* Auth: move interface to its own file
* Auth: move to test package
* Auth: move quota consts to auth file
* Auth: move service to impl package
* Auth: move interfaces and related models to auth package
* Auth: Create sub package and type alias to avoid circular dependency
* RBAC: Remove name from role registration
* Inline accesscontrol service
* test fix
* use fmt
Co-Authored-By: marefr <marcus.efraimsson@gmail.com>
Co-authored-by: marefr <marcus.efraimsson@gmail.com>
* clean up and document integration test convention
* clarify integration test conventions
* clean up integration tests that don't follow convention
* mark testIntegration* functions as helpers to avoid confusion
* RBAC: Remove the access control evaluator fake
* API: Change to use access control implementation instead of mocks with
rbac disabled in tests
* Tests: Set cfg and access control defaults after applying options
* Tests: Rewrite team legacy access control tests
* Tests: Add helper function to create user with permissions
* Tests: set fake quota service as default
* Team: Add ExpectedTeamDTO and set in query result
* RBAC: Revert change
* RBAC: Add deprecation notice to mock
* chore: add alias for InitTestDB and Session
Adds an alias for the sqlstore InitTestDB and Session, and updates tests using these to reduce dependencies on the sqlstore.Store.
* next pass of removing sqlstore imports
* last little bit
* remove mockstore where possible
* Copy sqlstore methods to suer store
* Adjust ProvideService signatures in test
* Add xorm tags and tests for search
* Remove methods from sqlstore
* fix lint in tests
* Chore: Copy user methods over to user store
* Fix some tests and bugs
* Add some more tests
* Move tests to user store
* Move back the tests
* Add some tests
* SQLStore: Ensure that sessions are always closed
Delete `NewSession()` in favour of `WithDbSession()`
* Add WithDbSessionForceNewSession to the interface
* Apply suggestions from code review
* add users-manager command
* add users-manager command
* rename files
* refactor: imports and renaming
* Command: add conflict merge user command
- MergeUser will
- replace all user_ids from conflicting users to the chosen userId
- delete users whose user_ids are not the chosen user
- SameIdentification will
- update chosen user with chosen email,login details
- delete users whose user_ids are not the chosen user
* refactor: clean up
* refactor: create structure for read, validate, ingest
* feat: ls and generate-file for conflicting users
* remove usagestats
* added back pkg/services/login/authinfoservice/database/stats.go
* Revert "added back pkg/services/login/authinfoservice/database/stats.go"
This reverts commit 2ba6e3c4d6.
* Revert "remove usagestats"
This reverts commit 1e3fa97810.
* cherry pick
* Revert "cherry pick"
This reverts commit 461626c306.
* validation of picked merge user
* fix test
* make lint
* make test run
* tests for ingest working
* clean up and refactored to align with downstream refactoring
* formatting
* refactor: name list instead of ls
* fix: static lint error use trimprefix
* WIP: permissions for validation
* fix: remove unused functions in sqlstore
* fix: remove unused function
* handling of multiple users and resolve discarded users
* fix tests
* fix: bug that did not exclude the blocks
* ioutil is blacklisted
* WIP: validation
* tests for merging a user working
* add latest changes to output print
* refactor: removed conflictEmail and conflictLogin that was not used
* refactor: code clean up, showChanges working
* test and linting fixes
* test and linting fixes
* refactor: removed logging of config and added more info for vlidation command
* refactor: fix order of code
* fix time now
* refactor: no longer need for check casesensitive login/email
* removed unnessecary loop
* refactor: move functions around
* test: working
* docs: add docuemntationf for file
* Add failing test for generating the conflict login block
* Fix regex
* Fix some stuff/tests
Co-authored-by: eleijonmarck <eric.leijonmarck@gmail.com>
* add: docs for conflict file
* add: conflict_email, conflict_login fields
* add: conflict_email, conflict_login fields
* WIP
* fix: tests working as intended
* Update pkg/cmd/grafana-cli/commands/conflict_user_command.go
Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
* review comments
* Update pkg/cmd/grafana-cli/commands/conflict_user_command.go
Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>
* Update pkg/cmd/grafana-cli/commands/conflict_user_command.go
Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>
* missspelling
* trailing new line
* update to use userimpl store
* remove newline
* remove newline
* refactor: initializing of resolver for conflicts
* fix: test sqlStore
* refactor: removed lines
* refactor: remove TODOs
Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>
Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
* UserService: update callers to use the UserService instead of calling sqlstore directly
There is one major change hiding in this PR. UserService.Delete originally called a number of services to delete user-related records. I moved everything except the actual call to the user table, and moved those into the API. This was done to avoid dependencies cycles; many of our services depend on the user service, so the user service itself should have as few dependencies as possible.
* Chore: move team store implementation to a separate package
* trying to fix more tests
* fix tests in service accounts and access control
* fix common tests
* restore commented out test
* add todos
* access control to log user name if it does not have permissions
* update ngalert Evaluator to accept user instead of creating a pseudo one
* update alerting eval (rule\query testing) API to provide the real user to the Evaluator
* update scheduler to create a pseudo user with proper permissions
* RBAC: Add cache for oss permissions
* RBAC: include service account actions
* RBAC: revert changes to fetch service account permissions
* Update comment for setting
* RBAC: Disable permission chache for tests
* RBAC: Allow app plugins restriction
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
* Moving declaration to HttpServer
Co-Authored-By: marefr <marcus.efraimsson@gmail.com>
* Picking changes from the other branch
Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
* Rename plugins.settings to plugins
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
* Account for PluginAdminExternalManageEnabled
Co-authored-by: Will Browne <will.browne@grafana.com>
* Set metadata on instantiation
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
Co-authored-by: marefr <marcus.efraimsson@gmail.com>
Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com>
Co-authored-by: Will Browne <will.browne@grafana.com>
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* RBAC: Remove service dependency for Evaluator component
* RBAC: Add service and load permissions in target org if they are not
there
* RBAC: Use service if we need to load permissions for org
* API: remove service injection into evaluator
* API: set new user for each request in tests
* PublicDashboards: Use fake service to provide permissions
* RBAC: Set org id for dashboard provisioning user
* RBAC: Move metadata to own file
* RBAC: Rename test files
* RBAC: Add wildcard structure and helper function to generate wildcards
from prefix
* RBAC: Refactor filter to use WildcardsFromPrefix
* RBAC: Refactor GetResourceMetadata to use WildcardsFromPrefix
* RBAC: Test evaluation before attaching mutator
* RBAC: Return error if no resolver is found for scope
* RBAC: Sync changes to evaluation in mock
* RBAC: Check for resolver not found error and just fail the evaluation in that case
* RBAC: Rename interface to Store
* RBAC: Move ranme scopeInjector
* RBAC: Rename files to service
* RBAC: Rename to service
* RBAC: Split up accesscontrol into two components
* RBAC: Add DeclareFixedRoles to AccessControl interface
* Wire: Fix wire bindings
* RBAC: Move resolvers to root
* RBAC: Remove invalid test
* RBAC: Inject access control service
* RBAC: Implement the RoleRegistry interface in fake
* Rename file to store
* Move resource permission specific database functions to
resourcepermissions package
* Wire: Remove interface bind
* RBAC: Remove injection of resourcepermission Store
* RBAC: Export store constructor
* Tests: Use resource permission package to initiate store used in tests
* RBAC: Remove internal types package and move to resourcepermissions
package
* RBAC: Run database tests as itegration tests
* RBAC: Add orgID to DeleteUserPermissions
* RBAC: Refactor query to delete all permissions in specified org, 0
deletes all permissions
* Delete user permission in org when user is removed
* Remove call to delete permissions in frontend
* Remove user permissions if removed orgs is detected during oauth sync
Co-authored-by: Jo <joao.guerreiro@grafana.com>
* Remove delete suer from store interface
* Remove get signed in user with cache ctx from store interface
* Support options when setting up access control tests
* Fix broken tests
* Fix lint
* Add user fake to middleware
* Fix middleware tests, remove usertest being initialised twice
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* Chore: Add user service method SetUsingOrg
* Chore: Add user service method GetSignedInUserWithCacheCtx
* Use method GetSignedInUserWithCacheCtx from user service
* Fix lint after rebase
* Fix lint
* Fix lint error
* roll back some changes
* Roll back changes in api and middleware
* Add xorm tags to SignedInUser ID fields
* Move SignedInUser to user service and RoleType and Roles to org
* Use go naming convention for roles
* Fix some imports and leftovers
* Fix ldap debug test
* Fix lint
* Fix lint 2
* Fix lint 3
* Fix type and not needed conversion
* Clean up messages in api tests
* Clean up api tests 2
* pkg/web: closure-style middlewares
Switches the middleware execution model from web.Handlers in a slice to
web.Middleware.
Middlewares are temporarily kept in a slice to preserve ordering, but
prior to execution they are applied, forming a giant call-stack, giving
granular control over the execution flow.
* pkg/middleware: adapt to web.Middleware
* pkg/middleware/recovery: use c.Req over req
c.Req gets updated by future handlers, while req stays static.
The current recovery implementation needs this newer information
* pkg/web: correct middleware ordering
* pkg/webtest: adapt middleware
* pkg/web/hack: set w and r onto web.Context
By adopting std middlewares, it may happen they invoke next(w,r) without
putting their modified w,r into the web.Context, leading old-style
handlers to operate on outdated fields.
pkg/web now takes care of this
* pkg/middleware: selectively use future context
* pkg/web: accept closure-style on Use()
* webtest: Middleware testing
adds a utility function to web/webtest to obtain a http.ResponseWriter,
http.Request and http.Handler the same as a middleware that runs would receive
* *: cleanup
* pkg/web: don't wrap Middleware from Router
* pkg/web: require chain to write response
* *: remove temp files
* webtest: don't require chain write
* *: cleanup
* Move user not found err to user service
* User ErrCaseInsensitive from user pkg
* User ErrUserAlreadyExists from user pkg
* User ErrLastGrafanaAdmin from user pkg
* Remove errors from model
* Remove user from preferences, stars, orguser, team member
* Fix lint
* Add Delete user from org and dashboard acl
* Delete user from user auth
* Add DeleteUser to quota
* Add test files and adjust user auth store
* Rename package in wire for user auth
* Import Quota Service interface in other services
* do the same in tests
* fix lint tests
* Fix tests
* Add some tests
* Rename InsertUser and DeleteUser to InsertOrgUser and DeleteOrgUser
* Rename DeleteUser to DeleteByUser in quota
* changing a method name in few additional places
* Fix in other places
* Fix lint
* Fix tests
* Chore: Split Delete User method
* Add fakes for userauth
* Add mock for access control Delete User permossion, use interface
* Use interface for ream guardian
* Add simple fake for dashboard acl
* Add go routines, clean up, use interfaces
* fix lint
* Update pkg/services/user/userimpl/user_test.go
Co-authored-by: Sofia Papagiannaki <1632407+papagian@users.noreply.github.com>
* Update pkg/services/user/userimpl/user_test.go
Co-authored-by: Sofia Papagiannaki <1632407+papagian@users.noreply.github.com>
* Update pkg/services/user/userimpl/user_test.go
Co-authored-by: Sofia Papagiannaki <1632407+papagian@users.noreply.github.com>
* Add wrapper for not service account error
* fix indentation
* Use fmt for error wrapper
Co-authored-by: Sofia Papagiannaki <1632407+papagian@users.noreply.github.com>
* Revert "Serviceaccounts: #48995
Do not display service accounts assigned to team (#48995)"
This reverts commit cbf71fbd7f.
* fix: test to not include more actions than necessary
* adding service accounts to teams - backend and frontend changes
* also support SA addition through the old team membership endpoints
* fix tests
* tests
* serviceaccounts permission tests
* serviceaccounts permission service tests run
* added back test that was removed by accident
* lint
* refactor: add testoptionsTeams
* fix a bug
* service account picker change
* explicitly set SA managed permissions to false for dash and folders
* lint
* allow team creator to list service accounts
Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
* Copy delete user permission to access control service
* Update pkg/services/accesscontrol/database/database_test.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Split Create User
* Use new create user and User from package user
* Add service to wire
* Making create user work
* Replace user from user pkg
* One more
* Move Insert to orguser Service/Store
* Remove unnecessary conversion
* Cleaunp
* Fix Get User and add fakes
* Fixing get org id for user logic, adding fakes and other adjustments
* Add some tests for ourguser service and store
* Fix insert org logic
* Add comment about deprecation
* Fix after merge with main
* Move orguser service/store to org service/store
* Remove orguser from wire
* Unimplement new Create user and use User from pkg user
* Fix wire generation
* Fix lint
* Fix lint - use only User and CrateUserCommand from user pkg
* Remove User and CreateUserCommand from models
* Fix lint 2
* RBAC: Add access control metadata to Folder dto
* Add access control metadata to folder dto response
* Add test to verify that access control metadata is attached
* Attach access control metadata to multiple folders
* Add access control metadata to frontend folder dto
* Inject access control into dashboard service
* Add function to parse id scopes
* Add dashboard as return value
* Update mock
* Return only err to keep service interface
* Add scope resolvers for dashboard id scopes
* Add function to parse uid scopes
* Add dashboard uid scope resolver
* Register scope resolvers for dashboards
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* update action names
* correctly retrieve teams for signed in user
* remove test
* undo swagger changes
* undo swagger changes pt2
* add migration from old action names to the new ones
* rename from list to read
* linting
* also update alertign actions
* fix migration
* pkg/web: store http.Handler internally
* pkg/web: remove injection
Removes any injection code from pkg/web.
It already was no longer functional, as we already only injected into
`http.Handler`, meaning we only inject ctx.Req and ctx.Resp.
Any other types (*Context, *ReqContext) were already accessed using the
http.Request.Context.Value() method.
* *: remove type mappings
Removes any call to the previously removed TypeMapper, as those were
non-functional already.
* pkg/web: remove Context.Invoke
was no longer used outside of pkg/web and also no longer functional
Makes `pkg/web` only accept handles from the following set:
```go
handlerStd = func(http.ResponseWriter, *http.Request)
handlerStdCtx = func(http.ResponseWriter, *http.Request, *web.Context)
handlerStdReqCtx = func(http.ResponseWriter, *http.Request, *models.ReqContext)
handlerReqCtx = func(*models.ReqContext)
handlerReqCtxRes = func(*models.ReqContext) Response
handlerCtx = func(*web.Context)
```
This is a first step to reducing above set to only `http.Handler`.
---
Due to a cyclic import situation between `pkg/models` and `pkg/web`, parts of this PR were put into `pkg/api/response`, even though they definitely do not belong there. This however is _temporary_ until we untangle `models.ReqContext`.
* introduce a fallback handler that checks that role is Viewer.
* update UI nav links to allow alerting tabs for anonymous user
* update rule api to check for Viewer role instead of SignedIn when RBAC is disabled
* rename folder to match package name
* backend/sqlstore: move GetDashboard into DashboardService
This is a stepping-stone commit which copies the GetDashboard function - which lets us remove the sqlstore from the interfaces in dashboards - without changing any other callers.
* checkpoint: moving GetDashboard calls into dashboard service
* finish refactoring api tests for dashboardService.GetDashboard
* Add RBAC section to settings
* Default to RBAC enabled settings to true
* Update tests to respect RBAC
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* reduce the usage of access control flag further by removing it from SQL store methods
* fixing tests
* fix another test
* linting
* remove AC feature toggle use from API keys
* remove unneeded function
