Commit Graph

167 Commits

Author SHA1 Message Date
Karl Persson
be5ced4287
Identity: Use typed version of namespace id (#87257)
* Remove different constructors and only use NewNamespaceID

* AdminUser: check typed namespace id

* Identity: Add convinient function to parse valid user id when type is either user or service account

* Annotations: Use typed namespace id instead
2024-05-08 14:03:53 +02:00
Dan Cech
41bee274fd
Chore: Fix error handling in postDashboard, remove UserDisplayDTO, fix live redis client initialization (#87206)
* clean up error handling in postDashboard and remove UserDisplayDTO

* replace GetUserUID with GetUID and GetNamespacedUID, enforce namespace constant type

* lint fix

* lint fix

* more lint fixes
2024-05-06 14:17:34 -04:00
Karl Persson
0fa983ad8e
AuthN: Use typed namespace id inside authn package (#86048)
* authn: Use typed namespace id inside package
2024-04-24 09:57:34 +02:00
Marcus Efraimsson
3e385763c5
Tracing: Improve HTTP request/middleware spans and standalone apiserver (#85715)
Fixes so that auth middleware trace/span doesn't wrap the next handlers.
Allow tracing service name to be overridden in standalone apiserver.
Change k8s api tracing operation name to KubernetesAPI from 
grafana-apiserver (which is the service name)
2024-04-11 13:28:23 +02:00
Karl Persson
152cb47692
AuthN: Add IsAuthenticatedBy to identity interface and replace checks (#85262)
Add IsAuthenticatedBy to identity interface and replace checks
2024-03-27 15:22:13 +01:00
Jo
36a19bfa83
AuthProxy: Allow disabling Auth Proxy cache (#83755)
* extract auth proxy settings

* simplify auth proxy methods

* add doc mentions
2024-03-01 11:31:06 +01:00
Jo
2182cc47ac
LDAP: Fix LDAP users authenticated via auth proxy not being able to use LDAP active sync (#83715)
* fix LDAP users authenticated via auth proxy not being able to use ldap sync

* simplify id resolution at the cost of no fallthrough

* remove unused services

* remove unused cache key
2024-03-01 10:14:32 +01:00
Karl Persson
9e04fd0fb7
AuthToken: Remove client token rotation feature toggle (#82886)
* Remove usage of client token rotation flag

* Remove client token rotation feature toggle
2024-02-16 15:03:37 +01:00
Jo
6f62d970e3
JWT Authentication: Add support for specifying groups in auth.jwt for teamsync (#82175)
* merge JSON search logic

* document public methods

* improve test coverage

* use separate JWT setting struct

* correct use of cfg.JWTAuth

* add group tests

* fix DynMap typing

* add settings to default ini

* add groups option to devenv path

* fix test

* lint

* revert jwt-proxy change

* remove redundant check

* fix parallel test
2024-02-09 16:35:58 +01:00
Jo
cf616d5074
Remove X-Grafana-Device-Id from outbound requests (#81957) 2024-02-06 14:06:19 +01:00
Ryan McKinley
1caaa56de0
FeatureFlags: Use interface rather than manager (#80000) 2024-01-09 10:38:06 -08:00
Torkel Ödegaard
e924627659
Frontend: Reload the browser when backend configuration/assets change (#79057)
* Detect frontend asset changes

* Update

* merge main

* Frontend: Detect new assets / versions / config changes (#79258)

* avoid first check

* Updates and add tests

* Update

* Update

* Updated code

* refine

* use context

---------

Co-authored-by: Ryan McKinley <ryantxu@gmail.com>
2024-01-04 08:00:07 +01:00
Karl Persson
05d1ce4026
Auth: id response header (#79757)
* Add utility function to check if namespace is any of

* Refactor code to use identity interface
2023-12-21 14:06:28 +01:00
Karl Persson
21f94c5b78
Auth: id response header (#77871)
* Add config options for identity id response header

* Add feature to add identity id response header to all responses

* Use util.SplitString
2023-11-29 15:51:13 +01:00
Ryan McKinley
f69fd3726b
FeatureToggles: Add context and and an explicit global check (#78081) 2023-11-14 12:50:27 -08:00
Kyle Brandt
e4d1fdc3d0
Errors: Make errors the same in dev as prod (#77366)
When running in dev mode, error messages would contain an additional "error" property alongside "message". Since this causes confusion, that has been removed and now error messages are the same both modes (using "message").
2023-10-30 14:06:26 -04:00
Gabriel MABILLE
13a10b9bf0
Chore: Clean up the context handler (#75864)
* Chore: Clean up the context handler

Co-authored-by: Kalle Persson <kalle.persson@grafana.com>

* Better comment

Co-authored-by: Kalle Persson <kalle.persson@grafana.com>

---------

Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
2023-10-04 17:56:51 +02:00
Marcus Efraimsson
e4c1a7a141
Tracing: Standardize on otel tracing (#75528) 2023-10-03 14:54:20 +02:00
Karl Persson
7a38090bc0
AuthN: Fix namespaces for anonymous and render (#75661)
* AuthN: remove IsAnonymous from identity struct and set correct namespace for anonymous and render

* Don't parse user id for render namespace
2023-09-29 09:10:33 +02:00
Marcus Efraimsson
0128d0403f
Tracing: Use tracing.InitializeTracerForTest (#75479) 2023-09-27 09:51:57 +02:00
Ryan McKinley
025b2f3011
Chore: use any rather than interface{} (#74066) 2023-08-30 18:46:47 +03:00
Torkel Ödegaard
3ee26df41e
PublicDashboards: Variables refactor (#73476)
Co-authored-by: Juan Cabanas <juan.cabanas@grafana.com>
Co-authored-by: Ezequiel Victorero <ezequiel.victorero@grafana.com>
Co-authored-by: Ryan McKinley <ryantxu@gmail.com>
2023-08-25 13:56:02 -05:00
Karl Persson
e53e22ef2a
Contexthandler: Remove code that is no longer used (#73101)
* Contexthandler: remove dead code

* Contexthandler: Add tests

* Update pkg/tests/api/alerting/api_alertmanager_test.go

Co-authored-by: Jo <joao.guerreiro@grafana.com>

---------

Co-authored-by: Jo <joao.guerreiro@grafana.com>
2023-08-09 15:17:59 +02:00
Jo
5d8e6aa162
Auth: Org Invite and Team API SignedInUser interfacing (#73085)
* fix ngalert Evaluate sig change

* interface for teams and org invites

* Update pkg/api/org_invite.go

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>

---------

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2023-08-09 12:33:35 +02:00
Karl Persson
144e4887ee
Auth: Use authn.Service for all tests (#72921)
* Dashboards: Fix tests when authn broker is enabled.
StarService was not configured for tests, the call was guarded by !c.IsSignedIn

* Change default to be anon user to match expectations from tests

* OAuth: rewrite tests to work with authn.Service

* Setup template renderer by default

* Extract cookie options from cfg instead of relying on global variables

* Fix test to work with authn service

* Middleware: rewrite auth tests

* Remvoe session cookie if we cannot refresh access token
2023-08-09 08:54:52 +02:00
Jo
3353b1a8aa
Auth: Add authed device tagging (#72442)
* add authed device tagging

* fix config

* implement feedback

* implement feedback

* add reverse untag behavior

* remove duplicate stat

* Update pkg/services/anonymous/anonimpl/impl.go
2023-07-31 18:04:28 +02:00
Jo
e04a6fb08e
Auth: Fix static test fake (#72514)
fix static fake
2023-07-31 10:41:37 +02:00
Jo
a4a87f6228
Auth: Rename Sessions to Devices in counting (#72432)
* rename session to device

* rename session to device
2023-07-27 11:09:08 +02:00
Jo
ed780ce0e9
Auth: Fix Last Seen being updated on every request (#72036)
* make sure LastSeen hook has information to decide if update is necessary

* make user service check if it should update the user's last seen

* do not run last seen hook if is a login request

* make service return error when last seen is up to date

* fix err

* Update pkg/services/contexthandler/contexthandler.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* fix golint

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2023-07-24 16:37:35 +02:00
Todd Treece
52121b7165
Chore: Add grafana-apiserver (#70721)
* add grafana-apiserver
* remove watchset & move provisioning and http server to background
services
* remove scheme
* otel fixes (#70874)
* remove module ProvideRegistry test
* use certgenerator from apiserver package
* Control collector/pdata from going to v1.0.0-rc8 (as Tempo 1.5.1 would have it)
2023-07-14 12:22:10 -07:00
Misi
5efc3386d3
AuthZ: Extend /api/search to work with self-contained permissions (#70749)
* Search sql filter draft, unfinished

* Search works for empty roles

* Add current AuthModule to SignedInUser

* clean up, changes to the search

* Use constant prefixes

* Change AuthModule to AuthenticatedBy

* Add tests for using the permissions from the SignedInUser

* Refactor and simplify code

* Fix sql generation for pg and mysql

* Fixes, clean up

* Add test for empty permission list

* Fix

* Fix any vs all in case of edit permission

* Update pkg/services/authn/authn.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* Update pkg/services/sqlstore/permissions/dashboard_test.go

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>

* Fixes, changes based on the review

---------

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2023-07-12 12:31:36 +02:00
Michael Mandrus
ff6d6659fb
Query: Fix concurrency handling for mixed datasource queries (#70100)
* split queries and merge responses

* increase concurrency again

* update unit test to verify the headers are merged

* fix lint issue

* fix race condition in unit test

* Fix function name and add a bit more documentation about how the func should be used

* update function call after rename

* check for duplicate header vals

* make concurrent query limit configurable

* Update conf/sample.ini

Co-authored-by: Sofia Papagiannaki <1632407+papagian@users.noreply.github.com>

---------

Co-authored-by: Sofia Papagiannaki <1632407+papagian@users.noreply.github.com>
2023-07-06 17:15:43 +03:00
Jo
aee5c6dea0
Auth: Use auth broker by default (#69620)
remove authnservice toggle
2023-06-07 08:57:41 +02:00
Jo
05e71d4c6b
AnonymousAuth: Fix concurrent read-write crash (#68637)
clone http req before tagging
2023-05-22 13:27:28 +02:00
Jo
5ec0f82baa
Separate authn flow from analytics (#68327)
* separate authn flow from analytics

* lint fix
2023-05-15 18:38:54 +02:00
linoman
15e34505e2
Render analytics identifiers (#67860)
* Append analytics identifier upon authenticate session

* Add id and module upon syncing user to identity

* Add authModule & id to `IdentityFromSignedInUser`

* Allow req calls in test to use basic auth

* Add `intercom_secret` to grafana config in tests

* Add test for analytics render in html view
2023-05-05 17:17:18 +02:00
Jo
96fdbbee90 AuthJWT: Fix JWT query param leak (CVE-2023-1387) (#825)
fix JWT query param leak

Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
2023-04-27 14:40:44 +03:00
Misi
4cac95d1c2
Auth: Remove the session cookie only if it's invalid or revoked (#65984)
Remove the cookie if it's invalid or revoked
2023-04-13 09:23:39 +02:00
Michael Mandrus
5626461b3c
Caching: Refactor enterprise query caching middleware to a wire service (#65616)
* define initial service and add to wire

* update caching service interface

* add skipQueryCache header handler and update metrics query function to use it

* add caching service as a dependency to query service

* working caching impl

* propagate cache status to frontend in response

* beginning of improvements suggested by Lean - separate caching logic from query logic.

* more changes to simplify query function

* Decided to revert renaming of function

* Remove error status from cache request

* add extra documentation

* Move query caching duration metric to query package

* add a little bit of documentation

* wip: convert resource caching

* Change return type of query service QueryData to a QueryDataResponse with Headers

* update codeowners

* change X-Cache value to const

* use resource caching in endpoint handlers

* write resource headers to response even if it's not a cache hit

* fix panic caused by lack of nil check

* update unit test

* remove NONE header - shouldn't show up in OSS

* Convert everything to use the plugin middleware

* revert a few more things

* clean up unused vars

* start reverting resource caching, start to implement in plugin middleware

* revert more, fix typo

* Update caching interfaces - resource caching now has a separate cache method

* continue wiring up new resource caching conventions - still in progress

* add more safety to implementation

* remove some unused objects

* remove some code that I left in by accident

* add some comments, fix codeowners, fix duplicate registration

* fix source of panic in resource middleware

* Update client decorator test to provide an empty response object

* create tests for caching middleware

* fix unit test

* Update pkg/services/caching/service.go

Co-authored-by: Arati R. <33031346+suntala@users.noreply.github.com>

* improve error message in error log

* quick docs update

* Remove use of mockery. Update return signature to return an explicit hit/miss bool

* create unit test for empty request context

* rename caching metrics to make it clear they pertain to caching

* Update pkg/services/pluginsintegration/clientmiddleware/caching_middleware.go

Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>

* Add clarifying comments to cache skip middleware func

* Add comment pointing to the resource cache update call

* fix unit tests (missing dependency)

* try to fix mystery syntax error

* fix a panic

* Caching: Introduce feature toggle to caching service refactor (#66323)

* introduce new feature toggle

* hide calls to new service behind a feature flag

* remove licensing flag from toggle (misunderstood what it was for)

* fix unit tests

* rerun toggle gen

---------

Co-authored-by: Arati R. <33031346+suntala@users.noreply.github.com>
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
2023-04-12 12:30:33 -04:00
Joan López de la Franca Beltran
87a0c95164
Rendering: Experimental support to use JWTs as auth method (#60841)
* Rendering: Add support for auth through JWT

* Goimports

* Apply review suggestions

* Correct feature toggle ref

* Minor changes
2023-04-03 18:53:38 +02:00
Emil Tullstedt
be9361cb9e
Logger: Add feature toggle for errors in HTTP request logs (#64425) 2023-03-31 15:38:09 +02:00
Karl Persson
e4d998dc1a
ApiKeyGenPrefix: rename package (#65623)
* Rename package to satokengen to make it clearer that it is for service
account tokens
2023-03-30 17:04:10 +02:00
Serge Zaitsev
a38f230d37
Chore: Remove result fields from login (#65136)
* remove result fields from login

* fix tests

* fix tests

* another shadowing
2023-03-28 20:32:21 +02:00
Karl Persson
382b24742a
Auth: Add feature flag to move token rotation to client (#65060)
* FeatureToggle: Add toggle to use a new way of rotating tokens

* API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd

* Auth: Aling not authorized handling between auth middleware and access
control middleware

* API: add utility function to get redirect for login

* API: Handle token rotation redirect for login page

* Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request

* ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated

* AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated

* Cookies: Add option NotHttpOnly

* AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated

* AuthN: Add function to delete session cookie and set expiry cookie

Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2023-03-23 14:39:04 +01:00
Eric Leijonmarck
3cd952b8ba
Auth: Fix orgrole picker disabled if isSynced user (#64033)
* fix: disable orgrolepicker if externaluser is synced

* add disable to role picker

* just took me 2 hours to center the icon

* wip

* fix: check externallySyncedUser for API call

* remove check from store

* add: tests

* refactor authproxy and made tests run

* add: feature toggle

* set feature toggle for tests

* add: IsProviderEnabled

* refactor: featuretoggle name

* IsProviderEnabled tests

* add specific tests for isProviderEnabled

* fix: org_user tests

* add: owner to featuretoggle

* add missing authlabels

* remove fmt

* feature toggle

* change config

* add test for a different authmodule

* test refactor

* gen feature toggle again

* fix basic auth user able to change the org role

* test for basic auth role

* make err.base to error

* lowered lvl of log and input mesg
2023-03-22 17:41:59 +00:00
Serge Zaitsev
743d66396a
Chore: Remove result field from API keys commands and queries (#65055)
* Chore: remove result field from api keys

* fix shadowing

* actually shadowing was all right
2023-03-21 13:26:33 +01:00
Carl Bergquist
eb507dca89
Remotecache: rename setbytearray/getbytearray to set/get and remove codec (#64470)
Signed-off-by: bergquist <carl.bergquist@gmail.com>
2023-03-10 13:57:29 +01:00
Karl Persson
8ef2afda87
ContextHandler: Always initiate permission map on signed in user (#64541) 2023-03-09 18:08:56 +01:00
Jo
4ee389676e
RemoteCache: Cleanup infra remote cache (#64381)
* add warning on Count

* add usagestats service

* fix typo

* remove unused glog

* remote cache stats collect

* add encrypt usage stat

* rename handler

* Update pkg/infra/remotecache/remotecache.go

Co-authored-by: Dan Cech <dcech@grafana.com>

* Update pkg/infra/remotecache/remotecache_test.go

---------

Co-authored-by: Dan Cech <dcech@grafana.com>
2023-03-09 09:26:13 +01:00
Ezequiel Victorero
8bd4e2cb25
Reqcontext: Use err status code instead of always fallback (#63974) 2023-03-01 17:11:16 -03:00