* update fixed annotation roles if FlagAnnotationPermissionUpdate is enabled
* add dashboard type scope back in the fixed roles to make the migration easier
* Chore: use errutil for pluginRepo errors
* Update pkg/util/errutil/status.go
* Use errutil helper functions
Co-Authored-By: Marcus Efraimsson <marcus.efraimsson@gmail.com>
* Forgot the log level
* Use entity
---------
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
* Add anonymous stats and user table
- anonymous users users page
- add feature toggle `anonymousAccess`
- remove check for enterprise for `Device-Id` header in request
- add anonusers/device count to stats
* promise all, review comments
* make use of promise all settled
* refactoring: devices instead of users
* review comments, moved countdevices to httpserver
* fakeAnonService for tests and generate openapi spec
* do not commit openapi3 and api-merged
* add openapi
* Apply suggestions from code review
Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
* formatin
* precise anon devices to avoid confusion
---------
Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
Co-authored-by: jguer <me@jguer.space>
* Split signout_redirect_url into per provider settings
* Split signout_redirect_url into per provider settings
* Update docs/sources/setup-grafana/configure-security/configure-authentication/grafana/index.md
Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
* Split signout_redirect_url into per provider settings
* Split signout_redirect_url into per provider settings
* Split signout_redirect_url into per provider settings
* Split signout_redirect_url into per provider settings
* Split signout_redirect_url into per provider settings
* Split signout_redirect_url into per provider settings
* update docs
* update devenvs
* add missing struct tag
---------
Co-authored-by: Rao, B V Chalapathi <b_v_chalapathi.rao@nokia.com>
Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
Co-authored-by: jguer <me@jguer.space>
* Check installer perm
* Failed eval better output
* Switch fetching json data in the repo
* Comment
* Account for feedback
* Mv single_organization config option
* Inline error check
* Starting to replace errors not to have to do the management in two places
* Continue error translation
* Cover ErrChecksumMismatch
* Refactor a bit
* Lint. Tab
* log instead of erroring out
* Nit.
* Revert change on kinds
* revert file again
* Fix tests
* Match core plugin error status code
* Skip permission check for Grafana Admin
* Use errutil templates
* Use errutil templating
* Inline
* Test templating
* revert error changes
* Remove isGrafanaAdmin skip
* Feature toggle check
* Small refactor on hasPluginRequestedPermissions
* Add test
* Imports
* Post install check
* change log messages so that they make sense
* Cover no scope case
* Inline
* Nit.
* Fix test
* remove use of SignedInUserCopies
* add extra safety to not cross assign permissions
unwind circular dependency
dashboardacl->dashboardaccess
fix missing import
* correctly set teams for permissions
* fix missing inits
* nit: check err
* exit early for api keys
* Move test to the db so we test the queries and not just testing the mock
* Remove unused function and dependencies
* Remove unused functions from the database
* Add some integration tests
* change where folder checks are done for dash creation/updates
* add test for folder not being found
* test fixes
* more test fixes
* add nlint directive to where folder IDs are used
* fix bad merge
* fix test
* Plugins:Allow disabling angular deprecation UI for specific plugins
* add backend test
* changed test names
* lint
* Removed angular properties from DataSourceDTO
* Update tests
* Move angularDetected and hideAngularDeprecation in angularMeta property
* Fix angular property name in AppPluginConfig
* Fix reference to angularMeta.detected
* Fix hide_angular_deprecation not working for core plugins
* lint
* add permission check for updating the LBAC Rules
* permission scoped for id in the updating datasource
* fixed test to cover for permissions
* fix proper check for permissions and empty teamHTTPHeader requests
* check for jsondata
* check nil for jsondata inside the getEncodedString
* Folders: Show folders user has access to at the root level
* Refactor
* Refactor
* Hide parent folders user has no access to
* Skip expensive computation if possible
* Fix tests
* Fix potential nil access
* Fix duplicated folders
* Fix linter error
* Fix querying folders if no managed permissions set
* Update benchmark
* Add special shared with me folder and fetch available non-root folders on demand
* Fix parents query
* Improve db query for folders
* Reset benchmark changes
* Fix permissions for shared with me folder
* Simplify dedup
* Add option to include shared folder permission to user's permissions
* Fix nil UID
* Remove duplicated folders from shared list
* Only left the base part
* Apply suggestions from code review
Co-authored-by: Sofia Papagiannaki <1632407+papagian@users.noreply.github.com>
* Add tests
* Fix linter errors
---------
Co-authored-by: Sofia Papagiannaki <1632407+papagian@users.noreply.github.com>
* Chore: Replace grafana-authnz-team with identity-access-team as code owner
* Chore: Replace grafana-authnz-team with identity-access-team as code owner
* Fix the failing test
* Dashboards: Add integration tests for creating a dashboard
* Fix creating dashboard under folder using deprecated API
* Update swagger response
* Fix comments
When running in dev mode, error messages would contain an additional "error" property alongside "message". Since this causes confusion, that has been removed and now error messages are the same both modes (using "message").
* add validation of team header values w. regex
* apply valid headers
* refactor testcases to account for badly formatted json
* refactoring to move validation code close to the validation itself
* removed tes
* Update pkg/api/datasources_test.go
Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
* Update pkg/api/datasources.go
Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
* review comments
* review during pairing
---------
Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
* introduce data source admin role and fix frontend check
* introduce fixed roles for data source creator and team reader
* add documentation
* undo an unintended change
* Add teamHeaders for datasource proxy requests
* adds validation for the teamHeaders
* added tests for applying teamHeaders
* remove previous implementation
* validation for header values being set to authproxy
* removed unnecessary checks
* newline
* Add middleware for injecting headers on the data source backend
* renamed feature toggle
* Get user teams from context
* Fix feature toggle name
* added test for validation of the auth headers and fixed evaluation to cover headers
* renaming of teamHeaders to teamHTTPHeaders
* use of header set for non-existing header and add for existing headers
* moves types into datasources
* fixed unchecked errors
* Refactor
* Add tests for data model
* Update pkg/api/datasources.go
Co-authored-by: Victor Cinaglia <victor@grafana.com>
* Update pkg/api/datasources.go
Co-authored-by: Victor Cinaglia <victor@grafana.com>
---------
Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
Co-authored-by: Victor Cinaglia <victor@grafana.com>
fetch fresh permissions for global in AuthorizeInOrgMiddleware
Update pkg/services/accesscontrol/authorize_in_org_test.go
do not load viewer permissions in global ID
* Move errors to error file
* Move check for both empty username and email to user service
* Move check for empty email and username to user service Update
* Wrap inner error
* Set username in test
* Unfurl OrgRole in pkg/api to allow using identity.Requester interface
* Unfurl Email in pkg/api to allow using identity.Requester interface
* Update UserID in pkg/api to allow using identity.Requester interface
* fix authed test
* fix datasource tests
* guard login
* fix preferences anon testing
* fix anonymous index rendering
* do not error with user id 0
* Plugins: Add client middlware that forwards the signed grafana id token if present
* DsProxy: Set grafana id header if id token exists
* Add util function to apply id token to header
* Only add id forwarding middleware if feature toggle is enabled
* Add feature toggles to ds proxy and check if id forwarding is enabled
* Clean up test setup
* Change to use backend.ForwardHTTPHeaders interface
* PluginProxy: Forward signed identity when feature toggle is enabled
* PluginProxy: forrward signed id header
* Teams: Implement backend sorting
* Add docs
* Make name ordering case insensitive
* lint
* Fix no lowercasing on memberCount
* Add test to double check the filters or correctly OrderBy
* User: Add sort option to user search
* Switch to an approach that uses the dashboard search options
* Cable user sort on the org endpoint
* Alias user table with u in org store
* Add test and cover orgs/:orgID/users/search endpoint
* Add test to userimpl store
* Simplify the store_test with sortopts.ParseSortQueryParam
* Account for PR feedback
* Positive check
* Update docs
* Update docs
* Switch to ErrOrFallback
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
---------
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* Reduce restrictions with non-user accounts
* Revert restrictions on anonymous accounts
* Change log level from warning to debug
* Change log messages to upper case
* Make identity.Requester available at Context
* Clean pkg/services/guardian/guardian.go
* Clean guardian provider and guardian AC
* Clean pkg/api/team.go
* Clean ctxhandler, datasources, plugin and live
* Clean dashboards and guardian
* Implement NewUserDisplayDTOFromRequester
* Change status code numbers for http constants
* Upgrade signature of ngalert services
* log parsing errors instead of throwing error
* Make identity.Requester available at Context
* Clean pkg/services/guardian/guardian.go
* Clean guardian provider and guardian AC
* Clean pkg/api/team.go
* Clean ctxhandler, datasources, plugin and live
* Question: what to do with the UserDisplayDTO?
* Clean dashboards and guardian
* Remove identity.Requester from ReqContext
* Implement NewUserDisplayDTOFromRequester
* Fix tests
* Change status code numbers for http constants
* Upgrade signature of ngalert services
* log parsing errors instead of throwing error
* Fix tests and add logs
* linting
* RBAC: remove unnessisary guardian construction and update tests
* RBAC: remove usage of guardian in UpdateFolderPermissions and refactor test
* RBAC: remove usage of guardian in update and get permissions for dashboards
* move access control api to SignedInUser interface
* remove unused code
* add logic for reading perms from a specific org
* move the specific org logic to org_user.go
* add a comment
---------
Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
* Dashboards: Fix tests when authn broker is enabled.
StarService was not configured for tests, the call was guarded by !c.IsSignedIn
* Change default to be anon user to match expectations from tests
* OAuth: rewrite tests to work with authn.Service
* Setup template renderer by default
* Extract cookie options from cfg instead of relying on global variables
* Fix test to work with authn service
* Middleware: rewrite auth tests
* Remvoe session cookie if we cannot refresh access token
* Auth: prevent auto_login redirect if user is already authenticated
Before attempting an auto-login for OAuth, verifies if current context has already been
authenticated.
Fixes: #72476
Co-authored-by: Karl Persson <kalle.persson92@gmail.com>
* add termination stage
* uid -> pluginID (for now)
* also fix fakes
* add simple test
* Fix logger name
Co-authored-by: Giuseppe Guerra <giuseppe.guerra@grafana.com>
* inline stop func call
Co-authored-by: Giuseppe Guerra <giuseppe.guerra@grafana.com>
---------
Co-authored-by: Giuseppe Guerra <giuseppe.guerra@grafana.com>
* Search: Attempt to support folderUID filter
* Search: Use folder UID instead of ID for searching folders
* Update swagger
* Fix JSON property casing
* Add integration test
* Remove redundant query condition
* Fix frontend test
* Fix listing dashboards in General/root
* Add support for fetching top level folders
using `folderUIDs=` (empty string) query parameter
* Add deprecation notice
* Send uid of general in sql.ts
* Use 'general' for query folderUIDs query param for fetching folder
* Add tests
* Fix FolderUIDFilter
---------
Co-authored-by: Sofia Papagiannaki <1632407+papagian@users.noreply.github.com>
