grafana/pkg/middleware/middleware.go

package middleware

import (
	"fmt"
	"strings"

	"github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/setting"
	"github.com/grafana/grafana/pkg/web"
)

var (
	ReqGrafanaAdmin = Auth(&AuthOptions{
		ReqSignedIn:     true,
		ReqGrafanaAdmin: true,
	})
	ReqSignedIn            = Auth(&AuthOptions{ReqSignedIn: true})
	ReqSignedInNoAnonymous = Auth(&AuthOptions{ReqSignedIn: true, ReqNoAnonynmous: true})
	ReqEditorRole          = RoleAuth(models.ROLE_EDITOR, models.ROLE_ADMIN)
	ReqOrgAdmin            = RoleAuth(models.ROLE_ADMIN)
)

func HandleNoCacheHeader(ctx *models.ReqContext) {
	ctx.SkipCache = ctx.Req.Header.Get("X-Grafana-NoCache") == "true"
}

func AddDefaultResponseHeaders(cfg *setting.Cfg) web.Handler {
	return func(c *web.Context) {
		c.Resp.Before(func(w web.ResponseWriter) {
			// if response has already been written, skip.
			if w.Written() {
				return
			}

			if !strings.HasPrefix(c.Req.URL.Path, "/api/datasources/proxy/") {
				addNoCacheHeaders(c.Resp)
			}

			if !cfg.AllowEmbedding {
				addXFrameOptionsDenyHeader(w)
			}

			addSecurityHeaders(w, cfg)
		})
	}
}

// addSecurityHeaders adds HTTP(S) response headers that enable various security protections in the client's browser.
func addSecurityHeaders(w web.ResponseWriter, cfg *setting.Cfg) {
	if cfg.StrictTransportSecurity {
		strictHeaderValues := []string{fmt.Sprintf("max-age=%v", cfg.StrictTransportSecurityMaxAge)}
		if cfg.StrictTransportSecurityPreload {
			strictHeaderValues = append(strictHeaderValues, "preload")
		}
		if cfg.StrictTransportSecuritySubDomains {
			strictHeaderValues = append(strictHeaderValues, "includeSubDomains")
		}
		w.Header().Set("Strict-Transport-Security", strings.Join(strictHeaderValues, "; "))
	}

	if cfg.ContentTypeProtectionHeader {
		w.Header().Set("X-Content-Type-Options", "nosniff")
	}

	if cfg.XSSProtectionHeader {
		w.Header().Set("X-XSS-Protection", "1; mode=block")
	}
}

func addNoCacheHeaders(w web.ResponseWriter) {
	w.Header().Set("Cache-Control", "no-cache")
	w.Header().Set("Pragma", "no-cache")
	w.Header().Set("Expires", "-1")
}

func addXFrameOptionsDenyHeader(w web.ResponseWriter) {
	w.Header().Set("X-Frame-Options", "deny")
}
Macaron rewrite 2014-10-05 09:50:04 -05:00			`package middleware`

			`import (`
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509 2019-06-12 06:15:50 -05:00			`"fmt"`
Security: Responses from backend should not be cached (#16848) Currently all API requests set Cache-control: no-cache to avoid browsers caching sensitive data. This fixes so that all responses returned from backend not are cached using http headers. The exception is the data proxy where we don't add these http headers in case datasource backend needs to control whether data can be cached or not. Fixes #16845 2019-05-06 02:22:59 -05:00			`"strings"`
Macaron rewrite 2014-10-05 09:50:04 -05:00
Auth: Allow expiration of API keys (#17678) * Modify backend to allow expiration of API Keys * Add middleware test for expired api keys * Modify frontend to enable expiration of API Keys * Fix frontend tests * Fix migration and add index for `expires` field * Add api key tests for database access * Substitude time.Now() by a mock for test usage * Front-end modifications * Change input label to `Time to live` * Change input behavior to comply with the other similar * Add tooltip * Modify AddApiKey api call response Expiration should be time.Time instead of string Present expiration date in the selected timezone * Use kbn for transforming intervals to seconds * Use `assert` library for tests * Frontend fixes Add checks for empty/undefined/null values * Change expires column from datetime to integer * Restrict api key duration input It should be interval not number * AddApiKey must complain if SecondsToLive is negative * Declare ErrInvalidApiKeyExpiration * Move configuration to auth section * Update docs * Eliminate alias for models in modified files * Omit expiration from api response if empty * Eliminate Goconvey from test file * Fix test Do not sleep, use mocked timeNow() instead * Remove index for expires from api_key table The index should be anyway on both org_id and expires fields. However this commit eliminates completely the index for now since not many rows are expected to be in this table. * Use getTimeZone function * Minor change in api key listing The frontend should display a message instead of empty string if the key does not expire. 2019-06-26 01:47:03 -05:00			`"github.com/grafana/grafana/pkg/models"`
Changed go package path 2015-02-05 03:37:13 -06:00			`"github.com/grafana/grafana/pkg/setting"`
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go 2021-10-11 07:30:59 -05:00			`"github.com/grafana/grafana/pkg/web"`
Auth: consistently return same basic auth errors (#18310) * Auth: consistently return same basic auth errors * Put repeated errors in consts and return only those consts as error strings * Add tests for errors basic auth cases and moves tests to separate test-case. Also names test cases consistently * Add more error logs and makes their messages consistent * A bit of code style * Add additional test helper * Auth: do not expose even incorrect password * Auth: address review comments Use `Debug` for the cases when it's an user error 2019-08-02 04:16:31 -05:00			`)`

made it possible to have frontend code in symlinked folders that can add routes 2018-10-11 05:36:04 -05:00			`var (`
Auth: consistently return same basic auth errors (#18310) * Auth: consistently return same basic auth errors * Put repeated errors in consts and return only those consts as error strings * Add tests for errors basic auth cases and moves tests to separate test-case. Also names test cases consistently * Add more error logs and makes their messages consistent * A bit of code style * Add additional test helper * Auth: do not expose even incorrect password * Auth: address review comments Use `Debug` for the cases when it's an user error 2019-08-02 04:16:31 -05:00			`ReqGrafanaAdmin = Auth(&AuthOptions{`
			`ReqSignedIn: true,`
			`ReqGrafanaAdmin: true,`
			`})`
Profile: Fixes profile preferences being accessible when anonymous access was enabled (#31516) * Profile: Fixes profile preferences page being available when anonymous access was enabled * Minor change * Renamed property 2021-02-27 11:04:28 -06:00			`ReqSignedIn = Auth(&AuthOptions{ReqSignedIn: true})`
			`ReqSignedInNoAnonymous = Auth(&AuthOptions{ReqSignedIn: true, ReqNoAnonynmous: true})`
			`ReqEditorRole = RoleAuth(models.ROLE_EDITOR, models.ROLE_ADMIN)`
			`ReqOrgAdmin = RoleAuth(models.ROLE_ADMIN)`
made it possible to have frontend code in symlinked folders that can add routes 2018-10-11 05:36:04 -05:00			`)`

Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen 2021-01-12 00:42:32 -06:00			`func HandleNoCacheHeader(ctx *models.ReqContext) {`
			`ctx.SkipCache = ctx.Req.Header.Get("X-Grafana-NoCache") == "true"`
			`}`

Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go 2021-10-11 07:30:59 -05:00			`func AddDefaultResponseHeaders(cfg *setting.Cfg) web.Handler {`
			`return func(c *web.Context) {`
			`c.Resp.Before(func(w web.ResponseWriter) {`
API: Improve recovery middleware when response already been written (#22256) Suppresses stacktrace in recovery middleware if error is http.ErrAbortHandler. Skips writing response error in recovery middleware if resoonse have already been written. Skips try rotate of auth token if response have already been written. Skips adding default response headers if response have already been written. Fixes #15728 Ref #18082 Co-Authored-By: Arve Knudsen <arve.knudsen@gmail.com> 2020-02-18 15:53:40 -06:00			`// if response has already been written, skip.`
			`if w.Written() {`
			`return`
			`}`

Middleware: Add CSP support (#29740) * Middleware: Add support for CSP Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored by @iOrcohen 2021-01-12 00:42:32 -06:00			`if !strings.HasPrefix(c.Req.URL.Path, "/api/datasources/proxy/") {`
			`addNoCacheHeaders(c.Resp)`
Security: Responses from backend should not be cached (#16848) Currently all API requests set Cache-control: no-cache to avoid browsers caching sensitive data. This fixes so that all responses returned from backend not are cached using http headers. The exception is the data proxy where we don't add these http headers in case datasource backend needs to control whether data can be cached or not. Fixes #16845 2019-05-06 02:22:59 -05:00			`}`
Security: Add new setting allow_embedding (#16853) When allow_embedding is false (default) the Grafana backend will set the http header `X-Frame-Options: deny` in all responses to non-static content which will instruct browser to not allow Grafana to be embedded in `<frame>`, `<iframe>`, `<embed>` or `<object>`. Closes #14189 2019-05-06 02:56:23 -05:00
Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com> 2020-12-11 04:44:44 -06:00			`if !cfg.AllowEmbedding {`
			`addXFrameOptionsDenyHeader(w)`
Security: Add new setting allow_embedding (#16853) When allow_embedding is false (default) the Grafana backend will set the http header `X-Frame-Options: deny` in all responses to non-static content which will instruct browser to not allow Grafana to be embedded in `<frame>`, `<iframe>`, `<embed>` or `<object>`. Closes #14189 2019-05-06 02:56:23 -05:00			`}`
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509 2019-06-12 06:15:50 -05:00
Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com> 2020-12-11 04:44:44 -06:00			`addSecurityHeaders(w, cfg)`
Security: Responses from backend should not be cached (#16848) Currently all API requests set Cache-control: no-cache to avoid browsers caching sensitive data. This fixes so that all responses returned from backend not are cached using http headers. The exception is the data proxy where we don't add these http headers in case datasource backend needs to control whether data can be cached or not. Fixes #16845 2019-05-06 02:22:59 -05:00			`})`
api: adds no-cache header for GET requests Fixes #5356. Internet Explorer aggressively caches GET requests which means that all API calls fetching data are cached. This fix adds a Cache-Control header with the value no-cache to all GET requests to the API. 2017-07-04 09:33:37 -05:00			`}`
			`}`
Security: Responses from backend should not be cached (#16848) Currently all API requests set Cache-control: no-cache to avoid browsers caching sensitive data. This fixes so that all responses returned from backend not are cached using http headers. The exception is the data proxy where we don't add these http headers in case datasource backend needs to control whether data can be cached or not. Fixes #16845 2019-05-06 02:22:59 -05:00
Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com> 2020-12-11 04:44:44 -06:00			`// addSecurityHeaders adds HTTP(S) response headers that enable various security protections in the client's browser.`
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go 2021-10-11 07:30:59 -05:00			`func addSecurityHeaders(w web.ResponseWriter, cfg *setting.Cfg) {`
Middleware: Don't require HTTPS for HSTS headers to be emitted (#35147) Grafana itself may not be serving content over HTTPS, but it may be behind a transparent proxy which does. Fixes #26770. Based on #26868. 2022-01-28 00:23:28 -06:00			`if cfg.StrictTransportSecurity {`
Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com> 2020-12-11 04:44:44 -06:00			`strictHeaderValues := []string{fmt.Sprintf("max-age=%v", cfg.StrictTransportSecurityMaxAge)}`
			`if cfg.StrictTransportSecurityPreload {`
middleware: fix Strict-Transport-Security header (#17644) fixes #17641 2019-06-18 13:24:23 -05:00			`strictHeaderValues = append(strictHeaderValues, "preload")`
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509 2019-06-12 06:15:50 -05:00			`}`
Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com> 2020-12-11 04:44:44 -06:00			`if cfg.StrictTransportSecuritySubDomains {`
middleware: fix Strict-Transport-Security header (#17644) fixes #17641 2019-06-18 13:24:23 -05:00			`strictHeaderValues = append(strictHeaderValues, "includeSubDomains")`
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509 2019-06-12 06:15:50 -05:00			`}`
Chore: Use Header.Set method instead of Header.Add (#29804) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-12-14 08:13:01 -06:00			`w.Header().Set("Strict-Transport-Security", strings.Join(strictHeaderValues, "; "))`
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509 2019-06-12 06:15:50 -05:00			`}`

Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com> 2020-12-11 04:44:44 -06:00			`if cfg.ContentTypeProtectionHeader {`
Chore: Use Header.Set method instead of Header.Add (#29804) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-12-14 08:13:01 -06:00			`w.Header().Set("X-Content-Type-Options", "nosniff")`
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509 2019-06-12 06:15:50 -05:00			`}`

Move middleware context handler logic to service (#29605) * middleware: Move context handler to own service Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> Co-authored-by: Emil Tullsted <sakjur@users.noreply.github.com> Co-authored-by: Will Browne <wbrowne@users.noreply.github.com> 2020-12-11 04:44:44 -06:00			`if cfg.XSSProtectionHeader {`
Chore: Use Header.Set method instead of Header.Add (#29804) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-12-14 08:13:01 -06:00			`w.Header().Set("X-XSS-Protection", "1; mode=block")`
middleware: add security related HTTP(S) response headers (#17522) * x_xss_protection * strict_transport_security (HSTS) * x_content_type_options these are currently defaulted to false (off) until the next minor release. fixes #17509 2019-06-12 06:15:50 -05:00			`}`
			`}`

Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go 2021-10-11 07:30:59 -05:00			`func addNoCacheHeaders(w web.ResponseWriter) {`
Chore: Use Header.Set method instead of Header.Add (#29804) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-12-14 08:13:01 -06:00			`w.Header().Set("Cache-Control", "no-cache")`
			`w.Header().Set("Pragma", "no-cache")`
			`w.Header().Set("Expires", "-1")`
Security: Responses from backend should not be cached (#16848) Currently all API requests set Cache-control: no-cache to avoid browsers caching sensitive data. This fixes so that all responses returned from backend not are cached using http headers. The exception is the data proxy where we don't add these http headers in case datasource backend needs to control whether data can be cached or not. Fixes #16845 2019-05-06 02:22:59 -05:00			`}`
Security: Add new setting allow_embedding (#16853) When allow_embedding is false (default) the Grafana backend will set the http header `X-Frame-Options: deny` in all responses to non-static content which will instruct browser to not allow Grafana to be embedded in `<frame>`, `<iframe>`, `<embed>` or `<object>`. Closes #14189 2019-05-06 02:56:23 -05:00
Chore: replace macaron with web package (#40136) * replace macaron with web package * add web.go 2021-10-11 07:30:59 -05:00			`func addXFrameOptionsDenyHeader(w web.ResponseWriter) {`
Chore: Use Header.Set method instead of Header.Add (#29804) Signed-off-by: Arve Knudsen <arve.knudsen@gmail.com> 2020-12-14 08:13:01 -06:00			`w.Header().Set("X-Frame-Options", "deny")`
Security: Add new setting allow_embedding (#16853) When allow_embedding is false (default) the Grafana backend will set the http header `X-Frame-Options: deny` in all responses to non-static content which will instruct browser to not allow Grafana to be embedded in `<frame>`, `<iframe>`, `<embed>` or `<object>`. Closes #14189 2019-05-06 02:56:23 -05:00			`}`