* apply security fix for admin only folder migration (#482)
* Data source: prevent using auth proxy header as custom data source header (#474)
* applying changes from 446/fix-user-escalation-through-auth-proxy
* linting
* only validate custom headers if auth proxy is enabled
* import ordering
* add links to CVE
* clean up
* remove typo
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
(cherry picked from commit 0100a6aa9645313b25a79a17d947cbf936cc4e76)
* OAuth: Allow assigning Server Admin (#54780)
* extract errors to errors file
* implement oauth server admin assignment
* add server admin tests
* deduplicate autoAssignOrgRole
* deduplicate strict setting
* deduplicate strict setting
* add support for generic oauth
* add role attribute strict support for generic oauth
* add support for github/gitlab
* assignGrafanaAdmin option is here to stay
* unify similar errors
* add config option
* add okta server admin mapping
* remove never used Company attribute
* unify generic oauth role extract with other methods
* case insensitive role match as in azure
* add ini settings
* add server admin to devenv
* remove duplicate fields
* add documentation to oauth
* fix titlecase test
* implement doc feedback
(cherry picked from commit ef245874da)
* Auth: Restore legacy behavior and add deprecation notice for empty org role in oauth (#55118)
* Auth: Add deprecation notice for empty org role
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* fix recasts
* fix azure tests missing logger
* Adding test to gitlab oauth
* Covering more cases
* Cover more options
* Add role attribute strict check fail
* Adding one more edge case test
* Using legacy for gitlab
* Yet another edge case YAEC
* Reverting github oauth to legacy
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* Not using token
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* Nit.
* Adding warning in docs
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* add warning to generic oauth
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* Be more precise
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* Adding warning to github oauth
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* Adding warning to gitlab oauth
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* Adding warning to okta oauth
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* Add docs about mapping to AzureAD
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* Clarify oauth_skip_org_role_update_sync
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* Nit.
* Nit on Azure AD
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* Reorder docs index
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* Fix typo
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Co-authored-by: gamab <gabi.mabs@gmail.com>
(cherry picked from commit 00e7324bf6)
* Auth: Allow admins to manually change oauth user role if `oauth_skip_org_role_update_sync` is enabled (#55182)
* Auth: Allow admins to change oauth user info if it's not synced.
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Update public/app/features/admin/UserAdminPage.tsx
Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
* Add missing import
* Simplify init
Co-authored-by: Josh Hunt <joshhunt@users.noreply.github.com>
Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
* SAML: Add option to skip org role sync (#55230)
* SAML: Add option to skip org role sync
* Modify frontend accordingly
* Remove update from config option name
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* Remove update from config option name
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
* Fix typo
Co-authored-by: Jguer <joao.guerreiro@grafana.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
Co-authored-by: gamab <gabi.mabs@gmail.com>
Co-authored-by: Josh Hunt <joshhunt@users.noreply.github.com>
(cherry picked from commit 3e2e9f93b9)
* Update gitlab_oauth_test.go
* Update gitlab_oauth_test.go
* API: Fix response status when snapshots are not found
* API: Fix response status when snapshot key is empty
* Apply suggestions from code review
(cherry picked from commit 5fec6cc4f5)
Co-authored-by: Sofia Papagiannaki <1632407+papagian@users.noreply.github.com>
* Auth: check for auth_token in url and resolve user if present
* check if auth_token is passed in url
* Auth: Pass auth_token for request if present in path
* no need to decode token in index
* temp
* use loadURLToken and set authorization header
* cache token in memory and strip it from url
* Use loadURLToken
* Keep token in url
* strip sensitive query strings from url used by context logger
* adapt login by url to jwt token
* add jwt iframe devenv
* add jwt iframe devenv instructions
* add access note
* add test for cleaning request
* ensure jwt token is not carried into handlers
* do not reshuffle queries, might be important
* add correct db dump location
* prefer set token instead of cached token
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* Alerting: use static channel configuration to determine secure fields
* move to channels package
* introduce channel_config package to fix cyclic import
* add missing changes
* compare type to type
* First stab at new page layouts behind feature toggle
* Simplifying PageHeader
* Progress on a new model that can more easily support new and old page layouts
* Progress
* rename folder
* Progress
* Minor change
* fixes
* Fixing tests
* Make breadcrumbs work
* Add tests for old Page component
* Adding tests for new Page component and behavior
* fixing page header test
* Fixed test
* Moving user profile routes to navId
* PageLayouts: Updates dashboards routes with navId
* added missing navId
* AppChrome outside route
* Renaming folder
* Minor fix
* Updated
* Fixing StoragePage
* Updated
* Updating translation ids
* Updated snapshot
* update nav translation ids (yes this is confusing)
Co-authored-by: Ashley Harrison <ashley.harrison@grafana.com>
Co-authored-by: joshhunt <josh@trtr.co>
* Fix get legacy alert response
* Swagger: Fix get folder by UID response
* Fix conflicting swagger model Alert
Rename legacy alerting swagger model to LegacyAlert to differentiate it
from the prometheus Alert
* Bump grafana-plugin-sdk-go
* Fix get folder response
* Use go-swagger command for merging the specifications and remove merge_specs script
* Move user not found err to user service
* Use ErrCaseInsensitive from user pkg
* Use ErrUserAlreadyExists from user pkg
* Use ErrLastGrafanaAdmin from user pkg
* Remove errors from model
* Remove user from preferences, stars, orguser, team member
* Fix lint
* Add Delete user from org and dashboard acl
* Delete user from user auth
* Add DeleteUser to quota
* Add test files and adjust user auth store
* Rename package in wire for user auth
* Import Quota Service interface in other services
* do the same in tests
* fix lint tests
* Fix tests
* Add some tests
* Rename InsertUser and DeleteUser to InsertOrgUser and DeleteOrgUser
* Rename DeleteUser to DeleteByUser in quota
* changing a method name in a few additional places
* Fix in other places
* Fix lint
* Fix tests
* Chore: Split Delete User method
* Add fakes for userauth
* Add mock for access control Delete User permission, use interface
* Use interface for team guardian
* Add simple fake for dashboard acl
* Add go routines, clean up, use interfaces
* fix lint
* Update pkg/services/user/userimpl/user_test.go
Co-authored-by: Sofia Papagiannaki <1632407+papagian@users.noreply.github.com>
* Update pkg/services/user/userimpl/user_test.go
Co-authored-by: Sofia Papagiannaki <1632407+papagian@users.noreply.github.com>
* Update pkg/services/user/userimpl/user_test.go
Co-authored-by: Sofia Papagiannaki <1632407+papagian@users.noreply.github.com>
* Add wrapper for not service account error
* fix indentation
* Use fmt for error wrapper
Co-authored-by: Sofia Papagiannaki <1632407+papagian@users.noreply.github.com>
* Encryption: Move secrets migrations into secrets.Migrator
* Encryption: Refactor secrets.Service initialization
* Encryption: Add support to run secrets migrations even when EE is disabled
* Encryption: Expose secrets migrations through HTTP API
* Update docs
* Fix docs links
* Some adjustments to make errors explicit through HTTP response
* Remove user from preferences, stars, orguser, team member
* Fix lint
* Add Delete user from org and dashboard acl
* Delete user from user auth
* Add DeleteUser to quota
* Add test files and adjust user auth store
* Rename package in wire for user auth
* Import Quota Service interface in other services
* do the same in tests
* fix lint tests
* Fix tests
* Add some tests
* Rename InsertUser and DeleteUser to InsertOrgUser and DeleteOrgUser
* Rename DeleteUser to DeleteByUser in quota
* changing a method name in a few additional places
* Fix in other places
* Fix lint
* Fix tests
* Rename DeleteOrgUser to DeleteUserFromAll
* Update pkg/services/org/orgimpl/org_test.go
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* Update pkg/services/preference/prefimpl/inmemory_test.go
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* Rename Acl to ACL
* Fix wire after merge with main
* Move test to unit test
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* update decrypt secrets function signature and add secrets error handling
* remove a couple instances of unnecessary logging since errors are properly handled now
* add unit test
* fix linting issues
/api/admin/pause-all-alerts only takes effect for legacy alerts. This
change returns a 403 if it's called when legacy alerting is disabled.
Fixes #51729