grafana

Commit Graph

Author	SHA1	Message	Date
Misi	7128415529	Auth: Add more context to logs around token rotation, revocation (#78600 ) Add more context to logs around token rotation, revocation Co-authored-by: Karl Persson <kalle.persson@grafana.com>	2 years ago
Ryan McKinley	f69fd3726b	FeatureToggles: Add context and and an explicit global check (#78081 )	2 years ago
Karl Persson	bc9fab6f30	IDForwarding: Update settings name (#77257 ) Update settings name	2 years ago
Karl Persson	1b6d39f823	IDForwarding: Require that id forwarding is enabled for data source (#77131 ) * Require that id forwarding is enabled for data source * Address feedback	2 years ago
Karl Persson	e2ba399e30	IDForwarding: Use single flight for SignIdentity (#76530 ) * IDForwarding: Use single flight for SignIdentity * Update cache inside single flight call	2 years ago
Karl Persson	ea741dda6b	Signingkeys: Add local cache (#76234 ) * IDForwarding: change audience to be prefixed by org and remove JTI * IDForwarding: Construct new signer each time we want to sign a token. * SigningKeys: Simplify storage layer and move logic to service * SigningKeys: Add private key to local cache	2 years ago
Jo	8919cafcb4	Identity: Unfurl UserID and Email in pkg/api to user identity.Requester (#76112 ) * Unfurl OrgRole in pkg/api to allow using identity.Requester interface * Unfurl Email in pkg/api to allow using identity.Requester interface * Update UserID in pkg/api to allow using identity.Requester interface * fix authed test * fix datasource tests * guard login * fix preferences anon testing * fix anonymous index rendering * do not error with user id 0	2 years ago
Karl Persson	a2d4ce18ad	IDForwarding: Add basic metrics (#75798 ) * IDService: Add basic metrics * IDService: Add more metrics --------- Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>	2 years ago
Karl Persson	09e638cd9d	IDForwarding: Use feature toggle not generate a key if feature is not enabled (#75961 ) * Use feature toggle not generate a key if feature is not enabled * Fix check	2 years ago
Jo	44fa0697ce	Auth: Signing Key persistence (#75487 ) * signing key wip use db keyset storage add signing_key table add testing for key storage add ES256 key tests Remove caching and implement UpdateOrCreate Stabilize interfaces * Encrypt private keys * Fixup signer * Fixup ext_jwt * Add GetOrCreatePrivate with automatic key rotation * use GetOrCreate for ext_jwt * use GetOrCreate in id * catch invalid block type * fix broken test * remove key generator * reduce public interface of signing service	2 years ago
Karl Persson	fd2235b5ad	AuthN: Implement requester interface for identity (#75618 ) * AuthN: Implement identity.Requester interface for authn.Identity * AuthN: Replace OrgRole with GetOrgRole * IDForwarding: skip converting to SignedInUser * Pass identity directly in permission sync hook	2 years ago
Karl Persson	b9b4246432	IDForwarding: Add auth hook to generate id token (#75555 ) * AuthN: Move identity struct to its own file * IDForwarding: Add IDToken property to usr and identity structs and add GetIDToken to requester interface * Inject IDService into background services * IDForwarding: Register post auth hook when feature toggle is enabled	2 years ago
Karl Persson	b50f1e15a8	IDForwarding: Add service and a local signer (#75423 ) * IDForwarding: Add service for handling id token and create a local signer --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	2 years ago
Karl Persson	cebae4fb9a	Requester: Update GetCacheKey (#74834 ) * AuthN: re-export all namespaces * Identity: Change signature of GetCacheKey * User: check HasUniqueID * Default to org role None if role is empty	2 years ago
Eric Leijonmarck	b00f3216c1	Auth: Refactor for revoking user tokens within last hours (#74616 ) * fix: revoked tokens within last hours adds check for unlimited sessions out of index adds a function for specifing the hours to look back when revoking users tokens, otherwise we "assume" the clean up takes care of them adds a index for the `user_auth_token` - `revoked_at` for faster queries when using `revoked_at` * fix: sqllite datetime conversion with unixtimestamps * fix: postgres dialect * fix: mysql dialect * fix: mysql dialect missing closing ) * refactor: delete revoked tokens directly * fix: tests for sqlite * AuthToken: Simplify DeleteUserRevokedTokens and add test * fix: linting newline * Reset get time after test * fix: test order by revoked * fix: order by different db * ascending * test with seen at --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com>	2 years ago
Jo	77e4d477e5	Auth: Optimize auth token operations (#74602 ) * add token count * wip * user count method for tag reporting * remove non functioning mysql clientFoundRows check * Update pkg/services/auth/authtest/testing.go Co-authored-by: Misi <mgyongyosi@users.noreply.github.com> * add user ID guard --------- Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>	2 years ago
linoman	13f4382214	Auth: Implement requester interface in access control module (#74289 ) * Implement requester interface in the access control module	2 years ago
Serge Zaitsev	8187d8cb66	Chore: capitalise log message for auth packages (#74332 )	2 years ago
Eric Leijonmarck	47a756d524	Auth: Move to requester interface (#74276 ) add identity interface for auth	2 years ago
Ryan McKinley	025b2f3011	Chore: use any rather than interface{} (#74066 )	2 years ago
Jo	5eed495cce	Chore: Port user services to identity.Requester (#73851 ) * port api key api to signedinuser * port users to signed in user interface * fix tests	2 years ago
Jo	26339f978b	Auth: Move access control API to SignedInUser interface (#73144 ) * move access control api to SignedInUser interface * remove unused code * add logic for reading perms from a specific org * move the specific org logic to org_user.go * add a comment --------- Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>	2 years ago
Jo	67de18ff06	Auth: Move Service Account service to SignedInUser Interface (#73142 ) * move service account service to identity interface * Update pkg/services/auth/identity/requester.go	2 years ago
Jo	5d8e6aa162	Auth: Org Invite and Team API SignedInUser interfacing (#73085 ) * fix ngalert Evaluate sig change * interface for teams and org invites * Update pkg/api/org_invite.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	2 years ago
Jo	bd1a856d33	Auth: Add SignedIn user interface NamespacedID (#72944 ) * wip * scope active user to 1 org * remove TODOs * add render auth namespace * import cycle fix * make condition more readable * convert Evaluate to user Requester * only use active OrgID for SearchUserPermissions * add cache key to interface definition * change final SignedInUsers to interface * fix api key managed roles fetch * fix anon auth id parsing * Update pkg/services/accesscontrol/acimpl/accesscontrol.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	2 years ago
Misi	bba11d04cb	Auth: Add key_id config param to auth.jwt (#72711 ) * Specify keyID for public key provided in PEM format for JWT Auth * Update docs * Update sample.ini	2 years ago
Jo	30274a4f88	Auth: Move Team service to SignedInUserInterface (#72674 ) * move SignedInUser to specific file * add primitive interface for signedInUser	2 years ago
Jo	5e5c751ecd	Auth: Respect cache control for JWKS in auth.jwt (#68872 ) * respect cache control for auth.jwt * add documentation * add small note on cache control header ignores * make distinction of env	2 years ago
Karl Persson	382b24742a	Auth: Add feature flag to move token rotation to client (#65060 ) * FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	2 years ago
Carl Bergquist	eb507dca89	Remotecache: rename setbytearray/getbytearray to set/get and remove codec (#64470 ) Signed-off-by: bergquist <carl.bergquist@gmail.com>	2 years ago
Jo	45fde4235b	Deps: Replace go-jose v2 with go-jose v3 (#64228 ) replace go-jose v2 with go-jose v3	2 years ago
Carl Bergquist	b88206d98f	Cache: Refactor cache clients to use byte array (#62930 ) Signed-off-by: bergquist <carl.bergquist@gmail.com>	2 years ago
Carl Bergquist	64c2032c2b	Auth: removes temporary cache of user session token (#62730 ) Signed-off-by: bergquist <carl.bergquist@gmail.com>	2 years ago
Misi	7c1d9769ca	Auth: Rotate token patch (#62676 ) * Use singleflight.Group * Align tests * Cleanup	2 years ago
Serge Zaitsev	7dbd2cd139	Chore: Fix goimports grouping (#62426 ) fix goimports ordering	2 years ago
Kristin Laemmert	9256a520a4	chore: move user_auth models to (mostly) login service (#62269 ) * chore: move user_auth models to (mostly) login service	2 years ago
Kristin Laemmert	cd08f2575a	chore: move jwt models into auth/jwt (#61862 ) * chore: move jwt models into auth/jwt	2 years ago
Misi	b8b08ea292	Auth: Add sub claim check to JWT Auth pre-checks (#61417 ) * Auth: Add sub claim check to JWT Auth pre-checks * Add #nosec annotation to the test tokens	2 years ago
Jo	0c8ad80575	Authn: JWT client (#61157 ) * add jwt client * alias JWT verifier * debug implementation * add tests for jwt client * add constant for JWT module * Feedback Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Mihály Gyöngyösi <mgyongyosi@users.noreply.github.com>	2 years ago
Jo	df4f0343e5	Auth: Session cache [main] (#59935 ) * Auth: Session cache [v9.2.x] (#59907) * add cache wrapper only cache token if not to rotate Co-authored-by: Kalle Persson <kalle.persson@grafana.com> anticipate next rotation Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> (cherry picked from commit `07a4b2343d`) * FeatureToggle: for storing sessions in a Remote Cache Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> (cherry picked from commit `b8a8c15148`) * use feature flag for session cache * ensure ttl is minimum 1 second Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * ensure 2 ttl window to prevent caching of tokens near rotation Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * fix description of toggle Co-authored-by: gamab <gabi.mabs@gmail.com> Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com> Co-authored-by: Kalle Persson <kalle.persson@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> (cherry picked from commit `2919588a82`) * fix broken quota test	3 years ago
Jo	fee50be1bb	Sessions: Remove invalid session cookie if it's invalid/expired/missing (#59556 ) only remove invalid session cookie if it's invalid/expired/missing	3 years ago
Karl Persson	062c5b805c	Auth: Merge ActiveAuthTokenService into UserAuthTokenService (#59032 ) * Auth: Merge UserTokenService and ActiveAuthTokenService * Auth: Rename function	3 years ago
Karl Persson	fef1e1d5bc	Auth: Refactor auth package (#58920 ) * Auth: move interface to its own file * Auth: move to test package * Auth: move quota consts to auth file * Auth: move service to impl package * Auth: move interfaces and related models to auth package * Auth: Create sub package and type alias to avoid circular dependency	3 years ago
Sofia Papagiannaki	9855e74b92	Chore: Refactor quota service (#58643 ) Chore: Refactor quota service (#57586) * Chore: refactore quota service * Apply suggestions from code review	3 years ago
Sofia Papagiannaki	96cdf77995	Revert "Chore: Refactor quota service (#57586 )" (#58394 ) This reverts commit `326ea86a57`.	3 years ago
Sofia Papagiannaki	326ea86a57	Chore: Refactor quota service (#57586 ) * Chore: refactore quota service * Apply suggestions from code review	3 years ago
Kristin Laemmert	05709ce411	chore: remove sqlstore & mockstore dependencies from (most) packages (#57087 ) * chore: add alias for InitTestDB and Session Adds an alias for the sqlstore InitTestDB and Session, and updates tests using these to reduce dependencies on the sqlstore.Store. * next pass of removing sqlstore imports * last little bit * remove mockstore where possible	3 years ago
Misi	9c954d06ab	Auth: Refresh OAuth access_token automatically using the refresh_token (#56076 ) * Verify OAuth token expiration for oauth users in the ctx handler middleware * Use refresh token to get a new access token * Refactor oauth_token.go * Add tests for the middleware changes * Align other tests * Add tests, wip * Add more tests * Add InvalidateOAuthTokens method * Fix ExpiryDate update to default * Invalidate OAuth tokens during logout * Improve logout * Add more comments * Cleanup * Fix import order * Add error to HasOAuthEntry return values * add dev debug logs * Fix tests Co-authored-by: jguer <joao.guerreiro@grafana.com>	3 years ago
Sofia Papagiannaki	8b77ee2734	SQLStore: Ensure that sessions are always closed (#55864 ) * SQLStore: Ensure that sessions are always closed Delete `NewSession()` in favour of `WithDbSession()` * Add WithDbSessionForceNewSession to the interface * Apply suggestions from code review	3 years ago
Marcus Efraimsson	862a6a2fa6	Logging: Introduce API for contextual logging (#55198 ) Introduces a FromContext method on the log.Logger interface that allows contextual key/value pairs to be attached, e.g. per request, so that any logger using this API will automatically get the per request context attached. The proposal makes the traceID available for contextual logger , if available, and would allow logs originating from a certain HTTP request to be correlated with traceID. In addition, when tracing not enabled, skip adding traceID=00000000000000000000000000000000 to logs.	3 years ago

1 2 3

131 Commits (7a006c32bbad4c29e8b4eeeebe125bd671f0985a)