2014-10-05 14:13:01 -05:00
|
|
|
package middleware
|
|
|
|
|
|
|
|
import (
|
2021-03-16 11:44:02 -05:00
|
|
|
"errors"
|
2023-01-26 03:50:44 -06:00
|
|
|
"net/http"
|
2015-01-27 05:05:23 -06:00
|
|
|
"net/url"
|
2020-11-20 12:30:37 -06:00
|
|
|
"regexp"
|
2020-07-06 07:59:00 -05:00
|
|
|
"strconv"
|
2015-01-14 02:33:34 -06:00
|
|
|
"strings"
|
2014-11-20 08:19:44 -06:00
|
|
|
|
2020-12-11 04:44:44 -06:00
|
|
|
"github.com/grafana/grafana/pkg/middleware/cookies"
|
2022-11-18 02:56:06 -06:00
|
|
|
"github.com/grafana/grafana/pkg/services/auth"
|
2023-03-23 08:39:04 -05:00
|
|
|
"github.com/grafana/grafana/pkg/services/authn"
|
2023-01-27 01:50:36 -06:00
|
|
|
contextmodel "github.com/grafana/grafana/pkg/services/contexthandler/model"
|
2022-08-10 04:56:48 -05:00
|
|
|
"github.com/grafana/grafana/pkg/services/org"
|
2023-03-27 04:15:37 -05:00
|
|
|
"github.com/grafana/grafana/pkg/services/pluginsintegration/pluginaccesscontrol"
|
2015-02-05 03:37:13 -06:00
|
|
|
"github.com/grafana/grafana/pkg/setting"
|
2021-10-11 07:30:59 -05:00
|
|
|
"github.com/grafana/grafana/pkg/web"
|
2014-10-05 14:13:01 -05:00
|
|
|
)
|
|
|
|
|
2015-01-15 05:16:54 -06:00
|
|
|
type AuthOptions struct {
|
2015-01-16 07:32:18 -06:00
|
|
|
ReqGrafanaAdmin bool
|
2021-02-27 11:04:28 -06:00
|
|
|
ReqNoAnonynmous bool
|
2023-07-06 08:40:06 -05:00
|
|
|
ReqSignedIn bool
|
2015-01-15 05:16:54 -06:00
|
|
|
}
|
|
|
|
|
2023-01-27 01:50:36 -06:00
|
|
|
func accessForbidden(c *contextmodel.ReqContext) {
|
2015-01-14 07:25:12 -06:00
|
|
|
if c.IsApiRequest() {
|
2015-09-08 03:46:31 -05:00
|
|
|
c.JsonApiErr(403, "Permission denied", nil)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2018-02-05 11:17:47 -06:00
|
|
|
c.Redirect(setting.AppSubUrl + "/")
|
2015-09-08 03:46:31 -05:00
|
|
|
}
|
|
|
|
|
2023-01-27 01:50:36 -06:00
|
|
|
func notAuthorized(c *contextmodel.ReqContext) {
|
2015-09-08 03:46:31 -05:00
|
|
|
if c.IsApiRequest() {
|
2023-01-26 03:50:44 -06:00
|
|
|
c.WriteErrOrFallback(http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized), c.LookupTokenErr)
|
2015-01-27 05:05:23 -06:00
|
|
|
return
|
2015-01-14 07:25:12 -06:00
|
|
|
}
|
|
|
|
|
2021-03-16 11:44:02 -05:00
|
|
|
writeRedirectCookie(c)
|
2023-03-23 08:39:04 -05:00
|
|
|
|
|
|
|
if errors.Is(c.LookupTokenErr, authn.ErrTokenNeedsRotation) {
|
|
|
|
c.Redirect(setting.AppSubUrl + "/user/auth-tokens/rotate")
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-03-16 11:44:02 -05:00
|
|
|
c.Redirect(setting.AppSubUrl + "/login")
|
|
|
|
}
|
|
|
|
|
2023-01-27 01:50:36 -06:00
|
|
|
func tokenRevoked(c *contextmodel.ReqContext, err *auth.TokenRevokedError) {
|
2021-03-16 11:44:02 -05:00
|
|
|
if c.IsApiRequest() {
|
2023-08-30 10:46:47 -05:00
|
|
|
c.JSON(401, map[string]any{
|
2021-03-16 11:44:02 -05:00
|
|
|
"message": "Token revoked",
|
2023-08-30 10:46:47 -05:00
|
|
|
"error": map[string]any{
|
2021-03-16 11:44:02 -05:00
|
|
|
"id": "ERR_TOKEN_REVOKED",
|
|
|
|
"maxConcurrentSessions": err.MaxConcurrentSessions,
|
|
|
|
},
|
|
|
|
})
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
writeRedirectCookie(c)
|
|
|
|
c.Redirect(setting.AppSubUrl + "/login")
|
|
|
|
}
|
|
|
|
|
2023-01-27 01:50:36 -06:00
|
|
|
func writeRedirectCookie(c *contextmodel.ReqContext) {
|
2020-03-11 04:04:48 -05:00
|
|
|
redirectTo := c.Req.RequestURI
|
|
|
|
if setting.AppSubUrl != "" && !strings.HasPrefix(redirectTo, setting.AppSubUrl) {
|
|
|
|
redirectTo = setting.AppSubUrl + c.Req.RequestURI
|
|
|
|
}
|
2018-02-15 03:56:29 -06:00
|
|
|
|
2022-10-21 09:53:17 -05:00
|
|
|
if redirectTo == "/" {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2020-11-20 12:30:37 -06:00
|
|
|
// remove any forceLogin=true params
|
|
|
|
redirectTo = removeForceLoginParams(redirectTo)
|
2020-12-11 04:44:44 -06:00
|
|
|
cookies.WriteCookie(c.Resp, "redirect_to", url.QueryEscape(redirectTo), 0, nil)
|
2014-10-05 14:13:01 -05:00
|
|
|
}
|
|
|
|
|
2020-11-20 12:30:37 -06:00
|
|
|
var forceLoginParamsRegexp = regexp.MustCompile(`&?forceLogin=true`)
|
|
|
|
|
|
|
|
func removeForceLoginParams(str string) string {
|
|
|
|
return forceLoginParamsRegexp.ReplaceAllString(str, "")
|
|
|
|
}
|
|
|
|
|
2023-01-27 01:50:36 -06:00
|
|
|
func CanAdminPlugins(cfg *setting.Cfg) func(c *contextmodel.ReqContext) {
|
|
|
|
return func(c *contextmodel.ReqContext) {
|
2023-03-27 04:15:37 -05:00
|
|
|
if !pluginaccesscontrol.ReqCanAdminPlugins(cfg)(c) {
|
2022-11-30 02:41:28 -06:00
|
|
|
accessForbidden(c)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-08-10 04:56:48 -05:00
|
|
|
func RoleAuth(roles ...org.RoleType) web.Handler {
|
2023-01-27 01:50:36 -06:00
|
|
|
return func(c *contextmodel.ReqContext) {
|
2015-01-16 08:28:44 -06:00
|
|
|
ok := false
|
|
|
|
for _, role := range roles {
|
2015-02-23 13:07:49 -06:00
|
|
|
if role == c.OrgRole {
|
2015-01-16 08:28:44 -06:00
|
|
|
ok = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if !ok {
|
2015-09-08 03:46:31 -05:00
|
|
|
accessForbidden(c)
|
2015-01-16 08:28:44 -06:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-10-11 07:30:59 -05:00
|
|
|
func Auth(options *AuthOptions) web.Handler {
|
2023-01-27 01:50:36 -06:00
|
|
|
return func(c *contextmodel.ReqContext) {
|
2020-07-06 07:59:00 -05:00
|
|
|
forceLogin := false
|
|
|
|
if c.AllowAnonymous {
|
2021-03-16 10:46:34 -05:00
|
|
|
forceLogin = shouldForceLogin(c)
|
2020-10-23 09:34:35 -05:00
|
|
|
if !forceLogin {
|
|
|
|
orgIDValue := c.Req.URL.Query().Get("orgId")
|
|
|
|
orgID, err := strconv.ParseInt(orgIDValue, 10, 64)
|
2023-10-09 03:40:19 -05:00
|
|
|
if err == nil && orgID > 0 && orgID != c.SignedInUser.GetOrgID() {
|
2020-10-23 09:34:35 -05:00
|
|
|
forceLogin = true
|
|
|
|
}
|
|
|
|
}
|
2020-07-06 07:59:00 -05:00
|
|
|
}
|
2021-02-27 11:04:28 -06:00
|
|
|
|
|
|
|
requireLogin := !c.AllowAnonymous || forceLogin || options.ReqNoAnonynmous
|
|
|
|
|
2020-06-16 08:33:44 -05:00
|
|
|
if !c.IsSignedIn && options.ReqSignedIn && requireLogin {
|
2022-11-18 02:56:06 -06:00
|
|
|
var revokedErr *auth.TokenRevokedError
|
2021-09-13 08:41:03 -05:00
|
|
|
if errors.As(c.LookupTokenErr, &revokedErr) {
|
2021-03-16 11:44:02 -05:00
|
|
|
tokenRevoked(c, revokedErr)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2015-09-08 03:46:31 -05:00
|
|
|
notAuthorized(c)
|
2015-01-15 05:16:54 -06:00
|
|
|
return
|
|
|
|
}
|
2015-01-14 02:33:34 -06:00
|
|
|
|
2015-09-08 03:46:31 -05:00
|
|
|
if !c.IsGrafanaAdmin && options.ReqGrafanaAdmin {
|
|
|
|
accessForbidden(c)
|
2015-01-15 05:16:54 -06:00
|
|
|
return
|
2015-01-14 02:33:34 -06:00
|
|
|
}
|
2014-10-05 14:13:01 -05:00
|
|
|
}
|
|
|
|
}
|
2019-03-06 03:27:38 -06:00
|
|
|
|
2021-02-17 02:51:50 -06:00
|
|
|
// SnapshotPublicModeOrSignedIn creates a middleware that allows access
|
|
|
|
// if snapshot public mode is enabled or if user is signed in.
|
2021-10-11 07:30:59 -05:00
|
|
|
func SnapshotPublicModeOrSignedIn(cfg *setting.Cfg) web.Handler {
|
2023-01-27 01:50:36 -06:00
|
|
|
return func(c *contextmodel.ReqContext) {
|
2020-12-11 04:44:44 -06:00
|
|
|
if cfg.SnapshotPublicMode {
|
2019-09-02 08:15:46 -05:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-02-17 02:51:50 -06:00
|
|
|
if !c.IsSignedIn {
|
|
|
|
notAuthorized(c)
|
|
|
|
return
|
2019-09-02 08:15:46 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2021-03-16 10:46:34 -05:00
|
|
|
|
2023-01-27 01:50:36 -06:00
|
|
|
func ReqNotSignedIn(c *contextmodel.ReqContext) {
|
2021-06-14 11:02:05 -05:00
|
|
|
if c.IsSignedIn {
|
|
|
|
c.Redirect(setting.AppSubUrl + "/")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-03-16 10:46:34 -05:00
|
|
|
// NoAuth creates a middleware that doesn't require any authentication.
|
|
|
|
// If forceLogin param is set it will redirect the user to the login page.
|
2021-10-11 07:30:59 -05:00
|
|
|
func NoAuth() web.Handler {
|
2023-01-27 01:50:36 -06:00
|
|
|
return func(c *contextmodel.ReqContext) {
|
2021-03-16 10:46:34 -05:00
|
|
|
if shouldForceLogin(c) {
|
|
|
|
notAuthorized(c)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// shouldForceLogin checks if user should be enforced to login.
|
|
|
|
// Returns true if forceLogin parameter is set.
|
2023-01-27 01:50:36 -06:00
|
|
|
func shouldForceLogin(c *contextmodel.ReqContext) bool {
|
2021-03-16 10:46:34 -05:00
|
|
|
forceLogin := false
|
|
|
|
forceLoginParam, err := strconv.ParseBool(c.Req.URL.Query().Get("forceLogin"))
|
|
|
|
if err == nil {
|
|
|
|
forceLogin = forceLoginParam
|
|
|
|
}
|
|
|
|
|
|
|
|
return forceLogin
|
|
|
|
}
|