Commit Graph

419 Commits

Author SHA1 Message Date
Yuri Tseretyan
356a29592b
Alerting: Add two sets of provisioning actions for rules and notifications (#87149) 2024-05-09 13:19:07 -04:00
Ieva
105313f5c2
RBAC: Adding action set resolver for RBAC evaluation (#86801)
* add action set resolver

* rename variables

* some fixes and some tests

* more tests

* more tests, and put action set storing behind a feature toggle

* undo change from cfg to feature mgmt - will cover it in a separate PR due to the amount of test changes

* fix dependency cycle, update some tests

* add one more test

* fix for feature toggle check not being set on test configs

* linting fixes

* check that action set name can be split nicely

* clean up tests by turning GetActionSetNames into a function

* undo accidental change

* test fix

* more test fixes
2024-05-09 10:18:03 +01:00
Alexander Zobnin
d1c582815a
Access control: Fix searching permissions from cache (#87489)
* Fix searching permissions from cache

* Write permissions to cache
2024-05-08 16:08:21 +02:00
Ieva
9a824bdf0a
RBAC: Don't set empty action sets (#87398)
* don't set empty action sets

* extend comment
2024-05-08 15:09:46 +03:00
Karl Persson
be5ced4287
Identity: Use typed version of namespace id (#87257)
* Remove different constructors and only use NewNamespaceID

* AdminUser: check typed namespace id

* Identity: Add convenient function to parse valid user id when type is either user or service account

* Annotations: Use typed namespace id instead
2024-05-08 14:03:53 +02:00
Eric Leijonmarck
6b218b11cf
Actionsets: fix remove printf (#87439)
fix: remove printf
2024-05-07 16:36:01 +03:00
Alexander Zobnin
82dea4b3e5
Access control: Cache basic roles and teams permissions (#87043)
* RBAC: Cache basic roles permissions

* Cache teams permissions

* Set cache TTL to 1 minute

* Add OSS implementation

* Fetch basic role permissions correctly

* fix conflict_user_command

* Fix teams permissions query

* Add traces for GetUserPermissions

* Fix folders tests

* Fix conflict user command

* Update store mock

* Fix linter error

* Reuse GetUserPermissions for fetching basic roles

* tests for GetTeamsPermissions

* pre-allocate slice capacity

* Fix linter
2024-05-07 15:23:11 +02:00
Dan Cech
41bee274fd
Chore: Fix error handling in postDashboard, remove UserDisplayDTO, fix live redis client initialization (#87206)
* clean up error handling in postDashboard and remove UserDisplayDTO

* replace GetUserUID with GetUID and GetNamespacedUID, enforce namespace constant type

* lint fix

* lint fix

* more lint fixes
2024-05-06 14:17:34 -04:00
Eric Leijonmarck
601485c74d
Actionsets: Fix downgrade of permission to add the actionset permission (#87328)
* check for missingActions empty and add actionset

* spelling
2024-05-06 10:16:26 +01:00
Karl Persson
d8fbbdefea
Identity: Use typed namespace id (#87121)
* Use typed namespace id
2024-05-02 14:50:56 +02:00
Ieva
28dd1ddd8e
RBAC: Do not set permissions on data sources with wildcard UID in OSS (#87220)
do not set permissions on DS with wildcard UID
2024-05-02 13:18:29 +03:00
Ieva
5e060d2d99
Data source: Maintain the default data source permissions when switching from unlicensed to licensed Grafana (#87119)
set managed data source permissions upon resource creation for unlicensed Grafana, remove them on deletion
2024-04-30 16:05:30 +01:00
Karl Persson
a2cba3d0b5
User: Add tracing (#87028)
* Inject tracer in tests

* Annotate with traces

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2024-04-30 13:15:56 +02:00
Ieva
cee713e34c
Chore: Add tracing to team service (#86999)
* add tracing to team service

* another test fix

* pass in context for team creation and membership checking
2024-04-29 11:32:03 +01:00
Ieva
8028d1c3e1
Chore: Update tests to use team membership hooks (#86846)
* update tests to use team membership hooks

* linting
2024-04-24 16:55:42 +01:00
Serge Zaitsev
522a98c126
Chore: Make Cfg field private in SQLStore (#85593)
* make cfg private in sqlstore

* fix db init in tests

* fix case

* fix folder test init

* fix imports

* make another Cfg private

* remove another Cfg

* remove unused variable

* use store cfg, it has side-effects

* fix mutated cfg in tests
2024-04-24 10:38:40 +02:00
Karl Persson
0fa983ad8e
AuthN: Use typed namespace id inside authn package (#86048)
* authn: Use typed namespace id inside package
2024-04-24 09:57:34 +02:00
Eric Leijonmarck
ddabef9895
RBAC: Add actionsets struct and write path (#86108)
* Add actionsets struct and failing test

* update from review

* review comments

* review comments update

* refactor: create interface

* actionset service

* fix tests

* move from wireoss to wire

* Apply suggestions from code review

remove unnecessary comments

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

* nil for the actionsetservice

* Revert "nil for the actionsetservice"

This reverts commit e3d3cc8171.

---------

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2024-04-19 15:38:14 +01:00
Aaron Godin
d409d8e860
IAM - Fix error messages for resource permissions endpoints (#85773)
* IAM: fix many error messages in access-related code to provide more information

* Remove debug statement

* Refactor resourcepermissions package to use errutil

* Replace a few more errors with errutil and wrap errors found in users and teams services

* Apply diff of openAPI spec
2024-04-17 08:53:28 -05:00
Yuri Tseretyan
12605bfed2
Alerting: Update fixed roles to include silences permissions (#85826)
* update fixed roles to include silences
* add silence actions to managed permissions
* update documentation
2024-04-12 12:37:34 -04:00
Karl Persson
73fecc8d80
Authn: Identity resolvers (#85930)
* AuthN: Add NamespaceID struct. We should replace the usage of encoded namespaceID with this one

* AuthN: Add optional interface that clients can implement to be able to resolve identity for a namespace

* Authn: Implement IdentityResolverClient for api keys

* AuthN: use identity resolvers

Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>
2024-04-12 11:38:20 +02:00
Ieva
58059da10b
RBAC: Fix global role deletion in hosted Grafana (#85980)
take into account the value of RBACSingleOrganization setting when determining org
2024-04-11 18:50:23 +01:00
Alexander Zobnin
3127566a20
Access control: Use ResolveIdentity() for authorizing in org (#85549)
* Access control: Use ResolveIdentity() for authorizing in org

* Fix tests

* Fix middleware tests

* Use ResolveIdentity in HasGlobalAccess() function

* remove makeTmpUser

* Cleanup

* Fix linter errors

* Fix test build

* Remove GetUserPermissionsInOrg()
2024-04-10 12:42:13 +02:00
Yuri Tseretyan
509691b416
Alerting: Introduce authorization logic for operations on silences (#85418)
* extract genericService from RuleService just to reuse it later
* implement silence service

---------

Co-authored-by: William Wernert <william.wernert@grafana.com>
Co-authored-by: Matthew Jacobson <matthew.jacobson@grafana.com>
2024-04-08 18:02:28 -04:00
Serge Zaitsev
faa1244518
Chore: Replace sqlstore with db interface (#85366)
* replace sqlstore with db interface in a few packages

* remove from stats

* remove sqlstore in admin test

* remove sqlstore from api plugin tests

* fix another createUser

* remove sqlstore in publicdashboards

* remove sqlstore from orgs

* clean up orguser test

* more clean up in sso

* clean up service accounts

* further cleanup

* more cleanup in accesscontrol

* last cleanup in accesscontrol

* clean up teams

* more removals

* split cfg from db in testenv

* few remaining fixes

* fix test with bus

* pass cfg for testing inside db as an option

* set query retries when no opts provided

* revert golden test data

* rebase and rollback
2024-04-04 15:04:47 +02:00
Karl Persson
504870f10a
Auth: Decouple client and hook registration (#85084) 2024-04-04 09:33:00 +02:00
Ieva
beb15d938b
RBAC: Fix access checks for interactions with RBAC roles in hosted Grafana (#85485)
* don't check global permissions for cloud instances

* linting
2024-04-03 11:44:16 +01:00
Jo
5340a6e548
Auth: Extended JWT client for OBO and Service Authentication (#83814)
* reenable ext-jwt-client

* fixup settings struct

* add user and service auth

* lint up

* add user auth to grafana ext

* fixes

* Populate token permissions

Co-authored-by: jguer <joao.guerreiro@grafana.com>

* fix tests

* fix lint

* small prealloc

* small prealloc

* use special namespace for access policies

* fix access policy auth

* fix tests

* fix uncalled settings expander

* add feature toggle

* small feedback fixes

* rename entitlements to permissions

* add authlibn

* allow viewing the signed in user info for non-user namespace

* fix invalid namespacedID

* use authlib as verifier for tokens

* Update pkg/services/authn/clients/ext_jwt.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* Update pkg/services/authn/clients/ext_jwt_test.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* fix parameter names

* change asserts to normal package

* add rule for assert

* fix ownerships

* Local diff

* test and lint

* Fix test

* Fix ac test

* Fix pluginproxy test

* Revert testdata changes

* Force revert on test data

---------

Co-authored-by: gamab <gabriel.mabille@grafana.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2024-04-02 17:45:15 +02:00
linoman
147154d2ea
Remove AuthConfigUIAdminAccess (#85452)
* Remove AuthConfigUIAdminAccess
2024-04-02 15:02:28 +02:00
Karl Persson
5dd98a0fd5
RBAC: handle partially resolved scopes (#85323)
* RBAC: handle partially resolved scopes

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2024-03-28 10:08:07 +01:00
Gabriel MABILLE
5e48804364
RBAC: Fix slow user permission search query on MySQL (#85058)
* Bench testing search user perm

* Add BenchmarkSearchUsersPermissions_1K_1K

* Clarify benchmark searches by action prefix

* Make MySQL more efficient

* Move all filter options

* Expand after assignments union

* update comments
2024-03-25 19:11:17 +01:00
Yuri Tseretyan
48de8657c9
Alerting: Editor role can access all provisioning API (#85022) 2024-03-23 00:14:15 +02:00
Ieva
7aa0ba8c59
Teams: Display teams page to team reader if they also have the access to list team permissions (#84650)
* display teams to team reader if they also have the access to list team permissions

* fix a typo in the docs
2024-03-18 14:52:01 +02:00
Alexander Zobnin
f36ad469d0
Access Control: Get global role from request params (#84469) 2024-03-14 16:17:24 +01:00
Alexander Zobnin
fd9031ca37
Access Control: Get org from request data for authorization (#84359)
* Access Control: Get org from request data for authorization

* move type to models

* Update pkg/services/accesscontrol/middleware.go

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

* refactor

* refactor

* Fix linter

---------

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2024-03-13 17:05:03 +01:00
Misi
f5c78e0ad9
RBAC: Add ActionSettingsRead action to general.auth.config writer (#84366)
Add ActionSettingsRead action to general.auth.config writer
2024-03-13 14:48:13 +01:00
Yuri Tseretyan
21719a6b5b
Chore: Fix log message in access control (#84101) 2024-03-07 23:34:22 +02:00
Karl Persson
22074c5026
RBAC: add debug log for permission evaluation (#83880)
* fix: add debug log when evaluating permissions that includes target permissions
2024-03-05 08:50:19 +01:00
Alexander Zobnin
82a88cc83f
Access control: Extend GetUserPermissions() to query permissions in org (#83392)
* Access control: Extend GetUserPermissions() to query permissions in specific org

* Use db query to fetch permissions in org

* refactor

* refactor

* use conditional join

* minor refactor

* Add test cases

* Search permissions correctly in OSS vs Enterprise

* Get permissions from memory

* Refactor

* remove unused func

* Add tests for GetUserPermissionsInOrg

* fix linter
2024-03-04 13:29:13 +01:00
Jo
0aebb9ee39
Misc: Remove unused params and impossible logic (#83756)
* remove unused params and impossible logic

* remove unused param
2024-03-01 12:08:00 +01:00
Gabriel MABILLE
8d9921a5ba
RBAC: Fix delete team permissions on team delete (#83442)
* RBAC: Remove team permissions on delete

* Remove unnecessary deletes from store function

* Nit on mock

* Add test to the database

* Nit on comment

* Add another test to check that other permissions remain
2024-02-27 12:21:26 +01:00
Jo
cc3b088b6c
Teams: Fix missing context in team service (#83327)
fix missing context in team service
2024-02-27 11:10:54 +01:00
Gabriel MABILLE
80d6bf6da0
AuthN: Remove embedded oauth server (#83146)
* AuthN: Remove embedded oauth server

* Restore main

* go mod tidy

* Fix problem

* Remove permission intersection

* Fix test and lint

* Fix TestData test

* Revert to origin/main

* Update go.mod

* Update go.mod

* Update go.sum
2024-02-26 11:29:09 +01:00
Alexander Zobnin
9bbb7f67e0
Chore: Move store interface to top level (#83153)
* Chore: Move store interface to top level

* Update store mock
2024-02-21 14:32:54 +01:00
Serge Zaitsev
1aff748e8f
Use split scopes instead of substr in search v1 (#82092)
* use split scopes instead of substr in search v1

* tests, of course

* yet, some test helpers don't use split scopes

* another test helper to fix

* add permission.identifier to group by

* check if attribute is uid

* fix tests

* use SplitScope()

* fix more tests
2024-02-18 22:26:08 +01:00
Misi
bb9d5799cf
Auth: Load oauth_allow_insecure_email_lookup using the SettingsProvider (#82460)
* wip

* Introduce fixed:server.config:writer role

* Fix tests

* Update name
2024-02-16 12:05:00 +01:00
Gabriel MABILLE
846eadff63
RBAC Search: Replace userLogin filter by namespacedID filter (#81810)
* Add namespace ID

* Refactor and add tests

* Rename maxOneOption -> atMostOneOption

* Add ToDo

* Remove UserLogin & UserID for NamespaceID

Co-authored-by: jguer <joao.guerreiro@grafana.com>

* Remove unnecessary import of the userSvc

* Update pkg/services/accesscontrol/acimpl/service.go

* fix 1 -> userID

* Update pkg/services/accesscontrol/accesscontrol.go

---------

Co-authored-by: jguer <joao.guerreiro@grafana.com>
2024-02-16 11:42:36 +01:00
Karl Persson
1315c67c8b
Team/User: UID migrations (#82298)
* Add user uid migration to run on every startup to protect against empty values in an upgrade-downgrade scenario

* Add team uid migration to run on every startup to protect against empty values in an upgrade-downgrade scenario

* Run team uid migration
2024-02-12 14:48:29 +01:00
Dan Cech
790e1feb93
Chore: Update test database initialization (#81673)
* streamline initialization of test databases, support on-disk sqlite test db

* clean up test databases

* introduce testsuite helper

* use testsuite everywhere we use a test db

* update documentation

* improve error handling

* disable entity integration test until we can figure out locking error
2024-02-09 09:35:39 -05:00
Jo
6ac0bc5ecf
Seeder: Add missing methods to Registrations (#81961)
* add slice copy method

* fix slice copy
2024-02-08 09:54:17 +01:00