Constants ¶
// Names of the built-in authentication clients. Every name carries the
// "auth.client." prefix that ClientWithPrefix produces. Service.Login and
// Service.RedirectURL take a client name as a string; these constants are the
// values a caller is expected to pass (verify against the callers).
const (
	// The literal contains "api-key", which trips gosec G101 (hard-coded
	// credential). It is a client identifier, not a secret, hence the nosec.
	ClientAPIKey      = "auth.client.api-key" // #nosec G101
	ClientAnonymous   = "auth.client.anonymous"
	ClientBasic       = "auth.client.basic"
	ClientJWT         = "auth.client.jwt"
	ClientExtendedJWT = "auth.client.extended-jwt"
	ClientRender      = "auth.client.render"
	ClientSession     = "auth.client.session"
	ClientForm        = "auth.client.form"
	ClientProxy       = "auth.client.proxy"
	ClientSAML        = "auth.client.saml"
)
// Keys for metadata recorded about an authentication.
// NOTE(review): the consumer of these keys is outside this listing. The names
// suggest the username, the authenticating module, and whether the request
// was a login (session-creating, see Service.Login) rather than a plain
// authentication — confirm before relying on that reading.
const (
	MetaKeyUsername   = "username"
	MetaKeyAuthModule = "authModule"
	MetaKeyIsLogin    = "isLogin"
)
// Keys for the values that must survive the OAuth authorization-code round
// trip: the PKCE code verifier and the state parameter.
// NOTE(review): where these are stored (cookie vs. server side) is not
// visible here. Whatever the store, the saved state must be compared with the
// state parameter on the callback before the code is exchanged — that
// comparison is the flow's CSRF protection.
const (
	KeyOAuthPKCE  = "pkce"
	KeyOAuthState = "state"
)
// Namespaces for Identity.ID, re-exported from the identity package so that
// callers of this package do not need to import it. They form the
// "<namespace>" part of the "<namespace>:<id>" format described on Identity.ID.
const (
	NamespaceUser           = identity.NamespaceUser
	NamespaceAPIKey         = identity.NamespaceAPIKey
	NamespaceServiceAccount = identity.NamespaceServiceAccount
)
Variables ¶
// Errors returned by the auth service. Each carries a status and a stable,
// machine-readable reason string. Only ErrExpiredAccessToken attaches a
// public message; the others carry just the reason code.
// NOTE(review): assuming errutil only surfaces public messages to clients,
// this keeps internal detail out of responses — keep it that way when adding
// errors here.
var (
	// ErrTokenNeedsRotation: the session token must be rotated (401).
	ErrTokenNeedsRotation = errutil.NewBase(errutil.StatusUnauthorized, "session.token.rotate")
	// ErrUnsupportedClient: the named client is not supported (400).
	ErrUnsupportedClient = errutil.NewBase(errutil.StatusBadRequest, "auth.client.unsupported")
	// ErrClientNotConfigured: the named client is not configured (400).
	ErrClientNotConfigured = errutil.NewBase(errutil.StatusBadRequest, "auth.client.notConfigured")
	// ErrUnsupportedIdentity: the identity kind cannot be handled (501).
	ErrUnsupportedIdentity = errutil.NewBase(errutil.StatusNotImplemented, "auth.identity.unsupported")
	// ErrExpiredAccessToken: the OAuth access token has expired (401).
	// Its public message is the one piece of text here meant for the client.
	ErrExpiredAccessToken = errutil.NewBase(errutil.StatusUnauthorized, "oauth.expired-token",
		errutil.WithPublicMessage("OAuth access token expired"))
)
Functions ¶
func ClientWithPrefix ¶
ClientWithPrefix returns a client name prefixed with "auth.client."
func DeleteSessionCookie ¶
func DeleteSessionCookie(w http.ResponseWriter, cfg *setting.Cfg)
func HandleLoginRedirect ¶
func HandleLoginRedirect(r *http.Request, w http.ResponseWriter, cfg *setting.Cfg, identity *Identity, validator RedirectValidator)
HandleLoginRedirect is a utility function that performs the common post-login operations and then writes an HTTP redirect to w. The supplied RedirectValidator is what guards the redirect destination; pass one that rejects off-site URLs, since an unchecked post-login redirect is an open-redirect vector.
func HandleLoginRedirectResponse ¶
func HandleLoginRedirectResponse(r *http.Request, w http.ResponseWriter, cfg *setting.Cfg, identity *Identity, validator RedirectValidator) *response.RedirectResponse
HandleLoginRedirectResponse is a utility function that performs the common post-login operations and returns a response.RedirectResponse instead of writing the redirect itself. The destination is subject to the supplied RedirectValidator, as with HandleLoginRedirect.
func HandleLoginResponse ¶
func HandleLoginResponse(r *http.Request, w http.ResponseWriter, cfg *setting.Cfg, identity *Identity, validator RedirectValidator) *response.NormalResponse
HandleLoginResponse is a utility function that performs the common post-login operations and returns a response.NormalResponse (no redirect is issued). It takes the same RedirectValidator as the redirecting variants.
func NamespacedID ¶
NamespacedID builds a namespaced ID from a namespace and an ID.
func WriteSessionCookie ¶
Types ¶
type ClientParams ¶
// ClientParams are hints from the authenticating client to the auth service
// about how to handle identity management for the identity it returns.
// Several of the flags only take effect when SyncUser is set.
type ClientParams struct {
	// SyncUser updates the internal representation of the identity from the
	// identity provided by the client.
	SyncUser bool
	// AllowSignUp adds the identity to the DB if it does not exist yet.
	// Only has effect when SyncUser is enabled.
	AllowSignUp bool
	// EnableDisabledUsers re-enables a disabled user.
	// Only has effect when SyncUser is enabled.
	// NOTE(review): this lets a successful upstream authentication reverse an
	// administrative disable; clients should set it deliberately, not by default.
	EnableDisabledUsers bool
	// FetchSyncedUser ensures that all required information is added to the
	// identity.
	FetchSyncedUser bool
	// SyncTeams syncs the groups from the identity to teams in Grafana.
	// Enterprise-only feature.
	SyncTeams bool
	// SyncOrgRoles syncs the roles from the identity to orgs in Grafana.
	SyncOrgRoles bool
	// CacheAuthProxyKey, if set, is the key under which the user ID is cached
	// for the proxy client.
	// NOTE(review): the key is the cache identity. If it is derived from the
	// proxied header values, it must cover every header that influences the
	// resulting user, or one user's cached ID can be served for another.
	CacheAuthProxyKey string
	// LookUpParams are the arguments used to look up the entity in the DB.
	LookUpParams login.UserLookupParams
	// SyncPermissions ensures that permissions are loaded from the DB and
	// added to the identity.
	SyncPermissions bool
}
ClientParams are hints from the authenticating client to the auth service about how to handle identity management (user sync, sign-up, role, team and permission sync) for the identity the client returns.
type ContextAwareClient ¶
// ContextAwareClient is an optional interface an auth client can implement.
// Clients implementing it are candidates during request authentication:
// Test selects a client for a request and Priority orders the candidates.
type ContextAwareClient interface {
	Client
	// Test should return true if the client can be used to authenticate the
	// request.
	// NOTE(review): presumably a cheap applicability check (e.g. presence of a
	// header or cookie) rather than the authentication itself — verify. A Test
	// that is too permissive claims requests this client then has to reject.
	Test(ctx context.Context, r *Request) bool
	// Priority for the client; a lower number means higher priority.
	Priority() uint
}
ContextAwareClient is an optional interface that an auth client can implement. Clients that implement it are tried during request authentication: Test decides whether the client applies to a request, and Priority orders the candidates (a lower number means higher priority).
type HookClient ¶
// HookClient is an optional interface auth clients can implement. A client
// implementing it supplies an auth hook that is called only for that client.
type HookClient interface {
	Client
	// Hook receives the identity produced by this client and the request it
	// came from.
	// NOTE(review): that a non-nil error from Hook rejects the request is
	// inferred from the signature — confirm in the service implementation.
	Hook(ctx context.Context, identity *Identity, r *Request) error
}
HookClient is an optional interface that auth clients can implement. A client that implements it supplies an auth hook that is called only for that client.
type Identity ¶
// Identity is the result of a successful authentication: who the caller is,
// which org is active, and what was used to authenticate. It is produced by
// an auth client and handled by the auth service according to ClientParams.
type Identity struct {
	// OrgID is the active organization for the entity.
	OrgID int64
	// OrgName is the name of the active organization.
	OrgName string
	// OrgRoles is the list of organizations the entity is a member of and
	// their roles, keyed by org ID.
	OrgRoles map[int64]org.RoleType
	// ID is the unique identifier for the entity in the Grafana database.
	// It is in the format <namespace>:<id> where namespace is one of the
	// Namespace* constants. For example, "user:1" or "api-key:1".
	// If the entity is not found in the DB or this entity is non-persistent,
	// this field will be empty, so callers must not assume a populated ID.
	ID string
	// IsAnonymous is true if the entity is anonymous.
	IsAnonymous bool
	// Login is the shorthand identifier of the entity. Should be unique.
	Login string
	// Name is the display name of the entity. It is not guaranteed to be unique.
	Name string
	// Email is the email address of the entity. Should be unique.
	Email string
	// IsGrafanaAdmin is true if the entity is a Grafana admin.
	// NOTE(review): it is a pointer; nil presumably means "not specified by
	// the authenticating client" and must not be read as an affirmative value.
	// Verify how the sync code treats nil vs. false before relying on it —
	// this flag is a privilege-elevation input.
	IsGrafanaAdmin *bool
	// AuthenticatedBy is the name of the authentication client that was used
	// to authenticate the current Identity.
	// For example, "password", "apikey", "auth_ldap" or "auth_azuread".
	AuthenticatedBy string
	// AuthID is the unique identifier for the entity in the external system.
	// Empty if the identity is provided by Grafana.
	AuthID string
	// IsDisabled is true if the entity is disabled.
	IsDisabled bool
	// HelpFlags1 is the help flags for the entity.
	HelpFlags1 user.HelpFlags1
	// LastSeenAt is the time when the entity was last seen.
	LastSeenAt time.Time
	// Teams is the list of teams the entity is a member of.
	Teams []int64
	// Groups are the IdP groups the entity is a member of. This is only
	// populated if the identity provider supports groups.
	Groups []string
	// OAuthToken is the OAuth token used to authenticate the entity.
	// It is a live bearer credential: keep it out of logs, API responses and
	// anything serialized for the browser.
	OAuthToken *oauth2.Token
	// SessionToken is the session token used to authenticate the entity.
	// Same handling as OAuthToken: a live credential, never log or expose it.
	SessionToken *usertoken.UserToken
	// ClientParams are hints for the auth service on how to handle the
	// identity. Set by the authenticating client.
	ClientParams ClientParams
	// Permissions is the list of permissions the entity has.
	// NOTE(review): the shape reads as orgID -> action -> scopes, by analogy
	// with OrgRoles being keyed by org ID — confirm against the loader.
	Permissions map[int64]map[string][]string
}
func IdentityFromSignedInUser ¶
func IdentityFromSignedInUser(id string, usr *user.SignedInUser, params ClientParams, authenticatedBy string) *Identity
IdentityFromSignedInUser creates an identity from a SignedInUser.
func (*Identity) ExternalUserInfo ¶
func (i *Identity) ExternalUserInfo() login.ExternalUserInfo
func (*Identity) NamespacedID ¶
NamespacedID returns the namespace (e.g. "user") and the ID within that namespace, i.e. the two parts of the "<namespace>:<id>" format used by Identity.ID.
func (*Identity) SignedInUser ¶
func (i *Identity) SignedInUser() *user.SignedInUser
SignedInUser returns a SignedInUser from the identity.
type IdentitySynchronizer ¶
type PasswordClient ¶
type PostAuthHookFn ¶
type PostLoginHookFn ¶
type ProxyClient ¶
type RedirectClient ¶
// RedirectClient is an optional interface auth clients can implement.
// Clients implementing it can produce the redirect used to start an
// authentication flow, e.g. OAuth clients.
type RedirectClient interface {
	Client
	// RedirectURL builds the redirect for the given request; presumably this
	// is what Service.RedirectURL returns for the client.
	// NOTE(review): for OAuth this is where the state and PKCE values would be
	// generated (see KeyOAuthState, KeyOAuthPKCE) — verify in the client.
	RedirectURL(ctx context.Context, r *Request) (*Redirect, error)
}
RedirectClient is an optional interface that auth clients can implement. Clients that implement it can generate the redirect URLs used to start an authentication flow, e.g. OAuth clients.
type RedirectValidator ¶
type Request ¶
// Request is the unit of work handed to auth clients and hooks: the HTTP
// request to authenticate plus the writer used for response-side effects.
type Request struct {
	// OrgID will be populated by authn.Service.
	OrgID int64
	// HTTPRequest is the original HTTP request to authenticate.
	HTTPRequest *http.Request
	// Resp is the response writer to use for the request.
	// Used to set cookies and headers; clients that need to emit either do so
	// here rather than on HTTPRequest.
	Resp web.ResponseWriter
	// contains filtered or unexported fields
}
type Service ¶
// Service is the authn entry point: requests are authenticated against the
// clients registered with RegisterClient, and the hooks registered here run
// afterwards in priority order.
type Service interface {
	// Authenticate authenticates a request. Compare Login, which additionally
	// creates a session.
	Authenticate(ctx context.Context, r *Request) (*Identity, error)
	// RegisterPostAuthHook registers a hook with a priority that is called
	// after a successful authentication. A lower number means higher priority.
	RegisterPostAuthHook(hook PostAuthHookFn, priority uint)
	// Login authenticates a request with the named client and creates a
	// session on successful authentication.
	Login(ctx context.Context, client string, r *Request) (*Identity, error)
	// RegisterPostLoginHook registers a hook that is called after a login
	// request. A lower number means higher priority.
	RegisterPostLoginHook(hook PostLoginHookFn, priority uint)
	// RedirectURL will generate a URL that can be used to initiate the auth
	// flow for supported clients (see RedirectClient).
	RedirectURL(ctx context.Context, client string, r *Request) (*Redirect, error)
	// RegisterClient will register a new authn.Client that can be used for
	// authentication.
	RegisterClient(c Client)
}