grafana/pkg/social/social.go

package social

import (
	"net/http"
	"strings"

	"context"

	"golang.org/x/oauth2"

	"github.com/grafana/grafana/pkg/log"
	"github.com/grafana/grafana/pkg/setting"
	"github.com/grafana/grafana/pkg/util"
)

type BasicUserInfo struct {
	Id      string
	Name    string
	Email   string
	Login   string
	Company string
	Role    string
}

type SocialConnector interface {
	Type() int
	UserInfo(client *http.Client, token *oauth2.Token) (*BasicUserInfo, error)
	IsEmailAllowed(email string) bool
	IsSignupAllowed() bool

	AuthCodeURL(state string, opts ...oauth2.AuthCodeOption) string
	Exchange(ctx context.Context, code string) (*oauth2.Token, error)
	Client(ctx context.Context, t *oauth2.Token) *http.Client
}

type SocialBase struct {
	*oauth2.Config
	log log.Logger
}

type Error struct {
	s string
}

func (e *Error) Error() string {
	return e.s
}

var (
	SocialBaseUrl = "/login/"
	SocialMap     = make(map[string]SocialConnector)
)

func NewOAuthService() {
	setting.OAuthService = &setting.OAuther{}
	setting.OAuthService.OAuthInfos = make(map[string]*setting.OAuthInfo)

	allOauthes := []string{"github", "google", "generic_oauth", "grafananet", "grafana_com"}

	for _, name := range allOauthes {
		sec := setting.Raw.Section("auth." + name)
		info := &setting.OAuthInfo{
			ClientId:       sec.Key("client_id").String(),
			ClientSecret:   sec.Key("client_secret").String(),
			Scopes:         util.SplitString(sec.Key("scopes").String()),
			AuthUrl:        sec.Key("auth_url").String(),
			TokenUrl:       sec.Key("token_url").String(),
			ApiUrl:         sec.Key("api_url").String(),
			Enabled:        sec.Key("enabled").MustBool(),
			AllowedDomains: util.SplitString(sec.Key("allowed_domains").String()),
			HostedDomain:   sec.Key("hosted_domain").String(),
			AllowSignup:    sec.Key("allow_sign_up").MustBool(),
			Name:           sec.Key("name").MustString(name),
			TlsClientCert:  sec.Key("tls_client_cert").String(),
			TlsClientKey:   sec.Key("tls_client_key").String(),
			TlsClientCa:    sec.Key("tls_client_ca").String(),
			TlsSkipVerify:  sec.Key("tls_skip_verify_insecure").MustBool(),
		}

		if !info.Enabled {
			continue
		}

		if name == "grafananet" {
			name = "grafana_com"
		}

		setting.OAuthService.OAuthInfos[name] = info

		config := oauth2.Config{
			ClientID:     info.ClientId,
			ClientSecret: info.ClientSecret,
			Endpoint: oauth2.Endpoint{
				AuthURL:  info.AuthUrl,
				TokenURL: info.TokenUrl,
			},
			RedirectURL: strings.TrimSuffix(setting.AppUrl, "/") + SocialBaseUrl + name,
			Scopes:      info.Scopes,
		}

		logger := log.New("oauth." + name)

		// GitHub.
		if name == "github" {
			SocialMap["github"] = &SocialGithub{
				SocialBase: &SocialBase{
					Config: &config,
					log:    logger,
				},
				allowedDomains:       info.AllowedDomains,
				apiUrl:               info.ApiUrl,
				allowSignup:          info.AllowSignup,
				teamIds:              sec.Key("team_ids").Ints(","),
				allowedOrganizations: util.SplitString(sec.Key("allowed_organizations").String()),
			}
		}

		// Google.
		if name == "google" {
			SocialMap["google"] = &SocialGoogle{
				SocialBase: &SocialBase{
					Config: &config,
					log:    logger,
				},
				allowedDomains: info.AllowedDomains,
				hostedDomain:   info.HostedDomain,
				apiUrl:         info.ApiUrl,
				allowSignup:    info.AllowSignup,
			}
		}

		// Generic - Uses the same scheme as Github.
		if name == "generic_oauth" {
			SocialMap["generic_oauth"] = &SocialGenericOAuth{
				SocialBase: &SocialBase{
					Config: &config,
					log:    logger,
				},
				allowedDomains:       info.AllowedDomains,
				apiUrl:               info.ApiUrl,
				allowSignup:          info.AllowSignup,
				teamIds:              sec.Key("team_ids").Ints(","),
				allowedOrganizations: util.SplitString(sec.Key("allowed_organizations").String()),
			}
		}

		if name == "grafana_com" {
			config = oauth2.Config{
				ClientID:     info.ClientId,
				ClientSecret: info.ClientSecret,
				Endpoint: oauth2.Endpoint{
					AuthURL:  setting.GrafanaComUrl + "/oauth2/authorize",
					TokenURL: setting.GrafanaComUrl + "/api/oauth2/token",
				},
				RedirectURL: strings.TrimSuffix(setting.AppUrl, "/") + SocialBaseUrl + name,
				Scopes:      info.Scopes,
			}

			SocialMap["grafana_com"] = &SocialGrafanaCom{
				SocialBase: &SocialBase{
					Config: &config,
					log:    logger,
				},
				url:                  setting.GrafanaComUrl,
				allowSignup:          info.AllowSignup,
				allowedOrganizations: util.SplitString(sec.Key("allowed_organizations").String()),
			}
		}
	}
}
working on oauth 2014-10-07 14:54:38 -05:00			`package social`

			`import (`
Oauth2 Updates (#6226) * break out go and js build commands * support oauth providers that return errors via redirect * remove extra call to get grafana.net org membership * removed GitHub specifics from generic OAuth * readded ability to name generic source * revert to a backward-compatible state, refactor and clean up * streamline oauth user creation, make generic oauth support more generic 2016-10-11 01:51:44 -05:00			`"net/http"`
working on oauth 2014-10-07 14:54:38 -05:00			`"strings"`

use context over golang.org/x/net/context 2018-01-16 05:32:42 -06:00			`"context"`

updated to new golang/x/oauth2 2014-12-30 03:10:13 -06:00			`"golang.org/x/oauth2"`
Oauth2 Updates (#6226) * break out go and js build commands * support oauth providers that return errors via redirect * remove extra call to get grafana.net org membership * removed GitHub specifics from generic OAuth * readded ability to name generic source * revert to a backward-compatible state, refactor and clean up * streamline oauth user creation, make generic oauth support more generic 2016-10-11 01:51:44 -05:00
support for decoding JWT id tokens 2018-01-18 16:17:51 -06:00			`"github.com/grafana/grafana/pkg/log"`
Oauth2 Updates (#6226) * break out go and js build commands * support oauth providers that return errors via redirect * remove extra call to get grafana.net org membership * removed GitHub specifics from generic OAuth * readded ability to name generic source * revert to a backward-compatible state, refactor and clean up * streamline oauth user creation, make generic oauth support more generic 2016-10-11 01:51:44 -05:00			`"github.com/grafana/grafana/pkg/setting"`
Config Array Syntax (#8204) * refactor util encryption library so it doesn't have to import log * add util.SplitString to handle space and/or comma-separated config lines * go fmt 2017-04-25 02:14:29 -05:00			`"github.com/grafana/grafana/pkg/util"`
working on oauth 2014-10-07 14:54:38 -05:00			`)`

			`type BasicUserInfo struct {`
shared library for managing external user accounts 2018-02-08 16:13:58 -06:00			`Id string`
(format) run go fmt in pkg 2016-12-13 21:15:35 -06:00			`Name string`
			`Email string`
			`Login string`
			`Company string`
			`Role string`
working on oauth 2014-10-07 14:54:38 -05:00			`}`

			`type SocialConnector interface {`
			`Type() int`
support for decoding JWT id tokens 2018-01-18 16:17:51 -06:00			`UserInfo(client http.Client, token oauth2.Token) (*BasicUserInfo, error)`
OAuth: Specify allowed email address domains for google or and github oauth logins, Closes #1660 2015-04-06 07:16:22 -05:00			`IsEmailAllowed(email string) bool`
Add allow_sign_up override for auth.google/github. 2015-04-09 20:15:19 -05:00			`IsSignupAllowed() bool`
working on oauth 2014-10-07 14:54:38 -05:00
updated to new golang/x/oauth2 2014-12-30 03:10:13 -06:00			`AuthCodeURL(state string, opts ...oauth2.AuthCodeOption) string`
Updated golang/x/oauth2 dependency, #1710 2015-04-04 02:50:25 -05:00			`Exchange(ctx context.Context, code string) (*oauth2.Token, error)`
Oauth2 Updates (#6226) * break out go and js build commands * support oauth providers that return errors via redirect * remove extra call to get grafana.net org membership * removed GitHub specifics from generic OAuth * readded ability to name generic source * revert to a backward-compatible state, refactor and clean up * streamline oauth user creation, make generic oauth support more generic 2016-10-11 01:51:44 -05:00			`Client(ctx context.Context, t oauth2.Token) http.Client`
working on oauth 2014-10-07 14:54:38 -05:00			`}`

support for decoding JWT id tokens 2018-01-18 16:17:51 -06:00			`type SocialBase struct {`
			`*oauth2.Config`
			`log log.Logger`
			`}`

Add common type for oauth authorization errors 2017-02-01 07:32:51 -06:00			`type Error struct {`
			`s string`
			`}`

			`func (e *Error) Error() string {`
			`return e.s`
			`}`

working on oauth 2014-10-07 14:54:38 -05:00			`var (`
OAuth remake 2014-10-07 16:56:37 -05:00			`SocialBaseUrl = "/login/"`
working on oauth 2014-10-07 14:54:38 -05:00			`SocialMap = make(map[string]SocialConnector)`
			`)`

OAuth remake 2014-10-07 16:56:37 -05:00			`func NewOAuthService() {`
working on oauth 2014-10-07 14:54:38 -05:00			`setting.OAuthService = &setting.OAuther{}`
			`setting.OAuthService.OAuthInfos = make(map[string]*setting.OAuthInfo)`

grafana_com: changed name of oauth grafana_net integration (old settings names still work), and updated login button look, closes #8415 2017-05-22 07:56:50 -05:00			`allOauthes := []string{"github", "google", "generic_oauth", "grafananet", "grafana_com"}`
working on oauth 2014-10-07 14:54:38 -05:00
			`for _, name := range allOauthes {`
Initial Baby Step to refactoring settings from global vars to instance (#11777) * wip: start on refactoring settings * settings: progress on settings refactor * refactor: progress on settings refactoring * fix: fixed failing test * settings: moved smtp settings from global to instance 2018-04-30 09:21:04 -05:00			`sec := setting.Raw.Section("auth." + name)`
working on oauth 2014-10-07 14:54:38 -05:00			`info := &setting.OAuthInfo{`
OAuth: Specify allowed email address domains for google or and github oauth logins, Closes #1660 2015-04-06 07:16:22 -05:00			`ClientId: sec.Key("client_id").String(),`
			`ClientSecret: sec.Key("client_secret").String(),`
Config Array Syntax (#8204) * refactor util encryption library so it doesn't have to import log * add util.SplitString to handle space and/or comma-separated config lines * go fmt 2017-04-25 02:14:29 -05:00			`Scopes: util.SplitString(sec.Key("scopes").String()),`
OAuth: Specify allowed email address domains for google or and github oauth logins, Closes #1660 2015-04-06 07:16:22 -05:00			`AuthUrl: sec.Key("auth_url").String(),`
			`TokenUrl: sec.Key("token_url").String(),`
Updated changelog with, Github OAuth: Now works with Github for Enterprise, thanks @williamjoy 2015-04-15 03:31:56 -05:00			`ApiUrl: sec.Key("api_url").String(),`
OAuth: Specify allowed email address domains for google or and github oauth logins, Closes #1660 2015-04-06 07:16:22 -05:00			`Enabled: sec.Key("enabled").MustBool(),`
Config Array Syntax (#8204) * refactor util encryption library so it doesn't have to import log * add util.SplitString to handle space and/or comma-separated config lines * go fmt 2017-04-25 02:14:29 -05:00			`AllowedDomains: util.SplitString(sec.Key("allowed_domains").String()),`
added hosted domain suppport to google oauth login (#6372) 2016-10-28 05:00:47 -05:00			`HostedDomain: sec.Key("hosted_domain").String(),`
Add allow_sign_up override for auth.google/github. 2015-04-09 20:15:19 -05:00			`AllowSignup: sec.Key("allow_sign_up").MustBool(),`
feat(oauth): refactoring PR #6077 2016-09-28 08:10:50 -05:00			`Name: sec.Key("name").MustString(name),`
Oauth2 Updates (#6226) * break out go and js build commands * support oauth providers that return errors via redirect * remove extra call to get grafana.net org membership * removed GitHub specifics from generic OAuth * readded ability to name generic source * revert to a backward-compatible state, refactor and clean up * streamline oauth user creation, make generic oauth support more generic 2016-10-11 01:51:44 -05:00			`TlsClientCert: sec.Key("tls_client_cert").String(),`
			`TlsClientKey: sec.Key("tls_client_key").String(),`
			`TlsClientCa: sec.Key("tls_client_ca").String(),`
Always verify TLS unless explicitly told otherwise TLS was not being verified in a number of places: - connections to grafana.com - connections to OAuth providers when TLS client authentication was enabled - connections to self-hosted Grafana installations when using the CLI tool TLS should always be verified unless the user explicitly enables an option to skip verification. Removes some instances where `InsecureSkipVerify` is explicitly set to `false`, the default, to help avoid confusion and make it more difficult to regress on this fix by accident. Adds a `--insecure` flag to `grafana-cli` to skip TLS verification. Adds a `tls_skip_verify_insecure` setting for OAuth. Adds a `app_tls_skip_verify_insecure` setting under a new `[plugins]` section. I'm not super happy with the way the global setting is used by `pkg/api/app_routes.go` but that seems to be the existing pattern used. 2017-09-28 05:10:59 -05:00			`TlsSkipVerify: sec.Key("tls_skip_verify_insecure").MustBool(),`
OAuth remake 2014-10-07 16:56:37 -05:00			`}`

			`if !info.Enabled {`
			`continue`
working on oauth 2014-10-07 14:54:38 -05:00			`}`

grafana_com: changed name of oauth grafana_net integration (old settings names still work), and updated login button look, closes #8415 2017-05-22 07:56:50 -05:00			`if name == "grafananet" {`
			`name = "grafana_com"`
			`}`

working on oauth 2014-10-07 14:54:38 -05:00			`setting.OAuthService.OAuthInfos[name] = info`
Oauth2 Updates (#6226) * break out go and js build commands * support oauth providers that return errors via redirect * remove extra call to get grafana.net org membership * removed GitHub specifics from generic OAuth * readded ability to name generic source * revert to a backward-compatible state, refactor and clean up * streamline oauth user creation, make generic oauth support more generic 2016-10-11 01:51:44 -05:00
updated to new golang/x/oauth2 2014-12-30 03:10:13 -06:00			`config := oauth2.Config{`
			`ClientID: info.ClientId,`
			`ClientSecret: info.ClientSecret,`
			`Endpoint: oauth2.Endpoint{`
			`AuthURL: info.AuthUrl,`
			`TokenURL: info.TokenUrl,`
			`},`
			`RedirectURL: strings.TrimSuffix(setting.AppUrl, "/") + SocialBaseUrl + name,`
			`Scopes: info.Scopes,`
working on oauth 2014-10-07 14:54:38 -05:00			`}`

refactor: minor refactoring of PR #10560 2018-01-23 06:03:44 -06:00			`logger := log.New("oauth." + name)`
support for decoding JWT id tokens 2018-01-18 16:17:51 -06:00
OAuth remake 2014-10-07 16:56:37 -05:00			`// GitHub.`
			`if name == "github" {`
smalĺ refactorings 2015-04-29 02:49:22 -05:00			`SocialMap["github"] = &SocialGithub{`
go fmt 2018-01-18 18:17:05 -06:00			`SocialBase: &SocialBase{`
			`Config: &config,`
			`log: logger,`
support for decoding JWT id tokens 2018-01-18 16:17:51 -06:00			`},`
Add github organizations support 2015-05-23 09:06:51 -05:00			`allowedDomains: info.AllowedDomains,`
			`apiUrl: info.ApiUrl,`
			`allowSignup: info.AllowSignup,`
feat(oauth): refactoring PR #6077 2016-09-28 08:10:50 -05:00			`teamIds: sec.Key("team_ids").Ints(","),`
Config Array Syntax (#8204) * refactor util encryption library so it doesn't have to import log * add util.SplitString to handle space and/or comma-separated config lines * go fmt 2017-04-25 02:14:29 -05:00			`allowedOrganizations: util.SplitString(sec.Key("allowed_organizations").String()),`
smalĺ refactorings 2015-04-29 02:49:22 -05:00			`}`
OAuth remake 2014-10-07 16:56:37 -05:00			`}`
working on oauth 2014-10-07 14:54:38 -05:00
OAuth remake 2014-10-07 16:56:37 -05:00			`// Google.`
			`if name == "google" {`
smalĺ refactorings 2015-04-29 02:49:22 -05:00			`SocialMap["google"] = &SocialGoogle{`
go fmt 2018-01-18 18:17:05 -06:00			`SocialBase: &SocialBase{`
			`Config: &config,`
			`log: logger,`
support for decoding JWT id tokens 2018-01-18 16:17:51 -06:00			`},`
(format) run go fmt in pkg 2016-12-13 21:15:35 -06:00			`allowedDomains: info.AllowedDomains,`
			`hostedDomain: info.HostedDomain,`
			`apiUrl: info.ApiUrl,`
			`allowSignup: info.AllowSignup,`
smalĺ refactorings 2015-04-29 02:49:22 -05:00			`}`
OAuth remake 2014-10-07 16:56:37 -05:00			`}`
Allow users to use a generic oauth that conforms to the github style. Enables users to set their own link text. 2016-04-12 19:54:45 -05:00
			`// Generic - Uses the same scheme as Github.`
Make Generic OAuth Configs ENV VARS-friendly Use underscores instead of dashes. 2016-05-18 15:37:04 -05:00			`if name == "generic_oauth" {`
support for decoding JWT id tokens 2018-01-18 16:17:51 -06:00			`SocialMap["generic_oauth"] = &SocialGenericOAuth{`
go fmt 2018-01-18 18:17:05 -06:00			`SocialBase: &SocialBase{`
			`Config: &config,`
			`log: logger,`
support for decoding JWT id tokens 2018-01-18 16:17:51 -06:00			`},`
Allow users to use a generic oauth that conforms to the github style. Enables users to set their own link text. 2016-04-12 19:54:45 -05:00			`allowedDomains: info.AllowedDomains,`
			`apiUrl: info.ApiUrl,`
			`allowSignup: info.AllowSignup,`
feat(oauth): refactoring PR #6077 2016-09-28 08:10:50 -05:00			`teamIds: sec.Key("team_ids").Ints(","),`
Config Array Syntax (#8204) * refactor util encryption library so it doesn't have to import log * add util.SplitString to handle space and/or comma-separated config lines * go fmt 2017-04-25 02:14:29 -05:00			`allowedOrganizations: util.SplitString(sec.Key("allowed_organizations").String()),`
Allow users to use a generic oauth that conforms to the github style. Enables users to set their own link text. 2016-04-12 19:54:45 -05:00			`}`
			`}`
support logging in with grafana.net credentials 2016-09-19 15:48:07 -05:00
grafana_com: changed name of oauth grafana_net integration (old settings names still work), and updated login button look, closes #8415 2017-05-22 07:56:50 -05:00			`if name == "grafana_com" {`
Oauth2 Updates (#6226) * break out go and js build commands * support oauth providers that return errors via redirect * remove extra call to get grafana.net org membership * removed GitHub specifics from generic OAuth * readded ability to name generic source * revert to a backward-compatible state, refactor and clean up * streamline oauth user creation, make generic oauth support more generic 2016-10-11 01:51:44 -05:00			`config = oauth2.Config{`
support logging in with grafana.net credentials 2016-09-19 15:48:07 -05:00			`ClientID: info.ClientId,`
			`ClientSecret: info.ClientSecret,`
(format) run go fmt in pkg 2016-12-13 21:15:35 -06:00			`Endpoint: oauth2.Endpoint{`
grafana_com: changed name of oauth grafana_net integration (old settings names still work), and updated login button look, closes #8415 2017-05-22 07:56:50 -05:00			`AuthURL: setting.GrafanaComUrl + "/oauth2/authorize",`
			`TokenURL: setting.GrafanaComUrl + "/api/oauth2/token",`
support logging in with grafana.net credentials 2016-09-19 15:48:07 -05:00			`},`
(format) run go fmt in pkg 2016-12-13 21:15:35 -06:00			`RedirectURL: strings.TrimSuffix(setting.AppUrl, "/") + SocialBaseUrl + name,`
			`Scopes: info.Scopes,`
support logging in with grafana.net credentials 2016-09-19 15:48:07 -05:00			`}`

grafana_com: changed name of oauth grafana_net integration (old settings names still work), and updated login button look, closes #8415 2017-05-22 07:56:50 -05:00			`SocialMap["grafana_com"] = &SocialGrafanaCom{`
go fmt 2018-01-18 18:17:05 -06:00			`SocialBase: &SocialBase{`
			`Config: &config,`
			`log: logger,`
support for decoding JWT id tokens 2018-01-18 16:17:51 -06:00			`},`
grafana_com: changed name of oauth grafana_net integration (old settings names still work), and updated login button look, closes #8415 2017-05-22 07:56:50 -05:00			`url: setting.GrafanaComUrl,`
support logging in with grafana.net credentials 2016-09-19 15:48:07 -05:00			`allowSignup: info.AllowSignup,`
Config Array Syntax (#8204) * refactor util encryption library so it doesn't have to import log * add util.SplitString to handle space and/or comma-separated config lines * go fmt 2017-04-25 02:14:29 -05:00			`allowedOrganizations: util.SplitString(sec.Key("allowed_organizations").String()),`
support logging in with grafana.net credentials 2016-09-19 15:48:07 -05:00			`}`
			`}`
working on oauth 2014-10-07 14:54:38 -05:00			`}`
			`}`