grafana/pkg/middleware/auth.go

package middleware

import (
	"net/url"
	"strings"

	macaron "gopkg.in/macaron.v1"

	"github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/setting"
	"github.com/grafana/grafana/pkg/util"
)

type AuthOptions struct {
	ReqGrafanaAdmin bool
	ReqSignedIn     bool
}

func getApiKey(c *models.ReqContext) string {
	header := c.Req.Header.Get("Authorization")
	parts := strings.SplitN(header, " ", 2)
	if len(parts) == 2 && parts[0] == "Bearer" {
		key := parts[1]
		return key
	}

	username, password, err := util.DecodeBasicAuthHeader(header)
	if err == nil && username == "api_key" {
		return password
	}

	return ""
}

func accessForbidden(c *models.ReqContext) {
	if c.IsApiRequest() {
		c.JsonApiErr(403, "Permission denied", nil)
		return
	}

	c.Redirect(setting.AppSubUrl + "/")
}

func notAuthorized(c *models.ReqContext) {
	if c.IsApiRequest() {
		c.JsonApiErr(401, "Unauthorized", nil)
		return
	}

	redirectTo := c.Req.RequestURI
	if setting.AppSubUrl != "" && !strings.HasPrefix(redirectTo, setting.AppSubUrl) {
		redirectTo = setting.AppSubUrl + c.Req.RequestURI
	}
	WriteCookie(c.Resp, "redirect_to", url.QueryEscape(redirectTo), 0, newCookieOptions)

	c.Redirect(setting.AppSubUrl + "/login")
}

func EnsureEditorOrViewerCanEdit(c *models.ReqContext) {
	if !c.SignedInUser.HasRole(models.ROLE_EDITOR) && !setting.ViewersCanEdit {
		accessForbidden(c)
	}
}

func RoleAuth(roles ...models.RoleType) macaron.Handler {
	return func(c *models.ReqContext) {
		ok := false
		for _, role := range roles {
			if role == c.OrgRole {
				ok = true
				break
			}
		}
		if !ok {
			accessForbidden(c)
		}
	}
}

func Auth(options *AuthOptions) macaron.Handler {
	return func(c *models.ReqContext) {
		if !c.IsSignedIn && options.ReqSignedIn && !c.AllowAnonymous {
			notAuthorized(c)
			return
		}

		if !c.IsGrafanaAdmin && options.ReqGrafanaAdmin {
			accessForbidden(c)
			return
		}
	}
}

// AdminOrFeatureEnabled creates a middleware that allows access
// if the signed in user is either an Org Admin or if the
// feature flag is enabled.
// Intended for when feature flags open up access to APIs that
// are otherwise only available to admins.
func AdminOrFeatureEnabled(enabled bool) macaron.Handler {
	return func(c *models.ReqContext) {
		if c.OrgRole == models.ROLE_ADMIN {
			return
		}

		if !enabled {
			accessForbidden(c)
		}
	}
}

func SnapshotPublicModeOrSignedIn() macaron.Handler {
	return func(c *models.ReqContext) {
		if setting.SnapshotPublicMode {
			return
		}

		_, err := c.Invoke(ReqSignedIn)
		if err != nil {
			c.JsonApiErr(500, "Failed to invoke required signed in middleware", err)
		}
	}
}
macaron transition progress 2014-10-05 14:13:01 -05:00			`package middleware`

			`import (`
Worked on login remember cookie, and redirect after login 2015-01-27 05:05:23 -06:00			`"net/url"`
add Token authentication support Added CRUD methods for Tokens. Extend Auth Handler to check for the presence of a Bearer Authorization header to authenticate against. If there is no header, or the token is not valid, the Auth Handler falls back to looking for a Session. 2015-01-14 02:33:34 -06:00			`"strings"`
Progress on account and dashboard save/load 2014-11-20 08:19:44 -06:00
Viewers with viewers_can_edit should be able to access /explore (#15787) * fix: Viewers with viewers_can_edit should be able to access /explore #15773 * refactoring initial PR a bit to simplify function and reduce duplication 2019-03-05 05:41:01 -06:00			`macaron "gopkg.in/macaron.v1"`
Refactoring of api routes 2015-01-14 07:25:12 -06:00
chore: avoid aliasing models in middleware (#22484) 2020-02-28 05:50:58 -06:00			`"github.com/grafana/grafana/pkg/models"`
Changed go package path 2015-02-05 03:37:13 -06:00			`"github.com/grafana/grafana/pkg/setting"`
support passing api token in Basic auth password (#12416) 2018-06-28 05:08:32 -05:00			`"github.com/grafana/grafana/pkg/util"`
macaron transition progress 2014-10-05 14:13:01 -05:00			`)`

Refactoring of auth middleware, and starting work on account admin 2015-01-15 05:16:54 -06:00			`type AuthOptions struct {`
Big refactoring for context.User, and how current user info is fetching, now included collaborator role 2015-01-16 07:32:18 -06:00			`ReqGrafanaAdmin bool`
			`ReqSignedIn bool`
Refactoring of auth middleware, and starting work on account admin 2015-01-15 05:16:54 -06:00			`}`

chore: avoid aliasing models in middleware (#22484) 2020-02-28 05:50:58 -06:00			`func getApiKey(c *models.ReqContext) string {`
Refactoring of auth middleware, and starting work on account admin 2015-01-15 05:16:54 -06:00			`header := c.Req.Header.Get("Authorization")`
			`parts := strings.SplitN(header, " ", 2)`
Basic auth: Fixed issue when using basic auth proxy infront of Grafana, Fixes #1673 2015-04-01 08:23:26 -05:00			`if len(parts) == 2 && parts[0] == "Bearer" {`
API token -> API key rename 2015-01-27 01:26:11 -06:00			`key := parts[1]`
			`return key`
macaron transition progress 2014-10-05 14:13:01 -05:00			`}`

support passing api token in Basic auth password (#12416) 2018-06-28 05:08:32 -05:00			`username, password, err := util.DecodeBasicAuthHeader(header)`
			`if err == nil && username == "api_key" {`
			`return password`
			`}`

Api Key role is now correcty added do middleware context 2015-01-16 09:15:35 -06:00			`return ""`
macaron transition progress 2014-10-05 14:13:01 -05:00			`}`

chore: avoid aliasing models in middleware (#22484) 2020-02-28 05:50:58 -06:00			`func accessForbidden(c *models.ReqContext) {`
Refactoring of api routes 2015-01-14 07:25:12 -06:00			`if c.IsApiRequest() {`
fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693 2015-09-08 03:46:31 -05:00			`c.JsonApiErr(403, "Permission denied", nil)`
			`return`
			`}`

redirect "permission denied" requests to "/" (#10773) 2018-02-05 11:17:47 -06:00			`c.Redirect(setting.AppSubUrl + "/")`
fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693 2015-09-08 03:46:31 -05:00			`}`

chore: avoid aliasing models in middleware (#22484) 2020-02-28 05:50:58 -06:00			`func notAuthorized(c *models.ReqContext) {`
fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693 2015-09-08 03:46:31 -05:00			`if c.IsApiRequest() {`
			`c.JsonApiErr(401, "Unauthorized", nil)`
Worked on login remember cookie, and redirect after login 2015-01-27 05:05:23 -06:00			`return`
Refactoring of api routes 2015-01-14 07:25:12 -06:00			`}`

API: Fix redirect issues (#22285) * Revert "API: Fix redirect issue when configured to use a subpath (#21652)" (#22671) This reverts commit 0e2d874ecf9277dcc17d562e05271917efc8b595. * Fix redirect validation (#22675) * Chore: Add test for parse of app url and app sub url Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> * Fix redirect: prepend subpath only if it's missing (#22676) * Validate redirect in login oauth (#22677) * Fix invalid redirect for authenticated user (#22678) * Login: Use correct path for OAuth logos Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com> 2020-03-11 04:04:48 -05:00			`redirectTo := c.Req.RequestURI`
			`if setting.AppSubUrl != "" && !strings.HasPrefix(redirectTo, setting.AppSubUrl) {`
			`redirectTo = setting.AppSubUrl + c.Req.RequestURI`
			`}`
			`WriteCookie(c.Resp, "redirect_to", url.QueryEscape(redirectTo), 0, newCookieOptions)`
mark redirect_to cookie as http only closes #10829 2018-02-15 03:56:29 -06:00
Work on making grafana work in sub url 2015-01-04 14:03:40 -06:00			`c.Redirect(setting.AppSubUrl + "/login")`
macaron transition progress 2014-10-05 14:13:01 -05:00			`}`

chore: avoid aliasing models in middleware (#22484) 2020-02-28 05:50:58 -06:00			`func EnsureEditorOrViewerCanEdit(c *models.ReqContext) {`
			`if !c.SignedInUser.HasRole(models.ROLE_EDITOR) && !setting.ViewersCanEdit {`
Viewers with viewers_can_edit should be able to access /explore (#15787) * fix: Viewers with viewers_can_edit should be able to access /explore #15773 * refactoring initial PR a bit to simplify function and reduce duplication 2019-03-05 05:41:01 -06:00			`accessForbidden(c)`
			`}`
			`}`

chore: avoid aliasing models in middleware (#22484) 2020-02-28 05:50:58 -06:00			`func RoleAuth(roles ...models.RoleType) macaron.Handler {`
			`return func(c *models.ReqContext) {`
Role checking when saving dashboard, making sure that the user has owner or editor role 2015-01-16 08:28:44 -06:00			`ok := false`
			`for _, role := range roles {`
Big Backend Refatoring: Renamed Account -> Org 2015-02-23 13:07:49 -06:00			`if role == c.OrgRole {`
Role checking when saving dashboard, making sure that the user has owner or editor role 2015-01-16 08:28:44 -06:00			`ok = true`
			`break`
			`}`
			`}`
			`if !ok {`
fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693 2015-09-08 03:46:31 -05:00			`accessForbidden(c)`
Role checking when saving dashboard, making sure that the user has owner or editor role 2015-01-16 08:28:44 -06:00			`}`
			`}`
			`}`

Refactoring of auth middleware, and starting work on account admin 2015-01-15 05:16:54 -06:00			`func Auth(options *AuthOptions) macaron.Handler {`
chore: avoid aliasing models in middleware (#22484) 2020-02-28 05:50:58 -06:00			`return func(c *models.ReqContext) {`
fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693 2015-09-08 03:46:31 -05:00			`if !c.IsSignedIn && options.ReqSignedIn && !c.AllowAnonymous {`
			`notAuthorized(c)`
Refactoring of auth middleware, and starting work on account admin 2015-01-15 05:16:54 -06:00			`return`
			`}`
add Token authentication support Added CRUD methods for Tokens. Extend Auth Handler to check for the presence of a Bearer Authorization header to authenticate against. If there is no header, or the token is not valid, the Auth Handler falls back to looking for a Session. 2015-01-14 02:33:34 -06:00
fix(api auth): return 401 for authentication errors and 403 for access denied errors, fixes #2693 2015-09-08 03:46:31 -05:00			`if !c.IsGrafanaAdmin && options.ReqGrafanaAdmin {`
			`accessForbidden(c)`
Refactoring of auth middleware, and starting work on account admin 2015-01-15 05:16:54 -06:00			`return`
add Token authentication support Added CRUD methods for Tokens. Extend Auth Handler to check for the presence of a Bearer Authorization header to authenticate against. If there is no header, or the token is not valid, the Auth Handler falls back to looking for a Session. 2015-01-14 02:33:34 -06:00			`}`
macaron transition progress 2014-10-05 14:13:01 -05:00			`}`
			`}`
teams: editors can work with teams. 2019-03-06 03:27:38 -06:00
teams: better names for api permissions. 2019-03-14 04:02:46 -05:00			`// AdminOrFeatureEnabled creates a middleware that allows access`
			`// if the signed in user is either an Org Admin or if the`
			`// feature flag is enabled.`
			`// Intended for when feature flags open up access to APIs that`
			`// are otherwise only available to admins.`
			`func AdminOrFeatureEnabled(enabled bool) macaron.Handler {`
chore: avoid aliasing models in middleware (#22484) 2020-02-28 05:50:58 -06:00			`return func(c *models.ReqContext) {`
			`if c.OrgRole == models.ROLE_ADMIN {`
teams: viewers and editors can view teams 2019-03-13 04:38:09 -05:00			`return`
teams: editors can work with teams. 2019-03-06 03:27:38 -06:00			`}`

teams: viewers and editors can view teams 2019-03-13 04:38:09 -05:00			`if !enabled {`
teams: editors can work with teams. 2019-03-06 03:27:38 -06:00			`accessForbidden(c)`
			`}`
			`}`
			`}`
Snapshot: Fix http api (#18830) (cherry picked from commit be2e2330f5c1f92082841d7eb13c5583143963a4) 2019-09-02 08:15:46 -05:00
			`func SnapshotPublicModeOrSignedIn() macaron.Handler {`
chore: avoid aliasing models in middleware (#22484) 2020-02-28 05:50:58 -06:00			`return func(c *models.ReqContext) {`
Snapshot: Fix http api (#18830) (cherry picked from commit be2e2330f5c1f92082841d7eb13c5583143963a4) 2019-09-02 08:15:46 -05:00			`if setting.SnapshotPublicMode {`
			`return`
			`}`

			`_, err := c.Invoke(ReqSignedIn)`
			`if err != nil {`
			`c.JsonApiErr(500, "Failed to invoke required signed in middleware", err)`
			`}`
			`}`
			`}`