Constants ¶
const (
	// TmpOrgID is the orgID we use while global service accounts are not supported.
	TmpOrgID int64 = 1
	// NoServiceAccountID is the ID we use for client that have no service account associated.
	NoServiceAccountID int64 = 0
	// Scopes used to identify the impersonated user. A client holding one of these
	// is asking for information about the user it impersonates (self, global self, teams);
	// they are matched against ExternalService.ImpersonateScopes.
	ScopeUsersSelf       = "users:self"
	ScopeGlobalUsersSelf = "global.users:self"
	ScopeTeamsSelf       = "teams:self"
	// Supported JWS signature algorithm identifiers (RFC 7518 "alg" values) for client keys.
	// Note: these are signing algorithms, not encryption algorithms, even though RS256 is
	// RSA-based and ES256 ECDSA-based; which one applies presumably depends on the key
	// type held in ExternalService.PublicPem — confirm against the key handling code.
	RS256 = "RS256"
	ES256 = "ES256"
)
Variables ¶
var (
	// ErrClientRequiredID reports a registration or lookup that carries no client ID.
	// It is built as an errutil.StatusBadRequest (HTTP 400) error; the WithPublicMessage
	// text is the only part intended to reach an API caller.
	ErrClientRequiredID = errutil.NewBase(errutil.StatusBadRequest, "oauthserver.required-client-id", errutil.WithPublicMessage("client ID is required")).Errorf("Client ID is required")
	// ErrClientRequiredName reports a registration that carries no client name.
	// Same shape as ErrClientRequiredID: a 400 with a caller-safe public message.
	ErrClientRequiredName = errutil.NewBase(errutil.StatusBadRequest, "oauthserver.required-client-name", errutil.WithPublicMessage("client name is required")).Errorf("Client name is required")
)
var (
	// ErrClientNotFoundMessageID is the errutil message ID for the "client not found" case;
	// presumably the base used by ErrClientNotFound(clientID) — its body is not shown here, confirm.
	ErrClientNotFoundMessageID = "oauthserver.client-not-found"
)
Functions ¶
func ErrClientNotFound ¶
Types ¶
type ExternalService ¶
// ExternalService is the persisted OAuth2 client record for an external service
// (xorm tags map the fields to the backing table), enriched at load time with the
// permissions and identity of its associated service account (see
// OAuth2Server.GetExternalService).
type ExternalService struct {
	ID       int64  `xorm:"id pk autoincr"`
	Name     string `xorm:"name"`
	ClientID string `xorm:"client_id"`
	// Secret is the client secret as persisted. GetHashedSecret is documented as
	// returning "the hashed secret as it is stored", which suggests this field holds
	// the hashed form rather than clear text — confirm against the store before
	// treating it as safe to expose or log.
	Secret      string `xorm:"secret"`
	RedirectURI string `xorm:"redirect_uri"` // Not used yet (code flow)
	GrantTypes  string `xorm:"grant_types"`  // CSV value
	Audiences   string `xorm:"audiences"`    // CSV value
	// PublicPem is the client's PEM-encoded public key (exposed by
	// Store.GetExternalServicePublicKey as a JWK); presumably the key that verifies
	// the client's JWT assertions for the jwtbearer grant — confirm.
	PublicPem []byte `xorm:"public_pem"`
	// ServiceAccountID links the client to its service account; NoServiceAccountID (0)
	// marks a client that has none.
	ServiceAccountID int64 `xorm:"service_account_id"`
	// SelfPermissions are the registered service account permissions (registered and managed permissions)
	SelfPermissions []ac.Permission
	// ImpersonatePermissions is the restriction set of permissions while impersonating:
	// an upper bound on what the client may do on behalf of a user (see
	// ImpersonationCfg.Permissions for how it is intersected with the user's own permissions).
	ImpersonatePermissions []ac.Permission
	// SignedInUser refers to the current Service Account identity/user
	SignedInUser *user.SignedInUser
	// Scopes the client may request on its own behalf (presumably what GetScopes reports).
	Scopes []string
	// ImpersonateScopes the client may request when impersonating a user
	// (presumably what GetScopesOnUser filters against).
	ImpersonateScopes []string
}
func (*ExternalService) GetAudience ¶
func (c *ExternalService) GetAudience() fosite.Arguments
GetAudience returns the allowed audience(s) for this client.
func (*ExternalService) GetGrantTypes ¶
func (c *ExternalService) GetGrantTypes() fosite.Arguments
GetGrantTypes returns the client's allowed grant types.
func (*ExternalService) GetHashedSecret ¶
func (c *ExternalService) GetHashedSecret() []byte
GetHashedSecret returns the hashed secret as it is stored in the store.
func (*ExternalService) GetID ¶
func (c *ExternalService) GetID() string
GetID returns the client ID.
func (*ExternalService) GetRedirectURIs ¶
func (c *ExternalService) GetRedirectURIs() []string
GetRedirectURIs returns the client's allowed redirect URIs.
func (*ExternalService) GetResponseTypes ¶
func (c *ExternalService) GetResponseTypes() fosite.Arguments
GetResponseTypes returns the client's allowed response types. Every allowed combination of response types must be listed, with the response types within a combination separated by a space.
func (*ExternalService) GetScopes ¶
func (c *ExternalService) GetScopes() fosite.Arguments
GetScopes returns the scopes this client is allowed to request on its own behalf.
func (*ExternalService) GetScopesOnUser ¶
func (c *ExternalService) GetScopesOnUser(ctx context.Context, accessControl ac.AccessControl, userID int64) []string
GetScopesOnUser returns the scopes this client is allowed to request for a specific user.
func (*ExternalService) IsPublic ¶
func (c *ExternalService) IsPublic() bool
IsPublic returns true if this client is marked as public.
func (*ExternalService) LogID ¶
func (c *ExternalService) LogID() string
func (*ExternalService) ToDTO ¶
func (c *ExternalService) ToDTO() *ExternalServiceDTO
type ExternalServiceDTO ¶
// ExternalServiceDTO is the JSON representation of a client returned to the
// registering caller (see OAuth2Server.SaveExternalService). It carries the
// client secret and, optionally, freshly generated key material, so it is
// sensitive output: do not log or persist DTOs.
type ExternalServiceDTO struct {
	Name string `json:"name"`
	// ID is the OAuth2 client_id, serialized as clientId.
	ID string `json:"clientId"`
	// Secret is serialized as clientSecret; this is the credential the external
	// service authenticates with, so it must only travel over the registration response.
	Secret      string `json:"clientSecret"`
	RedirectURI string `json:"redirectUri,omitempty"` // Not used yet (code flow)
	GrantTypes  string `json:"grantTypes"`            // CSV value
	Audiences   string `json:"audiences"`             // CSV value
	// KeyResult holds the key material produced for the client when a KeyOption
	// asked the server to generate a key pair; omitted otherwise.
	KeyResult *KeyResult `json:"key,omitempty"`
}
type ExternalServiceRegistration ¶
// ExternalServiceRegistration is the registration form used to save a new OAuth2
// client. It describes what the service may do for itself (Self), what it may do
// while impersonating users (Impersonation), and how its signing key is provided (Key).
type ExternalServiceRegistration struct {
	Name string `json:"name"`
	// RedirectURI is the URI that is used in the code flow.
	// Note that this is not used yet.
	RedirectURI *string `json:"redirectUri,omitempty"`
	// Impersonation access configuration: whether the jwtbearer grant is allowed and
	// the permission ceiling applied while impersonating.
	Impersonation ImpersonationCfg `json:"impersonation"`
	// Self access configuration: whether the client_credentials grant is allowed and
	// which permissions the associated service account needs.
	Self SelfCfg `json:"self"`
	// Key is the option to specify a public key or ask the server to generate a crypto key pair.
	Key *KeyOption `json:"key,omitempty"`
}
ExternalServiceRegistration represents the registration form used to save a new OAuth2 client.
type ImpersonationCfg ¶
// ImpersonationCfg configures whether and how an external service may act on behalf
// of a user (jwtbearer grant). Permissions is a ceiling, not a grant: the effective
// permission set is its intersection with the impersonated user's own permissions.
type ImpersonationCfg struct {
	// Enabled allows the service to request access tokens to impersonate users using the jwtbearer grant
	Enabled bool `json:"enabled"`
	// Groups allows the service to list the impersonated user's teams
	Groups bool `json:"groups"`
	// Permissions are the permissions that the external service needs when impersonating a user.
	// The intersection of this set with the impersonated user's permission guarantees that the client will not
	// gain more privileges than the impersonated user has.
	Permissions []accesscontrol.Permission `json:"permissions,omitempty"`
}
type OAuth2Server ¶
// OAuth2Server represents a service in charge of managing OAuth2 clients and handling
// OAuth2 requests (token, introspection). The two Handle* methods are HTTP endpoints;
// the caller is responsible for routing and for any transport-level protections.
type OAuth2Server interface {
	// SaveExternalService creates or updates an external service in the database, it generates client_id and secrets and
	// it ensures that the associated service account has the correct permissions.
	// The returned DTO carries the client secret (and generated key material, if any) and must be
	// treated as sensitive by the caller.
	SaveExternalService(ctx context.Context, cmd *ExternalServiceRegistration) (*ExternalServiceDTO, error)
	// GetExternalService retrieves an external service from store by client_id. It populates the SelfPermissions and
	// SignedInUser from the associated service account.
	GetExternalService(ctx context.Context, id string) (*ExternalService, error)
	// HandleTokenRequest handles the client's OAuth2 query to obtain an access_token by presenting its authorization
	// grant (ex: client_credentials, jwtbearer). Client authentication and grant validation happen here
	// (the implementation is not shown on this page).
	HandleTokenRequest(rw http.ResponseWriter, req *http.Request)
	// HandleIntrospectionRequest handles the OAuth2 query to determine the active state of an OAuth 2.0 token and
	// to determine meta-information about this token.
	HandleIntrospectionRequest(rw http.ResponseWriter, req *http.Request)
}
OAuth2Server represents a service in charge of managing OAuth2 clients and handling OAuth2 requests (token, introspection).
type SelfCfg ¶
// SelfCfg configures what an external service may do in its own right (client_credentials
// grant), i.e. acting as its service account rather than as an impersonated user.
type SelfCfg struct {
	// Enabled allows the service to request access tokens for itself using the client_credentials grant
	Enabled bool `json:"enabled"`
	// Permissions are the permissions that the external service needs its associated service account to have.
	// Unlike ImpersonationCfg.Permissions these are granted to the service account, not intersected
	// with anything, so this list should be reviewed as a direct privilege grant.
	Permissions []accesscontrol.Permission `json:"permissions,omitempty"`
}
type Store ¶
// Store is the persistence layer for external services (OAuth2 clients).
type Store interface {
	// RegisterExternalService persists a new client. How it differs from SaveExternalService
	// (create-only vs upsert, presumably) is not visible here — confirm in the implementation.
	RegisterExternalService(ctx context.Context, client *ExternalService) error
	// SaveExternalService persists client, updating the stored record.
	SaveExternalService(ctx context.Context, client *ExternalService) error
	// GetExternalService looks a client up by its client_id.
	GetExternalService(ctx context.Context, id string) (*ExternalService, error)
	// GetExternalServiceByName looks a client up by its Name.
	GetExternalServiceByName(ctx context.Context, name string) (*ExternalService, error)
	// GetExternalServicePublicKey returns the client's public key as a JWK (presumably parsed
	// from ExternalService.PublicPem); this is the verification key for the client's signed
	// assertions, so callers should treat a missing or malformed key as a hard failure.
	GetExternalServicePublicKey(ctx context.Context, clientID string) (*jose.JSONWebKey, error)
}