grafana/pkg/api/login.go

package api

import (
	"net/url"

	"github.com/grafana/grafana/pkg/api/dtos"
	"github.com/grafana/grafana/pkg/bus"
	"github.com/grafana/grafana/pkg/log"
	"github.com/grafana/grafana/pkg/login"
	"github.com/grafana/grafana/pkg/metrics"
	m "github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/services/session"
	"github.com/grafana/grafana/pkg/setting"
)

const (
	ViewIndex = "index"
)

func (hs *HTTPServer) LoginView(c *m.ReqContext) {
	viewData, err := hs.setIndexViewData(c)
	if err != nil {
		c.Handle(500, "Failed to get settings", err)
		return
	}

	enabledOAuths := make(map[string]interface{})
	for key, oauth := range setting.OAuthService.OAuthInfos {
		enabledOAuths[key] = map[string]string{"name": oauth.Name}
	}

	viewData.Settings["oauth"] = enabledOAuths
	viewData.Settings["disableUserSignUp"] = !setting.AllowUserSignUp
	viewData.Settings["loginHint"] = setting.LoginHint
	viewData.Settings["disableLoginForm"] = setting.DisableLoginForm

	if loginError, ok := c.Session.Get("loginError").(string); ok {
		c.Session.Delete("loginError")
		viewData.Settings["loginError"] = loginError
	}

	if tryOAuthAutoLogin(c) {
		return
	}

	if !tryLoginUsingRememberCookie(c) {
		c.HTML(200, ViewIndex, viewData)
		return
	}

	if redirectTo, _ := url.QueryUnescape(c.GetCookie("redirect_to")); len(redirectTo) > 0 {
		c.SetCookie("redirect_to", "", -1, setting.AppSubUrl+"/")
		c.Redirect(redirectTo)
		return
	}

	c.Redirect(setting.AppSubUrl + "/")
}

func tryOAuthAutoLogin(c *m.ReqContext) bool {
	if !setting.OAuthAutoLogin {
		return false
	}
	oauthInfos := setting.OAuthService.OAuthInfos
	if len(oauthInfos) != 1 {
		log.Warn("Skipping OAuth auto login because multiple OAuth providers are configured.")
		return false
	}
	for key := range setting.OAuthService.OAuthInfos {
		redirectUrl := setting.AppSubUrl + "/login/" + key
		log.Info("OAuth auto login enabled. Redirecting to " + redirectUrl)
		c.Redirect(redirectUrl, 307)
		return true
	}
	return false
}

func tryLoginUsingRememberCookie(c *m.ReqContext) bool {
	// Check auto-login.
	uname := c.GetCookie(setting.CookieUserName)
	if len(uname) == 0 {
		return false
	}

	isSucceed := false
	defer func() {
		if !isSucceed {
			log.Trace("auto-login cookie cleared: %s", uname)
			c.SetCookie(setting.CookieUserName, "", -1, setting.AppSubUrl+"/")
			c.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubUrl+"/")
			return
		}
	}()

	userQuery := m.GetUserByLoginQuery{LoginOrEmail: uname}
	if err := bus.Dispatch(&userQuery); err != nil {
		return false
	}

	user := userQuery.Result

	// validate remember me cookie
	signingKey := user.Rands + user.Password
	if len(signingKey) < 10 {
		c.Logger.Error("Invalid user signingKey")
		return false
	}

	if val, _ := c.GetSuperSecureCookie(signingKey, setting.CookieRememberName); val != user.Login {
		return false
	}

	isSucceed = true
	loginUserWithUser(user, c)
	return true
}

func LoginAPIPing(c *m.ReqContext) {
	if !tryLoginUsingRememberCookie(c) {
		c.JsonApiErr(401, "Unauthorized", nil)
		return
	}

	c.JsonOK("Logged in")
}

func LoginPost(c *m.ReqContext, cmd dtos.LoginCommand) Response {
	if setting.DisableLoginForm {
		return Error(401, "Login is disabled", nil)
	}

	authQuery := &m.LoginUserQuery{
		ReqContext: c,
		Username:   cmd.User,
		Password:   cmd.Password,
		IpAddress:  c.Req.RemoteAddr,
	}

	if err := bus.Dispatch(authQuery); err != nil {
		if err == login.ErrInvalidCredentials || err == login.ErrTooManyLoginAttempts {
			return Error(401, "Invalid username or password", err)
		}

		return Error(500, "Error while trying to authenticate user", err)
	}

	user := authQuery.User

	loginUserWithUser(user, c)

	result := map[string]interface{}{
		"message": "Logged in",
	}

	if redirectTo, _ := url.QueryUnescape(c.GetCookie("redirect_to")); len(redirectTo) > 0 {
		result["redirectUrl"] = redirectTo
		c.SetCookie("redirect_to", "", -1, setting.AppSubUrl+"/")
	}

	metrics.M_Api_Login_Post.Inc()

	return JSON(200, result)
}

func loginUserWithUser(user *m.User, c *m.ReqContext) {
	if user == nil {
		log.Error(3, "User login with nil user")
	}

	c.Resp.Header().Del("Set-Cookie")

	days := 86400 * setting.LogInRememberDays
	if days > 0 {
		c.SetCookie(setting.CookieUserName, user.Login, days, setting.AppSubUrl+"/")
		c.SetSuperSecureCookie(user.Rands+user.Password, setting.CookieRememberName, user.Login, days, setting.AppSubUrl+"/")
	}

	c.Session.RegenerateId(c.Context)
	c.Session.Set(session.SESS_KEY_USERID, user.Id)
}

func Logout(c *m.ReqContext) {
	c.SetCookie(setting.CookieUserName, "", -1, setting.AppSubUrl+"/")
	c.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubUrl+"/")
	c.Session.Destory(c.Context)
	if setting.SignoutRedirectUrl != "" {
		c.Redirect(setting.SignoutRedirectUrl)
	} else {
		c.Redirect(setting.AppSubUrl + "/login")
	}
}
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 20:36:08 +08:00			`package api`

			`import (`
Worked on login remember cookie, and redirect after login 2015-01-27 19:05:23 +08:00			`"net/url"`

Changed go package path 2015-02-05 17:37:13 +08:00			`"github.com/grafana/grafana/pkg/api/dtos"`
			`"github.com/grafana/grafana/pkg/bus"`
			`"github.com/grafana/grafana/pkg/log"`
feat(ldap): work on reading ldap config from toml file, #1450 2015-07-15 16:08:23 +08:00			`"github.com/grafana/grafana/pkg/login"`
Added server metrics 2015-03-23 03:14:00 +08:00			`"github.com/grafana/grafana/pkg/metrics"`
Changed go package path 2015-02-05 17:37:13 +08:00			`m "github.com/grafana/grafana/pkg/models"`
move Context and session out of middleware 2018-03-07 06:59:45 +08:00			`"github.com/grafana/grafana/pkg/services/session"`
Changed go package path 2015-02-05 17:37:13 +08:00			`"github.com/grafana/grafana/pkg/setting"`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 20:36:08 +08:00			`)`

Worked on login remember cookie, and redirect after login 2015-01-27 19:05:23 +08:00			`const (`
Make golint happier 2018-03-22 19:37:35 +08:00			`ViewIndex = "index"`
Worked on login remember cookie, and redirect after login 2015-01-27 19:05:23 +08:00			`)`

Adds backend hooks service so extensions can modify index data 2018-10-12 17:26:42 +08:00			`func (hs HTTPServer) LoginView(c m.ReqContext) {`
			`viewData, err := hs.setIndexViewData(c)`
feat(external_plugin): lots of refactoring for side menu link extensions and view data, #3185 2015-11-20 16:43:10 +08:00			`if err != nil {`
Changed from goconfig to its new counter part go-ini 2015-01-27 17:09:54 +08:00			`c.Handle(500, "Failed to get settings", err)`
			`return`
			`}`

feat(oauth): refactoring PR #6077 2016-09-28 21:10:50 +08:00			`enabledOAuths := make(map[string]interface{})`
			`for key, oauth := range setting.OAuthService.OAuthInfos {`
			`enabledOAuths[key] = map[string]string{"name": oauth.Name}`
			`}`

			`viewData.Settings["oauth"] = enabledOAuths`
feat(external_plugin): lots of refactoring for side menu link extensions and view data, #3185 2015-11-20 16:43:10 +08:00			`viewData.Settings["disableUserSignUp"] = !setting.AllowUserSignUp`
Merge branch 'master' into external-plugins Conflicts: pkg/api/login.go public/app/core/routes/all.js public/app/core/table_model.ts public/app/panels/table/table_model.ts public/app/plugins/panels/table/editor.ts public/app/plugins/panels/table/table_model.ts 2015-12-15 00:28:57 +08:00			`viewData.Settings["loginHint"] = setting.LoginHint`
feat(config): changed name of allow_user_login_pass to disable_login_form, changed the section of the config option to [auth], impacts merged PR #5423 2016-09-28 21:27:08 +08:00			`viewData.Settings["disableLoginForm"] = setting.DisableLoginForm`
Login: only enabled oauth options are shown on login page 2015-01-28 17:26:13 +08:00
Add common type for oauth authorization errors 2017-02-01 21:32:51 +08:00			`if loginError, ok := c.Session.Get("loginError").(string); ok {`
oauth: delete session key instead of set to empty Adds the Delete function to the Session wrapper so that the Macaron function for deleting keys from a Session can be used. https://go-macaron.com/docs/middlewares/session#implement-provider-interface 2017-03-23 22:26:13 +08:00			`c.Session.Delete("loginError")`
Add common type for oauth authorization errors 2017-02-01 21:32:51 +08:00			`viewData.Settings["loginError"] = loginError`
			`}`

Implement oauth_auto_login setting Redirect in backend 2018-05-28 22:16:48 +08:00			`if tryOAuthAutoLogin(c) {`
			`return`
			`}`

Datasource proxy & session timeout fix (casued 401 Unauthorized error after a while), Fixes #1667 2015-04-07 15:25:00 +08:00			`if !tryLoginUsingRememberCookie(c) {`
Make golint happier 2018-03-22 19:37:35 +08:00			`c.HTML(200, ViewIndex, viewData)`
Datasource proxy & session timeout fix (casued 401 Unauthorized error after a while), Fixes #1667 2015-04-07 15:25:00 +08:00			`return`
			`}`

			`if redirectTo, _ := url.QueryUnescape(c.GetCookie("redirect_to")); len(redirectTo) > 0 {`
			`c.SetCookie("redirect_to", "", -1, setting.AppSubUrl+"/")`
			`c.Redirect(redirectTo)`
			`return`
			`}`

			`c.Redirect(setting.AppSubUrl + "/")`
			`}`

Implement oauth_auto_login setting Redirect in backend 2018-05-28 22:16:48 +08:00			`func tryOAuthAutoLogin(c *m.ReqContext) bool {`
			`if !setting.OAuthAutoLogin {`
			`return false`
			`}`
			`oauthInfos := setting.OAuthService.OAuthInfos`
			`if len(oauthInfos) != 1 {`
			`log.Warn("Skipping OAuth auto login because multiple OAuth providers are configured.")`
			`return false`
			`}`
			`for key := range setting.OAuthService.OAuthInfos {`
			`redirectUrl := setting.AppSubUrl + "/login/" + key`
			`log.Info("OAuth auto login enabled. Redirecting to " + redirectUrl)`
			`c.Redirect(redirectUrl, 307)`
			`return true`
			`}`
			`return false`
			`}`

rename Context to ReqContext 2018-03-08 00:54:50 +08:00			`func tryLoginUsingRememberCookie(c *m.ReqContext) bool {`
Worked on login remember cookie, and redirect after login 2015-01-27 19:05:23 +08:00			`// Check auto-login.`
			`uname := c.GetCookie(setting.CookieUserName)`
			`if len(uname) == 0 {`
Datasource proxy & session timeout fix (casued 401 Unauthorized error after a while), Fixes #1667 2015-04-07 15:25:00 +08:00			`return false`
Worked on login remember cookie, and redirect after login 2015-01-27 19:05:23 +08:00			`}`

			`isSucceed := false`
			`defer func() {`
			`if !isSucceed {`
			`log.Trace("auto-login cookie cleared: %s", uname)`
			`c.SetCookie(setting.CookieUserName, "", -1, setting.AppSubUrl+"/")`
			`c.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubUrl+"/")`
			`return`
			`}`
			`}()`

			`userQuery := m.GetUserByLoginQuery{LoginOrEmail: uname}`
			`if err := bus.Dispatch(&userQuery); err != nil {`
Datasource proxy & session timeout fix (casued 401 Unauthorized error after a while), Fixes #1667 2015-04-07 15:25:00 +08:00			`return false`
Worked on login remember cookie, and redirect after login 2015-01-27 19:05:23 +08:00			`}`

			`user := userQuery.Result`

Datasource proxy & session timeout fix (casued 401 Unauthorized error after a while), Fixes #1667 2015-04-07 15:25:00 +08:00			`// validate remember me cookie`
sql: added code migration type 2018-08-21 19:30:39 +08:00			`signingKey := user.Rands + user.Password`
			`if len(signingKey) < 10 {`
			`c.Logger.Error("Invalid user signingKey")`
			`return false`
			`}`

			`if val, _ := c.GetSuperSecureCookie(signingKey, setting.CookieRememberName); val != user.Login {`
Datasource proxy & session timeout fix (casued 401 Unauthorized error after a while), Fixes #1667 2015-04-07 15:25:00 +08:00			`return false`
Worked on login remember cookie, and redirect after login 2015-01-27 19:05:23 +08:00			`}`

			`isSucceed = true`
			`loginUserWithUser(user, c)`
Datasource proxy & session timeout fix (casued 401 Unauthorized error after a while), Fixes #1667 2015-04-07 15:25:00 +08:00			`return true`
			`}`
Worked on login remember cookie, and redirect after login 2015-01-27 19:05:23 +08:00
Make golint happier 2018-03-22 19:37:35 +08:00			`func LoginAPIPing(c *m.ReqContext) {`
Datasource proxy & session timeout fix (casued 401 Unauthorized error after a while), Fixes #1667 2015-04-07 15:25:00 +08:00			`if !tryLoginUsingRememberCookie(c) {`
			`c.JsonApiErr(401, "Unauthorized", nil)`
Worked on login remember cookie, and redirect after login 2015-01-27 19:05:23 +08:00			`return`
			`}`

Datasource proxy & session timeout fix (casued 401 Unauthorized error after a while), Fixes #1667 2015-04-07 15:25:00 +08:00			`c.JsonOK("Logged in")`
Changed from goconfig to its new counter part go-ini 2015-01-27 17:09:54 +08:00			`}`

rename Context to ReqContext 2018-03-08 00:54:50 +08:00			`func LoginPost(c *m.ReqContext, cmd dtos.LoginCommand) Response {`
disable inviting new users to orgs if login form is disabled 2017-03-18 04:35:05 +08:00			`if setting.DisableLoginForm {`
Make golint happier 2018-03-23 05:13:46 +08:00			`return Error(401, "Login is disabled", nil)`
disable inviting new users to orgs if login form is disabled 2017-03-18 04:35:05 +08:00			`}`

switch to passing ReqContext as a property 2018-03-24 03:50:07 +08:00			`authQuery := &m.LoginUserQuery{`
			`ReqContext: c,`
			`Username: cmd.User,`
			`Password: cmd.Password,`
			`IpAddress: c.Req.RemoteAddr,`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 20:36:08 +08:00			`}`

switch to passing ReqContext as a property 2018-03-24 03:50:07 +08:00			`if err := bus.Dispatch(authQuery); err != nil {`
WIP: Protect against brute force (frequent) login attempts (#10031) * db: add login attempt migrations * db: add possibility to create login attempts * db: add possibility to retrieve login attempt count per username * auth: validation and update of login attempts for invalid credentials If login attempt count for user authenticating is 5 or more the last 5 minutes we temporarily block the user access to login * db: add possibility to delete expired login attempts * cleanup: Delete login attempts older than 10 minutes The cleanup job are running continuously and triggering each 10 minute * fix typo: rename consequent to consequent * auth: enable login attempt validation for ldap logins * auth: disable login attempts validation by configuration Setting is named DisableLoginAttemptsValidation and is false by default Config disable_login_attempts_validation is placed under security section #7616 * auth: don't run cleanup of login attempts if feature is disabled #7616 * auth: rename settings.go to ldap_settings.go * auth: refactor AuthenticateUser Extract grafana login, ldap login and login attemp validation together with their tests to separate files. Enables testing of many more aspects when authenticating a user. #7616 * auth: rename login attempt validation to brute force login protection Setting DisableLoginAttemptsValidation => DisableBruteForceLoginProtection Configuration disable_login_attempts_validation => disable_brute_force_login_protection #7616 2018-01-26 17:41:41 +08:00			`if err == login.ErrInvalidCredentials \|\| err == login.ErrTooManyLoginAttempts {`
Make golint happier 2018-03-23 05:13:46 +08:00			`return Error(401, "Invalid username or password", err)`
Initial work on ldap support, #1450 2015-06-04 15:34:42 +08:00			`}`

Make golint happier 2018-03-23 05:13:46 +08:00			`return Error(500, "Error while trying to authenticate user", err)`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 20:36:08 +08:00			`}`

Started work on LDAP again, #1450 2015-07-10 17:10:48 +08:00			`user := authQuery.User`

User / Account model split, User and account now seperate entities, collaborators are now AccountUsers 2015-01-20 01:01:04 +08:00			`loginUserWithUser(user, c)`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 20:36:08 +08:00
Worked on login remember cookie, and redirect after login 2015-01-27 19:05:23 +08:00			`result := map[string]interface{}{`
			`"message": "Logged in",`
			`}`

			`if redirectTo, _ := url.QueryUnescape(c.GetCookie("redirect_to")); len(redirectTo) > 0 {`
			`result["redirectUrl"] = redirectTo`
			`c.SetCookie("redirect_to", "", -1, setting.AppSubUrl+"/")`
			`}`

convert old metrics to prom metrics 2017-09-06 17:23:52 +08:00			`metrics.M_Api_Login_Post.Inc()`
Added server metrics 2015-03-23 03:14:00 +08:00
Make golint happier 2018-03-23 05:13:46 +08:00			`return JSON(200, result)`
Initial work on ldap support, #1450 2015-06-04 15:34:42 +08:00			`}`

rename Context to ReqContext 2018-03-08 00:54:50 +08:00			`func loginUserWithUser(user m.User, c m.ReqContext) {`
User / Account model split, User and account now seperate entities, collaborators are now AccountUsers 2015-01-20 01:01:04 +08:00			`if user == nil {`
			`log.Error(3, "User login with nil user")`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 20:36:08 +08:00			`}`

fix: remove duplicate set-cookie when logging in, fixes #9013 2017-08-21 17:10:59 +08:00			`c.Resp.Header().Del("Set-Cookie")`

Backend auth: remember cookie is needed for oauth logins as well 2015-04-15 19:38:38 +08:00			`days := 86400 * setting.LogInRememberDays`
Do not set remember me cookie when days are set to zero 2016-03-08 00:26:31 +08:00			`if days > 0 {`
			`c.SetCookie(setting.CookieUserName, user.Login, days, setting.AppSubUrl+"/")`
fix: change to remember me cookie encoding 2017-04-25 21:29:44 +08:00			`c.SetSuperSecureCookie(user.Rands+user.Password, setting.CookieRememberName, user.Login, days, setting.AppSubUrl+"/")`
Do not set remember me cookie when days are set to zero 2016-03-08 00:26:31 +08:00			`}`
Backend auth: remember cookie is needed for oauth logins as well 2015-04-15 19:38:38 +08:00
move Context and session out of middleware 2018-03-07 06:59:45 +08:00			`c.Session.RegenerateId(c.Context)`
			`c.Session.Set(session.SESS_KEY_USERID, user.Id)`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 20:36:08 +08:00			`}`

rename Context to ReqContext 2018-03-08 00:54:50 +08:00			`func Logout(c *m.ReqContext) {`
Worked on login remember cookie, and redirect after login 2015-01-27 19:05:23 +08:00			`c.SetCookie(setting.CookieUserName, "", -1, setting.AppSubUrl+"/")`
			`c.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubUrl+"/")`
move Context and session out of middleware 2018-03-07 06:59:45 +08:00			`c.Session.Destory(c.Context)`
Fix #9847 Add a generic signout_redirect_url to enable oauth logout Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> 2018-05-27 20:52:50 +08:00			`if setting.SignoutRedirectUrl != "" {`
			`c.Redirect(setting.SignoutRedirectUrl)`
			`} else {`
			`c.Redirect(setting.AppSubUrl + "/login")`
			`}`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 20:36:08 +08:00			`}`