grafana/pkg/middleware/auth_proxy.go

package middleware

import (
	"github.com/grafana/grafana/pkg/infra/remotecache"
	authproxy "github.com/grafana/grafana/pkg/middleware/auth_proxy"
	m "github.com/grafana/grafana/pkg/models"
)

const (

	// cachePrefix is a prefix for the cache key
	cachePrefix = authproxy.CachePrefix
)

func initContextWithAuthProxy(store *remotecache.RemoteCache, ctx *m.ReqContext, orgID int64) bool {
	auth := authproxy.New(&authproxy.Options{
		Store: store,
		Ctx:   ctx,
		OrgID: orgID,
	})

	// Bail if auth proxy is not enabled
	if !auth.IsEnabled() {
		return false
	}

	// If the there is no header - we can't move forward
	if !auth.HasHeader() {
		return false
	}

	// Check if allowed to continue with this IP
	if result, err := auth.IsAllowedIP(); !result {
		ctx.Handle(407, err.Error(), err.DetailsError)
		return true
	}

	// Try to get user id from various sources
	id, err := auth.GetUserID()
	if err != nil {
		ctx.Handle(500, err.Error(), err.DetailsError)
		return true
	}

	// Get full user info
	user, err := auth.GetSignedUser(id)
	if err != nil {
		ctx.Handle(500, err.Error(), err.DetailsError)
		return true
	}

	// Add user info to context
	ctx.SignedInUser = user
	ctx.IsSignedIn = true

	// Remember user data it in cache
	if err := auth.Remember(); err != nil {
		ctx.Handle(500, err.Error(), err.DetailsError)
		return true
	}

	return true
}
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`package middleware`

			`import (`
Chore: use remote cache instead of session storage (#16114) Replaces session storage in auth_proxy middleware with remote cache Fixes #15161 2019-04-08 06:31:46 -05:00			`"github.com/grafana/grafana/pkg/infra/remotecache"`
Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`authproxy "github.com/grafana/grafana/pkg/middleware/auth_proxy"`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`m "github.com/grafana/grafana/pkg/models"`
			`)`

Chore: use remote cache instead of session storage (#16114) Replaces session storage in auth_proxy middleware with remote cache Fixes #15161 2019-04-08 06:31:46 -05:00			`const (`

			`// cachePrefix is a prefix for the cache key`
Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`cachePrefix = authproxy.CachePrefix`
restrict session usage to auth_proxy 2019-01-23 05:41:15 -06:00			`)`
update auth proxy 2018-03-22 16:02:34 -05:00
Chore: use remote cache instead of session storage (#16114) Replaces session storage in auth_proxy middleware with remote cache Fixes #15161 2019-04-08 06:31:46 -05:00			`func initContextWithAuthProxy(store remotecache.RemoteCache, ctx m.ReqContext, orgID int64) bool {`
Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`auth := authproxy.New(&authproxy.Options{`
			`Store: store,`
			`Ctx: ctx,`
			`OrgID: orgID,`
			`})`

			`// Bail if auth proxy is not enabled`
Chore: remove use of `== false` (#17036) Interestingly enough, golint or revive doesn't not prohibit the use that construction :) Ref #17035 2019-05-14 02:18:28 -05:00			`if !auth.IsEnabled() {`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`return false`
			`}`

Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`// If the there is no header - we can't move forward`
Chore: remove use of `== false` (#17036) Interestingly enough, golint or revive doesn't not prohibit the use that construction :) Ref #17035 2019-05-14 02:18:28 -05:00			`if !auth.HasHeader() {`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`return false`
			`}`

Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`// Check if allowed to continue with this IP`
Chore: remove use of `== false` (#17036) Interestingly enough, golint or revive doesn't not prohibit the use that construction :) Ref #17035 2019-05-14 02:18:28 -05:00			`if result, err := auth.IsAllowedIP(); !result {`
Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`ctx.Handle(407, err.Error(), err.DetailsError)`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00			`return true`
			`}`

Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`// Try to get user id from various sources`
			`id, err := auth.GetUserID()`
			`if err != nil {`
			`ctx.Handle(500, err.Error(), err.DetailsError)`
			`return true`
refactor authproxy & ldap integration, address comments 2018-04-16 15:17:01 -05:00			`}`
update auth proxy 2018-03-22 16:02:34 -05:00
Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`// Get full user info`
			`user, err := auth.GetSignedUser(id)`
			`if err != nil {`
			`ctx.Handle(500, err.Error(), err.DetailsError)`
refactor authproxy & ldap integration, address comments 2018-04-16 15:17:01 -05:00			`return true`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00			`}`

Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`// Add user info to context`
			`ctx.SignedInUser = user`
			`ctx.IsSignedIn = true`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00
Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`// Remember user data it in cache`
			`if err := auth.Remember(); err != nil {`
			`ctx.Handle(500, err.Error(), err.DetailsError)`
			`return true`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00			`}`

Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`return true`
			`}`