grafana/pkg/middleware/auth.go

package middleware

import (
	"errors"
	"strconv"
	"strings"

	"github.com/Unknwon/macaron"

	"github.com/torkelo/grafana-pro/pkg/bus"
	m "github.com/torkelo/grafana-pro/pkg/models"
	"github.com/torkelo/grafana-pro/pkg/setting"
)

type AuthOptions struct {
	ReqGrafanaAdmin bool
	ReqSignedIn     bool
}

func getRequestAccountId(c *Context) (int64, error) {
	accountId := c.Session.Get("accountId")

	if accountId != nil {
		return accountId.(int64), nil
	}

	// localhost render query
	urlQuery := c.Req.URL.Query()
	if len(urlQuery["render"]) > 0 {
		accId, _ := strconv.ParseInt(urlQuery["accountId"][0], 10, 64)
		c.Session.Set("accountId", accId)
		accountId = accId
	}

	// check api token
	header := c.Req.Header.Get("Authorization")
	parts := strings.SplitN(header, " ", 2)
	if len(parts) == 2 || parts[0] == "Bearer" {
		token := parts[1]
		userQuery := m.GetAccountByTokenQuery{Token: token}
		if err := bus.Dispatch(&userQuery); err != nil {
			return -1, err
		}
		return userQuery.Result.Id, nil
	}

	// anonymous gues user
	if setting.Anonymous {
		return setting.AnonymousAccountId, nil
	}

	return -1, errors.New("Auth: session account id not found")
}

func authDenied(c *Context) {
	if c.IsApiRequest() {
		c.JsonApiErr(401, "Access denied", nil)
	}

	c.Redirect(setting.AppSubUrl + "/login")
}

func RoleAuth(roles ...m.RoleType) macaron.Handler {
	return func(c *Context) {
		ok := false
		for _, role := range roles {
			if role == c.UserRole {
				ok = true
				break
			}
		}
		if !ok {
			authDenied(c)
		}
	}
}

func Auth(options *AuthOptions) macaron.Handler {
	return func(c *Context) {

		if !c.IsSignedIn && options.ReqSignedIn {
			authDenied(c)
			return
		}

		if !c.IsGrafanaAdmin && options.ReqGrafanaAdmin {
			authDenied(c)
			return
		}
	}
}
macaron transition progress 2014-10-05 14:13:01 -05:00			`package middleware`

			`import (`
			`"errors"`
add Token authentication support Added CRUD methods for Tokens. Extend Auth Handler to check for the presence of a Bearer Authorization header to authenticate against. If there is no header, or the token is not valid, the Auth Handler falls back to looking for a Session. 2015-01-14 02:33:34 -06:00			`"strconv"`
			`"strings"`
Progress on account and dashboard save/load 2014-11-20 08:19:44 -06:00
Refactoring of api routes 2015-01-14 07:25:12 -06:00			`"github.com/Unknwon/macaron"`

Refactoring get account by id and by login to queries 2014-12-19 06:40:02 -06:00			`"github.com/torkelo/grafana-pro/pkg/bus"`
			`m "github.com/torkelo/grafana-pro/pkg/models"`
Work on making grafana work in sub url 2015-01-04 14:03:40 -06:00			`"github.com/torkelo/grafana-pro/pkg/setting"`
macaron transition progress 2014-10-05 14:13:01 -05:00			`)`

Refactoring of auth middleware, and starting work on account admin 2015-01-15 05:16:54 -06:00			`type AuthOptions struct {`
Big refactoring for context.User, and how current user info is fetching, now included collaborator role 2015-01-16 07:32:18 -06:00			`ReqGrafanaAdmin bool`
			`ReqSignedIn bool`
Refactoring of auth middleware, and starting work on account admin 2015-01-15 05:16:54 -06:00			`}`

			`func getRequestAccountId(c *Context) (int64, error) {`
Refactoring of api routes 2015-01-14 07:25:12 -06:00			`accountId := c.Session.Get("accountId")`
macaron transition progress 2014-10-05 14:13:01 -05:00
Refactoring of auth middleware, and starting work on account admin 2015-01-15 05:16:54 -06:00			`if accountId != nil {`
			`return accountId.(int64), nil`
			`}`
Worked a little on anonymous access, needs more work 2015-01-07 09:37:24 -06:00
Refactoring of auth middleware, and starting work on account admin 2015-01-15 05:16:54 -06:00			`// localhost render query`
			`urlQuery := c.Req.URL.Query()`
macaron transition progress 2014-10-05 14:13:01 -05:00			`if len(urlQuery["render"]) > 0 {`
Fixed png rending 2014-12-01 15:25:57 -06:00			`accId, _ := strconv.ParseInt(urlQuery["accountId"][0], 10, 64)`
Refactoring of api routes 2015-01-14 07:25:12 -06:00			`c.Session.Set("accountId", accId)`
macaron transition progress 2014-10-05 14:13:01 -05:00			`accountId = accId`
			`}`

Refactoring of auth middleware, and starting work on account admin 2015-01-15 05:16:54 -06:00			`// check api token`
			`header := c.Req.Header.Get("Authorization")`
			`parts := strings.SplitN(header, " ", 2)`
			`if len(parts) == 2 \|\| parts[0] == "Bearer" {`
			`token := parts[1]`
			`userQuery := m.GetAccountByTokenQuery{Token: token}`
			`if err := bus.Dispatch(&userQuery); err != nil {`
			`return -1, err`
Worked a little on anonymous access, needs more work 2015-01-07 09:37:24 -06:00			`}`
Refactoring of auth middleware, and starting work on account admin 2015-01-15 05:16:54 -06:00			`return userQuery.Result.Id, nil`
			`}`
Worked a little on anonymous access, needs more work 2015-01-07 09:37:24 -06:00
Refactoring of auth middleware, and starting work on account admin 2015-01-15 05:16:54 -06:00			`// anonymous gues user`
			`if setting.Anonymous {`
			`return setting.AnonymousAccountId, nil`
macaron transition progress 2014-10-05 14:13:01 -05:00			`}`

Refactoring of auth middleware, and starting work on account admin 2015-01-15 05:16:54 -06:00			`return -1, errors.New("Auth: session account id not found")`
macaron transition progress 2014-10-05 14:13:01 -05:00			`}`

			`func authDenied(c *Context) {`
Refactoring of api routes 2015-01-14 07:25:12 -06:00			`if c.IsApiRequest() {`
			`c.JsonApiErr(401, "Access denied", nil)`
			`}`

Work on making grafana work in sub url 2015-01-04 14:03:40 -06:00			`c.Redirect(setting.AppSubUrl + "/login")`
macaron transition progress 2014-10-05 14:13:01 -05:00			`}`

Role checking when saving dashboard, making sure that the user has owner or editor role 2015-01-16 08:28:44 -06:00			`func RoleAuth(roles ...m.RoleType) macaron.Handler {`
			`return func(c *Context) {`
			`ok := false`
			`for _, role := range roles {`
			`if role == c.UserRole {`
			`ok = true`
			`break`
			`}`
			`}`
			`if !ok {`
			`authDenied(c)`
			`}`
			`}`
			`}`

Refactoring of auth middleware, and starting work on account admin 2015-01-15 05:16:54 -06:00			`func Auth(options *AuthOptions) macaron.Handler {`
			`return func(c *Context) {`
add Token authentication support Added CRUD methods for Tokens. Extend Auth Handler to check for the presence of a Bearer Authorization header to authenticate against. If there is no header, or the token is not valid, the Auth Handler falls back to looking for a Session. 2015-01-14 02:33:34 -06:00
Refactoring of auth middleware, and starting work on account admin 2015-01-15 05:16:54 -06:00			`if !c.IsSignedIn && options.ReqSignedIn {`
			`authDenied(c)`
			`return`
			`}`
add Token authentication support Added CRUD methods for Tokens. Extend Auth Handler to check for the presence of a Bearer Authorization header to authenticate against. If there is no header, or the token is not valid, the Auth Handler falls back to looking for a Session. 2015-01-14 02:33:34 -06:00
Big refactoring for context.User, and how current user info is fetching, now included collaborator role 2015-01-16 07:32:18 -06:00			`if !c.IsGrafanaAdmin && options.ReqGrafanaAdmin {`
Refactoring of auth middleware, and starting work on account admin 2015-01-15 05:16:54 -06:00			`authDenied(c)`
			`return`
add Token authentication support Added CRUD methods for Tokens. Extend Auth Handler to check for the presence of a Bearer Authorization header to authenticate against. If there is no header, or the token is not valid, the Auth Handler falls back to looking for a Session. 2015-01-14 02:33:34 -06:00			`}`
macaron transition progress 2014-10-05 14:13:01 -05:00			`}`
			`}`