Documentation
¶
Index ¶
- Constants
- Variables
- func ClientWithPrefix(name string) string
- func DeleteSessionCookie(w http.ResponseWriter, cfg *setting.Cfg)
- func HandleLoginRedirect(r *http.Request, w http.ResponseWriter, cfg *setting.Cfg, identity *Identity, ...)
- func HandleLoginRedirectResponse(r *http.Request, w http.ResponseWriter, cfg *setting.Cfg, identity *Identity, ...) *response.RedirectResponse
- func HandleLoginResponse(r *http.Request, w http.ResponseWriter, cfg *setting.Cfg, identity *Identity, ...) *response.NormalResponse
- func NamespacedID(namespace string, id int64) string
- func WriteSessionCookie(w http.ResponseWriter, cfg *setting.Cfg, token *usertoken.UserToken)
- type Client
- type ClientParams
- type ContextAwareClient
- type HookClient
- type Identity
- type PasswordClient
- type PostAuthHookFn
- type PostLoginHookFn
- type ProxyClient
- type Redirect
- type RedirectClient
- type RedirectValidator
- type Request
- type Service
- type UsageStatClient
Constants ¶
View Source
const ( ClientAPIKey = "auth.client.api-key" // #nosec G101 ClientAnonymous = "auth.client.anonymous" ClientBasic = "auth.client.basic" ClientJWT = "auth.client.jwt" ClientExtendedJWT = "auth.client.extended-jwt" ClientRender = "auth.client.render" ClientSession = "auth.client.session" ClientForm = "auth.client.form" ClientProxy = "auth.client.proxy" ClientSAML = "auth.client.saml" )
View Source
const ( MetaKeyUsername = "username" MetaKeyAuthModule = "authModule" MetaKeyIsLogin = "isLogin" )
View Source
const ( KeyOAuthPKCE = "pkce" KeyOAuthState = "state" )
View Source
const ( NamespaceUser = "user" NamespaceAPIKey = "api-key" NamespaceServiceAccount = "service-account" )
Variables ¶
View Source
var ( ErrTokenNeedsRotation = errutil.NewBase(errutil.StatusUnauthorized, "session.token.rotate") ErrUnsupportedClient = errutil.NewBase(errutil.StatusBadRequest, "auth.client.unsupported") ErrClientNotConfigured = errutil.NewBase(errutil.StatusBadRequest, "auth.client.notConfigured") ErrUnsupportedIdentity = errutil.NewBase(errutil.StatusNotImplemented, "auth.identity.unsupported") )
Functions ¶
func ClientWithPrefix ¶
ClientWithPrefix returns a client name prefixed with "auth.client."
func DeleteSessionCookie ¶
func DeleteSessionCookie(w http.ResponseWriter, cfg *setting.Cfg)
func HandleLoginRedirect ¶
func HandleLoginRedirect(r *http.Request, w http.ResponseWriter, cfg *setting.Cfg, identity *Identity, validator RedirectValidator)
HandleLoginRedirect is a utility function to perform common operations after a successful login and redirects
func HandleLoginRedirectResponse ¶
func HandleLoginRedirectResponse(r *http.Request, w http.ResponseWriter, cfg *setting.Cfg, identity *Identity, validator RedirectValidator) *response.RedirectResponse
HandleLoginRedirectResponse is a utility function to perform common operations after a successful login and return a response.RedirectResponse
func HandleLoginResponse ¶
func HandleLoginResponse(r *http.Request, w http.ResponseWriter, cfg *setting.Cfg, identity *Identity, validator RedirectValidator) *response.NormalResponse
HandleLoginResponse is a utility function to perform common operations after a successful login and returns response.NormalResponse
func NamespacedID ¶
NamespacedID builds a namespaced ID from a namespace and an ID.
func WriteSessionCookie ¶
Types ¶
type ClientParams ¶
type ClientParams struct {
// SyncUser updates the internal representation of the identity from the identity provided
SyncUser bool
// AllowSignUp Adds identity to DB if it doesn't exist when, only work if SyncUser is enabled
AllowSignUp bool
// EnableDisabledUsers will enable disabled user, only work if SyncUser is enabled
EnableDisabledUsers bool
// FetchSyncedUser ensure that all required information is added to the identity
FetchSyncedUser bool
// SyncTeams will sync the groups from identity to teams in grafana, enterprise only feature
SyncTeams bool
// SyncOrgRoles will sync the roles from the identity to orgs in grafana
SyncOrgRoles bool
// CacheAuthProxyKey if this key is set we will try to cache the user id for proxy client
CacheAuthProxyKey string
// LookUpParams are the arguments used to look up the entity in the DB.
LookUpParams login.UserLookupParams
// SyncPermissions ensure that permissions are loaded from DB and added to the identity
SyncPermissions bool
}
ClientParams are hints to the auth service about how to handle the identity management from the authenticating client.
type ContextAwareClient ¶
type ContextAwareClient interface {
Client
// Test should return true if client can be used to authenticate request
Test(ctx context.Context, r *Request) bool
// Priority for the client, a lower number means higher priority
Priority() uint
}
ContextAwareClient is an optional interface that auth client can implement. Clients that implements this interface will be tried during request authentication
type HookClient ¶
type HookClient interface {
Client
Hook(ctx context.Context, identity *Identity, r *Request) error
}
HookClient is an optional interface that auth clients can implement. Clients that implements this interface can specify an auth hook that will be called only for that client.
type Identity ¶
type Identity struct {
// OrgID is the active organization for the entity.
OrgID int64
// OrgCount is the number of organizations the entity is a member of.
OrgCount int
// OrgName is the name of the active organization.
OrgName string
// OrgRoles is the list of organizations the entity is a member of and their roles.
OrgRoles map[int64]org.RoleType
// ID is the unique identifier for the entity in the Grafana database.
// It is in the format <namespace>:<id> where namespace is one of the
// Namespace* constants. For example, "user:1" or "api-key:1".
// If the entity is not found in the DB or this entity is non-persistent, this field will be empty.
ID string
// IsAnonymous
IsAnonymous bool
// Login is the shorthand identifier of the entity. Should be unique.
Login string
// Name is the display name of the entity. It is not guaranteed to be unique.
Name string
// Email is the email address of the entity. Should be unique.
Email string
// IsGrafanaAdmin is true if the entity is a Grafana admin.
IsGrafanaAdmin *bool
// AuthenticatedBy is the name of the authentication client that was used to authenticate the current Identity.
// For example, "password", "apikey", "auth_ldap" or "auth_azuread".
AuthenticatedBy string
// AuthId is the unique identifier for the entity in the external system.
// Empty if the identity is provided by Grafana.
AuthID string
// IsDisabled is true if the entity is disabled.
IsDisabled bool
// HelpFlags1 is the help flags for the entity.
HelpFlags1 user.HelpFlags1
// LastSeenAt is the time when the entity was last seen.
LastSeenAt time.Time
// Teams is the list of teams the entity is a member of.
Teams []int64
// idP Groups that the entity is a member of. This is only populated if the
// identity provider supports groups.
Groups []string
// OAuthToken is the OAuth token used to authenticate the entity.
OAuthToken *oauth2.Token
// SessionToken is the session token used to authenticate the entity.
SessionToken *usertoken.UserToken
// ClientParams are hints for the auth service on how to handle the identity.
// Set by the authenticating client.
ClientParams ClientParams
// Permissions is the list of permissions the entity has.
Permissions map[int64]map[string][]string
}
func IdentityFromSignedInUser ¶
func IdentityFromSignedInUser(id string, usr *user.SignedInUser, params ClientParams, authenticatedBy string) *Identity
IdentityFromSignedInUser creates an identity from a SignedInUser.
func (*Identity) ExternalUserInfo ¶
func (i *Identity) ExternalUserInfo() login.ExternalUserInfo
func (*Identity) NamespacedID ¶
NamespacedID returns the namespace, e.g. "user" and the id for that namespace
func (*Identity) SignedInUser ¶
func (i *Identity) SignedInUser() *user.SignedInUser
SignedInUser returns a SignedInUser from the identity.
type PasswordClient ¶
type PostAuthHookFn ¶
type PostLoginHookFn ¶
type ProxyClient ¶
type RedirectClient ¶
type RedirectClient interface {
Client
RedirectURL(ctx context.Context, r *Request) (*Redirect, error)
}
RedirectClient is an optional interface that auth clients can implement. Clients that implements this interface can be used to generate redirect urls for authentication flows, e.g. oauth clients
type RedirectValidator ¶
type Request ¶
type Request struct {
// OrgID will be populated by authn.Service
OrgID int64
// HTTPRequest is the original HTTP request to authenticate
HTTPRequest *http.Request
// Resp is the response writer to use for the request
// Used to set cookies and headers
Resp web.ResponseWriter
// contains filtered or unexported fields
}
type Service ¶
type Service interface {
// Authenticate authenticates a request
Authenticate(ctx context.Context, r *Request) (*Identity, error)
// RegisterPostAuthHook registers a hook with a priority that is called after a successful authentication.
// A lower number means higher priority.
RegisterPostAuthHook(hook PostAuthHookFn, priority uint)
// Login authenticates a request and creates a session on successful authentication.
Login(ctx context.Context, client string, r *Request) (*Identity, error)
// RegisterPostLoginHook registers a hook that that is called after a login request.
// A lower number means higher priority.
RegisterPostLoginHook(hook PostLoginHookFn, priority uint)
// RedirectURL will generate url that we can use to initiate auth flow for supported clients.
RedirectURL(ctx context.Context, client string, r *Request) (*Redirect, error)
// RegisterClient will register a new authn.Client that can be used for authentication
RegisterClient(c Client)
}
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.