grafana

Commit Graph

Author	SHA1	Message	Date
Jo	7f3536a6d2	OAuth: Fix misleading warn log related to oauth and increase logged content (#57336 ) * only emit warn log when sync is not skipped. Fix warn log that had wrong recommendation * log presence of refresh token	3 years ago
Misi	9c954d06ab	Auth: Refresh OAuth access_token automatically using the refresh_token (#56076 ) * Verify OAuth token expiration for oauth users in the ctx handler middleware * Use refresh token to get a new access token * Refactor oauth_token.go * Add tests for the middleware changes * Align other tests * Add tests, wip * Add more tests * Add InvalidateOAuthTokens method * Fix ExpiryDate update to default * Invalidate OAuth tokens during logout * Improve logout * Add more comments * Cleanup * Fix import order * Add error to HasOAuthEntry return values * add dev debug logs * Fix tests Co-authored-by: jguer <joao.guerreiro@grafana.com>	3 years ago
Junaid Ali	33eb4a2807	Exclude full OAuth token details from printing out on stdout (#55426 ) * remove token details from printing out on stdout * Update login_oauth.go * address comment	3 years ago
Jo	00e7324bf6	Auth: Restore legacy behavior and add deprecation notice for empty org role in oauth (#55118 ) * Auth: Add deprecation notice for empty org role Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * fix recasts * fix azure tests missing logger * Adding test to gitlab oauth * Covering more cases * Cover more options * Add role attributestrict check fail * Adding one more edge case test * Using legacy for gitlab * Yet another edge case YAEC * Reverting github oauth to legacy Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Not using token Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Nit. * Adding warning in docs Co-authored-by: Jguer <joao.guerreiro@grafana.com> * add warning to generic oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Be more precise Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Adding warning to github oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Adding warning to gitlab oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Adding warning to okta oauth Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Add docs about mapping to AzureAD Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Clarify oauth_skip_org_role_update_sync Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Nit. * Nit on Azure AD Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Reorder docs index Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Fix typo Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: gamab <gabi.mabs@gmail.com>	3 years ago
Jo	ef245874da	OAuth: Allow assigning Server Admin (#54780 ) * extract errors to errors file * implement oauth server admin assignment * add server admin tests * deduplicate autoAssignOrgRole * deduplicate strict setting * deduplicate strict setting * add support for generic oauth * add role attribute strict support for generic oauth * add support for github/gitlab * assignGrafanaAdmin option is here to stay * unify similar errors * add config option * add okta server admin mapping * remove never used Company attribute * unify generic oauth role extract with other methods * case insensitive role match as in azure * add ini settings * add server admin to devenv * remove duplicate fields * add documentation to oauth * fix titlecase test * implement doc feedback	3 years ago
idafurjes	6afad51761	Move SignedInUser to user service and RoleType and Roles to org (#53445 ) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2	3 years ago
Jo	beb3cb9abe	Oauth: Reduce error scope on upsert (#53242 )	3 years ago
Jo	f3ee57abef	Fix: Choose Lookup params per auth module (#395 ) (#52312 ) Co-authored-by: Karl Persson <kalle.persson@grafana.com> Fix: Prefer pointer to struct in lookup Co-authored-by: Karl Persson <kalle.persson@grafana.com> Fix: user email for ldap Co-authored-by: Karl Persson <kalle.persson@grafana.com> Fix: Use only login for lookup in LDAP Co-authored-by: Karl Persson <kalle.persson@grafana.com> Fix: use user email for ldap Co-authored-by: Karl Persson <kalle.persson@grafana.com> fix remaining test fix nit picks	4 years ago
idafurjes	6c43eb0b4d	Split Create User (#50502 ) * Split Create User * Use new create user and User from package user * Add service to wire * Making create user work * Replace user from user pkg * One more * Move Insert to orguser Service/Store * Remove unnecessary conversion * Cleaunp * Fix Get User and add fakes * Fixing get org id for user logic, adding fakes and other adjustments * Add some tests for ourguser service and store * Fix insert org logic * Add comment about deprecation * Fix after merge with main * Move orguser service/store to org service/store * Remove orguser from wire * Unimplement new Create user and use User from pkg user * Fix wire generation * Fix lint * Fix lint - use only User and CrateUserCommand from user pkg * Remove User and CreateUserCommand from models * Fix lint 2	4 years ago
Jguer	d2ab3556fa	OAuth: Restore debug log behavior (#51244 )	4 years ago
Karl Persson	95a4c4a4d6	OAuth: Redirect to login if no oauth module is found or if module is not configured (#50661 ) * OAuth: Redirect to login if no oauth module is found or if module is not configured * OAuth: Update test to check for location header	4 years ago
Alexander Zobnin	9b61d9eb1c	Fix wrap_handler() panic during OAuth login (#49671 )	4 years ago
baez90	6beba5a049	Chore: add setting to skip org assignment for external users (#34834 ) * Chore: add setting to skip org assignment for external users Introduce 'skip_org_role_update_sync' setting to skip any kind of org assignment during the login of external users. As a consequence manual organization assignments won't be overridden during the upsert of an external user. Part of #22605 * Chore: Rename skip_org_role_update_sync to oauth_skip_org_role_update_sync and relocate it to auth section * Chore: replace global setting access where possible	4 years ago
ying-jeanne	016fa77460	remove bus from loginservice (#44907 )	4 years ago
idafurjes	8e6d6af744	Rename DispatchCtx to Dispatch (#43563 )	4 years ago
Serge Zaitsev	d9cdcb550e	Chore: Refactor api handlers to use web.Bind (#42199 ) * Chore: Refactor api handlers to use web.Bind * fix comments * fix comment * trying to fix most of the tests and force routing.Wrap type check * fix library panels tests * fix frontend logging tests * allow passing nil as a response to skip writing * return nil instead of the response * rewrite login handler function types * remove handlerFuncCtx * make linter happy * remove old bindings from the libraryelements * restore comments	4 years ago
idafurjes	ac6867c3bb	Chore: Add context to authinfo (#42096 ) * Add context to authinfo * Replace Dispatch with DispatchCtx	4 years ago
ying-jeanne	54de1078c8	remove the global log error/warn etc functions (#41404 ) * remove the global log error/warn etc functions and use request context logger whenever possible	4 years ago
ying-jeanne	681218275e	remove crit and trace (#40320 )	4 years ago
Emil Tullstedt	e73cd2fdeb	OAuth: Support PKCE (#39948 )	4 years ago
Serge Zaitsev	57fcfd578d	Chore: replace macaron with web package (#40136 ) * replace macaron with web package * add web.go	4 years ago
Serge Zaitsev	063160aae2	Chore: pass url parameters through context.Context (#38826 ) * pass url parameters through context.Context * fix url param names without colon prefix * change context params to vars * replace url vars in tests using new api * rename vars to params * add some comments * rename seturlvars to seturlparams	4 years ago
idafurjes	60ac54d969	Chore: Refactor OAuth/social package to service (#35403 ) * Creating SocialService * Add GetOAuthProviders as socialService method * Add OAuthTokenService * Add GetOAuthHttpClient method to SocialService * Rename services, access socialMap from GetConnector * Fix tests by mocking oauthtoken methods * Move NewAuthService into Init * Move OAuthService to social pkg * Refactor OAuthService to OAuthProvider * Fix nil map error, rename file, simplify tests * Fix bug for Forward OAuth Identify * Remove file after rebase	5 years ago
Arve Knudsen	dd2d206d99	Backend: Remove more globals (#29644 ) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>	5 years ago
Arve Knudsen	c2cad26ca9	Chore: Disable default golangci-lint filter (#29751 ) * Disable default golangci-lint filter Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Chore: Fix linter warnings Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>	5 years ago
Arve Knudsen	12661e8a9d	Move middleware context handler logic to service (#29605 ) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>	5 years ago
Arve Knudsen	294770f411	Chore: Handle wrapped errors (#29223 ) * Chore: Handle wrapped errors Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>	5 years ago
Agnès Toulet	2c246276fd	API: replace SendLoginLogCommand with LoginHook (#28777 ) * API: replace SendLoginLogCommand with LoginHook * LoginInfo: Query -> LoginUsername	5 years ago
Bill Oley	19caa100dc	OAuth: Fix token refresh failure when custom SSL settings are configured for OAuth provider (#27523 ) OAuth token refresh fails when custom SSL settings are configured for oauth provider. These changes makes sure that custom SSL settings are applied for HTTP client before refreshing token. Fixes #27514	5 years ago
Agnès Toulet	a9daaadd50	API: send Login actions (#27249 ) * API: first version to send events about login actions * API: improve login actions events * Login: update auth test with new behavior * Login: update auth test for auth module * Login OAuth: improve functions structure * API: make struct public to use for saml * API: add send login log tests for grafana and ldap login * API: remove log from tests * Login API: fix test linting * Update pkg/api/login_oauth.go Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> * Login API: refactor using defer Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>	5 years ago
Arve Knudsen	7589b1b517	OAuth: Refactor user syncing (#26721 ) * OAuth: Refactor user syncing Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Don't ignore error Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>	5 years ago
Arve Knudsen	5a6afd9096	OAuth: Add some debug logs (#26716 ) * OAuth: Add some debug logs Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>	5 years ago
Arve Knudsen	4c56eb3991	Chore: Enable goprintffuncname and nakedret linters (#26376 ) * Chore: Enable goprintffuncname linter * Chore: Enable nakedret linter Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>	6 years ago
Alexander Zobnin	f023e7a399	SAML Role and Team sync (open source part) (#23391 ) * SAML: add default params for role and team sync * SAML: add org_mapping option * SAML: support allowed_organizations option * Chore: expose RedirectWithError from HTTPServer * Chore: return RedirectResponse (fix superfluous response.writeheader message) * HTTPServer: expose ValidateRedirectTo() and CookieOptionsFromCfg() * Config: move SAML section to the enterprise	6 years ago
rtrompier	474dac1501	OAuth : Introduce new setting for configuring max age of OAuth state cookie (#23195 ) * Cookie : Increase duration to avoid error When using oauth2 authentication with multifactor, the 60s delay may be too short * Introduce new setting for OAuth state cookie max age Co-authored-by: Sofia Papagiannaki <sofia@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>	6 years ago
Carl Bergquist	3798ac903d	Upgrade golangci-lint and fixes some linting errors. (#22909 ) Example: https://play.golang.org/p/cfPIPG3BwjJ	6 years ago
Sofia Papagiannaki	be022d4239	API: Fix redirect issues (#22285 ) * Revert "API: Fix redirect issue when configured to use a subpath (#21652)" (#22671) This reverts commit `0e2d874ecf`. * Fix redirect validation (#22675) * Chore: Add test for parse of app url and app sub url Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Fix redirect: prepend subpath only if it's missing (#22676) * Validate redirect in login oauth (#22677) * Fix invalid redirect for authenticated user (#22678) * Login: Use correct path for OAuth logos Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>	6 years ago
Carl Bergquist	3fdd2648b1	Chore: Avoid aliasing importing models in api package (#22492 )	6 years ago
Arve Knudsen	8d1bef3769	OAuth: Enforce auto_assign_org_id setting when role mapping enabled using Generic OAuth (#22268 ) * OAuth: Make use of auto_assign_org_id setting	6 years ago
Jeffrey Descan	c5f906f472	Security: refactor 'redirect_to' cookie to use 'Secure' flag (#19787 ) * Refactor redirect_to cookie with secure flag in middleware * Refactor redirect_to cookie with secure flag in api/login * Refactor redirect_to cookie with secure flag in api/login_oauth * Removed the deletion of 'Set-Cookie' header to prevent logout * Removed the deletion of 'Set-Cookie' at top of api/login.go * Add HttpOnly flag on redirect_to cookies where missing * Refactor duplicated code * Add tests * Refactor cookie options * Replace local function for deleting cookie * Delete redundant calls Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>	6 years ago
Martin Reinhardt	7a3d1c0e4b	OAuth: Generic OAuth role mapping support (#17149 ) Adds support for Generic OAuth role mapping. A new configuration setting for generic oauth is added named role_attribute_path which accepts a JMESPath expression. Only Grafana roles named Viewer, Editor or Admin are accepted. Closes #9766	6 years ago
Arve Knudsen	0a2d5e16dd	pkg/api: Check errors (#19657 ) * pkg/api: Check errors * pkg/api: Remove unused function HashEmail	6 years ago
Sofia Papagiannaki	269c1fb107	Do not set SameSite for OAuth cookie if cookie_samesite is None (#18392 )	6 years ago
Sofia Papagiannaki	69b7b8bb46	Fix OAuth error due to SameSite cookie policy (#18332 ) The `oauth_state` cookie used to be created with the SameSite value set according to the `cookie_samesite` configuration. However, due to a Safari bug SameSite=None or SameSite=invalid are treated as Strict which results in "missing saved state" OAuth login failures because the cookie is not sent with the redirect requests to the OAuth provider. This commit always creates the `oauth_state` cookie with SameSite=Lax to compensate for this.	6 years ago
Oleg Gaidarenko	d16fd58bdb	Auth: do not expose disabled user disabled status (#18229 ) Fixes #17947	7 years ago
Oleg Gaidarenko	75fa1f0207	Metrics: use consistent naming for exported variables (#18134 ) * Metrics: remove unused metrics Metric `M_Grafana_Version` is not used anywhere, nor the mentioned `M_Grafana_Build_Version`. Seems to be an artefact? * Metrics: make the naming consistent * Metrics: add comments to exported vars * Metrics: use proper naming Fixes #18110	7 years ago
Alexander Zobnin	48d5a1bcd3	OAuth: deny login for disabled users (#17957 )	7 years ago
Alexander Zobnin	c2affdee1e	OAuth: return github teams as a part of user info (enable team sync) (#17797 ) * OAuth: github team sync POC * OAuth: minor refactor of github module * OAuth: able to use team shorthands for github team sync * support passing a list of groups via auth-proxy header	7 years ago
zhulongcheng	2fff8f77dc	move log package to /infra (#17023 ) ref #14679 Signed-off-by: zhulongcheng <zhulongcheng.me@gmail.com>	7 years ago
bergquist	60fef31748	moves social package to /login ref #14679	7 years ago

1 2 3

112 Commits (a9458c8c00c5aba6efcbf9879662ebdd6174c248)