mirror of
https://github.com/grafana/grafana.git
synced 2024-12-30 10:47:30 -06:00
4c19e83ff0
* Chore: move team store implementation to a separate package * trying to fix more tests * fix tests in service accounts and access control * fix common tests * restore commented out test * add todos
924 lines
25 KiB
Go
924 lines
25 KiB
Go
package sqlstore
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"fmt"
|
|
"sort"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/grafana/grafana/pkg/events"
|
|
"github.com/grafana/grafana/pkg/models"
|
|
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
|
|
"github.com/grafana/grafana/pkg/services/org"
|
|
"github.com/grafana/grafana/pkg/services/user"
|
|
"github.com/grafana/grafana/pkg/util"
|
|
)
|
|
|
|
type ErrCaseInsensitiveLoginConflict struct {
|
|
users []user.User
|
|
}
|
|
|
|
func (e *ErrCaseInsensitiveLoginConflict) Unwrap() error {
|
|
return user.ErrCaseInsensitive
|
|
}
|
|
|
|
func (e *ErrCaseInsensitiveLoginConflict) Error() string {
|
|
n := len(e.users)
|
|
|
|
userStrings := make([]string, 0, n)
|
|
for _, v := range e.users {
|
|
userStrings = append(userStrings, fmt.Sprintf("%s (email:%s, id:%d)", v.Login, v.Email, v.ID))
|
|
}
|
|
|
|
return fmt.Sprintf(
|
|
"Found a conflict in user login information. %d users already exist with either the same login or email: [%s].",
|
|
n, strings.Join(userStrings, ", "))
|
|
}
|
|
|
|
func (ss *SQLStore) getOrgIDForNewUser(sess *DBSession, args user.CreateUserCommand) (int64, error) {
|
|
if ss.Cfg.AutoAssignOrg && args.OrgID != 0 {
|
|
if err := verifyExistingOrg(sess, args.OrgID); err != nil {
|
|
return -1, err
|
|
}
|
|
return args.OrgID, nil
|
|
}
|
|
|
|
orgName := args.OrgName
|
|
if orgName == "" {
|
|
orgName = util.StringsFallback2(args.Email, args.Login)
|
|
}
|
|
|
|
return ss.getOrCreateOrg(sess, orgName)
|
|
}
|
|
|
|
func (ss *SQLStore) userCaseInsensitiveLoginConflict(ctx context.Context, sess *DBSession, login, email string) error {
|
|
users := make([]user.User, 0)
|
|
|
|
if err := sess.Where("LOWER(email)=LOWER(?) OR LOWER(login)=LOWER(?)",
|
|
email, login).Find(&users); err != nil {
|
|
return err
|
|
}
|
|
|
|
if len(users) > 1 {
|
|
return &ErrCaseInsensitiveLoginConflict{users}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// createUser creates a user in the database
|
|
// if autoAssignOrg is enabled then args.OrgID will be used
|
|
// to add to an existing Org with id=args.OrgID
|
|
// if autoAssignOrg is disabled then args.OrgName will be used
|
|
// to create a new Org with name=args.OrgName.
|
|
// If a org already exists with that name, it will error
|
|
func (ss *SQLStore) createUser(ctx context.Context, sess *DBSession, args user.CreateUserCommand) (user.User, error) {
|
|
var usr user.User
|
|
var orgID int64 = -1
|
|
if !args.SkipOrgSetup {
|
|
var err error
|
|
orgID, err = ss.getOrgIDForNewUser(sess, args)
|
|
if err != nil {
|
|
return usr, err
|
|
}
|
|
}
|
|
|
|
if args.Email == "" {
|
|
args.Email = args.Login
|
|
}
|
|
|
|
where := "email=? OR login=?"
|
|
if ss.Cfg.CaseInsensitiveLogin {
|
|
where = "LOWER(email)=LOWER(?) OR LOWER(login)=LOWER(?)"
|
|
args.Login = strings.ToLower(args.Login)
|
|
args.Email = strings.ToLower(args.Email)
|
|
}
|
|
|
|
exists, err := sess.Where(where, args.Email, args.Login).Get(&user.User{})
|
|
if err != nil {
|
|
return usr, err
|
|
}
|
|
if exists {
|
|
return usr, user.ErrUserAlreadyExists
|
|
}
|
|
|
|
// create user
|
|
usr = user.User{
|
|
Email: args.Email,
|
|
Name: args.Name,
|
|
Login: args.Login,
|
|
Company: args.Company,
|
|
IsAdmin: args.IsAdmin,
|
|
IsDisabled: args.IsDisabled,
|
|
OrgID: orgID,
|
|
EmailVerified: args.EmailVerified,
|
|
Created: TimeNow(),
|
|
Updated: TimeNow(),
|
|
LastSeenAt: TimeNow().AddDate(-10, 0, 0),
|
|
IsServiceAccount: args.IsServiceAccount,
|
|
}
|
|
|
|
salt, err := util.GetRandomString(10)
|
|
if err != nil {
|
|
return usr, err
|
|
}
|
|
usr.Salt = salt
|
|
rands, err := util.GetRandomString(10)
|
|
if err != nil {
|
|
return usr, err
|
|
}
|
|
usr.Rands = rands
|
|
|
|
if len(args.Password) > 0 {
|
|
encodedPassword, err := util.EncodePassword(args.Password, usr.Salt)
|
|
if err != nil {
|
|
return usr, err
|
|
}
|
|
usr.Password = encodedPassword
|
|
}
|
|
|
|
sess.UseBool("is_admin")
|
|
|
|
if _, err := sess.Insert(&usr); err != nil {
|
|
return usr, err
|
|
}
|
|
|
|
sess.publishAfterCommit(&events.UserCreated{
|
|
Timestamp: usr.Created,
|
|
Id: usr.ID,
|
|
Name: usr.Name,
|
|
Login: usr.Login,
|
|
Email: usr.Email,
|
|
})
|
|
|
|
// create org user link
|
|
if !args.SkipOrgSetup {
|
|
orgUser := models.OrgUser{
|
|
OrgId: orgID,
|
|
UserId: usr.ID,
|
|
Role: org.RoleAdmin,
|
|
Created: TimeNow(),
|
|
Updated: TimeNow(),
|
|
}
|
|
|
|
if ss.Cfg.AutoAssignOrg && !usr.IsAdmin {
|
|
if len(args.DefaultOrgRole) > 0 {
|
|
orgUser.Role = org.RoleType(args.DefaultOrgRole)
|
|
} else {
|
|
orgUser.Role = org.RoleType(ss.Cfg.AutoAssignOrgRole)
|
|
}
|
|
}
|
|
|
|
if _, err = sess.Insert(&orgUser); err != nil {
|
|
return usr, err
|
|
}
|
|
}
|
|
|
|
return usr, nil
|
|
}
|
|
|
|
// deprecated method, use only for tests
|
|
func (ss *SQLStore) CreateUser(ctx context.Context, cmd user.CreateUserCommand) (*user.User, error) {
|
|
var user user.User
|
|
createErr := ss.WithTransactionalDbSession(ctx, func(sess *DBSession) (err error) {
|
|
user, err = ss.createUser(ctx, sess, cmd)
|
|
return
|
|
})
|
|
return &user, createErr
|
|
}
|
|
|
|
func notServiceAccountFilter(ss *SQLStore) string {
|
|
return fmt.Sprintf("%s.is_service_account = %s",
|
|
ss.Dialect.Quote("user"),
|
|
ss.Dialect.BooleanStr(false))
|
|
}
|
|
|
|
func (ss *SQLStore) GetUserById(ctx context.Context, query *models.GetUserByIdQuery) error {
|
|
return ss.WithDbSession(ctx, func(sess *DBSession) error {
|
|
usr := new(user.User)
|
|
|
|
has, err := sess.ID(query.Id).
|
|
Where(notServiceAccountFilter(ss)).
|
|
Get(usr)
|
|
|
|
if err != nil {
|
|
return err
|
|
} else if !has {
|
|
return user.ErrUserNotFound
|
|
}
|
|
|
|
if ss.Cfg.CaseInsensitiveLogin {
|
|
if err := ss.userCaseInsensitiveLoginConflict(ctx, sess, usr.Login, usr.Email); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
query.Result = usr
|
|
|
|
return nil
|
|
})
|
|
}
|
|
|
|
func (ss *SQLStore) GetUserByLogin(ctx context.Context, query *models.GetUserByLoginQuery) error {
|
|
return ss.WithDbSession(ctx, func(sess *DBSession) error {
|
|
if query.LoginOrEmail == "" {
|
|
return user.ErrUserNotFound
|
|
}
|
|
|
|
// Try and find the user by login first.
|
|
// It's not sufficient to assume that a LoginOrEmail with an "@" is an email.
|
|
usr := &user.User{}
|
|
where := "login=?"
|
|
if ss.Cfg.CaseInsensitiveLogin {
|
|
where = "LOWER(login)=LOWER(?)"
|
|
}
|
|
|
|
has, err := sess.Where(notServiceAccountFilter(ss)).Where(where, query.LoginOrEmail).Get(usr)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if !has && strings.Contains(query.LoginOrEmail, "@") {
|
|
// If the user wasn't found, and it contains an "@" fallback to finding the
|
|
// user by email.
|
|
|
|
where = "email=?"
|
|
if ss.Cfg.CaseInsensitiveLogin {
|
|
where = "LOWER(email)=LOWER(?)"
|
|
}
|
|
usr = &user.User{}
|
|
has, err = sess.Where(notServiceAccountFilter(ss)).Where(where, query.LoginOrEmail).Get(usr)
|
|
}
|
|
|
|
if err != nil {
|
|
return err
|
|
} else if !has {
|
|
return user.ErrUserNotFound
|
|
}
|
|
|
|
if ss.Cfg.CaseInsensitiveLogin {
|
|
if err := ss.userCaseInsensitiveLoginConflict(ctx, sess, usr.Login, usr.Email); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
query.Result = usr
|
|
|
|
return nil
|
|
})
|
|
}
|
|
|
|
func (ss *SQLStore) GetUserByEmail(ctx context.Context, query *models.GetUserByEmailQuery) error {
|
|
return ss.WithDbSession(ctx, func(sess *DBSession) error {
|
|
if query.Email == "" {
|
|
return user.ErrUserNotFound
|
|
}
|
|
|
|
usr := &user.User{}
|
|
where := "email=?"
|
|
if ss.Cfg.CaseInsensitiveLogin {
|
|
where = "LOWER(email)=LOWER(?)"
|
|
}
|
|
|
|
has, err := sess.Where(notServiceAccountFilter(ss)).Where(where, query.Email).Get(usr)
|
|
|
|
if err != nil {
|
|
return err
|
|
} else if !has {
|
|
return user.ErrUserNotFound
|
|
}
|
|
|
|
if ss.Cfg.CaseInsensitiveLogin {
|
|
if err := ss.userCaseInsensitiveLoginConflict(ctx, sess, usr.Login, usr.Email); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
query.Result = usr
|
|
|
|
return nil
|
|
})
|
|
}
|
|
|
|
func (ss *SQLStore) UpdateUser(ctx context.Context, cmd *models.UpdateUserCommand) error {
|
|
if ss.Cfg.CaseInsensitiveLogin {
|
|
cmd.Login = strings.ToLower(cmd.Login)
|
|
cmd.Email = strings.ToLower(cmd.Email)
|
|
}
|
|
|
|
return ss.WithTransactionalDbSession(ctx, func(sess *DBSession) error {
|
|
user := user.User{
|
|
Name: cmd.Name,
|
|
Email: cmd.Email,
|
|
Login: cmd.Login,
|
|
Theme: cmd.Theme,
|
|
Updated: TimeNow(),
|
|
}
|
|
|
|
if _, err := sess.ID(cmd.UserId).Where(notServiceAccountFilter(ss)).Update(&user); err != nil {
|
|
return err
|
|
}
|
|
|
|
if ss.Cfg.CaseInsensitiveLogin {
|
|
if err := ss.userCaseInsensitiveLoginConflict(ctx, sess, user.Login, user.Email); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
sess.publishAfterCommit(&events.UserUpdated{
|
|
Timestamp: user.Created,
|
|
Id: user.ID,
|
|
Name: user.Name,
|
|
Login: user.Login,
|
|
Email: user.Email,
|
|
})
|
|
|
|
return nil
|
|
})
|
|
}
|
|
|
|
func (ss *SQLStore) ChangeUserPassword(ctx context.Context, cmd *models.ChangeUserPasswordCommand) error {
|
|
return ss.WithTransactionalDbSession(ctx, func(sess *DBSession) error {
|
|
user := user.User{
|
|
Password: cmd.NewPassword,
|
|
Updated: TimeNow(),
|
|
}
|
|
|
|
_, err := sess.ID(cmd.UserId).Where(notServiceAccountFilter(ss)).Update(&user)
|
|
return err
|
|
})
|
|
}
|
|
|
|
func (ss *SQLStore) UpdateUserLastSeenAt(ctx context.Context, cmd *models.UpdateUserLastSeenAtCommand) error {
|
|
return ss.WithTransactionalDbSession(ctx, func(sess *DBSession) error {
|
|
user := user.User{
|
|
ID: cmd.UserId,
|
|
LastSeenAt: TimeNow(),
|
|
}
|
|
|
|
_, err := sess.ID(cmd.UserId).Update(&user)
|
|
return err
|
|
})
|
|
}
|
|
|
|
func (ss *SQLStore) SetUsingOrg(ctx context.Context, cmd *models.SetUsingOrgCommand) error {
|
|
getOrgsForUserCmd := &models.GetUserOrgListQuery{UserId: cmd.UserId}
|
|
if err := ss.GetUserOrgList(ctx, getOrgsForUserCmd); err != nil {
|
|
return err
|
|
}
|
|
|
|
valid := false
|
|
for _, other := range getOrgsForUserCmd.Result {
|
|
if other.OrgId == cmd.OrgId {
|
|
valid = true
|
|
}
|
|
}
|
|
if !valid {
|
|
return fmt.Errorf("user does not belong to org")
|
|
}
|
|
|
|
return ss.WithTransactionalDbSession(ctx, func(sess *DBSession) error {
|
|
return setUsingOrgInTransaction(sess, cmd.UserId, cmd.OrgId)
|
|
})
|
|
}
|
|
|
|
func setUsingOrgInTransaction(sess *DBSession, userID int64, orgID int64) error {
|
|
user := user.User{
|
|
ID: userID,
|
|
OrgID: orgID,
|
|
}
|
|
|
|
_, err := sess.ID(userID).Update(&user)
|
|
return err
|
|
}
|
|
|
|
func removeUserOrg(sess *DBSession, userID int64) error {
|
|
user := user.User{
|
|
ID: userID,
|
|
OrgID: 0,
|
|
}
|
|
|
|
_, err := sess.ID(userID).MustCols("org_id").Update(&user)
|
|
return err
|
|
}
|
|
|
|
func (ss *SQLStore) GetUserProfile(ctx context.Context, query *models.GetUserProfileQuery) error {
|
|
return ss.WithDbSession(ctx, func(sess *DBSession) error {
|
|
var usr user.User
|
|
has, err := sess.ID(query.UserId).Where(notServiceAccountFilter(ss)).Get(&usr)
|
|
|
|
if err != nil {
|
|
return err
|
|
} else if !has {
|
|
return user.ErrUserNotFound
|
|
}
|
|
|
|
query.Result = models.UserProfileDTO{
|
|
Id: usr.ID,
|
|
Name: usr.Name,
|
|
Email: usr.Email,
|
|
Login: usr.Login,
|
|
Theme: usr.Theme,
|
|
IsGrafanaAdmin: usr.IsAdmin,
|
|
IsDisabled: usr.IsDisabled,
|
|
OrgId: usr.OrgID,
|
|
UpdatedAt: usr.Updated,
|
|
CreatedAt: usr.Created,
|
|
}
|
|
|
|
return err
|
|
})
|
|
}
|
|
|
|
type byOrgName []*models.UserOrgDTO
|
|
|
|
// Len returns the length of an array of organisations.
|
|
func (o byOrgName) Len() int {
|
|
return len(o)
|
|
}
|
|
|
|
// Swap swaps two indices of an array of organizations.
|
|
func (o byOrgName) Swap(i, j int) {
|
|
o[i], o[j] = o[j], o[i]
|
|
}
|
|
|
|
// Less returns whether element i of an array of organizations is less than element j.
|
|
func (o byOrgName) Less(i, j int) bool {
|
|
if strings.ToLower(o[i].Name) < strings.ToLower(o[j].Name) {
|
|
return true
|
|
}
|
|
|
|
return o[i].Name < o[j].Name
|
|
}
|
|
|
|
func (ss *SQLStore) GetUserOrgList(ctx context.Context, query *models.GetUserOrgListQuery) error {
|
|
return ss.WithDbSession(ctx, func(dbSess *DBSession) error {
|
|
query.Result = make([]*models.UserOrgDTO, 0)
|
|
sess := dbSess.Table("org_user")
|
|
sess.Join("INNER", "org", "org_user.org_id=org.id")
|
|
sess.Join("INNER", ss.Dialect.Quote("user"), fmt.Sprintf("org_user.user_id=%s.id", ss.Dialect.Quote("user")))
|
|
sess.Where("org_user.user_id=?", query.UserId)
|
|
sess.Where(notServiceAccountFilter(ss))
|
|
sess.Cols("org.name", "org_user.role", "org_user.org_id")
|
|
sess.OrderBy("org.name")
|
|
err := sess.Find(&query.Result)
|
|
sort.Sort(byOrgName(query.Result))
|
|
return err
|
|
})
|
|
}
|
|
|
|
func newSignedInUserCacheKey(orgID, userID int64) string {
|
|
return fmt.Sprintf("signed-in-user-%d-%d", userID, orgID)
|
|
}
|
|
|
|
func (ss *SQLStore) GetSignedInUserWithCacheCtx(ctx context.Context, query *models.GetSignedInUserQuery) error {
|
|
cacheKey := newSignedInUserCacheKey(query.OrgId, query.UserId)
|
|
if cached, found := ss.CacheService.Get(cacheKey); found {
|
|
cachedUser := cached.(user.SignedInUser)
|
|
query.Result = &cachedUser
|
|
return nil
|
|
}
|
|
|
|
err := ss.GetSignedInUser(ctx, query)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
cacheKey = newSignedInUserCacheKey(query.Result.OrgID, query.UserId)
|
|
ss.CacheService.Set(cacheKey, *query.Result, time.Second*5)
|
|
return nil
|
|
}
|
|
|
|
func (ss *SQLStore) GetSignedInUser(ctx context.Context, query *models.GetSignedInUserQuery) error {
|
|
return ss.WithDbSession(ctx, func(dbSess *DBSession) error {
|
|
orgId := "u.org_id"
|
|
if query.OrgId > 0 {
|
|
orgId = strconv.FormatInt(query.OrgId, 10)
|
|
}
|
|
|
|
var rawSQL = `SELECT
|
|
u.id as user_id,
|
|
u.is_admin as is_grafana_admin,
|
|
u.email as email,
|
|
u.login as login,
|
|
u.name as name,
|
|
u.is_disabled as is_disabled,
|
|
u.help_flags1 as help_flags1,
|
|
u.last_seen_at as last_seen_at,
|
|
(SELECT COUNT(*) FROM org_user where org_user.user_id = u.id) as org_count,
|
|
user_auth.auth_module as external_auth_module,
|
|
user_auth.auth_id as external_auth_id,
|
|
org.name as org_name,
|
|
org_user.role as org_role,
|
|
org.id as org_id
|
|
FROM ` + dialect.Quote("user") + ` as u
|
|
LEFT OUTER JOIN user_auth on user_auth.user_id = u.id
|
|
LEFT OUTER JOIN org_user on org_user.org_id = ` + orgId + ` and org_user.user_id = u.id
|
|
LEFT OUTER JOIN org on org.id = org_user.org_id `
|
|
|
|
sess := dbSess.Table("user")
|
|
sess = sess.Context(ctx)
|
|
switch {
|
|
case query.UserId > 0:
|
|
sess.SQL(rawSQL+"WHERE u.id=?", query.UserId)
|
|
case query.Login != "":
|
|
if ss.Cfg.CaseInsensitiveLogin {
|
|
sess.SQL(rawSQL+"WHERE LOWER(u.login)=LOWER(?)", query.Login)
|
|
} else {
|
|
sess.SQL(rawSQL+"WHERE u.login=?", query.Login)
|
|
}
|
|
case query.Email != "":
|
|
if ss.Cfg.CaseInsensitiveLogin {
|
|
sess.SQL(rawSQL+"WHERE LOWER(u.email)=LOWER(?)", query.Email)
|
|
} else {
|
|
sess.SQL(rawSQL+"WHERE u.email=?", query.Email)
|
|
}
|
|
}
|
|
|
|
var usr user.SignedInUser
|
|
has, err := sess.Get(&usr)
|
|
if err != nil {
|
|
return err
|
|
} else if !has {
|
|
return user.ErrUserNotFound
|
|
}
|
|
|
|
if usr.OrgRole == "" {
|
|
usr.OrgID = -1
|
|
usr.OrgName = "Org missing"
|
|
}
|
|
|
|
if usr.ExternalAuthModule != "oauth_grafana_com" {
|
|
usr.ExternalAuthID = ""
|
|
}
|
|
|
|
// tempUser is used to retrieve the teams for the signed in user for internal use.
|
|
tempUser := &user.SignedInUser{
|
|
OrgID: usr.OrgID,
|
|
Permissions: map[int64]map[string][]string{
|
|
usr.OrgID: {
|
|
ac.ActionTeamsRead: {ac.ScopeTeamsAll},
|
|
},
|
|
},
|
|
}
|
|
getTeamsByUserQuery := &models.GetTeamsByUserQuery{
|
|
OrgId: usr.OrgID,
|
|
UserId: usr.UserID,
|
|
SignedInUser: tempUser,
|
|
}
|
|
err = ss.GetTeamsByUser(ctx, getTeamsByUserQuery)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
usr.Teams = make([]int64, len(getTeamsByUserQuery.Result))
|
|
for i, t := range getTeamsByUserQuery.Result {
|
|
usr.Teams[i] = t.Id
|
|
}
|
|
|
|
query.Result = &usr
|
|
return err
|
|
})
|
|
}
|
|
|
|
// GetTeamsByUser is used by the Guardian when checking a users' permissions
|
|
// TODO: use team.Service after user service is split
|
|
func (ss *SQLStore) GetTeamsByUser(ctx context.Context, query *models.GetTeamsByUserQuery) error {
|
|
return ss.WithDbSession(ctx, func(sess *DBSession) error {
|
|
query.Result = make([]*models.TeamDTO, 0)
|
|
|
|
var sql bytes.Buffer
|
|
var params []interface{}
|
|
params = append(params, query.OrgId, query.UserId)
|
|
|
|
sql.WriteString(getTeamSelectSQLBase([]string{}))
|
|
sql.WriteString(` INNER JOIN team_member on team.id = team_member.team_id`)
|
|
sql.WriteString(` WHERE team.org_id = ? and team_member.user_id = ?`)
|
|
|
|
if !ac.IsDisabled(ss.Cfg) {
|
|
acFilter, err := ac.Filter(query.SignedInUser, "team.id", "teams:id:", ac.ActionTeamsRead)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
sql.WriteString(` and` + acFilter.Where)
|
|
params = append(params, acFilter.Args...)
|
|
}
|
|
|
|
err := sess.SQL(sql.String(), params...).Find(&query.Result)
|
|
return err
|
|
})
|
|
}
|
|
|
|
func getTeamMemberCount(filteredUsers []string) string {
|
|
if len(filteredUsers) > 0 {
|
|
return `(SELECT COUNT(*) FROM team_member
|
|
INNER JOIN ` + dialect.Quote("user") + ` ON team_member.user_id = ` + dialect.Quote("user") + `.id
|
|
WHERE team_member.team_id = team.id AND ` + dialect.Quote("user") + `.login NOT IN (?` +
|
|
strings.Repeat(",?", len(filteredUsers)-1) + ")" +
|
|
`) AS member_count `
|
|
}
|
|
|
|
return "(SELECT COUNT(*) FROM team_member WHERE team_member.team_id = team.id) AS member_count "
|
|
}
|
|
|
|
func getTeamSelectSQLBase(filteredUsers []string) string {
|
|
return `SELECT
|
|
team.id as id,
|
|
team.org_id,
|
|
team.name as name,
|
|
team.email as email, ` +
|
|
getTeamMemberCount(filteredUsers) +
|
|
` FROM team as team `
|
|
}
|
|
|
|
func (ss *SQLStore) SearchUsers(ctx context.Context, query *models.SearchUsersQuery) error {
|
|
return ss.WithDbSession(ctx, func(dbSess *DBSession) error {
|
|
query.Result = models.SearchUserQueryResult{
|
|
Users: make([]*models.UserSearchHitDTO, 0),
|
|
}
|
|
|
|
queryWithWildcards := "%" + query.Query + "%"
|
|
|
|
whereConditions := make([]string, 0)
|
|
whereParams := make([]interface{}, 0)
|
|
sess := dbSess.Table("user").Alias("u")
|
|
|
|
whereConditions = append(whereConditions, "u.is_service_account = ?")
|
|
whereParams = append(whereParams, dialect.BooleanStr(false))
|
|
|
|
// Join with only most recent auth module
|
|
joinCondition := `(
|
|
SELECT id from user_auth
|
|
WHERE user_auth.user_id = u.id
|
|
ORDER BY user_auth.created DESC `
|
|
joinCondition = "user_auth.id=" + joinCondition + dialect.Limit(1) + ")"
|
|
sess.Join("LEFT", "user_auth", joinCondition)
|
|
if query.OrgId > 0 {
|
|
whereConditions = append(whereConditions, "org_id = ?")
|
|
whereParams = append(whereParams, query.OrgId)
|
|
}
|
|
|
|
// user only sees the users for which it has read permissions
|
|
if !ac.IsDisabled(ss.Cfg) {
|
|
acFilter, err := ac.Filter(query.SignedInUser, "u.id", "global.users:id:", ac.ActionUsersRead)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
whereConditions = append(whereConditions, acFilter.Where)
|
|
whereParams = append(whereParams, acFilter.Args...)
|
|
}
|
|
|
|
if query.Query != "" {
|
|
whereConditions = append(whereConditions, "(email "+dialect.LikeStr()+" ? OR name "+dialect.LikeStr()+" ? OR login "+dialect.LikeStr()+" ?)")
|
|
whereParams = append(whereParams, queryWithWildcards, queryWithWildcards, queryWithWildcards)
|
|
}
|
|
|
|
if query.IsDisabled != nil {
|
|
whereConditions = append(whereConditions, "is_disabled = ?")
|
|
whereParams = append(whereParams, query.IsDisabled)
|
|
}
|
|
|
|
if query.AuthModule != "" {
|
|
whereConditions = append(whereConditions, `auth_module=?`)
|
|
whereParams = append(whereParams, query.AuthModule)
|
|
}
|
|
|
|
if len(whereConditions) > 0 {
|
|
sess.Where(strings.Join(whereConditions, " AND "), whereParams...)
|
|
}
|
|
|
|
for _, filter := range query.Filters {
|
|
if jc := filter.JoinCondition(); jc != nil {
|
|
sess.Join(jc.Operator, jc.Table, jc.Params)
|
|
}
|
|
if ic := filter.InCondition(); ic != nil {
|
|
sess.In(ic.Condition, ic.Params)
|
|
}
|
|
if wc := filter.WhereCondition(); wc != nil {
|
|
sess.Where(wc.Condition, wc.Params)
|
|
}
|
|
}
|
|
|
|
if query.Limit > 0 {
|
|
offset := query.Limit * (query.Page - 1)
|
|
sess.Limit(query.Limit, offset)
|
|
}
|
|
|
|
sess.Cols("u.id", "u.email", "u.name", "u.login", "u.is_admin", "u.is_disabled", "u.last_seen_at", "user_auth.auth_module")
|
|
sess.Asc("u.login", "u.email")
|
|
if err := sess.Find(&query.Result.Users); err != nil {
|
|
return err
|
|
}
|
|
|
|
// get total
|
|
user := user.User{}
|
|
countSess := dbSess.Table("user").Alias("u")
|
|
|
|
// Join with user_auth table if users filtered by auth_module
|
|
if query.AuthModule != "" {
|
|
countSess.Join("LEFT", "user_auth", joinCondition)
|
|
}
|
|
|
|
if len(whereConditions) > 0 {
|
|
countSess.Where(strings.Join(whereConditions, " AND "), whereParams...)
|
|
}
|
|
|
|
for _, filter := range query.Filters {
|
|
if jc := filter.JoinCondition(); jc != nil {
|
|
countSess.Join(jc.Operator, jc.Table, jc.Params)
|
|
}
|
|
if ic := filter.InCondition(); ic != nil {
|
|
countSess.In(ic.Condition, ic.Params)
|
|
}
|
|
if wc := filter.WhereCondition(); wc != nil {
|
|
countSess.Where(wc.Condition, wc.Params)
|
|
}
|
|
}
|
|
|
|
count, err := countSess.Count(&user)
|
|
query.Result.TotalCount = count
|
|
|
|
for _, user := range query.Result.Users {
|
|
user.LastSeenAtAge = util.GetAgeString(user.LastSeenAt)
|
|
}
|
|
|
|
return err
|
|
})
|
|
}
|
|
|
|
func (ss *SQLStore) DisableUser(ctx context.Context, cmd *models.DisableUserCommand) error {
|
|
return ss.WithDbSession(ctx, func(dbSess *DBSession) error {
|
|
usr := user.User{}
|
|
sess := dbSess.Table("user")
|
|
|
|
if has, err := sess.ID(cmd.UserId).Where(notServiceAccountFilter(ss)).Get(&usr); err != nil {
|
|
return err
|
|
} else if !has {
|
|
return user.ErrUserNotFound
|
|
}
|
|
|
|
usr.IsDisabled = cmd.IsDisabled
|
|
sess.UseBool("is_disabled")
|
|
|
|
_, err := sess.ID(cmd.UserId).Update(&usr)
|
|
return err
|
|
})
|
|
}
|
|
|
|
func (ss *SQLStore) BatchDisableUsers(ctx context.Context, cmd *models.BatchDisableUsersCommand) error {
|
|
return ss.WithTransactionalDbSession(ctx, func(sess *DBSession) error {
|
|
userIds := cmd.UserIds
|
|
|
|
if len(userIds) == 0 {
|
|
return nil
|
|
}
|
|
|
|
user_id_params := strings.Repeat(",?", len(userIds)-1)
|
|
disableSQL := "UPDATE " + dialect.Quote("user") + " SET is_disabled=? WHERE Id IN (?" + user_id_params + ")"
|
|
|
|
disableParams := []interface{}{disableSQL, cmd.IsDisabled}
|
|
for _, v := range userIds {
|
|
disableParams = append(disableParams, v)
|
|
}
|
|
|
|
_, err := sess.Where(notServiceAccountFilter(ss)).Exec(disableParams...)
|
|
return err
|
|
})
|
|
}
|
|
|
|
func (ss *SQLStore) DeleteUser(ctx context.Context, cmd *models.DeleteUserCommand) error {
|
|
return ss.WithTransactionalDbSession(ctx, func(sess *DBSession) error {
|
|
return deleteUserInTransaction(ss, sess, cmd)
|
|
})
|
|
}
|
|
|
|
func deleteUserInTransaction(ss *SQLStore, sess *DBSession, cmd *models.DeleteUserCommand) error {
|
|
// Check if user exists
|
|
usr := user.User{ID: cmd.UserId}
|
|
has, err := sess.Where(notServiceAccountFilter(ss)).Get(&usr)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if !has {
|
|
return user.ErrUserNotFound
|
|
}
|
|
for _, sql := range UserDeletions() {
|
|
_, err := sess.Exec(sql, cmd.UserId)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
return deleteUserAccessControl(sess, cmd.UserId)
|
|
}
|
|
|
|
func deleteUserAccessControl(sess *DBSession, userID int64) error {
|
|
// Delete user role assignments
|
|
if _, err := sess.Exec("DELETE FROM user_role WHERE user_id = ?", userID); err != nil {
|
|
return err
|
|
}
|
|
|
|
// Delete permissions that are scoped to user
|
|
if _, err := sess.Exec("DELETE FROM permission WHERE scope = ?", ac.Scope("users", "id", strconv.FormatInt(userID, 10))); err != nil {
|
|
return err
|
|
}
|
|
|
|
var roleIDs []int64
|
|
if err := sess.SQL("SELECT id FROM role WHERE name = ?", ac.ManagedUserRoleName(userID)).Find(&roleIDs); err != nil {
|
|
return err
|
|
}
|
|
|
|
if len(roleIDs) == 0 {
|
|
return nil
|
|
}
|
|
|
|
query := "DELETE FROM permission WHERE role_id IN(? " + strings.Repeat(",?", len(roleIDs)-1) + ")"
|
|
args := make([]interface{}, 0, len(roleIDs)+1)
|
|
args = append(args, query)
|
|
for _, id := range roleIDs {
|
|
args = append(args, id)
|
|
}
|
|
|
|
// Delete managed user permissions
|
|
if _, err := sess.Exec(args...); err != nil {
|
|
return err
|
|
}
|
|
|
|
// Delete managed user roles
|
|
if _, err := sess.Exec("DELETE FROM role WHERE name = ?", ac.ManagedUserRoleName(userID)); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func UserDeletions() []string {
|
|
deletes := []string{
|
|
"DELETE FROM star WHERE user_id = ?",
|
|
"DELETE FROM " + dialect.Quote("user") + " WHERE id = ?",
|
|
"DELETE FROM org_user WHERE user_id = ?",
|
|
"DELETE FROM dashboard_acl WHERE user_id = ?",
|
|
"DELETE FROM preferences WHERE user_id = ?",
|
|
"DELETE FROM team_member WHERE user_id = ?",
|
|
"DELETE FROM user_auth WHERE user_id = ?",
|
|
"DELETE FROM user_auth_token WHERE user_id = ?",
|
|
"DELETE FROM quota WHERE user_id = ?",
|
|
}
|
|
return deletes
|
|
}
|
|
|
|
// UpdateUserPermissions sets the user Server Admin flag
|
|
func (ss *SQLStore) UpdateUserPermissions(userID int64, isAdmin bool) error {
|
|
return ss.WithTransactionalDbSession(context.Background(), func(sess *DBSession) error {
|
|
var user user.User
|
|
if _, err := sess.ID(userID).Where(notServiceAccountFilter(ss)).Get(&user); err != nil {
|
|
return err
|
|
}
|
|
|
|
user.IsAdmin = isAdmin
|
|
sess.UseBool("is_admin")
|
|
|
|
_, err := sess.ID(user.ID).Update(&user)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// validate that after update there is at least one server admin
|
|
if err := validateOneAdminLeft(sess); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
})
|
|
}
|
|
|
|
func (ss *SQLStore) SetUserHelpFlag(ctx context.Context, cmd *models.SetUserHelpFlagCommand) error {
|
|
return ss.WithTransactionalDbSession(ctx, func(sess *DBSession) error {
|
|
user := user.User{
|
|
ID: cmd.UserId,
|
|
HelpFlags1: cmd.HelpFlags1,
|
|
Updated: TimeNow(),
|
|
}
|
|
|
|
_, err := sess.ID(cmd.UserId).Cols("help_flags1").Update(&user)
|
|
return err
|
|
})
|
|
}
|
|
|
|
// validateOneAdminLeft validate that there is an admin user left
|
|
func validateOneAdminLeft(sess *DBSession) error {
|
|
count, err := sess.Where("is_admin=?", true).Count(&user.User{})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if count == 0 {
|
|
return user.ErrLastGrafanaAdmin
|
|
}
|
|
|
|
return nil
|
|
}
|