grafana/pkg/api/login_oauth.go

package api

import (
	"errors"
	"fmt"
	"net/url"

	"golang.org/x/oauth2"

	"github.com/grafana/grafana/pkg/bus"
	"github.com/grafana/grafana/pkg/log"
	"github.com/grafana/grafana/pkg/metrics"
	"github.com/grafana/grafana/pkg/middleware"
	m "github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/setting"
	"github.com/grafana/grafana/pkg/social"
)

func OAuthLogin(ctx *middleware.Context) {
	if setting.OAuthService == nil {
		ctx.Handle(404, "login.OAuthLogin(oauth service not enabled)", nil)
		return
	}

	name := ctx.Params(":name")
	connect, ok := social.SocialMap[name]
	if !ok {
		ctx.Handle(404, "login.OAuthLogin(social login not enabled)", errors.New(name))
		return
	}

	code := ctx.Query("code")
	if code == "" {
		ctx.Redirect(connect.AuthCodeURL("", oauth2.AccessTypeOnline))
		return
	}

	// handle call back
	token, err := connect.Exchange(oauth2.NoContext, code)
	if err != nil {
		ctx.Handle(500, "login.OAuthLogin(NewTransportWithCode)", err)
		return
	}

	log.Trace("login.OAuthLogin(Got token)")

	userInfo, err := connect.UserInfo(token)
	if err != nil {
		if err == social.ErrMissingTeamMembership {
			ctx.Redirect(setting.AppSubUrl + "/login?failedMsg=" + url.QueryEscape("Required Github team membership not fulfilled"))
		} else {
			ctx.Handle(500, fmt.Sprintf("login.OAuthLogin(get info from %s)", name), err)
		}
		return
	}

	log.Trace("login.OAuthLogin(social login): %s", userInfo)

	// validate that the email is allowed to login to grafana
	if !connect.IsEmailAllowed(userInfo.Email) {
		log.Info("OAuth login attempt with unallowed email, %s", userInfo.Email)
		ctx.Redirect(setting.AppSubUrl + "/login?failedMsg=" + url.QueryEscape("Required email domain not fulfilled"))
		return
	}

	userQuery := m.GetUserByLoginQuery{LoginOrEmail: userInfo.Email}
	err = bus.Dispatch(&userQuery)

	// create account if missing
	if err == m.ErrUserNotFound {
		if !connect.IsSignupAllowed() {
			ctx.Redirect(setting.AppSubUrl + "/login")
			return
		}

		cmd := m.CreateUserCommand{
			Login:   userInfo.Email,
			Email:   userInfo.Email,
			Name:    userInfo.Name,
			Company: userInfo.Company,
		}

		if err = bus.Dispatch(&cmd); err != nil {
			ctx.Handle(500, "Failed to create account", err)
			return
		}

		userQuery.Result = &cmd.Result
	} else if err != nil {
		ctx.Handle(500, "Unexpected error", err)
	}

	// login
	loginUserWithUser(userQuery.Result, ctx)

	metrics.M_Api_Login_OAuth.Inc(1)

	ctx.Redirect(setting.AppSubUrl + "/")
}
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 06:36:08 -06:00			`package api`

			`import (`
			`"errors"`
			`"fmt"`
Added message alerts when login failed due to github team membership or email domain requirement, #1731, #1660 2015-04-29 03:08:01 -05:00			`"net/url"`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 06:36:08 -06:00
updated to new golang/x/oauth2 2014-12-30 03:10:13 -06:00			`"golang.org/x/oauth2"`

Changed go package path 2015-02-05 03:37:13 -06:00			`"github.com/grafana/grafana/pkg/bus"`
			`"github.com/grafana/grafana/pkg/log"`
Added server metrics 2015-03-22 14:14:00 -05:00			`"github.com/grafana/grafana/pkg/metrics"`
Changed go package path 2015-02-05 03:37:13 -06:00			`"github.com/grafana/grafana/pkg/middleware"`
			`m "github.com/grafana/grafana/pkg/models"`
			`"github.com/grafana/grafana/pkg/setting"`
			`"github.com/grafana/grafana/pkg/social"`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 06:36:08 -06:00			`)`

			`func OAuthLogin(ctx *middleware.Context) {`
			`if setting.OAuthService == nil {`
			`ctx.Handle(404, "login.OAuthLogin(oauth service not enabled)", nil)`
			`return`
			`}`

			`name := ctx.Params(":name")`
			`connect, ok := social.SocialMap[name]`
			`if !ok {`
			`ctx.Handle(404, "login.OAuthLogin(social login not enabled)", errors.New(name))`
			`return`
			`}`

			`code := ctx.Query("code")`
			`if code == "" {`
updated to new golang/x/oauth2 2014-12-30 03:10:13 -06:00			`ctx.Redirect(connect.AuthCodeURL("", oauth2.AccessTypeOnline))`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 06:36:08 -06:00			`return`
			`}`

			`// handle call back`
updated to new golang/x/oauth2 2014-12-30 03:10:13 -06:00			`token, err := connect.Exchange(oauth2.NoContext, code)`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 06:36:08 -06:00			`if err != nil {`
			`ctx.Handle(500, "login.OAuthLogin(NewTransportWithCode)", err)`
			`return`
			`}`

			`log.Trace("login.OAuthLogin(Got token)")`

updated to new golang/x/oauth2 2014-12-30 03:10:13 -06:00			`userInfo, err := connect.UserInfo(token)`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 06:36:08 -06:00			`if err != nil {`
Handle special error case if connect.UserInfo returns an error 2015-04-28 22:22:45 -05:00			`if err == social.ErrMissingTeamMembership {`
Added message alerts when login failed due to github team membership or email domain requirement, #1731, #1660 2015-04-29 03:08:01 -05:00			`ctx.Redirect(setting.AppSubUrl + "/login?failedMsg=" + url.QueryEscape("Required Github team membership not fulfilled"))`
Handle special error case if connect.UserInfo returns an error 2015-04-28 22:22:45 -05:00			`} else {`
			`ctx.Handle(500, fmt.Sprintf("login.OAuthLogin(get info from %s)", name), err)`
			`}`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 06:36:08 -06:00			`return`
			`}`

OAuth: Specify allowed email address domains for google or and github oauth logins, Closes #1660 2015-04-06 07:16:22 -05:00			`log.Trace("login.OAuthLogin(social login): %s", userInfo)`

			`// validate that the email is allowed to login to grafana`
			`if !connect.IsEmailAllowed(userInfo.Email) {`
			`log.Info("OAuth login attempt with unallowed email, %s", userInfo.Email)`
Added message alerts when login failed due to github team membership or email domain requirement, #1731, #1660 2015-04-29 03:08:01 -05:00			`ctx.Redirect(setting.AppSubUrl + "/login?failedMsg=" + url.QueryEscape("Required email domain not fulfilled"))`
OAuth: Specify allowed email address domains for google or and github oauth logins, Closes #1660 2015-04-06 07:16:22 -05:00			`return`
			`}`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 06:36:08 -06:00
User / Account model split, User and account now seperate entities, collaborators are now AccountUsers 2015-01-19 11:01:04 -06:00			`userQuery := m.GetUserByLoginQuery{LoginOrEmail: userInfo.Email}`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 06:36:08 -06:00			`err = bus.Dispatch(&userQuery)`

			`// create account if missing`
User / Account model split, User and account now seperate entities, collaborators are now AccountUsers 2015-01-19 11:01:04 -06:00			`if err == m.ErrUserNotFound {`
Add allow_sign_up override for auth.google/github. 2015-04-09 20:15:19 -05:00			`if !connect.IsSignupAllowed() {`
Added disable user sign up feature 2015-01-29 08:46:54 -06:00			`ctx.Redirect(setting.AppSubUrl + "/login")`
			`return`
			`}`

User / Account model split, User and account now seperate entities, collaborators are now AccountUsers 2015-01-19 11:01:04 -06:00			`cmd := m.CreateUserCommand{`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 06:36:08 -06:00			`Login: userInfo.Email,`
			`Email: userInfo.Email,`
			`Name: userInfo.Name,`
			`Company: userInfo.Company,`
			`}`

			`if err = bus.Dispatch(&cmd); err != nil {`
			`ctx.Handle(500, "Failed to create account", err)`
			`return`
			`}`

			`userQuery.Result = &cmd.Result`
			`} else if err != nil {`
			`ctx.Handle(500, "Unexpected error", err)`
			`}`

			`// login`
User / Account model split, User and account now seperate entities, collaborators are now AccountUsers 2015-01-19 11:01:04 -06:00			`loginUserWithUser(userQuery.Result, ctx)`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 06:36:08 -06:00
Added server metrics 2015-03-22 14:14:00 -05:00			`metrics.M_Api_Login_OAuth.Inc(1)`

fixed oauth login redirect when using app sub url 2015-01-05 01:21:52 -06:00			`ctx.Redirect(setting.AppSubUrl + "/")`
InfluxDB now works in proxy mode, influxdb username and password is added in the backend and never exposed to frontend, #8 2014-12-29 06:36:08 -06:00			`}`