Commit Graph

45 Commits

Author SHA1 Message Date
Emil Tullstedt
ad971cc9be
LDAP: Search all DNs for users (#38891) 2021-09-14 10:49:37 +02:00
Arve Knudsen
d27a72f859
IPv6: Support host address configured with enclosing square brackets (#31226)
Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-02-15 17:55:41 +01:00
Arve Knudsen
116809ed7f
services/provisioning: Various cleanup (#30396)
Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2021-01-19 18:57:09 +01:00
Arve Knudsen
c2cad26ca9
Chore: Disable default golangci-lint filter (#29751)
* Disable default golangci-lint filter

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* Chore: Fix linter warnings

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-12-15 09:32:06 +01:00
Arve Knudsen
12661e8a9d
Move middleware context handler logic to service (#29605)
* middleware: Move context handler to own service

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com>
Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
2020-12-11 11:44:44 +01:00
Arve Knudsen
f326b79cc1
Security: Add gosec G304 auditing annotations (#29578)
* Security: Add gosec G304 auditing annotations

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* add G304 auditing comment

Signed-off-by: bergquist <carl.bergquist@gmail.com>

* add G304 auditing comment

Signed-off-by: bergquist <carl.bergquist@gmail.com>

* add G304 auditing comment

Signed-off-by: bergquist <carl.bergquist@gmail.com>

* add G304 auditing comment

Signed-off-by: bergquist <carl.bergquist@gmail.com>

* add G304 auditing comment

Signed-off-by: bergquist <carl.bergquist@gmail.com>

* add G304 auditing comment

Signed-off-by: bergquist <carl.bergquist@gmail.com>

* add G304 auditing comment

Signed-off-by: bergquist <carl.bergquist@gmail.com>

* add G304 auditing comment

Signed-off-by: bergquist <carl.bergquist@gmail.com>

* Add gosec annotations

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* add G304 auditing comment

Signed-off-by: bergquist <carl.bergquist@gmail.com>

* add G304 auditing comment

Signed-off-by: bergquist <carl.bergquist@gmail.com>

* Add gosec annotations

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* add G304 auditing comment

Signed-off-by: bergquist <carl.bergquist@gmail.com>

* add G304 auditing comment

Signed-off-by: bergquist <carl.bergquist@gmail.com>

* add G304 auditing comment

Signed-off-by: bergquist <carl.bergquist@gmail.com>

* Add gosec annotations

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* space

Signed-off-by: bergquist <carl.bergquist@gmail.com>

* Add gosec annotations

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

Co-authored-by: bergquist <carl.bergquist@gmail.com>
2020-12-03 22:13:06 +01:00
Arve Knudsen
752a424e1f
Auth proxy: Return standard error type (#29502)
* Rewrite auth proxy tests to use standard lib

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* Auth proxy: Use standard error type

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-12-02 16:57:16 +01:00
Arve Knudsen
9593d57914
Chore: Enable errorlint linter (#29227)
* Enable errorlint linter
* Handle wrapped errors

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2020-11-19 14:47:17 +01:00
Arve Knudsen
7897c6b7d5
Chore: Fix staticcheck issues (#28854)
* Chore: Fix issues reported by staticcheck

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>

* Undo changes

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-11-05 11:57:20 +01:00
Arve Knudsen
077eab1b24
Chore: Use net.JoinHostPort (#28421)
Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-10-22 07:34:26 +02:00
Arve Knudsen
a5d9196a53
Chore/fix lint issues (#27704)
* Chore: Fix linting issues

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-09-22 16:22:19 +02:00
Leonard Gram
c266f45858
LDAP: users without org mappings are marked as disabled (#26650)
* LDAP: users without org mappings are marked as disabled

* Update pkg/services/ldap/ldap.go

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>

* LDAP: verifies that unmapped users are tagged as isDisabled

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-07-31 14:41:31 +02:00
Arve Knudsen
16c185c3b9
Chore: Drop xerrors dependency (#26718)
Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-07-31 09:45:20 +02:00
Arve Knudsen
d4e4cb4c71
Chore: Enable Go linter gocritic (#26224)
* Chore: Enable gocritic linter

Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-07-16 14:39:01 +02:00
Arve Knudsen
41d432b5ae
Chore: Enable whitespace linter (#25903)
Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-07-06 20:17:28 +02:00
annegies
a2737c0896
Remove break from ldap, get all groups from all the group base searches specified (#25825)
Signed-off-by: Annegies van 't Zand <ace.vtzand@gmail.com>
2020-07-06 12:02:39 +02:00
Emil Tullstedt
e8b5f2330d
Settings: Expand variables in configuration (#25075) 2020-06-10 14:58:42 +02:00
Arve Knudsen
07582a8e85
Chore: Fix various spelling errors in back-end code (#25241)
* Chore: Fix various spelling errors in back-end code
Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>>
2020-06-01 17:11:25 +02:00
Mario Trangoni
5116420e9a
Fix misspell issues (#23905)
* Fix misspell issues

See,
$ golangci-lint run --timeout 10m --disable-all -E misspell ./...

Signed-off-by: Mario Trangoni <mjtrangoni@gmail.com>

* Fix codespell issues

See,
$ codespell -S './.git*' -L 'uint,thru,pres,unknwon,serie,referer,uptodate,durationm'

Signed-off-by: Mario Trangoni <mjtrangoni@gmail.com>

* ci please?

* non-empty commit - ci?

* Trigger build

Co-authored-by: bergquist <carl.bergquist@gmail.com>
Co-authored-by: Kyle Brandt <kyle@grafana.com>
2020-04-29 21:37:21 +02:00
Omar Nahhas Sanchez
cf23f15a08
Adding debug line to search ldap. (#23824) 2020-04-24 09:53:42 +02:00
Ricardo
c3884abf62
Add fallback to search_base_dns if group_search_base_dns is undefined. (#21263)
* Add fallback to search_base_dns if group_search_base_dns is undefined.

refs: #20862

* removed newline to make lint-go happy

* Added requested changes on ldap.md for last commit

Refs: #21263
2020-03-03 09:11:16 -08:00
Carl Bergquist
f9962eabff
chore: avoid aliasing imports in services (#22499) 2020-02-29 13:35:15 +01:00
Torkel Ödegaard
4ffff1a312
LDAP: Interpolate env variable expressions in ldap.toml file (#20173)
* LDAP: Interpolate env variable expressions in ldap.toml file

* Removed comment
2019-11-06 21:41:21 +01:00
gotjosh
b20a258b72
LDAP: Show non-matched groups returned from LDAP (#19208)
* LDAP: Show all LDAP groups

* Use the returned LDAP groups as the reference when debugging LDAP

We need to use the LDAP groups returned as the main reference for
assuming what we were able to match and what wasn't. Before, we were
using the configured groups in LDAP TOML configuration file.

* s/User name/Username

* Add a title to for the LDAP mapping results

* LDAP: UI Updates to debug view

* LDAP: Make it explicit when we weren't able to match teams
2019-09-19 16:13:38 +01:00
gotjosh
99c799e9b7
Close the connection only if we establish it. (#18897) 2019-09-16 14:13:35 +01:00
gotjosh
0cbbb43222
LDAP: Add API endpoint to debug user mapping from LDAP (#18833)
* Move the ReloadLDAPCfg function to the debug file

Appears to be a better suite place for this.

* LDAP: Return the server information when we find a specific user

We allow you to specify multiple LDAP servers as part of LDAP authentication integration. As part of searching for specific users, we need to understand from which server they come from. Returning the server configuration as part of the search will help us do two things:

- Understand in which server we found the user
- Have access the groups specified as part of the server configuration

* LDAP: Adds the /api/admin/ldap/:username endpoint

This endpoint returns a user found within the configured LDAP server(s). Moreso, it provides the mapping information for the user to help administrators understand how the users would be created within Grafana based on the current configuration.

No changes are executed or saved to the database, this is all an in-memory representation of how the final result would look like.
2019-09-03 18:34:44 +01:00
Oleg Gaidarenko
fb273cb874
LDAP: nitpicks (#18309)
* LDAP: nitpicks

* Add more tests

* Correct and clarify comment for Login() method

* Rename methods (hail consistency!)

* Uppercases first letter of the logs everywhere

* Moves method definitions around to more appropriate places

Fixes #18295
2019-08-02 19:24:44 +03:00
Oleg Gaidarenko
1e5fc76601
LDAP: improve POSIX support (#18235)
* LDAP: improve POSIX support

* Correctly abtain DN attributes result

* Allow more flexibility with comparison mapping between POSIX group & user

* Add devenv for POSIX LDAP server

* Correct the docs

Fixes #18140
2019-07-24 12:49:18 +03:00
Leonard Gram
5d3a60d46e
LDAP: Adds bind before searching LDAP for non-login cases. (#18023) 2019-07-10 12:25:21 +02:00
Leonard Gram
25506829be
LDAP: Adds back support for single bind. (#17999) 2019-07-09 14:12:17 +02:00
Oleg Gaidarenko
e2cf7c9698
LDAP: finishing touches (#17945)
* LDAP:Docs: `active_sync_enabled` setting

Mention `active_sync_enabled` setting and enable it by default

* LDAP: move "disableExternalUser" method

Idea behind new design of the LDAP module is to minimise conflation
between other parts of the system, so it would decoupled as much as
possible from stuff like database, HTTP transport and etc.

Following "Do One Thing and Do It Well" Unix philosophy principal, other things
could be better fitted on the consumer side of things.

Which what this commit trying to archive

* LDAP: correct user/admin binding

The second binding was not happening, so if the admin login/password
in LDAP configuration was correct, anyone could had login as anyone using
incorrect password
2019-07-05 17:49:00 +03:00
Oleg Gaidarenko
444c4d5999
LDAP: Divide the requests (#17885)
* LDAP: Divide the requests

Active Directory does indeed have a limitation with 1000 results
per search (default of course).

However, that limitation can be workaround with the pagination search feature,
meaning `pagination` number is how many times LDAP compatible server will be
requested by the client with specified amount of users (like 1000). That feature
already embeded with LDAP compatible client (including our `go-ldap`).

But slapd server has by default stricter settings. First, limitation is not 1000
but 500, second, pagination workaround presumably (information about it a bit
scarce and I still not sure on some of the details from my own testing)
cannot be workaround with pagination feature.

See
https://www.openldap.org/doc/admin24/limits.html
https://serverfault.com/questions/328671/paging-using-ldapsearch
hashicorp/vault#4162 - not sure why they were hitting the limit in
the first place, since `go-ldap` doesn't have one by default.

But, given all that, for me `ldapsearch` command with same request
as with `go-ldap` still returns more then 500 results, it can even return
as much as 10500 items (probably more).

So either there is some differences with implementation of the LDAP search
between `go-ldap` module and `ldapsearch` or I am missing a step :/.

In the wild (see serverfault link), apparently, people still hitting that
limitation even with `ldapsearch`, so it still seems to be an issue.

But, nevertheless, I'm still confused by this incoherence.

To workaround it, I divide the request by no more then
500 items per search
2019-07-03 17:39:54 +03:00
Oleg Gaidarenko
ca136c7c22
Devenv:LDAP: couple simplifications for LDAP (#17807)
* Add LDAP config instead sed use

* Add container name

* Add SizeLimit option to client and to server.
  Probably useless at this point, but it's better to have it then otherwise
2019-07-01 15:09:04 +03:00
Leonard Gram
37e9988e95
ldap: makes mocks available for testing. (#17576)
* ldap: makes mocks available for testing.
2019-06-14 09:54:19 +02:00
Oleg Gaidarenko
1b1d951495 LDAP: refactoring (#17479)
* LDAP: use only one struct

* Use only models.ExternalUserInfo

* Add additional helper method :/

* Move all the helpers to one module

* LDAP: refactoring

* Rename some of the public methods and change their behaviour

* Remove outdated methods

* Simplify logic

* More tests
  There is no and never were tests for settings.go, added tests for helper
  methods (cover is now about 100% for them). Added tests for the main
  LDAP logic, but there is some stuff to add. Dial() is not tested and not
  decoupled. It might be a challenge to do it properly

* Restructure tests:
   * they wouldn't depend on external modules
   * more consistent naming
   * logical division

* More guards for erroneous paths

* Login: make login service an explicit dependency

* LDAP: remove no longer needed test helper fns

* LDAP: remove useless import

* LDAP: Use new interface in multildap module

* LDAP: corrections for the groups of multiple users

* In case there is several users their groups weren't detected correctly

* Simplify helpers module
2019-06-13 16:47:51 +02:00
Oleg Gaidarenko
a3092dc57b
LDAP: remove unused function (#17351) 2019-05-29 16:12:42 +03:00
Oleg Gaidarenko
de92c360a1
LDAP: reduce API and allow its extension (#17209)
* Removes Add/Remove methods

* Publicise necessary fields and methods so we could extend it

* Publicise mock API

* More comments and additional simplifications

* Sync with master

Still having low coverage :/ - should be addressed in #17208
2019-05-27 10:36:49 +03:00
Oleg Gaidarenko
9b7f9dd9be
LDAP: consistently name the LDAP entities (#17203) 2019-05-22 15:30:03 +03:00
Alexander Zobnin
2d03815770
Users: Disable users removed from LDAP (#16820)
* Users: add is_disabled column

* Users: disable users removed from LDAP

* Auth: return ErrInvalidCredentials for failed LDAP auth

* User: return isDisabled flag in user search api

* User: mark disabled users at the server admin page

* Chore: refactor according to review

* Auth: prevent disabled user from login

* Auth: re-enable user when it found in ldap

* User: add api endpoint for disabling user

* User: use separate endpoints to disable/enable user

* User: disallow disabling external users

* User: able do disable users from admin UI

* Chore: refactor based on review

* Chore: use more clear error check when disabling user

* Fix login tests

* Tests for disabling user during the LDAP login

* Tests for disable user API

* Tests for login with disabled user

* Remove disable user UI stub

* Sync with latest LDAP refactoring
2019-05-21 14:52:49 +03:00
Oleg Gaidarenko
a0f5923b95
LDAP: add tests for initialBind (#17132)
* LDAP: add tests for initialBind

* LDAP: clarify comment for Login()
2019-05-20 15:57:52 +03:00
Oleg Gaidarenko
35f227de11
Feature: LDAP refactoring (#16950)
* incapsulates multipleldap logic under one module

* abstracts users upsert and get logic

* changes some of the text error messages and import sort sequence

* heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour

* integrates affected auth_proxy module and their tests

* refactoring of the auth_proxy logic
2019-05-17 14:57:26 +03:00
Oleg Gaidarenko
79ac3fd699
Chore: remove use of == false (#17036)
Interestingly enough, golint or revive doesn't not prohibit
the use that construction :)

Ref #17035
2019-05-14 10:18:28 +03:00
zhulongcheng
2fff8f77dc move log package to /infra (#17023)
ref #14679

Signed-off-by: zhulongcheng <zhulongcheng.me@gmail.com>
2019-05-13 08:45:54 +02:00
Samuel
846b9327a5 LDAP: Added reload endpoint for LDAP config (#15470)
* 4843 - Added reload endpoint for LDAP config

closes #4843

* Refactor to make the reload work after master drifted
2019-05-03 14:53:07 +02:00
Oleg Gaidarenko
62b85a886e
LDAP Refactoring to support syncronizing more than one user at a time. (#16705)
* Feature: add cron setting for the ldap settings

* Move ldap configuration read to special function

* Introduce cron setting (no docs for it yet, pending approval)

* Chore: duplicate ldap module as a service

* Feature: implement active sync

This is very early preliminary implementation of active sync.
There is only one thing that's going right for this code - it works.

Aside from that, there is no tests, error handling, docs, transactions,
it's very much duplicative and etc.

But this is the overall direction with architecture I'm going for

* Chore: introduce login service

* Chore: gradually switch to ldap service

* Chore: use new approach for auth_proxy

* Chore: use new approach along with refactoring

* Chore: use new ldap interface for auth_proxy

* Chore: improve auth_proxy and subsequently ldap

* Chore: more of the refactoring bits

* Chore: address comments from code review

* Chore: more refactoring stuff

* Chore: make linter happy

* Chore: add cron dep for grafana enterprise

* Chore: initialize config package var

* Chore: disable gosec for now

* Chore: update dependencies

* Chore: remove unused module

* Chore: address review comments

* Chore: make linter happy
2019-04-26 15:47:16 +03:00