grafana/pkg/middleware/auth_proxy.go

package middleware

import (
	"fmt"
	"net"
	"net/mail"
	"reflect"
	"strings"
	"time"

	"github.com/grafana/grafana/pkg/bus"
	"github.com/grafana/grafana/pkg/infra/remotecache"
	"github.com/grafana/grafana/pkg/login"
	m "github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/setting"
)

const (

	// cachePrefix is a prefix for the cache key
	cachePrefix = "auth-proxy-sync-ttl:%s"
)

func initContextWithAuthProxy(store *remotecache.RemoteCache, ctx *m.ReqContext, orgID int64) bool {
	if !setting.AuthProxyEnabled {
		return false
	}

	proxyHeaderValue := ctx.Req.Header.Get(setting.AuthProxyHeaderName)
	if len(proxyHeaderValue) == 0 {
		return false
	}

	// if auth proxy ip(s) defined, check if request comes from one of those
	if err := checkAuthenticationProxy(ctx.Req.RemoteAddr, proxyHeaderValue); err != nil {
		ctx.Handle(407, "Proxy authentication required", err)
		return true
	}

	query := &m.GetSignedInUserQuery{OrgId: orgID}
	cacheKey := fmt.Sprintf(cachePrefix, proxyHeaderValue)
	userID, err := store.Get(cacheKey)
	inCache := err == nil

	// load the user if we have them
	if inCache {
		query.UserId = userID.(int64)

		// if we're using ldap, pass authproxy login name to ldap user sync
	} else if setting.LdapEnabled {
		syncQuery := &m.LoginUserQuery{
			ReqContext: ctx,
			Username:   proxyHeaderValue,
		}

		if err := syncGrafanaUserWithLdapUser(syncQuery); err != nil {
			if err == login.ErrInvalidCredentials {
				ctx.Handle(500, "Unable to authenticate user", err)
				return false
			}
		}

		if syncQuery.User == nil {
			ctx.Handle(500, "Failed to sync user", nil)
			return false
		}

		query.UserId = syncQuery.User.Id
		// no ldap, just use the info we have
	} else {
		extUser := &m.ExternalUserInfo{
			AuthModule: "authproxy",
			AuthId:     proxyHeaderValue,
		}

		if setting.AuthProxyHeaderProperty == "username" {
			extUser.Login = proxyHeaderValue

			// only set Email if it can be parsed as an email address
			emailAddr, emailErr := mail.ParseAddress(proxyHeaderValue)
			if emailErr == nil {
				extUser.Email = emailAddr.Address
			}
		} else if setting.AuthProxyHeaderProperty == "email" {
			extUser.Email = proxyHeaderValue
			extUser.Login = proxyHeaderValue
		} else {
			ctx.Handle(500, "Auth proxy header property invalid", nil)
			return true
		}

		for _, field := range []string{"Name", "Email", "Login"} {
			if setting.AuthProxyHeaders[field] == "" {
				continue
			}

			if val := ctx.Req.Header.Get(setting.AuthProxyHeaders[field]); val != "" {
				reflect.ValueOf(extUser).Elem().FieldByName(field).SetString(val)
			}
		}

		// add/update user in grafana
		cmd := &m.UpsertUserCommand{
			ReqContext:    ctx,
			ExternalUser:  extUser,
			SignupAllowed: setting.AuthProxyAutoSignUp,
		}
		err := bus.Dispatch(cmd)
		if err != nil {
			ctx.Handle(500, "Failed to login as user specified in auth proxy header", err)
			return true
		}

		query.UserId = cmd.Result.Id
	}

	if err := bus.Dispatch(query); err != nil {
		ctx.Handle(500, "Failed to find user", err)
		return true
	}
	ctx.SignedInUser = query.Result
	ctx.IsSignedIn = true

	expiration := time.Duration(-setting.AuthProxyLdapSyncTtl) * time.Minute
	value := query.UserId

	// This <if> is here to make sure we do not
	// rewrite the expiration all the time
	if inCache == false {
		if err = store.Set(cacheKey, value, expiration); err != nil {
			ctx.Handle(500, "Couldn't write a user in cache key", err)
			return true
		}
	}

	return true
}

var syncGrafanaUserWithLdapUser = func(query *m.LoginUserQuery) error {
	ldapCfg := login.LdapCfg
	if len(ldapCfg.Servers) < 1 {
		return fmt.Errorf("No LDAP servers available")
	}

	for _, server := range ldapCfg.Servers {
		author := login.NewLdapAuthenticator(server)
		if err := author.SyncUser(query); err != nil {
			return err
		}
	}

	return nil
}

func checkAuthenticationProxy(remoteAddr string, proxyHeaderValue string) error {
	if len(strings.TrimSpace(setting.AuthProxyWhitelist)) == 0 {
		return nil
	}

	proxies := strings.Split(setting.AuthProxyWhitelist, ",")
	var proxyObjs []*net.IPNet
	for _, proxy := range proxies {
		proxyObjs = append(proxyObjs, coerceProxyAddress(proxy))
	}

	sourceIP, _, _ := net.SplitHostPort(remoteAddr)
	sourceObj := net.ParseIP(sourceIP)

	for _, proxyObj := range proxyObjs {
		if proxyObj.Contains(sourceObj) {
			return nil
		}
	}
	return fmt.Errorf("Request for user (%s) from %s is not from the authentication proxy", proxyHeaderValue, sourceIP)
}

func coerceProxyAddress(proxyAddr string) *net.IPNet {
	proxyAddr = strings.TrimSpace(proxyAddr)
	if !strings.Contains(proxyAddr, "/") {
		proxyAddr = strings.Join([]string{proxyAddr, "32"}, "/")
	}

	_, network, err := net.ParseCIDR(proxyAddr)
	if err != nil {
		fmt.Println(err)
	}
	return network
}
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`package middleware`

			`import (`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`"fmt"`
Revert "auth proxy: use real ip when validating white listed ip's" 2018-06-28 21:43:33 +08:00			`"net"`
update auth proxy 2018-03-23 05:02:34 +08:00			`"net/mail"`
support additional fields in authproxy (#11661) 2018-05-07 16:39:16 +08:00			`"reflect"`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`"strings"`
			`"time"`

Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`"github.com/grafana/grafana/pkg/bus"`
Chore: use remote cache instead of session storage (#16114) Replaces session storage in auth_proxy middleware with remote cache Fixes #15161 2019-04-08 19:31:46 +08:00			`"github.com/grafana/grafana/pkg/infra/remotecache"`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`"github.com/grafana/grafana/pkg/login"`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`m "github.com/grafana/grafana/pkg/models"`
			`"github.com/grafana/grafana/pkg/setting"`
			`)`

Chore: use remote cache instead of session storage (#16114) Replaces session storage in auth_proxy middleware with remote cache Fixes #15161 2019-04-08 19:31:46 +08:00			`const (`

			`// cachePrefix is a prefix for the cache key`
			`cachePrefix = "auth-proxy-sync-ttl:%s"`
restrict session usage to auth_proxy 2019-01-23 19:41:15 +08:00			`)`
update auth proxy 2018-03-23 05:02:34 +08:00
Chore: use remote cache instead of session storage (#16114) Replaces session storage in auth_proxy middleware with remote cache Fixes #15161 2019-04-08 19:31:46 +08:00			`func initContextWithAuthProxy(store remotecache.RemoteCache, ctx m.ReqContext, orgID int64) bool {`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`if !setting.AuthProxyEnabled {`
			`return false`
			`}`

			`proxyHeaderValue := ctx.Req.Header.Get(setting.AuthProxyHeaderName)`
Final tweaks to auth proxy feature 2015-05-02 18:30:53 +08:00			`if len(proxyHeaderValue) == 0 {`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`return false`
			`}`

Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`// if auth proxy ip(s) defined, check if request comes from one of those`
Revert "auth proxy: use real ip when validating white listed ip's" 2018-06-28 21:43:33 +08:00			`if err := checkAuthenticationProxy(ctx.Req.RemoteAddr, proxyHeaderValue); err != nil {`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`ctx.Handle(407, "Proxy authentication required", err)`
			`return true`
			`}`

update auth proxy 2018-03-23 05:02:34 +08:00			`query := &m.GetSignedInUserQuery{OrgId: orgID}`
Chore: use remote cache instead of session storage (#16114) Replaces session storage in auth_proxy middleware with remote cache Fixes #15161 2019-04-08 19:31:46 +08:00			`cacheKey := fmt.Sprintf(cachePrefix, proxyHeaderValue)`
			`userID, err := store.Get(cacheKey)`
			`inCache := err == nil`
update auth proxy 2018-03-23 05:02:34 +08:00
Chore: use remote cache instead of session storage (#16114) Replaces session storage in auth_proxy middleware with remote cache Fixes #15161 2019-04-08 19:31:46 +08:00			`// load the user if we have them`
			`if inCache {`
			`query.UserId = userID.(int64)`
refactor authproxy & ldap integration, address comments 2018-04-17 04:17:01 +08:00
			`// if we're using ldap, pass authproxy login name to ldap user sync`
			`} else if setting.LdapEnabled {`
			`syncQuery := &m.LoginUserQuery{`
			`ReqContext: ctx,`
			`Username: proxyHeaderValue,`
			`}`

			`if err := syncGrafanaUserWithLdapUser(syncQuery); err != nil {`
			`if err == login.ErrInvalidCredentials {`
			`ctx.Handle(500, "Unable to authenticate user", err)`
			`return false`
			`}`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`}`
refactor authproxy & ldap integration, address comments 2018-04-17 04:17:01 +08:00
			`if syncQuery.User == nil {`
			`ctx.Handle(500, "Failed to sync user", nil)`
			`return false`
			`}`

			`query.UserId = syncQuery.User.Id`
			`// no ldap, just use the info we have`
update auth proxy 2018-03-23 05:02:34 +08:00			`} else {`
switch to passing ReqContext as a property 2018-03-24 03:50:07 +08:00			`extUser := &m.ExternalUserInfo{`
update auth proxy 2018-03-23 05:02:34 +08:00			`AuthModule: "authproxy",`
			`AuthId: proxyHeaderValue,`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`}`
Make golint happier 2018-03-23 05:13:46 +08:00
update auth proxy 2018-03-23 05:02:34 +08:00			`if setting.AuthProxyHeaderProperty == "username" {`
			`extUser.Login = proxyHeaderValue`

			`// only set Email if it can be parsed as an email address`
			`emailAddr, emailErr := mail.ParseAddress(proxyHeaderValue)`
			`if emailErr == nil {`
			`extUser.Email = emailAddr.Address`
			`}`
			`} else if setting.AuthProxyHeaderProperty == "email" {`
			`extUser.Email = proxyHeaderValue`
			`extUser.Login = proxyHeaderValue`
			`} else {`
			`ctx.Handle(500, "Auth proxy header property invalid", nil)`
cleanup 2018-03-23 23:58:38 +08:00			`return true`
Make golint happier 2018-03-23 05:13:46 +08:00			`}`

support additional fields in authproxy (#11661) 2018-05-07 16:39:16 +08:00			`for _, field := range []string{"Name", "Email", "Login"} {`
			`if setting.AuthProxyHeaders[field] == "" {`
			`continue`
			`}`

			`if val := ctx.Req.Header.Get(setting.AuthProxyHeaders[field]); val != "" {`
			`reflect.ValueOf(extUser).Elem().FieldByName(field).SetString(val)`
			`}`
			`}`

update auth proxy 2018-03-23 05:02:34 +08:00			`// add/update user in grafana`
switch to Result 2018-03-23 23:16:11 +08:00			`cmd := &m.UpsertUserCommand{`
switch to passing ReqContext as a property 2018-03-24 03:50:07 +08:00			`ReqContext: ctx,`
			`ExternalUser: extUser,`
update auth proxy 2018-03-23 05:02:34 +08:00			`SignupAllowed: setting.AuthProxyAutoSignUp,`
			`}`
switch to passing ReqContext as a property 2018-03-24 03:50:07 +08:00			`err := bus.Dispatch(cmd)`
update auth proxy 2018-03-23 05:02:34 +08:00			`if err != nil {`
			`ctx.Handle(500, "Failed to login as user specified in auth proxy header", err)`
Make golint happier 2018-03-23 05:13:46 +08:00			`return true`
			`}`
update auth proxy 2018-03-23 05:02:34 +08:00
switch to Result 2018-03-23 23:16:11 +08:00			`query.UserId = cmd.Result.Id`
refactor authproxy & ldap integration, address comments 2018-04-17 04:17:01 +08:00			`}`
update auth proxy 2018-03-23 05:02:34 +08:00
refactor authproxy & ldap integration, address comments 2018-04-17 04:17:01 +08:00			`if err := bus.Dispatch(query); err != nil {`
			`ctx.Handle(500, "Failed to find user", err)`
			`return true`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`}`
Chore: use remote cache instead of session storage (#16114) Replaces session storage in auth_proxy middleware with remote cache Fixes #15161 2019-04-08 19:31:46 +08:00			`ctx.SignedInUser = query.Result`
			`ctx.IsSignedIn = true`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00
Chore: use remote cache instead of session storage (#16114) Replaces session storage in auth_proxy middleware with remote cache Fixes #15161 2019-04-08 19:31:46 +08:00			`expiration := time.Duration(-setting.AuthProxyLdapSyncTtl) * time.Minute`
			`value := query.UserId`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00
Chore: use remote cache instead of session storage (#16114) Replaces session storage in auth_proxy middleware with remote cache Fixes #15161 2019-04-08 19:31:46 +08:00			`// This <if> is here to make sure we do not`
			`// rewrite the expiration all the time`
			`if inCache == false {`
			`if err = store.Set(cacheKey, value, expiration); err != nil {`
			`ctx.Handle(500, "Couldn't write a user in cache key", err)`
			`return true`
refactor authproxy & ldap integration, address comments 2018-04-17 04:17:01 +08:00			`}`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`}`

Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 18:06:58 +08:00			`return true`
			`}`

refactor authproxy & ldap integration, address comments 2018-04-17 04:17:01 +08:00			`var syncGrafanaUserWithLdapUser = func(query *m.LoginUserQuery) error {`
Chore: use remote cache instead of session storage (#16114) Replaces session storage in auth_proxy middleware with remote cache Fixes #15161 2019-04-08 19:31:46 +08:00			`ldapCfg := login.LdapCfg`
			`if len(ldapCfg.Servers) < 1 {`
			`return fmt.Errorf("No LDAP servers available")`
Make golint happier 2018-03-23 05:13:46 +08:00			`}`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00
Chore: use remote cache instead of session storage (#16114) Replaces session storage in auth_proxy middleware with remote cache Fixes #15161 2019-04-08 19:31:46 +08:00			`for _, server := range ldapCfg.Servers {`
			`author := login.NewLdapAuthenticator(server)`
			`if err := author.SyncUser(query); err != nil {`
			`return err`
refactor authproxy & ldap integration, address comments 2018-04-17 04:17:01 +08:00			`}`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`}`

			`return nil`
			`}`

Use net.SplitHostPort to support IPv6 - Add some tests - Make error message more helpful 2018-03-22 01:28:56 +08:00			`func checkAuthenticationProxy(remoteAddr string, proxyHeaderValue string) error {`
Make golint happier 2018-03-23 05:13:46 +08:00			`if len(strings.TrimSpace(setting.AuthProxyWhitelist)) == 0 {`
			`return nil`
			`}`
Use net.SplitHostPort to support IPv6 - Add some tests - Make error message more helpful 2018-03-22 01:28:56 +08:00
make sure to use real ip when validating white listed ip's 2018-06-15 19:40:42 +08:00			`proxies := strings.Split(setting.AuthProxyWhitelist, ",")`
Adding CIDR capability to auth_proxy whitelist 2018-12-18 13:43:14 +08:00			`var proxyObjs []*net.IPNet`
			`for _, proxy := range proxies {`
			`proxyObjs = append(proxyObjs, coerceProxyAddress(proxy))`
Revert "auth proxy: use real ip when validating white listed ip's" 2018-06-28 21:43:33 +08:00			`}`
make sure to use real ip when validating white listed ip's 2018-06-15 19:40:42 +08:00
Adding CIDR capability to auth_proxy whitelist 2018-12-18 13:43:14 +08:00			`sourceIP, _, _ := net.SplitHostPort(remoteAddr)`
			`sourceObj := net.ParseIP(sourceIP)`

			`for _, proxyObj := range proxyObjs {`
			`if proxyObj.Contains(sourceObj) {`
Use net.SplitHostPort to support IPv6 - Add some tests - Make error message more helpful 2018-03-22 01:28:56 +08:00			`return nil`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`}`
Make golint happier 2018-03-23 05:13:46 +08:00			`}`
Revert "auth proxy: use real ip when validating white listed ip's" 2018-06-28 21:43:33 +08:00			`return fmt.Errorf("Request for user (%s) from %s is not from the authentication proxy", proxyHeaderValue, sourceIP)`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 21:22:28 +08:00			`}`
Adding CIDR capability to auth_proxy whitelist 2018-12-18 13:43:14 +08:00
			`func coerceProxyAddress(proxyAddr string) *net.IPNet {`
			`proxyAddr = strings.TrimSpace(proxyAddr)`
			`if !strings.Contains(proxyAddr, "/") {`
			`proxyAddr = strings.Join([]string{proxyAddr, "32"}, "/")`
			`}`

			`_, network, err := net.ParseCIDR(proxyAddr)`
			`if err != nil {`
			`fmt.Println(err)`
			`}`
			`return network`
			`}`