grafana

Commit Graph

Author	SHA1	Message	Date
Karl Persson	c4cfee8d96	User: support setting org and help flags though update function (#86535 ) * User: Support setting active org through update function * User: add support to update help flags through update function	1 year ago
Karl Persson	cd724d74aa	Authn: move namespace id type (#86853 ) * Use RoleType from org package * Move to identity package and re-export from authn * Replace usage of top level functions for identity Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>	1 year ago
Charandas	d46b163810	Authn (jwt_auth): add tracing spans for validating newer use cases (#86812 )	1 year ago
Karl Persson	0fa983ad8e	AuthN: Use typed namespace id inside authn package (#86048 ) * authn: Use typed namespace id inside package	1 year ago
Ieva	036f826b87	AuthZ: Further protect admin endpoints (#86285 ) * only users with Grafana Admin role can grant/revoke Grafana Admin role * check permissions to user amdin endpoints globally * allow checking global permissions for service accounts * use a middleware for checking whether the caller is Grafana Admin	1 year ago
Karl Persson	0f06120b56	User: Clean up update functions (#86341 ) * User: remove unused function * User: Remove UpdatePermissions and support IsGrafanaAdmin flag in Update function instead * User: Remove Disable function and use Update instead	1 year ago
Karl Persson	8520892923	User: Fix GetByID (#86282 ) * Auth: Remove unused lookup param * Remove case sensitive lookup for GetByID	1 year ago
linoman	51da96d94e	Auth: Add `IsClientEnabled` and `IsEnabled` for the `authn.Service` and `authn.Client` interfaces (#86034 ) * Add `Service. IsClientEnabled` and `Client.IsEnabled` functions * Implement `IsEnabled` function for authn clients * Implement `IsClientEnabled` function for authn services	1 year ago
Karl Persson	73fecc8d80	Authn: Identity resolvers (#85930 ) * AuthN: Add NamespaceID struct. We should replace the usage of encoded namespaceID with this one * AuthN: Add optional interface that clients can implement to be able to resolve identity for a namespace * Authn: Implement IdentityResolverClient for api keys * AuthN: use idenity resolvers Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>	1 year ago
Karl Persson	895222725c	Session: set authID and authenticatedBy (#85806 ) * Authn: Resolve authenticate by and auth id when fethcing signed in user * Change logout client interface to only take Requester interface * Session: Fetch external auth info when authenticating sessions * Use authenticated by from identity * Move call to get auth-info into session client and use GetAuthenticatedBy in various places	1 year ago
Alexander Zobnin	3127566a20	Access control: Use ResolveIdentity() for authorizing in org (#85549 ) * Access control: Use ResolveIdentity() for authorizing in org * Fix tests * Fix middleware tests * Use ResolveIdentity in HasGlobalAccess() function * remove makeTmpUser * Cleanup * Fix linter errors * Fix test build * Remove GetUserPermissionsInOrg()	1 year ago
Karl Persson	ebb4bb859e	Authn: allow ResolveIdentity to authenticate in "global" scope (#85835 ) * Authn: allow ResolveIdentity to authenticate in "global" scope * Use constant	1 year ago
Karl Persson	46ee87a0fc	Authn: Ignore context.Canceled errors when logging auth errors (#85707 ) Ignore context.Canceled errors when logging auth errors	1 year ago
Misi	8796d2d307	Auth: Convert SetDefaultOrgHook to PostLoginHook (#85649 ) * Convert SetDefaultOrgHook to PostLoginHook	1 year ago
Karl Persson	b1fc0861f1	AuthN: reset email verified on email change (#85643 ) * AuthN: reset email verified on email change Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>	1 year ago
Karl Persson	ba41954854	Email: trigger email verification flow (#85587 ) * Add email and email_verified to id token if identity is a user * Add endpoint to trigger email verification for user * Add function to clear stored id tokens and use it when email verification is completed	1 year ago
Karl Persson	504870f10a	Auth: Decouple client and hook registration (#85084 )	1 year ago
Jo	5340a6e548	Auth: Extended JWT client for OBO and Service Authentication (#83814 ) * reenable ext-jwt-client * fixup settings struct * add user and service auth * lint up * add user auth to grafana ext * fixes * Populate token permissions Co-authored-by: jguer <joao.guerreiro@grafana.com> * fix tests * fix lint * small prealloc * small prealloc * use special namespace for access policies * fix access policy auth * fix tests * fix uncalled settings expander * add feature toggle * small feedback fixes * rename entitlements to permissions * add authlibn * allow viewing the signed in user info for non user namespace * fix invalid namespacedID * use authlib as verifier for tokens * Update pkg/services/authn/clients/ext_jwt.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update pkg/services/authn/clients/ext_jwt_test.go Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * fix parameter names * change asserts to normal package * add rule for assert * fix ownerships * Local diff * test and lint * Fix test * Fix ac test * Fix pluginproxy test * Revert testdata changes * Force revert on test data --------- Co-authored-by: gamab <gabriel.mabille@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>	1 year ago
linoman	e4250a72db	JWT: Find login and email claims with JMESPATH (#85305 ) * add function to static function to static service * find email and login claims with jmespath * rename configuration files * Replace JWTClaims struct for map * check for subclaims error	1 year ago
Karl Persson	152cb47692	AuthN: Add IsAuthenticatedBy to identity interface and replace checks (#85262 ) Add IsAuthenticatedBy to identity interface and replace checks	1 year ago
Jo	da40158fed	Auth: Improve org role sync debugging (#85146 ) add login to the context of the logger	1 year ago
Karl Persson	2f3a01f79f	OAuth: Make sub claim required for generic oauth behind feature toggle (#85065 ) * Add feature toggle for sub claims requirement * OAuth: require valid auth id * Fix feature toggle description	1 year ago
Eric Leijonmarck	bb792ff540	Auth: Remove oauth skip org role sync (#84972 ) * remove oauth wide skip org role sync * we are warning from config * set it to false * removed from config ini files and updated docs	1 year ago
Karl Persson	d4e802dd47	Authn: Add function to resolve identity from org and namespace id (#84555 ) * Add function to get the namespaced id * Add function to resolve an identity through authn.Service from org and namespace id * Switch to resolve identity for re-authenticate in another org	1 year ago
Misi	63f1c30313	Auth: Set the default org after User login (#83918 ) * poc * add logger, skip hook when user is not assigned to default org * Add tests, move to hook folder * docs * Skip for OrgId < 1 * Address feedback * Update docs/sources/setup-grafana/configure-grafana/_index.md * lint * Move the hook to org_sync.go * Update pkg/services/authn/authnimpl/sync/org_sync.go * Handle the case when GetUserOrgList returns error --------- Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com> Co-authored-by: Karl Persson <kalle.persson@grafana.com>	1 year ago
Karl Persson	6ea9f0c447	AuthN: Use fetch user sync hook for render keys connected to a user (#84080 ) * Use fetch user sync hook for render keys connected to a user	1 year ago
Karl Persson	9c292d2c3f	AuthN: Use sync hook to fetch service account (#84078 ) * Use sync hook to fetch service account	1 year ago
Jo	36a19bfa83	AuthProxy: Allow disabling Auth Proxy cache (#83755 ) * extract auth proxy settings * simplify auth proxy methods * add doc mentions	1 year ago
Jo	2182cc47ac	LDAP: Fix LDAP users authenticated via auth proxy not being able to use LDAP active sync (#83715 ) * fix LDAP users authenticated via auth proxy not being able to use ldap sync * simplify id resolution at the cost of no fallthrough * remove unused services * remove unused cache key	1 year ago
Gabriel MABILLE	80d6bf6da0	AuthN: Remove embedded oauth server (#83146 ) * AuthN: Remove embedded oauth server * Restore main * go mod tidy * Fix problem * Remove permission intersection * Fix test and lint * Fix TestData test * Revert to origin/main * Update go.mod * Update go.mod * Update go.sum	1 year ago
Klesh Wong	9282c7a7a4	AuthProxy: Invalidate previous cached item for user when changes are made to any header (#81445 ) * fix: sign in using auth_proxy with role a -> b -> a would end up with role b * Update pkg/services/authn/clients/proxy.go Co-authored-by: Karl Persson <kalle.persson92@gmail.com> * Update pkg/services/authn/clients/proxy.go Co-authored-by: Karl Persson <kalle.persson92@gmail.com>	1 year ago
Karl Persson	9e04fd0fb7	AuthToken: Remove client token rotation feature toggle (#82886 ) * Remove usage of client token rotation flag * Remove client token rotation feature toggle	1 year ago
Misi	bb9d5799cf	Auth: Load `oauth_allow_insecure_email_lookup` using the SettingsProvider (#82460 ) * wip * Introduce fixed:server.config:writer role * Fix tests * Update name	1 year ago
linoman	ac84069071	Password policy (#82268 ) * add password service interface * add password service implementation * add tests for password service * add password service wiring * add feature toggle * Rework from service interface to static function * Replace previous password validations * Add codeowners to password service * add error logs * update config files --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com>	1 year ago
Jo	6f62d970e3	JWT Authentication: Add support for specifying groups in auth.jwt for teamsync (#82175 ) * merge JSON search logic * document public methods * improve test coverage * use separate JWT setting struct * correct use of cfg.JWTAuth * add group tests * fix DynMap typing * add settings to default ini * add groups option to devenv path * fix test * lint * revert jwt-proxy change * remove redundant check * fix parallel test	1 year ago
Gabriel MABILLE	596e828150	Fix: Refresh token when id_token is expired (#79569 ) * Fix: Refresh token when id_token is expired * add id_token comparison * Fix wire * Use userID as cache key * Apply suggestions from code review --------- Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>	1 year ago
Gabriel MABILLE	3df0611f81	RBAC: Fix authorize in org (#81552 ) * RBAC: Fix authorize in org * Implement option 2 * Fix typo * Fix alerting test * Add test to cover the not member case	1 year ago
Jo	f3f36e37fa	AuthInfo: No mandatory auth_id in Auth Info service (#81335 ) * fix auth info update not having mandatory auth_id * remove uneeded newline	1 year ago
Misi	20bb0a3ab1	AuthN: Support reloading SSO config after the sso settings have changed (#80734 ) * Add AuthNSvc reload handling * Working, need to add test * Remove commented out code * Add Reload implementation to connectors * Align and add tests, refactor * Add more tests, linting * Add extra checks + tests to oauth client * Clean up based on reviews * Move config instantiation into newSocialBase * Use specific error	1 year ago
Karl Persson	7b58f71b33	AuthN: Add auth hook that can sync grafana cloud role to rbac cloud role (#80416 ) * AuthnSync: Rename files and structures * AuthnSync: register rbac cloud role sync if feature toggle is enabled * RBAC: Add new sync function to service interface * RBAC: add common prefix and role names for cloud fixed roles * AuthnSync+RBAC: implement rbac cloud role sync Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	1 year ago
arukiidou	bffb28c177	refactor: use golang.org/x/oauth2 pkce option (#80511 ) Signed-off-by: junya koyama <arukiidou@yahoo.co.jp>	1 year ago
Ryan McKinley	1caaa56de0	FeatureFlags: Use interface rather than manager (#80000 )	1 year ago
Vardan Torosyan	63cd5a5625	Chore: Cleanup namespace and ID resolution (#79360 ) * Chore: Cleanup namespace ID resolution * Check for negative userID when relevant * Reuse existing function for parsing ID as int * Fix imports	1 year ago
Karl Persson	8cb351e54a	Authn: Handle logout logic in auth broker (#79635 ) * AuthN: Add new client extension interface that allows for custom logout logic * AuthN: Add tests for oauth client logout * Call authn.Logout Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>	1 year ago
Misi	9e5826f40f	OAuth: Remove accessTokenExpirationCheck feature toggle (#79455 ) * Remove accessTokenExpirationCheck from code and align docs * Apply suggestions from code review * lint --------- Co-authored-by: lwandz13 <126723338+lwandz13@users.noreply.github.com>	1 year ago
Vardan Torosyan	a35146f7ed	Service account: Update last used timestamp when token is used (#79254 )	1 year ago
Misi	50f4e78a39	Auth: Use SSO settings service to load social connectors + refactor (#79005 ) * Refactor to prevent cyclic dependencies * Move list authorization to the API layer * Init connectors using the SSO settings service in case the ssoSettingsApi feature toggle is enabled * wip, need to handle the cyclic dep * Remove cyclic dependency * Align tests + refactor * Move back OAuthInfo to social * Delete pkg/login/social/constants * Move reloadable registration to the social providers * Rename connectors.Error to connectors.SocialError	1 year ago
Karl Persson	687ffb4a0c	Authn: Only resolve org id once (#78811 )	2 years ago
Gabriel MABILLE	059ba25973	AuthN: Check API Key is not trying to access another organization (#78749 ) * AuthN: Check API Key is not trying to access another organization * Revert local change * Add test * Discussed with Kalle we should set r.OrgID * Syntax sugar * Suggestion org-mismatch	2 years ago
Jo	7d559bc69a	AuthProxy: Do not allow sessions to be assigned with other methods (#78602 ) do not allow login token with other methods	2 years ago

1 2 3 4

189 Commits (4fd2cb601434bac80eaa7e7a6181e9b69c8fccb2)