authn

package
v0.0.0-...-fb7f86c Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 18, 2023 License: AGPL-3.0 Imports: 18 Imported by: 0

Documentation

Index

Constants

View Source
const (
	ClientAPIKey      = "auth.client.api-key" // #nosec G101
	ClientAnonymous   = "auth.client.anonymous"
	ClientBasic       = "auth.client.basic"
	ClientJWT         = "auth.client.jwt"
	ClientExtendedJWT = "auth.client.extended-jwt"
	ClientRender      = "auth.client.render"
	ClientSession     = "auth.client.session"
	ClientForm        = "auth.client.form"
	ClientProxy       = "auth.client.proxy"
	ClientSAML        = "auth.client.saml"
)
View Source
const (
	MetaKeyUsername   = "username"
	MetaKeyAuthModule = "authModule"
	MetaKeyIsLogin    = "isLogin"
)
View Source
const (
	KeyOAuthPKCE  = "pkce"
	KeyOAuthState = "state"
)
View Source
const (
	NamespaceUser           = identity.NamespaceUser
	NamespaceAPIKey         = identity.NamespaceAPIKey
	NamespaceServiceAccount = identity.NamespaceServiceAccount
)

Variables

View Source
var (
	ErrTokenNeedsRotation  = errutil.NewBase(errutil.StatusUnauthorized, "session.token.rotate")
	ErrUnsupportedClient   = errutil.NewBase(errutil.StatusBadRequest, "auth.client.unsupported")
	ErrClientNotConfigured = errutil.NewBase(errutil.StatusBadRequest, "auth.client.notConfigured")
	ErrUnsupportedIdentity = errutil.NewBase(errutil.StatusNotImplemented, "auth.identity.unsupported")
	ErrExpiredAccessToken  = errutil.NewBase(errutil.StatusUnauthorized, "oauth.expired-token", errutil.WithPublicMessage("OAuth access token expired"))
)

Functions

func ClientWithPrefix

func ClientWithPrefix(name string) string

ClientWithPrefix returns a client name prefixed with "auth.client."

func DeleteSessionCookie

func DeleteSessionCookie(w http.ResponseWriter, cfg *setting.Cfg)

func HandleLoginRedirect

func HandleLoginRedirect(r *http.Request, w http.ResponseWriter, cfg *setting.Cfg, identity *Identity, validator RedirectValidator)

HandleLoginRedirect is a utility function to perform common operations after a successful login and redirects

func HandleLoginRedirectResponse

func HandleLoginRedirectResponse(r *http.Request, w http.ResponseWriter, cfg *setting.Cfg, identity *Identity, validator RedirectValidator) *response.RedirectResponse

HandleLoginRedirectResponse is a utility function to perform common operations after a successful login and return a response.RedirectResponse

func HandleLoginResponse

func HandleLoginResponse(r *http.Request, w http.ResponseWriter, cfg *setting.Cfg, identity *Identity, validator RedirectValidator) *response.NormalResponse

HandleLoginResponse is a utility function to perform common operations after a successful login and returns response.NormalResponse

func NamespacedID

func NamespacedID(namespace string, id int64) string

NamespacedID builds a namespaced ID from a namespace and an ID.

func WriteSessionCookie

func WriteSessionCookie(w http.ResponseWriter, cfg *setting.Cfg, token *usertoken.UserToken)

Types

type Client

type Client interface {
	// Name returns the name of a client
	Name() string
	// Authenticate performs the authentication for the request
	Authenticate(ctx context.Context, r *Request) (*Identity, error)
}

type ClientParams

type ClientParams struct {
	// SyncUser updates the internal representation of the identity from the identity provided
	SyncUser bool
	// AllowSignUp Adds identity to DB if it doesn't exist when, only work if SyncUser is enabled
	AllowSignUp bool
	// EnableDisabledUsers will enable disabled user, only work if SyncUser is enabled
	EnableDisabledUsers bool
	// FetchSyncedUser ensure that all required information is added to the identity
	FetchSyncedUser bool
	// SyncTeams will sync the groups from identity to teams in grafana, enterprise only feature
	SyncTeams bool
	// SyncOrgRoles will sync the roles from the identity to orgs in grafana
	SyncOrgRoles bool
	// CacheAuthProxyKey  if this key is set we will try to cache the user id for proxy client
	CacheAuthProxyKey string
	// LookUpParams are the arguments used to look up the entity in the DB.
	LookUpParams login.UserLookupParams
	// SyncPermissions ensure that permissions are loaded from DB and added to the identity
	SyncPermissions bool
}

ClientParams are hints to the auth service about how to handle the identity management from the authenticating client.

type ContextAwareClient

type ContextAwareClient interface {
	Client
	// Test should return true if client can be used to authenticate request
	Test(ctx context.Context, r *Request) bool
	// Priority for the client, a lower number means higher priority
	Priority() uint
}

ContextAwareClient is an optional interface that auth client can implement. Clients that implements this interface will be tried during request authentication

type HookClient

type HookClient interface {
	Client
	Hook(ctx context.Context, identity *Identity, r *Request) error
}

HookClient is an optional interface that auth clients can implement. Clients that implements this interface can specify an auth hook that will be called only for that client.

type Identity

type Identity struct {
	// OrgID is the active organization for the entity.
	OrgID int64
	// OrgName is the name of the active organization.
	OrgName string
	// OrgRoles is the list of organizations the entity is a member of and their roles.
	OrgRoles map[int64]org.RoleType
	// ID is the unique identifier for the entity in the Grafana database.
	// It is in the format <namespace>:<id> where namespace is one of the
	// Namespace* constants. For example, "user:1" or "api-key:1".
	// If the entity is not found in the DB or this entity is non-persistent, this field will be empty.
	ID string
	// IsAnonymous
	IsAnonymous bool
	// Login is the shorthand identifier of the entity. Should be unique.
	Login string
	// Name is the display name of the entity. It is not guaranteed to be unique.
	Name string
	// Email is the email address of the entity. Should be unique.
	Email string
	// IsGrafanaAdmin is true if the entity is a Grafana admin.
	IsGrafanaAdmin *bool
	// AuthenticatedBy is the name of the authentication client that was used to authenticate the current Identity.
	// For example, "password", "apikey", "auth_ldap" or "auth_azuread".
	AuthenticatedBy string
	// AuthId is the unique identifier for the entity in the external system.
	// Empty if the identity is provided by Grafana.
	AuthID string
	// IsDisabled is true if the entity is disabled.
	IsDisabled bool
	// HelpFlags1 is the help flags for the entity.
	HelpFlags1 user.HelpFlags1
	// LastSeenAt is the time when the entity was last seen.
	LastSeenAt time.Time
	// Teams is the list of teams the entity is a member of.
	Teams []int64
	// idP Groups that the entity is a member of. This is only populated if the
	// identity provider supports groups.
	Groups []string
	// OAuthToken is the OAuth token used to authenticate the entity.
	OAuthToken *oauth2.Token
	// SessionToken is the session token used to authenticate the entity.
	SessionToken *usertoken.UserToken
	// ClientParams are hints for the auth service on how to handle the identity.
	// Set by the authenticating client.
	ClientParams ClientParams
	// Permissions is the list of permissions the entity has.
	Permissions map[int64]map[string][]string
}

func IdentityFromSignedInUser

func IdentityFromSignedInUser(id string, usr *user.SignedInUser, params ClientParams, authenticatedBy string) *Identity

IdentityFromSignedInUser creates an identity from a SignedInUser.

func (*Identity) ExternalUserInfo

func (i *Identity) ExternalUserInfo() login.ExternalUserInfo

func (*Identity) NamespacedID

func (i *Identity) NamespacedID() (string, int64)

NamespacedID returns the namespace, e.g. "user" and the id for that namespace

func (*Identity) Role

func (i *Identity) Role() org.RoleType

Role returns the role of the identity in the active organization.

func (*Identity) SignedInUser

func (i *Identity) SignedInUser() *user.SignedInUser

SignedInUser returns a SignedInUser from the identity.

type IdentitySynchronizer

type IdentitySynchronizer interface {
	SyncIdentity(ctx context.Context, identity *Identity) error
}

type PasswordClient

type PasswordClient interface {
	AuthenticatePassword(ctx context.Context, r *Request, username, password string) (*Identity, error)
}

type PostAuthHookFn

type PostAuthHookFn func(ctx context.Context, identity *Identity, r *Request) error

type PostLoginHookFn

type PostLoginHookFn func(ctx context.Context, identity *Identity, r *Request, err error)

type ProxyClient

type ProxyClient interface {
	AuthenticateProxy(ctx context.Context, r *Request, username string, additional map[string]string) (*Identity, error)
}

type Redirect

type Redirect struct {
	// Url used for redirect
	URL string
	// Extra contains data used for redirect, e.g. for oauth this would be state and pkce
	Extra map[string]string
}

type RedirectClient

type RedirectClient interface {
	Client
	RedirectURL(ctx context.Context, r *Request) (*Redirect, error)
}

RedirectClient is an optional interface that auth clients can implement. Clients that implements this interface can be used to generate redirect urls for authentication flows, e.g. oauth clients

type RedirectValidator

type RedirectValidator func(url string) error

type Request

type Request struct {
	// OrgID will be populated by authn.Service
	OrgID int64
	// HTTPRequest is the original HTTP request to authenticate
	HTTPRequest *http.Request

	// Resp is the response writer to use for the request
	// Used to set cookies and headers
	Resp web.ResponseWriter
	// contains filtered or unexported fields
}

func (*Request) GetMeta

func (r *Request) GetMeta(k string) string

func (*Request) SetMeta

func (r *Request) SetMeta(k, v string)

type Service

type Service interface {
	// Authenticate authenticates a request
	Authenticate(ctx context.Context, r *Request) (*Identity, error)
	// RegisterPostAuthHook registers a hook with a priority that is called after a successful authentication.
	// A lower number means higher priority.
	RegisterPostAuthHook(hook PostAuthHookFn, priority uint)
	// Login authenticates a request and creates a session on successful authentication.
	Login(ctx context.Context, client string, r *Request) (*Identity, error)
	// RegisterPostLoginHook registers a hook that that is called after a login request.
	// A lower number means higher priority.
	RegisterPostLoginHook(hook PostLoginHookFn, priority uint)
	// RedirectURL will generate url that we can use to initiate auth flow for supported clients.
	RedirectURL(ctx context.Context, client string, r *Request) (*Redirect, error)
	// RegisterClient will register a new authn.Client that can be used for authentication
	RegisterClient(c Client)
}

type UsageStatClient

type UsageStatClient interface {
	Client
	UsageStatFn(ctx context.Context) (map[string]interface{}, error)
}

UsageStatClient is an optional interface that auth clients can implement. Clients that implements this interface can specify a usage stat collection hook

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL