Require alert.notifications:write permissions to test receivers and templates (#865)
(cherry picked from commit 3c21ab70075256d4ba8e4fbfdcb15f5a394161fa)
Alerting: Update migration to put alerts to the default folder if dashboard folder is missing (#65577)
* extract function
* use context logger
* put alert to general folder if folder is missing
* move folderHelper init
* add test
* Update pkg/services/sqlstore/migrations/ualert/ualert.go
Co-authored-by: Matthew Jacobson <matthew.jacobson@grafana.com>
---------
Co-authored-by: Matthew Jacobson <matthew.jacobson@grafana.com>
(cherry picked from commit 7b2f44762e)
# Conflicts:
# pkg/services/sqlstore/migrations/ualert/migration_test.go
# pkg/services/sqlstore/migrations/ualert/ualert.go
* Trim leading and trailing whitespaces from email and username on signup
* Check whether the provided email address is the same as where the invitation was sent
Co-authored-by: Mihaly Gyongyosi <mgyongyosi@users.noreply.github.com>
We also need to upgrade the linter together with the Go version; all the changes should relate to either fixing linting problems or upgrading the Go version used to build Grafana.
* remove support for v1
(cherry picked from commit 8630a7a991af74edc4030f57d37a4bc263202fde)
* Security: Make proxy endpoints not leak sensitive HTTP headers
Fixes CVE-2022-31130
(cherry picked from commit 2974574a53ab6d26be7b706e76271173a91fea3a)
* Security: Fix do not forward login cookie in outgoing requests
(cherry picked from commit 54a32fc83b233f5910495b5fcca0b4f881221538)
* Add test for username/login field conflict
(cherry picked from commit 7aabcf2694)
* Swap order of login fields
(cherry picked from commit 5ec176cada)
* "Release: Updated versions in package to 8.5.14" (#547)
Co-authored-by: Will Browne <will.browne@grafana.com>
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Co-authored-by: linoman <2051016+linoman@users.noreply.github.com>
Co-authored-by: Grot (@grafanabot) <43478413+grafanabot@users.noreply.github.com>
* Data source: prevent from using auth proxy header as custom data source header (#477)
* apply security changes for auth proxy permission escalation
* add links to CVE
* remove duplicate check
* apply security fix for admin only folder migration (#484)
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* Allow the webhook notifier to support a custom Authorization header
Instead of doing something clever of re-using the existing username/password fields of Basic Authentication - I opted for two different fields to match the upstream Alertmanager configuration (that in turn is based on the HTTP Basic authentication).
It'll fail if you have values for both HTTP Basic Authentication and Authorization.
(cherry picked from commit b026f2bc5d)
This commit fixes a bug where the state did not change from Alerting to Error if the evaluation result returned an error, or from Error to Alerting if evaluations stopped returning errors.
(cherry picked from commit 34d45977ca)
Co-authored-by: George Robinson <george.robinson@grafana.com>
* Alerting: Don't stop the migration when alert rule tags are invalid
As we migrate we expect the `alertRuleTags` on a dashboard alert to be a JSON object. However, it seems this is not really validated by Grafana and a user can change the format to something else that the JSON parser is not able to marshal into a `map[string]string`.
Let's do a bit better by "attempting" to parse the tags and if we can't we'll simply return an empty map. The data is still there so if the user wishes they can go back, fix the data and attempt the migration again.
(cherry picked from commit 90646e7f41)
* Generate additional actions when setting folder permissions in acl list
* Add migration for managed folder permissions to include alert rule actions
(cherry picked from commit bdff63d4a8)
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
* add migrator to drop folder create actions that were set from the folder (#49878)
(cherry picked from commit f4f25d911b)
* Add missing const
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Co-authored-by: gamab <gabi.mabs@gmail.com>
After migrating to unified alerting, users must explicitly allow rolling
back to legacy alerting by setting force_migration = true in config.
This updates the panic message to clarify why that's required and what
the consequences of rolling back will be.
Fixes #50469
(cherry picked from commit 30f035ca34)
Co-authored-by: Joe Blubaugh <joe.blubaugh@grafana.com>
* Alerting: Remove double quotes from matchers
With #38629 a new Alertmanager configuration object was introduced with `object_matchers`, it was meant to circumvent around the fact that Prometheus label names don't support a set of characters that Grafana needs to support for alerts, silences, matchers, etc. (with a common example being elasticsearch's `.`).
This new object does not include the label of sanitization or validation that its Prometheus equivalent supports in `matchers` and therefore are semantically not equivalent.
This triggered the problem that when the migration is run, we use `matchers` as the object to populate in configuration for routing policies, but when the UI does its first save this object is transformed to `object_matchers`.
Matchers that were previously running just fine would immediately stop working as soon as the configuration is saved.
This problem surfaced with the introduction of #49952 where we stopped stripping double quotes from matchers (not just regex but _all_ of them).
* Add comment explaining rationale and future removal
Co-authored-by: Alex Weaver <weaver.alex.d@gmail.com>
(cherry picked from commit 1a50b0dbb7)
Co-authored-by: gotjosh <josue.abreu@gmail.com>
* Alerting: Fix access to alerts for viewer with editor permissions when RBAC is disabled (#49270)
* Add folder edit permission for users with Viewer role
* relax permissions required to create an alert when RBAC is disabled
(cherry picked from commit 3dfafbadef)
* fix backend conflict
* fixup
Co-authored-by: Yuriy Tseretyan <yuriy.tseretyan@grafana.com>
* introduce a fallback handler that checks that role is Viewer.
* update UI nav links to allow alerting tabs for anonymous user
* update rule api to check for Viewer role instead of SignedIn when RBAC is disabled
(cherry picked from commit f7f2253072)
* Update migration to migrate only alerts that belong to existing org\dashboard
(cherry picked from commit d87fdc1037)
Co-authored-by: Yuriy Tseretyan <yuriy.tseretyan@grafana.com>
* Use saved dashboard model to create library panel connections when importing
* Rename variables in dashboard import for clarity
(cherry picked from commit 71e1305364)
Co-authored-by: Josh Hunt <joshhunt@users.noreply.github.com>
* Alerting: Provisioning GET routes for mute timings (#49044)
* Define GET routes and run codegen
* Wire up forked and non-generated API
* Implement and wire
* Tests, authorization
* Fix linter error
(cherry picked from commit 9af30f6570)
* ErrorContains -> Error, then Contains
Co-authored-by: Alexander Weaver <weaver.alex.d@gmail.com>
* Change dash permission check for dashboards that are moved to a different folder
(cherry picked from commit 6923b4c6c6)
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* Alerting: Provisioning message templates (#48665)
* Generate API for writing templates
* Persist templates app logic layer
* Validate templates
* Extract logic, make set and delete methods
* Drop post route for templates
* Fix response details, wire up remainder of API
* Authorize routes
* Mirror some existing tests on new APIs
* Generate mock for prov store
* Wire up prov store mock, add tests using it
* Cover cases for both storage paths
* Add happy path tests and fix bugs if file contains no template section
* Normalize template content with define statement
* Tests for deletion
* Fix linter error
* Move provenance field to DTO
* empty commit
* ID to name
* Fix in auth too
(cherry picked from commit 0f56462fbe)
* ErrorContains -> Error then Contains
Co-authored-by: Alexander Weaver <weaver.alex.d@gmail.com>