grafana/pkg/middleware/auth_proxy.go

package middleware

import (
	"errors"
	"fmt"
	"strings"
	"time"

	"github.com/grafana/grafana/pkg/bus"
	"github.com/grafana/grafana/pkg/log"
	"github.com/grafana/grafana/pkg/login"
	m "github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/services/session"
	"github.com/grafana/grafana/pkg/setting"
)

func initContextWithAuthProxy(ctx *m.Context, orgId int64) bool {
	if !setting.AuthProxyEnabled {
		return false
	}

	proxyHeaderValue := ctx.Req.Header.Get(setting.AuthProxyHeaderName)
	if len(proxyHeaderValue) == 0 {
		return false
	}

	// if auth proxy ip(s) defined, check if request comes from one of those
	if err := checkAuthenticationProxy(ctx, proxyHeaderValue); err != nil {
		ctx.Handle(407, "Proxy authentication required", err)
		return true
	}

	query := getSignedInUserQueryForProxyAuth(proxyHeaderValue)
	query.OrgId = orgId
	if err := bus.Dispatch(query); err != nil {
		if err != m.ErrUserNotFound {
			ctx.Handle(500, "Failed to find user specified in auth proxy header", err)
			return true
		}

		if setting.AuthProxyAutoSignUp {
			cmd := getCreateUserCommandForProxyAuth(proxyHeaderValue)
			if setting.LdapEnabled {
				cmd.SkipOrgSetup = true
			}

			if err := bus.Dispatch(cmd); err != nil {
				ctx.Handle(500, "Failed to create user specified in auth proxy header", err)
				return true
			}
			query = &m.GetSignedInUserQuery{UserId: cmd.Result.Id, OrgId: orgId}
			if err := bus.Dispatch(query); err != nil {
				ctx.Handle(500, "Failed find user after creation", err)
				return true
			}
		} else {
			return false
		}
	}

	// initialize session
	if err := ctx.Session.Start(ctx.Context); err != nil {
		log.Error(3, "Failed to start session", err)
		return false
	}

	// Make sure that we cannot share a session between different users!
	if getRequestUserId(ctx) > 0 && getRequestUserId(ctx) != query.Result.UserId {
		// remove session
		if err := ctx.Session.Destory(ctx.Context); err != nil {
			log.Error(3, "Failed to destroy session, err")
		}

		// initialize a new session
		if err := ctx.Session.Start(ctx.Context); err != nil {
			log.Error(3, "Failed to start session", err)
		}
	}

	// When ldap is enabled, sync userinfo and org roles
	if err := syncGrafanaUserWithLdapUser(ctx, query); err != nil {
		if err == login.ErrInvalidCredentials {
			ctx.Handle(500, "Unable to authenticate user", err)
			return false
		}

		ctx.Handle(500, "Failed to sync user", err)
		return false
	}

	ctx.SignedInUser = query.Result
	ctx.IsSignedIn = true
	ctx.Session.Set(session.SESS_KEY_USERID, ctx.UserId)

	return true
}

var syncGrafanaUserWithLdapUser = func(ctx *m.Context, query *m.GetSignedInUserQuery) error {
	if setting.LdapEnabled {
		expireEpoch := time.Now().Add(time.Duration(-setting.AuthProxyLdapSyncTtl) * time.Minute).Unix()

		var lastLdapSync int64
		if lastLdapSyncInSession := ctx.Session.Get(session.SESS_KEY_LASTLDAPSYNC); lastLdapSyncInSession != nil {
			lastLdapSync = lastLdapSyncInSession.(int64)
		}

		if lastLdapSync < expireEpoch {
			ldapCfg := login.LdapCfg

			for _, server := range ldapCfg.Servers {
				author := login.NewLdapAuthenticator(server)
				if err := author.SyncSignedInUser(query.Result); err != nil {
					return err
				}
			}

			ctx.Session.Set(session.SESS_KEY_LASTLDAPSYNC, time.Now().Unix())
		}
	}

	return nil
}

func checkAuthenticationProxy(ctx *m.Context, proxyHeaderValue string) error {
	if len(strings.TrimSpace(setting.AuthProxyWhitelist)) > 0 {
		proxies := strings.Split(setting.AuthProxyWhitelist, ",")
		remoteAddrSplit := strings.Split(ctx.Req.RemoteAddr, ":")
		sourceIP := remoteAddrSplit[0]

		found := false
		for _, proxyIP := range proxies {
			if sourceIP == strings.TrimSpace(proxyIP) {
				found = true
				break
			}
		}

		if !found {
			msg := fmt.Sprintf("Request for user (%s) is not from the authentication proxy", proxyHeaderValue)
			err := errors.New(msg)
			return err
		}
	}

	return nil
}

func getSignedInUserQueryForProxyAuth(headerVal string) *m.GetSignedInUserQuery {
	query := m.GetSignedInUserQuery{}
	if setting.AuthProxyHeaderProperty == "username" {
		query.Login = headerVal
	} else if setting.AuthProxyHeaderProperty == "email" {
		query.Email = headerVal
	} else {
		panic("Auth proxy header property invalid")
	}
	return &query
}

func getCreateUserCommandForProxyAuth(headerVal string) *m.CreateUserCommand {
	cmd := m.CreateUserCommand{}
	if setting.AuthProxyHeaderProperty == "username" {
		cmd.Login = headerVal
		cmd.Email = headerVal
	} else if setting.AuthProxyHeaderProperty == "email" {
		cmd.Email = headerVal
		cmd.Login = headerVal
	} else {
		panic("Auth proxy header property invalid")
	}
	return &cmd
}
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`package middleware`

			`import (`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`"errors"`
			`"fmt"`
			`"strings"`
			`"time"`

Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`"github.com/grafana/grafana/pkg/bus"`
fix(auth proxy): Fix for server side rendering of panel when using auth proxy, fixes #2568 2015-08-21 13:49:49 +08:00			`"github.com/grafana/grafana/pkg/log"`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`"github.com/grafana/grafana/pkg/login"`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`m "github.com/grafana/grafana/pkg/models"`
move Context and session out of middleware 2018-03-07 06:59:45 +08:00			`"github.com/grafana/grafana/pkg/services/session"`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`"github.com/grafana/grafana/pkg/setting"`
			`)`

move Context and session out of middleware 2018-03-07 06:59:45 +08:00			`func initContextWithAuthProxy(ctx *m.Context, orgId int64) bool {`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`if !setting.AuthProxyEnabled {`
			`return false`
			`}`

			`proxyHeaderValue := ctx.Req.Header.Get(setting.AuthProxyHeaderName)`
Final tweaks to auth proxy feature 2015-05-02 18:30:53 +08:00			`if len(proxyHeaderValue) == 0 {`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`return false`
			`}`

Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`// if auth proxy ip(s) defined, check if request comes from one of those`
			`if err := checkAuthenticationProxy(ctx, proxyHeaderValue); err != nil {`
			`ctx.Handle(407, "Proxy authentication required", err)`
			`return true`
			`}`

Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`query := getSignedInUserQueryForProxyAuth(proxyHeaderValue)`
use X-Grafana-Org-Id header to ensure backend uses correct org (#8122) 2017-04-14 21:47:39 +08:00			`query.OrgId = orgId`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`if err := bus.Dispatch(query); err != nil {`
			`if err != m.ErrUserNotFound {`
minor spelling corrections Signed-off-by: Dmitry Smirnov <onlyjob@member.fsf.org> 2016-02-13 08:01:03 +08:00			`ctx.Handle(500, "Failed to find user specified in auth proxy header", err)`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`return true`
			`}`

			`if setting.AuthProxyAutoSignUp {`
			`cmd := getCreateUserCommandForProxyAuth(proxyHeaderValue)`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`if setting.LdapEnabled {`
			`cmd.SkipOrgSetup = true`
			`}`

Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`if err := bus.Dispatch(cmd); err != nil {`
			`ctx.Handle(500, "Failed to create user specified in auth proxy header", err)`
			`return true`
			`}`
use X-Grafana-Org-Id header to ensure backend uses correct org (#8122) 2017-04-14 21:47:39 +08:00			`query = &m.GetSignedInUserQuery{UserId: cmd.Result.Id, OrgId: orgId}`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`if err := bus.Dispatch(query); err != nil {`
			`ctx.Handle(500, "Failed find user after creation", err)`
			`return true`
			`}`
Final tweaks to auth proxy feature 2015-05-02 18:30:53 +08:00			`} else {`
			`return false`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`}`
			`}`

fix(auth proxy): Fix for server side rendering of panel when using auth proxy, fixes #2568 2015-08-21 13:49:49 +08:00			`// initialize session`
move Context and session out of middleware 2018-03-07 06:59:45 +08:00			`if err := ctx.Session.Start(ctx.Context); err != nil {`
fix(auth proxy): Fix for server side rendering of panel when using auth proxy, fixes #2568 2015-08-21 13:49:49 +08:00			`log.Error(3, "Failed to start session", err)`
			`return false`
			`}`

Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`// Make sure that we cannot share a session between different users!`
			`if getRequestUserId(ctx) > 0 && getRequestUserId(ctx) != query.Result.UserId {`
			`// remove session`
move Context and session out of middleware 2018-03-07 06:59:45 +08:00			`if err := ctx.Session.Destory(ctx.Context); err != nil {`
Optimize some wrong usage and spelling Signed-off-by: wgliang <liangcszzu@163.com> 2017-09-07 17:50:11 +08:00			`log.Error(3, "Failed to destroy session, err")`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`}`

			`// initialize a new session`
move Context and session out of middleware 2018-03-07 06:59:45 +08:00			`if err := ctx.Session.Start(ctx.Context); err != nil {`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`log.Error(3, "Failed to start session", err)`
			`}`
			`}`

			`// When ldap is enabled, sync userinfo and org roles`
			`if err := syncGrafanaUserWithLdapUser(ctx, query); err != nil {`
			`if err == login.ErrInvalidCredentials {`
			`ctx.Handle(500, "Unable to authenticate user", err)`
			`return false`
			`}`

			`ctx.Handle(500, "Failed to sync user", err)`
			`return false`
			`}`

Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`ctx.SignedInUser = query.Result`
			`ctx.IsSignedIn = true`
move Context and session out of middleware 2018-03-07 06:59:45 +08:00			`ctx.Session.Set(session.SESS_KEY_USERID, ctx.UserId)`
fix(auth proxy): Fix for server side rendering of panel when using auth proxy, fixes #2568 2015-08-21 13:49:49 +08:00
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`return true`
			`}`

move Context and session out of middleware 2018-03-07 06:59:45 +08:00			`var syncGrafanaUserWithLdapUser = func(ctx m.Context, query m.GetSignedInUserQuery) error {`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`if setting.LdapEnabled {`
			`expireEpoch := time.Now().Add(time.Duration(-setting.AuthProxyLdapSyncTtl) * time.Minute).Unix()`

			`var lastLdapSync int64`
move Context and session out of middleware 2018-03-07 06:59:45 +08:00			`if lastLdapSyncInSession := ctx.Session.Get(session.SESS_KEY_LASTLDAPSYNC); lastLdapSyncInSession != nil {`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`lastLdapSync = lastLdapSyncInSession.(int64)`
			`}`

			`if lastLdapSync < expireEpoch {`
			`ldapCfg := login.LdapCfg`

			`for _, server := range ldapCfg.Servers {`
Optimize some wrong usage and spelling Signed-off-by: wgliang <liangcszzu@163.com> 2017-09-07 17:50:11 +08:00			`author := login.NewLdapAuthenticator(server)`
			`if err := author.SyncSignedInUser(query.Result); err != nil {`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`return err`
			`}`
			`}`

move Context and session out of middleware 2018-03-07 06:59:45 +08:00			`ctx.Session.Set(session.SESS_KEY_LASTLDAPSYNC, time.Now().Unix())`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`}`
			`}`

			`return nil`
			`}`

move Context and session out of middleware 2018-03-07 06:59:45 +08:00			`func checkAuthenticationProxy(ctx *m.Context, proxyHeaderValue string) error {`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`if len(strings.TrimSpace(setting.AuthProxyWhitelist)) > 0 {`
			`proxies := strings.Split(setting.AuthProxyWhitelist, ",")`
			`remoteAddrSplit := strings.Split(ctx.Req.RemoteAddr, ":")`
			`sourceIP := remoteAddrSplit[0]`

			`found := false`
			`for _, proxyIP := range proxies {`
			`if sourceIP == strings.TrimSpace(proxyIP) {`
			`found = true`
			`break`
			`}`
			`}`

			`if !found {`
			`msg := fmt.Sprintf("Request for user (%s) is not from the authentication proxy", proxyHeaderValue)`
			`err := errors.New(msg)`
			`return err`
			`}`
			`}`

			`return nil`
			`}`

Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`func getSignedInUserQueryForProxyAuth(headerVal string) *m.GetSignedInUserQuery {`
			`query := m.GetSignedInUserQuery{}`
			`if setting.AuthProxyHeaderProperty == "username" {`
			`query.Login = headerVal`
			`} else if setting.AuthProxyHeaderProperty == "email" {`
			`query.Email = headerVal`
			`} else {`
			`panic("Auth proxy header property invalid")`
			`}`
			`return &query`
			`}`

			`func getCreateUserCommandForProxyAuth(headerVal string) *m.CreateUserCommand {`
			`cmd := m.CreateUserCommand{}`
			`if setting.AuthProxyHeaderProperty == "username" {`
			`cmd.Login = headerVal`
Set email when creating user from auth_proxy header, Fixes #2156 2015-06-14 02:14:44 +08:00			`cmd.Email = headerVal`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`} else if setting.AuthProxyHeaderProperty == "email" {`
			`cmd.Email = headerVal`
Set email when creating user from auth_proxy header, Fixes #2156 2015-06-14 02:14:44 +08:00			`cmd.Login = headerVal`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`} else {`
			`panic("Auth proxy header property invalid")`
			`}`
			`return &cmd`
			`}`