Adds more spans for timing in accesscontrol and remove permission deduplicating code after benchmarking
---------
Signed-off-by: Dave Henderson <dave.henderson@grafana.com>
Co-authored-by: Dave Henderson <dave.henderson@grafana.com>
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
This PR reduces the number of allocations made while caching permissions from the database, fixes the hierarchy of spans and adds new spans for tracing.
---------
Signed-off-by: Dave Henderson <dave.henderson@grafana.com>
Co-authored-by: Dave Henderson <dave.henderson@grafana.com>
* Auth: Implement org role mapping for google oauth provider
* Update docs
* Remove unused function
Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>
* Conf: Add org_mapping and org_attribute_path to github and gitlab conf
* Gitlab: Implement org role mapping
* Update docs
---------
Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
* Introduce preLogoutHooks in authn service
* Add gcom_logout_hook
* Config the api token from the Grafana config file
* Simplify
* Add tests for logout hook
* Clean up
* Update
* Address PR comment
* Fix
* Social: link to OrgRoleMapper
* OIDC: support Generic Oauth org to role mappings
Fixes: #73448
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
* Handle when getAllOrgs fails in the org_role_mapper
* Add more tests
* OIDC: ensure orgs are evaluated from API when not from token
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
* OIDC: ensure AutoAssignOrg is applied with OrgMapping without RoleAttributeStrict
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
* Extend docs
* Fix test, lint
---------
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>
* GetSignedInUser unexported (renamed to getSignedInUser)
* GetSignedInUserWithCacheCtx renamed to GetSignedInUser
* added a check for a nil cacheservice (as defensive programming / test convenience)
* Remove different constructors and only use NewNamespaceID
* AdminUser: check typed namespace id
* Identity: Add convinient function to parse valid user id when type is either user or service account
* Annotations: Use typed namespace id instead
* clean up error handling in postDashboard and remove UserDisplayDTO
* replace GetUserUID with GetUID and GetNamespacedUID, enforce namespace constant type
* lint fix
* lint fix
* more lint fixes
* Use RoleType from org package
* Move to identity package and re-export from authn
* Replace usage of top level functions for identity
Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>
* only users with Grafana Admin role can grant/revoke Grafana Admin role
* check permissions to user amdin endpoints globally
* allow checking global permissions for service accounts
* use a middleware for checking whether the caller is Grafana Admin
* User: remove unused function
* User: Remove UpdatePermissions and support IsGrafanaAdmin flag in Update function instead
* User: Remove Disable function and use Update instead
* Add `Service. IsClientEnabled` and `Client.IsEnabled` functions
* Implement `IsEnabled` function for authn clients
* Implement `IsClientEnabled` function for authn services
* AuthN: Add NamespaceID struct. We should replace the usage of encoded namespaceID with this one
* AuthN: Add optional interface that clients can implement to be able to resolve identity for a namespace
* Authn: Implement IdentityResolverClient for api keys
* AuthN: use idenity resolvers
Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>
* Authn: Resolve authenticate by and auth id when fethcing signed in user
* Change logout client interface to only take Requester interface
* Session: Fetch external auth info when authenticating sessions
* Use authenticated by from identity
* Move call to get auth-info into session client and use GetAuthenticatedBy in various places
* Add email and email_verified to id token if identity is a user
* Add endpoint to trigger email verification for user
* Add function to clear stored id tokens and use it when email verification is completed
* reenable ext-jwt-client
* fixup settings struct
* add user and service auth
* lint up
* add user auth to grafana ext
* fixes
* Populate token permissions
Co-authored-by: jguer <joao.guerreiro@grafana.com>
* fix tests
* fix lint
* small prealloc
* small prealloc
* use special namespace for access policies
* fix access policy auth
* fix tests
* fix uncalled settings expander
* add feature toggle
* small feedback fixes
* rename entitlements to permissions
* add authlibn
* allow viewing the signed in user info for non user namespace
* fix invalid namespacedID
* use authlib as verifier for tokens
* Update pkg/services/authn/clients/ext_jwt.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Update pkg/services/authn/clients/ext_jwt_test.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* fix parameter names
* change asserts to normal package
* add rule for assert
* fix ownerships
* Local diff
* test and lint
* Fix test
* Fix ac test
* Fix pluginproxy test
* Revert testdata changes
* Force revert on test data
---------
Co-authored-by: gamab <gabriel.mabille@grafana.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* add function to static function to static service
* find email and login claims with jmespath
* rename configuration files
* Replace JWTClaims struct for map
* check for subclaims error
