactor: docs a bit * add: tests for userinfo * refactor: to only extract if skiporgrolesync false * refactor: based on review comments * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
2 years ago
cl := jwt.Claims{
Subject: "subject",
Issuer: "issuer",
NotBefore: jwt.NewNumericDate(time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC)),
Audience: jwt.Audience{"leela", "fry"},
}
var raw string
if tt.claims != nil {
Auth: Add support for custom signing keys in auth.azure_ad (#71365) * fallthrough JWKS validation and caching for Azure * remove unused field
2 years ago
tt.claims.Audience = "client-id-example"
Auth: Add skip_org_role_sync for AzureAD OAuth (#60322) * [WIP] Auth: add backend skipOrgRoleSync to AzureAD OAuth - add: skipOrgRoleSync - rename: skipOrgRoleSync to skipOrgRoleSyncBase (to make it clear that it is the base version of SocialBase) - add: tests for skipOrgRoleSync in AzureAD TODO: - [ ] frontend changes * add: docs * refactor: remove role from basicinfo * add: settings for grafanacom * add: settigns for frontend * add: logic for azureAD user skip org role * add: docs for skip_org_role_sync * refactor: docs a bit * add: tests for userinfo * refactor: to only extract if skiporgrolesync false * refactor: based on review comments * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
2 years ago
if tt.claims.ClaimNames.Groups != "" {
server := httptest.NewServer(http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
tokenParts := strings.Split(request.Header.Get("Authorization"), " ")
require.Len(t, tokenParts, 2)
require.Equal(t, "fake_token", tokenParts[1])
writer.WriteHeader(http.StatusOK)
type response struct {
Value []string
}
AzureAD OAuth: Add support for fetching user groups (#43470) * Add functionallity to extractGroups to handle groups-overage claims Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
res := response{Value: []string{"from_server"}}
require.NoError(t, json.NewEncoder(writer).Encode(&res))
}))
// need to set the fake servers url as endpoint to capture request
tt.claims.ClaimSources = map[string]claimSource{
tt.claims.ClaimNames.Groups: {Endpoint: server.URL},
}
}
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
raw, err = jwt.Signed(sig).Claims(cl).Claims(tt.claims).CompactSerialize()
OAuth: Allow assigning Server Admin (#54780) * extract errors to errors file * implement oauth server admin assignment * add server admin tests * deduplicate autoAssignOrgRole * deduplicate strict setting * deduplicate strict setting * add support for generic oauth * add role attribute strict support for generic oauth * add support for github/gitlab * assignGrafanaAdmin option is here to stay * unify similar errors * add config option * add okta server admin mapping * remove never used Company attribute * unify generic oauth role extract with other methods * case insensitive role match as in azure * add ini settings * add server admin to devenv * remove duplicate fields * add documentation to oauth * fix titlecase test * implement doc feedback
3 years ago
require.NoError(t, err)
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
} else {
raw, err = jwt.Signed(sig).Claims(cl).CompactSerialize()
OAuth: Allow assigning Server Admin (#54780) * extract errors to errors file * implement oauth server admin assignment * add server admin tests * deduplicate autoAssignOrgRole * deduplicate strict setting * deduplicate strict setting * add support for generic oauth * add role attribute strict support for generic oauth * add support for github/gitlab * assignGrafanaAdmin option is here to stay * unify similar errors * add config option * add okta server admin mapping * remove never used Company attribute * unify generic oauth role extract with other methods * case insensitive role match as in azure * add ini settings * add server admin to devenv * remove duplicate fields * add documentation to oauth * fix titlecase test * implement doc feedback
3 years ago
require.NoError(t, err)
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
}
AzureAD OAuth: Add support for fetching user groups (#43470) * Add functionallity to extractGroups to handle groups-overage claims Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
token := &oauth2.Token{
AccessToken: "fake_token",
}
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
if tt.claims != nil {
Chore: use any rather than interface{} (#74066)
2 years ago
token = token.WithExtra(map[string]any{"id_token": raw})
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
}
AzureAD OAuth: Add support for fetching user groups (#43470) * Add functionallity to extractGroups to handle groups-overage claims Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago
if tt.fields.SocialBase != nil {
tt.args.client = s.Client(context.Background(), token)
}
Auth: Add request context to UserInfo calls (#70007) * use context for UserInfo requests * set timeouts for oauth http client * Update pkg/login/social/common.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2 years ago
got, err := s.UserInfo(context.Background(), tt.args.client, token)
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
if (err != nil) != tt.wantErr {
t.Errorf("UserInfo() error = %v, wantErr %v", err, tt.wantErr)
return
}
Auth: Restore legacy behavior and add deprecation notice for empty org role in oauth (#55118) * Auth: Add deprecation notice for empty org role Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * fix recasts * fix azure tests missing logger * Adding test to gitlab oauth * Covering more cases * Cover more options * Add role attributestrict check fail * Adding one more edge case test * Using legacy for gitlab * Yet another edge case YAEC * Reverting github oauth to legacy Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Not using token Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Nit. * Adding warning in docs Co-authored-by: Jguer <joao.guerreiro@grafana.com> * add warning to generic oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Be more precise Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Adding warning to github oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Adding warning to gitlab oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Adding warning to okta oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Add docs about mapping to AzureAD Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Clarify oauth_skip_org_role_update_sync Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Nit. * Nit on Azure AD Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Reorder docs index Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Fix typo Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: gamab <gabi.mabs@gmail.com>
3 years ago
require.EqualValues(t, tt.want, got)
Auth: Azure AD OAuth (#20030) * Implement Azure AD oauth * Use go-jose and cleanup * Update go-jose in go.mod * cleanup * Add unit tests * Fix scopes * Add documentation page * Improve documentation * Convert extract_role into function. * Do not use upn and replace unique_name with preferred_username * Configure login button * Use official microsoft icon and color from branding guideline. * Add Azure AD config section in sample.ini.
5 years ago
})
}
}