* devenv: fix volumes section when sources don't contain one
* wip
* Working correctly with improvedExternalSessionHandling on
* Remove not needed lines
* Working with the old flow, tests
* Handle compatibility with the feature toggle, tests wip
* Tests
* Cleanup
* Address feedback
* Align tests
* Add comment
* Fix issue with session removal after the invalidation of tokens
* Remove commented out code
* clean up
* Add samlCatalog metric
* Add samlCatalog metric to stats
* Define hook for successful SamlCatalog metrics
* Register new hook
* Add tests
* Rework the collected stats and split it into versions
* Remove noisy log line
* Add IsProvisioned field to UpdateUserCommand
* Update user store to include the new IsProvisioned field
* Update store tests to include the new IsProvisioned field
* SCIM: fix provisioned user role assignment from SAML assertion
* revert org_sync_test changes
* clean up tests
* skip user lookup during org sync
* sanitize log output
* only log non-sensitive fields
* Add hook to validate access for users based on provisioning logic
* Wire the hook
* Add tests
* declare new variables for errors
* rework the authorization flow for provisioned users
* Add scim feature to testinfra opts
* Grant access if the identity doesn't have associated a user
* skip external uid check for subsequent calls
* Update tests
* Validate authID when user is provisioned
* Add new `user_unique_id` to `user_auth` table
* Validate provisioned user with saml assertion
* Rework `ExternalUID`
* Validate for ExternalUID only
* Enhance verbosity
* Move ExternalUID to saml config
* Rename db variable for externalUID
* Add verbosity to debug ExternalUID
* Assign new error for ExternalUID mismatch
* Add `GetByLoginFn`
* Add new configuration to saml tests
* add validation for empty externalUID
* Add isProvisioned field to model
* Add new isProvisioned column to migration
* Disable auto assignment to organization if the user is provisioned
* add annotation to user model
* add annotation to user models
* Remove IsProvisioned field from Identity
* Move new field assignenment and add default value
* Update annotations for user query results
* Remove isProvisioned from identity
* Add new column to test
* Resolve user from identity at SyncOrgHook
* Rename from AllowedKubernetesNamespace to Namespace
* Use a sync hook to always set namespace for Identity.
* format
* Don't set uid when authenticating as user
* update oauthtoken service to use remote cache and server lock
* remove token cache
* retry is lock is held by an in-flight refresh
* refactor token renewal to avoid race condition
* re-add refresh token expiry cache, but in SyncOauthTokenHook
* Add delta to the cache ttl
* Fix merge
* Change lockTimeConfig
* Always set the token from within the server lock
* Improvements
* early return when user is not authed by OAuth or refresh is disabled
* Allow more time for token refresh, tracing
* Retry on Mysql Deadlock error 1213
* Update pkg/services/authn/authnimpl/sync/oauth_token_sync.go
Co-authored-by: Dan Cech <dcech@grafana.com>
* Update pkg/services/authn/authnimpl/sync/oauth_token_sync.go
Co-authored-by: Dan Cech <dcech@grafana.com>
* Add settings for configuring min wait time between retries
* Add docs for the new setting
* Clean up
* Update docs/sources/setup-grafana/configure-grafana/_index.md
Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
---------
Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>
Co-authored-by: Christopher Moyer <35463610+chri2547@users.noreply.github.com>
* Refactor identity struct to store type in separate field
* Update ResolveIdentity to take string representation of typedID
* Add IsIdentityType to requester interface
* Use IsIdentityType from interface
* Remove usage of TypedID
* Remote typedID struct
* fix GetInternalID
* RBAC sync: Fix removal of roles which need to be added
* Optimize code
* cleanup: appease the linter
---------
Co-authored-by: Victor Cinaglia <victor@grafana.com>
* GetSignedInUser unexported (renamed to getSignedInUser)
* GetSignedInUserWithCacheCtx renamed to GetSignedInUser
* added a check for a nil cacheservice (as defensive programming / test convenience)
* Remove different constructors and only use NewNamespaceID
* AdminUser: check typed namespace id
* Identity: Add convinient function to parse valid user id when type is either user or service account
* Annotations: Use typed namespace id instead
* Use RoleType from org package
* Move to identity package and re-export from authn
* Replace usage of top level functions for identity
Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>
* User: remove unused function
* User: Remove UpdatePermissions and support IsGrafanaAdmin flag in Update function instead
* User: Remove Disable function and use Update instead
