grafana/pkg/middleware/auth.go

package middleware

import (
	"net/url"
	"strings"

	"gopkg.in/macaron.v1"

	m "github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/setting"
)

type AuthOptions struct {
	ReqGrafanaAdmin bool
	ReqSignedIn     bool
}

func getRequestUserId(c *Context) int64 {
	userId := c.Session.Get(SESS_KEY_USERID)

	if userId != nil {
		return userId.(int64)
	}

	return 0
}

func getApiKey(c *Context) string {
	header := c.Req.Header.Get("Authorization")
	parts := strings.SplitN(header, " ", 2)
	if len(parts) == 2 && parts[0] == "Bearer" {
		key := parts[1]
		return key
	}

	return ""
}

func accessForbidden(c *Context) {
	if c.IsApiRequest() {
		c.JsonApiErr(403, "Permission denied", nil)
		return
	}

	c.Redirect(setting.AppSubUrl + "/")
}

func notAuthorized(c *Context) {
	if c.IsApiRequest() {
		c.JsonApiErr(401, "Unauthorized", nil)
		return
	}

	c.SetCookie("redirect_to", url.QueryEscape(setting.AppSubUrl+c.Req.RequestURI), 0, setting.AppSubUrl+"/")
	c.Redirect(setting.AppSubUrl + "/login")
}

func RoleAuth(roles ...m.RoleType) macaron.Handler {
	return func(c *Context) {
		ok := false
		for _, role := range roles {
			if role == c.OrgRole {
				ok = true
				break
			}
		}
		if !ok {
			accessForbidden(c)
		}
	}
}

func Auth(options *AuthOptions) macaron.Handler {
	return func(c *Context) {
		if !c.IsSignedIn && options.ReqSignedIn && !c.AllowAnonymous {
			notAuthorized(c)
			return
		}

		if !c.IsGrafanaAdmin && options.ReqGrafanaAdmin {
			accessForbidden(c)
			return
		}
	}
}
macaron transition progress 2014-10-06 03:13:01 +08:00			`package middleware`

			`import (`
Worked on login remember cookie, and redirect after login 2015-01-27 19:05:23 +08:00			`"net/url"`
add Token authentication support Added CRUD methods for Tokens. Extend Auth Handler to check for the presence of a Bearer Authorization header to authenticate against. If there is no header, or the token is not valid, the Auth Handler falls back to looking for a Session. 2015-01-14 16:33:34 +08:00			`"strings"`
Progress on account and dashboard save/load 2014-11-20 22:19:44 +08:00
feat(macaron): upgrades macaron version 2016-01-13 22:11:23 +08:00			`"gopkg.in/macaron.v1"`
Refactoring of api routes 2015-01-14 21:25:12 +08:00
Changed go package path 2015-02-05 17:37:13 +08:00			`m "github.com/grafana/grafana/pkg/models"`
			`"github.com/grafana/grafana/pkg/setting"`
macaron transition progress 2014-10-06 03:13:01 +08:00			`)`

Refactoring of auth middleware, and starting work on account admin 2015-01-15 19:16:54 +08:00			`type AuthOptions struct {`
Big refactoring for context.User, and how current user info is fetching, now included collaborator role 2015-01-16 21:32:18 +08:00			`ReqGrafanaAdmin bool`
			`ReqSignedIn bool`
Refactoring of auth middleware, and starting work on account admin 2015-01-15 19:16:54 +08:00			`}`

User / Account model split, User and account now seperate entities, collaborators are now AccountUsers 2015-01-20 01:01:04 +08:00			`func getRequestUserId(c *Context) int64 {`
More work on backend for user favorites 2015-01-29 19:10:34 +08:00			`userId := c.Session.Get(SESS_KEY_USERID)`
macaron transition progress 2014-10-06 03:13:01 +08:00
User / Account model split, User and account now seperate entities, collaborators are now AccountUsers 2015-01-20 01:01:04 +08:00			`if userId != nil {`
			`return userId.(int64)`
Refactoring of auth middleware, and starting work on account admin 2015-01-15 19:16:54 +08:00			`}`
Worked a little on anonymous access, needs more work 2015-01-07 23:37:24 +08:00
Api Key role is now correcty added do middleware context 2015-01-16 23:15:35 +08:00			`return 0`
			`}`

API token -> API key rename 2015-01-27 15:26:11 +08:00			`func getApiKey(c *Context) string {`
Refactoring of auth middleware, and starting work on account admin 2015-01-15 19:16:54 +08:00			`header := c.Req.Header.Get("Authorization")`
			`parts := strings.SplitN(header, " ", 2)`
Basic auth: Fixed issue when using basic auth proxy infront of Grafana, Fixes #1673 2015-04-01 21:23:26 +08:00			`if len(parts) == 2 && parts[0] == "Bearer" {`
API token -> API key rename 2015-01-27 15:26:11 +08:00			`key := parts[1]`
			`return key`
macaron transition progress 2014-10-06 03:13:01 +08:00			`}`

Api Key role is now correcty added do middleware context 2015-01-16 23:15:35 +08:00			`return ""`
macaron transition progress 2014-10-06 03:13:01 +08:00			`}`

fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693 2015-09-08 16:46:31 +08:00			`func accessForbidden(c *Context) {`
Refactoring of api routes 2015-01-14 21:25:12 +08:00			`if c.IsApiRequest() {`
fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693 2015-09-08 16:46:31 +08:00			`c.JsonApiErr(403, "Permission denied", nil)`
			`return`
			`}`

redirect "permission denied" requests to "/" (#10773) 2018-02-06 01:17:47 +08:00			`c.Redirect(setting.AppSubUrl + "/")`
fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693 2015-09-08 16:46:31 +08:00			`}`

			`func notAuthorized(c *Context) {`
			`if c.IsApiRequest() {`
			`c.JsonApiErr(401, "Unauthorized", nil)`
Worked on login remember cookie, and redirect after login 2015-01-27 19:05:23 +08:00			`return`
Refactoring of api routes 2015-01-14 21:25:12 +08:00			`}`

Small improvement to dashboard loading error handling 2015-03-31 20:03:01 +08:00			`c.SetCookie("redirect_to", url.QueryEscape(setting.AppSubUrl+c.Req.RequestURI), 0, setting.AppSubUrl+"/")`
Work on making grafana work in sub url 2015-01-05 04:03:40 +08:00			`c.Redirect(setting.AppSubUrl + "/login")`
macaron transition progress 2014-10-06 03:13:01 +08:00			`}`

Role checking when saving dashboard, making sure that the user has owner or editor role 2015-01-16 22:28:44 +08:00			`func RoleAuth(roles ...m.RoleType) macaron.Handler {`
			`return func(c *Context) {`
			`ok := false`
			`for _, role := range roles {`
Big Backend Refatoring: Renamed Account -> Org 2015-02-24 03:07:49 +08:00			`if role == c.OrgRole {`
Role checking when saving dashboard, making sure that the user has owner or editor role 2015-01-16 22:28:44 +08:00			`ok = true`
			`break`
			`}`
			`}`
			`if !ok {`
fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693 2015-09-08 16:46:31 +08:00			`accessForbidden(c)`
Role checking when saving dashboard, making sure that the user has owner or editor role 2015-01-16 22:28:44 +08:00			`}`
			`}`
			`}`

Refactoring of auth middleware, and starting work on account admin 2015-01-15 19:16:54 +08:00			`func Auth(options *AuthOptions) macaron.Handler {`
			`return func(c *Context) {`
fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693 2015-09-08 16:46:31 +08:00			`if !c.IsSignedIn && options.ReqSignedIn && !c.AllowAnonymous {`
			`notAuthorized(c)`
Refactoring of auth middleware, and starting work on account admin 2015-01-15 19:16:54 +08:00			`return`
			`}`
add Token authentication support Added CRUD methods for Tokens. Extend Auth Handler to check for the presence of a Bearer Authorization header to authenticate against. If there is no header, or the token is not valid, the Auth Handler falls back to looking for a Session. 2015-01-14 16:33:34 +08:00
fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693 2015-09-08 16:46:31 +08:00			`if !c.IsGrafanaAdmin && options.ReqGrafanaAdmin {`
			`accessForbidden(c)`
Refactoring of auth middleware, and starting work on account admin 2015-01-15 19:16:54 +08:00			`return`
add Token authentication support Added CRUD methods for Tokens. Extend Auth Handler to check for the presence of a Bearer Authorization header to authenticate against. If there is no header, or the token is not valid, the Auth Handler falls back to looking for a Session. 2015-01-14 16:33:34 +08:00			`}`
macaron transition progress 2014-10-06 03:13:01 +08:00			`}`
			`}`