grafana/pkg/middleware/auth_proxy.go

package middleware

import (
	"github.com/grafana/grafana/pkg/infra/log"
	"github.com/grafana/grafana/pkg/infra/remotecache"
	authproxy "github.com/grafana/grafana/pkg/middleware/auth_proxy"
	"github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/setting"
)

var header = setting.AuthProxyHeaderName

func initContextWithAuthProxy(store *remotecache.RemoteCache, ctx *models.ReqContext, orgID int64) bool {
	username := ctx.Req.Header.Get(header)
	auth := authproxy.New(&authproxy.Options{
		Store: store,
		Ctx:   ctx,
		OrgID: orgID,
	})

	logger := log.New("auth.proxy")

	// Bail if auth proxy is not enabled
	if !auth.IsEnabled() {
		return false
	}

	// If the there is no header - we can't move forward
	if !auth.HasHeader() {
		return false
	}

	// Check if allowed to continue with this IP
	if result, err := auth.IsAllowedIP(); !result {
		logger.Error(
			"Failed to check whitelisted IP addresses",
			"message", err.Error(),
			"error", err.DetailsError,
		)
		ctx.Handle(407, err.Error(), err.DetailsError)
		return true
	}

	// Try to log in user from various providers
	id, err := auth.Login()
	if err != nil {
		logger.Error(
			"Failed to login",
			"username", username,
			"message", err.Error(),
			"error", err.DetailsError,
		)
		ctx.Handle(407, err.Error(), err.DetailsError)
		return true
	}

	// Get full user info
	user, err := auth.GetSignedUser(id)
	if err != nil {
		logger.Error(
			"Failed to get signed user",
			"username", username,
			"message", err.Error(),
			"error", err.DetailsError,
		)
		ctx.Handle(407, err.Error(), err.DetailsError)
		return true
	}

	// Add user info to context
	ctx.SignedInUser = user
	ctx.IsSignedIn = true

	// Remember user data it in cache
	if err := auth.Remember(id); err != nil {
		logger.Error(
			"Failed to store user in cache",
			"username", username,
			"message", err.Error(),
			"error", err.DetailsError,
		)
		ctx.Handle(500, err.Error(), err.DetailsError)
		return true
	}

	return true
}
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`package middleware`

			`import (`
Auth: change the error HTTP status codes (#18584) * Auth: change the error HTTP status codes * Use 407 HTTP status code for incorrect credentials error * Improve proxy auth logs * Remove no longer needed TODO comment Fixes #18439 2019-08-20 12:13:27 -05:00			`"github.com/grafana/grafana/pkg/infra/log"`
Chore: use remote cache instead of session storage (#16114) Replaces session storage in auth_proxy middleware with remote cache Fixes #15161 2019-04-08 06:31:46 -05:00			`"github.com/grafana/grafana/pkg/infra/remotecache"`
Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`authproxy "github.com/grafana/grafana/pkg/middleware/auth_proxy"`
chore: avoid aliasing models in middleware (#22484) 2020-02-28 05:50:58 -06:00			`"github.com/grafana/grafana/pkg/models"`
Auth: change the error HTTP status codes (#18584) * Auth: change the error HTTP status codes * Use 407 HTTP status code for incorrect credentials error * Improve proxy auth logs * Remove no longer needed TODO comment Fixes #18439 2019-08-20 12:13:27 -05:00			`"github.com/grafana/grafana/pkg/setting"`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`)`

Auth: change the error HTTP status codes (#18584) * Auth: change the error HTTP status codes * Use 407 HTTP status code for incorrect credentials error * Improve proxy auth logs * Remove no longer needed TODO comment Fixes #18439 2019-08-20 12:13:27 -05:00			`var header = setting.AuthProxyHeaderName`

chore: avoid aliasing models in middleware (#22484) 2020-02-28 05:50:58 -06:00			`func initContextWithAuthProxy(store remotecache.RemoteCache, ctx models.ReqContext, orgID int64) bool {`
Auth: change the error HTTP status codes (#18584) * Auth: change the error HTTP status codes * Use 407 HTTP status code for incorrect credentials error * Improve proxy auth logs * Remove no longer needed TODO comment Fixes #18439 2019-08-20 12:13:27 -05:00			`username := ctx.Req.Header.Get(header)`
Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`auth := authproxy.New(&authproxy.Options{`
			`Store: store,`
			`Ctx: ctx,`
			`OrgID: orgID,`
			`})`

Auth: change the error HTTP status codes (#18584) * Auth: change the error HTTP status codes * Use 407 HTTP status code for incorrect credentials error * Improve proxy auth logs * Remove no longer needed TODO comment Fixes #18439 2019-08-20 12:13:27 -05:00			`logger := log.New("auth.proxy")`

Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`// Bail if auth proxy is not enabled`
Chore: remove use of `== false` (#17036) Interestingly enough, golint or revive doesn't not prohibit the use that construction :) Ref #17035 2019-05-14 02:18:28 -05:00			`if !auth.IsEnabled() {`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`return false`
			`}`

Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`// If the there is no header - we can't move forward`
Chore: remove use of `== false` (#17036) Interestingly enough, golint or revive doesn't not prohibit the use that construction :) Ref #17035 2019-05-14 02:18:28 -05:00			`if !auth.HasHeader() {`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`return false`
			`}`

Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`// Check if allowed to continue with this IP`
Chore: remove use of `== false` (#17036) Interestingly enough, golint or revive doesn't not prohibit the use that construction :) Ref #17035 2019-05-14 02:18:28 -05:00			`if result, err := auth.IsAllowedIP(); !result {`
Auth: change the error HTTP status codes (#18584) * Auth: change the error HTTP status codes * Use 407 HTTP status code for incorrect credentials error * Improve proxy auth logs * Remove no longer needed TODO comment Fixes #18439 2019-08-20 12:13:27 -05:00			`logger.Error(`
			`"Failed to check whitelisted IP addresses",`
			`"message", err.Error(),`
			`"error", err.DetailsError,`
			`)`
Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`ctx.Handle(407, err.Error(), err.DetailsError)`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00			`return true`
			`}`

Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic 2019-05-17 06:57:26 -05:00			`// Try to log in user from various providers`
			`id, err := auth.Login()`
Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`if err != nil {`
Auth: change the error HTTP status codes (#18584) * Auth: change the error HTTP status codes * Use 407 HTTP status code for incorrect credentials error * Improve proxy auth logs * Remove no longer needed TODO comment Fixes #18439 2019-08-20 12:13:27 -05:00			`logger.Error(`
			`"Failed to login",`
			`"username", username,`
			`"message", err.Error(),`
			`"error", err.DetailsError,`
			`)`
			`ctx.Handle(407, err.Error(), err.DetailsError)`
Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`return true`
refactor authproxy & ldap integration, address comments 2018-04-16 15:17:01 -05:00			`}`
update auth proxy 2018-03-22 16:02:34 -05:00
Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`// Get full user info`
			`user, err := auth.GetSignedUser(id)`
			`if err != nil {`
Auth: change the error HTTP status codes (#18584) * Auth: change the error HTTP status codes * Use 407 HTTP status code for incorrect credentials error * Improve proxy auth logs * Remove no longer needed TODO comment Fixes #18439 2019-08-20 12:13:27 -05:00			`logger.Error(`
			`"Failed to get signed user",`
			`"username", username,`
			`"message", err.Error(),`
			`"error", err.DetailsError,`
			`)`
			`ctx.Handle(407, err.Error(), err.DetailsError)`
refactor authproxy & ldap integration, address comments 2018-04-16 15:17:01 -05:00			`return true`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00			`}`

Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`// Add user info to context`
			`ctx.SignedInUser = user`
			`ctx.IsSignedIn = true`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00
Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`// Remember user data it in cache`
Feature: LDAP refactoring (#16950) * incapsulates multipleldap logic under one module * abstracts users upsert and get logic * changes some of the text error messages and import sort sequence * heavily refactors the LDAP module – LDAP module now only deals with LDAP related behaviour * integrates affected auth_proxy module and their tests * refactoring of the auth_proxy logic 2019-05-17 06:57:26 -05:00			`if err := auth.Remember(id); err != nil {`
Auth: change the error HTTP status codes (#18584) * Auth: change the error HTTP status codes * Use 407 HTTP status code for incorrect credentials error * Improve proxy auth logs * Remove no longer needed TODO comment Fixes #18439 2019-08-20 12:13:27 -05:00			`logger.Error(`
			`"Failed to store user in cache",`
			`"username", username,`
			`"message", err.Error(),`
			`"error", err.DetailsError,`
			`)`
Chore: refactor auth proxy (#16504) * Chore: refactor auth proxy Introduced the helper struct for auth_proxy middleware. Added couple unit-tests, but it seems "integration" tests already cover most of the code paths. Although it might be good idea to test every bit of it, hm. Haven't refactored the extraction of the header logic that much Fixes #16147 * Fix: make linters happy 2019-04-16 07:09:18 -05:00			`ctx.Handle(500, err.Error(), err.DetailsError)`
			`return true`
Auth Proxy improvements - adds the option to use ldap groups for authorization in combination with an auth proxy - adds an option to limit where auth proxy requests come from by configure a list of ip's - fixes a security issue, session could be reused 2016-02-23 07:22:28 -06:00			`}`

Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`return true`
			`}`