* OnGoing
comment
* WIP on the wrapper
* Get before Delete
* WIP: add an unimplemented storage authorizer
* WIP implementing the resource permission authorize
* Implement beforeCreate
* Create, Delete, Update
* List
* Use a resource permissions wrapper
* Switch the main authorizer to service
* Add namespace
* Use compile for list
* Comment
* Remove unnecessary comments
* fix bug with folder permissions
* Implement tests for List
* Test get
* List test small refactor
* Delete test
* Reorganize code
* imports
* Start splitting the tests
* test AfterDelete
* actually test beforeWrite
* Implement tests for wrapper create
* Test delete
* Test List and Get
* Fix List
* Remaining tests
* simplify
* Remove comments
* Reorder
* Change authorizer to allow access
* Provisioning: allow access check to proceed even when non access policy
* Provisioning: access checker needs this for MT
* add permissions registration
* remove scopes
* use in MT for now
* no need to document an internal flag here
* revert vscode change
* refactor the authZ permission evaluation and mapper code to allow evaluating unscoped actions beyond creation
* update wire
* gofmt
* add boolean to struct
---------
Co-authored-by: IevaVasiljeva <ieva.vasiljeva@grafana.com>
* Use the new authorizer for the User resource
* Use accessClient
* Update pkg/services/authz/rbac/mapper.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Chore: Update authlib
* exclude incompatible version of github.com/grafana/gomemcache
* Update go-jose to v4
* fix jose imports
* remove jose v3 from go.mod
* fix tests
* fix serialize
* fix failing live tests
* add v1 of ES256 testkeys. Port tests to use ES256 instead of HS256
* accept more signature algs for okta and azuread
* azure social graph token sig
* accept more signature algs for oauth refresh and jwt auth
* update workspace
* add a static signer for inproc
* rebase and fix ext_jwt
* fix jwt tests
* apply alex patch on gomemcache
* update linting
* fix ext_jwt panic
* update workspaces
---------
Co-authored-by: Jo Garnier <git@jguer.space>
* AuthZ: Create without scope for resources outside of folders
* Make it explicit that create requires a scope check
* Update pkg/services/authz/rbac/service.go
* Use skipScope instead of ReqScope
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* Explain why there is no need to skip scope for roles
---------
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* IAM: Register CoreRole apis
* one line store instantiation
* Small refactor for readability
* Add authorizer for CoreRole
* Nit
* Error strings should not end with punctuation
* Account for error
* Switch to use the local resource client
* error should not start with upper casing
* noopStorageErr should have a name starting with err
* Update workspace
* I don't know why I don't have the same output as the CI 🤷
* Dependency xOwnership
* imports
* Import order
* Rename alias to make it clear this is legacy
* feat(add): datasources:query support for using the authlib/authzservice
* added test for datasources
* refactor to create the translation right away
* Update pkg/services/authz/rbac/mapper.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* fix tests
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* SQLTemplates: Add helper to ensure all templates have a test-case associated
* UnifiedStorage: Add missing sql template test case
* LegacyDashboards: Add sql templates fs to test cases for exhaustiveness check
* RBACStore: Add sql templates fs to test cases for exhaustiveness check
* LegacyIAM: Add missing sql template test cases
* Anonymous access: Allow setting org role in new authz service
* back out change that is not needed; rename struct
* cleanup
* Fix tests
---------
Co-authored-by: Gabriel Mabille <gabriel.mabille@grafana.com>
* Authz: Test List
* Anonymous case
* Cover rendering
* Authz: Check namespace is set in the context
* Explicitly request a namespace check in the storage functions
* Revert logic