grafana

Commit Graph

Author	SHA1	Message	Date
Jeffrey Descan	c5f906f472	Security: refactor 'redirect_to' cookie to use 'Secure' flag (#19787 ) * Refactor redirect_to cookie with secure flag in middleware * Refactor redirect_to cookie with secure flag in api/login * Refactor redirect_to cookie with secure flag in api/login_oauth * Removed the deletion of 'Set-Cookie' header to prevent logout * Removed the deletion of 'Set-Cookie' at top of api/login.go * Add HttpOnly flag on redirect_to cookies where missing * Refactor duplicated code * Add tests * Refactor cookie options * Replace local function for deleting cookie * Delete redundant calls Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>	6 years ago
Torkel Ödegaard	be2bf1a297	AuthProxy: Can now login with auth proxy and get a login token (#20175 ) * AuthProxy: Can now login with auth proxy and get a login token * added unit tests * renamed setting and updated docs * AuthProxy: minor tweak * Fixed tests and namings * spellfix * fix * remove unused setting, probably from merge conflict * fix	6 years ago
Jon Gyllenswärd	53f8088316	Auth Proxy: replace ini setting ldap_sync_ttl with sync_ttl (#20191 ) * Renamed ttl config in code to be more consistent with behaviour * Introduced new setting `sync_ttl` in .ini file * Keeping the old setting `ldap_sync_ttl` in the .ini file as fallback and compatibility.	6 years ago
Arve Knudsen	35e0e078b7	pkg/util: Check errors (#19832 ) * pkg/util: Check errors * pkg/services: DRY up code	6 years ago
Arve Knudsen	6e7c18fc1c	pkg/middleware: Check errors (#19749 ) * pkg/middleware: Check errors * pkg/middleware: Log when gzip middleware handler fails	6 years ago
gotjosh	0cbbb43222	LDAP: Add API endpoint to debug user mapping from LDAP (#18833 ) * Move the ReloadLDAPCfg function to the debug file Appears to be a better suite place for this. * LDAP: Return the server information when we find a specific user We allow you to specify multiple LDAP servers as part of LDAP authentication integration. As part of searching for specific users, we need to understand from which server they come from. Returning the server configuration as part of the search will help us do two things: - Understand in which server we found the user - Have access the groups specified as part of the server configuration * LDAP: Adds the /api/admin/ldap/:username endpoint This endpoint returns a user found within the configured LDAP server(s). Moreso, it provides the mapping information for the user to help administrators understand how the users would be created within Grafana based on the current configuration. No changes are executed or saved to the database, this is all an in-memory representation of how the final result would look like.	6 years ago
Marcus Efraimsson	964c2e722f	Snapshot: Fix http api (#18830 ) (cherry picked from commit `be2e2330f5`)	6 years ago
Oleg Gaidarenko	6ca1a6c8da	Auth: change the error HTTP status codes (#18584 ) * Auth: change the error HTTP status codes * Use 407 HTTP status code for incorrect credentials error * Improve proxy auth logs * Remove no longer needed TODO comment Fixes #18439	6 years ago
kay delaney	fb0cec5591	Backend: Adds support for HTTP/2 (#18358 ) * Backend: Adds support for HTTP/2 * Adds mozilla recommended ciphers * Updates sample.ini and config documentation	6 years ago
Sofia Papagiannaki	4e29357d15	Backend: Do not set SameSite cookie attribute if cookie_samesite is none (#18462 ) * Do not set SameSite login_error cookie attribute if cookie_samesite is none * Do not set SameSite grafana_session cookie attribute if cookie_samesite is none * Update middleware tests	6 years ago
Oleg Gaidarenko	d88fdc86fc	Auth: Do not search for the user twice (#18366 ) * Auth: Do not search for the user twice Previously `initContextWithBasicAuth` did not use `LoginUserQuery`, doing `GetUserByLoginQuery` only i.e. looking user in DB only, things changed when this function started to check LDAP provider via `LoginUserQuery` (#6940), however, this request was placed after `GetUserByLoginQuery`, so we first looking in DB then in the LDAP - if LDAP user hasn't logged in we will not find it in DB, so `LoginUserQuery` will never be reached. `LoginUserQuery` request already performs `GetUserByLoginQuery` request in correct sequence. So we can just remove redundant request. * Correct sequence execution during authentification & introduce tests for it * Move basic auth tests to separate test file, since main test file already pretty large * Introduce `testing.go` for the middleware module * Remove redundant test helper function * Make handler names more explicit Ref `5777f65d05` Fixes #18329 * Auth: address review comment	6 years ago
Oleg Gaidarenko	7e89a93b5f	Auth: introduce more tests for middleware module (#18365 ) * Add tests for errors basic auth cases and moves tests to separate test-case. Also names test cases consistently * Add additional test helper Ref `82661b9f69`	6 years ago
Oleg Gaidarenko	82661b9f69	Auth: consistently return same basic auth errors (#18310 ) * Auth: consistently return same basic auth errors * Put repeated errors in consts and return only those consts as error strings * Add tests for errors basic auth cases and moves tests to separate test-case. Also names test cases consistently * Add more error logs and makes their messages consistent * A bit of code style * Add additional test helper * Auth: do not expose even incorrect password * Auth: address review comments Use `Debug` for the cases when it's an user error	6 years ago
gotjosh	ed8aeb2999	Auth Proxy: Include additional headers as part of the cache key (#18298 ) * Auth Proxy: Include additional headers as part of the cache key Auth proxy has support to send additional user attributes as part of the authentication flow. These attributes (e.g. Groups) need to be monitored as part of the process in case of change. This commit changes the way we compute the cache key to include all of the attributes sent as part of the authentication request. That way, if we change any user attributes we'll upsert the user information.	6 years ago
Oleg Gaidarenko	75fa1f0207	Metrics: use consistent naming for exported variables (#18134 ) * Metrics: remove unused metrics Metric `M_Grafana_Version` is not used anywhere, nor the mentioned `M_Grafana_Build_Version`. Seems to be an artefact? * Metrics: make the naming consistent * Metrics: add comments to exported vars * Metrics: use proper naming Fixes #18110	7 years ago
gotjosh	332920954e	SAML: Show SAML login button even if OAuth is disabled (#17993 ) * Move the SAML button outside of the oauth div * Don't attempt to search cookies with an empty name	7 years ago
Oleg Gaidarenko	caa1314f44	Build: use golangci-lint as a make command (#17739 ) * Build: use golangci-lint as a make command * Since gometalinter was deprecated in favor of golangci-lint so it was replaced by it. Responsibilities held by the gometalinter was moved to golangci-lint * There was some changes in implementation (that was also mentioned in the code comment) between the tools, which uncovered couple errors in the code. Those issues were either solved or disabled by the inline comments * Introduce the golangci-lint config, to make their configuration more manageable * Build: replace backend-lint.sh script with make	7 years ago
Sofia Papagiannaki	f3f03ceb6a	Auth Proxy: Respect auto_sign_up setting (#17843 ) * Add test for disabled auth proxy auto signup option * Set correctly auth proxy auto signup	7 years ago
Alexander Zobnin	c2affdee1e	OAuth: return github teams as a part of user info (enable team sync) (#17797 ) * OAuth: github team sync POC * OAuth: minor refactor of github module * OAuth: able to use team shorthands for github team sync * support passing a list of groups via auth-proxy header	7 years ago
Sofia Papagiannaki	dc9ec7dc91	Auth: Allow expiration of API keys (#17678 ) * Modify backend to allow expiration of API Keys * Add middleware test for expired api keys * Modify frontend to enable expiration of API Keys * Fix frontend tests * Fix migration and add index for `expires` field * Add api key tests for database access * Substitude time.Now() by a mock for test usage * Front-end modifications * Change input label to `Time to live` * Change input behavior to comply with the other similar * Add tooltip * Modify AddApiKey api call response Expiration should be time.Time instead of string Present expiration date in the selected timezone * Use kbn for transforming intervals to seconds * Use `assert` library for tests * Frontend fixes Add checks for empty/undefined/null values * Change expires column from datetime to integer * Restrict api key duration input It should be interval not number * AddApiKey must complain if SecondsToLive is negative * Declare ErrInvalidApiKeyExpiration * Move configuration to auth section * Update docs * Eliminate alias for models in modified files * Omit expiration from api response if empty * Eliminate Goconvey from test file * Fix test Do not sleep, use mocked timeNow() instead * Remove index for expires from api_key table The index should be anyway on both org_id and expires fields. However this commit eliminates completely the index for now since not many rows are expected to be in this table. * Use getTimeZone function * Minor change in api key listing The frontend should display a message instead of empty string if the key does not expire.	7 years ago
Kyle Brandt	bd08d8ce8e	middleware: fix Strict-Transport-Security header (#17644 ) fixes #17641	7 years ago
Yann Verry	ed613194ac	HTTPServer: Fix X-XSS-Protection header formatting (#17620 ) Fixes #17619	7 years ago
Oleg Gaidarenko	1b1d951495	LDAP: refactoring (#17479 ) * LDAP: use only one struct * Use only models.ExternalUserInfo * Add additional helper method :/ * Move all the helpers to one module * LDAP: refactoring * Rename some of the public methods and change their behaviour * Remove outdated methods * Simplify logic * More tests There is no and never were tests for settings.go, added tests for helper methods (cover is now about 100% for them). Added tests for the main LDAP logic, but there is some stuff to add. Dial() is not tested and not decoupled. It might be a challenge to do it properly * Restructure tests: * they wouldn't depend on external modules * more consistent naming * logical division * More guards for erroneous paths * Login: make login service an explicit dependency * LDAP: remove no longer needed test helper fns * LDAP: remove useless import * LDAP: Use new interface in multildap module * LDAP: corrections for the groups of multiple users * In case there is several users their groups weren't detected correctly * Simplify helpers module	7 years ago
Kyle Brandt	599514ad68	middleware: add security related HTTP(S) response headers (#17522 ) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509	7 years ago
Kyle Brandt	826d33ea37	auth_proxy: non-negative cache TTL (#17495 ) fixes setex error with redis on #17377	7 years ago
Marcus Efraimsson	b9181df212	Auth Proxy: Log any error in middleware (#17275 ) Fixes so that errors happening in auth proxy middleware is logged. Ref #17247	7 years ago
Oleg Gaidarenko	9b7f9dd9be	LDAP: consistently name the LDAP entities (#17203 )	7 years ago
Mario Trangoni	66ba2aa524	Fix gosimple issues (#17179 ) Signed-off-by: Mario Trangoni <mjtrangoni@gmail.com>	7 years ago
Oleg Gaidarenko	35f227de11	Feature: LDAP refactoring (#16950 ) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic	7 years ago
Oleg Gaidarenko	79ac3fd699	Chore: remove use of `== false` (#17036 ) Interestingly enough, golint or revive doesn't not prohibit the use that construction :) Ref #17035	7 years ago
zhulongcheng	2fff8f77dc	move log package to /infra (#17023 ) ref #14679 Signed-off-by: zhulongcheng <zhulongcheng.me@gmail.com>	7 years ago
Marcus Efraimsson	1c1427520d	Security: Add new setting allow_embedding (#16853 ) When allow_embedding is false (default) the Grafana backend will set the http header `X-Frame-Options: deny` in all responses to non-static content which will instruct browser to not allow Grafana to be embedded in `<frame>`, `<iframe>`, `<embed>` or `<object>`. Closes #14189	7 years ago
Marcus Efraimsson	f778c1d971	Security: Responses from backend should not be cached (#16848 ) Currently all API requests set Cache-control: no-cache to avoid browsers caching sensitive data. This fixes so that all responses returned from backend not are cached using http headers. The exception is the data proxy where we don't add these http headers in case datasource backend needs to control whether data can be cached or not. Fixes #16845	7 years ago
Samuel	846b9327a5	LDAP: Added reload endpoint for LDAP config (#15470 ) * 4843 - Added reload endpoint for LDAP config closes #4843 * Refactor to make the reload work after master drifted	7 years ago
Carl Bergquist	9660356638	Auth: Enable retries and transaction for some db calls for auth tokens (#16785 ) the WithSession wrapper handles retries and connection management so the caller dont have to worry about it.	7 years ago
Oleg Gaidarenko	62b85a886e	LDAP Refactoring to support syncronizing more than one user at a time. (#16705 ) * Feature: add cron setting for the ldap settings * Move ldap configuration read to special function * Introduce cron setting (no docs for it yet, pending approval) * Chore: duplicate ldap module as a service * Feature: implement active sync This is very early preliminary implementation of active sync. There is only one thing that's going right for this code - it works. Aside from that, there is no tests, error handling, docs, transactions, it's very much duplicative and etc. But this is the overall direction with architecture I'm going for * Chore: introduce login service * Chore: gradually switch to ldap service * Chore: use new approach for auth_proxy * Chore: use new approach along with refactoring * Chore: use new ldap interface for auth_proxy * Chore: improve auth_proxy and subsequently ldap * Chore: more of the refactoring bits * Chore: address comments from code review * Chore: more refactoring stuff * Chore: make linter happy * Chore: add cron dep for grafana enterprise * Chore: initialize config package var * Chore: disable gosec for now * Chore: update dependencies * Chore: remove unused module * Chore: address review comments * Chore: make linter happy	7 years ago
Oleg Gaidarenko	db584b3d28	Chore: remove session storage references (#16445 ) * Chore: remove session storage references * Small refactoring of the settings module * Update docs - remove references for the session storage * Update config files (sample and default configs) * Add tests for warning during the config load on defined storage cache * Remove all references to session storage * Remove macaron session dependency * Remove leftovers * Fix: address review comments * Fix: remove old deps * Fix: add skipStaticRootValidation = true to tests * Fix: improve the docs and warning message As per discussion in here - https://github.com/grafana/grafana/pull/16445/files#r273026255 * Chore: make linter happy Fixes #16148 Ref #16114	7 years ago
Oleg Gaidarenko	318182ccc9	Chore: refactor auth proxy (#16504 ) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy	7 years ago
Oleg Gaidarenko	67cbc7d4cf	Chore: use remote cache instead of session storage (#16114 ) Replaces session storage in auth_proxy middleware with remote cache Fixes #15161	7 years ago
Leonard Gram	6589a4e55f	teams: better names for api permissions.	7 years ago
Hugo Häggmark	782b5b6a3a	teams: viewers and editors can view teams	7 years ago
Leonard Gram	22e098b830	teams: editors can work with teams.	7 years ago
Marcus Efraimsson	8029e48588	support get user tokens/revoke all user tokens in UserTokenService	7 years ago
Johannes Schill	a81d5486b0	Viewers with viewers_can_edit should be able to access /explore (#15787 ) * fix: Viewers with viewers_can_edit should be able to access /explore #15773 * refactoring initial PR a bit to simplify function and reduce duplication	7 years ago
bergquist	8a3a3cccc3	moves metric package to /infra ref #14679	7 years ago
bergquist	e163aadfe4	use authtoken for session quota restrictions closes #15360	7 years ago
bergquist	1310d356fc	removes unused session code	7 years ago
Marcus Efraimsson	836501186f	fix	7 years ago
Marcus Efraimsson	8678620730	move UserToken and UserTokenService to models package	7 years ago
Marcus Efraimsson	a60124a88c	change UserToken from interface to struct	7 years ago

... 3 4 5 6 7 ...

470 Commits (d67ad9efc485f36c7115272b32bcd48da6780c89)