Merge branch 'master' into dependabot/go_modules/golang.org/x/term-0.…

…10.0
target · Jul 12, 2023 · 97eee70 · 97eee70
2 parents 91cee75 + 10269ba
commit 97eee70
Show file tree

Hide file tree

Showing 27 changed files with 1,572 additions and 592 deletions.
diff --git a/alert/feedback.go b/alert/feedback.go
@@ -0,0 +1,7 @@
+package alert
+
+// Feedback represents user provided information about a given alert
+type Feedback struct {
+	AlertID     int
+	NoiseReason string
+}
diff --git a/alert/queries.sql b/alert/queries.sql
@@ -1,23 +1,50 @@
 -- name: LockOneAlertService :one
-SELECT maintenance_expires_at notnull::bool AS is_maint_mode,
+SELECT
+    maintenance_expires_at NOTNULL::bool AS is_maint_mode,
     alerts.status
-FROM services svc
+FROM
+    services svc
     JOIN alerts ON alerts.service_id = svc.id
-WHERE alerts.id = $1 FOR
-UPDATE;
+WHERE
+    alerts.id = $1
+FOR UPDATE;
 
 -- name: RequestAlertEscalationByTime :one
-UPDATE escalation_policy_state
-SET force_escalation = TRUE
-WHERE alert_id = $1
-    AND (
-        last_escalation <= $2::timestamptz
-        OR last_escalation IS NULL
-    ) RETURNING TRUE;
+UPDATE
+    escalation_policy_state
+SET
+    force_escalation = TRUE
+WHERE
+    alert_id = $1
+    AND (last_escalation <= $2::timestamptz
+        OR last_escalation IS NULL)
+RETURNING
+    TRUE;
 
 -- name: AlertHasEPState :one
-SELECT EXISTS (
-        SELECT 1
-        FROM escalation_policy_state
-        WHERE alert_id = $1
-    ) AS has_ep_state;
+SELECT
+    EXISTS (
+        SELECT
+            1
+        FROM
+            escalation_policy_state
+        WHERE
+            alert_id = $1) AS has_ep_state;
+
+-- name: AlertFeedback :one
+SELECT
+    alert_id,
+    noise_reason
+FROM
+    alert_feedback
+WHERE
+    alert_id = $1;
+
+-- name: SetAlertFeedback :exec
+INSERT INTO alert_feedback(alert_id, noise_reason)
+    VALUES ($1, $2)
+ON CONFLICT (alert_id)
+    DO UPDATE SET
+        noise_reason = $2
+    WHERE
+        alert_feedback.alert_id = $1;
diff --git a/alert/store.go b/alert/store.go
@@ -791,3 +791,47 @@ func (s *Store) State(ctx context.Context, alertIDs []int) ([]State, error) {
 
 	return list, nil
 }
+
+func (s *Store) Feedback(ctx context.Context, alertID int) (*Feedback, error) {
+	err := permission.LimitCheckAny(ctx, permission.System, permission.User)
+	if err != nil {
+		return nil, err
+	}
+
+	row, err := gadb.New(s.db).AlertFeedback(ctx, int64(alertID))
+	if errors.Is(err, sql.ErrNoRows) {
+		return &Feedback{
+			AlertID: alertID,
+		}, nil
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	return &Feedback{
+		AlertID:     int(row.AlertID),
+		NoiseReason: row.NoiseReason,
+	}, err
+}
+
+func (s Store) UpdateFeedback(ctx context.Context, feedback *Feedback) error {
+	err := permission.LimitCheckAny(ctx, permission.System, permission.User)
+	if err != nil {
+		return err
+	}
+
+	err = validate.Text("NoiseReason", feedback.NoiseReason, 1, 255)
+	if err != nil {
+		return err
+	}
+
+	err = gadb.New(s.db).SetAlertFeedback(ctx, gadb.SetAlertFeedbackParams{
+		AlertID:     int64(feedback.AlertID),
+		NoiseReason: feedback.NoiseReason,
+	})
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
diff --git a/auth/cookies.go b/auth/cookies.go
@@ -10,12 +10,12 @@ import (
 )
 
 // SetCookie will set a cookie value for all API prefixes, respecting the current config parameters.
-func SetCookie(w http.ResponseWriter, req *http.Request, name, value string) {
-	SetCookieAge(w, req, name, value, 0)
+func SetCookie(w http.ResponseWriter, req *http.Request, name, value string, isSession bool) {
+	SetCookieAge(w, req, name, value, 0, isSession)
 }
 
 // SetCookieAge behaves like SetCookie but also sets the MaxAge.
-func SetCookieAge(w http.ResponseWriter, req *http.Request, name, value string, age time.Duration) {
+func SetCookieAge(w http.ResponseWriter, req *http.Request, name, value string, age time.Duration, isSession bool) {
 	cfg := config.FromContext(req.Context())
 	u, err := url.Parse(cfg.PublicURL())
 	if err != nil {
@@ -29,6 +29,13 @@ func SetCookieAge(w http.ResponseWriter, req *http.Request, name, value string,
 		secure = u.Scheme == "https"
 	}
 
+	// Use Lax mode for non-session cookies, this allows the cookie to be sent when
+	// navigating to the login page from a different domain (e.g., OAuth redirect).
+	sameSite := http.SameSiteLaxMode
+	if isSession {
+		sameSite = http.SameSiteStrictMode
+	}
+
 	http.SetCookie(w, &http.Cookie{
 		HttpOnly: true,
 		Secure:   secure,
@@ -38,11 +45,11 @@ func SetCookieAge(w http.ResponseWriter, req *http.Request, name, value string,
 		Value:  value,
 		MaxAge: int(age.Seconds()),
 
-		SameSite: http.SameSiteStrictMode,
+		SameSite: sameSite,
 	})
 }
 
 // ClearCookie will clear and expire the cookie with the given name, for all API prefixes.
-func ClearCookie(w http.ResponseWriter, req *http.Request, name string) {
-	SetCookieAge(w, req, name, "", -time.Second)
+func ClearCookie(w http.ResponseWriter, req *http.Request, name string, isSession bool) {
+	SetCookieAge(w, req, name, "", -time.Second, isSession)
 }
diff --git a/auth/github/identityprovider.go b/auth/github/identityprovider.go
@@ -95,7 +95,7 @@ func (p *Provider) ExtractIdentity(route *auth.RouteInfo, w http.ResponseWriter,
 			return nil, auth.Error("Failed to generate state token.")
 		}
 
-		auth.SetCookie(w, req, stateCookieName, tok)
+		auth.SetCookie(w, req, stateCookieName, tok, false)
 		u := authConfig(ctx).AuthCodeURL(tok, oauth2.ApprovalForce)
 
 		return nil, auth.RedirectURL(u)
@@ -110,7 +110,7 @@ func (p *Provider) ExtractIdentity(route *auth.RouteInfo, w http.ResponseWriter,
 	if err != nil || stateCookie.Value != tokStr {
 		return nil, auth.Error("Invalid state token.")
 	}
-	auth.ClearCookie(w, req, stateCookieName)
+	auth.ClearCookie(w, req, stateCookieName, false)
 
 	valid, err := p.validateStateToken(req.Context(), tokStr)
 	if err != nil {

diff --git a/auth/handler.go b/auth/handler.go
@@ -212,7 +212,7 @@ func (h *Handler) FindAllUserSessions(ctx context.Context, userID string) ([]Use
 
 // ServeLogout will clear the current session cookie and end the session(s) (if any).
 func (h *Handler) ServeLogout(w http.ResponseWriter, req *http.Request) {
-	ClearCookie(w, req, CookieName)
+	ClearCookie(w, req, CookieName, true)
 	var sessionIDs []string
 	for _, c := range req.Cookies() {
 		switch c.Name {
@@ -539,7 +539,7 @@ func (h *Handler) CreateSession(ctx context.Context, userAgent, userID string) (
 }
 
 func (h *Handler) setSessionCookie(w http.ResponseWriter, req *http.Request, val string) {
-	SetCookieAge(w, req, CookieName, val, 30*24*time.Hour)
+	SetCookieAge(w, req, CookieName, val, 30*24*time.Hour, true)
 }
 
 func (h *Handler) authWithToken(w http.ResponseWriter, req *http.Request, next http.Handler) bool {
@@ -717,7 +717,7 @@ func (h *Handler) refererURL(w http.ResponseWriter, req *http.Request) (*url.URL
 }
 
 func (h *Handler) serveProviderPost(id string, p IdentityProvider, refU *url.URL, w http.ResponseWriter, req *http.Request) {
-	SetCookie(w, req, "login_redir", refU.String())
+	SetCookie(w, req, "login_redir", refU.String(), false)
 
 	h.handleProvider(id, p, refU, w, req)
 }

diff --git a/auth/oidc/identityprovider.go b/auth/oidc/identityprovider.go
@@ -194,7 +194,7 @@ func (p *Provider) ExtractIdentity(route *auth.RouteInfo, w http.ResponseWriter,
 			return nil, auth.Error("Failed to generate state token.")
 		}
 		nonceStr := b64enc.EncodeToString(nonce[:])
-		auth.SetCookie(w, req, nonceCookieName, nonceStr)
+		auth.SetCookie(w, req, nonceCookieName, nonceStr, false)
 
 		oaCfg, _, err := p.oaConfig(ctx)
 		if err != nil {
@@ -215,7 +215,7 @@ func (p *Provider) ExtractIdentity(route *auth.RouteInfo, w http.ResponseWriter,
 	if err != nil {
 		return nil, auth.Error("There was a problem recognizing this browser. You can try again")
 	}
-	auth.ClearCookie(w, req, nonceCookieName)
+	auth.ClearCookie(w, req, nonceCookieName, false)
 
 	nonce, err := b64enc.DecodeString(nonceC.Value)
 	if err != nil || len(nonce) != 16 {

diff --git a/gadb/models.go b/gadb/models.go
diff --git a/gadb/queries.sql.go b/gadb/queries.sql.go