grafana/pkg/middleware/auth_proxy.go

package middleware

import (
	"errors"

	"github.com/grafana/grafana/pkg/infra/log"
	"github.com/grafana/grafana/pkg/infra/remotecache"
	authproxy "github.com/grafana/grafana/pkg/middleware/auth_proxy"
	"github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/setting"
)

var header = setting.AuthProxyHeaderName

func logUserIn(auth *authproxy.AuthProxy, username string, logger log.Logger, ignoreCache bool) (int64, *authproxy.Error) {
	logger.Debug("Trying to log user in", "username", username, "ignoreCache", ignoreCache)
	// Try to log in user via various providers
	id, e := auth.Login(logger, ignoreCache)
	if e != nil {
		logger.Error("Failed to login", "username", username, "message", e.Error(), "error", e.DetailsError,
			"ignoreCache", ignoreCache)
		return 0, e
	}
	return id, nil
}

func initContextWithAuthProxy(store *remotecache.RemoteCache, ctx *models.ReqContext, orgID int64) bool {
	username := ctx.Req.Header.Get(header)
	auth := authproxy.New(&authproxy.Options{
		Store: store,
		Ctx:   ctx,
		OrgID: orgID,
	})

	logger := log.New("auth.proxy")

	// Bail if auth proxy is not enabled
	if !auth.IsEnabled() {
		return false
	}

	// If there is no header - we can't move forward
	if !auth.HasHeader() {
		return false
	}

	// Check if allowed to continue with this IP
	if result, err := auth.IsAllowedIP(); !result {
		logger.Error(
			"Failed to check whitelisted IP addresses",
			"message", err.Error(),
			"error", err.DetailsError,
		)
		ctx.Handle(407, err.Error(), err.DetailsError)
		return true
	}

	id, e := logUserIn(auth, username, logger, false)
	if e != nil {
		ctx.Handle(407, e.Error(), e.DetailsError)
		return true
	}

	logger.Debug("Got user ID, getting full user info", "userID", id)

	user, e := auth.GetSignedUser(id)
	if e != nil {
		// The reason we couldn't find the user corresponding to the ID might be that the ID was found from a stale
		// cache entry. For example, if a user is deleted via the API, corresponding cache entries aren't invalidated
		// because cache keys are computed from request header values and not just the user ID. Meaning that
		// we can't easily derive cache keys to invalidate when deleting a user. To work around this, we try to
		// log the user in again without the cache.
		logger.Debug("Failed to get user info given ID, retrying without cache", "userID", id)
		if err := auth.RemoveUserFromCache(logger); err != nil {
			if !errors.Is(err, remotecache.ErrCacheItemNotFound) {
				logger.Error("Got unexpected error when removing user from auth cache", "error", err)
			}
		}
		id, e = logUserIn(auth, username, logger, true)
		if e != nil {
			ctx.Handle(407, e.Error(), e.DetailsError)
			return true
		}

		user, e = auth.GetSignedUser(id)
		if e != nil {
			ctx.Handle(407, e.Error(), e.DetailsError)
			return true
		}
	}

	logger.Debug("Successfully got user info", "userID", user.UserId, "username", user.Login)

	// Add user info to context
	ctx.SignedInUser = user
	ctx.IsSignedIn = true

	// Remember user data in cache
	if e := auth.Remember(id); e != nil {
		logger.Error(
			"Failed to store user in cache",
			"username", username,
			"message", e.Error(),
			"error", e.DetailsError,
		)
		ctx.Handle(500, e.Error(), e.DetailsError)
		return true
	}

	return true
}
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`package middleware`

			`import (`
Auth proxy: Ignore stale cache entries (#23979) * Auth proxy: Retry without cache if failing to get user 2020-06-17 11:43:16 -05:00			`"errors"`

Auth: change the error HTTP status codes (#18584) * Auth: change the error HTTP status codes * Use 407 HTTP status code for incorrect credentials error * Improve proxy auth logs * Remove no longer needed TODO comment Fixes #18439 2019-08-20 12:13:27 -05:00			`"github.com/grafana/grafana/pkg/infra/log"`
Chore: use remote cache instead of session storage (#16114) Replaces session storage in auth_proxy middleware with remote cache Fixes #15161 2019-04-08 06:31:46 -05:00			`"github.com/grafana/grafana/pkg/infra/remotecache"`
Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`authproxy "github.com/grafana/grafana/pkg/middleware/auth_proxy"`
chore: avoid aliasing models in middleware (#22484) 2020-02-28 05:50:58 -06:00			`"github.com/grafana/grafana/pkg/models"`
Auth: change the error HTTP status codes (#18584) * Auth: change the error HTTP status codes * Use 407 HTTP status code for incorrect credentials error * Improve proxy auth logs * Remove no longer needed TODO comment Fixes #18439 2019-08-20 12:13:27 -05:00			`"github.com/grafana/grafana/pkg/setting"`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`)`

Auth: change the error HTTP status codes (#18584) * Auth: change the error HTTP status codes * Use 407 HTTP status code for incorrect credentials error * Improve proxy auth logs * Remove no longer needed TODO comment Fixes #18439 2019-08-20 12:13:27 -05:00			`var header = setting.AuthProxyHeaderName`

Auth proxy: Ignore stale cache entries (#23979) * Auth proxy: Retry without cache if failing to get user 2020-06-17 11:43:16 -05:00			`func logUserIn(auth authproxy.AuthProxy, username string, logger log.Logger, ignoreCache bool) (int64, authproxy.Error) {`
			`logger.Debug("Trying to log user in", "username", username, "ignoreCache", ignoreCache)`
			`// Try to log in user via various providers`
Chore: Fix linting issues caught by ruleguard (#28799) * Chore: Fix linting issues caught by ruleguard Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Improve error check Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-11-17 04:27:45 -06:00			`id, e := auth.Login(logger, ignoreCache)`
			`if e != nil {`
			`logger.Error("Failed to login", "username", username, "message", e.Error(), "error", e.DetailsError,`
Auth proxy: Ignore stale cache entries (#23979) * Auth proxy: Retry without cache if failing to get user 2020-06-17 11:43:16 -05:00			`"ignoreCache", ignoreCache)`
Chore: Fix linting issues caught by ruleguard (#28799) * Chore: Fix linting issues caught by ruleguard Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Improve error check Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-11-17 04:27:45 -06:00			`return 0, e`
Auth proxy: Ignore stale cache entries (#23979) * Auth proxy: Retry without cache if failing to get user 2020-06-17 11:43:16 -05:00			`}`
			`return id, nil`
			`}`

chore: avoid aliasing models in middleware (#22484) 2020-02-28 05:50:58 -06:00			`func initContextWithAuthProxy(store remotecache.RemoteCache, ctx models.ReqContext, orgID int64) bool {`
Auth: change the error HTTP status codes (#18584) * Auth: change the error HTTP status codes * Use 407 HTTP status code for incorrect credentials error * Improve proxy auth logs * Remove no longer needed TODO comment Fixes #18439 2019-08-20 12:13:27 -05:00			`username := ctx.Req.Header.Get(header)`
Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`auth := authproxy.New(&authproxy.Options{`
			`Store: store,`
			`Ctx: ctx,`
			`OrgID: orgID,`
			`})`

Auth: change the error HTTP status codes (#18584) * Auth: change the error HTTP status codes * Use 407 HTTP status code for incorrect credentials error * Improve proxy auth logs * Remove no longer needed TODO comment Fixes #18439 2019-08-20 12:13:27 -05:00			`logger := log.New("auth.proxy")`

Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`// Bail if auth proxy is not enabled`
Chore: remove use of `== false` (#17036) Interestingly enough, golint or revive doesn't not prohibit the use that construction :) Ref #17035 2019-05-14 02:18:28 -05:00			`if !auth.IsEnabled() {`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`return false`
			`}`

Auth proxy: Ignore stale cache entries (#23979) * Auth proxy: Retry without cache if failing to get user 2020-06-17 11:43:16 -05:00			`// If there is no header - we can't move forward`
Chore: remove use of `== false` (#17036) Interestingly enough, golint or revive doesn't not prohibit the use that construction :) Ref #17035 2019-05-14 02:18:28 -05:00			`if !auth.HasHeader() {`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`return false`
			`}`

Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`// Check if allowed to continue with this IP`
Chore: remove use of `== false` (#17036) Interestingly enough, golint or revive doesn't not prohibit the use that construction :) Ref #17035 2019-05-14 02:18:28 -05:00			`if result, err := auth.IsAllowedIP(); !result {`
Auth: change the error HTTP status codes (#18584) * Auth: change the error HTTP status codes * Use 407 HTTP status code for incorrect credentials error * Improve proxy auth logs * Remove no longer needed TODO comment Fixes #18439 2019-08-20 12:13:27 -05:00			`logger.Error(`
			`"Failed to check whitelisted IP addresses",`
			`"message", err.Error(),`
			`"error", err.DetailsError,`
			`)`
Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`ctx.Handle(407, err.Error(), err.DetailsError)`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00			`return true`
			`}`

Chore: Fix linting issues caught by ruleguard (#28799) * Chore: Fix linting issues caught by ruleguard Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Improve error check Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-11-17 04:27:45 -06:00			`id, e := logUserIn(auth, username, logger, false)`
			`if e != nil {`
			`ctx.Handle(407, e.Error(), e.DetailsError)`
Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`return true`
refactor authproxy & ldap integration, address comments 2018-04-16 15:17:01 -05:00			`}`
update auth proxy 2018-03-22 16:02:34 -05:00
Auth proxy: Ignore stale cache entries (#23979) * Auth proxy: Retry without cache if failing to get user 2020-06-17 11:43:16 -05:00			`logger.Debug("Got user ID, getting full user info", "userID", id)`

Chore: Fix linting issues caught by ruleguard (#28799) * Chore: Fix linting issues caught by ruleguard Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Improve error check Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-11-17 04:27:45 -06:00			`user, e := auth.GetSignedUser(id)`
			`if e != nil {`
Auth proxy: Ignore stale cache entries (#23979) * Auth proxy: Retry without cache if failing to get user 2020-06-17 11:43:16 -05:00			`// The reason we couldn't find the user corresponding to the ID might be that the ID was found from a stale`
			`// cache entry. For example, if a user is deleted via the API, corresponding cache entries aren't invalidated`
			`// because cache keys are computed from request header values and not just the user ID. Meaning that`
			`// we can't easily derive cache keys to invalidate when deleting a user. To work around this, we try to`
			`// log the user in again without the cache.`
			`logger.Debug("Failed to get user info given ID, retrying without cache", "userID", id)`
			`if err := auth.RemoveUserFromCache(logger); err != nil {`
			`if !errors.Is(err, remotecache.ErrCacheItemNotFound) {`
			`logger.Error("Got unexpected error when removing user from auth cache", "error", err)`
			`}`
			`}`
Chore: Fix linting issues caught by ruleguard (#28799) * Chore: Fix linting issues caught by ruleguard Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Improve error check Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-11-17 04:27:45 -06:00			`id, e = logUserIn(auth, username, logger, true)`
			`if e != nil {`
			`ctx.Handle(407, e.Error(), e.DetailsError)`
Auth proxy: Ignore stale cache entries (#23979) * Auth proxy: Retry without cache if failing to get user 2020-06-17 11:43:16 -05:00			`return true`
			`}`

Chore: Fix linting issues caught by ruleguard (#28799) * Chore: Fix linting issues caught by ruleguard Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Improve error check Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-11-17 04:27:45 -06:00			`user, e = auth.GetSignedUser(id)`
			`if e != nil {`
			`ctx.Handle(407, e.Error(), e.DetailsError)`
Auth proxy: Ignore stale cache entries (#23979) * Auth proxy: Retry without cache if failing to get user 2020-06-17 11:43:16 -05:00			`return true`
			`}`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00			`}`

Auth proxy: Ignore stale cache entries (#23979) * Auth proxy: Retry without cache if failing to get user 2020-06-17 11:43:16 -05:00			`logger.Debug("Successfully got user info", "userID", user.UserId, "username", user.Login)`

Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`// Add user info to context`
			`ctx.SignedInUser = user`
			`ctx.IsSignedIn = true`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00
Auth proxy: Ignore stale cache entries (#23979) * Auth proxy: Retry without cache if failing to get user 2020-06-17 11:43:16 -05:00			`// Remember user data in cache`
Chore: Fix linting issues caught by ruleguard (#28799) * Chore: Fix linting issues caught by ruleguard Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Improve error check Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-11-17 04:27:45 -06:00			`if e := auth.Remember(id); e != nil {`
Auth: change the error HTTP status codes (#18584) * Auth: change the error HTTP status codes * Use 407 HTTP status code for incorrect credentials error * Improve proxy auth logs * Remove no longer needed TODO comment Fixes #18439 2019-08-20 12:13:27 -05:00			`logger.Error(`
			`"Failed to store user in cache",`
			`"username", username,`
Chore: Fix linting issues caught by ruleguard (#28799) * Chore: Fix linting issues caught by ruleguard Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Improve error check Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-11-17 04:27:45 -06:00			`"message", e.Error(),`
			`"error", e.DetailsError,`
Auth: change the error HTTP status codes (#18584) * Auth: change the error HTTP status codes * Use 407 HTTP status code for incorrect credentials error * Improve proxy auth logs * Remove no longer needed TODO comment Fixes #18439 2019-08-20 12:13:27 -05:00			`)`
Chore: Fix linting issues caught by ruleguard (#28799) * Chore: Fix linting issues caught by ruleguard Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> * Improve error check Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-11-17 04:27:45 -06:00			`ctx.Handle(500, e.Error(), e.DetailsError)`
Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`return true`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00			`}`

Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`return true`
			`}`