grafana

Commit Graph

Author	SHA1	Message	Date
grafana-delivery-bot[bot]	3881a173fe	[release-11.5.2] AuthN: Refetch user on "ErrUserAlreadyExists" (#100582 ) AuthN: Refetch user on "ErrUserAlreadyExists" (#100346) * AuthN: Refetch user on "ErrUserAlreadyExists" (cherry picked from commit `0b4c622df8`) Co-authored-by: Karl Persson <23356117+kalleep@users.noreply.github.com>	11 months ago
Misi	6cd3a5458e	Auth: Return error when retries have been exhausted for OAuth token refresh (#98034 ) Return error when retries for DB lock have been exhausted in oauth_token.go	1 year ago
Misi	84b8296ffb	OAuth: Use the attached external session data in OAuthToken and OAuthTokenSync (#96655 ) * wip * wip + tests * wip * wip opt2 * Use authn.Identity struct's SessionToken * Merge fixes * Handle disabling the feature flag correctly * Fix test * Cleanup * Remove HasOAuthEntry from the OAuthTokenService interface * Remove unused function	1 year ago
Karl Persson	8d74296b6c	Authn: Always set namespace (#96230 ) * Rename from AllowedKubernetesNamespace to Namespace * Use a sync hook to always set namespace for Identity. * format * Don't set uid when authenticating as user	1 year ago
Misi	c872cad879	OrgSync: Do not set default Organization for a user to a non-existent Organization (#94537 ) Do not set default org for a user to a missing org Co-authored-by: Karl Persson <kalle.persson@grafana.com>	1 year ago
Gabriel MABILLE	7ef13497a8	AuthN: Ext JWT support actions (#92486 )	1 year ago
Dan Cech	9020eb4b17	Auth: Update oauthtoken service to use remote cache and server lock (#90572 ) * update oauthtoken service to use remote cache and server lock * remove token cache * retry is lock is held by an in-flight refresh * refactor token renewal to avoid race condition * re-add refresh token expiry cache, but in SyncOauthTokenHook * Add delta to the cache ttl * Fix merge * Change lockTimeConfig * Always set the token from within the server lock * Improvements * early return when user is not authed by OAuth or refresh is disabled * Allow more time for token refresh, tracing * Retry on Mysql Deadlock error 1213 * Update pkg/services/authn/authnimpl/sync/oauth_token_sync.go Co-authored-by: Dan Cech <dcech@grafana.com> * Update pkg/services/authn/authnimpl/sync/oauth_token_sync.go Co-authored-by: Dan Cech <dcech@grafana.com> * Add settings for configuring min wait time between retries * Add docs for the new setting * Clean up * Update docs/sources/setup-grafana/configure-grafana/_index.md Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> --------- Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com> Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>	1 year ago
Karl Persson	8bcd9c2594	Identity: Remove typed id (#91801 ) * Refactor identity struct to store type in separate field * Update ResolveIdentity to take string representation of typedID * Add IsIdentityType to requester interface * Use IsIdentityType from interface * Remove usage of TypedID * Remote typedID struct * fix GetInternalID	1 year ago
Ryan McKinley	21d4a4f49e	Auth: use IdentityType from authlib (#91763 )	1 year ago
Vardan Torosyan	e20f8c566d	RBAC sync: Fix removal of roles which need to be added (#91152 ) * RBAC sync: Fix removal of roles which need to be added * Optimize code * cleanup: appease the linter --------- Co-authored-by: Victor Cinaglia <victor@grafana.com>	1 year ago
Ryan McKinley	9db3bc926e	Identity: Rename "namespace" to "type" in the requester interface (#90567 )	1 year ago
Vardan Torosyan	82236976ae	Add support ticket fixed roles to cloud role sync (#90864 ) * Add support ticket fixed roles to cloud role sync * Adding tests * Fix the linter	1 year ago
Misi	f337da8e57	Chore: Add more context to logs of OAuthToken and OAuthTokenSync (#90071 ) Chore: Add more context to oauth token sync	2 years ago
Jeff Levin	cfe8317d45	Add auth spans and remove deduplication code for scopes (#89804 ) Adds more spans for timing in accesscontrol and remove permission deduplicating code after benchmarking --------- Signed-off-by: Dave Henderson <dave.henderson@grafana.com> Co-authored-by: Dave Henderson <dave.henderson@grafana.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	2 years ago
Ryan McKinley	99d8025829	Chore: Move identity and errutil to apimachinery module (#89116 )	2 years ago
Carl Bergquist	6c79f63c04	Auth: Pass ctx when updating last seen (#88496 ) Signed-off-by: bergquist <carl.bergquist@gmail.com>	2 years ago
Kristin Laemmert	16b1e285ea	Chore: Use cache for all signed in user lookups (#88133 ) * GetSignedInUser unexported (renamed to getSignedInUser) * GetSignedInUserWithCacheCtx renamed to GetSignedInUser * added a check for a nil cacheservice (as defensive programming / test convenience)	2 years ago
Karl Persson	9977258d04	AuthN: Set uid during authentication (#87797 ) * Identity: Remove GetNamespacedUID and use GetUID instead * Authn: Set uid for users and service accounts	2 years ago
Karl Persson	be5ced4287	Identity: Use typed version of namespace id (#87257 ) * Remove different constructors and only use NewNamespaceID * AdminUser: check typed namespace id * Identity: Add convinient function to parse valid user id when type is either user or service account * Annotations: Use typed namespace id instead	2 years ago
Gabriel MABILLE	8802282ebc	RBAC: fix panic role not found permission sync (#87217 )	2 years ago
Karl Persson	c4cfee8d96	User: support setting org and help flags though update function (#86535 ) * User: Support setting active org through update function * User: add support to update help flags through update function	2 years ago
Karl Persson	cd724d74aa	Authn: move namespace id type (#86853 ) * Use RoleType from org package * Move to identity package and re-export from authn * Replace usage of top level functions for identity Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>	2 years ago
Karl Persson	0fa983ad8e	AuthN: Use typed namespace id inside authn package (#86048 ) * authn: Use typed namespace id inside package	2 years ago
Karl Persson	0f06120b56	User: Clean up update functions (#86341 ) * User: remove unused function * User: Remove UpdatePermissions and support IsGrafanaAdmin flag in Update function instead * User: Remove Disable function and use Update instead	2 years ago
Karl Persson	8520892923	User: Fix GetByID (#86282 ) * Auth: Remove unused lookup param * Remove case sensitive lookup for GetByID	2 years ago
Karl Persson	895222725c	Session: set authID and authenticatedBy (#85806 ) * Authn: Resolve authenticate by and auth id when fethcing signed in user * Change logout client interface to only take Requester interface * Session: Fetch external auth info when authenticating sessions * Use authenticated by from identity * Move call to get auth-info into session client and use GetAuthenticatedBy in various places	2 years ago
Karl Persson	ebb4bb859e	Authn: allow ResolveIdentity to authenticate in "global" scope (#85835 ) * Authn: allow ResolveIdentity to authenticate in "global" scope * Use constant	2 years ago
Misi	8796d2d307	Auth: Convert SetDefaultOrgHook to PostLoginHook (#85649 ) * Convert SetDefaultOrgHook to PostLoginHook	2 years ago
Karl Persson	b1fc0861f1	AuthN: reset email verified on email change (#85643 ) * AuthN: reset email verified on email change Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>	2 years ago
Karl Persson	ba41954854	Email: trigger email verification flow (#85587 ) * Add email and email_verified to id token if identity is a user * Add endpoint to trigger email verification for user * Add function to clear stored id tokens and use it when email verification is completed	2 years ago
Jo	5340a6e548	Auth: Extended JWT client for OBO and Service Authentication (#83814 ) * reenable ext-jwt-client * fixup settings struct * add user and service auth * lint up * add user auth to grafana ext * fixes * Populate token permissions Co-authored-by: jguer <joao.guerreiro@grafana.com> * fix tests * fix lint * small prealloc * small prealloc * use special namespace for access policies * fix access policy auth * fix tests * fix uncalled settings expander * add feature toggle * small feedback fixes * rename entitlements to permissions * add authlibn * allow viewing the signed in user info for non user namespace * fix invalid namespacedID * use authlib as verifier for tokens * Update pkg/services/authn/clients/ext_jwt.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/authn/clients/ext_jwt_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * fix parameter names * change asserts to normal package * add rule for assert * fix ownerships * Local diff * test and lint * Fix test * Fix ac test * Fix pluginproxy test * Revert testdata changes * Force revert on test data --------- Co-authored-by: gamab <gabriel.mabille@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>	2 years ago
Jo	da40158fed	Auth: Improve org role sync debugging (#85146 ) add login to the context of the logger	2 years ago
Misi	63f1c30313	Auth: Set the default org after User login (#83918 ) * poc * add logger, skip hook when user is not assigned to default org * Add tests, move to hook folder * docs * Skip for OrgId < 1 * Address feedback * Update docs/sources/setup-grafana/configure-grafana/_index.md * lint * Move the hook to org_sync.go * Update pkg/services/authn/authnimpl/sync/org_sync.go * Handle the case when GetUserOrgList returns error --------- Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> Co-authored-by: Karl Persson <kalle.persson@grafana.com>	2 years ago
Karl Persson	9c292d2c3f	AuthN: Use sync hook to fetch service account (#84078 ) * Use sync hook to fetch service account	2 years ago
Gabriel MABILLE	596e828150	Fix: Refresh token when id_token is expired (#79569 ) * Fix: Refresh token when id_token is expired * add id_token comparison * Fix wire * Use userID as cache key * Apply suggestions from code review --------- Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>	2 years ago
Karl Persson	7b58f71b33	AuthN: Add auth hook that can sync grafana cloud role to rbac cloud role (#80416 ) * AuthnSync: Rename files and structures * AuthnSync: register rbac cloud role sync if feature toggle is enabled * RBAC: Add new sync function to service interface * RBAC: add common prefix and role names for cloud fixed roles * AuthnSync+RBAC: implement rbac cloud role sync Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	2 years ago
Vardan Torosyan	63cd5a5625	Chore: Cleanup namespace and ID resolution (#79360 ) * Chore: Cleanup namespace ID resolution * Check for negative userID when relevant * Reuse existing function for parsing ID as int * Fix imports	2 years ago
Misi	50f4e78a39	Auth: Use SSO settings service to load social connectors + refactor (#79005 ) * Refactor to prevent cyclic dependencies * Move list authorization to the API layer * Init connectors using the SSO settings service in case the ssoSettingsApi feature toggle is enabled * wip, need to handle the cyclic dep * Remove cyclic dependency * Align tests + refactor * Move back OAuthInfo to social * Delete pkg/login/social/constants * Move reloadable registration to the social providers * Rename connectors.Error to connectors.SocialError	2 years ago
Karl Persson	1eb19befaa	Login: refactor auth info package (#78459 ) * Remove unused stats and metrics * No longer collect metrics * Remove unused dependency * Move database from sub package	2 years ago
Karl Persson	d42201dbf4	Login: remove unused function (#78442 ) * Move test to the db so we test the queries and not just testing the mock * Remove unused function and dependencies * Remove unused functions from the database * Add some integration tests	2 years ago
Karl Persson	140b5b4a61	AuthN: Add debug logs and check error during oauth token sync (#78323 ) Add some debug logs and handle error	2 years ago
Misi	1e81ffccac	Auth: Handle when access token has already been refreshed in OAuth token sync (#77118 ) * Use singleflight to prevent logging error if the token has already been refreshed * Change order of error checks * align tests, change error name * Change sf key * Update based on the review * refactor	2 years ago
Karl Persson	ed1c50233f	Revert "AuthN: move oauth token hook into session client" (#76882 ) Revert "AuthN: move oauth token hook into session client (#76688)" This reverts commit `455cede699`.	2 years ago
Karl Persson	455cede699	AuthN: move oauth token hook into session client (#76688 ) * Move rotate logic into its own function * Move oauth token sync to session client * Add user to the local cache if refresh tokens are not enabled for the provider so we can skip the check in other requests	2 years ago
Karl Persson	1528d6f5c4	Authn: Prevent empty username and email during sync (#76330 ) * Move errors to error file * Move check for both empty username and email to user service * Move check for empty email and username to user service Update * Wrap inner error * Set username in test	2 years ago
Misi	bd2191c158	Auth: OAuth token sync improvements (#75943 ) * Add metric, improve token refresh * changes * handle ctx cancelled * Fix import order	2 years ago
Karl Persson	fd2235b5ad	AuthN: Implement requester interface for identity (#75618 ) * AuthN: Implement identity.Requester interface for authn.Identity * AuthN: Replace OrgRole with GetOrgRole * IDForwarding: skip converting to SignedInUser * Pass identity directly in permission sync hook	2 years ago
Gabriel MABILLE	0ed649b108	AuthN: Change EnableDisabledUserHook to EnableUserHook (#75248 ) * Replace the enable disable user hook by a hook that systematically enable users * Fix tests * Remove the skip test	2 years ago
linoman	13f4382214	Auth: Implement requester interface in access control module (#74289 ) * Implement requester interface in the access control module	2 years ago
Serge Zaitsev	8187d8cb66	Chore: capitalise log message for auth packages (#74332 )	2 years ago

1 2

80 Commits (2e2e89a81663dfdab284e945bc508c33a6eadddb)