Affected by GO-2022-0342 and 33 other vulnerabilities

GO-2022-0342: Grafana XSS in Dashboard Text Panel in github.com/grafana/grafana

GO-2022-0707: Grafana Authentication Bypass in github.com/grafana/grafana

GO-2024-2483: Grafana XSS via adding a link in General feature in github.com/grafana/grafana

GO-2024-2510: Grafana Cross-site Scripting (XSS) in github.com/grafana/grafana

GO-2024-2513: Grafana information disclosure in github.com/grafana/grafana

GO-2024-2515: Grafana XSS via the OpenTSDB datasource in github.com/grafana/grafana

GO-2024-2516: Grafana XSS via a column style in github.com/grafana/grafana

GO-2024-2517: Grafana XSS in header column rename in github.com/grafana/grafana

GO-2024-2519: Grafana world readable configuration files in github.com/grafana/grafana

GO-2024-2520: Grafana XSS via a query alias for the ElasticSearch datasource in github.com/grafana/grafana

GO-2024-2523: Grafana stored XSS in github.com/grafana/grafana

GO-2024-2629: Grafana's users with permissions to create a data source can CRUD all data sources in github.com/grafana/grafana

GO-2024-2661: Arbitrary file read in github.com/grafana/grafana

GO-2024-2697: Grafana: Users outside an organization can delete a snapshot with its key in github.com/grafana/grafana

GO-2024-2843: Grafana Email addresses and usernames can not be trusted in github.com/grafana/grafana

GO-2024-2844: Grafana User enumeration via forget password in github.com/grafana/grafana

GO-2024-2847: Grafana Escalation from admin to server admin when auth proxy is used in github.com/grafana/grafana

GO-2024-2848: Grafana when using email as a username can block other users from signing in in github.com/grafana/grafana

GO-2024-2851: Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins in github.com/grafana/grafana

GO-2024-2852: Grafana account takeover via OAuth vulnerability in github.com/grafana/grafana

GO-2024-2854: Grafana folders admin only permission privilege escalation in github.com/grafana/grafana

GO-2024-2855: Grafana Plugin signature bypass in github.com/grafana/grafana

GO-2024-2856: Grafana Race condition allowing privilege escalation in github.com/grafana/grafana

GO-2024-2857: Grafana Stored Cross-site Scripting in Unified Alerting in github.com/grafana/grafana

GO-2024-2867: Grafana Spoofing originalUrl of snapshots in github.com/grafana/grafana

GO-2024-3079: Grafana plugin data sources vulnerable to access control bypass in github.com/grafana/grafana

GO-2024-3215: Grafana Command Injection And Local File Inclusion Via Sql Expressions in github.com/grafana/grafana

GO-2024-3240: Grafana org admin can delete pending invites in different org in github.com/grafana/grafana

GO-2025-3438: Grafana Alerting VictorOps integration could be exposed to users with Viewer permission in github.com/grafana/grafana

GO-2025-3704: Grafana Cross-Site-Scripting (XSS) via custom loaded frontend plugin in github.com/grafana/grafana

GO-2025-3740: Grafana vulnerable to authenticated users bypassing dashboard, folder permissions in github.com/grafana/grafana

GO-2025-3742: Grafana's datasource proxy API allows authorization checks to be bypassed in github.com/grafana/grafana

GO-2025-3814: Grafana's insecure DingDing Alert integration exposes sensitive information in github.com/grafana/grafana

GO-2025-3817: Grafana is vulnerable to XSS attacks through open redirects and path traversal in github.com/grafana/grafana

serviceaccounts

package

v0.0.0-test.2 Latest Latest Go to latest Published: Jul 20, 2023 License: AGPL-3.0 Imports: 7 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/grafana/grafana

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
type AddServiceAccountTokenCommand
type CreateServiceAccountForm
type GetSATokensQuery
type MigrationResult
type SearchOrgServiceAccountsQuery
- func (q *SearchOrgServiceAccountsQuery) SetDefaults()
type SearchOrgServiceAccountsResult
type Service
type ServiceAccount
type ServiceAccountDTO
type ServiceAccountFilter
type ServiceAccountProfileDTO
type Stats
type UpdateServiceAccountForm

Constants ¶

View Source

const (
	ActionRead             = "serviceaccounts:read"
	ActionWrite            = "serviceaccounts:write"
	ActionCreate           = "serviceaccounts:create"
	ActionDelete           = "serviceaccounts:delete"
	ActionPermissionsRead  = "serviceaccounts.permissions:read"
	ActionPermissionsWrite = "serviceaccounts.permissions:write"
)

Variables ¶

View Source

var (
	ScopeAll = "serviceaccounts:*"
	ScopeID  = accesscontrol.Scope("serviceaccounts", "id", accesscontrol.Parameter(":serviceAccountId"))
)

View Source

var (
	ErrServiceAccountNotFound            = errutil.NewBase(errutil.StatusNotFound, "serviceaccounts.ErrNotFound", errutil.WithPublicMessage("service account not found"))
	ErrServiceAccountInvalidRole         = errutil.NewBase(errutil.StatusBadRequest, "serviceaccounts.ErrInvalidRoleSpecified", errutil.WithPublicMessage("invalid role specified"))
	ErrServiceAccountRolePrivilegeDenied = errutil.NewBase(errutil.StatusForbidden, "serviceaccounts.ErrRoleForbidden", errutil.WithPublicMessage("can not assign a role higher than user's role"))
	ErrServiceAccountInvalidOrgID        = errutil.NewBase(errutil.StatusBadRequest, "serviceaccounts.ErrInvalidOrgId", errutil.WithPublicMessage("invalid org id specified"))
	ErrServiceAccountInvalidID           = errutil.NewBase(errutil.StatusBadRequest, "serviceaccounts.ErrInvalidId", errutil.WithPublicMessage("invalid service account id specified"))
	ErrServiceAccountInvalidAPIKeyID     = errutil.NewBase(errutil.StatusBadRequest, "serviceaccounts.ErrInvalidAPIKeyId", errutil.WithPublicMessage("invalid api key id specified"))
	ErrServiceAccountInvalidTokenID      = errutil.NewBase(errutil.StatusBadRequest, "serviceaccounts.ErrInvalidTokenId", errutil.WithPublicMessage("invalid service account token id specified"))
	ErrServiceAccountAlreadyExists       = errutil.NewBase(errutil.StatusBadRequest, "serviceaccounts.ErrAlreadyExists", errutil.WithPublicMessage("service account already exists"))
	ErrServiceAccountTokenNotFound       = errutil.NewBase(errutil.StatusNotFound, "serviceaccounts.ErrTokenNotFound", errutil.WithPublicMessage("service account token not found"))
	ErrInvalidTokenExpiration            = errutil.NewBase(errutil.StatusValidationFailed, "serviceaccounts.ErrInvalidInput", errutil.WithPublicMessage("invalid SecondsToLive value"))
	ErrDuplicateToken                    = errutil.NewBase(errutil.StatusBadRequest, "serviceaccounts.ErrTokenAlreadyExists", errutil.WithPublicMessage("service account token with given name already exists in the organization"))
)

View Source

var AccessEvaluator = accesscontrol.EvalAny(
	accesscontrol.EvalPermission(ActionRead),
	accesscontrol.EvalPermission(ActionCreate),
)

AccessEvaluator is used to protect the "Configuration > Service accounts" page access

Functions ¶

This section is empty.

Types ¶

type AddServiceAccountTokenCommand ¶

type AddServiceAccountTokenCommand struct {
	Name          string `json:"name" binding:"Required"`
	OrgId         int64  `json:"-"`
	Key           string `json:"-"`
	SecondsToLive int64  `json:"secondsToLive"`
}

type CreateServiceAccountForm ¶

type CreateServiceAccountForm struct {
	// example: grafana
	Name string `json:"name" binding:"Required"`
	// example: Admin
	Role *org.RoleType `json:"role"`
	// example: false
	IsDisabled *bool `json:"isDisabled"`
}

swagger:model

type GetSATokensQuery ¶

type GetSATokensQuery struct {
	OrgID            *int64 // optional filtering by org ID
	ServiceAccountID *int64 // optional filtering by service account ID
}

type MigrationResult ¶

type MigrationResult struct {
	Total           int      `json:"total"`
	Migrated        int      `json:"migrated"`
	Failed          int      `json:"failed"`
	FailedApikeyIDs []int64  `json:"failedApikeyIDs"`
	FailedDetails   []string `json:"failedDetails"`
}

type SearchOrgServiceAccountsQuery ¶

type SearchOrgServiceAccountsQuery struct {
	OrgID        int64
	Query        string
	Filter       ServiceAccountFilter
	Page         int
	Limit        int
	SignedInUser *user.SignedInUser
}

func (*SearchOrgServiceAccountsQuery) SetDefaults ¶

func (q *SearchOrgServiceAccountsQuery) SetDefaults()

type SearchOrgServiceAccountsResult ¶

type SearchOrgServiceAccountsResult struct {
	// It can be used for pagination of the user list
	// E.g. if totalCount is equal to 100 users and
	// the perpage parameter is set to 10 then there are 10 pages of users.
	TotalCount      int64                `json:"totalCount"`
	ServiceAccounts []*ServiceAccountDTO `json:"serviceAccounts"`
	Page            int                  `json:"page"`
	PerPage         int                  `json:"perPage"`
}

swagger: model

type Service ¶

type Service interface {
	CreateServiceAccount(ctx context.Context, orgID int64, saForm *CreateServiceAccountForm) (*ServiceAccountDTO, error)
	DeleteServiceAccount(ctx context.Context, orgID, serviceAccountID int64) error
	RetrieveServiceAccount(ctx context.Context, orgID, serviceAccountID int64) (*ServiceAccountProfileDTO, error)
	RetrieveServiceAccountIdByName(ctx context.Context, orgID int64, name string) (int64, error)
	UpdateServiceAccount(ctx context.Context, orgID, serviceAccountID int64,
		saForm *UpdateServiceAccountForm) (*ServiceAccountProfileDTO, error)
	AddServiceAccountToken(ctx context.Context, serviceAccountID int64,
		cmd *AddServiceAccountTokenCommand) (*apikey.APIKey, error)
}

ServiceAccountService is the service that manages service accounts.

Service accounts are used to authenticate API requests. They are not users and do not have a password.

type ServiceAccount ¶

type ServiceAccount struct {
	Id int64
}

type ServiceAccountDTO ¶

type ServiceAccountDTO struct {
	Id int64 `json:"id" xorm:"user_id"`
	// example: grafana
	Name string `json:"name" xorm:"name"`
	// example: sa-grafana
	Login string `json:"login" xorm:"login"`
	// example: 1
	OrgId int64 `json:"orgId" xorm:"org_id"`
	// example: false
	IsDisabled bool `json:"isDisabled" xorm:"is_disabled"`
	// example: Viewer
	Role string `json:"role" xorm:"role"`
	// example: 0
	Tokens int64 `json:"tokens"`
	// example: /avatar/85ec38023d90823d3e5b43ef35646af9
	AvatarUrl string `json:"avatarUrl"`
	// example: {"serviceaccounts:delete": true, "serviceaccounts:read": true, "serviceaccounts:write": true}
	AccessControl map[string]bool `json:"accessControl,omitempty"`
}

swagger: model

type ServiceAccountFilter ¶

type ServiceAccountFilter string // used for filtering

const (
	FilterOnlyExpiredTokens ServiceAccountFilter = "expiredTokens"
	FilterOnlyDisabled      ServiceAccountFilter = "disabled"
	FilterIncludeAll        ServiceAccountFilter = "all"
)

type ServiceAccountProfileDTO ¶

type ServiceAccountProfileDTO struct {
	// example: 2
	Id int64 `json:"id" xorm:"user_id"`
	// example: test
	Name string `json:"name" xorm:"name"`
	// example: sa-grafana
	Login string `json:"login" xorm:"login"`
	// example: 1
	OrgId int64 `json:"orgId" xorm:"org_id"`
	// example: false
	IsDisabled bool `json:"isDisabled" xorm:"is_disabled"`
	// example: 2022-03-21T14:35:33Z
	Created time.Time `json:"createdAt" xorm:"created"`
	// example: 2022-03-21T14:35:33Z
	Updated time.Time `json:"updatedAt" xorm:"updated"`
	// example: /avatar/8ea890a677d6a223c591a1beea6ea9d2
	AvatarUrl string `json:"avatarUrl" xorm:"-"`
	// example: Editor
	Role string `json:"role" xorm:"role"`
	// example: []
	Teams         []string        `json:"teams" xorm:"-"`
	Tokens        int64           `json:"tokens,omitempty"`
	AccessControl map[string]bool `json:"accessControl,omitempty" xorm:"-"`
}

swagger:model

type Stats ¶

type Stats struct {
	ServiceAccounts     int64 `xorm:"serviceaccounts"`
	Tokens              int64 `xorm:"serviceaccount_tokens"`
	ForcedExpiryEnabled bool  `xorm:"-"`
}

type UpdateServiceAccountForm ¶

type UpdateServiceAccountForm struct {
	Name             *string       `json:"name"`
	ServiceAccountID int64         `json:"serviceAccountId"`
	Role             *org.RoleType `json:"role"`
	IsDisabled       *bool         `json:"isDisabled"`
}

swagger:model

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
api
database
manager
retriever
secretscan
tests

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL