* AccessControl: cover team permissions
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Add background service as a consumer to resource_services
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Define actions in roles.go
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Remove action from accesscontrol model
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* As suggested by kalle
* move some changes from branch to the skeleton PR
* Add background service as a consumer to resource_services
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* moving resourceservice to the main wire file pt2
* move team related actions so that they can be reused
* PR feedback
* fix
* typo
* Access Control: adding hooks for team member endpoints (#43991)
* AccessControl: cover team permissions
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Add background service as a consumer to resource_services
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Define actions in roles.go
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Remove action from accesscontrol model
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* As suggested by kalle
* add access control to list and add team member endpoint, and hooks for adding team members
* member permission type is 0
* add ID scope for team permission checks
* add more team actions, use Member for member permission name
* protect team member update endpoint with FGAC permissions
* update SQL functions for teams and the corresponding tests
* also protect team member removal endpoint with FGAC permissions and add a hook to permission service
* a few small fixes, provide team permission service to test setup
* AccessControl: cover team permissions
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Add background service as a consumer to resource_services
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Define actions in roles.go
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Remove action from accesscontrol model
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* As suggested by kalle
* move some changes from branch to the skeleton PR
* remove resource services from wireexts
* remove unneeded actions
* linting fix
* remove comments
* feedback fixes
* feedback
* simplifying
* remove team member within the same transaction
* fix a mistake with the error
* call the correct sql fction
* linting
* Access control: tests for team member endpoints (#44177)
* tests for team member endpoints
* clean up and fix the tests
* fixing tests take 2
* don't import enterprise test license
* don't import enterprise test license
* remove unused variable
Co-authored-by: gamab <gabi.mabs@gmail.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
Co-authored-by: ievaVasiljeva <ieva.vasiljeva@grafana.com>
* Refactor: Change sqlstore.inTransaction to SQLStore.WithTransactionalDBSession in alert files
* Fix: Revert second SaveAlerts back to normal func
* Refactor: Update tests so functions are now SQLStore methods
* Fix: Refactor pauseAlert and pauseAllAlerts to be SQLStore methods
* Fix: Refactor SaveAlerts to be SQLStore method
* Refactor: Update SaveAlerts func signature to have correct arguments
* Refactor: Define sqlStore
* Chore: Delete commented out code
* Chore: Remove unused SaveAlertsCommand
* Serviceaccounts: feat - tabview for serviceaccounts
* WIP
* feat: listing all service accounts
* refactor: needed to remove showInvitees as not present in serviceaccounts
* add token column in the list
* add token to orgserviceaccount
* Update pkg/services/serviceaccounts/api/api.go
* AccessControl: Add user metadata to user detail view
* AccessControl: Do not present delete or disable buttons based on ac metadata in admin/users
* AccessControl: do not allow password changing or user editing without permission
* AccessControl: Fetch global:users scope for admin
* AccessControl: optimize org.user metadata fetch
* Chore: early return if ac metadata is not available
* AccessControl: Add access control metadata to OrgUserDTO
* AccessControl: get User AC metadata
* AccessControl: return User Access Control metadata when requested
* add permission structure to signedinuser
* add middleware to load user permissions into signedinuser struct
* apply LoadPermissionsMiddleware to http server
* check for permissions in signedinuser struct
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* Add extra fields to OSS types to support enterprise
* WIP service accounts
* Update public/app/features/api-keys/ApiKeysForm.tsx
Co-authored-by: Hugo Häggmark <hugo.haggmark@grafana.com>
* Create a service account at the same time as the API key
* Use service account credentials when accessing API with APIkey
* Throw better error
* Use Boolean for "create service account button"
* Add GetRole to service, merge RoleDTO and Role structs
This patch merges the identical OSS and Enterprise data structures, which improves the code for two reasons:
1. Makes switching between OSS and Enterprise easier
2. Reduces the chance of incompatibilities developing between the same functions in OSS and Enterprise
* Start work cloning permissions onto service account
* If API key is not linked to a service account, continue login as usual
* Fallback to old auth if no service account linked to key
* Commented
* Add CloneUserToServiceAccount
* Update mock.go
* Put graphical bits behind a feature toggle
* Start adding LinkAPIKeyToServiceAccount
* Update pkg/models/user.go
Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>
* Update pkg/api/apikey.go
Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>
* Update pkg/api/apikey.go
Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>
* Finish LinkAPIKeyToServiceAccount
* Update comment
* Handle api key link error
* Update pkg/services/sqlstore/apikey.go
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* Feature toggle
* Update pkg/services/accesscontrol/accesscontrol.go
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* Not needed (yet)
* Better error messages for OSS accesscontrol
* Set an invalid user id as default
* ServiceAccountId should be string
* Re-arrange field names
* ServiceAccountId is integer
* Update ossaccesscontrol.go
* Linter
* Remove fronend edits
* Remove console log
* Update ApiKeysForm.tsx
* feat: add serviceaccount deletion
* feat: make sure we do not accidently delete serviceaccount
* feat: ServiceAccount Type
* refactor: userDeletions function
* refactor: serviceaccount deletions\
* refactor: error name and removed attribute for userDeletecommand
* refactor:: remove serviceaccount type for now
* WIP
* add mocked function
* Remove unnecessary db query, move to right place
* Update pkg/services/accesscontrol/mock/mock.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Update pkg/services/accesscontrol/mock/mock.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Update pkg/services/accesscontrol/mock/mock.go
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Better error messages
* Better and correcter error messages
* add mocked function
* refactor: move function call, add error msg
* add IsServiceAccount and fix table
* add service accounts package
* WIP
* WIP
* working serviceaccountsapi registration
* WIP tests
* test
* test working
* test running for service
* moved the error out of the models package
* fixed own review
* linting errors
* Update pkg/services/serviceaccounts/database/database.go
Co-authored-by: Jeremy Price <Jeremy.price@grafana.com>
* tests running for api
* WIP
* WIP
* removed unused secrets background svc
* removed background svc for serviceaccount infavor or wire.go
* serviceaccounts manager tests
* registering as backend service
Co-authored-by: Jeremy Price <jeremy.price@grafana.com>
Co-authored-by: Hugo Häggmark <hugo.haggmark@grafana.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Add extra fields to OSS types to support enterprise
* Create a service account at the same time as the API key
* Use service account credentials when accessing API with APIkey
* Add GetRole to service, merge RoleDTO and Role structs
This patch merges the identical OSS and Enterprise data structures, which improves the code for two reasons:
1. Makes switching between OSS and Enterprise easier
2. Reduces the chance of incompatibilities developing between the same functions in OSS and Enterprise
* If API key is not linked to a service account, continue login as usual
* Fallback to old auth if no service account linked to key
* Add CloneUserToServiceAccount
* Adding LinkAPIKeyToServiceAccount
* Handle api key link error
* Better error messages for OSS accesscontrol
* Set an invalid user id as default
* Re-arrange field names
* ServiceAccountId is integer
* Better error messages
Co-authored-by: Hugo Häggmark <hugo.haggmark@grafana.com>
Co-authored-by: Eric Leijonmarck <eric.leijonmarck@gmail.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Add global week start option to shared preferences
* Add default_week_start to configuration docs
* Add week start option to dashboards
* Add week start argument to tsdb time range parser
* Fix strict check issues
* Add tests for week start
* Change wording on default_week_start documentation
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
* Update week_start column to be a nullable field
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* Update configuration to include browser option
* Update WeekStartPicker container selector
Co-authored-by: Hugo Häggmark <hugo.haggmark@grafana.com>
* Add menuShouldPortal to WeekStartPicker to remove deprecation warning
Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
* Add inputId to WeekStartPicker
* Use e2e selector on WeekStartPicker aria-label
* Simplify WeekStartPicker onChange condition
* Specify value type on WeekStartPicker weekStarts
* Remove setWeekStart side effect from reducer
* Fix updateLocale failing to reset week start
* Store week start as string to handle empty values
Co-authored-by: achatterjee-grafana <70489351+achatterjee-grafana@users.noreply.github.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Co-authored-by: Hugo Häggmark <hugo.haggmark@grafana.com>
Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
* Encryption: Add support to encrypt/decrypt sjd
* Add datasources.Service as a proxy to datasources db operations
* Encrypt ds.SecureJsonData before calling SQLStore
* Move ds cache code into ds service
* Fix tlsmanager tests
* Fix pluginproxy tests
* Remove some securejsondata.GetEncryptedJsonData usages
* Add pluginsettings.Service as a proxy for plugin settings db operations
* Add AlertNotificationService as a proxy for alert notification db operations
* Remove some securejsondata.GetEncryptedJsonData usages
* Remove more securejsondata.GetEncryptedJsonData usages
* Fix lint errors
* Minor fixes
* Remove encryption global functions usages from ngalert
* Fix lint errors
* Minor fixes
* Minor fixes
* Remove securejsondata.DecryptedValue usage
* Refactor the refactor
* Remove securejsondata.DecryptedValue usage
* Move securejsondata to migrations package
* Move securejsondata to migrations package
* Minor fix
* Fix integration test
* Fix integration tests
* Undo undesired changes
* Fix tests
* Add context.Context into encryption methods
* Fix tests
* Fix tests
* Fix tests
* Trigger CI
* Fix test
* Add names to params of encryption service interface
* Remove bus from CacheServiceImpl
* Add logging
* Add keys to logger
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* Add missing key to logger
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* Undo changes in markdown files
* Fix formatting
* Add context to secrets service
* Rename decryptSecureJsonData to decryptSecureJsonDataFn
* Name args in GetDecryptedValueFn
* Add template back to NewAlertmanagerNotifier
* Copy GetDecryptedValueFn to ngalert
* Add logging to pluginsettings
* Fix pluginsettings test
Co-authored-by: Tania B <yalyna.ts@gmail.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
* Extract search users to a new service
* Fix wire provider
* Fix common_test and remove RouteRegister
* Remove old endpoints
* Fix test
* Create search filters using interfaces
* Move Enterprise filter, rename filter for filters and allow use filters with params
* Each filter has unique key
* Back activeLast30Days filter to OSS
* Fix tests
* Delete unusued param
* Move filters to searchusers service and small refactor
* Fix tests
* refactor licenseURL function to use context and export permission evaluation fction
* remove provisioning file
* refactor licenseURL to take in a bool to avoid circular dependencies
* remove function for appending nav link, as it was only used once and move the function to create admin node
* better argument names
* create a function for permission checking
* extend permission checking when displaying server stats
* enable the use of enterprise access control actions when evaluating permissions
* import ordering
* move licensing FGAC action definitions to models package to allow access from oss
* move evaluatePermissions for routes to context serve
* change permission evaluator to take in more permissions
* move licensing FGAC actions again to appease wire
* avoid index out of bounds issue in case no children are passed in when creating server admin node
* simplify syntax for permission checking
Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
* update loading state for server stats
* linting
* more linting
* fix test
* fix a frontend test
* update "licensing.reports:read" action naming
* UI doesn't allow reading only licensing reports and not the rest of licensing info
Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com>
* Add encryption service
* Add tests for encryption service
* Inject encryption service into http server
* Replace encryption global function usage in login tests
* Migrate to Wire
* Move Encryption bindings to OSS Wire set
* Chore: Refactor securedata to remove global encryption calls from dashboard snapshots
* Fix dashboard snapshot tests
* Remove no longer user test
* Add dashboard snapshots service tests
* Refactor service initialization
* Set up dashboard snapshots service as a background service
Co-authored-by: Tania B <yalyna.ts@gmail.com>
Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
Fixes#30144
Co-authored-by: dsotirakis <sotirakis.dim@gmail.com>
Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
Co-authored-by: Ida Furjesova <ida.furjesova@grafana.com>
Co-authored-by: Jack Westbrook <jack.westbrook@gmail.com>
Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
Co-authored-by: Leon Sorokin <leeoniya@gmail.com>
Co-authored-by: Andrej Ocenas <mr.ocenas@gmail.com>
Co-authored-by: spinillos <selenepinillos@gmail.com>
Co-authored-by: Karl Persson <kalle.persson@grafana.com>
Co-authored-by: Leonard Gram <leo@xlson.com>
* wip
* Auth Info: refactored out into it's own service
* Auth: adds extension point where users are being mapped
* Update pkg/services/login/authinfoservice/service.go
Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>
* Update pkg/services/login/authinfoservice/service.go
Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>
* Auth: simplified code
* moved most authinfo stuff to its own package
* added back code
* linter
* simplified
Co-authored-by: Joan López de la Franca Beltran <joanjan14@gmail.com>
* Azure middleware in HttpClientProxy
* Azure authentication under feature flag
* Minor fixes
* Add prefixes to not clash with JsonData
* Return error if JsonData cannot be parsed
* Return original string if URL invalid
* Tests for datasource_cache
Make sure that default timeout settings are based on configuration
parameters. This now applies for core data sources using old TSDB
contracts and new SDK contracts. Before it was only applied for old TSDB
contracts.
Also moves global setting variables to non-global (setting.Cfg).
* Introduce dataproxy_max_idle_connections config var
* Fix according to reviewer's comments
* Fix according to reviewer's comments - round 2
* Remove unused const
* Bring back MaxIdleConnsPerHost
* Fixes according to reviewer's comments
#31871 introduced support for configuring timeout in seconds
for HTTP data sources. That had a bug where backend expected
a numeric timeout value where it was actually stored as a
string. This should resolve this by requiring input to be
numbers, storing input as numeric and falling back to string
value if there's no numeric value.
Ref #31871
