* Add function to get the namespaced id
* Add function to resolve an identity through authn.Service from org and namespace id
* Switch to resolve identity for re-authenticate in another org
* AuthN: Move identity struct to its own file
* IDForwarding: Add IDToken property to usr and identity structs and add GetIDToken to requester interface
* Inject IDService into background services
* IDForwarding: Register post auth hook when feature toggle is enabled
* Authn: Add interface for external identity sync
This interface is implemented by authnimpl.Service and just triggers PostAuthHooks and skipping last seen update by default
* Authn: Add SyncIdentity to fake and add a new mock
* wip
* scope active user to 1 org
* remove TODOs
* add render auth namespace
* import cycle fix
* make condition more readable
* convert Evaluate to user Requester
* only use active OrgID for SearchUserPermissions
* add cache key to interface definition
* change final SignedInUsers to interface
* fix api key managed roles fetch
* fix anon auth id parsing
* Update pkg/services/accesscontrol/acimpl/accesscontrol.go
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
---------
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* Dashboards: Fix tests when authn broker is enabled.
StarService was not configured for tests, the call was guarded by !c.IsSignedIn
* Change default to be anon user to match expectations from tests
* OAuth: rewrite tests to work with authn.Service
* Setup template renderer by default
* Extract cookie options from cfg instead of relying on global variables
* Fix test to work with authn service
* Middleware: rewrite auth tests
* Remvoe session cookie if we cannot refresh access token
* make sure LastSeen hook has information to decide if update is necessary
* make user service check if it should update the user's last seen
* do not run last seen hook if is a login request
* make service return error when last seen is up to date
* fix err
* Update pkg/services/contexthandler/contexthandler.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* fix golint
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Search sql filter draft, unfinished
* Search works for empty roles
* Add current AuthModule to SignedInUser
* clean up, changes to the search
* Use constant prefixes
* Change AuthModule to AuthenticatedBy
* Add tests for using the permissions from the SignedInUser
* Refactor and simplify code
* Fix sql generation for pg and mysql
* Fixes, clean up
* Add test for empty permission list
* Fix
* Fix any vs all in case of edit permission
* Update pkg/services/authn/authn.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Update pkg/services/sqlstore/permissions/dashboard_test.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Fixes, changes based on the review
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Append analytics identifier upon authenticate session
* Add id and module upon syncing user to identity
* Add authModule & id to `IdentityFromSignedInUser`
* Allow req calls in test to use basic auth
* Add `intercom_secret` to grafana config in tests
* Add test for analytics render in html view
* FeatureToggle: Add toggle to use a new way of rotating tokens
* API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd
* Auth: Aling not authorized handling between auth middleware and access
control middleware
* API: add utility function to get redirect for login
* API: Handle token rotation redirect for login page
* Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request
* ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated
* AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated
* Cookies: Add option NotHttpOnly
* AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated
* AuthN: Add function to delete session cookie and set expiry cookie
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* AuthN: add utility functions to handle response and redirect after
successful login
* API: Reuse utility functions for logins if authnService flag is enabled
* AuthN: Add flag to control org role syncs
* JWT: Only sync org roles if the skip flag for jwt is false
* LDAP: Only sync org role if skip flag for ldap is false
* OAuth: Skip org roles sync if no roles were provided by upstream service
* Grafana: Set SyncOrgRoles to true for authentication through proxy with grafana as backend
* AuthN: Update comments for ClientParams
* AuthN: Update flag name from SyncTeamMembers to SyncTeams
* UserSync: rename function and fix order of parameters so it is correct
* UserSync: Fix so we skip check if no authModule or authID is passed
* UserSync: move quota check to create user function
* UserSync: Move FetchSyncedUserHook to UserSync
* UserSync: Move last seen user hook to user sync service
* ApiKey: Implement last seen hook as a client hook instead
* reorganize auth usage stats
* usage stat privilege elevators
* stat count of modified role
* cfg related info
* add authn anon client
* kv store
* ensure anon enabled is collected even if client is not registered
* fix usage stats test
* AuthN: Add HookClient interface
* AuthN: Check if client implement authn.HookClient and call the hook if
it does
* AuthN: Convert refresh token hook into a client hook
* AuthN: Update signature of redirect client and RedirectURL function
* OAuth: use authn.Service to perform oauth authentication and login if feature toggle is enabled
* AuthN: register oauth clients
* AuthN: set auth module metadata
* AuthN: add logs for failed login attempts
* AuthN: Don't use enable disabled setting
* OAuth: only run hooks when authnService feature toggle is disabled
* OAuth: Add function to handle oauth errors from authn.Service
* AuthN: store post auth hooks in a priority list and update registration
function to take a priority
* AuthN: store post login hooks in a priority list and update registration function to take a priority
* AuthN: Change priority for sync user
* API: Add reqSignedIn to router groups
* AuthN: Add fall through in context handler
* AuthN: Add IsAnonymous field
* AuthN: add priority to context aware clients
* ContextHandler: Add comment
* AuthN: Add a simple priority queue
* AuthN: Add Name to client interface
* AuthN: register clients with function
* AuthN: update mock and fake to implement interface
* AuthN: rewrite test without reflection
* AuthN: add comment
* AuthN: fix queue insert
* AuthN: rewrite tests
* AuthN: make the queue generic so we can reuse it for hooks
* ContextHandler: Add fixme for auth headers
* AuthN: remove unused variable
* AuthN: use multierror
* AuthN: write proper tests for queue
* AuthN: Add queue item that can store the value and priority
Co-authored-by: Jo <joao.guerreiro@grafana.com>
* AuthN: set up boilerplate for proxy client
* AuthN: Implement Test for proxy client
* AuthN: parse accept list in constructor
* AuthN: add proxy client interface
* AuthN: handle error
* AuthN: Implement the proxy client interface for ldap
* AuthN: change reciever name
* AuthN: add grafana as a proxy client
* AuthN: for error returned
* AuthN: add tests for grafana proxy auth
* AuthN: swap order of grafan and ldap auth
* AuthN: Parse additional proxy headers in proxy client and pass down
* AuthN: Create password client wrapper and use that on in basic auth
client
* AuthN: fix basic auth client test
* AuthN: Add tests for form authentication
* API: Inject authn service
* Login: If authnService feature flag is enabled use authn login
* Login: Handle token creation errors
* AuthN: add the ability to register post login hooks
* AuthN: add a guard for the user id
* AuthN: Add helper to create external user info from identity
* AuthN: Pass auth request to password clients
* AuthN: set auth module and username in metadata
* AuthN: Add boilderplate for render auth client
* AuthN: Implement test function for render auth client
* AuthN: Implement Authenticate for render arender auth client
* ContextHandler: Perform render auth if flag is enabled
* AuthN: Add basic auth client boilerplate
* AuthN: Implement test function for basic auth client
* AuthN: Implement the authentication method for basic auth
* AuthN: Add tests for basic auth authentication
* ContextHandler: perform basic auth authentication through authn service
if feature toggle is enabled
* AuthN: Add providers for sync services and pass required dependencies
* AuthN: Replicate functionallity to get org id for request
* Authn: parse org id for the request and populate the auth request with
it
* AuthN: add simple mock for client to use in test
* AuthN: add tests to verify that authentication is called with correct
org id
* AuthN: Add ClientParams to mock
* AuthN: Fix flaky org id selection
* add user sync
* add org user sync
* add client params
* merge remaining conflicts
* remove change to report.go
* update comments
* add basic tests for user ID population
* add tests for auth ID find
* add tests for user sync create and update
* add tests for orgsync
* satisfy lint
* add userID guards
* AuthN: Add functionallity to test if auth client should be used
* AuthN: Add bolierplate client for api keys and register it
* AuthN: Add tests for api key client
* Inject service
* AuthN: Update client names
* ContextHandler: Set authn service
* AuthN: Implement authentication for api key client
* ContextHandler: Use authn service for api keys if flag is enabled
* AuthN: refactor authentication method to return additional value to
indicate if client could perform authentication
* update prefixes
* Add namespaced id to identity
* AuthN: Expand the Identity struct to include required fields from signed
in user
* Add error for disabled service account
* Add function to write error response based on errutil.Error
* Add error to log
* Return errors based on errutil.Error
* pass error
* update log message
* Fix namespaced ids
* Add tests
* Lint
