* allow post URL
* check for config
* allow relative paths
* add allowed internal pattern; add checks for method
* update defaults.ini
* add custom header
* update config comment
* use globbing, switch to older middleware - deprecated call
* add codeowner
* update to use current api, add test
* update fall through logic
* Update pkg/middleware/validate_action_url.go
Co-authored-by: Dan Cech <dcech@grafana.com>
* Update pkg/middleware/validate_action_url.go
Co-authored-by: Dan Cech <dcech@grafana.com>
* add more tests
* Update pkg/middleware/validate_action_url_test.go
Co-authored-by: Dan Cech <dcech@grafana.com>
* fix request headers
* add additional tests for all verbs
* fix request headers++
* throw error when method is unknown
---------
Co-authored-by: Ryan McKinley <ryantxu@gmail.com>
Co-authored-by: Brian Gann <bkgann@gmail.com>
Co-authored-by: Brian Gann <briangann@users.noreply.github.com>
Co-authored-by: Dan Cech <dcech@grafana.com>
* Refactor identity struct to store type in separate field
* Update ResolveIdentity to take string representation of typedID
* Add IsIdentityType to requester interface
* Use IsIdentityType from interface
* Remove usage of TypedID
* Remote typedID struct
* fix GetInternalID
* Dashboards: Fix tests when authn broker is enabled.
StarService was not configured for tests, the call was guarded by !c.IsSignedIn
* Change default to be anon user to match expectations from tests
* OAuth: rewrite tests to work with authn.Service
* Setup template renderer by default
* Extract cookie options from cfg instead of relying on global variables
* Fix test to work with authn service
* Middleware: rewrite auth tests
* Remvoe session cookie if we cannot refresh access token
This PR adds /api/gnet to the list of ignored paths in the gzip middleware.
Without this, when gzip is enabled (`server.enable_gzip = true`), responses
from the gnet proxy are double compressed: once by grafana.com and once by
Grafana itself. With this change we only do one round of compression for these
endpoints.
To test this out, try a request like this with `server.enable_gzip = true`
(after setting `GCOM_TOKEN` to a valid grafana.com token; you may need to
change the 'bsull' slug, too):
curl -v --user admin:admin \
-H "X-Api-Key: $GCOM_TOKEN" \
-H 'Accept-Encoding: gzip' \
localhost:3000/api/gnet/instances/bsull/provisioned-plugins/grafana-ml-app | gzip -d
Note that there are two Content-Encoding: gzip headers before this PR, and
the output is still compressed even after the `gzip -d`. After this PR things
look as expected.
* Allow setting role as None
Co-authored-by: gamab <gabi.mabs@gmail.com>
Seeking for places where role.None would be used
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
Adding None role to the frontend
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
unify org role declaration and remove from add permission
fix backend test
fix backend lint
* remove role none from frontend
* Simplify checks
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
* nits
---------
Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
* Draft: Feature: Trusted Types support
* remove trusted-types package
* Create policy before jQuery and Angular is loaded and add feature flag
* Add trustedTypePolicies
* Sanitize scriptURL
* Add TT meta tag for test env
* Move trusted types into core
* Add DOMParser support for TrustedHTML
* Seperate RSS sanitization and add better TrustedHTML support
* Get test CSP header from config
* Remove dompurify dep from core
* Add documentation for trusted types
* Apply suggestions from code review
Co-authored-by: Kristian Bremberg <114284895+KristianGrafana@users.noreply.github.com>
* Add comment about Github discussion thread and things breaking
* Remove changes from News panel
* Remove TT feature toggle
* Expose TT and CSPReportOnly to frontend
* Log errors in console when CSP report only is enabled
* Log error for reporting and remove test mode
* Only insert CSP header in HTML for dev env
* Update docs
---------
Co-authored-by: Tobias Skarhed <tobias.skarhed@gmail.com>
Co-authored-by: Tobias Skarhed <1438972+tskarhed@users.noreply.github.com>
Jan-Otto Kröpke
Adela Almasan
Todd Treece
Karl Persson
Kevin Minehart
Ryan McKinley
Charandas
Dave Henderson
Marcus Andersson
Timur Olzhabayev
Alex Khomenko
carrychair
김은빈
Torkel Ödegaard
Carl Bergquist
Marcus Efraimsson
Will Browne
Ezequiel Victorero
Oscar Kilhed
Gabriel MABILLE
Jo
Ben Sully
Michael Mandrus
Ieva
Kristian Bremberg
Bruno