grafana

Commit Graph

Author	SHA1	Message	Date
Jo	dcd0c6b11e	Identity: Unfurl OrgID in pkg/services to allow using identity.Requester interface (#76113 ) Unfurl OrgID in pkg/services to allow using identity.Requester interface	2 years ago
Ryan McKinley	025b2f3011	Chore: use any rather than interface{} (#74066 )	2 years ago
Jo	d6c468c1c2	Auth: Add empty role definition (#64694 ) * Allow setting role as None Co-authored-by: gamab <gabi.mabs@gmail.com> Seeking for places where role.None would be used Co-authored-by: Jguer <joao.guerreiro@grafana.com> Adding None role to the frontend Co-authored-by: Jguer <joao.guerreiro@grafana.com> unify org role declaration and remove from add permission fix backend test fix backend lint * remove role none from frontend * Simplify checks Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * nits --------- Co-authored-by: Kalle Persson <kalle.persson@grafana.com>	2 years ago
Ieva	4980b64274	RBAC: Remove legacy ac from authorization middleware (#68898 ) remove legacy AC fallback from RBAC middleware, and some unused auth logic	3 years ago
Will Browne	31d6416157	Plugins: Migrate licensing and access control to pkg/services/pluginsintegration package (#65258 ) * migrate licensing + access control * update package name	3 years ago
Karl Persson	382b24742a	Auth: Add feature flag to move token rotation to client (#65060 ) * FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>	3 years ago
Jo	6b6cf5f4b7	Cfg: Move ViewersCanEdit into cfg (#64876 ) move ViewersCanEdit into cfg	3 years ago
idafurjes	6c5a573772	Chore: Move ReqContext to contexthandler service (#62102 ) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports	3 years ago
Karl Persson	95ea4bad6f	AuthN: Rebuild Authenticate so we only have to call it once in context handler (#61705 ) * API: Add reqSignedIn to router groups * AuthN: Add fall through in context handler * AuthN: Add IsAnonymous field * AuthN: add priority to context aware clients * ContextHandler: Add comment * AuthN: Add a simple priority queue * AuthN: Add Name to client interface * AuthN: register clients with function * AuthN: update mock and fake to implement interface * AuthN: rewrite test without reflection * AuthN: add comment * AuthN: fix queue insert * AuthN: rewrite tests * AuthN: make the queue generic so we can reuse it for hooks * ContextHandler: Add fixme for auth headers * AuthN: remove unused variable * AuthN: use multierror * AuthN: write proper tests for queue * AuthN: Add queue item that can store the value and priority Co-authored-by: Jo <joao.guerreiro@grafana.com>	3 years ago
idafurjes	421976e919	Chore: Remove folders from models pkg (#61853 )	3 years ago
idafurjes	f2ffce4351	Chore: Move team models to models pkg (#61262 ) * Chore: Move team models to models pkg * Fix ACL tests * More ACL tests * Change Id to ID in conflict user command test * Remove team from models * Fix ac test lint	3 years ago
Jack Westbrook	207b2993b2	Plugins Catalog: Only allow admins to access plugins catalog (#57101 ) * feat(plugins-catalog): only allow admins to access plugins catalog routes * add backend check * fix(plugins-catalog): update route role access to include server admins Co-authored-by: Will Browne <will.browne@grafana.com>	3 years ago
Karl Persson	fef1e1d5bc	Auth: Refactor auth package (#58920 ) * Auth: move interface to its own file * Auth: move to test package * Auth: move quota consts to auth file * Auth: move service to impl package * Auth: move interfaces and related models to auth package * Auth: Create sub package and type alias to avoid circular dependency	3 years ago
Kristina	5d7d54d076	Auth: Write the redirect cookie if denied - do not write a blank redirect (#57381 ) * Write the redirect cookie if denied - do not write a blank redirect * Remove redundant code, reverse polarity	3 years ago
Kristin Laemmert	05709ce411	chore: remove sqlstore & mockstore dependencies from (most) packages (#57087 ) * chore: add alias for InitTestDB and Session Adds an alias for the sqlstore InitTestDB and Session, and updates tests using these to reduce dependencies on the sqlstore.Store. * next pass of removing sqlstore imports * last little bit * remove mockstore where possible	3 years ago
Serge Zaitsev	305d494902	Chore: Switch over to team.Service instead of sqlstore (#55497 ) * switch to using team service * trying to fix tests * more tests to fix * add missing teamtest package	3 years ago
idafurjes	a14621fff6	Chore: Add user service method SetUsingOrg and GetSignedInUserWithCacheCtx (#53343 ) * Chore: Add user service method SetUsingOrg * Chore: Add user service method GetSignedInUserWithCacheCtx * Use method GetSignedInUserWithCacheCtx from user service * Fix lint after rebase * Fix lint * Fix lint error * roll back some changes * Roll back changes in api and middleware * Add xorm tags to SignedInUser ID fields	3 years ago
idafurjes	6afad51761	Move SignedInUser to user service and RoleType and Roles to org (#53445 ) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2	3 years ago
Ieva	75873d05d7	Access Control: Allow dashboard admins to query org users (#51652 ) * allow dashboard admins to query org users * rename one more variable	4 years ago
Kristin Laemmert	2edfbb7767	sqlstore split: dashboard permissions (#49962 ) * backend/sqlstore split: remove unused GetDashboardPermissionsForUser from sqlstore * remove debugging line * backend/sqlstore: move dashboard permission related functions to dashboard service	4 years ago
Kat Yang	68478e908a	Chore: Remove x from team (#47905 ) * Chore: Remove x from team * Update pkg/services/sqlstore/team.go Co-authored-by: ying-jeanne <74549700+ying-jeanne@users.noreply.github.com> * Update pkg/services/sqlstore/team.go Co-authored-by: ying-jeanne <74549700+ying-jeanne@users.noreply.github.com> * Refactor dialects and add ISAdminOfTeams to Store * Add IsAdminOfTeams to mockstore Co-authored-by: ying-jeanne <74549700+ying-jeanne@users.noreply.github.com>	4 years ago
Kat Yang	d3ae8939af	Chore: Remove x from health, alert notification, dashboard, stats, user (#45265 ) * Chore: Remove x from health * Chore: Remove x from dashboard and user * Chore: Remove x from alert notification * Chore: Remove x from stats * Fix: Update func signature in stats test * Refactor: Remove x from GetDashboardTags * Chore: Remove x from dashboard * Chore: Remove x from Stats * Fix: Update refs of HasAdminPermissionInFolders * Fix: Adjust funcs in tests to be sqlStore methods * Fix: Fix database folder test sqlstore methods	4 years ago
Dimitris Sotirakis	605d056136	Security: Sync security changes on main (#45083 ) * * Teams: Appropriately apply user id filter in /api/teams/:id and /api/teams/search * Teams: Ensure that users searching for teams are only able see teams they have access to * Teams: Require teamGuardian admin privileges to list team members * Teams: Prevent org viewers from administering teams * Teams: Add org_id condition to team count query * Teams: clarify permission requirements in teams api docs * Teams: expand scenarios for team search tests * Teams: mock teamGuardian in tests Co-authored-by: Dan Cech <dcech@grafana.com> * remove duplicate WHERE statement * Fix for CVE-2022-21702 (cherry picked from commit 202d7c190082c094bc1dc13f7fe9464746c37f9e) * Lint and test fixes (cherry picked from commit 3e6b67d5504abf4a1d7b8d621f04d062c048e981) * check content type properly (cherry picked from commit 70b4458892bf2f776302720c10d24c9ff34edd98) * basic csrf origin check (cherry picked from commit 3adaa5ff39832364f6390881fb5b42ad47df92e1) * compare origin to host (cherry picked from commit 5443892699e8ed42836bb2b9a44744ff3e970f42) * simplify url parsing (cherry picked from commit b2ffbc9513fed75468628370a48b929d30af2b1d) * check csrf for GET requests, only compare origin (cherry picked from commit 8b81dc12d8f8a1f07852809c5b4d44f0f0b1d709) * parse content type properly (cherry picked from commit 16f76f4902e6f2188bea9606c68b551af186bdc0) * mentioned get in the comment (cherry picked from commit a7e61811ef8ae558ce721e2e3fed04ce7a5a5345) * add content-type: application/json to test HTTP requests * fix pluginproxy test * Fix linter when comparing errors Co-authored-by: Kevin Minehart <kmineh0151@gmail.com> Co-authored-by: Dan Cech <dcech@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Serge Zaitsev <serge.zaitsev@grafana.com> Co-authored-by: Vardan Torosyan <vardants@gmail.com>	4 years ago
idafurjes	5a087d2708	Chore: Add context to team (#40504 ) * Add ctx to team * Remove convey from team	4 years ago
Serge Zaitsev	57fcfd578d	Chore: replace macaron with web package (#40136 ) * replace macaron with web package * add web.go	4 years ago
idafurjes	2759b16ef5	Chore: Add context for dashboards (#39844 ) * Add context for dashboards * Remove GetDashboardCtx * Remove ctx.TODO	4 years ago
Gabriel MABILLE	4be9ec8f72	AccessControl: Protect org users lookup (#38981 ) * Move legacy accesscontrol to middleware layer * Remove bus usage for this endpoint * Add tests for legacy accesscontrol * Fix tests for org user and remove one more bus usage * Added test for FolderAdmin as suggested in the review	4 years ago
Serge Zaitsev	e1e385b318	Chore: Remove untyped data map from macaron context (#39077 )	4 years ago
Tobias Skarhed	7f882eea05	Login: Require user to not be signed in to get request password email (#35421 )	5 years ago
Joan López de la Franca Beltran	610999cfa2	Auth: Allow soft token revocation (#31601 ) * Add revoked_at field to user auth token to allow soft revokes * Allow soft token revocations * Update token revocations and tests * Return error info on revokedTokenErr * Override session cookie only when no revokedErr nor API request * Display modal on revoked token error * Feedback: Refactor TokenRevokedModal to FC * Add GetUserRevokedTokens into UserTokenService * Backendsrv: adds tests and refactors soft token path * Apply feedback * Write redirect cookie on token revoked error * Update TokenRevokedModal style * Return meaningful error info * Some UI changes * Update backend_srv tests * Minor style fix on backend_srv tests * Replace deprecated method usage to publish events * Fix backend_srv tests * Apply suggestions from code review Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com> * Apply suggestions from code review * Apply suggestions from code review Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com> * Minor style fix after PR suggestion commit * Apply suggestions from code review Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Prettier fixes Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>	5 years ago
Marcus Efraimsson	a97637a133	Snapshots: Fix usage of sign in link from the snapshot page (#31986 ) Fix redirect to login page from snapshot page when not authenticated. Fixes #28547	5 years ago
Torkel Ödegaard	7428668835	Profile: Fixes profile preferences being accessible when anonymous access was enabled (#31516 ) * Profile: Fixes profile preferences page being available when anonymous access was enabled * Minor change * Renamed property	5 years ago
Marcus Efraimsson	8f20b13f1c	Snapshots: Disallow anonymous user to create snapshots (#31263 )	5 years ago
Arve Knudsen	12661e8a9d	Move middleware context handler logic to service (#29605 ) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>	5 years ago
Arve Knudsen	8d5b0084f1	Middleware: Simplifications (#29491 ) * Middleware: Simplify Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * middleware: Rename auth_proxy directory to authproxy Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>	5 years ago
Torkel Ödegaard	1076f47509	Dashboard: Fixes kiosk state after being redirected to login page and back (#29273 ) * Login: Fixes issue where url parameters where modified by golang url code * Add tests * Fix test cases * Update pkg/middleware/auth_test.go Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com> * fixed formatting Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>	5 years ago
Marcus Efraimsson	3be82ecd4e	Auth: Should redirect to login when anonymous enabled and URL with different org than anonymous specified (#28158 ) If anonymous access is enabled for an org and there are multiple orgs. When requesting a page that requires user to be logged in and orgId query string is set in the request url to an org not equal the anonymous org, if the user is not logged in should be redirected to the login page. Fixes #26120 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>	5 years ago
Sofia Papagiannaki	44dff6fdd0	Auth: Fix POST request failures with anonymous access (#26049 ) Macaron context.QueryBool() seems to modify the request context that causes the POST and PUT requests to fail with: "http: proxy error: net/http: HTTP/1.x transport connection broken: http: ContentLength=333 with Body length 0"	6 years ago
Sofia Papagiannaki	fefbbc65a8	Auth: Add support for forcing authentication in anonymous mode and modify SignIn to use it instead of redirect (#25567 ) * Forbid additional redirect urls * Optionally force login in anonymous mode * Update LoginCtrl page to ignore redirect parameter * Modify SignIn to set forceLogin query instead of redirect * Pass appUrl to frontend and use URL API for updating url query * Apply suggestions from code review Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix SignIn test Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>	6 years ago
Sofia Papagiannaki	be022d4239	API: Fix redirect issues (#22285 ) * Revert "API: Fix redirect issue when configured to use a subpath (#21652)" (#22671) This reverts commit `0e2d874ecf`. * Fix redirect validation (#22675) * Chore: Add test for parse of app url and app sub url Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Fix redirect: prepend subpath only if it's missing (#22676) * Validate redirect in login oauth (#22677) * Fix invalid redirect for authenticated user (#22678) * Login: Use correct path for OAuth logos Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>	6 years ago
Carl Bergquist	f2f2722bb1	chore: avoid aliasing models in middleware (#22484 )	6 years ago
Brian Gann	0e2d874ecf	API: Fix redirect issue when configured to use a subpath (#21652 ) * request uri will contain the subpath	6 years ago
Jeffrey Descan	c5f906f472	Security: refactor 'redirect_to' cookie to use 'Secure' flag (#19787 ) * Refactor redirect_to cookie with secure flag in middleware * Refactor redirect_to cookie with secure flag in api/login * Refactor redirect_to cookie with secure flag in api/login_oauth * Removed the deletion of 'Set-Cookie' header to prevent logout * Removed the deletion of 'Set-Cookie' at top of api/login.go * Add HttpOnly flag on redirect_to cookies where missing * Refactor duplicated code * Add tests * Refactor cookie options * Replace local function for deleting cookie * Delete redundant calls Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>	6 years ago
Marcus Efraimsson	964c2e722f	Snapshot: Fix http api (#18830 ) (cherry picked from commit `be2e2330f5`)	6 years ago
Leonard Gram	6589a4e55f	teams: better names for api permissions.	7 years ago
Hugo Häggmark	782b5b6a3a	teams: viewers and editors can view teams	7 years ago
Leonard Gram	22e098b830	teams: editors can work with teams.	7 years ago
Johannes Schill	a81d5486b0	Viewers with viewers_can_edit should be able to access /explore (#15787 ) * fix: Viewers with viewers_can_edit should be able to access /explore #15773 * refactoring initial PR a bit to simplify function and reduce duplication	7 years ago
bergquist	5998646da5	restrict session usage to auth_proxy	7 years ago
Dan Cech	3056d9a80e	support passing api token in Basic auth password (#12416 )	8 years ago

1 2

84 Commits (dcd0c6b11eed17a5848e66aacad55a5572c55dd0)