2014-12-29 13:36:08 +01:00
|
|
|
package api
|
|
|
|
|
|
|
|
|
|
import (
|
2021-01-19 17:55:53 +01:00
|
|
|
"context"
|
2019-01-23 17:01:09 +01:00
|
|
|
"encoding/hex"
|
2020-03-23 13:37:53 +01:00
|
|
|
"errors"
|
2022-06-03 03:24:24 -04:00
|
|
|
"fmt"
|
2020-09-04 14:54:59 +02:00
|
|
|
"net/http"
|
2015-01-27 12:05:23 +01:00
|
|
|
"net/url"
|
2019-12-12 17:08:34 +02:00
|
|
|
"strings"
|
2015-01-27 12:05:23 +01:00
|
|
|
|
2015-02-05 10:37:13 +01:00
|
|
|
"github.com/grafana/grafana/pkg/api/dtos"
|
2021-01-15 14:43:20 +01:00
|
|
|
"github.com/grafana/grafana/pkg/api/response"
|
2019-02-23 23:35:26 +01:00
|
|
|
"github.com/grafana/grafana/pkg/infra/metrics"
|
2020-11-25 03:55:22 -03:00
|
|
|
"github.com/grafana/grafana/pkg/infra/network"
|
2015-07-15 10:08:23 +02:00
|
|
|
"github.com/grafana/grafana/pkg/login"
|
2020-12-11 11:44:44 +01:00
|
|
|
"github.com/grafana/grafana/pkg/middleware/cookies"
|
2019-07-05 15:24:52 +02:00
|
|
|
"github.com/grafana/grafana/pkg/models"
|
2022-11-18 09:56:06 +01:00
|
|
|
"github.com/grafana/grafana/pkg/services/auth"
|
2023-01-17 09:11:45 +01:00
|
|
|
"github.com/grafana/grafana/pkg/services/authn"
|
2023-01-27 08:50:36 +01:00
|
|
|
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
|
2023-01-17 09:11:45 +01:00
|
|
|
"github.com/grafana/grafana/pkg/services/featuremgmt"
|
2022-08-10 08:21:33 +00:00
|
|
|
loginService "github.com/grafana/grafana/pkg/services/login"
|
2021-11-04 18:47:21 +02:00
|
|
|
"github.com/grafana/grafana/pkg/services/secrets"
|
2022-06-28 14:32:25 +02:00
|
|
|
"github.com/grafana/grafana/pkg/services/user"
|
2015-02-05 10:37:13 +01:00
|
|
|
"github.com/grafana/grafana/pkg/setting"
|
2021-10-11 14:30:59 +02:00
|
|
|
"github.com/grafana/grafana/pkg/web"
|
2014-12-29 13:36:08 +01:00
|
|
|
)
|
|
|
|
|
|
2015-01-27 12:05:23 +01:00
|
|
|
const (
|
2021-01-12 07:42:32 +01:00
|
|
|
viewIndex = "index"
|
|
|
|
|
loginErrorCookieName = "login_error"
|
2015-01-27 12:05:23 +01:00
|
|
|
)
|
|
|
|
|
|
2019-07-09 09:37:24 +03:00
|
|
|
var setIndexViewData = (*HTTPServer).setIndexViewData
|
|
|
|
|
|
|
|
|
|
var getViewIndex = func() string {
|
2021-01-12 07:42:32 +01:00
|
|
|
return viewIndex
|
2019-07-09 09:37:24 +03:00
|
|
|
}
|
|
|
|
|
|
2020-04-17 10:48:37 +03:00
|
|
|
func (hs *HTTPServer) ValidateRedirectTo(redirectTo string) error {
|
2019-12-12 17:08:34 +02:00
|
|
|
to, err := url.Parse(redirectTo)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return login.ErrInvalidRedirectTo
|
|
|
|
|
}
|
|
|
|
|
if to.IsAbs() {
|
|
|
|
|
return login.ErrAbsoluteRedirectTo
|
|
|
|
|
}
|
2020-06-16 16:33:44 +03:00
|
|
|
|
|
|
|
|
if to.Host != "" {
|
|
|
|
|
return login.ErrForbiddenRedirectTo
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// path should have exactly one leading slash
|
|
|
|
|
if !strings.HasPrefix(to.Path, "/") {
|
|
|
|
|
return login.ErrForbiddenRedirectTo
|
|
|
|
|
}
|
|
|
|
|
if strings.HasPrefix(to.Path, "//") {
|
|
|
|
|
return login.ErrForbiddenRedirectTo
|
|
|
|
|
}
|
|
|
|
|
|
2020-03-11 11:04:48 +02:00
|
|
|
// when using a subUrl, the redirect_to should start with the subUrl (which contains the leading slash), otherwise the redirect
|
2020-02-14 08:51:35 -05:00
|
|
|
// will send the user to the wrong location
|
2020-11-13 09:52:38 +01:00
|
|
|
if hs.Cfg.AppSubURL != "" && !strings.HasPrefix(to.Path, hs.Cfg.AppSubURL+"/") {
|
2019-12-12 17:08:34 +02:00
|
|
|
return login.ErrInvalidRedirectTo
|
|
|
|
|
}
|
2020-06-16 16:33:44 +03:00
|
|
|
|
2019-12-12 17:08:34 +02:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-11 11:44:44 +01:00
|
|
|
func (hs *HTTPServer) CookieOptionsFromCfg() cookies.CookieOptions {
|
2020-04-06 16:56:19 +02:00
|
|
|
path := "/"
|
2020-11-13 09:52:38 +01:00
|
|
|
if len(hs.Cfg.AppSubURL) > 0 {
|
|
|
|
|
path = hs.Cfg.AppSubURL
|
2020-04-06 16:56:19 +02:00
|
|
|
}
|
2020-12-11 11:44:44 +01:00
|
|
|
return cookies.CookieOptions{
|
2020-04-06 16:56:19 +02:00
|
|
|
Path: path,
|
2020-01-14 17:41:54 +01:00
|
|
|
Secure: hs.Cfg.CookieSecure,
|
|
|
|
|
SameSiteDisabled: hs.Cfg.CookieSameSiteDisabled,
|
|
|
|
|
SameSiteMode: hs.Cfg.CookieSameSiteMode,
|
2020-01-10 14:55:30 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-27 08:50:36 +01:00
|
|
|
func (hs *HTTPServer) LoginView(c *contextmodel.ReqContext) {
|
2019-07-09 09:37:24 +03:00
|
|
|
viewData, err := setIndexViewData(hs, c)
|
2015-11-20 09:43:10 +01:00
|
|
|
if err != nil {
|
2020-12-15 19:09:04 +01:00
|
|
|
c.Handle(hs.Cfg, 500, "Failed to get settings", err)
|
2015-01-27 10:09:54 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-20 14:51:06 +03:00
|
|
|
urlParams := c.Req.URL.Query()
|
|
|
|
|
if _, disableAutoLogin := urlParams["disableAutoLogin"]; disableAutoLogin {
|
|
|
|
|
hs.log.Debug("Auto login manually disabled")
|
2022-04-15 14:01:58 +02:00
|
|
|
c.HTML(http.StatusOK, getViewIndex(), viewData)
|
2020-10-20 14:51:06 +03:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-30 20:39:55 +03:00
|
|
|
if loginError, ok := hs.tryGetEncryptedCookie(c, loginErrorCookieName); ok {
|
2020-09-22 16:22:19 +02:00
|
|
|
// this cookie is only set whenever an OAuth login fails
|
|
|
|
|
// therefore the loginError should be passed to the view data
|
|
|
|
|
// and the view should return immediately before attempting
|
|
|
|
|
// to login again via OAuth and enter to a redirect loop
|
2021-01-12 07:42:32 +01:00
|
|
|
cookies.DeleteCookie(c.Resp, loginErrorCookieName, hs.CookieOptionsFromCfg)
|
2017-02-01 16:32:51 +03:00
|
|
|
viewData.Settings["loginError"] = loginError
|
2022-04-15 14:01:58 +02:00
|
|
|
c.HTML(http.StatusOK, getViewIndex(), viewData)
|
2019-07-09 09:37:24 +03:00
|
|
|
return
|
2017-02-01 16:32:51 +03:00
|
|
|
}
|
|
|
|
|
|
2023-01-19 15:53:02 +01:00
|
|
|
if hs.tryAutoLogin(c) {
|
2018-05-28 16:16:48 +02:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-07 17:48:56 +01:00
|
|
|
if c.IsSignedIn {
|
|
|
|
|
// Assign login token to auth proxy users if enable_login_token = true
|
2020-12-11 11:44:44 +01:00
|
|
|
if hs.Cfg.AuthProxyEnabled && hs.Cfg.AuthProxyEnableLoginToken {
|
2022-08-11 13:28:55 +02:00
|
|
|
user := &user.User{ID: c.SignedInUser.UserID, Email: c.SignedInUser.Email, Login: c.SignedInUser.Login}
|
2020-03-23 13:37:53 +01:00
|
|
|
err := hs.loginUserWithUser(user, c)
|
|
|
|
|
if err != nil {
|
2022-07-07 14:28:04 +00:00
|
|
|
c.Handle(hs.Cfg, http.StatusInternalServerError, "Failed to sign in user", err)
|
2020-03-23 13:37:53 +01:00
|
|
|
return
|
|
|
|
|
}
|
2019-11-07 17:48:56 +01:00
|
|
|
}
|
|
|
|
|
|
2020-11-24 07:27:08 +01:00
|
|
|
if redirectTo := c.GetCookie("redirect_to"); len(redirectTo) > 0 {
|
2020-04-17 10:48:37 +03:00
|
|
|
if err := hs.ValidateRedirectTo(redirectTo); err != nil {
|
2020-03-11 11:04:48 +02:00
|
|
|
// the user is already logged so instead of rendering the login page with error
|
|
|
|
|
// it should be redirected to the home page.
|
2021-11-08 17:56:56 +01:00
|
|
|
c.Logger.Debug("Ignored invalid redirect_to cookie value", "redirect_to", redirectTo)
|
2020-11-13 09:52:38 +01:00
|
|
|
redirectTo = hs.Cfg.AppSubURL + "/"
|
2019-12-12 17:08:34 +02:00
|
|
|
}
|
2020-12-11 11:44:44 +01:00
|
|
|
cookies.DeleteCookie(c.Resp, "redirect_to", hs.CookieOptionsFromCfg)
|
2019-11-07 17:48:56 +01:00
|
|
|
c.Redirect(redirectTo)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-10 12:41:29 +01:00
|
|
|
c.Redirect(hs.Cfg.AppSubURL + "/")
|
2019-01-23 15:28:33 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-15 14:01:58 +02:00
|
|
|
c.HTML(http.StatusOK, getViewIndex(), viewData)
|
2019-11-07 17:48:56 +01:00
|
|
|
}
|
2019-01-23 15:28:33 +01:00
|
|
|
|
2023-01-27 08:50:36 +01:00
|
|
|
func (hs *HTTPServer) tryAutoLogin(c *contextmodel.ReqContext) bool {
|
2023-01-19 15:53:02 +01:00
|
|
|
samlAutoLogin := hs.samlAutoLoginEnabled()
|
2021-07-07 08:54:17 +02:00
|
|
|
oauthInfos := hs.SocialService.GetOAuthInfoProviders()
|
2023-01-19 15:53:02 +01:00
|
|
|
|
|
|
|
|
autoLoginProvidersLen := 0
|
|
|
|
|
for _, provider := range oauthInfos {
|
|
|
|
|
if provider.AutoLogin {
|
|
|
|
|
autoLoginProvidersLen++
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
// If no auto_login option configured for specific OAuth, use legacy option
|
|
|
|
|
if setting.OAuthAutoLogin && autoLoginProvidersLen == 0 {
|
|
|
|
|
autoLoginProvidersLen = len(oauthInfos)
|
|
|
|
|
}
|
|
|
|
|
if samlAutoLogin {
|
|
|
|
|
autoLoginProvidersLen++
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if autoLoginProvidersLen > 1 {
|
|
|
|
|
c.Logger.Warn("Skipping auto login because multiple auth providers are configured with auto_login option")
|
2018-05-28 16:16:48 +02:00
|
|
|
return false
|
2023-01-19 15:53:02 +01:00
|
|
|
}
|
|
|
|
|
if autoLoginProvidersLen == 0 && setting.OAuthAutoLogin {
|
|
|
|
|
c.Logger.Warn("Skipping auto login because no auth providers are configured")
|
2022-12-20 14:35:43 +01:00
|
|
|
return false
|
2018-05-28 16:16:48 +02:00
|
|
|
}
|
2023-01-19 15:53:02 +01:00
|
|
|
|
|
|
|
|
for providerName, provider := range oauthInfos {
|
|
|
|
|
if provider.AutoLogin || setting.OAuthAutoLogin {
|
|
|
|
|
redirectUrl := hs.Cfg.AppSubURL + "/login/" + providerName
|
|
|
|
|
c.Logger.Info("OAuth auto login enabled. Redirecting to " + redirectUrl)
|
|
|
|
|
c.Redirect(redirectUrl, 307)
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if samlAutoLogin {
|
|
|
|
|
redirectUrl := hs.Cfg.AppSubURL + "/login/saml"
|
|
|
|
|
c.Logger.Info("SAML auto login enabled. Redirecting to " + redirectUrl)
|
2018-05-28 16:16:48 +02:00
|
|
|
c.Redirect(redirectUrl, 307)
|
|
|
|
|
return true
|
|
|
|
|
}
|
2023-01-19 15:53:02 +01:00
|
|
|
|
2018-05-28 16:16:48 +02:00
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-27 08:50:36 +01:00
|
|
|
func (hs *HTTPServer) LoginAPIPing(c *contextmodel.ReqContext) response.Response {
|
2019-01-24 15:17:09 +01:00
|
|
|
if c.IsSignedIn || c.IsAnonymous {
|
2022-04-15 14:01:58 +02:00
|
|
|
return response.JSON(http.StatusOK, "Logged in")
|
2015-01-27 12:05:23 +01:00
|
|
|
}
|
|
|
|
|
|
2021-01-15 14:43:20 +01:00
|
|
|
return response.Error(401, "Unauthorized", nil)
|
2015-01-27 10:09:54 +01:00
|
|
|
}
|
|
|
|
|
|
2023-01-27 08:50:36 +01:00
|
|
|
func (hs *HTTPServer) LoginPost(c *contextmodel.ReqContext) response.Response {
|
2023-01-17 09:11:45 +01:00
|
|
|
if hs.Features.IsEnabled(featuremgmt.FlagAuthnService) {
|
|
|
|
|
identity, err := hs.authnService.Login(c.Req.Context(), authn.ClientForm, &authn.Request{HTTPRequest: c.Req, Resp: c.Resp})
|
|
|
|
|
if err != nil {
|
|
|
|
|
tokenErr := &auth.CreateTokenErr{}
|
|
|
|
|
if errors.As(err, &tokenErr) {
|
|
|
|
|
return response.Error(tokenErr.StatusCode, tokenErr.ExternalErr, tokenErr.InternalErr)
|
|
|
|
|
}
|
|
|
|
|
return response.Err(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cookies.WriteSessionCookie(c, hs.Cfg, identity.SessionToken.UnhashedToken, hs.Cfg.LoginMaxLifetime)
|
|
|
|
|
result := map[string]interface{}{
|
|
|
|
|
"message": "Logged in",
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if redirectTo := c.GetCookie("redirect_to"); len(redirectTo) > 0 {
|
|
|
|
|
if err := hs.ValidateRedirectTo(redirectTo); err == nil {
|
|
|
|
|
result["redirectUrl"] = redirectTo
|
|
|
|
|
} else {
|
|
|
|
|
c.Logger.Info("Ignored invalid redirect_to cookie value.", "url", redirectTo)
|
|
|
|
|
}
|
|
|
|
|
cookies.DeleteCookie(c.Resp, "redirect_to", hs.CookieOptionsFromCfg)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
metrics.MApiLoginPost.Inc()
|
|
|
|
|
return response.JSON(http.StatusOK, result)
|
|
|
|
|
}
|
|
|
|
|
|
2021-10-06 12:52:27 +02:00
|
|
|
cmd := dtos.LoginCommand{}
|
2021-10-11 14:30:59 +02:00
|
|
|
if err := web.Bind(c.Req, &cmd); err != nil {
|
2021-10-06 12:52:27 +02:00
|
|
|
return response.Error(http.StatusBadRequest, "bad login data", err)
|
|
|
|
|
}
|
2020-11-06 10:01:13 +01:00
|
|
|
authModule := ""
|
2022-07-20 14:50:06 +02:00
|
|
|
var usr *user.User
|
2021-01-15 14:43:20 +01:00
|
|
|
var resp *response.NormalResponse
|
2020-09-04 14:54:59 +02:00
|
|
|
|
|
|
|
|
defer func() {
|
2021-01-15 14:43:20 +01:00
|
|
|
err := resp.Err()
|
|
|
|
|
if err == nil && resp.ErrMessage() != "" {
|
|
|
|
|
err = errors.New(resp.ErrMessage())
|
2020-09-04 14:54:59 +02:00
|
|
|
}
|
2020-11-06 10:01:13 +01:00
|
|
|
hs.HooksService.RunLoginHook(&models.LoginInfo{
|
|
|
|
|
AuthModule: authModule,
|
2022-07-20 14:50:06 +02:00
|
|
|
User: usr,
|
2020-10-26 15:47:01 +01:00
|
|
|
LoginUsername: cmd.User,
|
2021-01-15 14:43:20 +01:00
|
|
|
HTTPStatus: resp.Status(),
|
2020-10-26 15:47:01 +01:00
|
|
|
Error: err,
|
2020-11-06 10:01:13 +01:00
|
|
|
}, c)
|
2020-09-04 14:54:59 +02:00
|
|
|
}()
|
|
|
|
|
|
2017-03-17 16:35:05 -04:00
|
|
|
if setting.DisableLoginForm {
|
2021-01-15 14:43:20 +01:00
|
|
|
resp = response.Error(http.StatusUnauthorized, "Login is disabled", nil)
|
|
|
|
|
return resp
|
2017-03-17 16:35:05 -04:00
|
|
|
}
|
|
|
|
|
|
2019-07-05 15:24:52 +02:00
|
|
|
authQuery := &models.LoginUserQuery{
|
2018-03-23 15:50:07 -04:00
|
|
|
ReqContext: c,
|
|
|
|
|
Username: cmd.User,
|
|
|
|
|
Password: cmd.Password,
|
2022-12-13 09:33:05 -05:00
|
|
|
IpAddress: c.RemoteAddr(),
|
2020-12-11 11:44:44 +01:00
|
|
|
Cfg: hs.Cfg,
|
2014-12-29 13:36:08 +01:00
|
|
|
}
|
|
|
|
|
|
2022-04-04 20:36:15 +02:00
|
|
|
err := hs.authenticator.AuthenticateUser(c.Req.Context(), authQuery)
|
2020-11-06 10:01:13 +01:00
|
|
|
authModule = authQuery.AuthModule
|
2020-09-04 14:54:59 +02:00
|
|
|
if err != nil {
|
2021-01-15 14:43:20 +01:00
|
|
|
resp = response.Error(401, "Invalid username or password", err)
|
2020-11-19 13:34:28 +01:00
|
|
|
if errors.Is(err, login.ErrInvalidCredentials) || errors.Is(err, login.ErrTooManyLoginAttempts) || errors.Is(err,
|
2022-07-20 14:50:06 +02:00
|
|
|
user.ErrUserNotFound) {
|
2022-10-12 18:34:59 +03:00
|
|
|
return resp
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if errors.Is(err, login.ErrNoAuthProvider) {
|
|
|
|
|
resp = response.Error(http.StatusInternalServerError, "No authorization providers enabled", err)
|
2021-01-15 14:43:20 +01:00
|
|
|
return resp
|
2015-06-04 09:34:42 +02:00
|
|
|
}
|
|
|
|
|
|
2019-07-23 13:12:55 +03:00
|
|
|
// Do not expose disabled status,
|
|
|
|
|
// just show incorrect user credentials error (see #17947)
|
2020-11-19 13:34:28 +01:00
|
|
|
if errors.Is(err, login.ErrUserDisabled) {
|
2019-07-23 13:12:55 +03:00
|
|
|
hs.log.Warn("User is disabled", "user", cmd.User)
|
2021-01-15 14:43:20 +01:00
|
|
|
return resp
|
2019-05-21 14:52:49 +03:00
|
|
|
}
|
|
|
|
|
|
2021-01-15 14:43:20 +01:00
|
|
|
resp = response.Error(500, "Error while trying to authenticate user", err)
|
|
|
|
|
return resp
|
2014-12-29 13:36:08 +01:00
|
|
|
}
|
|
|
|
|
|
2022-07-20 14:50:06 +02:00
|
|
|
usr = authQuery.User
|
2015-07-10 11:10:48 +02:00
|
|
|
|
2022-07-20 14:50:06 +02:00
|
|
|
err = hs.loginUserWithUser(usr, c)
|
2020-03-23 13:37:53 +01:00
|
|
|
if err != nil {
|
2022-11-18 09:56:06 +01:00
|
|
|
var createTokenErr *auth.CreateTokenErr
|
2021-02-25 15:30:51 +01:00
|
|
|
if errors.As(err, &createTokenErr) {
|
|
|
|
|
resp = response.Error(createTokenErr.StatusCode, createTokenErr.ExternalErr, createTokenErr.InternalErr)
|
|
|
|
|
} else {
|
|
|
|
|
resp = response.Error(http.StatusInternalServerError, "Error while signing in user", err)
|
|
|
|
|
}
|
2021-01-15 14:43:20 +01:00
|
|
|
return resp
|
2020-03-23 13:37:53 +01:00
|
|
|
}
|
2014-12-29 13:36:08 +01:00
|
|
|
|
2015-01-27 12:05:23 +01:00
|
|
|
result := map[string]interface{}{
|
|
|
|
|
"message": "Logged in",
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-24 07:27:08 +01:00
|
|
|
if redirectTo := c.GetCookie("redirect_to"); len(redirectTo) > 0 {
|
2020-04-17 10:48:37 +03:00
|
|
|
if err := hs.ValidateRedirectTo(redirectTo); err == nil {
|
2019-12-12 17:08:34 +02:00
|
|
|
result["redirectUrl"] = redirectTo
|
|
|
|
|
} else {
|
2021-11-08 17:56:56 +01:00
|
|
|
c.Logger.Info("Ignored invalid redirect_to cookie value.", "url", redirectTo)
|
2019-12-12 17:08:34 +02:00
|
|
|
}
|
2020-12-11 11:44:44 +01:00
|
|
|
cookies.DeleteCookie(c.Resp, "redirect_to", hs.CookieOptionsFromCfg)
|
2015-01-27 12:05:23 +01:00
|
|
|
}
|
|
|
|
|
|
2019-07-16 17:58:46 +03:00
|
|
|
metrics.MApiLoginPost.Inc()
|
2021-01-15 14:43:20 +01:00
|
|
|
resp = response.JSON(http.StatusOK, result)
|
|
|
|
|
return resp
|
2015-06-04 09:34:42 +02:00
|
|
|
}
|
|
|
|
|
|
2023-01-27 08:50:36 +01:00
|
|
|
func (hs *HTTPServer) loginUserWithUser(user *user.User, c *contextmodel.ReqContext) error {
|
2015-01-19 18:01:04 +01:00
|
|
|
if user == nil {
|
2020-03-23 13:37:53 +01:00
|
|
|
return errors.New("could not login user")
|
2014-12-29 13:36:08 +01:00
|
|
|
}
|
|
|
|
|
|
2020-11-25 03:55:22 -03:00
|
|
|
addr := c.RemoteAddr()
|
|
|
|
|
ip, err := network.GetIPFromAddress(addr)
|
|
|
|
|
if err != nil {
|
|
|
|
|
hs.log.Debug("Failed to get IP from client address", "addr", addr)
|
|
|
|
|
ip = nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
hs.log.Debug("Got IP address from client address", "addr", addr, "ip", ip)
|
2021-01-19 17:55:53 +01:00
|
|
|
ctx := context.WithValue(c.Req.Context(), models.RequestURIKey{}, c.Req.RequestURI)
|
|
|
|
|
userToken, err := hs.AuthTokenService.CreateToken(ctx, user, ip, c.Req.UserAgent())
|
2019-01-15 15:15:52 +01:00
|
|
|
if err != nil {
|
2022-06-03 03:24:24 -04:00
|
|
|
return fmt.Errorf("%v: %w", "failed to create auth token", err)
|
2016-03-07 17:26:31 +01:00
|
|
|
}
|
2021-01-19 17:55:53 +01:00
|
|
|
c.UserToken = userToken
|
2020-03-23 13:37:53 +01:00
|
|
|
|
2019-07-03 09:16:00 -04:00
|
|
|
hs.log.Info("Successful Login", "User", user.Email)
|
2020-12-11 11:44:44 +01:00
|
|
|
cookies.WriteSessionCookie(c, hs.Cfg, userToken.UnhashedToken, hs.Cfg.LoginMaxLifetime)
|
2020-03-23 13:37:53 +01:00
|
|
|
return nil
|
2014-12-29 13:36:08 +01:00
|
|
|
}
|
|
|
|
|
|
2023-01-27 08:50:36 +01:00
|
|
|
func (hs *HTTPServer) Logout(c *contextmodel.ReqContext) {
|
2022-08-10 08:21:33 +00:00
|
|
|
// If SAML is enabled and this is a SAML user use saml logout
|
2021-04-28 11:26:58 +02:00
|
|
|
if hs.samlSingleLogoutEnabled() {
|
2022-08-11 13:28:55 +02:00
|
|
|
getAuthQuery := models.GetAuthInfoQuery{UserId: c.UserID}
|
2022-08-10 08:21:33 +00:00
|
|
|
if err := hs.authInfoService.GetAuthInfo(c.Req.Context(), &getAuthQuery); err == nil {
|
|
|
|
|
if getAuthQuery.Result.AuthModule == loginService.SAMLAuthModule {
|
|
|
|
|
c.Redirect(hs.Cfg.AppSubURL + "/logout/saml")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-10-08 17:42:55 +03:00
|
|
|
}
|
|
|
|
|
|
2022-10-18 18:17:28 +02:00
|
|
|
// Invalidate the OAuth tokens in case the User logged in with OAuth or the last external AuthEntry is an OAuth one
|
|
|
|
|
if entry, exists, _ := hs.oauthTokenService.HasOAuthEntry(c.Req.Context(), c.SignedInUser); exists {
|
|
|
|
|
if err := hs.oauthTokenService.InvalidateOAuthTokens(c.Req.Context(), entry); err != nil {
|
|
|
|
|
hs.log.Warn("failed to invalidate oauth tokens for user", "userId", c.UserID, "error", err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-16 17:44:02 +01:00
|
|
|
err := hs.AuthTokenService.RevokeToken(c.Req.Context(), c.UserToken, false)
|
2022-11-18 09:56:06 +01:00
|
|
|
if err != nil && !errors.Is(err, auth.ErrUserTokenNotFound) {
|
2019-02-04 23:44:28 +01:00
|
|
|
hs.log.Error("failed to revoke auth token", "error", err)
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-11 11:44:44 +01:00
|
|
|
cookies.WriteSessionCookie(c, hs.Cfg, "", -1)
|
2019-01-15 15:15:52 +01:00
|
|
|
|
2018-05-27 14:52:50 +02:00
|
|
|
if setting.SignoutRedirectUrl != "" {
|
|
|
|
|
c.Redirect(setting.SignoutRedirectUrl)
|
|
|
|
|
} else {
|
2019-07-03 09:16:00 -04:00
|
|
|
hs.log.Info("Successful Logout", "User", c.Email)
|
2021-03-10 12:41:29 +01:00
|
|
|
c.Redirect(hs.Cfg.AppSubURL + "/login")
|
2018-05-27 14:52:50 +02:00
|
|
|
}
|
2014-12-29 13:36:08 +01:00
|
|
|
}
|
2019-01-23 17:01:09 +01:00
|
|
|
|
2023-01-27 08:50:36 +01:00
|
|
|
func (hs *HTTPServer) tryGetEncryptedCookie(ctx *contextmodel.ReqContext, cookieName string) (string, bool) {
|
2019-01-23 17:01:09 +01:00
|
|
|
cookie := ctx.GetCookie(cookieName)
|
|
|
|
|
if cookie == "" {
|
|
|
|
|
return "", false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
decoded, err := hex.DecodeString(cookie)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", false
|
|
|
|
|
}
|
|
|
|
|
|
2021-11-04 18:47:21 +02:00
|
|
|
decryptedError, err := hs.SecretsService.Decrypt(ctx.Req.Context(), decoded)
|
2019-01-23 17:01:09 +01:00
|
|
|
return string(decryptedError), err == nil
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-27 08:50:36 +01:00
|
|
|
func (hs *HTTPServer) trySetEncryptedCookie(ctx *contextmodel.ReqContext, cookieName string, value string, maxAge int) error {
|
2021-11-04 18:47:21 +02:00
|
|
|
encryptedError, err := hs.SecretsService.Encrypt(ctx.Req.Context(), []byte(value), secrets.WithoutScope())
|
2019-01-23 17:01:09 +01:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-11 11:44:44 +01:00
|
|
|
cookies.WriteCookie(ctx.Resp, cookieName, hex.EncodeToString(encryptedError), 60, hs.CookieOptionsFromCfg)
|
2019-01-23 17:01:09 +01:00
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
2020-04-17 10:48:37 +03:00
|
|
|
|
2023-01-27 08:50:36 +01:00
|
|
|
func (hs *HTTPServer) redirectWithError(ctx *contextmodel.ReqContext, err error, v ...interface{}) {
|
2022-10-31 09:11:31 +01:00
|
|
|
ctx.Logger.Warn(err.Error(), v...)
|
2021-02-25 15:30:51 +01:00
|
|
|
if err := hs.trySetEncryptedCookie(ctx, loginErrorCookieName, getLoginExternalError(err), 60); err != nil {
|
2020-04-17 10:48:37 +03:00
|
|
|
hs.log.Error("Failed to set encrypted cookie", "err", err)
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-10 12:41:29 +01:00
|
|
|
ctx.Redirect(hs.Cfg.AppSubURL + "/login")
|
2020-04-17 10:48:37 +03:00
|
|
|
}
|
|
|
|
|
|
2023-01-27 08:50:36 +01:00
|
|
|
func (hs *HTTPServer) RedirectResponseWithError(ctx *contextmodel.ReqContext, err error, v ...interface{}) *response.RedirectResponse {
|
2020-04-17 10:48:37 +03:00
|
|
|
ctx.Logger.Error(err.Error(), v...)
|
2021-02-25 15:30:51 +01:00
|
|
|
if err := hs.trySetEncryptedCookie(ctx, loginErrorCookieName, getLoginExternalError(err), 60); err != nil {
|
2020-04-17 10:48:37 +03:00
|
|
|
hs.log.Error("Failed to set encrypted cookie", "err", err)
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-10 12:41:29 +01:00
|
|
|
return response.Redirect(hs.Cfg.AppSubURL + "/login")
|
2020-04-17 10:48:37 +03:00
|
|
|
}
|
2021-02-25 15:30:51 +01:00
|
|
|
|
2021-04-28 11:26:58 +02:00
|
|
|
func (hs *HTTPServer) samlEnabled() bool {
|
2022-01-07 15:11:23 -05:00
|
|
|
return hs.SettingsProvider.KeyValue("auth.saml", "enabled").MustBool(false) && hs.License.FeatureEnabled("saml")
|
2021-04-28 11:26:58 +02:00
|
|
|
}
|
|
|
|
|
|
2021-10-04 09:58:16 -03:00
|
|
|
func (hs *HTTPServer) samlName() string {
|
|
|
|
|
return hs.SettingsProvider.KeyValue("auth.saml", "name").MustString("SAML")
|
|
|
|
|
}
|
|
|
|
|
|
2021-04-28 11:26:58 +02:00
|
|
|
func (hs *HTTPServer) samlSingleLogoutEnabled() bool {
|
2022-08-10 08:21:33 +00:00
|
|
|
return hs.samlEnabled() && hs.SettingsProvider.KeyValue("auth.saml", "single_logout").MustBool(false) && hs.samlEnabled()
|
2021-04-28 11:26:58 +02:00
|
|
|
}
|
|
|
|
|
|
2023-01-19 15:53:02 +01:00
|
|
|
func (hs *HTTPServer) samlAutoLoginEnabled() bool {
|
|
|
|
|
return hs.samlEnabled() && hs.SettingsProvider.KeyValue("auth.saml", "auto_login").MustBool(false)
|
|
|
|
|
}
|
|
|
|
|
|
2021-02-25 15:30:51 +01:00
|
|
|
func getLoginExternalError(err error) string {
|
2022-11-18 09:56:06 +01:00
|
|
|
var createTokenErr *auth.CreateTokenErr
|
2021-02-25 15:30:51 +01:00
|
|
|
if errors.As(err, &createTokenErr) {
|
|
|
|
|
return createTokenErr.ExternalErr
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return err.Error()
|
|
|
|
|
}
|
