import grafana-9.0.9-3.el9_2

1 year ago · 68e62fc98a
parent a36c1eaac1
commit 68e62fc98a
3 changed files with 102 additions and 15 deletions
--- a/SOURCES/0011-remove-email-lookup.patch
+++ b/SOURCES/0011-remove-email-lookup.patch
@ -0,0 +1,61 @@
 commit bae86dbeb0
 Author: Ieva <ieva.vasiljeva@grafana.com>
 Date:   Tue Jun 6 17:45:31 2023 +0100
    Auth: Remove Email Lookup from oauth integrations 9.2 (#898)
    backport https://github.com/grafana/grafana-private-mirror/pull/894 to 9.3.x
 diff --git a/pkg/api/login_oauth.go b/pkg/api/login_oauth.go
 index 22014aee43..af00c56a68 100644
 --- a/pkg/api/login_oauth.go
 +++ b/pkg/api/login_oauth.go
@@ -299,16 +299,17 @@
 	connect social.SocialConnector,
 ) (*models.User, error) {
 	oauthLogger.Debug("Syncing Grafana user with corresponding OAuth profile")
 +	lookupParams := models.UserLookupParams{}
 +	if hs.Cfg.OAuthAllowInsecureEmailLookup {
 +		lookupParams.Email = &extUser.Email
 +	}
 +
 	// add/update user in Grafana
 	cmd := &models.UpsertUserCommand{
 -		ReqContext:    ctx,
 -		ExternalUser:  extUser,
 -		SignupAllowed: connect.IsSignupAllowed(),
 -		UserLookupParams: models.UserLookupParams{
 -			Email:  &extUser.Email,
 -			UserID: nil,
 -			Login:  nil,
 -		},
 +		ReqContext:       ctx,
 +		ExternalUser:     extUser,
 +		SignupAllowed:    connect.IsSignupAllowed(),
 +		UserLookupParams: lookupParams,
 	}
 	if err := hs.Login.UpsertUser(ctx.Req.Context(), cmd); err != nil {
 diff --git a/pkg/setting/setting.go b/pkg/setting/setting.go
 index 20e8f78a2f..03aa5c17d8 100644
 --- a/pkg/setting/setting.go
 +++ b/pkg/setting/setting.go
@@ -312,7 +312,8 @@
 	AuthProxySyncTTL          int
 	// OAuth
 -	OAuthCookieMaxAge int
 +	OAuthCookieMaxAge             int
 +	OAuthAllowInsecureEmailLookup bool
 	// JWT Auth
 	JWTAuthEnabled       bool
@@ -1256,6 +1256,8 @@
 		return err
 	}
 +	cfg.OAuthAllowInsecureEmailLookup = auth.Key("oauth_allow_insecure_email_lookup").MustBool(false)
 +
 	const defaultMaxLifetime = "30d"
 	maxLifetimeDurationVal := valueAsString(auth, "login_maximum_lifetime_duration", defaultMaxLifetime)
 	cfg.LoginMaxLifetime, err = gtime.ParseDuration(maxLifetimeDurationVal)
--- a/SOURCES/0012-fix-alert-test.patch
+++ b/SOURCES/0012-fix-alert-test.patch
@ -0,0 +1,19 @@
 From 3236aa416f6d1b109bff1fdd4127292988fb199c Mon Sep 17 00:00:00 2001
 From: Stan Cox <scox@redhat.com>
 Date: Wed, 22 Jun 2022 17:05:48 +0200
 Subject: [PATCH] fix alert test
 diff --git a/pkg/tests/api/alerting/api_alertmanager_test.go b/pkg/tests/api/alerting/api_alertmanager_test.go
 index 2d6e1235b6..f0eff6d2ac 100644
 --- a/pkg/tests/api/alerting/api_alertmanager_test.go	2023-01-24 14:44:19.000000000 -0500
 +++ b/pkg/tests/api/alerting/api_alertmanager_test.go	2023-04-13 16:20:51.718515009 -0400
@@ -210,7 +210,7 @@
 		{
 			"comment": "string",
 			"createdBy": "string",
 -			"endsAt": "2023-03-31T14:17:04.419Z",
 +			"endsAt": "2032-03-31T14:17:04.419Z",
 			"matchers": [
 			  {
 				"isRegex": true,
--- a/SPECS/grafana.spec
+++ b/SPECS/grafana.spec
@ -23,7 +23,7 @@ end}
 Name:             grafana
 Version:          9.0.9
-Release:          2%{?dist}
+Release:          3%{?dist}
 Summary:          Metrics dashboard and graph editor
 License:          AGPLv3
 URL:              https://grafana.org
@ -71,6 +71,8 @@ Patch7:           0007-skip-marketplace-plugin-install-test.patch
 Patch8:           0008-Prometheus-Fix-integer-overflow-in-rate-interval-cal.patch
 Patch9:           0009-Prometheus-Fix-integer-overflow-in-rate-interval-cal.patch
 Patch10:	  0010-v9.0.x-Login-email-before-username-57406.patch
 Patch11:	  0011-remove-email-lookup.patch
 Patch12:	  0012-fix-alert-test.patch
 # Patches affecting the vendor tarball
 Patch1001:        1001-vendor-patch-removed-backend-crypto.patch
@ -696,25 +698,27 @@ rm -r plugins-bundled
 %setup -q -T -D -b 2
 %endif
-%patch1 -p1
+%patch -P 1 -p1
-%patch2 -p1
+%patch -P 2 -p1
-%patch3 -p1
+%patch -P 3 -p1
-%patch4 -p1
+%patch -P 4 -p1
-%patch5 -p1
+%patch -P 5 -p1
 %if 0%{?fedora} || 0%{?rhel} > 8
-%patch6 -p1
+%patch -P 6 -p1
 %endif
-%patch7 -p1
+%patch -P 7 -p1
-%patch8 -p1
+%patch -P 8 -p1
-%patch9 -p1
+%patch -P 9 -p1
-%patch10 -p1
+%patch -P 10 -p1
-
+%patch -P 11 -p1
-%patch1001 -p1
+%patch -P 12 -p1
 %patch -P 1001 -p1
 %if %{enable_fips_mode}
-%patch1002 -p1
+%patch -P 1002 -p1
 %endif
 %ifarch s390x i686 armv7hl
-%patch1003 -p1
+%patch -P 1003 -p1
 %endif
@ -899,6 +903,9 @@ OPENSSL_FORCE_FIPS_MODE=1 GOLANG_FIPS=1 go test -v ./pkg/util -run TestEncryptio
 %changelog
 * Wed Jun 28 2023 Stan Cox <scox@redhat.com> 9.0.9-3
 - resolve CVE-2023-3128 grafana: Remove Email Lookup from oauth integrations
 * Tue Nov 01 2022 Stan Cox <scox@redhat.com> 9.0.9-2
 - resolve CVE-2022-39229 grafana: Using email as a username can prevent other users from signing in
 - resolve CVE-2022-2880 CVE-2022-41715 grafana: various flaws