grafana/pkg/middleware/middleware.go

package middleware

import (
	"strconv"
	"strings"

	"gopkg.in/macaron.v1"

	"github.com/grafana/grafana/pkg/bus"
	"github.com/grafana/grafana/pkg/components/apikeygen"
	"github.com/grafana/grafana/pkg/log"
	"github.com/grafana/grafana/pkg/metrics"
	m "github.com/grafana/grafana/pkg/models"
	"github.com/grafana/grafana/pkg/setting"
	"github.com/grafana/grafana/pkg/util"
)

type Context struct {
	*macaron.Context
	*m.SignedInUser

	Session SessionStore

	IsSignedIn     bool
	AllowAnonymous bool
	Logger         log.Logger
}

func GetContextHandler() macaron.Handler {
	return func(c *macaron.Context) {
		ctx := &Context{
			Context:        c,
			SignedInUser:   &m.SignedInUser{},
			Session:        GetSession(),
			IsSignedIn:     false,
			AllowAnonymous: false,
			Logger:         log.New("context"),
		}

		// the order in which these are tested are important
		// look for api key in Authorization header first
		// then init session and look for userId in session
		// then look for api key in session (special case for render calls via api)
		// then test if anonymous access is enabled
		if initContextWithApiKey(ctx) ||
			initContextWithBasicAuth(ctx) ||
			initContextWithAuthProxy(ctx) ||
			initContextWithUserSessionCookie(ctx) ||
			initContextWithApiKeyFromSession(ctx) ||
			initContextWithAnonymousUser(ctx) {
		}

		ctx.Logger = log.New("context", "user", ctx.UserId, "orgId", ctx.OrgId)
		ctx.Data["ctx"] = ctx

		c.Map(ctx)
	}
}

func initContextWithAnonymousUser(ctx *Context) bool {
	if !setting.AnonymousEnabled {
		return false
	}

	orgQuery := m.GetOrgByNameQuery{Name: setting.AnonymousOrgName}
	if err := bus.Dispatch(&orgQuery); err != nil {
		log.Error(3, "Anonymous access organization error: '%s': %s", setting.AnonymousOrgName, err)
		return false
	} else {
		ctx.IsSignedIn = false
		ctx.AllowAnonymous = true
		ctx.SignedInUser = &m.SignedInUser{}
		ctx.OrgRole = m.RoleType(setting.AnonymousOrgRole)
		ctx.OrgId = orgQuery.Result.Id
		ctx.OrgName = orgQuery.Result.Name
		return true
	}
}

func initContextWithUserSessionCookie(ctx *Context) bool {
	// initialize session
	if err := ctx.Session.Start(ctx); err != nil {
		log.Error(3, "Failed to start session", err)
		return false
	}

	var userId int64
	if userId = getRequestUserId(ctx); userId == 0 {
		return false
	}

	query := m.GetSignedInUserQuery{UserId: userId}
	if err := bus.Dispatch(&query); err != nil {
		log.Error(3, "Failed to get user with id %v", userId)
		return false
	} else {
		ctx.SignedInUser = query.Result
		ctx.IsSignedIn = true
		return true
	}
}

func initContextWithApiKey(ctx *Context) bool {
	var keyString string
	if keyString = getApiKey(ctx); keyString == "" {
		return false
	}

	// base64 decode key
	decoded, err := apikeygen.Decode(keyString)
	if err != nil {
		ctx.JsonApiErr(401, "Invalid API key", err)
		return true
	}
	// fetch key
	keyQuery := m.GetApiKeyByNameQuery{KeyName: decoded.Name, OrgId: decoded.OrgId}
	if err := bus.Dispatch(&keyQuery); err != nil {
		ctx.JsonApiErr(401, "Invalid API key", err)
		return true
	} else {
		apikey := keyQuery.Result

		// validate api key
		if !apikeygen.IsValid(decoded, apikey.Key) {
			ctx.JsonApiErr(401, "Invalid API key", err)
			return true
		}

		ctx.IsSignedIn = true
		ctx.SignedInUser = &m.SignedInUser{}
		ctx.OrgRole = apikey.Role
		ctx.ApiKeyId = apikey.Id
		ctx.OrgId = apikey.OrgId
		return true
	}
}

func initContextWithBasicAuth(ctx *Context) bool {
	if !setting.BasicAuthEnabled {
		return false
	}

	header := ctx.Req.Header.Get("Authorization")
	if header == "" {
		return false
	}

	username, password, err := util.DecodeBasicAuthHeader(header)
	if err != nil {
		ctx.JsonApiErr(401, "Invalid Basic Auth Header", err)
		return true
	}

	loginQuery := m.GetUserByLoginQuery{LoginOrEmail: username}
	if err := bus.Dispatch(&loginQuery); err != nil {
		ctx.JsonApiErr(401, "Basic auth failed", err)
		return true
	}

	user := loginQuery.Result

	// validate password
	if util.EncodePassword(password, user.Salt) != user.Password {
		ctx.JsonApiErr(401, "Invalid username or password", nil)
		return true
	}

	query := m.GetSignedInUserQuery{UserId: user.Id}
	if err := bus.Dispatch(&query); err != nil {
		ctx.JsonApiErr(401, "Authentication error", err)
		return true
	} else {
		ctx.SignedInUser = query.Result
		ctx.IsSignedIn = true
		return true
	}
}

// special case for panel render calls with api key
func initContextWithApiKeyFromSession(ctx *Context) bool {
	keyId := ctx.Session.Get(SESS_KEY_APIKEY)
	if keyId == nil {
		return false
	}

	keyQuery := m.GetApiKeyByIdQuery{ApiKeyId: keyId.(int64)}
	if err := bus.Dispatch(&keyQuery); err != nil {
		log.Error(3, "Failed to get api key by id", err)
		return false
	} else {
		apikey := keyQuery.Result

		ctx.IsSignedIn = true
		ctx.SignedInUser = &m.SignedInUser{}
		ctx.OrgRole = apikey.Role
		ctx.ApiKeyId = apikey.Id
		ctx.OrgId = apikey.OrgId
		return true
	}
}

// Handle handles and logs error by given status.
func (ctx *Context) Handle(status int, title string, err error) {
	if err != nil {
		log.Error(4, "%s: %v", title, err)
		if setting.Env != setting.PROD {
			ctx.Data["ErrorMsg"] = err
		}
	}

	switch status {
	case 200:
		metrics.M_Page_Status_200.Inc(1)
	case 404:
		metrics.M_Page_Status_404.Inc(1)
	case 500:
		metrics.M_Page_Status_500.Inc(1)
	}

	ctx.Data["Title"] = title
	ctx.HTML(status, strconv.Itoa(status))
}

func (ctx *Context) JsonOK(message string) {
	resp := make(map[string]interface{})

	resp["message"] = message

	ctx.JSON(200, resp)
}

func (ctx *Context) IsApiRequest() bool {
	return strings.HasPrefix(ctx.Req.URL.Path, "/api")
}

func (ctx *Context) JsonApiErr(status int, message string, err error) {
	resp := make(map[string]interface{})

	if err != nil {
		log.Error(4, "%s: %v", message, err)
		if setting.Env != setting.PROD {
			resp["error"] = err.Error()
		}
	}

	switch status {
	case 404:
		metrics.M_Api_Status_404.Inc(1)
		resp["message"] = "Not Found"
	case 500:
		metrics.M_Api_Status_500.Inc(1)
		resp["message"] = "Internal Server Error"
	}

	if message != "" {
		resp["message"] = message
	}

	ctx.JSON(status, resp)
}

func (ctx *Context) HasUserRole(role m.RoleType) bool {
	return ctx.OrgRole.Includes(role)
}

func (ctx *Context) TimeRequest(timer metrics.Timer) {
	ctx.Data["perfmon.timer"] = timer
}
Macaron rewrite 2014-10-05 09:50:04 -05:00			`package middleware`

			`import (`
OAuth remake 2014-10-07 16:56:37 -05:00			`"strconv"`
Refactoring of api routes 2015-01-14 07:25:12 -06:00			`"strings"`
Macaron rewrite 2014-10-05 09:50:04 -05:00
feat(macaron): upgrades macaron version 2016-01-13 08:11:23 -06:00			`"gopkg.in/macaron.v1"`
Macaron rewrite 2014-10-05 09:50:04 -05:00
Changed go package path 2015-02-05 03:37:13 -06:00			`"github.com/grafana/grafana/pkg/bus"`
New implementation for API Keys that only stores hashed api keys, and the client key is base64 decoded json web token with the unhashed key, Closes #1440 2015-02-26 10:23:28 -06:00			`"github.com/grafana/grafana/pkg/components/apikeygen"`
Changed go package path 2015-02-05 03:37:13 -06:00			`"github.com/grafana/grafana/pkg/log"`
Added server metrics 2015-03-22 14:14:00 -05:00			`"github.com/grafana/grafana/pkg/metrics"`
Changed go package path 2015-02-05 03:37:13 -06:00			`m "github.com/grafana/grafana/pkg/models"`
			`"github.com/grafana/grafana/pkg/setting"`
Auth: You can now authenicate against api with username / password using basic auth, Closes #2218 2015-06-30 02:37:52 -05:00			`"github.com/grafana/grafana/pkg/util"`
Macaron rewrite 2014-10-05 09:50:04 -05:00			`)`

			`type Context struct {`
			`*macaron.Context`
Corrected spelling of SignedInUser (was SignInUser) 2015-01-16 09:17:35 -06:00			`*m.SignedInUser`
Big refactoring for context.User, and how current user info is fetching, now included collaborator role 2015-01-16 07:32:18 -06:00
A big refactoring for how sessions are handled, Api calls that authenticate with api key will no longer create a new session 2015-04-07 12:21:14 -05:00			`Session SessionStore`
Macaron rewrite 2014-10-05 09:50:04 -05:00
Fixed anonymous access mode, Closes #1586 2015-03-11 11:34:11 -05:00			`IsSignedIn bool`
			`AllowAnonymous bool`
feat(logging): a lot of progress on moving to new logging lib, #4590 2016-06-06 16:06:44 -05:00			`Logger log.Logger`
more macaroon stuff 2014-10-06 14:31:54 -05:00			`}`

Macaron rewrite 2014-10-05 09:50:04 -05:00			`func GetContextHandler() macaron.Handler {`
A big refactoring for how sessions are handled, Api calls that authenticate with api key will no longer create a new session 2015-04-07 12:21:14 -05:00			`return func(c *macaron.Context) {`
Macaron rewrite 2014-10-05 09:50:04 -05:00			`ctx := &Context{`
Fixed anonymous access mode, Closes #1586 2015-03-11 11:34:11 -05:00			`Context: c,`
			`SignedInUser: &m.SignedInUser{},`
A big refactoring for how sessions are handled, Api calls that authenticate with api key will no longer create a new session 2015-04-07 12:21:14 -05:00			`Session: GetSession(),`
Fixed anonymous access mode, Closes #1586 2015-03-11 11:34:11 -05:00			`IsSignedIn: false,`
			`AllowAnonymous: false,`
feat(logging): a lot of progress on moving to new logging lib, #4590 2016-06-06 16:06:44 -05:00			`Logger: log.New("context"),`
Macaron rewrite 2014-10-05 09:50:04 -05:00			`}`

HTTP API: grafana /render calls nows with api keys, Fixes #1649 2015-04-08 01:59:12 -05:00			`// the order in which these are tested are important`
			`// look for api key in Authorization header first`
			`// then init session and look for userId in session`
			`// then look for api key in session (special case for render calls via api)`
			`// then test if anonymous access is enabled`
A big refactoring for how sessions are handled, Api calls that authenticate with api key will no longer create a new session 2015-04-07 12:21:14 -05:00			`if initContextWithApiKey(ctx) \|\|`
Auth: You can now authenicate against api with username / password using basic auth, Closes #2218 2015-06-30 02:37:52 -05:00			`initContextWithBasicAuth(ctx) \|\|`
Auth: Support for user authentication via reverse proxy header (like X-Authenticated-User, or X-WEBAUTH-USER), Closes #1921 2015-05-02 05:06:58 -05:00			`initContextWithAuthProxy(ctx) \|\|`
A big refactoring for how sessions are handled, Api calls that authenticate with api key will no longer create a new session 2015-04-07 12:21:14 -05:00			`initContextWithUserSessionCookie(ctx) \|\|`
HTTP API: grafana /render calls nows with api keys, Fixes #1649 2015-04-08 01:59:12 -05:00			`initContextWithApiKeyFromSession(ctx) \|\|`
A big refactoring for how sessions are handled, Api calls that authenticate with api key will no longer create a new session 2015-04-07 12:21:14 -05:00			`initContextWithAnonymousUser(ctx) {`
Refactoring of auth middleware, and starting work on account admin 2015-01-15 05:16:54 -06:00			`}`

feat(logging): a lot of progress on moving to new logging lib, #4590 2016-06-06 16:06:44 -05:00			`ctx.Logger = log.New("context", "user", ctx.UserId, "orgId", ctx.OrgId)`
feat(logging): progress on new logging #4590 2016-06-07 02:29:47 -05:00			`ctx.Data["ctx"] = ctx`
feat(logging): a lot of progress on moving to new logging lib, #4590 2016-06-06 16:06:44 -05:00
Macaron rewrite 2014-10-05 09:50:04 -05:00			`c.Map(ctx)`
			`}`
			`}`

A big refactoring for how sessions are handled, Api calls that authenticate with api key will no longer create a new session 2015-04-07 12:21:14 -05:00			`func initContextWithAnonymousUser(ctx *Context) bool {`
			`if !setting.AnonymousEnabled {`
			`return false`
			`}`

			`orgQuery := m.GetOrgByNameQuery{Name: setting.AnonymousOrgName}`
			`if err := bus.Dispatch(&orgQuery); err != nil {`
			`log.Error(3, "Anonymous access organization error: '%s': %s", setting.AnonymousOrgName, err)`
			`return false`
			`} else {`
			`ctx.IsSignedIn = false`
			`ctx.AllowAnonymous = true`
			`ctx.SignedInUser = &m.SignedInUser{}`
			`ctx.OrgRole = m.RoleType(setting.AnonymousOrgRole)`
			`ctx.OrgId = orgQuery.Result.Id`
			`ctx.OrgName = orgQuery.Result.Name`
			`return true`
			`}`
			`}`

			`func initContextWithUserSessionCookie(ctx *Context) bool {`
			`// initialize session`
			`if err := ctx.Session.Start(ctx); err != nil {`
			`log.Error(3, "Failed to start session", err)`
			`return false`
			`}`

			`var userId int64`
			`if userId = getRequestUserId(ctx); userId == 0 {`
			`return false`
			`}`

			`query := m.GetSignedInUserQuery{UserId: userId}`
			`if err := bus.Dispatch(&query); err != nil {`
More middleware unit tests cover all current auth mechanisms 2015-05-02 02:24:56 -05:00			`log.Error(3, "Failed to get user with id %v", userId)`
A big refactoring for how sessions are handled, Api calls that authenticate with api key will no longer create a new session 2015-04-07 12:21:14 -05:00			`return false`
			`} else {`
			`ctx.SignedInUser = query.Result`
			`ctx.IsSignedIn = true`
			`return true`
			`}`
			`}`

			`func initContextWithApiKey(ctx *Context) bool {`
			`var keyString string`
			`if keyString = getApiKey(ctx); keyString == "" {`
			`return false`
			`}`

			`// base64 decode key`
			`decoded, err := apikeygen.Decode(keyString)`
			`if err != nil {`
			`ctx.JsonApiErr(401, "Invalid API key", err)`
			`return true`
			`}`
			`// fetch key`
			`keyQuery := m.GetApiKeyByNameQuery{KeyName: decoded.Name, OrgId: decoded.OrgId}`
			`if err := bus.Dispatch(&keyQuery); err != nil {`
			`ctx.JsonApiErr(401, "Invalid API key", err)`
			`return true`
			`} else {`
			`apikey := keyQuery.Result`

			`// validate api key`
			`if !apikeygen.IsValid(decoded, apikey.Key) {`
			`ctx.JsonApiErr(401, "Invalid API key", err)`
			`return true`
			`}`

			`ctx.IsSignedIn = true`
			`ctx.SignedInUser = &m.SignedInUser{}`
HTTP API: grafana /render calls nows with api keys, Fixes #1649 2015-04-08 01:59:12 -05:00			`ctx.OrgRole = apikey.Role`
			`ctx.ApiKeyId = apikey.Id`
			`ctx.OrgId = apikey.OrgId`
			`return true`
			`}`
			`}`

Auth: You can now authenicate against api with username / password using basic auth, Closes #2218 2015-06-30 02:37:52 -05:00			`func initContextWithBasicAuth(ctx *Context) bool {`
			`if !setting.BasicAuthEnabled {`
			`return false`
			`}`

			`header := ctx.Req.Header.Get("Authorization")`
			`if header == "" {`
			`return false`
			`}`

			`username, password, err := util.DecodeBasicAuthHeader(header)`
			`if err != nil {`
			`ctx.JsonApiErr(401, "Invalid Basic Auth Header", err)`
			`return true`
			`}`

			`loginQuery := m.GetUserByLoginQuery{LoginOrEmail: username}`
			`if err := bus.Dispatch(&loginQuery); err != nil {`
			`ctx.JsonApiErr(401, "Basic auth failed", err)`
			`return true`
			`}`

			`user := loginQuery.Result`

			`// validate password`
			`if util.EncodePassword(password, user.Salt) != user.Password {`
			`ctx.JsonApiErr(401, "Invalid username or password", nil)`
			`return true`
			`}`

			`query := m.GetSignedInUserQuery{UserId: user.Id}`
			`if err := bus.Dispatch(&query); err != nil {`
			`ctx.JsonApiErr(401, "Authentication error", err)`
			`return true`
			`} else {`
			`ctx.SignedInUser = query.Result`
			`ctx.IsSignedIn = true`
			`return true`
			`}`
			`}`

HTTP API: grafana /render calls nows with api keys, Fixes #1649 2015-04-08 01:59:12 -05:00			`// special case for panel render calls with api key`
			`func initContextWithApiKeyFromSession(ctx *Context) bool {`
			`keyId := ctx.Session.Get(SESS_KEY_APIKEY)`
			`if keyId == nil {`
			`return false`
			`}`

			`keyQuery := m.GetApiKeyByIdQuery{ApiKeyId: keyId.(int64)}`
			`if err := bus.Dispatch(&keyQuery); err != nil {`
			`log.Error(3, "Failed to get api key by id", err)`
			`return false`
			`} else {`
			`apikey := keyQuery.Result`
A big refactoring for how sessions are handled, Api calls that authenticate with api key will no longer create a new session 2015-04-07 12:21:14 -05:00
HTTP API: grafana /render calls nows with api keys, Fixes #1649 2015-04-08 01:59:12 -05:00			`ctx.IsSignedIn = true`
			`ctx.SignedInUser = &m.SignedInUser{}`
A big refactoring for how sessions are handled, Api calls that authenticate with api key will no longer create a new session 2015-04-07 12:21:14 -05:00			`ctx.OrgRole = apikey.Role`
			`ctx.ApiKeyId = apikey.Id`
			`ctx.OrgId = apikey.OrgId`
			`return true`
			`}`
			`}`

Macaron rewrite 2014-10-05 09:50:04 -05:00			`// Handle handles and logs error by given status.`
			`func (ctx *Context) Handle(status int, title string, err error) {`
			`if err != nil {`
			`log.Error(4, "%s: %v", title, err)`
Added disable user sign up feature 2015-01-29 08:46:54 -06:00			`if setting.Env != setting.PROD {`
Macaron rewrite 2014-10-05 09:50:04 -05:00			`ctx.Data["ErrorMsg"] = err`
			`}`
			`}`

Added server metrics 2015-03-22 14:14:00 -05:00			`switch status {`
			`case 200:`
			`metrics.M_Page_Status_200.Inc(1)`
			`case 404:`
			`metrics.M_Page_Status_404.Inc(1)`
			`case 500:`
			`metrics.M_Page_Status_500.Inc(1)`
			`}`

fixed error handling, and error logging for panel rendering 2015-02-05 05:23:24 -06:00			`ctx.Data["Title"] = title`
OAuth remake 2014-10-07 16:56:37 -05:00			`ctx.HTML(status, strconv.Itoa(status))`
Macaron rewrite 2014-10-05 09:50:04 -05:00			`}`
macaron transition progress 2014-10-05 14:13:01 -05:00
More general backend work, in the middle of the night... Zzzz 2014-12-16 20:09:54 -06:00			`func (ctx *Context) JsonOK(message string) {`
			`resp := make(map[string]interface{})`

			`resp["message"] = message`

			`ctx.JSON(200, resp)`
			`}`

Refactoring of api routes 2015-01-14 07:25:12 -06:00			`func (ctx *Context) IsApiRequest() bool {`
			`return strings.HasPrefix(ctx.Req.URL.Path, "/api")`
			`}`

working on oauth 2014-10-07 14:54:38 -05:00			`func (ctx *Context) JsonApiErr(status int, message string, err error) {`
more macaroon stuff 2014-10-06 14:31:54 -05:00			`resp := make(map[string]interface{})`

			`if err != nil {`
			`log.Error(4, "%s: %v", message, err)`
started work datasources admin 2014-12-16 05:04:08 -06:00			`if setting.Env != setting.PROD {`
			`resp["error"] = err.Error()`
more macaroon stuff 2014-10-06 14:31:54 -05:00			`}`
			`}`

			`switch status {`
			`case 404:`
Fix wrong metrics counter 2015-06-30 00:52:55 -05:00			`metrics.M_Api_Status_404.Inc(1)`
more macaroon stuff 2014-10-06 14:31:54 -05:00			`resp["message"] = "Not Found"`
			`case 500:`
Fix wrong metrics counter 2015-06-30 00:52:55 -05:00			`metrics.M_Api_Status_500.Inc(1)`
more macaroon stuff 2014-10-06 14:31:54 -05:00			`resp["message"] = "Internal Server Error"`
			`}`

			`if message != "" {`
			`resp["message"] = message`
			`}`

Tried postgres 2014-11-24 03:17:13 -06:00			`ctx.JSON(status, resp)`
more macaroon stuff 2014-10-06 14:31:54 -05:00			`}`
feat(plugins): WIP on new apps concept 2015-12-21 16:09:27 -06:00
refactor(apps): more WIP work on apps 2015-12-22 04:37:44 -06:00			`func (ctx *Context) HasUserRole(role m.RoleType) bool {`
feat(plugins): WIP on new apps concept 2015-12-21 16:09:27 -06:00			`return ctx.OrgRole.Includes(role)`
			`}`
feat(timing): timing is now working with graphite and influxdb 2016-06-03 02:17:36 -05:00
			`func (ctx *Context) TimeRequest(timer metrics.Timer) {`
			`ctx.Data["perfmon.timer"] = timer`
			`}`