2014-10-05 14:13:01 -05:00
|
|
|
package middleware
|
|
|
|
|
|
|
|
import (
|
2015-01-27 05:05:23 -06:00
|
|
|
"net/url"
|
2015-01-14 02:33:34 -06:00
|
|
|
"strings"
|
2014-11-20 08:19:44 -06:00
|
|
|
|
2015-01-14 07:25:12 -06:00
|
|
|
"github.com/Unknwon/macaron"
|
|
|
|
|
2014-12-19 06:40:02 -06:00
|
|
|
m "github.com/torkelo/grafana-pro/pkg/models"
|
2015-01-04 14:03:40 -06:00
|
|
|
"github.com/torkelo/grafana-pro/pkg/setting"
|
2014-10-05 14:13:01 -05:00
|
|
|
)
|
|
|
|
|
2015-01-15 05:16:54 -06:00
|
|
|
type AuthOptions struct {
|
2015-01-16 07:32:18 -06:00
|
|
|
ReqGrafanaAdmin bool
|
|
|
|
ReqSignedIn bool
|
2015-01-15 05:16:54 -06:00
|
|
|
}
|
|
|
|
|
2015-01-19 11:01:04 -06:00
|
|
|
func getRequestUserId(c *Context) int64 {
|
2015-01-29 05:10:34 -06:00
|
|
|
userId := c.Session.Get(SESS_KEY_USERID)
|
2014-10-05 14:13:01 -05:00
|
|
|
|
2015-01-19 11:01:04 -06:00
|
|
|
if userId != nil {
|
|
|
|
return userId.(int64)
|
2015-01-15 05:16:54 -06:00
|
|
|
}
|
2015-01-07 09:37:24 -06:00
|
|
|
|
2015-01-16 10:00:31 -06:00
|
|
|
// TODO: figure out a way to secure this
|
|
|
|
if c.Query("render") == "1" {
|
2015-01-29 05:10:34 -06:00
|
|
|
userId := c.QueryInt64(SESS_KEY_USERID)
|
|
|
|
c.Session.Set(SESS_KEY_USERID, userId)
|
2015-01-19 11:01:04 -06:00
|
|
|
return userId
|
2014-10-05 14:13:01 -05:00
|
|
|
}
|
|
|
|
|
2015-01-16 09:15:35 -06:00
|
|
|
return 0
|
|
|
|
}
|
|
|
|
|
2015-01-27 01:26:11 -06:00
|
|
|
func getApiKey(c *Context) string {
|
2015-01-15 05:16:54 -06:00
|
|
|
header := c.Req.Header.Get("Authorization")
|
|
|
|
parts := strings.SplitN(header, " ", 2)
|
|
|
|
if len(parts) == 2 || parts[0] == "Bearer" {
|
2015-01-27 01:26:11 -06:00
|
|
|
key := parts[1]
|
|
|
|
return key
|
2014-10-05 14:13:01 -05:00
|
|
|
}
|
|
|
|
|
2015-01-16 09:15:35 -06:00
|
|
|
return ""
|
2014-10-05 14:13:01 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
func authDenied(c *Context) {
|
2015-01-14 07:25:12 -06:00
|
|
|
if c.IsApiRequest() {
|
|
|
|
c.JsonApiErr(401, "Access denied", nil)
|
2015-01-27 05:05:23 -06:00
|
|
|
return
|
2015-01-14 07:25:12 -06:00
|
|
|
}
|
|
|
|
|
2015-01-04 14:03:40 -06:00
|
|
|
c.Redirect(setting.AppSubUrl + "/login")
|
2014-10-05 14:13:01 -05:00
|
|
|
}
|
|
|
|
|
2015-01-16 08:28:44 -06:00
|
|
|
func RoleAuth(roles ...m.RoleType) macaron.Handler {
|
|
|
|
return func(c *Context) {
|
|
|
|
ok := false
|
|
|
|
for _, role := range roles {
|
2015-01-19 11:01:04 -06:00
|
|
|
if role == c.AccountRole {
|
2015-01-16 08:28:44 -06:00
|
|
|
ok = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if !ok {
|
|
|
|
authDenied(c)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-01-15 05:16:54 -06:00
|
|
|
func Auth(options *AuthOptions) macaron.Handler {
|
|
|
|
return func(c *Context) {
|
2015-01-27 08:45:27 -06:00
|
|
|
if !c.IsGrafanaAdmin && options.ReqGrafanaAdmin {
|
2015-01-28 04:33:50 -06:00
|
|
|
c.SetCookie("redirect_to", url.QueryEscape(setting.AppSubUrl+c.Req.RequestURI), 0, setting.AppSubUrl+"/")
|
2015-01-15 05:16:54 -06:00
|
|
|
authDenied(c)
|
|
|
|
return
|
|
|
|
}
|
2015-01-14 02:33:34 -06:00
|
|
|
|
2015-01-27 08:45:27 -06:00
|
|
|
if !c.IsSignedIn && options.ReqSignedIn && !c.HasAnonymousAccess {
|
|
|
|
c.SetCookie("redirect_to", url.QueryEscape(setting.AppSubUrl+c.Req.RequestURI), 0, setting.AppSubUrl+"/")
|
2015-01-15 05:16:54 -06:00
|
|
|
authDenied(c)
|
|
|
|
return
|
2015-01-14 02:33:34 -06:00
|
|
|
}
|
2014-10-05 14:13:01 -05:00
|
|
|
}
|
|
|
|
}
|