package setting
import "time"
// AuthJWTSettings holds the [auth.jwt] section of the configuration. It is
// filled in by (*Cfg).readAuthJWTSettings and stored on Cfg.JWTAuth.
//
// Each field lists the ini key it is read from and the default applied when
// the key is absent. Field order is kept stable on purpose: it is part of the
// type's interface for any unkeyed struct literal.
type AuthJWTSettings struct {
	// JWT Auth

	// Enabled: key "enabled", default false.
	Enabled bool
	// HeaderName: key "header_name", default "".
	HeaderName string
	// URLLogin: key "url_login", default false.
	URLLogin bool
	// EmailClaim: key "email_claim", default "".
	EmailClaim string
	// UsernameClaim: key "username_claim", default "".
	UsernameClaim string
	// ExpectClaims: key "expect_claims", default "{}" (an empty object literal,
	// i.e. no extra claim requirements unless the operator configures them —
	// presumably parsed as JSON by the JWT client; confirm there).
	ExpectClaims string
	// JWKSetURL: key "jwk_set_url", default "".
	JWKSetURL string
	// CacheTTL: key "cache_ttl", default 60 minutes.
	CacheTTL time.Duration
	// KeyFile: key "key_file", default "".
	KeyFile string
	// KeyID: key "key_id", default "".
	KeyID string
	// JWKSetFile: key "jwk_set_file", default "".
	JWKSetFile string
	// AutoSignUp: key "auto_sign_up", default false.
	AutoSignUp bool
	// RoleAttributePath: key "role_attribute_path", default "".
	RoleAttributePath string
	// RoleAttributeStrict: key "role_attribute_strict", default false.
	RoleAttributeStrict bool
	// AllowAssignGrafanaAdmin: key "allow_assign_grafana_admin", default false.
	AllowAssignGrafanaAdmin bool
	// SkipOrgRoleSync: key "skip_org_role_sync", default false.
	SkipOrgRoleSync bool
	// GroupsAttributePath: key "groups_attribute_path", default "".
	GroupsAttributePath string
	// EmailAttributePath: key "email_attribute_path", default "".
	EmailAttributePath string
	// UsernameAttributePath: key "username_attribute_path", default "".
	UsernameAttributePath string
}
// ExtJWTSettings holds the [auth.extended_jwt] section of the configuration.
// It is filled in by (*Cfg).readAuthExtJWTSettings and stored on
// Cfg.ExtJWTAuth.
//
// Note that an empty ExpectIssuer or ExpectAudience is not rejected at this
// layer; whether the token verifier treats an empty value as "skip the check"
// or "fail" is decided by the authn client that consumes these settings —
// confirm it enforces both before relying on them.
type ExtJWTSettings struct {
	// Enabled: key "enabled", default false.
	Enabled bool
	// ExpectIssuer is the issuer tokens are expected to carry; check
	// readAuthExtJWTSettings to confirm where (and whether) it is populated.
	ExpectIssuer string
	// ExpectAudience: key "expect_audience", default "".
	ExpectAudience string
	// JWKSUrl: key "jwks_url", default "".
	JWKSUrl string
}
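// readAuthExtJWTSettings loads the [auth.extended_jwt] section into
// cfg.ExtJWTAuth. It goes through cfg.SectionWithEnvOverrides, so environment
// overrides apply to these keys (readAuthJWTSettings, by contrast, reads
// cfg.Raw directly).
//
// Keys and defaults:
//   - enabled         bool,   default false
//   - expect_issuer   string, default ""
//   - expect_audience string, default ""
//   - jwks_url        string, default ""
//
// expect_issuer was previously never read, which left
// ExtJWTSettings.ExpectIssuer permanently empty regardless of configuration;
// it is now read alongside the other keys. What an empty issuer or audience
// means to the verifier is decided by the authn client, not here —
// NOTE(review): confirm it fails closed rather than skipping the check.
func (cfg *Cfg) readAuthExtJWTSettings() {
	section := cfg.SectionWithEnvOverrides("auth.extended_jwt")

	cfg.ExtJWTAuth = ExtJWTSettings{
		Enabled:        section.Key("enabled").MustBool(false),
		ExpectIssuer:   section.Key("expect_issuer").MustString(""),
		ExpectAudience: section.Key("expect_audience").MustString(""),
		JWKSUrl:        section.Key("jwks_url").MustString(""),
	}
}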
// readAuthJWTSettings loads the [auth.jwt] section into cfg.JWTAuth.
//
// String keys go through valueAsString (defined elsewhere in this package);
// bool and duration keys are read straight from the ini key. Every key falls
// back to its zero value except expect_claims ("{}") and cache_ttl (60 minutes).
//
// NOTE(review): this reads cfg.Raw.Section directly, whereas
// readAuthExtJWTSettings uses cfg.SectionWithEnvOverrides — confirm whether
// skipping environment overrides for [auth.jwt] is intentional.
func (cfg *Cfg) readAuthJWTSettings() {
	section := cfg.Raw.Section("auth.jwt")

	// Small readers so each field below reads as "key -> default".
	str := func(key, fallback string) string {
		return valueAsString(section, key, fallback)
	}
	flag := func(key string) bool {
		return section.Key(key).MustBool(false)
	}

	// Keys are read in the same order as before; go-ini's Key() materialises
	// missing keys, so the order is kept to leave the section untouched.
	cfg.JWTAuth = AuthJWTSettings{
		Enabled:                 flag("enabled"),
		HeaderName:              str("header_name", ""),
		URLLogin:                flag("url_login"),
		EmailClaim:              str("email_claim", ""),
		UsernameClaim:           str("username_claim", ""),
		ExpectClaims:            str("expect_claims", "{}"),
		JWKSetURL:               str("jwk_set_url", ""),
		CacheTTL:                section.Key("cache_ttl").MustDuration(60 * time.Minute),
		KeyFile:                 str("key_file", ""),
		KeyID:                   section.Key("key_id").MustString(""),
		JWKSetFile:              str("jwk_set_file", ""),
		AutoSignUp:              flag("auto_sign_up"),
		RoleAttributePath:       str("role_attribute_path", ""),
		RoleAttributeStrict:     flag("role_attribute_strict"),
		AllowAssignGrafanaAdmin: flag("allow_assign_grafana_admin"),
		SkipOrgRoleSync:         flag("skip_org_role_sync"),
		GroupsAttributePath:     str("groups_attribute_path", ""),
		EmailAttributePath:      str("email_attribute_path", ""),
		UsernameAttributePath:   str("username_attribute_path", ""),
	}
}