- Constants
- Variables
- func ErrClientNotFound(clientID string) error
- type ExternalService
- func (c *ExternalService) GetAudience() fosite.Arguments
- func (c *ExternalService) GetGrantTypes() fosite.Arguments
- func (c *ExternalService) GetHashedSecret() []byte
- func (c *ExternalService) GetID() string
- func (c *ExternalService) GetRedirectURIs() []string
- func (c *ExternalService) GetResponseTypes() fosite.Arguments
- func (c *ExternalService) GetScopes() fosite.Arguments
- func (c *ExternalService) GetScopesOnUser(ctx context.Context, accessControl ac.AccessControl, userID int64) []string
- func (c *ExternalService) IsPublic() bool
- func (c *ExternalService) LogID() string
- func (c *ExternalService) ToDTO() *ExternalServiceDTO
- type ExternalServiceDTO
- type ExternalServiceRegistration
- type ImpersonationCfg
- type KeyOption
- type KeyResult
- type OAuth2Server
- type SelfCfg
- type Store
Constants ¶
const (
	// TmpOrgID is the orgID we use while global service accounts are not supported.
	TmpOrgID int64 = 1
	// NoServiceAccountID is the ID we use for clients that have no service account associated.
	NoServiceAccountID int64 = 0

	// Scopes used to identify the impersonated user (see ImpersonationCfg and
	// GetScopesOnUser).
	ScopeUsersSelf       = "users:self"
	ScopeGlobalUsersSelf = "global.users:self"
	ScopeTeamsSelf       = "teams:self"

	// Supported JWA algorithm names for client keys. Despite the original
	// wording ("encryptions"), RS256 and ES256 identify signature algorithms,
	// not encryption schemes.
	RS256 = "RS256"
	ES256 = "ES256"
)
Variables ¶
var (
	// ErrClientRequiredID is returned when a client is saved without a client ID.
	// It carries errutil.StatusBadRequest and a public message that is safe to
	// show to the caller; the Errorf text is the internal message.
	ErrClientRequiredID = errutil.NewBase(errutil.StatusBadRequest, "oauthserver.required-client-id", errutil.WithPublicMessage("client ID is required")).Errorf("Client ID is required")
	// ErrClientRequiredName is returned when a client is saved without a name;
	// same status and public/internal message split as ErrClientRequiredID.
	ErrClientRequiredName = errutil.NewBase(errutil.StatusBadRequest, "oauthserver.required-client-name", errutil.WithPublicMessage("client name is required")).Errorf("Client name is required")
)
var (
	// ErrClientNotFoundMessageID is the errutil message ID for the "client not
	// found" error; presumably used by ErrClientNotFound(clientID) — confirm
	// against that function.
	ErrClientNotFoundMessageID = "oauthserver.client-not-found"
)
Functions ¶
func ErrClientNotFound ¶
Types ¶
type ExternalService ¶
// ExternalService is an OAuth2 client registered with the server. The
// xorm-tagged fields map to database columns; SelfPermissions and
// SignedInUser are populated from the associated service account when the
// client is loaded through OAuth2Server.GetExternalService.
type ExternalService struct {
	ID       int64  `xorm:"id pk autoincr"`
	Name     string `xorm:"name"`
	ClientID string `xorm:"client_id"`
	// Secret is the client secret as persisted. GetHashedSecret documents it as
	// the hashed form, so this field is expected to hold a hash rather than the
	// plaintext secret — confirm against the code that populates it.
	Secret      string `xorm:"secret"`
	RedirectURI string `xorm:"redirect_uri"` // Not used yet (code flow)
	GrantTypes  string `xorm:"grant_types"`  // CSV value
	Audiences   string `xorm:"audiences"`    // CSV value
	// PublicPem is the client's public key in PEM form; presumably the source of
	// Store.GetExternalServicePublicKey — verify in the store implementation.
	PublicPem        []byte `xorm:"public_pem"`
	ServiceAccountID int64  `xorm:"service_account_id"`
	// SelfPermissions are the registered service account permissions (registered and managed permissions)
	SelfPermissions []ac.Permission
	// ImpersonatePermissions is the restriction set of permissions while impersonating
	ImpersonatePermissions []ac.Permission
	// SignedInUser refers to the current Service Account identity/user
	SignedInUser *user.SignedInUser
	// Scopes are presumably the scopes the client may request on its own behalf
	// (backing GetScopes) — confirm.
	Scopes []string
	// ImpersonateScopes are presumably the scopes the client may request when
	// impersonating a user (see GetScopesOnUser) — confirm.
	ImpersonateScopes []string
}
func (*ExternalService) GetAudience ¶
func (c *ExternalService) GetAudience() fosite.Arguments
GetAudience returns the allowed audience(s) for this client.
func (*ExternalService) GetGrantTypes ¶
func (c *ExternalService) GetGrantTypes() fosite.Arguments
GetGrantTypes returns the client's allowed grant types.
func (*ExternalService) GetHashedSecret ¶
func (c *ExternalService) GetHashedSecret() []byte
GetHashedSecret returns the hashed secret as it is stored in the store.
func (*ExternalService) GetID ¶
func (c *ExternalService) GetID() string
GetID returns the client ID.
func (*ExternalService) GetRedirectURIs ¶
func (c *ExternalService) GetRedirectURIs() []string
GetRedirectURIs returns the client's allowed redirect URIs.
func (*ExternalService) GetResponseTypes ¶
func (c *ExternalService) GetResponseTypes() fosite.Arguments
GetResponseTypes returns the client's allowed response types. All allowed combinations of response types have to be listed, each combination having response types of the combination separated by a space.
func (*ExternalService) GetScopes ¶
func (c *ExternalService) GetScopes() fosite.Arguments
GetScopes returns the scopes this client is allowed to request on its own behalf.
func (*ExternalService) GetScopesOnUser ¶
func (c *ExternalService) GetScopesOnUser(ctx context.Context, accessControl ac.AccessControl, userID int64) []string
GetScopesOnUser returns the scopes this client is allowed to request for a specific user.
func (*ExternalService) IsPublic ¶
func (c *ExternalService) IsPublic() bool
IsPublic returns true if this client is marked as public.
func (*ExternalService) LogID ¶
func (c *ExternalService) LogID() string
func (*ExternalService) ToDTO ¶
func (c *ExternalService) ToDTO() *ExternalServiceDTO
type ExternalServiceDTO ¶
// ExternalServiceDTO is the JSON representation of a registered client, as
// returned by OAuth2Server.SaveExternalService.
type ExternalServiceDTO struct {
	Name string `json:"name"`
	ID   string `json:"clientId"`
	// Secret is the client secret handed back to the registering service. The
	// DTO therefore contains a live credential: treat it as sensitive and keep
	// it out of logs and error messages.
	Secret      string `json:"clientSecret"`
	RedirectURI string `json:"redirectUri,omitempty"` // Not used yet (code flow)
	GrantTypes  string `json:"grantTypes"`            // CSV value
	Audiences   string `json:"audiences"`             // CSV value
	// KeyResult is presumably the outcome of the key option given at
	// registration (see ExternalServiceRegistration.Key); omitted when absent.
	KeyResult *KeyResult `json:"key,omitempty"`
}
type ExternalServiceRegistration ¶
// ExternalServiceRegistration represents the registration form used to save a
// new OAuth2 client (the input of OAuth2Server.SaveExternalService).
type ExternalServiceRegistration struct {
	Name string `json:"name"`
	// RedirectURI is the URI that is used in the code flow.
	// Note that this is not used yet.
	RedirectURI *string `json:"redirectUri,omitempty"`
	// Impersonation access configuration
	Impersonation ImpersonationCfg `json:"impersonation"`
	// Self access configuration
	Self SelfCfg `json:"self"`
	// Key is the option to specify a public key or ask the server to generate a crypto key pair.
	Key *KeyOption `json:"key,omitempty"`
}
ExternalServiceRegistration represents the registration form used to save a new OAuth2 client.
type ImpersonationCfg ¶
// ImpersonationCfg configures whether and how an external service may obtain
// tokens on behalf of a user.
type ImpersonationCfg struct {
	// Enabled allows the service to request access tokens to impersonate users using the jwtbearer grant
	Enabled bool `json:"enabled"`
	// Groups allows the service to list the impersonated user's teams
	Groups bool `json:"groups"`
	// Permissions are the permissions that the external service needs when impersonating a user.
	// The intersection of this set with the impersonated user's permission guarantees that the client will not
	// gain more privileges than the impersonated user has. (The intersection itself is
	// computed elsewhere, not by this type.)
	Permissions []accesscontrol.Permission `json:"permissions,omitempty"`
}
type OAuth2Server ¶
// OAuth2Server represents a service in charge of managing OAuth2 clients and
// handling OAuth2 requests (token, introspection).
type OAuth2Server interface {
	// SaveExternalService creates or updates an external service in the database, it generates client_id and secrets and
	// it ensures that the associated service account has the correct permissions.
	// The returned DTO carries the client secret; callers should not log it.
	SaveExternalService(ctx context.Context, cmd *ExternalServiceRegistration) (*ExternalServiceDTO, error)
	// GetExternalService retrieves an external service from store by client_id. It populates the SelfPermissions and
	// SignedInUser from the associated service account.
	GetExternalService(ctx context.Context, id string) (*ExternalService, error)
	// HandleTokenRequest handles the client's OAuth2 query to obtain an access_token by presenting its authorization
	// grant (ex: client_credentials, jwtbearer).
	HandleTokenRequest(rw http.ResponseWriter, req *http.Request)
	// HandleIntrospectionRequest handles the OAuth2 query to determine the active state of an OAuth 2.0 token and
	// to determine meta-information about this token.
	// NOTE(review): token metadata must only be disclosed to an authenticated
	// caller; confirm the implementation authenticates the client before responding.
	HandleIntrospectionRequest(rw http.ResponseWriter, req *http.Request)
}
OAuth2Server represents a service in charge of managing OAuth2 clients and handling OAuth2 requests (token, introspection).
type SelfCfg ¶
// SelfCfg configures the access an external service has in its own right
// (through its associated service account).
type SelfCfg struct {
	// Enabled allows the service to request access tokens for itself using the client_credentials grant
	Enabled bool `json:"enabled"`
	// Permissions are the permissions that the external service needs its associated service account to have.
	Permissions []accesscontrol.Permission `json:"permissions,omitempty"`
}
type Store ¶
// Store is the persistence layer for external services (OAuth2 clients).
type Store interface {
	// RegisterExternalService persists a new client. How it differs from
	// SaveExternalService (create-only vs. upsert?) is not visible here —
	// confirm in the implementation.
	RegisterExternalService(ctx context.Context, client *ExternalService) error
	// SaveExternalService persists the given client.
	SaveExternalService(ctx context.Context, client *ExternalService) error
	// GetExternalService looks a client up by its client ID.
	GetExternalService(ctx context.Context, id string) (*ExternalService, error)
	// GetExternalServiceByName looks a client up by its name.
	GetExternalServiceByName(ctx context.Context, name string) (*ExternalService, error)
	// GetExternalServicePublicKey returns the client's public key as a JWK,
	// presumably derived from ExternalService.PublicPem — confirm.
	GetExternalServicePublicKey(ctx context.Context, clientID string) (*jose.JSONWebKey, error)
}