grafana/pkg/middleware/auth.go

106 lines
2.1 KiB
Go
Raw Normal View History

2014-10-06 03:13:01 +08:00
package middleware
import (
"net/url"
"strings"
macaron "gopkg.in/macaron.v1"
2015-01-14 21:25:12 +08:00
2015-02-05 17:37:13 +08:00
m "github.com/grafana/grafana/pkg/models"
"github.com/grafana/grafana/pkg/setting"
"github.com/grafana/grafana/pkg/util"
2014-10-06 03:13:01 +08:00
)
type AuthOptions struct {
ReqGrafanaAdmin bool
ReqSignedIn bool
}
2018-03-08 00:54:50 +08:00
func getApiKey(c *m.ReqContext) string {
header := c.Req.Header.Get("Authorization")
parts := strings.SplitN(header, " ", 2)
if len(parts) == 2 && parts[0] == "Bearer" {
2015-01-27 15:26:11 +08:00
key := parts[1]
return key
2014-10-06 03:13:01 +08:00
}
username, password, err := util.DecodeBasicAuthHeader(header)
if err == nil && username == "api_key" {
return password
}
return ""
2014-10-06 03:13:01 +08:00
}
2018-03-08 00:54:50 +08:00
func accessForbidden(c *m.ReqContext) {
2015-01-14 21:25:12 +08:00
if c.IsApiRequest() {
c.JsonApiErr(403, "Permission denied", nil)
return
}
c.Redirect(setting.AppSubUrl + "/")
}
2018-03-08 00:54:50 +08:00
func notAuthorized(c *m.ReqContext) {
if c.IsApiRequest() {
c.JsonApiErr(401, "Unauthorized", nil)
return
2015-01-14 21:25:12 +08:00
}
c.SetCookie("redirect_to", url.QueryEscape(setting.AppSubUrl+c.Req.RequestURI), 0, setting.AppSubUrl+"/", nil, false, true)
2015-01-05 04:03:40 +08:00
c.Redirect(setting.AppSubUrl + "/login")
2014-10-06 03:13:01 +08:00
}
func EnsureEditorOrViewerCanEdit(c *m.ReqContext) {
if !c.SignedInUser.HasRole(m.ROLE_EDITOR) && !setting.ViewersCanEdit {
accessForbidden(c)
}
}
func RoleAuth(roles ...m.RoleType) macaron.Handler {
2018-03-08 00:54:50 +08:00
return func(c *m.ReqContext) {
ok := false
for _, role := range roles {
if role == c.OrgRole {
ok = true
break
}
}
if !ok {
accessForbidden(c)
}
}
}
func Auth(options *AuthOptions) macaron.Handler {
2018-03-08 00:54:50 +08:00
return func(c *m.ReqContext) {
if !c.IsSignedIn && options.ReqSignedIn && !c.AllowAnonymous {
notAuthorized(c)
return
}
if !c.IsGrafanaAdmin && options.ReqGrafanaAdmin {
accessForbidden(c)
return
}
2014-10-06 03:13:01 +08:00
}
}
2019-03-06 17:27:38 +08:00
// AdminOrFeatureEnabled creates a middleware that allows access
// if the signed in user is either an Org Admin or if the
// feature flag is enabled.
// Intended for when feature flags open up access to APIs that
// are otherwise only available to admins.
func AdminOrFeatureEnabled(enabled bool) macaron.Handler {
2019-03-06 17:27:38 +08:00
return func(c *m.ReqContext) {
if c.OrgRole == m.ROLE_ADMIN {
return
2019-03-06 17:27:38 +08:00
}
if !enabled {
2019-03-06 17:27:38 +08:00
accessForbidden(c)
}
}
}