2014-12-29 13:36:08 +01:00
|
|
|
package api
|
|
|
|
|
|
|
|
|
|
import (
|
2018-01-16 12:32:42 +01:00
|
|
|
"context"
|
2016-10-08 01:20:45 -05:00
|
|
|
"crypto/rand"
|
2019-01-22 15:20:44 +01:00
|
|
|
"crypto/sha256"
|
2016-10-11 02:51:44 -04:00
|
|
|
"crypto/tls"
|
|
|
|
|
"crypto/x509"
|
2016-10-08 01:20:45 -05:00
|
|
|
"encoding/base64"
|
2019-01-22 15:20:44 +01:00
|
|
|
"encoding/hex"
|
2016-10-11 02:51:44 -04:00
|
|
|
"fmt"
|
|
|
|
|
"io/ioutil"
|
|
|
|
|
"net/http"
|
2017-02-09 14:01:53 -05:00
|
|
|
"net/url"
|
2014-12-29 13:36:08 +01:00
|
|
|
|
2014-12-30 10:10:13 +01:00
|
|
|
"golang.org/x/oauth2"
|
|
|
|
|
|
2018-03-23 15:50:07 -04:00
|
|
|
"github.com/grafana/grafana/pkg/bus"
|
2019-05-13 14:45:54 +08:00
|
|
|
"github.com/grafana/grafana/pkg/infra/log"
|
2019-02-23 23:35:26 +01:00
|
|
|
"github.com/grafana/grafana/pkg/infra/metrics"
|
2018-02-08 17:13:58 -05:00
|
|
|
"github.com/grafana/grafana/pkg/login"
|
2019-02-23 23:39:05 +01:00
|
|
|
"github.com/grafana/grafana/pkg/login/social"
|
2020-01-10 14:55:30 +01:00
|
|
|
"github.com/grafana/grafana/pkg/middleware"
|
2020-03-04 12:57:20 +01:00
|
|
|
"github.com/grafana/grafana/pkg/models"
|
2015-02-05 10:37:13 +01:00
|
|
|
"github.com/grafana/grafana/pkg/setting"
|
2014-12-29 13:36:08 +01:00
|
|
|
)
|
|
|
|
|
|
2019-01-22 15:20:44 +01:00
|
|
|
var (
|
|
|
|
|
oauthLogger = log.New("oauth")
|
|
|
|
|
OauthStateCookieName = "oauth_state"
|
|
|
|
|
)
|
2017-02-01 16:32:51 +03:00
|
|
|
|
2019-10-08 18:57:53 +02:00
|
|
|
func GenStateString() (string, error) {
|
2016-10-11 02:51:44 -04:00
|
|
|
rnd := make([]byte, 32)
|
2019-10-08 18:57:53 +02:00
|
|
|
if _, err := rand.Read(rnd); err != nil {
|
|
|
|
|
oauthLogger.Error("failed to generate state string", "err", err)
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
return base64.URLEncoding.EncodeToString(rnd), nil
|
2016-10-08 01:20:45 -05:00
|
|
|
}
|
|
|
|
|
|
2020-03-04 12:57:20 +01:00
|
|
|
func (hs *HTTPServer) OAuthLogin(ctx *models.ReqContext) {
|
2014-12-29 13:36:08 +01:00
|
|
|
if setting.OAuthService == nil {
|
2018-02-06 12:27:25 +01:00
|
|
|
ctx.Handle(404, "OAuth not enabled", nil)
|
2014-12-29 13:36:08 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
name := ctx.Params(":name")
|
|
|
|
|
connect, ok := social.SocialMap[name]
|
|
|
|
|
if !ok {
|
2018-02-06 12:27:25 +01:00
|
|
|
ctx.Handle(404, fmt.Sprintf("No OAuth with name %s configured", name), nil)
|
2014-12-29 13:36:08 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-12 15:12:21 +02:00
|
|
|
errorParam := ctx.Query("error")
|
|
|
|
|
if errorParam != "" {
|
2016-10-11 02:51:44 -04:00
|
|
|
errorDesc := ctx.Query("error_description")
|
2017-10-12 15:12:21 +02:00
|
|
|
oauthLogger.Error("failed to login ", "error", errorParam, "errorDesc", errorDesc)
|
2019-01-23 17:01:09 +01:00
|
|
|
hs.redirectWithError(ctx, login.ErrProviderDeniedRequest, "error", errorParam, "errorDesc", errorDesc)
|
2016-10-11 02:51:44 -04:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2014-12-29 13:36:08 +01:00
|
|
|
code := ctx.Query("code")
|
|
|
|
|
if code == "" {
|
2019-10-08 18:57:53 +02:00
|
|
|
state, err := GenStateString()
|
|
|
|
|
if err != nil {
|
|
|
|
|
ctx.Logger.Error("Generating state string failed", "err", err)
|
|
|
|
|
ctx.Handle(500, "An internal error occurred", nil)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-22 15:20:44 +01:00
|
|
|
hashedState := hashStatecode(state, setting.OAuthService.OAuthInfos[name].ClientSecret)
|
2020-01-10 14:55:30 +01:00
|
|
|
middleware.WriteCookie(ctx.Resp, OauthStateCookieName, hashedState, 60, hs.cookieOptionsFromCfg)
|
2016-10-28 03:00:47 -07:00
|
|
|
if setting.OAuthService.OAuthInfos[name].HostedDomain == "" {
|
|
|
|
|
ctx.Redirect(connect.AuthCodeURL(state, oauth2.AccessTypeOnline))
|
2016-12-14 12:15:35 +09:00
|
|
|
} else {
|
2017-06-05 10:09:27 +02:00
|
|
|
ctx.Redirect(connect.AuthCodeURL(state, oauth2.SetAuthURLParam("hd", setting.OAuthService.OAuthInfos[name].HostedDomain), oauth2.AccessTypeOnline))
|
2016-10-28 03:00:47 -07:00
|
|
|
}
|
2016-10-08 01:20:45 -05:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-24 19:04:58 +01:00
|
|
|
cookieState := ctx.GetCookie(OauthStateCookieName)
|
2019-01-22 15:20:44 +01:00
|
|
|
|
|
|
|
|
// delete cookie
|
2020-01-10 14:55:30 +01:00
|
|
|
middleware.DeleteCookie(ctx.Resp, OauthStateCookieName, hs.cookieOptionsFromCfg)
|
2019-01-22 15:20:44 +01:00
|
|
|
|
2019-01-24 19:04:58 +01:00
|
|
|
if cookieState == "" {
|
2017-10-12 15:24:20 +02:00
|
|
|
ctx.Handle(500, "login.OAuthLogin(missing saved state)", nil)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-22 15:20:44 +01:00
|
|
|
queryState := hashStatecode(ctx.Query("state"), setting.OAuthService.OAuthInfos[name].ClientSecret)
|
2019-01-24 19:04:58 +01:00
|
|
|
oauthLogger.Info("state check", "queryState", queryState, "cookieState", cookieState)
|
|
|
|
|
if cookieState != queryState {
|
2016-10-08 01:20:45 -05:00
|
|
|
ctx.Handle(500, "login.OAuthLogin(state mismatch)", nil)
|
2014-12-29 13:36:08 +01:00
|
|
|
return
|
|
|
|
|
}
|
2018-05-28 20:47:48 +02:00
|
|
|
|
2014-12-29 13:36:08 +01:00
|
|
|
// handle call back
|
2017-10-06 15:16:26 +01:00
|
|
|
tr := &http.Transport{
|
2018-05-28 16:12:36 +09:00
|
|
|
Proxy: http.ProxyFromEnvironment,
|
2017-10-06 15:16:26 +01:00
|
|
|
TLSClientConfig: &tls.Config{
|
|
|
|
|
InsecureSkipVerify: setting.OAuthService.OAuthInfos[name].TlsSkipVerify,
|
|
|
|
|
},
|
|
|
|
|
}
|
2017-10-06 15:23:06 +01:00
|
|
|
oauthClient := &http.Client{
|
2017-10-06 15:16:26 +01:00
|
|
|
Transport: tr,
|
|
|
|
|
}
|
2016-10-11 02:51:44 -04:00
|
|
|
|
2017-10-06 15:03:46 +01:00
|
|
|
if setting.OAuthService.OAuthInfos[name].TlsClientCert != "" || setting.OAuthService.OAuthInfos[name].TlsClientKey != "" {
|
2016-10-11 02:51:44 -04:00
|
|
|
cert, err := tls.LoadX509KeyPair(setting.OAuthService.OAuthInfos[name].TlsClientCert, setting.OAuthService.OAuthInfos[name].TlsClientKey)
|
|
|
|
|
if err != nil {
|
2018-01-23 13:03:44 +01:00
|
|
|
ctx.Logger.Error("Failed to setup TlsClientCert", "oauth", name, "error", err)
|
2018-01-18 17:17:51 -05:00
|
|
|
ctx.Handle(500, "login.OAuthLogin(Failed to setup TlsClientCert)", nil)
|
|
|
|
|
return
|
2016-10-11 02:51:44 -04:00
|
|
|
}
|
|
|
|
|
|
2017-10-06 15:16:26 +01:00
|
|
|
tr.TLSClientConfig.Certificates = append(tr.TLSClientConfig.Certificates, cert)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if setting.OAuthService.OAuthInfos[name].TlsClientCa != "" {
|
2016-10-11 02:51:44 -04:00
|
|
|
caCert, err := ioutil.ReadFile(setting.OAuthService.OAuthInfos[name].TlsClientCa)
|
|
|
|
|
if err != nil {
|
2018-01-23 13:03:44 +01:00
|
|
|
ctx.Logger.Error("Failed to setup TlsClientCa", "oauth", name, "error", err)
|
2018-01-18 17:17:51 -05:00
|
|
|
ctx.Handle(500, "login.OAuthLogin(Failed to setup TlsClientCa)", nil)
|
|
|
|
|
return
|
2016-10-11 02:51:44 -04:00
|
|
|
}
|
|
|
|
|
caCertPool := x509.NewCertPool()
|
|
|
|
|
caCertPool.AppendCertsFromPEM(caCert)
|
|
|
|
|
|
2017-10-06 15:16:26 +01:00
|
|
|
tr.TLSClientConfig.RootCAs = caCertPool
|
2016-10-11 02:51:44 -04:00
|
|
|
}
|
|
|
|
|
|
2017-10-06 15:23:06 +01:00
|
|
|
oauthCtx := context.WithValue(context.Background(), oauth2.HTTPClient, oauthClient)
|
2017-10-06 15:16:26 +01:00
|
|
|
|
2016-10-11 02:51:44 -04:00
|
|
|
// get token from provider
|
|
|
|
|
token, err := connect.Exchange(oauthCtx, code)
|
2014-12-29 13:36:08 +01:00
|
|
|
if err != nil {
|
|
|
|
|
ctx.Handle(500, "login.OAuthLogin(NewTransportWithCode)", err)
|
|
|
|
|
return
|
|
|
|
|
}
|
2016-11-15 14:36:21 -05:00
|
|
|
// token.TokenType was defaulting to "bearer", which is out of spec, so we explicitly set to "Bearer"
|
|
|
|
|
token.TokenType = "Bearer"
|
2014-12-29 13:36:08 +01:00
|
|
|
|
2018-01-18 17:17:51 -05:00
|
|
|
oauthLogger.Debug("OAuthLogin Got token", "token", token)
|
2014-12-29 13:36:08 +01:00
|
|
|
|
2016-10-11 02:51:44 -04:00
|
|
|
// set up oauth2 client
|
|
|
|
|
client := connect.Client(oauthCtx, token)
|
|
|
|
|
|
|
|
|
|
// get user info
|
2018-01-18 17:17:51 -05:00
|
|
|
userInfo, err := connect.UserInfo(client, token)
|
2014-12-29 13:36:08 +01:00
|
|
|
if err != nil {
|
2017-02-01 16:32:51 +03:00
|
|
|
if sErr, ok := err.(*social.Error); ok {
|
2019-01-23 17:01:09 +01:00
|
|
|
hs.redirectWithError(ctx, sErr)
|
2015-04-28 20:22:45 -07:00
|
|
|
} else {
|
|
|
|
|
ctx.Handle(500, fmt.Sprintf("login.OAuthLogin(get info from %s)", name), err)
|
|
|
|
|
}
|
2014-12-29 13:36:08 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-01-18 17:17:51 -05:00
|
|
|
oauthLogger.Debug("OAuthLogin got user info", "userInfo", userInfo)
|
2015-04-06 14:16:22 +02:00
|
|
|
|
2017-05-26 08:35:32 -04:00
|
|
|
// validate that we got at least an email address
|
|
|
|
|
if userInfo.Email == "" {
|
2019-01-23 17:01:09 +01:00
|
|
|
hs.redirectWithError(ctx, login.ErrNoEmail)
|
2017-05-26 08:35:32 -04:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2015-04-06 14:16:22 +02:00
|
|
|
// validate that the email is allowed to login to grafana
|
|
|
|
|
if !connect.IsEmailAllowed(userInfo.Email) {
|
2019-01-23 17:01:09 +01:00
|
|
|
hs.redirectWithError(ctx, login.ErrEmailNotAllowed)
|
2015-04-06 14:16:22 +02:00
|
|
|
return
|
|
|
|
|
}
|
2014-12-29 13:36:08 +01:00
|
|
|
|
2020-03-04 12:57:20 +01:00
|
|
|
extUser := &models.ExternalUserInfo{
|
2018-02-08 17:13:58 -05:00
|
|
|
AuthModule: "oauth_" + name,
|
2019-02-01 19:40:57 -05:00
|
|
|
OAuthToken: token,
|
2018-02-08 17:13:58 -05:00
|
|
|
AuthId: userInfo.Id,
|
|
|
|
|
Name: userInfo.Name,
|
|
|
|
|
Login: userInfo.Login,
|
|
|
|
|
Email: userInfo.Email,
|
2020-03-04 12:57:20 +01:00
|
|
|
OrgRoles: map[int64]models.RoleType{},
|
2019-07-01 12:30:17 +03:00
|
|
|
Groups: userInfo.Groups,
|
2018-02-08 17:13:58 -05:00
|
|
|
}
|
2014-12-29 13:36:08 +01:00
|
|
|
|
2018-02-08 17:13:58 -05:00
|
|
|
if userInfo.Role != "" {
|
2020-03-04 12:57:20 +01:00
|
|
|
rt := models.RoleType(userInfo.Role)
|
2019-11-05 21:56:42 +01:00
|
|
|
if rt.IsValid() {
|
2020-02-19 17:38:53 +01:00
|
|
|
var orgID int64
|
|
|
|
|
if setting.AutoAssignOrg && setting.AutoAssignOrgId > 0 {
|
|
|
|
|
orgID = int64(setting.AutoAssignOrgId)
|
|
|
|
|
} else {
|
|
|
|
|
orgID = int64(1)
|
|
|
|
|
}
|
|
|
|
|
extUser.OrgRoles[orgID] = rt
|
2019-11-05 21:56:42 +01:00
|
|
|
}
|
2018-02-08 17:13:58 -05:00
|
|
|
}
|
2014-12-29 13:36:08 +01:00
|
|
|
|
2018-02-08 17:13:58 -05:00
|
|
|
// add/update user in grafana
|
2020-03-04 12:57:20 +01:00
|
|
|
cmd := &models.UpsertUserCommand{
|
2018-03-23 15:50:07 -04:00
|
|
|
ReqContext: ctx,
|
|
|
|
|
ExternalUser: extUser,
|
2018-02-08 17:13:58 -05:00
|
|
|
SignupAllowed: connect.IsSignupAllowed(),
|
|
|
|
|
}
|
2019-01-23 17:01:09 +01:00
|
|
|
|
2018-03-23 15:50:07 -04:00
|
|
|
err = bus.Dispatch(cmd)
|
2018-02-08 17:13:58 -05:00
|
|
|
if err != nil {
|
2019-01-23 17:01:09 +01:00
|
|
|
hs.redirectWithError(ctx, err)
|
2018-02-08 17:13:58 -05:00
|
|
|
return
|
2014-12-29 13:36:08 +01:00
|
|
|
}
|
|
|
|
|
|
2019-07-23 13:12:55 +03:00
|
|
|
// Do not expose disabled status,
|
|
|
|
|
// just show incorrect user credentials error (see #17947)
|
2019-07-05 12:35:04 +03:00
|
|
|
if cmd.Result.IsDisabled {
|
2019-07-23 13:12:55 +03:00
|
|
|
oauthLogger.Warn("User is disabled", "user", cmd.Result.Login)
|
|
|
|
|
hs.redirectWithError(ctx, login.ErrInvalidCredentials)
|
2019-07-05 12:35:04 +03:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2014-12-29 13:36:08 +01:00
|
|
|
// login
|
2019-01-15 15:15:52 +01:00
|
|
|
hs.loginUserWithUser(cmd.Result, ctx)
|
2014-12-29 13:36:08 +01:00
|
|
|
|
2019-07-16 17:58:46 +03:00
|
|
|
metrics.MApiLoginOAuth.Inc()
|
2015-03-22 15:14:00 -04:00
|
|
|
|
2017-02-09 14:01:53 -05:00
|
|
|
if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 {
|
2020-01-10 14:55:30 +01:00
|
|
|
middleware.DeleteCookie(ctx.Resp, "redirect_to", hs.cookieOptionsFromCfg)
|
2017-02-09 14:01:53 -05:00
|
|
|
ctx.Redirect(redirectTo)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2015-01-05 08:21:52 +01:00
|
|
|
ctx.Redirect(setting.AppSubUrl + "/")
|
2014-12-29 13:36:08 +01:00
|
|
|
}
|
2017-02-01 16:32:51 +03:00
|
|
|
|
2019-01-22 15:20:44 +01:00
|
|
|
func hashStatecode(code, seed string) string {
|
|
|
|
|
hashBytes := sha256.Sum256([]byte(code + setting.SecretKey + seed))
|
|
|
|
|
return hex.EncodeToString(hashBytes[:])
|
|
|
|
|
}
|
|
|
|
|
|
2020-03-04 12:57:20 +01:00
|
|
|
func (hs *HTTPServer) redirectWithError(ctx *models.ReqContext, err error, v ...interface{}) {
|
2018-01-23 13:03:44 +01:00
|
|
|
ctx.Logger.Error(err.Error(), v...)
|
2019-10-08 18:57:53 +02:00
|
|
|
if err := hs.trySetEncryptedCookie(ctx, LoginErrorCookieName, err.Error(), 60); err != nil {
|
|
|
|
|
oauthLogger.Error("Failed to set encrypted cookie", "err", err)
|
|
|
|
|
}
|
2019-01-23 17:01:09 +01:00
|
|
|
|
2017-02-01 16:32:51 +03:00
|
|
|
ctx.Redirect(setting.AppSubUrl + "/login")
|
|
|
|
|
}
|
