* Fix: Prevent ExtSvcTokens from containing nil characters * Rebase * Add more logs * Nit. nil -> NUL * Nit. Part -> Parts * Back to const * Account for comments Co-authored-by: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com> --------- Co-authored-by: Claudiu Dragalina-Paraipan <claudiu.dragalina@grafana.com>
package extsvcaccounts
import (
"github.com/grafana/grafana/pkg/models/roletype"
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
"github.com/grafana/grafana/pkg/services/extsvcauth"
"github.com/grafana/grafana/pkg/services/serviceaccounts"
"github.com/grafana/grafana/pkg/services/user"
"github.com/grafana/grafana/pkg/util/errutil"
)
// metricsNamespace is the namespace string used by this package's metrics.
// NOTE(review): the metric definitions are not in this file; confirm usage.
const metricsNamespace = "grafana"

// Token storage and generation settings.
const (
	// kvStoreType is the type label under which external service tokens are
	// filed. NOTE(review): presumably a key-value store namespace; the store
	// calls are not in this file, so confirm against the callers.
	kvStoreType = "extsvc-token"

	// tokenNamePrefix is a naming label for generated tokens, not secret
	// material, which is why the gosec hardcoded-credential check is
	// suppressed for this one line only.
	// #nosec G101 - this is not a hardcoded secret
	tokenNamePrefix = "extsvc-token"

	// maxTokenGenRetries caps the number of token generation attempts.
	// NOTE(review): the retry loop is not in this file; presumably it
	// regenerates a token that fails validation. Confirm that exhausting the
	// budget surfaces an error rather than storing a rejected token.
	maxTokenGenRetries = 10
)
// Errors exposed by the external service accounts package.
//
// The request-validation errors are built with errutil.BadRequest and carry a
// fixed public message. The two credential errors are built without
// errutil.WithPublicMessage, so no caller-facing text about credential
// handling is defined here.
var (
	// ErrCannotBeDeleted rejects deletion of an external service account.
	ErrCannotBeDeleted = errutil.BadRequest(
		"extsvcaccounts.ErrCannotBeDeleted",
		errutil.WithPublicMessage("external service account cannot be deleted"),
	)

	// ErrCannotBeUpdated rejects modification of an external service account.
	ErrCannotBeUpdated = errutil.BadRequest(
		"extsvcaccounts.ErrCannotBeUpdated",
		errutil.WithPublicMessage("external service account cannot be updated"),
	)

	// ErrCannotCreateToken rejects adding a token to an external service account.
	ErrCannotCreateToken = errutil.BadRequest(
		"extsvcaccounts.ErrCannotCreateToken",
		errutil.WithPublicMessage("cannot add external service account token"),
	)

	// ErrCannotDeleteToken rejects removing a token from an external service account.
	ErrCannotDeleteToken = errutil.BadRequest(
		"extsvcaccounts.ErrCannotDeleteToken",
		errutil.WithPublicMessage("cannot delete external service account token"),
	)

	// ErrCannotListTokens rejects listing the tokens of an external service account.
	ErrCannotListTokens = errutil.BadRequest(
		"extsvcaccounts.ErrCannotListTokens",
		errutil.WithPublicMessage("cannot list external service account tokens"),
	)

	// ErrCredentialsGenFailed is an internal error for failed credential
	// generation. It is declared without a public message.
	ErrCredentialsGenFailed = errutil.Internal("extsvcaccounts.ErrCredentialsGenFailed")

	// ErrCredentialsNotFound is a not-found error for missing credentials.
	// It is declared without a public message.
	ErrCredentialsNotFound = errutil.NotFound("extsvcaccounts.ErrCredentialsNotFound")

	// ErrInvalidName rejects a name that uses the 'extsvc-' prefix without
	// being an external service account name, keeping that prefix reserved.
	// NOTE(review): the check that raises it is not in this file.
	ErrInvalidName = errutil.BadRequest(
		"extsvcaccounts.ErrInvalidName",
		errutil.WithPublicMessage("only external service account names can be prefixed with 'extsvc-'"),
	)
)

// extsvcuser is a package-internal identity bound to extsvcauth.TmpOrgID.
// Its only grant is serviceaccounts.ActionRead on the wildcard scope
// "serviceaccounts:id:*", so it is read-only but covers every service account
// ID in that org. The value is a shared pointer: code that uses it should not
// mutate Permissions, because the widened grant would apply to every later
// use. NOTE(review): presumably used for internal lookups; confirm against
// the callers that no write action is ever added here.
var extsvcuser = &user.SignedInUser{
	OrgID: extsvcauth.TmpOrgID,
	Permissions: map[int64]map[string][]string{
		extsvcauth.TmpOrgID: {
			serviceaccounts.ActionRead: {"serviceaccounts:id:*"},
		},
	},
}
// Credentials holds the credentials associated with an external service.
//
// Secret is a plain string and no redacting String or MarshalJSON method is
// defined in this file, so formatting the struct with %v or %+v, or
// serializing it, exposes the secret. Avoid passing values of this type to
// loggers or error messages.
type Credentials struct {
	// Secret is the credential value in clear text.
	Secret string
}
// SaveCredentialsCmd carries the inputs for storing an external service's
// credentials.
//
// The command contains the secret in clear text; treat the whole value as
// sensitive and keep it out of logs and error messages.
// NOTE(review): how the secret is protected at rest is not visible in this
// file; confirm in the code that consumes this command.
type SaveCredentialsCmd struct {
	// ExtSvcSlug identifies the external service the credentials belong to.
	ExtSvcSlug string
	// OrgID is the organisation the credentials are stored for.
	OrgID int64
	// Secret is the credential value to store, in clear text.
	Secret string
}
// saveCmd is the package-internal command describing an external service
// account to persist.
//
// Permissions is the full set of access-control grants for the account, so
// whatever builds this command decides the account's privileges.
// NOTE(review): the validation applied to Permissions is not in this file;
// confirm the caller restricts it to what the external service declared.
type saveCmd struct {
	// Enabled is the enabled flag for the account.
	Enabled bool
	// ExtSvcSlug identifies the external service that owns the account.
	ExtSvcSlug string
	// OrgID is the organisation the account lives in.
	OrgID int64
	// Permissions lists the access-control permissions for the account.
	Permissions []ac.Permission
	// SaID is the service account ID.
	// NOTE(review): presumably zero when the account does not exist yet; confirm.
	SaID int64
}
// newRole returns a pointer to a fresh copy of r. Each call yields a distinct
// pointer, so changing the pointed-to value does not affect the caller's
// original or any other returned pointer.
func newRole(r roletype.RoleType) *roletype.RoleType {
	role := new(roletype.RoleType)
	*role = r
	return role
}
// newBool returns a pointer to a fresh copy of b. Each call yields a distinct
// pointer, which lets an optional boolean field tell "unset" (nil) apart from
// an explicit false.
func newBool(b bool) *bool {
	flag := new(bool)
	*flag = b
	return flag
}