grafana

Commit Graph

Author	SHA1	Message	Date
Jo	36a19bfa83	AuthProxy: Allow disabling Auth Proxy cache (#83755 ) * extract auth proxy settings * simplify auth proxy methods * add doc mentions	1 year ago
Jo	2182cc47ac	LDAP: Fix LDAP users authenticated via auth proxy not being able to use LDAP active sync (#83715 ) * fix LDAP users authenticated via auth proxy not being able to use ldap sync * simplify id resolution at the cost of no fallthrough * remove unused services * remove unused cache key	1 year ago
Gabriel MABILLE	80d6bf6da0	AuthN: Remove embedded oauth server (#83146 ) * AuthN: Remove embedded oauth server * Restore main * go mod tidy * Fix problem * Remove permission intersection * Fix test and lint * Fix TestData test * Revert to origin/main * Update go.mod * Update go.mod * Update go.sum	1 year ago
Klesh Wong	9282c7a7a4	AuthProxy: Invalidate previous cached item for user when changes are made to any header (#81445 ) * fix: sign in using auth_proxy with role a -> b -> a would end up with role b * Update pkg/services/authn/clients/proxy.go Co-authored-by: Karl Persson <kalle.persson92@gmail.com> * Update pkg/services/authn/clients/proxy.go Co-authored-by: Karl Persson <kalle.persson92@gmail.com>	1 year ago
Karl Persson	9e04fd0fb7	AuthToken: Remove client token rotation feature toggle (#82886 ) * Remove usage of client token rotation flag * Remove client token rotation feature toggle	1 year ago
Misi	bb9d5799cf	Auth: Load `oauth_allow_insecure_email_lookup` using the SettingsProvider (#82460 ) * wip * Introduce fixed:server.config:writer role * Fix tests * Update name	1 year ago
linoman	ac84069071	Password policy (#82268 ) * add password service interface * add password service implementation * add tests for password service * add password service wiring * add feature toggle * Rework from service interface to static function * Replace previous password validations * Add codeowners to password service * add error logs * update config files --------- Co-authored-by: Karl Persson <kalle.persson@grafana.com>	1 year ago
Jo	6f62d970e3	JWT Authentication: Add support for specifying groups in auth.jwt for teamsync (#82175 ) * merge JSON search logic * document public methods * improve test coverage * use separate JWT setting struct * correct use of cfg.JWTAuth * add group tests * fix DynMap typing * add settings to default ini * add groups option to devenv path * fix test * lint * revert jwt-proxy change * remove redundant check * fix parallel test	1 year ago
Gabriel MABILLE	596e828150	Fix: Refresh token when id_token is expired (#79569 ) * Fix: Refresh token when id_token is expired * add id_token comparison * Fix wire * Use userID as cache key * Apply suggestions from code review --------- Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>	1 year ago
Gabriel MABILLE	3df0611f81	RBAC: Fix authorize in org (#81552 ) * RBAC: Fix authorize in org * Implement option 2 * Fix typo * Fix alerting test * Add test to cover the not member case	1 year ago
Jo	f3f36e37fa	AuthInfo: No mandatory auth_id in Auth Info service (#81335 ) * fix auth info update not having mandatory auth_id * remove uneeded newline	1 year ago
Misi	20bb0a3ab1	AuthN: Support reloading SSO config after the sso settings have changed (#80734 ) * Add AuthNSvc reload handling * Working, need to add test * Remove commented out code * Add Reload implementation to connectors * Align and add tests, refactor * Add more tests, linting * Add extra checks + tests to oauth client * Clean up based on reviews * Move config instantiation into newSocialBase * Use specific error	1 year ago
Karl Persson	7b58f71b33	AuthN: Add auth hook that can sync grafana cloud role to rbac cloud role (#80416 ) * AuthnSync: Rename files and structures * AuthnSync: register rbac cloud role sync if feature toggle is enabled * RBAC: Add new sync function to service interface * RBAC: add common prefix and role names for cloud fixed roles * AuthnSync+RBAC: implement rbac cloud role sync Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	1 year ago
arukiidou	bffb28c177	refactor: use golang.org/x/oauth2 pkce option (#80511 ) Signed-off-by: junya koyama <arukiidou@yahoo.co.jp>	1 year ago
Ryan McKinley	1caaa56de0	FeatureFlags: Use interface rather than manager (#80000 )	1 year ago
Vardan Torosyan	63cd5a5625	Chore: Cleanup namespace and ID resolution (#79360 ) * Chore: Cleanup namespace ID resolution * Check for negative userID when relevant * Reuse existing function for parsing ID as int * Fix imports	1 year ago
Karl Persson	8cb351e54a	Authn: Handle logout logic in auth broker (#79635 ) * AuthN: Add new client extension interface that allows for custom logout logic * AuthN: Add tests for oauth client logout * Call authn.Logout Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>	1 year ago
Misi	9e5826f40f	OAuth: Remove accessTokenExpirationCheck feature toggle (#79455 ) * Remove accessTokenExpirationCheck from code and align docs * Apply suggestions from code review * lint --------- Co-authored-by: lwandz13 <126723338+lwandz13@users.noreply.github.com>	1 year ago
Vardan Torosyan	a35146f7ed	Service account: Update last used timestamp when token is used (#79254 )	1 year ago
Misi	50f4e78a39	Auth: Use SSO settings service to load social connectors + refactor (#79005 ) * Refactor to prevent cyclic dependencies * Move list authorization to the API layer * Init connectors using the SSO settings service in case the ssoSettingsApi feature toggle is enabled * wip, need to handle the cyclic dep * Remove cyclic dependency * Align tests + refactor * Move back OAuthInfo to social * Delete pkg/login/social/constants * Move reloadable registration to the social providers * Rename connectors.Error to connectors.SocialError	1 year ago
Karl Persson	687ffb4a0c	Authn: Only resolve org id once (#78811 )	2 years ago
Gabriel MABILLE	059ba25973	AuthN: Check API Key is not trying to access another organization (#78749 ) * AuthN: Check API Key is not trying to access another organization * Revert local change * Add test * Discussed with Kalle we should set r.OrgID * Syntax sugar * Suggestion org-mismatch	2 years ago
Jo	7d559bc69a	AuthProxy: Do not allow sessions to be assigned with other methods (#78602 ) do not allow login token with other methods	2 years ago
Kevin Wang	8bdfb7e1cf	chore(authn.service): fix typo in log statement (#76205 )	2 years ago
Karl Persson	1eb19befaa	Login: refactor auth info package (#78459 ) * Remove unused stats and metrics * No longer collect metrics * Remove unused dependency * Move database from sub package	2 years ago
Karl Persson	d42201dbf4	Login: remove unused function (#78442 ) * Move test to the db so we test the queries and not just testing the mock * Remove unused function and dependencies * Remove unused functions from the database * Add some integration tests	2 years ago
Karl Persson	140b5b4a61	AuthN: Add debug logs and check error during oauth token sync (#78323 ) Add some debug logs and handle error	2 years ago
Ryan McKinley	f69fd3726b	FeatureToggles: Add context and and an explicit global check (#78081 )	2 years ago
Ryan McKinley	5d5f8dfc52	Chore: Upgrade Go to 1.21.3 (#77304 )	2 years ago
Gabriel MABILLE	83e9088314	AuthN: Set oauth client grant_types based on plugin state (#77248 ) * Disable plugin service account * Fix bug seen by linoman 💯 Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> * Account for PR feedback Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> * Fix test data * Enable datasource plugins by default Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com> * Update pkg/services/extsvcauth/oauthserver/oasimpl/service.go * Handle error differently * Fix service reg --------- Co-authored-by: linoman <2051016+linoman@users.noreply.github.com> Co-authored-by: Andres Martinez Gotor <andres.martinez@grafana.com>	2 years ago
Misi	1e81ffccac	Auth: Handle when access token has already been refreshed in OAuth token sync (#77118 ) * Use singleflight to prevent logging error if the token has already been refreshed * Change order of error checks * align tests, change error name * Change sf key * Update based on the review * refactor	2 years ago
Karl Persson	ed1c50233f	Revert "AuthN: move oauth token hook into session client" (#76882 ) Revert "AuthN: move oauth token hook into session client (#76688)" This reverts commit `455cede699`.	2 years ago
Karl Persson	455cede699	AuthN: move oauth token hook into session client (#76688 ) * Move rotate logic into its own function * Move oauth token sync to session client * Add user to the local cache if refresh tokens are not enabled for the provider so we can skip the check in other requests	2 years ago
Karl Persson	1528d6f5c4	Authn: Prevent empty username and email during sync (#76330 ) * Move errors to error file * Move check for both empty username and email to user service * Move check for empty email and username to user service Update * Wrap inner error * Set username in test	2 years ago
Karl Persson	ceb6f8b409	Authn: error logs (#76264 ) * Reduce to debug for session need rotation error * try to extract log level from error and fallback to warning	2 years ago
Karl Persson	ea741dda6b	Signingkeys: Add local cache (#76234 ) * IDForwarding: change audience to be prefixed by org and remove JTI * IDForwarding: Construct new signer each time we want to sign a token. * SigningKeys: Simplify storage layer and move logic to service * SigningKeys: Add private key to local cache	2 years ago
Karl Persson	81b366e2c8	AuthN: Make logger less noisy (#76044 ) * Change to debug for token needs rotation errors	2 years ago
Misi	bd2191c158	Auth: OAuth token sync improvements (#75943 ) * Add metric, improve token refresh * changes * handle ctx cancelled * Fix import order	2 years ago
Gabriel MABILLE	193ec8de2b	AuthN: Move oauthserver to extsvcauth (#75972 ) * AuthN: Move oauthserver to extsvcauth * Codeowners	2 years ago
Jo	44fa0697ce	Auth: Signing Key persistence (#75487 ) * signing key wip use db keyset storage add signing_key table add testing for key storage add ES256 key tests Remove caching and implement UpdateOrCreate Stabilize interfaces * Encrypt private keys * Fixup signer * Fixup ext_jwt * Add GetOrCreatePrivate with automatic key rotation * use GetOrCreate for ext_jwt * use GetOrCreate in id * catch invalid block type * fix broken test * remove key generator * reduce public interface of signing service	2 years ago
Marcus Efraimsson	e4c1a7a141	Tracing: Standardize on otel tracing (#75528 )	2 years ago
Karl Persson	7a38090bc0	AuthN: Fix namespaces for anonymous and render (#75661 ) * AuthN: remove IsAnonymous from identity struct and set correct namespace for anonymous and render * Don't parse user id for render namespace	2 years ago
Karl Persson	fd2235b5ad	AuthN: Implement requester interface for identity (#75618 ) * AuthN: Implement identity.Requester interface for authn.Identity * AuthN: Replace OrgRole with GetOrgRole * IDForwarding: skip converting to SignedInUser * Pass identity directly in permission sync hook	2 years ago
Karl Persson	b9b4246432	IDForwarding: Add auth hook to generate id token (#75555 ) * AuthN: Move identity struct to its own file * IDForwarding: Add IDToken property to usr and identity structs and add GetIDToken to requester interface * Inject IDService into background services * IDForwarding: Register post auth hook when feature toggle is enabled	2 years ago
Gabriel MABILLE	0ed649b108	AuthN: Change EnableDisabledUserHook to EnableUserHook (#75248 ) * Replace the enable disable user hook by a hook that systematically enable users * Fix tests * Remove the skip test	2 years ago
Jo	40a1f8434d	Anon: Scaffold anon service (#74744 ) * remove API tagging method and authed tagging * add anonstore move debug to after cache change test order fix issue where mysql trims to second * add old device cleanup lint utc-ize everything trim whitespace * remove dangling setting * Add delete devices * Move anonymous authnclient to anonimpl * Add simple post login hook * move registration of Background Service cleanup * add updated_at index * do not untag device if login err * add delete device integration test	2 years ago
Gabriel MABILLE	c8149d50f9	LDAP: FIX Enable users on successfull login (#75073 ) * LDAP: Enable users on successfull login * Force enable ldap users on successful login * Fix tests * Fix tests	2 years ago
Karl Persson	cebae4fb9a	Requester: Update GetCacheKey (#74834 ) * AuthN: re-export all namespaces * Identity: Change signature of GetCacheKey * User: check HasUniqueID * Default to org role None if role is empty	2 years ago
Artur Wierzbicki	d50ccd6741	Chore: AuthN/IdentitySynchronizer interface/impl compatibility wire fix (#74400 ) authn/identitysynchronizer fix	2 years ago
linoman	13f4382214	Auth: Implement requester interface in access control module (#74289 ) * Implement requester interface in the access control module	2 years ago

1 2 3 4 5

212 Commits (c8ce20a807819626979fdf3facce1db53ec511d9)