2014-10-05 21:13:01 +02:00
|
|
|
package middleware
|
|
|
|
|
|
|
|
|
|
import (
|
2015-01-27 12:05:23 +01:00
|
|
|
"net/url"
|
2015-01-14 16:33:34 +08:00
|
|
|
"strings"
|
2014-11-20 15:19:44 +01:00
|
|
|
|
2016-01-13 15:11:23 +01:00
|
|
|
"gopkg.in/macaron.v1"
|
2015-01-14 14:25:12 +01:00
|
|
|
|
2015-02-05 10:37:13 +01:00
|
|
|
m "github.com/grafana/grafana/pkg/models"
|
2018-03-06 17:59:45 -05:00
|
|
|
"github.com/grafana/grafana/pkg/services/session"
|
2015-02-05 10:37:13 +01:00
|
|
|
"github.com/grafana/grafana/pkg/setting"
|
2014-10-05 21:13:01 +02:00
|
|
|
)
|
|
|
|
|
|
2015-01-15 12:16:54 +01:00
|
|
|
type AuthOptions struct {
|
2015-01-16 14:32:18 +01:00
|
|
|
ReqGrafanaAdmin bool
|
|
|
|
|
ReqSignedIn bool
|
2015-01-15 12:16:54 +01:00
|
|
|
}
|
|
|
|
|
|
2018-03-07 11:54:50 -05:00
|
|
|
func getRequestUserId(c *m.ReqContext) int64 {
|
2018-03-22 12:37:35 +01:00
|
|
|
userID := c.Session.Get(session.SESS_KEY_USERID)
|
2014-10-05 21:13:01 +02:00
|
|
|
|
2018-03-22 12:37:35 +01:00
|
|
|
if userID != nil {
|
|
|
|
|
return userID.(int64)
|
2015-01-15 12:16:54 +01:00
|
|
|
}
|
2015-01-07 16:37:24 +01:00
|
|
|
|
2015-01-16 16:15:35 +01:00
|
|
|
return 0
|
|
|
|
|
}
|
|
|
|
|
|
2018-03-07 11:54:50 -05:00
|
|
|
func getApiKey(c *m.ReqContext) string {
|
2015-01-15 12:16:54 +01:00
|
|
|
header := c.Req.Header.Get("Authorization")
|
|
|
|
|
parts := strings.SplitN(header, " ", 2)
|
2015-04-01 15:23:26 +02:00
|
|
|
if len(parts) == 2 && parts[0] == "Bearer" {
|
2015-01-27 08:26:11 +01:00
|
|
|
key := parts[1]
|
|
|
|
|
return key
|
2014-10-05 21:13:01 +02:00
|
|
|
}
|
|
|
|
|
|
2015-01-16 16:15:35 +01:00
|
|
|
return ""
|
2014-10-05 21:13:01 +02:00
|
|
|
}
|
|
|
|
|
|
2018-03-07 11:54:50 -05:00
|
|
|
func accessForbidden(c *m.ReqContext) {
|
2015-01-14 14:25:12 +01:00
|
|
|
if c.IsApiRequest() {
|
2015-09-08 10:46:31 +02:00
|
|
|
c.JsonApiErr(403, "Permission denied", nil)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-02-05 20:17:47 +03:00
|
|
|
c.Redirect(setting.AppSubUrl + "/")
|
2015-09-08 10:46:31 +02:00
|
|
|
}
|
|
|
|
|
|
2018-03-07 11:54:50 -05:00
|
|
|
func notAuthorized(c *m.ReqContext) {
|
2015-09-08 10:46:31 +02:00
|
|
|
if c.IsApiRequest() {
|
|
|
|
|
c.JsonApiErr(401, "Unauthorized", nil)
|
2015-01-27 12:05:23 +01:00
|
|
|
return
|
2015-01-14 14:25:12 +01:00
|
|
|
}
|
|
|
|
|
|
2018-02-15 10:56:29 +01:00
|
|
|
c.SetCookie("redirect_to", url.QueryEscape(setting.AppSubUrl+c.Req.RequestURI), 0, setting.AppSubUrl+"/", nil, false, true)
|
|
|
|
|
|
2015-01-04 21:03:40 +01:00
|
|
|
c.Redirect(setting.AppSubUrl + "/login")
|
2014-10-05 21:13:01 +02:00
|
|
|
}
|
|
|
|
|
|
2015-01-16 15:28:44 +01:00
|
|
|
func RoleAuth(roles ...m.RoleType) macaron.Handler {
|
2018-03-07 11:54:50 -05:00
|
|
|
return func(c *m.ReqContext) {
|
2015-01-16 15:28:44 +01:00
|
|
|
ok := false
|
|
|
|
|
for _, role := range roles {
|
2015-02-23 20:07:49 +01:00
|
|
|
if role == c.OrgRole {
|
2015-01-16 15:28:44 +01:00
|
|
|
ok = true
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if !ok {
|
2015-09-08 10:46:31 +02:00
|
|
|
accessForbidden(c)
|
2015-01-16 15:28:44 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2015-01-15 12:16:54 +01:00
|
|
|
func Auth(options *AuthOptions) macaron.Handler {
|
2018-03-07 11:54:50 -05:00
|
|
|
return func(c *m.ReqContext) {
|
2015-09-08 10:46:31 +02:00
|
|
|
if !c.IsSignedIn && options.ReqSignedIn && !c.AllowAnonymous {
|
|
|
|
|
notAuthorized(c)
|
2015-01-15 12:16:54 +01:00
|
|
|
return
|
|
|
|
|
}
|
2015-01-14 16:33:34 +08:00
|
|
|
|
2015-09-08 10:46:31 +02:00
|
|
|
if !c.IsGrafanaAdmin && options.ReqGrafanaAdmin {
|
|
|
|
|
accessForbidden(c)
|
2015-01-15 12:16:54 +01:00
|
|
|
return
|
2015-01-14 16:33:34 +08:00
|
|
|
}
|
2014-10-05 21:13:01 +02:00
|
|
|
}
|
|
|
|
|
}
|
