68 Commits

Author SHA1 Message Date
Artur Wierzbicki
b6f77bdfdb
Chore: provide authn.Service rather than *authnimpl.Service (#64792)
chore: provide `authn.Service` rather than `*authnimpl.Service` (#64792)
2023-03-15 03:04:11 -07:00
Carl Bergquist
eb507dca89
Remotecache: rename setbytearray/getbytearray to set/get and remove codec (#64470)
Signed-off-by: bergquist <carl.bergquist@gmail.com>
2023-03-10 13:57:29 +01:00
Carl Bergquist
7c55dbf37d
Remotecache: Migrates get/set calls to use bytearrays and remove get/set functions (#63525)
Signed-off-by: bergquist <carl.bergquist@gmail.com>
2023-03-08 17:08:57 +01:00
Misi
6543259a7d
Auth: Add SyncPermissions post auth hook (#64205)
* Add SyncPermissionsFromDB post auth hook

* Delete FromDB prefix

* Align tests

* Fixes

* Change SyncPermissionsHook prio
2023-03-08 13:35:54 +01:00
Karl Persson
872d2d1e1c
AuthN: Login error handling (#64239)
* Social: Fix type so it appears in error responses

* AuthN: construct errutil.Error from social.Error

* login: Check for errutil.Error and use public message

* Login: redirectURLWithErrorCookie for authn errors

Co-authored-by: Jo <joao.guerreiro@grafana.com>
2023-03-07 09:57:25 +01:00
Karl Persson
66ef5325d1
AuthN: add metrics for login and authentication (#63783)
* AuthN: Add metrics
2023-03-06 17:07:57 +01:00
Karl Persson
4ede9fc7a4
AuthN: User sync info clean up (#64217)
* AuthN: handle case where auth_info exists but not the user
2023-03-06 14:17:48 +01:00
Karl Persson
f258adadbf
AuthN: add utility functions for different type of login responses (#64133)
* AuthN: add utility functions to handle response and redirect after
successful login

* API: Reuse utility functions for logins if authnService flag is enabled
2023-03-03 14:17:09 +01:00
Jo
92f47e72e1
Authn: Add missing jwt auth stat (#64127)
add missing jwt auth stat
2023-03-03 13:39:08 +01:00
Karl Persson
e3cbc1f165
AuthN: Fix issue with duplicated auth connection (#63836)
AuthN: Fix issue with duplicated auth connection when user signed in
first time
2023-02-28 13:34:15 +01:00
Karl Persson
8484d0c4ef
Settings: Remove global variables for auth settings (#63795)
* Setting: Remove global DisableLoginForm and add it to cfg

* Setting: Remove unused BasicAuthEnabled global

* Setting: Remove global OAuthAutoLogin and use from cfg

* Setting: Remove global AnonymousEnabled

* Setting: Remove global values for AuthProxy settings
2023-02-27 15:28:49 +01:00
Karl Persson
2a7fc3983b
AuthN: cleanup logs (#63652)
* AuthN: clean up logs
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2023-02-24 11:26:55 +01:00
Karl Persson
16b416b88b
AuthN: Extract enable disabled users logic to its own hook (#63628)
2023-02-23 13:06:06 +01:00
Karl Persson
ddaf145d71
AuthN: Fix user sync with multiple client (#63615)
* AuthN: Fix user sync to handle auth connections to multiple providers
2023-02-23 12:23:51 +01:00
Karl Persson
057d9c45fa
AuthN: Add in-memory cache for oauth token refresh hook (#63569)
* OAuthSyncHook: Add in-memory cache so we don't have to perform the check on every request

Co-authored-by: Jo <joao.guerreiro@grafana.com>
2023-02-23 09:36:21 +01:00
Jo
635a456fa4
Authn: Add separate context for session tagging (#63561)
add context
2023-02-22 14:31:08 +01:00
Karl Persson
207a55be66
AuthN: add flag for org roles sync (#63507)
* AuthN: Add flag to control org role syncs

* JWT: Only sync org roles if the skip flag for jwt is false

* LDAP: Only sync org role if skip flag for ldap is false

* OAuth: Skip org roles sync if no roles were provided by upstream service

* Grafana: Set SyncOrgRoles to true for authentication through proxy with grafana as backend
2023-02-22 10:27:48 +01:00
Jo
ff78103a24
Authn: Anon session service (#63052)
* add anon sessions package

* add usage stat fn

* implement count for cache

* add anonservice to authn broker

* lint

* add tests for remote cache count

* move anon service to services

* wrap tagging in goroutine

* make func used
2023-02-21 16:21:18 +01:00
Karl Persson
5ca8ea40c1
AuthN: Cleanup authn package (#63456)
* AuthN: Update comments for ClientParams

* AuthN: Update flag name from SyncTeamMembers to SyncTeams

* UserSync: rename function and fix order of parameters so it is correct

* UserSync: Fix so we skip check if no authModule or authID is passed

* UserSync: move quota check to create user function

* UserSync: Move FetchSyncedUserHook to UserSync

* UserSync: Move last seen user hook to user sync service

* ApiKey: Implement last seen hook as a client hook instead
2023-02-21 11:21:34 +01:00
Jo
554dc9b97d
Authn: Fix password client fallthrough (#63244)
* fix password client fallthrough

* fix grafana client String
2023-02-12 13:42:47 +00:00
Jo
d4cfbd9fd3
LDAP: Move LDAP globals to Config (#63255)
* structure dtos and private methods

* add basic LDAP service

* use LDAP service in ldap debug API

* lower non fatal error

* remove unused globals

* wip

* remove final globals

* fix tests to use cfg enabled

* restructure errors

* remove logger from globals

* use ldap service in authn

* use ldap service in context handler

* fix failed tests

* fix ldap middleware provides

* fix provides in auth_test.go
2023-02-10 19:01:55 +01:00
Jo
6322fce725
LDAP: Move to single package cluster (#63035)
* move multildap to ldap package

* move LDAP api and tests to ldap package

* register background service

* lint
2023-02-08 09:32:59 +01:00
Jo
14a78b58e9
Authn: Stat registration (#62934)
* reorganize auth usage stats

* usage stat privilege elevators

* stat count of modified role

* cfg related info

* add authn anon client

* kv store

* ensure anon enabled is collected even if client is not registered

* fix usage stats test
2023-02-06 17:23:53 +01:00
Karl Persson
9311085e5a
AuthN: support sync cache for proxy client (#62874)
* AuthN: Add cache support for auth proxy to skip sync

* AuthN: Change proxy auth hook to be a client hook

* AuthN: fix cache key

* fix test

* lint
2023-02-06 13:30:05 +01:00
idafurjes
982939111b
Rename Id to ID for annotation models (#62886)
* Rename Id to ID for annotation models

* Add xorm tags

* Rename Id to ID for API key models

* Add xorm tags
2023-02-03 17:23:09 +01:00
Karl Persson
6840cc11ff
AuthN: add support for client specific hooks (#62863)
* AuthN: Add HookClient interface

* AuthN: Check if client implement authn.HookClient and call the hook if
it does

* AuthN: Convert refresh token hook into a client hook
2023-02-03 14:35:17 +01:00
Karl Persson
180a587f70
AuthN: fetch final state of signed in user (#62854)
* AuthN: add a hook we can use to fetch final state of user
2023-02-03 14:14:38 +01:00
Karl Persson
ad068ed533
AuthN: Use BasicAuth from http request (#62792)
AuthN: use BasicAuth from http request
2023-02-03 09:11:53 +01:00
Misi
7c1d9769ca
Auth: Rotate token patch (#62676)
* Use singleflight.Group

* Align tests

* Cleanup
2023-02-02 14:36:16 +01:00
Karl Persson
d395901e80
AuthN: Expose RegisterClient and add client name for saml (#62604)
* AuthN: add RegisterClient to service interface

* AuthN: Add client name for saml
2023-02-02 10:09:52 +01:00
Karl Persson
efeb0daec6
AuthN: Add oauth clients and perform oauth authentication with authn.Service (#62072)
* AuthN: Update signature of redirect client and RedirectURL function

* OAuth: use authn.Service to perform oauth authentication and login if feature toggle is enabled

* AuthN: register oauth clients

* AuthN: set auth module metadata

* AuthN: add logs for failed login attempts

* AuthN: Don't use enable disabled setting

* OAuth: only run hooks when authnService feature toggle is disabled

* OAuth: Add function to handle oauth errors from authn.Service
2023-01-30 12:45:04 +01:00
Serge Zaitsev
7dbd2cd139
Chore: Fix goimports grouping (#62426)
fix goimports ordering
2023-01-30 09:34:18 +01:00
Kristin Laemmert
9256a520a4
chore: move user_auth models to (mostly) login service (#62269)
* chore: move user_auth models to (mostly) login service
2023-01-27 13:36:54 -05:00
Eric Leijonmarck
5531e22f46
Auth: Add disable of team sync for JWT Authentication (#62191)
* fix: disable team sync for JWT Authentication

* add: comment to test

* change test to conform to new expected behavior

* fix: spelling

* formatting
2023-01-27 16:05:25 +01:00
Karl Persson
3447ad2602
AuthN: support priority for post auth and post login hooks (#62208)
* AuthN: store post auth hooks in a priority list and update registration
function to take a priority

* AuthN: store post login hooks in a priority list and update registration function to take a priority

* AuthN: Change priority for sync user
2023-01-27 11:40:12 +01:00
Jo
284ca4eab4
AuthN: JWT remove unnecessary if (#62233)
remove unnecessary if
2023-01-26 17:32:20 +01:00
Karl Persson
95ea4bad6f
AuthN: Rebuild Authenticate so we only have to call it once in context handler (#61705)
* API: Add reqSignedIn to router groups

* AuthN: Add fall through in context handler

* AuthN: Add IsAnonymous field

* AuthN: add priority to context aware clients

* ContextHandler: Add comment

* AuthN: Add a simple priority queue

* AuthN: Add Name to client interface

* AuthN: register clients with function

* AuthN: update mock and fake to implement interface

* AuthN: rewrite test without reflection

* AuthN: add comment

* AuthN: fix queue insert

* AuthN: rewrite tests

* AuthN: make the queue generic so we can reuse it for hooks

* ContextHandler: Add fixme for auth headers

* AuthN: remove unused variable

* AuthN: use multierror

* AuthN: write proper tests for queue

* AuthN: Add queue item that can store the value and priority

Co-authored-by: Jo <joao.guerreiro@grafana.com>
2023-01-26 10:50:44 +01:00
Karl Persson
50608db59a
AuthN: Add interface and function to operate on clients that supports redirects (#61905)
2023-01-23 11:54:38 +01:00
Kristin Laemmert
cd08f2575a
chore: move jwt models into auth/jwt (#61862)
* chore: move jwt models into auth/jwt
2023-01-20 13:11:06 -05:00
linoman
56c2755b3b
Fix JWT claims request (#61650)
* Fix JWT claims request

* Add test scenarios for missing config options
2023-01-19 16:03:09 +01:00
linoman
4d095547f8
Auth: Implement skip org role sync for jwt (#61647)
* Add new config option

* Add frontend control

* Condition new auth broker with config option

* Condition old auth broker with config option

Co-authored-by: Jo <joao.guerreiro@grafana.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
2023-01-18 13:59:50 +01:00
Jo
ecafb4dd15
Auth forwarding: Pass tokens without refresh (#61634)
* return only tokens from oauth

* feedback
2023-01-18 10:50:35 +00:00
Karl Persson
412d80b498
AuthN: Add post auth hook for oauth token refresh (#61608)
* AuthN: rename package to sync

* AuthN: rename sync files

* OAuth: Add mock for OauthTokenService

* AuthN: Implement access token refresh hook

* AuthN: remove feature check from hook

* AuthN: register post auth hook for oauth token refresh
2023-01-18 10:47:09 +01:00
Karl Persson
766fa4e7d5
AuthN: Add last seen sync hooks for user and api keys (#61571)
* AuthN: Add last seen sync hooks for user / service account and move api
key last seen to own hook

* ContextHandler: only run sync for last seen if auth.Service is not
enabled
2023-01-17 13:50:58 +01:00
Karl Persson
b44b6fc5c6
AuthN: Add auth proxy client (#61555)
* AuthN: set up boilerplate for proxy client

* AuthN: Implement Test for proxy client

* AuthN: parse accept list in constructor

* AuthN: add proxy client interface

* AuthN: handle error

* AuthN: Implement the proxy client interface for ldap

* AuthN: change receiver name

* AuthN: add grafana as a proxy client

* AuthN: for error returned

* AuthN: add tests for grafana proxy auth

* AuthN: swap order of grafana and ldap auth

* AuthN: Parse additional proxy headers in proxy client and pass down
2023-01-17 10:07:46 +01:00
Karl Persson
2324597d8d
AuthN: Perform login with authn.Service (#61466)
* AuthN: Create password client wrapper and use that on in basic auth
client

* AuthN: fix basic auth client test

* AuthN: Add tests for form authentication

* API: Inject authn service

* Login: If authnService feature flag is enabled use authn login

* Login: Handle token creation errors
2023-01-17 09:11:45 +01:00
Jo
6fec8fda39
AuthN: Clean errors in user/org sync (#61560)
* clean errors in user/org sync

* lower logging level for non 5xx errors
2023-01-16 16:37:04 +00:00
Jo
be3b81fecd
AuthN: Readd user protection service to user sync (#61534)
* add user protection service to user sync

* fix tests
2023-01-16 11:15:14 +00:00
Jo
dcfeab2c73
AuthN: User Quota (#61540)
* remove reqContext from quota checks in login

* add guards for nil ScopeParams
2023-01-16 11:54:15 +01:00
Misi
b8b08ea292
Auth: Add sub claim check to JWT Auth pre-checks (#61417)
* Auth: Add sub claim check to JWT Auth pre-checks

* Add #nosec annotation to the test tokens
2023-01-16 10:50:34 +01:00