signoz

mirror of https://github.com/SigNoz/signoz.git synced 2026-06-09 02:20:26 +01:00

Author	SHA1	Message	Date
Vikrant Gupta	39a6918a7c	Merge branch 'main' into platform-pod/issues/2266	2026-06-09 00:23:22 +05:30
vikrantgupta25	fcc1e96cde	refactor(resource): split resourcedef.go along its logical seams Break the ~320-line resourcedef.go into cohesive files within the handler package (pure relocation, no behavior or API change): - extractor.go — extraction: ExtractorContext, phases, extractors + constructors - resourcedef.go — declaration: ResourceDef/ResourcesDef/RelatedResource/ ResourceSpec + their functions (resolveRequest, ResolveRequest) and the selectors - resolved_resource.go — resolved types + their functions (resolve, newResolvedRelated, FinalizeResponseIDs, HasResponseIDs) - resolved_context.go — context plumbing (resolvedKey + accessors) Each file's imports narrow to its concern; mux/gjson are now confined to extractor.go.	2026-06-09 00:13:40 +05:30
Nikhil Soni	c688170a13	feat(trace-detail): add flamegraph v3 with optimized memory consumption (part 1) (#11462 ) * feat: add types for flamegraph v3 in module structure * chore: remove limit from request payload It's a new api so doesn't need to be backward compatible * feat: add config for flamegraph * feat: add method to enrich selected spans * feat: add api and module for flamegraph v3 * feat: query full spans for smaller traces * chore: move exported methods to the top * chore: ignore nil assigment lint error * chore: extract out flamegraph building logic for easier review * chore: update openapi specs * chore: move flamegraph after aggregation to reduce diff * chore: remove un related changes to keep diff minimum * chore: avoid passing request type to module * feat: return selected fields only in flamegraph And reduce the no. of fields scanned from db * chore: make array fields required and non nullable * chore: update openapi specs * chore: mark all fields in response as required * refactor: switch to using group by instead of distinct on Since group by is faster is enough no. of threads are used * chore: remove service name root level field from flamegraph span * chore: update openapi specs * fix: update alias in order by of the query * chore: remove unnecessary nil check * fix: set empty array for missing data * chore: use single line for error creation * chore: mark response fields as required * chore: update openapi specs * chore: add test to verify the flamegraph query sql * chore: update openapi specs * chore: use orderbyasc instead of order by	2026-06-08 17:29:30 +00:00
Vikrant Gupta	7844fc1fe1	fix(authn): include base path in SSO callback and error-redirect URLs (#11588 ) Some checks failed build-staging / prepare (push) Has been cancelled Details build-staging / js-build (push) Has been cancelled Details build-staging / go-build (push) Has been cancelled Details build-staging / staging (push) Has been cancelled Details Release Drafter / update_release_draft (push) Has been cancelled Details * fix(authn): include base path in SSO callback and error-redirect URLs The SAML ACS URL and the OIDC/Google redirect URLs were built from the site URL host plus a hardcoded path (e.g. /api/v1/complete/saml), dropping the base path. When SigNoz is served under a sub-path (global.external_url with a path, e.g. https://example.com/signoz), the API is served at <prefix>/api/v1/complete/<provider>, so the identity provider was told to call back to a path without the prefix and hit a 404. Thread global.Config into the SAML/OIDC/Google callback providers and the session handler, and prepend global.Config.ExternalPath() to the callback paths and the SSO error redirect to /login. Root deployments are unchanged since ExternalPath() returns "" without a configured sub-path. * fix(authn): run callbackauthn suite with base path * refactor(tests): self-contained base-path fixture for callbackauthn Move the base-path setup out of the shared create_signoz factory and into a package-scoped signoz fixture in the callbackauthn suite's own conftest (same pattern as rootuser/conftest.py). When --base-path is set the fixture appends SIGNOZ_GLOBAL_EXTERNAL__URL and the url-config prefix locally; without it it behaves exactly like the global fixture. The shared factory and docker config are left untouched. * test(authn): add base-path SSO integration suite Adds a dedicated `basepath` integration suite that serves SigNoz under a hardcoded /signoz prefix (SIGNOZ_GLOBAL_EXTERNAL__URL) and exercises the SAML and OIDC happy-path logins end-to-end. Every SigNoz API call is issued under the prefix and the IdP callback (ACS / redirect URI) is registered with the prefix, so the flow only passes when the backend builds prefixed callback URLs. The shared TestContainerUrlConfig and create_signoz factory are left untouched. The suite's conftest shadows the same-named auth fixtures (create_user_admin, get_token, get_session_context, apply_license) with base-path-aware variants and reuses the Keycloak/browser fixtures, which are not under the base path. Google SSO is not covered: it requires the real accounts.google.com issuer and a real Google login, so it cannot run against the local Keycloak IdP; it shares the identical path.Join(ExternalPath, redirectPath) callback logic that SAML and OIDC validate. * revert: drop in-place base-path wiring from integration harness Removes the --base-path flag, TestContainerUrlConfig.base_path, the idp.py and 02_saml.py .get() changes, and the callbackauthn base-path conftest fixture. Base-path SSO is now covered by the dedicated `basepath` suite, so the shared harness (TestContainerUrlConfig, create_signoz, callbackauthn) is back to its original root-only form. * refactor(test): remove apply_license fixture * refactor(test): extract base-path-aware auth factories Extract the session-context / token / token-pair / admin-registration logic in fixtures/auth.py into reusable factory functions that take an optional base_path (token_getter, session_context_getter, tokens_getter, register_admin), with the fixtures delegating to them. Default base_path="" is byte-identical for existing callers. The basepath suite's conftest now reuses these factories with the /signoz prefix as thin one-line fixture overrides instead of duplicating the request logic. * refactor(test): give base-path admin registration a distinct cache key register_admin takes an optional cache_key (default "create_user_admin"); the basepath suite passes a distinct key so that under --reuse the admin marker cached against the signoz-base-path container is not restored for (or from) other suites' default signoz instance.	2026-06-08 14:15:04 +00:00
Vinicius Lourenço	e02da843f2	fix(infra-monitoring-charts): fixes for hosts/deployments/jobs/namespaces (#11599 ) * fix(infra-monitoring-jobs): title of the chart misleading Ref: https://github.com/SigNoz/engineering-pod/issues/5211#issuecomment-4619888389 * fix(infra-monitoring-namespaces): wrong limit & using wrong filter for statefulsets Ref: https://github.com/SigNoz/engineering-pod/issues/5211#issuecomment-4619023361 * feat(infra-monitoring-hosts): add new chart based on operations time Ref: https://github.com/SigNoz/engineering-pod/issues/5211#issue-4578950064 * feat(infra-monitoring-hosts): add group by on chart for system disk io Ref: https://github.com/SigNoz/engineering-pod/issues/5211#issuecomment-4611797867 * fix(infra-monitoring-hosts): chart for disk operations using the wrong metric Ref: https://github.com/SigNoz/engineering-pod/issues/5211#issue-4578950064 * fix(infra-monitoring-deployments): little typo in the chart name * fix(volumes): ensure the name/type are standard based on the metric type	2026-06-08 11:45:27 +00:00
vikrantgupta25	95ca75a6e9	refactor(resource): unify id resolution into a single phase-driven mechanism Replace the two-shaped id mechanism (a resolved string plus a stashed responseID extractor, decided by resolveID's magic tuple and a zero-value sentinel) with one retained extractor whose phase decides when it runs. - ResolvedResource/ResolvedRelated keep idExtractor (renamed from responseID); it is run in its declared phase, never re-run. - ResourceIDExtractor gains isPhase + runFor; ResolvedResource gains resolve, called once per phase (request by the resource middleware, response by audit). - resolveID and resolveRelated(ec) are gone; FinalizeResponseIDs collapses to a single resolve(phaseResponse) call. Request and response resolution are now symmetric.	2026-06-08 16:38:54 +05:30
vikrantgupta25	6de98502e2	refactor(resource): co-locate resolved context in handler; slice-of-pointers accessor Move the resolved-resource context plumbing (resolvedKey, accessors) out of the resource middleware and into pkg/http/handler next to ResolvedResource, so type and accessor live in one package (matching the authtypes/ctxtypes convention) and consumers import a single package. - Store []ResolvedResource instead of []ResolvedResource; in-place response-id finalization still works via the element pointers. - ResolvedResourcesFromContext returns an error (errCodeResolvedResourcesNotFound) instead of a bool; authz surfaces it, audit treats absence as a no-op. - Drop the now-dead authz Check/CheckAll/AuthZCheckGroup helpers superseded by CheckResources.	2026-06-08 16:09:00 +05:30
Vikrant Gupta	0dd693e5e1	Merge branch 'main' into platform-pod/issues/2266	2026-06-08 12:47:07 +05:30
vikrantgupta25	1c4c378bb6	feat(audit): mirror attach/detach audit on both ends for role↔service account Role def on SetRole/DeleteRole now carries Related=ServiceAccount so each permission-checked end emits its own event (serviceaccount.attached to role and role.attached to serviceaccount), matching the both-ends authz model.	2026-06-08 12:46:45 +05:30
vikrantgupta25	0f66fd66ed	feat(audit): emit audit events only for mutating verbs - Add coretypes.Verb.IsMutation() (create/update/delete/attach/detach) - Audit skips read/list defs (they remain for authz); failed and denied mutations still emit with Outcome=failure	2026-06-08 12:35:34 +05:30
vikrantgupta25	abc397510e	refactor(resource): set audit category on resource defs; drop MustNew/validate - Set Category (access_control) on every service account and role ResourceDef so audit events carry signoz.audit.action_category - Remove MustNewResourceDef/MustNewResourcesDef and validate(); registration via plain ResourceDef literals again. Validation to be revisited separately	2026-06-08 12:24:22 +05:30
vikrantgupta25	bb15148466	feat(resource): audit cleanup	2026-06-08 11:48:41 +05:30
vikrantgupta25	49e9657cae	feat(resource): add related resources	2026-06-08 00:17:06 +05:30
vikrantgupta25	d296ce0f3f	feat(resource): initial commit	2026-06-06 17:28:50 +05:30

59 changed files with 2578 additions and 760 deletions

									
										3

.github/workflows/integrationci.yaml
									
										vendored
									
												View File
												
				@@ -39,6 +39,7 @@ jobs:

				      matrix:

				        suite:

				          - alerts

				          - basepath

				          - callbackauthn

				          - cloudintegrations

				          - dashboard

				@@ -83,7 +84,7 @@ jobs:

				        run: |

				          cd tests && uv sync

				      - name: webdriver

				        if: matrix.suite == 'callbackauthn'

				        if: matrix.suite == 'callbackauthn' || matrix.suite == 'basepath'

				        run: |

				          wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -

				          echo "deb http://dl.google.com/linux/chrome/deb/ stable main" | sudo tee -a /etc/apt/sources.list.d/google-chrome.list

									
										2

cmd/community/server.go
									
												View File
												
				@@ -91,7 +91,7 @@ func runServer(ctx context.Context, config signoz.Config, logger *slog.Logger) e

						sqlstoreProviderFactories(),

						signoz.NewTelemetryStoreProviderFactories(),

						func(ctx context.Context, providerSettings factory.ProviderSettings, store authtypes.AuthNStore, licensing licensing.Licensing) (map[authtypes.AuthNProvider]authn.AuthN, error) {

							return signoz.NewAuthNs(ctx, providerSettings, store, licensing)

							return signoz.NewAuthNs(ctx, providerSettings, store, licensing, config.Global)

						},

						func(ctx context.Context, sqlstore sqlstore.SQLStore, config authz.Config, _ licensing.Licensing, _ []authz.OnBeforeRoleDelete) (factory.ProviderFactory[authz.AuthZ, authz.Config], error) {

							openfgaDataStore, err := openfgaserver.NewSQLStore(sqlstore, config)

									
										6

cmd/enterprise/server.go
									
												View File
												
				@@ -107,17 +107,17 @@ func runServer(ctx context.Context, config signoz.Config, logger *slog.Logger) e

						sqlstoreProviderFactories(),

						signoz.NewTelemetryStoreProviderFactories(),

						func(ctx context.Context, providerSettings factory.ProviderSettings, store authtypes.AuthNStore, licensing licensing.Licensing) (map[authtypes.AuthNProvider]authn.AuthN, error) {

							samlCallbackAuthN, err := samlcallbackauthn.New(ctx, store, licensing)

							samlCallbackAuthN, err := samlcallbackauthn.New(ctx, store, licensing, config.Global)

							if err != nil {

								return nil, err

							}

							oidcCallbackAuthN, err := oidccallbackauthn.New(store, licensing, providerSettings)

							oidcCallbackAuthN, err := oidccallbackauthn.New(store, licensing, providerSettings, config.Global)

							if err != nil {

								return nil, err

							}

							authNs, err := signoz.NewAuthNs(ctx, providerSettings, store, licensing)

							authNs, err := signoz.NewAuthNs(ctx, providerSettings, store, licensing, config.Global)

							if err != nil {

								return nil, err

							}

									
										11

conf/example.yaml
									
												View File
												
				@@ -440,6 +440,17 @@ traces:

				    max_depth_to_auto_expand: 5

				    # Threshold below which all spans are returned without windowing.

				    max_limit_to_select_all_spans: 10000

				  flamegraph:

				    # Maximum number of BFS depth levels included in a windowed response.

				    max_selected_levels: 50

				    # Maximum spans per level before sampling is applied.

				    max_spans_per_level: 100

				    # Number of highest-latency spans always included when sampling a level.

				    sampling_top_latency_count: 5

				    # Number of timestamp buckets used for uniform sampling within a level.

				    sampling_bucket_count: 50

				    # Threshold below which all spans are returned without windowing or sampling.

				    select_all_spans_limit: 100000

				##################### Authz #################################

				authz:

									
										142

docs/api/openapi.yml
									
												View File
												
				@@ -6638,6 +6638,70 @@ components:

				      - attribute

				      - resource

				      type: string

				    SpantypesFlamegraphSpan:

				      properties:

				        attributes:

				          additionalProperties: {}

				          type: object

				        durationNano:

				          minimum: 0

				          type: integer

				        event:

				          items:

				            $ref: '#/components/schemas/SpantypesEvent'

				          type: array

				        hasError:

				          type: boolean

				        level:

				          format: int64

				          type: integer

				        name:

				          type: string

				        parentSpanId:

				          type: string

				        resource:

				          additionalProperties:

				            type: string

				          type: object

				        spanId:

				          type: string

				        timestamp:

				          minimum: 0

				          type: integer

				      required:

				      - spanId

				      - parentSpanId

				      - timestamp

				      - durationNano

				      - hasError

				      - name

				      - level

				      - event

				      - attributes

				      - resource

				      type: object

				    SpantypesGettableFlamegraphTrace:

				      properties:

				        endTimestampMillis:

				          format: int64

				          type: integer

				        hasMore:

				          type: boolean

				        spans:

				          items:

				            items:

				              $ref: '#/components/schemas/SpantypesFlamegraphSpan'

				            type: array

				          type: array

				        startTimestampMillis:

				          format: int64

				          type: integer

				      required:

				      - spans

				      - startTimestampMillis

				      - endTimestampMillis

				      - hasMore

				      type: object

				    SpantypesGettableSpanMapperGroups:

				      properties:

				        items:

				@@ -6703,6 +6767,15 @@ components:

				        traceId:

				          type: string

				      type: object

				    SpantypesPostableFlamegraph:

				      properties:

				        selectFields:

				          items:

				            $ref: '#/components/schemas/TelemetrytypesTelemetryFieldKey'

				          type: array

				        selectedSpanId:

				          type: string

				      type: object

				    SpantypesPostableSpanMapper:

				      properties:

				        config:

				@@ -20535,6 +20608,75 @@ paths:

				      summary: Put profile in Zeus for a deployment.

				      tags:

				      - zeus

				  /api/v3/traces/{traceID}/flamegraph:

				    post:

				      deprecated: false

				      description: Returns the flamegraph view of spans for a given trace ID.

				      operationId: GetFlamegraph

				      parameters:

				      - in: path

				        name: traceID

				        required: true

				        schema:

				          type: string

				      requestBody:

				        content:

				          application/json:

				            schema:

				              $ref: '#/components/schemas/SpantypesPostableFlamegraph'

				      responses:

				        "200":

				          content:

				            application/json:

				              schema:

				                properties:

				                  data:

				                    $ref: '#/components/schemas/SpantypesGettableFlamegraphTrace'

				                  status:

				                    type: string

				                required:

				                - status

				                - data

				                type: object

				          description: OK

				        "400":

				          content:

				            application/json:

				              schema:

				                $ref: '#/components/schemas/RenderErrorResponse'

				          description: Bad Request

				        "401":

				          content:

				            application/json:

				              schema:

				                $ref: '#/components/schemas/RenderErrorResponse'

				          description: Unauthorized

				        "403":

				          content:

				            application/json:

				              schema:

				                $ref: '#/components/schemas/RenderErrorResponse'

				          description: Forbidden

				        "404":

				          content:

				            application/json:

				              schema:

				                $ref: '#/components/schemas/RenderErrorResponse'

				          description: Not Found

				        "500":

				          content:

				            application/json:

				              schema:

				                $ref: '#/components/schemas/RenderErrorResponse'

				          description: Internal Server Error

				      security:

				      - api_key:

				        - VIEWER

				      - tokenizer:

				        - VIEWER

				      summary: Get flamegraph view for a trace

				      tags:

				      - tracedetail

				  /api/v3/traces/{traceID}/waterfall:

				    post:

				      deprecated: false

									
										24

ee/authn/callbackauthn/oidccallbackauthn/authn.go
									
												View File
												
				@@ -5,10 +5,12 @@ import (

					"fmt"

					"log/slog"

					"net/url"

					"path"

					"github.com/SigNoz/signoz/pkg/authn"

					"github.com/SigNoz/signoz/pkg/errors"

					"github.com/SigNoz/signoz/pkg/factory"

					"github.com/SigNoz/signoz/pkg/global"

					"github.com/SigNoz/signoz/pkg/http/client"

					"github.com/SigNoz/signoz/pkg/licensing"

					"github.com/SigNoz/signoz/pkg/types/authtypes"

				@@ -26,13 +28,14 @@ var defaultScopes []string = []string{"email", "profile", oidc.ScopeOpenID}

				var _ authn.CallbackAuthN = (*AuthN)(nil)

				type AuthN struct {

					settings   factory.ScopedProviderSettings

					store      authtypes.AuthNStore

					licensing  licensing.Licensing

					httpClient *client.Client

					settings     factory.ScopedProviderSettings

					store        authtypes.AuthNStore

					licensing    licensing.Licensing

					httpClient   *client.Client

					globalConfig global.Config

				}

				func New(store authtypes.AuthNStore, licensing licensing.Licensing, providerSettings factory.ProviderSettings) (*AuthN, error) {

				func New(store authtypes.AuthNStore, licensing licensing.Licensing, providerSettings factory.ProviderSettings, globalConfig global.Config) (*AuthN, error) {

					settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/ee/authn/callbackauthn/oidccallbackauthn")

					httpClient, err := client.New(providerSettings.Logger, providerSettings.TracerProvider, providerSettings.MeterProvider)

				@@ -41,10 +44,11 @@ func New(store authtypes.AuthNStore, licensing licensing.Licensing, providerSett

					}

					return &AuthN{

						settings:   settings,

						store:      store,

						licensing:  licensing,

						httpClient: httpClient,

						settings:     settings,

						store:        store,

						licensing:    licensing,

						httpClient:   httpClient,

						globalConfig: globalConfig,

					}, nil

				}

				@@ -197,7 +201,7 @@ func (a *AuthN) oidcProviderAndoauth2Config(ctx context.Context, siteURL *url.UR

						RedirectURL: (&url.URL{

							Scheme: siteURL.Scheme,

							Host:   siteURL.Host,

							Path:   redirectPath,

							Path:   path.Join(a.globalConfig.ExternalPath(), redirectPath),

						}).String(),

					}, nil

				}

									
										16

ee/authn/callbackauthn/samlcallbackauthn/authn.go
									
												View File
												
				@@ -6,10 +6,12 @@ import (

					"encoding/base64"

					"encoding/pem"

					"net/url"

					"path"

					"strings"

					"github.com/SigNoz/signoz/pkg/authn"

					"github.com/SigNoz/signoz/pkg/errors"

					"github.com/SigNoz/signoz/pkg/global"

					"github.com/SigNoz/signoz/pkg/licensing"

					"github.com/SigNoz/signoz/pkg/types/authtypes"

					"github.com/SigNoz/signoz/pkg/valuer"

				@@ -24,14 +26,16 @@ const (

				var _ authn.CallbackAuthN = (*AuthN)(nil)

				type AuthN struct {

					store     authtypes.AuthNStore

					licensing licensing.Licensing

					store        authtypes.AuthNStore

					licensing    licensing.Licensing

					globalConfig global.Config

				}

				func New(ctx context.Context, store authtypes.AuthNStore, licensing licensing.Licensing) (*AuthN, error) {

				func New(ctx context.Context, store authtypes.AuthNStore, licensing licensing.Licensing, globalConfig global.Config) (*AuthN, error) {

					return &AuthN{

						store:     store,

						licensing: licensing,

						store:        store,

						licensing:    licensing,

						globalConfig: globalConfig,

					}, nil

				}

				@@ -132,7 +136,7 @@ func (a *AuthN) serviceProvider(siteURL *url.URL, authDomain *authtypes.AuthDoma

						return nil, err

					}

					acsURL := &url.URL{Scheme: siteURL.Scheme, Host: siteURL.Host, Path: redirectPath}

					acsURL := &url.URL{Scheme: siteURL.Scheme, Host: siteURL.Host, Path: path.Join(a.globalConfig.ExternalPath(), redirectPath)}

					// Note:

					// The ServiceProviderIssuer is the client id in case of keycloak. Since we set it to the host here, we need to set the client id == host in keycloak.

									
										1

ee/query-service/app/server.go
									
												View File
												
				@@ -185,6 +185,7 @@ func (s *Server) createPublicServer(apiHandler *api.APIHandler, web web.Web) (*h

						s.config.APIServer.Timeout.Default,

						s.config.APIServer.Timeout.Max,

					).Wrap)

					r.Use(middleware.NewResource(s.signoz.Instrumentation.Logger()).Wrap)

					r.Use(middleware.NewAudit(s.signoz.Instrumentation.Logger(), s.config.APIServer.Logging.ExcludedRoutes, s.signoz.Auditor).Wrap)

					r.Use(middleware.NewComment().Wrap)

									
										93

frontend/src/api/generated/services/sigNoz.schemas.ts
									
												View File
												
				@@ -7769,6 +7769,77 @@ export enum SpantypesFieldContextDTO {

					attribute = 'attribute',

					resource = 'resource',

				}

				export type SpantypesFlamegraphSpanDTOAttributes = { [key: string]: unknown };

				export type SpantypesFlamegraphSpanDTOResource = { [key: string]: string };

				export interface SpantypesFlamegraphSpanDTO {

					/**

					 * @type object

					 */

					attributes: SpantypesFlamegraphSpanDTOAttributes;

					/**

					 * @type integer

					 * @minimum 0

					 */

					durationNano: number;

					/**

					 * @type array

					 */

					event: SpantypesEventDTO[];

					/**

					 * @type boolean

					 */

					hasError: boolean;

					/**

					 * @type integer

					 * @format int64

					 */

					level: number;

					/**

					 * @type string

					 */

					name: string;

					/**

					 * @type string

					 */

					parentSpanId: string;

					/**

					 * @type object

					 */

					resource: SpantypesFlamegraphSpanDTOResource;

					/**

					 * @type string

					 */

					spanId: string;

					/**

					 * @type integer

					 * @minimum 0

					 */

					timestamp: number;

				}

				export interface SpantypesGettableFlamegraphTraceDTO {

					/**

					 * @type integer

					 * @format int64

					 */

					endTimestampMillis: number;

					/**

					 * @type boolean

					 */

					hasMore: boolean;

					/**

					 * @type array

					 */

					spans: SpantypesFlamegraphSpanDTO[][];

					/**

					 * @type integer

					 * @format int64

					 */

					startTimestampMillis: number;

				}

				export type SpantypesSpanMapperGroupConditionDTOAnyOf = {

					/**

					 * @type array,null

				@@ -8070,6 +8141,17 @@ export interface SpantypesGettableWaterfallTraceDTO {

					uncollapsedSpans?: string[] | null;

				}

				export interface SpantypesPostableFlamegraphDTO {

					/**

					 * @type array

					 */

					selectFields?: TelemetrytypesTelemetryFieldKeyDTO[];

					/**

					 * @type string

					 */

					selectedSpanId?: string;

				}

				export enum SpantypesSpanMapperOperationDTO {

					move = 'move',

					copy = 'copy',

				@@ -10424,6 +10506,17 @@ export type GetHosts200 = {

					status: string;

				};

				export type GetFlamegraphPathParameters = {

					traceID: string;

				};

				export type GetFlamegraph200 = {

					data: SpantypesGettableFlamegraphTraceDTO;

					/**

					 * @type string

					 */

					status: string;

				};

				export type GetWaterfallPathParameters = {

					traceID: string;

				};

									
										102

frontend/src/api/generated/services/tracedetail/index.ts
									
												View File
												
				@@ -12,6 +12,8 @@ import type {

				} from 'react-query';

				import type {

					GetFlamegraph200,

					GetFlamegraphPathParameters,

					GetTraceAggregations200,

					GetTraceAggregationsPathParameters,

					GetWaterfall200,

				@@ -19,6 +21,7 @@ import type {

					GetWaterfallV4200,

					GetWaterfallV4PathParameters,

					RenderErrorResponseDTO,

					SpantypesPostableFlamegraphDTO,

					SpantypesPostableTraceAggregationsDTO,

					SpantypesPostableWaterfallDTO,

				} from '../sigNoz.schemas';

				@@ -126,6 +129,105 @@ export const useGetTraceAggregations = <

				> => {

					return useMutation(getGetTraceAggregationsMutationOptions(options));

				};

				/**

				 * Returns the flamegraph view of spans for a given trace ID.

				 * @summary Get flamegraph view for a trace

				 */

				export const getFlamegraph = (

					{ traceID }: GetFlamegraphPathParameters,

					spantypesPostableFlamegraphDTO?: BodyType<SpantypesPostableFlamegraphDTO>,

					signal?: AbortSignal,

				) => {

					return GeneratedAPIInstance<GetFlamegraph200>({

						url: `/api/v3/traces/${traceID}/flamegraph`,

						method: 'POST',

						headers: { 'Content-Type': 'application/json' },

						data: spantypesPostableFlamegraphDTO,

						signal,

					});

				};

				export const getGetFlamegraphMutationOptions = <

					TError = ErrorType<RenderErrorResponseDTO>,

					TContext = unknown,

				>(options?: {

					mutation?: UseMutationOptions<

						Awaited<ReturnType<typeof getFlamegraph>>,

						TError,

						{

							pathParams: GetFlamegraphPathParameters;

							data?: BodyType<SpantypesPostableFlamegraphDTO>;

						},

						TContext

					>;

				}): UseMutationOptions<

					Awaited<ReturnType<typeof getFlamegraph>>,

					TError,

					{

						pathParams: GetFlamegraphPathParameters;

						data?: BodyType<SpantypesPostableFlamegraphDTO>;

					},

					TContext

				> => {

					const mutationKey = ['getFlamegraph'];

					const { mutation: mutationOptions } = options

						? options.mutation &&

							'mutationKey' in options.mutation &&

							options.mutation.mutationKey

							? options

							: { ...options, mutation: { ...options.mutation, mutationKey } }

						: { mutation: { mutationKey } };

					const mutationFn: MutationFunction<

						Awaited<ReturnType<typeof getFlamegraph>>,

						{

							pathParams: GetFlamegraphPathParameters;

							data?: BodyType<SpantypesPostableFlamegraphDTO>;

						}

					> = (props) => {

						const { pathParams, data } = props ?? {};

						return getFlamegraph(pathParams, data);

					};

					return { mutationFn, ...mutationOptions };

				};

				export type GetFlamegraphMutationResult = NonNullable<

					Awaited<ReturnType<typeof getFlamegraph>>

				>;

				export type GetFlamegraphMutationBody =

					| BodyType<SpantypesPostableFlamegraphDTO>

					| undefined;

				export type GetFlamegraphMutationError = ErrorType<RenderErrorResponseDTO>;

				/**

				 * @summary Get flamegraph view for a trace

				 */

				export const useGetFlamegraph = <

					TError = ErrorType<RenderErrorResponseDTO>,

					TContext = unknown,

				>(options?: {

					mutation?: UseMutationOptions<

						Awaited<ReturnType<typeof getFlamegraph>>,

						TError,

						{

							pathParams: GetFlamegraphPathParameters;

							data?: BodyType<SpantypesPostableFlamegraphDTO>;

						},

						TContext

					>;

				}): UseMutationResult<

					Awaited<ReturnType<typeof getFlamegraph>>,

					TError,

					{

						pathParams: GetFlamegraphPathParameters;

						data?: BodyType<SpantypesPostableFlamegraphDTO>;

					},

					TContext

				> => {

					return useMutation(getGetFlamegraphMutationOptions(options));

				};

				/**

				 * Returns the waterfall view of spans for a given trace ID with tree structure, metadata, and windowed pagination

				 * @summary Get waterfall view for a trace

									
										2

frontend/src/container/InfraMonitoringK8s/Deployments/constants.ts
									
												View File
												
				@@ -72,7 +72,7 @@ export const deploymentWidgetInfo = [

						yAxisUnit: '',

					},

					{

						title: 'Memory usage, request, limits)',

						title: 'Memory usage, request, limits',

						yAxisUnit: 'bytes',

					},

					{

									
										2

frontend/src/container/InfraMonitoringK8s/Jobs/constants.ts
									
												View File
												
				@@ -69,7 +69,7 @@ export const jobWidgetInfo = [

						yAxisUnit: '',

					},

					{

						title: 'Memory usage, request, limits',

						title: 'Memory Usage',

						yAxisUnit: 'bytes',

					},

					{

									
										6

frontend/src/container/InfraMonitoringK8s/Namespaces/constants.ts
									
												View File
												
				@@ -703,7 +703,7 @@ export const getNamespaceMetricsQueryPayload = (

											],

											having: [],

											legend: `{{${k8sPodNameKey}}}`,

											limit: 20,

											limit: 10,

											orderBy: [],

											queryName: 'A',

											reduceTo: ReduceOperators.AVG,

				@@ -1014,8 +1014,8 @@ export const getNamespaceMetricsQueryPayload = (

														id: '5f2a55c5',

														key: {

															dataType: DataTypes.String,

															id: k8sStatefulsetNameKey,

															key: k8sStatefulsetNameKey,

															id: k8sNamespaceNameKey,

															key: k8sNamespaceNameKey,

															type: 'tag',

														},

														op: '=',

									
										12

frontend/src/container/InfraMonitoringK8s/Volumes/constants.ts
									
												View File
												
				@@ -317,9 +317,9 @@ export const getVolumeMetricsQueryPayload = (

										{

											aggregateAttribute: {

												dataType: DataTypes.Float64,

												id: 'k8s_volume_inodes_used--float64----true',

												id: 'k8s_volume_inodes_used--float64--Gauge--true',

												key: k8sVolumeInodesUsedKey,

												type: '',

												type: 'Gauge',

											},

											aggregateOperator: 'avg',

											dataSource: DataSource.METRICS,

				@@ -409,9 +409,9 @@ export const getVolumeMetricsQueryPayload = (

										{

											aggregateAttribute: {

												dataType: DataTypes.Float64,

												id: 'k8s_volume_inodes--float64----true',

												id: 'k8s_volume_inodes--float64--Gauge--true',

												key: k8sVolumeInodesKey,

												type: '',

												type: 'Gauge',

											},

											aggregateOperator: 'avg',

											dataSource: DataSource.METRICS,

				@@ -501,9 +501,9 @@ export const getVolumeMetricsQueryPayload = (

										{

											aggregateAttribute: {

												dataType: DataTypes.Float64,

												id: 'k8s_volume_inodes_free--float64----true',

												id: 'k8s_volume_inodes_free--float64--Gauge--true',

												key: k8sVolumeInodesFreeKey,

												type: '',

												type: 'Gauge',

											},

											aggregateOperator: 'avg',

											dataSource: DataSource.METRICS,

									
										114

frontend/src/container/LogDetailedView/InfraMetrics/constants.ts
									
												View File
												
				@@ -1619,6 +1619,9 @@ export const getHostQueryPayload = (

					const diskOpTimeKey = dotMetricsEnabled

						? 'system.disk.operation_time'

						: 'system_disk_operation_time';

					const diskOpsKey = dotMetricsEnabled

						? 'system.disk.operations'

						: 'system_disk_operations';

					const diskPendingKey = dotMetricsEnabled

						? 'system.disk.pending_operations'

						: 'system_disk_pending_operations';

				@@ -2375,9 +2378,24 @@ export const getHostQueryPayload = (

												op: 'AND',

											},

											functions: [],

											groupBy: [],

											groupBy: [

												{

													dataType: DataTypes.String,

													id: 'direction--string--tag--false',

													key: 'direction',

													type: 'tag',

												},

												{

													dataType: DataTypes.String,

													id: 'device--string--tag--false',

													key: 'device',

													type: 'tag',

												},

											],

											having: [],

											legend: 'system disk io',

											legend: '{{device}}::{{direction}}',

											limit: null,

											orderBy: [],

											queryName: 'A',

				@@ -2409,9 +2427,9 @@ export const getHostQueryPayload = (

										{

											aggregateAttribute: {

												dataType: DataTypes.Float64,

												id: 'system_disk_operation_time--float64--Sum--true',

												id: 'system_disk_operations--float64--Sum--true',

												key: diskOpTimeKey,

												key: diskOpsKey,

												type: 'Sum',

											},

											aggregateOperator: 'rate',

				@@ -2421,7 +2439,7 @@ export const getHostQueryPayload = (

											filters: {

												items: [

													{

														id: 'diskop_f1',

														id: 'diskops_f1',

														key: {

															dataType: DataTypes.String,

															id: 'host_name--string--tag--false',

				@@ -2454,7 +2472,7 @@ export const getHostQueryPayload = (

											],

											having: [

												{

													columnName: `SUM(${diskOpTimeKey})`,

													columnName: `SUM(${diskOpsKey})`,

													op: '>',

													value: 0,

												},

				@@ -2557,6 +2575,88 @@ export const getHostQueryPayload = (

							start,

							end,

						},

						{

							selectedTime: 'GLOBAL_TIME',

							graphType: PANEL_TYPES.TIME_SERIES,

							query: {

								builder: {

									queryData: [

										{

											aggregateAttribute: {

												dataType: DataTypes.Float64,

												id: 'system_disk_operation_time--float64--Sum--true',

												key: diskOpTimeKey,

												type: 'Sum',

											},

											aggregateOperator: 'rate',

											dataSource: DataSource.METRICS,

											disabled: false,

											expression: 'A',

											filters: {

												items: [

													{

														id: 'diskoptime_f1',

														key: {

															dataType: DataTypes.String,

															id: 'host_name--string--tag--false',

															key: hostNameKey,

															type: 'tag',

														},

														op: '=',

														value: hostName,

													},

												],

												op: 'AND',

											},

											functions: [],

											groupBy: [

												{

													dataType: DataTypes.String,

													id: 'device--string--tag--false',

													key: 'device',

													type: 'tag',

												},

												{

													dataType: DataTypes.String,

													id: 'direction--string--tag--false',

													key: 'direction',

													type: 'tag',

												},

											],

											having: [

												{

													columnName: `SUM(${diskOpTimeKey})`,

													op: '>',

													value: 0,

												},

											],

											legend: '{{device}}::{{direction}}',

											limit: null,

											orderBy: [],

											queryName: 'A',

											reduceTo: ReduceOperators.AVG,

											spaceAggregation: 'sum',

											stepInterval: 60,

											timeAggregation: 'rate',

										},

									],

									queryFormulas: [],

									queryTraceOperator: [],

								},

								clickhouse_sql: [{ disabled: false, legend: '', name: 'A', query: '' }],

								id: 'a8b3d2e1-4f5c-4a6b-9c8d-7e2f1a0b3c4f',

								promql: [{ disabled: false, legend: '', name: 'A', query: '' }],

								queryType: EQueryType.QUERY_BUILDER,

							},

							variables: {},

							formatForWeb: false,

							start,

							end,

						},

					];

				};

				@@ -2631,5 +2731,5 @@ export const hostWidgetInfo = [

					{ title: 'System disk io (bytes transferred)', yAxisUnit: 'bytes' },

					{ title: 'System disk operations/s', yAxisUnit: 'short' },

					{ title: 'Queue size', yAxisUnit: 'short' },

					{ title: 'Disk operations time', yAxisUnit: 's' },

					{ title: 'System disk operation time/s', yAxisUnit: 's' },

				];

									
										5

pkg/apiserver/signozapiserver/registry.go
									
												View File
												
				@@ -55,6 +55,11 @@ func (handler *healthOpenAPIHandler) AuditDef() *pkghandler.AuditDef {

					return nil

				}

				func (handler *healthOpenAPIHandler) ResourceDefs() []pkghandler.ResourceSpec {

					// Health endpoints don't act on resources.

					return nil

				}

				func (provider *provider) addRegistryRoutes(router *mux.Router) error {

					if err := router.Handle("/api/v2/healthz", newHealthOpenAPIHandler(

						provider.authzMiddleware.OpenAccess(provider.factoryHandler.Healthz),

									
										304

pkg/apiserver/signozapiserver/role.go
									
												View File
												
				@@ -5,168 +5,200 @@ import (

					"github.com/SigNoz/signoz/pkg/http/handler"

					"github.com/SigNoz/signoz/pkg/types"

					"github.com/SigNoz/signoz/pkg/types/audittypes"

					"github.com/SigNoz/signoz/pkg/types/authtypes"

					"github.com/SigNoz/signoz/pkg/types/coretypes"

					"github.com/SigNoz/signoz/pkg/valuer"

					"github.com/gorilla/mux"

				)

				func (provider *provider) addRoleRoutes(router *mux.Router) error {

					if err := router.Handle("/api/v1/roles", handler.New(provider.authzMiddleware.Check(provider.authzHandler.Create, authtypes.Relation{Verb: coretypes.VerbCreate}, coretypes.ResourceRole, roleCollectionSelectorCallback, []string{

						authtypes.SigNozAdminRoleName,

					}), handler.OpenAPIDef{

						ID:                  "CreateRole",

						Tags:                []string{"role"},

						Summary:             "Create role",

						Description:         "This endpoint creates a role",

						Request:             new(authtypes.PostableRole),

						RequestContentType:  "",

						Response:            new(types.Identifiable),

						ResponseContentType: "application/json",

						SuccessStatusCode:   http.StatusCreated,

						ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},

						Deprecated:          false,

						SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbCreate)}),

					})).Methods(http.MethodPost).GetError(); err != nil {

					if err := router.Handle("/api/v1/roles", handler.New(

						provider.authzMiddleware.CheckResources(provider.authzHandler.Create, authtypes.SigNozAdminRoleName),

						handler.OpenAPIDef{

							ID:                  "CreateRole",

							Tags:                []string{"role"},

							Summary:             "Create role",

							Description:         "This endpoint creates a role",

							Request:             new(authtypes.PostableRole),

							RequestContentType:  "",

							Response:            new(types.Identifiable),

							ResponseContentType: "application/json",

							SuccessStatusCode:   http.StatusCreated,

							ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},

							Deprecated:          false,

							SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbCreate)}),

						},

						handler.WithResourceDefs(handler.ResourceDef{

							Resource: coretypes.ResourceRole,

							Verb:     coretypes.VerbCreate,

							ID:       handler.ResponseJSONPath("data.id"),

							Selector: handler.WildcardSelector,

							Category: audittypes.ActionCategoryAccessControl,

						}),

					)).Methods(http.MethodPost).GetError(); err != nil {

						return err

					}

					if err := router.Handle("/api/v1/roles", handler.New(provider.authzMiddleware.Check(provider.authzHandler.List, authtypes.Relation{Verb: coretypes.VerbList}, coretypes.ResourceRole, roleCollectionSelectorCallback, []string{

						authtypes.SigNozAdminRoleName,

					}), handler.OpenAPIDef{

						ID:                  "ListRoles",

						Tags:                []string{"role"},

						Summary:             "List roles",

						Description:         "This endpoint lists all roles",

						Request:             nil,

						RequestContentType:  "",

						Response:            make([]*authtypes.Role, 0),

						ResponseContentType: "application/json",

						SuccessStatusCode:   http.StatusOK,

						ErrorStatusCodes:    []int{},

						Deprecated:          false,

						SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbList)}),

					})).Methods(http.MethodGet).GetError(); err != nil {

					if err := router.Handle("/api/v1/roles", handler.New(

						provider.authzMiddleware.CheckResources(provider.authzHandler.List, authtypes.SigNozAdminRoleName),

						handler.OpenAPIDef{

							ID:                  "ListRoles",

							Tags:                []string{"role"},

							Summary:             "List roles",

							Description:         "This endpoint lists all roles",

							Request:             nil,

							RequestContentType:  "",

							Response:            make([]*authtypes.Role, 0),

							ResponseContentType: "application/json",

							SuccessStatusCode:   http.StatusOK,

							ErrorStatusCodes:    []int{},

							Deprecated:          false,

							SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbList)}),

						},

						handler.WithResourceDefs(handler.ResourceDef{

							Resource: coretypes.ResourceRole,

							Verb:     coretypes.VerbList,

							Selector: handler.WildcardSelector,

							Category: audittypes.ActionCategoryAccessControl,

						}),

					)).Methods(http.MethodGet).GetError(); err != nil {

						return err

					}

					if err := router.Handle("/api/v1/roles/{id}", handler.New(provider.authzMiddleware.Check(provider.authzHandler.Get, authtypes.Relation{Verb: coretypes.VerbRead}, coretypes.ResourceRole, provider.roleInstanceSelectorCallback, []string{

						authtypes.SigNozAdminRoleName,

					}), handler.OpenAPIDef{

						ID:                  "GetRole",

						Tags:                []string{"role"},

						Summary:             "Get role",

						Description:         "This endpoint gets a role",

						Request:             nil,

						RequestContentType:  "",

						Response:            new(authtypes.Role),

						ResponseContentType: "application/json",

						SuccessStatusCode:   http.StatusOK,

						ErrorStatusCodes:    []int{},

						Deprecated:          false,

						SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbRead)}),

					})).Methods(http.MethodGet).GetError(); err != nil {

					if err := router.Handle("/api/v1/roles/{id}", handler.New(

						provider.authzMiddleware.CheckResources(provider.authzHandler.Get, authtypes.SigNozAdminRoleName),

						handler.OpenAPIDef{

							ID:                  "GetRole",

							Tags:                []string{"role"},

							Summary:             "Get role",

							Description:         "This endpoint gets a role",

							Request:             nil,

							RequestContentType:  "",

							Response:            new(authtypes.Role),

							ResponseContentType: "application/json",

							SuccessStatusCode:   http.StatusOK,

							ErrorStatusCodes:    []int{},

							Deprecated:          false,

							SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbRead)}),

						},

						handler.WithResourceDefs(handler.ResourceDef{

							Resource: coretypes.ResourceRole,

							Verb:     coretypes.VerbRead,

							ID:       handler.PathParam("id"),

							Selector: provider.roleSelector,

							Category: audittypes.ActionCategoryAccessControl,

						}),

					)).Methods(http.MethodGet).GetError(); err != nil {

						return err

					}

					if err := router.Handle("/api/v1/roles/{id}/relations/{relation}/objects", handler.New(provider.authzMiddleware.Check(provider.authzHandler.GetObjects, authtypes.Relation{Verb: coretypes.VerbRead}, coretypes.ResourceRole, provider.roleInstanceSelectorCallback, []string{

						authtypes.SigNozAdminRoleName,

					}), handler.OpenAPIDef{

						ID:                  "GetObjects",

						Tags:                []string{"role"},

						Summary:             "Get objects for a role by relation",

						Description:         "Gets all objects connected to the specified role via a given relation type",

						Request:             nil,

						RequestContentType:  "",

						Response:            make([]*coretypes.ObjectGroup, 0),

						ResponseContentType: "application/json",

						SuccessStatusCode:   http.StatusOK,

						ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},

						Deprecated:          false,

						SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbRead)}),

					})).Methods(http.MethodGet).GetError(); err != nil {

					if err := router.Handle("/api/v1/roles/{id}/relations/{relation}/objects", handler.New(

						provider.authzMiddleware.CheckResources(provider.authzHandler.GetObjects, authtypes.SigNozAdminRoleName),

						handler.OpenAPIDef{

							ID:                  "GetObjects",

							Tags:                []string{"role"},

							Summary:             "Get objects for a role by relation",

							Description:         "Gets all objects connected to the specified role via a given relation type",

							Request:             nil,

							RequestContentType:  "",

							Response:            make([]*coretypes.ObjectGroup, 0),

							ResponseContentType: "application/json",

							SuccessStatusCode:   http.StatusOK,

							ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},

							Deprecated:          false,

							SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbRead)}),

						},

						handler.WithResourceDefs(handler.ResourceDef{

							Resource: coretypes.ResourceRole,

							Verb:     coretypes.VerbRead,

							ID:       handler.PathParam("id"),

							Selector: provider.roleSelector,

							Category: audittypes.ActionCategoryAccessControl,

						}),

					)).Methods(http.MethodGet).GetError(); err != nil {

						return err

					}

					if err := router.Handle("/api/v1/roles/{id}", handler.New(provider.authzMiddleware.Check(provider.authzHandler.Patch, authtypes.Relation{Verb: coretypes.VerbUpdate}, coretypes.ResourceRole, provider.roleInstanceSelectorCallback, []string{

						authtypes.SigNozAdminRoleName,

					}), handler.OpenAPIDef{

						ID:                  "PatchRole",

						Tags:                []string{"role"},

						Summary:             "Patch role",

						Description:         "This endpoint patches a role",

						Request:             new(authtypes.PatchableRole),

						RequestContentType:  "",

						Response:            nil,

						ResponseContentType: "application/json",

						SuccessStatusCode:   http.StatusNoContent,

						ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},

						Deprecated:          false,

						SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbUpdate)}),

					})).Methods(http.MethodPatch).GetError(); err != nil {

					if err := router.Handle("/api/v1/roles/{id}", handler.New(

						provider.authzMiddleware.CheckResources(provider.authzHandler.Patch, authtypes.SigNozAdminRoleName),

						handler.OpenAPIDef{

							ID:                  "PatchRole",

							Tags:                []string{"role"},

							Summary:             "Patch role",

							Description:         "This endpoint patches a role",

							Request:             new(authtypes.PatchableRole),

							RequestContentType:  "",

							Response:            nil,

							ResponseContentType: "application/json",

							SuccessStatusCode:   http.StatusNoContent,

							ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},

							Deprecated:          false,

							SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbUpdate)}),

						},

						handler.WithResourceDefs(handler.ResourceDef{

							Resource: coretypes.ResourceRole,

							Verb:     coretypes.VerbUpdate,

							ID:       handler.PathParam("id"),

							Selector: provider.roleSelector,

							Category: audittypes.ActionCategoryAccessControl,

						}),

					)).Methods(http.MethodPatch).GetError(); err != nil {

						return err

					}

					if err := router.Handle("/api/v1/roles/{id}/relations/{relation}/objects", handler.New(provider.authzMiddleware.Check(provider.authzHandler.PatchObjects, authtypes.Relation{Verb: coretypes.VerbUpdate}, coretypes.ResourceRole, provider.roleInstanceSelectorCallback, []string{

						authtypes.SigNozAdminRoleName,

					}), handler.OpenAPIDef{

						ID:                  "PatchObjects",

						Tags:                []string{"role"},

						Summary:             "Patch objects for a role by relation",

						Description:         "Patches the objects connected to the specified role via a given relation type",

						Request:             new(coretypes.PatchableObjects),

						RequestContentType:  "",

						Response:            nil,

						ResponseContentType: "application/json",

						SuccessStatusCode:   http.StatusNoContent,

						ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusBadRequest, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},

						Deprecated:          false,

						SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbUpdate)}),

					})).Methods(http.MethodPatch).GetError(); err != nil {

					if err := router.Handle("/api/v1/roles/{id}/relations/{relation}/objects", handler.New(

						provider.authzMiddleware.CheckResources(provider.authzHandler.PatchObjects, authtypes.SigNozAdminRoleName),

						handler.OpenAPIDef{

							ID:                  "PatchObjects",

							Tags:                []string{"role"},

							Summary:             "Patch objects for a role by relation",

							Description:         "Patches the objects connected to the specified role via a given relation type",

							Request:             new(coretypes.PatchableObjects),

							RequestContentType:  "",

							Response:            nil,

							ResponseContentType: "application/json",

							SuccessStatusCode:   http.StatusNoContent,

							ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusBadRequest, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},

							Deprecated:          false,

							SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbUpdate)}),

						},

						handler.WithResourceDefs(handler.ResourceDef{

							Resource: coretypes.ResourceRole,

							Verb:     coretypes.VerbUpdate,

							ID:       handler.PathParam("id"),

							Selector: provider.roleSelector,

							Category: audittypes.ActionCategoryAccessControl,

						}),

					)).Methods(http.MethodPatch).GetError(); err != nil {

						return err

					}

					if err := router.Handle("/api/v1/roles/{id}", handler.New(provider.authzMiddleware.Check(provider.authzHandler.Delete, authtypes.Relation{Verb: coretypes.VerbDelete}, coretypes.ResourceRole, provider.roleInstanceSelectorCallback, []string{

						authtypes.SigNozAdminRoleName,

					}), handler.OpenAPIDef{

						ID:                  "DeleteRole",

						Tags:                []string{"role"},

						Summary:             "Delete role",

						Description:         "This endpoint deletes a role",

						Request:             nil,

						RequestContentType:  "",

						Response:            nil,

						ResponseContentType: "application/json",

						SuccessStatusCode:   http.StatusNoContent,

						ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},

						Deprecated:          false,

						SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbDelete)}),

					})).Methods(http.MethodDelete).GetError(); err != nil {

					if err := router.Handle("/api/v1/roles/{id}", handler.New(

						provider.authzMiddleware.CheckResources(provider.authzHandler.Delete, authtypes.SigNozAdminRoleName),

						handler.OpenAPIDef{

							ID:                  "DeleteRole",

							Tags:                []string{"role"},

							Summary:             "Delete role",

							Description:         "This endpoint deletes a role",

							Request:             nil,

							RequestContentType:  "",

							Response:            nil,

							ResponseContentType: "application/json",

							SuccessStatusCode:   http.StatusNoContent,

							ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusNotImplemented, http.StatusUnavailableForLegalReasons},

							Deprecated:          false,

							SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceRole.Scope(coretypes.VerbDelete)}),

						},

						handler.WithResourceDefs(handler.ResourceDef{

							Resource: coretypes.ResourceRole,

							Verb:     coretypes.VerbDelete,

							ID:       handler.PathParam("id"),

							Selector: provider.roleSelector,

							Category: audittypes.ActionCategoryAccessControl,

						}),

					)).Methods(http.MethodDelete).GetError(); err != nil {

						return err

					}

					return nil

				}

				func roleCollectionSelectorCallback(_ *http.Request, _ authtypes.Claims) ([]coretypes.Selector, error) {

					return []coretypes.Selector{

						coretypes.TypeRole.MustSelector(coretypes.WildCardSelectorString),

					}, nil

				}

				func (provider *provider) roleInstanceSelectorCallback(req *http.Request, claims authtypes.Claims) ([]coretypes.Selector, error) {

					roleID, err := valuer.NewUUID(mux.Vars(req)["id"])

					if err != nil {

						return nil, err

					}

					role, err := provider.authzService.Get(req.Context(), valuer.MustNewUUID(claims.OrgID), roleID)

					if err != nil {

						return nil, err

					}

					return []coretypes.Selector{

						coretypes.TypeRole.MustSelector(role.Name),

						coretypes.TypeRole.MustSelector(coretypes.WildCardSelectorString),

					}, nil

				}

									
										622

pkg/apiserver/signozapiserver/serviceaccount.go
									
												View File
												
				@@ -1,14 +1,12 @@

				package signozapiserver

				import (

					"bytes"

					"encoding/json"

					"io"

					"context"

					"net/http"

					"github.com/SigNoz/signoz/pkg/http/handler"

					"github.com/SigNoz/signoz/pkg/http/middleware"

					"github.com/SigNoz/signoz/pkg/types"

					"github.com/SigNoz/signoz/pkg/types/audittypes"

					"github.com/SigNoz/signoz/pkg/types/authtypes"

					"github.com/SigNoz/signoz/pkg/types/coretypes"

					"github.com/SigNoz/signoz/pkg/types/serviceaccounttypes"

				@@ -17,41 +15,56 @@ import (

				)

				func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {

					if err := router.Handle("/api/v1/service_accounts", handler.New(provider.authzMiddleware.Check(provider.serviceAccountHandler.Create, authtypes.Relation{Verb: coretypes.VerbCreate}, coretypes.ResourceServiceAccount, serviceAccountCollectionSelectorCallback, []string{

						authtypes.SigNozAdminRoleName,

					}), handler.OpenAPIDef{

						ID:                  "CreateServiceAccount",

						Tags:                []string{"serviceaccount"},

						Summary:             "Create service account",

						Description:         "This endpoint creates a service account",

						Request:             new(serviceaccounttypes.PostableServiceAccount),

						RequestContentType:  "",

						Response:            new(types.Identifiable),

						ResponseContentType: "application/json",

						SuccessStatusCode:   http.StatusCreated,

						ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict},

						Deprecated:          false,

						SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbCreate)}),

					})).Methods(http.MethodPost).GetError(); err != nil {

					if err := router.Handle("/api/v1/service_accounts", handler.New(

						provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.Create, authtypes.SigNozAdminRoleName),

						handler.OpenAPIDef{

							ID:                  "CreateServiceAccount",

							Tags:                []string{"serviceaccount"},

							Summary:             "Create service account",

							Description:         "This endpoint creates a service account",

							Request:             new(serviceaccounttypes.PostableServiceAccount),

							RequestContentType:  "",

							Response:            new(types.Identifiable),

							ResponseContentType: "application/json",

							SuccessStatusCode:   http.StatusCreated,

							ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict},

							Deprecated:          false,

							SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbCreate)}),

						},

						handler.WithResourceDefs(handler.ResourceDef{

							Resource: coretypes.ResourceServiceAccount,

							Verb:     coretypes.VerbCreate,

							ID:       handler.ResponseJSONPath("data.id"),

							Selector: handler.WildcardSelector,

							Category: audittypes.ActionCategoryAccessControl,

						}),

					)).Methods(http.MethodPost).GetError(); err != nil {

						return err

					}

					if err := router.Handle("/api/v1/service_accounts", handler.New(provider.authzMiddleware.Check(provider.serviceAccountHandler.List, authtypes.Relation{Verb: coretypes.VerbList}, coretypes.ResourceServiceAccount, serviceAccountCollectionSelectorCallback, []string{

						authtypes.SigNozAdminRoleName,

					}), handler.OpenAPIDef{

						ID:                  "ListServiceAccounts",

						Tags:                []string{"serviceaccount"},

						Summary:             "List service accounts",

						Description:         "This endpoint lists the service accounts for an organisation",

						Request:             nil,

						RequestContentType:  "",

						Response:            make([]*serviceaccounttypes.ServiceAccount, 0),

						ResponseContentType: "application/json",

						SuccessStatusCode:   http.StatusOK,

						ErrorStatusCodes:    []int{},

						Deprecated:          false,

						SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbList)}),

					})).Methods(http.MethodGet).GetError(); err != nil {

					if err := router.Handle("/api/v1/service_accounts", handler.New(

						provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.List, authtypes.SigNozAdminRoleName),

						handler.OpenAPIDef{

							ID:                  "ListServiceAccounts",

							Tags:                []string{"serviceaccount"},

							Summary:             "List service accounts",

							Description:         "This endpoint lists the service accounts for an organisation",

							Request:             nil,

							RequestContentType:  "",

							Response:            make([]*serviceaccounttypes.ServiceAccount, 0),

							ResponseContentType: "application/json",

							SuccessStatusCode:   http.StatusOK,

							ErrorStatusCodes:    []int{},

							Deprecated:          false,

							SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbList)}),

						},

						handler.WithResourceDefs(handler.ResourceDef{

							Resource: coretypes.ResourceServiceAccount,

							Verb:     coretypes.VerbList,

							Selector: handler.WildcardSelector,

							Category: audittypes.ActionCategoryAccessControl,

						}),

					)).Methods(http.MethodGet).GetError(); err != nil {

						return err

					}

				@@ -72,89 +85,133 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {

						return err

					}

					if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(provider.authzMiddleware.Check(provider.serviceAccountHandler.Get, authtypes.Relation{Verb: coretypes.VerbRead}, coretypes.ResourceServiceAccount, serviceAccountInstanceSelectorCallback, []string{

						authtypes.SigNozAdminRoleName,

					}), handler.OpenAPIDef{

						ID:                  "GetServiceAccount",

						Tags:                []string{"serviceaccount"},

						Summary:             "Gets a service account",

						Description:         "This endpoint gets an existing service account",

						Request:             nil,

						RequestContentType:  "",

						Response:            new(serviceaccounttypes.ServiceAccountWithRoles),

						ResponseContentType: "application/json",

						SuccessStatusCode:   http.StatusOK,

						ErrorStatusCodes:    []int{http.StatusNotFound},

						Deprecated:          false,

						SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbRead)}),

					})).Methods(http.MethodGet).GetError(); err != nil {

					if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(

						provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.Get, authtypes.SigNozAdminRoleName),

						handler.OpenAPIDef{

							ID:                  "GetServiceAccount",

							Tags:                []string{"serviceaccount"},

							Summary:             "Gets a service account",

							Description:         "This endpoint gets an existing service account",

							Request:             nil,

							RequestContentType:  "",

							Response:            new(serviceaccounttypes.ServiceAccountWithRoles),

							ResponseContentType: "application/json",

							SuccessStatusCode:   http.StatusOK,

							ErrorStatusCodes:    []int{http.StatusNotFound},

							Deprecated:          false,

							SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbRead)}),

						},

						handler.WithResourceDefs(handler.ResourceDef{

							Resource: coretypes.ResourceServiceAccount,

							Verb:     coretypes.VerbRead,

							ID:       handler.PathParam("id"),

							Selector: handler.IDSelector,

							Category: audittypes.ActionCategoryAccessControl,

						}),

					)).Methods(http.MethodGet).GetError(); err != nil {

						return err

					}

					if err := router.Handle("/api/v1/service_accounts/{id}/roles", handler.New(provider.authzMiddleware.Check(provider.serviceAccountHandler.GetRoles, authtypes.Relation{Verb: coretypes.VerbRead}, coretypes.ResourceServiceAccount, serviceAccountInstanceSelectorCallback, []string{

						authtypes.SigNozAdminRoleName,

					}), handler.OpenAPIDef{

						ID:                  "GetServiceAccountRoles",

						Tags:                []string{"serviceaccount"},

						Summary:             "Gets service account roles",

						Description:         "This endpoint gets all the roles for the existing service account",

						Request:             nil,

						RequestContentType:  "",

						Response:            new([]*authtypes.Role),

						ResponseContentType: "application/json",

						SuccessStatusCode:   http.StatusOK,

						ErrorStatusCodes:    []int{http.StatusNotFound},

						Deprecated:          false,

						SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbRead)}),

					})).Methods(http.MethodGet).GetError(); err != nil {

					if err := router.Handle("/api/v1/service_accounts/{id}/roles", handler.New(

						provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.GetRoles, authtypes.SigNozAdminRoleName),

						handler.OpenAPIDef{

							ID:                  "GetServiceAccountRoles",

							Tags:                []string{"serviceaccount"},

							Summary:             "Gets service account roles",

							Description:         "This endpoint gets all the roles for the existing service account",

							Request:             nil,

							RequestContentType:  "",

							Response:            new([]*authtypes.Role),

							ResponseContentType: "application/json",

							SuccessStatusCode:   http.StatusOK,

							ErrorStatusCodes:    []int{http.StatusNotFound},

							Deprecated:          false,

							SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbRead)}),

						},

						handler.WithResourceDefs(handler.ResourceDef{

							Resource: coretypes.ResourceServiceAccount,

							Verb:     coretypes.VerbRead,

							ID:       handler.PathParam("id"),

							Selector: handler.IDSelector,

							Category: audittypes.ActionCategoryAccessControl,

						}),

					)).Methods(http.MethodGet).GetError(); err != nil {

						return err

					}

					if err := router.Handle("/api/v1/service_accounts/{id}/roles", handler.New(provider.authzMiddleware.CheckAll(provider.serviceAccountHandler.SetRole, []middleware.AuthZCheckGroup{

						{{Relation: authtypes.Relation{Verb: coretypes.VerbAttach}, Resource: coretypes.ResourceServiceAccount, SelectorCallback: serviceAccountInstanceSelectorCallback, Roles: []string{

							authtypes.SigNozAdminRoleName,

						}}},

						{{Relation: authtypes.Relation{Verb: coretypes.VerbAttach}, Resource: coretypes.ResourceRole, SelectorCallback: provider.roleAttachSelectorFromBody, Roles: []string{

							authtypes.SigNozAdminRoleName,

						}}},

					}), handler.OpenAPIDef{

						ID:                  "CreateServiceAccountRole",

						Tags:                []string{"serviceaccount"},

						Summary:             "Create service account role",

						Description:         "This endpoint assigns a role to a service account",

						Request:             new(serviceaccounttypes.PostableServiceAccountRole),

						RequestContentType:  "",

						Response:            new(types.Identifiable),

						ResponseContentType: "application/json",

						SuccessStatusCode:   http.StatusCreated,

						ErrorStatusCodes:    []int{http.StatusBadRequest},

						Deprecated:          false,

						SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbAttach), coretypes.ResourceRole.Scope(coretypes.VerbAttach)}),

					})).Methods(http.MethodPost).GetError(); err != nil {

					if err := router.Handle("/api/v1/service_accounts/{id}/roles", handler.New(

						provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.SetRole, authtypes.SigNozAdminRoleName),

						handler.OpenAPIDef{

							ID:                  "CreateServiceAccountRole",

							Tags:                []string{"serviceaccount"},

							Summary:             "Create service account role",

							Description:         "This endpoint assigns a role to a service account",

							Request:             new(serviceaccounttypes.PostableServiceAccountRole),

							RequestContentType:  "",

							Response:            new(types.Identifiable),

							ResponseContentType: "application/json",

							SuccessStatusCode:   http.StatusCreated,

							ErrorStatusCodes:    []int{http.StatusBadRequest},

							Deprecated:          false,

							SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbAttach), coretypes.ResourceRole.Scope(coretypes.VerbAttach)}),

						},

						handler.WithResourceDefs(

							handler.ResourceDef{

								Resource: coretypes.ResourceServiceAccount,

								Verb:     coretypes.VerbAttach,

								ID:       handler.PathParam("id"),

								Selector: handler.IDSelector,

								Category: audittypes.ActionCategoryAccessControl,

								Related:  &handler.RelatedResource{Resource: coretypes.ResourceRole, ID: handler.BodyJSONPath("id")},

							},

							handler.ResourceDef{

								Resource: coretypes.ResourceRole,

								Verb:     coretypes.VerbAttach,

								ID:       handler.BodyJSONPath("id"),

								Selector: provider.roleSelector,

								Category: audittypes.ActionCategoryAccessControl,

								Related:  &handler.RelatedResource{Resource: coretypes.ResourceServiceAccount, ID: handler.PathParam("id")},

							},

						),

					)).Methods(http.MethodPost).GetError(); err != nil {

						return err

					}

					if err := router.Handle("/api/v1/service_accounts/{id}/roles/{rid}", handler.New(provider.authzMiddleware.CheckAll(provider.serviceAccountHandler.DeleteRole, []middleware.AuthZCheckGroup{

						{{Relation: authtypes.Relation{Verb: coretypes.VerbDetach}, Resource: coretypes.ResourceServiceAccount, SelectorCallback: serviceAccountInstanceSelectorCallback, Roles: []string{

							authtypes.SigNozAdminRoleName,

						}}},

						{{Relation: authtypes.Relation{Verb: coretypes.VerbDetach}, Resource: coretypes.ResourceRole, SelectorCallback: provider.roleDetachSelectorFromPath, Roles: []string{

							authtypes.SigNozAdminRoleName,

						}}},

					}), handler.OpenAPIDef{

						ID:                  "DeleteServiceAccountRole",

						Tags:                []string{"serviceaccount"},

						Summary:             "Delete service account role",

						Description:         "This endpoint revokes a role from service account",

						Request:             nil,

						RequestContentType:  "",

						Response:            nil,

						ResponseContentType: "application/json",

						SuccessStatusCode:   http.StatusNoContent,

						ErrorStatusCodes:    []int{},

						Deprecated:          false,

						SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbDetach), coretypes.ResourceRole.Scope(coretypes.VerbDetach)}),

					})).Methods(http.MethodDelete).GetError(); err != nil {

					if err := router.Handle("/api/v1/service_accounts/{id}/roles/{rid}", handler.New(

						provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.DeleteRole, authtypes.SigNozAdminRoleName),

						handler.OpenAPIDef{

							ID:                  "DeleteServiceAccountRole",

							Tags:                []string{"serviceaccount"},

							Summary:             "Delete service account role",

							Description:         "This endpoint revokes a role from service account",

							Request:             nil,

							RequestContentType:  "",

							Response:            nil,

							ResponseContentType: "application/json",

							SuccessStatusCode:   http.StatusNoContent,

							ErrorStatusCodes:    []int{},

							Deprecated:          false,

							SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbDetach), coretypes.ResourceRole.Scope(coretypes.VerbDetach)}),

						},

						handler.WithResourceDefs(

							handler.ResourceDef{

								Resource: coretypes.ResourceServiceAccount,

								Verb:     coretypes.VerbDetach,

								ID:       handler.PathParam("id"),

								Selector: handler.IDSelector,

								Category: audittypes.ActionCategoryAccessControl,

								Related:  &handler.RelatedResource{Resource: coretypes.ResourceRole, ID: handler.PathParam("rid")},

							},

							handler.ResourceDef{

								Resource: coretypes.ResourceRole,

								Verb:     coretypes.VerbDetach,

								ID:       handler.PathParam("rid"),

								Selector: provider.roleSelector,

								Category: audittypes.ActionCategoryAccessControl,

								Related:  &handler.RelatedResource{Resource: coretypes.ResourceServiceAccount, ID: handler.PathParam("id")},

							},

						),

					)).Methods(http.MethodDelete).GetError(); err != nil {

						return err

					}

				@@ -175,208 +232,207 @@ func (provider *provider) addServiceAccountRoutes(router *mux.Router) error {

						return err

					}

					if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(provider.authzMiddleware.Check(provider.serviceAccountHandler.Update, authtypes.Relation{Verb: coretypes.VerbUpdate}, coretypes.ResourceServiceAccount, serviceAccountInstanceSelectorCallback, []string{

						authtypes.SigNozAdminRoleName,

					}), handler.OpenAPIDef{

						ID:                  "UpdateServiceAccount",

						Tags:                []string{"serviceaccount"},

						Summary:             "Updates a service account",

						Description:         "This endpoint updates an existing service account",

						Request:             new(serviceaccounttypes.UpdatableServiceAccount),

						RequestContentType:  "",

						Response:            nil,

						ResponseContentType: "application/json",

						SuccessStatusCode:   http.StatusNoContent,

						ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusBadRequest},

						Deprecated:          false,

						SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbUpdate)}),

					})).Methods(http.MethodPut).GetError(); err != nil {

					if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(

						provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.Update, authtypes.SigNozAdminRoleName),

						handler.OpenAPIDef{

							ID:                  "UpdateServiceAccount",

							Tags:                []string{"serviceaccount"},

							Summary:             "Updates a service account",

							Description:         "This endpoint updates an existing service account",

							Request:             new(serviceaccounttypes.UpdatableServiceAccount),

							RequestContentType:  "",

							Response:            nil,

							ResponseContentType: "application/json",

							SuccessStatusCode:   http.StatusNoContent,

							ErrorStatusCodes:    []int{http.StatusNotFound, http.StatusBadRequest},

							Deprecated:          false,

							SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbUpdate)}),

						},

						handler.WithResourceDefs(handler.ResourceDef{

							Resource: coretypes.ResourceServiceAccount,

							Verb:     coretypes.VerbUpdate,

							ID:       handler.PathParam("id"),

							Selector: handler.IDSelector,

							Category: audittypes.ActionCategoryAccessControl,

						}),

					)).Methods(http.MethodPut).GetError(); err != nil {

						return err

					}

					if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(provider.authzMiddleware.Check(provider.serviceAccountHandler.Delete, authtypes.Relation{Verb: coretypes.VerbDelete}, coretypes.ResourceServiceAccount, serviceAccountInstanceSelectorCallback, []string{

						authtypes.SigNozAdminRoleName,

					}), handler.OpenAPIDef{

						ID:                  "DeleteServiceAccount",

						Tags:                []string{"serviceaccount"},

						Summary:             "Deletes a service account",

						Description:         "This endpoint deletes an existing service account",

						Request:             nil,

						RequestContentType:  "",

						Response:            nil,

						ResponseContentType: "application/json",

						SuccessStatusCode:   http.StatusNoContent,

						ErrorStatusCodes:    []int{http.StatusNotFound},

						Deprecated:          false,

						SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbDelete)}),

					})).Methods(http.MethodDelete).GetError(); err != nil {

					if err := router.Handle("/api/v1/service_accounts/{id}", handler.New(

						provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.Delete, authtypes.SigNozAdminRoleName),

						handler.OpenAPIDef{

							ID:                  "DeleteServiceAccount",

							Tags:                []string{"serviceaccount"},

							Summary:             "Deletes a service account",

							Description:         "This endpoint deletes an existing service account",

							Request:             nil,

							RequestContentType:  "",

							Response:            nil,

							ResponseContentType: "application/json",

							SuccessStatusCode:   http.StatusNoContent,

							ErrorStatusCodes:    []int{http.StatusNotFound},

							Deprecated:          false,

							SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceServiceAccount.Scope(coretypes.VerbDelete)}),

						},

						handler.WithResourceDefs(handler.ResourceDef{

							Resource: coretypes.ResourceServiceAccount,

							Verb:     coretypes.VerbDelete,

							ID:       handler.PathParam("id"),

							Selector: handler.IDSelector,

							Category: audittypes.ActionCategoryAccessControl,

						}),

					)).Methods(http.MethodDelete).GetError(); err != nil {

						return err

					}

					if err := router.Handle("/api/v1/service_accounts/{id}/keys", handler.New(provider.authzMiddleware.CheckAll(provider.serviceAccountHandler.CreateFactorAPIKey, []middleware.AuthZCheckGroup{

						{{Relation: authtypes.Relation{Verb: coretypes.VerbCreate}, Resource: coretypes.ResourceMetaResourceFactorAPIKey, SelectorCallback: factorAPIKeyCollectionSelectorCallback, Roles: []string{

							authtypes.SigNozAdminRoleName,

						}}},

						{{Relation: authtypes.Relation{Verb: coretypes.VerbAttach}, Resource: coretypes.ResourceServiceAccount, SelectorCallback: serviceAccountInstanceSelectorCallback, Roles: []string{

							authtypes.SigNozAdminRoleName,

						}}},

					}), handler.OpenAPIDef{

						ID:                  "CreateServiceAccountKey",

						Tags:                []string{"serviceaccount"},

						Summary:             "Create a service account key",

						Description:         "This endpoint creates a service account key",

						Request:             new(serviceaccounttypes.PostableFactorAPIKey),

						RequestContentType:  "",

						Response:            new(serviceaccounttypes.GettableFactorAPIKeyWithKey),

						ResponseContentType: "application/json",

						SuccessStatusCode:   http.StatusCreated,

						ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict},

						Deprecated:          false,

						SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourceFactorAPIKey.Scope(coretypes.VerbCreate), coretypes.ResourceServiceAccount.Scope(coretypes.VerbAttach)}),

					})).Methods(http.MethodPost).GetError(); err != nil {

					if err := router.Handle("/api/v1/service_accounts/{id}/keys", handler.New(

						provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.CreateFactorAPIKey, authtypes.SigNozAdminRoleName),

						handler.OpenAPIDef{

							ID:                  "CreateServiceAccountKey",

							Tags:                []string{"serviceaccount"},

							Summary:             "Create a service account key",

							Description:         "This endpoint creates a service account key",

							Request:             new(serviceaccounttypes.PostableFactorAPIKey),

							RequestContentType:  "",

							Response:            new(serviceaccounttypes.GettableFactorAPIKeyWithKey),

							ResponseContentType: "application/json",

							SuccessStatusCode:   http.StatusCreated,

							ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusConflict},

							Deprecated:          false,

							SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourceFactorAPIKey.Scope(coretypes.VerbCreate), coretypes.ResourceServiceAccount.Scope(coretypes.VerbAttach)}),

						},

						handler.WithResourceDefs(

							handler.ResourceDef{

								Resource: coretypes.ResourceMetaResourceFactorAPIKey,

								Verb:     coretypes.VerbCreate,

								ID:       handler.ResponseJSONPath("data.id"),

								Selector: handler.WildcardSelector,

								Category: audittypes.ActionCategoryAccessControl,

							},

							handler.ResourceDef{

								Resource: coretypes.ResourceServiceAccount,

								Verb:     coretypes.VerbAttach,

								ID:       handler.PathParam("id"),

								Selector: handler.IDSelector,

								Category: audittypes.ActionCategoryAccessControl,

								Related:  &handler.RelatedResource{Resource: coretypes.ResourceMetaResourceFactorAPIKey, ID: handler.ResponseJSONPath("data.id")},

							},

						),

					)).Methods(http.MethodPost).GetError(); err != nil {

						return err

					}

					if err := router.Handle("/api/v1/service_accounts/{id}/keys", handler.New(provider.authzMiddleware.Check(provider.serviceAccountHandler.ListFactorAPIKey, authtypes.Relation{Verb: coretypes.VerbList}, coretypes.ResourceMetaResourceFactorAPIKey, factorAPIKeyCollectionSelectorCallback, []string{

						authtypes.SigNozAdminRoleName,

					}), handler.OpenAPIDef{

						ID:                  "ListServiceAccountKeys",

						Tags:                []string{"serviceaccount"},

						Summary:             "List service account keys",

						Description:         "This endpoint lists the service account keys",

						Request:             nil,

						RequestContentType:  "",

						Response:            make([]*serviceaccounttypes.GettableFactorAPIKey, 0),

						ResponseContentType: "application/json",

						SuccessStatusCode:   http.StatusOK,

						ErrorStatusCodes:    []int{},

						Deprecated:          false,

						SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourceFactorAPIKey.Scope(coretypes.VerbList)}),

					})).Methods(http.MethodGet).GetError(); err != nil {

					if err := router.Handle("/api/v1/service_accounts/{id}/keys", handler.New(

						provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.ListFactorAPIKey, authtypes.SigNozAdminRoleName),

						handler.OpenAPIDef{

							ID:                  "ListServiceAccountKeys",

							Tags:                []string{"serviceaccount"},

							Summary:             "List service account keys",

							Description:         "This endpoint lists the service account keys",

							Request:             nil,

							RequestContentType:  "",

							Response:            make([]*serviceaccounttypes.GettableFactorAPIKey, 0),

							ResponseContentType: "application/json",

							SuccessStatusCode:   http.StatusOK,

							ErrorStatusCodes:    []int{},

							Deprecated:          false,

							SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourceFactorAPIKey.Scope(coretypes.VerbList)}),

						},

						handler.WithResourceDefs(handler.ResourceDef{

							Resource: coretypes.ResourceMetaResourceFactorAPIKey,

							Verb:     coretypes.VerbList,

							Selector: handler.WildcardSelector,

							Category: audittypes.ActionCategoryAccessControl,

						}),

					)).Methods(http.MethodGet).GetError(); err != nil {

						return err

					}

					if err := router.Handle("/api/v1/service_accounts/{id}/keys/{fid}", handler.New(provider.authzMiddleware.Check(provider.serviceAccountHandler.UpdateFactorAPIKey, authtypes.Relation{Verb: coretypes.VerbUpdate}, coretypes.ResourceMetaResourceFactorAPIKey, factorAPIKeyInstanceSelectorCallback, []string{

						authtypes.SigNozAdminRoleName,

					}), handler.OpenAPIDef{

						ID:                  "UpdateServiceAccountKey",

						Tags:                []string{"serviceaccount"},

						Summary:             "Updates a service account key",

						Description:         "This endpoint updates an existing service account key",

						Request:             new(serviceaccounttypes.UpdatableFactorAPIKey),

						RequestContentType:  "",

						Response:            nil,

						ResponseContentType: "application/json",

						SuccessStatusCode:   http.StatusNoContent,

						ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},

						Deprecated:          false,

						SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourceFactorAPIKey.Scope(coretypes.VerbUpdate)}),

					})).Methods(http.MethodPut).GetError(); err != nil {

					if err := router.Handle("/api/v1/service_accounts/{id}/keys/{fid}", handler.New(

						provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.UpdateFactorAPIKey, authtypes.SigNozAdminRoleName),

						handler.OpenAPIDef{

							ID:                  "UpdateServiceAccountKey",

							Tags:                []string{"serviceaccount"},

							Summary:             "Updates a service account key",

							Description:         "This endpoint updates an existing service account key",

							Request:             new(serviceaccounttypes.UpdatableFactorAPIKey),

							RequestContentType:  "",

							Response:            nil,

							ResponseContentType: "application/json",

							SuccessStatusCode:   http.StatusNoContent,

							ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},

							Deprecated:          false,

							SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourceFactorAPIKey.Scope(coretypes.VerbUpdate)}),

						},

						handler.WithResourceDefs(handler.ResourceDef{

							Resource: coretypes.ResourceMetaResourceFactorAPIKey,

							Verb:     coretypes.VerbUpdate,

							ID:       handler.PathParam("fid"),

							Selector: handler.IDSelector,

							Category: audittypes.ActionCategoryAccessControl,

						}),

					)).Methods(http.MethodPut).GetError(); err != nil {

						return err

					}

					if err := router.Handle("/api/v1/service_accounts/{id}/keys/{fid}", handler.New(provider.authzMiddleware.CheckAll(provider.serviceAccountHandler.RevokeFactorAPIKey, []middleware.AuthZCheckGroup{

						{{Relation: authtypes.Relation{Verb: coretypes.VerbDelete}, Resource: coretypes.ResourceMetaResourceFactorAPIKey, SelectorCallback: factorAPIKeyInstanceSelectorCallback, Roles: []string{

							authtypes.SigNozAdminRoleName,

						}}},

						{{Relation: authtypes.Relation{Verb: coretypes.VerbDetach}, Resource: coretypes.ResourceServiceAccount, SelectorCallback: serviceAccountInstanceSelectorCallback, Roles: []string{

							authtypes.SigNozAdminRoleName,

						}}},

					}), handler.OpenAPIDef{

						ID:                  "RevokeServiceAccountKey",

						Tags:                []string{"serviceaccount"},

						Summary:             "Revoke a service account key",

						Description:         "This endpoint revokes an existing service account key",

						Request:             nil,

						RequestContentType:  "",

						Response:            nil,

						ResponseContentType: "application/json",

						SuccessStatusCode:   http.StatusNoContent,

						ErrorStatusCodes:    []int{http.StatusNotFound},

						Deprecated:          false,

						SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourceFactorAPIKey.Scope(coretypes.VerbDelete), coretypes.ResourceServiceAccount.Scope(coretypes.VerbDetach)}),

					})).Methods(http.MethodDelete).GetError(); err != nil {

					if err := router.Handle("/api/v1/service_accounts/{id}/keys/{fid}", handler.New(

						provider.authzMiddleware.CheckResources(provider.serviceAccountHandler.RevokeFactorAPIKey, authtypes.SigNozAdminRoleName),

						handler.OpenAPIDef{

							ID:                  "RevokeServiceAccountKey",

							Tags:                []string{"serviceaccount"},

							Summary:             "Revoke a service account key",

							Description:         "This endpoint revokes an existing service account key",

							Request:             nil,

							RequestContentType:  "",

							Response:            nil,

							ResponseContentType: "application/json",

							SuccessStatusCode:   http.StatusNoContent,

							ErrorStatusCodes:    []int{http.StatusNotFound},

							Deprecated:          false,

							SecuritySchemes:     newScopedSecuritySchemes([]string{coretypes.ResourceMetaResourceFactorAPIKey.Scope(coretypes.VerbDelete), coretypes.ResourceServiceAccount.Scope(coretypes.VerbDetach)}),

						},

						handler.WithResourceDefs(

							handler.ResourceDef{

								Resource: coretypes.ResourceMetaResourceFactorAPIKey,

								Verb:     coretypes.VerbDelete,

								ID:       handler.PathParam("fid"),

								Selector: handler.IDSelector,

								Category: audittypes.ActionCategoryAccessControl,

							},

							handler.ResourceDef{

								Resource: coretypes.ResourceServiceAccount,

								Verb:     coretypes.VerbDetach,

								ID:       handler.PathParam("id"),

								Selector: handler.IDSelector,

								Category: audittypes.ActionCategoryAccessControl,

								Related:  &handler.RelatedResource{Resource: coretypes.ResourceMetaResourceFactorAPIKey, ID: handler.PathParam("fid")},

							},

						),

					)).Methods(http.MethodDelete).GetError(); err != nil {

						return err

					}

					return nil

				}

				func (provider *provider) roleDetachSelectorFromPath(req *http.Request, claims authtypes.Claims) ([]coretypes.Selector, error) {

					roleID, err := valuer.NewUUID(mux.Vars(req)["rid"])

				// roleSelector resolves the FGA selectors for a role from its UUID. The id is

				// already extracted by the ResourceDef (path or body); this only does the

				// UUID -> name lookup the FGA object string requires. Shared by service account

				// and role routes.

				func (provider *provider) roleSelector(ctx context.Context, resource coretypes.Resource, id string, claims authtypes.Claims) ([]coretypes.Selector, error) {

					roleID, err := valuer.NewUUID(id)

					if err != nil {

						return nil, err

					}

					role, err := provider.authzService.Get(req.Context(), valuer.MustNewUUID(claims.OrgID), roleID)

					role, err := provider.authzService.Get(ctx, valuer.MustNewUUID(claims.OrgID), roleID)

					if err != nil {

						return nil, err

					}

					return []coretypes.Selector{

						coretypes.TypeRole.MustSelector(role.Name),

						coretypes.TypeRole.MustSelector(coretypes.WildCardSelectorString),

					}, nil

				}

				func (provider *provider) roleAttachSelectorFromBody(req *http.Request, claims authtypes.Claims) ([]coretypes.Selector, error) {

					body, err := io.ReadAll(req.Body)

					if err != nil {

						return nil, err

					}

					req.Body = io.NopCloser(bytes.NewReader(body))

					postableRole := new(serviceaccounttypes.PostableServiceAccountRole)

					if err := json.Unmarshal(body, postableRole); err != nil {

						return nil, err

					}

					role, err := provider.authzService.Get(req.Context(), valuer.MustNewUUID(claims.OrgID), postableRole.ID)

					if err != nil {

						return nil, err

					}

					return []coretypes.Selector{

						coretypes.TypeRole.MustSelector(role.Name),

						coretypes.TypeRole.MustSelector(coretypes.WildCardSelectorString),

					}, nil

				}

				func factorAPIKeyCollectionSelectorCallback(_ *http.Request, _ authtypes.Claims) ([]coretypes.Selector, error) {

					return []coretypes.Selector{

						coretypes.TypeMetaResource.MustSelector(coretypes.WildCardSelectorString),

					}, nil

				}

				func factorAPIKeyInstanceSelectorCallback(req *http.Request, _ authtypes.Claims) ([]coretypes.Selector, error) {

					fid := mux.Vars(req)["fid"]

					fidSelector, err := coretypes.TypeMetaResource.Selector(fid)

					if err != nil {

						return nil, err

					}

					return []coretypes.Selector{

						fidSelector,

						coretypes.TypeMetaResource.MustSelector(coretypes.WildCardSelectorString),

					}, nil

				}

				func serviceAccountCollectionSelectorCallback(_ *http.Request, _ authtypes.Claims) ([]coretypes.Selector, error) {

					return []coretypes.Selector{

						coretypes.TypeServiceAccount.MustSelector(coretypes.WildCardSelectorString),

					}, nil

				}

				func serviceAccountInstanceSelectorCallback(req *http.Request, _ authtypes.Claims) ([]coretypes.Selector, error) {

					id := mux.Vars(req)["id"]

					idSelector, err := coretypes.TypeServiceAccount.Selector(id)

					if err != nil {

						return nil, err

					}

					return []coretypes.Selector{

						idSelector,

						coretypes.TypeServiceAccount.MustSelector(coretypes.WildCardSelectorString),

						resource.Type().MustSelector(role.Name),

						resource.Type().MustSelector(coretypes.WildCardSelectorString),

					}, nil

				}

									
										19

pkg/apiserver/signozapiserver/tracedetail.go
									
												View File
												
				@@ -67,5 +67,24 @@ func (provider *provider) addTraceDetailRoutes(router *mux.Router) error {

						return err

					}

					if err := router.Handle("/api/v3/traces/{traceID}/flamegraph", handler.New(

						provider.authzMiddleware.ViewAccess(provider.traceDetailHandler.GetFlamegraph),

						handler.OpenAPIDef{

							ID:                  "GetFlamegraph",

							Tags:                []string{"tracedetail"},

							Summary:             "Get flamegraph view for a trace",

							Description:         "Returns the flamegraph view of spans for a given trace ID.",

							Request:             new(spantypes.PostableFlamegraph),

							RequestContentType:  "application/json",

							Response:            new(spantypes.GettableFlamegraphTrace),

							ResponseContentType: "application/json",

							SuccessStatusCode:   http.StatusOK,

							ErrorStatusCodes:    []int{http.StatusBadRequest, http.StatusNotFound},

							SecuritySchemes:     newSecuritySchemes(types.RoleViewer),

						},

					)).Methods(http.MethodPost).GetError(); err != nil {

						return err

					}

					return nil

				}

									
										24

pkg/auditor/auditorserver/server_test.go
									
												View File
												
				@@ -20,16 +20,16 @@ func newTestSettings() factory.ScopedProviderSettings {

					return factory.NewScopedProviderSettings(instrumentationtest.New().ToProviderSettings(), "auditorserver_test")

				}

				func newTestEvent(resource string, action coretypes.Verb) audittypes.AuditEvent {

				func newTestEvent(resource coretypes.Resource, action coretypes.Verb) audittypes.AuditEvent {

					return audittypes.AuditEvent{

						Timestamp: time.Now(),

						EventName: audittypes.NewEventName(coretypes.MustNewKind(resource), action),

						EventName: audittypes.NewEventName(resource.Kind(), action),

						AuditAttributes: audittypes.AuditAttributes{

							Action:  action,

							Outcome: audittypes.OutcomeSuccess,

						},

						ResourceAttributes: audittypes.ResourceAttributes{

							ResourceKind: coretypes.MustNewKind(resource),

							Resource: resource,

						},

					}

				}

				@@ -84,7 +84,7 @@ func TestAdd_FlushesOnBatchSize(t *testing.T) {

					go func() { _ = server.Start(ctx) }()

					for i := 0; i < 3; i++ {

						server.Add(ctx, newTestEvent("dashboard", coretypes.VerbCreate))

						server.Add(ctx, newTestEvent(coretypes.ResourceMetaResourceDashboard, coretypes.VerbCreate))

					}

					assert.Eventually(t, func() bool {

				@@ -113,7 +113,7 @@ func TestAdd_FlushesOnInterval(t *testing.T) {

					go func() { _ = server.Start(ctx) }()

					server.Add(ctx, newTestEvent("user", coretypes.VerbUpdate))

					server.Add(ctx, newTestEvent(coretypes.ResourceUser, coretypes.VerbUpdate))

					assert.Eventually(t, func() bool {

						return exported.Load() == 1

				@@ -131,9 +131,9 @@ func TestAdd_DropsWhenBufferFull(t *testing.T) {

					ctx := context.Background()

					server.Add(ctx, newTestEvent("dashboard", coretypes.VerbCreate))

					server.Add(ctx, newTestEvent("dashboard", coretypes.VerbUpdate))

					server.Add(ctx, newTestEvent("dashboard", coretypes.VerbDelete))

					server.Add(ctx, newTestEvent(coretypes.ResourceMetaResourceDashboard, coretypes.VerbCreate))

					server.Add(ctx, newTestEvent(coretypes.ResourceMetaResourceDashboard, coretypes.VerbUpdate))

					server.Add(ctx, newTestEvent(coretypes.ResourceMetaResourceDashboard, coretypes.VerbDelete))

					assert.Equal(t, 2, server.queueLen())

				}

				@@ -156,7 +156,7 @@ func TestStop_DrainsRemainingEvents(t *testing.T) {

					go func() { _ = server.Start(ctx) }()

					for i := 0; i < 5; i++ {

						server.Add(ctx, newTestEvent("alert-rule", coretypes.VerbCreate))

						server.Add(ctx, newTestEvent(coretypes.ResourceMetaResourceRule, coretypes.VerbCreate))

					}

					require.NoError(t, server.Stop(ctx))

				@@ -181,8 +181,8 @@ func TestAdd_ContinuesAfterExportFailure(t *testing.T) {

					go func() { _ = server.Start(ctx) }()

					server.Add(ctx, newTestEvent("user", coretypes.VerbDelete))

					server.Add(ctx, newTestEvent("user", coretypes.VerbDelete))

					server.Add(ctx, newTestEvent(coretypes.ResourceUser, coretypes.VerbDelete))

					server.Add(ctx, newTestEvent(coretypes.ResourceUser, coretypes.VerbDelete))

					assert.Eventually(t, func() bool {

						return calls.Load() >= 1

				@@ -213,7 +213,7 @@ func TestAdd_ConcurrentSafety(t *testing.T) {

						wg.Add(1)

						go func() {

							defer wg.Done()

							server.Add(ctx, newTestEvent("dashboard", coretypes.VerbCreate))

							server.Add(ctx, newTestEvent(coretypes.ResourceMetaResourceDashboard, coretypes.VerbCreate))

						}()

					}

					wg.Wait()

									
										20

pkg/authn/callbackauthn/googlecallbackauthn/authn.go
									
												View File
												
				@@ -4,6 +4,7 @@ import (

					"context"

					"log/slog"

					"net/url"

					"path"

					"github.com/coreos/go-oidc/v3/oidc"

					"golang.org/x/oauth2"

				@@ -14,6 +15,7 @@ import (

					"github.com/SigNoz/signoz/pkg/authn"

					"github.com/SigNoz/signoz/pkg/errors"

					"github.com/SigNoz/signoz/pkg/factory"

					"github.com/SigNoz/signoz/pkg/global"

					"github.com/SigNoz/signoz/pkg/http/client"

					"github.com/SigNoz/signoz/pkg/types/authtypes"

					"github.com/SigNoz/signoz/pkg/valuer"

				@@ -29,12 +31,13 @@ var scopes []string = []string{"email", "profile"}

				var _ authn.CallbackAuthN = (*AuthN)(nil)

				type AuthN struct {

					store      authtypes.AuthNStore

					settings   factory.ScopedProviderSettings

					httpClient *client.Client

					store        authtypes.AuthNStore

					settings     factory.ScopedProviderSettings

					httpClient   *client.Client

					globalConfig global.Config

				}

				func New(ctx context.Context, store authtypes.AuthNStore, providerSettings factory.ProviderSettings) (*AuthN, error) {

				func New(ctx context.Context, store authtypes.AuthNStore, providerSettings factory.ProviderSettings, globalConfig global.Config) (*AuthN, error) {

					settings := factory.NewScopedProviderSettings(providerSettings, "github.com/SigNoz/signoz/pkg/authn/callbackauthn/googlecallbackauthn")

					httpClient, err := client.New(settings.Logger(), providerSettings.TracerProvider, providerSettings.MeterProvider)

				@@ -43,9 +46,10 @@ func New(ctx context.Context, store authtypes.AuthNStore, providerSettings facto

					}

					return &AuthN{

						store:      store,

						settings:   settings,

						httpClient: httpClient,

						store:        store,

						settings:     settings,

						httpClient:   httpClient,

						globalConfig: globalConfig,

					}, nil

				}

				@@ -178,7 +182,7 @@ func (a *AuthN) oauth2Config(siteURL *url.URL, authDomain *authtypes.AuthDomain,

						RedirectURL: (&url.URL{

							Scheme: siteURL.Scheme,

							Host:   siteURL.Host,

							Path:   redirectPath,

							Path:   path.Join(a.globalConfig.ExternalPath(), redirectPath),

						}).String(),

					}

				}

									
										103

pkg/http/handler/extractor.go
									
										Normal file
									
												View File
												
				@@ -0,0 +1,103 @@

				// Resource id extraction from the request/response.

				package handler

				import (

					"net/http"

					"github.com/gorilla/mux"

					"github.com/tidwall/gjson"

				)

				// ExtractorContext carries everything an extractor may read. The resource

				// middleware fills Request + RequestBody pre-handler; the audit middleware adds

				// ResponseBody post-handler. Each extractor is run exactly once, in the phase

				// whose data it needs.

				type ExtractorContext struct {

					Request      *http.Request

					RequestBody  []byte

					ResponseBody []byte

				}

				// extractPhase marks whether an extractor reads request-side data (resolved

				// pre-handler by the resource middleware) or response-side data (resolved

				// post-handler by the audit middleware).

				type extractPhase int

				const (

					phaseRequest extractPhase = iota

					phaseResponse

				)

				// ResourceIDExtractor resolves a single resource id. Phase-tagged so the

				// resolver runs it exactly once in the right phase. The declaration API exposes

				// only the constructors below, so the phase is an internal detail.

				type ResourceIDExtractor struct {

					phase extractPhase

					fn    func(ExtractorContext) (string, error)

				}

				// isPhase reports whether this extractor is runnable in the given phase.

				func (extractor ResourceIDExtractor) isPhase(phase extractPhase) bool {

					return extractor.fn != nil && extractor.phase == phase

				}

				// runFor runs the extractor against ec when it belongs to phase, reporting

				// whether it ran.

				func (extractor ResourceIDExtractor) runFor(phase extractPhase, ec ExtractorContext) (string, bool) {

					if !extractor.isPhase(phase) {

						return "", false

					}

					id, _ := extractor.fn(ec)

					return id, true

				}

				// ResourceIDsExtractor resolves multiple resource ids (fan-out). Always

				// request-phase — arrays come from the request body.

				type ResourceIDsExtractor struct {

					phase extractPhase

					fn    func(ExtractorContext) ([]string, error)

				}

				// PathParam reads a gorilla/mux path variable. Request-phase.

				func PathParam(name string) ResourceIDExtractor {

					return ResourceIDExtractor{phase: phaseRequest, fn: func(ec ExtractorContext) (string, error) {

						if ec.Request == nil {

							return "", nil

						}

						return mux.Vars(ec.Request)[name], nil

					}}

				}

				// BodyJSONPath reads a gjson path from the request body. Request-phase.

				func BodyJSONPath(path string) ResourceIDExtractor {

					return ResourceIDExtractor{phase: phaseRequest, fn: func(ec ExtractorContext) (string, error) {

						return gjson.GetBytes(ec.RequestBody, path).String(), nil

					}}

				}

				// BodyJSONArray reads a JSON array of strings from the request body. Request-phase.

				func BodyJSONArray(path string) ResourceIDsExtractor {

					return ResourceIDsExtractor{phase: phaseRequest, fn: func(ec ExtractorContext) ([]string, error) {

						result := gjson.GetBytes(ec.RequestBody, path)

						if !result.Exists() {

							return nil, nil

						}

						array := result.Array()

						ids := make([]string, 0, len(array))

						for _, r := range array {

							ids = append(ids, r.String())

						}

						return ids, nil

					}}

				}

				// ResponseJSONPath reads a gjson path from the response body. Response-phase —

				// yields "" pre-handler and the real value post-handler.

				func ResponseJSONPath(path string) ResourceIDExtractor {

					return ResourceIDExtractor{phase: phaseResponse, fn: func(ec ExtractorContext) (string, error) {

						return gjson.GetBytes(ec.ResponseBody, path).String(), nil

					}}

				}

									
										12

pkg/http/handler/handler.go
									
												View File
												
				@@ -16,12 +16,14 @@ type Handler interface {

					http.Handler

					ServeOpenAPI(openapi.OperationContext)

					AuditDef() *AuditDef

					ResourceDefs() []ResourceSpec

				}

				type handler struct {

					handlerFunc http.HandlerFunc

					openAPIDef  OpenAPIDef

					auditDef    *AuditDef

					handlerFunc  http.HandlerFunc

					openAPIDef   OpenAPIDef

					auditDef     *AuditDef

					resourceDefs []ResourceSpec

				}

				func New(handlerFunc http.HandlerFunc, openAPIDef OpenAPIDef, opts ...Option) Handler {

				@@ -133,3 +135,7 @@ func (handler *handler) ServeOpenAPI(opCtx openapi.OperationContext) {

				func (handler *handler) AuditDef() *AuditDef {

					return handler.auditDef

				}

				func (handler *handler) ResourceDefs() []ResourceSpec {

					return handler.resourceDefs

				}

									
										9

pkg/http/handler/option.go
									
												View File
												
				@@ -23,3 +23,12 @@ func WithAuditDef(def AuditDef) Option {

						h.auditDef = &def

					}

				}

				// WithResourceDefs attaches one or more resource specs (ResourceDef /

				// ResourcesDef) to the handler. The resource middleware resolves them and the

				// authz + audit middlewares read the result.

				func WithResourceDefs(defs ...ResourceSpec) Option {

					return func(h *handler) {

						h.resourceDefs = append(h.resourceDefs, defs...)

					}

				}

									
										33

pkg/http/handler/resolved_context.go
									
										Normal file
									
												View File
												
				@@ -0,0 +1,33 @@

				// Storing and retrieving the resolved resource list on the request context.

				package handler

				import (

					"context"

					"github.com/SigNoz/signoz/pkg/errors"

				)

				var errCodeResolvedResourcesNotFound = errors.MustNewCode("resolved_resources_not_found")

				// resolvedKey is the context key under which the resolved resource list is stored.

				type resolvedKey struct{}

				// NewContextWithResolvedResources stores the resolved resource list in the

				// context. Entries are pointers so the audit middleware can finalize

				// response-phase ids in place after the handler runs.

				func NewContextWithResolvedResources(ctx context.Context, resolved []*ResolvedResource) context.Context {

					return context.WithValue(ctx, resolvedKey{}, resolved)

				}

				// ResolvedResourcesFromContext returns the resolved resource list placed by the

				// Resource middleware, or an error if no list is present (the route declared no

				// ResourceDefs or the Resource middleware is not wired). Entries are pointers so

				// the audit middleware can finalize response-phase ids in place.

				func ResolvedResourcesFromContext(ctx context.Context) ([]*ResolvedResource, error) {

					resolved, ok := ctx.Value(resolvedKey{}).([]*ResolvedResource)

					if !ok {

						return nil, errors.New(errors.TypeInternal, errCodeResolvedResourcesNotFound, "resolved resources not found in context")

					}

					return resolved, nil

				}

									
										79

pkg/http/handler/resolved_resource.go
									
										Normal file
									
												View File
												
				@@ -0,0 +1,79 @@

				// The resolved output of a resource def, consumed by authz and audit.

				package handler

				import (

					"github.com/SigNoz/signoz/pkg/types/audittypes"

					"github.com/SigNoz/signoz/pkg/types/coretypes"

				)

				// ResolvedResource is the uniform output of resolution (after fan-out). ID is a

				// resolved string: request-phase ids are filled by the resource middleware;

				// response-phase ids stay "" until FinalizeResponseIDs runs in the audit

				// middleware. idExtractor is retained so resolve can run it in its phase.

				type ResolvedResource struct {

					Resource    coretypes.Resource

					Verb        coretypes.Verb

					ID          string

					Selector    SelectorFunc

					Category    audittypes.ActionCategory

					Related     *ResolvedRelated

					idExtractor ResourceIDExtractor

				}

				// ResolvedRelated is the resolved counterpart for audit context.

				type ResolvedRelated struct {

					Resource    coretypes.Resource

					ID          string

					idExtractor ResourceIDExtractor

				}

				// newResolvedRelated wires a related counterpart's structure. Its id is resolved

				// later by ResolvedResource.resolve, in the extractor's declared phase.

				func newResolvedRelated(related *RelatedResource) *ResolvedRelated {

					if related == nil {

						return nil

					}

					return &ResolvedRelated{Resource: related.Resource, idExtractor: related.ID}

				}

				// resolve fills this entry's ids whose extractor belongs to phase. Called once

				// per phase: phaseRequest by the resource middleware, phaseResponse by the audit

				// middleware. An extractor from a different phase is left untouched.

				func (resolved *ResolvedResource) resolve(phase extractPhase, ec ExtractorContext) {

					if id, ok := resolved.idExtractor.runFor(phase, ec); ok {

						resolved.ID = id

					}

					if resolved.Related != nil {

						if id, ok := resolved.Related.idExtractor.runFor(phase, ec); ok {

							resolved.Related.ID = id

						}

					}

				}

				// FinalizeResponseIDs runs the carried response-phase extractors against ec to

				// fill the ids that were unknown pre-handler. Called by the audit middleware

				// post-handler. Mutates the entries in place.

				func FinalizeResponseIDs(resolved []*ResolvedResource, ec ExtractorContext) {

					for _, entry := range resolved {

						entry.resolve(phaseResponse, ec)

					}

				}

				// HasResponseIDs reports whether any resolved entry needs the response body to

				// finalize its id. The audit middleware uses this to decide whether to capture

				// the success response body.

				func HasResponseIDs(resolved []*ResolvedResource) bool {

					for _, entry := range resolved {

						if entry.idExtractor.isPhase(phaseResponse) {

							return true

						}

						if entry.Related != nil && entry.Related.idExtractor.isPhase(phaseResponse) {

							return true

						}

					}

					return false

				}

									
										129

pkg/http/handler/resourcedef.go
									
										Normal file
									
												View File
												
				@@ -0,0 +1,129 @@

				// Declaration API a route author writes: the resource defs and the selectors

				// that map a resolved id to authz selectors.

				package handler

				import (

					"context"

					"github.com/SigNoz/signoz/pkg/errors"

					"github.com/SigNoz/signoz/pkg/types/audittypes"

					"github.com/SigNoz/signoz/pkg/types/authtypes"

					"github.com/SigNoz/signoz/pkg/types/coretypes"

				)

				var errCodeInvalidResourceDef = errors.MustNewCode("invalid_resource_def")

				// SelectorFunc maps a resolved id (+ its resource) to authz FGA selectors. It is

				// the sole source of selectors — there is no default fallback to wildcard. Given

				// a missing id it decides for itself whether to return a wildcard or an error. It

				// never reads the request/body; ctx + claims are only for an optional DB lookup

				// (e.g. role UUID -> name).

				type SelectorFunc func(ctx context.Context, resource coretypes.Resource, id string, claims authtypes.Claims) ([]coretypes.Selector, error)

				// WildcardSelector ignores the id and returns the resource's wildcard selector.

				// Use for create / list / collection routes.

				var WildcardSelector SelectorFunc = func(_ context.Context, resource coretypes.Resource, _ string, _ authtypes.Claims) ([]coretypes.Selector, error) {

					return []coretypes.Selector{resource.Type().MustSelector(coretypes.WildCardSelectorString)}, nil

				}

				// IDSelector returns [exact, wildcard] for a present id and errors when the id is

				// missing. Use for instance routes whose id is in the path/body.

				var IDSelector SelectorFunc = func(_ context.Context, resource coretypes.Resource, id string, _ authtypes.Claims) ([]coretypes.Selector, error) {

					if id == "" {

						return nil, errors.Newf(errors.TypeInvalidInput, errCodeInvalidResourceDef, "resource id is required for %s", resource.Kind().String())

					}

					selector, err := resource.Type().Selector(id)

					if err != nil {

						return nil, err

					}

					return []coretypes.Selector{selector, resource.Type().MustSelector(coretypes.WildCardSelectorString)}, nil

				}

				// ResourceSpec is the sealed interface implemented by ResourceDef and

				// ResourcesDef. Only these two satisfy WithResourceDefs.

				type ResourceSpec interface {

					sealResourceSpec()

					resolveRequest(ec ExtractorContext) []*ResolvedResource

				}

				// ResourceDef declares one resource an operation acts on. For attach/detach,

				// Related names the counterpart for audit clarity only — it is never authz-checked.

				type ResourceDef struct {

					Resource coretypes.Resource

					Verb     coretypes.Verb

					ID       ResourceIDExtractor

					Selector SelectorFunc

					Category audittypes.ActionCategory

					Related  *RelatedResource

				}

				// ResourcesDef declares many resources of one kind (fan-out). One resolved

				// entry is produced per id.

				type ResourcesDef struct {

					Resource coretypes.Resource

					Verb     coretypes.Verb

					IDs      ResourceIDsExtractor

					Selector SelectorFunc

					Category audittypes.ActionCategory

					Related  *RelatedResource

				}

				// RelatedResource is a counterpart named purely for audit clarity. It carries no

				// verb and no selector and is not authz-checked.

				type RelatedResource struct {

					Resource coretypes.Resource

					ID       ResourceIDExtractor

				}

				func (ResourceDef) sealResourceSpec()  {}

				func (ResourcesDef) sealResourceSpec() {}

				func (d ResourceDef) resolveRequest(ec ExtractorContext) []*ResolvedResource {

					resolved := &ResolvedResource{

						Resource:    d.Resource,

						Verb:        d.Verb,

						Selector:    d.Selector,

						Category:    d.Category,

						idExtractor: d.ID,

						Related:     newResolvedRelated(d.Related),

					}

					resolved.resolve(phaseRequest, ec)

					return []*ResolvedResource{resolved}

				}

				func (d ResourcesDef) resolveRequest(ec ExtractorContext) []*ResolvedResource {

					var ids []string

					if d.IDs.fn != nil {

						ids, _ = d.IDs.fn(ec)

					}

					resolved := make([]*ResolvedResource, 0, len(ids))

					for _, id := range ids {

						entry := &ResolvedResource{

							Resource: d.Resource,

							Verb:     d.Verb,

							ID:       id,

							Selector: d.Selector,

							Category: d.Category,

							Related:  newResolvedRelated(d.Related),

						}

						entry.resolve(phaseRequest, ec)

						resolved = append(resolved, entry)

					}

					return resolved

				}

				// ResolveRequest resolves the request-phase ids for all specs (fan-out included)

				// against ec. Called by the resource middleware pre-handler.

				func ResolveRequest(defs []ResourceSpec, ec ExtractorContext) []*ResolvedResource {

					var resolved []*ResolvedResource

					for _, def := range defs {

						resolved = append(resolved, def.resolveRequest(ec)...)

					}

					return resolved

				}

									
										86

pkg/http/handler/resourcedef_test.go
									
										Normal file
									
												View File
												
				@@ -0,0 +1,86 @@

				package handler

				import (

					"context"

					"net/http"

					"net/http/httptest"

					"testing"

					"github.com/SigNoz/signoz/pkg/types/authtypes"

					"github.com/SigNoz/signoz/pkg/types/coretypes"

					"github.com/gorilla/mux"

					"github.com/stretchr/testify/assert"

					"github.com/stretchr/testify/require"

				)

				func TestStandardSelectors(t *testing.T) {

					ctx := context.Background()

					claims := authtypes.Claims{}

					wildcard, err := WildcardSelector(ctx, coretypes.ResourceServiceAccount, "ignored", claims)

					require.NoError(t, err)

					require.Len(t, wildcard, 1)

					assert.Equal(t, coretypes.WildCardSelectorString, wildcard[0].String())

					// IDSelector errors on a missing id — no silent wildcard fallback.

					_, err = IDSelector(ctx, coretypes.ResourceServiceAccount, "", claims)

					require.Error(t, err)

					id := "0199c47d-f61b-7833-bc5f-c0730f12f046"

					selectors, err := IDSelector(ctx, coretypes.ResourceServiceAccount, id, claims)

					require.NoError(t, err)

					require.Len(t, selectors, 2)

					assert.Equal(t, id, selectors[0].String())

					assert.Equal(t, coretypes.WildCardSelectorString, selectors[1].String())

				}

				func TestResolveRequestAndFinalize(t *testing.T) {

					req := httptest.NewRequest(http.MethodPost, "/x", nil)

					req = mux.SetURLVars(req, map[string]string{"id": "sa-1"})

					body := []byte(`{"id":"role-1","channels":["c1","c2"]}`)

					defs := []ResourceSpec{

						ResourceDef{

							Resource: coretypes.ResourceServiceAccount, Verb: coretypes.VerbAttach,

							ID: PathParam("id"), Selector: IDSelector,

							Related: &RelatedResource{Resource: coretypes.ResourceRole, ID: BodyJSONPath("id")},

						},

						ResourceDef{

							Resource: coretypes.ResourceMetaResourceFactorAPIKey, Verb: coretypes.VerbCreate,

							ID: ResponseJSONPath("data.id"), Selector: WildcardSelector,

						},

						ResourcesDef{

							Resource: coretypes.ResourceMetaResourceNotificationChannel, Verb: coretypes.VerbAttach,

							IDs: BodyJSONArray("channels"), Selector: IDSelector,

						},

					}

					resolved := ResolveRequest(defs, ExtractorContext{Request: req, RequestBody: body})

					// 1 service account + 1 create + 2 channels (fan-out).

					require.Len(t, resolved, 4)

					assert.Equal(t, "sa-1", resolved[0].ID)

					require.NotNil(t, resolved[0].Related)

					assert.Equal(t, "role-1", resolved[0].Related.ID)

					assert.Equal(t, "", resolved[1].ID, "response-phase id is empty pre-handler")

					assert.Equal(t, "c1", resolved[2].ID)

					assert.Equal(t, "c2", resolved[3].ID)

					assert.True(t, HasResponseIDs(resolved))

					// Audit finalizes the response-phase id once the response body is present.

					FinalizeResponseIDs(resolved, ExtractorContext{ResponseBody: []byte(`{"data":{"id":"key-9"}}`)})

					assert.Equal(t, "key-9", resolved[1].ID)

				}

				func TestExtractorPhases(t *testing.T) {

					assert.Equal(t, phaseRequest, PathParam("id").phase)

					assert.Equal(t, phaseRequest, BodyJSONPath("id").phase)

					assert.Equal(t, phaseRequest, BodyJSONArray("ids").phase)

					assert.Equal(t, phaseResponse, ResponseJSONPath("data.id").phase)

					// ResponseJSONPath yields "" when the response body is absent (pre-handler).

					id, err := ResponseJSONPath("data.id").fn(ExtractorContext{})

					require.NoError(t, err)

					assert.Equal(t, "", id)

				}

									
										111

pkg/http/middleware/audit.go
									
												View File
												
				@@ -61,6 +61,13 @@ func (middleware *Audit) Wrap(next http.Handler) http.Handler {

						responseBuffer := &byteBuffer{}

						writer := newResponseCapture(rw, responseBuffer)

						// If any resolved resource derives its id from the response, capture the

						// success body (bounded) so the audit event can read it post-handler.

						if resolved, err := handler.ResolvedResourcesFromContext(req.Context()); err == nil && handler.HasResponseIDs(resolved) {

							writer.EnableBodyCapture()

						}

						next.ServeHTTP(writer, req)

						statusCode, writeErr := writer.StatusCode(), writer.WriteError()

				@@ -80,7 +87,9 @@ func (middleware *Audit) Wrap(next http.Handler) http.Handler {

							fields = append(fields, errors.Attr(writeErr))

							middleware.logger.ErrorContext(req.Context(), logMessage, fields...)

						} else {

							if responseBuffer.Len() != 0 {

							// Only log error bodies (status >= 400); a force-captured success

							// body is for audit id extraction, not for logging.

							if statusCode >= 400 && responseBuffer.Len() != 0 {

								fields = append(fields, "response.body", responseBuffer.String())

							}

				@@ -94,76 +103,54 @@ func (middleware *Audit) emitAuditEvent(req *http.Request, writer responseCaptur

						return

					}

					def := auditDefFromRequest(req)

					if def == nil {

						return

					}

					// extract claims

					claims, _ := authtypes.ClaimsFromContext(req.Context())

					// extract status code

					statusCode := writer.StatusCode()

					// extract traces.

					span := trace.SpanFromContext(req.Context())

					// extract error details.

					var errorType, errorCode string

					if statusCode >= 400 {

						errorType = render.ErrorTypeFromStatusCode(statusCode)

						errorCode = render.ErrorCodeFromBody(writer.BodyBytes())

					}

					event := audittypes.NewAuditEventFromHTTPRequest(

						req,

						routeTemplate,

						statusCode,

						span.SpanContext().TraceID(),

						span.SpanContext().SpanID(),

						def.Action,

						def.Category,

						claims,

						resourceIDFromRequest(req, def.ResourceIDParam),

						def.ResourceKind,

						errorType,

						errorCode,

					)

					// Resources resolved by the Resource middleware — emit one event per entry.

					resolved, err := handler.ResolvedResourcesFromContext(req.Context())

					if err != nil || len(resolved) == 0 {

						return

					}

					middleware.auditor.Audit(req.Context(), event)

				}

				func auditDefFromRequest(req *http.Request) *handler.AuditDef {

					route := mux.CurrentRoute(req)

					if route == nil {

						return nil

					}

					actualHandler := route.GetHandler()

					if actualHandler == nil {

						return nil

					}

					// The type assertion is necessary because route.GetHandler() returns

					// http.Handler, and not every http.Handler on the mux is a handler.Handler

					// (e.g. middleware wrappers, raw http.HandlerFunc registrations).

					provider, ok := actualHandler.(handler.Handler)

					if !ok {

						return nil

					}

					return provider.AuditDef()

				}

				func resourceIDFromRequest(req *http.Request, param string) string {

					if param == "" {

						return ""

					}

					vars := mux.Vars(req)

					if vars == nil {

						return ""

					}

					return vars[param]

					extractorCtx := handler.ExtractorContext{

						Request:      req,

						ResponseBody: writer.BodyBytes(),

					}

					handler.FinalizeResponseIDs(resolved, extractorCtx)

					for _, entry := range resolved {

						// Audit records state changes only — skip read/list verbs (they still

						// exist on the def for authz).

						if !entry.Verb.IsMutation() {

							continue

						}

						resourceAttributes := audittypes.NewResourceAttributes(entry.Resource, entry.ID)

						if entry.Related != nil {

							resourceAttributes = audittypes.NewRelatedResourceAttributes(entry.Resource, entry.ID, entry.Related.Resource, entry.Related.ID)

						}

						event := audittypes.NewAuditEventFromHTTPRequest(

							req,

							routeTemplate,

							statusCode,

							span.SpanContext().TraceID(),

							span.SpanContext().SpanID(),

							entry.Verb,

							entry.Category,

							claims,

							resourceAttributes,

							errorType,

							errorCode,

						)

						middleware.auditor.Audit(req.Context(), event)

					}

				}

									
										104

pkg/http/middleware/authz.go
									
												View File
												
				@@ -6,6 +6,7 @@ import (

					"github.com/SigNoz/signoz/pkg/authz"

					"github.com/SigNoz/signoz/pkg/errors"

					"github.com/SigNoz/signoz/pkg/http/handler"

					"github.com/SigNoz/signoz/pkg/http/render"

					"github.com/SigNoz/signoz/pkg/modules/organization"

					"github.com/SigNoz/signoz/pkg/types"

				@@ -19,18 +20,6 @@ const (

					authzDeniedMessage string = "::AUTHZ-DENIED::"

				)

				type AuthZCheckDef struct {

					Relation         authtypes.Relation

					Resource         coretypes.Resource

					SelectorCallback selectorCallbackWithClaimsFn

					Roles            []string

				}

				// AuthZCheckGroup is a set of checks OR'd together.

				// At least one check in the group must pass for the group to pass.

				type AuthZCheckGroup []AuthZCheckDef

				type selectorCallbackWithClaimsFn func(*http.Request, authtypes.Claims) ([]coretypes.Selector, error)

				type selectorCallbackWithoutClaimsFn func(*http.Request, []*types.Organization) ([]coretypes.Selector, valuer.UUID, error)

				type AuthZ struct {

				@@ -201,7 +190,12 @@ func (middleware *AuthZ) OpenAccess(next http.HandlerFunc) http.HandlerFunc {

					})

				}

				func (middleware *AuthZ) Check(next http.HandlerFunc, relation authtypes.Relation, typeable coretypes.Resource, cb selectorCallbackWithClaimsFn, roles []string) http.HandlerFunc {

				// CheckResources authorizes every resolved ResourceDef for the route (AND across

				// defs). It reads the list placed by the Resource middleware. Each def's Selector

				// is the sole source of its FGA selectors; roles are the role names allowed

				// (consumed by the OSS role-gate, while the resource selectors drive the EE

				// resource check).

				func (middleware *AuthZ) CheckResources(next http.HandlerFunc, roles ...string) http.HandlerFunc {

					return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {

						ctx := req.Context()

						claims, err := authtypes.ClaimsFromContext(ctx)

				@@ -210,40 +204,7 @@ func (middleware *AuthZ) Check(next http.HandlerFunc, relation authtypes.Relatio

							return

						}

						selectors, err := cb(req, claims)

						if err != nil {

							render.Error(rw, err)

							return

						}

						roleSelectors := []coretypes.Selector{}

						for _, role := range roles {

							roleSelectors = append(roleSelectors, coretypes.TypeRole.MustSelector(role))

						}

						err = middleware.authzService.CheckWithTupleCreation(ctx, claims, valuer.MustNewUUID(claims.OrgID), relation, typeable, selectors, roleSelectors)

						if err != nil {

							render.Error(rw, err)

							return

						}

						next(rw, req)

					})

				}

				// CheckAll verifies groups of permission checks.

				// Within each group, checks are OR'd (any check passing = group passes).

				// Across groups, results are AND'd (all groups must pass).

				//

				// This model expresses any combination:

				//   - Single check:          []AuthZCheckGroup{{checkA}}

				//   - Pure AND:              []AuthZCheckGroup{{checkA}, {checkB}}

				//   - Cross-resource OR:     []AuthZCheckGroup{{checkA, checkB}}

				//   - Mixed (A OR B) AND C:  []AuthZCheckGroup{{checkA, checkB}, {checkC}}

				func (middleware *AuthZ) CheckAll(next http.HandlerFunc, groups []AuthZCheckGroup) http.HandlerFunc {

					return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {

						ctx := req.Context()

						claims, err := authtypes.ClaimsFromContext(ctx)

						resolved, err := handler.ResolvedResourcesFromContext(ctx)

						if err != nil {

							render.Error(rw, err)

							return

				@@ -251,32 +212,37 @@ func (middleware *AuthZ) CheckAll(next http.HandlerFunc, groups []AuthZCheckGrou

						orgID := valuer.MustNewUUID(claims.OrgID)

						for _, group := range groups {

							groupPassed := false

							var lastErr error

						roleSelectors := make([]coretypes.Selector, len(roles))

						for idx, role := range roles {

							roleSelectors[idx] = coretypes.TypeRole.MustSelector(role)

						}

							for _, check := range group {

								selectors, err := check.SelectorCallback(req, claims)

								if err != nil {

									render.Error(rw, err)

						for _, def := range resolved {

							if def.Selector == nil {

								render.Error(rw, errors.New(errors.TypeInternal, errors.CodeInternal, "resource def used with CheckResources must declare a Selector"))

								return

							}

							selectors, err := def.Selector(ctx, def.Resource, def.ID, claims)

							if err != nil {

								render.Error(rw, err)

								return

							}

							err = middleware.authzService.CheckWithTupleCreation(ctx, claims, orgID, authtypes.Relation{Verb: def.Verb}, def.Resource, selectors, roleSelectors)

							if err != nil {

								if errors.Asc(err, authtypes.ErrCodeAuthZForbidden) {

									middleware.logger.WarnContext(ctx, authzDeniedMessage, slog.Any("claims", claims))

									if def.ID != "" {

										render.Error(rw, errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "you don't have %s access to %s %s", def.Verb.StringValue(), def.Resource.Kind().String(), def.ID))

										return

									}

									render.Error(rw, errors.Newf(errors.TypeForbidden, authtypes.ErrCodeAuthZForbidden, "you don't have %s access to %s", def.Verb.StringValue(), def.Resource.Kind().String()))

									return

								}

								roleSelectors := make([]coretypes.Selector, len(check.Roles))

								for idx, role := range check.Roles {

									roleSelectors[idx] = coretypes.TypeRole.MustSelector(role)

								}

								err = middleware.authzService.CheckWithTupleCreation(ctx, claims, orgID, check.Relation, check.Resource, selectors, roleSelectors)

								if err == nil {

									groupPassed = true

									break

								}

								lastErr = err

							}

							if !groupPassed {

								render.Error(rw, lastErr)

								render.Error(rw, err)

								return

							}

						}

									
										69

pkg/http/middleware/resource.go
									
										Normal file
									
												View File
												
				@@ -0,0 +1,69 @@

				package middleware

				import (

					"bytes"

					"io"

					"log/slog"

					"net/http"

					"github.com/SigNoz/signoz/pkg/http/handler"

					"github.com/gorilla/mux"

				)

				// Resource resolves a route's declared ResourceDefs (request-side) and stashes

				// the result in the request context. It is the OUTER of the resource-aware

				// middlewares (placed before Audit) and the single point that buffers the

				// request body. AuthZ (in the handler) and Audit (inner) read the resolved list.

				type Resource struct {

					logger *slog.Logger

				}

				func NewResource(logger *slog.Logger) *Resource {

					return &Resource{logger: logger.With(slog.String("pkg", pkgname))}

				}

				func (middleware *Resource) Wrap(next http.Handler) http.Handler {

					return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {

						defs := resourceDefsFromRequest(req)

						if len(defs) == 0 {

							next.ServeHTTP(rw, req)

							return

						}

						// Buffer the request body once so request-side extractors can read it and

						// the handler still sees a fresh reader. Single buffering point.

						var body []byte

						if req.Body != nil {

							body, _ = io.ReadAll(req.Body)

							req.Body = io.NopCloser(bytes.NewReader(body))

						}

						extractorCtx := handler.ExtractorContext{

							Request:     req,

							RequestBody: body,

						}

						resolved := handler.ResolveRequest(defs, extractorCtx)

						ctx := handler.NewContextWithResolvedResources(req.Context(), resolved)

						next.ServeHTTP(rw, req.WithContext(ctx))

					})

				}

				func resourceDefsFromRequest(req *http.Request) []handler.ResourceSpec {

					route := mux.CurrentRoute(req)

					if route == nil {

						return nil

					}

					actualHandler := route.GetHandler()

					if actualHandler == nil {

						return nil

					}

					provider, ok := actualHandler.(handler.Handler)

					if !ok {

						return nil

					}

					return provider.ResourceDefs()

				}

									
										28

pkg/http/middleware/response.go
									
												View File
												
				@@ -23,9 +23,14 @@ type responseCapture interface {

					// WriteError returns the error (if any) from the downstream Write call.

					WriteError() error

					// BodyBytes returns the captured response body bytes. Only populated

					// for error responses (status >= 400).

					// BodyBytes returns the captured response body bytes. Populated for error

					// responses (status >= 400), or for any response once EnableBodyCapture is called.

					BodyBytes() []byte

					// EnableBodyCapture forces capture of the response body regardless of status

					// code (still bounded by maxResponseBodyCapture). Must be called before the

					// handler writes the response.

					EnableBodyCapture()

				}

				func newResponseCapture(rw http.ResponseWriter, buffer *byteBuffer) responseCapture {

				@@ -72,12 +77,13 @@ func (b *byteBuffer) String() string {

				}

				type nonFlushingResponseCapture struct {

					rw            http.ResponseWriter

					buffer        *byteBuffer

					captureBody   bool

					bodyBytesLeft int

					statusCode    int

					writeError    error

					rw               http.ResponseWriter

					buffer           *byteBuffer

					captureBody      bool

					forceCaptureBody bool

					bodyBytesLeft    int

					statusCode       int

					writeError       error

				}

				type flushingResponseCapture struct {

				@@ -98,13 +104,17 @@ func (writer *nonFlushingResponseCapture) Header() http.Header {

				// WriteHeader writes the HTTP response header.

				func (writer *nonFlushingResponseCapture) WriteHeader(statusCode int) {

					writer.statusCode = statusCode

					if statusCode >= 400 {

					if statusCode >= 400 || writer.forceCaptureBody {

						writer.captureBody = true

					}

					writer.rw.WriteHeader(statusCode)

				}

				func (writer *nonFlushingResponseCapture) EnableBodyCapture() {

					writer.forceCaptureBody = true

				}

				// Write writes HTTP response data.

				func (writer *nonFlushingResponseCapture) Write(data []byte) (int, error) {

					if writer.statusCode == 0 {

									
										13

pkg/modules/session/implsession/handler.go
									
												View File
												
				@@ -4,9 +4,11 @@ import (

					"context"

					"net/http"

					"net/url"

					"path"

					"time"

					"github.com/SigNoz/signoz/pkg/errors"

					"github.com/SigNoz/signoz/pkg/global"

					"github.com/SigNoz/signoz/pkg/http/binding"

					"github.com/SigNoz/signoz/pkg/http/render"

					"github.com/SigNoz/signoz/pkg/modules/session"

				@@ -15,11 +17,12 @@ import (

				)

				type handler struct {

					module session.Module

					module       session.Module

					globalConfig global.Config

				}

				func NewHandler(module session.Module) session.Handler {

					return &handler{module: module}

				func NewHandler(module session.Module, globalConfig global.Config) session.Handler {

					return &handler{module: module, globalConfig: globalConfig}

				}

				func (handler *handler) GetSessionContext(rw http.ResponseWriter, req *http.Request) {

				@@ -158,13 +161,13 @@ func (handler *handler) DeleteSession(rw http.ResponseWriter, req *http.Request)

					render.Success(rw, http.StatusNoContent, nil)

				}

				func (*handler) getRedirectURLFromErr(err error) string {

				func (handler *handler) getRedirectURLFromErr(err error) string {

					values := errors.AsURLValues(err)

					values.Add("callbackauthnerr", "true")

					return (&url.URL{

						// When UI is being served on a prefix, we need to redirect to the login page on the prefix.

						Path:     "/login",

						Path:     path.Join(handler.globalConfig.ExternalPath(), "/login"),

						RawQuery: values.Encode(),

					}).String()

				}

									
										33

pkg/modules/tracedetail/config.go
									
												View File
												
				@@ -6,7 +6,16 @@ import (

				)

				type Config struct {

					Waterfall WaterfallConfig `mapstructure:"waterfall"`

					Waterfall  WaterfallConfig  `mapstructure:"waterfall"`

					Flamegraph FlamegraphConfig `mapstructure:"flamegraph"`

				}

				type FlamegraphConfig struct {

					MaxSelectedLevels            int  `mapstructure:"max_selected_levels"`

					MaxSpansPerLevel             int  `mapstructure:"max_spans_per_level"`

					SamplingTopLatencySpansCount int  `mapstructure:"sampling_top_latency_count"`

					SamplingBucketCount          int  `mapstructure:"sampling_bucket_count"`

					SelectAllSpansLimit          uint `mapstructure:"select_all_spans_limit"`

				}

				type WaterfallConfig struct {

				@@ -29,6 +38,13 @@ func newConfig() factory.Config {

							MaxDepthToAutoExpand:     5,

							MaxLimitToSelectAllSpans: 10_000,

						},

						Flamegraph: FlamegraphConfig{

							MaxSelectedLevels:            50,

							MaxSpansPerLevel:             100,

							SamplingTopLatencySpansCount: 5,

							SamplingBucketCount:          50,

							SelectAllSpansLimit:          100_000,

						},

					}

				}

				@@ -42,5 +58,20 @@ func (c Config) Validate() error {

					if c.Waterfall.MaxLimitToSelectAllSpans == 0 {

						return errors.NewInvalidInputf(errors.CodeInvalidInput, "traces.waterfall.max_limit_to_select_all_spans must be positive")

					}

					if c.Flamegraph.MaxSelectedLevels <= 0 {

						return errors.NewInvalidInputf(errors.CodeInvalidInput, "tracedetail.flamegraph.level_limit must be positive, got %d", c.Flamegraph.MaxSelectedLevels)

					}

					if c.Flamegraph.MaxSpansPerLevel <= 0 {

						return errors.NewInvalidInputf(errors.CodeInvalidInput, "tracedetail.flamegraph.spans_per_level must be positive, got %d", c.Flamegraph.MaxSpansPerLevel)

					}

					if c.Flamegraph.SamplingTopLatencySpansCount < 0 {

						return errors.NewInvalidInputf(errors.CodeInvalidInput, "tracedetail.flamegraph.top_latency_count cannot be negative, got %d", c.Flamegraph.SamplingTopLatencySpansCount)

					}

					if c.Flamegraph.SamplingBucketCount <= 0 {

						return errors.NewInvalidInputf(errors.CodeInvalidInput, "tracedetail.flamegraph.bucket_count must be positive, got %d", c.Flamegraph.SamplingBucketCount)

					}

					if c.Flamegraph.SelectAllSpansLimit == 0 {

						return errors.NewInvalidInputf(errors.CodeInvalidInput, "tracedetail.flamegraph.max_limit_to_select_all_spans must be positive")

					}

					return nil

				}

									
										16

pkg/modules/tracedetail/impltracedetail/handler.go
									
												View File
												
				@@ -80,3 +80,19 @@ func (h *handler) GetTraceAggregations(rw http.ResponseWriter, r *http.Request)

					render.Success(rw, http.StatusOK, result)

				}

				func (h *handler) GetFlamegraph(rw http.ResponseWriter, r *http.Request) {

					req := new(spantypes.PostableFlamegraph)

					if err := binding.JSON.BindBody(r.Body, req); err != nil {

						render.Error(rw, err)

						return

					}

					result, err := h.module.GetFlamegraph(r.Context(), mux.Vars(r)["traceID"], req.SelectedSpanID, req.SelectFields)

					if err != nil {

						render.Error(rw, err)

						return

					}

					render.Success(rw, http.StatusOK, result)

				}

									
										56

pkg/modules/tracedetail/impltracedetail/module.go
									
												View File
												
				@@ -7,6 +7,7 @@ import (

					"github.com/SigNoz/signoz/pkg/factory"

					"github.com/SigNoz/signoz/pkg/modules/tracedetail"

					"github.com/SigNoz/signoz/pkg/types/spantypes"

					"github.com/SigNoz/signoz/pkg/types/telemetrytypes"

					"go.opentelemetry.io/otel/metric"

				)

				@@ -164,6 +165,17 @@ func (m *module) GetTraceAggregations(ctx context.Context, traceID string, req *

					return &spantypes.GettableTraceAggregations{Aggregations: results}, nil

				}

				func (m *module) GetFlamegraph(ctx context.Context, traceID string, selectedSpanID string, selectFields []telemetrytypes.TelemetryFieldKey) (*spantypes.GettableFlamegraphTrace, error) {

					summary, err := m.store.GetTraceSummary(ctx, traceID)

					if err != nil {

						return nil, err

					}

					if summary.NumSpans <= uint64(m.config.Flamegraph.SelectAllSpansLimit) {

						return m.getFullFlamegraph(ctx, traceID, summary, selectFields)

					}

					return m.getWindowedFlamegraph(ctx, traceID, selectedSpanID, summary, selectFields)

				}

				// getWindowedWaterfall builds the waterfall tree with minimal data and then returns only a window of full spans.

				func (m *module) getWindowedWaterfall(ctx context.Context, traceID, selectedSpanID string, uncollapsedSpans []string, start, end time.Time) (*spantypes.GettableWaterfallTrace, error) {

					// Step 1: minimal fetch → build full tree → select visible window

				@@ -204,3 +216,47 @@ func (m *module) getWindowedWaterfall(ctx context.Context, traceID, selectedSpan

						waterfallTrace, selectedSpans, uncollapsedSpans, false, nil,

					), nil

				}

				func (m *module) getFullFlamegraph(ctx context.Context, traceID string, summary *spantypes.TraceSummary, selectFields []telemetrytypes.TelemetryFieldKey) (*spantypes.GettableFlamegraphTrace, error) {

					fullSpans, err := m.store.GetFlamegraphSpans(ctx, traceID, summary.Start, summary.End, nil)

					if err != nil {

						return nil, err

					}

					if len(fullSpans) == 0 {

						return nil, spantypes.ErrTraceNotFound

					}

					flamegraphTrace := spantypes.NewFlamegraphTraceFromStorable(fullSpans, selectFields)

					return spantypes.NewGettableFlamegraphTrace(flamegraphTrace.GetAllLevels(), summary.Start.UnixMilli(), summary.End.UnixMilli(), false), nil

				}

				// getWindowedFlamegraph returns a window of a max levels and max sampled spans per level around the selected span.

				func (m *module) getWindowedFlamegraph(ctx context.Context, traceID, selectedSpanID string, summary *spantypes.TraceSummary, selectFields []telemetrytypes.TelemetryFieldKey) (*spantypes.GettableFlamegraphTrace, error) {

					minimalSpans, err := m.store.GetMinimalSpans(ctx, traceID, summary.Start, summary.End)

					if err != nil {

						return nil, err

					}

					if len(minimalSpans) == 0 {

						return nil, spantypes.ErrTraceNotFound

					}

					flamegraphTrace := spantypes.NewFlamegraphTraceFromMinimal(minimalSpans)

					minimalSpans = nil //nolint:ineffassign,wastedassign // release backing array before further db calls

					cfg := m.config.Flamegraph

					selectedSpans := flamegraphTrace.GetSelectedLevels(selectedSpanID, cfg.MaxSelectedLevels, cfg.MaxSpansPerLevel, cfg.SamplingTopLatencySpansCount, cfg.SamplingBucketCount)

					if len(selectedSpans) == 0 {

						return nil, spantypes.ErrTraceNotFound

					}

					fullSpans, err := m.store.GetFlamegraphSpans(ctx, traceID, summary.Start, summary.End, spantypes.FlamegraphWindowSpanIDs(selectedSpans))

					if err != nil {

						return nil, err

					}

					return spantypes.NewGettableFlamegraphTrace(

						flamegraphTrace.EnrichSelectedSpans(selectedSpans, fullSpans, selectFields),

						summary.Start.UnixMilli(),

						summary.End.UnixMilli(),

						true,

					), nil

				}

									
										41

pkg/modules/tracedetail/impltracedetail/store.go
									
												View File
												
				@@ -154,6 +154,47 @@ func (s *traceStore) GetTraceSpansByIDs(ctx context.Context, traceID string, sta

					return spans, nil

				}

				func (s *traceStore) GetFlamegraphSpans(ctx context.Context, traceID string, start, end time.Time, spanIDs []string) ([]spantypes.StorableSpan, error) {

					sb := sqlbuilder.NewSelectBuilder()

					sb.Select(

						"span_id",

						"any(parent_span_id) AS parent_span_id",

						"any(timestamp) AS timestamp",

						"any(duration_nano) AS duration_nano",

						"any(has_error) AS has_error",

						"any(name) AS name",

						"any(events) AS events",

						"any(attributes_string) AS attributes_string",

						"any(attributes_number) AS attributes_number",

						"any(attributes_bool) AS attributes_bool",

						"any(resources_string) AS resources_string",

					)

					sb.From(fmt.Sprintf("%s.%s", spantypes.TraceDB, spantypes.TraceTable))

					conditions := []string{

						sb.E("trace_id", traceID),

						sb.GE("ts_bucket_start", start.Unix()-1800),

						sb.LE("ts_bucket_start", end.Unix()),

					}

					if len(spanIDs) > 0 {

						ids := make([]any, len(spanIDs))

						for i, id := range spanIDs {

							ids[i] = id

						}

						conditions = append(conditions, sb.In("span_id", ids...))

					}

					sb.Where(conditions...)

					sb.GroupBy("span_id")

					sb.OrderByAsc("timestamp")

					sb.OrderByAsc("name")

					query, args := sb.BuildWithFlavor(sqlbuilder.ClickHouse)

					var spans []spantypes.StorableSpan

					if err := s.telemetryStore.ClickhouseDB().Select(ctx, &spans, query, args...); err != nil {

						return nil, errors.WrapInternalf(err, errors.CodeInternal, "error querying flamegraph spans")

					}

					return spans, nil

				}

				func (s *traceStore) GetSpanCountByField(ctx context.Context, traceID string, summary *spantypes.TraceSummary, fieldKey telemetrytypes.TelemetryFieldKey) (map[string]uint64, error) {

					fieldExpr, err := buildFieldExpr(fieldKey)

					if err != nil {

									
										24

pkg/modules/tracedetail/impltracedetail/store_test.go
									
												View File
												
				@@ -91,6 +91,30 @@ func TestGetSpanCountByField(t *testing.T) {

					}

				}

				func TestGetFlamegraphSpans(t *testing.T) {

					baseSQL := "SELECT span_id, any(parent_span_id) AS parent_span_id, any(timestamp) AS timestamp, any(duration_nano) AS duration_nano, any(has_error) AS has_error, any(name) AS name, any(events) AS events, any(attributes_string) AS attributes_string, any(attributes_number) AS attributes_number, any(attributes_bool) AS attributes_bool, any(resources_string) AS resources_string FROM signoz_traces.distributed_signoz_index_v3 WHERE trace_id = ? AND ts_bucket_start >= ? AND ts_bucket_start <= ? GROUP BY span_id ORDER BY timestamp ASC, name ASC"

					withSpanIDsSQL := "SELECT span_id, any(parent_span_id) AS parent_span_id, any(timestamp) AS timestamp, any(duration_nano) AS duration_nano, any(has_error) AS has_error, any(name) AS name, any(events) AS events, any(attributes_string) AS attributes_string, any(attributes_number) AS attributes_number, any(attributes_bool) AS attributes_bool, any(resources_string) AS resources_string FROM signoz_traces.distributed_signoz_index_v3 WHERE trace_id = ? AND ts_bucket_start >= ? AND ts_bucket_start <= ? AND span_id IN (?, ?) GROUP BY span_id ORDER BY timestamp ASC, name ASC"

					tests := []struct {

						name    string

						spanIDs []string

						sql     string

					}{

						{name: "NoSpanIDs_GeneratesBaseSQL", spanIDs: nil, sql: baseSQL},

						{name: "WithSpanIDs_GeneratesInClauseSQL", spanIDs: []string{"span-1", "span-2"}, sql: withSpanIDsSQL},

					}

					for _, tc := range tests {

						t.Run(tc.name, func(t *testing.T) {

							s := newTestStore(sqlmock.QueryMatcherRegexp)

							s.Mock().ExpectSelect(regexp.QuoteMeta(tc.sql)).

								WillReturnRows(cmock.NewRows(nil, nil))

							_, _ = s.Store().GetFlamegraphSpans(context.Background(), testTraceID, testStart, testEnd, tc.spanIDs)

							assert.NoError(t, s.Mock().ExpectationsWereMet())

						})

					}

				}

				func TestGetSpanDurationByField(t *testing.T) {

					expectedSQL := "WITH all_spans AS (SELECT DISTINCT ON (span_id) resource.`service.name`::String AS field_value, toUnixTimestamp64Nano(timestamp) AS start_ns, start_ns + duration_nano AS end_ns FROM signoz_traces.distributed_signoz_index_v3 WHERE trace_id = ? AND ts_bucket_start >= ? AND ts_bucket_start <= ? AND notEmpty(field_value) ORDER BY timestamp ASC, name ASC), effective_start AS (SELECT field_value, end_ns, greatest(start_ns, ifNull(max(end_ns) OVER (PARTITION BY field_value ORDER BY start_ns ROWS BETWEEN UNBOUNDED PRECEDING AND 1 PRECEDING), toUInt64(0))) AS effective_start_ns FROM all_spans) SELECT field_value, sum(toUInt64(greatest(end_ns - effective_start_ns, 0))) AS total_ns FROM effective_start GROUP BY field_value"

									
										3

pkg/modules/tracedetail/tracedetail.go
									
												View File
												
				@@ -5,6 +5,7 @@ import (

					"net/http"

					"github.com/SigNoz/signoz/pkg/types/spantypes"

					"github.com/SigNoz/signoz/pkg/types/telemetrytypes"

				)

				// Handler exposes HTTP handlers for trace detail APIs.

				@@ -12,6 +13,7 @@ type Handler interface {

					GetWaterfall(http.ResponseWriter, *http.Request)

					GetWaterfallV4(http.ResponseWriter, *http.Request)

					GetTraceAggregations(http.ResponseWriter, *http.Request)

					GetFlamegraph(http.ResponseWriter, *http.Request)

				}

				// Module defines the business logic for trace detail operations.

				@@ -19,4 +21,5 @@ type Module interface {

					GetWaterfall(ctx context.Context, traceID string, req *spantypes.PostableWaterfall) (*spantypes.GettableWaterfallTrace, error)

					GetWaterfallV4(ctx context.Context, traceID string, selectedSpanID string, uncollapsedSpans []string, selectAllLimit uint) (*spantypes.GettableWaterfallTrace, error)

					GetTraceAggregations(ctx context.Context, traceID string, req *spantypes.PostableTraceAggregations) (*spantypes.GettableTraceAggregations, error)

					GetFlamegraph(ctx context.Context, traceID string, selectedSpanID string, selectFields []telemetrytypes.TelemetryFieldKey) (*spantypes.GettableFlamegraphTrace, error)

				}

									
										1

pkg/query-service/app/server.go
									
												View File
												
				@@ -168,6 +168,7 @@ func (s *Server) createPublicServer(api *APIHandler, web web.Web) (*http.Server,

						s.config.APIServer.Timeout.Default,

						s.config.APIServer.Timeout.Max,

					).Wrap)

					r.Use(middleware.NewResource(s.signoz.Instrumentation.Logger()).Wrap)

					r.Use(middleware.NewAudit(s.signoz.Instrumentation.Logger(), s.config.APIServer.Logging.ExcludedRoutes, s.signoz.Auditor).Wrap)

					r.Use(middleware.NewComment().Wrap)

									
										5

pkg/signoz/authn.go
									
												View File
												
				@@ -7,14 +7,15 @@ import (

					"github.com/SigNoz/signoz/pkg/authn/callbackauthn/googlecallbackauthn"

					"github.com/SigNoz/signoz/pkg/authn/passwordauthn/emailpasswordauthn"

					"github.com/SigNoz/signoz/pkg/factory"

					"github.com/SigNoz/signoz/pkg/global"

					"github.com/SigNoz/signoz/pkg/licensing"

					"github.com/SigNoz/signoz/pkg/types/authtypes"

				)

				func NewAuthNs(ctx context.Context, providerSettings factory.ProviderSettings, store authtypes.AuthNStore, licensing licensing.Licensing) (map[authtypes.AuthNProvider]authn.AuthN, error) {

				func NewAuthNs(ctx context.Context, providerSettings factory.ProviderSettings, store authtypes.AuthNStore, licensing licensing.Licensing, globalConfig global.Config) (map[authtypes.AuthNProvider]authn.AuthN, error) {

					emailPasswordAuthN := emailpasswordauthn.New(store)

					googleCallbackAuthN, err := googlecallbackauthn.New(ctx, store, providerSettings)

					googleCallbackAuthN, err := googlecallbackauthn.New(ctx, store, providerSettings, globalConfig)

					if err != nil {

						return nil, err

					}

									
										4

pkg/signoz/provider.go
									
												View File
												
				@@ -275,14 +275,14 @@ func NewQuerierProviderFactories(telemetryStore telemetrystore.TelemetryStore, p

					)

				}

				func NewAPIServerProviderFactories(orgGetter organization.Getter, authz authz.AuthZ, modules Modules, handlers Handlers) factory.NamedMap[factory.ProviderFactory[apiserver.APIServer, apiserver.Config]] {

				func NewAPIServerProviderFactories(orgGetter organization.Getter, authz authz.AuthZ, modules Modules, handlers Handlers, globalConfig global.Config) factory.NamedMap[factory.ProviderFactory[apiserver.APIServer, apiserver.Config]] {

					return factory.MustNewNamedMap(

						signozapiserver.NewFactory(

							orgGetter,

							authz,

							implorganization.NewHandler(modules.OrgGetter, modules.OrgSetter),

							impluser.NewHandler(modules.UserSetter, modules.UserGetter),

							implsession.NewHandler(modules.Session),

							implsession.NewHandler(modules.Session, globalConfig),

							implauthdomain.NewHandler(modules.AuthDomain),

							implpreference.NewHandler(modules.Preference),

							handlers.Global,

									
										1

pkg/signoz/provider_test.go
									
												View File
												
				@@ -95,6 +95,7 @@ func TestNewProviderFactories(t *testing.T) {

							nil,

							Modules{},

							Handlers{},

							global.Config{},

						)

					})

				}

									
										2

pkg/signoz/signoz.go
									
												View File
												
				@@ -542,7 +542,7 @@ func New(

						ctx,

						providerSettings,

						config.APIServer,

						NewAPIServerProviderFactories(orgGetter, authz, modules, handlers),

						NewAPIServerProviderFactories(orgGetter, authz, modules, handlers, config.Global),

						"signoz",

					)

					if err != nil {

									
										54

pkg/types/audittypes/attributes.go
									
												View File
												
				@@ -71,23 +71,50 @@ func (attributes PrincipalAttributes) Put(dest pcommon.Map) {

				// Audit attributes — Resource (On What).

				// These are OTel resource attributes (placed on the Resource, not event attributes).

				type ResourceAttributes struct {

					ResourceID   string

					ResourceKind coretypes.Kind // guaranteed to be present

					Resource   coretypes.Resource // guaranteed to be present

					ResourceID string

					// TargetResource names the counterpart of an attach/detach event (audit

					// context only). nil when there is no relationship.

					TargetResource   coretypes.Resource

					TargetResourceID string

				}

				func NewResourceAttributes(resourceID string, resourceKind coretypes.Kind) ResourceAttributes {

				func NewResourceAttributes(resource coretypes.Resource, resourceID string) ResourceAttributes {

					return ResourceAttributes{

						ResourceID:   resourceID,

						ResourceKind: resourceKind,

						Resource:   resource,

						ResourceID: resourceID,

					}

				}

				// NewAttachResourceAttributes builds resource attributes that additionally name

				// the target counterpart (used for attach/detach audit events).

				func NewRelatedResourceAttributes(resource coretypes.Resource, resourceID string, targetResource coretypes.Resource, targetResourceID string) ResourceAttributes {

					return ResourceAttributes{

						Resource:         resource,

						ResourceID:       resourceID,

						TargetResource:   targetResource,

						TargetResourceID: targetResourceID,

					}

				}

				// PutResource writes the resource attributes to an OTel Resource's attribute map.

				// These are resource-level attributes (stored in the resource JSON column),

				// not event-level attributes (stored in attributes_string).

				func (attributes ResourceAttributes) PutResource(dest pcommon.Map) {

					putStrIfNotEmpty(dest, "signoz.audit.resource.kind", attributes.ResourceKind.String())

				func (attributes ResourceAttributes) PutResource(orgID valuer.UUID, dest pcommon.Map) {

					putStrIfNotEmpty(dest, "signoz.audit.resource.kind", attributes.Resource.Kind().String())

					putStrIfNotEmpty(dest, "signoz.audit.resource.id", attributes.ResourceID)

					if attributes.ResourceID != "" {

						putStrIfNotEmpty(dest, "signoz.audit.resource.object", attributes.Resource.Object(orgID, attributes.ResourceID))

					}

					if attributes.TargetResource != nil {

						putStrIfNotEmpty(dest, "signoz.audit.resource.target.kind", attributes.TargetResource.Kind().String())

						putStrIfNotEmpty(dest, "signoz.audit.resource.target.id", attributes.TargetResourceID)

						if attributes.TargetResourceID != "" {

							putStrIfNotEmpty(dest, "signoz.audit.resource.target.object", attributes.TargetResource.Object(orgID, attributes.TargetResourceID))

						}

					}

				}

				// Audit attributes — Error (When outcome is failure)

				@@ -193,13 +220,24 @@ func newBody(auditAttributes AuditAttributes, principalAttributes PrincipalAttri

					// Resource: " kind (id)" or " kind".

					b.WriteString(" ")

					b.WriteString(resourceAttributes.ResourceKind.String())

					b.WriteString(resourceAttributes.Resource.Kind().String())

					if resourceAttributes.ResourceID != "" {

						b.WriteString(" (")

						b.WriteString(resourceAttributes.ResourceID)

						b.WriteString(")")

					}

					// Target (attach/detach context): " · target kind (id)" or " · target kind".

					if resourceAttributes.TargetResource != nil {

						b.WriteString(" to ")

						b.WriteString(resourceAttributes.TargetResource.Kind().String())

						if resourceAttributes.TargetResourceID != "" {

							b.WriteString(" (")

							b.WriteString(resourceAttributes.TargetResourceID)

							b.WriteString(")")

						}

					}

					// Error suffix (failure only): ": type (code)" or ": type" or ": (code)" or omitted.

					if auditAttributes.Outcome == OutcomeFailure {

						errorType := errorAttributes.ErrorType

									
										30

pkg/types/audittypes/attributes_test.go
									
												View File
												
				@@ -63,8 +63,8 @@ func TestNewBody(t *testing.T) {

								PrincipalEmail: valuer.MustNewEmail("test@acme.com"),

							},

							resourceAttributes: ResourceAttributes{

								ResourceID:   "",

								ResourceKind: coretypes.MustNewKind("dashboard"),

								ResourceID: "",

								Resource:   coretypes.ResourceMetaResourceDashboard,

							},

							errorAttributes: ErrorAttributes{},

							expectedBody:    "test@acme.com (019a1234-abcd-7000-8000-567800000001) deleted dashboard",

				@@ -81,8 +81,8 @@ func TestNewBody(t *testing.T) {

								PrincipalEmail: valuer.Email{},

							},

							resourceAttributes: ResourceAttributes{

								ResourceID:   "abd",

								ResourceKind: coretypes.MustNewKind("dashboard"),

								ResourceID: "abd",

								Resource:   coretypes.ResourceMetaResourceDashboard,

							},

							errorAttributes: ErrorAttributes{},

							expectedBody:    "019a1234-abcd-7000-8000-567800000001 deleted dashboard (abd)",

				@@ -99,8 +99,8 @@ func TestNewBody(t *testing.T) {

								PrincipalEmail: valuer.Email{},

							},

							resourceAttributes: ResourceAttributes{

								ResourceID:   "abd",

								ResourceKind: coretypes.MustNewKind("dashboard"),

								ResourceID: "abd",

								Resource:   coretypes.ResourceMetaResourceDashboard,

							},

							errorAttributes: ErrorAttributes{},

							expectedBody:    "deleted dashboard (abd)",

				@@ -117,8 +117,8 @@ func TestNewBody(t *testing.T) {

								PrincipalEmail: valuer.MustNewEmail("alice@acme.com"),

							},

							resourceAttributes: ResourceAttributes{

								ResourceID:   "019b-5678",

								ResourceKind: coretypes.MustNewKind("dashboard"),

								ResourceID: "019b-5678",

								Resource:   coretypes.ResourceMetaResourceDashboard,

							},

							errorAttributes: ErrorAttributes{},

							expectedBody:    "alice@acme.com (019a1234-abcd-7000-8000-567800000001) created dashboard (019b-5678)",

				@@ -132,10 +132,10 @@ func TestNewBody(t *testing.T) {

							},

							principalAttributes: PrincipalAttributes{},

							resourceAttributes: ResourceAttributes{

								ResourceKind: coretypes.MustNewKind("alert-rule"),

								Resource: coretypes.ResourceMetaResourceRule,

							},

							errorAttributes: ErrorAttributes{},

							expectedBody:    "updated alert-rule",

							expectedBody:    "updated rule",

						},

						{

							name: "Failure_AllPresent",

				@@ -149,8 +149,8 @@ func TestNewBody(t *testing.T) {

								PrincipalEmail: valuer.MustNewEmail("viewer@acme.com"),

							},

							resourceAttributes: ResourceAttributes{

								ResourceID:   "019b-5678",

								ResourceKind: coretypes.MustNewKind("dashboard"),

								ResourceID: "019b-5678",

								Resource:   coretypes.ResourceMetaResourceDashboard,

							},

							errorAttributes: ErrorAttributes{

								ErrorType: "forbidden",

				@@ -169,7 +169,7 @@ func TestNewBody(t *testing.T) {

								PrincipalEmail: valuer.MustNewEmail("test@acme.com"),

							},

							resourceAttributes: ResourceAttributes{

								ResourceKind: coretypes.MustNewKind("user"),

								Resource: coretypes.ResourceUser,

							},

							errorAttributes: ErrorAttributes{

								ErrorType: "not-found",

				@@ -187,8 +187,8 @@ func TestNewBody(t *testing.T) {

								PrincipalEmail: valuer.MustNewEmail("test@acme.com"),

							},

							resourceAttributes: ResourceAttributes{

								ResourceID:   "019b-5678",

								ResourceKind: coretypes.MustNewKind("dashboard"),

								ResourceID: "019b-5678",

								Resource:   coretypes.ResourceMetaResourceDashboard,

							},

							errorAttributes: ErrorAttributes{},

							expectedBody:    "test@acme.com (019a1234-abcd-7000-8000-567800000001) failed to create dashboard (019b-5678)",

									
										13

pkg/types/audittypes/event.go
									
												View File
												
				@@ -44,6 +44,8 @@ type AuditEvent struct {

					TransportAttributes TransportAttributes

				}

				// NewAuditEvent builds an audit event from pre-built resource attributes (which

				// may carry attach/target context).

				func NewAuditEventFromHTTPRequest(

					req *http.Request,

					route string,

				@@ -53,14 +55,12 @@ func NewAuditEventFromHTTPRequest(

					action coretypes.Verb,

					actionCategory ActionCategory,

					claims authtypes.Claims,

					resourceID string,

					resourceKind coretypes.Kind,

					resourceAttributes ResourceAttributes,

					errorType string,

					errorCode string,

				) AuditEvent {

					auditAttributes := NewAuditAttributesFromHTTP(statusCode, action, actionCategory, claims)

					principalAttributes := NewPrincipalAttributesFromClaims(claims)

					resourceAttributes := NewResourceAttributes(resourceID, resourceKind)

					errorAttributes := NewErrorAttributes(errorType, errorCode)

					transportAttributes := NewTransportAttributesFromHTTP(req, route, statusCode)

				@@ -69,7 +69,7 @@ func NewAuditEventFromHTTPRequest(

						TraceID:             traceID,

						SpanID:              spanID,

						Body:                newBody(auditAttributes, principalAttributes, resourceAttributes, errorAttributes),

						EventName:           NewEventName(resourceAttributes.ResourceKind, auditAttributes.Action),

						EventName:           NewEventName(resourceAttributes.Resource.Kind(), auditAttributes.Action),

						AuditAttributes:     auditAttributes,

						PrincipalAttributes: principalAttributes,

						ResourceAttributes:  resourceAttributes,

				@@ -89,7 +89,7 @@ func NewPLogsFromAuditEvents(events []AuditEvent, name string, version string, s

					groups := make(map[resourceKey][]int)

					order := make([]resourceKey, 0)

					for i, event := range events {

						key := resourceKey{kind: event.ResourceAttributes.ResourceKind.String(), id: event.ResourceAttributes.ResourceID}

						key := resourceKey{kind: event.ResourceAttributes.Resource.Kind().String(), id: event.ResourceAttributes.ResourceID}

						if _, exists := groups[key]; !exists {

							order = append(order, key)

						}

				@@ -101,7 +101,8 @@ func NewPLogsFromAuditEvents(events []AuditEvent, name string, version string, s

						resourceAttrs := resourceLogs.Resource().Attributes()

						resourceAttrs.PutStr(string(semconv.ServiceNameKey), name)

						resourceAttrs.PutStr(string(semconv.ServiceVersionKey), version)

						events[groups[key][0]].ResourceAttributes.PutResource(resourceAttrs)

						head := events[groups[key][0]]

						head.ResourceAttributes.PutResource(head.PrincipalAttributes.PrincipalOrgID, resourceAttrs)

						scopeLogs := resourceLogs.ScopeLogs().AppendEmpty()

						scopeLogs.Scope().SetName(scope)

									
										56

pkg/types/audittypes/event_test.go
									
												View File
												
				@@ -12,10 +12,10 @@ import (

				)

				var (

					testDashboardKind = coretypes.MustNewKind("dashboard")

					testDashboardResource = coretypes.ResourceMetaResourceDashboard

				)

				func TestNewAuditEventFromHTTPRequest(t *testing.T) {

				func TestNewAuditEvent(t *testing.T) {

					traceID := oteltrace.TraceID{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}

					spanID := oteltrace.SpanID{1, 2, 3, 4, 5, 6, 7, 8}

				@@ -28,8 +28,8 @@ func TestNewAuditEventFromHTTPRequest(t *testing.T) {

						action          coretypes.Verb

						category        ActionCategory

						claims          authtypes.Claims

						resource        coretypes.Resource

						resourceID      string

						resourceKind    coretypes.Kind

						errorType       string

						errorCode       string

						expectedOutcome Outcome

				@@ -44,8 +44,8 @@ func TestNewAuditEventFromHTTPRequest(t *testing.T) {

							action:          coretypes.VerbCreate,

							category:        ActionCategoryConfigurationChange,

							claims:          authtypes.Claims{UserID: "019a1234-abcd-7000-8000-567800000001", Email: "alice@acme.com", OrgID: "019a-0000-0000-0001", IdentNProvider: authtypes.IdentNProviderTokenizer},

							resource:        testDashboardResource,

							resourceID:      "019b-5678-efgh-9012",

							resourceKind:    testDashboardKind,

							expectedOutcome: OutcomeSuccess,

							expectedBody:    "alice@acme.com (019a1234-abcd-7000-8000-567800000001) created dashboard (019b-5678-efgh-9012)",

						},

				@@ -58,8 +58,8 @@ func TestNewAuditEventFromHTTPRequest(t *testing.T) {

							action:          coretypes.VerbUpdate,

							category:        ActionCategoryConfigurationChange,

							claims:          authtypes.Claims{UserID: "019aaaaa-bbbb-7000-8000-cccc00000002", Email: "viewer@acme.com", OrgID: "019a-0000-0000-0001", IdentNProvider: authtypes.IdentNProviderTokenizer},

							resource:        testDashboardResource,

							resourceID:      "019b-5678-efgh-9012",

							resourceKind:    testDashboardKind,

							errorType:       "forbidden",

							errorCode:       "authz_forbidden",

							expectedOutcome: OutcomeFailure,

				@@ -80,15 +80,14 @@ func TestNewAuditEventFromHTTPRequest(t *testing.T) {

								testCase.action,

								testCase.category,

								testCase.claims,

								testCase.resourceID,

								testCase.resourceKind,

								NewResourceAttributes(testCase.resource, testCase.resourceID),

								testCase.errorType,

								testCase.errorCode,

							)

							assert.Equal(t, testCase.expectedOutcome, event.AuditAttributes.Outcome)

							assert.Equal(t, testCase.expectedBody, event.Body)

							assert.Equal(t, testCase.resourceKind, event.ResourceAttributes.ResourceKind)

							assert.Equal(t, testCase.resource.Kind(), event.ResourceAttributes.Resource.Kind())

							assert.Equal(t, testCase.resourceID, event.ResourceAttributes.ResourceID)

							assert.Equal(t, testCase.action, event.AuditAttributes.Action)

							assert.Equal(t, testCase.category, event.AuditAttributes.ActionCategory)

				@@ -103,18 +102,18 @@ func TestNewAuditEventFromHTTPRequest(t *testing.T) {

					}

				}

				func newTestEvent(resourceKind coretypes.Kind, resourceID string, action coretypes.Verb) AuditEvent {

				func newTestEvent(resource coretypes.Resource, resourceID string, action coretypes.Verb) AuditEvent {

					return AuditEvent{

						Body:      resourceKind.String() + "." + action.PastTense(),

						EventName: NewEventName(resourceKind, action),

						Body:      resource.Kind().String() + "." + action.PastTense(),

						EventName: NewEventName(resource.Kind(), action),

						AuditAttributes: AuditAttributes{

							Action:         action,

							ActionCategory: ActionCategoryConfigurationChange,

							Outcome:        OutcomeSuccess,

						},

						ResourceAttributes: ResourceAttributes{

							ResourceKind: resourceKind,

							ResourceID:   resourceID,

							Resource:   resource,

							ResourceID: resourceID,

						},

					}

				}

				@@ -136,7 +135,7 @@ func TestNewPLogsFromAuditEvents(t *testing.T) {

						{

							name: "SingleEvent",

							events: []AuditEvent{

								newTestEvent(testDashboardKind, "d-001", coretypes.VerbCreate),

								newTestEvent(testDashboardResource, "d-001", coretypes.VerbCreate),

							},

							expectedResourceLogs:    1,

							expectedResourceKinds:   []string{"dashboard"},

				@@ -146,9 +145,9 @@ func TestNewPLogsFromAuditEvents(t *testing.T) {

						{

							name: "SameResource_MultipleEvents",

							events: []AuditEvent{

								newTestEvent(testDashboardKind, "d-001", coretypes.VerbCreate),

								newTestEvent(testDashboardKind, "d-001", coretypes.VerbUpdate),

								newTestEvent(testDashboardKind, "d-001", coretypes.VerbDelete),

								newTestEvent(testDashboardResource, "d-001", coretypes.VerbCreate),

								newTestEvent(testDashboardResource, "d-001", coretypes.VerbUpdate),

								newTestEvent(testDashboardResource, "d-001", coretypes.VerbDelete),

							},

							expectedResourceLogs:    1,

							expectedResourceKinds:   []string{"dashboard"},

				@@ -158,8 +157,8 @@ func TestNewPLogsFromAuditEvents(t *testing.T) {

						{

							name: "DifferentResources_SeparateGroups",

							events: []AuditEvent{

								newTestEvent(testDashboardKind, "d-001", coretypes.VerbUpdate),

								newTestEvent(coretypes.MustNewKind("user"), "u-001", coretypes.VerbDelete),

								newTestEvent(testDashboardResource, "d-001", coretypes.VerbUpdate),

								newTestEvent(coretypes.ResourceUser, "u-001", coretypes.VerbDelete),

							},

							expectedResourceLogs:    2,

							expectedResourceKinds:   []string{"dashboard", "user"},

				@@ -169,8 +168,8 @@ func TestNewPLogsFromAuditEvents(t *testing.T) {

						{

							name: "SameKind_DifferentIDs_SeparateGroups",

							events: []AuditEvent{

								newTestEvent(testDashboardKind, "d-001", coretypes.VerbUpdate),

								newTestEvent(testDashboardKind, "d-002", coretypes.VerbDelete),

								newTestEvent(testDashboardResource, "d-001", coretypes.VerbUpdate),

								newTestEvent(testDashboardResource, "d-002", coretypes.VerbDelete),

							},

							expectedResourceLogs:    2,

							expectedResourceKinds:   []string{"dashboard", "dashboard"},

				@@ -180,11 +179,11 @@ func TestNewPLogsFromAuditEvents(t *testing.T) {

						{

							name: "InterleavedResources_GroupedCorrectly",

							events: []AuditEvent{

								newTestEvent(testDashboardKind, "d-001", coretypes.VerbCreate),

								newTestEvent(coretypes.MustNewKind("user"), "u-001", coretypes.VerbUpdate),

								newTestEvent(testDashboardKind, "d-001", coretypes.VerbUpdate),

								newTestEvent(coretypes.MustNewKind("user"), "u-001", coretypes.VerbDelete),

								newTestEvent(testDashboardKind, "d-001", coretypes.VerbDelete),

								newTestEvent(testDashboardResource, "d-001", coretypes.VerbCreate),

								newTestEvent(coretypes.ResourceUser, "u-001", coretypes.VerbUpdate),

								newTestEvent(testDashboardResource, "d-001", coretypes.VerbUpdate),

								newTestEvent(coretypes.ResourceUser, "u-001", coretypes.VerbDelete),

								newTestEvent(testDashboardResource, "d-001", coretypes.VerbDelete),

							},

							expectedResourceLogs:    2,

							expectedResourceKinds:   []string{"dashboard", "user"},

				@@ -203,7 +202,6 @@ func TestNewPLogsFromAuditEvents(t *testing.T) {

								resourceLogs := logs.ResourceLogs().At(i)

								resourceAttrs := resourceLogs.Resource().Attributes()

								// Verify service resource attributes

								serviceName, exists := resourceAttrs.Get("service.name")

								assert.True(t, exists)

								assert.Equal(t, "signoz", serviceName.Str())

				@@ -212,7 +210,6 @@ func TestNewPLogsFromAuditEvents(t *testing.T) {

								assert.True(t, exists)

								assert.Equal(t, "0.90.0", serviceVersion.Str())

								// Verify audit resource attributes on Resource (not event attributes)

								kind, exists := resourceAttrs.Get("signoz.audit.resource.kind")

								assert.True(t, exists)

								assert.Equal(t, testCase.expectedResourceKinds[i], kind.Str())

				@@ -221,14 +218,11 @@ func TestNewPLogsFromAuditEvents(t *testing.T) {

								assert.True(t, exists)

								assert.Equal(t, testCase.expectedResourceIDs[i], id.Str())

								// Verify scope

								assert.Equal(t, 1, resourceLogs.ScopeLogs().Len())

								assert.Equal(t, "signoz.audit", resourceLogs.ScopeLogs().At(0).Scope().Name())

								// Verify log record count per group

								assert.Equal(t, testCase.expectedLogRecordCounts[i], resourceLogs.ScopeLogs().At(0).LogRecords().Len())

								// Verify resource attrs are NOT in log record event attributes

								for j := 0; j < resourceLogs.ScopeLogs().At(0).LogRecords().Len(); j++ {

									recordAttrs := resourceLogs.ScopeLogs().At(0).LogRecords().At(j).Attributes()

									_, hasKind := recordAttrs.Get("signoz.audit.resource.kind")

									
										11

pkg/types/coretypes/verb.go
									
												View File
												
				@@ -53,3 +53,14 @@ func (Verb) Enum() []any {

				func (verb Verb) PastTense() string {

					return verb.pastTense

				}

				// IsMutation reports whether the verb changes state (create/update/delete/

				// attach/detach) as opposed to a read (read/list/assignee).

				func (verb Verb) IsMutation() bool {

					switch verb {

					case VerbCreate, VerbUpdate, VerbDelete, VerbAttach, VerbDetach:

						return true

					default:

						return false

					}

				}

									
										102

pkg/types/spantypes/flamegraph_span.go
									
										Normal file
									
												View File
												
				@@ -0,0 +1,102 @@

				package spantypes

				import (

					"github.com/SigNoz/signoz/pkg/types/telemetrytypes"

				)

				type FlamegraphSpan struct {

					SpanID       string            `json:"spanId" required:"true"`

					ParentSpanID string            `json:"parentSpanId" required:"true"`

					Timestamp    uint64            `json:"timestamp" required:"true"`

					DurationNano uint64            `json:"durationNano" required:"true"`

					HasError     bool              `json:"hasError" required:"true"`

					Name         string            `json:"name" required:"true"`

					Level        int64             `json:"level" required:"true"`

					Events       []Event           `json:"event" required:"true" nullable:"false"`

					Attributes   map[string]any    `json:"attributes" required:"true" nullable:"false"`

					Resource     map[string]string `json:"resource" required:"true" nullable:"false"`

					Children     []*FlamegraphSpan `json:"-"` // internal tree use only

				}

				// FlamegraphLevel groups span IDs at a single level within the selected window.

				type FlamegraphLevel struct {

					Level   int64

					SpanIDs []string

				}

				type PostableFlamegraph struct {

					SelectedSpanID string                             `json:"selectedSpanId"`

					SelectFields   []telemetrytypes.TelemetryFieldKey `json:"selectFields,omitempty"`

				}

				// GettableFlamegraphTrace is the response for the v3 flamegraph API.

				type GettableFlamegraphTrace struct {

					Spans                [][]*FlamegraphSpan `json:"spans" required:"true" nullable:"false"`

					StartTimestampMillis int64               `json:"startTimestampMillis" required:"true"`

					EndTimestampMillis   int64               `json:"endTimestampMillis" required:"true"`

					HasMore              bool                `json:"hasMore" required:"true"`

				}

				func NewGettableFlamegraphTrace(spans [][]*FlamegraphSpan, startMs, endMs int64, hasMore bool) *GettableFlamegraphTrace {

					return &GettableFlamegraphTrace{

						Spans:                spans,

						StartTimestampMillis: startMs,

						EndTimestampMillis:   endMs,

						HasMore:              hasMore,

					}

				}

				func NewFlamegraphSpanFromStorable(s *StorableSpan, level int64, selectFields []telemetrytypes.TelemetryFieldKey) *FlamegraphSpan {

					span := &FlamegraphSpan{

						SpanID:       s.SpanID,

						ParentSpanID: s.ParentSpanID,

						Timestamp:    uint64(s.StartTime.UnixNano()),

						DurationNano: s.DurationNano,

						HasError:     s.HasError,

						Name:         s.Name,

						Level:        level,

						Events:       s.UnmarshalledEvents(),

						Attributes:   make(map[string]any),

						Resource:     make(map[string]string),

					}

					if len(selectFields) == 0 {

						return span

					}

					for _, field := range selectFields {

						switch field.FieldContext {

						case telemetrytypes.FieldContextResource:

							if v, ok := s.ResourcesString[field.Name]; ok && v != "" {

								span.Resource[field.Name] = v

							}

						case telemetrytypes.FieldContextAttribute:

							if v := s.AttributeValue(field.Name); v != nil {

								span.Attributes[field.Name] = v

							}

						}

					}

					return span

				}

				func NewMissingParentFlamegraphSpan(node *FlamegraphSpan) *FlamegraphSpan {

					return &FlamegraphSpan{

						SpanID:       node.ParentSpanID,

						Name:         "Missing Span",

						Timestamp:    node.Timestamp,

						DurationNano: node.DurationNano,

						Events:       []Event{},

						Children:     []*FlamegraphSpan{node},

					}

				}

				// FlamegraphWindowSpanIDs collects all span IDs from a level window into a flat slice.

				func FlamegraphWindowSpanIDs(window []FlamegraphLevel) []string {

					total := 0

					for _, lvl := range window {

						total += len(lvl.SpanIDs)

					}

					ids := make([]string, 0, total)

					for _, lvl := range window {

						ids = append(ids, lvl.SpanIDs...)

					}

					return ids

				}

									
										111

pkg/types/spantypes/flamegraph_trace.go
									
										Normal file
									
												View File
												
				@@ -0,0 +1,111 @@

				package spantypes

				import (

					"sort"

					"github.com/SigNoz/signoz/pkg/types/telemetrytypes"

				)

				// FlamegraphTrace holds the level wise tree built from minimal spans.

				type FlamegraphTrace struct {

					roots     []*FlamegraphSpan

					nodeByID  map[string]*FlamegraphSpan

					startTime uint64

					endTime   uint64

				}

				func NewFlamegraphTraceFromMinimal(spans []MinimalSpan) *FlamegraphTrace {

					t := &FlamegraphTrace{

						nodeByID: make(map[string]*FlamegraphSpan, len(spans)),

					}

					for i := range spans {

						node := spans[i].ToFlamegraphSpan()

						t.updateTimeRange(node.Timestamp, node.DurationNano)

						t.nodeByID[node.SpanID] = node

					}

					t.buildSpanTree()

					return t

				}

				func NewFlamegraphTraceFromStorable(spans []StorableSpan, selectFields []telemetrytypes.TelemetryFieldKey) *FlamegraphTrace {

					t := &FlamegraphTrace{

						nodeByID: make(map[string]*FlamegraphSpan, len(spans)),

					}

					for i := range spans {

						node := NewFlamegraphSpanFromStorable(&spans[i], 0, selectFields) // level is set later by BFS

						t.updateTimeRange(node.Timestamp, node.DurationNano)

						t.nodeByID[node.SpanID] = node

					}

					t.buildSpanTree()

					return t

				}

				func (t *FlamegraphTrace) GetAllLevels() [][]*FlamegraphSpan {

					return nil

				}

				// GetSelectedLevels returns the window of levels around selectedSpanID with sampling applied to dense levels.

				func (t *FlamegraphTrace) GetSelectedLevels(selectedSpanID string, levelLimit, spansPerLevel, topLatencyCount, bucketCount int) []FlamegraphLevel {

					return nil

				}

				func (t *FlamegraphTrace) EnrichSelectedSpans(selectedSpans []FlamegraphLevel, fullSpans []StorableSpan, selectFields []telemetrytypes.TelemetryFieldKey) [][]*FlamegraphSpan {

					fullByID := make(map[string]*StorableSpan, len(fullSpans))

					for i := range fullSpans {

						fullByID[fullSpans[i].SpanID] = &fullSpans[i]

					}

					result := make([][]*FlamegraphSpan, len(selectedSpans))

					for i, lvl := range selectedSpans {

						result[i] = make([]*FlamegraphSpan, 0, len(lvl.SpanIDs))

						for _, spanID := range lvl.SpanIDs {

							if full, ok := fullByID[spanID]; ok {

								result[i] = append(result[i], NewFlamegraphSpanFromStorable(full, lvl.Level, selectFields))

							} else if lean, ok := t.nodeByID[spanID]; ok {

								result[i] = append(result[i], lean)

							}

						}

					}

					return result

				}

				func (t *FlamegraphTrace) updateTimeRange(timestamp, durationNano uint64) {

					if t.startTime == 0 || timestamp < t.startTime {

						t.startTime = timestamp

					}

					if end := timestamp + durationNano; end > t.endTime {

						t.endTime = end

					}

				}

				func (t *FlamegraphTrace) buildSpanTree() {

					for _, node := range t.nodeByID {

						if node.ParentSpanID != "" {

							if parent, ok := t.nodeByID[node.ParentSpanID]; ok {

								parent.Children = append(parent.Children, node)

							} else {

								missing := NewMissingParentFlamegraphSpan(node)

								t.nodeByID[missing.SpanID] = missing

								t.roots = append(t.roots, missing)

							}

						} else if flamegraphSpanIndex(t.roots, node.SpanID) == -1 {

							t.roots = append(t.roots, node)

						}

					}

					sort.Slice(t.roots, func(i, j int) bool {

						if t.roots[i].Timestamp == t.roots[j].Timestamp {

							return t.roots[i].SpanID < t.roots[j].SpanID

						}

						return t.roots[i].Timestamp < t.roots[j].Timestamp

					})

				}

				func flamegraphSpanIndex(spans []*FlamegraphSpan, spanID string) int {

					for i, s := range spans {

						if s.SpanID == spanID {

							return i

						}

					}

					return -1

				}

									
										1

pkg/types/spantypes/store.go
									
												View File
												
				@@ -30,6 +30,7 @@ type TraceStore interface {

					GetTraceSpans(ctx context.Context, traceID string, summary *TraceSummary) ([]StorableSpan, error)

					GetMinimalSpans(ctx context.Context, traceID string, start, end time.Time) ([]MinimalSpan, error)

					GetTraceSpansByIDs(ctx context.Context, traceID string, start, end time.Time, spanIDs []string) ([]StorableSpan, error)

					GetFlamegraphSpans(ctx context.Context, traceID string, start, end time.Time, spanIDs []string) ([]StorableSpan, error)

					GetSpanCountByField(ctx context.Context, traceID string, summary *TraceSummary, fieldKey telemetrytypes.TelemetryFieldKey) (map[string]uint64, error)

					GetSpanDurationByField(ctx context.Context, traceID string, summary *TraceSummary, fieldKey telemetrytypes.TelemetryFieldKey) (map[string]uint64, error)

									
										26

pkg/types/spantypes/waterfall_span.go
									
												View File
												
				@@ -164,6 +164,17 @@ func (item *MinimalSpan) ToWaterfallSpan(traceID string) *WaterfallSpan {

					}

				}

				func (item *MinimalSpan) ToFlamegraphSpan() *FlamegraphSpan {

					return &FlamegraphSpan{

						SpanID:       item.SpanID,

						ParentSpanID: item.ParentSpanID,

						Timestamp:    uint64(item.StartTime.UnixNano()),

						DurationNano: item.DurationNano,

						HasError:     item.HasError,

						Children:     make([]*FlamegraphSpan, 0),

					}

				}

				// NewMissingWaterfallSpan creates a synthetic placeholder span for a parent that has no recorded data.

				func NewMissingWaterfallSpan(spanID, traceID string, timeUnixNano, durationNano uint64) *WaterfallSpan {

					return &WaterfallSpan{

				@@ -267,6 +278,19 @@ func (ws *WaterfallSpan) getPathToSelectedSpanID(selectedSpanID string) ([]strin

					return nil, false

				}

				func (item *StorableSpan) AttributeValue(name string) any {

					if v, ok := item.AttributesString[name]; ok {

						return v

					}

					if v, ok := item.AttributesNumber[name]; ok {

						return v

					}

					if v, ok := item.AttributesBool[name]; ok {

						return v

					}

					return nil

				}

				func (item *StorableSpan) Attributes() map[string]any {

					attributes := make(map[string]any, len(item.AttributesString)+len(item.AttributesNumber)+len(item.AttributesBool))

					for k, v := range item.AttributesString {

				@@ -296,7 +320,7 @@ func (item *StorableSpan) UnmarshalledEvents() []Event {

				func (item *StorableSpan) UnmarshalledRefs() []OtelSpanRef {

					refs := []OtelSpanRef{}

					if err := json.Unmarshal([]byte(item.References), &refs); err != nil {

						return nil // skip malformed values

						return []OtelSpanRef{} // skip malformed values

					}

					return refs

				}

									
										140

tests/fixtures/auth.py
									
										vendored
									
												View File
												
				@@ -56,11 +56,18 @@ def _login(signoz: types.SigNoz, email: str, password: str) -> str:

				    return login.json()["data"]["accessToken"]

				@pytest.fixture(name="create_user_admin", scope="package")

				def create_user_admin(signoz: types.SigNoz, request: pytest.FixtureRequest, pytestconfig: pytest.Config) -> types.Operation:

				    def create() -> None:

				def register_admin(

				    signoz: types.SigNoz,

				    request: pytest.FixtureRequest,

				    pytestconfig: pytest.Config,

				    cache_key: str = "create_user_admin",

				    base_path: str = "",

				) -> types.Operation:

				    """Register the first admin (creates the org), under base_path. Reuse-wrapped."""

				    def create() -> types.Operation:

				        response = requests.post(

				            signoz.self.host_configs["8080"].get("/api/v1/register"),

				            signoz.self.host_configs["8080"].get(f"{base_path}/api/v1/register"),

				            json={

				                "name": USER_ADMIN_NAME,

				                "orgName": "",

				@@ -83,7 +90,7 @@ def create_user_admin(signoz: types.SigNoz, request: pytest.FixtureRequest, pyte

				    return reuse.wrap(

				        request,

				        pytestconfig,

				        "create_user_admin",

				        cache_key,

				        lambda: types.Operation(name=""),

				        create,

				        delete,

				@@ -91,86 +98,86 @@ def create_user_admin(signoz: types.SigNoz, request: pytest.FixtureRequest, pyte

				    )

				@pytest.fixture(name="get_session_context", scope="function")

				def get_session_context(signoz: types.SigNoz) -> Callable[[str, str], str]:

				    def _get_session_context(email: str) -> str:

				@pytest.fixture(name="create_user_admin", scope="package")

				def create_user_admin(signoz: types.SigNoz, request: pytest.FixtureRequest, pytestconfig: pytest.Config) -> types.Operation:

				    return register_admin(signoz, request, pytestconfig)

				def session_context_getter(signoz: types.SigNoz, base_path: str = "") -> Callable[[str], dict]:

				    """Build a callable that fetches the session context for an email (under base_path)."""

				    def fetch_session_context(email: str) -> dict:

				        response = requests.get(

				            signoz.self.host_configs["8080"].get("/api/v2/sessions/context"),

				            params={

				                "email": email,

				                "ref": f"{signoz.self.host_configs['8080'].base()}",

				            },

				            signoz.self.host_configs["8080"].get(f"{base_path}/api/v2/sessions/context"),

				            params={"email": email, "ref": f"{signoz.self.host_configs['8080'].base()}"},

				            timeout=5,

				        )

				        assert response.status_code == HTTPStatus.OK

				        return response.json()["data"]

				    return _get_session_context

				    return fetch_session_context

				@pytest.fixture(name="get_session_context", scope="function")

				def get_session_context(signoz: types.SigNoz) -> Callable[[str], dict]:

				    return session_context_getter(signoz)

				def token_getter(signoz: types.SigNoz, base_path: str = "") -> Callable[[str, str], str]:

				    """Build a callable that logs in (email/password) and returns the access token (under base_path)."""

				    def fetch_token(email: str, password: str) -> str:

				        context = requests.get(

				            signoz.self.host_configs["8080"].get(f"{base_path}/api/v2/sessions/context"),

				            params={"email": email, "ref": f"{signoz.self.host_configs['8080'].base()}"},

				            timeout=5,

				        )

				        assert context.status_code == HTTPStatus.OK

				        org_id = context.json()["data"]["orgs"][0]["id"]

				        login = requests.post(

				            signoz.self.host_configs["8080"].get(f"{base_path}/api/v2/sessions/email_password"),

				            json={"email": email, "password": password, "orgId": org_id},

				            timeout=5,

				        )

				        assert login.status_code == HTTPStatus.OK

				        return login.json()["data"]["accessToken"]

				    return fetch_token

				@pytest.fixture(name="get_token", scope="function")

				def get_token(signoz: types.SigNoz) -> Callable[[str, str], str]:

				    def _get_token(email: str, password: str) -> str:

				        response = requests.get(

				            signoz.self.host_configs["8080"].get("/api/v2/sessions/context"),

				            params={

				                "email": email,

				                "ref": f"{signoz.self.host_configs['8080'].base()}",

				            },

				    return token_getter(signoz)

				def tokens_getter(signoz: types.SigNoz, base_path: str = "") -> Callable[[str, str], tuple[str, str]]:

				    """Build a callable that logs in and returns the (access, refresh) token pair (under base_path)."""

				    def fetch_tokens(email: str, password: str) -> tuple[str, str]:

				        context = requests.get(

				            signoz.self.host_configs["8080"].get(f"{base_path}/api/v2/sessions/context"),

				            params={"email": email, "ref": f"{signoz.self.host_configs['8080'].base()}"},

				            timeout=5,

				        )

				        assert context.status_code == HTTPStatus.OK

				        org_id = context.json()["data"]["orgs"][0]["id"]

				        assert response.status_code == HTTPStatus.OK

				        org_id = response.json()["data"]["orgs"][0]["id"]

				        response = requests.post(

				            signoz.self.host_configs["8080"].get("/api/v2/sessions/email_password"),

				            json={

				                "email": email,

				                "password": password,

				                "orgId": org_id,

				            },

				        login = requests.post(

				            signoz.self.host_configs["8080"].get(f"{base_path}/api/v2/sessions/email_password"),

				            json={"email": email, "password": password, "orgId": org_id},

				            timeout=5,

				        )

				        assert login.status_code == HTTPStatus.OK

				        data = login.json()["data"]

				        return data["accessToken"], data["refreshToken"]

				        assert response.status_code == HTTPStatus.OK

				        return response.json()["data"]["accessToken"]

				    return _get_token

				    return fetch_tokens

				@pytest.fixture(name="get_tokens", scope="function")

				def get_tokens(signoz: types.SigNoz) -> Callable[[str, str], tuple[str, str]]:

				    def _get_tokens(email: str, password: str) -> str:

				        response = requests.get(

				            signoz.self.host_configs["8080"].get("/api/v2/sessions/context"),

				            params={

				                "email": email,

				                "ref": f"{signoz.self.host_configs['8080'].base()}",

				            },

				            timeout=5,

				        )

				        assert response.status_code == HTTPStatus.OK

				        org_id = response.json()["data"]["orgs"][0]["id"]

				        response = requests.post(

				            signoz.self.host_configs["8080"].get("/api/v2/sessions/email_password"),

				            json={

				                "email": email,

				                "password": password,

				                "orgId": org_id,

				            },

				            timeout=5,

				        )

				        assert response.status_code == HTTPStatus.OK

				        access_token = response.json()["data"]["accessToken"]

				        refresh_token = response.json()["data"]["refreshToken"]

				        return access_token, refresh_token

				    return _get_tokens

				    return tokens_getter(signoz)

				@pytest.fixture(name="apply_license", scope="package")

				@@ -270,6 +277,7 @@ def add_license(

				    signoz: types.SigNoz,

				    make_http_mocks: Callable[[types.TestContainerDocker, list[Mapping]], None],

				    get_token: Callable[[str, str], str],  # pylint: disable=redefined-outer-name

				    base_path: str = "",

				) -> None:

				    make_http_mocks(

				        signoz.zeus,

				@@ -308,7 +316,7 @@ def add_license(

				    access_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)

				    response = requests.post(

				        url=signoz.self.host_configs["8080"].get("/api/v3/licenses"),

				        url=signoz.self.host_configs["8080"].get(f"{base_path}/api/v3/licenses"),

				        json={"key": "secret-key"},

				        headers={"Authorization": "Bearer " + access_token},

				        timeout=5,

									
										126

tests/integration/tests/basepath/01_oidc.py
									
										Normal file
									
												View File
												
				@@ -0,0 +1,126 @@

				from collections.abc import Callable

				from http import HTTPStatus

				from urllib.parse import urlparse

				import requests

				from selenium import webdriver

				from wiremock.resources.mappings import Mapping

				from fixtures.auth import USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD, add_license, assert_user_has_role

				from fixtures.types import Operation, SigNoz, TestContainerDocker, TestContainerIDP

				# SigNoz is served under /signoz, so the OIDC callback registered with the IdP

				# must include the prefix to match the backend-generated redirect URI.

				BASE_PATH = "/signoz"

				OIDC_CALLBACK_PATH = f"{BASE_PATH}/api/v1/complete/oidc"

				def test_apply_license(

				    signoz: SigNoz,

				    create_user_admin: Operation,  # pylint: disable=unused-argument

				    make_http_mocks: Callable[[TestContainerDocker, list[Mapping]], None],

				    get_token: Callable[[str, str], str],

				) -> None:

				    """

				    Applies a license to the signoz instance. add_license is a plain function

				    called from the test (function scope), so the function-scoped make_http_mocks

				    fixture is safe to use; base_path prefixes the licensing API call.

				    """

				    add_license(signoz, make_http_mocks, get_token, base_path=BASE_PATH)

				def test_create_auth_domain(

				    signoz: SigNoz,

				    idp: TestContainerIDP,  # pylint: disable=unused-argument

				    create_oidc_client: Callable[[str, str], None],

				    get_oidc_settings: Callable[[str], dict],

				    get_token: Callable[[str, str], str],

				) -> None:

				    """

				    Creates an OIDC auth domain in SigNoz served under a base path. The callback

				    registered with the IdP carries the /signoz prefix.

				    """

				    client_id = f"oidc.basepath.test.{signoz.self.host_configs['8080'].address}:{signoz.self.host_configs['8080'].port}"

				    # Create an oidc client in the idp with the prefixed callback.

				    create_oidc_client(client_id, OIDC_CALLBACK_PATH)

				    # Get the oidc settings from keycloak.

				    settings = get_oidc_settings(client_id)

				    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)

				    response = requests.post(

				        signoz.self.host_configs["8080"].get("/signoz/api/v1/domains"),

				        json={

				            "name": "oidc.basepath.test",

				            "config": {

				                "ssoEnabled": True,

				                "ssoType": "oidc",

				                "oidcConfig": {

				                    "clientId": settings["client_id"],

				                    "clientSecret": settings["client_secret"],

				                    # Change the hostname of the issuer to the internal resolvable hostname of the idp

				                    "issuer": f"{idp.container.container_configs['6060'].get(urlparse(settings['issuer']).path)}",

				                    "issuerAlias": settings["issuer"],

				                    "getUserInfo": True,

				                },

				            },

				        },

				        headers={"Authorization": f"Bearer {admin_token}"},

				        timeout=2,

				    )

				    assert response.status_code == HTTPStatus.CREATED

				def test_oidc_authn(

				    signoz: SigNoz,

				    idp: TestContainerIDP,

				    driver: webdriver.Chrome,

				    create_user_idp: Callable[[str, str, bool, str, str], None],

				    idp_login: Callable[[str, str], None],

				    get_token: Callable[[str, str], str],

				    get_session_context: Callable[[str], dict],

				) -> None:

				    """

				    Tests the OIDC authn flow when SigNoz is served under a base path. The login

				    URL the backend produces (and thus the IdP callback) carries the /signoz

				    prefix; the e2e browser login must complete and create the user.

				    """

				    # Create a user in the idp.

				    create_user_idp("viewer@oidc.basepath.test", "password123", True)

				    # Get the session context from signoz which will give the OIDC login URL.

				    session_context = get_session_context("viewer@oidc.basepath.test")

				    assert len(session_context["orgs"]) == 1

				    assert len(session_context["orgs"][0]["authNSupport"]["callback"]) == 1

				    url = session_context["orgs"][0]["authNSupport"]["callback"][0]["url"]

				    # change the url to the external resolvable hostname of the idp

				    parsed_url = urlparse(url)

				    actual_url = f"{idp.container.host_configs['6060'].get(parsed_url.path)}?{parsed_url.query}"

				    driver.get(actual_url)

				    idp_login("viewer@oidc.basepath.test", "password123")

				    # Assert that the user was created in signoz (lookup under the base path).

				    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)

				    users = requests.get(

				        signoz.self.host_configs["8080"].get("/signoz/api/v2/users"),

				        headers={"Authorization": f"Bearer {admin_token}"},

				        timeout=5,

				    )

				    assert users.status_code == HTTPStatus.OK, users.text

				    user = next((u for u in users.json()["data"] if u["email"] == "viewer@oidc.basepath.test"), None)

				    assert user is not None, "User with email 'viewer@oidc.basepath.test' not found"

				    user_with_roles = requests.get(

				        signoz.self.host_configs["8080"].get(f"/signoz/api/v2/users/{user['id']}"),

				        headers={"Authorization": f"Bearer {admin_token}"},

				        timeout=5,

				    )

				    assert user_with_roles.status_code == HTTPStatus.OK, user_with_roles.text

				    assert_user_has_role(user_with_roles.json()["data"], "signoz-viewer")

									
										117

tests/integration/tests/basepath/02_saml.py
									
										Normal file
									
												View File
												
				@@ -0,0 +1,117 @@

				from collections.abc import Callable

				from http import HTTPStatus

				import requests

				from selenium import webdriver

				from wiremock.resources.mappings import Mapping

				from fixtures.auth import USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD, add_license, assert_user_has_role

				from fixtures.types import Operation, SigNoz, TestContainerDocker, TestContainerIDP

				# SigNoz is served under /signoz, so the SAML ACS registered with the IdP must

				# include the prefix to match the backend-generated AssertionConsumerServiceURL.

				BASE_PATH = "/signoz"

				SAML_CALLBACK_PATH = f"{BASE_PATH}/api/v1/complete/saml"

				def test_apply_license(

				    signoz: SigNoz,

				    create_user_admin: Operation,  # pylint: disable=unused-argument

				    make_http_mocks: Callable[[TestContainerDocker, list[Mapping]], None],

				    get_token: Callable[[str, str], str],

				) -> None:

				    """

				    Applies a license to the signoz instance. add_license is a plain function

				    called from the test (function scope), so the function-scoped make_http_mocks

				    fixture is safe to use; base_path prefixes the licensing API call.

				    """

				    add_license(signoz, make_http_mocks, get_token, base_path=BASE_PATH)

				def test_create_auth_domain(

				    signoz: SigNoz,

				    idp: TestContainerIDP,  # pylint: disable=unused-argument

				    create_saml_client: Callable[[str, str], None],

				    get_saml_settings: Callable[[], dict],

				    get_token: Callable[[str, str], str],

				) -> None:

				    """

				    Creates a SAML auth domain in SigNoz served under a base path. The ACS

				    registered with the IdP carries the /signoz prefix.

				    """

				    # Create a saml client in the idp with the prefixed ACS.

				    create_saml_client("saml.basepath.test", SAML_CALLBACK_PATH)

				    # Get the saml settings from keycloak.

				    settings = get_saml_settings()

				    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)

				    response = requests.post(

				        signoz.self.host_configs["8080"].get("/signoz/api/v1/domains"),

				        json={

				            "name": "saml.basepath.test",

				            "config": {

				                "ssoEnabled": True,

				                "ssoType": "saml",

				                "samlConfig": {

				                    "samlEntity": settings["entityID"],

				                    "samlIdp": settings["singleSignOnServiceLocation"],

				                    "samlCert": settings["certificate"],

				                },

				            },

				        },

				        headers={"Authorization": f"Bearer {admin_token}"},

				        timeout=2,

				    )

				    assert response.status_code == HTTPStatus.CREATED

				def test_saml_authn(

				    signoz: SigNoz,

				    idp: TestContainerIDP,  # pylint: disable=unused-argument

				    driver: webdriver.Chrome,

				    create_user_idp: Callable[[str, str, bool, str, str], None],

				    idp_login: Callable[[str, str], None],

				    get_token: Callable[[str, str], str],

				    get_session_context: Callable[[str], dict],

				) -> None:

				    """

				    Tests the SAML authn flow when SigNoz is served under a base path. The

				    AssertionConsumerServiceURL in the AuthnRequest carries the /signoz prefix;

				    the e2e browser login must complete and create the user.

				    """

				    # Create a user in the idp.

				    create_user_idp("viewer@saml.basepath.test", "password", True)

				    # Get the session context from signoz which will give the SAML login URL.

				    session_context = get_session_context("viewer@saml.basepath.test")

				    assert len(session_context["orgs"]) == 1

				    assert len(session_context["orgs"][0]["authNSupport"]["callback"]) == 1

				    url = session_context["orgs"][0]["authNSupport"]["callback"][0]["url"]

				    driver.get(url)

				    idp_login("viewer@saml.basepath.test", "password")

				    # Assert that the user was created in signoz (lookup under the base path).

				    admin_token = get_token(USER_ADMIN_EMAIL, USER_ADMIN_PASSWORD)

				    users = requests.get(

				        signoz.self.host_configs["8080"].get("/signoz/api/v2/users"),

				        headers={"Authorization": f"Bearer {admin_token}"},

				        timeout=5,

				    )

				    assert users.status_code == HTTPStatus.OK, users.text

				    user = next((u for u in users.json()["data"] if u["email"] == "viewer@saml.basepath.test"), None)

				    assert user is not None, "User with email 'viewer@saml.basepath.test' not found"

				    user_with_roles = requests.get(

				        signoz.self.host_configs["8080"].get(f"/signoz/api/v2/users/{user['id']}"),

				        headers={"Authorization": f"Bearer {admin_token}"},

				        timeout=5,

				    )

				    assert user_with_roles.status_code == HTTPStatus.OK, user_with_roles.text

				    assert_user_has_role(user_with_roles.json()["data"], "signoz-viewer")

0

tests/integration/tests/basepath/init.py Normal file

View File

									
										57

tests/integration/tests/basepath/conftest.py
									
										Normal file
									
												View File
												
				@@ -0,0 +1,57 @@

				from collections.abc import Callable

				import pytest

				from testcontainers.core.container import Network

				from fixtures import types

				from fixtures.auth import register_admin, session_context_getter, token_getter

				from fixtures.signoz import create_signoz

				# SigNoz is served under this URL path prefix for the base-path suite. The auth

				# helpers from fixtures/auth.py are reused via their factories with this prefix,

				# so these fixtures shadow the same-named root ones without duplicating logic.

				# Only the path component is read by global.ExternalPath(), which derives the

				# http.StripPrefix route prefix.

				BASE_PATH = "/signoz"

				@pytest.fixture(name="signoz", scope="package")

				def signoz_base_path(  # pylint: disable=too-many-arguments,too-many-positional-arguments

				    network: Network,

				    zeus: types.TestContainerDocker,

				    gateway: types.TestContainerDocker,

				    sqlstore: types.TestContainerSQL,

				    clickhouse: types.TestContainerClickhouse,

				    request: pytest.FixtureRequest,

				    pytestconfig: pytest.Config,

				) -> types.SigNoz:

				    """

				    Package-scoped SigNoz served under BASE_PATH. Sets SIGNOZ_GLOBAL_EXTERNAL__URL

				    with the prefix so the backend derives the http.StripPrefix route prefix.

				    """

				    return create_signoz(

				        network=network,

				        zeus=zeus,

				        gateway=gateway,

				        sqlstore=sqlstore,

				        clickhouse=clickhouse,

				        request=request,

				        pytestconfig=pytestconfig,

				        cache_key="signoz_base_path",

				        env_overrides={"SIGNOZ_GLOBAL_EXTERNAL__URL": f"http://localhost:8080{BASE_PATH}"},

				    )

				@pytest.fixture(name="create_user_admin", scope="package")

				def create_user_admin_base_path(signoz: types.SigNoz, request: pytest.FixtureRequest, pytestconfig: pytest.Config) -> types.Operation:

				    return register_admin(signoz, request, pytestconfig, cache_key="create_user_admin_base_path", base_path=BASE_PATH)

				@pytest.fixture(name="get_token", scope="function")

				def get_token(signoz: types.SigNoz) -> Callable[[str, str], str]:

				    return token_getter(signoz, BASE_PATH)

				@pytest.fixture(name="get_session_context", scope="function")

				def get_session_context(signoz: types.SigNoz) -> Callable[[str], dict]:

				    return session_context_getter(signoz, BASE_PATH)

									
										2

tests/integration/tests/cloudintegrations/05_services.py
									
												View File
												
				@@ -483,7 +483,7 @@ def test_enable_metrics_provisions_dashboards(

				    assert isinstance(dashboards_in_service, list) and len(dashboards_in_service) > 0, "assets.dashboards should be non-empty after enabling metrics"

				    provisioned_ids = set()

				    for dash in dashboards_in_service:

				        assert "integrationDashboard" in dash, f"Integration dashboard entry missing"

				        assert "integrationDashboard" in dash, "Integration dashboard entry missing"

				        try:

				            uuid.UUID(dash["integrationDashboard"]["id"])

				        except ValueError as err:

Compare commits

14 Commits nv/dashboa ... platform-p

3 .github/workflows/integrationci.yaml vendored Unescape Escape View File

2 cmd/community/server.go Unescape Escape View File

6 cmd/enterprise/server.go Unescape Escape View File

11 conf/example.yaml Unescape Escape View File

142 docs/api/openapi.yml Unescape Escape View File

24 ee/authn/callbackauthn/oidccallbackauthn/authn.go Unescape Escape View File

16 ee/authn/callbackauthn/samlcallbackauthn/authn.go Unescape Escape View File

1 ee/query-service/app/server.go Unescape Escape View File

93 frontend/src/api/generated/services/sigNoz.schemas.ts Unescape Escape View File

102 frontend/src/api/generated/services/tracedetail/index.ts Unescape Escape View File

2 frontend/src/container/InfraMonitoringK8s/Deployments/constants.ts Unescape Escape View File

2 frontend/src/container/InfraMonitoringK8s/Jobs/constants.ts Unescape Escape View File

6 frontend/src/container/InfraMonitoringK8s/Namespaces/constants.ts Unescape Escape View File

12 frontend/src/container/InfraMonitoringK8s/Volumes/constants.ts Unescape Escape View File

114 frontend/src/container/LogDetailedView/InfraMetrics/constants.ts Unescape Escape View File

5 pkg/apiserver/signozapiserver/registry.go Unescape Escape View File

304 pkg/apiserver/signozapiserver/role.go Unescape Escape View File

622 pkg/apiserver/signozapiserver/serviceaccount.go Unescape Escape View File

19 pkg/apiserver/signozapiserver/tracedetail.go Unescape Escape View File

24 pkg/auditor/auditorserver/server_test.go Unescape Escape View File

20 pkg/authn/callbackauthn/googlecallbackauthn/authn.go Unescape Escape View File

103 pkg/http/handler/extractor.go Normal file Unescape Escape View File

12 pkg/http/handler/handler.go Unescape Escape View File

9 pkg/http/handler/option.go Unescape Escape View File

33 pkg/http/handler/resolved_context.go Normal file Unescape Escape View File

79 pkg/http/handler/resolved_resource.go Normal file Unescape Escape View File

129 pkg/http/handler/resourcedef.go Normal file Unescape Escape View File

86 pkg/http/handler/resourcedef_test.go Normal file Unescape Escape View File

111 pkg/http/middleware/audit.go Unescape Escape View File

104 pkg/http/middleware/authz.go Unescape Escape View File

69 pkg/http/middleware/resource.go Normal file Unescape Escape View File

28 pkg/http/middleware/response.go Unescape Escape View File

13 pkg/modules/session/implsession/handler.go Unescape Escape View File

33 pkg/modules/tracedetail/config.go Unescape Escape View File

16 pkg/modules/tracedetail/impltracedetail/handler.go Unescape Escape View File

56 pkg/modules/tracedetail/impltracedetail/module.go Unescape Escape View File

41 pkg/modules/tracedetail/impltracedetail/store.go Unescape Escape View File

24 pkg/modules/tracedetail/impltracedetail/store_test.go Unescape Escape View File

3 pkg/modules/tracedetail/tracedetail.go Unescape Escape View File

1 pkg/query-service/app/server.go Unescape Escape View File

5 pkg/signoz/authn.go Unescape Escape View File

4 pkg/signoz/provider.go Unescape Escape View File

1 pkg/signoz/provider_test.go Unescape Escape View File

2 pkg/signoz/signoz.go Unescape Escape View File

54 pkg/types/audittypes/attributes.go Unescape Escape View File

30 pkg/types/audittypes/attributes_test.go Unescape Escape View File

13 pkg/types/audittypes/event.go Unescape Escape View File

56 pkg/types/audittypes/event_test.go Unescape Escape View File

11 pkg/types/coretypes/verb.go Unescape Escape View File

102 pkg/types/spantypes/flamegraph_span.go Normal file Unescape Escape View File

111 pkg/types/spantypes/flamegraph_trace.go Normal file Unescape Escape View File

1 pkg/types/spantypes/store.go Unescape Escape View File

26 pkg/types/spantypes/waterfall_span.go Unescape Escape View File

140 tests/fixtures/auth.py vendored Unescape Escape View File

126 tests/integration/tests/basepath/01_oidc.py Normal file Unescape Escape View File

117 tests/integration/tests/basepath/02_saml.py Normal file Unescape Escape View File

0 tests/integration/tests/basepath/__init__.py Normal file Unescape Escape View File

57 tests/integration/tests/basepath/conftest.py Normal file Unescape Escape View File

2 tests/integration/tests/cloudintegrations/05_services.py Unescape Escape View File

14 Commits

nv/dashboa ... platform-p

3

.github/workflows/integrationci.yaml vendored

View File

2

cmd/community/server.go

View File

6

cmd/enterprise/server.go

View File

11

conf/example.yaml

View File

142

docs/api/openapi.yml

View File

24

ee/authn/callbackauthn/oidccallbackauthn/authn.go

View File

16

ee/authn/callbackauthn/samlcallbackauthn/authn.go

View File

1

ee/query-service/app/server.go

View File

93

frontend/src/api/generated/services/sigNoz.schemas.ts

View File

102

frontend/src/api/generated/services/tracedetail/index.ts

View File

2

frontend/src/container/InfraMonitoringK8s/Deployments/constants.ts

View File

2

frontend/src/container/InfraMonitoringK8s/Jobs/constants.ts

View File

6

frontend/src/container/InfraMonitoringK8s/Namespaces/constants.ts

View File

12

frontend/src/container/InfraMonitoringK8s/Volumes/constants.ts

View File

114

frontend/src/container/LogDetailedView/InfraMetrics/constants.ts

View File

5

pkg/apiserver/signozapiserver/registry.go

View File

304

pkg/apiserver/signozapiserver/role.go

View File

622

pkg/apiserver/signozapiserver/serviceaccount.go

View File

19

pkg/apiserver/signozapiserver/tracedetail.go

View File

24

pkg/auditor/auditorserver/server_test.go

View File

20

pkg/authn/callbackauthn/googlecallbackauthn/authn.go

View File

103

pkg/http/handler/extractor.go Normal file

View File

12

pkg/http/handler/handler.go

View File

9

pkg/http/handler/option.go

View File

33

pkg/http/handler/resolved_context.go Normal file

View File

79

pkg/http/handler/resolved_resource.go Normal file

View File

129

pkg/http/handler/resourcedef.go Normal file

View File

86

pkg/http/handler/resourcedef_test.go Normal file

View File

111

pkg/http/middleware/audit.go

View File

104

pkg/http/middleware/authz.go

View File

69

pkg/http/middleware/resource.go Normal file

View File

28

pkg/http/middleware/response.go

View File

13

pkg/modules/session/implsession/handler.go

View File

33

pkg/modules/tracedetail/config.go

View File

16

pkg/modules/tracedetail/impltracedetail/handler.go

View File

56

pkg/modules/tracedetail/impltracedetail/module.go

View File

41

pkg/modules/tracedetail/impltracedetail/store.go

View File

24

pkg/modules/tracedetail/impltracedetail/store_test.go

View File

3

pkg/modules/tracedetail/tracedetail.go

View File

1

pkg/query-service/app/server.go

View File

5

pkg/signoz/authn.go

View File

4

pkg/signoz/provider.go

View File

1

pkg/signoz/provider_test.go

View File

2

pkg/signoz/signoz.go

View File

54

pkg/types/audittypes/attributes.go

View File

30

pkg/types/audittypes/attributes_test.go

View File

13

pkg/types/audittypes/event.go

View File

56

pkg/types/audittypes/event_test.go

View File

11

pkg/types/coretypes/verb.go

View File

102

pkg/types/spantypes/flamegraph_span.go Normal file

View File

111

pkg/types/spantypes/flamegraph_trace.go Normal file

View File

1

pkg/types/spantypes/store.go

View File

26

pkg/types/spantypes/waterfall_span.go

View File

140

tests/fixtures/auth.py vendored

View File

126

tests/integration/tests/basepath/01_oidc.py Normal file

View File

117

tests/integration/tests/basepath/02_saml.py Normal file

View File

0

tests/integration/tests/basepath/init.py Normal file

View File

57

tests/integration/tests/basepath/conftest.py Normal file

View File

2

tests/integration/tests/cloudintegrations/05_services.py

View File