grafana/pkg/services/authn/clients/basic.go

package clients

import (
	"context"
	"errors"
	"strings"

	"github.com/grafana/grafana/pkg/services/authn"
	"github.com/grafana/grafana/pkg/services/loginattempt"
	"github.com/grafana/grafana/pkg/util"
	"github.com/grafana/grafana/pkg/util/errutil"
	"github.com/grafana/grafana/pkg/web"
)

var (
	errDecodingBasicAuthHeader = errutil.NewBase(errutil.StatusBadRequest, "basic-auth.invalid-header", errutil.WithPublicMessage("Invalid Basic Auth Header"))
	errBasicAuthCredentials    = errutil.NewBase(errutil.StatusUnauthorized, "basic-auth.invalid-credentials", errutil.WithPublicMessage("Invalid username or password"))
)

var _ authn.Client = new(Basic)

func ProvideBasic(loginAttempts loginattempt.Service, clients ...authn.PasswordClient) *Basic {
	return &Basic{clients, loginAttempts}
}

type Basic struct {
	clients       []authn.PasswordClient
	loginAttempts loginattempt.Service
}

func (c *Basic) Authenticate(ctx context.Context, r *authn.Request) (*authn.Identity, error) {
	username, password, err := util.DecodeBasicAuthHeader(getBasicAuthHeaderFromRequest(r))
	if err != nil {
		return nil, errDecodingBasicAuthHeader.Errorf("failed to decode basic auth header: %w", err)
	}

	r.SetMeta(authn.MetaKeyUsername, username)

	ok, err := c.loginAttempts.Validate(ctx, username)
	if err != nil {
		return nil, err
	}
	if !ok {
		return nil, errBasicAuthCredentials.Errorf("too many consecutive incorrect login attempts for user - login for user temporarily blocked")
	}

	if len(password) == 0 {
		return nil, errBasicAuthCredentials.Errorf("no password provided")
	}

	for _, pwClient := range c.clients {
		identity, err := pwClient.AuthenticatePassword(ctx, r, username, password)
		if err != nil {
			if errors.Is(err, errIdentityNotFound) {
				// continue to next password client if identity could not be found
				continue
			}
			if errors.Is(err, errInvalidPassword) {
				// only add login attempt if identity was found but the provided password was invalid
				_ = c.loginAttempts.Add(ctx, username, web.RemoteAddr(r.HTTPRequest))
			}
			return nil, errBasicAuthCredentials.Errorf("failed to authenticate identity: %w", err)
		}

		return identity, nil
	}

	return nil, errBasicAuthCredentials.Errorf("failed to authenticate identity using basic auth")
}

func (c *Basic) Test(ctx context.Context, r *authn.Request) bool {
	if len(c.clients) == 0 {
		return false
	}
	return looksLikeBasicAuthRequest(r)
}

func looksLikeBasicAuthRequest(r *authn.Request) bool {
	return getBasicAuthHeaderFromRequest(r) != ""
}

func getBasicAuthHeaderFromRequest(r *authn.Request) string {
	if r.HTTPRequest == nil {
		return ""
	}

	header := r.HTTPRequest.Header.Get(authorizationHeaderName)
	if header == "" {
		return ""
	}

	if !strings.HasPrefix(header, basicPrefix) {
		return ""
	}

	return header
}
AuthN: Add client to perform basic authentication (#60877) * AuthN: Add basic auth client boilerplate * AuthN: Implement test function for basic auth client * AuthN: Implement the authentication method for basic auth * AuthN: Add tests for basic auth authentication * ContextHandler: perform basic auth authentication through authn service if feature toggle is enabled * AuthN: Add providers for sync services and pass required dependencies 2023-01-03 03:23:38 -06:00			`package clients`

			`import (`
			`"context"`
AuthN: Refactor basic auth client to support multiple password auth (#61153) * AuthN: add interface for password clients * AuthN: Extract grafana password client * AuthN: Rewrite basic client tests * AuthN: Add Ldap client and rename method of PasswordClient * AuthN: Configure multiple password clients * AuthN: create ldap service and add tests 2023-01-09 09:40:29 -06:00			`"errors"`
AuthN: Add client to perform basic authentication (#60877) * AuthN: Add basic auth client boilerplate * AuthN: Implement test function for basic auth client * AuthN: Implement the authentication method for basic auth * AuthN: Add tests for basic auth authentication * ContextHandler: perform basic auth authentication through authn service if feature toggle is enabled * AuthN: Add providers for sync services and pass required dependencies 2023-01-03 03:23:38 -06:00			`"strings"`

			`"github.com/grafana/grafana/pkg/services/authn"`
			`"github.com/grafana/grafana/pkg/services/loginattempt"`
			`"github.com/grafana/grafana/pkg/util"`
			`"github.com/grafana/grafana/pkg/util/errutil"`
AuthN: Login (#61225) * AuthN: Add function to login auth request 2023-01-10 07:55:27 -06:00			`"github.com/grafana/grafana/pkg/web"`
AuthN: Add client to perform basic authentication (#60877) * AuthN: Add basic auth client boilerplate * AuthN: Implement test function for basic auth client * AuthN: Implement the authentication method for basic auth * AuthN: Add tests for basic auth authentication * ContextHandler: perform basic auth authentication through authn service if feature toggle is enabled * AuthN: Add providers for sync services and pass required dependencies 2023-01-03 03:23:38 -06:00			`)`

			`var (`
AuthN: Refactor basic auth client to support multiple password auth (#61153) * AuthN: add interface for password clients * AuthN: Extract grafana password client * AuthN: Rewrite basic client tests * AuthN: Add Ldap client and rename method of PasswordClient * AuthN: Configure multiple password clients * AuthN: create ldap service and add tests 2023-01-09 09:40:29 -06:00			`errDecodingBasicAuthHeader = errutil.NewBase(errutil.StatusBadRequest, "basic-auth.invalid-header", errutil.WithPublicMessage("Invalid Basic Auth Header"))`
			`errBasicAuthCredentials = errutil.NewBase(errutil.StatusUnauthorized, "basic-auth.invalid-credentials", errutil.WithPublicMessage("Invalid username or password"))`
AuthN: Add client to perform basic authentication (#60877) * AuthN: Add basic auth client boilerplate * AuthN: Implement test function for basic auth client * AuthN: Implement the authentication method for basic auth * AuthN: Add tests for basic auth authentication * ContextHandler: perform basic auth authentication through authn service if feature toggle is enabled * AuthN: Add providers for sync services and pass required dependencies 2023-01-03 03:23:38 -06:00			`)`

			`var _ authn.Client = new(Basic)`

AuthN: Refactor basic auth client to support multiple password auth (#61153) * AuthN: add interface for password clients * AuthN: Extract grafana password client * AuthN: Rewrite basic client tests * AuthN: Add Ldap client and rename method of PasswordClient * AuthN: Configure multiple password clients * AuthN: create ldap service and add tests 2023-01-09 09:40:29 -06:00			`func ProvideBasic(loginAttempts loginattempt.Service, clients ...authn.PasswordClient) *Basic {`
			`return &Basic{clients, loginAttempts}`
AuthN: Add client to perform basic authentication (#60877) * AuthN: Add basic auth client boilerplate * AuthN: Implement test function for basic auth client * AuthN: Implement the authentication method for basic auth * AuthN: Add tests for basic auth authentication * ContextHandler: perform basic auth authentication through authn service if feature toggle is enabled * AuthN: Add providers for sync services and pass required dependencies 2023-01-03 03:23:38 -06:00			`}`

			`type Basic struct {`
AuthN: Refactor basic auth client to support multiple password auth (#61153) * AuthN: add interface for password clients * AuthN: Extract grafana password client * AuthN: Rewrite basic client tests * AuthN: Add Ldap client and rename method of PasswordClient * AuthN: Configure multiple password clients * AuthN: create ldap service and add tests 2023-01-09 09:40:29 -06:00			`clients []authn.PasswordClient`
AuthN: Add client to perform basic authentication (#60877) * AuthN: Add basic auth client boilerplate * AuthN: Implement test function for basic auth client * AuthN: Implement the authentication method for basic auth * AuthN: Add tests for basic auth authentication * ContextHandler: perform basic auth authentication through authn service if feature toggle is enabled * AuthN: Add providers for sync services and pass required dependencies 2023-01-03 03:23:38 -06:00			`loginAttempts loginattempt.Service`
			`}`

			`func (c Basic) Authenticate(ctx context.Context, r authn.Request) (*authn.Identity, error) {`
			`username, password, err := util.DecodeBasicAuthHeader(getBasicAuthHeaderFromRequest(r))`
			`if err != nil {`
AuthN: Refactor basic auth client to support multiple password auth (#61153) * AuthN: add interface for password clients * AuthN: Extract grafana password client * AuthN: Rewrite basic client tests * AuthN: Add Ldap client and rename method of PasswordClient * AuthN: Configure multiple password clients * AuthN: create ldap service and add tests 2023-01-09 09:40:29 -06:00			`return nil, errDecodingBasicAuthHeader.Errorf("failed to decode basic auth header: %w", err)`
AuthN: Add client to perform basic authentication (#60877) * AuthN: Add basic auth client boilerplate * AuthN: Implement test function for basic auth client * AuthN: Implement the authentication method for basic auth * AuthN: Add tests for basic auth authentication * ContextHandler: perform basic auth authentication through authn service if feature toggle is enabled * AuthN: Add providers for sync services and pass required dependencies 2023-01-03 03:23:38 -06:00			`}`

AuthN: Post login hooks (#61287) * AuthN: add the ability to register post login hooks * AuthN: add a guard for the user id * AuthN: Add helper to create external user info from identity * AuthN: Pass auth request to password clients * AuthN: set auth module and username in metadata 2023-01-12 08:02:04 -06:00			`r.SetMeta(authn.MetaKeyUsername, username)`

AuthN: Add client to perform basic authentication (#60877) * AuthN: Add basic auth client boilerplate * AuthN: Implement test function for basic auth client * AuthN: Implement the authentication method for basic auth * AuthN: Add tests for basic auth authentication * ContextHandler: perform basic auth authentication through authn service if feature toggle is enabled * AuthN: Add providers for sync services and pass required dependencies 2023-01-03 03:23:38 -06:00			`ok, err := c.loginAttempts.Validate(ctx, username)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if !ok {`
AuthN: Refactor basic auth client to support multiple password auth (#61153) * AuthN: add interface for password clients * AuthN: Extract grafana password client * AuthN: Rewrite basic client tests * AuthN: Add Ldap client and rename method of PasswordClient * AuthN: Configure multiple password clients * AuthN: create ldap service and add tests 2023-01-09 09:40:29 -06:00			`return nil, errBasicAuthCredentials.Errorf("too many consecutive incorrect login attempts for user - login for user temporarily blocked")`
AuthN: Add client to perform basic authentication (#60877) * AuthN: Add basic auth client boilerplate * AuthN: Implement test function for basic auth client * AuthN: Implement the authentication method for basic auth * AuthN: Add tests for basic auth authentication * ContextHandler: perform basic auth authentication through authn service if feature toggle is enabled * AuthN: Add providers for sync services and pass required dependencies 2023-01-03 03:23:38 -06:00			`}`

			`if len(password) == 0 {`
AuthN: Refactor basic auth client to support multiple password auth (#61153) * AuthN: add interface for password clients * AuthN: Extract grafana password client * AuthN: Rewrite basic client tests * AuthN: Add Ldap client and rename method of PasswordClient * AuthN: Configure multiple password clients * AuthN: create ldap service and add tests 2023-01-09 09:40:29 -06:00			`return nil, errBasicAuthCredentials.Errorf("no password provided")`
AuthN: Add client to perform basic authentication (#60877) * AuthN: Add basic auth client boilerplate * AuthN: Implement test function for basic auth client * AuthN: Implement the authentication method for basic auth * AuthN: Add tests for basic auth authentication * ContextHandler: perform basic auth authentication through authn service if feature toggle is enabled * AuthN: Add providers for sync services and pass required dependencies 2023-01-03 03:23:38 -06:00			`}`

AuthN: Refactor basic auth client to support multiple password auth (#61153) * AuthN: add interface for password clients * AuthN: Extract grafana password client * AuthN: Rewrite basic client tests * AuthN: Add Ldap client and rename method of PasswordClient * AuthN: Configure multiple password clients * AuthN: create ldap service and add tests 2023-01-09 09:40:29 -06:00			`for _, pwClient := range c.clients {`
AuthN: Post login hooks (#61287) * AuthN: add the ability to register post login hooks * AuthN: add a guard for the user id * AuthN: Add helper to create external user info from identity * AuthN: Pass auth request to password clients * AuthN: set auth module and username in metadata 2023-01-12 08:02:04 -06:00			`identity, err := pwClient.AuthenticatePassword(ctx, r, username, password)`
AuthN: Refactor basic auth client to support multiple password auth (#61153) * AuthN: add interface for password clients * AuthN: Extract grafana password client * AuthN: Rewrite basic client tests * AuthN: Add Ldap client and rename method of PasswordClient * AuthN: Configure multiple password clients * AuthN: create ldap service and add tests 2023-01-09 09:40:29 -06:00			`if err != nil {`
			`if errors.Is(err, errIdentityNotFound) {`
			`// continue to next password client if identity could not be found`
			`continue`
			`}`
			`if errors.Is(err, errInvalidPassword) {`
			`// only add login attempt if identity was found but the provided password was invalid`
AuthN: Login (#61225) * AuthN: Add function to login auth request 2023-01-10 07:55:27 -06:00			`_ = c.loginAttempts.Add(ctx, username, web.RemoteAddr(r.HTTPRequest))`
AuthN: Refactor basic auth client to support multiple password auth (#61153) * AuthN: add interface for password clients * AuthN: Extract grafana password client * AuthN: Rewrite basic client tests * AuthN: Add Ldap client and rename method of PasswordClient * AuthN: Configure multiple password clients * AuthN: create ldap service and add tests 2023-01-09 09:40:29 -06:00			`}`
			`return nil, errBasicAuthCredentials.Errorf("failed to authenticate identity: %w", err)`
			`}`

			`return identity, nil`
AuthN: Add client to perform basic authentication (#60877) * AuthN: Add basic auth client boilerplate * AuthN: Implement test function for basic auth client * AuthN: Implement the authentication method for basic auth * AuthN: Add tests for basic auth authentication * ContextHandler: perform basic auth authentication through authn service if feature toggle is enabled * AuthN: Add providers for sync services and pass required dependencies 2023-01-03 03:23:38 -06:00			`}`

AuthN: Refactor basic auth client to support multiple password auth (#61153) * AuthN: add interface for password clients * AuthN: Extract grafana password client * AuthN: Rewrite basic client tests * AuthN: Add Ldap client and rename method of PasswordClient * AuthN: Configure multiple password clients * AuthN: create ldap service and add tests 2023-01-09 09:40:29 -06:00			`return nil, errBasicAuthCredentials.Errorf("failed to authenticate identity using basic auth")`
AuthN: Add client to perform basic authentication (#60877) * AuthN: Add basic auth client boilerplate * AuthN: Implement test function for basic auth client * AuthN: Implement the authentication method for basic auth * AuthN: Add tests for basic auth authentication * ContextHandler: perform basic auth authentication through authn service if feature toggle is enabled * AuthN: Add providers for sync services and pass required dependencies 2023-01-03 03:23:38 -06:00			`}`

			`func (c Basic) Test(ctx context.Context, r authn.Request) bool {`
AuthN: Refactor basic auth client to support multiple password auth (#61153) * AuthN: add interface for password clients * AuthN: Extract grafana password client * AuthN: Rewrite basic client tests * AuthN: Add Ldap client and rename method of PasswordClient * AuthN: Configure multiple password clients * AuthN: create ldap service and add tests 2023-01-09 09:40:29 -06:00			`if len(c.clients) == 0 {`
			`return false`
			`}`
AuthN: Add client to perform basic authentication (#60877) * AuthN: Add basic auth client boilerplate * AuthN: Implement test function for basic auth client * AuthN: Implement the authentication method for basic auth * AuthN: Add tests for basic auth authentication * ContextHandler: perform basic auth authentication through authn service if feature toggle is enabled * AuthN: Add providers for sync services and pass required dependencies 2023-01-03 03:23:38 -06:00			`return looksLikeBasicAuthRequest(r)`
			`}`

			`func looksLikeBasicAuthRequest(r *authn.Request) bool {`
			`return getBasicAuthHeaderFromRequest(r) != ""`
			`}`

			`func getBasicAuthHeaderFromRequest(r *authn.Request) string {`
			`if r.HTTPRequest == nil {`
			`return ""`
			`}`

			`header := r.HTTPRequest.Header.Get(authorizationHeaderName)`
			`if header == "" {`
			`return ""`
			`}`

			`if !strings.HasPrefix(header, basicPrefix) {`
			`return ""`
			`}`

			`return header`
			`}`