2014-10-05 09:50:04 -05:00
|
|
|
package middleware
|
|
|
|
|
|
|
|
import (
|
2014-10-07 16:56:37 -05:00
|
|
|
"strconv"
|
2014-10-05 09:50:04 -05:00
|
|
|
|
2015-02-05 03:37:13 -06:00
|
|
|
"github.com/grafana/grafana/pkg/bus"
|
2015-02-26 10:23:28 -06:00
|
|
|
"github.com/grafana/grafana/pkg/components/apikeygen"
|
2015-02-05 03:37:13 -06:00
|
|
|
"github.com/grafana/grafana/pkg/log"
|
|
|
|
m "github.com/grafana/grafana/pkg/models"
|
2019-01-16 07:53:59 -06:00
|
|
|
"github.com/grafana/grafana/pkg/services/auth"
|
2018-03-06 16:59:45 -06:00
|
|
|
"github.com/grafana/grafana/pkg/services/session"
|
2015-02-05 03:37:13 -06:00
|
|
|
"github.com/grafana/grafana/pkg/setting"
|
2015-06-30 02:37:52 -05:00
|
|
|
"github.com/grafana/grafana/pkg/util"
|
2019-01-17 10:11:52 -06:00
|
|
|
macaron "gopkg.in/macaron.v1"
|
2014-10-05 09:50:04 -05:00
|
|
|
)
|
|
|
|
|
2018-10-11 05:36:04 -05:00
|
|
|
var (
|
|
|
|
ReqGrafanaAdmin = Auth(&AuthOptions{ReqSignedIn: true, ReqGrafanaAdmin: true})
|
|
|
|
ReqSignedIn = Auth(&AuthOptions{ReqSignedIn: true})
|
|
|
|
ReqEditorRole = RoleAuth(m.ROLE_EDITOR, m.ROLE_ADMIN)
|
|
|
|
ReqOrgAdmin = RoleAuth(m.ROLE_ADMIN)
|
|
|
|
)
|
|
|
|
|
2019-01-22 05:00:33 -06:00
|
|
|
func GetContextHandler(ats auth.UserAuthTokenService) macaron.Handler {
|
2015-04-07 12:21:14 -05:00
|
|
|
return func(c *macaron.Context) {
|
2018-03-07 10:54:50 -06:00
|
|
|
ctx := &m.ReqContext{
|
2015-03-11 11:34:11 -05:00
|
|
|
Context: c,
|
|
|
|
SignedInUser: &m.SignedInUser{},
|
2019-01-23 05:41:15 -06:00
|
|
|
Session: session.GetSession(), // should only be used by auth_proxy
|
2015-03-11 11:34:11 -05:00
|
|
|
IsSignedIn: false,
|
|
|
|
AllowAnonymous: false,
|
2018-10-26 03:40:33 -05:00
|
|
|
SkipCache: false,
|
2016-06-06 16:06:44 -05:00
|
|
|
Logger: log.New("context"),
|
2014-10-05 09:50:04 -05:00
|
|
|
}
|
|
|
|
|
2017-04-14 08:47:39 -05:00
|
|
|
orgId := int64(0)
|
|
|
|
orgIdHeader := ctx.Req.Header.Get("X-Grafana-Org-Id")
|
|
|
|
if orgIdHeader != "" {
|
|
|
|
orgId, _ = strconv.ParseInt(orgIdHeader, 10, 64)
|
|
|
|
}
|
|
|
|
|
2015-04-08 01:59:12 -05:00
|
|
|
// the order in which these are tested are important
|
|
|
|
// look for api key in Authorization header first
|
|
|
|
// then init session and look for userId in session
|
|
|
|
// then look for api key in session (special case for render calls via api)
|
|
|
|
// then test if anonymous access is enabled
|
2018-10-15 14:13:03 -05:00
|
|
|
switch {
|
|
|
|
case initContextWithRenderAuth(ctx):
|
|
|
|
case initContextWithApiKey(ctx):
|
|
|
|
case initContextWithBasicAuth(ctx, orgId):
|
|
|
|
case initContextWithAuthProxy(ctx, orgId):
|
2019-01-21 04:37:44 -06:00
|
|
|
case ats.InitContextWithToken(ctx, orgId):
|
2018-10-15 14:13:03 -05:00
|
|
|
case initContextWithAnonymousUser(ctx):
|
2015-01-15 05:16:54 -06:00
|
|
|
}
|
|
|
|
|
2016-06-07 05:20:46 -05:00
|
|
|
ctx.Logger = log.New("context", "userId", ctx.UserId, "orgId", ctx.OrgId, "uname", ctx.Login)
|
2016-06-07 02:29:47 -05:00
|
|
|
ctx.Data["ctx"] = ctx
|
2016-06-06 16:06:44 -05:00
|
|
|
|
2014-10-05 09:50:04 -05:00
|
|
|
c.Map(ctx)
|
2017-08-09 03:36:41 -05:00
|
|
|
|
|
|
|
// update last seen every 5min
|
|
|
|
if ctx.ShouldUpdateLastSeenAt() {
|
|
|
|
ctx.Logger.Debug("Updating last user_seen_at", "user_id", ctx.UserId)
|
|
|
|
if err := bus.Dispatch(&m.UpdateUserLastSeenAtCommand{UserId: ctx.UserId}); err != nil {
|
|
|
|
ctx.Logger.Error("Failed to update last_seen_at", "error", err)
|
|
|
|
}
|
|
|
|
}
|
2014-10-05 09:50:04 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-03-07 10:54:50 -06:00
|
|
|
func initContextWithAnonymousUser(ctx *m.ReqContext) bool {
|
2015-04-07 12:21:14 -05:00
|
|
|
if !setting.AnonymousEnabled {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
orgQuery := m.GetOrgByNameQuery{Name: setting.AnonymousOrgName}
|
|
|
|
if err := bus.Dispatch(&orgQuery); err != nil {
|
|
|
|
log.Error(3, "Anonymous access organization error: '%s': %s", setting.AnonymousOrgName, err)
|
|
|
|
return false
|
|
|
|
}
|
2017-04-14 08:47:39 -05:00
|
|
|
|
|
|
|
ctx.IsSignedIn = false
|
|
|
|
ctx.AllowAnonymous = true
|
2017-12-15 07:19:49 -06:00
|
|
|
ctx.SignedInUser = &m.SignedInUser{IsAnonymous: true}
|
2017-04-14 08:47:39 -05:00
|
|
|
ctx.OrgRole = m.RoleType(setting.AnonymousOrgRole)
|
|
|
|
ctx.OrgId = orgQuery.Result.Id
|
|
|
|
ctx.OrgName = orgQuery.Result.Name
|
|
|
|
return true
|
2015-04-07 12:21:14 -05:00
|
|
|
}
|
|
|
|
|
2018-03-07 10:54:50 -06:00
|
|
|
func initContextWithApiKey(ctx *m.ReqContext) bool {
|
2015-04-07 12:21:14 -05:00
|
|
|
var keyString string
|
|
|
|
if keyString = getApiKey(ctx); keyString == "" {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
// base64 decode key
|
|
|
|
decoded, err := apikeygen.Decode(keyString)
|
|
|
|
if err != nil {
|
|
|
|
ctx.JsonApiErr(401, "Invalid API key", err)
|
|
|
|
return true
|
|
|
|
}
|
2017-04-14 08:47:39 -05:00
|
|
|
|
2015-04-07 12:21:14 -05:00
|
|
|
// fetch key
|
|
|
|
keyQuery := m.GetApiKeyByNameQuery{KeyName: decoded.Name, OrgId: decoded.OrgId}
|
|
|
|
if err := bus.Dispatch(&keyQuery); err != nil {
|
|
|
|
ctx.JsonApiErr(401, "Invalid API key", err)
|
|
|
|
return true
|
2017-04-14 08:47:39 -05:00
|
|
|
}
|
2015-04-07 12:21:14 -05:00
|
|
|
|
2017-04-14 08:47:39 -05:00
|
|
|
apikey := keyQuery.Result
|
2015-04-07 12:21:14 -05:00
|
|
|
|
2017-04-14 08:47:39 -05:00
|
|
|
// validate api key
|
|
|
|
if !apikeygen.IsValid(decoded, apikey.Key) {
|
|
|
|
ctx.JsonApiErr(401, "Invalid API key", err)
|
2015-04-08 01:59:12 -05:00
|
|
|
return true
|
|
|
|
}
|
2017-04-14 08:47:39 -05:00
|
|
|
|
|
|
|
ctx.IsSignedIn = true
|
|
|
|
ctx.SignedInUser = &m.SignedInUser{}
|
|
|
|
ctx.OrgRole = apikey.Role
|
|
|
|
ctx.ApiKeyId = apikey.Id
|
|
|
|
ctx.OrgId = apikey.OrgId
|
|
|
|
return true
|
2015-04-08 01:59:12 -05:00
|
|
|
}
|
|
|
|
|
2018-03-07 10:54:50 -06:00
|
|
|
func initContextWithBasicAuth(ctx *m.ReqContext, orgId int64) bool {
|
2016-12-13 02:15:52 -06:00
|
|
|
|
2015-06-30 02:37:52 -05:00
|
|
|
if !setting.BasicAuthEnabled {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
header := ctx.Req.Header.Get("Authorization")
|
|
|
|
if header == "" {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
username, password, err := util.DecodeBasicAuthHeader(header)
|
|
|
|
if err != nil {
|
|
|
|
ctx.JsonApiErr(401, "Invalid Basic Auth Header", err)
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
loginQuery := m.GetUserByLoginQuery{LoginOrEmail: username}
|
|
|
|
if err := bus.Dispatch(&loginQuery); err != nil {
|
|
|
|
ctx.JsonApiErr(401, "Basic auth failed", err)
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
user := loginQuery.Result
|
|
|
|
|
2018-02-08 16:13:58 -06:00
|
|
|
loginUserQuery := m.LoginUserQuery{Username: username, Password: password, User: user}
|
2016-12-13 02:15:52 -06:00
|
|
|
if err := bus.Dispatch(&loginUserQuery); err != nil {
|
|
|
|
ctx.JsonApiErr(401, "Invalid username or password", err)
|
2015-06-30 02:37:52 -05:00
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
2017-04-14 08:47:39 -05:00
|
|
|
query := m.GetSignedInUserQuery{UserId: user.Id, OrgId: orgId}
|
2015-06-30 02:37:52 -05:00
|
|
|
if err := bus.Dispatch(&query); err != nil {
|
|
|
|
ctx.JsonApiErr(401, "Authentication error", err)
|
|
|
|
return true
|
|
|
|
}
|
2017-04-14 08:47:39 -05:00
|
|
|
|
|
|
|
ctx.SignedInUser = query.Result
|
|
|
|
ctx.IsSignedIn = true
|
|
|
|
return true
|
2015-06-30 02:37:52 -05:00
|
|
|
}
|
|
|
|
|
2017-07-04 09:33:37 -05:00
|
|
|
func AddDefaultResponseHeaders() macaron.Handler {
|
2018-03-07 10:54:50 -06:00
|
|
|
return func(ctx *m.ReqContext) {
|
2017-07-04 09:33:37 -05:00
|
|
|
if ctx.IsApiRequest() && ctx.Req.Method == "GET" {
|
|
|
|
ctx.Resp.Header().Add("Cache-Control", "no-cache")
|
2017-07-06 11:56:22 -05:00
|
|
|
ctx.Resp.Header().Add("Pragma", "no-cache")
|
|
|
|
ctx.Resp.Header().Add("Expires", "-1")
|
2017-07-04 09:33:37 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|