root
/
grafana
mirror of https://github.com/grafana/grafana.git
1
0
Fork 0
Code Issues Actions 253 Packages Projects Releases Wiki Activity
grafana/pkg/services/accesscontrol/middleware.go

421 lines
12 KiB
Go
Raw Normal View History

Access Control: Move access control middlewares to domain package (#48322) * Move access control middleware to domain package
2022-04-28 16:46:18 +08:00
package accesscontrol
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com>
2021-03-22 20:22:48 +08:00
import (
RBAC: Split up service into several components (#54002) * RBAC: Rename interface to Store * RBAC: Move ranme scopeInjector * RBAC: Rename files to service * RBAC: Rename to service * RBAC: Split up accesscontrol into two components * RBAC: Add DeclareFixedRoles to AccessControl interface * Wire: Fix wire bindings * RBAC: Move resolvers to root * RBAC: Remove invalid test * RBAC: Inject access control service * RBAC: Implement the RoleRegistry interface in fake
2022-08-24 19:29:17 +08:00
"bytes"
Access Control: Move access control middlewares to domain package (#48322) * Move access control middleware to domain package
2022-04-28 16:46:18 +08:00
"context"
RBAC: Redirect to /login when forceLogin is set (#56469)
2022-10-07 14:18:56 +08:00
"errors"
Access control: Attach ID to error message (#33472)
2021-05-13 05:00:27 +08:00
"fmt"
Access Control: Get org from request data for authorization (#84359) * Access Control: Get org from request data for authorization * move type to models * Update pkg/services/accesscontrol/middleware.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * refactor * refactor * Fix linter --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2024-03-14 00:05:03 +08:00
"io"
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com>
2021-03-22 20:22:48 +08:00
"net/http"
RBAC: Redirect to /login when forceLogin is set (#56469)
2022-10-07 14:18:56 +08:00
"net/url"
"regexp"
Remove Macaron ParamsInt64 function from code base (#43810) * draft commit * change all calls * Compilation errors
2022-01-15 00:55:57 +08:00
"strconv"
RBAC: Redirect to /login when forceLogin is set (#56469)
2022-10-07 14:18:56 +08:00
"strings"
RBAC: Split up service into several components (#54002) * RBAC: Rename interface to Store * RBAC: Move ranme scopeInjector * RBAC: Rename files to service * RBAC: Rename to service * RBAC: Split up accesscontrol into two components * RBAC: Add DeclareFixedRoles to AccessControl interface * Wire: Fix wire bindings * RBAC: Move resolvers to root * RBAC: Remove invalid test * RBAC: Inject access control service * RBAC: Implement the RoleRegistry interface in fake
2022-08-24 19:29:17 +08:00
"text/template"
Access control: Attach ID to error message (#33472)
2021-05-13 05:00:27 +08:00
"time"
RBAC: Redirect to /login when forceLogin is set (#56469)
2022-10-07 14:18:56 +08:00
"github.com/grafana/grafana/pkg/middleware/cookies"
Auth: Refactor auth package (#58920) * Auth: move interface to its own file * Auth: move to test package * Auth: move quota consts to auth file * Auth: move service to impl package * Auth: move interfaces and related models to auth package * Auth: Create sub package and type alias to avoid circular dependency
2022-11-18 16:56:06 +08:00
"github.com/grafana/grafana/pkg/models/usertoken"
Auth: Move access control API to SignedInUser interface (#73144) * move access control api to SignedInUser interface * remove unused code * add logic for reading perms from a specific org * move the specific org logic to org_user.go * add a comment --------- Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2023-08-18 18:42:18 +08:00
"github.com/grafana/grafana/pkg/services/auth/identity"
Auth: Add feature flag to move token rotation to client (#65060) * FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2023-03-23 21:39:04 +08:00
"github.com/grafana/grafana/pkg/services/authn"
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
Chore: Delete org model duplicates (#60940) * Delete org model duplicates * Fix lint * Move OrgDetailsDTO to org pkg
2023-01-04 23:20:26 +08:00
"github.com/grafana/grafana/pkg/services/org"
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2023-11-22 21:20:22 +08:00
"github.com/grafana/grafana/pkg/services/team"
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
"github.com/grafana/grafana/pkg/services/user"
Access control: Redirect non-API calls (#41100)
2021-11-04 16:59:52 +08:00
"github.com/grafana/grafana/pkg/setting"
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 17:36:28 +08:00
"github.com/grafana/grafana/pkg/util"
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go
2021-10-11 20:30:59 +08:00
"github.com/grafana/grafana/pkg/web"
Access control: Basic structure and functionality behind feature toggle (#31893) Co-authored-by: Alexander Zobnin <alexander.zobnin@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Arve Knudsen <arve.knudsen@grafana.com> Co-authored-by: Marcus Efraimsson <marcus.efraimsson@grafana.com>
2021-03-22 20:22:48 +08:00
)
RBAC: Remove legacy ac from authorization middleware (#68898) remove legacy AC fallback from RBAC middleware, and some unused auth logic
2023-05-24 16:49:42 +08:00
func Middleware(ac AccessControl) func(Evaluator) web.Handler {
return func(evaluator Evaluator) web.Handler {
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
return func(c *contextmodel.ReqContext) {
RBAC: Redirect to /login when forceLogin is set (#56469)
2022-10-07 14:18:56 +08:00
if c.AllowAnonymous {
forceLogin, _ := strconv.ParseBool(c.Req.URL.Query().Get("forceLogin")) // ignoring error, assuming false for non-true values is ok.
orgID, err := strconv.ParseInt(c.Req.URL.Query().Get("orgId"), 10, 64)
Auth: Move access control API to SignedInUser interface (#73144) * move access control api to SignedInUser interface * remove unused code * add logic for reading perms from a specific org * move the specific org logic to org_user.go * add a comment --------- Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2023-08-18 18:42:18 +08:00
if err == nil && orgID > 0 && orgID != c.SignedInUser.GetOrgID() {
RBAC: Redirect to /login when forceLogin is set (#56469)
2022-10-07 14:18:56 +08:00
forceLogin = true
}
if !c.IsSignedIn && forceLogin {
Misc: Remove unused params and impossible logic (#83756) * remove unused params and impossible logic * remove unused param
2024-03-01 19:08:00 +08:00
unauthorized(c)
Auth: Add feature flag to move token rotation to client (#65060) * FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2023-03-23 21:39:04 +08:00
return
RBAC: Redirect to /login when forceLogin is set (#56469)
2022-10-07 14:18:56 +08:00
}
}
Auth: Add feature flag to move token rotation to client (#65060) * FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2023-03-23 21:39:04 +08:00
if c.LookupTokenErr != nil {
var revokedErr *usertoken.TokenRevokedError
if errors.As(c.LookupTokenErr, &revokedErr) {
tokenRevoked(c, revokedErr)
return
}
Misc: Remove unused params and impossible logic (#83756) * remove unused params and impossible logic * remove unused param
2024-03-01 19:08:00 +08:00
unauthorized(c)
RBAC: Redirect to /login when forceLogin is set (#56469)
2022-10-07 14:18:56 +08:00
return
}
Access Control: Move access control middlewares to domain package (#48322) * Move access control middleware to domain package
2022-04-28 16:46:18 +08:00
authorize(c, ac, c.SignedInUser, evaluator)
}
}
}
Auth: Move access control API to SignedInUser interface (#73144) * move access control api to SignedInUser interface * remove unused code * add logic for reading perms from a specific org * move the specific org logic to org_user.go * add a comment --------- Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2023-08-18 18:42:18 +08:00
func authorize(c *contextmodel.ReqContext, ac AccessControl, user identity.Requester, evaluator Evaluator) {
RBAC: Split up service into several components (#54002) * RBAC: Rename interface to Store * RBAC: Move ranme scopeInjector * RBAC: Rename files to service * RBAC: Rename to service * RBAC: Split up accesscontrol into two components * RBAC: Add DeclareFixedRoles to AccessControl interface * Wire: Fix wire bindings * RBAC: Move resolvers to root * RBAC: Remove invalid test * RBAC: Inject access control service * RBAC: Implement the RoleRegistry interface in fake
2022-08-24 19:29:17 +08:00
injected, err := evaluator.MutateScopes(c.Req.Context(), scopeInjector(scopeParams{
Auth: Move access control API to SignedInUser interface (#73144) * move access control api to SignedInUser interface * remove unused code * add logic for reading perms from a specific org * move the specific org logic to org_user.go * add a comment --------- Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2023-08-18 18:42:18 +08:00
OrgID: user.GetOrgID(),
Access Control: Move access control middlewares to domain package (#48322) * Move access control middleware to domain package
2022-04-28 16:46:18 +08:00
URLParams: web.Params(c.Req),
}))
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
if err != nil {
c.JsonApiErr(http.StatusInternalServerError, "Internal server error", err)
return
}
hasAccess, err := ac.Evaluate(c.Req.Context(), user, injected)
if !hasAccess || err != nil {
Access Control: Move access control middlewares to domain package (#48322) * Move access control middleware to domain package
2022-04-28 16:46:18 +08:00
deny(c, injected, err)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
return
}
}
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
func deny(c *contextmodel.ReqContext, evaluator Evaluator, err error) {
Access control: Attach ID to error message (#33472)
2021-05-13 05:00:27 +08:00
id := newID()
if err != nil {
c.Logger.Error("Error from access control system", "error", err, "accessErrorID", id)
} else {
Auth: Move access control API to SignedInUser interface (#73144) * move access control api to SignedInUser interface * remove unused code * add logic for reading perms from a specific org * move the specific org logic to org_user.go * add a comment --------- Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2023-08-18 18:42:18 +08:00
namespace, identifier := c.SignedInUser.GetNamespacedID()
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 17:36:28 +08:00
c.Logger.Info(
"Access denied",
Auth: Move access control API to SignedInUser interface (#73144) * move access control api to SignedInUser interface * remove unused code * add logic for reading perms from a specific org * move the specific org logic to org_user.go * add a comment --------- Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
2023-08-18 18:42:18 +08:00
"namespace", namespace,
"userID", identifier,
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 17:36:28 +08:00
"accessErrorID", id,
AccessControl: improve denied message (#44551) * AccessControl: improve denied message * AccessControl: tweak permission denied
2022-01-28 19:17:24 +08:00
"permissions", evaluator.GoString(),
Access Control: refactor permission evaluator to be more flexible (#35996) * add a more flexible way to create permissions * update interface for accesscontrol to use new eval interface * use new eval interface * update middleware to use new eval interface * remove evaluator function and move metrics to service * add tests for accesscontrol middleware * Remove failed function from interface and update inejct to create a new evaluator * Change name * Support Several sopes for a permission * use evaluator and update fakeAccessControl * Implement String that will return string representation of permissions for an evaluator Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-08-24 17:36:28 +08:00
)
Access control: Attach ID to error message (#33472)
2021-05-13 05:00:27 +08:00
}
Access control: Redirect non-API calls (#41100)
2021-11-04 16:59:52 +08:00
if !c.IsApiRequest() {
// TODO(emil): I'd like to show a message after this redirect, not sure how that can be done?
Auth: Write the redirect cookie if denied - do not write a blank redirect (#57381) * Write the redirect cookie if denied - do not write a blank redirect * Remove redundant code, reverse polarity
2022-10-21 22:53:17 +08:00
writeRedirectCookie(c)
Access control: Redirect non-API calls (#41100)
2021-11-04 16:59:52 +08:00
c.Redirect(setting.AppSubUrl + "/")
return
}
Access Control: Move access control middlewares to domain package (#48322) * Move access control middleware to domain package
2022-04-28 16:46:18 +08:00
message := ""
if evaluator != nil {
message = evaluator.String()
}
Access control: Attach ID to error message (#33472)
2021-05-13 05:00:27 +08:00
// If the user triggers an error in the access control system, we
// don't want the user to be aware of that, so the user gets the
// same information from the system regardless of if it's an
// internal server error or access denied.
c.JSON(http.StatusForbidden, map[string]string{
"title": "Access denied", // the component needs to pick this up
Access Control: Move access control middlewares to domain package (#48322) * Move access control middleware to domain package
2022-04-28 16:46:18 +08:00
"message": fmt.Sprintf("You'll need additional permissions to perform this action. Permissions needed: %s", message),
Access control: Attach ID to error message (#33472)
2021-05-13 05:00:27 +08:00
"accessErrorId": id,
})
}
Misc: Remove unused params and impossible logic (#83756) * remove unused params and impossible logic * remove unused param
2024-03-01 19:08:00 +08:00
func unauthorized(c *contextmodel.ReqContext) {
RBAC: Redirect to /login when forceLogin is set (#56469)
2022-10-07 14:18:56 +08:00
if c.IsApiRequest() {
Auth: Add feature flag to move token rotation to client (#65060) * FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2023-03-23 21:39:04 +08:00
c.WriteErrOrFallback(http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized), c.LookupTokenErr)
return
}
RBAC: Redirect to /login when forceLogin is set (#56469)
2022-10-07 14:18:56 +08:00
Auth: Add feature flag to move token rotation to client (#65060) * FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2023-03-23 21:39:04 +08:00
writeRedirectCookie(c)
if errors.Is(c.LookupTokenErr, authn.ErrTokenNeedsRotation) {
c.Redirect(setting.AppSubUrl + "/user/auth-tokens/rotate")
return
}
c.Redirect(setting.AppSubUrl + "/login")
}
RBAC: Redirect to /login when forceLogin is set (#56469)
2022-10-07 14:18:56 +08:00
Auth: Add feature flag to move token rotation to client (#65060) * FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2023-03-23 21:39:04 +08:00
func tokenRevoked(c *contextmodel.ReqContext, err *usertoken.TokenRevokedError) {
if c.IsApiRequest() {
Chore: use any rather than interface{} (#74066)
2023-08-30 23:46:47 +08:00
c.JSON(http.StatusUnauthorized, map[string]any{
Auth: Add feature flag to move token rotation to client (#65060) * FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2023-03-23 21:39:04 +08:00
"message": "Token revoked",
Chore: use any rather than interface{} (#74066)
2023-08-30 23:46:47 +08:00
"error": map[string]any{
Auth: Add feature flag to move token rotation to client (#65060) * FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2023-03-23 21:39:04 +08:00
"id": "ERR_TOKEN_REVOKED",
"maxConcurrentSessions": err.MaxConcurrentSessions,
},
})
RBAC: Redirect to /login when forceLogin is set (#56469)
2022-10-07 14:18:56 +08:00
return
}
writeRedirectCookie(c)
c.Redirect(setting.AppSubUrl + "/login")
}
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
func writeRedirectCookie(c *contextmodel.ReqContext) {
RBAC: Redirect to /login when forceLogin is set (#56469)
2022-10-07 14:18:56 +08:00
redirectTo := c.Req.RequestURI
if setting.AppSubUrl != "" && !strings.HasPrefix(redirectTo, setting.AppSubUrl) {
redirectTo = setting.AppSubUrl + c.Req.RequestURI
}
// remove any forceLogin=true params
redirectTo = removeForceLoginParams(redirectTo)
cookies.WriteCookie(c.Resp, "redirect_to", url.QueryEscape(redirectTo), 0, nil)
}
var forceLoginParamsRegexp = regexp.MustCompile(`&?forceLogin=true`)
func removeForceLoginParams(str string) string {
return forceLoginParamsRegexp.ReplaceAllString(str, "")
}
Access control: Attach ID to error message (#33472)
2021-05-13 05:00:27 +08:00
func newID() string {
// Less ambiguity than alphanumerical.
numerical := []byte("0123456789")
id, err := util.GetRandomString(10, numerical...)
if err != nil {
// this should not happen, but if it does, a timestamp is as
// useful as anything.
id = fmt.Sprintf("%d", time.Now().UnixNano())
}
return "ACE" + id
}
AccessControl: Extend scope parameters with extra params from context (#39722) * AccessControl: Extend scope parameters with extra params from context Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
2021-10-06 19:15:09 +08:00
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
type OrgIDGetter func(c *contextmodel.ReqContext) (int64, error)
Chore: Copy user methods over to user store (#56000) * Chore: Copy user methods over to user store * Fix some tests and bugs * Add some more tests * Move tests to user store * Move back the tests * Add some tests
2022-10-04 18:17:55 +08:00
Access Control: Move access control middlewares to domain package (#48322) * Move access control middleware to domain package
2022-04-28 16:46:18 +08:00
type userCache interface {
Chore: Remove GetSignedInUserWithCacheCtx from store interface (#53734) * Remove delete suer from store interface * Remove get signed in user with cache ctx from store interface * Support options when setting up access control tests * Fix broken tests * Fix lint * Add user fake to middleware * Fix middleware tests, remove usertest being initialised twice Co-authored-by: Karl Persson <kalle.persson@grafana.com>
2022-08-16 22:08:59 +08:00
GetSignedInUserWithCacheCtx(ctx context.Context, query *user.GetSignedInUserQuery) (*user.SignedInUser, error)
Access Control: Move access control middlewares to domain package (#48322) * Move access control middleware to domain package
2022-04-28 16:46:18 +08:00
}
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2023-11-22 21:20:22 +08:00
type teamService interface {
GetTeamIDsByUser(ctx context.Context, query *team.GetTeamIDsByUserQuery) ([]int64, error)
}
func AuthorizeInOrgMiddleware(ac AccessControl, service Service, userService userCache, teamService teamService) func(OrgIDGetter, Evaluator) web.Handler {
RBAC: Remove legacy ac from authorization middleware (#68898) remove legacy AC fallback from RBAC middleware, and some unused auth logic
2023-05-24 16:49:42 +08:00
return func(getTargetOrg OrgIDGetter, evaluator Evaluator) web.Handler {
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
return func(c *contextmodel.ReqContext) {
MESA: Allow using synced permissions (#71377) * wip * cover authorize in org behavior * revert export * fix org tests * change permissions nit
2023-07-12 18:28:04 +08:00
targetOrgID, err := getTargetOrg(c)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
if err != nil {
Access Control: Move access control middlewares to domain package (#48322) * Move access control middleware to domain package
2022-04-28 16:46:18 +08:00
deny(c, nil, fmt.Errorf("failed to get target org: %w", err))
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
return
}
MESA: Allow using synced permissions (#71377) * wip * cover authorize in org behavior * revert export * fix org tests * change permissions nit
2023-07-12 18:28:04 +08:00
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2023-11-22 21:20:22 +08:00
tmpUser, err := makeTmpUser(c.Req.Context(), service, userService, teamService, c.SignedInUser, targetOrgID)
if err != nil {
deny(c, nil, fmt.Errorf("failed to authenticate user in target org: %w", err))
return
RBAC: Remove service dependency in Evaluator component (#54910) * RBAC: Remove service dependency for Evaluator component * RBAC: Add service and load permissions in target org if they are not there * RBAC: Use service if we need to load permissions for org * API: remove service injection into evaluator * API: set new user for each request in tests * PublicDashboards: Use fake service to provide permissions * RBAC: Set org id for dashboard provisioning user
2022-09-09 15:07:45 +08:00
}
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2023-11-22 21:20:22 +08:00
authorize(c, ac, tmpUser, evaluator)
AccessControl: Fix locked role picker in orgs/edit page (#46539) * AccessControl: Fix locked role picker in orgs/edit page * Use correct org when computing metadata
2022-03-24 15:58:10 +08:00
MESA: Allow using synced permissions (#71377) * wip * cover authorize in org behavior * revert export * fix org tests * change permissions nit
2023-07-12 18:28:04 +08:00
// guard against nil map
if c.SignedInUser.Permissions == nil {
c.SignedInUser.Permissions = make(map[int64]map[string][]string)
}
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2023-11-22 21:20:22 +08:00
c.SignedInUser.Permissions[tmpUser.GetOrgID()] = tmpUser.GetPermissions()
}
}
}
// makeTmpUser creates a temporary user that can be used to evaluate access across orgs.
func makeTmpUser(ctx context.Context, service Service, cache userCache,
teamService teamService, reqUser identity.Requester, targetOrgID int64) (identity.Requester, error) {
tmpUser := &user.SignedInUser{
OrgID: reqUser.GetOrgID(),
OrgName: reqUser.GetOrgName(),
OrgRole: reqUser.GetOrgRole(),
IsGrafanaAdmin: reqUser.GetIsGrafanaAdmin(),
Login: reqUser.GetLogin(),
Teams: reqUser.GetTeams(),
Permissions: map[int64]map[string][]string{
reqUser.GetOrgID(): reqUser.GetPermissions(),
},
}
namespace, identifier := reqUser.GetNamespacedID()
id, _ := identity.IntIdentifier(namespace, identifier)
switch namespace {
case identity.NamespaceUser:
tmpUser.UserID = id
case identity.NamespaceAPIKey:
tmpUser.ApiKeyID = id
if tmpUser.OrgID != targetOrgID {
return nil, errors.New("API key does not belong to target org")
}
case identity.NamespaceServiceAccount:
tmpUser.UserID = id
tmpUser.IsServiceAccount = true
}
if tmpUser.OrgID != targetOrgID {
switch targetOrgID {
case GlobalOrgID:
tmpUser.OrgID = GlobalOrgID
tmpUser.OrgRole = org.RoleNone
tmpUser.OrgName = ""
tmpUser.Teams = []int64{}
default:
if cache == nil {
return nil, errors.New("user cache is nil")
}
query := user.GetSignedInUserQuery{UserID: tmpUser.UserID, OrgID: targetOrgID}
queryResult, err := cache.GetSignedInUserWithCacheCtx(ctx, &query)
if err != nil {
return nil, err
}
tmpUser.OrgID = queryResult.OrgID
tmpUser.OrgName = queryResult.OrgName
tmpUser.OrgRole = queryResult.OrgRole
RBAC: Fix authorize in org (#81552) * RBAC: Fix authorize in org * Implement option 2 * Fix typo * Fix alerting test * Add test to cover the not member case
2024-02-01 19:37:01 +08:00
// Only fetch the team membership is the user is a member of the organization
if queryResult.OrgID == targetOrgID {
if teamService != nil {
teamIDs, err := teamService.GetTeamIDsByUser(ctx, &team.GetTeamIDsByUserQuery{OrgID: targetOrgID, UserID: tmpUser.UserID})
if err != nil {
return nil, err
}
tmpUser.Teams = teamIDs
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2023-11-22 21:20:22 +08:00
}
}
}
}
RBAC: Fix authorize in org (#81552) * RBAC: Fix authorize in org * Implement option 2 * Fix typo * Fix alerting test * Add test to cover the not member case
2024-02-01 19:37:01 +08:00
// If the user is not a member of the organization
// evaluation must happen based on global permissions.
evaluationOrg := targetOrgID
if tmpUser.OrgID == NoOrgID {
evaluationOrg = GlobalOrgID
}
if tmpUser.Permissions[evaluationOrg] == nil || len(tmpUser.Permissions[evaluationOrg]) == 0 {
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2023-11-22 21:20:22 +08:00
permissions, err := service.GetUserPermissions(ctx, tmpUser, Options{})
if err != nil {
return nil, err
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
}
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2023-11-22 21:20:22 +08:00
RBAC: Fix authorize in org (#81552) * RBAC: Fix authorize in org * Implement option 2 * Fix typo * Fix alerting test * Add test to cover the not member case
2024-02-01 19:37:01 +08:00
tmpUser.Permissions[evaluationOrg] = GroupScopesByAction(permissions)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
}
Authz: Remove use of SignedInUser copy for permission evaluation (#78448) * remove use of SignedInUserCopies * add extra safety to not cross assign permissions unwind circular dependency dashboardacl->dashboardaccess fix missing import * correctly set teams for permissions * fix missing inits * nit: check err * exit early for api keys
2023-11-22 21:20:22 +08:00
return tmpUser, nil
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
}
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
func UseOrgFromContextParams(c *contextmodel.ReqContext) (int64, error) {
Remove Macaron ParamsInt64 function from code base (#43810) * draft commit * change all calls * Compilation errors
2022-01-15 00:55:57 +08:00
orgID, err := strconv.ParseInt(web.Params(c.Req)[":orgId"], 10, 64)
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
// Special case of macaron handling invalid params
Chore: Differentiate the ErrOrgNotFound error messages (#64131) * Better org not found error messages
2023-03-06 15:57:46 +08:00
if err != nil {
return 0, org.ErrOrgNotFound.Errorf("failed to get organization from context: %w", err)
}
if orgID == 0 {
return 0, org.ErrOrgNotFound.Errorf("empty org ID")
AccessControl: Remove scopes from orgs endpoints (#41709) * AccessControl: Check permissions in target org * Remove org scopes and add an authorizeInOrg middleware * Use query result org id and perform users permission check globally for GetOrgByName * Remove scope translation for orgs current * Suggestion from Ieva
2021-11-17 17:12:28 +08:00
}
return orgID, nil
}
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
func UseGlobalOrg(c *contextmodel.ReqContext) (int64, error) {
Access Control: Move access control middlewares to domain package (#48322) * Move access control middleware to domain package
2022-04-28 16:46:18 +08:00
return GlobalOrgID, nil
Access control: Refactor managed permission system to create api and frontend components (#42540) * Refactor resource permissions * Add frondend components for resource permissions Co-authored-by: kay delaney <45561153+kaydelaney@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2021-12-20 16:52:24 +08:00
}
RBAC: Check `plugins:install` globally (#78438) * RBAC: Check plugins:install globally * Add disclamer to the RBACSingleOrganization config option
2023-11-21 22:09:43 +08:00
// UseGlobalOrSingleOrg returns the global organization or the current organization in a single organization setup
func UseGlobalOrSingleOrg(cfg *setting.Cfg) OrgIDGetter {
return func(c *contextmodel.ReqContext) (int64, error) {
if cfg.RBACSingleOrganization {
return c.GetOrgID(), nil
}
return GlobalOrgID, nil
}
}
Access Control: Get org from request data for authorization (#84359) * Access Control: Get org from request data for authorization * move type to models * Update pkg/services/accesscontrol/middleware.go Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * refactor * refactor * Fix linter --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2024-03-14 00:05:03 +08:00
// UseOrgFromRequestData returns the organization from the request data.
// If no org is specified, then the org where user is logged in is returned.
func UseOrgFromRequestData(c *contextmodel.ReqContext) (int64, error) {
query, err := getOrgQueryFromRequest(c)
if err != nil {
// Special case of macaron handling invalid params
return NoOrgID, org.ErrOrgNotFound.Errorf("failed to get organization from context: %w", err)
}
if query.OrgId == nil {
return c.SignedInUser.GetOrgID(), nil
}
return *query.OrgId, nil
}
// UseGlobalOrgFromRequestData returns global org if `global` flag is set or the org where user is logged in.
func UseGlobalOrgFromRequestData(c *contextmodel.ReqContext) (int64, error) {
query, err := getOrgQueryFromRequest(c)
if err != nil {
// Special case of macaron handling invalid params
return NoOrgID, org.ErrOrgNotFound.Errorf("failed to get organization from context: %w", err)
}
if query.Global {
return GlobalOrgID, nil
}
return c.SignedInUser.GetOrgID(), nil
}
func getOrgQueryFromRequest(c *contextmodel.ReqContext) (*QueryWithOrg, error) {
query := &QueryWithOrg{}
req, err := CloneRequest(c.Req)
if err != nil {
return nil, err
}
if err := web.Bind(req, query); err != nil {
// Special case of macaron handling invalid params
return nil, err
}
return query, nil
}
// CloneRequest creates request copy including request body
func CloneRequest(req *http.Request) (*http.Request, error) {
// Get copy of body to prevent error when reading closed body in request handler
bodyCopy, err := CopyRequestBody(req)
if err != nil {
return nil, err
}
reqCopy := req.Clone(req.Context())
reqCopy.Body = bodyCopy
return reqCopy, nil
}
// CopyRequestBody returns copy of request body and keeps the original one to prevent error when reading closed body
func CopyRequestBody(req *http.Request) (io.ReadCloser, error) {
if req.Body == nil {
return nil, nil
}
body := req.Body
var buf bytes.Buffer
if _, err := buf.ReadFrom(body); err != nil {
return nil, err
}
if err := body.Close(); err != nil {
return nil, err
}
req.Body = io.NopCloser(&buf)
return io.NopCloser(bytes.NewReader(buf.Bytes())), nil
}
RBAC: Split up service into several components (#54002) * RBAC: Rename interface to Store * RBAC: Move ranme scopeInjector * RBAC: Rename files to service * RBAC: Rename to service * RBAC: Split up accesscontrol into two components * RBAC: Add DeclareFixedRoles to AccessControl interface * Wire: Fix wire bindings * RBAC: Move resolvers to root * RBAC: Remove invalid test * RBAC: Inject access control service * RBAC: Implement the RoleRegistry interface in fake
2022-08-24 19:29:17 +08:00
// scopeParams holds the parameters used to fill in scope templates
type scopeParams struct {
OrgID int64
URLParams map[string]string
}
// scopeInjector inject request params into the templated scopes. e.g. "settings:" + eval.Parameters(":id")
func scopeInjector(params scopeParams) ScopeAttributeMutator {
return func(_ context.Context, scope string) ([]string, error) {
tmpl, err := template.New("scope").Parse(scope)
if err != nil {
return nil, err
}
var buf bytes.Buffer
if err = tmpl.Execute(&buf, params); err != nil {
return nil, err
}
return []string{buf.String()}, nil
}
}