root
/
grafana
mirror of https://github.com/grafana/grafana.git
1
0
Fork 0
Code Issues Actions 165 Packages Projects Releases Wiki Activity
grafana/pkg/middleware/auth.go

297 lines
7.6 KiB
Go
Raw Permalink Normal View History

macaron transition progress
2014-10-06 03:13:01 +08:00
package middleware
import (
Auth: Allow soft token revocation (#31601) * Add revoked_at field to user auth token to allow soft revokes * Allow soft token revocations * Update token revocations and tests * Return error info on revokedTokenErr * Override session cookie only when no revokedErr nor API request * Display modal on revoked token error * Feedback: Refactor TokenRevokedModal to FC * Add GetUserRevokedTokens into UserTokenService * Backendsrv: adds tests and refactors soft token path * Apply feedback * Write redirect cookie on token revoked error * Update TokenRevokedModal style * Return meaningful error info * Some UI changes * Update backend_srv tests * Minor style fix on backend_srv tests * Replace deprecated method usage to publish events * Fix backend_srv tests * Apply suggestions from code review Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com> * Apply suggestions from code review * Apply suggestions from code review Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com> * Minor style fix after PR suggestion commit * Apply suggestions from code review Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Prettier fixes Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-03-17 00:44:02 +08:00
"errors"
AuthN: Rebuild Authenticate so we only have to call it once in context handler (#61705) * API: Add reqSignedIn to router groups * AuthN: Add fall through in context handler * AuthN: Add IsAnonymous field * AuthN: add priority to context aware clients * ContextHandler: Add comment * AuthN: Add a simple priority queue * AuthN: Add Name to client interface * AuthN: register clients with function * AuthN: update mock and fake to implement interface * AuthN: rewrite test without reflection * AuthN: add comment * AuthN: fix queue insert * AuthN: rewrite tests * AuthN: make the queue generic so we can reuse it for hooks * ContextHandler: Add fixme for auth headers * AuthN: remove unused variable * AuthN: use multierror * AuthN: write proper tests for queue * AuthN: Add queue item that can store the value and priority Co-authored-by: Jo <joao.guerreiro@grafana.com>
2023-01-26 17:50:44 +08:00
"net/http"
Worked on login remember cookie, and redirect after login
2015-01-27 19:05:23 +08:00
"net/url"
Plugins: Add backend check for app page role access (#78269) * add backend check for roles * tidy * fix tests * incorporate rbac * fix linter * apply PR feedback * add tests * fix logic * add comment * apply PR feedback
2023-12-18 23:12:46 +08:00
"path/filepath"
Dashboard: Fixes kiosk state after being redirected to login page and back (#29273) * Login: Fixes issue where url parameters where modified by golang url code * Add tests * Fix test cases * Update pkg/middleware/auth_test.go Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com> * fixed formatting Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
2020-11-21 02:30:37 +08:00
"regexp"
Auth: Fix POST request failures with anonymous access (#26049) Macaron context.QueryBool() seems to modify the request context that causes the POST and PUT requests to fail with: "http: proxy error: net/http: HTTP/1.x transport connection broken: http: ContentLength=333 with Body length 0"
2020-07-06 20:59:00 +08:00
"strconv"
add Token authentication support Added CRUD methods for Tokens. Extend Auth Handler to check for the presence of a Bearer Authorization header to authenticate against. If there is no header, or the token is not valid, the Auth Handler falls back to looking for a Session.
2015-01-14 16:33:34 +08:00
"strings"
Progress on account and dashboard save/load
2014-11-20 22:19:44 +08:00
Plugins: Add backend check for app page role access (#78269) * add backend check for roles * tidy * fix tests * incorporate rbac * fix linter * apply PR feedback * add tests * fix logic * add comment * apply PR feedback
2023-12-18 23:12:46 +08:00
"github.com/grafana/grafana/pkg/infra/log"
Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
2020-12-11 18:44:44 +08:00
"github.com/grafana/grafana/pkg/middleware/cookies"
RBAC: Fix plugins pages access-control (#76321) * RBAC: Fix plugins pages access-control * Better comment Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Add a small comment on connections/datasources routes --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2023-10-12 16:46:43 +08:00
ac "github.com/grafana/grafana/pkg/services/accesscontrol"
Auth: Refactor auth package (#58920) * Auth: move interface to its own file * Auth: move to test package * Auth: move quota consts to auth file * Auth: move service to impl package * Auth: move interfaces and related models to auth package * Auth: Create sub package and type alias to avoid circular dependency
2022-11-18 16:56:06 +08:00
"github.com/grafana/grafana/pkg/services/auth"
Auth: Add feature flag to move token rotation to client (#65060) * FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2023-03-23 21:39:04 +08:00
"github.com/grafana/grafana/pkg/services/authn"
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
Snapshots: Add RBAC roles for creating and deleting (#96126)
2024-11-26 20:13:17 +08:00
"github.com/grafana/grafana/pkg/services/dashboards"
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
"github.com/grafana/grafana/pkg/services/org"
Plugins: Migrate licensing and access control to pkg/services/pluginsintegration package (#65258) * migrate licensing + access control * update package name
2023-03-27 17:15:37 +08:00
"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginaccesscontrol"
Plugins: Add backend check for app page role access (#78269) * add backend check for roles * tidy * fix tests * incorporate rbac * fix linter * apply PR feedback * add tests * fix logic * add comment * apply PR feedback
2023-12-18 23:12:46 +08:00
"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginstore"
Changed go package path
2015-02-05 17:37:13 +08:00
"github.com/grafana/grafana/pkg/setting"
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go
2021-10-11 20:30:59 +08:00
"github.com/grafana/grafana/pkg/web"
macaron transition progress
2014-10-06 03:13:01 +08:00
)
Refactoring of auth middleware, and starting work on account admin
2015-01-15 19:16:54 +08:00
type AuthOptions struct {
Big refactoring for context.User, and how current user info is fetching, now included collaborator role
2015-01-16 21:32:18 +08:00
ReqGrafanaAdmin bool
Profile: Fixes profile preferences being accessible when anonymous access was enabled (#31516) * Profile: Fixes profile preferences page being available when anonymous access was enabled * Minor change * Renamed property
2021-02-28 01:04:28 +08:00
ReqNoAnonynmous bool
Auth: Add empty role definition (#64694) * Allow setting role as None Co-authored-by: gamab <gabi.mabs@gmail.com> Seeking for places where role.None would be used Co-authored-by: Jguer <joao.guerreiro@grafana.com> Adding None role to the frontend Co-authored-by: Jguer <joao.guerreiro@grafana.com> unify org role declaration and remove from add permission fix backend test fix backend lint * remove role none from frontend * Simplify checks Co-authored-by: Kalle Persson <kalle.persson@grafana.com> * nits --------- Co-authored-by: Kalle Persson <kalle.persson@grafana.com>
2023-07-06 21:40:06 +08:00
ReqSignedIn bool
Refactoring of auth middleware, and starting work on account admin
2015-01-15 19:16:54 +08:00
}
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
func accessForbidden(c *contextmodel.ReqContext) {
Refactoring of api routes
2015-01-14 21:25:12 +08:00
if c.IsApiRequest() {
fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693
2015-09-08 16:46:31 +08:00
c.JsonApiErr(403, "Permission denied", nil)
return
}
redirect "permission denied" requests to "/" (#10773)
2018-02-06 01:17:47 +08:00
c.Redirect(setting.AppSubUrl + "/")
fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693
2015-09-08 16:46:31 +08:00
}
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
func notAuthorized(c *contextmodel.ReqContext) {
fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693
2015-09-08 16:46:31 +08:00
if c.IsApiRequest() {
AuthN: Rebuild Authenticate so we only have to call it once in context handler (#61705) * API: Add reqSignedIn to router groups * AuthN: Add fall through in context handler * AuthN: Add IsAnonymous field * AuthN: add priority to context aware clients * ContextHandler: Add comment * AuthN: Add a simple priority queue * AuthN: Add Name to client interface * AuthN: register clients with function * AuthN: update mock and fake to implement interface * AuthN: rewrite test without reflection * AuthN: add comment * AuthN: fix queue insert * AuthN: rewrite tests * AuthN: make the queue generic so we can reuse it for hooks * ContextHandler: Add fixme for auth headers * AuthN: remove unused variable * AuthN: use multierror * AuthN: write proper tests for queue * AuthN: Add queue item that can store the value and priority Co-authored-by: Jo <joao.guerreiro@grafana.com>
2023-01-26 17:50:44 +08:00
c.WriteErrOrFallback(http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized), c.LookupTokenErr)
Worked on login remember cookie, and redirect after login
2015-01-27 19:05:23 +08:00
return
Refactoring of api routes
2015-01-14 21:25:12 +08:00
}
Auth: Use sessionStorage instead of cookie for automatic redirection (#92759) * WIP: working as expected, has to be tested * Rename query param, small changes * Remove unused code * Address feedback * Cleanup * Use the feature toggle to control the behaviour * Use the toggle on the FE too * Prevent the extra redirect/reload Co-authored-by: Josh Hunt <joshhunt@users.noreply.github.com> * Return to login if user is not authenticated * Add tracking issue * Align BE redirect constructor to locationSvc
2024-09-25 00:38:09 +08:00
if !c.UseSessionStorageRedirect {
writeRedirectCookie(c)
}
Auth: Add feature flag to move token rotation to client (#65060) * FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2023-03-23 21:39:04 +08:00
if errors.Is(c.LookupTokenErr, authn.ErrTokenNeedsRotation) {
Auth: Use sessionStorage instead of cookie for automatic redirection (#92759) * WIP: working as expected, has to be tested * Rename query param, small changes * Remove unused code * Address feedback * Cleanup * Use the feature toggle to control the behaviour * Use the toggle on the FE too * Prevent the extra redirect/reload Co-authored-by: Josh Hunt <joshhunt@users.noreply.github.com> * Return to login if user is not authenticated * Add tracking issue * Align BE redirect constructor to locationSvc
2024-09-25 00:38:09 +08:00
if !c.UseSessionStorageRedirect {
c.Redirect(setting.AppSubUrl + "/user/auth-tokens/rotate")
return
}
c.Redirect(setting.AppSubUrl + "/user/auth-tokens/rotate" + getRedirectToQueryParam(c))
return
}
if !c.UseSessionStorageRedirect {
c.Redirect(setting.AppSubUrl + "/login")
Auth: Add feature flag to move token rotation to client (#65060) * FeatureToggle: Add toggle to use a new way of rotating tokens * API: Add endpoints to perform token rotation, one endpoint for api request and one endpoint for redirectsd * Auth: Aling not authorized handling between auth middleware and access control middleware * API: add utility function to get redirect for login * API: Handle token rotation redirect for login page * Frontend: Add job scheduling for token rotation and make call to token rotation as fallback in retry request * ContextHandler: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * AuthN: Prevent in-request rotation if feature flag is enabled and check if token needs to be rotated * Cookies: Add option NotHttpOnly * AuthToken: Add helper function to get next rotation time and another function to check if token need to be rotated * AuthN: Add function to delete session cookie and set expiry cookie Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2023-03-23 21:39:04 +08:00
return
}
Auth: Use sessionStorage instead of cookie for automatic redirection (#92759) * WIP: working as expected, has to be tested * Rename query param, small changes * Remove unused code * Address feedback * Cleanup * Use the feature toggle to control the behaviour * Use the toggle on the FE too * Prevent the extra redirect/reload Co-authored-by: Josh Hunt <joshhunt@users.noreply.github.com> * Return to login if user is not authenticated * Add tracking issue * Align BE redirect constructor to locationSvc
2024-09-25 00:38:09 +08:00
c.Redirect(setting.AppSubUrl + "/login" + getRedirectToQueryParam(c))
Auth: Allow soft token revocation (#31601) * Add revoked_at field to user auth token to allow soft revokes * Allow soft token revocations * Update token revocations and tests * Return error info on revokedTokenErr * Override session cookie only when no revokedErr nor API request * Display modal on revoked token error * Feedback: Refactor TokenRevokedModal to FC * Add GetUserRevokedTokens into UserTokenService * Backendsrv: adds tests and refactors soft token path * Apply feedback * Write redirect cookie on token revoked error * Update TokenRevokedModal style * Return meaningful error info * Some UI changes * Update backend_srv tests * Minor style fix on backend_srv tests * Replace deprecated method usage to publish events * Fix backend_srv tests * Apply suggestions from code review Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com> * Apply suggestions from code review * Apply suggestions from code review Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com> * Minor style fix after PR suggestion commit * Apply suggestions from code review Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Prettier fixes Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-03-17 00:44:02 +08:00
}
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
func tokenRevoked(c *contextmodel.ReqContext, err *auth.TokenRevokedError) {
Auth: Allow soft token revocation (#31601) * Add revoked_at field to user auth token to allow soft revokes * Allow soft token revocations * Update token revocations and tests * Return error info on revokedTokenErr * Override session cookie only when no revokedErr nor API request * Display modal on revoked token error * Feedback: Refactor TokenRevokedModal to FC * Add GetUserRevokedTokens into UserTokenService * Backendsrv: adds tests and refactors soft token path * Apply feedback * Write redirect cookie on token revoked error * Update TokenRevokedModal style * Return meaningful error info * Some UI changes * Update backend_srv tests * Minor style fix on backend_srv tests * Replace deprecated method usage to publish events * Fix backend_srv tests * Apply suggestions from code review Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com> * Apply suggestions from code review * Apply suggestions from code review Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com> * Minor style fix after PR suggestion commit * Apply suggestions from code review Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Prettier fixes Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-03-17 00:44:02 +08:00
if c.IsApiRequest() {
Grafana: Replace magic number with a constant variable in response status (#80132) * Chore: Replace response status with const var * Apply suggestions from code review Co-authored-by: Sofia Papagiannaki <1632407+papagian@users.noreply.github.com> * Add net/http import --------- Co-authored-by: Sofia Papagiannaki <1632407+papagian@users.noreply.github.com>
2024-02-28 00:39:51 +08:00
c.JSON(http.StatusUnauthorized, map[string]any{
Auth: Allow soft token revocation (#31601) * Add revoked_at field to user auth token to allow soft revokes * Allow soft token revocations * Update token revocations and tests * Return error info on revokedTokenErr * Override session cookie only when no revokedErr nor API request * Display modal on revoked token error * Feedback: Refactor TokenRevokedModal to FC * Add GetUserRevokedTokens into UserTokenService * Backendsrv: adds tests and refactors soft token path * Apply feedback * Write redirect cookie on token revoked error * Update TokenRevokedModal style * Return meaningful error info * Some UI changes * Update backend_srv tests * Minor style fix on backend_srv tests * Replace deprecated method usage to publish events * Fix backend_srv tests * Apply suggestions from code review Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com> * Apply suggestions from code review * Apply suggestions from code review Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com> * Minor style fix after PR suggestion commit * Apply suggestions from code review Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Prettier fixes Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-03-17 00:44:02 +08:00
"message": "Token revoked",
Chore: use any rather than interface{} (#74066)
2023-08-30 23:46:47 +08:00
"error": map[string]any{
Auth: Allow soft token revocation (#31601) * Add revoked_at field to user auth token to allow soft revokes * Allow soft token revocations * Update token revocations and tests * Return error info on revokedTokenErr * Override session cookie only when no revokedErr nor API request * Display modal on revoked token error * Feedback: Refactor TokenRevokedModal to FC * Add GetUserRevokedTokens into UserTokenService * Backendsrv: adds tests and refactors soft token path * Apply feedback * Write redirect cookie on token revoked error * Update TokenRevokedModal style * Return meaningful error info * Some UI changes * Update backend_srv tests * Minor style fix on backend_srv tests * Replace deprecated method usage to publish events * Fix backend_srv tests * Apply suggestions from code review Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com> * Apply suggestions from code review * Apply suggestions from code review Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com> * Minor style fix after PR suggestion commit * Apply suggestions from code review Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Prettier fixes Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-03-17 00:44:02 +08:00
"id": "ERR_TOKEN_REVOKED",
"maxConcurrentSessions": err.MaxConcurrentSessions,
},
})
return
}
Auth: Use sessionStorage instead of cookie for automatic redirection (#92759) * WIP: working as expected, has to be tested * Rename query param, small changes * Remove unused code * Address feedback * Cleanup * Use the feature toggle to control the behaviour * Use the toggle on the FE too * Prevent the extra redirect/reload Co-authored-by: Josh Hunt <joshhunt@users.noreply.github.com> * Return to login if user is not authenticated * Add tracking issue * Align BE redirect constructor to locationSvc
2024-09-25 00:38:09 +08:00
if !c.UseSessionStorageRedirect {
writeRedirectCookie(c)
c.Redirect(setting.AppSubUrl + "/login")
return
}
c.Redirect(setting.AppSubUrl + "/login" + getRedirectToQueryParam(c))
Auth: Allow soft token revocation (#31601) * Add revoked_at field to user auth token to allow soft revokes * Allow soft token revocations * Update token revocations and tests * Return error info on revokedTokenErr * Override session cookie only when no revokedErr nor API request * Display modal on revoked token error * Feedback: Refactor TokenRevokedModal to FC * Add GetUserRevokedTokens into UserTokenService * Backendsrv: adds tests and refactors soft token path * Apply feedback * Write redirect cookie on token revoked error * Update TokenRevokedModal style * Return meaningful error info * Some UI changes * Update backend_srv tests * Minor style fix on backend_srv tests * Replace deprecated method usage to publish events * Fix backend_srv tests * Apply suggestions from code review Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com> * Apply suggestions from code review * Apply suggestions from code review Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com> * Minor style fix after PR suggestion commit * Apply suggestions from code review Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Prettier fixes Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-03-17 00:44:02 +08:00
}
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
func writeRedirectCookie(c *contextmodel.ReqContext) {
API: Fix redirect issues (#22285) * Revert "API: Fix redirect issue when configured to use a subpath (#21652)" (#22671) This reverts commit 0e2d874ecf9277dcc17d562e05271917efc8b595. * Fix redirect validation (#22675) * Chore: Add test for parse of app url and app sub url Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Fix redirect: prepend subpath only if it's missing (#22676) * Validate redirect in login oauth (#22677) * Fix invalid redirect for authenticated user (#22678) * Login: Use correct path for OAuth logos Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>
2020-03-11 17:04:48 +08:00
redirectTo := c.Req.RequestURI
if setting.AppSubUrl != "" && !strings.HasPrefix(redirectTo, setting.AppSubUrl) {
redirectTo = setting.AppSubUrl + c.Req.RequestURI
}
mark redirect_to cookie as http only closes #10829
2018-02-15 17:56:29 +08:00
Auth: Write the redirect cookie if denied - do not write a blank redirect (#57381) * Write the redirect cookie if denied - do not write a blank redirect * Remove redundant code, reverse polarity
2022-10-21 22:53:17 +08:00
if redirectTo == "/" {
return
}
Dashboard: Fixes kiosk state after being redirected to login page and back (#29273) * Login: Fixes issue where url parameters where modified by golang url code * Add tests * Fix test cases * Update pkg/middleware/auth_test.go Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com> * fixed formatting Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
2020-11-21 02:30:37 +08:00
// remove any forceLogin=true params
Auth: Fix redirection when auto_login is enabled (#94311) * Fix for SAML auto login * Fix for OAuth auto login
2024-10-07 20:59:00 +08:00
redirectTo = RemoveForceLoginParams(redirectTo)
Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
2020-12-11 18:44:44 +08:00
cookies.WriteCookie(c.Resp, "redirect_to", url.QueryEscape(redirectTo), 0, nil)
macaron transition progress
2014-10-06 03:13:01 +08:00
}
Auth: Use sessionStorage instead of cookie for automatic redirection (#92759) * WIP: working as expected, has to be tested * Rename query param, small changes * Remove unused code * Address feedback * Cleanup * Use the feature toggle to control the behaviour * Use the toggle on the FE too * Prevent the extra redirect/reload Co-authored-by: Josh Hunt <joshhunt@users.noreply.github.com> * Return to login if user is not authenticated * Add tracking issue * Align BE redirect constructor to locationSvc
2024-09-25 00:38:09 +08:00
func getRedirectToQueryParam(c *contextmodel.ReqContext) string {
redirectTo := c.Req.RequestURI
if setting.AppSubUrl != "" && strings.HasPrefix(redirectTo, setting.AppSubUrl) {
redirectTo = strings.TrimPrefix(redirectTo, setting.AppSubUrl)
}
if redirectTo == "/" {
return ""
}
// remove any forceLogin=true params
Auth: Fix redirection when auto_login is enabled (#94311) * Fix for SAML auto login * Fix for OAuth auto login
2024-10-07 20:59:00 +08:00
redirectTo = RemoveForceLoginParams(redirectTo)
Auth: Use sessionStorage instead of cookie for automatic redirection (#92759) * WIP: working as expected, has to be tested * Rename query param, small changes * Remove unused code * Address feedback * Cleanup * Use the feature toggle to control the behaviour * Use the toggle on the FE too * Prevent the extra redirect/reload Co-authored-by: Josh Hunt <joshhunt@users.noreply.github.com> * Return to login if user is not authenticated * Add tracking issue * Align BE redirect constructor to locationSvc
2024-09-25 00:38:09 +08:00
return "?redirectTo=" + url.QueryEscape(redirectTo)
}
Dashboard: Fixes kiosk state after being redirected to login page and back (#29273) * Login: Fixes issue where url parameters where modified by golang url code * Add tests * Fix test cases * Update pkg/middleware/auth_test.go Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com> * fixed formatting Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
2020-11-21 02:30:37 +08:00
var forceLoginParamsRegexp = regexp.MustCompile(`&?forceLogin=true`)
Auth: Fix redirection when auto_login is enabled (#94311) * Fix for SAML auto login * Fix for OAuth auto login
2024-10-07 20:59:00 +08:00
func RemoveForceLoginParams(str string) string {
Dashboard: Fixes kiosk state after being redirected to login page and back (#29273) * Login: Fixes issue where url parameters where modified by golang url code * Add tests * Fix test cases * Update pkg/middleware/auth_test.go Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com> * fixed formatting Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
2020-11-21 02:30:37 +08:00
return forceLoginParamsRegexp.ReplaceAllString(str, "")
}
RBAC: Fix plugins pages access-control (#76321) * RBAC: Fix plugins pages access-control * Better comment Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Add a small comment on connections/datasources routes --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2023-10-12 16:46:43 +08:00
func CanAdminPlugins(cfg *setting.Cfg, accessControl ac.AccessControl) func(c *contextmodel.ReqContext) {
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
return func(c *contextmodel.ReqContext) {
RBAC: Fix plugins pages access-control (#76321) * RBAC: Fix plugins pages access-control * Better comment Co-authored-by: Ieva <ieva.vasiljeva@grafana.com> * Add a small comment on connections/datasources routes --------- Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
2023-10-12 16:46:43 +08:00
hasAccess := ac.HasAccess(accessControl, c)
if !pluginaccesscontrol.ReqCanAdminPlugins(cfg)(c) && !hasAccess(pluginaccesscontrol.AdminAccessEvaluator) {
Plugins Catalog: Only allow admins to access plugins catalog (#57101) * feat(plugins-catalog): only allow admins to access plugins catalog routes * add backend check * fix(plugins-catalog): update route role access to include server admins Co-authored-by: Will Browne <will.browne@grafana.com>
2022-11-30 16:41:28 +08:00
accessForbidden(c)
return
}
RBAC: Check forceLogin inside CanAdminPlugins (#93449)
2024-09-20 21:35:58 +08:00
if c.AllowAnonymous && !c.IsSignedIn && shouldForceLogin(c) {
notAuthorized(c)
return
}
Plugins Catalog: Only allow admins to access plugins catalog (#57101) * feat(plugins-catalog): only allow admins to access plugins catalog routes * add backend check * fix(plugins-catalog): update route role access to include server admins Co-authored-by: Will Browne <will.browne@grafana.com>
2022-11-30 16:41:28 +08:00
}
}
RBAC: Remove accessControlOnCall feature toggle (#101222) * RBAC: Remove accessControlOnCall feature toggle * Leave the other one in place * Tests * frontend * Readd empty ft to frontend test * Remove legacy RBAC check * Fix test * no need for context * Remove unused variable * Remove unecessary param * remove unecessary param from tests * More tests :D
2025-02-25 20:44:40 +08:00
func RoleAppPluginAuth(accessControl ac.AccessControl, ps pluginstore.Store, logger log.Logger) func(c *contextmodel.ReqContext) {
Plugins: Add backend check for app page role access (#78269) * add backend check for roles * tidy * fix tests * incorporate rbac * fix linter * apply PR feedback * add tests * fix logic * add comment * apply PR feedback
2023-12-18 23:12:46 +08:00
return func(c *contextmodel.ReqContext) {
pluginID := web.Params(c.Req)[":id"]
p, exists := ps.Plugin(c.Req.Context(), pluginID)
if !exists {
// The frontend will handle app not found appropriately
return
}
permitted := true
path := normalizeIncludePath(c.Req.URL.Path)
hasAccess := ac.HasAccess(accessControl, c)
for _, i := range p.Includes {
if i.Type != "page" {
continue
}
u, err := url.Parse(i.Path)
if err != nil {
logger.Error("failed to parse include path", "pluginId", pluginID, "include", i.Name, "err", err)
continue
}
if normalizeIncludePath(u.Path) == path {
RBAC: Remove accessControlOnCall feature toggle (#101222) * RBAC: Remove accessControlOnCall feature toggle * Leave the other one in place * Tests * frontend * Readd empty ft to frontend test * Remove legacy RBAC check * Fix test * no need for context * Remove unused variable * Remove unecessary param * remove unecessary param from tests * More tests :D
2025-02-25 20:44:40 +08:00
if i.RequiresRBACAction() && !hasAccess(pluginaccesscontrol.GetPluginRouteEvaluator(pluginID, i.Action)) {
Plugins: Add backend check for app page role access (#78269) * add backend check for roles * tidy * fix tests * incorporate rbac * fix linter * apply PR feedback * add tests * fix logic * add comment * apply PR feedback
2023-12-18 23:12:46 +08:00
logger.Debug("Plugin include is covered by RBAC, user doesn't have access", "plugin", pluginID, "include", i.Name)
permitted = false
break
RBAC: Remove accessControlOnCall feature toggle (#101222) * RBAC: Remove accessControlOnCall feature toggle * Leave the other one in place * Tests * frontend * Readd empty ft to frontend test * Remove legacy RBAC check * Fix test * no need for context * Remove unused variable * Remove unecessary param * remove unecessary param from tests * More tests :D
2025-02-25 20:44:40 +08:00
} else if !i.RequiresRBACAction() && !c.HasUserRole(i.Role) {
Plugins: Add backend check for app page role access (#78269) * add backend check for roles * tidy * fix tests * incorporate rbac * fix linter * apply PR feedback * add tests * fix logic * add comment * apply PR feedback
2023-12-18 23:12:46 +08:00
permitted = false
break
}
}
}
if !permitted {
accessForbidden(c)
return
}
}
}
func normalizeIncludePath(p string) string {
return strings.TrimPrefix(filepath.Clean(p), "/")
}
Move SignedInUser to user service and RoleType and Roles to org (#53445) * Move SignedInUser to user service and RoleType and Roles to org * Use go naming convention for roles * Fix some imports and leftovers * Fix ldap debug test * Fix lint * Fix lint 2 * Fix lint 3 * Fix type and not needed conversion * Clean up messages in api tests * Clean up api tests 2
2022-08-10 17:56:48 +08:00
func RoleAuth(roles ...org.RoleType) web.Handler {
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
return func(c *contextmodel.ReqContext) {
Role checking when saving dashboard, making sure that the user has owner or editor role
2015-01-16 22:28:44 +08:00
ok := false
for _, role := range roles {
Big Backend Refatoring: Renamed Account -> Org
2015-02-24 03:07:49 +08:00
if role == c.OrgRole {
Role checking when saving dashboard, making sure that the user has owner or editor role
2015-01-16 22:28:44 +08:00
ok = true
break
}
}
if !ok {
fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693
2015-09-08 16:46:31 +08:00
accessForbidden(c)
Role checking when saving dashboard, making sure that the user has owner or editor role
2015-01-16 22:28:44 +08:00
}
}
}
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go
2021-10-11 20:30:59 +08:00
func Auth(options *AuthOptions) web.Handler {
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
return func(c *contextmodel.ReqContext) {
Auth: Fix POST request failures with anonymous access (#26049) Macaron context.QueryBool() seems to modify the request context that causes the POST and PUT requests to fail with: "http: proxy error: net/http: HTTP/1.x transport connection broken: http: ContentLength=333 with Body length 0"
2020-07-06 20:59:00 +08:00
forceLogin := false
if c.AllowAnonymous {
Snapshots: Fix usage of sign in link from the snapshot page (#31986) Fix redirect to login page from snapshot page when not authenticated. Fixes #28547
2021-03-16 23:46:34 +08:00
forceLogin = shouldForceLogin(c)
Auth: Should redirect to login when anonymous enabled and URL with different org than anonymous specified (#28158) If anonymous access is enabled for an org and there are multiple orgs. When requesting a page that requires user to be logged in and orgId query string is set in the request url to an org not equal the anonymous org, if the user is not logged in should be redirected to the login page. Fixes #26120 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
2020-10-23 22:34:35 +08:00
if !forceLogin {
orgIDValue := c.Req.URL.Query().Get("orgId")
orgID, err := strconv.ParseInt(orgIDValue, 10, 64)
CI: Bump golangci-lint to 2.0.2 (#103572)
2025-04-10 20:42:23 +08:00
if err == nil && orgID > 0 && orgID != c.GetOrgID() {
Auth: Should redirect to login when anonymous enabled and URL with different org than anonymous specified (#28158) If anonymous access is enabled for an org and there are multiple orgs. When requesting a page that requires user to be logged in and orgId query string is set in the request url to an org not equal the anonymous org, if the user is not logged in should be redirected to the login page. Fixes #26120 Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Sofia Papagiannaki <papagian@users.noreply.github.com>
2020-10-23 22:34:35 +08:00
forceLogin = true
}
}
Auth: Fix POST request failures with anonymous access (#26049) Macaron context.QueryBool() seems to modify the request context that causes the POST and PUT requests to fail with: "http: proxy error: net/http: HTTP/1.x transport connection broken: http: ContentLength=333 with Body length 0"
2020-07-06 20:59:00 +08:00
}
Profile: Fixes profile preferences being accessible when anonymous access was enabled (#31516) * Profile: Fixes profile preferences page being available when anonymous access was enabled * Minor change * Renamed property
2021-02-28 01:04:28 +08:00
requireLogin := !c.AllowAnonymous || forceLogin || options.ReqNoAnonynmous
Auth: Add support for forcing authentication in anonymous mode and modify SignIn to use it instead of redirect (#25567) * Forbid additional redirect urls * Optionally force login in anonymous mode * Update LoginCtrl page to ignore redirect parameter * Modify SignIn to set forceLogin query instead of redirect * Pass appUrl to frontend and use URL API for updating url query * Apply suggestions from code review Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com> * Fix SignIn test Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>
2020-06-16 21:33:44 +08:00
if !c.IsSignedIn && options.ReqSignedIn && requireLogin {
Auth: Refactor auth package (#58920) * Auth: move interface to its own file * Auth: move to test package * Auth: move quota consts to auth file * Auth: move service to impl package * Auth: move interfaces and related models to auth package * Auth: Create sub package and type alias to avoid circular dependency
2022-11-18 16:56:06 +08:00
var revokedErr *auth.TokenRevokedError
Chore: Remove untyped data map from macaron context (#39077)
2021-09-13 21:41:03 +08:00
if errors.As(c.LookupTokenErr, &revokedErr) {
Auth: Allow soft token revocation (#31601) * Add revoked_at field to user auth token to allow soft revokes * Allow soft token revocations * Update token revocations and tests * Return error info on revokedTokenErr * Override session cookie only when no revokedErr nor API request * Display modal on revoked token error * Feedback: Refactor TokenRevokedModal to FC * Add GetUserRevokedTokens into UserTokenService * Backendsrv: adds tests and refactors soft token path * Apply feedback * Write redirect cookie on token revoked error * Update TokenRevokedModal style * Return meaningful error info * Some UI changes * Update backend_srv tests * Minor style fix on backend_srv tests * Replace deprecated method usage to publish events * Fix backend_srv tests * Apply suggestions from code review Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com> * Apply suggestions from code review * Apply suggestions from code review Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com> * Minor style fix after PR suggestion commit * Apply suggestions from code review Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com> * Prettier fixes Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: Ursula Kallio <73951760+osg-grafana@users.noreply.github.com>
2021-03-17 00:44:02 +08:00
tokenRevoked(c, revokedErr)
return
}
fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693
2015-09-08 16:46:31 +08:00
notAuthorized(c)
Refactoring of auth middleware, and starting work on account admin
2015-01-15 19:16:54 +08:00
return
}
add Token authentication support Added CRUD methods for Tokens. Extend Auth Handler to check for the presence of a Bearer Authorization header to authenticate against. If there is no header, or the token is not valid, the Auth Handler falls back to looking for a Session.
2015-01-14 16:33:34 +08:00
fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693
2015-09-08 16:46:31 +08:00
if !c.IsGrafanaAdmin && options.ReqGrafanaAdmin {
accessForbidden(c)
Refactoring of auth middleware, and starting work on account admin
2015-01-15 19:16:54 +08:00
return
add Token authentication support Added CRUD methods for Tokens. Extend Auth Handler to check for the presence of a Bearer Authorization header to authenticate against. If there is no header, or the token is not valid, the Auth Handler falls back to looking for a Session.
2015-01-14 16:33:34 +08:00
}
macaron transition progress
2014-10-06 03:13:01 +08:00
}
}
teams: editors can work with teams.
2019-03-06 17:27:38 +08:00
Snapshots: Add RBAC roles for creating and deleting (#96126)
2024-11-26 20:13:17 +08:00
// SnapshotPublicModeOrCreate creates a middleware that allows access
// if snapshot public mode is enabled or if user has creation permission.
func SnapshotPublicModeOrCreate(cfg *setting.Cfg, ac2 ac.AccessControl) web.Handler {
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
return func(c *contextmodel.ReqContext) {
Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com>
2020-12-11 18:44:44 +08:00
if cfg.SnapshotPublicMode {
Snapshot: Fix http api (#18830) (cherry picked from commit be2e2330f5c1f92082841d7eb13c5583143963a4)
2019-09-02 21:15:46 +08:00
return
}
Snapshots: Disallow anonymous user to create snapshots (#31263)
2021-02-17 16:51:50 +08:00
if !c.IsSignedIn {
notAuthorized(c)
return
Snapshot: Fix http api (#18830) (cherry picked from commit be2e2330f5c1f92082841d7eb13c5583143963a4)
2019-09-02 21:15:46 +08:00
}
Snapshots: Add RBAC roles for creating and deleting (#96126)
2024-11-26 20:13:17 +08:00
ac.Middleware(ac2)(ac.EvalPermission(dashboards.ActionSnapshotsCreate))
}
}
// SnapshotPublicModeOrDelete creates a middleware that allows access
// if snapshot public mode is enabled or if user has delete permission.
func SnapshotPublicModeOrDelete(cfg *setting.Cfg, ac2 ac.AccessControl) web.Handler {
return func(c *contextmodel.ReqContext) {
if cfg.SnapshotPublicMode {
return
}
if !c.IsSignedIn {
notAuthorized(c)
return
}
ac.Middleware(ac2)(ac.EvalPermission(dashboards.ActionSnapshotsDelete))
Snapshot: Fix http api (#18830) (cherry picked from commit be2e2330f5c1f92082841d7eb13c5583143963a4)
2019-09-02 21:15:46 +08:00
}
}
Snapshots: Fix usage of sign in link from the snapshot page (#31986) Fix redirect to login page from snapshot page when not authenticated. Fixes #28547
2021-03-16 23:46:34 +08:00
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
func ReqNotSignedIn(c *contextmodel.ReqContext) {
Login: Require user to not be signed in to get request password email (#35421)
2021-06-15 00:02:05 +08:00
if c.IsSignedIn {
c.Redirect(setting.AppSubUrl + "/")
}
}
Snapshots: Fix usage of sign in link from the snapshot page (#31986) Fix redirect to login page from snapshot page when not authenticated. Fixes #28547
2021-03-16 23:46:34 +08:00
// NoAuth creates a middleware that doesn't require any authentication.
// If forceLogin param is set it will redirect the user to the login page.
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go
2021-10-11 20:30:59 +08:00
func NoAuth() web.Handler {
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
return func(c *contextmodel.ReqContext) {
Snapshots: Fix usage of sign in link from the snapshot page (#31986) Fix redirect to login page from snapshot page when not authenticated. Fixes #28547
2021-03-16 23:46:34 +08:00
if shouldForceLogin(c) {
notAuthorized(c)
return
}
}
}
// shouldForceLogin checks if user should be enforced to login.
// Returns true if forceLogin parameter is set.
Chore: Move ReqContext to contexthandler service (#62102) * Chore: Move ReqContext to contexthandler service * Rename package to contextmodel * Generate ngalert files * Remove unused imports
2023-01-27 15:50:36 +08:00
func shouldForceLogin(c *contextmodel.ReqContext) bool {
Snapshots: Fix usage of sign in link from the snapshot page (#31986) Fix redirect to login page from snapshot page when not authenticated. Fixes #28547
2021-03-16 23:46:34 +08:00
forceLogin := false
forceLoginParam, err := strconv.ParseBool(c.Req.URL.Query().Get("forceLogin"))
if err == nil {
forceLogin = forceLoginParam
}
return forceLogin
}