Index ¶
- func NewAuthSession() *oauth2.JWTSession
- type OAuth2ServiceImpl
- func (s *OAuth2ServiceImpl) ClientAssertionJWTValid(ctx context.Context, jti string) error
- func (s *OAuth2ServiceImpl) CreateAccessTokenSession(ctx context.Context, signature string, request fosite.Requester) (err error)
- func (s *OAuth2ServiceImpl) CreateAuthorizeCodeSession(ctx context.Context, code string, request fosite.Requester) (err error)
- func (s *OAuth2ServiceImpl) CreateRefreshTokenSession(ctx context.Context, signature string, request fosite.Requester) (err error)
- func (s *OAuth2ServiceImpl) DeleteAccessTokenSession(ctx context.Context, signature string) (err error)
- func (s *OAuth2ServiceImpl) DeleteRefreshTokenSession(ctx context.Context, signature string) (err error)
- func (s *OAuth2ServiceImpl) GetAccessTokenSession(ctx context.Context, signature string, session fosite.Session) (request fosite.Requester, err error)
- func (s *OAuth2ServiceImpl) GetAuthorizeCodeSession(ctx context.Context, code string, session fosite.Session) (request fosite.Requester, err error)
- func (s *OAuth2ServiceImpl) GetClient(ctx context.Context, id string) (fosite.Client, error)
- func (s *OAuth2ServiceImpl) GetExternalService(ctx context.Context, id string) (*oauthserver.ExternalService, error)
- func (s *OAuth2ServiceImpl) GetPublicKey(ctx context.Context, issuer string, subject string, kid string) (*jose.JSONWebKey, error)
- func (s *OAuth2ServiceImpl) GetPublicKeyScopes(ctx context.Context, issuer string, subject string, kid string) ([]string, error)
- func (s *OAuth2ServiceImpl) GetPublicKeys(ctx context.Context, issuer string, subject string) (*jose.JSONWebKeySet, error)
- func (s *OAuth2ServiceImpl) GetRefreshTokenSession(ctx context.Context, signature string, session fosite.Session) (request fosite.Requester, err error)
- func (s *OAuth2ServiceImpl) HandleIntrospectionRequest(rw http.ResponseWriter, req *http.Request)
- func (s *OAuth2ServiceImpl) HandleTokenRequest(rw http.ResponseWriter, req *http.Request)
- func (s *OAuth2ServiceImpl) InvalidateAuthorizeCodeSession(ctx context.Context, code string) (err error)
- func (s *OAuth2ServiceImpl) IsJWTUsed(ctx context.Context, jti string) (bool, error)
- func (s *OAuth2ServiceImpl) MarkJWTUsedForTime(ctx context.Context, jti string, exp time.Time) error
- func (s *OAuth2ServiceImpl) RevokeAccessToken(ctx context.Context, requestID string) error
- func (s *OAuth2ServiceImpl) RevokeRefreshToken(ctx context.Context, requestID string) error
- func (s *OAuth2ServiceImpl) RevokeRefreshTokenMaybeGracePeriod(ctx context.Context, requestID string, signature string) error
- func (s *OAuth2ServiceImpl) SaveExternalService(ctx context.Context, registration *oauthserver.ExternalServiceRegistration) (*oauthserver.ExternalServiceDTO, error)
- func (s *OAuth2ServiceImpl) SetClientAssertionJWT(ctx context.Context, jti string, exp time.Time) error
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NewAuthSession ¶
func NewAuthSession() *oauth2.JWTSession
Types ¶
type OAuth2ServiceImpl ¶
type OAuth2ServiceImpl struct {
// contains filtered or unexported fields
}
func ProvideService ¶
func ProvideService(router routing.RouteRegister, db db.DB, cfg *setting.Cfg, skv kvstore.SecretsKVStore, svcAccSvc serviceaccounts.Service, accessControl ac.AccessControl, acSvc ac.Service, userSvc user.Service, teamSvc team.Service, keySvc signingkeys.Service, fmgmt *featuremgmt.FeatureManager) (*OAuth2ServiceImpl, error)
func (*OAuth2ServiceImpl) ClientAssertionJWTValid ¶
func (s *OAuth2ServiceImpl) ClientAssertionJWTValid(ctx context.Context, jti string) error
ClientAssertionJWTValid returns an error if the JTI is already known or the DB check failed, and nil if the JTI is not known.
func (*OAuth2ServiceImpl) CreateAccessTokenSession ¶
func (*OAuth2ServiceImpl) CreateAuthorizeCodeSession ¶
func (s *OAuth2ServiceImpl) CreateAuthorizeCodeSession(ctx context.Context, code string, request fosite.Requester) (err error)
CreateAuthorizeCodeSession stores the authorization request for a given authorization code.
func (*OAuth2ServiceImpl) CreateRefreshTokenSession ¶
func (*OAuth2ServiceImpl) DeleteAccessTokenSession ¶
func (s *OAuth2ServiceImpl) DeleteAccessTokenSession(ctx context.Context, signature string) (err error)
func (*OAuth2ServiceImpl) DeleteRefreshTokenSession ¶
func (s *OAuth2ServiceImpl) DeleteRefreshTokenSession(ctx context.Context, signature string) (err error)
func (*OAuth2ServiceImpl) GetAccessTokenSession ¶
func (*OAuth2ServiceImpl) GetAuthorizeCodeSession ¶
func (s *OAuth2ServiceImpl) GetAuthorizeCodeSession(ctx context.Context, code string, session fosite.Session) (request fosite.Requester, err error)
GetAuthorizeCodeSession hydrates the session based on the given code and returns the authorization request. If the authorization code has been invalidated with `InvalidateAuthorizeCodeSession`, this method should return the ErrInvalidatedAuthorizeCode error.
Make sure to also return the fosite.Requester value when returning the fosite.ErrInvalidatedAuthorizeCode error!
func (*OAuth2ServiceImpl) GetClient ¶
GetClient loads the client by its ID or returns an error if the client does not exist or another error occurred.
func (*OAuth2ServiceImpl) GetExternalService ¶
func (s *OAuth2ServiceImpl) GetExternalService(ctx context.Context, id string) (*oauthserver.ExternalService, error)
GetExternalService retrieves an external service from the store by client_id. It populates the SelfPermissions and SignedInUser from the associated service account. For performance reasons, the service uses caching.
func (*OAuth2ServiceImpl) GetPublicKey ¶
func (s *OAuth2ServiceImpl) GetPublicKey(ctx context.Context, issuer string, subject string, kid string) (*jose.JSONWebKey, error)
GetPublicKey returns the public key issued by 'issuer' and assigned to the subject. The public key is used to check the signature of the JWT assertion in authorization grants.
func (*OAuth2ServiceImpl) GetPublicKeyScopes ¶
func (s *OAuth2ServiceImpl) GetPublicKeyScopes(ctx context.Context, issuer string, subject string, kid string) ([]string, error)
GetPublicKeyScopes returns the scopes assigned to the assertion, identified by the public key issued by 'issuer'.
func (*OAuth2ServiceImpl) GetPublicKeys ¶
func (s *OAuth2ServiceImpl) GetPublicKeys(ctx context.Context, issuer string, subject string) (*jose.JSONWebKeySet, error)
GetPublicKeys returns the public key set issued by 'issuer' and assigned to the subject.
func (*OAuth2ServiceImpl) GetRefreshTokenSession ¶
func (*OAuth2ServiceImpl) HandleIntrospectionRequest ¶
func (s *OAuth2ServiceImpl) HandleIntrospectionRequest(rw http.ResponseWriter, req *http.Request)
HandleIntrospectionRequest handles the OAuth2 query to determine the active state of an OAuth 2.0 token and to retrieve meta-information about this token.
func (*OAuth2ServiceImpl) HandleTokenRequest ¶
func (s *OAuth2ServiceImpl) HandleTokenRequest(rw http.ResponseWriter, req *http.Request)
HandleTokenRequest handles the client's OAuth2 query to obtain an access_token by presenting its authorization grant (e.g. client_credentials, jwtbearer).
func (*OAuth2ServiceImpl) InvalidateAuthorizeCodeSession ¶
func (s *OAuth2ServiceImpl) InvalidateAuthorizeCodeSession(ctx context.Context, code string) (err error)
InvalidateAuthorizeCodeSession is called when an authorize code is being used. The state of the authorization code should be set to invalid, and subsequent requests to GetAuthorizeCodeSession should return the ErrInvalidatedAuthorizeCode error.
func (*OAuth2ServiceImpl) IsJWTUsed ¶
IsJWTUsed returns true if the JWT is not known yet or it cannot be considered valid because it must already have expired.
func (*OAuth2ServiceImpl) MarkJWTUsedForTime ¶
func (s *OAuth2ServiceImpl) MarkJWTUsedForTime(ctx context.Context, jti string, exp time.Time) error
MarkJWTUsedForTime marks the JWT as used until the time passed in the exp parameter. This helps ensure that JWTs are not replayed by maintaining the set of used "jti" values for the length of time for which the JWT would be considered valid based on the applicable "exp" instant. (https://tools.ietf.org/html/rfc7523#section-3)
func (*OAuth2ServiceImpl) RevokeAccessToken ¶
func (s *OAuth2ServiceImpl) RevokeAccessToken(ctx context.Context, requestID string) error
RevokeAccessToken revokes an access token as specified in https://tools.ietf.org/html/rfc7009#section-2.1. If the token passed to the request is an access token, the server MAY revoke the respective refresh token as well.
func (*OAuth2ServiceImpl) RevokeRefreshToken ¶
func (s *OAuth2ServiceImpl) RevokeRefreshToken(ctx context.Context, requestID string) error
RevokeRefreshToken revokes a refresh token as specified in https://tools.ietf.org/html/rfc7009#section-2.1. If the particular token is a refresh token and the authorization server supports the revocation of access tokens, then the authorization server SHOULD also invalidate all access tokens based on the same authorization grant (see Implementation Note).
func (*OAuth2ServiceImpl) RevokeRefreshTokenMaybeGracePeriod ¶
func (s *OAuth2ServiceImpl) RevokeRefreshTokenMaybeGracePeriod(ctx context.Context, requestID string, signature string) error
RevokeRefreshTokenMaybeGracePeriod revokes a refresh token as specified in https://tools.ietf.org/html/rfc7009#section-2.1. If the particular token is a refresh token and the authorization server supports the revocation of access tokens, then the authorization server SHOULD also invalidate all access tokens based on the same authorization grant (see Implementation Note).
If the refresh token grace period in the configuration is greater than zero, the token will have its expiration time set to UTCNow + GracePeriod.
func (*OAuth2ServiceImpl) SaveExternalService ¶
func (s *OAuth2ServiceImpl) SaveExternalService(ctx context.Context, registration *oauthserver.ExternalServiceRegistration) (*oauthserver.ExternalServiceDTO, error)
SaveExternalService creates or updates an external service in the database. It generates the client_id and secrets, and it ensures that the associated service account has the correct permissions. Database consistency is not guaranteed; consider changing this in the future.
func (*OAuth2ServiceImpl) SetClientAssertionJWT ¶
func (s *OAuth2ServiceImpl) SetClientAssertionJWT(ctx context.Context, jti string, exp time.Time) error
SetClientAssertionJWT marks a JTI as known for the given expiry time. Before inserting the new JTI, it cleans up any existing JTIs that have expired, as those tokens cannot be replayed after their expiry.